Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label ESET. Show all posts
XSS
Cyber Attacks Cyberespionage Operation Cybersecurity CyberThreat ESET Global Hacking Global Surveillance Operation RoundPress Webmail XSS

Global Surveillance Campaign Targets Government Webmail Through XSS Exploits

 


Amid the ongoing conflict between Russia and Ukraine, the digital battlefield remains just as active as the one on the ground. Researchers have identified a sophisticated and ongoing global hacking campaign known as "Operation RoundPress" as a disturbing escalation of cyberespionage activity. As part of the campaign, high-profile government entities across multiple nations have been targeted to intercept sensitive communications via webmail servers, which have been targeted strategically. 

New research from cybersecurity firm ESET indicates that attackers have been exploiting both zero-day vulnerabilities, which were previously unknown security flaws, and n-day vulnerabilities that have been known for a long time but are still unpatched on the targeted systems, according to the report. APT28, a well-known Russian state-sponsored threat actor also known as Fancy Bear or Sednit, has been attributed to the campaign with moderate confidence by ESET. 

There is no doubt that the group, which is thought to operate under the direction of Russia's military intelligence agency, GRU, is a very well-known cyber-attack organisation known for its high-profile cyber intrusions into foreign elections and for gathering information about political and military targets. The APT28 hacker group, also known as Fancy Bear, Sednit, and Sofacy, is among the most infamous and persistent state-sponsored hacking groups in the world today.

It has been said that APT28 has been connected to numerous high-impact cyber operations over the last two decades, and it is believed to be closely related to the Russian military intelligence agency (GRU). There has previously been international scrutiny relating to this group for its involvement in the 2016 Democratic National Committee (DNC) hack, as well as the TV5Monde cyberattack and numerous cyber-espionage campaigns that target governmental institutions and defence agencies across several continents. 

Operation RoundPress, the latest campaign in which the group appears to have intensified its efforts to steal sensitive information from targeted email accounts, is the focus of the group's latest campaign. Specifically, Matthieu Faou, an ESET researcher, stated that the operation was designed to collect confidential information, particularly from organisations with significant strategic or geopolitical significance. 

The majority of victims are governmental entities and defence companies, Faou explained, whereas government officials in Africa, Europe, and South America have also been targeted. Considering the broad range of targets that APT28 has deployed and the carefully curated nature of its targeting pattern, it is clear that APT28's operation continues to advance the intelligence gathering objectives of the Russian government by using cyberspace. 

It is evident from the group's ability to adapt its techniques and pivot to new geographical regions not only that it has advanced in technological sophistication, but also how extensive modern state-sponsored cyber threats are around the world. As of 2023, Operation RoundPress has been ongoing since then, with threat actors constantly evolving their techniques and adopting new exploits to breach a wide range of popular open-source and commercial webmail platforms until 2024.

There are a number of these tools, such as Roundcube, Horde, MDaemon, and Zimbra, all widely used in government and business settings. As a result of the campaign's global reach and methodical exploitation of email infrastructure, it is clear that it is intended to obtain persistent access to important government communications. This demonstrates the persistent threat that nation-state-backed hacking groups pose in today's volatile geopolitical environment, reinforced by their adaptability and persistence.

A detailed analysis of Sednit's cyber operations reveals that it has intensified its operations against Ukrainian targets, deploying advanced intrusion techniques to gain intelligence and disrupt systems. The group has been in the news for quite some time; in 2016, the U.S. Department of Justice publicly accused the group of orchestrating the hacking of the Democratic National Committee (DNC), leading up to the U.S. presidential election—an incident which demonstrated the geopolitical consequences of cyber warfare in the twenty-first century. 

In "Operation RoundPress", the state-backed digital threats that are emerging are exemplified, showing how cyberattacks are now increasingly being deployed as strategic weapons in international conflicts. As a result of this latest cyberattack, Russia has continued to engage in aggressive cyber warfare. It is aligned closely with the Russian political objectives, reinforcing the urgent need for robust cybersecurity measures on a global scale, which is a key factor in their success. 

Researchers were first able to recognise Operation RoundPress, a sophisticated cyber-espionage campaign linked to the Russian state-linked group Sednit (also known as APT28 or Fancy Bear) in the year 2023, when they first identified it. At first, the attackers exploited a known vulnerability in the open-source webmail application Roundcube - CVE-2020-35730. However, by 2024, the attackers were able to expand the scope of the attack and the technical sophistication of the campaign by a significant amount.

In addition, the threat actors have begun exploiting other vulnerabilities, including a zero-day vulnerability (CVE-2024-11182) affecting the MDaemon webmail platform, which proves their ability to continue adapting and evolving in real-time as the attacks are evolving. It is common for attackers to use spearphishing emails embedded with cross-site scripting exploits (XSS) in order to compromise a system. 

It has been carefully crafted to trigger the execution of malicious JavaScript payloads when the email is viewed in a webmail client which is vulnerable to this attack. Through this tactic, attackers can gain long-term access to sensitive communications, such as email credentials, message content, contact lists, or even bypass two-factor authentication (2FA) protections, and this allows them long-term access to sensitive data without any detection on their part. 

As ESET researchers, who discovered and analysed Operation RoundPress with high confidence, they believe it is the result of Sednit. Based on the infrastructure overlaps, phishing techniques, and code-level similarities with previously documented operations related to Sednit, they make this conclusion with medium confidence. 

According to their research, the primary targets of this attack have been governmental agencies and defence contractors throughout Eastern Europe, particularly those involved in the ongoing conflict in Ukraine. However, the campaign has also extended its reach to include several European Union member states. In addition, incidents have been observed in Africa, South America, and several EU countries, proving that the campaign has global ambitions while reinforcing concerns about the growing threat of nation-state cyber activity. 

In the wake of Operation RoundPress, state-sponsored threat actors are exploiting a number of long-standing weaknesses in widely used webmail platforms in order to gain access to high-value targets. It is evident from this campaign's success that multiple cross-site scripting (XSS) vulnerabilities were used to stealthily inject malicious JavaScript payloads into routine email communications, which was one of the key factors in the campaign's success. 

In addition to exploiting the vulnerabilities in several commercial and open-source webmail systems, the attackers were able to gain access to sensitive data and user credentials, and even circumvent multi-factor authentication mechanisms, as well. The ESET researchers who have thoroughly analysed Operation RoundPress have identified a variety of known and unknown vulnerabilities that will be exploited in the campaign: 

CVE-2020-35730 – Roundcube: It was first exploited in 2023 to take advantage of a stored XSS vulnerability that allowed attackers to embed malicious JavaScript directly into emails' bodies. The script ran automatically whenever the user opened the message through the Roundcube interface, allowing the user to steal credentials as well as hijack their sessions. 

This CVE-2023-43770 vulnerability related to improper sanitisation of hyperlink text and improper insertion of script tags into the email content allowed the attackers to take advantage of this vulnerability in early 2024 and exploit it by inserting script tags into the email content to get the malicious code to run when it was viewed. 

MGaemon - CVE-2024-11182: Among the main targets caught by MDaemon's HTML parser in 2024 was a zero-day vulnerability identified in July 2008. The vulnerability involved creating a malicious title attribute using a noembed tag and hiding a JavaScript payload within an MGaemon file called an image onerror handler. A team of attackers used this technique in order to extract credentials, bypass two-factor authentication, and establish persistent access using App Passwords as a mechanism to defeat two-factor authentication. 

