Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

 

Cybersecurity researchers have revealed previously unknown malware targeting Apple's macOS operating system. The malware, nicknamed CloudMensis by the Slovak cybersecurity firm ESET, is reported to use popular cloud storage services such as pCloud, Yandex Disk, and Dropbox exclusively for receiving attacker commands and exfiltrating files. 

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé stated in a report published. 

CloudMensis was found in April 2022, is written in Objective-C, and is built to run on both Intel and Apple silicon architectures. The initial infection vector for the attacks, as well as the targets, is still unclear. However, the malware's limited dissemination suggests that it is being used as part of a carefully targeted operation aimed at businesses of interest. 

ESET discovered an attack chain that exploits code execution and administrative rights to launch a first-stage payload that is used to retrieve and run a second-stage malware housed on pCloud, which exfiltrates documents, screenshots, and email attachments, among other things. 

The first-stage downloader is also known to delete evidence of Safari sandbox escape and privilege escalation attacks in 2017 that make use of four now-resolved security flaws, implying that CloudMensis may have gone undetected for many years. The implant also includes capabilities that allow it to circumvent the Transparency, Consent, and Control (TCC) security system, which requires all programmes to seek user permission before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes. 

It accomplishes this by exploiting another fixed security flaw known as CVE-2020-9934, which was discovered in 2020. The backdoor also allows its operators to access a list of running processes, capture screenshots, list files from removable storage devices, and launch shell commands and other arbitrary payloads. 

Furthermore, an examination of information from the cloud storage infrastructure reveals that the pCloud accounts were established on January 19, 2022, with compromises beginning on February 4 and spiking in March. 

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Microsoft Exchange Online And Outlook Email Service Hit By Outage

 

Microsoft is investigating an ongoing outage affecting Microsoft 365 services after users experienced problems signing into, accessing, and receiving emails via the outlook.com gateway and Exchange Online. 

"We're investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services," Microsoft stated in a tweet via the company's official Twitter account for updates on Microsoft 365 services. 

Admins were also warned that further information about these ongoing issues may be found in the admin centre under EX401976 and OL401977. 

"We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why," the company added. 

While Redmond did not indicate the scope of the problem, hundreds of reports have been filed on DownDetector in the last 24 hours by Outlook and Exchange Online customers who have been unable to log in or use email, or have had difficulty doing so. In an update to the Outlook.com online site, Microsoft also noted that Microsoft 365 subscribers may be unable to access the web portal or any of its features. 

Microsoft explained, "Users may be unable to access or use outlook.com services or features. We're reviewing diagnostic information and support case data to understand the cause and establish a fix. We're investigating a potential issue and checking for impact to your organization. We'll provide an update within 30 minutes." 

Another Microsoft 365 outage occurred in June, affecting consumers worldwide who attempted to access Microsoft Teams and Exchange Online. Redmond rerouted traffic to another, healthy traffic management infrastructure and performed targeted infrastructure restarts to restore service access and functioning. On July 1, Microsoft stated it fixed the issue that caused this outage. 

"We identified a section of our network infrastructure that was performing below acceptable thresholds. We've rerouted connections to alternate infrastructure and that confirmed the issue is resolved," Redmond tweeted.

Prototype Pollution Bug in Blitz.js Allows RCE on Node.js Servers

 

Blitz.js, a JavaScript web framework, has issued a patch for a critical prototype pollution bug to prevent remote code execution (RCE) on Node.js servers. 

Prototype pollution is a specific kind of JavaScript vulnerability that allows hackers to manipulate the structure of the programming language and exploit it in multiple ways, Paul Gerste, security researcher at Sonar, explained. It also allowed hackers to exploit the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server. 

Blitz is designed on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform. One of the popular components of Blitz.js is its ‘Zero-API’ layer, which allows the customer to employ specific functions to call server-side business logic without having to design API code. 

Additionally, it makes an RPC call to the server in the background and returns the response to the client function call. Gerste identified an exploit chain that starts with the prototype pollution bug and leads to RCE. 

The attackers target the Node.js server by sending it a JSON request, which triggers the routing function of Blitz.js to load a JavaScript file with the polluted prototype. This allows the hacker to use the malicious JavaScript object to execute arbitrary code. 

In an ideal scenario, the hacker would design and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s spawn() function to launch a new process. 

The attacker could use this function to launch a CLI process and run an arbitrary command on the server. The vulnerability can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.  

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste explained. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.” 

In his blog post, the researcher mentioned some general recommendations to safeguard JavaScript apps against prototype pollution, including freezing Object.prototype or using the --disable-proto=delete flag in Node.js.
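The pollution pattern and the hardening options described above, as an added example that is not taken from Blitz.js or from Sonar's write-up: a constructed recursive merge is polluted through a __proto__ key in a JSON body, then stopped by key filtering, by a frozen prototype, and by an own-property check in the consuming code. All function names, the useShell option and the request body are assumptions, and a sandbox object stands in for Object.prototype.

```javascript
// Added example: every name and the request body are constructed; this is not Blitz.js code.
const REQUEST_BODY = '{"name":"demo","__proto__":{"useShell":true}}';
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: a recursive merge that follows caller-supplied keys.
// For the key "__proto__", target[key] is the target's prototype, so the
// recursion writes onto an object shared by everything that inherits from it.
function unsafeMerge(target, source) {
  'use strict'; // a write to a frozen prototype throws instead of failing silently
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drops prototype-related keys and only descends into own properties.
function safeMerge(target, source) {
  'use strict';
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      const child = own !== null && typeof own === 'object' ? own : Object.create(null);
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical gadget: harmless-looking code that reads an option nobody set,
// so the lookup falls through to the prototype chain.
function gadgetReadsInherited(options) {
  return Boolean(options.useShell);
}

// The same lookup restricted to the object's own properties.
function gadgetOwnOnly(options) {
  return Object.prototype.hasOwnProperty.call(options, 'useShell') && Boolean(options.useShell);
}

// Runs one merge against a sandbox prototype (a stand-in for Object.prototype,
// so the demo never alters the real one) and reports what an unrelated object sees.
function runScenario(merge, { freeze = false, gadget = gadgetReadsInherited } = {}) {
  const base = {};
  if (freeze) Object.freeze(base);
  const requestState = Object.create(base);
  let rejected = false;
  try {
    merge(requestState, JSON.parse(REQUEST_BODY));
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
    rejected = true;
  }
  const unrelated = Object.create(base); // e.g. an options object built elsewhere
  return { polluted: 'useShell' in unrelated, gadgetFires: gadget(unrelated), rejected };
}

console.log('unsafe merge       ', runScenario(unsafeMerge));
console.log('key filtering      ', runScenario(safeMerge));
console.log('frozen prototype   ', runScenario(unsafeMerge, { freeze: true }));
console.log('own-property gadget', runScenario(unsafeMerge, { gadget: gadgetOwnOnly }));
```

In a real process the freeze would be applied to Object.prototype itself at startup, while --disable-proto=delete removes the __proto__ accessor so the lookup in unsafeMerge no longer reaches the prototype. Neither replaces key filtering, because the constructor.prototype path stays reachable.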

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste added. “I don’t see developers often use the patterns that we recommended in our article. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

Albania's Government Networks Were Disabled Amid Cyberattack

 

According to a report from the Albanian National Agency for the Information Society, a cyberattack from an anonymous source led the Albanian government to shut down the websites of the prime minister's office and the parliament. 

Most Albanian nationals and tourists from other countries utilize the e-Albania website, which currently acts as a hub for several formerly operational civil state offices. 

According to the Albanian National Agency for the Information Society (AKSHI), "we have been compelled to shut down government systems to survive these unprecedented and dangerous strikes until the enemy attacks are neutralized."

Only a few crucial services, like online tax filing, are still operating since they are provided by servers that were not targeted in the attack, while the majority of desk services for the public were disrupted.

Both the duration of the government systems' downtime and the identity of the cyberattack's perpetrator are unknown. According to Albanian media, the attack was comparable to those targeting critical systems in Ukraine, Belgium, Malta, the Netherlands, Germany, and Lithuania.

While there have been instances of 'independent hacker groups' attacking countries in the past, Oliver Pinson-Roxburgh, CEO of cybersecurity platform Defense.com, said it is unlikely that such a group would be able to operate on this scale.

The report states that due to the early detection, the government's essential systems were able to shut down safely and they are all "backed-up and safe."

It said that to resolve the issue and 'restore normalcy,' Albanian officials were working with Microsoft and Jones Group International experts.



Tor Browser 11.5 Adds Censorship Detection & Circumvention

 

Tor Project's flagship anonymizing browser has been upgraded to make it simpler for users to avoid government attempts to prohibit its usage in various locations. According to the non-profit organisation that controls the open source software, Tor Browser 11.5 would change the user experience of connecting to Tor from strongly censored locations. 

It replaces a "manual and confusing procedure" in which users have to maintain their own Tor Network settings to figure out how to utilise a bridge to unblock Tor in their location. Because various bridge settings may be required in different countries, the Tor Project stated that the manual effort placed an undue hardship on restricted users. 

Connection Assist is its answer, and it will automatically apply the bridge configuration that should perform best in a user's exact location. China, Russia, Belarus, and Turkmenistan are among the countries that have blocked the Tor Network. Volunteers from these and other impacted nations are encouraged to apply to be alpha testers so that their feedback may be shared with the community. 

The Tor Project has revised its Tor Network settings to improve the user experience for people who still want to manually configure their software. There is also a new HTTPS-only default option for users, which protects consumers by encrypting communication between their system and the web servers it communicates with. 

“This change will help protect our users from SSL stripping attacks by malicious exit relays, and strongly reduces the incentive to spin up exit relays for man-in-the-middle attacks in the first place,” it stated. 

Although the Tor Browser is often linked with illicit dark web browsing, it is also a useful tool for activists, journalists, dissidents, and NGO workers working under harsh government regimes.

Large-Scale Malware Campaign Targets Elastix VoIP Systems

 

Threat analysts at Palo Alto Networks' Unit 42 have unearthed a massive campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples between December 2021 and March 2022. 

Elastix is a unified communications server software, based on projects such as Digium’s Asterisk, FreePBX, and more. 

The hackers' goal was to inject a PHP web shell that could run arbitrary commands on the compromised communications server and exploit a remote code execution (RCE) vulnerability tracked as CVE-2021-45461, with a critical severity rating of 9.8 out of 10. 

The campaign is still active and shares multiple similarities to another operation in 2020 that was reported by researchers at cybersecurity firm Check Point. 

According to the researchers, enterprise servers are sometimes a higher-value target than computers, laptops, or other firm endpoints. Servers are usually more powerful devices and could be exploited, for example, as part of a potent botnet generating thousands of requests per second. 

In this campaign, the researchers spotted two separate attack groups employing initial exploitation scripts to drop a small shell script. The script installs an obfuscated PHP backdoor on the web server, creates multiple root user accounts, and sets a scheduled task to ensure recurring re-infection of the system. 

"This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system," security researchers explained. 
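One way to hunt for the timestamp spoofing described above, as an added example that is not from the Unit 42 report: it groups files by identical modification time and flags any member whose inode change time is much later than the rest of its group. The file paths, timestamps and the one-day threshold are constructed assumptions.

```javascript
// Added example. Paths and timestamps are constructed sample data (epoch seconds),
// shaped like output collected from a web root with stat or find during triage.
const SAMPLE_STATS = [
  { path: '/var/www/html/index.php',        mtime: 1500000000, ctime: 1500000050 },
  { path: '/var/www/html/config.php',       mtime: 1500000000, ctime: 1500000050 },
  { path: '/var/www/html/modules/help.php', mtime: 1500000000, ctime: 1640995200 },
  { path: '/var/www/html/upload.php',       mtime: 1641000000, ctime: 1641000000 },
];

// Copying another file's timestamp sets mtime, but the inode change time (ctime)
// still records when the copy was made. Within each group of files that share an
// identical mtime, flag members whose ctime is much later than the group's earliest.
function findBorrowedTimestamps(records, minLagSeconds = 86400) {
  const groups = new Map();
  for (const rec of records) {
    if (!groups.has(rec.mtime)) groups.set(rec.mtime, []);
    groups.get(rec.mtime).push(rec);
  }
  const findings = [];
  for (const members of groups.values()) {
    if (members.length < 2) continue; // no candidate donor file in this group
    const baseline = Math.min(...members.map((m) => m.ctime));
    for (const rec of members) {
      const lag = rec.ctime - baseline;
      if (lag < minLagSeconds) continue;
      findings.push({
        path: rec.path,
        ctimeLagSeconds: lag,
        sharesMtimeWith: members.filter((m) => m.ctime === baseline).map((m) => m.path),
      });
    }
  }
  // Largest lag first. A later chmod, chown or rename also moves ctime, so each
  // finding is a lead to review, not proof of tampering.
  return findings.sort((a, b) => b.ctimeLagSeconds - a.ctimeLagSeconds);
}

console.log(findBorrowedTimestamps(SAMPLE_STATS));
```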

The IP addresses of the hackers are in the Netherlands, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment. 

The PHP web shell – which is injected with a random junk string to bypass signature-based defenses – consists of several layers of Base64 encoding and is guarded by a hardcoded “MD5 authentication hash” mapped to the victim’s IP address. 

The web shell also accepts an admin parameter and supports arbitrary commands, along with a series of built-in default commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform. 

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is through a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks,” Palo Alto Networks concludes.

Proofpoint Analysis: APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalists

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users

 

A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is named after the mantis shrimp, which is less than 10 cm in length. Despite being so small, the claws of mantis shrimps can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.

Data of 4,000 Patients at VCU Health Exposed

 

A recent incident compromising the privacy of user-protected health information has been reported by Virginia Commonwealth University Health System. 

The institution exposed the confidential health information of almost 4,000 individuals for 16 years. According to VCU Health's research, the information was available to donors and recipients as early as January 4, 2006.

There is no proof, according to VCU Health, that any information has been exploited. There were 4,441 donors and beneficiaries in total for this incident.

The data leak was discovered on February 7, 2022. On March 29 and May 27, 2022, additional details about the categories of data involved were disclosed. The information that could be seen in the medical records of other transplant patients or donors included names, Social Security numbers, lab results, medical record numbers, and dates of service.

Customers who are notified have been reminded to keep an eye out for any fraudulent behavior by regularly monitoring their financial account statements. Individuals who may have had their Social Security data exposed have been provided free credit monitoring. 

"Many health care systems are built in a way that sensitive data, such as SSNs, DOBs, or other PII/PHI, is either not shared at all, is at least hidden on the screen by default, and reading them requires additional step-up verification," stated Ashutosh Rana, a senior security consultant at the Synopsys Software Integrity Group. 


Homeland Security Warns Log4j’s 'Endemic' Threats for Years to Come

 

This week, the US Department of Homeland Security (DHS) published the Cyber Safety Review Board's (CSRB) first report, which covers the December 2021 Log4j incident, when a variety of vulnerabilities in this Java-based logging framework were revealed. 

The report's methodology comprised 90 days of interviews and information requests with around 80 organisations and individuals, including software developers, end users, security specialists, and businesses. 

This was done to ensure that the board met with a wide range of representatives and understood the complexities of how different attack surfaces are constructed and defended. According to the report, although standardised and reusable "building blocks" are essential for developing and expanding software, they also allow any possible vulnerability to be mistakenly included in multiple software packages, putting any organization that uses those programs at risk. 

According to the report, while Log4j remains dangerous, the government-wide approach helped tone down the vulnerability. The board also noted the need for extra financing to help the open-source software security community, which is primarily comprised of volunteers. 

Industry experts, such as Michael Skelton, senior director of security operations at Bugcrowd, said of Log4J: “Dealing with it is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities.” 

John Bambenek, the principal threat hunter at Netenrich, was more critical of the report’s timing, believing that “anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly.” 

The CSRB report went on to state that, thankfully, it is unaware of any large Log4j-based attacks on critical infrastructure assets or systems, and that efforts to hack Log4j happened at a lesser level than many experts expected. 

The report, however, emphasises that the Log4j incident is "not over" and will continue to be an "endemic vulnerability" for many years, with considerable risk persisting. The report concluded with 19 actionable recommendations for government and business, which were divided into four categories. They were as follows:
  • Address Continued Risks of Log4j
  • Drive Existing Best Practices for Security Hygiene
  • Build a Better Software Ecosystem
  • Investments in the Future

North Korean Hackers Employ H0lyGh0st Ransomware to Target Businesses

 

Researchers from Microsoft’s Threat Intelligence Center (MSTIC) this week claimed that North Korean hackers are employing the H0lyGh0st ransomware to target small and midsize businesses worldwide. 

The hacking group, which calls itself H0lyGh0st and is tracked by Microsoft as DEV-0530, has been employing ransomware since at least June 2021 and has successfully exploited multiple businesses since September 2021. 

The activities of DEV-0530 are similar to other ransomware gangs out there. The group engages in double extortion, threatening to publish personal data stolen from victims unless a ransom is paid. 

In recent years, North Korean hackers have siphoned hundreds of millions of dollars from foreign businesses to help their country which is struggling economically due to the U.S. sanctions and the COVID-19 pandemic. However, it is equally possible that the hackers are employing ransomware for personal gain, which could explain an “often-random selection of victims.” 

According to Microsoft, the activities of DEV-0530 are partially linked to a group known as Plutonium (also known as DarkSeoul or Andariel). Both groups have been spotted operating from the same infrastructure, employing custom malware controllers with similar names, and emailing accounts belonging to each other. 

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says. 

The researchers also identified that the hackers' activities are consistent with the UTC+9 time zone employed in North Korea. DEV-0530’s first malicious payload, BLTC_C.exe, was spotted in June last year and was classified as SiennaPurple, despite its lack of complexity compared to other variants in the same ransomware family. More powerful derivatives of the malware were released later, between October 2021 and May 2022, and were based on the Go programming language. 

In November 2021 DEV-0530 successfully exploited several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple nations. Likely opportunistic, the attacks exploited vulnerabilities such as CVE-2022-26352 on public-facing web assets for initial access. 

Subsequently, the hackers would steal “a full copy of the victims’ files” and then shift to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st. 

“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft researchers explained.