Search This Blog

Showing posts with label Researchers. Show all posts

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia


Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this action is a different cluster earlier associated with the "ShadowPad" RAT (remote access trojan) (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an example of an April 2022 attack to demonstrate how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application in order to load a.dat file.

The legitimate application abused by the hackers, in this case, was an 11-year-old Bitdefender Crash Handler executable. The initial.dat payload contains encrypted shellcode that can be used to directly execute commands or additional payloads from memory.

The threat actors installed ProcDump three days after gaining backdoor access to steal user credentials from the Local Security Authority Server Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler and the DLL order hijacking trick. A month after the intrusion, the threat actors gained access to the active directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (Proxylogon) exploitation against Exchange Servers in the compromised network.

Alert! Teen Hackers are Using Discord to Disseminate Malware


Avast security researchers found a Discord channel where a group of teenagers is developing, updating, promoting, and selling malware and ransomware outbreaks, allegedly to make pocket money. 

The researchers assume they are all minors since they referenced their parents and instructors frequently and casually used age-specific slurs. Researchers discovered their actions via their Discord chat. The hackers sell malware variants of Snatch, Lunar, and Rift and provide a variety of services ranging from data theft to ransomware and crypto mining. 

However, researchers discovered that teen hackers mostly give easy-to-use malware builders and toolkits, allowing users to utilise them without real programming by using the "Do it yourself" (DIY) technique. 

How does the Group function? 

To become a group member or utilise the malware-as-a-service capability, interested parties must pay a charge. The registration price ranges from €5 to €25. Avast researchers observed in their analysis that about 100 accounts have already enrolled to get access to a hacking group. The malware dissemination method is a little unusual. 

The hackers posted a YouTube video displaying a bogus crack for a popular computer game or commercial software, along with a download link in the description. To establish credibility, additional users of the Discord group leave comments on the video, thanking the originator and confirming that the connection works. This method is even more twisted than bots for commenting since it becomes hard to recognise. 

How Should One Handle Teen Hackers? 

This scenario is undoubtedly troubling. As a result, hacking ability among teenagers and minors must be channelled towards beneficial, ethical endeavours for the general benefit of the cybersecurity sector. 

Parents must communicate to their children to understand the motivational elements that drive them to distribute malware. There are several tools accessible on Discord and other platforms to assist anyone interested in pursuing a career in the cybersecurity field. 

The first step, though, is for parents to interact with their children without passing judgement. It is worth emphasising that the organisation distributes unlawful malware without comprehending the gravity of the situation and dismissing it as a prank.

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome


The infamous Emotet malware has deployed a new module aimed to steal credit card data saved in the Chrome web browser. According to corporate security firm Proofpoint, which discovered the component on June 6, the credit card stealer, which only targets Chrome, has the capacity to exfiltrate the acquired information to several remote command-and-control (C2) servers. 

The news comes amid a surge in Emotet activity since it was reactivated late last year after a 10-month pause caused by a law enforcement operation that destroyed its attack infrastructure in January 2021. Emotet, attributed to the threat actor TA542 (aka Mummy Spider or Gold Crestwood), is a sophisticated, self-propagating, and modular trojan that is distributed via email campaigns. 

According to Check Point, as of April 2022, Emotet is still the most renowned malware, with a global impact of 6% of organisations worldwide, followed by Formbook and Agent Tesla, with the malware testing new delivery methods using OneDrive URLs and PowerShell in.LNK attachments to circumvent Microsoft's macro restrictions. 

The steady increase in Emotet-related threats is further supported by the fact that the number of phishing emails, which frequently hijack existing correspondence, increased from 3,000 in February 2022 to approximately 30,000 in March, targeting organisations in various countries as part of a large-scale spam campaign. ESET stated that Emotet activity "shifted to a higher gear" in March and April 2022 and that detections increased 100-fold, indicating an 11,000 percent increase during the first four months of the year when compared to the preceding three-month period from September to December 2021. 

