Chinese Hackers Disseminating SMS Bomber Tool with Hidden Malware

A threat cluster linked to the Tropic Trooper hacking group has been observed using previously undocumented malware written in the Nim language to attack targets as part of a newly revealed operation. 

The new loader, codenamed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' malware that is most likely illegally circulated through the Chinese-speaking web," according to a report by Israeli cybersecurity firm Check Point. "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. 

"Therefore the entire bundle works as a trojanized binary." SMS Bomber, as the name implies, allows the user to enter a phone number (not their own) in order to flood the victim's device with messages, perhaps rendering it useless in a denial-of-service (DoS) attack. 

The fact that the binary functions as both an SMS Bomber and a backdoor shows that the attacks are not just directed at individuals who use the tool — a "somewhat unorthodox target" — but are also highly targeted. 

Tropic Trooper, also known as Earth Centaur, KeyBoy, and Pirate Panda, has a history of attacking targets in Taiwan, Hong Kong, and the Philippines, especially in the government, healthcare, transportation, and high-tech industries. 

Trend Micro last year described the Chinese-speaking collective as particularly clever and well-equipped, highlighting the group's capacity to evolve its TTPs to stay under the radar and its reliance on a wide range of proprietary tools to compromise its targets. 

The attack chain Check Point most recently observed begins with the trojanized SMS Bomber tool, the Nimbda loader, which runs an embedded executable, in this case the legitimate SMS Bomber payload, while simultaneously injecting a second piece of shellcode into a notepad.exe process. This initiates a three-tier infection process that includes downloading next-stage malware from an obfuscated IP address given in a markdown file ("EULA.md") published in an attacker-controlled GitHub or Gitee repository. The retrieved binary is an improved version of the Yahoyah trojan and is designed to gather data about wireless networks in the victim machine's proximity, along with other system metadata, and send it to a command-and-control (C2) server. Yahoyah, in turn, serves as a conduit for the final-stage malware, which is downloaded from the C2 server in the form of an image. The steganographically encoded payload is a backdoor known as TClient, which the group has used in past attacks. 

The researchers concluded, "The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind."

"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."

Hackers are Using LNK Files to Deploy Malicious Payload


Earlier this month, researchers at McAfee Labs spotted a sophisticated technique in which attackers used email spam and malicious URLs to deliver LNK files to victims. The shortcut files invoke legitimate Windows programs such as PowerShell, cmd.exe, and mshta.exe to download malicious files. 

LNK files are shortcut files that link to an application or file; they are commonly found on a victim's desktop or elsewhere on the system and carry a .LNK extension. LNK files can be created by the user or automatically by the Windows operating system. 

To illustrate the true nature of these files, we will walk through a recently identified Emotet campaign. In this campaign the attacker relies on the victim manually opening the attached LNK file. The threat actor replaces the original shortcut icon with that of a .pdf file, so that an unsuspecting recipient of the email attachment cannot spot the difference by basic visual inspection. 

But the threat is real. Windows shortcut files can be employed to deploy pretty much any malware onto the target endpoint, and in this case, the Emotet payload is downloaded into the victim’s %TEMP% directory. If successful, the malware will be loaded into memory using “regsvr32.exe”, while the original dropper gets deleted from the %TEMP% directory. 
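For triage of a suspicious shortcut like the one described above, here is an added example (not McAfee's tooling): a minimal parser for the Shell Link header and StringData section of the .lnk format, plus heuristics for the traits just described (a script host as the real target, an icon borrowed from a PDF reader, a minimised window). The sample .lnk bytes are constructed inside the block, and the PowerShell command line in the sample is a placeholder, not a real payload.

```python
"""Minimal Shell Link (.lnk) triage: parse the fixed header and StringData
section (MS-SHLLINK) and flag shortcut traits common in malicious attachments.
Added example, not McAfee's tooling; the sample .lnk files are constructed inline."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")


def build_lnk(relative_path, arguments, icon_location, show_command=1):
    """Constructed sample: 76-byte header + Unicode StringData + terminal block."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20,         # FileAttributes: ARCHIVE
                         0, 0, 0,      # creation / access / write FILETIME
                         0, 0,         # FileSize, IconIndex
                         show_command, 0, 0, 0, 0)

    def s(text):  # CountCharacters (u16) followed by UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + s(icon_location) + b"\x00" * 4


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and the StringData strings of a .lnk file."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDList: u16 size + bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: u32 total size
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def triage(fields: dict) -> list:
    """Heuristics for the lure described in the text; returns human-readable findings."""
    findings = []
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    icon = fields.get("icon_location", "").lower()
    host = next((h for h in SCRIPT_HOSTS if h in target), None)
    if host:
        findings.append(f"target launches a script host: {host}")
    if host and icon and host not in icon:        # icon borrowed from another program
        findings.append(f"icon borrowed from unrelated program: {icon}")
    if "-w hidden" in args or "-enc" in args or len(args) > 200:
        findings.append("command line hides its window, is encoded, or is unusually long")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7: target starts minimised")
    return findings


# Constructed samples: a PDF-lookalike that really runs PowerShell, and a true PDF link.
SUSPICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-w hidden -nop -c "PLACEHOLDER-DOWNLOAD-COMMAND"',
    icon_location=r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(relative_path=r"..\..\Reports\Q2.pdf", arguments="",
                       icon_location=r"C:\Program Files\Adobe\Acrobat\Acrobat.exe")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage(parse_lnk(blob)))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures rather than decoding them, since the string fields are what a first-pass triage of a mail attachment needs; a real shortcut that sets only the IDList (no RelativePath) would need the IDList decoded to recover its target.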

Precautionary tips 

Emotet is a sophisticated and long-lived malware family that has affected users globally. Threat actors constantly adapt their techniques to stay one step ahead of security researchers. McAfee Labs continuously monitors Emotet activity and has published guidelines to protect users from infection. 

• It is important to note that Emotet is an endpoint threat spread via email, therefore endpoint detection and response (EDR) and antivirus tooling are imperative to disrupting this threat. 

• Don’t keep important files in common locations such as the Desktop, My Documents, etc. 

• Use strong passwords and enforce multi-factor authentication wherever possible. 

• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 

• Use a trusted anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

• Avoid clicking on untrusted links and email attachments without verifying their authenticity. 

• Conduct regular backup practices and keep those backups offline or in a separate network.

84% of US Businesses Experienced Identity-Related Breaches


According to new information from the non-profit Identity Defined Security Alliance (IDSA), the number of security breaches resulting from phishing or the exploitation of identities has reached epidemic proportions. For its 2022 Trends in Securing Digital Identities report, the IDSA surveyed 500 US identity and security experts. 

In the past year, 84% of respondents reported having suffered an identity-related breach, with the clear majority (78%) stating that it had a direct effect on the firm. The daily growth of identities in the corporate sector compounds the issue. 

When leaders prioritize identity security, risky behavior is reduced: 71% of companies have executives who publicly address staff members about password security. Even so, risky security behaviors were acknowledged by 60% of IT/security stakeholders. 

Respondents are focusing on the fundamentals: 97% say they will invest in identity-focused security outcomes, with MFA a major area of interest, especially for employees and privileged users. 

The report suggested a few basic steps businesses can take to reduce the risk of unauthorized access. When executives discuss corporate credentials, for instance, the survey found that 72% of respondents are more careful with their work passwords than with their personal passwords. 

However, it seems that businesses are taking the problem seriously. Almost all respondents (97%) stated they intended to invest in "identity-focused security outcomes," and 94% reported that identity investments are part of strategic efforts such as cloud adoption (62%), Zero Trust deployment (51%), and digital transformation initiatives (42%).

According to the Anti-Phishing Working Group(APWG), phishing reached an all-time high in the first quarter of 2022. 

Newly Detected Magecart Infrastructure Discloses the Scale of Ongoing Campaign


A recently discovered Magecart skimming campaign has its origins in an earlier attack activity dating back to November 2021. 

To that end, Malwarebytes revealed in a Tuesday investigation that two malware domains identified as hosting credit card skimmer code — "scanalytic[.]org" and "js.staticounter[.]net" — are part of a larger infrastructure used to carry out the attacks. 

Jérôme Segura stated, "We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines. However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits." 

Based on the other domains discovered, the earliest indication of campaign activity has been around since May 2020. Magecart is a cybercrime syndicate made up of dozens of subgroups that specialise in hacks involving digital credit card fraud through the injection of JavaScript code into e-commerce shops, often on checkout pages. 

Operatives obtain access to websites either directly or through third-party firms that provide software to the targeted websites. While the attacks first received attention in 2015 for targeting the Magento e-commerce platform (the term Magecart is a combination of "Magento" and "shopping cart"), they have now spread to other platforms, including a WordPress plugin called WooCommerce. 

According to a Sucuri study published in April 2022, WordPress overtook Magento as the leading CMS platform for credit card skimming malware in July 2021, with skimmers hidden in websites as fake images and seemingly harmless JavaScript theme files. 

Furthermore, during the first five months of 2022, WordPress websites accounted for 61 per cent of known credit card skimmer malware detections, followed by Magento (15.6 per cent), OpenCart (5.5 per cent), and others (17.7 per cent). 

"Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web," Sucuri's Ben Martin stated at the time.

Former Amazon Employee Found Guilty in 2019 Capital One Data Breach


Paige Thompson, a 36-year-old former Amazon employee, has been found guilty of her role in the theft of private data of no fewer than 100 million people in the 2019 Capital One breach. A Seattle jury convicted her of wire fraud and five counts of unauthorized access to a protected computer. 

Thompson, who operated under the online name "erratic" and worked for the tech giant until 2016, is scheduled for sentencing on September 15, 2022. Cumulatively, the offenses are punishable by up to 25 years in prison. 

"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," stated U.S. Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself." 

The data breach, which came to light in July 2019, involved Thompson infiltrating Amazon's cloud computing systems and stealing the private data of nearly 100 million individuals in the U.S. and six million in Canada. That included names, dates of birth, Social Security numbers, email addresses and phone numbers, and other critical financial data such as credit scores, limits, and balances. 

According to the Department of Justice, Thompson used a custom tool she designed herself to search for misconfigured Amazon Web Services (AWS) accounts. She then exfiltrated sensitive data belonging to over 30 entities, including Capital One, deployed cryptocurrency mining software onto the bank's servers, and sent the earnings straight to her digital wallet. 

Additionally, the hacker left an online trail for authorities to follow as she boasted about her illegal activities to others via text and online forums, the Justice Department noted. The stolen data was also shared on a publicly accessible GitHub page. 

"She wanted data, she wanted money, and she wanted to brag," Assistant U.S. Attorney Andrew Friedman told the jury in the closing arguments, according to a press statement from the Justice Department. 

In August 2020, the banking giant was fined $80 million by the Office of the Comptroller of the Currency (OCC) for failing to implement proper risk management measures before shifting its IT operations to a public cloud service. In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit over the hack.

Email System of Germany's Green Party Targeted, 14 Accounts Compromised


The email accounts of foreign minister Annalena Baerbock and economy minister Robert Habeck were both compromised last month, according to the German Green party, a member of the country's coalition government. 

The party confirmed a report published on Saturday by the German magazine Der Spiegel, but said that the two ministers had not used their official party accounts since January.

According to the Der Spiegel report, the Green Party said that a total of 14 accounts, including those of the party's co-leaders Omid Nouripour and Ricarda Lang, were hacked and that certain messages were forwarded to other servers. The article further reported that the attack also affected the party's "Grüne Netz" intranet system, where private information is exchanged.

The party declined to confirm Der Spiegel's claim that an electronic trace suggested the cyberattack may have originated in Russia, citing the ongoing investigation by German authorities.

"More than these email accounts are affected," a party official said. The affected mailboxes use the domain "@gruene.de". The representative stated that it was not yet known who was behind the intrusion. The first indication of the attack came on May 30, and access to the system has been restricted since June 13, when specialists determined that there had been a breach. 

Authorities blamed the unauthorized access on Russian state-sponsored hackers. Baerbock has consistently taken a hard line in response to Russia's human rights abuses and aggression against Ukraine. Since taking office in December, Habeck has been in charge of Germany's initiatives to wean itself off Russian energy sources.

Network logs, according to the Greens, did not reflect any signs of the increased traffic levels that would indicate the theft of a significant amount of data.

CISA Alerts on Serious Flaws in Industrial Equipment & Infrastructure


According to the US government's CISA and private security researchers, 56 vulnerabilities have been discovered in industrial operational technology (OT) systems from ten global manufacturers, including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk. 

Some of these flaws received CVSS severity ratings as high as 9.8 out of 10. This is especially worrying given that these devices are employed in critical infrastructure throughout the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation industries. 

Remote code execution (RCE) and firmware vulnerabilities are the most serious of the security problems. If exploited, these flaws could allow criminals to shut down electricity and water infrastructure or disrupt the food supply. This is not to claim that any of these scenarios is practically achievable, only that these are the kinds of devices and processes involved. 

Forescout's Vedere Labs uncovered the flaws in devices produced by 10 vendors and used by the security firm's customers and termed them OT:ICEFALL. As per the researchers, the vulnerabilities affect at least 324 enterprises worldwide – a figure that is likely to be far higher in reality because Forescout only has access to its own clients' OT devices. In addition to the previously mentioned firms, the researchers discovered weaknesses in Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa devices.

OT Devices are insecure by design

The majority of issues are found in level 1 and level 2 OT devices. Physical processes are controlled by level 1 devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), whereas level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.

In addition to the 56 highlighted in a Vedere report today, the threat-hunting team uncovered four more that are still being kept under wraps pending responsible disclosure. One of the four allows an attacker to compromise credentials, two let an attacker change the firmware of OT systems, and the fourth is an RCE through a memory-write flaw. 

Many of these flaws are the consequence of OT products' "insecure-by-design" build, according to Forescout's head of security research Daniel dos Santos. Several OT devices lack fundamental security protections, making them simpler for criminals to exploit, he said. 

Since that earlier analysis, "there have been real-world incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in Ukraine in 2016, or Triton in the Middle East in 2017. One instance of insecure-by-design is unauthenticated protocols. So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password," dos Santos stated.

The security researchers found nine vulnerabilities in protocols that lack authentication entirely, among them CVE-2022-29953, CVE-2022-29957, CVE-2022-29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. 

The majority of these can be used to download and run firmware and logic on other people's devices, resulting in RCE, or to trigger shutdowns and reboots that cause denial-of-service conditions. Ideally, equipment using these protocols is not connected to computers and other systems in a way that lets a network intruder abuse them. 

Credential compromise: Most common issue

Five of the flaws were noted more than once by Vedere Labs because they had various possible consequences. More than a third of the 56 vulnerabilities (38%) can be exploited to compromise user login credentials, while 21% might allow a criminal to change the firmware if exploited, and 14% are RCEs. 

Other vulnerability categories include denial of service and configuration manipulation (eight percent), authentication bypass (six percent), file manipulation (three percent), and logic manipulation (two percent). 

Fixing these security flaws will be difficult, according to the researchers, since they are the consequence of OT products being vulnerable by design, or because they need modifications in device firmware and supported protocols. 

As a result, they did not reveal all of the technical details for the affected OT devices, which explains the lack of depth. They did, however, advise users to read each vendor's security advisory, expected to be released today or soon. Furthermore, where possible, Forescout recommends isolating OT and industrial control system networks from corporate networks and the internet.

Google Chrome Extensions can be Employed to Track Your Online Activity


A web developer going by the alias ‘z0ccc’ has created a website that can generate a unique online tracking fingerprint based on Chrome extensions installed on the visiting browser. 

The technique relies on fetching the extensions' web-accessible resources, files inside an extension's package that ordinary web pages are allowed to load. Such a file can consequently be used to detect that an extension is installed, and the combination of installed extensions yields a fingerprint of the visiting user. 

The approach was first demonstrated in 2019, but the website was built only recently. Some extensions evade detection by requiring secret tokens to access their web resources, but a novel "resource timing comparison" technique can still determine whether such an extension is installed on the endpoint. 

"Resources of protected extensions will take longer to fetch than resources of extensions that are not installed," z0ccc explained on the project's GitHub page. "By comparing the timing differences, you can accurately determine if the protected extensions are installed." 

To illustrate this fingerprinting technique, the web developer designed an Extension Fingerprints website that will examine a visitor's browser for the existence of web-accessible resources in 1,170 popular extensions available on the Google Chrome Web Store. 

The methodology also operates with extensions installed from the Chrome Web Store in Chromium browsers, such as Microsoft Edge. It can spot Edge extensions from Microsoft’s dedicated store, but z0ccc’s website doesn’t support this feature. 

Interestingly, the technique doesn’t work for Firefox extensions as the browser extension IDs are unique for every browser instance, making the web-accessible resources URL impossible to identify by third parties. 

To limit fingerprinting via extension detection, users can reduce the number of extensions they install in Chrome and Chromium browsers. Installing more extensions, in unusual combinations, increases the likelihood of a unique tracking hash, which facilitates fingerprinting.

"This is definitely a viable option for fingerprinting users," z0ccc explained in the blog post. "Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc.) users could be very easily identified."

Google: 5-year-old Apple Flaw Exploited


Google Project Zero researchers have revealed insights into a vulnerability in Apple Safari that has been extensively exploited in the wild. The vulnerability, known as CVE-2022-22620, was first patched in 2013, but experts identified a technique to overcome it in 2016. 

Apple has patched a zero-day vulnerability in WebKit that affects iOS, iPadOS, macOS, and Safari and may have been extensively exploited in the wild, according to CVE.org. 

In February, Apple patched the zero-day vulnerability, a use-after-free flaw that can be triggered by processing maliciously crafted web content, allows credential spoofing, and results in arbitrary code execution. "When the issue was first discovered in 2013, the version was patched entirely," Google Project Zero's Maddie Stone stated. "Three years later, amid substantial restructuring efforts, the variant was reintroduced. The vulnerability remained active for another five years before being addressed as an in-the-wild zero-day in January 2022." 

While the 2013 and 2022 bugs in the History API are fundamentally the same, the paths to triggering the vulnerability differ. Further code changes made years later brought the zero-day back as a "zombie" vulnerability. 

An anonymous researcher discovered the flaw, and the corporation fixed it with better memory management. Maddie Stone examined the software's evolution over time, beginning with the code of Apple's fix and the security bulletin's description of the vulnerability, which stated that the flaw is a use-after-free flaw. 

“As an offensive security research team, we can make assumptions about the main issues that current software development teams face: Legacy code, short reviewer turn-around expectations, under-appreciation and under-rewarding of refactoring and security efforts, and a lack of memory safety mitigations” the report stated. 

"In October, 40 files were modified, with 900 additions and 1225 removals. The December commit modified 95 files, resulting in 1336 additions and 1325 removals," Stone highlighted. 

Stone further underlined the need to spend adequate time auditing code and patches, so that already-fixed bugs are not reintroduced and the security implications of the changes being made are understood, noting that the incident is not unique to Safari.

QNAP NAS Devices Struck by eCh0raix Ransomware Attacks


The ech0raix ransomware has resumed targeting vulnerable QNAP Network Attached Storage (NAS) systems this week, as per user complaints and sample uploads on the ID Ransomware site.

ech0raix (also known as QNAPCrypt) began attacking QNAP customers in many large-scale waves in the summer of 2019 when attackers brute-forced their entry into Internet-exposed NAS equipment. Since then, victims of this ransomware strain have discovered and reported numerous further campaigns, in June 2020, May 2020, and a large wave of assaults targeting devices with weak passwords that began in mid-December 2021 (just before Christmas) and gradually declined towards early February 2022. 

A fresh series of ech0raix attacks has been confirmed by an increase in the number of ID Ransomware submissions and by users reporting infections on the BleepingComputer forums, with the first hit on June 8. 

Although just a few dozen ech0raix samples have been submitted, the real number of successful assaults is likely to be larger because only a subset of victims will utilize the ID Ransomware service to detect the ransomware that encrypted their devices. 

While this ransomware has been used to encrypt Synology NAS systems since August 2021, this time victims have solely reported attacks on QNAP NAS systems. The attack vector employed in the current ech0raix campaign is unknown until QNAP releases additional information on these attacks. 

How to Protect NAS Against Attacks 

While QNAP has yet to warn customers about these attacks, the firm has previously recommended that users protect their data from potential eCh0raix attacks by:
  • using stronger passwords for administrator accounts,
  • enabling IP Access Protection to protect accounts from brute-force attacks, and
  • avoiding the default port numbers 443 and 8080.
In that security advisory, QNAP gives detailed step-by-step instructions for changing the NAS password, enabling IP Access Protection, and changing the system port number. 

Customers are also advised by the Taiwanese hardware manufacturer to disable Universal Plug and Play (UPnP) port forwarding on their routers to avoid exposing their NAS systems to Internet-based attacks. Users can also disable SSH and Telnet connections and enable IP and account access protection by following QNAP's step-by-step instructions. QNAP also urged users on Thursday to protect their devices against ongoing DeadBolt ransomware attacks. 

"According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series," the NAS maker stated.

"QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet."

Hackers Target Inverse Finance in a Flash Loan Oracle Attack


Inverse Finance, a decentralized autonomous organization (DAO), has suffered a flash loan attack in which hackers stole $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). This comes just two months after the DeFi protocol suffered an exploit in which attackers siphoned off $15.6 million through price oracle manipulation. 

"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said. 

Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol that facilitates the borrowing and lending of crypto assets. The latest exploit used a flash loan attack: the attackers took out an uncollateralized flash loan from a DeFi platform, used it to push up the price of a crypto asset, withdrew against the inflated value, and repaid the loan within the same transaction. 
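To make the mechanism concrete, here is a constructed Python simulation (an added example, not Inverse Finance's contracts or the attacker's actual transaction) of a constant-product pool used as a price oracle by a lending market. The pool sizes, the flash-loan amount, the DOLA/USD pairing and the 80% loan-to-value ratio are assumptions; swap fees are omitted so the arithmetic is exact. A time-weighted average price over past blocks and a spot-versus-reference deviation check are shown as the oracle hardening measures.

```python
"""Flash-loan oracle manipulation against a constant-product pool, and two
oracle hardening checks.  Added example with constructed numbers; not the
Inverse Finance contracts or the attacker's real transaction."""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Uniswap-v2-style pool holding DOLA and USD-stablecoin reserves.
    Swap fees are omitted so that the arithmetic is exact (assumption)."""
    reserve_dola: float
    reserve_usd: float

    def spot_price(self) -> float:
        """Instantaneous USD price of 1 DOLA implied by the reserves."""
        return self.reserve_usd / self.reserve_dola

    def swap_usd_for_dola(self, usd_in: float) -> float:
        k = self.reserve_dola * self.reserve_usd            # x * y = k invariant
        self.reserve_usd += usd_in
        dola_out = self.reserve_dola - k / self.reserve_usd
        self.reserve_dola -= dola_out
        return dola_out

    def swap_dola_for_usd(self, dola_in: float) -> float:
        k = self.reserve_dola * self.reserve_usd
        self.reserve_dola += dola_in
        usd_out = self.reserve_usd - k / self.reserve_dola
        self.reserve_usd -= usd_out
        return usd_out


def borrow_limit_usd(collateral_dola: float, price_usd: float, ltv: float = 0.8) -> float:
    """What a naive money market lets a depositor borrow against DOLA collateral."""
    return collateral_dola * price_usd * ltv


def simulate_flash_loan_attack(pool, flash_loan_usd, collateral_dola, ltv=0.8):
    """One atomic transaction: borrow USD, distort the pool, read the spot
    oracle, unwind the swap, repay.  Returns the figures a post-mortem wants."""
    honest_limit = borrow_limit_usd(collateral_dola, pool.spot_price(), ltv)
    dola_bought = pool.swap_usd_for_dola(flash_loan_usd)   # DOLA spot price spikes
    manipulated_price = pool.spot_price()
    inflated_limit = borrow_limit_usd(collateral_dola, manipulated_price, ltv)
    usd_recovered = pool.swap_dola_for_usd(dola_bought)    # unwind to repay the loan
    return {
        "manipulated_price": manipulated_price,
        "honest_limit": honest_limit,
        "inflated_limit": inflated_limit,
        "loan_repayable": usd_recovered >= flash_loan_usd,
    }


def twap(block_prices):
    """Equal-weight time-weighted average of per-block oracle observations."""
    return sum(block_prices) / len(block_prices)


def price_is_sane(spot, reference, max_deviation=0.10):
    """Circuit breaker: reject a spot reading that deviates from a slower
    reference (TWAP or external feed) by more than max_deviation."""
    return abs(spot - reference) <= max_deviation * reference


if __name__ == "__main__":
    pool = ConstantProductPool(reserve_dola=1_000_000, reserve_usd=1_000_000)
    r = simulate_flash_loan_attack(pool, flash_loan_usd=4_000_000, collateral_dola=100_000)
    print(r)   # spot jumps from 1.0 to 25.0; borrow limit 80,000 -> 2,000,000; loan repaid
    history = [1.0] * 9 + [r["manipulated_price"]]
    print(twap(history), price_is_sane(r["manipulated_price"], twap(history[:-1])))
```

Two things the numbers show: because the whole sequence is one transaction, the attacker recovers the full loan amount and the manipulation costs nothing but gas and fees, and a spot-reserve oracle hands out a 25x larger borrow limit for the duration of that transaction. An oracle that records one observation per block and averages them cannot be moved by an intra-transaction swap at all, and even if one distorted observation did land in the window, the average (3.4 here) is far less useful to the attacker, while the deviation check refuses the reading outright.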

Upon discovering the attack, the DeFi protocol temporarily paused borrowing and removed the DOLA stablecoin from the money market, saying that it was investigating the incident and that no user funds were at risk. 

It later confirmed that only the hacker’s deposited collateral was impacted in the incident. In a tweet, the company requested the attackers to return the funds in return for a “generous bounty”. 

In total the hacker obtained 99,976 USDT and 53.2 WBTC from the attacks. As soon as the hack succeeded, the attackers routed the funds through Tornado Cash, a cryptocurrency mixing or tumbling protocol designed to obscure where funds came from; the service is also popular for money laundering.

It should be noted that the rapid rise of DeFi, which facilitates crypto-denominated lending outside traditional banking, has been a major factor in the increase in stolen funds and fraud. Threat actors have targeted DeFi protocols the most, in yet another warning for those dabbling in this emerging segment of the crypto industry.

“DeFi is one of the most exciting areas of the wider cryptocurrency ecosystem, presenting huge opportunities to entrepreneurs and cryptocurrency users alike,” as per a report by Chainalysis. 

Last year, more stolen funds flowed to DeFi platforms (51 percent) and centralized exchanges received less than 15 percent of the total stolen funds, Chainalysis wrote in its annual Crypto Crime report. “This is likely due to exchanges’ embrace of AML and KYC processes, which threaten the anonymity of cybercriminals,” the report added.