Horde - Unspecified XSS: Along with the Horde XSS issue, APT28 also attempted to exploit an older XSS problem in Horde's mail system. They used XSS (XSS exploiting XSS on an image error) to execute the attack. However, it failed due to improved input filtering in the newer Horde releases. Researchers have not yet been able to identify the exact CVE model, but the vulnerability is believed to have been fixed since then. 

A previously unknown exploit in Zimbra's calendar module has been exploited by attackers using CVE-2024-27443. The attacker exploited an XSS flaw to exploit the vulnerability. By injecting unsanitized input via the header, which is X-Zimbra-Calendar-Intended-For, APT28 was able to embed an executable JavaScript payload in calendar invitations that would execute upon viewing when the invitation was viewed. 

ESET's investigation revealed that no evidence of Operation RoundPress activity in 2025 was found, however, researchers warn that the techniques used, particularly those that utilised XSS, remain highly relevant. In an era where new vulnerabilities are constantly exposed in webmail clients, the danger of similar attacks is high as new vulnerabilities are continuously discovered. 

Throughout the campaign, it is a powerful reminder that the ongoing need for vigilant patching, secure coding, and layers of email security is essential for protecting against nation-state attacks. It is important to keep in mind that the revelations surrounding Operation RoundPress underscore an important reality: the cyber threat landscape is evolving faster than many organisations are capable of adjusting to. 

It is becoming increasingly evident that cybersecurity is not merely a technical issue anymore; it is a matter of national resilience and strategic foresight that is being exploited by state-sponsored adversaries like APT28. Since then, it has become increasingly clear that cybersecurity is more than a technical issue. The government, the defence industry, and corporations must reevaluate the robustness of their digital ecosystems, especially those underlying communication and collaboration, in light of these developments. 

There is no longer any question that proactive threat detection, meticulous patch management, and zero-trust architectures must be prioritised. Furthermore, because the sophistication of these campaigns keeps growing, we must strengthen international cooperation, share intelligence, and invest in next-generation security solutions. The launch of Operation RoundPress has acted as a wake-up call for companies operating in high-risk sectors: companies that are willing to be vigilant, quick, and adaptable have now become essential components of any serious defence against Cybercrime.
Read more »
TTPs
Browser Vulnerability BYOVD CyberCrime Cybersecurity CyberThreat ESET malware ToddyCat TTPs

ESET Security Tool Vulnerability Facilitates TCESB Malware Deployment



The threat actor "ToddyCat," a Chinese-linked threat actor, is being observed exploiting a vulnerability in ESET security software to spread a newly discovered malware strain known as TCESB, a new strain that has recently been discovered.

In a recent study by cybersecurity company Kaspersky, the group's evolving tactics and expanding arsenal were highlighted in an analysis released by the company. The TCESB software, which consists of a novel addition to ToddyCat's toolkit, has been designed specifically to be able to stealthily execute malicious payloads without being detected by existing monitoring and protection software installed on compromised computers, according to Kaspersky.

The malware's ability to bypass security measures illustrates its sophistication and the calculated approach adopted by its operators. In recent years, TeddyCat has actively participated in several cyber-espionage campaigns primarily targeting Asian organizations, primarily targeting organisations. In at least December 2020, the group began to conduct attacks against high-value entities in the region, and it has gained notoriety for a number of these attacks, including sustained attacks on high-value entities throughout the region. 

The intrusions are believed to be intended to gather intelligence, often by compromising targeted environments for a long time. In a comprehensive report released last year, Kaspersky detailed ToddyCat's extensive use of custom and off-the-shelf tools to establish persistent access within victim networks. As part of the report, the group is also described as exfiltrating large volumes of sensitive information on an industrial scale, from a wide variety of organisations in Asia-Pacific. As part of its operations, the group is also able to exfiltrate large amounts of sensitive information. 

It was ToddyCat's tactic, technique, and procedure (TTPS) that was significantly evolved by exploitation of a security flaw in ESET software to deliver TCESB. There is an increasing trend among advanced persistent threat (APT) actors to exploit software supply chain vulnerabilities and trusted security tools as a way of infiltration by utilising these vectors. It has recently been reported by cybersecurity researchers that a group of advanced persistent threats (APT) known as ToddyCat, which has been attributed to cyber-espionage operations originating in China, has been involved in a disturbing development. 

According to an analysis published by Kaspersky, the threat actor has been exploiting a vulnerability in ESET security software to distribute a newly discovered and previously unknown malware strain dubbed TCESB by exploiting a vulnerability in ESET security software. During this malware, the group has demonstrated significant advances in their offensive capability, and the evolution of its offensive toolkit has been continuous. 

The TCESB malware is notable for its stealthy design, allowing it to execute malicious payloads without being detected by endpoint protection or monitoring software, thus demonstrating how it can accomplish its goals. By deploying it through a legitimate security solution, such as ESET, it underscores how sophisticated and strategically planned its actors are. As well as facilitating deeper penetration into targeted systems, the technique also complicates detection and response efforts by blending malicious activity with otherwise trusted processes, which is one of the most important advantages of this technique. 

ToddyCat has been active since December 2020 and has conducted a variety of targeted intrusions across a wide range of sectors within Asia. According to Kaspersky, the organisation's operations are mostly intelligence-driven, with a particular focus on maintaining access to high-value targets for data exfiltration. Previous reports have demonstrated that the group maintains persistence within compromised environments by using both custom-built and widely available tools. It is important to note that, during their campaigns, they have been perpetrating large-scale data theft, which has been described by researchers as industrial-scale harvesting, primarily from Asian entities.

As ToddyCat's operations have recently changed, it illustrates the broader trend among nation-state threat actors to weaponise trusted software platforms as a method of delivering TCESB, and marks a tactical shift in ToddyCat's operations. As a result of this incident, concerns have been raised regarding vulnerabilities in the software supply chain, as well as the increasingly sophisticated evasion techniques employed by APT actors to maintain access and achieve long-term strategic goals. Following a responsible disclosure procedure, ESET corrected the identified security vulnerability in January 2025. To mitigate the vulnerability that was exploited by ToddyCat to deploy the TCESB malware, the company released a patch to mitigate it. 

The latest security updates for ESET's widely used endpoint protection software are highly recommended for organisations using the system, as they strongly recommend implementing these updates as soon as possible. It remains critical to maintain an effective patch management process to avoid exposure to emerging threats and reduce the risk of compromise by addressing known vulnerabilities. In addition to updating their systems, organisations are advised to implement enhanced monitoring procedures to detect suspicious activity linked to the use of similar tools to detect suspicious activity. 

It is Kaspersky's belief that effective detection depends upon monitoring the events that are associated with the installation of drivers that are known to contain vulnerabilities. Furthermore, organizations should be cautious for instances involving Windows kernel debug symbols being loaded onto endpoints, particularly on endpoints where kernel debugging is not a routine or expected process. An anomaly of this kind could be indicative of a compromise and, therefore, requires immediate investigation to prevent further intrusions or data exfiltration. 

It has been determined that the TCESB malware is based on an open-source tool called EDRSandBlast, a modified variant of the malware. This adaptation incorporates advanced functionalities that are specifically intended to manipulate kernel structures, which are an integral part of the Windows operating system. It is capable of deactivating notification routines, also called callbacks, as part of its primary capabilities.

