Search This Blog

Showing posts with label Security. Show all posts

BlackCat Ransomware’s Data Exfiltration Tool Gets an Upgrade

 

A new version of the BlackCat ransomware's data exfiltration tool for double-extortion attacks has been released. Exmatter, the stealer tool, has been in use since BlackCat's initial release in November 2021.
Exmatter Evolution Symantec researchers (who track the group as Noberus) claim in a report that the ransomware group's focus appears to be on data exfiltration capabilities, which is a critical component of double-extortion attacks. 

The exfiltration tool was substantially updated in August, with various changes including the ability to exfiltrate data from a wide range of file types, including FTP and WebDav, to SFTP, and the option to create a report listing all processed files. It has also added a 'Eraser' feature to corrupt processed files, as well as a 'Self-destruct' configuration option to delete and quit if it runs in a non-valid environment.

New information  stealer

The deployment of new malware known as Eamfo, which is specifically designed to target credentials saved in Veeam backups, has increased BlackCat's ability to steal information even further.

Eamfo connects to the Veeam SQL database and uses a SQL query to steal backup credentials. It decrypts and displays credentials to an attacker once they have been extracted.

Along with expanding Exmatter's capabilities, the latest version includes extensive code refactoring to make existing features more stealthy and resistant to detection. In any case, the BlackCat operation terminates antivirus processes with an older anti-rootkit utility.

BlackCat isn't slowing down and appears to be focused on constantly evolving itself with new tools, improvements, and extortion strategies. As a result, organisations are advised to secure access points and train their employees on cybercriminal penetration techniques. Businesses should also invest more in cross-layer detection and response solutions.

Unpatched 15-year Old Python Flaw Allows Code Execution in 350k Projects

 

As many as 350,000 open-source projects are potentially vulnerable to exploitation due to a 15-year-old security vulnerability in a Python module. The open-source repositories cover a wide range of industries, including software development, artificial intelligence/machine learning, web development, media, security, and information technology management. 

The flaw, designated CVE-2007-4559 (CVSS score: 6.8), is deeply embedded in the tarfile module, and successful exploitation could result in code execution from an arbitrary file write. 

"The vulnerability is a path traversal attack in the extract and extract all functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz said in a writeup.

The bug, first reported in August 2007, relates to how a specially crafted tar archive can be used to overwrite arbitrary files on a target machine simply by opening the file.

Simply put, a threat actor can exploit the flaw by uploading a malicious tarfile in a way that allows the adversary to escape the directory that a file is intended to be extracted to and achieve code execution, potentially allowing the adversary to seize control of a target device.

"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads. "It is possible that files are created outside of path, e.g. members that have absolute filenames starting with '/' or filenames with two dots '..'."

The flaw is similar to a recently disclosed security flaw in RARlab's UnRAR utility (CVE-2022-30333), which could result in remote code execution. Trellix has also released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, revealing the vulnerability in both the Spyder Python IDE and Polemarch.

"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," Douglas McKee noted.

Extended DDoS Attack With 25.3B+ Requests Thwarted

 

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and experts added that two days later, a new DDoS attack hit its website, albeit for a shorter period of time. This record-breaking attack had an average rate of 1.8 million RPS. To send multiple requests over individual connections, threat actors used HTTP/2 multiplexing or combining multiple packets into one.

The attackers' technique is difficult to detect and can bring down targets with a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor as the previous record, which Akamai blocked in July and hit the same customer.

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia

 

Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this action is a different cluster earlier associated with the "ShadowPad" RAT (remote access trojan) (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an example of an April 2022 attack to demonstrate how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application in order to load a.dat file.

The legitimate application abused by the hackers, in this case, was an 11-year-old Bitdefender Crash Handler executable. The initial.dat payload contains encrypted shellcode that can be used to directly execute commands or additional payloads from memory.

