Search This Blog

Showing posts with label Security Researchers. Show all posts

Lazarus Hackers are Using Log4j to Hack US Energy Companies

 

A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.

Cisco Talos, a threat intelligence company, announced Thursday that Lazarus, also known as APT38, was observed targeting unidentified energy providers in the United States, Canada, and Japan between February and July of this year. 

According to Cisco's findings, the hackers exploited a year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers in order to gain an initial foothold on a victim's enterprise network before deploying bespoke malware known as "VSingle" and "YamaBot" to gain long-term persistent access. 

Japan's national cyber emergency response team, known as CERT, recently linked YamaBot to the Lazarus APT. Symantec first disclosed information of this espionage campaign in April of this year, attributing the operation to "Stonefly," another North Korean hacking group with some overlaps with Lazarus.

However, Cisco Talos discovered a previously unknown remote access trojan (RAT) called "MagicRAT," which is attributed to the Lazarus Group and is used by hackers for reconnaissance and credential theft.

Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

However, in recent months, the group has shifted its focus to blockchain and cryptocurrency organisations. It has been associated with the recent thefts of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain created for the popular play-to-earn game Axie Infinity.

Pyongyang has long used stolen cryptocurrency and information theft to finance its nuclear weapons programme. In July, the United States offered a $10 million reward for data on members of state-sponsored North Korean threat groups, including Lazarus, more than doubling the amount previously offered. The State Department made the announcement in April.

The Lazarus Group is a North Korean-backed hacking organisation best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also motivated by efforts to support North Korea's state objectives, such as military R&D and evasion of international sanctions.

Zenly Addressed the Risks of User Data Exposure and Account Takeover

 

Zenly, a social app from Snap that allows users to monitor the positions of friends and family on a live map, has two flaws that potentially imperil people being tracked. The issues are a user-data disclosure vulnerability and an account-takeover vulnerability, according to the Checkmarx Security Research Team.   

Zenly is a real-time location sharing software created in 2015 by Alexis Bonillo and Antoine Martin in Paris, France. Zenly's primary role is to share and monitor locations with friends. The software may communicate not only your current position, but also your mobile direction and speed. Zenly employs dependable, effective, and precise positioning technology to pinpoint the precise location of friends or family members. 

According to Checkmarx, the vulnerability exploits the "Add by Username" procedure, which begins by searching for a known username. Then, to view requests that occur during the username search, "an environment that permits intercepting and decoding network requests to get visibility into network activities" can be employed. 

“By observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,” according to the analysis. “This list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.” 

According to the researchers, after the target username has been found, the same interceptor may be used to retrieve the associated phone number via a view named "Add by Username," then clicking the "Add as Friend" button.

This vulnerability's mitigation strategy can be divided into two phases. The most serious consequences are from gaining access to a user's Personally Identifiable Information (PII) without their permission. This could be avoided by eliminating the target phone number field from the reply sent when a friend request is created. The second step in this mitigation recommendation is to effectively limit or shape the data supplied by the /UserPublicFriends endpoint when a username search is performed, rather than returning an entire list of the friends' usernames. 

According to Checkmarx, the second bug appears in the user-authentication flow. This authentication uses SMS messages carrying verification numbers to validate sessions. After sending the SMS message to the user, the app uses the session token and the SMS verification code to access the /SessionVerify endpoint. 

Both vulnerabilities have been fixed, and users should update their apps to the most recent version to avoid compromise, according to the company.

Several Vulnerabilities were Discovered in the Snap-Confine Function on Linux Systems

 

Security researchers from Qualys uncovered various flaws in Canonical's Snap software packaging and deployment system. Bharat Jogi, head of vulnerability and threat research at Qualys, revealed in a blog post that they discovered many vulnerabilities in the snap-confine function on Linux operating systems, "the most important of which can be abused to escalate privilege to gain root rights." 

Canonical created Snap, a software packaging and distribution mechanism for operating systems that use the Linux kernel. The packages, known as snaps, and the tool used to use them, snapd, are compatible with a variety of Linux distributions and enable upstream software developers to deliver their applications directly to users. Snaps are standalone applications that run in a sandbox and have mediated access to the host system. Snap-confine is a software that snapd uses internally to build the execution environment for snap applications. 

If this vulnerability is successfully exploited, any unprivileged user can get root privileges on the vulnerable system. Qualys security researchers were able to independently validate the vulnerability, create an exploit, and get full root access on default Ubuntu installations. Canonical cooperated in responsible vulnerability disclosure and coordinated with both vendor and open-source distributions to announce this newly identified vulnerability as soon as the Qualys Research Team confirmed it. 

Canonical, the publisher of Ubuntu, said in a statement that they tried to ensure that the subsystems on which the snap platform is based are utilised safely throughout the development process. They pointed out that, because of automatic refreshes, the majority of snap-distributed platform installations around the world have already been updated.

