
Linux Malware GTPDOOR Exploits GPRS Roaming Networks to Target Telecom Companies


Security analysts have uncovered a new Linux malware named GTPDOOR, designed for deployment within telecom networks adjacent to GPRS roaming exchanges (GRX). What distinguishes this malware is its use of the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.

GPRS roaming lets subscribers use their services even outside their home mobile network's coverage area. It relies on a GRX, which carries roaming traffic over GTP between the visited and home Public Land Mobile Networks (PLMNs).

Security expert haxrob, who stumbled upon two GTPDOOR artifacts uploaded to VirusTotal originating from China and Italy, suggests that this backdoor is likely linked to a known threat actor identified as LightBasin (also known as UNC1945). 

CrowdStrike previously disclosed this actor in October 2021 for a series of attacks targeting the telecom sector to pilfer subscriber data and call metadata.

Upon execution, GTPDOOR first changes its process name to '[syslog]', mimicking a syslog process spawned by the kernel, and opens a raw socket so the implant can receive UDP messages arriving on the network interfaces.

Essentially, GTPDOOR lets a threat actor with established persistence on the roaming exchange network communicate with a compromised host by sending GTP-C Echo Request messages carrying a malicious payload.

These GTP-C Echo Request messages serve as a conduit for transmitting commands to execute on the infected system and relaying results back to the remote host. Furthermore, GTPDOOR can be discreetly probed from an external network by sending a TCP packet to any port number. If the implant is active, it returns a crafted empty TCP packet along with information on whether the destination port was open or responsive on the host.

According to the researcher, GTPDOOR appears tailored to reside on compromised hosts directly linked to the GRX network, which are the systems communicating with other telecommunication operator networks via GRX.
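As an added example (not from the researcher's write-up or this post), the following Python parses GTPv1-C headers and flags Echo Requests that carry trailing data, the behaviour the post attributes to GTPDOOR. The packet samples are constructed, and the assumption that a legitimate Echo Request carries at most a Private Extension IE follows 3GPP TS 29.060.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ECHO_REQUEST = 1            # GTPv1-C message type for Echo Request
PRIVATE_EXTENSION_IE = 255  # the only IE a legitimate Echo Request may carry

@dataclass
class GtpV1Message:
    msg_type: int
    teid: int
    seq: Optional[int]
    trailing: bytes         # whatever follows the (optional) header fields

def parse_gtpv1(pkt: bytes) -> GtpV1Message:
    """Parse the mandatory 8-octet GTPv1 header plus its optional fields."""
    if len(pkt) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 message")
    body = pkt[8:8 + length]
    if len(body) != length:
        raise ValueError("truncated GTP body")
    seq = None
    # If any of the E, S or PN flag bits is set, all four optional octets
    # (sequence number, N-PDU number, next extension header type) are present.
    if flags & 0x07:
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return GtpV1Message(msg_type, teid, seq, body)

def classify_echo(pkt: bytes) -> str:
    """Label an Echo Request by what it carries beyond its header."""
    msg = parse_gtpv1(pkt)
    if msg.msg_type != ECHO_REQUEST:
        return "not-echo-request"
    if not msg.trailing:
        return "benign"
    if msg.trailing[0] == PRIVATE_EXTENSION_IE:
        return "private-extension"   # legitimate, but worth a closer look
    return "suspicious"              # Echo Request carrying data it should not

def build_echo_request(seq: int, trailing: bytes = b"") -> bytes:
    """Constructed sample: flags 0x32 = version 1, PT=1, S=1 (sequence present)."""
    body = struct.pack("!HBB", seq, 0, 0) + trailing
    return struct.pack("!BBHI", 0x32, ECHO_REQUEST, len(body), 0) + body

if __name__ == "__main__":
    print(classify_echo(build_echo_request(1)))                      # benign
    print(classify_echo(build_echo_request(2, b"\xde\xad\xbe\xef")))  # suspicious
```

In practice you would feed it the UDP payloads of port 2123 traffic captured on the GRX-facing interface and alert on the "suspicious" label.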

Qilin Ransomware Strikes VMware ESXi

The ransomware strain Qilin has surfaced as a new threat to systems running VMware ESXi. Observers have expressed concern that this Linux version of Qilin exhibits a targeted and advanced strategy aimed specifically at virtualized systems.

Qilin, named after a mythical creature in Chinese folklore, has taken its name seriously in the cyber realm, wreaking havoc on Linux-based systems. The malware, as detailed in reports from leading cybersecurity sources like Bleeping Computer and Linux Security, has homed in on VMware ESXi, a widely used virtualization platform.

The Qilin ransomware has raised concerns due to its ability to compromise the core infrastructure of organizations. VMware ESXi, being a popular choice for virtualization in data centers, has become a prime target. The attackers employ advanced techniques to exploit vulnerabilities in ESXi servers, encrypting critical data and demanding a ransom for its release.

GridinSoft, a cybersecurity company, has provided insights into the modus operandi of Qilin. Their analysis reveals the ransomware's deliberate focus on virtual machines, particularly those hosted on VMware ESXi. The attackers leverage vulnerabilities in ESXi versions, emphasizing the need for organizations to update and patch their systems promptly.

The cybersecurity community is actively collaborating to understand and counter the Qilin threat. As organizations scramble to bolster their defenses, it's crucial to stay informed about the evolving nature of the ransomware landscape. Constant vigilance, regular updates, and a robust backup strategy are imperative to mitigate the risks associated with Qilin and similar cyber threats.

Although the Qilin ransomware is a significant concern in itself, it also highlights the larger problem of how constantly cyber threats change. According to a cybersecurity expert, "attackers are getting more skilled at focusing on critical infrastructure, and the landscape of cyber threats is dynamic. To protect against such harmful operations, cybersecurity measures that are proactive and vigilant are vital."

The Qilin ransomware, which was first discovered to target VMware ESXi, is a clear reminder of how sophisticated cyber threats are getting. To strengthen their defenses against such powerful adversaries, organizations must prioritize cybersecurity procedures, such as patch management, regular upgrades, and reliable backup plans.

Monti Ransomware Strikes Government Systems Again

The notorious Monti ransomware has made an ominous comeback and is now targeting government organizations. Recent reports from cybersecurity professionals indicate that this malware version has reappeared with a new and powerful encryptor, specifically targeting Linux-powered devices. The cybersecurity community has been shaken by this development, which has prompted increased vigilance and efforts to block its advance.

The Monti ransomware first gained notoriety for its sophisticated tactics and high-profile targets. Over the years, it has undergone several transformations to enhance its capabilities and expand its reach. Its focus on government entities raises concerns about potential disruptions to critical services, sensitive data leaks, and economic implications.

Security researchers at Trend Micro have identified the ransomware's latest campaign, which involves a newly designed encryptor tailored to Linux-based systems. This adaptation showcases the malware operators' determination to exploit vulnerabilities in various environments, with a clear emphasis on government networks this time. The attackers deploy phishing emails and exploit software vulnerabilities to gain unauthorized access, underlining the importance of consistent software updates and employee training in cybersecurity best practices.

The ramifications of a successful Monti ransomware attack on government systems could be dire. It could lead to halted public services, jeopardized confidential information, and the potential compromise of national security. As the attackers continue to refine their techniques, the need for a multi-layered security approach becomes paramount. This includes robust firewalls, intrusion detection systems, regular data backups, and continuous monitoring to promptly identify and mitigate any potential breaches.

The Monti ransomware's resurgence is further evidence of how cyber threats keep changing. Cybercriminals are not only enhancing their attack vectors but also broadening their targets to include industries that house sensitive data and essential infrastructure. To stop the ransomware's comeback effectively, government agencies, businesses, and cybersecurity specialists must work together to exchange threat intelligence, best practices, and preventative measures.

Security companies are working hard to investigate the ransomware's behavior, extract the decryption keys, and create solutions that might be able to mitigate its effects in response to this most recent threat. However, prevention is still the best course of action. Government organizations must prioritize cybersecurity by putting money into cutting-edge technology, doing frequent vulnerability scans, and encouraging a cybersecurity awareness culture among staff members.

Linux Malware Set to Be Deployed by North Korean APT Group

There is growing evidence that North Korean actors were responsible for the 3CX software supply-chain attack, as found by ESET researchers. A newly discovered piece of Linux malware adds to the evidence that a North Korean group compromised the supply chain.

In analyzing the backdoor, researchers from cybersecurity firm ESET found that it was tied to Pyongyang's latest fake job recruitment campaign, Operation Dream Job, which lures targets with bogus job offers. The ESET report indicates that North Korean hackers produce and use malware that runs on all major desktop operating systems, including Windows, macOS, and Linux.

The Linux malware has no direct connection to the 3CX supply-chain attack disclosed in late March and attributed to the Lazarus Group. Even so, ESET researchers said they were confident that the 3CX attack was conducted by this group, although it does not appear related to the Linux malware. As the name suggests, Lazarus is less a distinct organization than an umbrella term for a variety of North Korean hacking groups, some state-sponsored and some criminal, that work for the Hermit Kingdom and are based in the country.

The trojanizing of 3CX's software by North Korean hackers was publicly reported in late March, along with the theft of its source code. A research team from Mandiant reported this week that it had traced the source of the infection to an earlier attack on Trading Technologies' software supply chain.

Trading Technologies develops software used in financial trading. Researchers from Symantec said on Friday that they had identified, earlier this week, two more victims of the Trading Technologies hack.

From the very start of this investigation there was little doubt that the 3CX case had a North Korean connection. On March 29, a CrowdStrike engineer posted a message on a Reddit thread reporting as much.

A North Korean nexus was also confirmed in a preliminary report to 3CX by Mandiant, which was hired to investigate the breach. Sophos, Check Point, Broadcom, Trend Micro, and other security companies have also provided summaries of the events, and most attribute the compromise to a group aligned with North Korea, citing various reasons.

According to its website, 3CX has more than 600,000 customers, including big names such as American Express, BMW, Air France, Toyota, and IKEA. A Shodan search conducted on March 30 found over 240,000 exposed 3CX phone management systems. Huntress, a managed security service provider, reported on March 13 that it had received 2,783 incident reports in which the binary 3CXDesktopApp.exe matched known malicious hashes while carrying a certificate issued to 3CX.

The lure for the Linux backdoor revealed by ESET researchers was a job offer purporting to come from HSBC, a British multinational bank with a presence in more than 155 countries. Anyone who double-clicked the PDF offer letter is believed to have downloaded the backdoor ESET calls SimplexTea, built for Linux, an operating system known for its lack of security.

SimplexTea resembles Bluecall, a previously identified North Korean backdoor for Windows, including in the way both use domains to construct TLS connections.

It is also worth noting that SimplexTea uses the same core implementation of the A5/1 cipher that North Korean hackers used in the sabotage of Sony Pictures over the release of the comedy "The Interview", which depicts Kim Jong Un's death in a fiery helicopter crash.

Beyond this direct connection, ESET also notes that SimplexTea shares network infrastructure with the trojanized VoIP software used as the backdoor in the 3CX attack: both use journalide.org as a command-and-control domain, and the SimplexTea malware and the 3CX malware load their configuration files in a similar way.

In its statement, ESET identifies the North Korean actors as the Lazarus Group. Mandiant, however, has attributed the activity to UNC4736, also known as AppleJeus, a financially motivated Pyongyang hacking cluster.

According to Conversant Group's chief executive officer, John Anthony Smith, this Linux-based malware attack shows how threat actors are continuously expanding their arsenals, targets, tactics, and reach to circumvent security controls and practices in place. There is a growing trend among threat actors to expand the range of their malware variants to affect more systems, he added.