Search This Blog

Showing posts with label Microsoft. Show all posts

Chinese APT Utilizes Ransomware to Cover Cyberespionage

 

A China-based advanced persistent threat (APT) group called Bronze Starlight has been active since the start of 2021. It appears to be using double-extortion attacks and ransomware as cover for routine, state-sponsored cyberespionage and intellectual property theft. 

The distribution of post-intrusion ransomware, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0, is a feature of Bronze Starlight. Microsoft also labeled it as part of the DEV-0401 emerging threat cluster, highlighting its involvement in all phases of the ransomware attack cycle, from initial access to the payload dissemination.

China's Correlation

The threat actor has always loaded Cobalt Strike Beacon and then released ransomware on compromised computers using a malware loader known as the HUI Loader, which is solely utilized by  Chinese-based organizations. This method has not been noticed by other threat actors, according to Secureworks researchers.

Researchers from Secureworks believe that Bronze Starlight is more likely motivated by cyberespionage and intellectual property (IP) theft than financial gain due to the short lifespan of each ransomware family, victimology, and access to tools used by Chinese state hacktivists (including known vulnerabilities and the HUI Loader). HUI Loader has been used to distribute malware such as Cobalt Strike, QuasarRAT, PlugX, and SodaMaster as well as remote access trojans (RATs) at least since 2015.

Attacks carried out by the actor are distinguished by the use of vulnerabilities influencing Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j. This contrasts with other RaaS groups that obtain access from initial access brokers (IABs) to enter a network. 

The similarity between Ransomware 

Additionally, a familiar actor is apparent from the similarities found between LockFile, Atom Silo, Rook, Night Sky, and Pandora, the latter three of which were developed from the Babuk ransomware, the source code of which was leaked in September 2021. 

The researchers write that the use of HUI Loader to load Cobalt Strike Beacon, the configuration data for Cobalt Strike Beacon, the C2 network, and the code overlap "indicate that the same threat group is linked with these 5 ransomware families."

The use of the HUI Loader to launch next-stage encrypted payloads like PlugX and Cobalt Strike Beacons, which are used to disseminate the ransomware, is another instance of detected tradecraft. However, this technique requires first getting privileged Domain Administrator credentials. 

The main victims are American and Brazilian pharmaceutical firms, a U.S. media outlet with branches in China and Hong Kong, Lithuanian and Japanese electronic component designers and manufacturers, a U.S. legal company, and the aerospace & defense unit of an Indian conglomerate. 

To achieve this, ransomware operations not only give the threat actor a way to phish data as a result of the double extortion, but they also give them a chance to erase forensic proof of its destructive actions and distract them from data theft.

Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature

Researchers detected a functionality in Office 365 that enables cybercriminals to ransom items stored on SharePoint and OneDrive. When the researchers informed Microsoft, they were assured that the system was functioning as designed and it is a feature rather than a vulnerability. 

Files stored and updated on the cloud have long been thought to be resistant to encryption extortion — the autosave and versioning capabilities should offer enough backup capability. Researchers at Proofpoint have displayed that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.” 

There are two ways to accomplish this using the Microsoft versioning feature (which allows the user to specify the maximum number of older versions to be stored). Older versions beyond this level are designed difficult, if not impossible to recover. The first attack is more theoretical than practical, while the second is undeniably practical. The maximum number of revisions of a document that may be saved by default is 500. Simply said, the attacker modifies and encrypts the file 501 times. 

The changes do not have to be significant - just enough to cause the system to save the new (encrypted) version. All versions of the document will be encrypted by the completion of the procedure, and the file will be unrecoverable without the decryption key. This is a theoretical attack. In actuality, it would be loud and easily discovered. The second method is more practical: utilise the built-in user-controlled versioning tool to reduce the number of stored versions to one. 

Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library. Setting the version limit to zero does not help an attacker since it does not erase older versions that the user can still recover. 

If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker has the option of launching a second extortion attempt. The attack chain includes initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration, and encryption, and extortion. 

If the file owner keeps a local copy of the file, the impact of this attack will be limited. In this case, the attacker must compromise both the endpoint and the cloud account to ensure success. Proofpoint followed the Microsoft disclosure route and submitted the vulnerability to Microsoft before publicly revealing it. 

Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support. 

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

Therefore, the conclusion of the story is straightforward do not think files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures must still be in place.

