Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

User Privacy
attacks Data Data Breach Data Privacy data security Iranian User Data User Privacy

Predatory Sparrow's Assault on Iran's Steel Industry

 

Predatory Sparrow, also known as Gonjeshke Darande, has accepted full responsibility for last month's cyberattacks on various Iranian steel factories and has now posted the first batch of top-secret papers on its Twitter account. 

The group distributed a cache of around 20 terabytes of data. It includes company paperwork revealing the steel plants' links to Iran's strong Islamic Revolutionary Guard Corps. The group stated in a series of tweets in both English and Persian that the cache was only the beginning of what will be disclosed. 

While claiming responsibility for the June 27 attack, the group also posted a photo and video purportedly showing damage to equipment at the state-owned Khouzestan Steel Company, one of Iran's biggest steel manufacturing factories. Although both the steel firm and the Iranian government denied any serious impact, sources suggest that the attack hampered industrial operations. 

The Predatory Sparrow group explained that the attacks were carried out with caution in order to safeguard innocent people. The group also stated that the hacks were in reaction to the Islamic Republic's actions. The group goes on to say that the enterprises were targeted by international sanctions and that they will continue to operate despite the limitations. 

Regardless of Predatory Sparrow's insistence that the attacks are autonomous, it is suspected that the Israeli government is supporting the hacktivist group, given the sophistication of the operation, the nature of the attacks, and the message preceding, during, and after what looks to be an attack. Aside from the steel facilities attack, the Predatory Sparrow group has claimed responsibility for other digital attacks on key Iranian targets, including the one that crippled Iran's state-controlled gasoline distribution in October 2021 and the one that hit the Iranian railway system in August 2021. While the Iranian government continues to deny the group's accusations, each cyber strike raises new concerns.
Read more »
WordPress
Bug CVE vulnerability IP addresses malware phishing PHP Plugins Trojan Attacks WordPress

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites was made to take advantage of an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability that affects Kaswara Modern WPBakery Page Builder Addons, when exploited, gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or instead gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider claims to have halted 443,868 attacks on client websites per day and strives to do the same till date. Daily, on average, 443,868 tries are made.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax/php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate Javascript files to reroute users to dangerous websites including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==" or if these files themselves contain the "; if(ndsw==" string.

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, a bulk of them wasn't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.
Read more »
Vault 7 leakThe Federal Court
Cyber Crime cyber espionage Data Leak Data Theft Vault 7 leakThe Federal Court

Former CIA Employee Joshua Schulte Convicted Over Massive Data Leak

 

A former Central Intelligence Agency (CIA) software engineer CIA charged with carrying out the most significant theft of classified data in the agency's history was convicted on all counts in federal court Wednesday. 

Joshua Schulte 33, was convicted by jurors in a Manhattan federal court on eight espionage charges and one obstruction charge over the so-called Vault 7 leak. He worked for the CIA's elite hacking unit and created cyber tools that could grab data undetected from computers. After quitting his job, Schulte sent the tools to the anti-secrecy group WikiLeaks. 

Vault 7 consisted of nearly 9,000 pages and shed light on a host of hacking methodologies employed by the agency. This included hacking of Apple and Android smartphones in overseas spying operations, and a bid to turn internet-linked televisions into listening devices. 

Schulte had access to "some of the country's most valuable intelligence-gathering cyber tools used to battle terrorist organizations and other malign influences around the globe," US Attorney for the Southern District of New York Damian Williams stated. 

"When Schulte began to harbor resentment toward the CIA, he covertly collected those tools and provided them to WikiLeaks, making some of our most critical intelligence tools known to the public and our adversaries.” 

He also allegedly lied to CIA and FBI investigators to conceal his tracks and was arrested in August 2017 on child pornography charges. He was indicted on the charges related to the data breach months later. 

"Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm," Williams added. “Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history." 