The threat actors installed ProcDump three days after gaining backdoor access to steal user credentials from the Local Security Authority Server Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler and the DLL order hijacking trick. A month after the intrusion, the threat actors gained access to the active directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (Proxylogon) exploitation against Exchange Servers in the compromised network.

New Zero-day Flaw in BackupBuddy Plugin Leaves WordPress Users at Risk

 

Wordfence, a WordPress security company, has disclosed that a zero-day vulnerability in the BackupBuddy plugin is being actively exploited. 

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it stated.

Users can back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among other things. The flaw (CVE-2022-31474, CVSS score: 7.5) affects versions 8.5.8.0 to 8.7.4.1 of the plugin, which has an estimated 140,000 active installations. It was fixed in version 8.7.5, which was released on September 2, 2022. 

The problem stems from the "Local Directory Copy" function, which is intended to keep a local copy of the backups. The vulnerability, according to Wordfence, is the consequence of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server. Additional information about the vulnerability has been withheld due to active in-the-wild abuse and the ease with which it can be exploited.

The plugin's developer, iThemes, said, "This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence reported that the targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. The majority of the intrusions attempted to read the files listed below -
  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash
Users of the BackupBuddy plugin are encouraged to update to the most recent version. They should determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries

 

Over the last two years, a persistent cyber-attack campaign targeting major financial institutions in French-speaking African countries has surfaced. Check Point Research (CPR) discovered the campaign and termed it 'DangerousSavanna.' To start infection chains, it used spear phishing techniques. 

The threat actors allegedly sent malicious attachment emails in French to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo, using a variety of file types to entice victims, including PDF, Word, ZIP, and ISO files. DangerousSavanna hackers also used lookalike domains to impersonate other African financial institutions such as Tunisian Foreign Bank and Nedbank.

Sergey Shykevich, threat intelligence group manager at CPR explained, "Our suspicion is that this is a financially motivated cybercriminal, but we don't have conclusive evidence yet. Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims, and right now, we are aware of at least three major financial corporations that operate in these countries that have been affected."

Furthermore, the cybersecurity expert stated that Check Point's assessment indicates that this actor will continue to try to break into its targeted companies until vulnerabilities are discovered or employees make a mistake.

"Usually, when a hacker targets financial institutions directly, their main goal is to secure access to core banking systems such as payment card issuing systems, SWIFT transfers and ATM control systems," Shykevich added.

In general, the Check Point executive stated that cyber-criminals believe that the fragile economies of some African countries are linked to a lack of cybersecurity investment.

"But the finance and banking sector is actually one of the most impacted industries worldwide, experiencing 1144 weekly cyber–attacks on average," Shykevich explained.

CPR provided companies with advice on preventing spear phishing attacks in an advisory detailing some of DangerousSavanna's recent attacks. These methods include keeping systems up to date, implementing multi-factor authentication (MFA), confirming suspicious email activity before interacting, educating employees, and testing their cybersecurity knowledge on a regular basis.

The DangerousSavanna warning comes just weeks after cybersecurity firm Vade revealed that banks around the world received the majority of phishing attacks in the first half of 2022.

Experts Discovered TeslaGun Panel Used by TA505 to Manage its ServHelper Backdoor

 

Cybersecurity researchers have revealed details about a previously unknown software control panel used by TA505, a financially motivated threat group. 

"The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on."

TA505, also known as Evil Corp, Gold Drake, Dudear, Indrik Spider, and SectorJ04, is an aggressive Russian cybercrime syndicate that is responsible for the infamous Dridex banking trojan and has been connected to a number of ransomware campaigns in recent years. It's also linked to the Raspberry Robin attacks, which first surfaced in September 2021, with similarities discovered between the malware and Dridex. Other malware families linked with the group include FlawedAmmyy, the Neutrino botnet, and ServHelper, a backdoor capable of downloading FlawedGrace, a remote access trojan.

