
Researchers Discover Kimsuky Infra Targeting South Korean Politicians and Diplomats


Kimsuky, a North Korean nation-state group, has been linked to a new wave of nefarious activity targeting political and diplomatic entities in South Korea in early 2022.

The cluster was codenamed GoldDragon by Russian cybersecurity firm Kaspersky, with infection chains resulting in the deployment of Windows malware designed to collect file listings, user keystrokes, and login credentials stored in web browsers. South Korean university professors, think tank researchers, and government officials are among the potential victims.

Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gather intelligence on various topics of interest to the regime.

The group, which has been active since 2012, has a history of using social engineering tactics, spear-phishing, and watering hole attacks to obtain sensitive information from victims.

Late last month, cybersecurity firm Volexity linked the actor to an intelligence-gathering mission aimed at siphoning email content from Gmail and AOL using Sharpext, a malicious Chrome browser extension.

The latest campaign employs a similar tactic, with the attack sequence initiated by spear-phishing messages carrying macro-embedded Microsoft Word documents that purportedly contain content related to geopolitical issues in the region. Alternative initial access routes are also said to use HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys to compromise the system.

Whatever method is used, the initial access is followed by a remote server dropping a Visual Basic Script that fingerprints the machine and retrieves additional payloads, including an executable capable of exfiltrating sensitive information.

The attack is unusual in that it sends the victim's email address to the command-and-control (C2) server when the recipient clicks a link in the email to download additional documents. If the request does not include the expected email address, a harmless document is returned instead.

To complicate matters even further, the first-stage C2 server forwards the victim's IP address to another VBS server, which compares it to an incoming request generated after the target opens the bait document. The two C2 servers' "victim verification methodology" ensures that the VBScript is distributed only when the IP address checks are successful, indicating a highly targeted approach.
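The victim verification described above only works because the download link carries the recipient's address. As an added defender-side example (this is not Kaspersky's code and uses constructed links on a hypothetical domain), the following check flags links that embed an e-mail address in the query string or path, whether in clear text, percent-encoded or base64-encoded, which is a useful mail-gateway signal for personalised lure links:

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def _decoded_forms(value):
    """Yield the value as-is, percent-decoded, and base64-decoded when
    it decodes to clean ASCII (anything else is skipped, not reported)."""
    yield value
    yield unquote(value)
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            yield decoder(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue

def find_tracked_emails(url):
    """Return e-mail addresses carried in the URL's query values or path
    segments, lower-cased, in the order they were found."""
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += [seg for seg in parts.path.split("/") if seg]
    found = []
    for cand in candidates:
        for form in _decoded_forms(cand):
            for addr in EMAIL_RE.findall(form):
                if addr.lower() not in found:
                    found.append(addr.lower())
    return found

def link_targets_recipient(url, recipient):
    """True if the link carries the recipient's own address, i.e. the
    server can tell exactly who clicked before deciding what to serve."""
    return recipient.lower() in find_tracked_emails(url)

# Constructed sample links (hypothetical domain and user, not from the report).
SAMPLE_LINKS = {
    "plain": "https://docs.example.invalid/view?doc=agenda.docx&u=kim.lee%40example.invalid",
    "encoded": "https://docs.example.invalid/d/"
               + base64.urlsafe_b64encode(b"kim.lee@example.invalid").decode()
               + "/agenda.docx",
    "clean": "https://docs.example.invalid/view?doc=agenda.docx",
}
```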

"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it's tough to acquire a full-infection chain," Kaspersky researcher Seongsu Park concluded.

Russian Sberbank: Facing Massive Waves of DDoS Attacks


Sberbank, Russia's banking and financial services company, has been the target of unprecedented hacking attacks. The bank was hit by the largest distributed denial-of-service (DDoS) attack in its history earlier this month. Thousands of internet users have been targeting Sberbank in recent months, according to Sergei Lebed, vice president and director of cybersecurity at Sberbank, who spoke to the audience at the Positive Hack Days conference. 

Sberbank is Russia's largest financial institution and Europe's third-largest, with total assets exceeding $570 billion. Following Russia's invasion of Ukraine, the entity was among the first to be sanctioned, and its operations on the European continent have been severely limited as a result. Since the beginning of the crisis in February, hackers aligned with Ukraine have targeted Sberbank. 

This activity, according to the bank, is ongoing. Sberbank claims to have repelled the most significant DDoS attack it has ever witnessed on May 6, 2022, with a rate of 450 GB/sec. DDoS assaults deplete resources, making online services inaccessible to clients and causing business interruption and financial losses.

A botnet with 27,000 compromised devices in the United States, the United Kingdom, Japan, and Taiwan generated the malicious traffic that enabled the attack against Sberbank's main website. According to Lebed, fraudsters employed various strategies to carry out this cyberattack, including code injections into advertising scripts, malicious Chrome extensions, and DDoS-wielding Docker containers. 

As per Lebed, the bank has detected over 100,000 internet users hitting it in the last few months, with 46 simultaneous DDoS attempts on various Sberbank services reported in March. Many of these attacks took advantage of online streaming and movie theatre traffic, a strategy also used by pro-Russian threat groups against critical Ukrainian websites. Visitors' web browsers run carefully constructed code found in injected scripts, which generates a large number of requests to certain URLs, in this case under Sberbank's domain.
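Browser-driven floods of the kind described above leave a distinctive trace on the target's web server: many unrelated client IPs hitting the same endpoint at high rates, all carrying a Referer from the same third-party site where the script was injected. As an added example (not Sberbank's or Radware's code; it uses a constructed access log with hypothetical addresses and domains), the following groups combined-format log lines by third-party referer host and flags hosts from which several distinct clients each request at an abnormal rate:

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "referer_host": urlsplit(m["referer"]).hostname or ""}

def suspicious_referers(lines, own_domain, min_rate=5.0, min_clients=3):
    """Return third-party referer hosts from which at least min_clients
    distinct client IPs each sent requests at >= min_rate per second."""
    by_ref = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        host = rec["referer_host"] if rec else ""
        if not host or host == own_domain or host.endswith("." + own_domain):
            continue
        by_ref[host][rec["ip"]].append(rec["time"])
    flagged = {}
    for host, clients in by_ref.items():
        fast = 0
        for times in clients.values():
            span = (max(times) - min(times)).total_seconds() or 1.0
            if len(times) / span >= min_rate:
                fast += 1
        if fast >= min_clients:
            flagged[host] = {"fast_clients": fast,
                             "requests": sum(len(t) for t in clients.values())}
    return flagged

# Constructed sample log (hypothetical addresses/domains): three browsers sent
# to a streaming site each fire six hits within a second, plus one normal visit.
def _line(ip, sec, referer):
    return (f'{ip} - - [06/May/2022:10:00:{sec:02d} +0300] "GET /api/rates HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')

SAMPLE_LOG = [_line(f"198.51.100.{i}", j // 3, "https://stream.example.invalid/player")
              for i in range(1, 4) for j in range(6)]
SAMPLE_LOG.append(_line("203.0.113.9", 7, "https://search.example.invalid/"))
```

Thresholds are deliberately conservative here; in production they would be tuned per endpoint, and the Origin header (sent on cross-site fetch/XHR) is a second, harder-to-omit signal for the same correlation.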

"Today, the bank faces cyberattacks around the clock. Sberbank's Security Operation Center analyzes cyber threats 24/7 and promptly responds to them," stated Sergei Lebed.

"However, when it comes to companies in other sectors, most of them have never encountered anything like this before and may suffer damages," cautioned Sberbank's vice president.

DDoS attacks of this magnitude are likely to persist as long as geopolitical tensions create a polarised atmosphere, and as Sberbank's announcement concludes, they may decrease in number but increase in power. This is consistent with Radware's research from yesterday, which detailed a 36-hour 1.1 Tbps DDoS attack on a US service provider, indicating that threat actors are becoming significantly more capable even compared to last year.

FiveSys Rootkit Exploits Microsoft-Issued Digital Signature


A rootkit termed FiveSys can avoid detection and enter Windows users' PCs by abusing a Microsoft-issued digital signature, according to Bitdefender security researchers.

Microsoft introduced rigorous requirements for driver packages that aim to receive a WHQL (Windows Hardware Quality Labs) digital signature to prevent certain types of malicious attacks, and starting with Windows 10 build 1607, it prevents kernel-mode drivers from being loaded without such a certificate. 

Malware developers, on the other hand, seem to have discovered a way to bypass Microsoft's certification and obtain digital signatures for their rootkits, allowing them to target victims without raising suspicion. 

Microsoft confirmed in June that intruders had successfully submitted the Netfilter rootkit for certification via the Windows Hardware Compatibility Program. Now, Bitdefender's researchers warn that the FiveSys rootkit also carries a Microsoft-issued digital signature, implying that this might become an emerging trend in which adversaries get their malicious drivers verified and signed by Microsoft.

According to the researchers, FiveSys is comparable to the Undead malware that was first disclosed a few years ago. Furthermore, the rootkit, like Netfilter, is aimed at the Chinese gaming industry.

Bitdefender stated, “The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation.” 

The rootkit directs Internet traffic to a custom proxy server using a frequently updated autoconfiguration script that contains a list of domains/URLs. Furthermore, the rootkit can block drivers from the Netfilter and fk_undead malware families from being loaded by using a list of their digital signatures.

Moreover, FiveSys offers a built-in list of 300 supposedly randomly created domains that are encrypted and are intended to circumvent possible takedown attempts. Bitdefender also claims to have discovered multiple user-mode binaries that are used to obtain and execute malicious drivers on target PCs. 

FiveSys appears to use four drivers in all, although only two of them were isolated by the researchers. After discovering the abuse, Microsoft revoked FiveSys' signature.

While the rootkit is currently used to steal login credentials from gaming accounts, it may well be used against other targets in the future. However, by following a few basic cybersecurity safeguards, users can avoid falling prey to this or similar attacks.

Botezatu recommended, "In order to stay safe, we recommend that users only download software from the vendor's website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start."