During the closing arguments to jurors, Schulte, who chose to defend himself at a New York City retrial, accused the CIA and FBI of making him a scapegoat for the WikiLeaks release. Schulte claimed he was made a scapegoat even though “hundreds of people had access to (the information). … Hundreds of people could have stolen it”, AP news agency reported.
Read more »
python
Code Execution Flaw CVE vulnerability Cyber Security macOS Microsoft PoC Privacy Sandbox python

Microsoft: Provide Code for MacOS App Sandbox Flaw

 


MacOS has a vulnerability that was discovered by  Microsoft, it might allow specially created code to execute freely on the system and get past the App Sandbox. 

The security flaw, identified as CVE-2022-26706 (CVSS rating: 5.5), affects iOS, iPadOS, macOS, tvOS, and watchOS. It was patched by Apple in May 2022. In October 2021, Microsoft notified Apple of the problem via Microsoft Security Vulnerability Research (MSVR) and Coordinated Vulnerability Disclosure (CVD).

Sandbox Objective

A specifically written Office document with malicious macro code that allows for system command execution and sandbox limitation bypass can be used by an attacker to exploit the bug. Although Apple's App Sandbox is intended to strictly control a third-party app's access to system resources and user data, the vulnerability allows for obfuscation of these limitations and penetration of the system.

When a user runs malicious software, the main goal of the sandbox is to prevent damage to the system and the user's data.

Microsoft researchers showed that the sandbox rules may be evaded by utilizing specially written software. The sandbox escape vulnerability could be used by an attacker to take charge of the vulnerable device with elevated privileges or to carry out malicious operations like downloading malicious payloads.

The experts originally developed a proof-of-concept (POC) exploit to produce a macro that starts a shell script using the Terminal app, but it was intercepted by the sandbox since it had been given the extended attribute com.apple.quarantine, which inhibits the execution by the Terminal, automatically. The experts then attempted to use Python scripts, but the Python application had a similar problem running files with the mentioned attribute.

"However, this restriction can be removed by using the -stdin option for the open command in the Python exploit code. Since Python had no way of knowing that the contents of its standard input came from a quarantined file, -stdin was able to get around the 'com.apple.quarantine' extended attribute restriction," according to a report by Jonathan Bar Or of the Microsoft 365 Defender Research Team.


Read more »
Vulnerabilities and Exploits
Attacker Bugs Drones Flaws Transmitter Vulnerabilities and Exploits

Vulnerabilities in the ExpressLRS Protocol Enable the Takeover of Drones

 

The ExpressLRS protocol for radio-controlled (RC) drones is vulnerable to flaws that might allow device takeover. Researchers warn of vulnerabilities in the ExpressLRS protocol for radio-controlled (RC) drones, which may be exploited to take control of unmanned vehicles. 

ExpressLRS is a high-performance open-source radio control link that achieves maximum range while maintaining minimal latency. An attacker may take control of any receiver by watching the communication from the connected transmitter, according to a recently released alert. After watching traffic from a similar transmitter, it is feasible to take control of any receiver using merely a normal ExpressLRS compatible transmitter. 

An attacker may be able to extract a portion of the identity shared by the receiver and transmitter due to security flaws in the binding process. The examination of this section, along with a brute force attack, can lead to the discovery of the remaining part of the identifier. Once the attacker has acquired the whole identifier, it may use a transmitter to take control of the craft holding the receiver without knowing the binding phrase. This attack scenario is software-capable when utilising typical ExpressLRS compliant hardware. 

“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NccGroup. 

“Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.” 

The ExpressLRS protocol encrypts the phrase using the hashing technique MD5, which is known to be cryptographically weak. The experts discovered that the "sync packets" that are transferred at regular intervals between transmitter and receiver for synchronisation reasons leak a significant portion of the binding phrase's unique identity (UID). The remaining portion may be determined via brute-force assaults or by watching packets over the air without brute-forcing the sequences. 

The advisory read, “Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.”

