H January(68) February(106) March(112) April(110) June(37) July(114) August(126) September(12) October(0) November(0) December(0) | DefCon32 BLACKHAT USA 2024 | BLACKHAT USA 2024 ZIP DEFCON32 ZIP
SonicWall Urges Users to Patch Critical Firewall Flaw Amid Possible Exploitation
7.9.24 Vulnerebility The Hacker News
SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.
The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.
"An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall said in an updated advisory.
With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall's SSLVPN feature. The issue has been addressed in the below versions -
SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)
The network security vendor has since updated the bulletin to reflect the possibility that it may have been actively exploited.
"This vulnerability is potentially being exploited in the wild," it added. "Please apply the patch as soon as possible for affected products."
As temporary mitigations, it's recommended to restrict firewall management to trusted sources or disable firewall WAN management from Internet access. For SSLVPN, it's advised to limit access to trusted sources, or disable internet access altogether.
Additional mitigations include enabling multi-factor authentication (MFA) for all SSLVPN users using one-time passwords (OTPs) and recommending customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts to immediately update their passwords for preventing unauthorized access.
There are currently no details about how the flaw may have been weaponized in the wild, but Chinese threat actors have, in the past, unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.
GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware
7.9.24 BotNet The Hacker News
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.
The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.
In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024.
According to Fortinet FortiGuard Labs, the flaw has been observed to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity.
These attacks are said to target IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.
The GeoServer server has also served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and at least four types of cryptocurrency miners, one of which is retrieved from a fake website that impersonates the Institute of Chartered Accountants of India (ICAI).
Perhaps the most notable of the attack chains leveraging the flaw is the one that propagates an advanced Linux backdoor called SideWalk, which is attributed to a Chinese threat actor tracked as APT41.
The starting point is a shell script that's responsible for downloading the ELF binaries for ARM, MIPS, and X86 architectures, which, in turn, extracts the C2 server from an encrypted configuration, connects to it, and receives further commands for execution on the compromised device.
This includes running a legitimate tool known as Fast Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, allowing for persistent remote access, data exfiltration, and payload deployment.
"The primary targets appear to be distributed across three main regions: South America, Europe, and Asia," security researchers Cara Lin and Vincent Li said.
"This geographical spread suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas."
The development comes as CISA this week added to its KEV catalog two flaws found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) that could be exploited to download arbitrary files from the underlying operating system with root privileges.
GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code
7.9.24 Vulnerebility The Hacker News
Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.
These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).
Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.
The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat.
"If developers make a typo in their GitHub Action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Hacker News.
The attack is possible because anyone can publish a GitHub Action by creating a GitHub account with a temporary email account. Given that actions run within the context of a user's repository, a malicious action could be exploited to tamper with the source code, steal secrets, and use it to deliver malware.
All that the technique involves is for the attacker to create organizations and repositories with names that closely resemble popular or widely-used GitHub Actions.
If a user makes inadvertent spelling errors when setting up a GitHub action for their project and that misspelled version has already been created by the adversary, then the user's workflow will run the malicious action as opposed to the intended one.
"Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments," Yakobi said.
"In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects."
Orca said that a search on GitHub revealed as many as 198 files that invoke "action/checkout" or "actons/checkout" instead of "actions/checkout" (note the missing "s" and "i"), putting all those projects at risk.
This form of typosquatting is appealing to threat actors because it's a low-cost, high-impact attack that could result in powerful software supply chain compromises, affecting several downstream customers all at once.
Users are advised to double-check actions and their names to ensure they are referencing the correct GitHub organization, stick to actions from trusted sources, and periodically scan their CI/CD workflows for typosquatting issues.
"This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks," Yakobi said.
"The actual problem is even more concerning because here we are only highlighting what happens in public repositories. The impact on private repositories, where the same typos could be leading to serious security breaches, remains unknown."
Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress
6.9.24 Vulnerebility The Hacker News
Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts.
The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1.
"The plugin suffers from an unauthenticated account takeover vulnerability which allows any unauthenticated visitor to gain authentication access to any logged-in users and at worst can gain access to an Administrator level role after which malicious plugins could be uploaded and installed," Patchstack researcher Rafie Muhammad said.
The discovery follows an extensive security analysis of the plugin, which previously led to the identification of a critical privilege escalation flaw (CVE-2024-28000, CVSS score: 9.8). LiteSpeed Cache is a popular caching plugin for the WordPress ecosystem with over 5 million active installations.