In addition, Qualys detected six more vulnerabilities. They detailed each vulnerability and asked all users to patch as soon as feasible. “Unfortunately, such a modern confinement platform involves many subsystems, and sometimes we make mistakes. Thankfully, Canonical and Ubuntu are part of a large community that includes competent security researchers. Recently, Qualys informed us that one of the tools a part of the snap platform contains a security issue,” a Canonical spokesperson said. 

“In their words: Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs,” the spokesperson added.

APT41 Used the New MoonBounce UEFI Malware in Targeted Attacks

 

According to the Kaspersky researchers who discovered it, a new firmware bootkit discovered in the wild demonstrates remarkable advances over previous similar tools. MoonBounce is a harmful implant that hides in a computer's UEFI firmware in the system's SPI flash - a storage component external to the hard drive, making it difficult to remove and difficult for proprietary security products to detect. UEFI is a technical specification that aids in the interoperability of computer systems' operating systems (OS) and firmware software. 

Being able to place malicious code known as a "UEFI bootkit" in the firmware is an ideal approach to avoid detection by antivirus software and other security measures running at the OS level. This has been done before, with the FinFisher malware and the ESPecter backdoor being two recent instances. In general, these tools hijack the boot sequence and initialize it before the operating system's security components. They are extremely tenacious because they nest in regions that cannot be wiped, such as reserved disk space. 

"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx, and ExitBootServices," explains Kaspersky in the report. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader." 

MoonBounce is the third bootkit identified in the wild, following LoJax and MosaicRegressor, and it shows "substantial development, with a more sophisticated attack flow and better technical sophistication" when compared to predecessors. It was discovered in 2021 by Kaspersky using its Firmware Scanner, which is designed to detect threats hidden in the ROM BIOS, including UEFI firmware images.

Kaspersky discovered a plethora of evidence linking MoonBounce to APT41, ranging from the deployment of the ScrambleCross malware itself to unique certificates acquired from its C2 servers that correspond to earlier FBI reports on APT41 activities. While the United States Department of Justice discovered and charged five APT41 members in September 2020, the presence of MoonBounce and the operation around it demonstrates that the threat actors were not deterred by the legal pressure. 

According to the telemetry data, the attacks were extremely targeted, and Kaspersky only detected the firmware rootkit on one occasion. Kaspersky discovered several malware samples and loaders in other devices on the same network, however, they were non-UEFI implants. Microcin backdoor, Mimikat credential stealer, Go implant, StealthMutant loader, and ScrambleCross malware are a few examples.

Because of a Flaw in Microsoft Defender, Threat Actors can Evade Detection

 

Threat actors were able to use a vulnerability in Microsoft Defender antivirus on Windows to learn about unscanned places and plant malware there. According to several users, the issue has existed for at least eight years and affects both Windows 10 21H1 and Windows 10 21H2. According to security researchers, the list of locations that are not scanned by Microsoft Defender are insecure and accessible to any local user. 

Windows Defender is an anti-malware component of Microsoft Windows. It was first made available as a free anti-spyware download for Windows XP, and it was then bundled with Windows Vista and Windows 7. It has evolved into a full antivirus solution, replacing Microsoft Security Essentials in Windows 8 and later editions. 

Local users, regardless of their permissions, can query the registry to see which paths Microsoft Defender is not permitted to check for malware or hazardous files. According to Antonio Cocomazzi, a SentinelOne threat researcher who reported the RemotePotato0 vulnerability, there is no protection for this sensitive information, and running the "reg query" command reveals everything that Microsoft Defender is not supposed to scan, whether it is files, folders, extensions, or processes. 

Like any other antivirus software, Microsoft Defender allows customers to specify which locations (local or network) on their PCs should be excluded from malware scanning. Exclusions are routinely used to keep antivirus software from interfering with the operation of legitimate apps that have been incorrectly labeled as malware. Because the list of scanning exceptions differs from user to user, this information is useful for an attacker on the system because it informs them where they can place harmful files without fear of being detected. 

However, Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 enrolls users in particular exclusions based on their server role. These exclusions are not included in the normal exclusion lists. Exclusions for operating system files and server roles are automated because Microsoft Defender Antivirus is incorporated into Windows Server 2016 and later. Custom exclusions, on the other hand, can be specified by users. 

Although a threat actor must have local access in order to obtain the Microsoft Defender exclusions list, this is far from a stumbling block. Many attackers are already accessing stolen business networks in quest of a technique that will allow them to go laterally as silently as possible. 

According to BleepingComputer, the flaw was discovered in May by researcher Paul Bolton. Because Microsoft has yet to patch the flaw, administrators should use group policy to set Microsoft Defender while installing their systems, according to security researchers.

