Bitter APT and Transparent Tribe Campaigns on Social Media

 

Facebook's parent company, Meta, has recently shut down two cyberespionage campaigns on its social networking platforms. The Bitter APT and Transparent Tribe threat groups were behind these campaigns. Both groups are based in South Asia.

About Bitter APT:

The first group discovered was Bitter APT or T-APT-17, which targeted firms in the government, engineering, and energy industries. The group used social engineering against targets in India, the United Kingdom, New Zealand, and Pakistan.

To install malware on target devices, it exploited a combination of hijacked websites, URL shortening services, and third-party file hosting companies. To interact with and fool their victims, the hackers impersonated activists, journalists, and young women. Bitter also utilised Dracarys, a new Android malware that exploits accessibility services.

Transparent Tribe

Transparent Tribe, also known as APT36, is less complex than Bitter APT. It employs social engineering techniques as well as widely available malware. Its most recent campaign targeted citizens in India, Pakistan, Afghanistan, Saudi Arabia, and the United Arab Emirates. 

Human rights advocates and military officials were the primary targets of the campaign. The hackers pretended to be recruiters for bogus and real firms, as well as young ladies and military personnel.

In conclusion

Social media has become a playground for cybercriminals of all sorts. Cyberspies utilise these platforms to gather intelligence and lure victims to external sites where malware may be downloaded. As a result, users are advised to exercise caution while befriending strangers online.

Hacker Uses New RAT Malware in Cuba Ransomware Attacks

 

A member of the Cuba ransomware operation is using previously unknown tactics, methods, and procedures (TTPs), such as a novel RAT (remote access trojan) and a novel local privilege escalation tool. 

Researchers at Palo Alto Networks Unit 42 dubbed the threat actor 'Tropical Scorpius,' and it is most certainly an affiliate of the Cuba ransomware operation. In Q1 2022, Cuba ransomware received a slight update, including a modified encryptor with more nuanced options and the addition of quTox for live victim support.

Tropical Scorpius, on the other hand, represents a change in tactics, perhaps making the Cuba operation more risky and obtrusive. Tropical Scorpius employs the standard Cuba ransomware payload, which has remained essentially unchanged from the operation's inception in 2019. 

Since June 2022, one of the new techniques has been to use a legitimate but invalidated NVIDIA certificate, stolen and leaked by LAPSUS, to sign a kernel driver dropped during the early stages of an infection. The driver's job is to find and terminate processes belonging to security products, helping the threat actors evade detection in the compromised environment.

Tropical Scorpius then downloads a local privilege escalation tool that includes an exploit for CVE-2022-24521, a flaw in the Windows Common Log File System Driver that was fixed as a zero-day in April 2022.

According to Unit 42, the hackers used an exploitation approach that appears to have been inspired by security researcher Sergey Kornienko's extensive write-up. Tropical Scorpius then downloads ADFind and Net Scan to accomplish lateral movement. This is also the time when the threat actor introduces a new tool capable of retrieving cached Kerberos credentials.

Another innovative approach discovered by Unit 42 researchers is the use of a ZeroLogon hack tool to get DA (domain administrator) credentials by exploiting CVE-2020-1472. Finally, Tropical Scorpius deploys "ROMCOM RAT," previously unknown malware that handles C2 connections through ICMP queries sent via Windows API calls.

ROMCOM RAT supports the following 10 commands:
  • Return connected drive information
  • Return file listings for a specified directory
  • Start up a reverse shell under the name svchelper.exe within the %ProgramData% folder
  • Upload data to C2 as ZIP file, using IShellDispatch to copy files
  • Download data and write to worker.txt in the %ProgramData% folder
  • Delete a specified file
  • Delete a specified directory
  • Spawn a process with PID Spoofing
  • Only handled by ServiceMain, received from C2 server and instructs the process to sleep for 120,000 ms
  • Iterate through running processes and gather process IDs

On June 20, 2022, Tropical Scorpius created a fresh version of ROMCOM and uploaded it for testing on VirusTotal; it pointed to the same hardcoded C2 address. The second version added ten new commands to the existing ten, providing more complex execution, file upload, and process termination options for remote activities. Furthermore, the updated version can fetch other payloads from the C2, such as a desktop snapper named "Screenshooter."

The introduction of Tropical Scorpius and its new TTPs implies that Cuba ransomware is becoming a more serious threat, even if the specific RaaS isn't the most prevalent in terms of victim count. Cuba, on the other hand, has chosen to keep a low profile and employ a gentler double-extortion strategy, thus the real number of victims is unclear.

Since June 2022, the group has published the stolen data of four victims on the Onion site's "free" area, although their "paid" offers haven't been updated in a long time. Given the time necessary for negotiation and extortion, the outcomes of the 'Tropical Scorpius' update may be seen in the second half of the year.


Sneak Peek: Hive’s RaaS Techniques

 

With the average ransomware pay-out expected to reach $541,010 in 2021 and some affiliates earning up to 80% of each ransom payment, it's no wonder that RaaS setups are claimed to assist nearly two-thirds of ransomware operations. 

Indeed, service providers such as Hive are giving threat actors a head start in their criminal careers. Hive is a new RaaS group that was discovered in June 2021. However, its aggressive tactics and frequent variant upgrades have turned it into a powerful opponent in the space.

While other ransomware operators, such as REvil, dominated the news in its first year, Hive gained prominence in November 2021 by hitting Media Markt, Europe's largest consumer electronics retailer. The attack piqued the interest of the RaaS industry, causing the platform's victim count to soon rise into the hundreds, with the bulk of these victims being IT and real estate enterprises in the United States.

How Hive Set Up a "Sales Department" 

The Menlo Labs research team examined interactions between the Hive ransomware gang and some of its victims in order to better comprehend this new and formidable RaaS group. Hive ransomware exploits a variety of attack vectors, including hijacked VPN credentials, weak RDP servers, and phishing emails with a Cobalt Strike payload. The examined programme was highly active, with attackers using the Hive platform putting considerable pressure on their targets. 

The Labs team discovered that Hive provides compromised victims a unique identification before encrypting their data, generally during unsociable hours, after reviewing some of the network traffic. Once this is accomplished, information about the victim is released on Hive's dark web data leak sites (DLS). The victim is then emailed an automatically created ransom letter with a link to the website, login credentials, and a call to action to contact Hive's "sales department." 

When the victim logs in, a live chat between the victim and a Hive admin is opened, during which the ransom is sought - generally in the form of Bitcoin - in return for a decryptor, a security report, and a file tree highlighting exactly what was stolen.

Hive was utilising malware written in Golang by its developers at the time the communications were reviewed by the Menlo Labs team, with the samples acquired being obfuscated to prevent detection and analysis.

However, Microsoft has now announced that Hive has produced a new variant that uses a different programming language, switching from Golang to Rust. The migration is expected to provide Hive with various benefits that Rust has over other programming languages, including the use of string encryption as a way to make it more evasive.

Surprisingly, the new variant also employs a different cryptographic technique. While the Golang variant embeds one encrypted key in each file it encrypts, the Rust variant has been shown to generate two sets of keys in memory, use them to encrypt the files, and then save the sets to the root of the drive it encrypts, both with the .key extension. While the new variant's key set generation differs from the previous one examined by the Menlo Labs team, its file encryption is remarkably similar.

With these changes, the Hive danger is projected to grow much more. As a result, enterprises must prepare to battle RaaS and ransomware more extensively in the future.

FortiGuard Labs: Evolving RapperBot IoT Malware Detected

Since June, FortiGuard Labs has been monitoring the "RapperBot" family of evolving IoT malware. Although this family borrows heavily from the original Mirai source code, it differs from other IoT malware families in that it has the capacity to brute force credentials and connect to SSH servers rather than Telnet, which is what Mirai used.

The malware is alleged to have gathered a series of hacked SSH servers, with over 3,500 distinct IP addresses used to scan and brute-force its way into the servers. The malware takes its name from an encoded URL to a YouTube rap music video found in an early version.

Analysis of the malware

According to the Fortinet analysis, the majority of the malware code implements an SSH 2.0 client that can connect to and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.

RapperBot turned out to be a Mirai fork with unique features, its own command and control (C2) protocol, and unusual post-compromise activity for a botnet. RapperBot was created to target ARM and MIPS and has limited DDoS capabilities.

The attempt to establish persistence on the compromised host, which effectively allows the hacker to keep ongoing access long after the malware has been removed or the device has been restarted, is further evidence of how RapperBot deviates from usual Mirai behavior.

RapperBot used a self-propagation technique via a remote binary downloader, which was eliminated by the hackers in mid-July, as per Fortinet researchers who watched the bot and proceeded to sample new variants.

The recent versions in circulation at the time included a shell command that replaced the victim's SSH keys with the hackers' own. The operators' SSH public key is inserted into the "~/.ssh/authorized_keys" file to gain access. This enables the attacker to log in and authenticate to the server using the associated private key without providing a password.

The root user "suhelper" is added by the bot to the compromised endpoints in the most recent samples that the researchers have examined. The bot also sets up a Cron job to add the user again every hour if an administrator finds the account and deletes it.

Observations 

As per Fortinet, analysts observed no new post-compromise payloads being delivered during the monitoring period, so the malware simply lies dormant on the affected Linux systems.

Despite the botnet abandoning self-propagation in favor of persistence, it is said that the botnet underwent substantial alterations in a short period of time, the most notable of which being the removal of DDoS attack elements from the artifacts at one point, only to be reinstated a week later.

At best, the campaign's ultimate goals are still unclear, and little more action is taken after a successful compromise. It is evident that SSH servers with pre-configured or easily guessable credentials are being gathered into a botnet for some unknown future use.

Users should set secure passwords for their devices or turn off password authentication for SSH to protect themselves from such attacks.
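The persistence traits and the mitigation described above can be checked on a host with a short audit. This is an added example, not code from Fortinet or from the original post; the sample file contents, key blobs and the allowlist are constructed, and `Include` files and `Match` blocks in sshd_config are assumed out of scope.

```python
import base64
import hashlib
import re

KEY_RE = re.compile(r"\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+|sk-\S+)\s+([A-Za-z0-9+/=]+)")
ACCOUNT_CMD_RE = re.compile(r"\b(useradd|adduser|usermod)\b|>>?\s*/etc/(passwd|shadow)\b")


def uid0_accounts(passwd_text):
    """Return account names other than 'root' that carry UID 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def cron_account_jobs(cron_text):
    """Return cron lines that create or modify accounts on a schedule."""
    return [ln.strip() for ln in cron_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
            and ACCOUNT_CMD_RE.search(ln)]


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unapproved_keys(authorized_keys_text, approved):
    """Return fingerprints found in authorized_keys that are not on the allowlist."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        match = KEY_RE.search(line)
        if not match or line.lstrip().startswith("#"):
            continue
        try:
            fp = fingerprint(match.group(2))
        except ValueError:  # malformed base64 is itself worth reporting
            fp = "unparseable:" + match.group(2)[:16]
        if fp not in approved:
            unknown.append(fp)
    return unknown


def password_auth_enabled(sshd_config_text):
    """True if the global section leaves PasswordAuthentication on (sshd's default)."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":  # per-user/host overrides are not evaluated here
            break
        if key == "passwordauthentication" and len(parts) > 1:
            return parts[1].lower() != "no"  # sshd uses the first value it reads
    return True


def audit(passwd, cron, auth_keys, sshd_config, approved):
    """Collect findings for the four checks as human-readable strings."""
    findings = [f"UID 0 account besides root: {n}" for n in uid0_accounts(passwd)]
    findings += [f"cron job manages accounts: {j}" for j in cron_account_jobs(cron)]
    findings += [f"authorized_keys entry not on allowlist: {fp}"
                 for fp in unapproved_keys(auth_keys, approved)]
    if password_auth_enabled(sshd_config):
        findings.append("sshd accepts password authentication")
    return findings


def sample_blob(label):
    """Constructed stand-in for a public key blob; not a real key."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample inputs, modelled on the behaviour the article describes.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "admin:x:1000:1000:Admin:/home/admin:/bin/bash\n"
    "suhelper:x:0:0::/home/suhelper:/bin/sh\n"
)
SAMPLE_CRON = (
    "# m h dom mon dow user command\n"
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    "0 * * * * root /usr/sbin/useradd -o -u 0 -g 0 suhelper\n"
)
SAMPLE_KEYS = (
    f"ssh-ed25519 {sample_blob('admin-laptop')} admin@laptop\n"
    f"ssh-rsa {sample_blob('unknown-operator')}\n"
)
SAMPLE_SSHD = "Port 22\n#PasswordAuthentication no\nPermitRootLogin yes\n"
APPROVED = {fingerprint(sample_blob("admin-laptop"))}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_CRON, SAMPLE_KEYS, SAMPLE_SSHD, APPROVED):
        print(finding)
```

On a real system the four inputs would be read from /etc/passwd, the system and user crontabs, each account's authorized_keys file and /etc/ssh/sshd_config.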

Russian Entities Hit by New Woody RAT Malware

 

Malwarebytes researchers discovered an unidentified malicious actor who has been victimizing Russian organizations with a brand new remote access trojan named Woody RAT for at least a year as part of a spear-phishing campaign. 

The malware was being delivered via two methods: archive files and Microsoft Office documents exploiting the Follina Windows flaw (CVE-2022-30190).

Like other state sponsors of cyber operations, Woody RAT provides a wide range of features that allow the group of threat actors to take full remote control of the system and steal important data from the infected systems.

The team said that the attackers mainly focused on Russian organizations, based on a fake domain they had registered. Malwarebytes is aware that the attackers tried to target a Russian aerospace and defense entity known as OAK.

“The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.” states the report published by Malwarebytes. 

As per the technical data, the RAT is advanced malware that is equipped with multiple backdoor capabilities including writing arbitrary files to the machine, capturing screenshots, executing additional malware, enumerating directories, deleting files, and gathering a list of running processes. 

Also, the malware has two .NET DLLs embedded inside, named WoodySharpExecutor and WoodyPowerSession. WoodySharpExecutor allows the malware to run .NET code received from the C2, while WoodyPowerSession enables the malware to execute PowerShell commands and scripts received from the C2.

Once the command threads are created, the malware removes itself from the disk with the help of the process hollowing technique.

“This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as the Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor,” concludes the report. 

New DawDropper Malware Targeting Android Devices via Play Store

Trend Micro's security team has discovered a brand new phishing campaign that is distributing banking trojans on the Google Play Store. This malicious software is called DawDropper. These "droppers" impersonate trusted apps to gain access to victims' mobile devices, which makes them hard to detect and highly effective for malware distribution.

Additionally, Trend Micro security researchers reported that over a dozen fake and malicious Android dropper apps are present on the Google Play store containing banking malware. 

DawDropper is well known, and it is also offered for sale as DaaS (dropper-as-a-service) by some threat actors on the malicious web. Additionally, it uses a third-party cloud service, Firebase Realtime Database, to evade detection and obtain a payload download address. It also hosts payloads on GitHub.

This malicious campaign aims to gain access to users' banking data, including PIN codes, passwords, and banking credentials, in order to steal money from their banking apps. Hackers can intercept text messages and gain complete command over affected devices through the malware.

“We found a malicious campaign that uses a new dropper variant that we have dubbed as DawDropper. Under the guise of several Android apps such as Just In Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner,” Trend Micro security team reported. 

The following are the names of the malicious dropper apps discovered on the Google Play Store: Fix Cleaner, Crypto Utils, Rooster VPN, Lucky Cleaner, Extra Cleaner, Simple Cleaner, Conquer Darkness, Call Recorder APK, Unicc QR Scanner, Eagle photo editor, Call recorder pro+, Universal Saver Pro, Just In: Video Motion, Document Scanner – PDF Creator, Super Cleaner- hyper & smart.

These apps masquerade as utility and productivity apps, including VPN services, QR code readers, call recorders, and document scanners. Under the pretense of being general utility apps, dropper apps bypass Play Store security checks. Besides DawDropper, these apps are used to download more capable and intrusive malware on a device, such as Octo (Coper), Hydra, Ermac, and TeaBot.

Trend Micro's blog post listed some points to help keep mobile devices from being infected:

• Don't download an app to your device without checking the user reviews in the app store.
• Before downloading an app, first research its developers and publishers.
• Avoid downloading apps from unknown sources.

Gootkit Loader: Targets Victims via Flawed SEO Tactics

 

Gootkit previously concealed dangerous files using freeware installers; now it deceives users into downloading these files by disguising them as legal documents. Acting on a flag raised for a PowerShell script, researchers were able to stop it from doing any harm and from delivering its payload. This approach was discovered through managed extended detection and response (MxDR).

In order to compromise unwary users, the creators of the Gootkit access-as-a-service (AaaS) malware have reemerged. Gootkit has a history of disseminating threats including the SunCrypt ransomware, REvil (Sodinokibi) malware, Kronos trojans, and Cobalt Strike via fileless tactics.

The discoveries add to a prior report by eSentire, which stated in January that numerous attacks targeted the staff of accounting and law companies to propagate malware on compromised systems.

Gootkit is a tool of the rising underground ecosystem of access brokers, who are well-known for charging money to provide other hackers access to corporate networks, opening the door for real destructive operations like ransomware.
 
Upgraded Tactics

A search engine user initiates the attack chain by entering a specific query. A website compromised by Gootkit operators is displayed among the results thanks to a black hat SEO method used by the hackers.

When victims visit the website, it is presented to them as an online forum that directly answers their question. The malicious .js code, which is used to establish persistence and inject a Cobalt Strike binary into the target system's memory, was housed in a ZIP download made available by this forum.

"The obfuscated script that was run when the user downloaded and accessed this file used registry stuffing to install a section of encrypted codes in the registry and add scheduled tasks for persistence. Then, utilizing PowerShell's reflective loading of the encrypted registry code, the Cobalt Strike binary that runs entirely in memory was rebuilt," reads Trend Micro's analysis.

Experts drew attention to the fact that a custom text replacement technique has replaced base64 encoding for the encrypted registry data.

The Cobalt Strike binary loaded straight into the victim's system's RAM has been seen connecting to the Cobalt Strike C2's IP address, which is 89[.]238[.]185[.]13. The major payload of Cobalt Strike, a tool used for post-exploitation actions, is the beacon component.

Defensive measures

This case demonstrates that Gootkit is still active and developing its methods. It also shows that SEO poisoning continues to be a successful strategy for enticing unwary users.

User security awareness training, which tries to enable people to identify and defend themselves against the most recent risks, is something that organizations can do to help. 

This incident emphasizes the value of round-the-clock supervision. Notably, cross-platform XDR stopped this assault from getting worse since it allowed us to rapidly isolate the compromised system and prevent the threat from causing more harm to the network.

Watch Out For This Raccoon Stealer 2.0 With New Capabilities


Raccoon Stealer, also known as Legion, Mohazo, and Racealer, is a high-risk trojan-type application that infects systems and steals personal credentials. It is back with an upgraded second version circulating on cybercrime forums, offering hackers enhanced password-stealing functionality and advanced operational capacity.

The trojan whose services are being offered by various hacker groups on hacker forums, when installed on one's system can lead to various cyber issues. 

The Raccoon Stealer operation was taken down in March 2022 when its operators reported that one of the lead developers of the forum was killed during Russia’s invasion of Ukraine. The team also promised a comeback with an upgraded second version with more capabilities.

“We expect a resurgence of Raccoon Stealer v2, as developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads,” Sekoia said in the report.

According to the malware developers, the upgraded Raccoon version was built from scratch using C/C++, featuring a new back-end, front-end, and code to steal credentials and other data. 

Raccoon Stealer 2.0 uses a fake Malwarebytes website to steal personal information, including basic system fingerprinting info, browser passwords, cookies, autofill data, and saved credit cards.

Other information that Raccoon Stealer steals is given below:

• Cryptocurrency wallets and web browser extensions including MetaMask, TronLink, BinanceChain, and Ronin
• Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, and ElectronCash
• Individual files located on all disks
• Screenshot capturing
• Installed applications list

The data can be misused in various ways, such as transferring users' funds in crypto-wallets and other accounts (e.g., PayPal, bank accounts, etc.). Victims could, therefore, lose their savings. Moreover, hijacked accounts (e.g., Facebook, emails, etc.) can be misused to borrow money. 

The subscription cost of the stealer, which has already attacked over 100,000 devices, is $200 per month. It became one of the most frequently mentioned malware on underground forums in 2019.

Data Spyware Delivered via Telegram & Discord Bots

Hackers have utilized these messaging apps in a variety of ways to transmit their own malware, according to Intel 471's research. They have discovered ways to host, distribute, and execute various activities on these platforms, which they mostly exploit in cooperation with data theft in order to be able to steal credentials or other information from unwary users.

According to a recent study from Intel 471, threat actors are using the multifaceted nature of messaging apps — in particular, their content-creation and program-sharing components — as a basis for information stealing.

Tactics & Techniques

Researchers at Intel 471 have found a number of information stealers that are openly accessible and depend on Telegram or Discord to operate.

Additionally, these hackers conduct similar attacks against the Roblox and Minecraft gaming sites. Discord's content delivery network (CDN) is regularly used to store malware, as per researchers, because the platform doesn't place limitations on file storage.

One Telegram-focused botnet, dubbed X-Files, includes features that may be accessible through Telegram's bot commands. Once the malware has been installed on a victim's computer, criminal actors can take credit card information, login credentials, session cookies, and passwords, and send them to a Telegram channel of their choice. 

X-Files can pull data from several browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi. Although Prynt Stealer, another stealer, operates similarly, it lacks the built-in Telegram commands.

The following malware families have been seen hosting harmful payloads on Discord CDN: PrivateLoader, Discoloader, Colibri, Warzone RAT, Modi loader, Raccoon stealer, Smokeloader, Amadey, Agent Tesla stealer, GuLoader, Autohotkey, and njRAT.

Cautions

Automation in well-known chat platforms lowers the barrier to entry for malicious actors. Even though information stealers alone may not cause as much harm as malware like a data wiper or ransomware, data theft might be the initial step in a targeted attack against an enterprise.

Although messaging services like Discord and Telegram are not often utilized for corporate activities, their popularity and the surge in remote work have increased the attack surface available to cybercriminals.




Spyware Group ‘Knotweed’ Employs Windows and Adobe Bugs to Target Firms Worldwide

 

Microsoft has unearthed an Austrian “cyber mercenary” group employing Windows and Adobe exploits to target organizations with spyware since at least 2021. 

Security analysts at Microsoft’s Threat Intelligence Center and Security Response Center said the organization is a private-sector offensive actor (PSOA) called Decision Supporting Information Research Forensic (DSIRF), but dubbed by Microsoft with the codename Knotweed. 

The cyber-weapons broker has launched multiple attacks on law firms, banks, and strategic consultancies in countries across the globe via spyware — dubbed Subzero — that allows its users to remotely and silently infiltrate a victim’s computer, phone, network infrastructure, and internet-linked devices.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure, and internet-connected devices," Microsoft said in a blog post. 

DSIRF promotes Subzero as a “next generation cyber warfare” tool that can secure full control of a victim’s PC, steal passwords and disclose its real-time location, according to a copy of an internal presentation released by Netzpolitik, a German news website, in 2021. 

The report claims that DSIRF, which reportedly has links to the Russian state, promoted its tool for use during the 2016 U.S. presidential election. The German government was also considering the purchase and use of Subzero to enhance its cyber defense. 

Microsoft said it has issued a software update to mitigate the use of the identified vulnerabilities. The tech giant has also released signatures of the malware to shield Windows users from exploits Knotweed was employing to help deliver its malware. 

More action is needed on a broader level, given that DSIRF will not be the last PSOA to target organizations, as Microsoft researchers explained in a brief sent to Congress on Wednesday. 

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," researchers explained. "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

Alert! Check if you have these Android Malware Apps Installed With 10M+ Downloads

 

A fresh batch of harmful Android applications containing adware and malware that have been installed on almost 10 million mobile devices has been discovered on the Google Play Store. 

The apps pretend to be picture editors, virtual keyboards, system optimizers, wallpaper changers, and other things. Their primary functionality, however, is to display invasive advertisements, subscribe users to premium services, and hijack victims' social network accounts.

The Dr Web antivirus team discovered several dangerous applications, which they highlighted in a published study. Google has removed the great majority of the reported applications; however, three remain available for download and installation via the Play Store at the time of writing. Also, anyone who installed any of these applications before they were removed from the Play Store will need to manually delete them from the device and run an antivirus scan to remove any leftovers.

The adware apps Dr Web found are variations on existing families that initially surfaced on the Google Play Store in May 2022. When the applications are installed, they ask for permission to overlay windows over any app and can add themselves to the battery saver's exclusion list, allowing them to run in the background even after the victim closes the app. Furthermore, they hide their app drawer icons or replace them with something resembling a core system component, such as "SIM Toolkit."

"This app "killed" my phone. It keep'd crashing , i couldn't even enter password to unlock phone and uninstall it. Eventually, I had to make a complete wipe out (factory reset), to regain phone. DO NOT , install this app !!!!," read a review of the app on the Google Play Store. 

Joker applications, which are infamous for incurring fraudulent charges on victims' mobile phones by subscribing them to premium services, are the second kind of harmful apps spotted on the Play Store. Two of the featured applications, 'Water Reminder' and 'Yoga - For Beginner to Advanced,' have 100,000 and 50,000 downloads, respectively, in the Play Store. Both deliver the claimed functionality, but they also execute malicious operations in the background, interacting with unseen or out-of-focus WebView objects and charging consumers.

Finally, Dr. Web identifies two Facebook account stealers that are disseminated through picture editing applications that apply cartoon effects to ordinary images. These applications are 'YouToon - AI Cartoon Effect' and 'Pista - Cartoon Photo Effect,' and they have been downloaded over 1.5 million times in the App Store.

Android malware will always find a way into the Google Play Store, and apps can occasionally linger there for months, so users should not blindly trust any app. As a result, it is critical to read user reviews and ratings, visit the developer's website, read the privacy policy, and pay close attention to the permissions sought during installation.
  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor - Design Maker (gb.twentynine.redaktoridea)
  • Photo Editor & Background Eraser (de.photoground.twentysixshot)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
  • Photo Filters & Effects (de.sixtyonecollice.cameraroll)
  • Photo Editor : Blur Image (de.instgang.fiftyggfife)
  • Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
  • Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
  • Neon Theme Keyboard (com.neonthemekeyboard.app)
  • Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
  • Cashe Cleaner (com.cachecleanereasytool.app)
  • Fancy Charging (com.fancyanimatedbattery.app)
  • FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
  • Call Skins - Caller Themes (com.rockskinthemes.app)
  • Funny Caller (com.funnycallercustomtheme.app)
  • CallMe Phone Themes (com.callercallwallpaper.app)
  • InCall: Contact Background (com.mycallcustomcallscrean.app)
  • MyCall - Call Personalization (com.mycallcallpersonalization.app)
  • Caller Theme (com.caller.theme.slow)
  • Caller Theme (com.callertheme.firstref)
  • Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
  • 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
  • NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
  • Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
  • Notes - reminders and lists (com.notesreminderslists.app)

Windows 11: Account Lockout Policy Set Against Brute Force Attacks

Brute force attacks are used in ransomware intrusions and other sorts of unauthorized access; they typically rely on automated methods to test a massive number of passwords for one or more user accounts. 

Beginning with Insider Preview version 22528.1000, Windows 11 automatically mitigates such exploits by capping the number of unsuccessful sign-in attempts at 10, for a period of 10 minutes.

"In order to reduce RDP and other brute force password vectors, DEFAULT account lockout policy is now enabled in Win11 builds. The command will make brute forcing more tricky, which is decent. This technique is frequently used in Human Operated Ransomware and other attacks," stated David Weston, vice president of OS and enterprise security at Microsoft.

Setting Lockout Policy

By establishing a threshold of between 1 and 999 failed sign-in attempts that would cause a user account to be locked, IT security professionals already had the option of preventing brute force attacks using the account lockout policy.

The Account lockout threshold policy enables configuring the maximum number of unsuccessful sign-in attempts before a user account is locked. Once locked, an account cannot be used again until the administrator unlocks it or until the time period provided by the Account lockout duration policy setting has passed. 

The recommendation is to restrict the account lockout duration to no more than 15 minutes and to set the account lockout threshold high enough to allow for users accidentally mistyping their passwords.

However, the reset account lockout countdown will eventually run out, giving the user three more opportunities if they wait and try to log in again the following day, effectively making it appear as though there have been no failed logins.

The effectiveness of brute force attacks is considerably reduced by restricting the amount of password entry tries, but Microsoft warns that threat actors could abuse this security feature to perform denial-of-service (DoS) attacks by locking multiple user accounts in an enterprise.
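The interaction of the three settings described above (threshold, lockout duration, counter reset) can be seen by replaying failed sign-ins through a small model. This is an added example, not Microsoft's implementation: the class and function names are hypothetical, the model is simplified, and the 10-minute counter reset window is an assumption set equal to the lockout duration.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 10        # failed sign-ins that trigger a lockout
    duration_min: int = 10     # minutes the account stays locked
    reset_after_min: int = 10  # quiet minutes before the counter resets (assumed)


class Account:
    """Simplified model of one account under the policy; time is in minutes."""

    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None
        self.locked_at = None

    def sign_in(self, now, password_ok):
        p = self.policy
        if self.locked_at is not None:
            if now - self.locked_at < p.duration_min:
                return "rejected-locked"          # password is not evaluated at all
            self.locked_at, self.bad_count = None, 0  # lockout has expired
        if password_ok:
            self.bad_count = 0
            return "ok"
        if self.last_bad is not None and now - self.last_bad >= p.reset_after_min:
            self.bad_count = 0                    # quiet period elapsed, counter forgotten
        self.bad_count += 1
        self.last_bad = now
        if self.bad_count >= p.threshold:
            self.locked_at = now
            return "failed-locked-out"
        return "failed"


def replay(policy, failure_times):
    """Replay failed sign-ins (minute offsets) and tally the outcomes."""
    account, tally = Account(policy), {}
    for t in failure_times:
        outcome = account.sign_in(t, password_ok=False)
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally


def legit_user_blocked(policy, failure_times, user_login_at):
    """True if the real user, typing the correct password, is turned away."""
    account = Account(policy)
    for t in failure_times:
        account.sign_in(t, password_ok=False)
    return account.sign_in(user_login_at, password_ok=True) == "rejected-locked"


if __name__ == "__main__":
    print(replay(LockoutPolicy(), range(60)))                   # one failure per minute
    print(legit_user_blocked(LockoutPolicy(), range(10), 12))  # the lockout side effect
```

The second function shows the denial-of-service side effect: failures caused by someone else keep the legitimate user out until the lockout duration expires, which is why lockout events are worth alerting on rather than treating as silent protection.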


Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

 

Cybersecurity researchers have revealed previously unknown malware targeting Apple's macOS operating system. The malware, nicknamed CloudMensis by the Slovak cybersecurity firm ESET, is reported to use popular cloud storage services such as pCloud, Yandex Disk, and Dropbox exclusively for receiving attacker commands and exfiltrating files. 

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé stated in a published report. 

CloudMensis was found in April 2022. It is written in Objective-C and is built to run on both Intel and Apple silicon architectures. The initial infection vector for the attacks, as well as the targets, are still unclear. However, the malware's limited dissemination suggests that it is being used as part of a carefully targeted operation aimed at businesses of interest. 

ESET discovered an attack chain that uses code execution and administrative privileges to launch a first-stage payload, which retrieves and runs a second-stage malware hosted on pCloud. The second stage exfiltrates documents, screenshots, and email attachments, among other things. 

The first-stage downloader is also known to delete evidence of Safari sandbox escape and privilege escalation attacks from 2017 that make use of four now-resolved security flaws, implying that CloudMensis may have gone undetected for many years. The implant also includes capabilities that allow it to circumvent the Transparency, Consent, and Control (TCC) security system, which requires all programmes to seek user permission before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes. 

It accomplishes this by exploiting another fixed security flaw known as CVE-2020-9934, which was discovered in 2020. The backdoor also allows its operators to access a list of running processes, capture screenshots, list files from removable storage devices, and launch shell commands and other arbitrary payloads. 

Furthermore, an examination of information from the cloud storage infrastructure reveals that the pCloud accounts were established on January 19, 2022, with compromises beginning on February 4 and spiking in March. 

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Large-Scale Malware Campaign Targets Elastix VoIP Systems

 

Threat analysts at Palo Alto Networks' Unit 42 have unearthed a massive campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples between December 2021 and March 2022. 

Elastix is a unified communications server software, based on projects such as Digium’s Asterisk, FreePBX, and more. 

The hackers' goal was to plant a PHP web shell that could run arbitrary commands on the compromised communications server by exploiting a remote code execution (RCE) vulnerability tracked as CVE-2021-45461, with a critical severity rating of 9.8 out of 10. 

The campaign is still active and shares multiple similarities to another operation in 2020 that was reported by researchers at cybersecurity firm Check Point. 

According to the researchers, enterprise servers are sometimes a higher-value target than computers, laptops, or other firm endpoints. Servers are usually more powerful devices and could be exploited, for example, as part of a potent botnet generating thousands of requests per second. 

In this campaign, the researchers spotted two separate attack groups employing initial exploitation scripts to drop a small shell script. The script installs an obfuscated PHP backdoor on the web server, creates multiple root user accounts, and sets a scheduled task to ensure recurring re-infection of the system. 

"This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system," security researchers explained. 

The IP addresses of the hackers are in the Netherlands, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment. 

The PHP web shell, which is injected with a random junk string to bypass signature-based defenses, consists of several layers of Base64 encoding and is guarded by a hardcoded “MD5 authentication hash” mapped to the victim’s IP address. 

The web shell also accepts an admin parameter and supports arbitrary commands, along with a series of built-in default commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform. 

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is through a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks,” Palo Alto Networks concludes.
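Two of the dropper behaviours described above leave checkable traces on a POSIX host: a backdated modification time still carries a fresh inode change time (ctime), and extra root accounts appear as additional UID 0 entries in the passwd file. The following triage sketch is an added example, not code from Unit 42 or Elastix; the function names, file names, account names and the one-day threshold are assumptions, and the sample data is constructed.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def timestamp_mismatches(webroot, min_gap=DAY):
    """PHP files whose ctime is at least min_gap seconds newer than mtime.

    Copying another file's timestamp rewrites mtime, but the kernel still
    stamps ctime (inode change time) with the moment the change was made.
    """
    hits = []
    for path in sorted(Path(webroot).rglob("*.php")):
        st = path.stat()
        gap = int(st.st_ctime - st.st_mtime)
        if gap >= min_gap:
            hits.append((path.name, gap // DAY))   # (file, gap in whole days)
    return hits


def extra_uid0_accounts(passwd_text):
    """Account names other than 'root' that carry UID 0 in passwd(5) text."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


# Constructed passwd content; 'sysadm1' is a made-up second UID 0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:100:101::/var/lib/asterisk:/bin/bash
sysadm1:x:0:0::/home/sysadm1:/bin/bash
"""


def run_on_constructed_sample():
    """Build a throwaway web root with one backdated file and run both checks."""
    with tempfile.TemporaryDirectory() as webroot:
        normal = Path(webroot, "index.php")
        backdated = Path(webroot, "config_helper.php")
        normal.write_text("<?php // ordinary page ?>")
        backdated.write_text("<?php // harmless stand-in for a dropped file ?>")
        old = time.time() - (400 * DAY + DAY // 2)
        os.utime(backdated, (old, old))   # mtime moves back, ctime stays current
        return timestamp_mismatches(webroot), extra_uid0_accounts(SAMPLE_PASSWD)


if __name__ == "__main__":
    print(run_on_constructed_sample())
```

A ctime/mtime gap is a lead rather than a verdict: archive extraction, package installs and timestamp-preserving copies produce the same pattern, so hits should be compared against the known contents of the installation.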

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users

 

A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is named after the mantis shrimp, which is less than 10 cm in length. Despite being so small, the claws of mantis shrimps can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanned almost 1.6 million websites in an attempt to take advantage of an arbitrary file upload vulnerability in a WordPress plugin whose flaw had previously been disclosed.

Identified as CVE-2021-24284, the vulnerability affects Kaswara Modern WPBakery Page Builder Addons. When exploited, it gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider says it has blocked an average of 443,868 attack attempts per day against client websites.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax.php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate JavaScript files to reroute users to dangerous websites, including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==".

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, most of them weren't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.
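A sweep of a site's files for the marker string quoted above, as an added example that is not Wordfence's code. The function names and sample files are constructed, and the pattern tolerates spacing variants of the marker, which is an assumption beyond the exact string given in the article.

```python
import re
import tempfile
from pathlib import Path

# Marker quoted in the article; \s* tolerates spacing variants (an assumption).
NDSW_MARKER = re.compile(rb";\s*if\s*\(\s*ndsw\s*==")


def scan_for_ndsw(webroot, extensions=(".js",)):
    """Return (relative path, line number, byte offset) for every marker hit."""
    findings = []
    for path in sorted(Path(webroot).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue   # unreadable file: skip it rather than abort the sweep
        for match in NDSW_MARKER.finditer(data):
            line_no = data.count(b"\n", 0, match.start()) + 1
            rel = path.relative_to(webroot).as_posix()
            findings.append((rel, line_no, match.start()))
    return findings


def run_on_constructed_sample():
    """Build a throwaway site tree with harmless stand-in files and scan it."""
    samples = {
        "wp-includes/js/clean.js": b"function ok(){return 1;}\n",
        "wp-includes/js/lib.min.js":
            b"var a=1;\nvar b=2; if(ndsw===undefined){/* stand-in */}\n",
        "theme/app.js": b"x();if(ndsw==1){}",
        "notes.txt": b"; if(ndsw== quoted in an incident note",  # not JavaScript
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_for_ndsw(root)


if __name__ == "__main__":
    for hit in run_on_constructed_sample():
        print(hit)
```

Files that match should be restored from a known-good copy rather than edited in place, since the marker only shows where the injected code starts being recognisable.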

Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a brand-new data extortion group that has been breaking into businesses to steal users' data. If the victims don't pay a ransom to prevent the information from being made public, hackers threaten to make the records publicly accessible. 

The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.

How does the scam work?

The Luna Moth ransomware gang has been analyzed by the incident response team at cybersecurity firm Sygnia, which noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In a published report, Sygnia claims that although the goal of Luna Moth, also known as TG2729, is to acquire key data, its method of operation is similar to that of a scammer.

The organization has been posing as Zoho MasterClass Inc. and Duolingo over the last three months, operating a widespread phishing scam.  The malicious emails are sent from Gmail accounts that were altered to look like official company email accounts, claiming to be from the Zoho Corporation or Duolingo.

Domains used

In April 2022, the first verified campaign-related domain was registered. Hostwinds, a service provider, hosts both the exfiltration and phishing domains, which are both registered under Namecheap.

The two primary sets of domains and IPs that make up Luna Moth infrastructure can be tied to subscription fraud:

  • Domains with the XYZ TLD, such as maaays[.]xyz, are exfiltration domains. The organization uses these domains as the endpoint for the exfiltrated data when using the Rclone obfuscation method.
  • Phishing sites like masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. The majority of these domains only last for four hours or less.

Standard tools

Atera, Splashtop, Syncro, and AnyDesk are some of the remote administration tools (RATs) that the hackers mainly employ to control compromised devices. These tools also give the hackers some flexibility and persistence: even if one of the RATs is removed from the system, the others can still reinstall it. Furthermore, the group uses off-the-shelf tools such as SharpShares and SoftPerfect Network Scanner.

The tools are saved under fake names that make them appear to be legitimate. In addition to the RATs, these tools enable the threat actors to conduct basic reconnaissance tasks, acquire access to additional resources, and steal data from compromised networks.



Businesses Hit By The Ransomware 0mega

 

Launched in May 2022, this new ransomware operation known as 0mega uses a double-extortion method to target corporations all over the world and seeks millions of dollars in ransom. 

Since a ransomware sample for the 0mega operation has not yet been found, not much is known about the encryption method used. However, what's known is that the malware adds the .0mega extension to the encrypted file names and produces ransom notes named DECRYPT-FILES.txt, according to BleepingComputer. 

Such ransom notes are made specifically for each victim, and they typically include the name of the business and a list of the various kinds of data that were stolen. Additionally, some notes contain threats that, in the scenario that a ransom is not paid, the 0mega gang will reveal the information to commercial partners and trade associations. 

The victims can contact the ransomware group using the "help" chat feature of the Tor payment negotiation site included in ransom notes. It includes a special code to get in touch with the operators via the negotiating site. 

Like practically all ransomware operations that target businesses, 0mega has a specific site for data leaks where malicious actors disseminate stolen information if a ransom is not paid. 152 GB of data that was stolen from an electronics repair business in a May incident is now hosted on 0mega's leak site. 

Last week, though, there was a second victim that has since been removed, suggesting that the business has perhaps paid a ransom. In a blog post published on the digest 'Crypto ransomware', researchers Lawrence Abrams and Andrew Ivanov discuss the malware in detail.

Hackers Used Fake LinkedIn Job Offer to Steal $625M

 

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued an advisory in May 2022, stating that highly competent hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered, with the North Korean government-backed hacker organisation Lazarus getting into Sky Mavis' network by giving one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack, Axie Infinity's Ethereum-based proof-of-authority sidechain, Ronin, had nine validators. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 

Nonetheless, the Ronin sidechain upped the number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie Players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US administration alleges that the assault was carried out by the renowned North Korean hacking organisation Lazarus. This organisation specialises in such attacks. This is hardly Lazarus' first foray into the blockchain sector. However, Lazarus using social engineering to infiltrate a company's networks is unusual. In reality, the Slovak internet security company ESET notified LinkedIn users in June 2020 about Lazarus' involvement in a complex LinkedIn recruiting fraud targeting military and aerospace industries.

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations


About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign impersonating big cybersecurity companies, including CrowdStrike. The phishing emails say that the recipient's company has been compromised and that the victim should call the given phone number. The campaign uses social-engineering techniques similar to those used in recent callback campaigns such as WIZARD SPIDER's 2021 BazarCall campaign. 

The campaign is likely to involve common genuine remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion. The callback campaign uses emails that appear to originate from big security companies; the message says that the security company found a potential issue in the recipient's network. As in earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

Currently, CrowdStrike Intelligence can't confirm the version in use, but the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.