Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Block Chain. Show all posts
worm
Block Chain Canister Cybersecurity malware Supply Chain worm

CanisterWorm Campaign Combines Supply Chain Attack, Data Destruction, and Blockchain-Based Control

 



Malware that can automatically spread between systems, commonly referred to as worms, has long been a recurring threat in cybersecurity. What makes the latest campaign unusual is not just its ability to propagate, but the decision by its operators to deliberately destroy systems in a specific region. In this case, machines located in Iran are being targeted for complete data erasure, alongside the use of an unconventional control architecture.

The activity has been linked to a relatively new group known as TeamPCP. The group first appeared in reporting late last year after compromising widely used infrastructure tools such as Docker, Kubernetes, Redis, and Next.js. Its earlier operations appeared focused on assembling a large network of compromised systems that could function as proxies. Such infrastructure is typically valuable for conducting ransomware attacks, extortion campaigns, or other financially driven operations, either by the group itself or by third parties.

The latest version of its malware, referred to as CanisterWorm, introduces behavior that diverges from this profit-oriented pattern. Once inside a system, the malware checks the device’s configured time zone to infer its geographic location. If the system is identified as being in Iran, the malware immediately executes destructive commands. In Kubernetes environments, this results in the deletion of all nodes within a cluster, effectively dismantling the entire deployment. On standard virtual machines, the malware runs a command that recursively deletes all files on the system, leaving it unusable. If the system is not located in Iran, the malware continues to operate as a traditional worm, maintaining persistence and spreading further.

The decision to destroy infected machines has raised questions among researchers, as disabling systems reduces their value for sustained exploitation. In comments reported by KrebsOnSecurity, Charlie Eriksen of Aikido Security suggested that the action may be intended as a demonstration of capability rather than a financially motivated move. He also indicated that the group may have access to a much larger pool of compromised systems than those directly impacted in this campaign.

The attack chain appears to have begun over a recent weekend, starting with the compromise of Trivy, an open-source vulnerability scanning tool frequently used in software development pipelines. By gaining access to publishing credentials associated with Node.js packages that depend on Trivy, the attackers were able to inject malicious code into the npm ecosystem. This allowed the malware to spread further as developers unknowingly installed compromised packages. Once executed, the malware deployed multiple background processes designed to resemble legitimate system services, reducing the likelihood of detection.

A key technical aspect of this campaign lies in how it is controlled. Instead of relying on conventional command-and-control servers, the operators used a decentralized approach by hosting instructions on the Internet Computer Project. Specifically, they utilized a canister, which functions as a smart contract containing both executable code and stored data. Because this infrastructure is distributed across a blockchain network, it is significantly more resistant to disruption than traditional centralized servers.

The Internet Computer Project operates differently from widely known blockchain systems such as Bitcoin or Ethereum. Participation requires node operators to undergo identity verification and provide substantial computing resources. Estimates suggest the network includes around 1,400 machines, with roughly half actively participating at any given time, distributed across more than 100 providers in 34 countries.

The platform’s governance model adds another layer of complexity. Canisters are typically controlled only by their creators, and while the network allows reports of malicious use, any action to disable such components requires a vote with a high approval threshold. This structure is designed to prevent arbitrary or politically motivated shutdowns, but it also makes rapid response to abuse more difficult.

Following public disclosure of the campaign, there are indications that the malicious canister may have been temporarily disabled by its operators. However, due to the design of the system, it can be reactivated at any time. As a result, the most effective defensive measure currently available is to block network-level access to the associated infrastructure.

This campaign reflects a convergence of several developing threat trends. It combines a software supply chain compromise through npm packages, selective targeting based on inferred geographic location, and the use of decentralized technologies for operational control. Together, these elements underline how attackers are expanding both their technical methods and their strategic objectives, increasing the complexity of detection and response for organizations worldwide.

Read more »
VPN
Android Flaw Block Chain Cyber Bug Cyber Data Cyberattacks Cybersecurity Data Leaks DNS Mullvad Privacy VPN

Android Flaw Exposes DNS Queries Despite VPN Kill Switch

 


Several months ago, a Mullvad VPN user discovered that Android users have a serious privacy concern when using Mullvad VPN. Even with the Always-On VPN feature activated, which ensures that the VPN connection is always active, and with the "Block connections without VPN" setting active, which acts as a kill switch that ensures that only the VPN is the one that passes network traffic, it has been found that when switching between VPN servers, Android devices leak DNS queries. 