The adversary is said to use the TeslaGun control panel to manage the ServHelper implant, acting as a command-and-control (C2) framework to commandeer the compromised machines. Furthermore, the panel allows attackers to issue commands and send a single command to all victim devices in go or configure the panel so that a predefined command is automatically executed when a new victim is added to the panel.

Aside from the panel, threat actors have been observed using a remote desktop protocol (RDP) tool to connect to the targeted systems via RDP tunnels.

"The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records," the researchers said.

According to PRODAFT's analysis of TeslaGun victim data, the group's phishing and targeted campaigns have reached at least 8,160 people July 2020. A majority of those victims are located in the U.S. (3,667), followed by Russia (647), Brazil (483), Romania (444), and the U.K. (359).

"It is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts," the researchers noted, citing comments made by the adversarial group in the TeslaGun panel.

The findings also arrive as the US Department of Health and Human Services (HHS) issued a warning about the group's significant threats to the health sector, including data exfiltration attacks aimed at stealing intellectual property and ransomware operations.

The agency's Health Sector Cybersecurity Coordination Center (HC3) said in an advisory published late last month, "Evil Corp has a wide set of highly-capable tools at their disposal. These are developed and maintained in-house, but are often used in conjunction with commodity malware, living-off-the-land techniques and common security tools that were designed for legitimate and lawful security assessments."

Feds, npm Issue Supply Chain Security Alert to Avoid Another SolarWinds

 

The lessons learned from the SolarWinds software supply chain attack were turned into tangible guidance this week when the United States Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practises framework for developers to prevent future supply chain attacks.

In addition to the recommendations from the US government, developers received npm Best Practices from the Open Source Security Foundation in order to establish supply chain security open-source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."

Meanwhile, OpenSSF announced that the npm code repository has grown to encompass 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, praise the industry's proactive framework, but Burch adds that it is now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation to implement software bills of materials (SBOMs).

Burch  concluded, "What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security." 

In-Depth Look at Ragnar Locker Ransomware Targeting Vital Industries

 

The Ragnar group, responsible for the Ragnar Locker ransomware, has been active since 2019, targeting critical industries and using double extortion. The FBI warned in March 2022 that at least 52 entities from ten critical industry sectors had been affected. 

In August 2022, the group launched an attack on Greek gas supplier Desfa, claiming to have stolen sensitive data. Cybereason researchers examined Ragnar Locker's encryption process. Ragnar Locker performs a location check during execution. Execution is stopped if the location is any country in the Commonwealth of Independent States (CIS).

It then gathers host information, such as the computer and user names, as well as the machine GUID and Windows version. A custom hashing function concatenates and conceals this data. The combined hashes are used to name a new event. Ragnar Locker then attempts to locate existing file volumes by utilising the Windows APICreateFileW.

The encrypted list of services contained within the Ragnar Locker code is decrypted. VSS, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms, Dfs are all included. If any of these are discovered to be running services, the malware terminates them.

The malware then decrypts and prepares an embedded RSA public key for use. It decrypts the ransom note and then proceeds to delete any shadow copies of the host via vssadmin.exe and Wmic.exe.

The ransom note also states in the analysed sample, "Also, all of your sensitive and private information was gathered, and if you decide NOT to pay, we will upload it for public view!" Tor's Ragnar Locker data leak site (http [://] rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd [.] onion/) currently lists approximately 70 claimed victims.

The note demands a ransom of 25 bitcoins, but suggests that if contact is made within two days, this can be negotiated. However, it warns that if no contact is made within 14 days, the ransom will double, and the decryption key will be destroyed if no payment agreement is reached within 21 days. It also states that the attackers customised the ransom amount based on the victim's "network size, number of employees, annual revenue."

Ragnar Locker begins the encryption process once the ransom note is complete. The files like autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db; specific processes and objects such as Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.bin, ProgramData, All Users; and files with the extensions .db, .sys, .dll, lnk, .msi, .drv, .exe.are among those excluded.

