Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Threat actors. Show all posts

Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT

 


The operators behind the DarkGate malware have been taking advantage of a recently patched flaw in Windows SmartScreen through a phishing scheme. This campaign involves circulating counterfeit Microsoft software installers to spread the malicious code.

Researchers from Trend Micro, along with others, uncovered a vulnerability earlier this year, known as CVE-2024-21412, which allowed attackers to bypass security measures in Internet Shortcut Files. Microsoft addressed this issue in its February Patch Tuesday updates, but not before threat actors like Water Hydra and DarkGate seized the opportunity to exploit it. Trend Micro's Zero Day Initiative (ZDI) reported that DarkGate also utilized this flaw in a mid-January attack, enticing users with PDFs containing Google DoubleClick Digital Marketing (DDM) redirects, ultimately leading to compromised websites hosting the malware-laden installers.

According to Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun, the attackers manipulated Google-related domains using open redirects in conjunction with CVE-2024-21412 to circumvent Microsoft Defender SmartScreen protections, facilitating malware infections. They emphasized the effectiveness of combining fake software installers with open redirects in propagating infections.

DarkGate, described as a remote-access Trojan (RAT), has been advertised on Russian-language cybercrime forums since at least 2018 and is considered one of the most sophisticated and active malware strains. It offers various functionalities, including process injection, information theft, shell command execution, and keylogging, while employing multiple evasion techniques.

The DarkGate campaign observed by Trend Micro leverages Google Open Redirects, exploiting a previously patched SmartScreen vulnerability, CVE-2023-36025, affecting all supported Windows versions. By utilizing open redirects in Google DDM technologies, threat actors can execute malicious code when combined with security bypasses.

To defend against DarkGate's exploitation of CVE-2024-21412, Windows system administrators are advised to apply Microsoft's patch promptly. Additionally, organizations should prioritize employee training to raise awareness about the risks of installing software from untrusted sources. Continuous monitoring of the cyber environment, including identifying vulnerabilities and potential attack vectors, is crucial for effective cybersecurity defense.

In conclusion, proactive measures are necessary for both businesses and individuals to safeguard their systems against evolving threats like DarkGate and similar malware campaigns.

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected

 

Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Despite the lack of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.

Records of Crucial Cases May Have Been Compromised by a Cyberattack on Victoria's Court System


Ransomware used to assault Victoria's court system

An independent expert believes that ransomware was used to assault Victoria's court system and that the attack was coordinated by Russian hackers.

According to a representative for Court Services Victoria (CSV), hackers gained access to a portion of the audio-visual archive of the court system. This would imply that hearing records including witness testimony from extremely private situations might have been obtained or pilfered.

To alert those whose court appearances were compromised by hackers, CSV is currently setting up a contact center for those who think they might have been impacted.

Though some hearings from before November may have also been impacted, the recordings came from hearings held between November 1 and December 21. 

Before Christmas break, on December 21, staff members' laptops were locked and warnings stating "YOU HAVE BEEN PWND" were displayed on displays. This was the first indication that the attack had taken place.

Court employees received a message that linked them to a text file with threats from hackers on the publication of files taken from the court system. The message also included instructions on how to retrieve the files from the address on the dark web.

Records from the County Court spanning nearly two months were retrieved.

County Court cases have been most badly impacted, according to a Tuesday morning report from CSV.

All criminal and civil proceedings that were uploaded to the network between November 1 and December 21 might have been viewed, including at least two instances of past and present child sex abuse.

Recordings from the Criminal Division, the Practice Court, the Court of Appeal, and two regional proceedings in November may have been accessed, severely impacting the Supreme Court as well.

One October hearing from the Children's Court might have persisted on the network, but none of the sessions from November or December have been compromised.

Expert: The attack was most likely the product of Russian hackers

Having reviewed the evidence of the attack, independent cyber security expert Robert Potter concluded that the court system was most likely the target of a Russian phishing attack that used Qilin, a commercial ransomware.


New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.

Mr. Cooper Data Breach: 14 Million Customers Exposed

A major data breach at mortgage giant Mr. Cooper compromised the personal data of an astounding 14 million consumers, according to a surprising disclosure. Sensitive data susceptibility in the digital age is a worry raised by the occurrence, which has shocked the cybersecurity world.

Strong cybersecurity procedures in financial institutions are vital, as demonstrated by the breach, confirmed on December 18, 2023, and have significant consequences for the impacted persons. The hackers gained access to Mr. Cooper's networks and took off with a wealth of private information, including social security numbers, names, addresses, and other private information.