The new vulnerability stems from the fact that a debug log file named "/wp-content/debug.log" is publicly exposed, which makes it possible for unauthenticated attackers to view potentially sensitive information contained in the file.
This could also include user cookie information present within HTTP response headers, effectively allowing users to log in to a vulnerable site with any session that is actively valid.
The lower severity of the flaw is owing to the prerequisite that the debug feature must be enabled on a WordPress site for it to be successful. Alternatively, it could also affect sites that had activated the debug log feature at some point in the past, but have failed to remove the debug file.
It's important to note that this feature is disabled by default. The patch addresses the problem by moving the log file to a dedicated folder within the LiteSpeed plugin folder ("/wp-content/litespeed/debug/"), randomizing filenames, and dropping the option to log cookies in the file.
Users are advised to check their installations for the presence of the "/wp-content/debug.log" and take steps to purge them if the debugging feature has (or had) been enabled.
It's also recommended to set an .htaccess rule to deny direct access to the log files as malicious actors can still directly access the new log file if they know the new filename by means of a trial-and-error method.
"This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed," Muhammad said.
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
6.9.24 Vulnerebility The Hacker News
A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows.
The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16.
"An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server," Rapid7 security researcher Ryan Emmons said in a new report.
It's worth noting that CVE-2024-45195 is a bypass for a sequence of issues, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were addressed by the project maintainers over the past few months.
Both CVE-2024-32113 and CVE-2024-38856 have since come under active exploitation in the wild, with the former leveraged to deploy the Mirai botnet malware.
Rapid7 said all three older shortcomings stem from the "ability to desynchronize the controller and view map state," a problem that was never fully remediated in any of the patches.
A consequence of the vulnerability is that it could be abused by attackers to execute code or SQL queries and achieve remote code execution sans authentication.
The latest patch put in place "validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller."
Apache OFBiz version 18.12.16 also addresses a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS score: 9.8) that could lead to unauthorized access and system compromise by taking advantage of a specially crafted URL.
Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal Activity
6.9.24 BigBrothers The Hacker News
Telegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided.
"If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself," Durov said in a 600-word statement on his Telegram account.
"Using laws from the pre-smartphone era to charge a CEO with crimes committed by third-parties on the platform he manages is a misguided approach."
Durov was charged late last month for enabling various forms of criminal activity on Telegram, including drug trafficking and money laundering, following a probe into an unnamed person's distribution of child sexual abuse material.
He also highlighted the struggles to balance both privacy and security, noting that Telegram is ready to exit markets that aren't compatible with its mission to "protect our users in authoritarian regimes."
Durov also blamed "growing pains that made it easier for criminals to abuse our platform." The popular messaging app recently crossed 950 million monthly active users.
"That's why I made it my personal goal to ensure we significantly improve things in this regard," he said. "We've already started that process internally, and I will share more details on our progress with you very soon."
The company has since updated its FAQ to allow users to report illegal content within private and group chats by flagging it for review using a dedicated "Report" button, a major policy shift and a feature that was previously off-limits.
Durov's statement, however, doesn't delve into the lack of end-to-end encryption (E2EE) protections by default, which users have to explicitly enable in one-to-one chats.
"It is also a 'cloud messenger,' meaning that all messages live on Telegram's servers rather than the user's device," Moxie Marlinspike, creator of the E2EE messaging app Signal, pointed out.
"With one query, the Russian Telegram team can get every message the French president has ever sent or received to his contacts, every message those contacts have ever sent or received to their contacts, every message those contacts' contacts have ever sent or received, etc."
Matthew Green, a security researcher and an associate professor of computer science at Johns Hopkins University, further called out the platform for making it an onerous process that requires at least four clicks on Telegram's iOS app.
"The feature is explicitly not turned on for the vast majority of conversations, and is only available for one-on-one conversations, and never for group chats with more than two people in them," Green said.
"As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do. Secret Chats only works if your conversation partner happens to be online when you do this."
Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East
6.9.24 APT The Hacker News
Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023.
"Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky security researcher Sherif Magdy said.
The Russian cybersecurity vendor said it detected the activity in June 2024 upon discovering a new version of the China Chopper web Shell, a tool shared by many Chinese-speaking threat actors for remote access to compromised servers, on a public web server hosting an open-source content management system (CMS) called Umbraco.
The attack chain is designed to deliver a malware implant named Crowdoor, a variant of the SparrowDoor backdoor documented by ESET back in September 2021. The efforts were ultimately unsuccessful.