Other files' filenames are sent to the encryption function, which encrypts them and appends the suffix '.ragnar [hashed computer name]'. Ragnar Locker creates a notepad.exe process after encryption and displays the ransom note on the user's screen.

The stolen data used in the double extortion process is continuously exfiltrated until it reaches the point of encryption. According to Loic Castel, a principal security analyst at Cybereason's Global SOC, “In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt.. Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains.”

As per the FBI alert, data exfiltration occurred nearly six weeks after the initial access and continued for about ten days before the encryption process began. Ragnar Locker primarily targets critical industry companies. 

“Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” warned the FBI in its March 2022 alert.

WatchGuard Firewall Exploit Threatens Appliance Takeover

 

WatchGuard has fixed multiple vulnerabilities in two major firewall brands, ranging in severity from medium to critical. Two of the flaws, when combined, permitted Ambionics security engineer Charles Fol to gain pre-authentication remote root on any WatchGuard Firebox or XTM appliance. 

Both the Firebox and XTM product lines were implicated in a number of hacking attacks earlier this year, with Russian state-sponsored threat actor Sandworm exploiting a privilege escalation vulnerability to build the Cyclops Blink botnet, which was shut down in April. 

WatchGuard released three firmware updates over a four-month period, patching a number of critical vulnerabilities.

Complete access as root

Fol told The Daily Swig, “By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root. This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera. The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Fol believes that as a result of the numerous security alerts generated during his research, including those relating to Cyclops Blink, fewer WatchGuard users now have their administration interface exposed on the internet.

"The first vulnerability, Xpath, is accessible through the standard, client interface, and as such is much more likely to be exposed; a quick shodan search revealed around 350,000 instances," he said.

He recommends that users remove their administration interface from the internet and keep their systems up to date. Fol stated that he reported the flaws at the end of March and received a prompt response. A month later, the security team at WatchGuard confirmed that a patch would be available on June 21.

That 'Clean' Google Translate App is Actually Windows Crypto-mining Malware

 

 
The Turkish-speaking group responsible for Nitrokod, which has been active since 2019 is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto mining Trojan, is usually disguised as a clean Windows app and functions normally for days or weeks before its hidden Monero-crafting code is executed. What's interesting is that the apps offer a desktop version of services that are normally only available online.

"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

Nitrokod also uses other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programmes in addition to Google Translate. On some websites, malicious applications will highlight about being "100% clean," despite the fact that they are infected with mining malware. Nitrokod has been productive in spreading its malicious code through download sites such as Softpedia. Since December 2019, the Nitrokod Google Translator app has been downloaded over 112,000 times, according to Softpedia.

Nitrokod programmers, according to Check Point, are patient, taking a long time and multiple steps to conceal the malware's presence inside an infected PC before installing aggressive crypto mining code. Due to the lengthy, multi-stage infection efforts, the campaign went unnoticed for years before being discovered by cybersecurity experts.

"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."

After the program is downloaded and the user launches the software, an actual Google Translate app, built using Chromium as described above, is installed and runs normally. Simultaneously, the software quietly fetches and saves a series of executables, eventually scheduling one specific.exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, retrieves Monero miner code configuration settings, and begins the mining process, with generated coins sent to the miscreants' wallets. To conceal its tracks, some of the early-stage code will self-destruct.

One stage also looks for known virtual-machine processes and security products, which may indicate that the software is being researched. If one is discovered, the programme will terminate. If the programme is allowed to run, it will create a firewall rule that will allow incoming network connections.

Throughout the various stages, the attackers deliver the next stage using password-protected RAR-encrypted files to make them more difficult to detect. According to Marelus, Check Point researchers were able to investigate the crypto mining campaign using the vendor's Infinity extended detection and response (XDR) platform.

Montenegro's State Infrastructure Struck by Cyber Attack Officials

 

An unprecedented cyber attack on Montenegro's government digital infrastructure occurred, and the government promptly implemented measures to mitigate its impact. Montenegro immediately reported the attack to other NATO members. 