Japan, Italy, and Mexico have been frequent targets since the botnet's revival, according to the Slovak cybersecurity firm, with the largest wave recorded on March 16, 2022. 

Dušan Lacika, the senior detection engineer at Dušan Lacika, said, "The size of Emotet's latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March. This suggests that the operators are only using a fraction of the botnet's potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros." 

Researchers from CyberArk also revealed a novel approach for extracting plaintext credentials directly from memory in Chromium-based web browsers. 

"Credential data is stored in Chrome's memory in cleartext format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager," CyberArk's Zeev Ben Porat said.

This includes cookie-related information such as session cookies, which an attacker might harvest and utilise to hijack users' accounts even if they are secured by multi-factor authentication.

This New Raspberry Robin Worm Utilizes Windows Installer to Drop Malware


A new Windows malware with worm capabilities has been identified by Red Canary intelligence investigators, and it spreads via external USB sticks. This malware is associated with the Raspberry Robin malware cluster, which was initially discovered in September 2021. (cybersecurity firm Sekoia tracks this malware as "QNAP worm"). 

The worm was discovered in many customers' networks by Red Canary's Detection Engineering team, including companies in the technology and manufacturing sectors. When a USB drive carrying a malicious.LNK file is attached, Raspberry Robin spreads to new Windows systems.

The worm launches a new process using cmd.exe to launch a malicious file stored on the infected drive after it has been attached. It reaches out to its command-and-control (C2) servers via Microsoft Standard Installer (msiexec.exe), which are most likely hosted on infected QNAP devices and utilise TOR exit nodes as additional C2 infrastructure. 

The researchers said, "While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes." 

They believe the malware downloads a malicious DLL file [1, 2] on affected workstations to resist eradication between restarts, albeit they haven't determined how it achieves persistence. This DLL is started by Raspberry Robin using two other trusted Windows utilities: fodhelper (a trusted binary for controlling features in Windows settings) and odbcconf (a tool for configuring ODBC drivers). 

The first permits it to get through User Account Control (UAC), while the second assists in the execution and configuration of the DLL. While Red Canary analysts have been able to extensively examine what the newly found malware performs on affected systems, some questions remain unanswered. 

The researchers stated, "First and foremost, we don't know how or where Raspberry Robin infects external drives to perpetuate its activity, though it's likely this occurs offline or otherwise outside of our visibility. We also don't know why Raspberry Robin installs a malicious DLL. One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis." 

Red Canary's report contains more technical details on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK of this malware.

Google Researchers: 'Zero-Day’ Hacks Hit Record in 2021


Following a year marked by high-profile ransomware assaults and supply-chain hacks, Google researchers have uncovered another alarming cyber milepost for 2021: a record number of "zero-day" exploits. A zero-day exploit is a previously undisclosed flaw that gives software developers exactly 0 days to fix it. As a result, the technology in question is extremely lucrative to hackers - and a disaster for cyber-security experts. 

According to a report released Tuesday (April 19) by Google's Project Zero, a team of specialist bug hunters, hackers attacked a total of 58 zero-day defects affecting key software suppliers in 2021. In 2020, there were 25 flaws, compared to 21 in 2019. Since Project Zero began tracking zero-days in 2014, this is the largest number of zero-days ever recorded. 

Ms Maddie Stone, a security researcher at Project Zero, stated in a blog post about the findings that the trend could be attributed to an enhancement in identification from companies like Microsoft, Apple, and Google, who now publicly report their findings around zero-day concerns, rather than a spike in hacks. 

Hackers have utilized the attack approach in recent years to install powerful spyware on smartphones, which has then been used to spy on journalists, lawmakers, human rights activists, and others. Last year, suspected Chinese state-sponsored hackers used such vulnerabilities to compromise Microsoft Exchange servers. 