It is crucial for security and monitoring tools to work properly that these routines allow drivers to be alerted about specific system events, such as the creation of new processes or the modification of registry keys, to the extent that they will be able to be notified about these events. By enabling these callbacks, TCESB effectively makes security solutions unaware of the presence and activity of the compromised system by disabling them. Using the Bring Your Vulnerable Driver (BYOVD) technique, TCESB can achieve this degree of control.

In this particular instance, the malware can install a legitimate but vulnerable Dell driver by using the Windows Device Manager interface – DBUtilDrv2.sys. There is a security vulnerability affecting the driver known as CVE-2021-36276 that could allow attackers to execute code with elevated privileges by granting access to the driver. There has been a precedent of Dell drivers being exploited for malicious purposes for years. 

For example, in 2022, a group of North Korean advanced persistent threat actors, known as the Lazarus Group, exploited another Dell driver vulnerability (CVE-2021-21551 in dbutil_2_3.sys) in a similar BYOVD attack to disable security defences and maintain persistence against malware. When the susceptible driver has been successfully deployed to the operating system, TCESB initiates a continuous monitoring loop in which two-second intervals are checked to see if a payload file with a specific name is present in the current working directory. 

Andrey Gunkin, a researcher at Kaspersky, has pointed out that the malware is designed to operate when there is no payload at launch, and that when the malware detects the payload, it deploys an algorithm to decrypt and execute it. While the payload samples themselves were not available during the analysis period, forensic investigation revealed that the payload samples are encrypted with AES-128 and are immediately decoded and executed as soon as they are identified in the specified location, once the AES-128 algorithm has been used. 

Cybersecurity experts recommend vigilant system monitoring practices because the TCESB is so stealthy and technically sophisticated. Organizations need to monitor events related to the installation of drivers that may contain security flaws, as well as the loading of kernel debug symbols by Windows in environments where kernel-level debugging is not commonly used. It is important to investigate and investigate these behaviors immediately as they may indicate that advanced threats are trying to undermine the integrity of the system.

Read more »
vulnerabledrivers
Cyber Attacks Cybersecurity Darkweb EDR endpointsecurity ESET Ransomware ransomware-as-a-service vulnerabledrivers

Rise in EDR Killers Signals Growing Threat to Ransomware Detection Systems

 

EDR killers are becoming an increasingly favored tool among ransomware-as-a-service (RaaS) affiliates, with EDRKillShifter emerging as a notable threat. According to a recent report by ESET malware researchers Jakub Souček and Jan Holman, the tool is not alone—there has been a noticeable rise in the variety of EDR killers being used by attackers.

“However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates,” Souček and Holman wrote in the report.

These tools are designed to bypass endpoint detection and response (EDR) solutions that can typically recognize and block encryption payloads used in ransomware attacks. To remain undetected, affiliates rely on EDR killers, which presents a major hurdle for both cybersecurity vendors and internal IT security teams.

ESET’s defense approach includes flagging vulnerable drivers exploited by these tools as potentially unsafe, preventing their activation. The researchers urged organizations to implement similar protective measures.

They referenced the Living Off The Land Drivers (LOLD) project, which tracks over 1,700 vulnerable drivers. However, only a small subset of these are exploited for EDR killer activity, and that number has remained largely consistent.

Identifying and neutralizing these drivers remains a technical challenge. ESET’s analysis highlights how many EDR killers use obfuscated code to dodge early-stage detection. In particular, RansomHub’s EDRKillShifter conceals its shellcode using a 64-character password.

“Without the password, security researchers can neither retrieve the list of targeted process names nor the abused vulnerable driver,” they wrote in the report.

Due to its effectiveness, EDRKillShifter has been adopted by a growing number of affiliates associated with rival ransomware groups since it was released as a service on the dark web.

ESET researchers said they saw a “steep increase” in activity following the release.
Read more »
Ransomware
AI Cyber Crime Cyberattacks CyberCrime Cybersecurity Cyberthreats EMBARGO ESET MDeployer Ransomware

Embargo Ransomware Uses Custom Rust-Based Tools for Advanced Defense Evasion

 


Researchers at ESET claim that Embargo ransomware is using custom Rust-based tools to overcome cybersecurity defences built by vendors such as Microsoft and IBM. An instance of this new toolkit was observed during a ransomware incident targeting US companies in July 2024 and was composed of a loader and an EDR killer, namely MDeployer and MS4Killer, respectively, and was observed during a ransomware attack targeting US companies. 

Unlike other viruses, MS4Killer was customized for each victim's environment, excluding only selected security solutions. This makes it particularly dangerous to those who are unaware of its existence. It appears that the tools were created together and that some of the functionality in the tools overlaps. This report has revealed that the ransomware payloads of MDeployer, MS4Killer and Embargo were all made in Rust, which indicates that this language is the programming language that the group favours. 

During the summer of 2024, the first identification of the Embargo gang took place. This company appears to have a good amount of resources, being able to develop custom tools as well as set up its own infrastructure to help communicate with those affected. A double extortion method is used by the group - as well as encrypting the victims' data and extorting data from them, they threaten to publish those data on a leak site, demonstrating their intention to leak their data. 

Moreover, ESET considers Embargo to be a provider of ransomware-as-a-service (RaaS) that provides threats to users. The group is also able to adjust quickly during attacks. “The main purpose of the Embargo toolkit is to secure successful deployment of the ransomware payload by disabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into that, replicating the same functionality at different stages of the attack,” the researchers wrote. 

“We have also observed the attackers’ ability to adjust their tools on the fly, during an active intrusion, for a particular security solution,” they added. MDeployer is the main malicious loader Embargo attempts to deploy on victims’ machines in the compromised network. Its purpose is to facilitate ransomware execution and file encryption. It executes two payloads, MS4Killer and Embargo ransomware, and decrypts two encrypted files a.cache and b.cache that were dropped by an unknown previous stage. 

When the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system. Another feature of MDeployer is when it is executed with admin privileges as a DLL file, it attempts to reboot the victim’s system into Safe Mode to disable selected security solutions. As most cybersecurity defenses are not in effect in Safe Mode, it helps threat actors avoid detection. 

MS4Killer is a defense evasion tool that terminates security product processes using a technique known as bring your own vulnerable driver (BYOVD). MS4Killer terminates security products from the kernel by installing and abusing a vulnerable driver that is stored in a global variable. The process identifier of the process to terminate is passed to s4killer as a program argument. 

Embargo has extended the tool’s functionality with features such as running in an endless loop to constantly scan for running processes and hardcoding the list of process names to kill in the binary. After disabling the security tooling, Embargo affiliates can run the ransomware payload without worrying whether their payload gets detected. During attacks, the group can also adjust to the environment quickly, which is another advantage.

Basically, what Embargo toolkit does is that it offers a method of ensuring the successful deployment of the ransomware payload and prevents the security solution from being enabled in the victim's infrastructure on the day of deployment. This is something that Embargo invests a lot of time and effort into, replicating the same functionality at different stages of the attack process," wrote the researchers. They added that the attackers also showed a capability to modify their tools on the fly, during an active intrusion, by adjusting the settings on different security solutions on the fly. 