Polonium Assaults Against Israeli Organizations were Blocked by Microsoft

 

Microsoft stated it has banned a hacking gang known as Polonium, based in Lebanon, from utilizing the OneDrive cloud storage platform for data exfiltration and command and control while attacking and compromising Israeli firms. The internet giant's Threat Intelligence Center (MSTIC) stated it stopped over 20 malicious OneDrive apps built by Polonium and alerted affected companies, in addition to erasing the criminal accounts created by the Lebanon-based entity. 

"Across the majority of its victims, this attacker has deployed unique tools that abuse lawful cloud services for command and control (C2)." as per Microsoft's research. "POLONIUM was seen generating and using legal OneDrive accounts, then using those accounts as C2 to carry out part of the offensive operation," says the report. 

POLONIUM has been seen operating on or targeting various organizations previously penetrated by the Iran-linked MuddyWater APT (aka MERCURY). 

Since February 2022, the antagonistic group is thought to have breached more than 20 Israeli institutions and one intergovernmental body with operations in Lebanon. Manufacturing, IT, transportation, defense, government, agriculture, finance, and healthcare companies were among the targets of interest, with one cloud service provider hacked to target a downstream aviation company and law firm in a supply chain attack.

Unpatched Fortinet FortiOS SSL VPN servers vulnerable to CVE-2018-13379 exploits leveraging a critical path traversal weakness allowing login credentials theft appear to represent the first access vector for the vast majority of victims, according to Microsoft. In November 2020, a hacker disclosed the passwords for nearly 50,000 vulnerable Fortinet VPNs, just days after a list of CVE-2018-13379 one-line exploits was publicly disclosed. 

A list of roughly 500,000 Fortinet VPN passwords supposedly harvested from susceptible devices was posted online again almost a year later. The actor's campaign chains have included the usage of proprietary tools that use genuine cloud services like OneDrive and Dropbox accounts for C2 and malicious tools named CreepyDrive and CreepyBox for its victims.

This isn't the first time Iranian threat actors have used cloud services to its advantage. Cybereason revealed in October 2021 that a group called MalKamak organized an attack campaign that use Dropbox for C2 communications to remain under the radar. 

MSTIC also stated that several of the victims penetrated by Polonium had previously been targeted by another Iranian entity known as MuddyWater (aka Mercury), which the US Cyber Command has described as a "subordinate element" under MOIS. The victim overlaps support previous reports that MuddyWater is a "conglomerate" of several teams similar to Winnti (China) and the Lazarus Group (North Korea). 

Customers are encouraged to implement multi-factor authentication as well as analyze and audit partner relations to minimize any superfluous permissions to combat such risks.

Microsoft Disrupts Bohrium Hackers’ Spear-Phishing Operation

 

The Microsoft Digital Crimes Unit (DCU) recently conducted an operation and has successfully disrupted a spear-phishing operation which was conducted by the Iranian malicious actors. Tracked as Bohrium, the operation was victimizing customers in the U.S., Middle East, and India. 

Amy Hogan-Burney, the General Manager of Microsoft DCU has said that Bohrium targeted organizations from a wide range of industries, including transportation, Tech industries, government, and education. 

The evidence that was reported by Microsoft in court filings, read, “the Iranian hackers have been intentionally accessing and sending malicious software, code, and instructions to the protected computers, operating systems, and computers networks of Microsoft and the customers of Microsoft, without authorization." 

Following the attack, Microsoft has taken down 41 domains that were attacked in this campaign to establish a command and control infrastructure that allowed the hackers to execute malicious tools to help them gain access to targets' systems and exfiltrate stolen information from compromised systems. Also, some of the domains taken down have been used in the past to host and push malware payloads. 

However, Microsoft did not disclose the timeline of this spear-phishing operation. "Bohrium actors create fake social media profiles, often posing as recruiters. Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware..," 

“…This activity was uncovered by Microsoft's Threat Intelligence Center (MSTIC), which tracks the world's nation-state and cybercrime actors so we can better protect our customers,” Hogan-Burney said. 

Microsoft further explained that this action which was taken by the origination is part of a long series of lawsuits against malicious actors who are targeting Microsoft customers worldwide. 

"To date, in 24 lawsuits – five against nation-state actors – we've taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors," Microsoft's Corporate Vice President for Customer Security & Trust Tom Burt said.