Firmware Attacks can Leave Persistent Malware in the SSD's Hidden Section

 

Korean researchers have created a set of assaults against some solid-state drives (SSDs) that could allow malware to be planted at a position beyond the user's and security solutions' reach. The attack models are designed for drives with flex capacity characteristics and target a hidden section on the device known as over-provisioning, which is extensively used by SSD manufacturers these days for performance improvement on NAND flash-based storage systems. 

The over-provisioning region is invisible to the operating system and any applications that run on it, including security and anti-virus software. The SSD manager dynamically adjusts this space against the workloads when the user runs different applications, depending on how write or read-intensive they are. 

Flex capacity is a feature of Micron Technology SSDs that allows storage devices to automatically modify the sizes of raw and user-allocated space to improve performance by absorbing write workload volumes. It is a dynamic system that builds and changes a buffer of space which typically consumes between 7% and 25% of total disk capacity. 

Hardware-level assaults provide the highest level of persistence and stealth. In the past, sophisticated actors worked hard to execute such concepts against HDDs, concealing dangerous code in unreachable disk sectors. One assault modeled by researchers at Korea University in Seoul targets an invalid data area containing non-erased information that resides between the usable SSD space and the over-provisioning (OP) area, the amount of which depends on the two. According to the research article, a hacker can adjust the size of the OP region using the firmware manager, resulting in exploitable invalid data space. 

In a second attack model, the OP region is used as a covert location where a threat actor can hide malware that users cannot monitor or remove. According to the research article, "It is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%." 

"At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area. Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behaviour of hackers," the article added.

To counteract the first type of assault, the researchers advise that SSD manufacturers wash the OP area with a pseudo-erase algorithm that has no effect on real-time performance. Implementing valid-invalid data rate monitoring systems that monitor the ratio inside SSDs in real-time is a potentially effective security measure against injecting malware in the OP area for the second type of attack.

Web Applications Attacks are on the Rise

 

Imperva Research Labs discovered that attacks are increasing by 22% per quarter in a survey of approximately 4.7 million web application-related cyber security incidents. Worryingly, the pace of increase in such attacks has continued to rise, with a 67.9% increase from Q2 2021 to Q3. One of the most noticeable rises was in Remote Code Execution (RCE) / Remote File Inclusion (RFI) assaults, which increased by 271%. RCE / RFI attacks are used by hackers to steal information, compromise servers, or even take over websites and manipulate their content. 

“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” said Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems. “The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones, and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.” 

As a result of the growth in web app attacks, there has been a significant increase in data breaches. Imperva Research Labs discovered earlier this year that online applications are the source of 50% of all data breaches. With the frequency of breaches increasing by 30% each year and the number of records stolen increasing by an astounding 224%, it is anticipated that 40 billion records will be compromised by the end of 2021, with web application vulnerabilities expected to be responsible for roughly 20 billion. 

“The pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible, and that is almost certainly a driving factor behind this surge in attacks,” says Peter Klimek, Director of Technology at Imperva. 

The changing nature of application development is also extremely important. Developments such as the rapid growth of APIs and the shift to cloud-native computing are advantageous to DevOps, but these changes in application architecture and the accompanying increased attack surface are making security teams' tasks much harder, according to Peter. 

During the pandemic, losses from fraud and cybercrime have spiraled out of control, with the National Fraud Intelligence Bureau estimating that over £1.3 billion was lost in the first half of 2021 alone, more than three times the amount lost in the same period in 2020. These estimates indicate that the problem will increase during 2022.

The usual approach of the security team identifying vulnerabilities and the development team correcting them will not work; Dzihanau said that the feedback cycle must be swift and collaborative.

Blister Malware Silently Slips Through Windows Defences

 

Cybersecurity researchers have revealed details of an evasive malware campaign that uses valid code signing certificates to bypass security defences and remain undetected, with the purpose of distributing Cobalt Strike and BitRAT payloads on infected systems. Elastic Security researchers dubbed the binary, a loader, "Blister," and the malware samples had negligible to zero detections on VirusTotal. The infection vector utilized to stage the attack, as well as the eventual goals of the infiltration, are unknown. 

A notable aspect of the attacks is that they make use of a legitimate Sectigo code signing certificate. The malware has been seen signed with the certificate in question since September 15, 2021. Elastic stated that it has contacted the company in order to get the exploited certificates revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables," researchers Joe Desimone and Samir Bousseaden said. "Their use allows attackers to remain under the radar and evade detection for a longer period of time." 

Another intriguing component of this campaign is what looks to be a novel malware loader with few VirusTotal detections. It's known as the BLISTER loader. The loader is likely spliced into genuine libraries like colorui.dll to guarantee that the majority of the on-disk footprint contains known-good code and metadata. The loader can be written to disc from simple dropper executables at first. One such dropper saves a signed BLISTER loader to %temp%\Framwork\axsssig.dll and runs it with rundll32. BLISTER's LaunchColorCpl is a popular DLL export and entry point name. 