As part of Embargo's campaign against victims in the compromised network, MDeployer is one of the main malicious loaders that it attempts to deploy on victims' machines. With the use of this tool, ransomware can be executed and files can be encrypted easily. During the execution process, two payloads are executed, MS4Killer and Embargo ransomware, which decrypt two encrypted files a.cache and b.cache that have been left over from an unknown earlier stage onto the system.

After its encryption process, the MDeployer program systematically terminates the MS4Killer process, erases any decrypted payloads, and removes a driver previously introduced by MS4Killer. Upon completing these actions, the MDeployer initiates a system reboot. This process helps ensure that no remnants of the decryption or defence-evasion components persist on the system, potentially aiding threat actors in maintaining operational security. In scenarios where MDeployer is executed as a DLL file with administrative privileges, it has an additional capability: rebooting the compromised system into Safe Mode. 

This mode restricts numerous core functionalities, which is often leveraged by threat actors to minimize the effectiveness of cybersecurity defences and enhance stealth. Since most security tools do not operate in Safe Mode, this functionality enables attackers to evade detection more effectively and hinder any active defences, making detection and response significantly more challenging. The MS4Killer utility functions as a defense-evasion mechanism that specifically targets security product processes for termination. This is achieved using a technique referred to as "bring your own vulnerable driver" (BYOVD), wherein threat actors exploit a known vulnerable driver. 

By installing and leveraging this driver, which is maintained within a global variable, MS4Killer is able to terminate security processes from the kernel level, bypassing higher-level protections. The identifier for the targeted process is supplied as an argument to the MS4Killer program. To further enhance MS4Killer’s effectiveness, Embargo has incorporated additional capabilities, such as enabling the tool to run continuously in a loop. This looping function allows it to monitor for active processes that match a predefined list, which is hardcoded within the binary, and terminate them as they appear. 

By persistently disabling security tools, Embargo affiliates can then deploy ransomware payloads with minimal risk of detection or interference, creating an environment highly conducive to successful exploitation.
Read more »
Security Defenses
BlackCat Cyber Community CyberCrime Cybersecurity Cyberthreats EMBARGO ESET MDeployment MS4Killer Ransomware Rust Security Defenses

Security Defenses Crippled by Embargo Ransomware

 


There is a new gang known as Embargo ransomware that specializes in ransomware-as-a-service (RaaS). According to a study by ESET researchers published Wednesday, the Embargo ransomware group is a relatively young and undeveloped ransomware gang. It uses a custom Rust-based toolkit, with one variant utilizing the Windows Safe Mode feature to disable security processes.

ESET researchers say that the Embargo ransomware group is developing custom Rust-based tools to defeat the cybersecurity defenses put in place by companies and governments. There is a new toolkit that was discovered in July 2024 during an attack on US companies by ransomware and is made up of a loader and an EDR killer, MDeployer, and MS4Killer, respectively, which can also be accessed and downloaded online. There are several ways in which MS4Killer can be utilized. 

For instance, it can be compiled according to each victim's environment, targeting only specific security solutions. As it appears that both tools were developed together, there is some overlap in functionality between them. Several of the programs that were developed as part of the group, including MDeployer, MS4Killer, and Embargo's ransomware payload, are written in Rust, thus suggesting that the language is one that the developers use most often. It is claimed that the group has committed ten acts of cybercrime on its dark web leak site, including a non-bank lender from Australia, a police department from South Carolina, and a community hospital from Idaho. 

An interview conducted in June with a self-proclaimed representative of Embargo said that the group specializes in ransomware-as-a-service, with affiliates taking an extortion payment of up to 80%. It is believed that the toolkit discovered by Eset consists of two primary components: MDeployer, which is designed to deploy Embargo's ransomware and other malicious payloads, and MS4Killer, which is built to exploit vulnerable drivers to disable endpoint detection and response systems. 

In both MDeployment and MS4Killer, Rust is used as the programming language. Because of its memory protection features as well as its low-level capabilities, it can be used to create malware that is both effective and resilient. A study conducted by Eset reported that Embargo can target both Windows and Linux systems with Rust. It was in May 2024, one month after the first observation of Embargo in the ESET telemetry in June 2024 that Embargo was publicly observed for the first time. There are several reasons why the group has drawn attention besides the fact that it successfully breached high-profile targets as well as the language it used for its ransomware payload that piqued people's curiosity. 

As part of its development, Embargo chose Rust, which is a cross-platform programming language that provided the potential to develop ransomware that targets both Windows and Linux platforms. The Embargo group follows in the footsteps of BlackCat and Hive as yet another group developing ransomware payloads using Rust programming language. It is clear from Embargo's mode of operation that it is a well-resourced group considering its modus operandi. This system also allows victims to communicate with it via Tox, which results in the communication being managed by the system itself. It is a group that uses double extortion to force victims to pay him and then publishes the stolen information on its leaked website too. 

It is the MDeployer that Embargo uses mainly to install malicious loads on victims' computers within the compromised network to destroy them. An application for this purpose is designed to make it easier to execute ransomware and encrypt files. Two payloads are executed, MS4Killer and Embargo ransomware. Additionally, two encrypted files, a.cache, and b.cache, which were dropped by an unknown stage in the previous step, are decrypted and delivered to the victim. 

If the ransomware finishes encrypting the system, the MDeployer terminates the MS4Killer process, deletes all the decrypted payload files and the driver file dropped by MS4Killer, and finally restarts the computer. Besides the fact that MDeployer can run as a DLL file with administrative privileges, it has also the ability to reboot the victim's system into a Safe Mode if it is executed with administrator access. This is because major cybersecurity defenses aren't switched on in Safe Mode, which allows threat actors to continue operating undetected. The initial intrusion vector is unknown, however, once MDeployer has installed itself on the victim machine, it decrypts MS4Killer from the encrypted file "b.cache" and drops the file "praxisbackup.exe" into the system. 

In every single case observed by ESET, the MDeployer used the same hardcoded RC4 key to decrypt both files from "a.cache" and dropped and executed them as "pay.exe." MDeployer decrypted both files using the same hardcoded RC4 key. It has been reported that MS4Killer allegedly builds upon the S4Killer proof-of-concept tool available on GitHub and drops the vulnerable mini-filter drive problem.sys version 3.0.0.4 as part of what is known as the "Bring Your Own Vulnerable Driver" idea (BYOVD), which is a technique developed to deal with driver vulnerabilities in general. The researchers wrote in their paper that MS4Killer exploits this vulnerability to obtain kernel-level code execution and interacts with security software to carry out its malicious purposes. 

The Embargo's version of MS4Killer differs from the original MS4Killer in that Embargo has hardcoded a list of the processes to be killed into its binary. It has also encrypted the embedded driver blob which is an RC4 hash. Using cloud-based techniques, ESET researchers describe how MS4Killer runs in an endless loop and constantly seeks out processes that need to be terminated.   

MDeployer, a component of the Embargo ransomware attack chain, meticulously logs any errors encountered during its operations in a file named “fail.txt.” Upon completion of the attack — whether by successful ransomware deployment or an error in loader execution halting the attack — the MDeployer initiates a cleanup routine. This process includes terminating the MS4Killer loop and deleting specific files such as praxisbackup.exe, pay.exe, and a vulnerable driver. 