Tropic Trooper, also known by the names APT23, Earth Centaur, KeyBoy, and Pirate Panda, is known for its targeting of government, healthcare, transportation, and high-tech industries in Taiwan, Hong Kong, and the Philippines. The Chinese-speaking collective has been assessed to be active since 2011, sharing close ties with another intrusion set tracked as FamousSparrow.
The latest intrusion highlighted by Kaspersky is significant for compiling the China Chopper web shell as a .NET module of Umbraco CMS, with follow-on exploitation leading to the deployment of tools for network scanning, lateral movement, and defense evasion, before launching Crowdoor using DLL side-loading techniques.
It's suspected that the web shells are delivered by exploiting known security vulnerabilities in publicly accessible web applications, such as Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Crowdoor, first observed in June 2023, also functions as a loader to drop Cobalt Strike and maintain persistence on the infected hosts, while also acting as a backdoor to harvest sensitive information, launch a reverse shell, erase other malware files, and terminate itself.
"When the actor became aware that their backdoors were detected, they tried to upload newer samples to evade detection, thereby increasing the risk of their new set of samples being detected in the near future," Magdy noted.
"The significance of this intrusion lies in the sighting of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, specifically focusing on the situation around the Israel-Hamas conflict."
"Our analysis of this intrusion revealed that this entire system was the sole target during the attack, indicating a deliberate focus on this specific content."
Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues
6.9.24 Vulnerebility The Hacker News
Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution.
The list of shortcomings is below -
CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution.
CVE-2024-42024 (CVSS score: 9.1) - A vulnerability in Veeam ONE that enables an attacker in possession of the Agent service account credentials to perform remote code execution on the underlying machine
CVE-2024-42019 (CVSS score: 9.0) - A vulnerability in Veeam ONE that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account
CVE-2024-38650 (CVSS score: 9.9) - A vulnerability in Veeam Service Provider Console (VPSC) that allows a low privileged attacker to access the NTLM hash of the service account on the server
CVE-2024-39714 (CVSS score: 9.9) - A vulnerability in VPSC that permits a low-privileged user to upload arbitrary files to the server, resulting in remote code execution on the server
In addition, the September 2024 updates address 13 other high-severity flaws that could permit privilege escalation, multi-factor authentication (MFA) bypass, and execute code with elevated permissions.
All the issues have been addressed in the below versions -
Veeam Backup & Replication 12.2 (build 12.2.0.334)
Veeam Agent for Linux 6.2 (build 6.2.0.101)
Veeam ONE v12.2 (build 12.2.0.4093)
Veeam Service Provider Console v8.1 (build 8.1.0.21377)
Veeam Backup for Nutanix AHV Plug-In v12.6.0.632
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299
With flaws in Veeam software Users becoming a lucrative target for threat actors to serve ransomware, users are advised to update to the latest version as soon as possible to mitigate potential threats.
U.S. Seizes 32 Pro-Russian Propaganda Domains in Major Disinformation Crackdown
5.9.24 BigBrothers The Hacker News
The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 32 internet domains used by a pro-Russian propaganda operation called Doppelganger as part of a sweeping set of actions.
Accusing the Russian government-directed foreign malign influence campaign of violating U.S. money laundering and criminal trademark laws, the agency called out companies Social Design Agency (SDA), Structura National Technology (Structura), and ANO Dialog for working at the behest of the Russian Presidential Administration.
The goal, it said, is to "covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election."
Among the methods Doppelganger used to drive viewership to the cybersquatted media domains encompassed the deployment of "influencers" worldwide, paid social media ads, and the creation of social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the domains in an attempt to redirect unsuspecting viewers.
The sites dismantled by the U.S. government were filled with Russian government propaganda created by the Kremlin to reduce international support for Ukraine, bolster pro-Russian policies and interests, and influence voters in the U.S. and other countries.
The complete list of domains, which mimic legitimate news outlets like Der Spiegel, Fox News, Le Monde, and The Washington Post, is as follows -
tribunalukraine.info
rrn.media
ukrlm.info
faz.ltd
spiegel.agency
lemonde.ltd
leparisien.ltd
rbk.media
50statesoflie.media
meisterurian.io
artichoc.io
vip-news.org
acrosstheline.press
mypride.press
truthgate.us
warfareinsider.us
shadowwatch.us
pravda-ua.com
waronfakes.com
holylandherald.com
levinaigre.net
grenzezank.com
lexomnium.com
uschina.online
honeymoney.press
sueddeutsche.co
tagesspiegel.co
bild.work
fox-news.top
fox-news.in
forward.pw, and
washingtonpost.pm
Concurrent with the domain seizures, the Treasury Department sanctioned 10 individuals and two entities for engaging in efforts to influence and undermine confidence in the electoral process.