Previously, Microsoft has taken down many malicious campaigns including APT28 domains controlled by the ZLoader cybercrime gang and the Iran-backed APT35 (aka Charming Kitten, Phosphorus, or Ajax Security Team) threat actor.

Microsoft: Credit Card Stealers are Switching Tactics to Conceal the Attack

 

Attackers are manipulating e-commerce checkout websites and capturing payment card information by utilising picture files with a concealed malicious PHP script. According to Microsoft, card-skimming malware is increasingly employing malicious PHP scripts on web servers to modify payment sites and circumvent browser safeguards activated by JavaScript code. 

Card-skimming malware has changed its approach, according to Microsoft threat analysts. Card skimming has been dominated over the past decade by the so-called Magecart malware, which uses JavaScript code to inject scripts into checkout pages and transmit malware that grabs and steals payment card information. Injecting JavaScript into front-end processes was very conspicuous, according to Microsoft, because it might have triggered browser defences such as Content Security Policy (CSP), which prevents external scripts from loading. 

By attacking web servers with malicious PHP scripts, attackers discovered a less noisy method. In November 2021, Microsoft discovered two malicious image files on a Magento-hosted server, one of which was a fake browser favicon. Magento is a well-known e-commerce system. The images included an embedded PHP script, which did not run on the compromised web server by default. Instead, in order to only target shoppers, the PHP script only starts after validating via cookies that the web admin is not currently signed-in. 

The PHP script obtained the current page's URL and looked for the keywords "checkout" and "one page," which are linked to Magneto's checkout page. "The insertion of the PHP script in an image file is interesting because, by default, the webserver wouldn't run the said code. Based on previous similar attacks, we believe that the attacker used a PHP 'include' expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit," Microsoft explained. 

Malicious PHP is increasingly being used in card-skimming malware. Last week, the FBI issued a warning about new examples of card-skimming attackers infecting US business checkout sites with web shells for backdoor remote access to the webserver using malicious PHP. Sucuri discovered that PHP skimmers targeting backend web servers were responsible for 41% of new credit card-skimming malware discovered in 2021. Magecart Group 12 is distributing new web shell malware, according to Malwarebytes, that dynamically loads JavaScript skimming code via server-side requests to online merchants. 

Malwarebytes' Jérôme Segura noted, "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell."    

However, dangerous JavaScript is still used to skim cards. Card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (previously Facebook Pixel) scripts, for example, was discovered by Microsoft.

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.

ExtraReplica: Microsoft Patches Cross-Tenant Bug in Azure PostgreSQL

 

Recently, Microsoft has patched pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server which could have been exploited to execute malicious code. On Thursday, cyber security researchers from Wiz Research published an advisory on "ExtraReplica," wherein they described it as a "cross-account database vulnerability" in Azure's infrastructure. 

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine and the second bug leverages the privilege escalation enabled by the former to give attackers cross-account access. 

Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers, it also provides various services to different enterprises including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). 

It supports various programming languages, frameworks, and tools including both Microsoft-specific and third-party software and systems, as well as housing the data for various other Microsoft tools is one of its key features. 

According to the report, security vulnerabilities in the software could be used to bypass Azure's tenant isolation, which prevents software-as-a-service (SaaS) systems users from accessing resources belonging to other tenants. 

Also, ExtraReplica's core attack vector is based on a flaw that gave full access to customer data across multiple databases in a region without authorization, researchers from cloud security vendor Wiz Research recently added. 

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database…," 

 “…The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz. 

Following the attack, Microsoft said it has mitigated the security vulnerabilities in the second week of January 2022, less than 48 hours after Wiz had warned about the attack. However, the company said that its research showed no evidence that hackers has exploited the vulnerabilities to access customer data.

New Nimbuspwn Linux Flaws Could Provide Attackers Root Access

 

Microsoft uncovered vulnerabilities in Linux systems that could be used to grant attackers root access if they were chained together. 

The flaws, dubbed "Nimbuspwn," are detected in networkd-dispatcher, a dispatcher daemon for systemd-networkd connection status changes in Linux, and are labelled as CVE-2022-29799 and CVE-2022-29800. As part of a code review and dynamic analysis effort, Microsoft found the vulnerabilities while listening to signals on the System Bus. 