TechCrunch reported on the incident, emphasizing the scale of the breach and the potential consequences for those impacted. The breach underscores the persistent and evolving threats faced by organizations that handle vast amounts of personal information. As consumers, it serves as a stark reminder of the importance of vigilance in protecting our digital identities.

Mr. Cooper has taken swift action in response to the breach, acknowledging the severity of the situation. The company is actively working to contain the fallout and assist affected customers in securing their information. In a statement to Help Net Security, Mr. Cooper reassured customers that it is implementing additional security measures to prevent future breaches.

The potential motives behind the attack, emphasize the lucrative nature of stolen personal data on the dark web. The breached information can be exploited for identity theft, financial fraud, and other malicious activities. This incident underscores the need for organizations to prioritize cybersecurity and invest in advanced threat detection and prevention mechanisms.

"The Mr. Cooper data breach is a sobering reminder of the evolving threat landscape," cybersecurity experts have stated. To safeguard their consumers' confidence and privacy, businesses need to invest heavily in cybersecurity solutions and maintain a watchful eye."

In light of the growing digital landscape, the Mr. Cooper data breach should be seen as a wake-up call for companies and individuals to prioritize cybersecurity and collaborate to create a more secure online environment.

SMBs Witness Surge in ‘Malware Free’ Attacks


According to the first-ever SMB Threat Report from Huntress, a company that offers security platforms and services to SMBs and managed service providers (MSPs), the most common threats that small and medium businesses (SMBs) faced in Q3 2023 were "malware free" attacks, attackers' growing reliance on legitimate tools and scripting frameworks, and BEC scams.

“Malware Free” Attacks on the Rise

In 44% of cyberattack incidents, attackers tend to deploy malware. However, in the remaining 56% of events, scripting frameworks (like PowerShell) and remote monitoring and management (RMM) software were used along with "living off the land" binaries (LOLBins).

The increased use of RMM software has turned out to be a concerning trend that is challenging to reverse.

“At the SMB level, LOLBin use is especially concerning given the state of monitoring and review for many organizations. Many critical entities—from local school districts to medical offices—may find themselves at best leveraged for cryptomining or botnet purposes, and at worst, the victims of disruptive ransomware,” the researchers noted.

The researchers notes that in over 65% of security incidents, threat actors utilize RMM software as their methods for persistence or remote access mechanisms following the initial access to the victim user's system.

Since RMM tools are largely used as legitimate software, in case they are used for any intrusion purpose, they can readily evade anti-malware security and blend in with the environment when employed for infiltration purposes. Additionally, few small businesses audit the use of RMM tools.

“In some cases, Huntress has observed adversaries diversifying among several RMM tools, such as using a combination of commercial and open-source items, to ensure redundant access to victim environments,” the researchers noted. “Therefore, monitoring RMM tool use and deployment within defended or managed environments is an increasingly important security hygiene measure to ensure owners and operators can identify potential malicious installations.”

Additional Findings

Affiliates of ransomware and operators of business email compromise (BEC) persist in their targeting of end users through the use of phishing.

Notably, malicious forwarding or other inbox rules were engaged in 64% of identity-focused assaults that SMBs faced in Q3 2023, while logins from strange or suspect places were linked to 24% of these attacks.

“While the ultimate goal of such activity remains, in most cases, BEC, defensive visibility and adversary kill-chain dependencies mean these actions are largely caught at the account takeover (ATO) phase of operations,” the experts concluded.

In 2023, Qakbot-related cybersecurity incidents have declined, with this downward trend anticipated to continue.

The findings further note that 60% of ransomware incidents were caused by uncategorized, unknown or "defunct" ransomware strains. This demonstrates a variation in the kind of ransomware frequently observed in corporate settings, where "known-variant ransomware deployments" are the primary target.

“Whether for monetization purposes through ransomware or BEC, or potentially even state-directed espionage activity, SMBs remain at risk from a variety of entities,” the researchers added. 

The researchers further raised concerns towards the adversaries that are exploiting the gaps in  users’ visibility and awareness over evading security controls. While spam filtering and a solid anti-malware program used to be enough for a small business to "get by," the current threat landscape makes these straightforward efforts inadequate.


Report: September Sees Record Ransomware Attacks Surge

 

In September, a notable surge in ransomware attacks was recorded, as revealed by NCC Group's September Threat Pulse. Leak sites disclosed details of 514 victims, marking a significant 153% increase compared to the same period last year. This figure surpassed the previous high set in July 2023 at 502 attacks.