Specifically, it alleged that executives at RT, Russia's state-funded news media publication, covertly recruited unwitting American influencers into its campaign efforts. It's also said to have used a front company to conceal its own involvement or that of the government.
"At Putin's direction, Russian companies SDA, Structura, and ANO Dialog used cybersquatting, fabricated influencers, and fake profiles to covertly promote AI-generated false narratives on social media," said Deputy Attorney General Lisa Monaco. "Those narratives targeted specific American demographics and regions in a calculated effort to subvert our election."
In conjunction, the DoJ also announced the indictment of two RT employees for funneling $9.7 million to further "hidden" Russian government messaging and disinformation by disseminating thousands of videos via a Tennessee-based content creation firm with an ultimate aim to sow discord among Americans.
Court documents allege that Kostiantyn Kalashnikov, 31, and Elena Afanasyeva, 27, along with other RT employees financed the company's operations to publish English-language videos across TikTok, Instagram, X, and YouTube, racking up millions of views. Kalashnikov and Afanasyeva masqueraded as an outside editing team.
The company is estimated to have posted nearly 2,000 videos since its launch in November 2023, sharing commentary related to immigration, inflation, and other topics related to domestic and foreign policy. The videos have been watched over 16 million times on YouTube alone.
"While the views expressed in the videos are not uniform, most are directed to the publicly stated goals of the Government of Russia and RT — to amplify domestic divisions in the United States," the DoJ said, adding the company "never disclosed to its viewers that it was funded and directed by RT."
The two Russian nationals have been charged with conspiracy to violate the Foreign Agents Registration Act (FARA), which carries a maximum sentence of five years in prison, and conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.
Furthermore, the State Department has instituted a new policy to restrict visa issuance to individuals acting on behalf of Kremlin-supported media organizations and using them as cover to engage in clandestine influence activities.
It has also designated Rossiya Segodnya, and subsidiaries RIA Novosti, RT, TV-Novosti, Ruptly, and Sputnik, as foreign missions, requiring them to notify the Department of all personnel working in the country, as well as disclose all real property they hold within U.S. borders.
Taken together, the actions signal a broader push by the U.S. government to clamp down on Russian-backed disinformation operations ahead of November's general election.
The development comes amid revelations that a Chinese influence operation dubbed Spamouflage has ramped up its efforts to influence online discourse around the U.S. elections, creating fake personas across social media platforms to push divisive narratives about sensitive social issues by capitalizing on a polarized information environment.
"These accounts have seeded and amplified content denigrating Democratic and Republican candidates, sowing doubt in the legitimacy of the U.S. electoral process, and spreading divisive narratives about sensitive social issues including gun control, homelessness, drug abuse, racial inequality, and the Israel-Hamas conflict," Graphika said.
Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore
5.9.24 Virus The Hacker News
Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos.
The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed by French developer Emeric Nasi.
The cybersecurity company said it found artifacts uploaded to VirusTotal from China, Pakistan, Russia, and the U.S. that were all generated by MacroPack and used to deliver various payloads such as Havoc, Brute Ratel, and a new variant of PhantomCore, a remote access trojan (RAT) attributed to a hacktivist group named Head Mare.
"A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines," Talos researcher Vanja Svajcer said.
"These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents."
An important aspect to note here is that the lure themes spanning these documents are varied, ranging from generic topics that instruct users to enable macros to official-looking documents that appear to come from military organizations. This suggests the involvement of distinct threat actors.
Some of the documents have also been observed taking advantage of advanced features offered as part of MacroPack to bypass anti-malware heuristic detections by concealing the malicious functionality using Markov chains to create seemingly meaningful functions and variable names.
The attack chains, observed between May and July 2024, follow a three-step process that entails sending a booby-trapped Office document containing MacroPack VBA code, which then decodes a next-stage payload to ultimately fetch and execute the final malware.
The development is a sign that threat actors are constantly updating tactics in response to disruptions and taking more sophisticated approaches to code execution.
New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm
5.9.24 Virus The Hacker News
The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.
The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.
"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.
Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so).
Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.