BLISTER uses a basic 4-byte XOR routine to decode bootstrapping code stored in the resource area when it is run. The bootstrapping code is extensively obfuscated and sleeps for 10 minutes at first. This is almost certainly an attempt to avoid sandbox analysis. It decrypts the embedded malware payload after the delay. CobaltStrike and BitRat have been identified as embedded malware payloads by researchers. When the embedded payload is decoded, it is either loaded into the current process or injected into a newly generated WerFault.exe process.

Elastic Security has alerted Sectigo that Blister's code signing certificate has been revoked; nonetheless, the company has also produced a Yara rule to assist organizations in identifying the new malware.

Iran-Linked Hackers Attacked Israel's Government and Business Sector

 

In the latest episode of cyberwarfare between the rival states, an Iran-linked hacking gang hit seven Israeli targets in a 24-hour span, according to an Israeli cybersecurity firm. The Israeli "government and business sector" were among the targets of the "Charming Kitten" attack, according to a statement issued late Wednesday by Tel Aviv-based Check Point. 

"Check Point has blocked these attacks, as we witnessed communications between a server used by this group and the targets in Israel," said the firm. "Our reports of the last 48 hours prove that both criminal hacking groups and nation-state actors are engaged in the exploration of this vulnerability."

Charming Kitten, also known as Phosphorous, APT35, Ajax Security Team, ITG18, NewsBeef, and NewsCaster, is a threat actor that has been active since at least 2011 and has targeted entities in the Middle East, the United States, and the United Kingdom. FireEye classified the group as a nation-state-based advanced persistent threat on December 15, 2017, despite its lack of sophistication. Research conducted by FireEye in 2018 suggested that APT35 may be expanding their malware capabilities and intrusion campaigns. Since then, the gang has been known to use phishing to spoof firm websites, as well as false accounts and DNS domains to steal victims' passwords. 

Allegations of cyberwarfare between Iran and Israel have grown more serious in recent months. In October, Israel was implicated in a series of cyberattacks on Iranian infrastructure, including the country's fuel distribution system. The disruption had an unusual impact because it shut down the IT system that allowed Iranians to fill their tanks for free or at reduced prices using a digital card issued by the authorities.

Another reportedly Iran-linked hacker organization, "Black Shadow," claimed responsibility for a cyber-attack on an Israeli internet service provider in October. One of the sites targeted in that incident was Israel's largest LGBTQ dating service, with the hackers demanding ransom payments in exchange for sensitive private information such as the HIV status of the site's users. 

According to the finance ministry, Israel, which prides itself as a cybersecurity leader, hosted a "international cyber financial war game" last week. The United States, Britain, and the United Arab Emirates, which established diplomatic ties with Israel last year, were among those who took part. Germany, Switzerland, and the International Monetary Fund were all present, according to the ministry. Shira Greenberg, a chief economist at Israel's finance ministry, said the exercise underlined "the importance of coordinated global action by governments and central banks in the face of cyber-financial threats."

Phorpiex Variant Used for Cryptocurrency Assaults in Ethiopia, Nigeria, India, and Other Countries

 

Check Point Research has found new cryptocurrency-related assaults in Ethiopia, Nigeria, India, and 93 other countries. The attackers are employing a variation of the Phorpiex botnet known as "Twizt" by Check Point to steal cryptocurrency through a technique known as "crypto clipping." Because wallet addresses are so long, most systems copy them and allow you to just paste them in during transactions. Cybercriminals have used Twizt to replace the intended wallet address with the wallet address of the threat actor. 

Phorpiex, a long-lasting botnet known for extortion tactics and the use of old-school worms delivered via removable USB drives and instant messaging apps, began broadening its infrastructure in recent years in order to become more durable and deliver more hazardous payloads. The Phorphiex botnet is still active today, with a massive network of bots generating a wide range of malicious activities. These operations, which previously comprised extortion and spamming, have grown to encompass cryptocurrency mining. Researchers also saw a surge in data exfiltration and ransomware delivery in 2018, with the bot installer releasing Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony ransomware, among other malware. 

Check Point researchers reported intercepting 969 transactions, stating that Twizt "can operate without active command and control servers, enabling it to bypass security systems," implying that each computer infected can expand the botnet. 

Twizt operators have stolen 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens in the last year, totaling around $500,000. 26 ETG were stolen in one incident alone. Phorpiex bots hijacked over 3,000 transactions worth nearly 38 Bitcoin and 133 Ether between April 2016 and November 2021. The cybersecurity firm stated that this was merely a subset of the attacks that were taking place. 

According to Alexander Chailytko, cybersecurity research and innovation manager at Check Point Software, the new variant of Phorpiex poses two major concerns. "First, Tiwzt is able to operate without any communication with C&C; therefore, it is easier to evade security mechanisms, such as firewalls, in order to do damage. Second, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero," Chailytko said. 