“Certain services were switched off temporarily for security reasons but the security of accounts belonging to citizens and companies and their data have not been jeopardised,” said Public Administration Minister Maras Dukaj. 

The attack, according to the Minister, began on Thursday night. The US embassy in Montenegro recommended US citizens limit their movement and travel within the country to the necessities and keep their travel documents up to date and easily accessible, fearing that the attack would disrupt government infrastructure for identifying people living in Montenegro and transportation. The National Security Agency issued a warning to critical infrastructure organisations.

“A persistent and ongoing cyber-attack is in process in Montenegro,” reported the website of the U.S. Embassy in the capital Podgorica. 

“The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors.” 

EPCG, the state-owned power utility, has switched to manual handling to avoid any potential damage, according to Milutin Djukanovic, president of EPCG. The company decided to temporarily disable some of its clients' services as a safety measure. The government believes the attack was carried out by a nation-state actor.

“Outgoing Prime Minister Dritan Abazovic called a session of the National Security Council for Friday evening to discuss the attack. Abazovic said it was politically motivated following the fall of his government last week,” reported Reuters.

Previous Attacks

Montenegro was targeted by the Russia-linked hacker group APT28 in June 2017 after it officially joined the NATO alliance, amidst strong opposition from the Russian government, which threatened retaliation.

Montenegro experienced massive and prolonged cyberattacks against government and media websites in February 2017, for the second time in a few months. FireEye researchers who analysed the attacks discovered malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack was launched against the country's institutions during the October 2016 elections, sparking speculation that the Russian Government was involved. At the time, hackers launched spear phishing attacks against Montenegro, using weaponized documents related to a NATO secretary meeting and a visit by a European army unit to the country.

The hackers distributed the GAMEFISH backdoor (also known as Sednit, Seduploader, JHUHUGIT, and Sofacy), a malware used only by the APT28 group in previous attacks. Marshal Sir Stuart Peach, Chairman of NATO's Military Committee (MC), announced the Alliance's effort to counter Russian hybrid attacks in January 2020.

The term "hybrid warfare" refers to a military strategy that combines political warfare, irregular warfare, and cyberwarfare with other methods of influencing, such as fake news, diplomacy, lawfare, and foreign electoral intervention.

Binance Executive: Scammers Created a 'Deep Fake Hologram' of him to Fool Victims

 

According to a Binance public relations executive, fraudsters created a deep-fake "AI hologram" of him to scam cryptocurrency projects via Zoom video calls.

Patrick Hillmann, chief communications officer at the crypto hypermart, stated he received messages from project teams thanking him for meeting with them virtually to discuss listing their digital assets on Binance over the past month. This raised some suspicions because Hillmann isn't involved in the exchange's listings and doesn't know the people messaging him.

"It turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a 'deep fake' of me," Hillmann said. "Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members."

Hillmann included a screenshot of a project manager asking him to confirm that he was, in fact, on a Zoom call in his write-up this week. The hologram is the latest example of cybercriminals impersonating Binance employees and executives on Twitter, LinkedIn, and other social media platforms.

Scams abound in the cryptocurrency world.
Despite highlighting a wealth of security experts and systems at Binance, Hillman insisted that users must be the first line of defence against scammers. He wrote that they can do so by being vigilant, using the Binance Verify tool, and reporting anything suspicious to Binance support.

“I was not prepared for the onslaught of cyberattacks, phishing attacks, and scams that regularly target the crypto community. Now I understand why Binance goes to the lengths it does,” he added.

The only proof Hillman provided was a screenshot of a chat with someone asking him to confirm a Zoom call they previously had. Hillman responds: “That was not me,” before the unidentified person posts a link to somebody’s LinkedIn profile, telling Hillman “This person sent me a Zoom link then your hologram was in the zoom, please report the scam”.