Additionally, it generates a control file named “stop.exe,” which certain MDeployer versions reference to prevent re-execution and, consequently, double encryption. Embargo, developed in Rust, appends each encrypted file with a unique, randomly generated six-character extension combining letters and numbers, such as “.b58eeb.” It also drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each affected directory. The group has established its secure infrastructure for covert communication with victims but provides the option to negotiate through Tox chat as well. 

Although still developing, Embargo shows signs of ambition, borrowing techniques from established ransomware-as-a-service (RaaS) groups. These include implementing the "bring your vulnerable driver" (BYOVD) strategy, exploiting Safe Mode, and leveraging the adaptable Rust programming language. ESET's analysis highlights Embargo’s indicators of compromise (IoCs) and its tactics, techniques, and procedures (TTPs), offering guidance to help organizations defend against this emerging threat.
Read more »
Turkey
CosmicBeetle Cyber Attacks ESET ESET Research Malware Attack ransomware attacks small business security Small Businesses Turkey

CosmicBeetle Exploits Vulnerabilities in Small Businesses Globally

 

CosmicBeetle is a cybercriminal group exploiting vulnerabilities in software commonly used by small and medium-sized businesses (SMBs) across Turkey, Spain, India, and South Africa. Their main tool, a custom ransomware called ScRansom, is still under development, leading to various issues in the encryption process. This sometimes leaves victims unable to recover their data, making the ransomware not only dangerous but also unpredictable. 

Based on analysis by Slovakian cybersecurity firm ESET, CosmicBeetle’s skills as malware developers are relatively immature. This inexperience has led to chaotic encryption schemes, with one victim’s machines being encrypted multiple times. Such issues complicate the decryption process, making it unreliable for victims to restore their data, even if they comply with ransom demands. Unlike well-established ransomware groups that focus on making the decryption process smoother to encourage payment, CosmicBeetle’s flawed approach undermines its effectiveness, leaving victims in a state of uncertainty. 

Interestingly, the group has attempted to boost its reputation by implying ties to the infamous LockBit group, a well-known and more sophisticated ransomware operation. However, these claims seem to be a tactic to appear more credible to their victims. CosmicBeetle has also joined the RansomHub affiliate program, which allows them to distribute third-party ransomware, likely as an attempt to strengthen their attack strategies. The group primarily targets outdated and unpatched software, especially in SMBs with limited cybersecurity infrastructure. They exploit known vulnerabilities in Veeam Backup & Replication and Microsoft Active Directory. 

While CosmicBeetle doesn’t specifically focus on SMBs, their choice of software vulnerabilities makes smaller organizations, which often lack robust patch management, easy targets. According to ESET, businesses in sectors such as manufacturing, pharmaceuticals, education, healthcare, and legal industries are particularly vulnerable. CosmicBeetle’s attacks are opportunistic, scanning for weak spots in various sectors where companies might not have stringent security measures in place. Turkey, in particular, has seen a high concentration of CosmicBeetle’s attacks, suggesting that the group may be operating from within the region. 

However, organizations in Spain, India, and South Africa have also been affected, illustrating the group’s global reach. CosmicBeetle’s focus on exploiting older vulnerabilities demonstrates the need for businesses to prioritize patching and updating their systems regularly. One key issue with CosmicBeetle’s operations is the immaturity of their ransomware development. Unlike more experienced cybercriminals, CosmicBeetle’s encryption tool is in a constant state of flux, making it unreliable for victims. While ESET has been able to verify that the decryption tool technically works, its rapid and frequent updates leave victims uncertain whether they can fully recover their data. To reduce the risk of falling victim to such attacks, SMBs must prioritize several cybersecurity measures. 

First and foremost, regular software updates and patch management are essential. Vulnerabilities in widely used platforms like Veeam Backup and Microsoft Active Directory must be addressed promptly. Businesses should also invest in employee cybersecurity training, emphasizing the importance of recognizing phishing attacks and suspicious links. In addition to these basic cybersecurity practices, companies should back up their data regularly and have robust incident response plans. Having a reliable backup strategy can mitigate the damage in the event of a ransomware attack, ensuring that data can be restored without paying the ransom. Companies should also invest in cybersecurity solutions that monitor for unusual network activity, providing early warning signs of potential breaches.
Read more »
Telegram
Android App Safety APK Files Cyber Attacks ESET ESET Research Malicious Apps Telegram

EvilVideo Exploit: Telegram Zero-Day Vulnerability Allows Disguised APK Attacks

 

A recent zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo,’ has been exploited by attackers to send malicious Android APK payloads disguised as video files. This significant security flaw was first brought to light when a threat actor named ‘Ancryno’ started selling the exploit on June 6, 2024, on the Russian-speaking XSS hacking forum. 

The vulnerability affected Telegram versions 10.14.4 and older. ESET researchers discovered the flaw after a proof-of-concept demonstration was shared on a public Telegram channel, allowing them to analyze the malicious payload. They confirmed that the exploit worked on Telegram v10.14.4 and older, naming it ‘EvilVideo.’ The vulnerability was responsibly disclosed to Telegram by ESET researcher Lukas Stefanko on June 26 and again on July 4, 2024. Telegram responded on July 4, indicating that they were investigating the report. 

Subsequently, they patched the vulnerability in version 10.14.5, released on July 11, 2024. This timeline suggests that threat actors had at least five weeks to exploit the zero-day vulnerability before it was patched. While it remains unclear if the flaw was actively exploited in attacks, ESET shared a command and control server (C2) used by the payloads at ‘infinityhackscharan.ddns[.]net.’ BleepingComputer identified two malicious APK files using that C2 on VirusTotal that masqueraded as Avast Antivirus and an ‘xHamster Premium Mod.’ 

The EvilVideo zero-day exploit specifically targeted Telegram for Android. It allowed attackers to create specially crafted APK files that, when sent to other users on Telegram, appeared as embedded videos. ESET believes the exploit used the Telegram API to programmatically create a message showing a 30-second video preview. The channel participants received the payload on their devices once they opened the conversation. 

For users who had disabled the auto-download feature, a single tap on the video preview was enough to initiate the file download. When users attempted to play the fake video, Telegram suggested using an external player, which could lead recipients to tap the “Open” button, executing the payload. Despite the threat actor’s claim that the exploit was “one-click,” the multiple clicks, steps, and specific settings required for a successful attack significantly reduced the risk. ESET tested the exploit on Telegram’s web client and Telegram Desktop and found that it didn’t work on these platforms, as the payload was treated as an MP4 video file. 

Telegram’s fix in version 10.14.5 now correctly displays the APK file in the preview, preventing recipients from being deceived by files masquerading as videos. Users who recently received video files requesting an external app to play via Telegram are advised to perform a filesystem scan using a mobile security suite to locate and remove any malicious payloads.
Read more »
Threat Intelligence
Cyber Attacks ESET Global Security North Korea Threat Intelligence

Defending Digital Frontiers: Strategies for Organizations in an Unstable World

Global Stability Issues Alter Cyber Threat Landscape

An overview

  • Geopolitical Tensions: Regional stability issues, such as political conflicts and economic tensions, have a direct impact on cyber threats. As geopolitical events unfold, threat actors adapt their strategies to exploit vulnerabilities.
  • Attack Trends: While no groundbreaking attack methods have emerged, existing techniques continue to evolve. Advanced Persistent Threat (APT) groups remain active, targeting government entities, critical infrastructure, and private organizations.
  • Leading Actors: ESET’s research identifies Russia-aligned APT groups as the most prolific attackers. Their sophisticated campaigns target various sectors, including energy, finance, and defense. China-aligned actors follow closely, focusing on espionage and intellectual property theft.

