Search This Blog

Showing posts with label Internet Explorer. Show all posts

Latest Phishing Campaign Deploys Malware and Steals Critical Information

A phishing campaign on a massive scale is targeting Windows PC and wants to deploy malware that can hack usernames, passwords, contents of the crypto wallets, and credit card credentials. Malware named RedLine Stealer is provided as a malware-as-a-service scheme, giving amateur level cybercriminals the option to steal various kinds of critical personal information, for amounts as much as $150. The malware first surfaced in 2020, but RedLine recently added a few additional features and is widely spread in large-scale spam campaigns in April. 

The phishing email campaign includes a malicious attachment which, if active, starts the process of deploying malware. Hackers target users (mostly) from Europe and North America. The malware uses CVE-2021-26411 exploits discovered in Internet Explorer to send the payload. The vulnerability was revealed last year and patched, to limit the malware's impact on users who are yet to install the security updates. Once executed, RedLine Stealer does starting recon against the target system, looking for information that includes usernames, the type of browser that the user has, and if an antivirus is running in the system. 

After that, it finds information to steal and then extracts passwords, credit card data, and cookies stored in browsers, crypto wallets, VPN login credentials, chat logs, and information from files. Redline can be bought from the dark web, hackers are offered services on different hierarchical levels, this shows how easy it has become to buy malware. Even noob hackers can rent the software for $100 or get a lifetime subscription for $800. 

The malware is very simple, but very effective, as it can steal vast amounts of data, and inexperienced hackers can take advantage of this. ZDNet reports "it's possible to protect against Redline by applying security patches, particularly for Internet Explorer, as that will prevent the exploit kit from taking advantage of the CVE-2021-26411 vulnerability." The users should keep their operating systems updated, anti-virus and apps updated, to prevent known vulnerabilities from getting exploited for distributing malware.

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

 

Hackers are deploying the Gh0stCringe remote support trojans on vulnerable computers by inadequately targeting secured Microsoft SQL and MySQL database servers. 

Gh0stCringe, also known as CirenegRAT, is a Gh0st RAT malware variant that was most recently used in Chinese cyber-espionage activities in 2020, however, it has been around since 2018. The malware has several instructions and functionalities which can be activated after the malware connects to its command and control server, or through data stored in the virus's settings. 

Attackers can use Gh0stCringe to download payloads like crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger, which records input data in the Default. key file in the Windows System directory if it is activated. 

Threat actors are infiltrating database servers and writing the malicious'mcsql.exe' executable to disc utilizing the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to the Microsoft SQL server attempts, which used the Microsoft SQL xp cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous malware samples on the investigated servers, implying potentially competing threat actors are infiltrating the same servers to drop payloads with its own operations.

Gh0stCringe RAT is a strong virus that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the enemies. For an endless loop, the keylogging component uses the Windows Polling method (GetAsyncKeyState API) to ask the state of each key. This otherwise dependable recording mechanism carries the risk of very high CPU utilization, however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware will also record keystrokes for the previous three minutes and send them to the infection's command and control servers along with basic system and network information. 

Threat actors will be able to steal login passwords and other sensitive information that logged-in users entered on the device using these logged keystrokes. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode which the threat actor can choose from during deployment.

Update your server software to install the most recent security upgrades, which can help you avoid a variety of attacks to make use of known flaws. It's also critical to use a secure admin password that can't be brute-forced. The most important step is to put the database server behind a firewall to only allow authorized devices to connect to it.

Magniber Ransomware Group now Shifted to Exploiting Internet Explorer Flaws

 

The Magniber ransomware group is now infecting users and encrypting their devices via two Internet Explorer vulnerabilities and fraudulent advertising. CVE-2021-26411 and CVE-2021-40444 are the two Internet Explorer vulnerabilities, both with a CVSS v3 severity score of 8.8. 

The first, CVE-2021-26411, is a memory corruption bug that may be triggered by visiting a skillfully constructed website. It was resolved in March 2021. The second flaw, termed CVE-2021-40444, is essentially a remote code execution flaw in Internet Explorer's rendering browser engine. This has an 8.8 rating as well.

Magniber was caught breaching Windows servers in August exploiting the 'PrintNightmare' vulnerabilities, which took Microsoft a considerable time to fix because of their impact on printing. According to Tencent security experts who discovered "new" payloads, the most recent Magniber activity focused on attacking Internet Explorer vulnerabilities utilising malvertising that distributes exploit kits. 

One probable reason for this trend is that Microsoft has substantially solved the 'PrintNightmare' vulnerabilities over the last four months, and the news has been widely broadcasted, compelling administrators to implement security upgrades. Another reason Magniber may have chosen Internet Explorer vulnerabilities is that they are remarkably easy to exploit, relying merely on the recipient's willingness to open a file or webpage to activate them. 

Targeting an old, unpopular browser like Internet Explorer may appear weird. However, according to StatCounter, IE still accounts for 1.15 per cent of worldwide page views. Although this is a small fraction, StatCounter monitors approximately 10 billion page views every month, equating to 115,000,000 page views by Internet Explorer users. 