The fight against deepfakes
Deepfakes are becoming more common in the age of misinformation and artificial intelligence, as technological advancements make convincing digital impersonations of people online more viable.

They are sometimes highly realistic fabrications that have sparked global outrage, particularly when used in a political context. A deepfake video of Ukrainian President Volodymyr Zelenskyy was posted online in March of this year, with the digital impersonation of the leader telling citizens to surrender to Russia.

On Twitter, one version of the deepfake was viewed over 120,000 times. In its fight against disinformation, the European Union has targeted deepfakes, recently requiring tech companies such as Google, Facebook, and Twitter to take countermeasures or face heavy fines.

Researchers Discover Kimusky Infra Targeting South Korean Politicians and Diplomats

 

Kimusky, a North Korean nation-state group, has been linked to a new wave of nefarious activities targeting political and diplomatic entities in its southern counterpart in early 2022. 

The cluster was codenamed GoldDragon by Russian cybersecurity firm Kaspersky, with infection chains resulting to the implementation of Windows malware designed to file lists, user keystrokes, and stored web browser login credentials. South Korean university professors, think tank researchers, and government officials are among the potential victims. 

Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gather intelligence on various topics of interest to the regime.

The group, which has been active since 2012, has a history of using social engineering tactics, spear-phishing, and watering hole attacks to obtain sensitive information from victims.

Late last month, cybersecurity firm Volexity linked the actor to an intelligence-gathering mission aimed at siphon email content from Gmail and AOL using Sharpext, a malicious Chrome browser extension.

The latest campaign employs a similar tactic, with the attack sequence initiated by spear-phishing messages containing macro-embedded Microsoft Word documents supposedly comprising content related to geopolitical issues in the region. Alternative initial access routes are also said to use HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys in order to compromise the system.

Whatever method is used, the initial access is followed by a remote server dropping a Visual Basic Script that is orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.

The attack is unique in that it sends the victim's email address to the command-and-control (C2) server if the recipient clicks on a link in the email to download additional documents. If the request does not include the expected email address, a harmless document is returned.

To complicate matters even further, the first-stage C2 server forwards the victim's IP address to another VBS server, which compares it to an incoming request generated after the target opens the bait document. The two C2 servers' "victim verification methodology" ensures that the VBScript is distributed only when the IP address checks are successful, indicating a highly targeted approach.

"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it's tough to acquire a full-infection chain," Kaspersky researcher Seongsu Park concluded.

Spanish Banking Trojan Attacks Various Industry Verticals

 

A new campaign aimed at delivering the Grandoreiro banking trojan has targeted organisations in the Spanish-speaking countries of Mexico and Spain. 

"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.

The ongoing attacks, which began in June 2022, have been observed to target the automotive, civil and industrial construction, logistics, and machinery sectors in Mexico and the chemicals manufacturing industries in Spain via multiple infection chains. 

The attack chain involves using spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive from which a loader disguised as a PDF document is extracted to trigger the execution. To activate the infections, the phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, mortgage loan cancellation, and deposit vouchers.

"This [loader] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the [command-and-control] Server using traffic identical to LatentBot," Zscaler researcher Niraj Shivtarkar said.

The loader is also intended to collect system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and then exfiltrate the data to a remote server.

Grandoreiro is a modular backdoor with a plethora of functionalities that enable it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard movements, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change. It has been observed in the wild for at least six years.

Furthermore, the malware is written in Delphi and employs techniques such as binary padding to increase binary size by 200MB, CAPTCHA implementation for sandbox evasion, and C2 communication through subdomains generated by a domain generation algorithm (DGA).

The CAPTCHA technique, in specific, necessitates the victim to manually complete the challenge-response test in order to execute the malware in the compromised machine, implying that the implant is not executed unless and until the CAPTCHA is solved.

According to the findings, Grandoreiro is constantly evolving into sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access and posing significant threats to employees and their organisations.