The current landscape

A recent analysis from threat intelligence analysts ESET claims that threat actors are increasing their attacks worldwide, with geographic events determining which locations are most heavily targeted. The principal author of the research recommends that CISOs to intensify their protection plans in light of the activity, even if he claims that no new attack techniques have been discovered.

The director of threat research at ESET, Jean-Ian Boutin said  that current attack methods "still work well." Thus, attackers don't always need to use innovative vectors. According to Boutin, CISOs are defending against these attacks properly; they only need to fortify themselves even more.

Impact on regional stability

The researchers claim that because the primary worldwide assault trends that ESET has identified have been directly impacted by regional stability difficulties, these challenges are also affecting the cyber sphere. The report focuses on activities of specific advanced persistent threat (APT) groups from October 2023 to March 2024, the experts said in the report.

Researchers from ESET also observed that organizations connected with Russia were concentrating on espionage activities throughout the European Union in addition to assaults against Ukraine.

Along with operations against Ukraine, ESET researchers also saw that entities connected with Russia were concentrating on espionage across the European Union. However, the researchers noted that several threat actors with ties to China took use of flaws in software and public-facing hardware, including firewalls and VPNs, as well as Confluence and Microsoft Exchange Server, to gain first access to targets across a variety of sectors.

Analysis of attacks

Using emotions to keep the assault from being disclosed is one of the more recent strategies ESET is witnessing in North Korea; this will probably increase the tactic's usefulness and duration. According to Boutin, the method has been used for years, but North Korean APT organizations are making a small adjustment.

Under the guise of a job application, the hack targets programmers and other technical talent at numerous significant US corporations. The victim is exposed to the malware and the trap is set when the attacker poses as a recruiter for such companies and requests that the victims complete an online test to demonstrate their technical proficiency.

Implications for CISOs

  • Defense Strategies: Organizations must strengthen their defense mechanisms. Proactive threat intelligence, robust network security, and employee training are essential. Zero-day vulnerabilities and supply chain attacks require constant vigilance.
  • Threat Attribution: Understanding threat actors’ motivations and affiliations is crucial. Attribution helps tailor defenses and prioritize resources effectively. Collaboration among security professionals and law enforcement agencies is vital.
  • Risk Assessment: Organizations should assess their risk exposure based on geopolitical events. Consider the impact of regional instability on critical assets and operations. Regular risk assessments inform decision-making.

Read more »
XDSpy
Cyber Attacks ESET F.A.C.C.T. State-sponsored Hackers XDSpy

XDSpy Hackers Target Russian Military Industrial Companies

XDSpy hackers attack military-industrial companies in Russia

XDSpy attcks Russian industries

A cyberespionage group called XDSpy has recently attacked Russian military-industrial enterprises, as per new research. 

XDSpy is said to be a state-controlled hacker, in the game since 2011, that mainly targets counties across Eastern Europe and the Balkans. In its recent November campaign, attackers tried to get entry into the Russian metallurgical enterprise systems and a research organization involved in the production and development of guided missile weapons, as per Russian cybersecurity form F.A.C.C.T.

F.A.C.C.T. — an offshoot of Singapore-based cybersecurity firm Group IB — reported earlier this week that hackers sent phishing emails to their victims, posing as a research organization dealing in nuclear weapon design.

Similiar tacticts used from previous attacks

The group's tactics were similar to those used in their earlier attack on Russian companies, which included a well-known scientific facility in July. During that event, the hackers pretended to be Russia's Ministry of Emergency Situations and sent phishing emails with malicious PDF files. Researchers did not say whether attackers could break into the victims' systems and steal data.

According to F.A.C.C.T., Russia is the major target of XDSpy hackers. According to analysts, the gang used to target the country's government, military, financial institutions, and energy, research, and mining firms.

Even though the group has been active for years, there is no proof of its strikes on Russia, particularly since many foreign cybersecurity companies fled the country following the Russian takeover of Ukraine.

Spearphishing attacks used in attacks

ESET, a cybersecurity firm based in Slovakia, has been monitoring XDSpy's behavior since 2020, and researcher Matthieu Faou said that the group has constantly undertaken spearphishing efforts aimed mostly at important companies in Eastern Europe.

ESET lost first-hand visibility of cyberattacks occurring in Russia and Belarus after leaving these countries, both targets of XDSpy. However, the business announced last week that it had spotted the group's attack on a Ukrainian aerospace company.

Hackers utilized a breach chain nearly identical to the one described by F.A.C.C.T. in this attempt, which was not officially reported by Ukrainian security services and was likely unsuccessful. "We do agree with their analysis and also attribute this to XDSpy," stated Faou.

Despite the group's extensive history, analysts have not been able to pinpoint the country that is funding it. XDSpy may not have an exceptionally sophisticated toolbox, but "they have very good operative defense," according to Faou. "So far, we haven't found any errors that could point toward a specific country."

Russia: Victim of Cyberattack

Because many Western corporations have little access to computer systems in the region, reports about cyberattacks against Russia are rare.

This week, on the other hand, has been jam-packed with reports from Russian cybersecurity organizations. In addition to the XDSpy attack, F.A.C.C.T. recorded a DarkWatchman malware-based strike on Russian banks, telecom providers, logistics organizations, and IT firms. A phishing email was disguised as a newsletter from a Russian courier delivery firm by the hackers. The outcome of these strikes is uncertain.

According to the Russian cybersecurity firm Positive Technologies, which has been sanctioned by the US, another cyberattack was carried out by a new hacker gang called Hellhounds. Hellhounds has already infiltrated at least 20 Russian businesses, including government institutions, technology firms, and space and energy industries.

Rare Wolf hackers were also recorded by the cybersecurity firm BI.ZONE. According to researchers, the gang has targeted approximately 400 Russian companies since 2019.

These assessments do not reveal which countries are responsible for the attacks against Russia. However, analysts at the cybersecurity firm Solar stated in a November report that the majority of state-sponsored attacks against Russia come from North Korea and China, with a primary focus on data theft.


Read more »
ScHackTool
CosmicBeetle cryptocurrency Cyberattacks CyberCrime Cybersecurity ESET malware Remote Desktop Protocol Scarab Ransomware ScHackTool

Scarab Ransomware Toolkit: Unveiling the Ingenious Weaponry

 


In a recent report, cybersecurity researchers from the ESET cybersecurity company highlighted that malware of the Scarab ransomware family has been deployed to spread its variants across global victim organizations using a malicious toolset named Spacecolon. 

ESET has issued an advisory about the vulnerability of the toolset that may allow targeted attackers to penetrate victim organizations by exploiting commonly vulnerable web servers or using brute-force attacks against Remote Desktop Protocol (RDP) credentials to gain entry into victim organizations. As a result of ESET's investigation, it was also discovered that certain Spacecolon versions include Turkish strings, which suggests that a Turkish-speaking developer was involved in the development of these versions.  

According to a detailed technical report released on August 22, 2023, by ESET security researcher Jakub Souek, the Spacecolon malicious toolkit is being used by a cyber campaign that is targeting organizations all over the world to spread various variants of the Scarab ransomware, and it is targeting anti-torture organizations in particular. 