Earth Lusca is known to be active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It's assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).
KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file that includes various parameters necessary to meet its functions, including the C&C servers to connect to.
Once initialized, the malware initiates contact with the C&C server on a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.
That having said, not much is known about how the malware is distributed and if it has been used to target other entities across the world.
"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."
Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks
5.9.24 Vulnerebility The Hacker News
Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.
A brief description of the two vulnerabilities is below -
CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
CVE-2024-20440 (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API
While these shortcomings are not dependent on each other for them to be successful, Cisco notes in its advisory that they "are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running."
The flaws, which were discovered during internal security testing, also do not affect Smart Software Manager On-Prem and Smart Software Manager Satellite products.
Users of Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 of the software is not susceptible to the bug.
Cisco has also released updates to resolve a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on an underlying operating system and elevate privileges to root.
The flaw, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrator privileges on an affected device.
"This vulnerability is due to insufficient validation of user-supplied input," the company said. "An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root."
It impacts the following versions -
Cisco ISE 3.2 (3.2P7 - Sep 2024)
Cisco ISE 3.3 (3.3P4 - Oct 2024)
The company has also warned that a proof-of-concept (PoC) exploit code is available, although it's not aware of any malicious exploitation of the bug.
North Korean Hackers Targets Job Seekers with Fake FreeConference App
5.9.24 APT The Hacker News
North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.
The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware.
Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima.
The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers InvisibleFerret, a cross-platform Python backdoor that's equipped with remote control, keylogging, and browser stealing capabilities.
Some iterations of BeaverTail, which also functions as an information stealer, have manifested in the form of JavaScript malware, typically distributed via bogus npm packages as part of a purported technical assessment during the interview process.
But that changed in July 2024 when Windows MSI installer and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were discovered in the wild, acting as a conduit to deploy an updated version of BeaverTail.
The latest findings from Group-IB, which has attributed the campaign to the infamous Lazarus Group, suggest that the threat actor is continuing to lean on this specific distribution mechanism, the only difference being that the installer ("FCCCall.msi") mimics FreeConference.com instead of MiroTalk.
It's believed that the phony installer is downloaded from a website named freeconference[.]io, which uses the same registrar as the fictitious mirotalk[.]net website.
"In addition to Linkedin, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others," security researcher Sharmine Low said.
"After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process."
In a sign that the campaign is undergoing active refinement, the threat actors have been observed injecting the malicious JavaScript into both cryptocurrency- and gaming-related repositories. The JavaScript code, for its part, is designed to retrieve the BeaverTail Javascript code from the domain ipcheck[.]cloud or regioncheck[.]net.
It's worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously making use of different propagation vectors.
Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to establish persistence using AnyDesk.
That's not all. BeaverTail's information-stealing features are now realized through a set of Python scripts, collectively called CivetQ, which is capable of harvesting cookies, web browser data, keystrokes, and clipboard content, and delivering more scripts. A total of 74 browser extensions are targeted by the malware.
"The malware is able to steal data from Microsoft Sticky Notes by targeting the application's SQLite database files located at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite,` where user notes are stored in an unencrypted format," Low said.
"By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim's Sticky Notes application."
The emergence of CivetQ points to a modularized approach, while also underscoring that the tools are under active development and have been constantly evolving in little increments over the past few months.
"Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities," Low said. "They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms."
The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) warned of North Korean cyber actors' aggressive targeting of the cryptocurrency industry using "well-disguised" social engineering attacks to facilitate cryptocurrency theft.
"North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen," the FBI said in an advisory released Tuesday, stating the threat actors scout prospective victims by reviewing their social media activity on professional networking or employment-related platforms.
"Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network."
Android Users Urged to Install Latest Security Updates to Fix Actively Exploited Flaw
5.9.24 OS The Hacker News
Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component.
According to the description of the bug in the NIST National Vulnerability Database (NVD), it concerns a logic error that could lead to local escalation of privileges without requiring any additional execution privileges.
"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," Google said in its Android Security Bulletin for September 2024.
It's worth noting that CVE-2024-32896 was first disclosed in June 2024 as impacting only the Google-owned Pixel lineup.
There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS maintainers revealed that CVE-2024-32896 plugs a partial solution for CVE-2024-29748, another Android flaw that has been weaponized by forensic companies.
Google later confirmed to The Hacker News that the impact of CVE-2024-32896 goes beyond Pixel devices to include the entire Android ecosystem and that it's working with original equipment manufacturers (OEMs) to apply the fixes where applicable.
