Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Trojan Attacks
Crypto Wallets DeFi IP Address Lazarus Group malware NFTs North Korea Remote Code Execution Spear Phishing attacks Trojan Attacks

Hackers in Dprk use Trojanized DeFi Wallet App to Steal Bitcoin

 

North Korean government-linked hackers have now been circulating a trojanized version of a DeFi Wallet for holding bitcoin assets to obtain access to cryptocurrency users' and investors' systems.

Securing economic benefits is one of the primary motives for the Lazarus threat actor, with a focus on the cryptocurrency industry. The Lazarus group's targeting of the financial industry is increasing as the price of cryptocurrencies rises and the appeal of the non-fungible asset (NFT) and decentralized finance (DeFi) enterprises grows.

In this attack, the threat actor used web servers in South Korea to distribute malware and communicate with the implants that had been placed. Kaspersky Lab researchers recently identified a malicious version of the DeFi Wallet software that installed both the legal app and a backdoor disguised as a Google Chrome web browser executable. When the trojanized DeFi application was launched on the machine, it introduced a full-featured backdoor with a compilation date of November 2021. It's unknown how the hackers spread the word, but phishing emails or contacting victims through social media are both possibilities. 

Although it's not clear how the threat actor persuaded the victim to run the Trojanized program (0b9f4612cdfe763b3d8c8a956157474a), it is believed they used a spear-phishing email or social media to contact the victim. The Trojanized application initiates the previously unknown infection technique. This installation package masquerades as DeFi Wallet software, but it actually contains a legal binary that has been packed with the installer. 

The virus installed in this manner, as per the researchers, has "sufficient capabilities to manage" the target host by issuing Windows commands, uninstalling, starting or killing processes, enumerating files and related information, or connecting the computer to a particular IP address. 

The malware operator can also collect relevant data (IP, name, OS, CPU architecture) and the discs (kind, free space available), files from the command and control server (C2), and retrieve a list of files stored in a specified area using additional functionalities. According to Japan CERT, the CookieTime malware group known as LCPDot has been linked to the DPRK operation Dream Job, which enticed victims with phony job offers from well-known firms. 

Google's Threat Analysis Group (TAG) revealed recent activity related to Dream Job earlier this month, finding North Korean threat actors used a loophole for a zero-day, remote code execution bug in Chrome to aim at people working for media, IT companies, cryptocurrency, and fintech companies. "The CookieTime cluster has linkages with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the Lazarus organization," Kaspersky adds. 

The links between the current trojanized DeFiWallet software and other malware attributed to North Korean hackers go beyond the virus code to the C2 scripts, which overlap many functions and variable names. It's worth mentioning that Lazarus is the umbrella name for all state-sponsored North Korean threat operations. Within the DPRK, however, several threat groups are operating under different institutions/departments of the country's intelligence establishment. 

Mandiant analysts prepared an evaluation of the DPRK's cyber program structure using data collected over 16 months from its digital activity tracking for the entire country, OSINT monitoring, defector reporting, and imaging analysis. Targeting bitcoin heists is certainly within the scope of financially motivated units inside the country's Reconnaissance General Bureau's 3rd Bureau (Foreign Intelligence), according to their map (RGB).   
Read more »
Supply Chain
Cyber Security NCSC Researcher Risks Russia Supply Chain

NCSC Suggests to Reconsider Russian Supply Chain Risks

 

One of the UK's top security agencies has encouraged the public sector, critical infrastructure (CNI), and other institutions to rethink the hazards of any "Russian-controlled" elements of their supply chain. 

There is no evidence that the Russian government is preparing to compel private providers to harm UK interests, according to Ian Levy, technical director of the National Cyber Security Centre (NCSC). That doesn't rule out the possibility of it happening or happening in the future, he continued. 

"Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed. The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them,” Levy argued. 

All UK public sector organisations, those supplying services to Ukraine, CNI enterprises, organisations performing the activity that could be regarded as being in opposition to Russian interests, and high-profile institutions whose compromise would be a PR success for the Kremlin are all covered by the new NCSC guidelines. 

Levy continued, “You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk. Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.” 

