Payment Gateway Firm Razorpay Loses ₹7.3 Crore in Cyber Fraud Incident

 

The South East cybercrime police are investigating a fraud case in which a hacker stole ₹7.3 crore over three months by exploiting the authorization process of Razorpay Software Private Limited, a payment gateway company, to authenticate 831 failed transactions. 

The fraud came to light when officials of Razorpay Software Private Limited audited the company's transactions and could not reconcile the receipt of Rs. 7,38,36,192 against 831 transactions. 

Razorpay Software Private Limited was founded by Shashank Kumar and Harshil Mathur in 2015. The company offers online payment services that allow businesses in India to collect payments via credit card, debit card, net banking, and wallets. 

On May 16, Abhishek Abhinav Anand, head of Legal Disputes and Law Enforcement at Razorpay Software Private Limited, lodged a complaint with the South East cybercrime police. The police are currently attempting to track down the hacker on the basis of online transactions.
 
An internal probe has revealed that some person or persons have tampered with and manipulated the authorization and authentication process. As a result, false ‘approvals’ were sent to Razorpay against the 831 failed transactions, resulting in a loss amounting to ₹7,38,36,192. The company provided details of the 831 failed transactions, including date, time, IP address, and other relevant information to the police. 

"Razorpay's payment gateway is at par with the industry standards on data security. During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorization data on a few merchant sites that used an older version of Razorpay's integration, due to gaps in their payment verification process. The company has conducted an audit of the platform to ensure no other systems, no merchant data, and funds, and neither their end-consumers were affected by this incident,” Razorpay’s spokesperson stated. 

According to the Ministry of Electronics and Information Technology (MeitY), the number of cybercrime and fraud incidents recorded by the government jumped more than five-fold between 2018 and 2021. 

The number of incidents surged from 208,456 in 2018 to 1,402,809 in 2021, as per data available with the Indian Computer Emergency Response Team (CERT-In), the government agency for computer security.
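The verification gap described in the company's statement can be closed by checking every approval on the merchant's server instead of trusting data that passed through the browser. The following is an added example, not Razorpay's code or any merchant's integration: the field names, the secret, and the `order_id|payment_id` message format are assumptions made for illustration, and the sample callbacks are constructed.

```python
import hashlib
import hmac

# Constructed secret for the demo. In a real deployment it lives only on the
# merchant server and at the gateway, never in page JavaScript or form fields.
GATEWAY_SECRET = b"constructed-demo-secret"


def sign(order_id, payment_id, secret=GATEWAY_SECRET):
    """Signature the gateway is assumed to attach to an authorized payment."""
    message = f"{order_id}|{payment_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def naive_is_paid(callback):
    """Weak check: believes a status field that passed through the browser."""
    return callback.get("status") == "authorized"


def verified_is_paid(callback, expected_order_id, secret=GATEWAY_SECRET):
    """Accept a payment only if its signature verifies on the server.

    expected_order_id comes from the merchant's own order record, not from
    the callback, so a signature issued for one order cannot pay for another.
    """
    payment_id = callback.get("payment_id")
    signature = callback.get("signature")
    if not isinstance(payment_id, str) or not isinstance(signature, str):
        return False
    # "|" is the field separator; an id containing it would make the signed
    # message ambiguous, so reject it outright.
    if "|" in payment_id or "|" in expected_order_id:
        return False
    if callback.get("order_id") != expected_order_id:
        return False
    expected = sign(expected_order_id, payment_id, secret)
    # Constant-time comparison, done on bytes because compare_digest
    # rejects str arguments that contain non-ASCII characters.
    return hmac.compare_digest(expected.encode(), signature.encode())


def find_unverified(fulfilled):
    """Audit helper: order ids that were fulfilled without a valid signature.

    `fulfilled` maps the merchant's own order id to the callback it accepted.
    """
    return sorted(
        order_id
        for order_id, callback in fulfilled.items()
        if not verified_is_paid(callback, order_id)
    )


# Constructed sample callbacks, as a merchant server might have stored them.
GENUINE = {"order_id": "order_1001", "payment_id": "pay_A1",
           "status": "authorized", "signature": sign("order_1001", "pay_A1")}
# A failed payment whose status field was changed before reaching the server.
TAMPERED = {"order_id": "order_1002", "payment_id": "pay_B2",
            "status": "authorized", "signature": "0" * 64}
# A signature that was issued for a different order.
REPLAYED = {"order_id": "order_1003", "payment_id": "pay_A1",
            "status": "authorized", "signature": sign("order_1001", "pay_A1")}

FULFILLED = {"order_1001": GENUINE, "order_1002": TAMPERED,
             "order_1003": REPLAYED}

if __name__ == "__main__":
    for oid, cb in FULFILLED.items():
        print(oid, "naive:", naive_is_paid(cb),
              "verified:", verified_is_paid(cb, oid))
    print("fulfilled without valid signature:", find_unverified(FULFILLED))
```

The audit helper mirrors the reconciliation that exposed the fraud: orders marked as paid that have no verifiable approval behind them.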

US Reclaimed $15 Million From an Ad Fraud Operation

 

The US government has recovered more than $15 million in earnings from the 3ve digital advertising fraud enterprise, which cost firms more than $29 million in unviewed ads. 

According to the Justice Department, Sergey Ovsyannikov, Yevgeniy Timchenko, and Aleksandr Isaev accessed more than 1.7 million infected computers between December 2015 and October 2018, using tens of command and control (C&C) servers to operate the Kovter botnet. The click-fraud malware would quietly run in the background while connecting to sites to consume advertisements. 

A forfeiture order, according to the Justice Department, resulted in the transfer of $15,111,453.84 from Swiss bank accounts to the US government. The technique resulted in the falsification of billions of ad views and the spoofing of over 86,000 domains. According to the US Department of Justice, groups paid over $29 million for advertising never seen by real people. 

Ovsyannikov and Timchenko were arrested in 2018, pleaded guilty, and were sentenced to jail terms in the United States. For their role in 3ve (pronounced "Eve"), Isaev and five others are accused of money laundering, wire fraud, computer intrusion, and identity theft, yet they remain free. 

The US also charged Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, and Dmitry Novikov, five Russian citizens, with running the Methbot ad fraud scheme, which is thought to have netted the fraudsters more than $7 million in illegal gains. 

"This forfeiture is the greatest international cybercrime recovery in the Eastern District of New York's history," said United States Attorney Peace in a press statement.

Phishing Scam Adds a Chatbot Like Twist to Steal Data

 

According to research published Thursday by Trustwave's SpiderLabs team, a newly uncovered phishing campaign aims to reassure potential victims that submitting credit card details and other personal information is safe. 

As per the research, instead of just embedding an information-stealing link directly in an email or attached document, the procedure involves a "chatbot-like" page that tries to engage and create confidence with the victim. 

Researcher Adrian Perez stated, “We say ‘chatbot-like’ because it is not an actual chatbot. The application already has predefined responses based on the limited options given.” 

Responses to the phoney bot lead the potential victim through a number of steps that include a false CAPTCHA, a delivery service login page, and finally a credit card information grab page. Some of the other elements in the process, like the bogus chatbot, aren't very clever. According to SpiderLabs, the CAPTCHA is nothing more than a jpeg file. However, a few things happen in the background on the credit card page. 

“The credit card page has some input validation methods. One is card number validation, wherein it tries to not only check the validity of the card number but also determine the type of card the victim has inputted,” Perez stated.

The campaign was identified in late March, according to the company, and it was still operating as of Thursday morning. The SpiderLabs report is only the latest example of fraudsters' cleverness when it comes to credit card data. In April, Trend Micro researchers warned that fraudsters were utilising phoney "security alerts" from well-known banks in phishing scams. 

Last year, discussions on dark web forums about deploying phishing attacks to capture credit card information grew, according to Gemini Advisory's annual report. Another prevalent approach is stealing card info directly from shopping websites. Researchers at RiskIQ claimed this week that they've noticed a "constant uptick" in skimming activity recently, albeit not all of it is linked to known Magecart malware users.

Chinese Hackers are Targeting Russian Aerospace Industry

 

Space Pirates, a Chinese cyberespionage group, is targeting businesses in the Russian aerospace industry with phishing emails to deploy a novel strain of malware. 

The APT group started operating in 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field. 

Malicious actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia, and Mongolia. However, the majority of victims were in Russia, and several of them operated specifically within the partially state-owned aerospace industry of the Russian Federation. 

The researchers first uncovered signs of Space Pirates' activity last summer during incident response and quickly confirmed that the malicious actors employed the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second assault, the Chinese attackers stayed in the network of the compromised firms for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.

Jupiter Plugin Flaws Enable Hackers to Hijack Websites

 

According to WordPress security researchers, the Jupiter Theme and JupiterX Core plugins for the WordPress content management system have a variety of vulnerabilities. A major privilege escalation issue is one of these vulnerabilities. 

Privilege escalation means gaining control of an account or rights that would otherwise be inaccessible to the current user, by exploiting an application or OS flaw or a configuration error. With these rights, a hostile actor can perform a variety of actions on the operating system or server, such as executing commands or helping malware spread within the network, which can result in business disruption, sensitive data exposure, or system takeover. 

As per the source, "This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme. The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks."

"On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner. On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template." 

Jupiter is a powerful and high-quality WordPress theme builder. More than 90,000 well-known blogs, online magazines, and platforms with a high volume of user traffic use it. The vulnerability, which has been assigned the identifier CVE-2022-1654 and a CVSS score of 9.9 (critical), allows any authenticated user on a website running a vulnerable version of the theme or plugin to gain administrator access. 

After successfully exploiting the flaw, attackers have complete control over the website and may do whatever they want with it. This can include altering the site's content, installing dangerous programmes, or completely deleting the site. The attacker only has to be a simple subscriber or client on the website to exploit this vulnerability; thus, it could be said that the attack does not have strict requirements. 

CVE-2022-1654 affects Jupiter Theme 6.10.1 and older (fixed in 6.10.2), JupiterX Theme 2.0.6 and older (fixed in 2.0.7), and JupiterX Core Plugin 2.0.7 and older (fixed in 2.0.8). To remediate the vulnerability, either update to the latest version or disable the plugin and change the site's theme.
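The missing capability and nonce checks described in the quoted advisory, shown as a simplified Python model of an AJAX action dispatcher. This is an added example, not code from WordPress, the Jupiter theme or the JupiterX Core plugin: the User class, the `manage_site` capability, the nonce scheme and the dispatcher functions are assumptions made for illustration, and only the action name comes from the text.

```python
import hashlib
import hmac
from dataclasses import dataclass

SITE_SECRET = b"constructed-site-secret"  # constructed value for this demo


@dataclass
class User:
    name: str
    role: str  # "subscriber" or "administrator"

    def can(self, capability):
        # Simplified capability model: only administrators may manage the site.
        return capability == "manage_site" and self.role == "administrator"


def make_nonce(user, action):
    """Token bound to one user and one action (simplified: no expiry)."""
    message = f"{user.name}|{action}".encode()
    return hmac.new(SITE_SECRET, message, hashlib.sha256).hexdigest()[:16]


def uninstall_template(user):
    """Stand-in for the reset routine: the caller becomes the site owner."""
    user.role = "administrator"
    return "site reset"


# Action name taken from the advisory text; the handler is the stand-in above.
ACTIONS = {"abb_uninstall_template": uninstall_template}


def dispatch_vulnerable(user, params):
    """Being logged in is the only requirement to reach the handler."""
    return ACTIONS[params["action"]](user)


def dispatch_hardened(user, params):
    """Same routing, but the request must pass both checks first."""
    action = params["action"]
    handler = ACTIONS[action]
    supplied = str(params.get("nonce", ""))
    expected = make_nonce(user, action)
    # Nonce check: the request must come from a page the site itself served.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("invalid nonce")
    # Capability check: a valid nonce alone does not grant authority.
    if not user.can("manage_site"):
        raise PermissionError("missing capability")
    return handler(user)


def attempt(dispatch, user, params):
    """Run one request and report the outcome and the user's resulting role."""
    try:
        result = dispatch(user, params)
    except PermissionError as exc:
        result = f"denied: {exc}"
    return result, user.role


if __name__ == "__main__":
    action = "abb_uninstall_template"
    sub = User("sam", "subscriber")
    print(attempt(dispatch_vulnerable, sub, {"action": action}))
    sub = User("sam", "subscriber")
    print(attempt(dispatch_hardened, sub,
                  {"action": action, "nonce": make_nonce(sub, action)}))
    admin = User("ada", "administrator")
    print(attempt(dispatch_hardened, admin, {"action": action}))
    print(attempt(dispatch_hardened, admin,
                  {"action": action, "nonce": make_nonce(admin, action)}))
```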

Private Data of Europeans Shared 376 Times Daily in Ad Sales

 

Private information about every internet user is shared hundreds of times each day as companies bid for online advertising slots. A brand-new report by the Irish Council for Civil Liberties (ICCL) found that the average European user's data is shared 376 times per day, and the figure rises to 747 times daily for US-based users. 

Currently, ICCL is engaged in a legal battle with the digital ad industry and the Data Protection Commission against what it describes as an epic data breach, arguing that nobody has ever specifically consented to this practice. 

The data is shared between brokers acting on behalf of those wishing to place adverts, in real-time, as a web page loads in front of someone who is reading it. The brands in the adverts themselves are not involved. 

That data can be practically anything based on the Interactive Advertising Bureau's (IAB) audience taxonomy. The basics, of course, like age, sex, location, income, and the like are included, but it doesn't stop there. All sorts of websites fingerprint their visitors and those fingerprints can later be used to target ads on unrelated websites. 

It is used to secure the most relevant bidder for the advert space on the page. This all happens automatically, in a fraction of a second, and is a multimillion-dollar industry. Personally-identifying information is not included, but campaigners argue that the volume of the data is still a violation of privacy.  

"Every day the RTB [Real Time Bidding] industry tracks what you are looking at, no matter how private or sensitive, and it records where you go. This is the biggest data breach ever recorded. And it is repeated every day," said Dr. Johnny Ryan, senior fellow at the ICCL. 

According to the ICCL report, the source of the data was a Google feed covering a 30-day period. It is made available to the industry, but not the public. The data about US web users' habits are shared in advert sales processes 107 trillion times per year and European users' data is shared 71 billion times.  

"If the exhaust of our personal data could be seen in the same way pollution can, we'd be surrounded by an almost impenetrable haze that gets thicker the more we interact with our phones.,” tech reporter Parmy Olson, said. 

Apple Launched a Safety Fix for a Zero-day Flaw

 

Apple released an emergency patch for iPhone, Mac, and iPad early last month that addressed two zero-day vulnerabilities in the various operating systems. Now, just days after the launch of iOS 15.5, Apple is asking Mac and Apple Watch owners to upgrade. 

Zero-day vulnerabilities are defects in software that the vendor is unaware of and has not yet patched. Before a fix is released, this type of vulnerability may have publicly available proof-of-concept exploits or be actively exploited in the wild. Apple stated in security advisories released on Monday that it is aware of reports this security flaw "may have been actively exploited."

CVE-2022-22675 is a bug in AppleAVD, an audio and video extension, that allows programs to run arbitrary code with kernel privileges. Apple patched the flaw in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with enhanced bounds checking after unknown researchers reported it. Apple Watch Series 3 or later, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD are all among the affected devices. 
  • In 2022, Apple had five zero-day vulnerabilities. Apple patched two more zero-day vulnerabilities in January, which allowed hackers to execute arbitrary code with kernel privileges (CVE-2022-22587) and to track online surfing habits and user identities in real time (CVE-2022-22594). 
  • Apple also issued security upgrades to address a new zero-day vulnerability (CVE-2022-22620) that was used to compromise iPhones, iPads, and Macs.
  • Two more actively exploited zero-days, in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD media decoder (CVE-2022-22675), were discovered in March. The latter is also backported in older macOS versions, including watchOS 8.6 and tvOS 15.5. 

Apple did not previously disclose specifics about the flaw to prevent hackers from using the knowledge. Throughout last year, Apple fixed a slew of zero-day vulnerabilities that had been discovered in the wild and targeted iOS, iPadOS, and macOS devices. 

How do I upgrade my Mac? 
  • In the corner of the screen, select the Apple menu, and 'System Preferences' will appear. 
  • Click 'Software Update' in the following menu. 
  • Then select 'Update Now' or 'Upgrade Now' from the menu. 
If you're still using an older version of the operating system, such as Big Sur, click 'Upgrade Now' to upgrade to the most recent version. Monterey is approximately 12GB in size. 

How to manually update your Apple Watch: 
  • Open the Apple Watch app on your iPhone, then tap the 'My Watch' tab. 
  • Select 'Software Update' from the General menu. 
  • Install the update. If your iPhone or Apple Watch passcode is requested, enter it. 
  • On your Apple Watch, wait for the progress wheel to display. The update could take anything from a few minutes to an hour to finish.

Researchers: Tesla Cars, Bluetooth Locks, Vulnerable to Hackers

 

Hackers can remotely unlock millions of digital locks around the world, including those on Tesla cars, due to a flaw in Bluetooth technology, according to a cybersecurity firm. 

NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device tied to a laptop, which spanned a wide gap between the Tesla and the Tesla owner's phone, according to a video shared with Reuters.

"This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world," the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol - technology used in millions of cars and smart locks which automatically open when in close proximity to an authorised device. 

Although Khan demonstrated the hack on a Tesla Model Y from 2021, NCC Group claims that any smart lock that uses BLE technology, including residential smart locks, may be unlocked in the same way. Tesla did not immediately respond to a request for comment. 

"In effect, systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware," the firm stated. "This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved". 

According to the NCC Group, such a vulnerability is not the same as a traditional bug that can be repaired with a software patch, and BLE-based authentication was not intended for usage in locking mechanisms.

Facestealer Trojan Identified in More than 200 Apps on Google Play

 

Cybersecurity researchers at TrendMicro have identified more than 200 applications on Google Play distributing spyware called Facestealer used to steal user credentials and other sensitive data, including private keys. The worrying thing is that the number and popularity of these types of applications are increasing day by day, with some even being installed over a hundred thousand times. 

Some malicious applications that users should uninstall immediately include: Daily Fitness OL, Enjoy Photo Editor, Panorama Camera, Photo Gaming Puzzle, Swarm Photo, Business Meta Manager, and Cryptomining Farm Your Own Coin. 

Facestealer, first identified by Doctor Web in July 2021, steals Facebook information from users via malicious apps on Google Play, then uses it to infiltrate Facebook accounts, serving purposes such as scams, fake posts, and advertising bots. Similar to the Joker malware, Facestealer changes its code frequently and has multiple variations. 

"Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Cifer Fang, Ford Quin, and Zhengyu Dong researchers at Trend Micro stated in a new report. "Since its discovery, the spyware has continuously beleaguered Google Play." 

Since they were first reported, the malicious apps have continuously reappeared on Google Play under different guises. For example, Daily Fitness OL is ostensibly a fitness app, but its main goal is to steal Facebook data. Once the application is launched, it will send a request to download the encryption configuration. When the user logs into Facebook, the application opens a WebView browser to load the URL from the downloaded profile. 

Subsequently, a piece of JavaScript code is embedded in the web page to get the login data. After the user is successfully logged into the account, the application collects the cookie, then encrypts all the personally identifiable information (PII) and sends it to the remote server. 

In addition, TrendMicro researchers unearthed 40 fake cryptocurrency miner apps that are variants of similar apps that they discovered in August 2021. The apps trick users into subscribing to paid services or clicking on advertisements. 

To mitigate the risks, users should carefully read reviews from people who have already downloaded an app before installing it. However, this is not a complete solution, because many applications hire services to boost their ratings; for example, Photo Gaming Puzzle is rated 4.5 stars, and Enjoy Photo Editor is rated 4.1 stars. Enjoy Photo Editor surpassed 100,000 downloads before Google removed it from the Play Store.

Three Malware Fileless Phishing Campaigns: AveMariaRAT / BitRAT / PandoraHVNC

 

Cybersecurity experts at Fortinet's FortiGuard Labs have detailed a phishing campaign that delivers three fileless malware families onto a victim's device. The AveMariaRAT, BitRAT, and PandoraHVNC trojans are spread when users mistakenly run malicious attachments delivered in phishing emails. The malware is capable of acquiring critical data from the device.
 
Cybercriminals can exploit the campaign to steal usernames, passwords, and other sensitive information, such as bank account numbers. BitRAT is particularly dangerous to victims because it can take complete control of infected Windows systems, including viewing webcam activity, listening to audio through the microphone, secretly mining for cryptocurrency that is sent to the attackers' wallet, and downloading additional malicious files.

The first phishing mail appears to be a payment report from a reputable source, with a brief request to view a linked Microsoft Excel document. This file contains dangerous macros, and when it is opened, Microsoft Excel warns the user about using macros. If the user disregards the warning and accepts the file, malware is downloaded. The malware is retrieved and installed onto the victim's computer using Visual Basic for Applications (VBA) scripts and PowerShell. The PowerShell code is divided into three sections, one for each of the three types of malware that can be installed, and each section employs the same logic: 
  • A dynamic mechanism for conducting GZip decompression is included in the first "$hexString." 
  • The second "$hexString" contains dynamic PowerShell code for decompressing the malware payload and an inner .NET module file for deploying it. 
  • The GZip-compressed malware payload is contained in the "$nona" byte array. The PowerShell scripts retrieved from the second $hexString are used to decompress the malware payload in $nona and to deploy the malware payload into two local variables using the inner .NET module. 
The study doesn't explain why the phishing email contains three malware payloads, but it's conceivable that with three different types of malware to deploy, the cybercriminals will have a better chance of gaining access to whatever critical information they're after. 

Phishing is still one of the most prevalent ways for cyber thieves to deliver malware because it works, but there are steps you can take to avoid being a victim. Mysterious emails claiming to offer crucial information buried in attachments should be avoided, especially if the file requires users to allow macros first. By using suitable anti-spam and anti-virus software and training workers on how to recognize and report phishing emails, businesses can help workers avoid falling victim to them.

Alert! Scam Pixelmon NFT Website Hosts Password-stealing Malware

 

A bogus Pixelmon NFT site tempts visitors with free tokens and collectables while infecting them with spyware that steals their cryptocurrency wallets. Pixelmon is a popular NFT project with plans to create an online metaverse game where users can gather, train, and battle other players with pixelmon pets. 

The project has attracted a lot of attention, with nearly 200,000 Twitter followers and over 25,000 Discord members. Threat actors have replicated the original pixelmon.club website and built a fake version at pixelmon[.]pw to deliver malware to take advantage of this interest. Instead of providing a demo of the project's game, the malicious site provides executables that install password-stealing malware on a device. 

The website is offering a package named Installer.zip that contains a faulty executable that does not infect users with malware. However, MalwareHunterTeam, which was the first to identify this malicious site, detected other dangerous files distributed by it, which showed what malware it was spreading. Setup.zip, which contains the setup.lnk file, is one of the files distributed by this fraudulent site. Setup.lnk is a Windows shortcut that runs a PowerShell command to download pixelmon[.]pw's system32.hta file. 

When BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is no longer widely used. Security researcher Fumik0_, who has previously examined this malware family, confirmed this. When launched, the Vidar sample from the threat actor connects to a Telegram channel and retrieves the IP address of the malware's command and control server. The malware will then obtain a configuration instruction from the C2 and download further modules to steal data from the afflicted device. 

Vidar malware may steal passwords from browsers and apps, as well as scan a computer for files with certain names, which it subsequently sends to the threat actor. The C2 commands the malware to seek and steal numerous files, including text files, cryptocurrency wallets, backups, codes, password files, and authentication files. Because this is an NFT site, visitors are expected to have bitcoin wallets installed on their PCs. 

As a result, threat actors focus on looking for and stealing cryptocurrency-related files. While the site is presently not distributing a functioning payload, BleepingComputer has observed evidence that the threat actors have been modifying the site in recent days, as payloads that were available two days ago are no longer available. 

Based on the site's activity, one can expect this campaign to remain active and working threats to be added soon. Given the high number of fraudsters attempting to steal bitcoin from NFT projects, users should always double-check that the URL they are viewing is indeed associated with the project they are interested in.

Five Eyes Agencies Warn Managed Service Providers of Cyber Attacks

 

The Five Eyes alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand, and Canada last week published a joint advisory warning of threats targeting managed service providers (MSPs) and their customers. 

The advisory advises customers of MSPs in the member nations on how to guard sensitive details and reassess their security posture and contractual agreements with their service providers based on individual risk tolerance. MSPs are a prime target for cybercriminals and nation-state actors because attacking an MSP can lead to additional downstream victims (as we witnessed with the Kaseya and SolarWinds assaults).

"As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), stated.

"We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain," she added.

The alert is the result of a collaborative effort among the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation in the U.S.; the National Cyber Security Centers in the United Kingdom and New Zealand; the Australian Cyber Security Center; and the Canadian Center for Cyber Security. 

Mitigation tips 

In the advisory issued on the second day of the NCSC's Cyber UK conference, where several senior figures from the cybersecurity agencies have met to discuss the issue of global cyber threats, the authorities recommend that MSP customers ensure that their MSPs implement the following measures and controls: 

• To counter initial assault, enhance the security of vulnerable devices, protect internet-facing services and defend against brute-force and phishing attacks. 
• Improve monitoring and logging processes for the delivery infrastructure activities used to provide services to the customer. 
• Enable multifactor authentication across all customer services and products. 
• Periodically erase obsolete accounts and infrastructure and apply updates to the infrastructure whenever available and necessary. 
• Develop incident response and recovery plans. 
• Understand and proactively manage supply chain risk. 
• Adopt transparent processes and, at the same time, manage account authentication and authorization.

Iranian Hackers Launch Cyberattack Against US and the UK 

 

Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusions, one of which involves opportunistic ransomware assaults using genuine tools like BitLocker and DiskCryptor for financial benefit. The second round of attacks is more focused, with the primary purpose of securing access and acquiring intelligence, with some ransomware thrown in for good measure.

Initial access is gained by scanning for internet-facing servers that are vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Servers, and web shells are then used as a route to move laterally and activate the ransomware.

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address spoofed accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified and clean DLL. The macro also adds a scheduled job that runs every four hours to provide the malicious application (update.exe) persistence.

Another unique discovery concerns two anti-analysis methods used in the macro: the manipulation of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks determines that the group's use of publicly available tools for ransomware activities proves that it is still a threat.

SaaS App Vanity URLs Can Be Spoofed for Phishing & Social Engineering

 

Researchers warn that vanity links made by businesses to add their brand to well-known cloud services could become a handy vector for phishing attacks and a technique to deceive users. Cloud services that don't check whether subdomains have been modified may allow URLs that appear to be from "varonis.box.com" or "apple.zoom.us," according to a Varonis advisory released on Wednesday. 

In the instance of Box.com, this could result in a malicious document; in the case of Zoom, it could result in a data-gathering webinar unrelated to the stated brand. The issue arises when a cloud service permits the usage of a vanity subdomain but does not validate it or use it to provide services. More than six months ago, Varonis warned Box.com and Zoom of the problem, as well as Google, whose URLs to Google Docs might be spoofed. 

The issues are essentially fixed, according to the company. According to Or Emanuel, director of research and security at Varonis, the vulnerability is likely to occur for other providers. "We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers." 

Attackers use the names of well-known companies to hide dangerous code and phishing sites, which allows them to dupe victims into trusting false e-mail messages and website links. In 2019, for example, three-quarters of businesses learned that a lookalike domain had been created by a third party using a top-level domain other than .COM. Varonis' research takes a different approach to the problem.

Rather than looking at top-level domains, the company's researchers looked into ways to abuse the subdomains that many cloud service providers allow their customers to use. "Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."

When a customer is permitted to utilise their brand as a subdomain, such as varonis.zoom.us, a software-as-a-service (SaaS) application is vulnerable to the attack since the subdomain is no longer validated when the link is provided to a third party, such as participants in a conference call or webinar. In the case of Zoom's service, attackers may design a webinar that asks registrants a series of social engineering-friendly questions, rebrand the webinar as a well-known organisation, and then modify the resulting URL to the targeted URL. 

The original domain — for example, attacker.zoom.us — might be changed to varonis.zoom.us without affecting the link's functioning. A well-branded page might trick a victim into providing personal information, especially if the subdomain indicates that the host is a well-known organisation. In the case of Box.com, a link like app.box.com/f/abcd1234 may be modified to varonis.app.box.com/f/abcd1234 to make it look like an official form gathering information while actually sending it to the attacker.  

"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns." 

This type of social engineering is useful in phishing attacks, as well as in persuading people to click on links or download suspicious files. According to the FBI's annual Internet Crime Complaint Center (IC3) report, losses from cybercrime, including phishing attacks, reached approximately $7 billion in 2021. According to Emanuel, cloud providers should verify that any URL change is confirmed by the link's encoding.

According to Varonis, both Box.com and Google have fixed the issues, although the errors are still present for Google Forms and Google Docs when using the "Publish to the web" function. When the subdomain is changed, Zoom will notify users. Furthermore, users should be wary of links, particularly if the connected page requires too much information or leads to further links or files.

"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.
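The spoofing described above comes down to a server that ignores the subdomain when it resolves a shared link. The following is an added example, not code from Varonis or from any of the providers named; the domain `saas.example`, the `/f/<id>` path and the link records are constructed assumptions. It contrasts a resolver that treats the subdomain as decoration with one that serves a branded URL only when the brand owns the link.

```python
from urllib.parse import urlsplit

BASE_DOMAIN = "saas.example"     # hypothetical provider domain (assumption)
GENERIC_LABEL = "app"            # unbranded host: app.saas.example

# Constructed records: share-link id -> tenant account that created it.
LINK_OWNER = {"abcd1234": "attacker", "f00dcafe": "varonis"}
TENANTS = {"attacker", "varonis"}


class LinkError(Exception):
    """Raised when a URL must not be served."""


def split_link(url):
    """Return (subdomain label, link id) for https://<label>.saas.example/f/<id>."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if parts.scheme != "https" or not host.endswith(suffix):
        raise LinkError("not a service URL")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "f" or segments[1] not in LINK_OWNER:
        raise LinkError("unknown link")
    return host[: -len(suffix)], segments[1]


def resolve_unchecked(url):
    """Behaviour the advisory describes: the subdomain is never validated."""
    _label, link_id = split_link(url)
    return LINK_OWNER[link_id]          # served under whatever brand the URL shows


def resolve_checked(url):
    """Serve a branded URL only when the brand is the link's real owner."""
    label, link_id = split_link(url)
    owner = LINK_OWNER[link_id]
    if label == GENERIC_LABEL:
        return owner                    # generic host makes no brand claim
    if label not in TENANTS:
        raise LinkError("unknown vanity subdomain")
    if label != owner:
        raise LinkError("subdomain does not match link owner")
    return owner


if __name__ == "__main__":
    spoofed = "https://varonis.saas.example/f/abcd1234"
    print("unchecked serves content owned by:", resolve_unchecked(spoofed))
    try:
        resolve_checked(spoofed)
    except LinkError as exc:
        print("checked resolver refuses:", exc)
```
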

New Version of 'Sysrv' Botnet is Targeting Windows and Linux Servers

 

Microsoft recently unearthed a new version of the Sysrv botnet, tracked as Sysrv-K, capable of abusing bugs in WordPress and Spring Framework to install crypto-mining malware on vulnerable Windows and Linux servers. The variant has been upgraded with multiple features, including scanning for unpatched WordPress and Spring deployments. 

"The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers" by exploiting various vulnerabilities, the Microsoft Security Intelligence team tweeted. "These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins as well as newer vulnerabilities like CVE-2022-22947."

CVE-2022-22947 (CVSS score of 10) is a critical code injection vulnerability in Spring Cloud Gateway that allows unauthenticated, remote attackers to achieve remote code execution.

Sysrv-K scans for WordPress configuration files and their backups, in an attempt to steal database credentials and take over the webserver. Moreover, the botnet packs updated communication capabilities, such as support for Telegram.

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and hostnames, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” the Microsoft team added. 

The botnet has been active since at least December 2020, but its activity was documented in April 2021 by multiple security researchers. Sysrv-K secures control of web servers by scanning the internet to locate them and then exploiting various vulnerabilities such as path traversal, remote file disclosure, arbitrary file downloads, and remote code execution. Once the malware runs on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner.

After killing competing cryptocurrency miners and deploying its own payloads, the botnet auto-spreads over the network via brute force attacks using SSH private keys collected from various locations on infected servers (e.g., bash history, ssh config, and known_hosts files). 

Subsequently, the botnet aggressively scans the Internet for more vulnerable Windows and Linux systems to add to its army of Monero mining bots. To mitigate the risks, organizations are recommended to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.
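Because the spread described above relies on private keys and host names found on an infected server, a defender can measure how much of that material an account leaves reusable. The following is an added example, not Microsoft's tooling or code from the original post; the key envelopes and known_hosts lines are constructed, non-functional samples. It reports private keys stored without a passphrase and known_hosts entries stored unhashed.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def read_ssh_string(buf, off):
    """Read one uint32-length-prefixed string; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end


def key_is_encrypted(pem_text):
    """True = passphrase-protected, False = usable as-is, None = not a key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if "OPENSSH PRIVATE KEY" in header:
        try:
            blob = base64.b64decode("".join(lines[1:-1]), validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return None
            cipher, _ = read_ssh_string(blob, len(OPENSSH_MAGIC))
        except ValueError:              # also covers base64 decoding errors
            return None
        return cipher != b"none"        # first field is the cipher name
    if "ENCRYPTED PRIVATE KEY" in header:            # encrypted PKCS#8
        return True
    if "PRIVATE KEY" in header:                      # legacy PEM or plain PKCS#8
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    return None


def plaintext_known_hosts(text):
    """Return host names/addresses stored unhashed in a known_hosts file."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):                # @cert-authority / @revoked
            fields = fields[1:]
        if not fields or fields[0].startswith("|1|"):  # hashed (HashKnownHosts)
            continue
        found.extend(fields[0].split(","))
    return found


def audit(keys, known_hosts_text):
    """Summarise what key-harvesting malware could reuse from this account."""
    return {
        "unprotected_keys": sorted(n for n, t in keys.items() if key_is_encrypted(t) is False),
        "plaintext_hosts": plaintext_known_hosts(known_hosts_text),
    }


def constructed_openssh_key(cipher):
    """Build a truncated, non-functional key envelope for the demo (constructed)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed known_hosts content: one plaintext entry, one hashed, one CA line.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
db01.internal.example,10.0.0.15 ssh-ed25519 AAAAconstructedkey
|1|c2FsdHNhbHRzYWx0c2FsdA==|aGFzaGhhc2hoYXNoaGFzaA== ssh-ed25519 AAAAconstructedkey
@cert-authority *.corp.example ssh-rsa AAAAconstructedkey
"""

if __name__ == "__main__":
    sample_keys = {"id_ed25519": constructed_openssh_key(b"none"),
                   "id_backup": constructed_openssh_key(b"aes256-ctr")}
    print(audit(sample_keys, SAMPLE_KNOWN_HOSTS))
```
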

Users' Crypto Wallets are Stolen by Fake Binance NFT Mystery Box Bots

 

Researchers have discovered a new campaign that spreads RedLine Stealer, a low-cost password stealer sold on underground forums, by disguising the malware in GitHub repositories as a fake Binance NFT mystery box bot promoted through an array of YouTube videos that take advantage of global interest in NFTs.

The enticement is the promise of a bot that will automatically purchase Binance NFT Mystery Boxes as they become available. Binance mystery boxes are collections of non-fungible token (NFT) items for users to purchase in the hopes of receiving a one-of-a-kind or uncommon item at a discounted price. Some of the NFTs obtained in such boxes can be used in online blockchain games to add unusual cosmetics or identities. However, the bot is a hoax. According to Gustavo Palazolo, a malware analyst at Netskope Threat Labs, the video descriptions on the YouTube pages lead victims to unknowingly download RedLine Stealer from a GitHub link.

In the NFT market, mystery boxes are popular because they provide individuals with the thrill of the unknown as well as the possibility of a large payout if they win a rare NFT. However, marketplaces such as Binance sell them in limited quantities, making some crates difficult to obtain before they sell out. This is why prospective buyers frequently use "bots" to obtain them, and it is exactly this big trend that threat actors are attempting to exploit.

"We found in this attempt that the attacker is also exploiting GitHub in the threat flow, to host the payloads," Palazolo said. "RedLine Stealer was already known for manipulating YouTube videos to proliferate through false themes." The advertising was spotted by Netskope in April. "While RedLine Stealer is a low-cost malware, it has several capabilities that might do considerable harm to its victims, including the loss of sensitive data," Palazolo said.

The ads were uploaded during March and April 2022, and each one includes a link to a GitHub repository that purports to host the bot but instead distributes RedLine. "BinanceNFT.bot v1.3.zip" is the name of the dropped file, which contains a program of a similar name (the payload), a Visual C++ installer, and a README.txt file. Because RedLine is written in .NET, it demands the VC redistributable setup file to run, whereas the text file contains the victim's installation instructions.

If the infected machine is found in any of the following countries, the malware does not run, according to Palazolo: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Ukraine, and Uzbekistan.

The repository's GitHub account, "NFTSupp," began work in March 2022, according to Palazolo. The same source also contains 15 zipped files including five different RedLine Stealer loaders. "While each of the five loaders we looked at is slightly different, they all unzip and inject RedLine Stealer in the same fashion, as we discussed earlier in this report. The oldest sample we identified was most likely created on March 11, 2022, and the newest sample was most likely compiled on April 7, 2022," he said. These promotions, on the other hand, use rebrand.ly URLs that lead to MediaFire downloads. This operation is also spreading password-stealing trojans, according to VirusTotal. 

RedLine is now available for $100 per month on a subscription basis to independent operators, and it allows for the theft of login passwords and cookies from browsers, content from chat apps, VPN keys, and cryptocurrency wallets. Keep in mind that the legitimacy of platforms like YouTube and GitHub does not inherently imply content reliability, as these sites' upload checks and moderation systems are inadequate.

SonicWall Urges Admins to Fix SSLVPN SMA1000 Flaws

 

SonicWall is urging customers to fix multiple high-risk security vulnerabilities in its Secure Mobile Access (SMA) 1000 Series line of products, which might allow attackers to evade authorization and compromise unpatched devices. 

Enterprises utilise SonicWall SMA 1000 SSLVPN solutions to ease end-to-end secure remote access to business resources in on-premises, cloud, and hybrid data centre environments. The first bug (a high-severity unauthenticated access control bypass) has been assigned CVE-2022-22282; however, the other two (a hard-coded cryptographic key and an open redirect, both of medium severity) are currently awaiting a CVE ID.

"SonicWall strongly urges that organizations using the SMA 1000 series products upgrade to the latest patch," the company says in a security advisory published this week. 

SonicWall, on the other hand, stated that no evidence of these vulnerabilities being exploited in the field was discovered. The vulnerabilities do not affect SMA 1000 series devices running versions prior to 12.4.0, SMA 100 series products, CMS, or remote access clients, according to the company. The following SMA 1000 Series models are affected by security flaws: 6200, 6210, 7200, 7210, and 8000v (ESX, KVM, Hyper-V, AWS, Azure). 

The most serious of the three flaws is CVE-2022-22282, which allows unauthenticated attackers to bypass access control and obtain access to internal resources. This vulnerability can be remotely exploited in low-complexity attacks that don't involve any user input. If left unpatched and abused by attackers, the hard-coded cryptographic key flaw can have catastrophic repercussions, allowing them to get access to encrypted passwords. 

According to MITRE's CWE database, "The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question." 

Threat actors would most likely seek ways to compromise SMA 1000 series VPN appliances because they are utilised to protect remote connections into corporate networks. SonicWall also warned in July 2021 that end-of-life SMA 100 series and Secure Remote Access systems will be more vulnerable to ransomware assaults. 

SonicWall's products are used by over 500,000 commercial clients in 215 countries and territories across the world, with many of them deployed on the networks of government agencies and the world's major corporations.

Nearly 15 Million People Impacted by ElasticSearch Misconfiguration

 

Cybersecurity researchers at Website Planet have unearthed two misconfigured ElasticSearch servers owned by an anonymous organization using open-source data analytics software developed by SnowPlow Analytics, a London-based software vendor. 

The software allows entities to gather and examine information about their websites' users, apparently without their knowledge. It is worth noting that a web analytics tool can collect a wide variety of data metrics. The collected information is then used to build an extensive, detailed profile of site visitors.

According to researchers, both servers were unencrypted and required no password authorization. The unsecured servers exposed 359,019,902 records, nearly 579.4 GB of data. The exposed servers contained detailed logs of website user traffic — information that belongs to users of various websites collecting data with the open-source technology, including the following. 

• Referrer page 
• Timestamp 
• IP address 
• Geolocation data 
• Web page visited 
• User-agent data of website visitors 

The servers contained user information collected over two months in 2021. The first server contained data from September 2021 with 242,728,328 records or 389.7 GB of data gathered between September 2nd, 2021, and October 1st, 2021. 

The second server contained December 2021 data featuring 116,291,574 records or 189.7 GB of data collected between December 1st, 2021, and December 27th, 2021. Nearly 4 to 100 records appear for each user on the two servers, and given that there are multiple logs for each user, this exposure might affect at least 15 million people, the researchers added.

It is worth noting that the compromised data could have been accessed by anyone with eyes, and included geolocation and IP addresses. Additionally, the servers were live and actively updating new information at the time when they were discovered. However, neither ElasticSearch nor SnowPlow Analytics is responsible for this exposure because the company that owns the misconfigured servers is at fault. 

The data leak might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a third party with malicious intent or not. Fortunately, both exposed servers were secured after Website Planet sent alerts to concerned authorities.

To secure their data, users can employ a Virtual Private Network (VPN), which hides online activity and the IP address, making the user anonymous to on-site tracking and cookies. People can also use the Tor browser to access the internet anonymously and maintain their data privacy.

HP Fixes UEFI Flaws Affecting 200+ Computers

 

HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday. 

CVE-2021-3808 and CVE-2021-3809 are the two flaws, which have a CVSS score of 8.8. HP credited Aruba Threat Labs' Nicholas Starke and a researcher going by the online handle "yngweijw" with reporting the issues but did not disclose technical details on either of the flaws. 

The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs. 

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. 

According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the security flaw is due to an SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode. The SMI handler, according to Starke, may be triggered from a kernel execution context like a Windows Kernel Driver, enabling an attacker to determine the memory location of a specific function and overwrite it in physical memory to point to attacker code.

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” Starke added.

While the majority of the vulnerable devices have already received firmware updates, a handful have yet to receive them. Users can check HP's advisory for more information on the impact and upgrades. HP also released warnings this week that outline the updates Intel has released to address several firmware and software vulnerabilities affecting its CPUs and chipsets, as well as HP products.