Ms Stone of Google stated that the data contained some surprises. Despite the recent attention on spyware abuse, cyber-security researchers are still unable to find zero-day vulnerabilities that allow hackers to exploit systems. 

She wrote, "We know that messaging applications like WhatsApp, Signal, Telegram, etc are targets of interest to attackers and yet there's only one messaging app, in this case, iMessage, zero-day found this past year." 

Since 2014, the team has discovered two such flaws, one in WhatsApp in 2019 and the other in iMessage in 2021. According to Ms Stone, the majority of individuals on the planet are not at risk of being targeted by a zero-day attack. 

Nonetheless, she believes that such attacks have a widespread influence. "These zero-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful."

Researchers Disclosed Details of NSA Equation Group’s Bvp47 Backdoor


Pangu Lab researchers have revealed information of a Linux top-tier APT backdoor dubbed as Bvp47, which is linked to the US National Security Agency (NSA) Equation Group. 

The term "Bvp47" is derived from several references to the string "Bvp" and the numerical figure "0x47" used in the encryption algorithm. The Bvp47 backdoor was first identified in 2013 during a forensic examination into a security breach at a Chinese government entity. The backdoor was discovered on Linux computers after an in-depth forensic assessment of a host in a key domestic department, according to the experts. The malware seemed to be a top-tier APT backdoor, but to further investigate the malicious code needed the attacker’s asymmetric encrypted private key to activate the remote control function.

The hacking group, The Shadow Brokers disclosed a trove of data reportedly taken from the Equation Group in 2016 and 2017, including a slew of hacking tools and exploits. The hackers disclosed a new dump at the end of October 2016, this time featuring a list of systems compromised by the NSA-linked Equation Group. The Bvp47 backdoor was identified by Pangu Lab researchers within material exposed by The Shadow Brokers. In ten years, the Equation Group attacked over 287 targets in 45 countries, including Russia, Japan, Spain, Germany, and Italy, according to stolen data. 

Governments, telecommunications, aircraft, energy, financial institutions, nuclear research, oil and gas, military, transportation, and companies researching encryption technologies were among the industries targeted by the group. The attacks involving the Bvp47 backdoor have been termed "Operation Telescreen" by Pangu Lab. The malicious code was created to allow operators to gain long-term control over compromised devices. 

The report published by the experts stated, “The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process”  

Experts believe there was no security against the backdoor's network attack capacity, which is loaded with zero-day vulnerabilities. The Pangu Lab research covers technical specifics about the backdoor as well as information about the Equation Group's relationship with the US National Security Agency. The Equation Group's engagement is based on exploits found in the encrypted archive file "eqgrp-auction-file.tar.xz.gpg" released by the Shadow Brokers following a failed 2016 auction.

By Attacking Healthcare, Education, and Government Systems, FritzFrog Botnet Grew Tenfold


The FritzFrog botnet, which has been active for over two years, has revived with an alarming infection rate, growing tenfold in just a month of attacking healthcare, education, and government networks via an unprotected SSH server. FritzFrog, a malware developed in Golang that was discovered in August 2020, is both a worm and a botnet that targets the government, education, and finance sectors. 

The malware fully assembles and executes the malicious payload in memory, making it volatile. Furthermore, because of its unique P2P implementation, there is no central Command & Control (C&C) server giving commands to FritzFrog. It is self-sufficient and decentralised. Despite FritzFrog's harsh brute-force tactics for breaching SSH servers, it is strangely efficient at targeting a network equitably. 

Guardicore Labs has been monitoring FritzFrog with its honeypot network for some time. "We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary," said the company in a report published in August 2020, authored by security researcher Ophir Harpaz.

Researchers at internet security firm Akamai discovered a new version of the FritzFrog malware, which has intriguing new features such as the use of the Tor proxy chain. The new botnet variation also reveals signs of its operators planning to enhance capabilities to target WordPress servers. 