Microsoft’s Jonathan Bar Or explained, “Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities.”
 
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” 

He went on to state that ransomware attackers might use Nimbuspwn as a route for root access in order to have a significant impact on affected machines. Clayton Craft, the maintainer of the networkd-dispatcher, apparently worked promptly to remedy the flaws after responsibly revealing the bugs. 

Linux users who are affected are recommended to apply patches as soon as they become available. Although Nimbuspwn has the potential to affect a huge number of people, attackers would first need local access to the targeted systems in order to exploit the flaws. 

Mike Parkin, senior technical engineer at Vulcan Cyber argued, “Any vulnerability that potentially gives an attacker root-level access is problematic. Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released.” 

“While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”

This New Malware Uses Windows Bugs to Conceal Scheduled Tasks

 

Microsoft has found a new malware employed by the Chinese-backed Hafnium hacking group to create and hide scheduled activities on compromised Windows PCs in order to sustain persistence. 

Cyberespionage attacks by the Hafnium threat group have previously targeted US defence businesses, think tanks, and researchers. It's also one of the state-sponsored groups Microsoft has tied to the global exploitation of the ProxyLogon zero-day vulnerability, which affected all supported Microsoft Exchange versions last year. 

The Microsoft Detection and Response Team (DART) stated, "As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defence evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification." 

Tarrask, a hacking tool, hides them from "schtasks /query" and Task Scheduler by removing the related Security Descriptor registry value, which is a previously undiscovered Windows flaw. 

By re-establishing dropped connections to command-and-control (C2) infrastructure, the threat group was able to keep access to the infected devices even after reboots. While the Hafnium operators could have deleted all on-disk artefacts, including all registry keys and the XML file uploaded to the system folder, this would have destroyed persistence between restarts. 

The "hidden" tasks can only be discovered by performing a manual search of the Windows Registry for scheduled tasks that do not have an SD (security descriptor) Value in their Task Key. 

Admins can additionally check for important events associated to tasks "hidden" by Tarrask malware by enabling the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs. Microsoft also suggests setting logging for 'TaskOperational' in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and keeping an eye on outbound connections from crucial Tier 0 and Tier 1 assets. 

DART added, "The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique."

LAPSUS$ Group Targets SuperCare Health

 


SuperCare Health, a California-based respiratory care provider, has revealed a data breach that exposed the personal details of over 300,000 patients. Someone had access to specific systems between July 23 and July 27, 2021. By February 4, the company had assessed the scope of the data breach, learning the attackers had also acquired patient files including sensitive personal information such as:
  • Names, addresses, and birth dates.
  • A medical group or a hospital.
  • Along with health insurance details, a patient's account number and a medical record number are required. 
  • Data about one's health, such as diagnostic and treatment information. 
  • A small number of people's Social Security numbers and driver's license information were also revealed. 

"We have no reason to suspect any information was published, shared, or misused," according to SuperCare Health, but all possibly impacted patients should take extra security precautions to avoid identity theft and fraud. 

On March 25, the company notified all affected customers and implemented extra security steps to prevent the following breaches. The breach has affected 318,379 people, according to the US Department of Health and Human Services. Based on the number of people affected, this is presently among the top 50 healthcare breaches disclosed in the last two years. SuperCare Health further told, "We have reported the event to a Federal Bureau of Investigation and it will cooperate to help us identify and prosecute those involved." 

In the last several months, several healthcare institutions have revealed massive data breaches. Monongalia Health System (400,000 people affected), South Denver Cardiology Associates (287,000 people affected), Norwood Clinic (228,000 people affected), and Broward Health (228,000 people affected) are among the organizations on the list (1.3 million). 

Last week, the Health Department issued an advisory to healthcare groups, warning companies about the impact of a major cybercrime attack by the Lapsus$ cybercrime group. In recent months, the hackers have targeted Samsung, NVIDIA, Vodafone, Ubisoft, Globant, Microsoft, and Okta, among others. The organization takes information, often source code, and threatens to release it unless they are paid.

LAPSUS$ steals confidential information from organizations which have been hacked, then threatens to disclose or publish the information if the requested amount is not paid. The LAPSUS$ extortion ring, on the other hand, has abandoned the typical ransomware strategies of file encryption and computer lockout. 

