Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

United States
Cyber Crime Ransomware attack Threat actors United States

Hades Ransomware Attacks US Big Game

 

An obscure monetarily spurred threat group is utilizing the self-proclaimed Hades ransomware variant in cybercrime activities that have affected at least three victims since December 2020. Known victims incorporate a huge US transportation and logistics organization, a huge US consumer products organization, and a worldwide manufacturing organization. 

Tactics, Techniques, and Procedures (TTP) utilized to compromise a victim network, escalate privileges, move laterally, evade defenses, exfiltrate data and deploy Hades ransomware are relatively consistent with other notable ransomware operators, utilizing a mix of commodity tooling and various living-off-the-land techniques. When Hades lands on a victim's machine, it duplicates itself and relaunches itself through the command line. The 'spare' duplicate is then erased and an executable is unloaded in memory. A scan is then performed in local directories and network offers to discover content to encrypt however every Hades sample secured uses a different extension. 

Moreover, Accenture recognized extra Tor covered up services and clearnet URLs by means of different open-source reporting relating to the Hades ransomware samples. For every examined sample, the ransom notes distinguished educate the victim to install Tor browser and visit the predetermined page. The Tor pages vary just in the Victim ID that is given, demonstrating every Tor address might be particularly created for every victim. Accenture Security distinguished an aggregate of six of these addresses, showing there could be three extra victims that they are unaware of as of now. 

Right now, it is hazy if the obscure threat group works under an affiliate model, or if Hades is appropriated by a solitary group. Under an affiliate model, developers partner with affiliates who are answerable for different undertakings or phases of the operation lifecycle, for example, conveying the malware, giving starting admittance to associations, or even target selection and reconnaissance. In any case, in light of intrusion information from incident response engagements, the operators tailor their strategies and tooling to deliberately chose targets and run a more “hands-on keyboard” operation to inflict maximum damage and higher payouts. 

Likewise, Accenture recognized similarities in the Hades ransom notes to those that have been utilized by REvil ransomware operators, where parts of the ransom notes observed contain identical wording.
Read more »
Vulnerabilities and Exploits
Intel Vulnerabilities and Exploits

Black code: Two critical vulnerabilities found in Intel processors

Two new vulnerabilities have been found in Intel processors. They are undocumented capabilities of the manufacturer that allow hijacking control over the device. Access to them opens in a special mode that in most cases only Intel engineers have access to. However, in some scenarios it can also be activated by hackers. Information security experts suggest that these options may be present in all current Intel processors and see them as a major potential threat.

According to Positive Technologies experts Mark Yermolov and Dmitry Sklyarov, there are two undocumented instructions in Intel processors that allow modification of the microcode and gain control over the processor and the entire system.

"The discovered instructions allow bypassing all existing x86 architecture protection mechanisms in modern processors," said Yermolov.

The experts specified that the features found are in Intel's Atom processor family, which has been updated since 2011 to the present day.

"In theory, the vulnerabilities found can be exploited by any attacker who has the necessary information", Alexander Bulatov, Commercial Director of RuSIEM, told the publication.

In this case, the hacker would get a whole set of opportunities to control the compromised system.

“This can be either the simplest forced shutdown of the device, or flashing the processor with microcode that secretly performs certain tasks of the attacker,” explained Bulatov.

According to Yermolov, instructions can be activated remotely only in a special mode of operation of processors Red Unlock, which only Intel engineers should have access to. As Positive Technologies noted, some processors have vulnerabilities that allow third parties to enable Red Unlock mode as well.

Intel's press office said it takes Positive Technologies' research seriously and is carefully reviewing their claims.

The vulnerabilities found are potentially dangerous for users of devices based on the Intel Atom family. These are low-power processors mainly used in netbooks, tablets, POS terminals and POS machines.