Athough the Akamai global network of sensors identified 24,000 attacks, the botnet has claimed only 1,500 victims thus far. The majority of infected hosts are in China, although affected systems can also be found in a European TV network, a Russian healthcare organisation, and other East Asian universities. The perpetrators have included a filtering list to avoid low-powered devices like Raspberry Pi boards, and the malware also includes code that lays the basis for targeting WordPress sites. 

Given that the botnet is renowned for cryptocurrency mining, this feature is an odd inclusion. However, Akamai believes that the attackers have discovered new means of monetization, such as the deployment of ransomware or data leaks. This functionality is currently dormant while it is being developed. The researchers point out that FritzFrog is always in development, with bugs being resolved on a daily basis. 

FritzFrog targets any device that exposes an SSH server, therefore administrators of data centre servers, cloud instances, and routers must be careful, according to the researchers. Some security tips from Akamai include enabling system login auditing with alerting, monitoring the authorized_hosts file on Linux, configuring an explicit allow list for SSH login, and so on.

CoinStomp Malware is Aimed at Asian Cloud Service Providers


Researchers have uncovered a new malware family that mines cryptocurrencies using cloud services. According to Cado Security, the malware, dubbed CoinStomp, is comprised of shell scripts that "try to target cloud compute instances hosted by cloud service providers for the purpose of mining cryptocurrencies." According to the company's researchers, the overall goal of CoinStomp is to silently breach instances in order to harness computational resources to illicitly mine for cryptocurrency, a type of attack known as cryptojacking. 

So far, a handful of attacks have targeted cloud service companies in Asia. Clues in code also referenced Xanthe, a cryptojacking threat group previously linked to the Abcbot botnet. However, the clue – found in a defunct payload URL – is insufficient to determine who is behind CoinStomp and may have been included in an "attempt to dodge attribution," according to the team. 

CoinStomp includes a variety of intriguing features. One example is its reliance on "timestomping." Timestomping is the process of modifying the timestamps of files dumped or used during a malware attack. This approach is commonly used as an anti-forensics strategy to confound investigators and thwart remedial efforts. Although the Rocke gang has previously utilized timestomping in cryptojacking assaults, it is not a common technique. On Linux, timestomping is simple with the -t flag of the touch command. 

"It seems likely that timestomping was employed to obfuscate usage of the chmod and chattr utilities, as forensic tools would display the copied versions of these binaries as being last accessed (executed) at the timestamp used in the touch command," Cado Security noted. 

Furthermore, the malware will attempt to mess with the cryptographic policies of Linux servers. Because these policies can prevent malicious executables from being dumped or run, the creator of CoinStomp has included options to disable system-wide cryptographic policies via a kill command. "This could undo attempts to harden the target machine by administrators, ensuring that the malware achieves its objectives," the researchers say. 

CoinStomp will then use a reverse shell to connect to its command-and-control (C2) server. The script then downloads and runs additional payloads as system-wide systemd services with root access. These include binaries that might be used to develop backdoors and a customized version of XMRig, which is genuine Monero mining software that has been abused for criminal purposes.

Emotet Spam Campaigns Use Unconventional IP Addresses to Avoid Detection


Trend Micro discovered Emotet spam campaigns that used hexadecimal and octal representations of IP addresses to avoid detection using pattern matching. Both processes rely on social engineering to deceive users into enabling document macros and automate malware execution. When these standards are received, operating systems (OS) automatically transform the data to the dotted decimal quad representation in order to commence the request from remote servers.

Users and enterprises are advised to detect, block, and enable the appropriate security measures to prevent compromise while using Emotet for second-stage malware transmission such as TrickBot and Cobalt Strike. 

Emotet first surfaced in 2014, when researchers found a relatively simple banking Trojan transmitted via phishing emails. It evolved several times over the years into a Malware-as-a-Service botnet, allowing access to compromised computers to those willing to pay. Unfortunately, there were a plethora of them, including ransomware gangs like Ryuk and the data-stealing malware Trickbot. These immediately took advantage of the initial access provided by Emotet, picking and choosing which victims to target with subsequent payloads. 