Among the fresh wave of threat actors, LostTrust emerged as the second most active group, accounting for 10% of all attacks with a total of 53. Another newcomer, RansomedVC, secured the fourth spot with 44 attacks, making up 9% of the total. LostTrust, believed to have formed in March of the same year, mirrors established threat actors' tactics of employing double extortion.

Notably, well-established threat actors remained active in September. Lockbit maintained its lead from August, while Clop's activity diminished, responsible for only three ransomware attacks in September.

In line with previous trends, North America remained the primary target for ransomware attacks, experiencing 258 incidents in September.

Europe followed as the second most targeted region with 155 attacks, trailed by Asia with 47. Nevertheless, there was a 3% rise in attacks on North America and a 2% increase on Europe, while Asia saw a 6% decrease from the previous month. This indicates a shifting focus of threat actors towards Western regions.

Industrials continued to bear the brunt of attacks, comprising 40% (19) of the total, followed by Consumer Cyclicals at 21% (10), and Healthcare at 15% (7). The sustained focus on Industrials is unsurprising, given the allure of Personally Identifiable Information (PII) and Intellectual Property (IP) for threat actors. 

The Healthcare sector witnessed a notable surge, experiencing 18 attacks, marking an 86% increase from August. This trend aligns with patterns observed earlier in the year, suggesting that August's dip was an anomaly. The pharmaceutical industry's susceptibility to ransomware attacks continues due to the potential financial impact.

The surge in ransomware attacks can be attributed in part to the emergence of new threat actors, notably RansomedVC. Operating similarly to established organizations like 8Base, RansomedVC also functions as a penetration testing entity. 

However, their approach to extortion incorporates compliance with Europe's General Data Protection Regulation (GDPR), pledging to report any vulnerabilities discovered in the target's network. This unique approach intensifies pressure on victims to meet ransom demands, as GDPR allows for fines of up to 4% of a victim's annual global turnover.

RansomedVC garnered attention by claiming responsibility for the attack on Sony, a major Japanese electronics company, on September 24th. In this incident, RansomedVC compromised the company's systems and offered to sell stolen data. This successful targeting of a global giant like Sony highlights the significant impact RansomedVC is exerting, indicating its continued activity in the months ahead.

Matt Hull, Global Head of Threat Intelligence at NCC Group, commented on the situation, noting that the surge in attacks in September was somewhat anticipated for this time of year. However, what sets this apart is the sheer volume of these attacks and the emergence of new threat actors playing a major role in this surge. Groups like LostTrust, Cactus, and RansomedVC stand out for their adaptive techniques, putting extra pressure on victims. 

The adoption of the double extortion model and the embrace of Ransomware as a Service (Raas) by these new threat actors signify an evolving landscape in global ransomware attacks. Hull predicts that other groups may explore similar methods in the coming months to increase pressure on victims.

Cyber Militarization: Navigating the Digital Battlefield

Technology and the internet are now ubiquitous, creating vulnerabilities and enabling the militarization of cyberspace. This trend poses a number of threats to global security, including accidental or deliberate conflict between states, empowerment of non-state actors, and new arms races. The international community must cooperate to address this issue, developing norms and rules, building trust, and investing in cybersecurity.

Cyberspace once considered a relatively neutral domain for communication and information sharing, is now increasingly becoming a battlefield where nation-states vie for power and influence. The articles linked in this discussion shed light on the complex issue of militarization in cyberspace.

Kaspersky, a leading cybersecurity company, delves into the subject in their blog post, "How to Deal with Militarizing Cyberspace." They emphasize the growing concerns about the use of cyberspace for military purposes, such as cyberattacks and espionage. This article emphasizes the need for international cooperation and cybersecurity measures to address the challenges posed by this evolving landscape.

In the blog post from EasyTech4All, titled "The Inevitability of Militarization of CyberAI," the focus is on the convergence of artificial intelligence and cyber warfare. It highlights the significant role AI plays in enhancing military capabilities in cyberspace. This shift underlines the need for discussions and regulations to govern the use of AI in military operations.

Additionally, the document from the Cooperative Cyber Defence Centre of Excellence (CCDCOE) titled "The Militarization Of Cyberspace" offers an in-depth examination of the historical context and evolution of militarization in cyberspace. It explores the various facets of this phenomenon, from the development of offensive cyber capabilities to the establishment of cyber commands in military structures.

The militarization of cyberspace raises critical questions about the use of cyber tools for aggressive purposes, the potential for escalation, and the importance of international agreements to prevent cyber warfare. The interconnectedness of the global economy and critical infrastructure further amplifies the risks associated with cyber warfare.

To address these challenges, a multi-faceted approach is essential. This includes the development of international norms and regulations governing cyber warfare, cooperation between nations, investment in cybersecurity, and continuous monitoring of cyber threats.

Cyberspace militarization is a complex and evolving issue that requires our attention. By exploring the articles and materials provided, we gain a glimpse into the many facets of this challenge, from its historical roots to the use of AI in warfare. As technology advances, it becomes increasingly important to use cyberspace in an ethical and responsible manner. It is up to us all to ensure that the digital realm remains a force for good and progress, rather than a catalyst for instability and conflict.

Pro-Palestinian Hacktivists Reportedly Employ Crucio Ransomware

 

In a recent development, a newly emerged pro-Palestine hacking collective identifying itself as the 'Soldiers of Solomon' has claimed responsibility for infiltrating more than 50 servers, security cameras, and smart city management systems located within the Nevatim Military area.

According to the group's statement, they employed a ransomware strain dubbed 'Crucio,' hinting at a possible utilization of Ransomware-as-a-Service. Additionally, they assert to have gained access to an extensive cache of data amounting to a staggering 25 terabytes.

In an unconventional public relations move, the Soldiers of Solomon disseminated this information via email to multiple threat intelligence firms, including Falconfeeds, alongside other influential entities actively engaged on Twitter.

To substantiate their claims, the group supplied visual evidence obtained from the breached CCTV systems, as well as images showcasing altered desktop wallpapers bearing their statement, as per Falconfeeds.

The year 2023 has witnessed a resurgence of hostilities between Israel and Palestine, culminating in a full-scale armed conflict. The longstanding discord between the two nations, which traces back to the early 20th century, has witnessed significant escalations since 2008. 

Reports indicate that while the 2014 conflict was marked by unprecedented devastation, the 2023 altercation raises concerns about an even higher casualty count.

The conflict zone in Gaza has become a focal point for retaliatory strikes from both hacktivist groups and Threat Actors (TAs), a trend anticipated given similar patterns observed since 2012. 

Cyberattacks have increasingly become complementary strategies within the context of contemporary warfare, a phenomenon noted even prior to the onset of the Russia-Ukraine conflict in early 2022.

Additionally, Cyble Research & Intelligence Labs (CRIL) has been meticulously curating intelligence amidst the fog of cyber-attacks, monitoring the activities of hacktivists and various threat actors to discern noteworthy developments in the cyber theatre. They have observed a diverse array of malicious techniques being employed by hacktivists and threat actors to exploit vulnerabilities in critical infrastructures and disrupt their operations.

SaphhireStealer: New Malware in Town, Possess More Capabilities


A new malware called ‘SapphireStealer’ has been observed by Cisco Talos researchers. The malware came to light in December 2022 in Cisco’s public release, where they witnessed it frequently in public malware repositories, stealing browser credential databases and files containing sensitive user information. 

Researchers observed a rise in sales (and offers for rent) of the new stealer on different underground forums and illicit marketplaces. 

Cisco Talos threat researcher Edmund Brumaghin is certain with his observation that SapphireStealer possesses numerous entities that are modifying its code base, in order to accommodate additional data exfiltration processes, leading to the formation of many variations.

According to Brumaghin, the freshly compiled versions of the malware began "being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023."

Researchers say that several malware versions are already in use by multiple threat actors, amplifying their efficiency and effectiveness in their operations over time. 

Capabilities of SapphireStealer

Apparently, the malware is designed to steal sensitive information from targeted systems. This information may include host information, screenshots, cached browser credentials and files stored on the system that match a predefined list of file extensions. Also, it is capable of determining the presence of credential databases for browser applications including Chrome, Yandex, Edge and Opera.

On execution, the malware creates a working directory and launches a file grabber that searches the victim's Desktop folder for files with the following file extensions: .txt, .pdf, .doc,.docx, .xml, .img, .jpg, and.png.

Subsequently, the malware compiles all of the logs into a compressed package called log.zip, which it then sends to the attacker over Simple Mail Transfer Protocol "using credentials defined in the portion of code responsible for crafting and sending the message." 

After the logs are successfully exfiltrated, the malware deletes the working directory it had previously created and stops running.

Moreover, the malware operators are said to have released a malware downloader – FUD-Loader – which uses HTTP/HTTPS communications to retrieve more executables from infrastructure under the control of the attacker. It then saves the retrieved content to disk and executes it to continue the infection process.

"In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor," the researchers said.

"One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time," the researchers added.

The researchers further explained how stealers make it possible for attackers with less operational skill to launch an attack, which may be quite harmful to corporate environments because the data obtained is frequently used for more attacks that are followed.  

North Korea-Backed Hackers Breach US Tech Company to Target Crypto Firms


A North Korean state-sponsored hacking group has recently breached a US IT management company, in a bid to further target several cryptocurrency companies, cybersecurity experts confirmed on Thursday. 

The software company – JumpCloud – based in Louisville, Colorado reported its first hack late in June, where the threat actors used their company’s systems to target “fewer than 5” of their clients. 

While the IT company did not reveal the identity of its affected customers, cybersecurity firms CrowdStrike Holding and Alphabet-owned Mandiant – managing JumpCloud and its client respectively – claims that the perpetrators are known for executing heists targeting cryptocurrency. 

Moreover, two individuals that were directly connected to the issue further confirmed the claim that the JumpCloud clients affected by the cyberattack were in fact cryptocurrency companies. 

According to experts, these North Korea-backed threat actors, who once targeted firms piecemeal are now making efforts in strengthening their approach, using tactics like a “supply chain attack,” targeting companies that could provide them wider access to a number of victims at once.

However, Pyongyang’s mission to the UN did not respond to the issue. North Korea has previously denied claims of it being involved in cryptocurrency heists, despite surplus evidence claiming otherwise.

CrowdStrike has identified the threat actors as “Labyrinth Collima,” one of the popular North Korea-based operators. The group, according to Mandiant, works for North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.

However, the U.S. cybersecurity agency CISA and the FBI did not confirm the claim. 

Labyrinth Chollima is one of North Korea’s most active hackers, claiming responsibility for some of the most notorious and disruptive cyber threats in the country. A staggering amount of funds has been compromised as a result of its cryptocurrency theft: An estimated $1.7 billion in digital currency was stolen by North Korean-affiliated entities, according to data from blockchain analytics company Chainalysis last year.

JumpCloud hack first came to light earlier this month when an email from the firm reached its customers, mentioning how their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

Adam Meyers, CrowdStrike’s Senior Vice President for Intelligence further warns against Pyongyang’s hacking squads, saying they should not be underestimated. "I don't think this is the last we'll see of North Korean supply chain attacks this year," he says.  

Google: Gmail Users Warned of a Security Flaw in its New Feature


Google has recently issued a warning to its 1.8 billion Gmail users following a security flaw that was discovered in one of its latest security functions.

The feature, Gmail checkmark system was introduced to assist users distinguish between certified businesses and organizations and legitimate emails from potential scammers. This is made possible through a blue checkmark, included in the function.

However, threat actors were able to take advantage of this feature, raising questions about the general security of Gmail.

Chris Plummer, a cybersecurity expert, found that cybercriminals could deceive Gmail into thinking their bogus businesses were real. This way, they shattered the trust Gmail users were supposed to have in the checkmark system.

"The sender found a way to dupe @gmail's authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account to a UK netblock, to O365, to me. Nothing about this is legit," says Plummer.

Prior to these findings, Google dismissed the claims, calling this to be “intended behavior.” But after the issue gained a significant response following Plummer’s tweet related to the flaw, Google finally acknowledged the error.

Later, Google admitted its mistake and conducted a proper investigation into the matter. The flaw’s security was acknowledged, with Google labeling it as a ‘P1’ fix, which indicates it to be in the topmost priority status.

"After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on […] We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We'll keep you posted with our assessment and the direction that this issue takes," Google said in a statement.

Google’s warning serves as a caution to online users that security features too are vulnerable to flaws, regardless of how much advancement they may attain. Thus it is important to have a vigilant outlook on the ‘safety’ features. Users must also be careful when involving themselves with email communication.  

Ghost Sites: Attackers are now Exposing Data From Deactivated Salesforce Sites


Varonis Threat Lab researchers recently discovered that Salesforce ‘ghost sites,’ that are no longer in use, if improperly deactivated and unmaintained may remain accessible and vulnerable of being illicitly used by threat actors. They noted how by compromising the host header, a hacker may gain access to sensitive PII and business data.

With the help of Salesforce Sites, businesses can build specialized communities where partners and clients could work collaboratively.

But when these communities are no longer required, they are frequently preserved rather than shut down. These sites aren't examined for vulnerabilities since they aren't maintained, and the administrators don't update the security measures in accordance with contemporary guidelines.

Apparently, Varonis Threat Labs on its recent findings discovered that since these ghost sites were not properly deactivated, they were easily accessible to attackers who were using them to put illicit data, exploiting the sites.

They added that the exposed data did not only consist of the old data of the sites, but also fresh records that were disclosed to guest user, who shared configuration in the Salesforce environment.

Salesforce Ghost Sites

According to Varonis Threat Labs, Salesforce ghost sites are created when a company, instead of using unappealing internet URLs uses a custom domain name. This is done so that the organization’s partners could browse the sites. . “This is accomplished by configuring the DNS record so that ‘partners.acme.org’ [for example] points to the lovely, curated Salesforce Community Site at “partners.acme.org. 00d400.live.siteforce.com[…]With the DNS record changed, partners visiting “partners.acme.org” will be able to browse Acme’s Salesforce site. The trouble begins when Acme decides to choose a new Community Site vendor,” the researchers said.

Companies might switch out a Salesforce Experience Site for an alternative, just like they would with any other technology. Varonis Threat Labs stated, "Acme subsequently updates the DNS record of 'partners.acme.org' to link toward a new site that might function in their AWS environment." The Salesforce Site is no longer present from the users' perspective, and a new Community page is now accessible. The new page may not be functioning in the environment or connected to Salesforce in any way, and no blatant integrations are visible.

However, the study found that a lot of businesses only modify DNS entries. “They do not remove the custom domain in Salesforce, nor do they deactivate the site. Instead, the site continues to exist, pulling data and becoming a ghost site,” a researcher said.

Attackers exploit these sites simply by changing the host header. They mislead Salesforce into believing that the site was accessed as https://partners.acme.org/ making the sites accessible to the attackers.

Although these sites can also be accessed through their whole internal URLs, an intruder would find it difficult to recognize these URLs. However, locating ghost sites is significantly simpler when utilizing tools that index and archive DNS information, like SecurityTrails and comparable technologies.

What is the Solution

Varonis Threat Labs advised that the sites that are no longer in use should be properly deactivated. They also recommended to track all Salesforce sites and their respective users’ permissions, involving both community and guest users. Moreover, the researchers created a guide on ‘protecting your active Salesforce Communities against recon and data theft.’ 

Rheinmetall Hit by BlackBasta Ransomware: Disruption to Arms Production

Arms manufacturer Rheinmetall has recently confirmed that it fell victim to a ransomware attack orchestrated by the BlackBasta ransomware group. The cyberattack has caused significant disruption to the company's operations, including its arms production capabilities.

Rheinmetall, a prominent German defense contractor, specializes in manufacturing a wide range of military and security equipment. The attack on such a high-profile player in the defense industry underscores the growing threat of ransomware attacks targeting critical infrastructure and sensitive sectors.

The BlackBasta ransomware group, known for its aggressive tactics and targeting of large organizations, has been identified as the perpetrator of the attack. The group employs sophisticated techniques to infiltrate and encrypt the victim's systems, demanding a ransom payment in exchange for the decryption keys.

Rheinmetall has not disclosed the specific ransom amount demanded by the attackers or whether it has chosen to engage in negotiations. However, the incident highlights the potentially devastating impact that ransomware attacks can have on crucial industries, potentially leading to operational disruptions and financial losses.

The immediate consequences of the attack have been felt within Rheinmetall's production facilities, causing delays and interruptions to ongoing arms manufacturing processes. The company has initiated an extensive investigation to assess the extent of the breach and mitigate any potential long-term damage to its operations and reputation.

In response to the attack, Rheinmetall has taken immediate measures to contain the breach and secure its systems. It has engaged external cybersecurity experts to assist in the recovery process and strengthen its defenses against future threats. Additionally, the company has implemented stringent security protocols and is enhancing employee training on cybersecurity best practices.

The incident involving Rheinmetall serves as a stark reminder to organizations across all sectors of the critical importance of maintaining robust cybersecurity measures. Ransomware attacks continue to evolve in sophistication and scale, targeting both public and private entities. The consequences of a successful attack can be severe, ranging from financial losses to reputational damage and even threats to national security.

Organizations must adopt a proactive approach to cybersecurity, including regular system updates, robust backup procedures, and comprehensive incident response plans. By prioritizing cybersecurity measures, organizations can minimize the risk of falling victim to ransomware attacks and other cyber threats.

Critical WordPress Plugin Vulnerability Enables Hackers To Exploit Over 1M Sites


Threat actors are apparently exploiting two security flaws in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins, in an effort to remotely execute arbitrary code and completely compromise unpatched targets.

As reported by the Threat Intelligence team at Wordfence, reports of threat actors attempting to exploit the two issues in ongoing attacks had appeared as of May 6.

Elementor Pro 

Elementor Pro is a paid plugin with an estimated number of over 1 million active installs, enabling users to quickly and easily develop WordPress websites from scratch, with the aid of a built-in theme builder, a visual form widget designer, and custom CSS support.

The Elementor Pro vulnerability is an RCE (Remote Code Execution) bug rated as Critical. It enables attackers with registered user access to upload arbitrary files to the affected websites and remotely execute code.

In order to preserve access to the compromised sites, attackers who successfully exploit this security issue can either install backdoors or webshells, obtain full admin access to completely compromise the site, or even entirely eliminate the site.

In case they are unable to register as users, they can exploit the second vulnerability in the over 110,000-site-installed Ultimate Addons for Elementor WordPress plugin, which will let them sign up as subscriber-level users on any site using the plugin even if user registration is disabled.

"Then they proceed to use the newly registered accounts to exploit the Elementor Pro [..] vulnerability and achieve remote code execution," as Wordfence discovered.

Mitigation Measures 

In order to protect oneself from the ongoing attacks, it is advised to update your Elementor Pro to version 2.9.4, that patches the remote code execution vulnerability.

Users of the Ultimate Addons for Elementor will have to upgrade to version 1.24.2 or later. To be sure that your website has not already been compromised, Wordfence advises taking the following actions:

  • Check for any unknown subscriber-level users on your site. 
This may indicate that your site has been compromised as a part of this active campaign. If so, remove those accounts. 
  • Check for files named “wp-xmlrpc.php.” 
These may indicate any compromise. So, it is advised to check your site for evidence of this file. 
  • Delete any unknown files or folders found in /wp-content/uploads/elementor/custom-icons/ directory.
The presence of files here following the creation of a rogue subscriber-level account is an obvious indication of compromise.  

Million-Dollar Ransom Demanded by Ransomware Gang 

 


On the threat landscape in recent years, alarming numbers of ransomware groups sprung up. This is just as mushrooms grow from the ground after a shower. 

In recent months, an emerging ransomware group called 'Money Message' has appeared. This group targets victims worldwide and demands ransoms of up to a million dollars to safeguard confidential data. In addition to the Chinese airline with annual revenue of approximately $1 billion, there have been at least two other victims of the group's activities. A screenshot of the accessed file system is provided as proof that the group claims to have stolen data from the company. After that, five more successful ransomware attacks have been reported, the latest being on April 4. 

Money Message has currently listed two victims on its leak site - an Asian airline with over $1 billion in assets and an unnamed vendor of computer hardware that deals in personal computers. Ransomware encryptors are also written in C++ and contain a JSON configuration file embedded into the code. This file is used to determine the encryption process on the victim's device. 

In this configuration file, you can specify which folders will be blocked from encryption by this setting. As part of this document, you will also find information regarding what extensions should be added, what services and processes should be terminated, whether logging is enabled, as well as likely domain login names and passwords that would be used to encrypt other devices. The victim can contact the threat actors via a link provided. 

The victim will be able to reach a Tor negotiation site. Although Money Message uses an encryptor that is not as advanced as ChaCha20/ECDH encryption, its operation still encrypts devices and steals data even if the encryption method used is not very sophisticated. There is no append extension when encrypting files, however, you can change this according to the type of victim you are encrypting. As per Rivitna, a security researcher who has worked on encrypted files for more than a decade, the encryptor uses ChaCha20 and ECDH encryptions. 

In the latest posting from Money Message, the company has also been playing up the dramatics. This gang has put up a reveal counter on their website, which reportedly counts down to the moment that they reveal the target and that the data they have will be published. 

The ransomware then creates a ransom note titled ‘money_message.log’ that contains a link that is used as a means of negotiating with threat actors after encrypting the device. We will explore this further on. 

In addition, if the ransom is not paid, any stolen information will be published on the company's data leak site. This will enable you to receive a ransom refund. 

Upon publishing a document containing the information of travelers, Money Message published a report after three days. 

Additionally, an insurance company in the United States, as well as a distributor of iron and glass products were affected. Money Message extorted a lot of money from its users over the years, and when that ransom was not paid, the exfiltrated data was published in the public domain. 

As Money Message appears not to be a sophisticated malware threat, it is still a serious threat to businesses, as it targets them, steals data from them, and extorts them for money. 

As a result, a growing number of ransomware groups are frequently emerging highlighting the fact that there are more and more threats against organizations each day. Take measures to ensure that your privacy is protected by implementing proper security measures.   

Video Calling Apps Target Children

 

Eden Kamar, a Ph.D. student in cybersecurity at the Hebrew University of Jerusalem, and Dr. C. Jordan Howell, a cybercrime specialist at the University of South Florida, collaborated to highlight the various methods that pedophiles prey on young children in the US. 