Read more »
Vulnerabilities and Exploits
5G AdaptiveMobile Network Slicing Vulnerabilities and Exploits

Major Security Flaw Spotted in 5G Core Network Slicing Design

 

AdaptiveMobile security researchers have discovered a major flaw in the architecture of 5G network slicing and virtualized network functions. This vulnerability has been discovered to potentially allow data access and denial of service (DOS) attacks between different network slices on a mobile operator which leaves enterprise clients exposed to malicious cyberattacks. 

Details of 5G network

5G, the 5th generation mobile network, is the latest global wireless standard after the previously introduced 1G, 2G, 3G, and 4G networks which makes it all the more important because it enables a new kind of network that is created to connect virtually everyone and everything including machines, objects and devices.

How does 5G network slicing works?

Network slicing basically permits a mobile operator to divide their core and radio network into multiple distinct virtual blocks that provide different amount of resources to different types of traffics.

A great benefit of 5G network slicing for network operators will be the ability to deploy only the functions necessary to support specific clients and particular market segments such as automotive, healthcare, critical infrastructure, and entertainment. 

Some of the top nations using 5G are also the ones who are most affected by the vulnerability including South Korea, United Kingdom, Germany, and the United States because multiple firms in these countries deployed networks and are selling compatible devices.

5G network loopholes 

In its investigation, AdaptiveMobile Security examined 5G core networks that contain both shared and dedicated network functions, disclosing that when a network has these ‘hybrid’ network functions that support several slices there is a lack of mapping between the application and transport layers identities.

This vulnerability in the industry standards has the potential impact of creating an opportunity for an attacker to access data and launch denial-of-service attacks across multiple slices if they have access to the 5G service-based architecture. 

“When it comes to securing 5G, the telecoms industry needs to embrace a holistic and collaborative approach to secure networks across standards bodies, working groups, operators and vendors. Currently, the impact on real-world applications of this network-slicing is only limited by the networks globally. The risks, if the fundamental flaw in the design of 5G standards had gone undiscovered, are significant,” said Dr. Silke Holtmanns, Head of 5G Security Research at AdaptiveMobile Security.
Read more »
WizCase
Data Breach Hackers Personal Data WizCase

Forex Broker Leaked Customer Records

 

White hat hackers have disclosed a significant leak of client information by online forex dealer FBS Markets. This incorporates a great many confidential records, including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more. Details of the security breach, which has since been rectified after the dealer was cautioned, were uncovered by Chase Williams, a white hat hacker and site security expert, on the website WizCase. At this stage it isn't evident whether any of the leaked information has been utilized for deceitful purposes by threat actors.

The information leak was revealed as a part of a progressing WizCase research project that scans for unstable servers, and tries to set up who the proprietors of those servers are. WizCase informed FBS of the issue. Williams said that FBS left a server containing right around 20 TB of information and over 16bn records exposed. Regardless of containing very sensitive financial data, the server was left open without any password protection of encryption. WizCase's group said the FBS data “was accessible to anyone.” “The breach is a danger to both FBS and its customers,” WizCase said. “User information on online trading platforms should be well secured to prevent similar data leaks.”

The broker said, “The protection of our clients privacy is one of the core values of FBS, and we stick to the highest protection standards. FBS has never had such major accidents. In October 2020 we faced an overheating on the server which affected our logs recording. During the time when we were setting up a new ElasticSearch server, several wrong subnet masks were added accidentally, which led to the possibility to access the server for a very limited number of people only, in a certain part of the world.” 

FBS added that it had completed a technical audit and that to its knowledge no information had been downloaded. It has contacted the customers affected and whose information may have been undermined and encouraged them on what to do. FBS has additionally moved to a more encoded VPN and has introduced an intrusion detection system. New rules for working with the forex brokers infrastructure have been applied and other safety efforts have additionally been carried out.
Read more »
REvil
attackers malware Ransomware Ransomware Attacks. reboot REvil

REvil Ransomware Gang Introduces New Malware Features which can Reboot Infected Devices

 

The ransomware gang REvil introduced a special malware feature that allows attackers to reboot infected devices after encryption. REvil emerged in April 2019 and is also recognized by the names Sodinokibi and Sodin. The ransomware gang was linked to many important attacks, including attacks in May 2020 on popular law firm Grubman Shire Meiselas and Sacks and also an attack in April 2020 on Travelex, a London-based currency exchange that paid a $2.3 million ransom for recovering its data. 

The MalwareHunter team researchers recently tweeted that the REvil operators have introduced two new command lines named 'AstraZeneca' and 'Franceisshit,' in Windows Safe Mode, which is utilized to reach the initialization screen for Windows devices. 

"'AstraZeneca' is used to run the ransomware sample itself in the safe mode, and 'Franceisshit' is used to run a command in the safe mode to make the PC run in normal mode after the next reboot," team of MalwareHunter tweeted. 

However it is not special, but the strategy is definitely uncommon, said the analysts. REvil implements this feature most likely as it will help the Ranking software to avoid detection by certain security devices because these functions allow attackers to encrypt the files in windows safe mode. 

"Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe," says Erich Kron, security awareness advocate at the security firm KnowBe4. "This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode." 

By tracking computers for unusual rebooting activities and by implementing successful data loss protection checks, organizations can deter malicious acts. Since REvil mainly uses compromised RDPs and mail phishing for distribution, it is essential for organizations, ideally through multi-factor authentication, to ensure that all Internet-accessible RDP instances are protected and that their employees are trained on high-quality security sensitives which can help them identify and track phishing attacks. 

Lately, the gang allegedly attacked Taiwan PC maker ‘Acer’ in an on-site version of Microsoft Exchange server, exploiting the unpatched ProxyLogon defect. 

The REvil Gang has gradually strengthened its malware and adapted various new methods of extortion. As of now, it frequently aims at bigger companies looking for significantly greater pay-outs, names, and shames via its devoted leak and targets cyber-insurance victims.
Read more »
hackers group
Anonymous Anonymous Hackers Cyber Attacks hackers group

Anonymous Hackers reportedly exposed the anti-Russian activities of the British Council

The Anonymous hacker group published an analysis of documents belonging to various British government agencies, including the Foreign Office, according to the local media reports. 

Anonymous previously accused British authorities and media organizations of influencing Russian-language media and attempting to shape the minds of their audiences in the way the West wants. In support of their position, the hackers published hundreds of copies of files that they called documents of the British Foreign and Parliamentary Ministries and organizations working for the authorities.

The analysis notes that the purpose of such manipulations is to change power in Russia and change the Kremlin's foreign policy.

It is also pointed out that the council is cooperating with British intelligence to be more effective.

The hackers noted the organization's activity in Russia's neighboring states: in the Caucasus, Moldova, Belarus and Ukraine.

"The British Council's operations in the Baltic States are well documented: they are designed to socially unite Russian-speaking communities in these countries, to make sure they have strong ties among themselves and feel an affinity with British and European values and culture, and are resistant to destabilizing narratives. Brilliant brainwashing," writes Anonymous.

The group cites photocopies of files to prove their claims, which include a call for proposals for communication in English in the South Caucasus, Moldova, and Belarus for fiscal years 2019-2022. Anonymous claims that it is a copy of the Foreign Ministry document, but there are no logos or markings on it to confirm this.

According to this document, the British State was willing to allocate 650,000 pounds per year for English language training in the regions, so the total cost of the three-year program should not exceed 1.95 million pounds.

However, according to Anonymous, the real purpose of the humanitarian programs of the British authorities in the post-Soviet space is "to break the foundations of the regime in Russia or to change its foreign policy".


Read more »
Israeli Voters
6.5 Million Data Breach Elector Software Israeli Voters

Personal Details of 6.5 Million Israeli Voters Leaked Online

 

A database with the names and ID numbers of all the eligible voters in Israel was leaked online by anonymous hackers on Monday, a year after an identical breach and a day before the country’s fourth election in less than two years.