Furthermore, because Firefox and Chromium-based browsers, such as Google Chrome and Microsoft Edge, use an auto-update system that immediately protects users from known vulnerabilities, it is much more difficult to target them. 

About the Magniber group 

The Magniber group is notorious for exploiting security flaws in order to get access to computers and spread ransomware. They started their operations in 2017, and they are considered the successors of the Cerber ransomware.

Initially, they primarily targeted victims in South Korea. The gang then expanded its activities to other Asian nations such as China, Singapore, and Malaysia. Magniber's reach has grown to the point that it now affects exclusively Asian businesses and organizations. 

The Magniber ransomware has been under active development since its release, and its payload has been totally rebuilt three times. Because it is yet uncracked, there is no decryptor available to assist users to recover any data that have been encrypted by this strain. 

Lastly, because Magniber does not follow the trend of file-stealing and double-extortion, their assaults are confined to file encryption.

With Safari Zero-Day Attacks, Russian SVR Hackers Targeted LinkedIn Users

 

Google security experts revealed details on four zero-day vulnerabilities that were undisclosed until they were exploited in the wild earlier this year. After discovering exploits leveraging zero-day vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the engine used by Apple's Safari web browser, Google Threat Analysis Group (TAG), and Google Project Zero researchers discovered the four security issues. 

CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit were the four zero-day exploits found by Google researchers earlier this year while being abused in the wild. "We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT," Google Threat Analysis Group's Director Shane Huntley said. "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020," Google researchers added. "While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend." 

Despite the fact that the zero-day flaws for Chrome and Internet Explorer were developed and sold by the same vendor to customers all over the world looking to improve their surveillance capabilities, they were not employed in any high-profile operations. The CVE-2021-1879 WebKit/Safari bug, according to Google, was used "to target government officials from Western European countries by sending them malicious links," via LinkedIn Messaging. 

The attackers were part of a likely Russian government-backed actor employing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7), according to Google experts. While Google did not link the exploit to a specific threat group, Microsoft claims it is Nobelium, the state-sponsored hacking group responsible for the SolarWinds supply-chain attack that resulted in the compromise of numerous US federal agencies last year. 

Volexity, a cybersecurity firm, also attributed the attacks to SVR operators based on strategies used in earlier attacks dating back to 2018. In April, the US government charged the Russian Foreign Intelligence Service (aka SVR) for conducting "a broad-scale cyber-espionage campaign" through its hacking group known as APT29, The Dukes, or Cozy Bear. The attacks were designed to "collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP," according to Google.

Hackers Used Internet Explorer Zero-Day Vulnerability To Target Security Researchers

 

In recent times, during the attacks against the security and vulnerability researchers in North Korea, an Internet Explorer zero-day vulnerability has been discovered. The zero-day vulnerability is a computer software vulnerability unknown to individuals who need to minimize the harm. Hackers may use the vulnerability to change computer systems, files, machines, and networks to the detriment of the vulnerability. 

Google announced last month that the Lazarus-sponsored state-based North Korean hacking community carried out attacks on security scholars in social engineers, wherein the hacking community used social networks as a tool to target security researchers and used custom backdoor malware. The Lazarus group is a North Korea based persistent threat group (APT), which has gained a lot of prominence in the preceding years as various CyberAttacks have been attributed to the threat group. 

The threat actors have developed comprehensive online "security researcher" personas who then use social media to connect with renowned security researchers to contribute to the vulnerability and exploit growth to execute their attacks. 

In this regard, the attackers have sent malignant Visual Studio Projects and links to the website that hosts the exploit kits to install backdoors in the computers of the researchers. Microsoft also announced that it had monitored the assault and saw Lazarus exchanging MHTML files containing malicious java scripts with the researchers. The server command and control at the time of the investigation was down and therefore no further payloads were investigated by Microsoft. 

Recently in this social-engineering campaign, South Korean cybersecurity company ENKI claimed that Lazarus attacked MHTML files on their squad. Although the attacks were ineffective, they analyzed payloads downloaded from MHT files and found that they contained a vulnerability exploit for Internet Explorer. 

MHT/MHTML is a file format that is used by Internet Explorer to store a web page and services in one file. MHT / MHTML file is sometimes also known as MIME HTML. The MHT file transmitted to ENKI investigators was confirmed to be an exploit of Chrome 85 RCE and called "Chrome_85_RCE_Full_Exploit_Code.mht." 

On further executing the MHT/MHTML file, Internet Explorer will automatically start to display the MHT file contents. ENKI stated that a malicious javascript would download two payloads with one containing a zero-day version of Internet Explorer if the execution of the script was allowed. ENKI has affirmed that they have reported the bug to Microsoft and for which they were later contacted by a Microsoft employee. 