According to the notice, the Health Department is aware of healthcare institutions which have been hacked as a result of the Okta attack; Okta has verified that more than 300 of its clients have been affected by the breach. In the light of the incident, Police in the United Kingdom have identified and charged several accused members of the Lapsus$ gang.

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.

Viasat: Acid Rain Virus Disable Satellite Modems

 

The cyberattack which targeted the KA-SAT satellite broadband service to erase SATCOM modems on February 24 used a newly discovered data wiper virus. It impacted thousands in Ukraine and thousands more across Europe. 

A cybersecurity firm, SentinelOne, claims to have discovered a malware sample, which disrupted internet connectivity on February 24. The malware, called AcidRain, which was also likely utilized in the Viasat breach, is a Unix executable application which is meant to attack MIPS-based devices. This could indicate the attackers' lack of experience with the filesystem and firmware of the targeted devices, or their desire to create a reusable tool.

The same sample came from SkyLogic, the Viasat operator in charge of the damaged network, which is also situated in Italy. The software sample was also tagged with the moniker "ukrop," which could be a reference to the Ukraine Operation. 

The researchers underscored that Viasat did not offer technical indicators of compromise or a detailed incident response report. Instead, rogue commands damaged modems in Ukraine and other European countries, according to the satellite industry. The SentinelOne duo were perplexed as to how valid orders could produce such mayhem in the modem, "scalable disruption is more feasibly performed by delivering an update, script, or executable," they added. 

The program wipes the system and various storage device files completely. AcidRain executes an initial repetitive replacement and removal of non-standard files in the filesystem if the malware is launched as root "Juan Andres Guerrero-Saade and Max van Amerongen," SentinelOne threat experts, revealed. 

The wipers overwrite file structures with up to 0x40000 bytes of data or utilize MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) service calls to erase data on compromised devices. 

The fact Viasat has supplied nearly 30,000 modems to get clients back online since the February 2022 attack and is still shipping more to speed up service restoration, suggests that SentinelOne's supply-chain threat scenario is correct. The IOCTLs used by this virus also resemble those used by the VPNFilter malware 'dstr' wiper plugin, a destructive program linked to Russian GRU hackers. 

The Ukrainian Computer Emergency Response Team recently stated a data wiper known as DoubleZero had been used in assaults on Ukrainian businesses. On the same day that Russia invaded Ukraine, they discovered IsaacWiper, a data wiper, and HermeticWizard, a new worm which dropped HermeticWiper payloads. ESET has discovered a fourth data-destroying malware strain called CaddyWiper, which wipes data across Windows domains and eliminates user data and partition information from associated drivers. 

Microsoft discovered a sixth wiper, now known as WhisperGate, in mid-January, which was being used in data-wiping attacks targeting Ukraine while masquerading as ransomware.

V8 Type Confusion Vulnerability Hits Google Chrome & Microsoft Edge Browser

 

Following the discovery of a V8 vulnerability in Chrome and Edge that has been exploited in the wild, ZDNet recommends that users running Windows, macOS, or Linux update their Chrome builds to version 99.0.4844.84, as an out-of-band security update was recently released by Google to address the issue. 

Concerning the V8 Vulnerability:

There isn't much information available about this recently discovered vulnerability, as Google stated that it will wait for the bulk of users to update their browsers before acting. As per Google, “Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.” 

What is known is that the bug in question has been assigned CVE-2022-1096, which is a zero-day "type confusion in V8" bug and was reported on March 23, 2022, by an "anonymous" researcher. V8 is a JavaScript engine that is completely free and open-source. The Chromium Project created it for Google Chrome and Chromium web browsers. 

Lars Bak is the person who came up with the idea for the project. It's worth noting that the first version of Firefox was released in 2008, almost simultaneously with the initial version of Chrome. Because the V8 vulnerability affected Edge as well, Microsoft Office issued a statement on the subject, stating that the issue had been resolved in Edge version 99.0.1150.55. 

Microsoft’s notice reads, “The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.”

BitRAT Malware Spreading Via Unofficial Microsoft Windows Activators

 

A new BitRAT malware distribution campaign is ongoing, targeting people who want to utilise unauthorised Microsoft licence activators to activate unlicensed Windows OS versions for free. 