The source of the data seems to be the app elector designed by the software firm Elector Software for the Israeli political party Likud. The threats some of which were sent directly to the firm, included warnings that the threat actors would leak data that was allegedly stolen from the app, as well as private information on the firm’s CEO Tzur Yemin, and his family unless the app ceases operating. 

Last week, threat actors threatened to expose Israel’s full voter registry. The hackers initially shared links to download the data they claim to have stolen. The files were encrypted, while the threat actors were threatening to distribute the password unless the use of the Elector app was discontinued. 

Earlier this week, the hackers revealed the password via websites that don’t require registration allowing anyone to access them. The attackers identified as ‘The Israeli Autumn’, declared they were forced to release the information due to the failure of authorities to deal with Elector. 

Leaked data included the voter registration details of 6,528,565 Israelis and the private details of 3,179,313 of Israeli’s estimated 9.3 million total population (full names, phone numbers, ID card numbers, home addresses, gender, age, and political preferences). 

In February 2020, an Israeli web developer named Ran Bar-Zik, discovered that the app’s web had left exposed. An API endpoint that permitted him to get a list of the site’s admins and their account details, including passwords. Using those passwords, Bar-Zik said he was able to access a database containing the personal details of Israel voters.
Read more »
Windows
Botnet Exploit Kits malware SMB Windows

New Worm Capabilities Targets Windows Machines

 

A malware that has verifiably targeted exposed Windows machines through phishing and exploit kits have been retooled to add new "worm" capabilities. Purple Fox, which originally showed up in 2018, is an active malware campaign that as of, not long ago required user interaction or some kind of third-party tool to infect Windows machines. However, the assailants behind the campaign have now upped their game and added new functionality that can force its way into victims' systems on its own, as indicated by new Tuesday research from Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs Amit Serper said. In addition to these new worm abilities, Purple Fox malware now additionally incorporates a rootkit that permits the threat actors to conceal the malware on the machine and make it hard to distinguish and eliminate, he said. 

Researchers examined Purple Fox's most recent activity and discovered two huge changes to how assailants are spreading malware on Windows machines. The first is that the new worm payload executes after a victim machine is undermined through a weak exposed service. Purple Fox additionally is utilizing a past strategy to contaminate machines with malware through a phishing effort, sending the payload by means of email to exploit a browser vulnerability, researchers observed. When the worm infects a victim's machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper. 

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”

Gadgets caught in this botnet incorporate Windows Server machines running IIS form 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, and Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.
Read more »
University of Miami
Clop Ransomware Data Breach Ransomware University of Colorado University of Miami

Data From These Two Universities Stolen and Published Online by Clop Ransomware Group

 

The Clop ransomware group has officially published online the grades and social security numbers for students at the University of Colorado and the University of Miami. 

From December, threat agents related to the Clop Ransomware Group had started to attack Accellion FTA servers and steal the data stored on their servers. These servers are used by companies to exchange confidential files and information with non-organizational people. The ransomware gang approached the companies and asked for $10 million in bitcoins and if the demand is not fulfilled then they would publish the stolen information on the internet. 

Since February, the team of Clop Ransomware has started to publish the compromised files that were stolen due to the flaws in the Accellion FTA file-sharing servers. Later this week the Clop Ransomware Gang began posting screenshots of compromised files from the Accellion FTA server that is used by Miami University and Colorado University. In February, Colorado University (CU) revealed a cyberattack that mentioned that the threat actors had stolen data through a vulnerability of Accellion FTA. 

The actors behind the Clop ransomware have started to post compromised data screenshots, including university files, university grades, academic records, registration details, and biographical information of students. 

While the University of Miami did not report any data breach, it used a protected 'SecureSend' file sharing program that had since been shut down. "Please be advised that the secure email application SecureSend (secure.send.miami.edu) is currently unavailable, and data shared using SecureSend is not accessible," reads the University's SecureSend page. 

Although the University of Miami never confirmed a security incident, still screenshots of patient information were released by the Clop ransomware operation. This information covers medical history, demographic analyses, and telephone numbers and email addresses. The data supposedly robbed from the University of Miami belongs to the patients of the health system of the University. 