"This vulnerability requires physical access to the device to exploit and interrupts the factory reset process," Google noted at the time. "Additional exploits would be needed to compromise the device."
"We are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available. As a best security practice, users should always update their devices whenever there are new security updates available."
Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack
5.9.24 Hacking The Hacker News
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations.
It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months.
"This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News.
At its core, the attack hinges on the fact that Python packages published in the PyPI repository may get removed, making available the names of those deleted projects for registration to any other user.
Statistics shared by JFrog show that about 309 packages are removed each month on average. These could happen for any number of reasons: Lack of maintenance (i.e., abandonware), package getting re-published under a different name, or introducing the same functionality into official libraries or built-in APIs.
This also poses a lucrative attack surface that's more effective than typosquatting and which an attacker, using their own accounts, could exploit to publish malicious packages under the same name and a higher version to infect developer environments.
"The technique does not rely on the victim making a mistake when installing the package," the researchers said, pointing out how Revival Hijack can yield better results from the point of view of an adversary. "Updating a 'once safe' package to its latest version is viewed as a safe operation by many users."
While PyPI does have safeguards in place against author impersonation and typosquatting attempts, JFrog's analysis found that running the "pip list --outdated" command lists the counterfeit package as a new version of the original package, wherein the former corresponds to a different package from an entirely different author.
Even more concerning, running the "pip install –upgrade" command replaces the actual package with the phony one without not so much of a warning that the package's author has changed, potentially exposing unwitting developers to a huge software supply chain risk.
JFrog said it took the step of creating a new PyPI user account called "security_holding" that it used to safely hijack the susceptible packages and replace them with empty placeholders so as to prevent malicious actors from capitalizing on the removed packages.
Additionally, each of these packages has been assigned the version number as 0.0.0.1 – the opposite of a dependency confusion attack scenario – to avoid getting pulled by developers when running a pip upgrade command.
What's more disturbing is that Revival Hijack has already been exploited in the wild, with an unknown threat actor called Jinnis introducing a benign version of a package named "pingdomv3" on March 30, 2024, the same day the original owner (cheneyyan) removed the package from PyPI.
On April 12, 2024, the new developer is said to have released an update containing a Base64-encoded payload that checks for the presence of the "JENKINS_URL" environment variable, and if present, executes an unknown next-stage module retrieved from a remote server.
"This suggests that the attackers either delayed the delivery of the attack or designed it to be more targeted, possibly limiting it to a specific IP range," JFrog said.
The new attack is a sign that threat actors are eyeing supply chain attacks on a broader scale by targeting deleted PyPI packages in order to expand the reach of the campaigns. Organizations and developers are recommended to inspect their DevOps pipelines to ensure that they are not installing packages that have been already removed from the repository.
"Using a vulnerable behavior in the handling of removed packages allowed attackers to hijack existing packages, making it possible to install it to the target systems without any changes to the user's workflow," said Moussalli, JFrog Security Research Team Lead.
"The PyPI package attack surface is continually growing. Despite proactive intervention here, users should always stay vigilant and take the necessary precautions to protect themselves and the PyPI community from this hijack technique."
North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit
1.9.24 Exploit The Hacker News
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.
The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.
Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra).
It's worth mentioning that the use of the AppleJeus malware has been previously also attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these threat actors.
"Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain," the Microsoft Threat Intelligence team said.
"As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it."
The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading applications that facilitate the theft of digital assets.
The observed zero-day exploit attack by Citrine Sleet involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. It was patched by Google as part of updates released last week.
As previously stated by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved this year after CVE-2024-4947 and CVE-2024-5274.
It's currently not clear how widespread these attacks were or who was targeted, but the victims are said to have been directed to a malicious website named voyagorclub[.]space likely through social engineering techniques, thereby triggering an exploit for CVE-2024-7971.
The RCE exploit, for its part, paves the way for the retrieval of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform [direct kernel object manipulation]."
CVE-2024-38106, a Windows kernel privilege escalation bug, is one of the six actively exploited security flaws that Microsoft remediated as part of its August 2024 Patch Tuesday update. That said, the Citrine Sleet-linked exploitation of the flaw has been found to have occurred after the fix was released.
"This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," Microsoft said.
CVE-2024-7971 is also the third vulnerability that North Korean threat actors have leveraged this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in the built-in Windows drivers and were fixed by Microsoft in February and August.
"The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106," the company said.
"Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation."