Microsoft Detects Raspberry Robin Worm in Windows Networks

According to Microsoft, a recently detected Windows worm has been discovered on the networks of hundreds of firms from numerous industry sectors. 

The malware, called Raspberry Robin, spreads via infected USB devices and was discovered by Red Canary intelligence experts in September 2021. In early November, cybersecurity company Sekoia detected it using QNAP NAS devices as command and control (C2) servers, while Microsoft stated it discovered malicious artefacts tied to this worm produced in 2019.

Redmond's findings are consistent with those of Red Canary's Detection Engineering team, which discovered this worm on the networks of several clients, including several in the technology and manufacturing industries. Although Microsoft saw the malware communicating with Tor network addresses, the threat actors have yet to exploit the access they gained to their victims' networks.

As already mentioned, Raspberry Robin spreads to new Windows systems by means of infected USB drives containing a malicious .LNK file. When the USB device is attached and the user clicks the link, the worm spawns a msiexec process using cmd.exe to launch a malicious file stored on the infected drive. It infects new Windows devices, communicates with its command and control (C2) servers, and executes malicious payloads using several legitimate Windows utilities:
  • fodhelper (a trusted binary for managing features in Windows settings),
  • msiexec (command line Windows Installer component),
  • and odbcconf (a tool for configuring ODBC drivers).
"While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware," Red Canary researchers explained. "Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes."

Security researchers who have seen Raspberry Robin in the wild have yet to link the malware to a threat group and are still working to determine its operators' ultimate objective. In any case, Microsoft has labelled this campaign as high-risk, considering that the attackers could download and deploy additional malware inside the victims' networks and escalate their privileges at any time.
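One way to hunt for the behaviour Red Canary describes, as an added example that is not from Red Canary or Microsoft: correlate process-creation and network events and flag msiexec.exe that was started by cmd.exe and then connects to an external address. The event schema, host names and sample events are constructed assumptions.

```javascript
// Added example: flag msiexec.exe started by cmd.exe that then talks to an
// external address. The event schema and the sample events are constructed.
const baseName = (p) => String(p || '').split(/[\\/]/).pop().toLowerCase();

// True for loopback, link-local and RFC 1918 IPv4 addresses.
function isInternalIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254);
}

// events: time-ordered process-creation and network-connection records.
function findMsiexecExternalComms(events) {
  const procs = new Map(); // "host:pid" -> process-creation event
  const alerts = [];
  for (const e of events) {
    const key = `${e.host}:${e.pid}`;
    if (e.type === 'process') { procs.set(key, e); continue; }
    const p = procs.get(key);
    if (e.type !== 'network' || !p) continue;
    if (baseName(p.image) === 'msiexec.exe' &&
        baseName(p.parentImage) === 'cmd.exe' && !isInternalIPv4(e.destIp)) {
      alerts.push({ host: e.host, pid: e.pid, destIp: e.destIp });
    }
  }
  return alerts;
}

// Constructed telemetry: the Windows Installer service on ws-01 reaching an
// internal server, and a cmd.exe -> msiexec.exe chain on ws-02 reaching out.
const SAMPLE_EVENTS = [
  { type: 'process', host: 'ws-01', pid: 977,
    image: 'C:\\Windows\\System32\\msiexec.exe',
    parentImage: 'C:\\Windows\\System32\\services.exe' },
  { type: 'network', host: 'ws-01', pid: 977, destIp: '10.0.0.5' },
  { type: 'process', host: 'ws-02', pid: 977,
    image: 'C:\\Windows\\System32\\msiexec.exe',
    parentImage: 'C:\\Windows\\System32\\cmd.exe' },
  { type: 'network', host: 'ws-02', pid: 977, destIp: '203.0.113.10' },
];
```

Administrators' scripts that install packages from the internet through cmd.exe will also match, so results need triage against known deployment tooling.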

Novel ToddyCat APT Attacking Microsoft Exchange Servers

 

ToddyCat APT has been targeting Microsoft Exchange servers in enterprises throughout Asia and Europe since at least December 2020. 

The ToddyCat APT group stepped up its attacks in February 2021 and is looking for unpatched Microsoft Exchange servers to attack with ProxyLogon exploits. A passive backdoor dubbed Samurai and a new Ninja trojan were identified while following the group's activity. Both types of malware take over compromised devices and move laterally throughout networks.

Some of the organisations infiltrated by the gang in three separate countries were hacked at the same time by other Chinese-backed hackers using the FunnyDream backdoor. High-profile organisations from the government and military sectors are the targeted victims. The group appears to be focused on attaining essential goals that are linked with geopolitical objectives. 

Numerous waves of attacks 

The initial wave of strikes began in December 2020 and ended in February 2021. The group was solely targeting a few government entities in Vietnam and Taiwan at the time. Between February and May 2021, the second round of assaults began targeting organisations in a variety of nations, including Iran, Russia, India, and the United Kingdom. 

The group targeted the same set of nations in the following phase, which lasted through February 2022, as well as communities from Uzbekistan, Kyrgyzstan, and Indonesia. ToddyCat Group has expressed interest in the government and military sectors and is expected to continue operations. 

Organizations should employ threat intelligence services to remain up to date on emerging dangers and defend their networks. Additionally, they should utilise the given IOCs to improve threat detection.

Due to Security Reasons, Chrome will Limit Access to Private Networks

 

Google has announced that its Chrome browser will soon ban websites from querying and interacting with devices and servers inside local private networks, due to security concerns and past abuse from malware. 

The transition will occur as a result of the deployment of a new W3C specification known as Private Network Access (PNA), which will be released in the first half of the year. The new PNA specification introduces a feature to the Chrome browser that allows websites to request permission from computers on local networks before creating a connection.

“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true,” as per Eiji Kitamura and Titouan Rigoudy, Google.

Internet websites will be prohibited from connecting if local hardware such as servers or routers fails to respond. One of the most important security features incorporated into Chrome in recent years is the new PNA specification. 
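The preflight exchange quoted above, seen from the device on the private network, as an added example that is not code from the original post or from Google: a handler that returns the permission header only to origins on an allowlist. The function names, the allowlist and the sample origin are assumptions.

```javascript
// Added example (not from the original post): answering Chrome's Private
// Network Access preflight on a device inside the local network.
// ALLOWED_ORIGINS and the sample origin are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(['https://console.example.com']);

// Decide the preflight response from Node-style (lower-cased) request headers.
function answerPreflight(method, headers) {
  const origin = headers['origin'];
  const isPreflight =
    method === 'OPTIONS' && 'access-control-request-method' in headers;
  if (!isPreflight) return { status: 405, headers: {} };

  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // No Allow headers at all: the browser fails the preflight and never
    // sends the real request to this device.
    return { status: 403, headers: {} };
  }
  const out = {
    'Access-Control-Allow-Origin': origin, // exact origin, never "*"
    'Access-Control-Allow-Methods': 'GET',
    'Vary': 'Origin',
  };
  // Grant private-network permission only when the browser asked for it.
  if (headers['access-control-request-private-network'] === 'true') {
    out['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers: out };
}

// Request listener usable with Node's http.createServer(handle).
function handle(req, res) {
  if (req.method === 'OPTIONS') {
    const { status, headers } = answerPreflight(req.method, req.headers);
    res.writeHead(status, headers);
    return res.end();
  }
  const origin = req.headers['origin'];
  const cors = ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' } : {};
  res.writeHead(200, { 'Content-Type': 'text/plain', ...cors });
  res.end('device status: ok\n');
}
```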

Cybercriminals have known since the early 2010s that they can utilize browsers as a "proxy" to relay connections to a company's internal network. For example, malicious code on a website could attempt to reach an IP address such as 192.168.0.1, which is the standard address for most router administrative panels and is only reachable from a local network. 

When users visit a fraudulent site like this, their browser can issue an automatic request to their network without their permission, transmitting malicious code that can evade router authentication and change router settings. 

These types of attacks aren't simply theoretical; they've happened previously, as evidenced by the examples provided here and here. Other local systems, such as internal servers, domain controllers, firewalls, or even locally-hosted apps (through the http://localhost domain or other locally-defined domains), could be targeted by variations of these internet-to-local network attacks. Google aims to prevent such automated attacks by incorporating the PNA specification into Chrome and its permission negotiation system. 

According to Google, PNA was included in Chrome 96, which was published in November 2021, but complete support will be available in two parts this year, with Chrome 98 (early March) and Chrome 101 (late May).

Lake County government shuts down servers after ransomware attack

After the massive cyberattack in Texas, officials from Lake County, Illinois revealed on Friday, August 23 that the county has been hit by a cyberattack that forced the shutdown of email service and several internal applications.

The officials also mentioned that the breach came in the form of ransomware, which is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access.

Mark Pearman, director of the county's information technology office, said that on Thursday, August 22, the IT staff was installing cybersecurity software on 3,000 individual employee laptops and working on the process to remove the ransomware from 40 county servers.

The ransomware attack was first noticed by systems administrators on Thursday, and to contain it the IT staff started taking encrypted and unencrypted servers off the network.

However, the official clarified that there was no evidence of data theft from county servers. Restoring the systems will take the entire week, and more information about the attack will be known by Monday, August 26.

As reported, the IT department is working with the county's cybersecurity contractor, CrowdStrike, to conduct a damage assessment. This process includes scanning all the servers and almost 3,000 computers to determine which are infected by the ransomware.

Almost a month ago, LaPorte County, Indiana also suffered a similar breach and the authorities paid a ransom of $132,000 worth of Bitcoins to the hackers to restore the access to affected systems.

Another ransomware attack hit 22 Texas town governments, and Louisiana was recently forced to declare a state of emergency after some of its school districts' networks were hacked.

After all these events, National Guard Chief Gen. Joseph Lengyel called the events a "cyber storm." He also mentioned that these multi-state cyber attacks reiterate the need for more standardized policies and training for cyber units across the force.

More than 17,000 Domains Affected with Code which Steals Card Data



Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Cybercriminals exploited the lack of access control in Amazon's cloud storage services and affected over 17,000 domains via automated attacks that modified JavaScript code indiscriminately, without checking whether the code would load on a payment page.

The campaign, part of Magecart operations, began in April; attackers injected payment card skimming code into a large number of domains with JavaScript files in poorly configured Amazon S3 buckets, which granted write permissions to anyone who found them.

According to the security researchers at RiskIQ, the discovery of these S3 buckets had been automated by the authors of the campaign.

According to Yonathan Klijnsma, RiskIQ's head of threat research, "Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," he added.

The fact that a large number of websites using Amazon's cloud storage services failed to secure access to the corresponding assets played a major role in the Magecart campaign realizing its malicious objectives.
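A defensive check for the misconfiguration described above, as an added example that is not RiskIQ's or Amazon's tooling: it inspects a bucket ACL and bucket policy, in the shapes returned by the S3 GetBucketAcl and GetBucketPolicy APIs, for grants that let anyone write. The function names, the bucket name and the sample ACL and policy are constructed assumptions.

```javascript
// Added example: flag S3 bucket settings that let anyone overwrite objects.
const ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers';
const PUBLIC_GROUPS = new Set([ALL_USERS,
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers']);
const WRITE_ACL_PERMS = new Set(['WRITE', 'WRITE_ACP', 'FULL_CONTROL']);
// Actions that let a caller replace a hosted .js file or loosen access to it.
const WRITE_ACTIONS = ['s3:PutObject', 's3:PutObjectAcl',
  's3:PutBucketAcl', 's3:PutBucketPolicy'];
const asList = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

// Policy actions may use "*" and "?" wildcards and are case-insensitive.
function actionMatches(pattern, action) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${re}$`, 'i').test(action);
}

function isPublicPrincipal(p) {
  if (p === '*') return true;
  return p != null && typeof p === 'object' && asList(p.AWS).includes('*');
}

// Returns a list of findings; an empty list means no public write was found.
function findPublicWrite(acl, policy) {
  const findings = [];
  for (const g of asList(acl && acl.Grants)) {
    const uri = g.Grantee && g.Grantee.URI;
    if (PUBLIC_GROUPS.has(uri) && WRITE_ACL_PERMS.has(g.Permission)) {
      findings.push({ source: 'acl', detail: g.Permission });
    }
  }
  for (const s of asList(policy && policy.Statement)) {
    if (s.Effect !== 'Allow' || !isPublicPrincipal(s.Principal)) continue;
    const hits = WRITE_ACTIONS.filter((a) =>
      asList(s.Action).some((pat) => actionMatches(pat, a)));
    // A Condition may narrow the grant, so it is reported for manual review.
    if (hits.length > 0) {
      findings.push({ source: 'policy', detail: hits.join(','),
        conditional: s.Condition !== undefined });
    }
  }
  return findings;
}

// Constructed sample: public read is intended, public write is the mistake.
const SAMPLE_ACL = { Grants: [
  { Grantee: { Type: 'Group', URI: ALL_USERS }, Permission: 'READ' },
  { Grantee: { Type: 'Group', URI: ALL_USERS }, Permission: 'WRITE' }] };
const SAMPLE_POLICY = { Statement: [{ Effect: 'Allow', Principal: '*',
  Action: ['s3:GetObject', 's3:PutObject'],
  Resource: 'arn:aws:s3:::example-bucket/*' }] };
```

Statements that use NotAction or NotPrincipal are not evaluated here and need separate review.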