Japanese Automation Firm Yokogawa Patches CENTUM, Exaopc Vulnerabilities

 

Yokogawa Electric Corp., of Japan, recently patched multiple critical flaws in its control system software that can be abused to suppress alarms, read or write files, crash the server, or execute arbitrary code. 

Researchers at cybersecurity firm Dragos have identified ten critical flaws in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems. The remotely exploitable vulnerabilities are related to hard-coded credentials, relative path traversal, improper output neutralization for logs, OS command injection, permissions, privileges, access controls, and uncontrolled resource consumption. 

Some of the vulnerabilities, many of which have been assigned a “high severity” rating, require local access to the targeted device, while others can be abused by sending specially crafted packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).

“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability expert in Dragos' Threat Operations Center, stated. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.” 

Thus far, Dragos researchers have no evidence to suggest that the vulnerabilities have been exploited in the wild. However, in a real-world attack, a malicious actor could abuse the security loopholes to gain access to the HIS or render it useless by causing a DoS condition.

“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson added. 

The Japanese automation giant has released patches and mitigations for affected products. However, CENTUM CS 3000 products, which have reached end of life, will not receive updates, and users have been advised to upgrade to CENTUM VP. The company released details about the flaws in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March.

“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson concluded. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).” 

Earlier this year in February, Dragos reported that 1,703 ICS/OT vulnerabilities received a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the security loopholes examined by the firm impacted systems located deep within the industrial network.

Germany Shuts Down World's Largest Illegal Marketplace on Darknet

 

The German authorities have confiscated the servers of Hydra Market, the most well-known Russian darknet network for drug sales and money laundering. The authorities were also able to seize 543 bitcoins worth a little more than $25 million from the earnings of Hydra. 

The money seized reflects the scale of the Hydra market, which had over 19,000 registered vendor accounts serving at least 17 million clients worldwide. Hydra Market had a turnover of $1.35 billion in 2020, according to the Central Office for Combating Cybercrime (ZIT) and Germany's Federal Criminal Police Office (BKA), making it the world's largest darknet market. 

Elliptic, a blockchain analytics firm, confirmed the authorities' confiscation of digital assets today, charting the action as 88 transactions totalling 543.3 bitcoin. Hydra also provided stolen databases, falsified documents, and hacking for hire services, in addition to the core focus of narcotics and money laundering. 

An investigation into a shady area 

The BKA, operating on behalf of the Attorney General's Office in Frankfurt am Main, confiscated the market's infrastructure following a coordinated international law enforcement action, according to Hydra's homepage. This move was made possible following a lengthy examination of the platform's previously unknown operators and administrators. 

 Hydra Market had a Bitcoin Bank Mixer, which disguised all bitcoin transactions done on the platform, making it difficult for law enforcement organisations to track money gained through illicit activity, according to the BKA announcement. 

According to a BKA spokesperson, no arrests have been made in this operation, and they are unable to give any other information on the evaluation of the confiscated infrastructure owing to ongoing investigations.

Cryptocurrency Network Ronin Suffers Breach, Hackers Steal Millions

Ronin, a cryptocurrency network, revealed a breach in which threat actors swept up $540 million worth of Ethereum and USDC stablecoin. The attack, one of the biggest in the history of cryptocurrency cyberattacks, took the funds from a service called Ronin Bridge. Successful attacks on "blockchain bridges" have become common in the last two years, and the Ronin incident is a reminder to think hard about the problem. Blockchain bridges (network bridges) are apps that allow users to transfer digital assets from one blockchain to another.

Cryptocurrencies usually can't interoperate. For instance, one can't make a transaction on a bitcoin platform using dogecoins, so these "bridges" have become an important mechanism in the cryptocurrency world. Bridge services use wrapped cryptocurrency to convert one type of coin into another. For instance, if one goes to a bridge to use a different cryptocurrency, like bitcoin (BTC), the bridge spits out wrapped bitcoins (WBTC). In simple terms, it's similar to a gift card or a check that shows stored value in an open alternative format.

Bridges require a vault of cryptocurrency coins to underwrite the total wrapped coins, and that trove is the primary target for threat actors. "Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we'll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts," says James Prestwich. 