“(i) The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid a collision. Observation of a single sync packet, therefore, gives 75% of the bytes required to take over the link. (ii) The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” 

The third weakness occurs in the FHSS sequence generation. 

“Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4-byte seed produce the same FHSS sequence as the first 128,” the advisory concludes. 

Experts advised the users against transmitting the UID via the control connection while adding that the data used to construct the FHSS sequence should not be sent wirelessly. They also suggest that the random number generator be improved by employing a more secure approach or modifying the present algorithm to deal with repeated sequences.
Read more »
Web Servers
Cyber Attacks Fake Updates Ransomware User Security Web Servers

HavanaCrypt Ransomware Deployed Via Fake Google Updates

 

Trend Micro researchers have unearthed a new ransomware family dubbed ‘HavanaCrypt’ being deployed as a fake Google Software Update application. 

The ransomware launches multiple anti-virtualization checks and employs a Microsoft web hosting service IP address for its command and control (C&C) server, which allows it to bypass detection. HavanaCrypt also leverages a namespace method function in its execution process, a report from Trend Micro explained. 

“It disguises itself as a Google software update application and uses a Microsoft web hosting service IP address as its command-and-control server to circumvent detection,” Trend Micro said in a blog. 

The ransomware is the latest in a series of malware that poses as a legitimate application. This year alone has seen ransomware masquerading as Windows 10, Google Chrome, and Microsoft Exchange updates. 

HavanaCrypt modus operandi 

HavanaCrypt is a .NET-compiled application, that employs an open-source tool called Obfuscar to obfuscate its code. Once installed on a system, HavanaCrypt examines the AutoRun registry to see whether the "GoogleUpdate" registry is already present. If not, it continues with the routine. 

The malware then undertakes a four-stage assessment of whether the compromised device is running in a virtualized environment. 

First, it checks for services used by common virtualization applications such as VMWare Tools and vmmouse. Then it scans for files related to virtual applications, followed by a check for specific file names employed in virtual environments. Finally, it compares the machine's MAC address with unique identifier prefixes usually employed in virtual machine settings. If any of the checks show the infected machine to be in a virtual environment, the malware terminates itself. 

Additionally, the malware designs a text file that logs all the directories containing the encrypted files. The file is named foo.txt and the ransomware encrypts it as well. No ransom note is dropped. 

"It is highly possible that the ransomware's author is planning to communicate via the Tor browser because Tor is among the directories that it avoids encrypting files in. It should be noted that HavanaCrypt also encrypts the text file foo.txt and does not drop a ransom note. This might be an indication that HavanaCrypt is still in its development phase," said Bharat Mistry, technical director at Trend Micro.
Read more »
Vulnerability and Exploits.
API Bug Business Security CVE vulnerability HTTP Patch Fix SAP Vulnerabilities and Exploits Vulnerability and Exploits.

SAP Security Patch for July: Six High Priority Notes

The July 2022 patch release from SAP was released in addition to 27 new and updated SAP Security Notes. The most serious of these problems is information disclosure vulnerability CVE-2022-35228 (CVSS score of 8.3) in the BusinessObjects Business Intelligence Platform's central administration console.

Notes for SAP Business One 

The three main areas that are impacted by the current SAP Security Notes are as follows, hence Onapsis Research Labs advises carefully reviewing all the information:
  • In integration cases involving SAP B1 and SAP HANA, with a CVSS score of 7.6(CVE-2022-32249), patches a significant information release vulnerability. The highly privileged hackers take advantage of the vulnerability to access confidential data that could be used to support further exploits.
  • With a CVSS rating of 7.5 (CVE-2022-28771),  resolves a vulnerability with SAP B1's license service API. An unauthorized attacker can disrupt the app and make it inaccessible by sending bogus HTTP requests over the network if there is a missing authentication step.
  • A CVSS score of 7.4(CVE-2022-31593), is the third High Priority note. This notice patches SAP B1 client vulnerability that allowed code injection. An attacker with low privileges can use the vulnerability to manipulate the application's behavior.
On July 20, 2022, SAP announced 17 security notes to fix vulnerabilities of medium severity, the bulk of which affect the NetWeaver Enterprise Portal and Business Objects.

Cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal were addressed in six security notes that SAP published, each of which had a CVSS score of 6.1. Medium-severity problems in Business Objects are covered by five more security notes.

The SAP July Patch Day illustrates the value of examining all SAP Security Notes prior to applying patches. 

Read more »
Threat actor
AiTM Phishing Authentication Cyber Fraud Fraud phishing Proxy Server Scam Threat actor

Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+Organizations

 

More than 10,000 companies were targeted in a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites. Microsoft identified a large-scale phishing effort that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA. 

Threat actors utilise AiTM phishing to set up a proxy server between a target user and the website the user desires to access, which is the phishing site controlled by the attackers. The proxy server enables attackers to intercept communications and steal the target's password and a session cookie. 

Threat actors started business email compromise (BEC) attacks against other targets after obtaining the credentials and session cookies needed to access users' mails. Since September 2021, Microsoft specialists think the AiTM phishing effort has targeted over 10,000 companies. 

Phishing using AITM 

By impersonating the Office online authentication page, the landing sites utilised in this campaign were meant to attack the Office 365 authentication process. Microsoft researchers discovered that the campaign's operators utilise the Evilginx2 phishing kit as its AiTM infrastructure. Threat actors utilised phishing emails with an HTML file attachment in several of the attacks seen by the experts. The message alerted recipients that they had a voice message in order to deceive them into opening the file.
 
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 

After capturing the session cookie, the attackers inserted it into their browser to bypass the authentication procedure, even if the receiver had activated MFA for his account. Microsoft advises organisations to use systems that enable Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant."

Microsoft also advises establishing conditional access controls if an attacker attempts to utilise a stolen session cookie and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious features and odd mailbox operations. 

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.
Read more »
Technology
Key Fob Bug Keyless Cars Rolling Code Security flaw Technology

Honda Key Fob Flaw Allows Hackers to Start Car Remotely

 

Cybersecurity researchers have disclosed a security bug in Honda’s keyless entry system that could allow hackers to remotely unlock and start potentially all models of Honda cars. 

Over the weekend, researchers Kevin2600 and Wesley Li from Star-V Lab published a technical report and videos on a vulnerability, dubbed Rolling-PWN, in the rolling codes mechanism of the remote keyless system of Honda cars, which enabled them to open car doors without the key fob present. 

The vulnerability is tracked as CVE-2021-46145 (medium severity) and is described as an issue "related to a non-expiring rolling code and counter resynchronization" in the keyfob subsystem in Honda. 

The keyless entry system in modern cars depends on the rolling codes mechanism generated by a pseudorandom number generator (PRNG) algorithm, ensuring that unique strings are employed each time the keyfob button is pressed. 

“Vehicles have a counter that checks the chronology of the generated codes, increasing the count upon receiving a new code. Non-chronological codes are accepted, though, to cover situations of accidental presses of the keyfob, or when the vehicle is out of range,” researchers explained. 

The researchers identified that the counter in Honda vehicles is resynchronized when the car vehicle gets lock/unlock commands in a consecutive sequence, causing the car to accept codes from previous sessions that should have been invalidated. 

The hacker equipped with software-defined radio (SDR) equipment can capture a consecutive sequence of codes and replay them at a later time to unlock the vehicle and starts its engine. 

The vulnerability is believed to affect all Honda vehicles on the market, but the researchers examined the attack on the 10 most popular models of Honda of the last decade including Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022. 