As of May 20, 2023, the most recent build of Spacecolon has been carried out, and the roots of the project can be traced back to as early as May 2020. Despite extensive tracking and analysis, ESET does not yet have an explanation as to what threat actor group is likely to be using the toolset to exploit the system. This has led to the name "CosmicBeetle" being used by the firm for the operators behind Spacecolon due to the similarity of their names. 

The threat actor CosmicBeetle is reported to have infiltrated some companies through misconfigured web servers, and they attempt to brute-force login information for Remote Desktop Protocol (RDP) by accessing misconfigured web servers. There have been victims across several countries who have been identified as having been infected by the Spacecolon virus since May 2020. This includes France, Mexico, Poland, Slovakia, Spain, and Turkey.

An American school in Mexico was attacked by a group of hackers, who chose a hospital and tourist resort in Thailand as their targets, an insurance company in Israel, a Polish government organization, an entertainment company in Brazil, and a Turkish environmental company based in Turkey. Further, Cosmic Beetle may also target unpatched servers that have not yet been updated with security patches, attempting to infiltrate networks by exploiting these vulnerabilities. 

The CosmicBeetle botnet deploys the main Spacecolon component used by CosmicBeetle to compromise vulnerable web servers after CosmicBeetle compromises the target web server. It is called ScHackTool. This type of attack relies heavily on the operating system's GUI and the active participation of operators; the GUI enables operators to orchestrate attacks and download and execute additional tools on demand, according to their requirements, on compromised machines. 

A CosmicBeetle can deploy ScInstaller over the local network and use it to further secure the target. For example, it can use ScInstaller to install ScService, which provides even further remote access to the target. Ultimately, CosmicBeetle deploys the Scarab ransomware variant as its final payload as a part of its campaign. 

A clipboard monitoring software known as ClipBanker is deployed in this variant, which monitors the contents of the clipboard and changes any suspicious contents, e.g. cryptocurrency wallet addresses, into a controlled address that is controlled by the attacker. Additionally, samples of a new ransomware family are being uploaded to VirusTotal from Turkey, suggesting that this family is being developed. 

As a result of the research conducted by ESET, the company is convinced that this malware has been written by the same developers that wrote Spacecolon, a virus that has been named ScRansom by ESET. In addition to it encrypting all hard drives, removable drives, and remote drives, ScRansom also encrypts e-mail. 

The ransomware has not yet been seen in the wild, and the development stage of this ransomware is still at a pre-release stage. First discovered in February 2023, it is most likely that the attacks have changed intact as a result of the discovery of Spacecolon variants released by Zaufana Trzecia Strona. 

Spacecolon is primarily composed of ScHackTool, an orchestrator based on Delphi that deploys an installer that, just as the name implies, installs ScService, a backdoor that can run customized commands, download and execute payloads, and extract information from compromised systems to obtain system information. It is also responsible for incorporating several third-party tools that are retrieved from a remote server, IP address 193.149.185.23, which can be accessed using ScHackTool. They are aimed at exploiting the access provided by ScService to introduce a ransomware variant called Scarab that has the goal of obtaining ransom money from the user. 

The threat actors using Impacket to deliver ScService in place of ScHackTool is also another alternative infection chain identified by ESET, indicating that the threats are experimenting with different techniques to deploy ScService instead of ScHackTool. 

The motives of CosmicBeetle have been financial, as the ransomware payload includes clipper malware that monitors the system clipboard and replaces cryptocurrency wallet addresses with ones the attacker controls through the use of file-sharing programs. 

There is also evidence that suggests that there may be active development of another strain of ransomware known as ScRansom that is actively being developed. AES-128 can be used to encrypt hard drives, removable drives, and networked drives; the encryption key can be derived from a hard-coded string, making the variant suitable for cases when the encryption key must be derived from multiple sources. 

A second issue with CosmicBeetle's malware is the lack of effort to conceal its presence, as well as the fact that their toolset leaves several artifacts behind when compromised machines are compromised, as well as a lack of robust anti-analysis and anti-emulation defenses.
Read more »
WhatsApp
BingeChat ESET ESET Research GravityRAT malware SpaceCobra WhatsApp

GravityRAT: ESET Researchers Discover New Android Malware Campaign


ESET researchers have recently discovered a new Android malware campaign, apparently infecting devices with an updated version of GravityRAT, distributed via messaging apps BingeChat and Chitaco. The campaign has been active since August 2022.

According to ESET researcher Lukas Stenfanko who examined a sample after getting a tip from MalwareHunterTeam, it was found that one of the noteworthy new features seen in the most recent GravityRAT version is the ability to collect WhatsApp backup files.

GravtiRAT

A remote access tool called GravityRAT has been used in targeted cyberattacks on India since at least 2015 and is known to be in use. There are versions for Windows, Android, and macOS, as previously reported by Cisco Talos, Kaspersky, and Cyble. However it is still unknown who is the actor behind GravityRAT, the group has been internally defined as SpaceCobra.

Although GravityRAT has been active since at least 2015, it only began specifically focusing on Android in 2020. Its operators, 'SpaceCobra,' only employ the malware in specific targeting tasks.

Current Android Campaign

According to ESET, the app is delivered via “bingechat[.]net” and other domains or distribution channels, however, the downloads require invites, entering valid login information, or creating a new account.

While registrations are currently closed, this method only enables the threat actors to distribute the malware to targeted users. Additionally, accessing a copy for analysis becomes more difficult for researchers. 

Upon installation on the target's smartphone, the BingeChat app makes dangerous requests for access to contacts, location, phone, SMS, storage, call records, camera, and microphone.

Since these are some typical permissions asked of the users for any instant messaging apps, the malicious app goes unsuspected.

The program provides call records, contact lists, SMS messages, device location, and basic device information to the threat actor's command and control (C2) server before the user registers on BingeChat.

Along with the aforementioned records, files, and document files of jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32 types, have also been compromised.

While SpaceCobra’s malware campaign is mainly targeting India, all Android users are advised to refrain from downloading APKs anywhere other than Google Play and be very careful with potentially risky permission requests while installing any app.

Read more »
VPN
CAN attacks criminals ESET High Tech Method Privacy Stealing VPN

Vehicles Stolen Using High-Tech Methods by Criminals

 


Over the past 20 years, the number of cars stolen in the United States has been reduced by half. However, authorities are now seeing an increasing number of break-ins associated with high-tech techniques being used in these break-ins. 

There has been evidence to suggest that some employees at the Immigration and Customs Enforcement Agency (ICE) misused law enforcement databases to spy on their romantic partners, neighbors, and business partners. 

According to a new dataset obtained through records requests, hundreds of ICE employees and contractors have been under scrutiny since 2016 because they attempted to access medical, biometric, and location data without permission. There are more questions raised by the revelations about ICE's rights to protect sensitive information. 

Local intelligence agencies have found that in the current period, criminals are using sophisticated technology to target high-end luxury cars equipped with keyless entry systems and emergency starting features to commit theft. 

It was noted that the group identified three main methods criminals use to gain access to and steal vehicles with these features across the nation.