Besides the Ronin heist, hackers stole around $80 million worth of cryptocurrency from the Qubit bridge in January, around $320 million from the Wormhole bridge in February, and $4.2 million a few days later from the Meter.io bridge. It is also worth noting that Poly Network had around $615 million worth of cryptocurrency stolen in August last year, but the attackers returned the funds a few days later. "Ronin was created by the Vietnamese company Sky Mavis, which develops the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it seems attackers used social engineering to trick their way into accessing the private encryption keys used to verify transactions on the network," reports Wired.

New Android Spyware Linked to Russia Hacking Group Turla

 

A new Android spyware application has been spotted and detailed by a team of cybersecurity experts that records audio and tracks location once planted in the device. The spyware employs an identical shared-hosting infrastructure that was previously identified to be employed by a Russia-based hacking group known as Turla. 

However, it remains unclear whether the Russian hacking group has a direct connection with the recently identified spyware. It arrives as a malicious APK file that works as Android spyware and performs actions in the background, without giving users any clear indication.

Researchers at threat intelligence firm Lab52 have discovered the Android spyware that is named Process Manager. Once installed, the malware removes its gear-shaped icon from the home screen and operates in the background, exploiting its wide permissions to access the device's contacts and call logs, track its location, send and read messages, access external storage, snap pictures, and record audio. 

The spyware collects all the data in JSON format and subsequently transmits it to a server located in Russia. It is not clear whether the app receives permissions by exploiting the Android Accessibility service or by luring users to grant their access. 

According to Lab52 researchers, the authors of the Android spyware have exploited the referral system of an app called Roz Dhan: Earn Wallet Cash, which is available for download on Google Play and has over 10 million downloads. The spyware attempts to download and install the application using a goo.gl link, which lets the malicious actors install it on the device and profit from its referral system.

It seems relatively odd for spyware since the cybercriminals seem to be focused on cyber espionage. According to Bleeping Computer, the strange behavior of downloading an app to earn commissions from its referral system suggests that spyware could be a part of a larger scheme that is yet to be uncovered. 

"The application, [which] is on Google Play and is used to earn money, has a referral system that is abused by the malware," the researchers said. "The attacker installs it on the device and makes a profit." 

To mitigate the risks, Lab52 researchers have recommended Android users avoid installing any unknown or suspicious apps on their devices. Users should also review the app permissions they grant to limit access of third parties to their hardware.

Due to New Router Flaws, Beastmode Botnet Has a Greater DDoS Potential

 

Beastmode (or B3astmode), a Mirai-based distributed denial-of-service (DDoS) botnet, has extended its list of exploits to include three new ones, all of which target various models of Totolink devices.

Totolink is a well-known electronics sub-brand of Zioncom which recently published firmware patches to address three critical-severity flaws. DDoS botnet programmers wasted little time in adding these holes to their arsenal to take advantage of the window of opportunity before Totolink router customers installed the security patches. Beastmode has gained control of vulnerable routers, giving it access to hardware resources it can use to execute DDoS attacks.

The following is a list of vulnerabilities in TOTOLINK routers: 

  • CVE-2022-26210 (CVSS 9.8) - A command injection vulnerability that could be used to execute arbitrary code. 
  • CVE-2022-26186 (CVSS 9.8) - A command injection vulnerability affecting TOTOLINK N600R and A7100RU routers.
  • CVE-2022-25075 to CVE-2022-25084 (CVSS 9.8) - A buffer overflow vulnerability has been discovered in certain TOTOLINK routers, resulting in code execution.

CVE-2021-4045 is used to target the TP-Link Tapo C200 IP camera, which the researchers haven't seen in any other Mirai-based campaign. For the time being, the exploit has been implemented incorrectly and does not operate. "Device users must still update its camera software to correct this issue," the researchers suggest, citing indications of continued development. 

Although the flaws affect different devices, they all have the same effect: they allow the attacker to insert commands to download shell scripts via the wget command and infect the device with Beastmode. The shell scripts differ depending on which devices have been infected and which exploit has been used.