BitRAT is a strong remote access trojan that can be purchased for as little as $20 (lifetime access) on cybercrime forums and dark web markets. As a result, each buyer has their own malware dissemination strategy, which may include phishing, watering holes, or trojanized software. Threat actors are delivering BitRAT malware as a Windows 10 Pro licence activator on webhards in a new BitRAT malware distribution campaign identified by AhnLab researchers. 

Webhards are popular online storage services in South Korea that receive a steady stream of visitors via direct download links posted on social media platforms or Discord. Threat actors are increasingly exploiting webhards to deliver malware due to their widespread use in the region. Based on some of the Korean characters in the code snippets and how it was distributed, the actor behind the current BitRAT campaign appears to be Korean. To use Windows 10, one must first purchase and activate a Microsoft licence. 

While there are ways to get Windows 10 for free, one must have a valid Windows 7 licence to do so. Those who don't want to deal with licencing concerns or who don't have a licence to upgrade frequently resort to pirating Windows 10 and using unapproved activators, many of which are infected with malware.'W10DigitalActiviation.exe' is the malicious file presented as a Windows 10 activator in this campaign, and it has a simple GUI with a button to "Activate Windows 10." 

Rather than activating the Windows licence on the host system, the "activator" will download malware from a threat actors' hardcoded command and control server. The retrieved payload is BitRAT, which is installed as 'Software Reporter Tool.exe' in the %TEMP% folder and added to the Startup folder. Exclusions for Windows Defender are also included by the downloader to guarantee that BitRAT is not detected. The downloader deletes itself from the system after the malware installation process is completed, leaving just BitRAT behind. 

BitRAT is marketed as a powerful, low-cost, and versatile malware that can steal a variety of sensitive data from the host computer.BitRAT includes features such as keylogging, clipboard monitoring, camera access, audio recording, credential theft through web browsers, and XMRig coin mining. 

 It also includes a remote control for Windows PCs, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxy (UDP). On that front, ASEC's investigators discovered considerable code similarities between TinyNuke and its derivative, AveMaria,(Warzone). The RATs' hidden desktop capability is so valuable that some hacking groups, such as the Kimsuky, have included them in their arsenal only to use the hVNC tool.

Microsoft Fixes Critical Azure Bug That Exposed Customer Data

Microsoft has discovered a new vulnerability in the Azure Automation service, addressed as ‘AutoWarp’, that could have allowed malicious actors to take full control of other Azure customers' credentials. 

Microsoft Azure Automation Service facilitates various functions such as process automation, configuration management, and update management features with each scheduled job running inside isolated sandboxes for each Azure customer. 

According to Orca Security's Cloud Security Researcher Yanir Tsarimi, the vulnerability could allow cyber actors to steal other Azure customers' Managed Identities authentication tokens from an internal server that organizes the sandboxes of other users.

"Someone with malicious intentions could've continuously grabbed tokens, and with each token, widen the attack to more Azure customers. This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer. We discovered large companies at risk (including a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more)." Yanir Tsarimi said. 

Microsoft team said that the security flaw has been fixed by blocking access to auth tokens to all sandboxes except the one that has authentic access permission. 

Following the incident, the company informed all its affected Azure users and recommended the best security practices for further protection of the system.

Researchers Reveal New Side-Channel Attack on Homomorphic Encryption

 

A group of academics from North Carolina State University and Dokuz Eylul University have revealed the "first side-channel attack" on homomorphic encryption, which may be used to disclose data while the encryption process is in progress. 

Aydin Aysu, one of the authors of the study, stated, "Basically, by monitoring power consumption in a device that is encoding data for homomorphic encryption, we are able to read the data as it is being encrypted. This demonstrates that even next generation encryption technologies need protection against side-channel attacks." 

Homomorphic Encryption is a kind of encryption that enables specific sorts of computations to be done directly on encrypted data without the need to first decrypt it. It's also designed to protect privacy by permitting sensitive data to be shared with other third-party services, such as data analytics organisations, for additional processing while the base data remains encrypted and, as a result, unavailable to the service provider. 

To put it another way, the purpose of homomorphic encryption is to make it easier to establish end-to-end encrypted data storage and computation services that don't require the data owner to provide their secret keys with third-party services. The researchers proposed a data leakage attack based on a vulnerability found in Microsoft SEAL, the tech giant's open-source implementation of the technology, that could be abused in a way that enables the recovery of a piece of plaintext message that is homomorphically encrypted, successfully undoing the privacy safeguards.