There was a video that was captured by Michael Shin of Los Angeles two years ago, where he captured the image of a man opening his car while holding just a backpack. As Shin explained, the man was not prepared to break into the car, as he had no break-in tools in his possession.  An NICB official affirmed that 35 vehicles were tested using this type of system by the NICB. As a result, 18 test cars were opened, started, and driven off by the team, with no problems at all. 

Morris said it was believed that professional criminals have discovered how to build their versions of the devices that the NICB used for its break-in tests. Morris explained that the NICB used devices supplied by a company that works closely with law enforcement on security testing for these tests. 

With criminals discovering how to hack into vehicle security systems and defeat them, car owners must be vigilant to protect their vehicles. As Morris pointed out in his statement, this is a serious reminder of the risks associated with today's cars that function as essentially "computers on wheels." 

In a recent study, ESET researchers discovered that there is a significant amount of sensitive data contained within old enterprise routers. The company purchased an old router and analyzed it, discovering it had login details for the company VPN, hashed root admin passwords, and details of the previous owner. The old routers contained login details for the company VPN and other valuable information. As a result of the information available on the router, it is easy to impersonate the company that sold it previously. Passkeys are going to take over all your passwords in the future, but a messy phase is beginning to emerge in the race to replace all your passwords with them. Getting new technologies off to a good start is among the biggest challenges in introducing them to the market. 

The fact that authorities have been puzzled by this type of break-in in the past has been a source of puzzlement for several years now but insurance investigators now believe that criminals are using key fobs - the little authentication devices you use to access newer models that are “keyless” - to start and unlock cars remotely by simply pushing a button. 

As a result of tests conducted by the research and development team, the group found that the vehicle's computer-controlled systems are being exploited by thieves carrying out highly sophisticated cyber-attacks.

It is important to note that a combination of CAN attacks, FOB relays, and key cloning attacks are among these attacks. 

  • When a CAN Attack occurs, high-tech electronic equipment is used to gain entry to the vehicle's Control Area Network and then access the computer system to start the engine using remote access software. As a result, the vehicle begins working as soon as the engine is started. 
  • By utilizing advanced receivers and transmitters aimed at remote reading the vehicle's security key, Fob Relaying is possible, allowing an attacker to unlock and begin the vehicle even if it is in the owner's possession. 
  • In the third method, a variety of sophisticated techniques and equipment are used to disable the vehicle's alarm system and then clone and steal the security key for the vehicle after the vehicle has been forced entry.
Read more »
Routers Threat
Business Network Cyber Attacks cyber threat CyberCrime ESET Routers Routers Threat

A Corporate Secret is not Destroyed, it's Discarded: Threat of Old Routers

 



Many business network environments probably experience the process of removing a defunct router from a rack and accommodating a shiny refurbished replacement now and then. The fate of the disposed router should be as significant, if not more so, as the smooth transition and delivery of the upgraded kit into the rack. The truth is, however, that this is not always the case. 

Home and business security are threatened by security issues stemming from vulnerabilities in routers. These threats can extend beyond email compromises to security breaches in physical homes. However, despite this, people rarely consider security as a concern when using their devices. According to research, approximately 73% of Internet users never consider upgrading their router or securing their system. Therefore, it can be considered one of the major threats to the Internet of Things.

It surprised the ESET research team that in many cases, previously used configurations had not been wiped away when they purchased a few used routers to setup a test environment, causing them to be shocked upon realizing the data on the routers could be used as a source of identification along with the network configurations of the prior owners. 

The researchers purchased 18 used routers made by three popular vendors: Cisco, Fortinet, and Juniper Networks, in a variety of models. Nine of them were found exactly the way their owners left them, fully accessible. Only five of the remaining ones had been properly wiped by their owners. One of the devices was encrypted, one was dead, and the other was a mirror copy of an encrypted device.  

All nine devices left uncovered appear to contain credentials for the organization's VPN. They also contained credentials for another secure network communication service, or hashed passwords for root administrators of the organization. The identifying data included in all of them was sufficient to identify the previous owner or operator of the router. In addition, it enabled router identification.  

Data gathered from these devices could be used to launch cyberattacks – including customer data, router-to-router authentication keys, list of applications, and several other things, if this data is put into the wrong hands. An attacker could have gained access to a company's digital assets by gaining the initial access necessary to research where they are located and what they might be worth. 

An Internet router serves as the hub of an entire home network. This is where all elements of a smart home are connected to the Internet and share information between them. 

When an attacker infects a router, he or she gains access to the network by which data packets are transmitted. This is the network through which the router operates. By doing this, they can install malicious software on the victims' computers, allowing them to steal sensitive data, private photos, and business files. This is potentially irreparable damage to them as a result of this maneuver. Using the infected router, the attacker can redirect users to phishing websites that look exactly like popular webmail and online banking sites. 

KELA Cybercrime Prevention, a cybercrime prevention company that specializes in cybercrime prevention technologies, has found that the average price for access credentials to corporate networks at the time of the initial unauthorized intrusion is $2,800. This price is based on KELA Cybercrime Prevention research. Considering that a used router purchased for a few hundred dollars could provide a cybercriminal with a significant return on investment, a cybercriminal could purchase a used router for a few hundred dollars out of pocket and use it immediately to access the network with little effort. It is assumed that they will simply strip off the access data and sell it on the dark web instead of launching a full-scale cyberattack themselves, although that may very well be the case. 

As a result of the findings of the ESET researchers, organizations may believe that they are conducting business responsibly by contracting with a device-management firm outside their own. 

Those in the e-waste disposal business, or even device-sanitization services that promise to wipe large volumes of corporate devices for resale can be counted on to take care of that for you. 

On the other hand, it may be that these third parties are not performing whatever they claim in practice. Considering that mainstream routers come with encryption and other security features, more organizations might benefit from them to mitigate the negative impacts of fallout should devices that have not been wiped end up roaming the world with no security features. 

Ensure that your router is protected from cybercriminals' attacks by following these steps:

  • There are risks associated with buying second-hand smart appliances. Previous owners of such products may have modified the alarm system firmware so that a remote attacker can collect all the data.
  • It is very important that you change the default password of your account. You should choose a complex password and change it regularly.
  • On social networks, you should not share serial numbers, IP addresses, or other sensitive information concerning your smart devices. 
Read more »
Trojan Attacks
Antivirus APT Backdoor Botnets Cyber Crime Endpoint ESET Symantec Trojan Attacks

Hacker Group Cranefly Develops ISS Method

The novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs has been used to install backdoors and other tools by a recently leaked dropper. Cybersecurity experts at Symantec claimed an attacker is utilizing the malware known as Cranefly also known as UNC3524 to install Trojan. Danfuan, another undocumented malware, as well as other tools.

Mandiant reported that Cranefly mainly targeted the emails of individuals who specialized in corporate development, merger and acquisitions, and significant corporate transactions when it was originally founded in May. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment without support for security measures.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory now claims that UNC3524 used Hacktool-based backdoors in some instances. Multiple advanced persistent threat (APT) clusters use the open-source technology Regeorg.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group as evidenced by the adoption of a new method in conjunction with the bespoke tools and the measures made to conceal their activity.

On its alert and Protection Bulletins website, Symantec lists the indicators of compromise (IoC) for this attack. Polonium is another threat actor that usually focuses on gathering intelligence, and ESET recently saw Polonium utilizing seven different backdoor variants to snoop on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.



Read more »
Subscribe to: Posts (Atom)