These vulnerabilities were not the only additions to the Beastmode botnet; its creators also added the following older bugs:

  • CVE-2021-45382 — Remote code execution bug affecting D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers.
  • CVE-2021-4045 — Unauthenticated remote code execution bug in the TP-Link Tapo C200 IP camera.
  • CVE-2017-17215 — Unauthenticated remote code execution problem in Huawei HG532
  • CVE-2016-5674 — Remote execution of arbitrary PHP code through the log argument in the Netgear ReadyNAS product line.

Be sure to deploy the available security updates that correct the vulnerabilities mentioned above to prevent Mirai variants from seizing control of any router or IoT device. Totolink users should go to the vendor's download center, choose the device model, and download and install the most recent firmware version available.

A slow internet connection is one symptom of an exploited router. Additional indicators, which a typical user is likely to overlook, include the device heating up more than usual, an inability to get into the administration panel, changed settings, or an unresponsive device.

1.3 million Iberdrola Customers Hit In Cyberattack

 

A few days ago, the Iberdrola group was hit by a cyberattack that successfully exposed the sensitive credentials of 1.3 million customers, the company confirmed. 

The company further added that the computer breach was stopped within a few hours and the matter was resolved the same day. Nevertheless, the attack affected 1.3 million users. The hackers could reportedly access only names, surnames, and IDs. They failed to get access to bank, tax, or electricity consumption data. The next day, once the breach was closed, the company detected massive attacks that did not achieve their objective.

Following the attack, a statement was released by the company for its customers in which Iberdrola assured that all the necessary steps have been taken to mitigate the impact of the attack and no financial data such as bank details, account numbers, or credit cards details have been violated. Additionally, for future safety, the company has recommended its customers be more cautious of any emails or communications impersonating to be from Iberdrola. 

"If you have received the statement issued by the company, you must be vigilant and regularly monitor what information circulates on the Internet to detect if your private data is being used without your consent," the representatives added. 

The group is chaired by Ignacio Galán, who brought up the same attacks that took place in the Cercanías service in Madrid, in the Congress of Deputies, and in other European institutions. However, he said that the attackers have not had access to critical data. Further, Iberdrola revealed that “we were warned by the United States government about the possibility of a cyber-attack after the invasion of Ukraine.”

Iberdrola is a giant Spanish multinational electric utility company that has more than 34,000 employees serving around 31.67 million customers. The company has the largest shareholders in the global market. According to the 2013 report, the largest shareholders of the company were Qatar Investment Holding, Norges Bank, Kutxabank, and CaixaBank.

Bored Ape & Other Major NFT Project Discords Hacked by Fraudsters

 

The Discords of several prominent NFT projects were hacked last week as part of a phishing scheme to mislead members into handing over their digital jpegs.

In tweets, the Bored Ape Yacht Club, Nyoki, and Shamanz all confirmed Discord hacks. The Discords of NFT projects Doodles and Kaiju Kingz were also attacked, according to screenshots released by independent blockchain investigator Zachxbt. Doodles and Kaiju Kingz both confirmed that they had been hacked on their Discords. 

“Oh no, our dogs are mutating,” read one of the phishing posts posted in the BAYC Discord by a compromised bot viewed by Motherboard.

“MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.” 

The hack's purpose was to get users to click a link to "mint" a phoney NFT by submitting ETH and, in some cases, an NFT to wrap into a token. 

“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning. 

“We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.” 

"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack," the Nyoki’s tweet said. 

On blockchain explorer Etherscan, two wallet addresses have been linked to the hacks and are now dubbed Fake Phishing5519 and Fake Phishing5520. The 5519 wallet, which sent 19.85 ETH to the 5520 wallet, stole at least one Mutant Ape Yacht Club NFT (a BAYC offshoot by developer Yuga Labs) and soon sold it. Early Friday morning, this second wallet delivered 61 ETH ($211,000) to the mixing service Tornado Cash. The wallet's most recent transaction is a transfer of 0.6 ETH to an inactive wallet, which subsequently sent the same amount to an extremely active wallet with 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and a variety of other tokens.

This is not the first or last attack on crypto assets on Discord, which, while being a gaming-focused network, serves as a crucial centre for the great majority of projects. Crypto projects already have to deal with hacks that take advantage of smart contract flaws, but the fact that so many of them are also on Discord subjects them to frauds that exploit the power of the platform itself. 

Several high-profile accounts have already fallen prey to schemes that hacked bots responsible for channel-wide announcements and pushed websites in order to steal ETH, NFTs, or wallets.