Even those companies which aren’t likely to be a target should remember that global sanctions could impact the availability of any Russian technology services. There was some good news from the NCSC. Levy said individuals using Kaspersky products could continue to do so relatively safely. He claimed that “massive, global cyber-attacks” are unlikely to be launched due to the conflict.
Read more »
LAPSUS$
British Police Cyber Attacks Data Theft hackers group LAPSUS$

British Police Charge Teenagers in LAPSUS$ Gang Connection

 

The Police force of London city who has been investigating the Lapsus$ malicious group announced on Friday that it has charged two of the seven teenagers, a 16-year-old and a 17-year-old for their illegal connections to the LAPSUS$ data extortion group. 

The two teenagers have been charged with unauthorized access to a computer with the intention to impair the reliability of data, fraud by false representation, and unauthorized access to a computer with the intention to hinder access to data, the police force stated. 

According to a member of the police, charges come when the Police moved to catch seven suspected LAPSUS$ group members aged between 16 and 21 on March 25. 

“Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data,” Detective Inspector Michael O’Sullivan, from the City of London Police, said in a statement. 

In a short span of a few months, the LAPSUS$ hacker group has gained infamy in the crowded digital extortion market for their hacking records including stealing and publishing the source code of multiple top-tier technology companies on their Telegram channel, which has more than 58,000 subscribers. It's worth noting that it has exceedingly high-level of access to some of the biggest companies in the world. 

Data has shown that in the past few months, Lapsus$ has extracted data from various global giants, including Samsung, Nvidia, Microsoft, Vodafone, and Qualcomm, with the latest target being the Globant. 

The group of hackers came into the spotlight after attacking Okta, a company that facilitates organizations with security services. 

"In today's environment, threat actors favor using ransomware to encrypt data and systems and often extort victims for significant amounts of cryptocurrency in exchange for decryption keys, sometimes turning up the pressure with the threat of publishing stolen data…" 

"…LAPSUS$, however, is unusual in its approach – for this group, notoriety most often appears to be the goal, rather than financial gain”, Palo Alto Networks' Unit 42 team reported.
Read more »
Ukraine
Anonymous Cyber Attacks Cyber War Russia Ukraine

Anonymous Wages a Cyber War Against Russia, Targets Oligarchs

Anonymous continues its attacks against Putin and Russia, recently, the latest attack is targeted against the Russian investment agency 'Marathon Group.' Anonymous keeps attacking Russian firms owned by oligarchs, last week, the group announced the hacking of Thozis Corp and in the most recent incident, the group claims responsibility behind the Marathon group hack. Marathon group is a Russian investment firm, the owner is oligarch Alexander Vinokuro, the EU sanctioned him recently. Vinokurov is the son-in-law of Russian Foreign Minister Lavrov. Anonymous breached the organization's systems and leaked 62,000 emails (a 52 GB archive) through DDoSecrets (Distributed Denial of Secrets). 

DDoSecrets is a non for profit whistleblower website launched in 2018. "JUST IN: #Anonymous has hacked & released 62,000 emails from the Marathon Group, a Russian investment firm owned by oligarch Alexander Vinokurov, currently under EU sanctions. Vinokurov is also the son-in-law of Russian Foreign Minister Lavrov" tweets @YourAnonTV. The group also takes responsibility for the hacking of Belarus government website associated with Volozhin Economy, a city in the Minsk region of Belarus. 

"Anonymous makes an intrusion into a website of the Government of Belarus dedicated to the Economy of Volozhin, a Belarusian city in the Minsk region" tweets @Anonymous_Link. The Anonymous group tweeted that due to the nature of the leak, DDoSecrets is willing to offer the data to journalists and researchers. "Hackers leaked 15GB of data stolen from the Russian Orthodox Church's charitable wing & released roughly 57,500 emails via #DDoSecrets. #DDoSecrets noted that due to the nature of the data, at this time it is only being offered to journalists & researchers," tweets @YourAnonTV What else has Anonymous done to Russia? 

In March, Anonymous declared to wage a "cyber war" against a Russia. Since then, Anonymous has claimed responsibility for launching various attacks on the Russian government, news websites and organizations, and leaked data of prominent firms like Roskomnadzor, a federal agency which censors Russian media. "Many CIS files were erased, hundreds of folders were renamed to "putin_stop_this_war" and email addresses and administrative credentials were exposed," said Jeremiah Fowler, cybersecurity company Security Discovery's Co-founder.