The attack, dubbed RevEAL, takes advantage of a "power-based side-channel leakage of Microsoft SEAL prior to v3.6 that implements the Brakerski/Fan-Vercauteren (BFV) protocol" and "targets the Gaussian sampling in the SEAL's encryption phase and can extract the entire message with a single power measurement," as per the researchers. 

SEAL versions 3.6 and after, released on December 3, 2020, and beyond, employ a different sampling technique, according to the researchers, who also warn that future versions of the library may have a "different vulnerability." 

Kim Laine, Microsoft's principal research manager who heads the Cryptography and Privacy Research Group, stated in the release notes, "Encryption error is sampled from a Centered Binomial Distribution (CBD) by default unless 'SEAL_USE_GAUSSIAN_NOISE' is set to ON. Sampling from a CBD is constant-time and faster than sampling from a Gaussian distribution, which is why it is used by many of the NIST PQC finalists."

Microsoft Accounts Attacked by Russian-Themed Credential Theft

 

The Ukrainian conflict is being capitalized by malicious emails notifying Microsoft users of "unusual sign-in activity" from Russia. While there are valid concerns that the Russian-Ukrainian conflict would launch a global cyber warfare conflagration, small-time cybercriminals are stepping up their efforts amid the crisis. 

According to Malwarebytes, which discovered a slew of spam emails referencing Russian hacking activities. Phishing emails to Microsoft users have begun to circulate, warning of Moscow-led account hacking and attempting to steal credentials and other personal information. The messages' subject line reads, "Microsoft account unusual sign-in activity." The text in the body is as follows:  

“Unusual sign-in activity
We detected something unusual about a recent sign-in to the Microsoft account
Sign-in details
Country/region: Russia/Moscow
IP address:
Date: Sat, 26 Feb 2022 02:31:23 +0100
Platform: Kali Linux
Browser: Firefox
A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.
Report the user
Thanks,
The Microsoft account team”

According to Malwarebytes' Tuesday research, the emails then include a button to "report the user" as well as an unsubscribe option. When you click the button, a new message is created with the short subject line "Report the user." Microsoft account protection is referenced in the recipient's email address. Using email to answer could expose users to a variety of threats. 

The researchers explained, “People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their accounts to the phishers. The best thing to do is not reply, and delete the email.” 

As usual, the spam contains red flags in the form of grammatical problems, such as misspellings like "acount." To put it another way, it's not a highly sophisticated attempt, but it's clever. Climbing curiosity (or terror) is a catnip for social engineers, as it is with any significant world event. 

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason. [The emails] (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow,” stated researchers. 

The email is targeted just at Microsoft account holders, but the good news is that Outlook is sending it directly to spam.. However, the firm pointed out that, “depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”

PDC Discovered a Phishing Campaign that Spoofs Power BI Emails to Harvest Microsoft Credentials

 

The Cofense Phishing Defense Center (PDC) has discovered a new phishing effort that impersonates Power BI emails in order to steal Microsoft credentials. Power BI is a business intelligence-focused interactive data visualisation programme developed by Microsoft. It's a component of the Microsoft Power Platform. 

Power BI is a set of software services, apps, and connectors that work together to transform disparate data sources into coherent, visually immersive, and interactive insights. Data can be read directly from a database, a webpage, or structured files like spreadsheets, CSV, XML, and JSON. Power BI offers cloud-based BI (business intelligence) services known as "Power BI Services," as well as a desktop interface known as "Power BI Desktop."

It provides data warehouse functionality such as data preparation, data discovery, and interactive dashboards. Microsoft added a new service called Power BI Embedded to its Azure cloud platform in March 2016. The ability to import custom visualisations is a key differentiator of the product. 

The email appears to be a genuine Microsoft notification. There are a couple of reasons how this happens. Threat actors have grown accustomed to using authentic Microsoft notifications into their phishing designs. Researchers also saw them use stolen credentials to generate a legitimate-looking notification from a legitimate Microsoft instance. They noticed that the threat actor in this email employed a common theme to entice the recipient to click on the links. 

After clicking the link in the email, the user is taken to a website that appears to be a legitimate Microsoft log-in page. The first sign that anything is wrong with the page, aside from the lack of conventional imagery, is that the URL does not look anything like what is specified in the email or linked with Microsoft services. 