Biden Prolongs National Emergency Amid Increasing Cyber Threats

 

In the backdrop of the Russia-Ukraine conflict, the increasing risk of cybersecurity threats against U.S. national security, economy, and foreign policy has prompted President Joe Biden to extend the state of national emergency which was originally declared by former President Barack Obama in April 2015. 

The national emergency period has been extended after the Cybersecurity and Infrastructure Security Agency has published a warning regarding possible Russian state-sponsored cyberattacks against U.S. organizations following the invasion of Ukraine. 

The war between Russia and Ukraine will be the main topic at Thursday's NATO meeting, at which Biden's administration will rally Western allies and announce a new round of financial sanctions against the Russian government. Biden is expected to announce sanctions on hundreds of Russians serving in the country's lower legislative body, and it has been observed that further sanctions will increase cybersecurity threats against the U.S. government.

Last month, U.S. organizations were alerted by the CISA and the FBI to the potential spillover of data-wiping attacks against Ukraine.

"Significant malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities," said Biden. 

On Tuesday, Biden's national security adviser Jake Sullivan said that the administration believes that right now "they have effective posture today for what's necessary today," but further he said that Biden and NATO allies will discuss "longer-term adjustments to NATO force posture on the eastern flank."

Mattress Company Hit by a Magecart Attack, Suffers Data Breach

Emma Sleep Company confirmed that it was hit by a Magecart attack which allowed hackers to steal customers' credit card and debit card data from the company website. The customers were told about the attack via emails last week. The company said it had been "subject to a cyberattack leading to the theft of personal data" but didn't specify the date of the breach in the message. The attack was sophisticated, targeting the checkout process of the company website and stealing personal information, including credit card data, regardless of whether the customer made a purchase.

It is believed to be a Magecart attack, as suggested by the Adobe Magento e-commerce platform. "Currently there is 'no evidence' personal or payment data has been abused in the wild, the company said to customers in the email. Nevertheless, it advised them to contact their banks or credit card provider and 'follow their advice,' and check for unusual or suspicious activity," reports The Register. The Magecart attack has affected customers across 12 countries and involved malicious code that was attached to checkout pages and skimmed card data from users' browsers.

The attack was targeted, and the hacker created copycat URLs as needed. The mattress company says it is confident that its digital platforms were up to date with the latest security fixes. In a famous Magecart attack in 2018 that exposed 40 million British Airways customers' data (for which it was fined €20m), the attackers used shady skimming techniques to extract credit card and debit card credentials. The hackers get access to the site either via third-party apps or directly, and deploy malicious JavaScript which is responsible for stealing the information.

The company says that its security measures had been implemented effectively, but that the JavaScript code was dynamically loaded from the hacker's server and used highly advanced evasion techniques to avoid detection, along with countermeasures to prevent analysis. Hence, the technology that kept track of scripts in the web pages couldn't identify it.

"In February this year, Adobe issued two out-of-bounds patches in a single week when critical security bugs affecting its Magento/Adobe Commerce product emerged, with the vendor warning the vulns were being actively exploited," reports the Register.

Multi-GPU Systems are Vulnerable to Covert and Side Channel Assaults

 

A team led by Pacific Northwest National Laboratory (PNNL) academic researchers has published a research paper explaining a side-channel assault targeting architectures that depend on several graphics processing units (GPUs) for resource-intensive computational operations. 

Multi-GPU systems are employed in high-performance computing and cloud data centers and are shared between multiple users, meaning that the protection of applications and data flowing through them is critical. 

“These systems are emerging and increasingly important computational platforms, critical to continuing to scale the performance of important applications such as deep learning. They are already offered as cloud instances offering opportunities for an attacker to spy on a co-located victim,” the researchers stated in their paper. 

Researchers from Pacific Northwest National Laboratory, Binghamton University, University of California, and an independent contributor used the Nvidia Ampere-generation DGX-1 system containing two GPUs attached using a combination of custom interconnect (NVLink) and PCIe connections for their demonstrations.

The researchers reverse-engineered the cache hierarchy, demonstrating how an assault on a single GPU can hit the L2 cache of a connected GPU and cause a contention issue on a linked GPU. They also showed that the malicious actor could “recover the cache hit and miss behavior of another workload,” essentially allowing for the fingerprinting of an application operating on the remote GPU. 