The information comes just over a year after Spanish authorities apprehended 16 members of a criminal network in connection with the operation of Mekotio and Grandoreiro in July 2021.

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

 

The notorious 'Grandoreiro' banking trojan was discovered in recent attacks targeting employees of a chemicals manufacturer in Spain and automotive and machinery manufacturers in Mexico. The malware has been active in the wild since at least 2017 and continues to be one of the most serious threats to Spanish-speaking users. 

The most recent campaign, discovered by Zscaler analysts, began in June 2022 and is still ongoing. It entails the deployment of a Grandoreiro malware variant with several new anti-detection and anti-analysis features, as well as a redesigned C2 system.

The infection chain begins with an email purporting to be from the Mexican Attorney General's Office or the Spanish Public Ministry, depending on the target. The message's subject matter includes state refunds, notices of litigation changes, mortgage loan cancellations, and other items.

The email contains a link that takes recipients to a website where they can download a ZIP archive. That file contains the Grandoreiro loader module disguised as a PDF file in order to trick the victim into running it. Once this occurs, the loader retrieves a Delphi payload in the form of a compressed 9.2MB ZIP file from a remote HTTP file server ("http://15[.]188[.]63[.]127:36992/zxeTYhO.xml") and extracts and executes it.

The loader gathers system information, retrieves a list of installed antivirus programmes, cryptocurrency wallets, and e-banking apps, and sends it to the C2. To avoid sandbox analysis, the final payload is signed with a certificate stolen from ASUSTEK and has an inflated size of 400MB thanks to "binary padding."

In one case, as security analyst Ankit Anubhav pointed out on Twitter, Grandoreiro even asks the victim to solve a CAPTCHA to run on the system, which is yet another attempt to avoid detection. Finally, Grandoreiro is made persistent between reboots by adding two new Registry keys and setting it to launch at system startup.

Grandoreiro features

One of the new features in the latest Grandoreiro variant sampled by Zscaler is the use of DGA (domain generation algorithm) for C2 communications, which makes mapping and taking down the malware's infrastructure difficult.

The C2 communication pattern is now the same as LatentBot's, with "ACTION+HELLO" beacons and ID-based cookie value responses. The similarities between the two malware strains were discovered by Portuguese cybersecurity blogger Pedro Taveres in 2020, but the C2 communication techniques were only recently incorporated into Grandoreiro's code.

The malware on the host has the following backdoor capabilities:
  • Keylogging
  • Auto-Updation for newer versions and modules
  • Web-Injects and restricting access to specific websites
  • Command execution
  • Manipulating windows
  • Guiding the victim's browser to a specific URL
  • C2 Domain Generation via DGA (Domain Generation Algorithm)
  • Imitating mouse and keyboard movements
Outlook

The recent campaign suggests that Grandoreiro's operators prefer to carry out highly targeted attacks rather than send large volumes of spam emails to random recipients.

Furthermore, the malware's continuous evolution, which provides it with stronger anti-analysis and detection avoidance features, lays the groundwork for stealthier operations. While Zscaler's report does not go into detail about the current campaign's objectives, Grandoreiro's operators have previously demonstrated financial motivations, so the case is assumed to be the same.

'RedAlpha': This Chinese Cyberspy Group is Targeting Governments & Humanitarian Entities

 

RedAlpha, a Chinese state-sponsored cyberespionage group, has been observed targeting numerous government organisations, humanitarian organisations, and think tanks over the last three years. 

The advanced persistent threat (APT) actor, also known as Deepcliff and Red Dev 3, has been active since at least 2015, focusing on intelligence collection and surveillance of ethnic and religious minorities such as the Tibetan and Uyghur communities. 

According to cybersecurity firm Recorded Future, RedAlpha has registered hundreds of domains impersonating global government, think tank, and humanitarian organisations such as Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA).

According to Recorded Future, the attacks are consistent with previous RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Taiwanese organisations were also targeted, most likely for intelligence gathering. The campaign's goal has been to collect credentials from targeted individuals and organisations in order to gain access to their email and other communication accounts.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.

