The Hacker News
Most trusted, widely-read infosec source of the latest hacking news, cyberattacks, computer security, and cybersecurity for ethical hackers, penetration testers, and information technology professionals. Contact — admin@thehackernews.com
Recent Updates
  • THEHACKERNEWS.COM
    LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages
    Dec 21, 2024 | Ravie Lakshmanan | Ransomware / Cybercrime

    A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024.

    Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a statement. Based on fund transfers to a cryptocurrency wallet owned by Panev, he allegedly earned approximately $230,000 between June 2022 and February 2024.

    "Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit co-conspirators to wreak havoc and cause billions of dollars in damage around the world," U.S. Attorney Philip R. Sellinger said.

    LockBit, which was one of the most prolific ransomware groups, had its infrastructure seized in February 2024 as part of an international law enforcement operation called Cronos. It gained notoriety for targeting more than 2,500 entities in at least 120 countries around the world, including 1,800 in the U.S. alone.

    Victims of LockBit's attacks ranged from individuals and small businesses to multinational corporations, and included hospitals, schools, nonprofit organizations, critical infrastructure, government, and law enforcement agencies. The RaaS is believed to have netted the group at least $500 million in illicit profits.

    Court documents show that Panev's computer, analyzed following his arrest, held administrator credentials for an online repository that was hosted on the dark web and contained source code for multiple versions of the LockBit builder, which affiliates used to create custom builds of the ransomware.

    Also discovered were access credentials for the LockBit control panel and a tool called StealBit, which allowed the affiliate actors to exfiltrate sensitive data from compromised hosts prior to initiating the encryption process.

    Panev, besides writing and maintaining the LockBit malware code as well as offering technical guidance to the e-crime group, is also accused of exchanging direct messages with Dmitry Yuryevich Khoroshev, the primary administrator who also went by the online alias LockBitSupp, discussing development work related to the builder and control panel.

    "In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work," the DoJ said.

    "Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network."

    With the latest arrest, a total of seven LockBit members, including Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, and Mikhail Pavlovich Matveev, have been charged in the U.S.

    Despite these operational setbacks, the LockBit operators appear to be plotting a comeback, with a new version, LockBit 4.0, scheduled for release in February 2025. However, it remains to be seen if the extortion gang can successfully stage a return in light of the ongoing wave of takedowns and charges.

    Second Netwalker Ransomware Affiliate Gets 20 Years in Prison

    The development comes as Daniel Christian Hulea, a 30-year-old Romanian affiliate of the NetWalker ransomware operation, was sentenced to 20 years in prison and ordered to forfeit $21,500,000 and his interests in an Indonesian company and a luxury resort property that was financed with ill-gotten proceeds from the attacks.

    Hulea previously pleaded guilty in the U.S. to charges of computer fraud conspiracy and wire fraud conspiracy back in June 2024. He was arrested in Romania on July 11, 2023, and subsequently extradited to the U.S.

    "As part of his plea agreement, Hulea admitted to using NetWalker to obtain approximately 1,595 bitcoin in ransom payments for himself and a co-conspirator, valued at approximately $21,500,000 at the time of the payments," the DoJ said.

    The NetWalker ransomware operation particularly singled out the healthcare sector during the height of the COVID-19 pandemic. It was dismantled online in January 2021 when U.S. and Bulgarian authorities seized the dark web sites used by the group. In October 2022, a Canadian affiliate, Sebastien Vachon-Desjardins, was sentenced to 20 years in prison.

    Raccoon Stealer Developer Sentenced to 5 Years in Prison

    In related law enforcement news, the DoJ also announced the sentencing of Mark Sokolovsky, a Ukrainian national accused of being the primary developer of the Raccoon Stealer malware, to 60 months in federal prison for one count of conspiracy to commit computer intrusion.

    The 28-year-old conspired to offer the Raccoon infostealer as a malware-as-a-service (MaaS) to other criminal actors for $200 a month; those actors then deployed the malware on victims' systems using various ruses such as email phishing in order to steal sensitive data. The harvested information was used to commit financial crimes or sold to others on underground forums.

    Sokolovsky, who was extradited from the Netherlands in February 2024, pleaded guilty to the crime in early October and agreed to forfeit $23,975 and pay at least $910,844.61 in restitution.

    "Mark Sokolovsky was a key player in an international criminal conspiracy that victimized countless individuals by administering malware which made it cheaper and easier for even amateurs to commit complex cybercrimes," said U.S. Attorney Jaime Esparza for the Western District of Texas.

    The U.S. Federal Bureau of Investigation (FBI) has set up a website where users can check whether their email address shows up in the data stolen by the Raccoon stealer malware. The MaaS operation was taken offline in March 2022, concurrent with Sokolovsky's arrest by Dutch authorities.

    NYC Man Gets Nearly 6 Years in Prison for Credit Card Trafficking and Money Laundering

    The latest actions also follow the sentencing of a 32-year-old New York City man, Vitalii Antonenko, to time served plus days for his involvement in a criminal scheme that infiltrated systems with SQL injection attacks in order to steal credit card and personal information and offer the data for sale on online criminal marketplaces.

    "Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control," the DoJ noted in May 2020. "The conspiracy's victims included a hospitality business and non-profit scientific research institution, both located in eastern Massachusetts."

    Antonenko was arrested in March 2019 on his return to the U.S. from Ukraine carrying "computers and other digital media that held hundreds of thousands of stolen payment card numbers." In September 2024, he pleaded guilty to one count of conspiracy to gain unauthorized access to computer networks and to traffic in unauthorized access devices, and one count of money laundering conspiracy.
  • THEHACKERNEWS.COM
    Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware
    Dec 20, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware

    The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024.

    The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are part of a long-running cyber espionage campaign known as Operation Dream Job, which is also tracked as NukeSped by cybersecurity company Kaspersky. It's known to have been active since at least 2020, when it was exposed by ClearSky.

    These activities often involve targeting developers and employees in various companies, including defense, aerospace, cryptocurrency, and other global sectors, with lucrative job opportunities that ultimately lead to the deployment of malware on their machines.

    "Lazarus is interested in carrying out supply chain attacks as part of the DeathNote campaign, but this is mostly limited to two methods: the first is by sending a malicious document or trojanized PDF viewer that displays the tailored job descriptions to the target," the Russian firm said in an exhaustive analysis.

    "The second is by distributing trojanized remote access tools such as VNC or PuTTY to convince the targets to connect to a specific server for a skills assessment."

    The latest set of attacks documented by Kaspersky involves the second method, with the adversary making use of a completely revamped infection chain delivering a trojanized VNC utility under the pretext of conducting a skills assessment for IT positions at prominent aerospace and defense companies.

    It's worth noting that Lazarus Group's use of rogue versions of VNC apps to target nuclear engineers was previously highlighted by the company in October 2023 in its APT trends report for Q3 2023.

    "Lazarus delivered the first archive file to at least two people within the same organization (we'll call them Host A and Host B)," researchers Vasily Berdnikov and Sojun Ryu said. "After a month, they attempted more intensive attacks against the first target."

    The VNC apps, a trojanized version of TightVNC called "AmazonVNC.exe," are believed to have been distributed in the form of both ISO images and ZIP files. In other cases, a legitimate version of UltraVNC was used to sideload a malicious DLL packed within the ZIP archive.

    The DLL ("vnclang.dll") serves as a loader for a backdoor dubbed MISTPEN, which was uncovered by Google-owned Mandiant in September 2024. Mandiant tracks the activity cluster under the moniker UNC2970. MISTPEN, for its part, has been found to deliver two additional payloads: RollMid and a new variant of LPEClient.

    Kaspersky said it also observed the CookieTime malware being deployed on Host A, although the exact method that was used to facilitate it remains unknown. First discovered by the company in September and November 2020, CookieTime is so named for its use of encoded cookie values in HTTP requests to fetch instructions from a command-and-control (C2) server.

    Further investigation of the attack chain has revealed that the threat actor moved laterally from Host A to another machine (Host C), where CookieTime was again used to drop various payloads between February and June 2024, such as the following:

    - LPEClient, a malware that comes fitted with capabilities to profile compromised hosts
    - ServiceChanger, a malware that stops a targeted legitimate service so as to sideload a rogue DLL embedded within it via the service's legitimate executable (DLL side-loading)
    - Charamel Loader, a loader malware that decrypts and loads internal resources like CookieTime, CookiePlus, and ForestTiger
    - CookiePlus, a new plugin-based malicious program that's loaded by both ServiceChanger and Charamel Loader

    "The difference between each CookiePlus loaded by Charamel Loader and by ServiceChanger is the way it is executed. The former runs as a DLL alone and includes the C2 information in its resources section," the researchers pointed out.

    "The latter fetches what is stored in a separate external file like msado.inc, meaning that CookiePlus has the capability to get a C2 list from both an internal resource and an external file. Otherwise, the behavior is the same."

    CookiePlus gets its name from the fact that it was disguised as an open-source Notepad++ plugin called ComparePlus when it was detected in the wild for the first time. In the attacks targeting the nuclear-related entity, it has been found to be based on another project named DirectX-Wrappers.

    The malware serves as a downloader to retrieve a Base64-encoded, RSA-encrypted payload from the C2 server, which is then decoded and deciphered to execute three different shellcodes or a DLL. The shellcodes are equipped with features to collect system information and make the main CookiePlus module sleep for a certain number of minutes.

    It's suspected that CookiePlus is a successor to MISTPEN owing to behavioral overlaps between the two malware families, including the fact that both have disguised themselves as Notepad++ plugins.

    "Throughout its history, the Lazarus group has used only a small number of modular malware frameworks such as Mata and Gopuram Loader," Kaspersky said. "The fact that they do introduce new modular malware, such as CookiePlus, suggests that the group is constantly working to improve their arsenal and infection chains to evade detection by security products."

    The findings come as blockchain intelligence firm Chainalysis revealed that threat actors affiliated with North Korea have stolen $1.34 billion across 47 cryptocurrency hacks in 2024, up from $660.50 million in 2023. This included the May 2024 breach of Japanese cryptocurrency exchange DMM Bitcoin, which suffered a loss of $305 million at the time.

    "Unfortunately, it appears that the DPRK's crypto attacks are becoming more frequent," the company said. "Notably, attacks between $50 and $100 million, and those above $100 million occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits."
  • THEHACKERNEWS.COM
    Dutch DPA Fines Netflix €4.75 Million for GDPR Violations Over Data Transparency
    Dec 19, 2024 | Ravie Lakshmanan | Privacy / Data Protection

    The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020.

    An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data it collects from its users. This includes email addresses, telephone numbers, payment details, as well as information about what customers watch on the platform.

    "Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them," the DPA said, adding that these constitute violations of the General Data Protection Regulation (GDPR).

    Besides failing to clarify the purpose and legal basis for gathering the data, the company has also been accused of being unclear about what kinds of information are shared with third parties and for what reasons, the data retention period, and the security guarantees that apply when the information is transmitted to countries outside of Europe.

    Austrian privacy non-profit None of Your Business (noyb), which filed the complaint against Netflix in January 2019, said it's "happy" with the DPA's decision, while noting that it took almost five years to obtain it.

    "Netflix didn't just fail to provide sufficient information about why it collects data and what it does with it," it said. "The company didn't even manage to provide a full copy of the complainant's data."

    Although the company has since updated its privacy statement and improved the information it provides to users, it's objecting to the fine, the DPA added.

    "A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data," Dutch DPA chairman Aleid Wolfsen said. "That must be crystal clear. Especially if the customer asks about this. And that was not in order."

    Noyb has also filed similar complaints against Amazon, Apple Music, Spotify, and YouTube, with the case against Spotify resulting in the music streamer facing a fine of around €5 million from the Swedish Data Protection Authority (IMY) in June 2023.

    The development comes as the Irish Data Protection Commission (DPC) imposed a monetary penalty of €251 million (around $263 million) on Meta for a 2018 data breach that impacted 3 million users in the European Union.
  • THEHACKERNEWS.COM
    CISA Mandates Cloud Security for Federal Agencies by 2025 Under Binding Directive 25-01
    Dec 19, 2024 | Ravie Lakshmanan | Cloud Security / Encryption

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, ordering federal civilian agencies to secure their cloud environments and abide by Secure Cloud Business Applications (SCuBA) secure configuration baselines.

    "Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," the agency said, adding that the directive "will further reduce the attack surface of the federal government networks."

    As part of 25-01, agencies are also recommended to deploy CISA-developed automated configuration assessment tools to measure against the baselines, integrate with the agency's continuous monitoring infrastructure, and address any deviations from the secure configuration baselines.

    While the baselines are currently limited to Microsoft 365 (Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive, and Microsoft Teams), the cybersecurity agency said it may release additional SCuBA Secure Configuration Baselines for other cloud products.

    The BOD, named Implementing Secure Practices for Cloud Services, primarily requires all federal agencies to meet a series of deadlines next year:

    - Identify all cloud tenants, including tenant name and the system owning agency/component for each tenant, no later than February 21, 2025 (to be updated annually)
    - Deploy all SCuBA assessment tools for in-scope cloud tenants no later than April 25, 2025, and either integrate the tool results feeds with CISA's continuous monitoring infrastructure or report them manually on a quarterly basis
    - Implement all mandatory SCuBA policies no later than June 20, 2025
    - Implement all future updates to mandatory SCuBA policies within specified timelines
    - Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants prior to granting an Authorization to Operate (ATO)

    CISA is also strongly recommending that all organizations implement these policies in order to reduce potential risks and enhance resilience across the board.

    "Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape, where vendor changes, software updates, and evolving security best practices shape the threat environment," CISA said. "As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also adjust."

    "By regularly updating security configurations, organizations leverage the latest protective measures, reducing the risk of security breaches and maintaining robust defense mechanisms against cyber threats."

    CISA Pushes for Use of E2EE Services

    News of the Binding Operational Directive comes as CISA has released new guidance on mobile communications best practices in response to cyber espionage campaigns orchestrated by China-linked threat actors like Salt Typhoon targeting U.S. telecommunications companies.

    "Highly targeted individuals should assume that all communications between mobile devices (including government and personal devices) and internet services are at risk of interception or manipulation," CISA said.

    To that end, individuals who are in senior government or senior political positions are being advised to:

    - Use only end-to-end encrypted (E2EE) messaging applications such as Signal
    - Enable phishing-resistant multi-factor authentication (MFA)
    - Stop using SMS as a second factor for authentication
    - Use a password manager to store all passwords
    - Set a PIN for mobile phone accounts to prevent subscriber identity module (SIM)-swapping attacks
    - Update software on a regular basis
    - Switch to devices with the latest hardware to take advantage of critical security features
    - Do not use a personal virtual private network (VPN) due to "questionable security and privacy policies"
    - On iPhone devices, enable Lockdown Mode, disable the option to send an iMessage as a text message, secure Domain Name System (DNS) queries, activate iCloud Private Relay, and review and restrict app permissions
    - On Android devices, prioritize getting models from manufacturers that have a track record of security commitments, use Rich Communication Services (RCS) only if E2EE is enabled, configure DNS to use a trusted resolver, enable Enhanced Protection for Safe Browsing in Google Chrome, make sure Google Play Protect is enabled, and review and restrict app permissions

    "While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors," CISA said.
  • THEHACKERNEWS.COM
    CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List
    Dec 20, 2024 | Ravie Lakshmanan | CISA / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

    The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection flaw that could be exploited by a malicious actor to run arbitrary commands as the site user.

    "BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user," CISA said.

    While the issue has already been patched in customers' cloud instances, those using self-hosted versions of the software are recommended to update to the below versions:

    - Privileged Remote Access (versions 24.3.1 and earlier) - PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2
    - Remote Support (versions 24.3.1 and earlier) - RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2

    News of active exploitation comes after BeyondTrust revealed that it was the victim of a cyber attack earlier this month that allowed unknown threat actors to breach some of its Remote Support SaaS instances.

    The company, which has enlisted the help of a third-party cybersecurity and forensics firm, said its investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.

    Its probe has since uncovered another medium-severity vulnerability (CVE-2024-12686, CVSS score: 6.6) which can allow an attacker with existing administrative privileges to inject commands and run them as a site user. The newly discovered flaw has been addressed in the below versions:

    - Privileged Remote Access (PRA) - PRA patch BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6, and BT24-11-ONPREM7 (dependent on PRA version)
    - Remote Support (RS) - RS patch BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6, and BT24-11-ONPREM7 (dependent on RS version)

    BeyondTrust makes no mention of either of the vulnerabilities being exploited in the wild. However, it has said that all affected customers have been notified. The exact scale of the attacks, or the identities of the threat actors behind them, is not known at present.

    The Hacker News has reached out to the company for comment, and will update the piece if we hear back.
  • THEHACKERNEWS.COM
    Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools
    Dec 20, 2024 | Ravie Lakshmanan | Vulnerability / Cyber Attack

    A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect. The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

    Russian cybersecurity firm Kaspersky said the October 2024 attack targeted an unnamed company's Windows server that was exposed to the internet and had two open ports associated with FortiClient EMS.

    "The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN," it said in a Thursday analysis.

    Further analysis of the incident found that the threat actors took advantage of CVE-2023-48788 as an initial access vector, subsequently dropping a ScreenConnect executable to obtain remote access to the compromised host.

    "After the initial installation, the attackers began to upload additional payloads to the compromised system, to begin discovery and lateral movement activities, such as enumerating network resources, trying to obtain credentials, perform defense evasion techniques, and generating a further type of persistence via the AnyDesk remote control tool," Kaspersky said.

    Some of the other notable tools dropped over the course of the attack are listed below:

    - webbrowserpassview.exe, a password recovery tool that reveals passwords stored in Internet Explorer (versions 4.0 to 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera
    - Mimikatz
    - netpass64.exe, a password recovery tool
    - netscan.exe, a network scanner

    The threat actors behind the campaign are believed to have targeted various companies located across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. by making use of different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com).

    Kaspersky said it detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script hosted on a webhook[.]site domain in order to "collect responses from vulnerable targets" during a scan of a system susceptible to the flaw.

    The disclosure comes more than eight months after cybersecurity company Forescout uncovered a similar campaign that involved exploiting CVE-2023-48788 to deliver ScreenConnect and Metasploit Powerfun payloads.

    "The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity," the researchers said.
  • THEHACKERNEWS.COM
    Sophos Issues Hotfixes for Critical Firewall Flaws: Update to Prevent Exploitation
    Dec 20, 2024 | Ravie Lakshmanan | Firewall Security / Vulnerability

    Sophos has released hotfixes to address three security flaws in Sophos Firewall products that could be exploited to achieve remote code execution and allow privileged system access under certain conditions.

    Of the three, two are rated Critical in severity. There is currently no evidence that the shortcomings have been exploited in the wild. The list of vulnerabilities is as follows:

    - CVE-2024-12727 (CVSS score: 9.8) - A pre-auth SQL injection vulnerability in the email protection feature that could lead to remote code execution, if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
    - CVE-2024-12728 (CVSS score: 9.8) - A weak credentials vulnerability arising from a suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization that remains active even after the HA establishment process has completed, thereby exposing an account with privileged access if SSH is enabled.
    - CVE-2024-12729 (CVSS score: 8.8) - A post-auth code injection vulnerability in the User Portal that allows authenticated users to gain remote code execution.

    The security vendor said CVE-2024-12727 impacts about 0.05% of devices, whereas CVE-2024-12728 affects approximately 0.5% of them. All three identified vulnerabilities impact Sophos Firewall versions 21.0 GA (21.0.0) and older. They have been remediated in the following versions:

    - CVE-2024-12727 - v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
    - CVE-2024-12728 - v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
    - CVE-2024-12729 - v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)

    To ensure that the hotfixes have been applied, users are being recommended to follow the below-mentioned steps:

    - CVE-2024-12727 - Launch Device Management > Advanced Shell from the Sophos Firewall console, and run the command "cat /conf/nest_hotfix_status" (the hotfix is applied if the value is 320 or above)
    - CVE-2024-12728 and CVE-2024-12729 - Launch Device Console from the Sophos Firewall console, and run the command "system diagnostic show version-info" (the hotfix is applied if the value is HF120424.1 or later)

    As temporary workarounds until the patches can be applied, Sophos is urging customers to restrict SSH access to only the dedicated HA link that is physically separate, and/or reconfigure HA using a sufficiently long and random custom passphrase. Another security measure that users can take is to disable WAN access via SSH, as well as ensure that User Portal and Webadmin are not exposed to WAN.

    The development comes a little over a week after the U.S. government unsealed charges against a Chinese national named Guan Tianfeng for allegedly exploiting a zero-day security vulnerability (CVE-2020-12271, CVSS score: 9.8) to break into about 81,000 Sophos firewalls across the world.
  • THEHACKERNEWS.COM
    Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
    Dec 20, 2024 | Ravie Lakshmanan | Malware / Supply Chain Attack

    The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware.

    Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8.

    "They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts," software supply chain security firm Socket said in an analysis.

    Rspack is billed as an alternative to webpack, offering a "high performance JavaScript bundler written in Rust." Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others.

    The npm packages in question, @rspack/core and @rspack/cli, attract weekly downloads of over 300,000 and 145,000, respectively, indicative of their popularity.

    An analysis of the rogue versions of the two libraries has revealed that they incorporate code to make calls to a remote server ("80.78.28[.]72") in order to transmit sensitive configuration details such as cloud service credentials, while also collecting IP address and location details by making an HTTP GET request to "ipinfo[.]io/json."

    In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

    The end goal of the attacks is to trigger the download and execution of an XMRig cryptocurrency miner on compromised Linux hosts upon installation of the packages by means of a postinstall script specified in the "package.json" file.

    "The malware is executed via the postinstall script, which runs automatically when the package is installed," Socket said. "This ensures the malicious payload is executed without any user action, embedding itself into the target environment."

    Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities. An investigation into the root cause of the token theft is underway.

    "This attack highlights the need for package managers to adopt stricter safeguards to protect developers, like enforcing attestation checks, to prevent updating to unverified versions," Socket said. "But it's not totally bullet-proof."

    "As seen in the recent Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with attestation by compromising GitHub Actions through cache poisoning."
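One defensive check a practitioner can run after any `npm install` is to enumerate which installed packages declare install-time lifecycle hooks, since that hook is how the 1.1.7 releases ran their payload. The following is an added example written for this page, not code from Rspack, Socket or npm: it walks a node_modules tree and reports every package whose package.json carries a preinstall, install or postinstall script. The two-package tree it builds is constructed in a temporary directory, and the `postinstall` command string in it is a placeholder, not the real payload.

```python
"""Enumerate installed npm packages that declare install-time lifecycle hooks.

Added example for this page (not Rspack, Socket or npm code). The package tree
below is constructed in a temp dir; the postinstall command is a placeholder.
"""
import json
import os
import tempfile

# Hooks npm runs automatically while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_scripts(pkg: dict) -> dict:
    """Return {hook: command} for every install-time hook declared in a package.json dict."""
    scripts = pkg.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_node_modules(root: str) -> list:
    """Walk a node_modules tree and list packages that carry install hooks.

    Returns (name, version, {hook: command}) tuples sorted by package name.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        hooks = install_scripts(pkg)
        if hooks:
            findings.append((pkg.get("name", dirpath), pkg.get("version", "?"), hooks))
    return sorted(findings, key=lambda f: f[0])


def build_sample_tree() -> str:
    """Construct a two-package node_modules tree for the demonstration (constructed data)."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}},
        "@rspack/core": {
            "name": "@rspack/core",
            "version": "1.1.7",
            # Placeholder command, not the payload from the compromised release.
            "scripts": {"postinstall": "node ./support/postinstall.js"},
        },
    }
    for name, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return os.path.join(root, "node_modules")


if __name__ == "__main__":
    for name, version, hooks in audit_node_modules(build_sample_tree()):
        for hook, command in hooks.items():
            print(f"{name}@{version}: {hook} -> {command}")
```

Run it against a real tree with `audit_node_modules("node_modules")`. The complementary preventive control is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), which stops lifecycle hooks from running at all; packages that genuinely need a build step then fail loudly instead of executing silently.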
  • THEHACKERNEWS.COM
    Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits
    Dec 19, 2024 | Ravie Lakshmanan | Vulnerability / Network Security

    Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information.

    The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0.

    "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the company said in an alert released Wednesday.

    However, according to a description of the security flaw in NIST's National Vulnerability Database (NVD), the path traversal vulnerability could also be exploited by an attacker to "execute unauthorized code or commands via specially crafted web requests."

    The flaw impacts the following versions of the product:

    - FortiWLM versions 8.6.0 through 8.6.5 (Fixed in 8.6.6 or above)
    - FortiWLM versions 8.5.0 through 8.5.4 (Fixed in 8.5.5 or above)

    The company credited Horizon3.ai security researcher Zach Hanley for discovering and reporting the shortcoming. It's worth mentioning here that CVE-2023-34990 refers to the "unauthenticated limited file read vulnerability" Horizon3.ai revealed back in March as part of a broader set of six flaws in FortiWLM.

    "This vulnerability allows remote, unauthenticated attackers to access and abuse builtin functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint," Hanley said at the time. "This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system."

    A successful exploitation of CVE-2023-34990 could allow the threat actor to read FortiWLM log files and get hold of the session ID of a user and login, thereby allowing them to exploit authenticated endpoints as well.

    To make matters worse, the attackers could take advantage of the fact that the web session IDs are static between user sessions to hijack them and gain administrative permissions to the appliance.

    That's not all. An attacker could also combine CVE-2023-34990 with CVE-2023-48782 (CVSS score: 8.8), an authenticated command injection flaw that has also been fixed in FortiWLM 8.6.6, to obtain remote code execution in the context of root.

    Also patched by Fortinet is a high-severity operating system command injection vulnerability in FortiManager that may allow an authenticated remote attacker to execute unauthorized code via FGFM-crafted requests.

    The vulnerability (CVE-2024-48889, CVSS score: 7.2) has been addressed in the below versions:

    - FortiManager 7.6.0 (Fixed in 7.6.1 or above)
    - FortiManager versions 7.4.0 through 7.4.4 (Fixed in 7.4.5 or above)
    - FortiManager Cloud versions 7.4.1 through 7.4.4 (Fixed in 7.4.5 or above)
    - FortiManager versions 7.2.3 through 7.2.7 (Fixed in 7.2.8 or above)
    - FortiManager Cloud versions 7.2.1 through 7.2.7 (Fixed in 7.2.8 or above)
    - FortiManager versions 7.0.5 through 7.0.12 (Fixed in 7.0.13 or above)
    - FortiManager Cloud versions 7.0.1 through 7.0.12 (Fixed in 7.0.13 or above)
    - FortiManager versions 6.4.10 through 6.4.14 (Fixed in 6.4.15 or above)

    Fortinet also noted that a number of older models, 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E, are affected by CVE-2024-48889 provided the "fmg-status" is enabled.

    With Fortinet devices becoming an attack magnet for threat actors, it's essential that users keep their instances up-to-date to safeguard against potential threats.
  • THEHACKERNEWS.COM
    Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords
    Dec 19, 2024 | Ravie Lakshmanan | Malware / Botnet

    Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.

    The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.

    "These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network," it said. "The impacted systems were all using default passwords."

    Mirai, which had its source code leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks.

    To mitigate such threats, organizations are recommended to change their passwords with immediate effect to strong, unique ones (if not already), periodically audit access logs for signs of suspicious activity, use firewalls to block unauthorized access, and keep software up-to-date.

    Some of the indicators associated with Mirai attacks include unusual port scanning, frequent SSH login attempts indicating brute-force attacks, increased outbound traffic volume to unexpected IP addresses, random reboots, and connections from known malicious IP addresses.

    "If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device," the company said.

    The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly managed Linux servers, particularly publicly exposed SSH services, are being targeted by a previously undocumented DDoS malware family dubbed cShell.

    "cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks," ASEC said.
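The advisory's recommendation to audit access logs can be made concrete with a small detector for the "frequent SSH login attempts" indicator it lists. The following is an added example for this page, not Juniper's tooling: it parses syslog-style sshd lines, flags source addresses whose failed password logins reach a threshold inside a sliding time window, and separately lists successful password logins. The log lines are constructed (reserved TEST-NET addresses), and the threshold and window size are assumptions to tune per environment.

```python
"""Flag SSH brute-force sources and review password logins in sshd auth logs.

Added example for this page, not Juniper's tooling. The log lines below are
constructed (TEST-NET addresses); the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic syslog-style sshd lines: "Dec 11 09:00:01 host sshd[123]: Failed password for ..."
_PREFIX = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def _timestamp(text: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=10), year=2024) -> dict:
    """Return {ip: (max failures inside one window, distinct usernames tried)}
    for every source IP whose failed logins reach the threshold within the window."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((_timestamp(m["ts"], year), m["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len({user for _, user in events}))
    return flagged


def password_logins(lines) -> list:
    """Successful password (not key) logins, worth reviewing on devices that
    shipped with default credentials: a default password succeeds on the first
    try and never shows up as a brute-force burst."""
    return [(m["ip"], m["user"]) for m in map(ACCEPTED_RE.match, lines) if m]


SAMPLE_LOG = [  # constructed for the example
    "Dec 11 09:00:01 ssr1 sshd[2101]: Failed password for root from 203.0.113.45 port 51000 ssh2",
    "Dec 11 09:00:03 ssr1 sshd[2102]: Failed password for admin from 203.0.113.45 port 51001 ssh2",
    "Dec 11 09:00:04 ssr1 sshd[2103]: Failed password for invalid user support from 203.0.113.45 port 51002 ssh2",
    "Dec 11 09:00:06 ssr1 sshd[2104]: Failed password for root from 203.0.113.45 port 51003 ssh2",
    "Dec 11 09:00:07 ssr1 sshd[2105]: Failed password for admin from 203.0.113.45 port 51004 ssh2",
    "Dec 11 09:00:09 ssr1 sshd[2106]: Failed password for root from 203.0.113.45 port 51005 ssh2",
    "Dec 11 09:15:30 ssr1 sshd[2140]: Failed password for ops from 198.51.100.7 port 40222 ssh2",
    "Dec 11 09:16:02 ssr1 sshd[2141]: Accepted publickey for ops from 198.51.100.7 port 40223 ssh2",
    "Dec 11 09:20:11 ssr1 sshd[2150]: Accepted password for admin from 203.0.113.45 port 51010 ssh2",
]

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("password logins:", password_logins(SAMPLE_LOG))
```

The second function is the caveat the default-password scenario adds: an attacker who already knows the factory credential produces no failure burst at all, so the review list of successful password logins from unexpected addresses matters as much as the brute-force count, and the single failed login followed by a key-based success from 198.51.100.7 in the sample is the benign pattern to contrast it with.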
  • THEHACKERNEWS.COM
    Thousands Download Malicious npm Libraries Impersonating Legitimate Tools
    Dec 19, 2024 | Ravie Lakshmanan | Supply Chain / Software Security

    Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package registry.

    The counterfeit versions, named @typescript_eslinter/eslint and types-node, are engineered to download a trojan and retrieve second-stage payloads, respectively.

    "While typosquatting attacks are hardly new, the effort spent by nefarious actors on these two libraries to pass them off as legitimate is noteworthy," Sonatype's Ax Sharma said in an analysis published Wednesday. "Furthermore, the high download counts for packages like "types-node" are signs that point to both some developers possibly falling for these typosquats, and threat actors artificially inflating these counts to boost the trustworthiness of their malicious components."

    The npm listing for @typescript_eslinter/eslint, Sonatype's analysis revealed, points to a phony GitHub repository that was set up by an account named "typescript-eslinter," which was created on November 29, 2024. Present with this package is a file named "prettier.bat."

    Another package linked to the same npm/GitHub account is named @typescript_eslinter/prettier. It impersonates a well-known code formatter tool of the same name, but, in reality, is configured to install the fake @typescript_eslinter/eslint library.

    The malicious library contains code to drop "prettier.bat" into a temporary directory and add it to the Windows Startup folder so that it's automatically run every time the machine is rebooted.

    "Far from being a 'batch' file though, the "prettier.bat" file is actually a Windows executable (.exe) that has previously been flagged as a trojan and dropper on VirusTotal," Sharma said.

    On the other hand, the second package, types-node, incorporates code to reach out to a Pastebin URL and fetch scripts that are responsible for running a malicious executable that's deceptively named "npm.exe."

    "The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registry developers," Sharma said.

    The development comes as ReversingLabs identified several malicious extensions that were initially detected in the Visual Studio Code (VSCode) Marketplace in October 2024, a month after which one additional package emerged in the npm registry. The package attracted a total of 399 downloads.

    The list of rogue VSCode extensions, now removed from the store, is below:

    - EVM.Blockchain-Toolkit
    - VoiceMod.VoiceMod
    - ZoomVideoCommunications.Zoom
    - ZoomINC.Zoom-Workplace
    - Ethereum.SoliditySupport
    - ZoomWorkspace.Zoom
    - ethereumorg.Solidity-Language-for-Ethereum
    - VitalikButerin.Solidity-Ethereum
    - SolidityFoundation.Solidity-Ethereum
    - EthereumFoundation.Solidity-Language-for-Ethereum
    - SOLIDITY.Solidity-Language
    - GavinWood.SolidityLang
    - EthereumFoundation.Solidity-for-Ethereum-Language

    "The campaign started with targeting of the crypto community, but by the end of October, extensions published were mostly impersonating the Zoom application," ReversingLabs researcher Lucija Valenti said. "And each malicious extension published was more sophisticated than the last."

    All the extensions as well as the npm package have been found to include obfuscated JavaScript code, acting as a downloader for a second-stage payload from a remote server. The exact nature of the payload is currently not known.

    The findings once again emphasize the need for exercising caution when it comes to downloading tools and libraries from open-source systems and avoiding the introduction of malicious code as a dependency in a larger project.

    "The possibility of installing plugins and extending functionality of IDEs makes them very attractive targets for malicious actors," Valenti said. "VSCode extensions are often overlooked as a security risk when installing in an IDE, but the compromise of an IDE can be a landing point for further compromise of the development cycle in the enterprise."
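The two impostors named above are not simple one-letter typos: one swaps a scope and separators around the real name, the other drops the scope entirely. A review-time check therefore needs more than edit distance. The following is an added example for this page, not Sonatype's detector: it normalises separators and scopes so that `types-node` compares equal to `@types/node`, and additionally flags a candidate when every word of an allow-listed name reappears inside it, which is the `@typescript_eslinter/eslint` pattern. The allow-list and candidate names are constructed for the demonstration, with the two impostors taken from the article.

```python
"""Flag package names that look like near-misses of packages you actually depend on.

Added example for this page, not Sonatype's detector. The allow-list and the
candidate names are constructed; the two impostors are the ones the article names.
"""
import re

SEPARATORS = re.compile(r"[-_/.@]+")


def normalise(name: str) -> str:
    """Lower-case, drop the scope '@', and treat -, _, /, . as the same separator,
    so '@types/node' and 'types-node' compare equal."""
    return "-".join(part for part in SEPARATORS.split(name.lower()) if part)


def tokens(name: str) -> frozenset:
    """Words that make up a package name, e.g. '@typescript_eslinter/eslint' ->
    {'typescript', 'eslinter', 'eslint'}."""
    return frozenset(part for part in SEPARATORS.split(name.lower()) if part)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), single-row iterative version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_target(candidate: str, allow_list, max_dist: int = 2):
    """Return the allow-listed name a candidate most likely imitates, or None.

    Two signals: the normalised names are within max_dist edits, or every word of
    the legitimate name reappears inside the candidate (the
    '@typescript_eslinter/eslint' pattern). Exact allow-list members are never flagged.
    """
    if candidate in allow_list:
        return None
    cand_norm, cand_tokens = normalise(candidate), tokens(candidate)
    for legit in allow_list:
        if levenshtein(cand_norm, normalise(legit)) <= max_dist or tokens(legit) <= cand_tokens:
            return legit
    return None


def review_queue(candidates, allow_list) -> dict:
    """Map each flagged candidate to the allow-listed package it resembles."""
    queue = {}
    for name in candidates:
        target = impersonation_target(name, allow_list)
        if target:
            queue[name] = target
    return queue


# Constructed allow-list and candidate set for the demonstration.
ALLOW_LIST = ["typescript-eslint", "@types/node", "prettier", "lodash"]
CANDIDATES = ["@typescript_eslinter/eslint", "types-node", "@typescript_eslinter/prettier",
              "lodahs", "typescript-eslint", "express"]

if __name__ == "__main__":
    for name, target in review_queue(CANDIDATES, ALLOW_LIST).items():
        print(f"{name:32} looks like {target}")
```

The word-containment rule is deliberately greedy: a legitimate sibling such as a `foo-utils` of an allow-listed `foo` will also be flagged unless it is on the allow-list itself, so treat hits as review leads for a lockfile or pull-request check rather than as verdicts.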
  • THEHACKERNEWS.COM
    Not Your Old ActiveState: Introducing our End-to-End OS Platform
    Dec 18, 2024 | The Hacker News | Software Security / DevSecOps

    Having been at ActiveState for nearly eight years, I've seen many iterations of our product. However, one thing has stayed true over the years: Our commitment to the open source community and companies using open source in their code.

    ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the developer case, helping to get open source on platforms like Windows.

    Over time, our focus shifted from helping companies run open source to supporting enterprises managing open source when the community wasn't producing it in the way they needed it. We began managing builds at scale, and supporting enterprises in understanding what open source they're using and if it's compliant and safe.

    Managing open source at scale in a large organization can be complex. To help companies overcome this and bring structure to their open source DevSecOps practice, we're unveiling our end-to-end platform to help manage open source complexity.

    The current state of open source and supply chain security

    It's inevitable that with the soaring popularity of open source comes an influx of security issues. Open source adoption in modern software applications is significant. Over 90% of applications contain open source components. Open source is now at the core of how we produce software, and we've hit a point where it's the primary vector for bad actors to get access to nearly any piece of software.

    Attacks have been around forever, but there's been an increasing number of incidents in recent years. The pandemic surfaced new opportunities for bad actors. When people were using their own home networks and VPNs with less stringent security measures, it started to allow for more risk. Despite return to office efforts, many IT workers are still at home, so these opportunities still exist.

    Additionally, many enterprises don't have processes in place for how they choose and procure open source software, so devs blindly find and incorporate it. The challenge is companies then don't know where open source code is coming from, who built it, and with what intentions. This creates multiple opportunities for attacks to happen throughout the open source software supply chain process.

    Open source is an open ecosystem, which makes it vulnerable 'by design.' It needs to be as open as possible to not hinder authors from contributing, but there's a real challenge of keeping it secure throughout the entire development process.

    Risks don't just exist when you're importing. If your build service isn't secure when you start building, you can be at risk. Many of the most recent attacks we've seen are open source software supply chain attacks, not vulnerabilities. This requires a whole new approach to open source security.

    Reimagining the open source management process

    At ActiveState, it's our mission to bring rigor to the open source supply chain. Companies can get better visibility and control over their open source code across DevSecOps by focusing on a four-step management cycle.

    Step 1: Discovery

    Before you can even begin to remediate vulnerabilities, you need to know what you're using in your code. It's important to take inventory of all the open source that's running within your organization. An artifact of this effort could look like a dashboard.

    Step 2: Prioritization

    Once you have the dashboard, you can start analyzing for vulnerabilities and dependencies and prioritize which to focus on first. Understanding where the risks are in your codebase and triaging them will help you make informed decisions about next steps.

    Step 3: Upgrading and curating

    Now comes the remediation and change management phase. You'll want to establish governance and policies for managing open source across your org to keep everyone aligned across functions and teams. You should also closely manage what dependencies are used in both production and development environments to minimize risk.

    In our platform, we maintain a large immutable catalogue of open source software. We keep a consistent, reproducible record of around 50 million version components, and we are constantly adding to it. It helps our users make sure they can always get back to reproducible builds. It means you can curate the entire internet for open source while trusting it's secure.

    Step 4: Build and deploy

    The build and deploy phase involves incorporating secure and safe open source components into your code - because you're not really remedied and secure until the fixes are deployed.

    At ActiveState, we build and track everything. From when we ingest source code to when we build it into a secure cluster. We then give it to you in a variety of formats to be deployed depending on your needs. We're the only solution (that we know of) that truly helps companies remediate and deploy, completing the full lifecycle of ensuring software supply chain security.

    A new ActiveState: tackling open source security challenges head-on

    Through our work in open source over the past decade, we've discovered there's a gap between the passionate communities producing open source and the enterprises that want to use it in their software. We're now helping to close that gap, empowering the open source ecosystem while bringing security to organizations.

    The refreshed platform we've developed is focused on facilitating collaboration between various players across organizations, including developers, DevOps, and security. Our platform helps teams smoothly run a continuous cycle of managing open source.

    There are six key use cases we're focused on helping teams drive outcomes around.

    - Discoverability and observability: Gain complete insight into everything from open source usage to deployment locations.
    - Continuous open source integration: Keep your code up-to-date, avoid breaking changes, and eliminate risk.
    - Secure environment management: Make sure your dev, test, and production environments are consistent and reproducible.
    - Governance and policy management: Maintain a curated open source catalogue without slowing down development times.
    - Regulatory compliance: Automatically comply with government regulations and accelerate security reviews.
    - Beyond end-of-life support: Stay stable and secure even after systems reach end of life.

    If your team can use support for any of these use cases, our new platform can help. Explore the refreshed ActiveState platform with a Platform Enterprise Trial today.

    Note: This insightful article is brought to you by Pete Garcin, Senior Director of Product at ActiveState, sharing his expertise and unique perspective on the evolving challenges and solutions in open source management.

    This article is a contributed piece from one of our valued partners.
  • THEHACKERNEWS.COM
    Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected
    Dec 18, 2024 | Ravie Lakshmanan | Cyber Attack / Vulnerability

    Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution.

    The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS score: 9.8), which also came under active exploitation shortly after public disclosure.

    "An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution," according to the Apache advisory.

    In other words, successful exploitation of the flaw could allow a malicious actor to upload arbitrary payloads to susceptible instances, which could then be leveraged to run commands, exfiltrate data, or download additional payloads for follow-on exploitation.

    The vulnerability impacts the following versions, and has been patched in Struts 6.4.0 or greater:

    - Struts 2.0.0 - Struts 2.3.37 (End-of-Life)
    - Struts 2.5.0 - Struts 2.5.33
    - Struts 6.0.0 - Struts 6.3.0.2

    Dr. Johannes Ullrich, dean of research for SANS Technology Institute, said that an incomplete patch for CVE-2023-50164 may have led to the new problem, adding that exploitation attempts matching the publicly released proof-of-concept (PoC) have been detected in the wild.

    "At this point, the exploit attempts are attempting to enumerate vulnerable systems," Ullrich noted. "Next, the attacker attempts to find the uploaded script. So far, the scans originate only from 169.150.226[.]162."

    To mitigate the risk, users are recommended to upgrade to the latest version as soon as possible and rewrite their code to use the new Action File Upload mechanism and related interceptor.

    "Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows," Saeed Abbasi, product manager of Threat Research Unit at Qualys, said. "Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications."
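Both the Struts upload bug above and the FortiWLM log-read bug in the Fortinet item earlier on this page are the same defect seen from two directions: a client-controlled path fragment is joined to a server-side directory without checking where the result lands. The following is an added example for this page, not Fortinet's or Apache's patch, of the generic control: canonicalise the joined path and refuse anything that does not sit under the resolved base directory, for a read primitive (the log-file case) and for an upload destination (the file-upload case). The base directories are placeholders, and the single percent-decode mirrors the one decode a typical web server performs before handing the parameter to application code.

```python
"""Resolve a user-supplied file name against a fixed base directory and reject
anything that escapes it.

Added example for this page: not Fortinet's or Apache Struts' patch, just the
generic control both advisories describe as missing (CWE-23 relative path
traversal in FortiWLM's log reader; traversal through file-upload parameters in
Struts). Base directories below are placeholders.
"""
import os
import urllib.parse


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the permitted directory."""


def safe_join(base_dir: str, requested: str) -> str:
    """Return an absolute path inside base_dir, or raise PathTraversalError.

    Percent-decoding is applied once, mirroring the single decode a web server
    performs, so '..%2F' is judged as '../'. Absolute paths, NUL bytes and any
    result that does not sit under the resolved base are refused; the decision
    is made on the normalised result, not by grepping the input for '..'.
    """
    decoded = urllib.parse.unquote(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(decoded) or decoded.startswith(("\\", "/")):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"{requested!r} escapes {base_dir}")
    return candidate


def is_safe_path(base_dir: str, requested: str) -> bool:
    """Boolean form of safe_join for policy checks and tests."""
    try:
        safe_join(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def read_log(log_dir: str, name: str, max_bytes: int = 65536) -> bytes:
    """The 'read a named log file' primitive the FortiWLM bug exposed, with the check applied."""
    with open(safe_join(log_dir, name), "rb") as fh:
        return fh.read(max_bytes)


def upload_destination(upload_dir: str, client_filename: str) -> str:
    """Where an uploaded file may be written: the client-supplied name is reduced
    to its final path component first, so traversal in the upload parameter is inert."""
    leaf = os.path.basename(client_filename.replace("\\", "/"))
    if not leaf or leaf in (".", ".."):
        raise PathTraversalError(f"unusable upload name: {client_filename!r}")
    return safe_join(upload_dir, leaf)


if __name__ == "__main__":
    for req in ("app.log", "2024/app.log", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{req:28} -> {'allowed' if is_safe_path('/srv/logs', req) else 'rejected'}")
```

Two details carry the weight here: `os.path.realpath` resolves symlinks on the base as well as the candidate, so the comparison is between real locations, and the upload path discards everything but the leaf name before the check, so a traversal string in a multipart filename can at worst rename the file, never relocate it.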
  • THEHACKERNEWS.COM
    HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft
    Dec 18, 2024 | Ravie Lakshmanan | Email Security / Cloud Security

    Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure.

    The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe.

    "The campaign's phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service," security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News.

    The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.

    Unit 42 said it identified no less than 17 working Free Forms used to redirect victims to different threat actor-controlled domains. A significant chunk of those domains were hosted on the ".buzz" top-level domain (TLD).

    "The phishing campaign was hosted across various services, including Bulletproof VPS host," the company said. "[The threat actor] also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation."

    Upon gaining successful access to an account, the threat actor behind the campaign has been found to add a new device under their control to the account so as to establish persistence.

    "Threat actors directed the phishing campaign to target the victim's Microsoft Azure cloud infrastructure via credential harvesting attacks on the phishing victim's endpoint computer," Unit 42 said. "They then followed this activity with lateral movement operations to the cloud."

    The development comes as attackers have been spotted impersonating SharePoint in phishing emails that are designed to deliver an information stealer malware family called XLoader (a successor to Formbook).

    Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, as well as spoofing email security provider brands, such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.

    Those that exploit the trust associated with Google services involve sending emails including a calendar (.ICS) file with a link to Google Forms or Google Drawings. Users who click on the link are prompted to click on another one, which is typically disguised as a reCAPTCHA or support button. Once this link is clicked, the victims are forwarded to phony pages that perpetrate financial scams.

    Users are advised to enable the "known senders" setting in Google Calendar to protect against this kind of phishing attack.
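A mail gateway can treat calendar invites as link-bearing content in the same way it treats message bodies. The following is an added example for this page, not code from Unit 42 or Google: it unfolds an iCalendar (.ics) file's wrapped lines, a detail that hides URLs from naive line-by-line scanning, collects every URL per property, and reports the hosts that fall outside a trusted-domain list. The invite, the trusted-suffix list and the `.buzz.invalid` host are constructed placeholders (`.invalid` is a reserved TLD), chosen to echo the article's observation about ".buzz" hosting without naming a real domain.

```python
"""Pull every URL out of an iCalendar (.ics) attachment and flag untrusted hosts.

Added example for this page, not Unit 42's or Google's code. The invite, the
trusted-suffix list and the hosts below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def unfold(ics_text: str) -> list:
    """RFC 5545 folds long lines with CRLF followed by one space or tab; rejoin them."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if not raw:
            continue
        if raw[0] in (" ", "\t") and lines:
            lines[-1] += raw[1:]  # continuation of the previous logical line
        else:
            lines.append(raw)
    return lines


def extract_urls(ics_text: str) -> dict:
    """Return {PROPERTY: [urls]} for every property (DESCRIPTION, URL, ATTACH, ...)
    whose value contains a URL. Property parameters (';...') are stripped from the key."""
    found = {}
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        prop = line.split(":", 1)[0].split(";", 1)[0].upper()
        urls = URL_RE.findall(line)
        if urls:
            found.setdefault(prop, []).extend(urls)
    return found


def suspicious_hosts(ics_text: str, trusted_suffixes=("google.com",)) -> list:
    """Hosts of all URLs in the invite that are not under a trusted domain suffix
    (the default list is an assumption; tune it to the sender's legitimate services)."""
    hosts = set()
    for urls in extract_urls(ics_text).values():
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
                hosts.add(host)
    return sorted(hosts)


SAMPLE_ICS = (  # constructed invite; the DESCRIPTION line is folded mid-URL on purpose
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Document review\r\n"
    "DESCRIPTION:Your document is waiting. Review it at https://verify-docu\r\n"
    " ment.buzz.invalid/review?id=42 before Friday.\r\n"
    "URL:https://docs.google.com/forms/d/e/placeholder/viewform\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(extract_urls(SAMPLE_ICS))
    print("untrusted hosts:", suspicious_hosts(SAMPLE_ICS))
```

The folded DESCRIPTION in the sample is the edge case worth keeping: scanned line by line, the invite contains no complete URL at all, and only after unfolding does the `.buzz.invalid` host appear. The "known senders" Calendar setting the article recommends addresses the same invite from the user's side, by not auto-adding events from unknown senders in the first place.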
  • THEHACKERNEWS.COM
    5 Practical Techniques for Effective Cyber Threat Hunting
    Dec 17, 2024 | The Hacker News | Threat Hunting / Sandbox Analysis

    Addressing cyber threats before they have a chance to strike or inflict serious damage is by far the best security approach any company can embrace. Achieving this takes a lot of research and proactive threat hunting. The problem here is that it is easy to get stuck in endless arrays of data and end up with no relevant intel. To avoid this, use these five battle-tested techniques that are certain to improve your company's threat awareness and overall security.

    Finding threats targeting orgs in your region

    The most basic, yet high-impact way to learn about the current threat landscape for your company is to go and see what type of attacks other organizations in your region are experiencing. In most cases, threat actors attempt to target dozens of businesses at the same time as part of a single campaign. This makes it possible to catch the threat early and make correct adjustments in your organization.

    How it contributes to your security:

    - More targeted and effective defense strategy.
    - Accurate threat prioritization.
    - Resource optimization.

    How it works:

    While there are several ways to find out about the current threat landscape in your country, ANY.RUN provides one of the most comprehensive and user-friendly solutions for this. It runs a massive public database of analysis reports on the latest malware and phishing samples, which are uploaded to ANY.RUN's sandbox by over 500,000 security professionals worldwide. Extensive data from each sandbox session is extracted and can be searched through by users via ANY.RUN's Threat Intelligence (TI) Lookup. The service offers over 40 different parameters, from IP addresses and file hashes to registry keys and mutexes, helping you pinpoint threats using the smallest indicators with accuracy.

    Say we want to see what type of phishing threats are targeting organizations in Germany, while excluding URLs from the search (using the NOT operator), as we wish to focus on malicious files specifically. To do this, we can type the following query into TI Lookup:

    threatName:"phishing" AND submissionCountry:"de" NOT taskType:"url"

    [Image: You can explore each sandbox session shown by TI Lookup]

    In seconds, we get a list of public sandbox sessions which include phishing documents, emails, and other types of content submitted to ANY.RUN by users in Germany. You can observe each session closely, completely for free, to gain additional insights into the threats and collect invaluable intelligence.

    [Image: One of the sandbox sessions from the TI Lookup results, showing anal
ysis of a phishing email]

    As shown in the image above, we can view the entire attack in action along with all network and system activities recorded during the analysis.

    Get a 14-day FREE trial of TI Lookup to see how it can improve your organization's security.

    Checking suspicious system and network artifacts with TI tools

    On an average day, security departments at mid-size organizations get hundreds of alerts. Not all of them are properly followed through, which leaves a gap for attackers to exploit. Yet, simply adding one more layer of verifying all the suspicious artifacts with TI tools can potentially save organizations from considerable financial and reputational losses.

    How it contributes to your security:

    - Early detection of malicious activities.
    - Understanding of the tactics and techniques used by attackers.
    - Quick incident response to minimize impact.

    How it works:

    A common scenario for security departments is dealing with unusual IP connections. Since there are many instances of legitimate addresses generating alerts, it's easy for some employees to get complacent and let actual malicious ones slip off the hook.

    To eliminate such situations, employees can check all IP addresses in TI Lookup. Here is an example of a possible query:

    destinationIP:"78[.]110[.]166[.]82"

    [Image: TI Lookup provides additional info for every indicator, including domains, ports, and events]

    The service instantly notifies us about the malicious nature of this IP and supplies more context: the name of the threat (Agent Tesla) and sandbox sessions where this IP was recorded.

    Similarly, security professionals can check system events like the use of suspicious scripts. We can include more than one indicator at the same time, to see if any of them is linked to malicious activities. Consider this query:

    commandLine:"C:\\Users\\Public\\*.ps1" OR commandLine:"C:\\Users\\Public\\*.vbs"

    It is set up to look for two types of scripts: .ps1 and .vbs format scripts that are placed in the Public directory. Since we do not know the file names of these scripts, we can simply replace them with the * wildcard.

    [Image: Scripts matching the query]

    TI Lookup provides us with a list of matching scripts, found across numerous sandbox sessions.

    [Image: List of sandbox sessions featuring the requested scripts]

    Now, we can collect their names, see how they work as part of an attack, and take preventive measures based on the discovered intel.

    Exploring threats by specific TTPs

    While blocking known indicators of compromise (IOCs) is an important element of your security, they tend to change regularly. That is why a more sustainable approach is to rely on tactics, techniques, and procedures (TTPs) used by attackers to infect organizations in your industry. With TI tools, you can track threats that use TTPs of your interest, observe their behavior, and gather invaluable information on them to enhance your company's detection capabilities.

    How it contributes to your security:

    - Detailed insights into attacker methods.
    - Development of specific countermeasures.
    - Proactive defense against emerging threats.

    How it works:

    TI Lookup provides an actionable MITRE ATT&CK matrix, which includes dozens of TTPs, which are accompanied by sandbox sessions featuring malware and phishing threats using these techniques in action.

    [Image: TI Lookup offers an actionable MITRE ATT&CK matrix]

    It is free and available even to unregistered users. You can explore how attacks are carried out and find specific threats that employ particular TTPs.

    [Image: TI Lookup provides samples of threats for each TTP]

    The image above shows how the service provides information on T1562.001, a technique used by attackers to modify security tools and avoid detection. In the center, TI Lookup lists signatures related to this technique which describe specific malicious activities. On the right, you can explore reports on relevant threats.

    Tracking evolving threats

    Threats tend to change their infrastructure and evolve, as organizations adjust to their attacks. That is why it is vital to never lose track of the threats that once posed a risk to your company. This can be done by getting up-to-date information on the latest instances of this threat and its new indicators.

    How it contributes to your security:

    - Timely actions to mitigate emerging threats.
    - Enhanced situational awareness for security teams.
    - Better preparation for future attacks.

    How it works:

    TI Lookup allows you to subscribe to receive notifications about updates on specific threats, indicators of compromise, indicators of behavior, as well as combinations of different data points.

    [Image: To receive notifications, simply enter your query and click the subscribe button]

    This lets you stay aware of new variants and evolving threats, adapting your defenses as needed almost in real time.

    For instance, we can subscribe to a query to receive information on new domain names and other network activities related to the Lumma Stealer:

    threatName:"lumma" AND domainName:""

    [Image: TI Lookup notifies you about new results for each subscription]

    Soon, we'll see how new updates start appearing.

    [Image: TI Lookup showing new results]

    By clicking on the subscribed query, the new results will be displayed. In our case, we can observe new ports used in attacks involving Lumma.

    Enriching information from third-party reports

    Reports on the current threat landscape are an essential source of intelligence on attacks that may target your organization. Yet, the information they contain may be quite limited. You can build on the existing knowledge and do your own research to uncover additional details.

    How it contributes to your security:

    - Ensuring a more complete picture of the threat landscape.
    - Threat data validation.
    - More informed decision-making.

    How it works:

    Consider this recent attack targeting manufacturing companies with Lumma and Amadey malware. We can follow up on the findings outlined in the report to find more samples related to the campaign. To do this, we can combine two details: the name of the threat and a .dll file used by attackers:

    filePath:"dbghelp.dll" AND threatName:"lumma"

    [Image: Sandbox sessions matching the query]

    TI Lookup provides dozens of matching sandbox sessions, allowing you to significantly enrich the data provided in the original report and use it to inform your defenses against this attack.

    Improve and Speed up Threat Hunting in Your Organization with TI Lookup

    ANY.RUN's Threat Intelligence Lookup provides centralized access to the latest threat data from public malware and phishing samples. It helps organizations with:

    - Proactive Threat Identification: Search the database to proactively identify and update your defense based on the discovered intelligence.
    - Faster Research: Accelerate threat research by quickly connecting isolated IOCs to specific threats or known malware campaigns.
    - Real-Time Monitoring: Monitor evolving threats by receiving updates on new results related to your indicators of interest.
    - Incident Forensics: Enhance forensic analysis of security incidents by searching for contextual information on existing artifacts.
    - IOC Collection: Discover additional indicators by searching the database for relevant threat information.

    Get a 14-day free trial of TI Lookup to test all of its capabilities and see how it can contribute to your organization's security.

    This article is a contributed piece from one of our valued partners.
  • Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware
    Dec 17, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware

    A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++ malware families tracked as WmRAT and MiyaRAT.

    "The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News.

    The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also referred to as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali.

    Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT, ArtraDownloader, and ZxxZ, indicating a heavy Asian focus.

    Bitter has also been linked to cyber attacks that have led to the deployment of Android malware strains like PWNDROID2 and Dracarys, per reports from BlackBerry and Meta in 2019 and 2022, respectively.

    Earlier this March, cybersecurity company NSFOCUS revealed that an unnamed Chinese government agency was subjected to a spear-phishing attack by Bitter on February 1, 2024, that delivered a trojan capable of data theft and remote control.

    The latest attack chain documented by Proofpoint involved the threat actor using a lure about public infrastructure projects in Madagascar to entice prospective victims into launching the booby-trapped RAR archive attachment.

    Present within the RAR archive was a decoy file about a World Bank public initiative in Madagascar for infrastructure development, a Windows shortcut file masquerading as a PDF, and a hidden alternate data stream (ADS) file containing PowerShell code.

    ADS refers to a feature introduced in the New Technology File System (NTFS) used by Windows to attach additional data streams to a file and access them. It can be used to smuggle extra data into a file without affecting its size or appearance, thereby giving threat actors a way to conceal a malicious payload inside the file record of a harmless-looking file.

    Should the victim launch the LNK file, one of the data streams contains code to retrieve a decoy file hosted on the World Bank site, while the second ADS includes a Base64-encoded PowerShell script to open the lure document and set up a scheduled task responsible for fetching the final-stage payloads from the domain jacknwoods[.]com.

    Both WmRAT and MiyaRAT, as previously detailed by QiAnXin, come with standard remote access trojan (RAT) capabilities, allowing the malware to collect host information, upload or download files, take screenshots, get geolocation data, enumerate files and directories, and run arbitrary commands via cmd.exe or PowerShell.

    It's believed that the use of MiyaRAT is reserved for high-value targets, owing to the fact that it has been selectively deployed in only a handful of campaigns.

    "These campaigns are almost certainly intelligence collection efforts in support of a South Asian government's interests," Proofpoint said. "They persistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target organizations, for the purpose of gaining access to privileged information and intellectual property."
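    Because an alternate data stream does not change what Explorer shows for a file, a defender reviewing files that arrived by archive or download needs to ask NTFS directly which streams each file carries. The PowerShell function below is an added example, not code from the Proofpoint report or from this article; the function name Get-UnexpectedAds, its parameters and the scanned folder are assumptions. It walks a folder, lists every stream on every file, drops the default :$DATA stream and the Zone.Identifier (mark-of-the-web) stream that browsers and mail clients legitimately add, and shows the size and first line of whatever remains so a reviewer can tell script text from binary data.

```powershell
# Added example (not from the Proofpoint report or The Hacker News): enumerate
# alternate data streams under a folder so unexpected ones can be reviewed.
# Assumes Windows PowerShell 5.1 or later on an NTFS volume; $Path is hypothetical.
function Get-UnexpectedAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that are normal and can be ignored: the default data stream and
        # Zone.Identifier, the mark-of-the-web stream attached to downloaded files.
        [string[]] $Benign = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream (FileName, Stream, Length),
            # including the default :$DATA stream that holds the visible content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $Benign -notcontains $_.Stream } |
        ForEach-Object {
            # Read only the first line of the stream so a reviewer gets a preview
            # without executing or fully parsing the hidden content.
            $firstLine = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                -TotalCount 1 -ErrorAction SilentlyContinue
            $preview = if ($firstLine) {
                $firstLine.Substring(0, [Math]::Min(60, $firstLine.Length))
            } else { '' }

            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Bytes   = $_.Length
                Preview = $preview
            }
        }
}

# Usage: review every non-default stream under the current user's Downloads folder.
Get-UnexpectedAds -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

    A non-empty result is not proof of malice on its own: some applications store metadata in streams, so the preview column is there to let an analyst triage quickly. A stream whose first line looks like Base64 or PowerShell on a file that claims to be a document is the case this article describes and deserves a closer look.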
  • Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
    Dec 17, 2024 | Ravie Lakshmanan | Malware / Credential Theft

    A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate.

    "An attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said. "The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access."

    As recently documented by cybersecurity firm Rapid7, the attack involved bombarding a target's email inbox with "thousands of emails," after which the threat actors approached them via Microsoft Teams by masquerading as an employee of an external supplier.

    The attacker then went on to instruct the victim to install AnyDesk on their system, with the remote access subsequently abused to deliver multiple payloads, including a credential stealer and the DarkGate malware.

    Actively used in the wild since 2018, DarkGate is a remote access trojan (RAT) that has since evolved into a malware-as-a-service (MaaS) offering with a tightly controlled number of customers. Among its varied capabilities are credential theft, keylogging, screen capturing, audio recording, and remote desktop.

    An analysis of various DarkGate campaigns over the past year shows that it's known to be distributed via two different attack chains that employ AutoIt and AutoHotKey scripts. In the incident examined by Trend Micro, the malware was deployed via an AutoIt script.

    Although the attack was blocked before any data exfiltration activities could take place, the findings are a sign of how threat actors are using a diverse set of initial access routes for malware propagation.

    Organizations are recommended to enable multi-factor authentication (MFA), allowlist approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the vishing risk.

    The development comes amid a surge in different phishing campaigns that have leveraged various lures and tricks to dupe victims into parting with their data:
      • A large-scale YouTube-oriented campaign in which bad actors impersonate popular brands and approach content creators via email for potential promotions, partnership proposals, and marketing collaborations, and urge them to click on a link to sign an agreement, ultimately leading to the deployment of Lumma Stealer. The email addresses of YouTube channels are extracted by means of a parser.
      • A quishing campaign that makes use of phishing emails bearing a PDF attachment containing a QR code, which, when scanned, directs users to a fake Microsoft 365 login page for credential harvesting.
      • Phishing attacks that take advantage of the trust associated with Cloudflare Pages and Workers to set up fake sites that mimic Microsoft 365 login pages and bogus CAPTCHA verification checks to supposedly review or download a document.
      • Phishing attacks that use HTML email attachments disguised as legitimate documents like invoices or HR policies but containing embedded JavaScript code to execute malicious actions such as redirecting users to phishing sites, harvesting credentials, and deceiving users into running arbitrary commands under the pretext of fixing an error (i.e., ClickFix).
      • Email phishing campaigns that leverage trusted platforms like Docusign, Adobe InDesign, and Google Accelerated Mobile Pages (AMP) to get users to click on malicious links that are designed to harvest their credentials.
      • Phishing attempts that claim to be from Okta's support team in a bid to gain access to users' credentials and breach the organization's systems.
      • Phishing messages targeting Indian users that are distributed via WhatsApp and instruct the recipients to install a malicious bank or utility app for Android devices that is capable of stealing financial information.

    Threat actors are also known to swiftly capitalize on global events to their advantage by incorporating them into their phishing campaigns, often preying on urgency and emotional reactions to manipulate victims and persuade them to take unintended actions. These efforts are also complemented by domain registrations with event-specific keywords.

    "High-profile global events, including sporting championships and product launches, attract cybercriminals seeking to exploit public interest," Palo Alto Networks Unit 42 said. "These criminals register deceptive domains mimicking official websites to sell counterfeit merchandise and offer fraudulent services." "By monitoring key metrics like domain registrations, textual patterns, DNS anomalies and change request trends, security teams can identify and mitigate threats early."
  • Even Great Companies Get Breached: Find Out Why and How to Stop It
    Even the best companies with the most advanced tools can still get hacked. It's a frustrating reality: you've invested in the right solutions, trained your team, and strengthened your defenses. But breaches still happen.

    So, what's going wrong? The truth is that attackers are constantly finding new ways to slip through cracks that often go unnoticed, even in well-prepared organizations. The good news? These cracks can be found and fixed, if you know where to look.

    Join John Paul Cunningham, CISO at Silverfort, for a must-attend webinar that uncovers why breaches still happen and how to close the gaps in your security. John Paul will break down complex ideas into clear, actionable steps to help you protect your company.

    This webinar isn't about more tools; it's about seeing the risks you've missed and learning practical ways to address them before attackers take advantage.

    What You'll Learn:
    In this webinar, you'll discover:
      • Why breaches still happen: How attackers bypass even strong security measures.
      • What you might be missing: Hidden vulnerabilities that often go unnoticed.
      • How to fix blind spots: Simple ways to find and address overlooked risks.
      • Aligning security with business goals: How to get leadership buy-in and make security a priority.

    Why You Should Attend
    If you're a cybersecurity professional, a leader, or anyone concerned about protecting your organization, this session will help you:
      • Understand where modern attacks are coming from.
      • Spot common gaps in your defenses and address them.
      • Get clear, actionable steps to improve security right away.

    Don't wait until a breach exposes what you missed. Join us for this free, insightful session to strengthen your defenses.

    Register Now: It's Free!

    This article is a contributed piece from one of our valued partners.
  • Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks
    A new phishing campaign has been observed employing tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan.

    Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely starts with a phishing email link or attachment, although it said it couldn't obtain the original email used to launch the attack.

    "One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads," security researchers Den Iuzvyk and Tim Peck said.

    It's worth noting that the abuse of specially crafted management saved console (MSC) files to execute malicious code has been codenamed GrimResource by Elastic Security Labs.

    The starting point is a file with double extensions (.pdf.msc) that masquerades as a PDF file (if the setting to display file extensions is disabled) and is designed to execute embedded JavaScript code when launched using the Microsoft Management Console (MMC).

    This code, in turn, is responsible for retrieving and displaying a decoy file, while also covertly loading a DLL file ("DismCore.dll") in the background. One such document used in the campaign is named "Tax Reductions, Rebates and Credits 2024," which is a legitimate document associated with Pakistan's Federal Board of Revenue (FBR).

    "In addition to delivering the payload from an embedded and obfuscated string, the .MSC file is able to execute additional code by reaching out to a remote HTML file which also accomplishes the same goal," the researchers said, adding that persistence is established using scheduled tasks.

    The main payload is a backdoor capable of setting up contact with a remote server and executing commands sent by it to exfiltrate data from compromised systems. Securonix said the attack was disrupted 24 hours after initial infection.

    It's currently not clear who is behind the malware campaign, although the threat actor known as Patchwork has been previously observed using a similar tax-related document from FBR in early December 2023.

    "From the highly obfuscated JavaScript used in the initial stages to the deeply concealed malware code within the DLL, the entire attack chain exemplifies the complexities of detecting and analyzing contemporary malicious code," the researchers said.

    "Another notable aspect of this campaign is the exploitation of MSC files as a potential evolution of the classic LNK file which has been popular with threat actors over the past few years. Like LNK files, they also allow for the execution of malicious code while blending into legitimate Windows administrative workflows."
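    The disguise described above depends on two things coming together: a final .msc extension behind a document-style one, and Explorer's default of hiding known extensions, which turns "report.pdf.msc" into "report.pdf" on screen. The PowerShell function below is an added example, not code from the Securonix write-up or from this article; the function name Test-DoubleExtensionMsc, its parameters and the folder it scans are assumptions. It reads the HideFileExt value that controls that Explorer setting and lists any files under a folder whose name follows the double-extension pattern, so an administrator can check both conditions on an endpoint.

```powershell
# Added example (not from the Securonix write-up or The Hacker News): report whether
# Explorer would mask a double extension and list .msc files that carry one.
# Assumes Windows PowerShell 5.1 or later; $Path is a hypothetical folder to scan.
function Test-DoubleExtensionMsc {
    param([Parameter(Mandatory)] [string] $Path)

    # Explorer's "Hide extensions for known file types" option. HideFileExt = 1 is
    # the Windows default and suppresses the final extension; 0 shows it. A missing
    # value means the default applies, so it is treated as hidden.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -Path $advanced -Name HideFileExt `
        -ErrorAction SilentlyContinue).HideFileExt
    $hidden = if ($null -eq $value) { $true } else { $value -eq 1 }

    # Files whose final extension is .msc (opened by the Microsoft Management Console)
    # but which carry a document-looking extension in front of it, e.g. ".pdf.msc".
    $suspects = @(Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.(pdf|docx?|xlsx?|pptx?|txt)\.msc$' } |
        Select-Object -ExpandProperty FullName)

    [pscustomobject]@{
        ExtensionsHidden        = $hidden          # $true: ".pdf.msc" displays as ".pdf"
        DoubleExtensionMscFiles = $suspects
        Count                   = $suspects.Count
    }
}

# Usage: check the current user's Downloads folder and print the findings.
Test-DoubleExtensionMsc -Path "$env:USERPROFILE\Downloads" | Format-List
```

    The regular expression only covers a handful of document extensions; extend it to whatever file types users in your environment are used to receiving. A hit means the file is worth examining as an MSC document (it is XML and can be opened in a text editor) rather than launched, and a result of ExtensionsHidden = $true is the configuration that makes the lure convincing in the first place.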
  • NoviSpy Spyware Installed on Journalist's Phone After Unlocking It With Cellebrite Tool
    A Serbian journalist had his phone first unlocked by a Cellebrite tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, according to a new report published by Amnesty International.

    "NoviSpy allows for capturing sensitive personal data from a target's phone after infection and provides the ability to turn on the phone's microphone or camera remotely," the organization said in an 87-page technical report.

    An analysis of forensic evidence points to the spyware installation occurring when the phone belonging to independent journalist Slaviša Milanov was in the hands of the Serbian police during his detention in early 2024.

    Some of the other targets included youth activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based organization promoting dialogue and reconciliation in the Western Balkans.

    The development marks one of the first known instances where two disparate, highly invasive technologies were used in combination to facilitate snooping and the exfiltration of sensitive data.

    NoviSpy, in particular, is engineered to harvest various kinds of information from compromised phones, including screenshots of all actions on the phone, targets' locations, audio and microphone recordings, files, and photos. It's installed using the Android Debug Bridge (adb) command-line utility and manifests in the form of two applications:
      • NoviSpyAdmin (com.serv.services), which requests extensive permissions to collect call logs, SMS messages, and contact lists, and to record audio through the microphone
      • NoviSpyAccess (com.accesibilityservice), which abuses Android's accessibility services to stealthily collect screenshots from email accounts and messaging apps like Signal and WhatsApp, exfiltrate files, track location, and activate the camera

    Exactly who developed NoviSpy is currently not known, although Amnesty told 404 Media that it could have either been built in-house by Serbian authorities or acquired from a third party. Development of the spyware is said to have been ongoing since at least 2018.

    "Together, these tools provide the state with an enormous capability to gather data both covertly, as in the case of spyware, and overtly, through the unlawful and illegitimate use of Cellebrite mobile phone extraction technology," Amnesty International noted.

    The non-governmental organization further noted that the Serbian Security Information Agency (BIA) has been publicly linked to the procurement of spyware tools since at least 2014, using various offerings such as FinFisher's FinSpy, Intellexa's Predator, and NSO Group's Pegasus to covertly spy on protest organizers, journalists, and civil society leaders.

    In a statement shared with the Associated Press, Serbia's police characterized the report as "absolutely incorrect" and said that "the forensic tool is used in the same way by other police forces around the world."

    Responding to the findings, Israeli company Cellebrite said it's investigating the claims of misuse of its tools and that it would take appropriate measures, including terminating its relationship with relevant agencies, if they are found to be in violation of its end-user agreement.

    In tandem, the research also uncovered a zero-day privilege escalation exploit used by Cellebrite's universal forensic extraction device (UFED), a software/system that allows law enforcement agencies to unlock and gain access to data stored on mobile phones, to gain elevated access to a Serbian activist's device.

    The vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), is a use-after-free bug in Qualcomm's Digital Signal Processor (DSP) Service (adsprpc) that could lead to "memory corruption while maintaining memory maps of HLOS memory." It was patched by the chipmaker in October 2024.

    Google, which initiated a "broader code review process" following the receipt of kernel panic logs generated by the in-the-wild (ITW) exploit earlier this year, said it discovered a total of six vulnerabilities in the adsprpc driver, including CVE-2024-43047.

    "Chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users," Seth Jenkins of Google Project Zero said. "A system's cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024."

    The development comes as the European arm of the Center for Democracy and Technology (CDT), alongside other civil society organizations such as Access Now and Amnesty International, sent a letter to the Polish Presidency of the Council of the European Union, calling for prioritizing action against abuse of commercial surveillance tools.

    It also follows a recent report from Lookout about how law enforcement authorities in Mainland China are using a lawful intercept tool codenamed EagleMsgSpy to gather a wide range of information from mobile devices after having gained physical access to them.

    Earlier this month, the Citizen Lab further revealed that the Russian government detained a man for donating money to Ukraine and implanted spyware, a trojanized version of a call recorder app, on his Android phone before releasing him.
  • DeceptionAds Delivers 1M+ Daily Impressions via 3,000 Sites, Fake CAPTCHA Pages
    Dec 16, 2024 | Ravie Lakshmanan | Malvertising / Threat Intelligence

    Cybersecurity researchers have shed light on a previously undocumented aspect associated with ClickFix-style attacks that hinge on taking advantage of a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds.

    "Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising, delivering over 1 million daily 'ad impressions' [in the last ten days] and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic," Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News.

    The campaigns, as documented by several cybersecurity companies in recent months, involve directing visitors of pirated movie sites and others to bogus CAPTCHA verification pages that instruct them to copy and execute a Base64-encoded PowerShell command, ultimately leading to the deployment of information stealers like Lumma.

    The attacks are no longer confined to a single actor, with Proofpoint recently stating that multiple "unattributed" threat clusters have embraced the clever social engineering approach to deliver remote access trojans, stealers, and even post-exploitation frameworks such as Brute Ratel C4.

    Guardio Labs said it was able to trace the origins of the campaign to Monetag, a platform that claims to offer several ad formats to "monetize websites, social traffic, Telegram Mini Apps," with threat actors also leveraging services like BeMob ad-tracking to cloak their malicious intent. Monetag is also tracked by Infoblox under the names Vane Viper and Omnatuor.

    The campaign effectively boils down to this: website owners (i.e., threat actors) register with Monetag, after which traffic is redirected to a Traffic Distribution System (TDS) operated by the malvertising ad network, ultimately taking visitors to the CAPTCHA verification page.

    "By supplying a benign BeMob URL to Monetag's ad management system instead of the direct fake captcha page, the attackers leveraged BeMob's reputation, complicating Monetag's content moderation efforts," Tal explained. "This BeMob TDS finally redirects to the malicious CAPTCHA page, hosted on services like Oracle Cloud, Scaleway, Bunny CDN, EXOScale, and even Cloudflare's R2."

    Following responsible disclosure, Monetag has removed over 200 accounts linked to the threat actor. BeMob, in a similar effort, removed the accounts that were used for cloaking. That said, there are signs that the campaign has resumed as of December 5, 2024.

    The findings once again highlight the need for content moderation and robust account validation to prevent fake registrations.

    "From deceptive publisher sites offering pirated or clickbait content to complex redirect chains and cloaking techniques, this campaign underscores how ad networks, designed for legitimate purposes, can be weaponized for malicious activities," Tal said. "The result is a fragmented chain of responsibilities, with ad networks, publishers, ad statistics services, and hosting providers each playing a role yet often avoiding accountability."
  • New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP
    Dec 16, 2024 | Ravie Lakshmanan | Malware / Cybercrime

    Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa.

    QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).

    "Interestingly, our investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market," the company said. "By poisoning operations, they aimed to turn the tools of cybercriminals against them, a classic 'no honor among thieves' scenario."

    Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares "near-complete similarity" with a known Winnti tool known as PWNLNX.

    Despite the links to Winnti, XLab said it cannot definitively link the backdoor to the adversary owing to the lack of stealth techniques typically associated with the group. The cybersecurity company described the shortcomings as "uncharacteristically subpar." This includes the lack of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) for downloading the payloads, and the fact that the samples are devoid of any obfuscation.

    At its heart, Glutton is a modular malware framework capable of infecting PHP files on target devices, as well as planting backdoors. It's believed that initial access is achieved via the exploitation of zero-day and N-day flaws and brute-force attacks.

    Another unconventional approach involves advertising on cybercrime forums compromised enterprise hosts containing l0ader_shell, a backdoor injected into PHP files, effectively allowing the operators to mount attacks on other cybercriminals.

    The primary module that enables the attack is "task_loader," which is used to assess the execution environment and fetch additional components, including "init_task," which is responsible for downloading an ELF-based backdoor that masquerades as the FastCGI Process Manager ("/lib/php-fpm"), infecting PHP files with malicious code for further payload execution, and collecting sensitive information and modifying system files.

    The attack chain also includes a module named "client_loader," a refactored version of "init_task," that makes use of an updated network infrastructure and incorporates the ability to download and execute a backdoored client. It modifies system files like "/etc/init.d/network" to establish persistence.

    The PHP backdoor is fully featured and supports 22 unique commands that allow it to switch C2 connections between TCP and UDP, launch a shell, download/upload files, perform file and directory operations, and run arbitrary PHP code. In addition, the framework makes it possible to fetch and run more PHP payloads by periodically polling the C2 server.

    "These payloads are highly modular, capable of functioning independently or being executed sequentially via task_loader to form a comprehensive attack framework," XLab said. "All code execution occurs within PHP or PHP-FPM (FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint."

    One other notable aspect is the use of the HackBrowserData tool on systems used by cybercrime operators to steal sensitive information, with a likely goal to inform future phishing or social engineering campaigns.

    "In addition to targeting traditional 'whitehat' victims through cybercrime, Glutton demonstrates a strategic focus on exploiting cybercrime resources operators," XLab said. "This creates a recursive attack chain, leveraging the attackers' own activities against them."

    The disclosure comes weeks after XLab detailed an updated version of the APT41 malware called Mélofée that adds improved persistence mechanisms and "embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections."

    Once installed, the Linux backdoor is equipped to communicate with a C2 server to receive and execute various commands, including collecting device and process information, launching a shell, managing processes, carrying out file and directory operations, and uninstalling itself.

    "Mélofée offers straightforward functionality with highly effective stealth capabilities," it said. "Samples of this malware family are rare, suggesting that attackers may limit its use to high-value targets."
  • New Investment Scam Leverages AI, Social Media Ads to Target Victims Worldwide
    Dec 16, 2024 | Ravie Lakshmanan | Cryptocurrency / Phishing Attack

    Cybersecurity researchers are calling attention to a new kind of investment scam that leverages a combination of social media malvertising, company-branded posts, and artificial intelligence (AI) powered video testimonials featuring famous personalities, ultimately leading to financial and data loss.

    "The main goal of the fraudsters is to lead victims to phishing websites and forms that harvest their personal information," ESET noted in its H2 2024 Threat Report shared with The Hacker News.

    The Slovak cybersecurity company is tracking the threat under the name Nomani, a play on the phrase "no money." It said the scam grew by over 335% between H1 and H2 2024, with more than 100 new URLs detected daily on average between May and November 2024.

    The attacks play out through fraudulent ads on social media platforms, in several cases targeting people who have previously been scammed by making use of Europol- and INTERPOL-related lures about contacting them for help or getting their stolen money refunded by clicking on a link.

    These ads are published from a mix of fake and stolen legitimate profiles associated with small businesses, governmental entities, and micro-influencers with tens of thousands of followers. Other distribution channels include sharing these posts on Messenger and Threads, as well as sharing deceptively positive reviews on Google.

    "Another large group of accounts frequently spreading Nomani ads are newly created profiles with easy-to-forget names, a handful of followers, and very few posts," ESET pointed out.

    The websites these links direct to have been found to request visitors' contact information and visually imitate local news media; abuse logos and branding of specific organizations; or claim to advertise cryptocurrency management solutions with ever-changing names such as Quantum Bumex, Immediate Mator, or Bitcoin Trader.

    In the next step, cybercriminals use the data gathered from the phishing domains to directly call the victims and manipulate them into investing their money into non-existent investment products that falsely show phenomenal gains. In some cases, victims are duped into taking out loans or installing remote access apps on their devices.

    "When these victim 'investors' request payout of the promised profits, the scammers force them to pay additional fees and to provide further personal information such as ID and credit card information," ESET said. "In the end, the fraudsters take both the money and data and disappear following the typical pig butchering scam."

    There is evidence to suggest that Nomani is the work of Russian-speaking threat actors, given the presence of source code comments in Cyrillic and the use of Yandex tools for visitor tracking.

    Similar to major scam operations like Telekopye, it's suspected that there are different groups who are in charge of managing each and every aspect of the attack chain: theft, creation, and abuse of Meta accounts and ads, building the phishing infrastructure, and running the call centers.

    "By using social engineering techniques and building trust with the victims, scammers often outmaneuver even the authorization mechanisms and verification phone calls the banks use to prevent fraud," ESET said.

    The development comes as South Korean law enforcement agencies said they took down a large-scale fraud network that defrauded nearly $6.3 million from victims with fake online trading platforms as part of an operation called MIDAS. More than 20 servers utilized by the fraud ring have been seized and 32 people involved in the scheme have been arrested.

    Besides luring victims with SMS and phone calls, users of the illicit home trading system (HTS) programs were enticed into investing their funds by watching YouTube videos and joining KakaoTalk chat rooms.

    "The program communicates with the servers of real brokerage firms to get real-time stock price information, and uses publicly available chart libraries to create visual representations," the Financial Security Institute (K-FSI) said in a presentation given at the Black Hat Europe conference last week. "However, no actual stock trades are made. Rather, the program's core feature, a screen capture function, is used to spy on users' screens, collect unauthorized information, and refuse to return money."
  • How to Generate a CrowdStrike RFM Report With AI in Tines
    Run by the team at orchestration, AI, and automation platform Tines, the Tines library contains pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform. Their bi-annual "You Did What with Tines?!" competition highlights some of the most interesting workflows submitted by their users, many of which demonstrate practical applications of large language models (LLMs) to address complex challenges in security operations.

    One recent winner is a workflow designed to automate CrowdStrike RFM reporting. Developed by Tom Power, a security analyst at The University of British Columbia, it uses orchestration, AI and automation to reduce the time spent on manual reporting.

    Here, we'll share an overview of the workflow, plus a step-by-step guide for getting it up and running.

    The problem - time-consuming reporting

    The workflow's builder, Tom Power, explains, "The CrowdStrike Falcon sensor goes into Reduced Functionality Mode (RFM), usually because the operating system (OS) or kernel version is too old or too new for the sensor to support in kernel mode. Every week, SecOps would log into the Falcon console, and filter the host management console for endpoints in RFM for the last week. We would generate the report and download it."

    This process provided critical data for identifying kernel updates causing RFM, particularly for Linux endpoints. However, it required the team to manually check whether CrowdStrike had released a new sensor version compatible with the latest kernel updates.

    "The entire process took about 30 minutes each week," Tom adds. "Over the course of a year, that added up to more than 25 hours of time we could have spent on other cybersecurity priorities."

    The solution - automated RFM reporting with AI

    Tom's workflow automates the tracking and reporting of Falcon Sensor RFM across hosts. By leveraging Tines' AI-driven Automatic Mode, it generates custom code to streamline report creation. The workflow not only produces regular, consistent reports but also enables management to monitor trends in RFM occurrences, supporting proactive system health management and faster decision-making.

    The automated workflow eliminates the need for manual reporting by allowing analysts to submit requests via a simple web form. Within minutes, the workflow retrieves data, processes it, and delivers an actionable email report, complete with detailed insights and a CSV attachment.

    Example output:

    Here's a sample of the auto-generated email and report received by the team:

    Here are some of the key benefits of using this workflow:
    • Frees analysts to focus on high-priority cybersecurity tasks.
    • Reduces manual effort and the potential for human error.
    • Delivers consistent, reliable reports for improved productivity.
    • Enhances decision-making by providing real-time insights.
    • Boosts morale by removing a tedious and repetitive task.

    Workflow overview

    Tools used:
    • Tines - a workflow orchestration, AI and automation platform that's popular with security teams. It's possible to use the free Community Edition of Tines to build and run this workflow if you don't have a paid account. AI must be enabled on your tenant.
    • CrowdStrike - endpoint detection and response (EDR) platform. This workflow integrates with CrowdStrike Falcon's API to retrieve data about endpoints in Reduced Functionality Mode (RFM). While Falcon provides robust endpoint visibility, it lacks native automation for recurring RFM reports.

    The workflow is initiated when a web form is submitted, triggering the process to generate CrowdStrike RFM reports.

    The first action retrieves a list of device IDs from CrowdStrike Falcon's API. If the list is larger than what CrowdStrike returns in the first batch, multiple calls are made to paginate through the full list.

    Once all the device details are retrieved, the workflow consolidates them into a single resource. This resource acts as the foundation for analysis, where the number of Linux, Windows, and Mac hosts is calculated and appended to the data.

    Using the consolidated resource, the workflow generates an HTML summary table to present the data in a structured format. This table is then converted into a CSV file, making it suitable for reporting purposes.

    The CSV report is emailed to stakeholders for review. To maintain efficiency and data hygiene, the workflow purges the temporary resource after the email is sent, ensuring it is ready for the next cycle.

    By automating these steps, the workflow eliminates manual effort, reduces the risk of errors, and provides consistent, up-to-date reporting on devices in reduced functionality mode across the environment.

    Configuring the workflow - step-by-step guide
    • Log into Tines or create a new account.
    • Ensure AI is enabled on your tenant. For this, you need to be the tenant owner. Select the account settings drop-down in the top left of your screen, and check the box to turn AI on.
    • Create your CrowdStrike credential. From the credentials page, select New credential, scroll down to the CrowdStrike credential and complete the required fields.
    • Navigate to the pre-built workflow in the library.
    • Select import. This should take you straight to your new pre-built workflow.
    • Configure your actions. For example, you may like to edit the layout of the Tines page that kicks off the workflow.
    • Test the workflow. Submit an image via the form to test your workflow.
    • Publish your workflow and share the Page URL with your desired users.

    Building in other automation platforms

    You could use another no-code automation platform to build a similar service, although it's worth noting that some of the features in this workflow are unique to Tines:
    • Pages: This workflow is kicked off by a submission to a form on a web page. This is built using Tines' Pages feature. Alternative: Use a scheduled trigger to kick off the workflow.
    • Event Transform in Automatic Mode: This feature uses build-time AI to compose Python code based on the guidance and the input the builder provides. Once you save your changes, the code is locked in place. This means that when the action runs, only the code executes, and no AI is involved. Alternative: Write Python code manually to transform your data.

    If you'd like to explore AI in Tines for yourself or test out this workflow, you can sign up for a free account including AI functionality.

    This article is a contributed piece from one of our valued partners.
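The paginate, consolidate and CSV steps described above, written as plain Python of the kind the "write Python code manually" alternative calls for. This is an added example, not the Tines workflow's generated code; the Falcon response shape (`resources` plus `meta.pagination`) and field names such as `platform_name`, `kernel_version` and `reduced_functionality_mode` are assumptions, and the device records are constructed stand-ins for the API.

```python
import csv
import io
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Constructed stand-in for the Falcon host APIs (assumed shape, not from the page).
# A real run would replace constructed_query_page with the device ID query filtered
# on RFM hosts, and constructed_fetch_details with the device details lookup.
CONSTRUCTED_DEVICES: Dict[str, dict] = {
    "aid-0001": {"hostname": "lnx-web-01", "platform_name": "Linux",
                 "os_version": "Ubuntu 22.04", "kernel_version": "6.8.0-49-generic",
                 "agent_version": "7.16.0", "reduced_functionality_mode": "yes"},
    "aid-0002": {"hostname": "lnx-db-02", "platform_name": "Linux",
                 "os_version": "RHEL 9.4", "kernel_version": "5.14.0-427.el9",
                 "agent_version": "7.16.0", "reduced_functionality_mode": "yes"},
    "aid-0003": {"hostname": "win-fs-01", "platform_name": "Windows",
                 "os_version": "Windows Server 2022", "kernel_version": "",
                 "agent_version": "7.15.0", "reduced_functionality_mode": "yes"},
    "aid-0004": {"hostname": "mac-dev-01", "platform_name": "Mac",
                 "os_version": "macOS 15.1", "kernel_version": "24.1.0",
                 "agent_version": "7.16.0", "reduced_functionality_mode": "yes"},
    "aid-0005": {"hostname": "lnx-ci-03", "platform_name": "Linux",
                 "os_version": "Debian 12", "kernel_version": "6.1.0-27-amd64",
                 "agent_version": "7.16.0", "reduced_functionality_mode": "yes"},
}


def constructed_query_page(offset: int, limit: int) -> dict:
    """Mimic one page of the device ID query: a resources list plus pagination metadata."""
    ids = sorted(CONSTRUCTED_DEVICES)
    return {
        "meta": {"pagination": {"offset": offset, "limit": limit, "total": len(ids)}},
        "resources": ids[offset:offset + limit],
    }


def constructed_fetch_details(ids: Iterable[str]) -> List[dict]:
    """Mimic the details lookup for one batch of device IDs."""
    return [dict(CONSTRUCTED_DEVICES[i], device_id=i) for i in ids]


def collect_rfm_devices(query_page: Callable[[int, int], dict],
                        fetch_details: Callable[[Iterable[str]], List[dict]],
                        page_size: int = 2) -> List[dict]:
    """Step 1: page through every device ID, fetching details for each batch.
    Stops when the offset reaches meta.pagination.total or a page comes back empty,
    so a miscounted total cannot loop forever."""
    devices: List[dict] = []
    offset = 0
    while True:
        page = query_page(offset, page_size)
        ids = page.get("resources", [])
        if not ids:
            break
        devices.extend(fetch_details(ids))
        offset += len(ids)
        if offset >= page["meta"]["pagination"]["total"]:
            break
    return devices


def summarize_by_platform(devices: List[dict]) -> Dict[str, int]:
    """Step 2: the Linux/Windows/Mac counts appended to the consolidated resource."""
    counts = Counter(d.get("platform_name", "Unknown") for d in devices)
    return {p: counts.get(p, 0) for p in ("Linux", "Windows", "Mac")}


def build_csv_report(devices: List[dict]) -> str:
    """Step 3: the CSV attachment, one row per RFM host, Linux hosts first so the
    kernel-version question the team cares about sits at the top of the report."""
    fields = ["device_id", "hostname", "platform_name", "os_version",
              "kernel_version", "agent_version"]
    rows = sorted(devices, key=lambda d: (d["platform_name"] != "Linux", d["hostname"]))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    hosts = collect_rfm_devices(constructed_query_page, constructed_fetch_details)
    print(summarize_by_platform(hosts))  # {'Linux': 3, 'Windows': 1, 'Mac': 1}
    print(build_csv_report(hosts))
```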
  • Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms
    Dec 13, 2024 | The Hacker News | IoT Security / Operational Technology

    Iran-affiliated threat actors have been linked to a new custom malware that's geared toward IoT and operational technology (OT) environments in Israel and the United States.

    The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms.

    "While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration," the company said.

    The development makes IOCONTROL the tenth malware family to date to specifically single out Industrial Control Systems (ICS), after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY, and FrostyGoop (aka BUSTLEBERM).

    Claroty said it analyzed a malware sample extracted from a Gasboy fuel management system that was previously compromised by the hacking group called Cyber Av3ngers, which has been linked to cyber attacks exploiting Unitronics PLCs to breach water systems. The malware was embedded within Gasboy's Payment Terminal, otherwise called OrPT.

    This also means that the threat actors, given their ability to control the payment terminal, had the means to shut down fuel services and potentially steal credit card information from customers.

    "The malware is essentially a cyberweapon used by a nation-state to attack civilian critical infrastructure; at least one of the victims were the Orpak and Gasboy fuel management systems," Claroty said.

    The end goal of the infection chain is to deploy a backdoor that's automatically executed every time the device restarts. A notable aspect of IOCONTROL is its use of MQTT, a messaging protocol widely used in IoT devices, for communications, thereby allowing the threat actors to disguise malicious traffic.

    What's more, command-and-control (C2) domains are resolved using Cloudflare's DNS-over-HTTPS (DoH) service. This approach, already adopted by Chinese and Russian nation-state groups, is significant, as it allows the malware to avoid the detection risk that comes with sending DNS requests in cleartext.

    Once a successful C2 connection is established, the malware transmits information about the device, namely hostname, current user, device name and model, timezone, firmware version, and location, to the server, after which it awaits further commands for execution.

    These include checking that the malware is installed in the designated directory, executing arbitrary operating system commands, terminating the malware, and scanning an IP range on a specific port.

    "The malware communicates with a C2 over a secure MQTT channel and supports basic commands including arbitrary code execution, self-delete, port scan, and more," Claroty said. "This functionality is enough to control remote IoT devices and perform lateral movement if needed."

    This article is a contributed piece from one of our valued partners.
  • DoJ Indicts 14 North Koreans for $88M IT Worker Fraud Scheme Over Six Years
    Dec 13, 2024 | The Hacker News | Cybercrime / Cryptocurrency

    The U.S. Department of Justice (DoJ) has indicted 14 nationals of the Democratic People's Republic of Korea (DPRK or North Korea) for their alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.

    "The conspirators, who worked for DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People's Republic of China (PRC) and the Russian Federation (Russia), respectively, conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers," the DoJ said.

    The IT worker scheme generated at least $88 million for the North Korean regime over a span of six years, it's been alleged. In addition, the remote workers engaged in information theft, such as of proprietary source code, and threatened to leak the data unless a ransom was paid. The illicit proceeds obtained in this manner were then routed through U.S. and Chinese financial systems back to Pyongyang.

    The DoJ said it's aware of one employer that sustained hundreds of thousands of dollars in damages after it refused to yield to the extortion demand of a North Korean IT worker, who then ended up leaking the confidential information online.

    The identified individuals are Jong Song Hwa, Ri Kyong Sik, Kim Ryu Song, Rim Un Chol, Kim Mu Rim, Cho Chung Pom, Hyon Chol Song, Son Un Chol, Sok Kwang Hyok, Choe Jong Yong, Ko Chung Sok, Kim Ye Won, Jong Kyong Chol, and Jang Chol Myong.

    The 14 conspirators are said to have worked in various capacities ranging from senior company leaders to IT workers. The two sanctioned companies have employed at least 130 North Korean IT workers, referred to as IT Warriors, who participated in "socialism competitions" organized by the firms to generate money for the DPRK. The top performers were awarded bonuses and other prizes.

    The development is the latest in a series of actions the U.S. government has taken in recent years to address the fraudulent IT worker scheme, a campaign tracked by the cybersecurity community under the moniker Wagemole.

    The DoJ said it has since seized 29 phony website domains (17 in October 2023 and 12 in May 2024) used by DPRK IT workers to mimic Western IT services firms to support the bona fides of their attempts to land remote work contracts for U.S. and other businesses worldwide. The agency said it has also cumulatively seized $2.26 million (including $1.5 million seized in October 2023) from bank accounts tied to the scheme. Separately, the Department of State has announced a reward offer of up to $5 million for information on the front companies, the individuals identified, and their illicit activities.

    "DPRK IT worker schemes involve the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, virtual private networks, virtual private servers, and unwitting third-parties located in the United States and elsewhere," the DoJ said. "The conspirators used many techniques to conceal their North Korean identities from employers."

    One such method is the use of laptop farms in the U.S.: people residing in the country are paid to receive and set up company-issued laptops and allow the IT workers to remotely connect through software installed on them. The idea is to give the impression that they are accessing work from within the U.S. when, in reality, they are located in China or Russia.

    All 14 conspirators have been charged with conspiracy to violate the International Emergency Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. Eight of them have been charged with aggravated identity theft. If convicted, each of them faces a maximum penalty of 27 years in prison.

    Radiant Capital Crypto Heist Linked to Citrine Sleet

    The IT worker scam is just one of the many methods that North Korea has embraced to generate illicit revenue and support its strategic objectives, the others being cryptocurrency theft and the targeting of banking and blockchain companies.

    Earlier this month, decentralized finance (DeFi) platform Radiant Capital attributed the $50 million cryptocurrency heist that took place following a breach of its systems in October 2024 to a North Korea-linked threat actor dubbed Citrine Sleet.

    The adversary, also called Gleaming Pisces, Labyrinth Chollima, Nickel Academy, and UNC4736, is a sub-cluster within the Lazarus Group. It's also known for orchestrating a persistent social engineering campaign dubbed Operation Dream Job that aims to entice developers with lucrative job opportunities in order to dupe them into downloading malware.

    It's worth noting that these efforts also take different forms depending on the activity cluster behind them, which can vary from coding tests (Contagious Interview) to collaborating on a GitHub project (Jade Sleet).

    The attack targeting Radiant Capital was no different in that a developer at the company was approached by the threat actor on Telegram in September, posing as a trusted former contractor and ostensibly soliciting feedback about their work as part of a new career opportunity related to smart contract auditing.

    The message included a link to a ZIP archive containing a PDF file that, in turn, delivered a macOS backdoor codenamed INLETDRIFT that, besides displaying a decoy document to the victim, also established stealthy communications with a remote server ("atokyonews[.]com").

    "The attackers were able to compromise multiple developer devices," Radiant Capital said. "The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages."

    This article is a contributed piece from one of our valued partners.
  • Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques
    Dec 14, 2024 | Ravie Lakshmanan | Malware / Cyber Threat

    Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai.

    "The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not limited and can be used against any potential target."

    The starting point of the attack chain is a RAR archive containing two Windows shortcut files named in Thai that translate to "United States Department of Justice.pdf" and "United States government requests international cooperation in criminal matters.docx."

    The exact initial vector used to deliver the payload is currently not known, although Hegde speculated that it would likely be spear-phishing due to the lures employed and the fact that RAR files have been used as malicious attachments in phishing emails.

    Launching the shortcut files causes a decoy PDF and Microsoft Word document to be opened, respectively, while also stealthily dropping a malicious executable in the background. Both of the lure files relate to Woravit Mektrakarn, a Thai national who is wanted in the U.S. in connection with the disappearance of a Mexican immigrant. Mektrakarn was charged with murder in 2003 and is said to have fled to Thailand.

    The executable, for its part, is designed to drop three more files: a legitimate binary associated with the iTop Data Recovery application ("IdrInit.exe"), a malicious DLL ("ProductStatistics3.dll"), and a DATA file containing information sent by an attacker-controlled server. In the next stage, "IdrInit.exe" is abused to side-load the DLL, ultimately leading to the deployment of the backdoor.

    Yokai is responsible for setting up persistence on the host and connecting to the command-and-control (C2) server in order to receive command codes that allow it to spawn cmd.exe and execute shell commands on the host.

    The development comes as Zscaler ThreatLabz revealed it discovered a malware campaign leveraging Node.js-compiled executables for Windows to distribute cryptocurrency miners and information stealers such as XMRig, Lumma, and Phemedrone Stealer. The rogue applications have been codenamed NodeLoader.

    The attacks employ malicious links embedded in YouTube video descriptions, leading users to MediaFire or phony websites that urge them to download a ZIP archive disguised as video game hacks. The end goal of the attacks is to extract and run NodeLoader, which, in turn, downloads a PowerShell script responsible for launching the final-stage malware.

    "NodeLoader uses a module called sudo-prompt, a publicly available tool on GitHub and npm, for privilege escalation," Zscaler said. "The threat actors employ social engineering and anti-evasion techniques to deliver NodeLoader undetected."

    It also follows a spike in phishing attacks distributing the commercially available Remcos RAT, with threat actors giving the infection chains a makeover by employing Visual Basic Script (VBS) scripts and Office Open XML documents as a launchpad to trigger the multi-stage process.

    In one set of attacks, executing the VBS file leads to a highly obfuscated PowerShell script that downloads interim payloads, ultimately resulting in the injection of Remcos RAT into RegAsm.exe, a legitimate Microsoft .NET executable.

    The other variant entails using an Office Open XML document to load an RTF file that's susceptible to CVE-2017-11882, a known remote code execution flaw in Microsoft Equation Editor, to fetch a VBS file that subsequently fetches PowerShell in order to inject the Remcos payload into the memory of RegAsm.exe.

    It's worth pointing out that both methods avoid writing files to disk and instead load the payloads into legitimate processes in a deliberate attempt to evade detection by security products.

    "As this remote access trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more critical," McAfee Labs researchers said.
  • Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action
    Dec 14, 2024 | Ravie Lakshmanan | Botnet / Ad Fraud

    Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country.

    In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains in question. Impacted devices include digital picture frames, media players, and streamers, and likely phones and tablets.

    "What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware," the BSI said in a press release.

    BADBOX was first documented by HUMAN's Satori Threat Intelligence and Research team in October 2023, describing it as a "complex threat actor scheme" that involves deploying the Triada Android malware on low-cost, off-brand Android devices by exploiting weak supply chain links.

    Once connected to the internet, the malware embedded into the devices can collect a wide range of data, such as authentication codes, and install additional malware.

    The operation, assessed to be operating out of China, also comprises an ad fraud botnet called PEACHPIT that's designed to spoof popular Android and iOS apps and route fraudulent traffic from the BADBOX-infected devices through those apps. The fake impressions are then sold through programmatic advertising.

    "This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps," HUMAN said at the time. "Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware."

    The BSI said that devices compromised by BADBOX are also capable of acting as a residential proxy service, allowing other threat actors to route their internet traffic through them while simultaneously evading detection. They could also be used to create online accounts on Gmail and WhatsApp.

    In addition to instructing all internet providers in the country with more than 100,000 subscribers to redirect traffic to the sinkhole, the agency is urging consumers to disconnect affected devices from the internet with immediate effect.
  • Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection
    Dec 13, 2024 | The Hacker News | Linux / Vulnerability

    A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages.

    The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the flaw on December 4, 2024. The issue has been patched in ASU version 920c8a1.

    "Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision," the project maintainers said in an alert.

    OpenWrt is a popular open-source Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.

    Successful exploitation of the shortcoming could essentially allow a threat actor to inject arbitrary commands into the build process, thereby leading to the production of malicious firmware images signed with the legitimate build key.

    Even worse, a 12-character SHA-256 hash collision associated with the build key could be weaponized to serve a previously built malicious image in the place of a legitimate one, posing a severe supply chain risk to downstream users.

    "An attacker needs the ability to submit build requests containing crafted package lists," OpenWrt noted. "No authentication is required to exploit the vulnerabilities. By injecting commands and causing hash collisions, the attacker can force legitimate build requests to receive a previously generated malicious image."

    RyotaK, who provided a technical breakdown of the bug, said it's not known if the vulnerability was ever exploited in the wild because it has "existed for a while." Users are recommended to update to the latest version as soon as possible to safeguard against potential threats.

    This article is a contributed piece from one of our valued partners.
  • 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits
    Dec 13, 2024 | Ravie Lakshmanan | Cyber Attack / Malware

    A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.

    The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws.

    "Victims are believed to be offensive actors including pentesters and security researchers, as well as malicious threat actors and had sensitive data such as SSH private keys and AWS access keys exfiltrated," researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News.

    It's no surprise that security researchers have been an attractive target for threat actors, including nation-state groups from North Korea, as compromising their systems could yield information about possible exploits related to undisclosed security flaws they may be working on, which could then be leveraged to stage further attacks.

    In recent years, a trend has emerged where attackers attempt to capitalize on vulnerability disclosures to create GitHub repositories using phony profiles that claim to host PoCs for the flaws but are actually engineered to conduct data theft and even demand payment in exchange for the exploit.

    The campaigns undertaken by MUT-1244 not only involve making use of trojanized GitHub repositories but also phishing emails, both of which act as a conduit to deliver a second-stage payload capable of dropping a cryptocurrency miner, as well as stealing system information, private SSH keys, environment variables, and contents associated with specific folders (e.g., ~/.aws) to File.io.

    One such repository was "github[.]com/hpc20235/yawpp," which claimed to be "Yet Another WordPress Poster." Prior to its takedown by GitHub, it contained two scripts: one to validate WordPress credentials and another to create posts using the XML-RPC API.

    But the tool also harbored malicious code in the form of a rogue npm dependency, a package named @0xengine/xmlrpc that deployed the same malware. It was originally published to npm in October 2023 as a JavaScript-based XML-RPC server and client for Node.js. The library is no longer available for download.

    It's worth noting that cybersecurity firm Checkmarx revealed last month that the npm package remained active for over a year, attracting about 1,790 downloads.

    The yawpp GitHub project is said to have enabled the exfiltration of over 390,000 credentials, likely for WordPress accounts, to an attacker-controlled Dropbox account by compromising unrelated threat actors who had access to these credentials through illicit means.

    Another method used to deliver the payload entails sending phishing emails to academics in which they are tricked into visiting links that instruct them to launch the terminal and copy-paste a shell command to perform a supposed kernel upgrade. The discovery marks the first time a ClickFix-style attack has been documented against Linux systems.

    "The second initial access vector that MUT-1244 utilizes is a set of malicious GitHub users publishing fake proof-of-concepts for CVEs," the researchers explained. "Most of them were created in October or November [2024], have no legitimate activity, and have an AI-generated profile picture."

    Some of these bogus PoC repositories were previously highlighted by Alex Kaganovich, Colgate-Palmolive's global head of offensive security red team, in mid-October 2024. But in an interesting twist, the second-stage malware is delivered in four different ways: a backdoored configure compilation file, a malicious payload embedded in a PDF file, a Python dropper, and the inclusion of a malicious npm package, "0xengine/meow".

    "MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code," the researchers said. "This allowed MUT-1244 to gain access to sensitive information, including private SSH keys, AWS credentials, and command history."
  • Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States
    Two new Android spyware tools called BoneSpy and PlainGnome have been attributed to the Russia-linked state-sponsored threat actor tracked as Gamaredon, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns.

    "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists."

    Gamaredon, also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB).

    Last week, Recorded Future's Insikt Group revealed the threat actor's use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payloads such as GammaDrop.

    It's believed that BoneSpy has been operational since at least 2021. On the other hand, PlainGnome emerged only earlier this year. Targets of the campaign possibly include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan based on VirusTotal submissions of the artifacts. There is no evidence at this stage that the malware was used to target Ukraine, which has been the group's sole focus.

    Back in September 2024, ESET also disclosed that Gamaredon unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland, in April 2022 and February 2023.

    Lookout has theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan "may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion."

    The attribution of the new malware to Gamaredon stems from the reliance on dynamic DNS providers and overlaps in IP addresses that point to command-and-control (C2) domains used in both mobile and desktop campaigns.

    BoneSpy and PlainGnome differ in one crucial respect: the former, derived from the open-source DroidWatcher spyware, is a standalone application, whereas the latter acts as a dropper for a surveillance payload embedded within it. PlainGnome is also a custom-made malware but one that requires the victim to grant it permission to install other apps through REQUEST_INSTALL_PACKAGES.

    Both surveillance tools implement a broad range of functions to track location, gather information about the infected device, and collect SMS messages, call logs, contact lists, browser history, audio recordings, ambient audio, notifications, photos, screenshots, and cellular service provider details. They also attempt to gain root access.

    The exact mechanism by which the malware-laced apps are distributed remains unclear, but it's suspected to involve targeted social engineering, with the apps masquerading as battery charge monitoring apps, photo gallery apps, a fake Samsung Knox app, and a fully functional but trojanized Telegram app.

    "While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base," Lookout said.
  • Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online
    Dec 12, 2024 | Ravie Lakshmanan | Vulnerability / Cloud Security

    Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks.

    "Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys," Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new report shared with The Hacker News.

    The cloud security firm also said that the exposure of the "/debug/pprof" endpoints, used for determining heap memory usage, CPU usage, and more, could serve as a vector for DoS attacks, rendering the servers inoperable.

    As many as 296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers have been estimated to be publicly accessible over the internet, making them a huge attack surface that could put data and services at risk.

    The fact that sensitive information, such as credentials, passwords, authentication tokens, and API keys, could be leaked through internet-exposed Prometheus servers has been documented previously by JFrog in 2021 and Sysdig in 2022.

    "Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations," the researchers said.

    In addition, it has been found that the "/metrics" endpoint can not only reveal internal API endpoints, but also data about subdomains, Docker registries, and images, all valuable information for an attacker conducting reconnaissance and looking to expand their reach within the network.

    That's not all. An adversary could send multiple simultaneous requests to endpoints like "/debug/pprof/heap" to trigger CPU- and memory-intensive heap profiling tasks that can overwhelm the servers and cause them to crash.

    Aqua further called out a supply chain threat that involves using RepoJacking techniques to leverage the name associated with deleted or renamed GitHub repositories and introduce malicious third-party exporters.

    Specifically, it discovered that eight exporters listed in Prometheus' official documentation were vulnerable to RepoJacking, thereby allowing an attacker to recreate an exporter with the same name and host a rogue version. These issues have since been addressed by the Prometheus security team as of September 2024.

    "Unsuspecting users following the documentation could unknowingly clone and deploy this malicious exporter, leading to remote code execution on their systems," the researchers said.

    Organizations are recommended to secure Prometheus servers and exporters with adequate authentication methods, limit public exposure, monitor "/debug/pprof" endpoints for any signs of anomalous activity, and take steps to avoid RepoJacking attacks.
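    The leak the researchers describe usually starts with an exporter or application that puts a connection string, key or token into a metric label, after which anyone who can reach "/metrics" can read it. The following added example (not code from the Aqua report or from the Prometheus project) parses the Prometheus text exposition format and flags labels whose name or value looks like a credential, so a team can audit its own scrape output before it is exposed. The sample scrape, the metric names in it, and the fake key and password are all constructed for this example.

```python
"""Audit a Prometheus text-format scrape for leaked secrets.

Added example; not code from the Aqua report or from the Prometheus project. It
parses the Prometheus text exposition format (one "name{labels} value" sample
per line) and flags labels whose name or value looks like a credential, which
is the kind of material that leaks through unauthenticated /metrics endpoints.
The scrape below is constructed; the key and password in it are fake.
"""
from __future__ import annotations

import re
from typing import Iterator

# Constructed sample of what an exporter with careless labelling might serve.
SAMPLE_SCRAPE = """\
# HELP http_requests_total Total HTTP requests.
# TYPE http_requests_total counter
http_requests_total{method="GET",path="/api/v1/orders"} 1027
http_requests_total{method="POST",path="/internal/admin/rotate-keys"} 3
# TYPE db_connection_info gauge
db_connection_info{dsn="postgres://app:Sup3rS3cret@db.internal:5432/shop"} 1
app_build_info{version="1.4.2",registry="registry.internal.example:5000/shop/api"} 1
cloud_client_info{aws_access_key_id="AKIAEXAMPLEKEY0000XX",region="us-east-1"} 1
job_config{token="Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig"} 1
process_cpu_seconds_total 12.5
"""

# Label names that should never carry a live value in a scrape.
SENSITIVE_LABEL_NAMES = re.compile(r"(?i)(password|passwd|secret|token|api_?key|access_?key)")

# Value shapes that look like credentials regardless of the label name.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_userinfo": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]+=*"),
}

# name, optional {labels}, value.  Label values are double-quoted and may contain \" escapes.
SAMPLE_LINE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)")
LABEL_PAIR = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def iter_samples(text: str) -> Iterator[tuple[str, dict[str, str]]]:
    """Yield (metric_name, labels) for every sample line, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_LINE.match(line)
        if m is None:
            continue  # not a sample line; a full validator would report it
        labels = dict(LABEL_PAIR.findall(m.group(2) or ""))
        yield m.group(1), labels


def redact(value: str) -> str:
    """Keep just enough of a flagged value to locate it in the scrape; never log the secret itself."""
    return value[:4] + "..." if len(value) > 4 else "..."


def audit_scrape(text: str) -> list[dict[str, str]]:
    """Return one finding per suspicious label: metric, label, reasons, redacted value."""
    findings: list[dict[str, str]] = []
    for metric, labels in iter_samples(text):
        for name, value in labels.items():
            reasons = []
            if SENSITIVE_LABEL_NAMES.search(name):
                reasons.append("sensitive label name")
            reasons.extend(kind for kind, pat in VALUE_PATTERNS.items() if pat.search(value))
            if reasons:
                findings.append({"metric": metric, "label": name,
                                 "reason": ", ".join(reasons), "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in audit_scrape(SAMPLE_SCRAPE):
        print(f"{f['metric']}{{{f['label']}}}: {f['reason']} (value starts {f['value']!r})")
```

    On the constructed scrape the audit flags the DSN with embedded password, the AWS access key, and the bearer token, and leaves the internal registry hostname alone: that value is reconnaissance material rather than a credential, and the patterns here only cover the latter. Findings carry a redacted prefix of the value, so the audit output itself does not become another copy of the secret.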
  • New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools
    Dec 11, 2024 | Ravie Lakshmanan | Malware / Endpoint Security

    A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious activities without tipping off endpoint detection and response (EDR) solutions.

    "To exploit this technique, a user must be convinced to run a program that uses UI Automation," Akamai security researcher Tomer Peled said in a report shared with The Hacker News. "This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more."

    Even worse, local attackers could take advantage of this security blind spot to execute commands and read/write messages from/to messaging applications like Slack and WhatsApp. On top of that, it could also potentially be weaponized to manipulate UI elements over a network.

    First available in Windows XP as part of the Microsoft .NET Framework, UI Automation is designed to provide programmatic access to various user interface (UI) elements and help users manipulate them using assistive technology products, such as screen readers. It can also be used in automated testing scenarios.

    "Assistive technology applications typically need access to the protected system UI elements, or to other processes that might be running at a higher privilege level," Microsoft notes in a support document. "Therefore, assistive technology applications must be trusted by the system, and must run with special privileges."

    "To get access to higher IL processes, an assistive technology application must set the UIAccess flag in the application's manifest and be launched by a user with administrator privileges."

    The UI interactions with elements in other applications are achieved by making use of the Component Object Model (COM) as an inter-process communication (IPC) mechanism. This makes it possible to create UIA objects that can be used to interact with an application that's in focus by setting up an event handler that's triggered when certain UI changes are detected.

    Akamai's research found that this approach could also open up an avenue for abuse, allowing malicious actors to read/write messages, steal data entered in websites (e.g., payment information), and execute commands that redirect victims to malicious websites when a currently displayed web page in a browser refreshes or changes.

    "In addition to the UI elements currently shown on the screen that we can interact with, more elements are loaded in advance and placed in a cache," Peled noted. "We can also interact with those elements, such as reading messages not shown on the screen, or even set the text box and send messages without it being reflected on the screen."

    That said, it bears noting that each of these malicious scenarios is an intended feature of UI Automation, just like how Android's accessibility services API has become a staple way for malware to extract information from compromised devices.

    "This goes back to the intended purpose of the application: Those permissions levels have to exist in order to use it," Peled added. "This is why UIA is able to bypass Defender: the application finds nothing out of the ordinary. If something is seen as a feature rather than a bug, the machine's logic will follow the feature."

    From COM to DCOM: A Lateral Movement Attack Vector

    The disclosure comes as Deep Instinct revealed that the Distributed COM (DCOM) Remote Protocol, which allows software components to communicate over a network, could be exploited to remotely write custom payloads to create an embedded backdoor.

    The attack "allows the writing of custom DLLs to a target machine, loading them to a service, and executing their functionality with arbitrary parameters," security researcher Eliran Nissan said. "This backdoor-like attack abuses the IMsiServer COM interface."

    That said, the Israeli cybersecurity company noted that an attack of this kind leaves clear indicators of compromise (IoCs) that can be detected and blocked. It further requires the attacker and victim machines to be in the same domain.

    "Until now, DCOM lateral movement attacks have been exclusively researched on IDispatch-based COM objects due to their scriptable nature," Nissan said. The new 'DCOM Upload & Execute' method "remotely writes custom payloads to the victim's [Global Assembly Cache], executes them from a service context, and communicates with them, effectively functioning as an embedded backdoor."

    "The research presented here proves that many unexpected DCOM objects may be exploitable for lateral movement, and proper defenses should be aligned."
  • Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service
    Dec 11, 2024 | Ravie Lakshmanan | Malware / Cyber Espionage

    The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.

    The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically selected" systems associated with the Ukrainian military between March and April 2024.

    The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine.

    "Commandeering other threat actors' access highlights Secret Blizzard's approach to diversifying its attack vectors," the company said in a report shared with The Hacker News.

    Some of the other known methods employed by the hacking crew include adversary-in-the-middle (AitM) campaigns, strategic web compromises (aka watering hole attacks), and spear-phishing.

    Secret Blizzard has a track record of targeting various sectors to facilitate long-term covert access for intelligence collection, but its primary focus is on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies across the world.

    The latest report comes a week after the tech giant, along with Lumen Technologies' Black Lotus Labs, revealed Turla's hijacking of 33 command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to carry out its own operations.

    The attacks targeting Ukrainian entities entail commandeering Amadey bots to deploy a backdoor known as Tavdig, which is then used to install an updated version of Kazuar, which was documented by Palo Alto Networks Unit 42 in November 2023.

    The cybercriminal activity tied to Amadey, which often includes the execution of the XMRig cryptocurrency miner, is being tracked by Microsoft under the moniker Storm-1919.

    It's believed that Secret Blizzard either used the Amadey malware-as-a-service (MaaS) or accessed the Amadey command-and-control (C2) panels stealthily to download a PowerShell dropper on target devices. The dropper comprises a Base64-encoded Amadey payload followed by an appended code segment that calls back to a Turla C2 server.

    "The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot," Microsoft said.

    The next phase involves downloading a bespoke reconnaissance tool aimed at collecting details about the victim device and likely checking whether Microsoft Defender was enabled, ultimately enabling the threat actor to zero in on systems that are of further interest.

    At this stage, the attack proceeds to deploy a PowerShell dropper containing the Tavdig backdoor and a legitimate Symantec binary that's susceptible to DLL side-loading. Tavdig, for its part, is used to conduct additional reconnaissance and launch KazuarV2.

    Microsoft said it also detected the threat actor repurposing a PowerShell backdoor tied to a different Russia-based hacking group called Flying Yeti (aka Storm-1837 and UAC-0149) to deploy a PowerShell dropper that embeds Tavdig.

    Investigation into how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools is presently ongoing, the tech giant noted.

    Needless to say, the findings once again highlight the threat actor's repeated pursuit of footholds provided by other parties, either by purchasing the access or stealing it, to conduct espionage campaigns in a manner that obscures its own presence.

    "It is not uncommon for actors to use the same tactics or tools, although we rarely see evidence of them compromising and using other actors' infrastructure," Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft, told The Hacker News.

    "Most state-sponsored threat actors have operational objectives that rely on dedicated or carefully compromised infrastructure to retain the integrity of their operation. This is potentially an effective obfuscation technique to frustrate threat intelligence analysts and make attribution to the correct threat actor more difficult."
  • Fake Recruiters Distribute Banking Trojan via Malicious Apps in Phishing Scam
    Dec 10, 2024 | Ravie Lakshmanan | Mobile Security / Cryptocurrency

    Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing) campaign that's designed to distribute an updated version of the Antidot banking trojan.

    "The attackers presented themselves as recruiters, luring unsuspecting victims with job offers," Zimperium zLabs researcher Vishnu Pratapagiri said in a new report.

    "As part of their fraudulent hiring process, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing the updated variant of Antidot Banker in the victim's device."

    The new version of the Android malware has been codenamed AppLite Banker by the mobile security company, highlighting its abilities to siphon the unlock PIN (or pattern or password) and remotely take control of infected devices, a feature recently also observed in TrickMo.

    The attacks employ a variety of social engineering strategies, often luring targets with the prospect of a job opportunity that claims to offer a "competitive hourly rate of $25" and excellent career advancement options.

    In a September 2024 post identified by The Hacker News on Reddit, several users said they received emails from a Canadian company named Teximus Technologies about a job offer for a remote customer service agent.

    Should the victim engage with the purported recruiter, they are directed to download a malicious Android app from a phishing page as part of the recruitment process, which then acts as a first stage responsible for facilitating the deployment of the main malware on the device.

    Zimperium said it discovered a network of phony domains that are used to distribute the malware-laced APK files that masquerade as employee-customer relationship management (CRM) apps.

    The dropper apps, besides employing ZIP file manipulation to evade analysis and bypass security defenses, instruct the victims to register for an account, after which they are engineered to display a message asking them to install an app update in order to "keep your phone protected." Furthermore, they advise them to allow the installation of Android apps from external sources.

    "When the user clicks the 'Update' button, a fake Google Play Store icon appears, leading to the installation of the malware," Pratapagiri said. "Like its predecessor, this malicious app requests Accessibility Services permissions and abuses them to overlay the device's screen and carry out harmful activities. These activities include self-granting permissions to facilitate further malicious operations."

    The newest version of Antidot packs in support for new commands that allow the operators to launch "Keyboard & Input" settings, interact with the lock screen based on the set value (i.e., PIN, pattern, or password), wake up the device, reduce screen brightness to the lowest level, launch overlays to steal Google account credentials, and even prevent it from being uninstalled.

    It also incorporates the ability to hide certain SMS messages, block calls from a predefined set of mobile numbers received from a remote server, launch the "Manage Default Apps" settings, and serve fake login pages for 172 banks, cryptocurrency wallets, and social media services like Facebook and Telegram.

    Some of the other known features of the malware include keylogging, call forwarding, SMS theft, and Virtual Network Computing (VNC) functionality to remotely interact with the compromised devices.

    Users proficient in languages such as English, Spanish, French, German, Italian, Portuguese, and Russian are said to be the targets of the campaign.

    "Given the malware's advanced capabilities and extensive control over compromised devices, it is imperative to implement proactive and robust protection measures to safeguard users and devices against this and similar threats, preventing data or financial losses."

    The findings come as Cyfirma revealed that high-value assets in Southern Asia have become the target of an Android malware campaign that delivers the SpyNote trojan. The attacks have not been attributed to any known threat actor or group.

    "The continued use of SpyNote is notable, as it highlights the threat actors' preference for leveraging this tool to target high-profile individuals despite being publicly available on various underground forums and telegram channels," the company said.
  • Cleo File Transfer Vulnerability Under Exploitation: Patch Pending, Mitigation Urged
    Dec 10, 2024 | Ravie Lakshmanan | Vulnerability / Threat Analysis

    Users of Cleo's managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems.

    Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution.

    The security hole is tracked as CVE-2024-50623, with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code.

    The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE pending), warning of a separate "unauthenticated malicious hosts vulnerability that could lead to remote code execution."

    The development comes after Huntress said the patches released for CVE-2024-50623 do not completely mitigate the underlying software flaw. The issue impacts the below products and is expected to be patched later this week:

      - Cleo Harmony (up to version 5.8.0.23)
      - Cleo VLTrader (up to version 5.8.0.23)
      - Cleo LexiCom (up to version 5.8.0.23)

    In the attacks detected by the cybersecurity company, the vulnerability has been found to be exploited to drop multiple files, including an XML file that's configured to run an embedded PowerShell command that's responsible for retrieving a next-stage Java Archive (JAR) file from a remote server.

    Specifically, the intrusions leverage the fact that files placed in the "autorun" sub-directory within the installation folder are immediately read, interpreted, and evaluated by the susceptible software.

    At least 10 businesses have had their Cleo servers compromised, with a spike in exploitation observed on December 8, 2024, at around 7 a.m. UTC. Evidence gathered so far pins the earliest date of exploitation to December 3, 2024.

    Victim organizations span consumer product companies, logistics and shipping organizations, and food suppliers. Users are advised to ensure that their software is up-to-date so that they are protected against the threat.

    Ransomware groups like Cl0p (aka Lace Tempest) have previously set their sights on various managed file transfer tools, and it looks like the latest attack activity is no different.

    According to security researcher Kevin Beaumont (aka GossiTheDog), "Termite ransomware group operators (and maybe other groups) have a zero-day exploit for Cleo LexiCom, VLTransfer, and Harmony."

    Cybersecurity company Rapid7 said it has also confirmed successful exploitation of the Cleo issue against customer environments. It's worth noting that Termite has claimed responsibility for the recent cyber attack on supply chain firm Blue Yonder.

    Broadcom's Symantec Threat Hunter Team told The Hacker News that "Termite appears to be using a modified version of Babuk ransomware, which, when executed on a machine, encrypts targeted files and adds a .termite extension."

    "Since we saw that Blue Yonder had an instance of Cleo's software open to the internet via Shodan, and Termite has claimed Blue Yonder amongst its victims, which was also confirmed by their listing and open directory of files, I'd say that Gossi is correct in his statement," Jamie Levy, Huntress' Director of Adversary Tactics, told the publication.

    "For what it's worth, there have been some rumblings that Termite might be the new Cl0p; there is some data that seems to support this, as Cl0p's activities have waned while Termite's activities have increased. They are also operating in some similar fashions. We're not really in the attribution game, but it wouldn't be surprising at all if we are seeing a shift in these ransomware gangs at the moment."

    (This is a developing story. Please check back for more updates.)
  • THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)
    This week's cyber world is like a big spy movie. Hackers are breaking into other hackers' setups, sneaky malware is hiding in popular software, and AI-powered scams are tricking even the smartest of us. On the other side, the good guys are busting secret online markets and kicking out shady chat rooms, while big companies rush to fix new security holes before attackers can jump in.Want to know who's hacking who, how they're doing it, and what's being done to fight back? Stick aroundthis recap has the scoop. Threat of the WeekTurla Hackers Hijack Pakistan Hackers' Infrastructure Imagine one hacker group sneaking into another hacker group's secret hideout and using their stuff to carry out their own missions. That's basically what the Russia-linked Turla group has been doing since December 2022. They broke into the servers of a Pakistani hacking team called Storm-0156 and used those servers to spy on government and military targets in Afghanistan and India. By doing this, Turla not only got easy access to important information but also made it way harder for anyone to figure out who was actually running the show. This is a classic move for Turlathey often hijack other hackers' operations to hide their tracks and make it super confusing to tell who's really behind these attacks. Top NewsUltralytics and @solana/web3.js Libraries Targeted by Supply Chain Attacks In two separate incidents, unknown threat actors managed to push malicious versions of the popular Ultralytics library for Python and @solana/web3.js package for npm that contained code to drop a cryptocurrency miner and a drainer, respectively. The maintainers have since released updated versions to address the issue. New Android Malware DroidBot Targets Over 70 Financial Institutions Dozens of banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot. 
The malware is capable of gathering a wide range of information from compromised devices. A majority of the campaigns distributing the malware have targeted users in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom. DroidBot has been observed operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.A Busy Week of Law Enforcement Actions Europol last week announced the disruption of a clearnet marketplace called Manson Market that facilitated online fraud on a large scale by acting as a hub for stolen financial information. A 27-year-old and a 37-year-old have been arrested in Germany and Austria, respectively, in connection with the operation. They are currently in pretrial detention. Separately, the law enforcement agency said it also dismantled an invite-only encrypted messaging service called MATRIX that's created by criminals for criminal purposes, including drug trafficking, arms trafficking, and money laundering.Tibetans and Uyghurs Become the Target of Earth Minotaur A newly christened threat activity cluster dubbed Earth Minotaur has been found leveraging the MOONSHINE exploit kit to deliver a new backdoor called DarkNimbus as part of long-term surveillance operations targeting Tibetans and Uyghurs. In the attack chains documented by Trend Micro, the attackers leveraged WeChat as a conduit to deploy the backdoor. The use of MOONSHINE has been previously linked to other groups like POISON CARP and UNC5221, suggesting some kind of tool sharing.Salt Typhoon Guidance Issued Australia, Canada, New Zealand, and the U.S. issued a joint guidance for organizations to safeguard their networks against threats posed by Salt Typhoon, which has been recently linked to a spate of cyber attacks directed against telecommunication companies in the U.S., including AT&T, T-Mobile, and Verizon. 
As many as eight telecom companies in the U.S., with dozens of other nations, are estimated to be affected as a result of the campaign.Malware Campaign Leverages Corrupt Word and ZIP Files New phishing campaigns ongoing since at least August 2024 have been taking advantage of corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses. "By manipulating specific components like the CDFH and EOCD, attackers can create corrupted files that are successfully repaired by applications but remain undetected by security software," ANY.RUN said. Trending CVEsHeads up! Some popular software has serious security flaws, so make sure to update now to stay safe. The list includes CVE-2024-41713 (Mitel MiCollab), CVE-2024-51378 (CyberPanel), CVE-2023-45727 (Proself), CVE-2024-11680 (ProjectSend), CVE-2024-11667 (Zyxel), CVE-2024-42448 (Veeam), CVE-2024-10905 (SailPoint IdentityIQ), CVE-2024-5921 (Palo Alto Networks GlobalProtect), CVE-2024-29014 (SonicWall), CVE-2014-2120 (Cisco Adaptive Security Appliance), CVE-2024-20397 (Cisco NX-OS), CVE-2024-52338 (Apache Arrow), CVE-2024-52316 (Apache Tomcat), CVE-2024-49803, CVE-2024-49805 (IBM Security Verify Access Appliance), CVE-2024-12053 (Google Chrome), CVE-2024-38193 (Microsoft Windows), and CVE-2024-12209 (WP Umbrella: Update Backup Restore & Monitoring plugin). Around the Cyber WorldResearchers Debut New VaktBLE Framework A group of academics from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design has unveiled a novel jamming technique called VaktBLE that can be used to defend against low-level Bluetooth Low Energy (BLE) attacks. "VaktBLE presents a novel, efficient, and (almost) deterministic technique to silently hijack the connection between a potentially malicious BLE central and the target peripheral to be protected," the researchers explained. 
"This creates a benevolent man-in-the-middle (MiTM) bridge that allows us to validate each packet sent by the BLE central." (Please embed this video - https://www.youtube.com/watch?v=RhDDp_HExsk)FBI Warns of AI-Enabled Financial Fraud The U.S. Federal Bureau of Investigation (FBI) is warning that cybercriminals are exploiting generative artificial intelligence (AI) to generate synthetic content and commit fraud at scale. This comprises the use of AI tools to produce realistic images, audio, and video clips of people, celebrities, and topical events; generate fraudulent identification documents; create fictitious social media profiles; craft convincing messages; assist with language translation; generate content for counterfeit websites; and even embed chatbots that aim to trick victims into clicking on malicious links. "Criminals use AI-generated text to appear believable to a reader in furtherance of social engineering, spear-phishing, and financial fraud schemes such as romance, investment, and other confidence schemes or to overcome common indicators of fraud schemes," the FBI said.Lateral Movement Techniques on macOS Cybersecurity researchers have highlighted the different ways threat actors are exploiting SSH, Apple Remote Desktop, and Remote Apple Events (RAE) to facilitate lateral movement on Apple macOS systems. "Lateral movement refers to the techniques cyber attackers use to navigate through a network after compromising an initial system," Palo Alto Networks Unit 42 said. "This phase is crucial for attackers to achieve their ultimate objectives, which might include data exfiltration, persistence or further system compromise." The disclosure comes as new research has revealed how the legitimate Windows Event Logs utility wevtutil.exe could be exploited to carry out malicious activities and slip past security controls unnoticed, a technique known as living-off-the-land. 
"Using wevtutil.exe as part of a chain of LOLBAS utilities can further obfuscate actions," Denwp Research's Tonmoy Jitu said. "For instance, an attacker could export logs using wevtutil.exe, compress the exported file with makecab.exe, [and] use certutil.exe to upload the file to a remote location."Another Scattered Spider Hacker Arrested in the U.S. U.S. authorities have arrested a 19-year-old teenager named Remington Goy Ogletree (aka remi) for his role in the Scattered Spider cybercrime syndicate and breaching a U.S. financial institution and two unnamed telecommunications firms. "From at least October 2023 through at least May 2024, Ogletree perpetuated a scheme to defraud in which he called and sent phishing messages to U.S.- and foreign-based company employees to gain unauthorized access to the companies' computer networks," per a complaint filed in late October 2024. "Once Ogletree had access to the victim companies' networks, Ogletree accessed and stole confidential data, including data that was later posted for sale on the dark web, and, at times, used the companies' services to facilitate the theft of cryptocurrency from unwitting victims. As a result of Ogletree's scheme, victims have suffered over $4 million in losses." The charges come weeks after the U.S. government indicted five other members of the infamous hacking crew. Scattered Spider is believed to be part of a broader loose-knit cybercrime group called The Com. According to a new report published by CyberScoop, The Com and a child sextortion sub-cluster known as 764 are engaging in financially motivated cybercrime tactics such as SIM swapping, IP grabbing, ATM skimming, and social engineering to commit violent crimes.FTC Takes Action Against 2 Data Brokers The U.S. 
Federal Trade Commission (FTC) has banned Virginia-based Gravy Analytics and its subsidiary Venntel from tracking and selling sensitive location data from users, including selling data about consumers' visits to health-related locations and places of worship, without their consent. It has also been ordered to establish a sensitive data location program. It's alleged that the two companies "obtained consumer location information from other data suppliers and claimed to collect, process, and curate more than 17 billion signals from around a billion mobile devices daily." The data was gathered from ordinary mobile apps, and then sold to other businesses or government agencies. Venntel's data is reportedly used by controversial surveillance company Babel Street to power its product Locate X, which can be used to precisely monitor a user's whereabouts without a warrant. The FTC also accused Mobilewalla, a Georgia-based data broker, of purposefully tracking users by collecting massive amounts of sensitive consumer data, like visits to health clinics and places of worship, from real-time bidding exchanges and third-party aggregators. "Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale," the FTC said. In a related move, the Consumer Financial Protection Bureau (CFPB) proposed new rules to curb the sale of sensitive personal and financial information, such as Social Security numbers and banking details, to other parties without a legitimate reason. The development also comes as FTC announced an enforcement action against facial recognition firm IntelliVision Technologies for deceptively marketing its software as being accurate and that it "performs with zero gender or racial bias" without providing any evidence to back up its claims. Expert WebinarLearn How Experts Secure Privileged Accounts In this expert-led webinar, learn proven techniques for managing privileged access and stopping cyber threats before they escalate. 
We'll show you how to discover hidden accounts, gain full visibility into user activities, enforce least privilege policies, and create a stronger security posture that protects your organization's critical assets.

Understanding Blind Spots in Advanced Security Systems

Discover why even well-prepared companies still experience breaches, and learn how to strengthen your defenses in this webinar with Silverfort's CISO, John Paul Cunningham. Explore common vulnerabilities, modern threats, tactics to spot hidden risks, and strategies to align security efforts with business goals. Gain actionable insights to protect your organization.

Cybersecurity Tools

Vanir Security Patch Validation Tool

Vanir is an open-source tool from Google that helps developers quickly find and fix missing security patches in their Android code. Instead of relying on version numbers or build info, Vanir compares source code to known vulnerabilities, ensuring better accuracy and coverage. By connecting with the Open Source Vulnerabilities database, Vanir always stays up-to-date. With a 97% accuracy rate, it reduces manual work, speeds up patch adoption, and helps ensure that devices receive critical security updates more quickly.

garak LLM Vulnerability Scanner

garak is a free tool that scans large language models (LLMs) for weaknesses. Think of it like nmap, but for LLMs. It tries to break models by testing them with many different probes, looking for failures like hallucinations, data leaks, misinformation, or prompt injections. Each time it finds a flaw, garak logs the exact prompt, response, and reason, so you know what to fix. With dozens of plugins and thousands of tests, garak adapts over time as the community adds new, tougher challenges.

Tip of the Week

Turn Your PC into a Malware 'No-Go' Zone

Malware often avoids running if it suspects it's in a research lab or test environment.
By placing fake clues, such as virtual machine-related registry keys, empty folders named after analysis tools, or dummy drivers, on your PC, you can trick malware into thinking it's being watched. Tools like Malcrow (open-source) and Scarecrow (free) create fake indicators (virtual machine keys, dummy processes, or tool-like entries) to fool it into retreating. This might make certain threats back off before causing harm. Although this trick isn't perfect, it can add a subtle extra layer of security, alongside your antivirus and other defenses. Just remember to test changes carefully and keep things believable: some legitimate software also checks for virtualization, and fake indicators can change its behaviour too. It won't stop every attacker, but it might deter less sophisticated malware from targeting your system.

Conclusion

As you think about this week's threats, consider some less common tactics. For example, plant fake "decoy" files on your network; if someone opens them, you'll know there's a problem. Keep a clear record of every piece of code you use, so if something strange shows up, you can spot it right away. Also, try controlling who can talk to whom on your network, making it harder for attackers to move around. These simple steps can help you stay one step ahead in a world where cyber risks are always changing.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
  • THEHACKERNEWS.COM
    Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering
    Dec 09, 2024 | Ravie Lakshmanan | Threat Intelligence / Malware

    The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024.

    "Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7 said. "After the email bomb, the threat actor will reach out to the impacted users."

    As observed back in August, the attackers make initial contact with prospective targets on Microsoft Teams, pretending to be external support personnel or, in some instances, IT staff within the targeted organization itself. Users who end up interacting with the threat actors are urged to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft's Quick Assist. Microsoft is tracking the cybercriminal group behind the abuse of Quick Assist for Black Basta deployment under the name Storm-1811.

    Rapid7 said it also detected attempts made by the ransomware crew to leverage the OpenSSH client to establish a reverse shell, as well as to send a malicious QR code to the victim user via the chats, likely to steal their credentials under the pretext of adding a trusted mobile device. Cybersecurity company ReliaQuest, which also reported on the same campaign, theorized instead that the QR codes are being used to direct users to further malicious infrastructure.

    The remote access facilitated by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential harvesting program followed by the execution of Zbot (aka ZLoader) or DarkGate, which can serve as a gateway for follow-on attacks.

    "The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user's credentials," Rapid7 security researcher Tyler McGraw said. "When possible, operators will also still attempt to steal any available VPN configuration files. With the user's credentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to the target environment."

    Black Basta emerged as an autonomous group from the ashes of Conti in the wake of the latter's shutdown in 2022, initially leaning on QakBot to infiltrate targets, before diversifying into social engineering techniques. The threat actor, which is also referred to as UNC4393, has since put to use various bespoke malware families to carry out its objectives:

    • KNOTWRAP, a memory-only dropper written in C/C++ that can execute an additional payload in memory
    • KNOTROCK, a .NET-based utility that's used to execute the ransomware
    • DAWNCRY, a memory-only dropper that decrypts an embedded resource into memory with a hard-coded key
    • PORTYARD, a tunneler that establishes a connection to a hard-coded command-and-control (C2) server using a custom binary protocol over TCP
    • COGSCAN, a .NET reconnaissance assembly used to gather a list of hosts available on the network

    "Black Basta's evolution in malware dissemination shows a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering," RedSense's Yelisey Bohuslavskiy said.

    The disclosure comes as Check Point detailed its analysis of an updated Rust variant of the Akira ransomware, highlighting the malware authors' reliance on ready-made boilerplate code associated with third-party libraries and crates like indicatif, rust-crypto, and seahorse.

    Ransomware attacks have also employed a variant of the Mimic ransomware called Elpaco, with Rhysida infections also employing CleanUpLoader to aid in data exfiltration and persistence. The malware is often disguised as installers for popular software, such as Microsoft Teams and Google Chrome.

    "By creating typosquatted domains resembling popular software download sites, Rhysida tricks users into downloading infected files," Recorded Future said. "This technique is particularly effective when coupled with SEO poisoning, in which these domains are ranked higher in search engine results, making them appear as legitimate download sources."
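The typosquatted download domains Recorded Future describes can be screened for mechanically, which is how a proxy or DNS team would catch a lure before SEO poisoning delivers it. The Python below is an added example, not Recorded Future's tooling or anything from the page, that classifies candidate domains against a small allowlist of software-download brands using three checks (homoglyph normalisation, wrong TLD, and edit distance) plus a brand-keyword check for padded labels such as microsoft-teams-download. The allowlist, keyword list, homoglyph table and sample domains are constructed assumptions, and the registrable-domain logic is deliberately naive (last two labels) where a real tool would consult the Public Suffix List.

```python
"""Flag lookalike domains for software-download brands.

Added example; the allowlist, keywords and sample domains are constructed for illustration.
"""

# Legitimate registrable domains the lookalikes imitate (assumption: a small allowlist).
ALLOWLIST = ("microsoft.com", "google.com", "anydesk.com", "zoom.us")
# Brand words whose presence in an unknown label is suspicious on its own.
KEYWORDS = ("microsoft", "teams", "google", "chrome", "anydesk", "zoom")
# Substitutions commonly used to fake a brand label; multi-character ones first.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed sample, as if pulled from DNS or proxy logs; not observed infrastructure.
SAMPLE_DOMAINS = [
    "teams.microsoft.com",           # legitimate
    "rnicrosoft.com",                # homoglyph: rn -> m
    "micros0ft.com",                 # homoglyph: 0 -> o
    "microsoft.co",                  # right label, wrong TLD
    "googel.com",                    # transposition, edit distance 2
    "microsoft-teams-download.com",  # brand keyword padded with lure words
    "github.com",                    # unrelated, must not be flagged
]


def registrable(domain):
    """Naive registrable part: the last two labels (a real tool uses the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Undo common homoglyph substitutions so 'rnicros0ft' compares as 'microsoft'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return (domain, imitated brand, reason) for a lookalike, or None if it looks clean."""
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return None
    label, tld = reg.rsplit(".", 1)
    norm = normalize(label)
    for known in ALLOWLIST:
        klabel, ktld = known.rsplit(".", 1)
        if norm == klabel and label != klabel:
            return (domain, known, "homoglyph")
        if label == klabel and tld != ktld:
            return (domain, known, "wrong-tld")
        dist = levenshtein(label, klabel)
        # Tolerate roughly one edit per three characters of the brand label.
        if 0 < dist <= max(1, len(klabel) // 3):
            return (domain, known, f"edit-distance-{dist}")
    for word in KEYWORDS:
        if word in label and label != word:
            return (domain, word, "brand-keyword")
    return None


def scan(domains):
    """Classify every domain and keep only the hits."""
    return [hit for hit in (classify_domain(d) for d in domains) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_DOMAINS):
        print(hit)
```

The edit-distance threshold scales with the label length, so short brands such as zoom tolerate only one edit; even so, short labels are noisy (zoo.com would be flagged against zoom.us) and in practice the hits feed a review queue or a newly-registered-domain feed rather than an automatic block.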
  • THEHACKERNEWS.COM
    Romania Cancels Presidential Election Results After Alleged Russian Meddling on TikTok
    Dec 07, 2024 | Ravie Lakshmanan | Cybersecurity / Election Fraud

    In a historic decision, Romania's constitutional court has annulled the result of the first round of voting in the presidential election amid allegations of Russian interference. As a result, the second round vote, which was scheduled for December 8, 2024, will no longer take place. Călin Georgescu, who won the first round, denounced the verdict as an "officialized coup" and an attack on democracy.

    "The electoral process for the election of the President of Romania will be resumed in its entirety, with the Government to establish a new date for the election of the President of Romania, as well as a new calendar program for the implementation of the necessary actions," the Constitutional Court of Romania said.

    The court said the decision is pursuant to Article 146(f) of the Constitution, emphasizing the need to ensure the fairness and legality of the electoral process. The decision is final and binding.

    The development comes days after declassified documents released by the Romanian government alleged a pro-Russian influence campaign that leveraged a network of 25,000 accounts on social media platform TikTok to promote Georgescu in a coordinated effort. That said, it's currently not clear from the documents whether Georgescu was aware of the alleged campaign or assisted in it. Russia has denied any interference in the election process.

    Separately, the Romanian Intelligence Service (SRI) disclosed that the E.U. and North Atlantic Treaty Organization (NATO) member state was the target of more than 85,000 intrusion attempts before and during the first round of the election, designed to gain access to election websites and IT systems. "The mode of operation, as well as the scale of the cyber campaign, lead to the conclusion that the attacker possesses considerable resources, consistent with a mode of operation specific to a state-sponsored attacker," the SRI said.

    In a statement released Friday, U.S. State Department spokesperson Matthew Miller said: "Romanians must have confidence that their elections reflect the democratic will of the Romanian people and are free of foreign malign influence aimed at undermining the fairness of their elections."

    The European Commission, in a press statement on Thursday, said it has stepped up its monitoring of TikTok, urging the platform to "freeze and preserve data related to actual or foreseeable systemic risks its service could pose on electoral processes and civic discourse in the E.U." To that end, it has been asked to retain internal documents and information regarding the design and functioning of its recommender systems, in addition to details on how it's addressing the risk of intentional manipulation through a technique called coordinated inauthentic behavior (CIB).

    The development comes as TikTok revealed this week that it disrupted two small clusters in late November 2024, comprising 78 and 12 accounts respectively, that covertly campaigned for Georgescu and independent political candidate Mircea Geoană. Back in September, the popular social media service said it took down a network of 22 accounts operating from Romania that were found to make use of inauthentic accounts to spread misinformation and amplify narratives critical of the government. The network's accounts had a combined 300,000 followers.

    "The networks we have detected specifically targeting the Romanian elections have so far been small scale operations coordinated on TikTok that operated domestically," it said. "We also look closely at off platform activity to prevent covert influence operations and deceptive behaviours."
  • THEHACKERNEWS.COM
    Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data
    Dec 07, 2024 | Ravie Lakshmanan | Malware / Web3 Security

    Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst, targeting people working in Web3 under the guise of fake business meetings.

    "The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer."

    The activity has been codenamed Meeten by the security company, owing to the use of names such as Clusee, Cuesee, Meeten, Meetone, and Meetio for the bogus sites. The attacks entail approaching prospective targets on Telegram to discuss a potential investment opportunity, urging them to join a video call hosted on one of the dubious platforms. Users who end up on the site are prompted to download a Windows or macOS version depending on the operating system used.

    Once installed and launched on macOS, users are greeted with a message that claims "The current version of the app is not fully compatible with your version of macOS" and that they need to enter their system password in order for the app to work as expected. This is accomplished by means of an osascript password-prompt technique that has been adopted by several macOS stealer families such as Atomic macOS Stealer, Cuckoo, MacStealer, Banshee Stealer, and Cthulhu Stealer. The end goal of the attack is to steal various kinds of sensitive data, including from cryptocurrency wallets, and exfiltrate it to a remote server.

    The malware is also equipped to steal Telegram credentials, banking information, iCloud Keychain data, and browser cookies from Google Chrome, Microsoft Edge, Opera, Brave, Arc, Cốc Cốc, and Vivaldi.

    The Windows version of the app is a Nullsoft Scriptable Install System (NSIS) installer signed with a legitimate, likely stolen, code-signing certificate belonging to Brys Software Ltd. Embedded within the installer is an Electron application that's configured to retrieve the stealer executable, a Rust-based binary, from an attacker-controlled domain.

    "Threat actors are increasingly using AI to generate content for their campaigns," Gould said. "Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams, and makes it more difficult to detect suspicious websites."

    This is not the first time fake meeting software brands have been leveraged to deliver malware. Earlier this March, Jamf Threat Labs revealed that it detected a counterfeit website called meethub[.]gg propagating a stealer malware that shares overlaps with Realst. Then in June, Recorded Future detailed a campaign dubbed markopolo that targeted cryptocurrency users with bogus virtual meeting software to drain their wallets by using stealers like Rhadamanthys, Stealc, and Atomic.

    The development comes as the threat actors behind the Banshee Stealer macOS malware shut down their operations after the leak of their source code. It's unclear what prompted the leak. The malware was advertised on cybercrime forums for a monthly subscription of $3,000.

    It also follows the emergence of new stealer malware families like Fickle Stealer, Wish Stealer, Hexon Stealer, and Celestial Stealer, even as users and businesses searching for pirated software and AI tools are being targeted with RedLine Stealer and Poseidon Stealer, respectively. "The attackers behind this campaign are clearly interested in gaining access to organizations of Russian-speaking entrepreneurs who use software to automate business processes," Kaspersky said of the RedLine Stealer campaign.