In reverse engineering the caches and poking around the shared Non-Uniform Memory Access (NUMA) configuration the team unearthed "the L2 cache on each GPU caches the data for any memory pages mapped to that GPU's physical memory (even from a remote GPU)." 

Additionally, the researchers demonstrated proof-of-concept side-channel assaults where they recovered the memorygram of the accesses of a remote victim and used it to fingerprint applications on the victim GPU and to spot the multiple neurons in a concealed layer of a machine learning model. 

The academics designed a deep learning network to accurately identify applications based on their memorygram, and say that this can be used as a base for future attacks that not only identify a target application but also infer information about it.

“This attack can be used to identify and reverse engineer the scheduling of applications on a multi-GPU system (simply by spying on all other GPUs in a GPU-box), identify target GPUs that are running a specific victim application, and even identify the kernels running on each GPU,” the researchers added.

While GPUs do have some defenses to thwart side-channel attacks on a single GPU, they are not designed to mitigate this new type of assault, which is conducted from the user level and does not require the system-level features necessary in other assaults.

Hackers in DPRK Use Trojanized DeFi Wallet App to Steal Bitcoin

 

North Korean government-linked hackers have now been circulating a trojanized version of a DeFi Wallet for holding bitcoin assets to obtain access to cryptocurrency users' and investors' systems.

Securing economic benefits is one of the primary motives for the Lazarus threat actor, with a focus on the cryptocurrency industry. The Lazarus group's targeting of the financial industry is increasing as the price of cryptocurrencies rises and the appeal of the non-fungible asset (NFT) and decentralized finance (DeFi) enterprises grows.

In this attack, the threat actor used web servers in South Korea to distribute malware and communicate with the implants that had been placed. Kaspersky Lab researchers recently identified a malicious version of the DeFi Wallet software that installed both the legitimate app and a backdoor disguised as a Google Chrome web browser executable. When the trojanized DeFi application was launched on the machine, it introduced a full-featured backdoor with a compilation date of November 2021. It's unknown how the hackers distributed the installer, but phishing emails or contacting victims through social media are both possibilities.

Although it's not clear how the threat actor persuaded the victim to run the Trojanized program (0b9f4612cdfe763b3d8c8a956157474a), it is believed they used a spear-phishing email or social media to contact the victim. The Trojanized application initiates a previously unknown infection technique. This installation package masquerades as DeFi Wallet software, but it actually contains a legitimate binary that has been packed with the installer.

The virus installed in this manner, as per the researchers, has "sufficient capabilities to manage" the target host by issuing Windows commands, uninstalling, starting or killing processes, enumerating files and related information, or connecting the computer to a particular IP address. 

Using additional functionality, the malware operator can also collect information about the host (IP, name, OS, CPU architecture) and its drives (type, free space available), download files from the command and control server (C2), and retrieve a list of files stored in a specified location. According to Japan CERT, the CookieTime malware cluster, also known as LCPDot, has been linked to the DPRK operation Dream Job, which enticed victims with phony job offers from well-known firms.

Google's Threat Analysis Group (TAG) revealed recent activity related to Dream Job earlier this month, finding that North Korean threat actors used an exploit for a zero-day remote code execution bug in Chrome to target people working for media, IT, cryptocurrency, and fintech companies. "The CookieTime cluster has linkages with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the Lazarus organization," Kaspersky adds.

The links between the current trojanized DeFiWallet software and other malware attributed to North Korean hackers go beyond the virus code to the C2 scripts, which overlap many functions and variable names. It's worth mentioning that Lazarus is the umbrella name for all state-sponsored North Korean threat operations. Within the DPRK, however, several threat groups are operating under different institutions/departments of the country's intelligence establishment. 

Mandiant analysts prepared an evaluation of the DPRK's cyber program structure using data collected over 16 months from its digital activity tracking for the entire country, OSINT monitoring, defector reporting, and imaging analysis. According to their map, targeting bitcoin heists is certainly within the scope of financially motivated units inside the 3rd Bureau (Foreign Intelligence) of the country's Reconnaissance General Bureau (RGB).