Following the recipient's input of their credentials, the attack concludes with an error message indicating that there was a problem with the account verification. This is yet another Microsoft spoof used by the threat actor to divert the recipient's attention away from the fact that they were not routed to the Power BI report they anticipated to view. This makes the recipient less likely to suspect that they have just given away their credentials. 

"Cofense continues to observe credential phishing as a major threat to organizations. This is why it’s critical to condition users to identify and report suspicious messages to the security operations team. Attacks such as this one are effective at eluding common email security controls, and are – by design — overlooked by end users," the company said.

Trickbot has Corrupted over 140,000 Devices

 

As per cyber threat intelligence firm Test Level Analysis (CPR), Trickbot, a financial Trojan infection that targets businesses and consumers for personal data, has infected over 140,000 devices belonging to customers of Amazon, Microsoft, Google, and 57 other organizations since November 2020. The investigation focuses on Trickbot, a well-known banking Trojan that was first discovered in 2016 and has since expanded into a botnet, ransomware, and malware ecosystem.

Threat actors have frequently used the bedfellows to mount multiple attacks in the past. TrickBot was frequently provided as a payload in specialized email phishing attacks by Emotet, though TrickBot has also delivered Emotet samples — the hazardous scenario at hand currently.

CPR has detected how Trickbot's writers are targeting high-profile individuals in order to steal and corrupt valuable sensitive data. At the same time, everyone should understand the people in charge of the infrastructure are highly skilled in virus development. Trickbot is mostly used to steal financial information, account credentials, personally identifying information, and even bitcoin. It's a modular malware that can be adapted to a variety of different use scenarios, which makes it far more dangerous.

More than 140,000 devices infected, according to Alexander Chailytko, Check Point's cybersecurity, research, and innovation manager, seem to be mostly computers belonging to the general population, as well as "some companies." The data gathered represents telemetry which has been obtained from its clients, however, it is "greater than" 140,000. As a result, the security vendor may have more or less visibility in specific parts of the world, according to Chailytko. 

"Trickbot has affected one out of every 45 enterprises. Over the previous few months, we've noticed a decrease in Trickbot campaign activity," the cybersecurity researcher stated. Users may defend it against Trickbot by only opening documents from reputable sources, using separate unique passwords profiles, and updating similar functionality and antivirus updated with the latest.  

Microsoft Discreetly Upgrades Defender Antivirus to Patch a Major Flaw

 

Microsoft Defender, a protection software, has recently been updated to fix a severe security concern. The issue, which was traced back to 2014 and impacts Windows 10, lets users exclude some locations from antivirus scanning, in turn allowing malware to be installed. 

Due to a misconfigured registry key, this weakness, which has been present since 2014, allows users to access antivirus security safeguards. As a result, the key HKLM\Software\Microsoft\Windows Defender\Exclusions contains all spaces which aren't scanned by antivirus software. The issue is that the key is quite easy to obtain, as long as the 'Everyone' group has access to it. To change the contents of Windows, users are required to use a command prompt or a small click in the Settings menu. 

On Twitter, security researcher Antonio Cocomazzi says, Microsoft has patched the problem on Windows 10 20H2 PCs after deploying the February 2022 Patch Windows updates. Another researcher, Will Dormann of CERT/CC, validated this information, stating they acquired the privileges to change without installing any updates, implying the change might have been applied by both Windows updates and Microsoft Defender’s cybersecurity updates. 

After determining which directories were assigned to the antivirus block list, attackers might transmit and operate malware from a prohibited folder on an exploited Windows PC without danger of detection and neutralization. The permissions for Windows advanced security setups for Defender restrictions have been modified, with the 'Everyone' group deleted from the Register key's permission. 

  • The Exclusions Register key now has new permissions.
  • Access to Defender exclusions is now blocked.
  • Users with admin credentials are now required to access the database of exclusions through the command prompt or when creating exclusions using the Windows Security setup screen on Windows 10 systems in which this change has already been carried out. 
Microsoft is yet to comment on this problem, which was found as of late and has existed since the introduction of Windows 10. However, it is clear that Redmond's publisher has taken the appropriate steps. Furthermore, administrator rights are now required to view the list of locations blocked by the antivirus.