Read more »
User Security
Calendar app Cyber Attacks Email Attacks Phishing Attacks User Security

Threat Actors Abuse Calendly App to Steal Account Credentials

 

Cyber criminals have unearthed a new vector of assault to utilize during phishing campaigns. Calendly, a free scheduling app, permits malicious actors to use email to lure the victim to a meeting with the title and link they choose. This increases the authenticity of the phishing email as it seems to come from a legitimate firm. 

Earlier this year in February, security analysts at INKY, an email monitoring firm, discovered specific instances where the phishing actors titled the meeting "You have received a new fax document" with an embedded link to "preview" the document. The link instead brought victims to a webpage that looked like a Microsoft site but actually was set up to steal Microsoft account credentials. 

The webpage also contained a common methodology employed by attacker in newer phishing campaigns to ensure credentials are free of typos, in which the victim is lured to enter their credentials twice, due to the credentials being "invalid.” 

The victim is then sent to the domain of their email address to minimize the likelihood of realizing the compromise and reporting it as phishing. According to INKY, majority of the methodologies employed in this campaign are standard, the use of Calendly has not been previously spotted. 

“The app is committed to protecting users against phishing attacks with built-in security tools such as a next-gen web application firewall, anomalous traffic pattern alerts as well as fraudulent IP tracking capabilities,” the Calendly spokesperson stated. 

“In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

Calendly has also detailed a couple of steps that should help users improve their security. The company advises reviewing the sender’s email address and display name. In the attack described by INKY, the email claimed to be sent by Microsoft but came from a non-Microsoft domain. Another red flag would be prompting a user for credentials to copy and send back to their command-and-control (C2) infrastructure. 

To protect against credential harvesting, another option is to use a password manager. The use of password manager is a simple method to avoid entering credentials into malicious phishing websites, due to the phishing domain not being the same as the impersonated websites. A password manager will not autofill the password, and will alert the users that the website they're on is not authentic.
Read more »
Technology
Blockchain Crypto Fintech Ola Finance Technology

Ola Finance: Attackers Stole $4.7M in 'Re-Entrancy' Exploit

 

According to a post-mortem report released by the developers, the decentralised lending platform Ola Finance was exploited for approximately $4.67 million in a "re-entrancy" assault on Thursday. 

Ola runs a decentralised finance (DeFi) platform that spans multiple blockchains, and the hack on Thursday targeted the Fuse network. For financial services such as lending and borrowing, DeFi refers to the use of smart contracts rather than third parties. 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin, and 1,240,000.00 FUSE were obtained using Ola's services on the Fuse network. 

At current pricing, all of that is worth more than $4.67 million. The attack took use of a re-entrancy flaw in the ERC677 token standard. Reentrancy is a frequent issue that allows attackers to deceive a smart contract into stealing assets by repeatedly calling a protocol. An authorization for a smart contract address to communicate with a user's wallet address is known as a call. 

The attacker used a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance to execute the initial heist transaction. The attacker avoided a flash loan in subsequent transactions by using funds that had already been stolen, according to the post-mortem study. Voltage is a decentralised trading protocol for the Fuse network that enables for automated trading of DeFi coins. 

Attackers were able to fool Voltage's smart contracts by transferring wrapped assets — which they generated using flash loans, a type of short-term uncollateralized borrowing, asking the smart contract send payments from Voltage to the hacker's addresses The attack, according to Ola Finance, could not be replicated on any of the lending networks it supports. The developers stated, “We will investigate each token’s 'transfer' logic to make sure no problematic token standards are in use.” 

 Meanwhile, Voltage stated it was in contact with third parties to track down the attacker and devise a method to compensate those who had been harmed.
Read more »
Yahoo
API GitHub malware Microsoft 365 Microsoft Azure TLS Certificates URL Yahoo

To Mimic Microsoft, Phishing Employs Azure Static Web Pages

 

Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows to build and deploy full-stack web apps to Azure using code via GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users using Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Apps has a process that is customized to a developer's everyday routine. Code changes are used to build and distribute apps. Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice when users establish an Azure Static Web Apps resource. A build is automatically done, and your app and API are published to Azure every time they post patches or allow codes into the watched branch. 