"This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected. I strongly urge all cryptocurrency users to double-check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands," Chailytko added.

PHP Re-Infectors: The Malware that Never Goes Away

 

Threat actors typically infect sites for monetary gain, to improve their SEO rankings for malware or spam campaigns, and for a variety of other objectives. If the malware is readily and swiftly removed, the attack's objective is defeated. Researchers discovered a modified index.php in the majority of cases of this form of infection. According to the researchers, it makes little difference if your site is not using WordPress; attackers will normally replace the index.php with an infected copy of the WordPress index.php file. 

The index.php file is a PHP file that serves as the entrance for any website or application. It is a template file that contains a variety of codes that will be given as PHP code. Because the system will be used by anyone with a simple HTML website, it will also be modified before delivery. 

It has also been observed that hundreds, if not thousands, of infected.htaccess files are dispersed throughout the website directories. This is intended to block custom PHP files or tools from executing on the site or to enable dangerous files to run if some mitigation is already in place. In rare cases, the attackers will leave a copy of the original index.php file entitled old-index.php or 1index.php on the server. In most situations, the infected files will have 444 permissions, and attempting to remove or clean those files directly is futile because the malware will immediately make a new infected duplicate. 

In rare situations, malware will be found in the memory of php-fpm. If index.php is still being recreated, run top to see if php-fpm is present. According to the researchers, you can try to delete OPCache, albeit this normally does not solve the problem. 

OPcache boosts PHP performance by keeping pre-compiled script bytecode in shared memory, eliminating the need for PHP to load and parse scripts on every request. As a result, malware can remain in OPcache after being removed from the site files or database. 

Though attackers are constantly seeking new ways to infect websites, there are several typical procedures that customers may take to reduce the number of infections. Put your website behind a firewall and change all admin passwords on a regular basis. This includes the admin dashboard, CPanel/FTP, ssh, and email; always keep all plugins, themes, and CMS up to date; and delete any unnecessary plugins or themes.

Half of Sites Still Using Legacy Crypto Keys

 

While the internet is growing more secure gene but slightly more than half of the websites' cryptographic keys are still generated using legacy encryption algorithms, as per the new research.

Security firm Venafi enlisted the assistance of renowned researcher Scott Helme to examine the world's top one million websites over the last 18 months. The TLS Crawler Report demonstrated some progress in a few areas. 

Nearly three-quarters of websites (72 per cent) now actively redirect traffic to HTTPS, a 15 per cent increase since March 2020. Even better, more than half of the HTTPS sites evaluated are using TLSv1.3, the most recent version of TLS. It has now surpassed TLSv1.2 as the most widely used protocol version. 

Furthermore, nearly one in five of the top one million websites now use the more secure HSTS (HTTP Strict Transport Security), which increased 44 per cent since March 2020. Even better, in the last six years of monitoring, the number of top one million sites using EV certificates has dropped to its lowest level ever. These are known for their slow, manual approval processes, which cause end users too much discomfort. 

Let's Encrypt, on the other hand, is now the most popular Certificate Authority for TLS certificates, with 28 per cent of sites using it. There is, however, still more to be done. 

According to the report, approximately 51% of sites still produce authentication keys using legacy RSA encryption techniques. These, along with TLS, help to verify and secure connections between physical, virtual, and IoT devices, APIs, applications, and clusters. 

ECDSA, a public key cryptography encryption technique with increased computational complexity and smaller authorization keys, is a far more secure alternative to RSA. As per Venafi, this implies they require less bandwidth to establish an SSL/TLS connection, making them perfect for mobile apps and IoT and embedded device support. 

Helme explained, "I would have expected that the rise in adoption of TLSv1.3 usage would have driving the ECDSA numbers up much more. One of the main reasons to keep RSA around for authentication is legacy clients that don't support ECDSA yet, but that seems at odds with the huge rise in TLSv1.3 which isn't supported by legacy clients. We also continue to see the use of RSA 3072 and RSA 4096 in numbers that are concerning.” 

“If you're using larger RSA keys for security reasons then you should absolutely be on ECDSA already which is a stronger key algorithm and offers better performance. My gut feeling here is that there's a lot of legacy stuff out there or site operators just haven't realized the advantages of switching over to ECDSA.”

Due to a Vulnerability in the TLD Registrar's Website, Attackers May Have Modified the Nameservers

 

Due to a vulnerability in the TLD registrar's website, attackers may have changed the name-servers of any domain under Tonga's country code top-level domain (ccTLD), according to security researchers. With approximately 513 million results from a Google search for '.to' pages, the weakness provided potential miscreants with a plethora of potential targets for a variety of large-scale attacks. The Tonga Network Information Center (Tonic) was "extremely quick" in resolving the bug in under 24 hours after online security firm Palisade exposed the issue, following a pen test, on October 8, 2021, according to a Palisade blog post. 

