
XDSpy Hackers Target Russian Military Industrial Companies

A cyberespionage group called XDSpy has recently attacked Russian military-industrial enterprises, as per new research. 

XDSpy is said to be a state-controlled hacking group, active since 2011, that mainly targets countries across Eastern Europe and the Balkans. In its recent November campaign, the attackers tried to gain entry into the systems of a Russian metallurgical enterprise and of a research organization involved in the development and production of guided missile weapons, according to the Russian cybersecurity firm F.A.C.C.T.

F.A.C.C.T. — an offshoot of Singapore-based cybersecurity firm Group IB — reported earlier this week that hackers sent phishing emails to their victims, posing as a research organization dealing in nuclear weapon design.

Similar tactics used in previous attacks

The group's tactics were similar to those used in their earlier attack on Russian companies, which included a well-known scientific facility in July. During that event, the hackers pretended to be Russia's Ministry of Emergency Situations and sent phishing emails with malicious PDF files. Researchers did not say whether attackers could break into the victims' systems and steal data.

According to F.A.C.C.T., Russia is the primary target of XDSpy. Analysts say the group has previously targeted the country's government, military, financial institutions, and energy, research, and mining firms.

Even though the group has been active for years, there has been no proof of its attacks on Russia, in part because many foreign cybersecurity companies left the country following Russia's invasion of Ukraine.

Spearphishing used in attacks

ESET, a cybersecurity firm based in Slovakia, has been monitoring XDSpy's behavior since 2020, and researcher Matthieu Faou said that the group has constantly undertaken spearphishing efforts aimed mostly at important companies in Eastern Europe.

ESET lost first-hand visibility of cyberattacks occurring in Russia and Belarus, both targets of XDSpy, after leaving those countries. However, the company announced last week that it had spotted the group's attack on a Ukrainian aerospace company.

In this attempt, which was not officially reported by Ukrainian security services and was likely unsuccessful, the hackers used a breach chain nearly identical to the one described by F.A.C.C.T. "We do agree with their analysis and also attribute this to XDSpy," stated Faou.

Despite the group's extensive history, analysts have not been able to pinpoint the country that is funding it. XDSpy may not have an exceptionally sophisticated toolbox, but "they have very good operative defense," according to Faou. "So far, we haven't found any errors that could point toward a specific country."

Russia: Victim of Cyberattack

Because many Western corporations have little access to computer systems in the region, reports about cyberattacks against Russia are rare.

This week, on the other hand, has been jam-packed with reports from Russian cybersecurity organizations. In addition to the XDSpy attack, F.A.C.C.T. recorded a DarkWatchman malware-based strike on Russian banks, telecom providers, logistics organizations, and IT firms. The hackers disguised a phishing email as a newsletter from a Russian courier delivery firm. The outcome of these strikes is uncertain.

According to the Russian cybersecurity firm Positive Technologies, which has been sanctioned by the US, another cyberattack was carried out by a new hacker gang called Hellhounds. Hellhounds has already infiltrated at least 20 Russian businesses, including government institutions, technology firms, and space and energy industries.

Rare Wolf hackers were also recorded by the cybersecurity firm BI.ZONE. According to researchers, the gang has targeted approximately 400 Russian companies since 2019.

These assessments do not reveal which countries are responsible for the attacks against Russia. However, analysts at the cybersecurity firm Solar stated in a November report that the majority of state-sponsored attacks against Russia come from North Korea and China, with a primary focus on data theft.


Scarab Ransomware Toolkit: Unveiling the Ingenious Weaponry

 


In a recent report, cybersecurity researchers from ESET highlighted that a malicious toolset named Spacecolon is being used to spread variants of the Scarab ransomware family to victim organizations around the world.

ESET's advisory explains that the toolset allows attackers to penetrate victim organizations by exploiting vulnerable web servers or by brute-forcing Remote Desktop Protocol (RDP) credentials. ESET's investigation also found that certain Spacecolon versions include Turkish strings, which suggests that a Turkish-speaking developer was involved in their development.

According to a detailed technical report released on August 22, 2023, by ESET security researcher Jakub Souček, the Spacecolon malicious toolkit is being used in a campaign that targets organizations all over the world to spread various variants of the Scarab ransomware, with anti-torture organizations targeted in particular.

The most recent Spacecolon build dates from May 20, 2023, and the roots of the project can be traced back to as early as May 2020. Despite extensive tracking and analysis, ESET has not yet determined which threat actor group is using the toolset. The firm has therefore named the operators behind Spacecolon "CosmicBeetle" because of the similarity of the names.

CosmicBeetle is reported to have infiltrated companies through misconfigured web servers and by brute-forcing Remote Desktop Protocol (RDP) login credentials. Victims infected with Spacecolon since May 2020 have been identified in several countries, including France, Mexico, Poland, Slovakia, Spain, and Turkey.

Victims include a hospital and a tourist resort in Thailand, an insurance company in Israel, a Polish government organization, an entertainment company in Brazil, a Turkish environmental company, and an American school in Mexico. CosmicBeetle may also target servers that have not yet been updated with security patches, attempting to infiltrate networks by exploiting their vulnerabilities.

After compromising a vulnerable web server, CosmicBeetle deploys the main Spacecolon component, ScHackTool. This type of attack relies heavily on a GUI and on the active participation of operators; the GUI lets operators orchestrate attacks and download and execute additional tools on compromised machines on demand, according to their requirements.

CosmicBeetle can deploy ScInstaller over the local network and use it to further entrench its access to the target; for example, ScInstaller can install ScService, which provides even further remote access. Ultimately, CosmicBeetle deploys a Scarab ransomware variant as the final payload of its campaign.

This variant also deploys clipboard-monitoring malware known as ClipBanker, which watches the clipboard contents and replaces content of interest, e.g. cryptocurrency wallet addresses, with an address controlled by the attacker. Additionally, samples of a new ransomware family are being uploaded to VirusTotal from Turkey, suggesting that this family is under active development.

Based on its research, ESET is convinced that this malware, which it has named ScRansom, was written by the same developers as Spacecolon. In addition to encrypting all hard drives, removable drives, and remote drives, ScRansom also encrypts e-mail.

The ransomware has not yet been seen in the wild and is still at a pre-release stage of development. First discovered in February 2023, the attacks have most likely changed as a result of the disclosure of Spacecolon variants by Zaufana Trzecia Strona.

Spacecolon is primarily composed of ScHackTool, a Delphi-based orchestrator that deploys an installer which, as the name implies, installs ScService, a backdoor that can run custom commands, download and execute payloads, and collect system information from compromised systems. ScHackTool also retrieves several third-party tools from a remote server at IP address 193.149.185.23. These are used to exploit the access provided by ScService to introduce a Scarab ransomware variant whose goal is to extract ransom money from the victim.

ESET also identified an alternative infection chain in which the threat actors use Impacket rather than ScHackTool to deliver ScService, indicating that they are experimenting with different techniques for deploying ScService.

CosmicBeetle's motives are financial: the ransomware payload includes clipper malware that monitors the system clipboard and replaces cryptocurrency wallet addresses with ones the attacker controls, through the use of file-sharing programs.

There is also evidence of active development of another ransomware strain, known as ScRansom. It uses AES-128 to encrypt hard drives, removable drives, and networked drives; the encryption key can be derived from a hard-coded string, which makes the variant suitable for cases where the key must be derived from multiple sources.

Another weakness of CosmicBeetle's malware is the lack of effort to conceal its presence: the toolset leaves several artifacts behind on compromised machines and lacks robust anti-analysis and anti-emulation defenses.

GravityRAT: ESET Researchers Discover New Android Malware Campaign


ESET researchers have recently discovered a new Android malware campaign, apparently infecting devices with an updated version of GravityRAT, distributed via messaging apps BingeChat and Chitaco. The campaign has been active since August 2022.

According to ESET researcher Lukas Stefanko, who examined a sample after receiving a tip from MalwareHunterTeam, one of the noteworthy new features in the most recent GravityRAT version is the ability to collect WhatsApp backup files.

GravityRAT

GravityRAT is a remote access tool that has been used in targeted cyberattacks on India since at least 2015. There are versions for Windows, Android, and macOS, as previously reported by Cisco Talos, Kaspersky, and Cyble. The actor behind GravityRAT is still unknown; ESET tracks the group internally as SpaceCobra.

Although GravityRAT has been active since at least 2015, it only began specifically focusing on Android in 2020. Its operators, 'SpaceCobra,' only employ the malware in specific targeting tasks.

Current Android Campaign

According to ESET, the app is delivered via “bingechat[.]net” and other domains or distribution channels, but the downloads require an invite, valid login information, or the creation of a new account.

While registrations are currently closed, this method lets the threat actors distribute the malware only to targeted users. It also makes it more difficult for researchers to obtain a copy for analysis.

Upon installation on the target's smartphone, the BingeChat app makes dangerous requests for access to contacts, location, phone, SMS, storage, call records, camera, and microphone.

Since these are some typical permissions asked of the users for any instant messaging apps, the malicious app goes unsuspected.

The program provides call records, contact lists, SMS messages, device location, and basic device information to the threat actor's command and control (C2) server before the user registers on BingeChat.

Along with the aforementioned records, files of the following types are also exfiltrated: jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32.

While SpaceCobra’s malware campaign is mainly targeting India, all Android users are advised to refrain from downloading APKs anywhere other than Google Play and be very careful with potentially risky permission requests while installing any app.

Vehicles Stolen Using High-Tech Methods by Criminals

 


Over the past 20 years, the number of cars stolen in the United States has been reduced by half. However, authorities are now seeing an increasing number of break-ins that rely on high-tech techniques.

Evidence suggests that some employees at the Immigration and Customs Enforcement Agency (ICE) misused law enforcement databases to spy on their romantic partners, neighbors, and business partners.

According to a new dataset obtained through records requests, hundreds of ICE employees and contractors have been under scrutiny since 2016 for attempting to access medical, biometric, and location data without permission. The revelations raise further questions about ICE's ability to protect sensitive information.

Local intelligence agencies have found that criminals are now using sophisticated technology to target high-end luxury cars equipped with keyless entry systems and emergency starting features.

The group identified three main methods criminals use nationwide to gain access to and steal vehicles with these features.

Two years ago, Michael Shin of Los Angeles captured video of a man opening his car while holding just a backpack. As Shin explained, the man had no break-in tools in his possession. An NICB official confirmed that the NICB had tested 35 vehicles using this type of device; the team opened, started, and drove off in 18 of the test cars without any problems.

Morris said it was believed that professional criminals have discovered how to build their versions of the devices that the NICB used for its break-in tests. Morris explained that the NICB used devices supplied by a company that works closely with law enforcement on security testing for these tests. 

With criminals discovering how to hack into vehicle security systems and defeat them, car owners must be vigilant to protect their vehicles. As Morris pointed out in his statement, this is a serious reminder of the risks associated with today's cars that function as essentially "computers on wheels." 

In a recent study, ESET researchers discovered that old enterprise routers contain a significant amount of sensitive data. The company purchased an old router and analyzed it, discovering that it held login details for the company VPN, hashed root admin passwords, and details of the previous owner. With the information available on the router, it would be easy to impersonate the company that previously owned it. Passkeys are expected to replace all your passwords in the future, but the race to replace passwords with them is entering a messy phase. Getting new technologies off to a good start is among the biggest challenges in introducing them to the market.

Authorities were puzzled by this type of break-in for several years, but insurance investigators now believe that criminals are exploiting key fobs - the little authentication devices used to unlock and start newer “keyless” models at the push of a button - to unlock and start cars remotely.

As a result of tests conducted by the research and development team, the group found that the vehicle's computer-controlled systems are being exploited by thieves carrying out highly sophisticated cyber-attacks.

These attacks include a combination of CAN attacks, fob relays, and key-cloning attacks.

  • In a CAN attack, high-tech electronic equipment is used to gain entry to the vehicle's Controller Area Network (CAN) and then access the computer system to start the engine using remote access software; the vehicle is driven away as soon as the engine starts.
  • Fob relaying uses advanced receivers and transmitters to read the vehicle's security key remotely, allowing an attacker to unlock and start the vehicle even while the key fob is in the owner's possession.
  • In the third method, a variety of sophisticated techniques and equipment are used to disable the vehicle's alarm system after forced entry, and then to clone and steal the vehicle's security key.

A Corporate Secret is not Destroyed, it's Discarded: Threat of Old Routers

 



Many business network environments now and then go through the process of removing a defunct router from a rack and installing a shiny refurbished replacement. The fate of the disposed router deserves as much attention as, if not more than, the smooth transition and delivery of the upgraded kit into the rack. The truth, however, is that this is not always the case.

Home and business security are threatened by security issues stemming from vulnerabilities in routers. These threats can extend beyond email compromises to security breaches in physical homes. However, despite this, people rarely consider security as a concern when using their devices. According to research, approximately 73% of Internet users never consider upgrading their router or securing their system. Therefore, it can be considered one of the major threats to the Internet of Things.

The ESET research team was surprised to find that, in many cases, previously used configurations had not been wiped from the used routers they purchased to set up a test environment. They were shocked to realize that the data on the routers could be used to identify the prior owners, along with their network configurations.

The researchers purchased 18 used routers made by three popular vendors: Cisco, Fortinet, and Juniper Networks, in a variety of models. Nine of them were found exactly the way their owners left them, fully accessible. Only five of the remaining ones had been properly wiped by their owners. One of the devices was encrypted, one was dead, and the other was a mirror copy of an encrypted device.  

All nine unwiped devices appeared to contain credentials for the organization's VPN. They also contained credentials for another secure network communication service, or hashed passwords for the organization's root administrators. All of them held enough identifying data to determine the previous owner or operator of the router, and to identify the router itself.

In the wrong hands, the data gathered from these devices, including customer data, router-to-router authentication keys, lists of applications, and more, could be used to launch cyberattacks. It would give an attacker the initial access needed to research where a company's digital assets are located and what they might be worth.

An Internet router serves as the hub of an entire home network. This is where all elements of a smart home are connected to the Internet and share information between them. 

When attackers infect a router, they gain access to the network over which its data packets are transmitted. From there, they can install malicious software on the victims' computers, allowing them to steal sensitive data, private photos, and business files, which is potentially irreparable damage. Using the infected router, the attacker can also redirect users to phishing websites that look exactly like popular webmail and online banking sites.

KELA, a company specializing in cybercrime prevention technologies, has found that the average price for initial access credentials to a corporate network is $2,800. A used router bought for a few hundred dollars could therefore give a cybercriminal a significant return on investment: they could purchase it out of pocket and use it immediately to access the network with little effort. It is assumed that they would simply strip off the access data and sell it on the dark web rather than launch a full-scale cyberattack themselves, although that may very well happen too.

In light of the ESET researchers' findings, organizations may believe that they are acting responsibly by contracting device disposal to an outside device-management firm.

E-waste disposal businesses, or device-sanitization services that promise to wipe large volumes of corporate devices for resale, are expected to take care of that for you.

In practice, however, these third parties may not be doing what they claim. Since mainstream routers come with encryption and other security features, more organizations might use them to limit the fallout should unwiped devices end up roaming the world with no protection.

Ensure that your router is protected from cybercriminals' attacks by following these steps:

  • There are risks associated with buying second-hand smart appliances. Previous owners of such products may have modified the alarm system firmware so that a remote attacker can collect all the data.
  • It is very important that you change the default password of your account. You should choose a complex password and change it regularly.
  • On social networks, you should not share serial numbers, IP addresses, or other sensitive information concerning your smart devices. 
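
The ESET findings above come down to one question for the person decommissioning a router: is anything left in the exported configuration that identifies the owner or grants access? The following pre-disposal check is an added example written for this page, not ESET's own tooling; its keyword list is an assumption covering common Cisco IOS, Juniper Junos (set format) and FortiOS syntax, and the configurations it scans are constructed samples.

```python
"""Pre-disposal configuration check: constructed example, not ESET's tooling.

Before a router leaves the rack for resale or e-waste, export its running
configuration and run it through this check. It flags the classes of data
ESET found on second-hand devices: VPN pre-shared keys, admin password
hashes, router-to-router authentication keys, SNMP communities, and names
that identify the previous owner. The keyword list is an assumption of
this example covering common Cisco IOS, Juniper Junos (set format) and
FortiOS syntax; extend it for the platforms you actually operate.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    category: str
    text: str        # matched keyword only; the value is never reported


PATTERNS = [
    # admin credentials (plain or hashed)
    ("admin-password-hash", re.compile(r"^(enable|username \S+) (secret|password)\b")),
    ("admin-password-hash", re.compile(
        r"^set system (root-authentication|login user \S+ authentication) encrypted-password\b")),
    ("admin-password-hash", re.compile(r"^\s*set password\b")),
    # VPN pre-shared keys
    ("vpn-preshared-key", re.compile(r"^crypto isakmp key\b")),
    ("vpn-preshared-key", re.compile(r"^set security ike policy \S+ pre-shared-key\b")),
    ("vpn-preshared-key", re.compile(r"^\s*set psksecret\b")),
    # keys shared with AAA servers or neighbouring routers
    ("router-auth-key", re.compile(r"^(tacacs-server|radius-server) key\b|^\s*key-string\b")),
    # SNMP community strings
    ("snmp-community", re.compile(r"^snmp-server community\b|^set snmp community\b")),
    # names that tie the device to its former owner
    ("owner-identity", re.compile(
        r"^(hostname|ip domain[- ]name)\b|^set system (host-name|domain-name)\b|^\s*set hostname\b")),
]


def find_residual_secrets(config_text: str) -> List[Finding]:
    """Return one Finding per configuration line that still carries sensitive data."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        for category, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                # report the keyword, not the secret, so the report itself is safe to share
                findings.append(Finding(line_no, category, match.group(0).strip() + " <value redacted>"))
                break
    return findings


def is_safe_to_dispose(config_text: str) -> bool:
    return not find_residual_secrets(config_text)


# Constructed sample: a branch router whose config was never wiped.
CISCO_LEFTOVER = """\
hostname branch-rtr-01
ip domain-name corp.example
enable secret 5 $1$abcd$constructedhashvalue
username netadmin secret 5 $1$efgh$constructedhashvalue
crypto isakmp key ConstructedPSK address 203.0.113.10
snmp-server community ConstructedRO RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Constructed sample: a Junos firewall still holding a root hash, an IKE key and a community.
JUNOS_LEFTOVER = """\
set system host-name edge-fw-02
set system root-authentication encrypted-password "$6$constructedhash"
set security ike policy ike-pol-hq pre-shared-key ascii-text "constructed"
set snmp community public authorization read-only
"""

# Constructed sample: what a properly factory-reset Junos box looks like.
JUNOS_WIPED = """\
set version 20.4R3
set system services ssh
set interfaces ge-0/0/0 unit 0 family inet dhcp
"""

if __name__ == "__main__":
    for name, cfg in [("cisco", CISCO_LEFTOVER), ("junos", JUNOS_LEFTOVER), ("wiped", JUNOS_WIPED)]:
        print(name, "safe to dispose" if is_safe_to_dispose(cfg) else "NOT safe")
        for f in find_residual_secrets(cfg):
            print(f"  line {f.line_no}: {f.category}: {f.text}")
```

A clean report is necessary but not sufficient: the check only sees the configuration you exported, so it should be followed by the vendor's factory-reset procedure and a second export to confirm the device really came back empty.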

Hacker Group Cranefly Develops IIS Method

A recently uncovered dropper uses a novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs to install backdoors and other tools. Cybersecurity experts at Symantec said an attacker known as Cranefly, also known as UNC3524, is utilizing the malware to install Trojan.Danfuan, another undocumented malware, as well as other tools.

Mandiant reported, when it first described Cranefly in May, that the group mainly targeted the emails of individuals who specialized in corporate development, mergers and acquisitions, and significant corporate transactions. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment that does not support security tooling.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory claims that UNC3524 has used Hacktool-based backdoors in some instances, including the open-source tool Regeorg, which multiple advanced persistent threat (APT) clusters use.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group, as evidenced by its adoption of a new method in conjunction with bespoke tools and the measures taken to conceal its activity.

Symantec lists the indicators of compromise (IoCs) for this attack on its Protection Bulletins website. Polonium is another threat actor that usually focuses on gathering intelligence; ESET recently saw Polonium using seven different backdoor variants to spy on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.



Hacktivists Target Asian Government Organizations

 

An unknown espionage group called Worok, active since late 2020, targets high-profile businesses and local governments headquartered largely in Asia.

The group, named Worok by ESET researchers, has also attacked targets in the Middle East and Africa.

Worok is alleged to have parallels with another adversary group known as TA428 in terms of skills and goals. TA428 has been linked to attacks against military, government, and public sector organizations, as well as telecom, banking, maritime, and energy firms.

Worok's toolkit, according to ESET researcher Thibaut Passilly, "includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that employs steganography to extract concealed malicious payloads from PNG files."

Between May 2021 and January 2022, the group's malicious operations took a significant hiatus before picking back up the following month. The Slovak cybersecurity company determined that the group's objectives were compatible with identity theft.

In certain cases, ProxyShell exploits were used in 2021 and 2022 to gain an initial foothold on target networks. Additional custom backdoors were then introduced for entrenched access. Other initial compromise approaches are not yet known.

Infection chains in 2022 have now abandoned CLRLoad in favor of PowHeartBeat, a fully functional PowerShell implant that launches PNGLoad and communicates with a remote server via HTTP or ICMP to carry out associated file operations, transmit and receive files, and execute arbitrary commands.

"In such situations, webshells have often been uploaded after these vulnerabilities have been exploited in order to enable persistence in the victim's network. The operators then utilized a variety of implants to obtain more capabilities," Passilly continued.

ESET discovered a new PowerShell backdoor called PowHeartBeat, which has replaced CLRLoad in instances recorded since February 2022 as the tool designed to launch PNGLoad on infected systems. However, it has not yet been able to recover one of the final payloads delivered in the group's attacks.

A cyber espionage organization called Worok compromises its targets using both custom-built tools and techniques that already exist.

We believe the attackers are after information theft from their victims as they target high-profile organisations in Asia and Africa, focusing on diverse sectors, both private and public, but with a particular emphasis on government entities.

Symbiote: A Stealth Malware that Attacks Banking Institutions

 

Cybersecurity experts have discovered a "nearly-impossible-to-detect" Linux malware that can be used to backdoor infected systems. Named Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is notable for its ability to hide itself in running processes and network traffic and to extract the target's data like a parasite.

The Hacker News says "this is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that's built to steal OpenSSH credentials and maintain access to a compromised server." 

The actors behind Symbiote are believed to have started working on the malware in November 2021, using it to target financial institutions in Latin America, including banks such as Banco do Brasil and Caixa.

Symbiote's main aim is to harvest credentials and facilitate backdoor access to the target's systems. What makes Symbiote stand out from other Linux malware is that it infects running processes rather than using a standalone executable to cause damage.

This is done by leveraging a native Linux feature known as LD_PRELOAD, a technique earlier used by malware such as Pro-Ocean and Facefish. The dynamic linker then loads Symbiote into running processes, from which it begins infecting the host. Besides hiding itself in the file system, Symbiote can also cloak its network traffic using the extended Berkeley Packet Filter (eBPF) feature.

It achieves this by injecting itself into the process of packet-capture software and using BPF to filter out the results that would disclose its activity.

"Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its existence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files," reports The Hacker News.
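
Because the preload mechanism described above is the implant's way in, a defender can audit the two places it is configured, /etc/ld.so.preload and each process's LD_PRELOAD variable, together with the shared objects each process actually has mapped. The audit below is an added example written for this page, not BlackBerry's or Intezer's tooling; the trusted-directory list and the /proc-style samples it is tested on are constructed assumptions.

```python
"""LD_PRELOAD audit: constructed example, not BlackBerry's or Intezer's tooling.

Symbiote rides into every new process through the dynamic linker's preload
mechanism: an entry in /etc/ld.so.preload (system-wide) or an LD_PRELOAD
variable in a process's environment. This audit reads both sources, plus
each process's memory map, and flags shared objects that come from
directories no package manager would install into. The trusted directory
list and the constructed samples below are assumptions of this example.
"""
import os
from typing import Dict, List, NamedTuple

# Directories from which a legitimately installed shared object is expected.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


class Finding(NamedTuple):
    source: str    # "ld.so.preload", "environ" or "maps"
    pid: int       # 0 for the system-wide preload file
    library: str
    reason: str


def _untrusted(path: str) -> bool:
    return not path.startswith(TRUSTED_LIB_DIRS)


def audit_preload_file(contents: str) -> List[Finding]:
    """Every entry in /etc/ld.so.preload is injected into all dynamically linked
    processes; on a healthy host the file is usually absent or empty, so each
    entry deserves a look, and one from a scratch directory is a red flag."""
    findings = []
    for raw in contents.splitlines():
        lib = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not lib:
            continue
        reason = ("system-wide preload from untrusted directory" if _untrusted(lib)
                  else "system-wide preload present (verify package ownership)")
        findings.append(Finding("ld.so.preload", 0, lib, reason))
    return findings


def audit_process(pid: int, environ: Dict[str, str], maps: str) -> List[Finding]:
    """Check one process: its LD_PRELOAD variable and the .so files it has mapped."""
    findings = []
    for lib in environ.get("LD_PRELOAD", "").replace(":", " ").split():
        findings.append(Finding("environ", pid, lib, "LD_PRELOAD set in process environment"))
    seen = set()
    for line in maps.splitlines():
        fields = line.split(maxsplit=5)        # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue
        path = fields[5]
        is_shared_object = path.endswith(".so") or ".so." in path
        if is_shared_object and _untrusted(path) and path not in seen:
            seen.add(path)
            findings.append(Finding("maps", pid, path, "shared object mapped from untrusted directory"))
    return findings


def audit_live_system() -> List[Finding]:
    """Run the audit against the running host (root needed to read other users' environ)."""
    findings = []
    try:
        with open("/etc/ld.so.preload") as f:
            findings += audit_preload_file(f.read())
    except FileNotFoundError:
        pass
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                raw = f.read().decode(errors="replace")
            with open(f"/proc/{pid}/maps") as f:
                maps = f.read()
        except OSError:          # process exited, or not ours to read
            continue
        environ = dict(kv.split("=", 1) for kv in raw.split("\0") if "=" in kv)
        findings += audit_process(pid, environ, maps)
    return findings


# Constructed samples modelled on what a preload-based implant leaves behind.
PRELOAD_SAMPLE = "# constructed\n/dev/shm/libconstructed.so\n"
ENVIRON_SAMPLE = {"PATH": "/usr/bin", "LD_PRELOAD": "/dev/shm/libconstructed.so"}
MAPS_SAMPLE = (
    "7f0000000000-7f0000001000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f0000001000-7f0000002000 r-xp 00001000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f0000100000-7f0000101000 r--p 00000000 08:01 5678 /dev/shm/libconstructed.so\n"
    "7f0000101000-7f0000102000 r-xp 00001000 08:01 5678 /dev/shm/libconstructed.so\n"
    "7f0000200000-7f0000201000 rw-p 00000000 00:00 0 [heap]\n"
)

if __name__ == "__main__":
    for f in audit_preload_file(PRELOAD_SAMPLE) + audit_process(4242, ENVIRON_SAMPLE, MAPS_SAMPLE):
        print(f"{f.source:13} pid={f.pid:<6} {f.library}: {f.reason}")
```

Since Symbiote hides itself from processes on the infected host (the rootkit behaviour described above), run this from a statically linked binary or from a clean system against the mounted disk rather than trusting the infected host's own view of /proc and /etc.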

Viasat: AcidRain Wiper Disables Satellite Modems

 

The cyberattack that erased SATCOM modems on the KA-SAT satellite broadband service on February 24 used a newly discovered data wiper. It affected thousands of users in Ukraine and thousands more across Europe.

The cybersecurity firm SentinelOne claims to have discovered the malware sample that disrupted internet connectivity on February 24. The malware, called AcidRain, which was likely also used in the Viasat breach, is a Unix executable meant to attack MIPS-based devices. This could indicate the attackers' lack of familiarity with the filesystem and firmware of the targeted devices, or their desire to create a reusable tool.

The same sample came from SkyLogic, the Viasat operator in charge of the damaged network, which is also situated in Italy. The software sample was also tagged with the moniker "ukrop," which could be a reference to the Ukraine Operation. 

The researchers underscored that Viasat did not offer technical indicators of compromise or a detailed incident response report; instead, the satellite company said that rogue commands damaged modems in Ukraine and other European countries. The SentinelOne duo were perplexed as to how valid commands could produce such mayhem in the modems: "scalable disruption is more feasibly performed by delivering an update, script, or executable," they added.

The program completely wipes the system and the files on various storage devices. If launched as root, AcidRain first performs a recursive overwrite and deletion of non-standard files in the filesystem, SentinelOne threat researchers Juan Andres Guerrero-Saade and Max van Amerongen revealed.

The wipers overwrite file structures with up to 0x40000 bytes of data or utilize MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) service calls to erase data on compromised devices. 

The fact Viasat has supplied nearly 30,000 modems to get clients back online since the February 2022 attack and is still shipping more to speed up service restoration, suggests that SentinelOne's supply-chain threat scenario is correct. The IOCTLs used by this virus also resemble those used by the VPNFilter malware 'dstr' wiper plugin, a destructive program linked to Russian GRU hackers. 

The Ukrainian Computer Emergency Response Team recently stated that a data wiper known as DoubleZero had been used in attacks on Ukrainian businesses. On the day Russia invaded Ukraine, researchers discovered IsaacWiper, another data wiper, and HermeticWizard, a new worm that dropped HermeticWiper payloads. ESET has also discovered a fourth data-destroying strain called CaddyWiper, which wipes data across Windows domains and destroys user data and partition information on attached drives.

Microsoft discovered a sixth wiper, now known as WhisperGate, in mid-January; it was used in data-wiping attacks on Ukraine while masquerading as ransomware.

Hackers from China's 'Mustang Panda' Were Using New 'Hodur' Malware

 

Mustang Panda (aka TEMP.Hex, HoneyMyte, TA416 or RedDelta), a China-based advanced persistent threat (APT), has been tied to an ongoing cyberattack campaign that uses a previously undocumented variant of the PlugX remote access trojan against victims mostly in and around Southeast Asia. Slovak cybersecurity firm ESET named the new version Hodur because of its similarities to another PlugX (aka Korplug) variant, THOR, which surfaced in July 2021.

Korplug is a custom malware family in wide use; it was first documented in a 2020 investigation into Chinese hackers' activity against Australian targets. In the most recent known campaign, Mustang Panda used phishing lures with decoy documents to target European embassies, Internet service providers (ISPs) and research institutes, according to ESET. "Anti-analysis measures and control-flow obfuscation are used at every level of the deployment process," the firm said.

Hodur is based on PlugX, a remote access tool that "allows remote users to steal data or take control of impacted systems without authorization. It can copy, move, rename, execute, and delete files, as well as log keystrokes and fingerprint the infected system." Whatever the phishing lure, the infection ends with the Hodur backdoor being deployed on the compromised Windows host.

The campaign begins simply, with the group phishing its targets using current events. Last month Proofpoint observed it using a NATO diplomat's email address to send out .ZIP and .EXE files labeled "Situation at the EU Borders with Ukraine." If the victim takes the bait, a legitimate, properly signed executable that is prone to DLL search-order hijacking is delivered. The countries targeted in this campaign are Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar and South Sudan.

ESET says it has sampled sophisticated custom loaders as well as new Korplug (Hodur) versions that still rely on DLL side-loading but have considerably more robust obfuscation and anti-analysis techniques across the infection chain. The side-loaded custom DLL loader is launched by a digitally signed, genuine executable, in this case a SmadAV file, and leverages a known flaw in it. All of the loader's many functions are decoys except for one, which loads the new Korplug variant.

Since this is a Chinese actor with a history of pursuing political espionage goals, its targeting is likely to remain fairly consistent.

Iranian Hackers Employed a New Marlin Backdoor in a Surveillance Operation 

 

Iranian hackers are using a new backdoor named Marlin as part of a long-running surveillance operation that began in April 2018. ESET, a Slovak cybersecurity firm, attributed the attacks, which it calls "Out to Sea," to the threat actor OilRig (aka APT34) and also firmly linked its activities to another Iranian group, Lyceum (aka Hexane or SiameseKitten).

Since 2014, the group has attacked Middle Eastern governments as well as a range of industry verticals, including chemical, oil, finance and telecommunications. In April 2021, the threat actors used an implant dubbed SideTwist to attack a Lebanese company.

"Victims of the campaign include diplomatic institutions, technological businesses, and medical organizations in Israel, Tunisia, and the United Arab Emirates," according to a report by ESET.

Lyceum has previously run campaigns against IT companies in Israel, Morocco, Tunisia and Saudi Arabia. Since the campaign was discovered in 2018, Lyceum's infection chains have evolved to drop several backdoors, starting with DanBot and progressing to Shark and Milan in 2021. Later attacks, using a new data-harvesting backdoor dubbed Marlin, were detected in August 2021.

The group discarded its old OilRig TTPs, which included command-and-control (C&C) communication over DNS and HTTPS; Marlin instead relies on Microsoft's OneDrive API for its C&C traffic. ESET described the parallels in tools and tactics between OilRig's backdoors and Lyceum's as "too numerous and specific," and said initial access to the network was gained through spear-phishing and remote management applications such as ITbrain and TeamViewer.

"The ToneDeaf backdoor connected with its C&C primarily over HTTP/S, but featured a secondary route, DNS tunneling, which did not work effectively," the researcher indicated. "Shark has similar problems, with DNS as its primary communication channel and an HTTP/S secondary one which isn't working." 

Marlin also randomizes the internal structure of its executable code, denying an attacker a comprehensive picture of the instruction addresses needed to build an exploit payload. The findings also revealed the use of several folders in the backdoor's working directory for sending data to and receiving data from the C&C server, and the concurrent use of DNS as a C&C channel with HTTP/S as a backup communication mechanism.

More than 90% of Russians do not Finish Reading User Agreements on the Internet

A study by the information security company ESET found that Russian Internet users do not read user agreements on websites in 81% of cases.

13% of respondents said they completely ignore the agreements presented to them and accept them without looking. Nearly half of Russians (49%) either have only a vague idea of what user agreements are or no idea at all. The overwhelming majority (92%) do not worry about their data being transferred to third parties: they do not try to leave a site or application whose user agreement specifies such a transfer.

Compared with citizens of Europe and the United States, Russians are generally less diligent about reading user agreements, said Fedor Muzalevsky, director of the technical department at RTM Group. Experts noted that the reason for this digital illiteracy may be that user agreements came into use in the Russian Federation later than in Western countries.

A careless attitude to user agreements can have consequences, warned Kirill Podgorny, director of ESET's marketing department. According to him, contracts sometimes contain exotic or impossible conditions.

"A good example is the experiment of the British wireless Internet operator Purple, which introduced the clause 'I undertake to go to voluntary work on cleaning public toilets' into its agreement. Out of 22 thousand users who agreed to the terms of service, only one noticed this point and complained to the provider," the experts said.

However, far more often the clauses are potentially dangerous. For example, a condition granting automatic consent to the processing of personal data is illegally added to user agreements, said Lyudmila Kurovskaya, head of the Center for Legal Assistance to Citizens in the Digital Environment.

"When citizens submit their data without going into the purpose of its processing, automatically check the boxes on websites and report excessive information about themselves, it can create conditions for leakage of their personal data," she said.

ESET: Criminals will be Able to Steal Personal Data Using Smartwatches

 

ESET analysts reported that cybercriminals can use smartwatches to steal personal data and warned Russians about the main dangers associated with this gadget. 

"According to our estimates, the market for smartwatches and fitness trackers will grow by 12.5 percent annually and will exceed $118 billion by 2028. Such indicators cannot but attract scammers. Therefore, it is worth understanding in advance the security and privacy risks associated with this," the ESET study says. 

The risk of data interception stems from the fact that many smartwatches and fitness trackers are synchronized with their owners' smartphones, including applications such as e-mail and messengers. Attackers who compromise one device can thus reach the other, which threatens, in particular, the loss of passwords. ESET further warns that stolen personal data can then be sold on the darknet.

Another serious risk to a victim is tracking of the device's geolocation. Such data allows criminals to build a detailed picture of the user's movements in order to target his home or car. "The safety of children's smartwatches, which can be monitored by outsiders, is even more worrying," ESET states. Speaking about the specific weaknesses of smart fitness trackers, the specialists point to Bluetooth, in which "numerous vulnerabilities have been discovered over the years," to weak gadget firmware, and to paired smartphone applications that may contain coding errors.

According to ESET analysts, the risks can be reduced by using two-factor authentication and a strong password to lock the screen, and by blocking external connections to the smartwatch.

Data can be leaked both over the Internet and over Bluetooth; critical Bluetooth vulnerabilities can allow arbitrary malicious code to be executed on the device, giving full control over its system, or enable a man-in-the-middle (MitM) attack that leads to unauthorized interception of user data.

Unprotected Access to Windows' Core: Signed Kernel Drivers

 

ESET researchers investigated the misuse of vulnerable kernel drivers in depth. "Software" drivers are one type of kernel driver: they provide specific, non-hardware-related capabilities such as software debugging and diagnostics or system analysis, and they can greatly increase the attack surface.

Although it is no longer possible to directly load a malicious, unsigned driver in current versions of Windows, and kernel rootkits are considered obsolete, there are still ways to load malicious code into the kernel, in particular by abusing legitimate, signed drivers. Many drivers from a variety of hardware and software vendors offer full access to the kernel with minimal effort.

The most common vulnerabilities found in kernel drivers:
  • Disabled checks that restrict read and write access to critical model-specific registers (MSRs).
  • Exposing the ability to read from and write to physical memory from user mode.
  • Exposing the ability to read from and write to virtual kernel memory from user mode.

"When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so," says Peter Kálnai, Senior Malware Researcher at ESET and one of the report's co-investigators. 

Bring Your Own Vulnerable Driver (BYOVD) is a technique that has been observed in the wild among both high-profile APT actors and commodity malware such as the RobbinHood ransomware. Commodity malware aims to reach as many victims as possible, so seeing it use a BYOVD approach is uncommon but significant.

Mitigation strategies that work:
  • Virtualization-based security is a Windows 10 feature that uses hardware virtualization to place the kernel in a sandbox, safeguarding the operating system with various protections.
  • Drivers on recent Windows systems carry a valid signature based on an "acceptable" certificate, which can be revoked. Revoking a vulnerable driver's certificate would be a simple way to "disarm" it and render it useless.
  • Microsoft and numerous third-party security vendors, including ESET, use driver blocklisting to detect and remove the most notoriously vulnerable drivers when they are found on a system.

Vulnerable drivers have been exploited by both game cheaters and malware authors, and while significant progress has been made to reduce the impact, the fight continues. The people responsible for the problem want to remedy it: the vendors who were contacted were quite proactive during the disclosure process, eager to repair the flaws that were discovered.

ESET experts warned about New Year's fraud schemes

According to ESET experts, one of the fraudsters' tricks involves travel services: criminals pose as employees of travel companies and ask victims to make an advance payment.

The second scheme popular among fraudsters is fake websites where one can allegedly receive "New Year's payments from the state." "Hackers fake web pages under the banner of law firms or imitate the sites of popular banks, where they ask you to enter card details to receive funds," the experts explained.

Analysts also warned that a bank card's expiration date and three-digit CVV code must never be handed over in such situations. "This information is needed only for payment, but certainly not for receiving money," ESET noted.

Experts have also recorded a sharp increase in the number of fake food delivery sites. Fraudsters copy the appearance of popular sites exactly and then use them to obtain Russians' bank details and withdraw money from their cards.

Domain names of real and fake sites often differ by just one character. "For example, dellivery-club instead of delivery-club or eda.ynadex instead of eda.yandex," the company explained.
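The one-character tricks ESET describes (an inserted letter, two swapped letters) can be checked mechanically against a list of protected brand names. The following Python script is an added example, not ESET's code; its brand watch list, TLD list and digit-for-letter confusable map are constructed for illustration.

```python
import re

# Constructed watch list of brand names a defender wants to protect (no TLD).
BRANDS = ("delivery-club", "eda.yandex")
# Public suffixes stripped before comparison; constructed, extend as needed.
TLDS = ("ru", "com", "net", "org")
# Digits commonly substituted for letters in look-alike names, folded back.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def damerau_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and swaps of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_name(url_or_host: str) -> str:
    """Lower-case host name with scheme, path, port and a known TLD removed,
    so that 'https://eda.yandex.ru/promo' and 'eda.yandex' compare equal."""
    host = url_or_host.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) > 1 and labels[-1] in TLDS:
        labels = labels[:-1]
    return ".".join(labels)


def classify(url_or_host: str, brands=BRANDS):
    """Return (verdict, brand). Verdicts: 'legitimate' (exact brand name),
    'lookalike' (one edit or swap away, or only digit/letter confusables),
    'contains-brand' (brand embedded in a longer name), 'unrelated'."""
    name = registrable_name(url_or_host)
    folded = name.translate(CONFUSABLES)
    for brand in brands:
        if name == brand:
            return "legitimate", brand
    for brand in brands:
        if folded == brand or damerau_distance(folded, brand) == 1:
            return "lookalike", brand
    for brand in brands:
        if brand in folded:
            return "contains-brand", brand
    return "unrelated", None


if __name__ == "__main__":
    for sample in ("delivery-club.ru", "dellivery-club.ru", "eda.ynadex.ru",
                   "de1ivery-club.ru", "delivery-club.support.ru", "example.org"):
        print(sample, "->", classify(sample))
```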

Experts noted that the victims of attackers are also often fans of ski resorts. "Attackers take advantage of the desire of Russians to save money and sell fake online tickets to ski slopes," ESET stressed.

ESET experts also warned that cybercriminals often send congratulatory emails, offering to click on malicious links.

Scammers know that on the eve of the holidays companies generously hand out bonuses and gifts to their customers, and take advantage of this. As a rule, a person who clicks on such a link lands on a phishing site where he is asked to enter personal or banking information. Often such messages contain links to malware.

RDP Attacks On A Massive Increase, Warns ESET Threat Report

 

Cybersecurity firm ESET released a report warning of a sudden rise in attacks on RDP (Remote Desktop Protocol) endpoints; in addition, the Nobelium gang has been active against European government organisations. ESET data shows that attacks on RDP servers rose 103.9% in its T1 report, published in June (ESET publishes these reports three times a year). The report puts the total number of brute-force attacks detected at 55 billion, driven by a campaign targeting Spanish victims. From the T1 2021 ESET report, one might have expected RDP attacks to decline.

Instead, RDP-related attacks picked up again. The pattern points to a further increase in hacking attempts, with a particularly sharp one expected in T3, the busiest period of 2021. RDP attacks rose only slightly in some regions, but there was a huge uptick against Spanish targets: ESET data suggests that attacks on Spanish targets in August accounted for one third of the global total. Besides Spain, the US, Germany and Italy were also on the list. A similar pattern was seen in SQL password-guessing incidents. While RDP-related attacks grew by 200%, cryptocurrency-related attacks saw a slight decline.

ESET experts believe there may be a relationship between cryptocurrency-related attacks and cryptocurrency prices, especially where cryptomining is concerned. ESET says: "our report even mentions PayPal's and Twitter's announcements which sent the prices of major cryptocurrencies up following this increase (visible in the trend toward the end of T2). If there are more high-profile adoptions/announcements supporting cryptocurrencies in the coming months, we expect their prices to grow and cryptomining to follow."

Even though ransomware attacks fell by a single-digit percentage (which ESET also linked to the fall in cryptocurrency prices), the company is sure the problem persists. T2 was so busy that a full account of ransomware attacks was not possible, but some incidents could not be ignored. "The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya IT management software, sent shockwaves that were felt not only in the cybersecurity industry," says ESET.
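To make the RDP password-guessing pattern behind these numbers concrete, here is an added detection example (not ESET's code or data). It runs over constructed, simplified one-line renderings of Windows Security events 4625 (logon failed) and 4624 (logon succeeded) with logon type 10 (RemoteInteractive, i.e. RDP); the source addresses are from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified one-line renderings of Windows Security events
# (real 4625/4624 events are XML). Logon type 10 is RemoteInteractive,
# i.e. RDP. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-08-12T10:00:01Z 4625 user=administrator src=203.0.113.5 logon_type=10
2021-08-12T10:00:02Z 4625 user=admin src=203.0.113.5 logon_type=10
2021-08-12T10:00:02Z 4625 user=sqladmin src=203.0.113.5 logon_type=10
2021-08-12T10:00:03Z 4625 user=backup src=203.0.113.5 logon_type=10
2021-08-12T10:00:04Z 4625 user=scanner src=203.0.113.5 logon_type=10
2021-08-12T10:00:09Z 4624 user=backup src=203.0.113.5 logon_type=10
2021-08-12T10:05:00Z 4625 user=jsmith src=198.51.100.7 logon_type=10
2021-08-12T10:45:00Z 4625 user=jsmith src=198.51.100.7 logon_type=10
2021-08-12T11:00:00Z 4625 user=svc_app src=10.0.0.12 logon_type=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"logon_type=(?P<ltype>\d+)$")
RDP_LOGON_TYPE = "10"


def parse_event(line):
    """Parse one constructed log line into a dict, or None for noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector for RDP password guessing.

    Emits ('brute_force', src, failures, distinct_users) the first time a
    source reaches `threshold` failed RDP logons within `window`, and
    ('success_after_failures', src, user) when a later RDP logon from a
    flagged source succeeds, the case worth treating as a likely
    compromise rather than mere scanning noise."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, username)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["ltype"] != RDP_LOGON_TYPE:
            continue              # ignore non-RDP logons and unparsable lines
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "4625":
            q = recent[src]
            q.append((ts, ev["user"]))
            while q and ts - q[0][0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                users = {u for _, u in q}
                alerts.append(("brute_force", src, len(q), len(users)))
        elif ev["event"] == "4624" and src in flagged:
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

Two isolated failures forty minutes apart from 198.51.100.7 never reach the threshold, while 203.0.113.5 is flagged on its fifth failure and again when the guessed "backup" account logs in.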

ESET: 77% of Russian residents believe they are being tracked via their smartphones

According to a survey conducted by ESET, a company specializing in anti-virus software development and protection against cyberthreats, most Russians (77%) believe that they are being tracked via mobile devices.

Young people aged 18 to 24 expressed the least concern about possible surveillance (35%), believing it is a manifestation of paranoia. People over 35 years of age are more concerned about surveillance.

At the same time, 39.5% of respondents believe that the search history on all devices is tracked, 25.5% believe that all actions performed on the device are transmitted, 14.1% believe that they are monitored using the microphone and gadget camera, and 20.9% think that all the above means are used.

Among the main reasons why interested companies collect personal data, 65% of the study participants named targeted advertising. Other respondents believe the data is used by the special services and by fraudsters.

According to the study, Russians fear the use of their personal data by fraudsters, leaks of intimate videos and photos, the reading of their correspondence, wiretapping, and the profiling of their habits and interests based on search history.

To avoid potential surveillance, 45% of respondents disable geolocation on their devices. Another 39% check which data applications are allowed to access. 34% avoid discussing personal topics on the phone and 32% avoid connecting to public Wi-Fi.

In July, Pavel Durov, the founder of VKontakte and Telegram, reported that his mobile device had been targeted by spyware. According to him, spyware can hack any phone running iOS or Android, and there is currently no way to protect the device.

The Salvation Army in the UK was Infected with Ransomware

 

The Register has uncovered that criminals infected the Salvation Army in the United Kingdom with ransomware and stole the organization's data. A spokeswoman for the Salvation Army confirmed that the evangelical Christian church and charity had been hacked and that it had notified UK regulators. 

She said, “We are investigating an IT incident affecting a number of our corporate IT systems. We have informed the Charity Commission and the Information Commissioner’s Office, are also in dialogue with our key partners and staff, and are working to notify any other relevant third parties. We can also confirm that our services for the vulnerable people who depend on us are not impacted and continue as normal.” 

No other information about the incident is currently available, such as the identity of the attackers or the data that was accessed. Furthermore, no data has turned up on any known ransomware gang leak sites. Salvation Army workers and volunteers, meanwhile, have been told to keep a close eye on their accounts for unusual banking activity or suspicious contact.

Jake Moore, a cybersecurity specialist with Slovakian antivirus firm ESET, told The Register: “It is vital that those who could be at risk are equipped with the knowledge of how to mitigate further attacks. The first few days and weeks after a breach are the most important, as criminals will be quick to take advantage of the situation and strike while they still can.”

 “Those who may believe they have had their details taken must contact their banks to add extra fraud protection and to be on guard for extra attempts such as unsolicited calls or emails phishing for extra information,” added ESET’s Moore. 

Other information security industry sources speculated that the attack was carried out by either the Conti or the Pysa ransomware gang. Conti was the strain used by the WizardSpider gang in the Irish Health Service attack, which came dangerously close to paralyzing Irish hospitals as staff were forced to revert to pre-computer era paper-based systems. Pysa, meanwhile, has been seen targeting schools and other "soft underbelly" targets, such as Hackney Council late last year.

The attack shows once again that no organization is immune to ransomware and that every organization must be prepared to face an attack at any time. Keith Glancey, systems engineering manager at Infoblox, commented: "This latest attack on the UK arm of the Salvation Army shows that ransomware is growing in sophistication and that actors are getting bolder. No organization is off-limits, even those in the charity sector."

Myanmar President’s Office Hacked for the Second Time

 

A cyber-espionage hacking gang is suspected of breaking into the Myanmar president's office website and injecting a backdoor trojan into a customized Myanmar font package accessible for download on the home page. ESET, a Slovak security firm, discovered the attack on Wednesday, June 02, 2021. 

The software used in the attack resembles malware strains used in earlier spear-phishing campaigns against Myanmar targets by a Chinese state-sponsored hacking group known as Mustang Panda, RedEcho or Bronze President, according to researchers.

Mustang Panda mostly focuses on non-governmental organizations (NGOs). It uses Mongolian-language decoys and themes, as well as shared malware such as Poison Ivy and PlugX, against its targets. Its attack chain looks something like this:

• A malicious link, disguised with the goo.gl link shortener, points to a Google Drive folder.

• Clicking the Google Drive link leads to a zip file containing a .lnk file disguised as a .pdf file.

• When the user opens the file, it reaches out to a Windows Script Component (.wsc) file hosted on a malicious microblogging page.

• The .lnk file runs a VBScript and a PowerShell script retrieved from the Twitter page to fetch the decoy PDF file.

• The PowerShell script creates a Cobalt Strike (https://know.netenrich.com/threatintel/malware/Cobalt%20Strike) payload.

• Using Cobalt Strike's connection to the command-and-control IP address, the threat actor can operate the system remotely.
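The lure formats in the chain above (and the ZIP/EXE lure described in the Hodur post earlier on this page) can be triaged before anyone opens them: a document-looking name ending in an executable extension, shell-link or PE headers that contradict the extension, and links routed through a shortener. The Python script below is an added example, not ESET's or Proofpoint's code; the archive it inspects is constructed in memory, its .lnk member is only a header stub, and the shortener list and the URL inside are constructed placeholders.

```python
import io
import re
import zipfile

# Extensions a lure pretends to be versus extensions Windows will execute.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "js", "vbs", "wsc", "hta", "bat", "cmd", "ps1", "dll"}
# First 8 bytes of a Windows shell link: HeaderSize 0x4C and the start of the LinkCLSID.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"
PE_MAGIC = b"MZ"
# URL shorteners that hide the real destination; goo.gl is the one in the
# reported chain, the rest of the list is constructed.
SHORTENERS = ("goo.gl", "bit.ly", "t.co", "tinyurl.com")


def triage_entry(name, data):
    """Return a list of human-readable findings for one archive member."""
    findings = []
    exts = name.rsplit("/", 1)[-1].lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"masquerades as .{exts[-2]} (double extension)")
    if data.startswith(LNK_MAGIC):
        findings.append("content is a Windows shell link (.lnk header)")
        if not exts or exts[-1] != "lnk":
            findings.append("shell link hidden behind a different extension")
    if data.startswith(PE_MAGIC) and (not exts or exts[-1] not in {"exe", "dll", "scr"}):
        findings.append("PE executable hidden behind a non-executable extension")
    for dom in SHORTENERS:
        if re.search(rb"https?://" + re.escape(dom.encode()) + rb"/\S+", data):
            findings.append(f"contains a link via shortener {dom}")
    return findings


def triage_archive(zip_bytes):
    """Inspect every member of a ZIP held in memory; return {name: findings}
    for the members that raised at least one finding."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = triage_entry(info.filename, zf.read(info.filename))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive():
    """Constructed lure archive shaped like the reported one. The .lnk member is
    a 76-byte header stub (not a working shortcut); the URL is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Situation at the EU Borders with Ukraine.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("notes.txt", b"Full report: https://goo.gl/PLACEHOLDER\n")
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_archive(build_sample_archive()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```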

Mustang Panda has a history of carefully constructed email-based attacks; for this operation, the gang appears to have modified a Myanmar Unicode font package available for download on the Myanmar presidency's website. “In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” the ESET team wrote in a Twitter thread. 

This loader, according to researchers, beacons to a command-and-control (C&C) server at 95.217.1[.]81. It resembled other malware samples previously delivered as attachments in spear-phishing campaigns against Myanmar targets.

The archives bear the signs of an advanced and stealthy cyber-espionage operation, hidden in files named "NUG Meeting Report.zip," "Proposed Talking Points for ASEAN-Japan Summit.rar," "MMRS Geneva," "2021-03-11.lnk," and "MOHS-3-covid.rar," even though ESET said it has yet to officially confirm Mustang Panda's involvement beyond doubt.

This is the second time the Myanmar president's office website has been compromised to launch a watering-hole attack. The first incident occurred between November 2014 and May 2015, when the site was used to distribute a version of the EvilGrab malware by another alleged Chinese cyber-espionage group.

ESET has revealed a new series of Lazarus attacks

Experts at the antivirus company ESET have discovered a series of attacks behind which stands one of the most notorious North Korean groups, Lazarus. The hackers targeted users of government and banking websites in South Korea. The criminals used an unusual delivery mechanism, disguising the malware as legitimate security software and signing it with stolen digital certificates.

The spread of the Lazarus malware was made easier by the fact that South Korean Internet users are often asked to install additional security programs when visiting government or Internet banking websites, explained Anton Cherepanov, who led the investigation.

"The WIZVERA VeraPort integration installation program is widespread in South Korea. After installation, users can download the necessary software for a specific website. This scheme is usually used by South Korean government and banking websites. For some of these sites, the presence of WIZVERA VeraPort is mandatory," said Mr. Cherepanov.

The attackers used illegally obtained code-signing certificates to sign their malware samples. One of these certificates had been issued to a firm specializing in security: the American branch of a South Korean security company.

"The hackers disguised Lazarus malware samples as legitimate programs. These samples have the same file names, icons and resources as legitimate South Korean software," said Peter Kálnai, who took part in the investigation of the attack.

ESET's analysis once again demonstrated the unconventional intrusion, encryption and network-infrastructure configuration methods that have become the hallmark of Lazarus.

It is worth noting that on November 13, Microsoft representatives reported that, according to their data, three APT groups had in recent months attacked at least seven companies engaged in COVID-19 research and vaccine development. The Russian-speaking group Strontium (Fancy Bear, APT28, and so on), as well as the North Korean groups Zinc (Lazarus) and Cerium, are blamed for these attacks.

Zinc (aka Lazarus) relied mainly on targeted phishing campaigns, sending potential victims emails with fictitious job descriptions while posing as recruiters.