Targeting Microsoft users with the Azure Static Web App service is a great strategy. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own secure page padlock in the address bar. After seeing the certificate granted by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even the most skeptical targets will be fooled, certifying a fraud site as an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out if one is being targeted by a phishing assault, the typical advice is to double-check the URL whenever we're asked to enter one's account credentials in a login. Unfortunately, phishing efforts that target Azure Static Web Apps render this advice nearly useless, since many users will be fooled by azurestaticapps.net subdomain and genuine TLS certificate.
Read more »
VPN
Data Breach Data Wiping Malware ESET Microsoft Russian Hackers Supply Chain Ukraine Ukrainian Cyber Security VPN

Viasat: Acid Rain Virus Disable Satellite Modems

 

The cyberattack which targeted the KA-SAT satellite broadband service to erase SATCOM modems on February 24 used a newly discovered data wiper virus. It impacted thousands in Ukraine and thousands more across Europe. 

A cybersecurity firm, SentinelOne, claims to have discovered a malware sample, which disrupted internet connectivity on February 24. The malware, called AcidRain, which was also likely utilized in the Viasat breach, is a Unix executable application which is meant to attack MIPS-based devices. This could indicate the attackers' lack of experience with the filesystem and firmware of the targeted devices, or their desire to create a reusable tool.

The same sample came from SkyLogic, the Viasat operator in charge of the damaged network, which is also situated in Italy. The software sample was also tagged with the moniker "ukrop," which could be a reference to the Ukraine Operation. 

The researchers underscored that Viasat did not offer technical indicators of compromise or a detailed incident response report. Instead, rogue commands damaged modems in Ukraine and other European countries, according to the satellite industry. The SentinelOne duo were perplexed as to how valid orders could produce such mayhem in the modem, "scalable disruption is more feasibly performed by delivering an update, script, or executable," they added. 

The program wipes the system and various storage device files completely. AcidRain executes an initial repetitive replacement and removal of non-standard files in the filesystem if the malware is launched as root "Juan Andres Guerrero-Saade and Max van Amerongen," SentinelOne threat experts, revealed. 

The wipers overwrite file structures with up to 0x40000 bytes of data or utilize MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) service calls to erase data on compromised devices. 

The fact Viasat has supplied nearly 30,000 modems to get clients back online since the February 2022 attack and is still shipping more to speed up service restoration, suggests that SentinelOne's supply-chain threat scenario is correct. The IOCTLs used by this virus also resemble those used by the VPNFilter malware 'dstr' wiper plugin, a destructive program linked to Russian GRU hackers. 

The Ukrainian Computer Emergency Response Team recently stated a data wiper known as DoubleZero had been used in assaults on Ukrainian businesses. On the same day that Russia invaded Ukraine, they discovered IsaacWiper, a data wiper, and HermeticWizard, a new worm which dropped HermeticWiper payloads. ESET has discovered a fourth data-destroying malware strain called CaddyWiper, which wipes data across Windows domains and eliminates user data and partition information from associated drivers. 

Microsoft discovered a sixth wiper, now known as WhisperGate, in mid-January, which was being used in data-wiping attacks targeting Ukraine while masquerading as ransomware.
Read more »
Underground Forum
Info Stealer malware Russian Hacking Forums Underground Forum

Info Stealing BlackGuard Malware is Advertised for Sale on Russian Hacking Forums

 

A sophisticated information stealer dubbed BlackGuard is gaining the attention of the cybercrime community. The malware is advertised for sale on multiple Russian hacking forums with a lifetime price of $700 or a subscription of $200 per month. 

This low value and ease of access may permit a thrifty menace actor to loot hundreds of cryptocurrency wallets, financial institution accounts, and much with little to no work, researchers at Zscaler who spotted and analyzed the malware explained. 

The malware was first spotted on Russian-language hack forums in January 2022, but then it was distributed privately and was at the testing stage. As with all modern information-stealers, BlackGuard exfiltrates information from almost any application that processes sensitive user data, with a focus on crypto assets. In an infected system, BlackGuard looks for the following applications to steal user data from them: 
  • Web browsers: Passwords, cookies, autofill, and history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo. 
  • Wallet browser extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx 
  • Cryptocurrency wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi 
  •  Email: Outlook 
  •  Messengers: Telegram, Signal, Tox, Element, Pidgin, Discord 

The gathered information is bundled in a ZIP file, also known as logs, and is sent to the attackers’ C&C server via a POST request, along with a system profile report that assigns a unique identifier to the victim’s equipment.