According to Europol, Emotet's capability to move laterally among devices on a network made it one of the most durable pieces of malware detected in recent years. In reality, it has become one of the most serious threats researchers have seen in recent years, constantly ranking among the top ten campaigns detected, with over 1.6 million victim machines, according to the DoJ. 

The samples researchers discovered begin with an email-attached document that employs Excel 4.0 Macros, an antiquated technology intended to automate repetitive processes in Excel that malicious actors have exploited to distribute malware. In this scenario, abusing the feature allows the malware to execute once the document is opened using the auto-open macro. Carets are used to obfuscate the URL, and the host contains a hexadecimal representation of the IP address. 

When the macro is run, it invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which downloads and executes HTML application (HTA) code from the remote host. 

Between November and December 2021, traces of Emotet were seen arbitrarily dropping Cobalt Strike beacons. However, during this year, operators were notably more picky about which targets the beacons were dropped on. Evasion strategies like this could be interpreted as proof that attackers are continuing to innovate in order to defeat pattern-based detection technologies. Furthermore, the atypical use of hexadecimal and octal IP addresses may result in evasion of current solutions reliant on pattern matching.

SysJoker, a New Backdoor for Windows, macOS, and Linux has been Discovered


A new multi-platform backdoor malware known as 'SysJoker' has been discovered in the wild, targeting Windows, Linux, and macOS and capable of evading detection on all three platforms. SysJoker was identified during an active attack on a renowned educational institution's Linux-based web server.

Researchers discovered that SysJoker also has Mach-O and Windows PE versions after further examination. They believe that the SysJoker attack began in the second half of 2021, based on C2 domain registration and samples detected in VirusTotal. 

SysJoker disguises itself as a system update and creates its C2 by decoding a string from a text file housed on Google Drive. The C2 changed three times during Intezer's analysis, showing that the attacker was active and monitoring for affected machines. 

Intezer believes SysJoker is targeting certain targets based on victimology and malware behavior. SysJoker was submitted to VirusTotal with the TypeScript file extension .ts. An infected npm package could be used as an attack vector for this malware. 

The malware is written in C++, and while each variant is customized for the targeted operating system, they all go undetected by VirusTotal, a malware scanning website that employs 57 different antivirus detection engines. On Windows, SysJoker deploys a first-stage dropper in the form of a DLL that uses PowerShell commands to perform tasks such as fetching the SysJoker ZIP from a GitHub repository, unzipping it on “C:\ProgramData\RecoverySystem\” and executing the payload. 

After then, the virus waits for up to two minutes before establishing a new directory and cloning itself as an Intel Graphics Common User Interface Service ("igfxCUIService.exe"). “Next, SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands,” explains Intezer’s report. "These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named “microsoft_Windows.dll”.” 

The report includes detailed indicators of compromise (IOCs) that administrators can use to detect the presence of SysJoker on an infected device. 

On Windows, the malware files are located under the "C:\ProgramData\RecoverySystem" folder, at C:\ProgramData\SystemData\igfxCUIService.exe, and C:\ProgramData\SystemData\microsoft_Windows.dll. On Linux, the files and directories are created under “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem). On macOS, the files are created on "/Library/” and persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/

Stolen TikTok Videos have Infiltrated YouTube Shorts


Scammers are taking full advantage of the debut of Google's new TikTok competitor, YouTube Shorts, which has proven to be an excellent platform for feeding stolen content to billions of engaged viewers. Researchers have cautioned that this content is being exploited to conduct rackets such as advertising adult dating websites, hustling diet pills, and selling marked-up commodities. Although YouTube Shorts is still in beta, scammers have had plenty of time to shift their best TikTok-tested flimflams over to the Google cosmos, which is already populated by billions of viewers. 