Howell explained that the team intended to understand how sexual predators first approach kids in chatrooms to start a dialogue before using devious means to gain their trust and record child porn. Around October 2021 and May 2022, the study was conducted.

The research started by developing a number of automated chatbots which never initiated a conversation and were set to only respond to users that identified as being at least 18 years old.

In 30 randomly chosen chatrooms for teenagers, the chatbots had roughly 1,000 conversations with potential pedophiles. Then, 38 percent of online predators emailed unwanted links, according to Howell. In text chats seen on public platforms, the bots asked predators for their "a/s/l"—age, sex, location—after which, once the bot identified herself as a 13 or 14-year-old female, the predators returned with a video link.

A surprising 41% of links went to Whereby, a competitor of Zoom that offers video and audio conferencing. According to the company's website, it was founded in Norway ten years ago and has worked with organizations like Spotify and Netflix.

Howell added that after exploring the company's website, the researchers discovered that Whereby permits users to manage other participants' webcams without their knowledge.

19% of the links contained malicious malware, and another 5% sent users to well-known phishing websites. Phishing sites are intended to obtain personal information, including home addresses, while malware sites can be used to remotely access a child's computer. Phishing attempts can also offer a predator access to a child's computer password, which can be used to log in and manage a camera from a distance.

Clipper Virus: 451 PyPI Packages Deploy Chrome Extensions to Steal Crypto


Threat actors have recently released more than 451 distinct Python packages on the official Python Package Index (PyPI) repository in an effort to infect developer systems with the clipper virus. 

The libraries were discovered by software supply chain security firm Phylum, which said the ongoing activity is a continuation of a campaign that was first made public in November 2022. 

How Did Threat Actors Use Typosquatting? 

In an initial finding, it was discovered that popular packages including beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow were being mimicked via typosquatting. 

For each of the aforementioned, the threat actors deploy between 13 and 38 typosquatting variations in an effort to account for a wide variety of potential mistypes that could lead to the download of the malicious package. 

In order to evade detection, the malicious actors deployed a new obfuscation tactic that was not being utilized in the November 2022 wave. Instead, they are now using a random 16-bit combination of Chinese ideographs for function and variable identifiers. 

Researchers at Phylum emphasized that the code makes use of the built-in Python functions and a series of arithmetic operations for the string generation system. This way, even if the obfuscation produces a visually striking outcome, it is not extremely difficult to unravel. 

"While this obfuscation is interesting and builds up extremely complex and highly obfuscated looking code, from a dynamic standpoint, this is trivial[…]Python is an interpreted language, and the code must run. We simply have to evaluate these instances, and it reveals exactly what the code is doing,” reads a Phylum report. 

Malicious Browser Extensions 

For taking control of the cryptocurrency transactions, the malicious PyPi packages create a malicious Chromium browser extension in the ‘%AppData%\Extension’ folder, similar to the November 2022 attacks. 

It then looks for Windows shortcuts pertaining to Google Chrome, Microsoft Edge, Brave, and Opera, followed by hijacking them to load the malevolent browser extension using the '--load-extension' command line argument. 

For example, a Google Chrome shortcut would be hijacked to "C:\Program Files\Google\Chrome\Application\chrome.exe --load-extension=%AppData%\\Extension". 

After the web browser is launched, the extension will load, and malicious JavaScript will monitor for cryptocurrency addresses copied to the Windows clipboard. When a crypto address is found, the browser extension will swap it out for a list of addresses that are hardcoded and under the control of the threat actor. By doing this, any sent cryptocurrency transaction funds will be sent to the wallet of the threat actor rather than the intended receiver. 

By including cryptocurrency addresses for Bitcoin, Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos in this new campaign, the threat actor has increased the number of wallets that are supported. 

These findings illustrate the ever-emerging threats that developers face from supply chain attacks, with threat actors inclining to methods like typosquatting to scam users into installing fraudulent packages.  

Data Theft Feature Added by Russian Nodaria APT

An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.

The two-stage threat known as graphiron consists of a downloader and a payload. The downloader has the addresses of command-and-control (C&C) servers hardcoded in. It will look for active processes when it is executed and compare them to a blacklist of malware analysis tools.

If no processes on the blacklist are discovered, this will connect to a C&C server, download the payload, and then decrypt it before adding it to autorun. The downloader is set up to run only once. It won't try again or send a signal if it is unable to download and run the payload.

Graphiron shares several characteristics with earlier Nodaria tools like GraphSteel and GrimPlant. Advanced features allow it to execute shell commands, gather system data, files, login passwords, screenshots, and SSH keys. Further, it uses port 443 to communicate with the C2 server, and all communications are encrypted using an AES cipher.

Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.