In terms of bypassing BlackGuard’s capabilities are still under development, but some systems are already in place to avoid detection and analysis. First, the malware is packed with a crypter, and the code is obfuscated using base64. Finally, it will inspect the operating system’s processes and try to block any actions linked to antivirus software or sandboxing once it landed on a vulnerable workstation.

How to avoid the installation of malware? 

To mitigate the risks, you must avoid visiting shady websites and downloading files from untrustworthy or dubious sources. Furthermore, use two-factor authentication, keep your OS and applications updated, and use strong and unique passwords for all your online accounts. If you believe that your computer is already compromised, researchers recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.
Read more »
USA
Cyber defense Data Breach data security NSA USA

NSA Employee Indicted for 'Leaking Top Secret Info' To a Woman

 

Recently, the United States Department of Justice (DoJ) has claimed that an NSA employee has been sharing highly sensitive data of national security with an individual who allegedly is a private sector employee. 

According to a DoJ announcement and the indictment, an NSA staffer named Mark Unkenholz "held a TOP SECRET/Sensitive Compartmented Information (SCI) clearance and had lawful access to classified information relating to the national defense." 

The indictment has been unleashed on Thursday in U.S. District Court in Baltimore, which has accused Mark Unkenholz, 60 years old employee of the NSA office that engages with private industry, sent 13 unauthorized emails to the woman who was referred to as “RF” from February 2018 to June 2020, each email was containing top secret information relating to national defense. 

Following the incident, the court said that "reason to believe [the info] could be used to the injury of the United States or to the advantage of any foreign nation." Further, the justice departs reported that the RF also had a TOP SECRET/SCI clearance from April 2016 until approximately June 2019 through the company she was working for which was named Company 1, however when she switched the company 1 to company 2 her clearance lapsed. 

According to the indictment's timeline, Unkenholz sent the files to RF when she was working at Company 1 and at Company 2. It shows that RF's clearance was not sufficient for these sensitive materials. 
 
Also, Unkenholz used his personal email address for this act and according to the regulations, the personal email address is not considered as an authorized storage location for sensitive data. In this case, Unkenholz has been charged with 13 counts of willful retention of national defense information on top of the 13 counts of “willful transmission.” Each charge approves 10 years in federal prison.
Read more »
Vulnerabilities and Exploits
Bugs CVE vulnerability Flaws Mallicious code Rockwell Automation Vulnerabilities and Exploits

Severe Flaws in Rockwell PLC Could Allow Attackers to Implant Malicious Code

 

Rockwell Automation's programmable logic controllers (PLCs) and engineering workstation software have two new security flaws that might be exploited by an intruder to introduce malicious code into affected systems and silently manipulate automation operations. 

In a way similar to Stuxnet and the Rogue7 assaults, the vulnerabilities have the ability to impair industrial operations and cause physical damage to factories. 

Claroty's Sharon Brizinov noted in a write-up published, "Programmable logic and predefined variables drive these [automation] processes, and changes to either will alter the normal operation of the PLC and the process it manages." 

The following is a list of two flaws – 
  • CVE-2022- (CVSS score: 10.0) — A remotely exploited weakness that allows a hostile actor to write user-readable "textual" computer code to a memory location independent from the compiled code that is being executed (aka bytecode). The problem is in Rockwell's ControlLogix, CompactLogix, and GuardLogix control systems' PLC firmware. 
  • CVE-2022-1159 =This vulnerability has a CVSS score of 7.7. Without the user's knowledge, an attacker with administrative access to a workstation running the Studio 5000 Logix Designer application can disrupt the compilation process and inject code into the user programme. 

Successfully exploiting the flaws could enable an attacker to change user programmes and download malicious code to the controller, effectively changing the PLC's normal operation and allowing rogue commands to be sent to the industrial system's physical devices. 

Brizinov explained, "The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC." 

Because of the severity of the weaknesses, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning outlining mitigation actions that users of the affected hardware and software can take as part of a "comprehensive defence-in-depth strategy."
Read more »
Subscribe to: Comments (Atom)