“We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours. However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches,” Honda’s spokesperson stated.
Read more »
Zoho
fake domain Gmail Malicious Emails malware Ransom RAT Scam Zoho

Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a brand-new data extortion group that has been breaking into businesses to spoof users' data. If the victims don't pay a ransom to prevent the information from being made public, hackers threaten to make the records publicly accessible. 

The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.

How does the scam work?

The Luna Moth ransomware gang has been analyzed by the incident response team at cybersecurity firm Sygnia, it was noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In a report published, Sygnia claims that although the goal of Luna Moth, also known as TG2729, is to acquire key data, its method of operation is similar to that of a scammer.

The organization has been posing as Zoho MasterClass Inc. and Duolingo over the last three months, operating a widespread phishing scam.  The malicious emails are sent from Gmail accounts that were altered to look like official company email accounts, claiming to be from the Zoho Corporation or Duolingo.

Domains used

In April 2022, the first verified campaign-related domain was registered. Hostwinds, a service provider, hosts both the exfiltration and phishing domains, which are both listed under Namecheap.

The two primary sets of domains and IPs that make up Luna Moth infrastructure  can be tied to subscription fraud:

  • Domains with the XYZ TLD, such as maaays[.]xyz, are exfiltration domains. The organization uses these domains as the endpoint for the exfiltrated data when using the Rclone obfuscation method.
  • Phishing sites like masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. The majority of these domains only last for four hours or less.

Standard tools

Atera, Splashtop, Syncro, and AnyDesk are just a couple of good remote administration tools (RATs) that the hackers mainly employ to control compromised devices. These tools also give the hackers some flexibility and persistence: even if one of the RATs is taken out of the system, the others can still reinstall it. Furthermore, off-the-shelf tools like SharpShares, and SoftPerfect Network Scanner,  are being utilized by the group.

The tools are saved on spyware with fake names that make them appear to be legitimate These technologies enable threat actors to conduct basic reconnaissance tasks, acquire access to additional resources, and steal data from compromised networks in addition to RATs.



Read more »
Scammers
Cisco counterfeit Cyber Fraud fake Fraudulent Mail Fraud Scam Scammers

CEO of Multiple Fake Companies Charged in $1bn Counterfeit Scheme to Traffic Fake Cisco Devices

 

Last Friday, the US Department of Justice (DOJ) revealed that a Florida citizen named Ron Aksoy had been arrested and alleged with selling thousands of fake and counterfeit Cisco goods over 12 years. 

Aksoy, also known as Dave Durden, would have operated at least 19 firms based in New Jersey and Florida, as well as at least 15 Amazon stores, around 10 eBay storefronts, and many additional corporations worth more than $1 billion. Aksoy faces three counts of mail fraud, four counts of wire fraud, and three counts of trafficking in counterfeit products. 

According to court records, the fraudulent firms purchased tens of thousands of counterfeit Cisco networking equipment from China and Hong Kong and resold them to consumers in the United States and across the world, fraudulently advertising the items as new and authentic. Chinese counterfeiters modified earlier, lower-model goods (some of which had been sold or dumped) to look to be authentic versions of newer, improved, and more expensive Cisco gear. 

As a result, the fraudulent and counterfeit items had severe performance, functionality, and safety issues, costing users tens of thousands of dollars. According to the indictment, between 2014 and 2022, Customs and Border Protection (CBP) confiscated approximately 180 shipments of counterfeit Cisco equipment being transported to the Pro Network Entities (the fraudulent firm name under which Aksoy operated) from China and Hong Kong. 

In response to some of these seizures, Aksoy would have filed fraudulent official papers to CBP using the pseudonym "Dave Durden," which he also used to contact with Chinese co-conspirators. The entire enterprise reportedly generated over $100 million in income, with Aksoy keeping a sizable portion while his co-conspirators received the remainder. Potential victims have been advised to get in touch with authorities. 

The DOJ has developed a publicly available list of Pro Network firms, as well as the accused criminal's eBay and Amazon stores.
Read more »
Subscribe to: Comments (Atom)