Sam Curry and other Palisade researchers uncovered an SQL injection vulnerability on the registrant website, which could be used to gain plaintext DNS master passwords for.to domains. Once signed in, they may modify the DNS settings for these domains and redirect traffic to their own website. According to Curry, the attacker might then steal cookies and local browser storage and therefore access victim sessions, among other assaults. 

An attacker may send crafted accounts if they gained control of google.to, an official Google domain for redirects and OAuth authorization processes. OAuth is a popular authorization mechanism that allows websites and web applications to request limited access to another application's user account. Importantly, OAuth enables the user to authorize this access without revealing their login credentials to the requesting application. This implies that instead of handing over complete control of their account to a third party, users can fine-tune which data they want to disclose. 

The fundamental OAuth protocol is extensively used to integrate third-party functionality that requires access to certain data from a user's account. For example, an application may utilise OAuth to request access to your email contacts list in order to recommend individuals to connect with. The same approach, however, is also used to enable third-party authentication services, allowing users to log in with an account they have with another website. 

As with .io, .to domains are extensively used to generate short links that are used to reset user passwords, for affiliate marketing, and to drive users to company resources. Curry argued that link shortening services used by Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) may have been misused by altering the '.to' pages to which these giant brands' tweets connected for their millions of Twitter followers. 

Curry speculated that attackers "could likely steal a very big amount of money" from customers of tether.to, the official platform for purchasing Tether stable coin - even if they "only owned this domain for a short period of time." However, Eric Gullichsen, administrator of the.to ccTLD, stated that “various security and monitoring and throttling systems we already had in place would have defeated many of the exploits used during the pen test, had the security researchers’ IP addresses not been whitelisted to enable their testing.”

Laptops, Vehicles and Medical Gadgets Could all be Vulnerable to an Intel Chip Flaw

 

Intel Processors have a vulnerability that could compromise laptops, vehicles, and embedded systems, according to researchers. The vulnerability (CVE-2021-0146) allows unauthorized users with physical access to gain elevated privileges on the system by enabling testing or debugging modes on multiple Intel processor lines.

In terms of scope, the vulnerability affects the Pentium, Celeron, and Atom processors of the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms. Laptops, mobile devices, embedded systems, medical equipment, and a range of internet of things (IoT) offerings are all powered by these chips. 

“According to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla’s Model 3,” Positive Technologies noted in a writeup. 

Mark Ermolov, Dmitry Sklyarov (both from Positive Technologies), and Maxim Goryachy (an independent researcher) discovered the bug, which received a score of 7.1 out of 10 on the CVSS vulnerability-severity scale.

“One example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,” says Mark Ermolov. “Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain. For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect." 

This vulnerability is especially problematic since it makes it easier to recover the root encryption key used in Intel PTT (Platform Trust Technology) and Intel EPID (Enhanced Privacy ID) technologies in systems designed to prevent unlawful copying of digital information. For digital rights management, a number of Amazon e-book models, for example, use Intel EPID-based protection. An intruder might use this flaw to steal the root EPID key from a device (e-book), then use Intel EPID technology to download electronic contents in file form, copy, and distribute them, according to Ermolov.

Manufacturers should be more cautious in their approach for providing security for debug mechanisms in the future to minimize difficulties and probable bypassing of built-in protection, according to researchers.

To Target Security Firms, the Zinc Group Disguised as Samsung Recruiters

 

According to Google TAG researchers, a spear-phishing campaign targeting South Korean security organisations that market anti-malware solutions was carried out by a North Korean-linked APT group posing as Samsung recruiters. The state-sponsored hackers, according to the Google Threat Horizons report, issued false job offers to employees at security firms. In previous campaigns, the same gang, known as Zinc, attacked security experts, according to Google TAG researchers. 

“TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions.” reads the Google Threat Horizons report. 

According to Google, the emails included a PDF that purported to be a job description for a position at Samsung, but the PDFs were malformed and wouldn't open in a conventional PDF reader. If the targets complained that they couldn't open the job offer archive, the hackers promised to assist them by providing a link to a "Secure PDF Reader" app that they could download. 

Google, on the other hand, claims that this file was a modified version of PDFTron, a genuine PDF reader, that was altered to install a backdoor trojan on the victims' machines. 

The Zinc APT group, also known as Lazarus, increased its activities in 2014 and 2015, and its members generally utilised custom-tailored malware in their assaults. This threat actor has been active since at least 2009, and potentially as early as 2007, and has been involved in both cyber espionage and sabotage campaigns aiming at destroying data and disrupting systems. 

The threat actor's methods have baffled the security community, which believes the organisation tried to obtain unreleased vulnerabilities and exploits from some of their naive and negligent members, as tracked by Microsoft under the codename "Zinc." 