Satnam Narang, a Tenable analyst, has been analyzing social media for over a decade and discovered that scammers are having great success stealing TikTok's most viral videos and exploiting them on YouTube Shorts to get viewers to click on a variety of sites and links. Narang examined 50 distinct YouTube channels and discovered that, as of December, they had accumulated 3.2 billion views across at least 38,293 videos stolen from TikTok creators. He stated that the YouTube channels had over 3 million subscribers. 

The most common type of fraud Narang discovered was the use of extremely popular TikTok videos, especially challenges showing gorgeous women, to serve links to adult dating sites that run affiliate programmes that pay for clicks.

These websites pay affiliates on a cost per action (CPA) or cost per lead (CPL) basis to incentivize them. Scammers, on the other hand, have started taking advantage of these affiliate offers to gain cash by duping users of social media networks. Scammers only need to persuade consumers to visit these adult dating websites and sign up with an email address, whether valid or not. When a visitor to an adult dating website becomes a registered user, the fraudster is able to get anywhere from $2–$4 for the successful CPL conversion. 

“While adult-dating scams proliferate across many platforms, the introduction of YouTube Shorts, with its enormous potential reach and built-in audience, is fertile ground that will only serve to help these scams become even more widespread,” Narang explained. “This trend is alarming because of how successful these tactics have become so quickly on YouTube Shorts, based on the volume of video views and subscribers on these fake channels promoting stolen content.” 

Viewers of YouTube Shorts were also offered advertisements with viral TikTok exercise videos for trending products, such as the pants dubbed "the leggings" on social media. The famous leggings, with a seam across the back to improve even the flattest posterior, were being offered on YouTube Shorts at a markup by scammers expecting the new breed of customers wouldn't notice the padded price, Narang discovered.

According to Chainalysis, Around $2.2 Billion was Stolen from DeFi Protocols in 2021


Chainalysis, a blockchain data platform, has issued a new report on cryptocurrency crime patterns, revealing that $14 billion in cryptocurrency was sent to unlawful addresses in 2021, nearly doubling the level observed in 2020. However, those figures do not tell the entire story. 

The use of cryptocurrencies is increasing quicker than ever before. Total transaction volume across all cryptocurrencies tracked by Chainalysis increased to $15.8 trillion in 2021, up 567% from totals in 2020. It's no surprise that more fraudsters are utilising cryptocurrency, given its rapid adoption. 

According to Chainalysis data, around $2.2 billion was directly stolen from DeFi protocols in 2021. Chainalysis projected that illegitimate addresses presently possess at least $10 billion in cryptocurrency as of 2022, with the majority owned by wallets involved in cryptocurrency theft, darknet markets, and frauds.  

Researchers at Chainalysis discovered that cybercriminals made 82% more money via scamming last year, raking in $7.8 billion in cryptocurrencies from victims. Chainalysis uncovered $2.8 billion from a scam known as "rug pulls" among the $7.8 billion. Developers in these scams construct seemingly genuine cryptocurrency ventures before stealing investor funds and disappearing. 

"We believe rug pulls are common in DeFi for two related reasons. One is the hype around the space. DeFi transaction volume grew 912% in 2021, and the incredible returns on decentralized tokens like Shiba Inu have many excited to speculate on DeFi tokens," Chainalysis said. "At the same time, it's very easy for those with the right technical skills to create new DeFi tokens and get them listed on exchanges, even without a code audit. Many investors could likely have avoided losing funds to rug pulls if they'd stuck to DeFi projects that have undergone a code audit – or if DEXes required code audits before listing tokens." 

Many of the high-profile attacks on DeFi exchanges in the previous year, according to Chainalysis, "may be linked back to errors in the smart contract code governing those protocols, which hackers exploit to steal funds." 

The end-of-year attack on DeFi protocol Grim Finance rounded off a tumultuous year for DeFi hacks. More than $77 million was stolen from AscendEX a week before the attack on Grim Finance. A few days before, the blockchain gaming startup Vulcan Forged said that over $140 million had been stolen from their users. 