Concerning the aforementioned incident, Microsoft has said that they have investigated every aspect of the report and will surely provide an update in near future, “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

Maze Ransomware and its Various Campaigns Continue to Threaten the Cyber World


Ever since this year began, the Maze ransomware has been hitting headlines. Recently researchers discovered more samples of Maze in numerous industries making it one of the major threats for the cyber-world.

Another form of the "ChaCha" ransomware, Maze surfaced in mid-2019 and has been wreaking havoc ever since, across continents and any organization it could get it hands-on.

Per sources, Maze is most usually dispensed by way of emails loaded with malicious Exel and Word attachments. But that’s not the only method of distribution.

According to reports, cyber-criminals also use “exploit kits” by the name of “Spelevo”. Sources mention that in previous cases it has been used to exploit Flash Player vulnerabilities, CVE-2018-15982 and CVE-2018-4878. Other exploits that Maze has abused include CVE-2018-8174 (Internet Explorer) and CVE-2018-1150 (Pulse VPN).

Maze ransomware initially tries to get a strong idea of the target device’s internal surroundings and begins to create a place for itself. Once that’s done it tries to access user privileges to carry lateral movements and kick start the file encryption throughout drives. But, before the encryption, files are exfiltrated so as to be used for future compulsion in any way possible.

If the security system of a device isn’t laden with necessary protective gauges it could possibly crash completely under the pressure of Maze ransomware. The infection could put sensitive information at large and incapacitate operations almost killing the company’s finances.

Per sources, Maze ransomware has shown its hold across industries like construction, education, energy, finance, government, healthcare, hospitality, law, life sciences, media and communications, pharma, technology, and telecommunications. McAfee, in March, made available a detailed report about the Maze ransomware.

According to a report, there’s an “Anti-Ransomware Protection module” which hunts ransomware related encryption-based activities. It allows users to keep track of the activities.

Per sources, lately, Maze ransomware was spotted compromising several IT service providers. It also set up a footing in another victim device’s network via insecure Remote Desktop Protocol or by using brute-force on the account of the local administrator.
Cloud backups too aren’t safe from the Maze ransomware because they are widely tracked on the vulnerable networks. With the login credentials, all backed-up data could be sent to the threat-actors via a server under their control.

The solution for any such occurrences is as repetitive as ever; stronger security mechanisms, better passwords especially remote systems with remote access possibilities and of course, heftier protection measures.



Internet Explorer Targeted by North Korean Hackers: How to Stay Safe?



In a recent cybersecurity issue, some hackers from North Korea are attacking Internet Explorer by exploiting a vulnerability, which is said to be a zero-day flaw. The company Microsoft has not yet spoken on the issue and is still silent. 



Users should immediately stop using Internet Explorer for a while to stay safe from the hackers, suggest cybersecurity experts. If the users still prefer to use Microsoft software, they can download the latest Edge Browser by Microsoft. The Edge browser is safe from the attack as well as offers a better user experience while browsing than Internet Explorer. Other secured browsers include Google Chrome and Mozilla Firefox.

But if the users still want to use the traditional software, cybersecurity experts at Tom's Guide suggest downloading a limited time user account that is safe for any software modification.

Microsoft has scheduled to release its next security patch, not until the 11th of February, therefore, its a long wait before the latest update is issued.

Microsoft reveals the Flaw-

In an online advisory published on 17th January, Microsoft explained the vulnerability, saying the flaw allows the hacker to corrupt the memory and perform arbitrary coding. If achieved successfully, the hacker has full access to the system, the same as the genuine user.

"Let us imagine a scenario where the hacker hosts a website on the web, which is specially made to exploit the vulnerability via Internet Explorer, in this case, the hacker can lure the user to visit the website by sending him emails," says Microsoft.

Once the hacker has access to the admin user rights, the user system is hacked and the hacker has command over the system. He can modify the programs, install or delete any existing software or worse, delete important data.

The hackers are likely to be from North Korea-

One should not ignore this vulnerability because it has ties to hackers from North Korea. The attack on Internet Explorer seems to be similar to the one that affected the Mozilla firefox. Researchers at Qihoo 360 discovered the attack and accused Darkhotel, a group of hackers from North Korea, for carrying out this activity.

Microsoft Advises Its Users to Stop Using Its Legacy Internet Explorer Web Browser


Microsoft's cyber security expert Chris Jackson advises users to quit utilizing the 'legacy' internet browser, which Microsoft formally ended in 2015 encouraging them to move to a much more 'modern browser' that is fully informed regarding current web guidelines as well as standards.

In a blog entry post the 'Perils of using Internet Explorer as your Default Browser ' Jackson clarified with explanation with several reasons as to why the users should switch.

“Internet Explorer is a compatibility solution, we're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers.”


'...As new apps are coming out with greater frequency, what we want to help you do is avoid having to miss out on a progressively larger portion of the web,' he adds later.

While he includes further that it's commonly fine for users to utilize Internet Explorer in an undertaking situation, yet they would secure themselves better on the off chance if they change to a more up to date browser.