It is important to understand that enabling the "Block Connections Without VPN" option (also known as the kill switch) ensures that all network traffic and connections pass through an always-connected VPN tunnel, preventing prying eyes from tracking all Internet activity by users. During the investigation, Mullvad discovered that even with these features enabled in the latest version of Android (Android 14), a bug still leaks some DNS information. 

As a result, this bug may occur when you use apps that make direct calls to the getaddrinfo C function. The function provides protocol-independent translation from a text hostname to an IP address through the getaddrinfo function. When the VPN is active (and the DNS server is not configured) or when the VPN app re-configures the tunnel, crashes or is forced to stop, Android leaks DNS traffic. 

This leakage behaviour is not observed by apps that are solely based on Android's API, such as DNSResolver, Mullvad clarified. As a result, apps such as Flash Player and Chrome that currently have support for getting address information directly from the OS are susceptible to this issue since they can access the address information directly. This is rather concerning since it goes against what you would expect from the OS, even if security features are enabled. 

Users may want to use caution when using Android devices for sensitive tasks, and may even want to employ additional protective measures until Google addresses this bug and issues a patch that is compatible with both original Android and older versions of Android, in light of the severity of this privacy issue. 

The first DNS leak scenario, which occurs when the user changes the DNS server or switches to a different server, is easily mitigated if the VPN app is set to use a bogus DNS server at the same time. It has also failed to resolve the VPN tunnel reconnect DNS query leak, which is a significant issue for all other Android VPN apps because this issue is likely to affect all other VPN apps as well. 

Mullvad also discovered in October 2022 that, every time an Android device connected to a WiFi network, the device leaked DNS queries (such as IP addresses and DNS lookups), since the device was performing connectivity checks. Even when the "Always-on VPN" feature was enabled with the "Block connections without VPN" option enabled, Android devices still leaked DNS queries.

The leak of DNS traffic can potentially expose users' approximate locations and the online platforms they use as well as their precise locations, posing a serious threat to user privacy. Since this is a serious issue, it may be best to stop using Android devices for sensitive activities or to adapt additional safeguards to mitigate the risk of such leaks until Google fixes the bug and backports the patch to older versions of Android to mitigate the risk.
Read more »
Ransomware
Block Chain Crypto Theft Cyber Security North Korea Ransomware

North Korean Actors Behind $600M in Crypto Thefts: TRM Labs


North Korean Hackers

According to a TRM Labs analysis, hackers with ties to North Korea were responsible for one-third of all cryptocurrency exploits and thefts last year, taking away about $600 million in cash.

The blockchain analytics company claimed on Friday that the amount takes the Democratic People's Republic of Korea's (DPRK) total revenue from cryptocurrency initiatives to about $3 billion over the previous six years.

Nevertheless, according to Ari Redbord, head of legal and government affairs at TRM, the amount is roughly 30% lower than in 2022. Actors with ties to the DPRK stole about $850 million that year, "a huge chunk" of which came from the Ronin Bridge exploit, Redbord said. 

Current Scenario

The latter few months of 2023 saw the majority of the stolen money seized.

"They're clearly attacking the crypto ecosystem at a really unprecedented speed and scale and continue to take advantage of sort of weak cyber controls," said Redbord. Many of the attacks continue to use so-called social engineering, allowing the perpetrators to acquire private keys for projects, he said.

TRM links around $200 M in stolen funds to North Korea last year. The fact that the earnings of North Korean attacks go toward the development of WMDs raises worries about national security and sets them apart from other attacks.

Stolen Money: 2023

In 2023, the total amount of money obtained through hacking was approximately $1.7 billion, as opposed to $4 billion, which was taken the year before.

Redbord gave multiple reasons for the decline. Less significant hacks, such as the Ronin theft in 2022, have occurred. Other contributing factors include stronger cybersecurity measures, effective law enforcement initiatives, and, to a lesser degree, price volatility in the previous year.

During a recent trilateral meeting over North Korea's WMD efforts, national security officials from the United States, the Republic of Korea, and Japan brought up these concerns directly.

"North Korean hackers are different, because it's not for greed or money or the typical hacker mentality; it's about taking those funds and using them for weapons proliferation and other types of destabilizing activity, which is a global threat," Redbord said. "And that's why there's such a focus on it from a national security perspective."
Read more »
Subscribe to: Posts (Atom)