 The attacks were ascribed to the same team of North Korean hackers who previously attacked security researchers on Twitter and other social networks in late 2020 and into 2021, according to the Google Threat Analysis Group, the Google security team that discovered the malicious emails. 

 The attack against South Korean antivirus makers could be different since compromising their employees could give the group access to the tools they need to launch a targeted supply chain attack on South Korean enterprises that use their anti-malware software.

CronRAT is a Linux Malware that Hides in Cron Jobs with Invalid Dates

 

Researchers have discovered a novel Linux remote access trojan (RAT) that uses a never-before-seen stealth approach that includes scheduling malicious actions for execution on February 31st, a non-existent calendar day. CronRAT, according to Sansec Threat Research, "enables server-side Magecart data theft that avoids browser-based security solutions." The RAT was spotted on multiple online stores, including the country's largest outlet, according to the Dutch cybersecurity firm. 

CronRAT takes advantage of the Linux task scheduling system cron, which allows tasks to be scheduled on days that do not exist on the calendar, such as February 31st. Even if the day does not exist in the calendar, the Linux cron system accepts date requirements as long as they have a proper format, which implies the scheduled task will not run. CronRAT relies on this to maintain its anonymity. According to research released by Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. 

"The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3," the researchers explained. "These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st." 

The RAT also employs a variety of obfuscation techniques to make analysis more difficult, such as hiding code behind encoding and compression barriers and implementing a custom binary protocol with random checksums to get around firewalls and packet inspectors before establishing communications with a remote control server and waiting for further instructions. The attackers linked to CronRAT can run any code on the infected system with this backdoor access, according to the researchers. 

"Digital skimming is moving from the browser to the server and this is yet another example," Sansec's Director of Threat Research, Willem de Groot, said. "Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface." 

Sansec describes the new malware as “a serious threat to Linux eCommerce servers,” due to its capabilities such as fileless execution, timing modulation, anti-tampering checksums, controlled via binary, obfuscated protocol, launches tandem RAT in separate Linux subsystem, control server disguised as “Dropbear SSH” service and payload hidden in legitimate CRON scheduled task names.

A URL Parsing Bug Left an Internal Google Cloud Project Open to SSRF Attacks

 

According to security researcher David Schütz, a URL parsing flaw exposed an internal Google Cloud project to server-side request forgery (SSRF) attacks. The bug, which Schütz detailed in a video and blog post, might have allowed an attacker to gain access to sensitive resources and perhaps launch harmful code.

Server-side request forgery is a web security flaw that allows an attacker to force a server-side application to send HTTP requests to any domain the attacker chooses. The attacker may cause the server to connect to internal-only services within the organization's infrastructure in a conventional SSRF attack. They may also be able to force the server to connect to arbitrary external systems, exposing sensitive data such as authorization credentials. 

Unauthorized activities or access to data within the company can often arise from a successful SSRF attack, either in the vulnerable application itself or on other back-end systems with which the programme can interface. The SSRF vulnerability could allow an attacker to execute arbitrary commands in some circumstances. An SSRF vulnerability that establishes connections with external third-party systems could lead to malicious attacks that appear to come from the company that hosts the vulnerable application. 

While researching Discovery Documents, data structures that give specifications for Google API services, Schütz discovered the problem. While looking through the Discovery Documents, Schütz came upon an intriguing service named Jobs API, which had the appearance of being an internal service. The Jobs API led him to an application on the Google App Engine that acted as a proxy, allowing him to access the API through Google's public product marketing pages. The proxy acted as an intermediate between the user and the API, which meant it had an access token that could be used to launch SSRF attacks. 

Request URLs were run via a whitelist to restrict access to internal Google resources. Schütz, however, was able to fool the URL parser and bypass the whitelist, allowing him to send requests to any server he wanted. This allowed him to send requests from the proxy app to a Google Cloud VPS server. The request revealed the proxy app's access token, which he could then use to send requests to other Google Cloud projects.

“This issue feels like an industry-wide problem since different applications are parsing URLs based on different specifications,” Schütz said. “After disclosing the initial issue in the Google JS library, I have already seen this getting fixed in products from different companies as well. Even though, this issue still keeps popping up even at Google. This SSRF is a great example of it.”

Diebold Nixdorf ATM Bugs Allowed Attackers to Alter Firmware & Steal Cash

 

Security researchers at Positive Technologies have disclosed information on several vulnerabilities in Diebold Nixdorf ATMs that could have permitted an intruder to change the system's firmware and take cash. 

The vulnerabilities, known as CVE-2018-9099 and CVE-2018-9100, were discovered in the Wincor Cineo ATMs' CMD-V5 and RM3/CRS dispensers – one in each device – and were patched a few years ago. In 2016, Diebold acquired Wincor Nixdorf, and the two firms eventually merged. 