The cyberespionage group is known for using weaponized websites - which mimics well-known email service providers or specific organisations - as part of its credential-theft campaigns, but the APT registered more than 350 domains last year.

This activity was distinguished by the use of resellerclub[.]com nameservers, as well as the use of virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the use of specific server-side components.

About RedAlpha:

The group has recorded hundreds of domains typosquatting major email and storage service providers, including Yahoo (135 domains), Google (91 domains), and Microsoft (70), as well as domains typosquatting multiple countries' ministries of foreign affairs (MOFAs), Purdue University, Taiwan's Democratic Progressive Party, and the aforementioned and other global government, think tank, and humanitarian organisations.

The cyberespionage group registered at least 16 domains impersonating the Berlin-based non-profit organisation MERICS during the first half of 2021, which coincided with the Chinese MOFA sanctioning the think tank.

“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.

RedAlpha has also shown a consistent focus on targeting Taiwanese entities over the last three years, including through multiple domains mimicking the American Institute in Taiwan (AIT), the de facto embassy of the United States of America. The hacking group was also noticed spreading its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese ministries of foreign affairs, as well as India's National Informatics Centre (NIC).

“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.

The cybersecurity firm has discovered a connection between RedAlpha and a Chinese information security firm - email addresses used to register spoofing domains appear in job listings and other web pages associated with the organisation - and believes the threat actor is based in China.

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.

Google Fined $60M+ for Misleading Australians About Collecting Location Data

 

Google was fined $60 million by the Australian Competition and Consumer Commission (ACCC) for deceiving Australian Android users about the collection and utilization of their location data for over two years, between January 2017 and December 2018. 

According to the Australian Competition watchdog, the tech giant continued to follow some of its customers' Android phones even after they deleted "Location History" in the device's settings. While consumers were misled to believe that option would deactivate location tracking, another account setting, "Web & App Activity," which was enabled by default, allowed the firm to "collect, retain, and use personally identifiable location data." 

According to the ACCC, based on available data, more than 1.3 million Australian Google accounts have been impacted. 

"Google, one of the world's largest companies, was able to keep the location data collected through the 'Web & App Activity' setting and that retained data could be used by Google to target ads to some consumers, even if those consumers had the "Location History" setting turned off," stated ACCC Chair Gina Cass-Gottlieb. 

"Personal location data is sensitive and important to some consumers, and some of the users who saw the representations may have made different choices about the collection, storage and use of their location data if the misleading representations had not been made by Google." 

In October 2019, Australia's competition watchdog initiated proceedings against Google. The Australian Federal Court ruled in April 2021 that Google had violated the Australian Consumer Law by deceiving customers regarding the gathering and use of their location data. 

By 20 December 2018, Google has taken corrective action and resolved all faults that had led to this fine, with users no longer being shown deceptive information implying that halting location history will stop collecting information about the areas they go with their devices. 

"Companies need to be transparent about the types of data that they are collecting and how the data is collected and may be used so that consumers can make informed decisions about who they share that data with," Cass-Gottlieb added.

Reddit Enabled Attackers to Perform Mod Actions due to IDOR Flaw

 

Due to a vulnerability in Reddit, attackers were able to execute moderator activities or elevate normal users to mod status without the necessary authorization.  Since Reddit admins have the ability to pin or remove content, block other users, and modify subreddit metadata, the weakness may have allowed for all sorts of mischief. 

According to a recent HackerOne report, a bug researcher with the handle 'high ping ninja' discovered that while attempting to access the mod logs using GraphQL, Reddit failed to validate if the user was a moderator of a certain subreddit. 

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained. 

On August 3, an insecure direct object reference (IDOR) flaw was reported and patched on the same day. Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied data. 

The word IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access restrictions being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur with vertical privilege escalation. 

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes. The researcher received a $5,000 bug reward for his discovery.