Cybercriminals stole over $120 million from the DeFi platform Badger in November. Other 2021 incidents include the theft of about $600 million from Poly in August and $34 million from Cream Finance in September. Around $200 million was taken from the PancakeBunny platform in May.

Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers


Researchers have provided a detailed look at a system called DoubleFeature, which is dedicated to logging the various stages of post-exploitation resulting from the Equation Group's deployment of DanderSpritz, a full-featured malware architecture. 

DanderSpritz was discovered on April 14, 2017, when a hacker group known as the Shadow Brokers published a report titled "Lost in Translation" that included the exploit tool and others. EternalBlue, a cyberattack exploit created by the US National Security Agency (NSA) that allowed threat actors to carry out the NotPetya ransomware attack on unpatched Windows PCs, was also included in the leaks. 

The tool is a modular, covert, and fully functioning framework for post-exploitation activities on Windows and Linux that depends on dozens of plugins. One of them is DoubleFeature, which serves as a "diagnostic tool for victim machines carrying DanderSpritz," according to Check Point researchers in a new paper released Monday. 

The Israeli cybersecurity firm added, "DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. It's an incident response team's pipe dream." 

DoubleFeature is a Python-based dashboard that doubles as a reporting utility to exfiltrate logging information from an infected system to an attacker-controlled server. It's designed to keep track of the types of tools that could be deployed on a target machine. A specific executable named "DoubleFeatureReader.exe" is used to interpret the output. 

Data Breach Prevention 

Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network access driver called FlewAvenue, and a validator implant named MistyVeal that verifies if the compromised system is indeed an authentic victim machine and not a research environment. 

The researchers stated, "Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes." 

"Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."

Google: Cryptocurrency Miners are Targeting Compromised Cloud Accounts


Google has warned that cryptocurrency miners are using hacked Google Cloud accounts for computationally intensive mining.

Details were disclosed by Google's cybersecurity team in a study published on Wednesday. The "Threat Horizons" study seeks to give intelligence that will assist firms in keeping their cloud systems safe. 

Google wrote in an executive summary of the report, “Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances.” 

Cryptocurrency mining is a for-profit industry that frequently necessitates enormous quantities of computational power, which Google Cloud users may purchase. Google Cloud is a cloud-based storage technology that allows consumers to store data and files off-site. 

As per Google, 86 per cent of the 50 newly hacked Google Cloud accounts were used to mine cryptocurrencies. Bitcoin mining software was downloaded in the majority of cases within 22 seconds of the account being hacked. Around 10% of the affected accounts were also used to perform scans of other publicly available resources on the internet in order to locate susceptible systems, while the remaining 8% were utilised to attack new targets. 

According to Google, malicious actors were able to get access to Google Cloud accounts by exploiting inadequate consumer security procedures. Almost half of the compromised accounts were the result of criminals acquiring access to an internet-facing Cloud account that had either no password or had been hacked. 

As a result, these Google Cloud accounts were vulnerable to being scanned and brute-forced. A quarter of the compromised accounts were the result of flaws in third-party software installed by the owner. Bitcoin, the world's most popular cryptocurrency, has been criticized for consuming excessive amounts of energy. Bitcoin mining consumes more energy than several countries. When authorities investigated a suspected cannabis farm in May, they discovered it was actually an illegal bitcoin mine. 

“The cloud threat landscape in 2021 was more complex than just rogue cryptocurrency miners, of course,” wrote Bob Mechler, director of the office of the chief information security officer at Google Cloud, and Seth Rosenblatt, security editor at Google Cloud, in a blog post. 

They also stated that Google researchers discovered a phishing attack by the Russian group APT28/Fancy Bear at the end of September and that Google stopped the attack. Google researchers also discovered a North Korean government-backed threat organisation that impersonated Samsung recruiters in order to deliver harmful attachments to the staff at various South Korean anti-malware protection firms, they noted.