During research approved by the vendor, Positive Technologies found that, while the ATMs had a range of security mechanisms in place to combat blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually easy to get past them.

The researchers found out the command encryption between the ATM computer and the cash dispenser, bypassed it, swapped the ATM firmware with an older version, and abused the flaws to direct the device to distribute cash. 

While encryption is utilized to protect against blackbox attacks, the researchers observed that an attacker might steal the encryption keys and then spoof their own firmware to load on the compromised ATM. The researchers were able to determine the elements involved in the check process in the code responsible for confirming the firmware signature and in the firmware, particularly the public key and the signed data itself. 

Positive Technologies explained, “As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length.” 

An attacker requires to discover a means to transmit orders to the dispenser and define the amount of money in each cassette before withdrawing money from the ATM. Diebold Nixdorf, which published fixes for these vulnerabilities in 2019, suggests activating physical authentication when an operator conducts firmware installation to further prevent unauthorised access. The firm warned earlier this year that jackpotting assaults against RM3-based Cineo systems in Europe were on the surge.

To Stay Under the Radar, Magecart Credit Card Skimmer Avoids VMs

 

A new Magecart threat actor is utilizing a digital skimmer to steal people's payment card information from their browsers. It uses a unique kind of evasion to circumvent virtual machines (VM) so it only targets actual victims and not security researchers. Researchers from Malwarebytes found the new campaign, which adds an extra browser process that checks a user's PC for VMs using the WebGL JavaScript API, according to a blog post published Wednesday. 

It accomplishes this by determining whether the operating system's graphics card driver is a software renderer fallback from the hardware (GPU) renderer. The skimmer is searching for the words swiftshader, llvmpipe, and VirtualBox in the script. SwiftShader is used by Google Chrome, while llvmpipe is used by Firefox as a backup renderer. 

 “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post. 

Magecart is an umbrella term for various threat organizations that infect e-commerce websites with card-skimming scripts on checkout pages in order to steal money and personal information from customers. Because security researchers are so familiar with their activities, they are always seeking new and inventive ways to avoid being detected. 

The most frequent way for evading detection, according to Segura, is detecting VMs used by security researchers and sandboxing solutions that are intended to pick up Magecart activity. "It is more rare to see the detection of virtual machines via the browser for web-based attacks," he said. Threat actors typically filter targets based on geolocation and user-agent strings, according to Segura. 

Researchers discovered that if the machine passes the check, the process of personal data exfiltration can proceed regularly. The customer's name, address, email, phone number, and credit card information are all scraped by the skimmer. “It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura. 

To help consumers avoid being targeted and compromised by the campaign, Malwarebytes has released the skimmer code as well as a thorough list of indicators of compromise in its post.

Exmatter: A New Data Exfiltration Tool Used in Attacks

 

Security researchers have identified a new data exfiltration tool aimed to help ransomware groups using the BlackMatter variant steals information faster. The custom tool is the third of its sort discovered, according to the Symantec Threat Hunter team, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit. It's called "Exmatter," and it's meant to steal specific file types from specific directories before uploading them to a site controlled by BlackMatter attackers. 

This method of narrowing down data sources to only those considered most profitable or business-critical is intended to speed up the entire exfiltration process, presumably, so threat actors may finish their attack stages before being interrupted.

Exmatter is obfuscated and compiled as a.NET executable. When run, it looks for the strings "nownd" and "-nownd" in the command line arguments. If either is detected, it uses the "ShowWindow" API like ShowWindow(Process.GetCurrentProcess().MainWindowHandle, 0) to try to conceal its own window. It also excludes files with attributes like FileAttributes.System, FileAttributes.Temporary, and FileAttributes.Directory, as well as files with fewer than 1,024 bytes in size. 

Multiple versions of Exmatter have been discovered, implying that the attackers have continued to improve the tool in order to exfiltrate a large number of high-value data in as little time as possible. 

The directory "C:Program FilesWindows Defender Advanced Threat ProtectionClassificationConfiguration" on the exclusion list has been replaced with "C:Program FilesWindows Defender Advanced Threat Protection" in a second variant. The file types ".xlsm" and ".zip" have been added to the list of acceptable files. A WebDav client was added to a third version of the note. According to the code structure, SFTP is still the preferred protocol, with WebDav serving as a backup. 

BlackMatter is tied to the Coreid cybercriminal organization, which was previously responsible for the Darkside malware. It has been one of the most active targeted ransomware operators in recent months, and its tools have been utilized in a number of high-profile attacks, including the May 2021 Darkside attack on Colonial Pipeline, which disrupted petroleum supply to the US East Coast. Coreid uses a RaaS approach, collaborating with affiliates to carry out ransomware operations and then takes a cut of the profits.

“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand,” Symantec concluded. “Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group.”