"While we believe based on our investigation to date that the incident is limited to the Accellion server used for secure file transfers, we continue to enhance our cybersecurity program to further safeguard our systems from cyber threats. We continue to serve our University community consistent with our commitment to education, research, innovation, and service," the University of Miami wrote. 

The ransomware gang has only published few screenshots at this time but is likely to release more documents to force victims to pay in the future.
Read more »
Vulnerabilities and Exploits
$25 000 Bug Bounty GitHub Vulnerabilities and Exploits

GitHub Awards $25,000 Bug Bounty to the Google Employee

 

GitHub awarded $25,000 to the security researcher, Teddy Katz for discovering a bug and patching it. On March 17, bug bounty hunter and Google employee Teddy Katz published a note regarding a GitHub flaw discovered in the communication system between repositories and the organization’s workflow automation software, GitHub actions.

The security flaw was tracked as CVE-2022-22862 and was reported as an improper access control susceptibility that “allowed an authenticated user with the ability to fork a repository to disclose Action secrets for the parent repository of the fork.”

Katz identified the working method of GitHub and how it manages to pull requests. Every single pull request is meant to have a base branch, and this is often the main branch of a repository. Pull request designers can lay the base branch pointer. However, the bug bounty hunter recognized that it was possible to set branches to commits, and while this ended in errors due to merge conflicts, GitHub Actions converted the bug into something more dangerous. 

GitHub executes merge pull request stimulations to stop pull request creators from accessing repository secrets. According to Katz, this “breaks the GitHub actions permission model” and evades Actions secrets restrictions.

“Since the base branch is part of the base repository itself and not part of a fork, workflows triggered by pull_request_target are trusted and run with access to secrets. We just created a pull request where the base branch is a commit hash, not a branch. And anyone can create a new commit hash in the base repository since GitHub shares commits between forks,” Katz explained. 

An attacker could split public repositories that use GitHub Actions, design a pull request, and then set a malicious Actions workflow and separately commit to a fork – gaining access to repository secrets in the process.

“It would be difficult to conceal the malware for long – the malicious package would almost certainly be unpublished in a matter of hours or days depending on how fast the maintainers/npm security team were able to respond. Once it was exploited like this, the underlying GitHub vulnerability would probably have been noticed and fixed as well,” Katz stated.
Read more »
Russian Cyber Security
Central Bank of Russia Cyber Security Russia Russian Cyber Security

Russia's Central Bank has warned of hackers targeting banks' mobile apps

 The Central Bank of Russia has warned of the emergence of a group of hackers investigating vulnerabilities in banks' mobile applications.

The Bank of Russia has detected a shift in hackers' attention from the banking infrastructure to customers' financial mobile applications in order to steal data or money from their accounts. The regulator suggests that a highly skilled hacker group has emerged in the financial market specializing in the deep analysis of mobile applications in order to detect and exploit weaknesses and vulnerabilities.

The survey is based on information exchange between the Central Bank and financial market participants. 818 organizations, including 365 banks, are currently included to it.

"The data available to the Bank of Russia suggests the emergence of at least one group of attackers focused on the skilled hacking of financial mobile applications," the survey said.

The Central Bank cited two examples in which cybercriminals discovered vulnerabilities in mobile apps and used them for hacking. As a result, in the first case, a server containing files with the personal data of a bank's customers - more than 100,000 lines - was published on the Web: Name, gender, mobile phone number, email address, place of work, account and bank card number, account type, currency. In the second case, the hackers managed to steal money by logging into the bank's mobile app and, when making a transfer, substituting their account number with that of another bank customer, who became the victim.

"These two examples are not the only cases of attacks on mobile applications of financial institutions that have occurred recently," the review specifies. In this regard, the Central Bank has recommended banks to strengthen the protection of mobile components of remote service systems.


Read more »
Subscribe to: Comments (Atom)