RSS Security

Today — 17 May 2021 | General Security News

Try This One Weird Trick Russian Hackers Hate

17 May 2021 at 14:14

In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick.

The Commonwealth of Independent States (CIS) more or less matches the exclusion list on an awful lot of malware coming out of Eastern Europe.

The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.

In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.

Possibly feeling the heat from being referenced in President Biden’s Executive Order on cybersecurity this past week, the DarkSide group sought to distance itself from its attack against Colonial Pipeline. In a message posted to its victim shaming blog, DarkSide tried to say it was “apolitical” and that it didn’t wish to participate in geopolitics.

“Our goal is to make money, and not creating problems for society,” the DarkSide criminals wrote last week. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

But here’s the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.

DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that all currently have favorable relations with the Kremlin, including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan. The full exclusion list in DarkSide (published by Cybereason) is below:

Image: Cybereason.

Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install.

[Side note. Many security experts have pointed to connections between the DarkSide and REvil (a.k.a. “Sodinokibi”) ransomware groups. REvil was previously known as GandCrab, and one of the many things GandCrab had in common with REvil was that both programs barred affiliates from infecting victims in Syria. As we can see from the chart above, Syria is also exempted from infections by DarkSide ransomware. And DarkSide itself proved their connection to REvil this past week when it announced it was closing up shop after its servers and bitcoin funds were seized.]


Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.

But is there really a downside to taking this simple, free, prophylactic approach? None that I can see, other than perhaps a sinking feeling of capitulation. The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.

If this happens (and the first time it does the experience may be a bit jarring) hit the Windows key and the space bar at the same time; if you have more than one language installed you will see the ability to quickly toggle from one to the other. The little box that pops up when one hits that keyboard combo looks like this:

Cybercriminals are notoriously responsive to defenses which cut into their profitability, so why wouldn’t the bad guys just change things up and start ignoring the language check? Well, they certainly can, and maybe even will, do that (a recent version of DarkSide analyzed by Mandiant did not perform the system language check).

But doing so increases the risk to their personal safety and fortunes by some non-trivial amount, said Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit221B.

Nixon said because of Russia’s unique legal culture, criminal hackers in that country employ these checks to ensure they are only attacking victims outside of the country.

“This is for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware.”

Nixon said if enough people do this in large numbers, it may in the short term protect some people, but more importantly in the long term it forces Russian hackers to make a choice: Risk losing legal protections, or risk losing income.

“Essentially, Russian hackers will end up facing the same difficulty that defenders in the West must face — the fact that it is very difficult to tell the difference between a domestic machine and a foreign machine masquerading as a domestic one,” she said.

KrebsOnSecurity asked Nixon’s colleague at Unit221B — founder Lance James — what he thought about the efficacy of another anti-malware approach suggested by Twitter followers who chimed in on last week’s discussion: Adding entries to the Windows registry that specify the system is running as a virtual machine (VM). In a bid to stymie analysis by antivirus and security firms, some malware authors have traditionally configured their malware to quit installing if it detects it is running in a virtual environment.

But James said this prohibition is no longer quite so common, particularly since so many organizations have transitioned to virtual environments for everyday use.

“Being a virtual machine doesn’t stop malware like it used to,” James said. “In fact, a lot of the ransomware we’re seeing now is running on VMs.”

But James says he loves the idea of everyone adding a language from the CIS country list so much he’s produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows one’s Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft.

To install a different keyboard language on a Windows 10 computer the old-fashioned way, hit the Windows key and X at the same time, then select Settings, and then select “Time and Language.” Select Language, and then scroll down and you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot. Again, if for some reason you need to toggle between languages, Windows+Spacebar is your friend.
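The same keyboard-layout change can be scripted from PowerShell. The block below is an added example written for this page; it is not Lance James’s batch script and not code from the original post. It uses the built-in International module cmdlets Get-WinUserLanguageList and Set-WinUserLanguageList, and assumes “ru” is the BCP-47 tag you want to add (any language from the CIS list the article describes would serve the same purpose).

```powershell
# Added example (not from the KrebsOnSecurity post): add a Russian keyboard
# layout to the current user's Windows input-language list. This changes only
# the list of keyboard layouts Windows offers, not the display language, so
# menus stay in your existing language. Run in a normal (non-elevated) session
# as the user whose profile should carry the layout.

$LanguageTag = 'ru'   # assumption: BCP-47 tag for Russian; pick another CIS language if preferred

# Current per-user language list (a List of WinUserLanguage objects)
$list = Get-WinUserLanguageList

if ($list.LanguageTag -contains $LanguageTag) {
    Write-Host "Layout '$LanguageTag' is already present; nothing to do."
}
else {
    # Appending a tag adds that language with its default keyboard layout
    $list.Add($LanguageTag)

    # -Force skips the confirmation prompt so the script can run unattended
    Set-WinUserLanguageList -LanguageList $list -Force

    Write-Host "Added '$LanguageTag'. Win+Space now toggles between layouts."
}

# Verify: the tag should now appear alongside its input method (layout) id
Get-WinUserLanguageList | Select-Object LanguageTag, InputMethodTips
```

If the new layout accidentally becomes active and you start typing Cyrillic, Win+Space cycles back to your original layout, exactly as the article describes. To undo the change entirely, remove the entry from the list returned by Get-WinUserLanguageList and pass the shortened list to Set-WinUserLanguageList again.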

Apple's Find My Network Can be Abused to Exfiltrate Data From Nearby Devices

17 May 2021 at 14:12
Latest research has demonstrated a new exploit that enables arbitrary data to be uploaded from devices that are not connected to the Internet by simply sending "Find My Bluetooth" broadcasts to nearby Apple devices. "It's possible to upload arbitrary data from non-internet-connected devices by sending Find My [Bluetooth Low Energy] broadcasts to nearby Apple devices that then upload the data for

Expert released PoC exploit code for Windows CVE-2021-31166 bug

17 May 2021 at 13:45

A security researcher has published working proof-of-concept exploit code for a wormable Windows IIS server vulnerability tracked as CVE-2021-31166.

Microsoft Patch Tuesday for May 2021 security updates addressed 55 vulnerabilities in Microsoft products, including a critical HTTP Protocol Stack Remote Code Execution vulnerability tracked as CVE-2021-31166. The flaw could be exploited by an unauthenticated attacker by sending a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets.

This stack is used by the Windows built-in IIS server, which means that it could be easily exploited if the server is enabled. The flaw is wormable and affects different versions of Windows 10, Windows Server 2004 and Windows Server 20H2.

The security researcher Axel Souchet published proof-of-concept exploit code over the weekend for the wormable flaw affecting Windows IIS.

The PoC exploit code allows an attacker to crash an unpatched Windows system running an IIS server; it does not implement worming capabilities.

Attackers could nonetheless start triggering the vulnerability in the wild, and the PoC code could be improved into a working exploit.

I've built a PoC for CVE-2021-31166 the "HTTP Protocol Stack Remote Code Execution Vulnerability": 🔥🔥

— Axel Souchet (@0vercl0k) May 16, 2021

The public availability of the PoC exploit code is another good reason to apply Microsoft Patch Tuesday for May 2021 security updates as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post Expert released PoC exploit code for Windows CVE-2021-31166 bug appeared first on Security Affairs.

Why Password Hygiene Needs a Reboot

17 May 2021 at 11:35
In today's digital world, password security is more important than ever. While biometrics, one-time passwords (OTP), and other emerging forms of authentication are often touted as replacements to the traditional password, today, this concept is more marketing hype than anything else. But just because passwords aren't going anywhere anytime soon doesn't mean that organizations don’t need to

Experts Warn About Ongoing AutoHotkey-Based Malware Attacks

17 May 2021 at 11:19
Cybersecurity researchers have uncovered an ongoing malware campaign that heavily relies on AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RAT) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems. At least four different versions of the campaign have been spotted starting February 2021, according to researchers from Morphisec Labs

Bitcoin down: 51% attack? No, put the blame on Elon Musk

17 May 2021 at 09:02

The price of Bitcoin falls after Elon Musk declared that his company, Tesla, may have sold its holdings of the cryptocurrency.

We have long debated the possibility that the Bitcoin price could be influenced by threat actors through 51% attacks, but recent events demonstrate that it could be far easier to manipulate its value.

A simple tweet from an influencer can cause the price of a cryptocurrency to fall, opening the door to any type of financial speculation.

Do you trust a cryptocurrency system that is influenced by the declaration of a single individual?

Tesla CEO Elon Musk published a tweet on Sunday to confirm that his company sold or is going to sell the rest of its bitcoin holdings, and the news had a dramatic impact on the Bitcoin value.


Bitcoiners are going to slap themselves next quarter when they find out Tesla dumped the rest of their #Bitcoin holdings.

With the amount of hate @elonmusk is getting, I wouldn’t blame him…

— Mr. Whale (@CryptoWhale) May 16, 2021

Bitcoin’s price plummeted after Musk’s posts and has yet to recover, which implies that the price of the most popular cryptocurrency depends on the account of a single man. Anyone able to hack his account could make a lot of money by influencing the prices of cryptocurrencies.

Media pointed out that the alleged sale comes just days after Musk declared that Tesla planned to hold rather than sell the Bitcoin it already has.

“A potential sale comes just days after Musk said the company planned to hold rather than sell the bitcoin it already has and intended to use it for transactions as soon as mining transitions to more sustainable energy. Tesla did not immediately respond to a request for comment.” reported CNBC.

Tesla representatives have yet to provide any comment on the event.

In an SEC filing in February, Tesla announced that it bought $1.5 billion worth of bitcoin, then it earned $101 million from sales of bitcoin during the quarter.

Even though Musk has always supported cryptocurrencies, last week his company “suspended vehicle purchases using bitcoin.” The move was the result of concern over the “rapidly increasing use of fossil fuels for bitcoin mining,” and in that case too it had an impact on the price of bitcoin, which dropped about 5% in the first minutes after the announcement.

Musk also influenced the price of another cryptocurrency, dogecoin, with the announcement that SpaceX would accept dogecoin as payment to launch “DOGE-1 mission to the Moon.” The announcement pumped up the price of the coin.

Is this really good for cryptocurrencies? Or are we faced with a new, real threat to their credibility?

What will be the reason for the next bubble? I focus on sustainability and respect for the environment for cryptocurrencies.

Pierluigi Paganini

U.S. Pipeline Ransomware Attackers Go Dark After Servers and Bitcoin Are Seized

17 May 2021 at 07:26
Just as Colonial Pipeline restored all of its systems to operational status in the wake of a crippling ransomware incident a week ago, DarkSide, the cybercrime syndicate behind the attack, claimed it lost control of its infrastructure, citing a law enforcement seizure. All the dark web sites operated by the gang, including its DarkSide Leaks blog, ransom collection site, and breach data content

Conti ransomware demanded $20M ransom to Ireland Health Service Executive

17 May 2021 at 06:19

Ireland’s Health Service Executive (HSE) refuses to pay a $20 million ransom demand after its systems were hit by the Conti ransomware gang.

Ireland’s Health Service Executive was forced to shut down its IT systems on Friday after being targeted with a significant ransomware attack. The Health Service Executive opted to shut down its infrastructure as a precaution to avoid the threat from spreading.

The authorities launched an investigation into the incident, which began at around 4.30am on Friday; government experts are working to determine the extent of the security breach.

The incident caused cancellations and disruption to services at multiple hospitals in the country; fortunately, the ongoing coronavirus vaccination campaign was not affected.

“There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us to fully assess the situation with our own security partners,” reads a statement published by the HSE. “Vaccination appointments are going ahead as normal.”

“We’ve taken a precautionary measure to shut down a lot of our major systems to protect them,” chief executive Paul Reid told broadcaster RTE. “We are at the very early stages of fully understanding the threats, the impact and trying to contain it.”

New details about the attack have now been reported by the media: the HSE shut down all of its IT systems due to a Conti ransomware attack.

Researchers from BleepingComputer revealed that the Conti ransomware gang demanded a $20 million ransom.

“Yesterday, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland’s HSE with BleepingComputer.” reported BleepingComputer. “Conti further stated that they would provide a decryptor and delete the stolen data if a ransom of $19,999,000 is paid to the threat actors.”

The Conti ransomware gang claims to have stolen 700 GB of sensitive data from the HSE over two weeks. Stolen info includes patient documents, contracts, financial statements, and payroll.

Taoiseach Micheál Martin, the Prime Minister of Ireland, confirmed in a press release that the government will not pay the ransom.

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS); the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has operated a leak site used to threaten victims with the release of their stolen data.

The list of victims of the group includes IoT chip maker Advantech, and Broward County Public Schools (BCPS).

Pierluigi Paganini

Yesterday — 16 May 2021 | General Security News

Avaddon Ransomware gang hacked France-based Acer Finance and AXA Asia

16 May 2021 at 17:44

Avaddon ransomware gang has breached the France-based financial consultancy firm Acer Finance.

The Avaddon ransomware gang has made the headlines again: the cybercrime gang has breached the France-based financial consultancy firm Acer Finance.

Acer Finance operates as an investment management company. The Company offers risk management, mutual funds, analysis, financial planning, and advisory services. Acer Finance serves individuals, entrepreneurs, and institutional investors in France.

The Avaddon ransomware gang is giving Acer Finance 240 hours to communicate and cooperate with them before it starts leaking the stolen company documents.

The ransomware gang claims to have stolen confidential company information about clients and employees.

“You can congratulate us on the successful attack on the company, we also have about a lot of confidential information of clients, a lot of confidential information of employees, banking, personal correspondence, contracts, agreements, forms of payment, a lot of data from the secretariat, licenses and much more.” reads the statement published by the group on its leak site.

The hackers pointed out that there is no way to decrypt the data without their decryptor; they also threatened to target the company with a DDoS attack if it refuses to pay the ransom.

As proof of the hack, the group published several ID cards, personal documents, contracts, and a screenshot of the folders containing stolen data.

The group also claimed to have hacked the Asian branch of AXA and stolen three terabytes of data.

Curiously, AXA recently announced that in France it will no longer reimburse ransomware payments for its customers. The decision is the result of the increased number of ransomware attacks and the large ransoms demanded by cybercriminals.

Last week, the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) warned of an ongoing Avaddon ransomware campaign targeting organizations worldwide in multiple industries, including government, finance, energy, manufacturing, and healthcare.

The alert published by the ACSC provides a list of countries under attack, which includes the US, UK, Germany, France, China, Italy, Brazil, India, UAE, and Spain.

Pierluigi Paganini

Two flaws could allow bypassing AMD SEV protection system

16 May 2021 at 15:35

The chipmaker AMD published guidance for two new attacks against its SEV (Secure Encrypted Virtualization) protection technology.

Chipmaker AMD has issued guidance for two attacks (CVE-2020-12967, CVE-2021-26311) that allow bypassing the SEV (Secure Encrypted Virtualization) technology implemented to prevent rogue operating systems on virtual machines.

The chipmaker is aware of two research papers, respectively titled “SEVerity: Code Injection Attacks against Encrypted Virtual Machines” and “undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation,” related to the two attacks above. The findings about the two attacks will be presented by two research teams at this year’s 15th IEEE Workshop on Offensive Technologies (WOOT’21).

AMD Secure Encrypted Virtualization (SEV) isolates virtual machines from the hypervisor, but the two attacks can allow threat actors to inject arbitrary code into the virtual machine even if the protection mechanism is in place.

The first flaw, tracked as CVE-2020-12967, is caused by the lack of nested page table protection in the AMD SEV/SEV-ES feature which could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.

The second vulnerability, tracked as CVE-2021-26311, also resides in the AMD SEV/SEV-ES feature. According to the security advisory, memory can be rearranged in the guest address space in a way that is not detected by the attestation mechanism, which a malicious hypervisor could use to potentially achieve arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.

The vulnerabilities impact all AMD EPYC processors: 1st/2nd/3rd Gen AMD EPYC™ processors and AMD EPYC™ Embedded processors.

The vendor has provided a mitigation in the SEV-SNP feature, which is available for enablement on 3rd Gen AMD EPYC™ processors. Customers can mitigate the attacks by enabling SEV-SNP, which is only supported on 3rd Gen AMD EPYC™.

Customers using prior generations of EPYC processors, which do not support SEV-SNP, should follow security best practices.

The vendor published the following acknowledgement:

  • CVE-2020-12967:  Mathias Morbitzer, Martin Radev and Erick Quintanar Salas from Fraunhofer AISEC and Sergej Proskurin and Marko Dorfhuber from Technical University of Munich
  • CVE-2021-26311: Luca Wilke, Jan Wichelmann, Florian Sieck and Thomas Eisenbarth from University of Lübeck

Pierluigi Paganini

MSBuild tool used to deliver RATs filelessly

16 May 2021 at 11:31

Hackers are abusing Microsoft Build Engine (MSBuild) to filelessly deliver malware, including RATs and a password stealer, on targeted Windows systems.

Researchers from Anomali observed threat actors abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and RedLine Stealer password-stealing malware on targeted Windows systems.

“Anomali Threat Research discovered a campaign in which threat actors used MSBuild – a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” – to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.” reads a report published by Anomali.

The campaign began in April 2021 and is still ongoing; experts pointed out that its samples have low or zero detections.

MSBuild is a free and open-source build tool set for managed code as well as native C++ code and was part of the .NET Framework. It is used for building apps and gives users an XML schema “that controls how the build platform processes and builds software”; in this campaign, that schema is abused to filelessly deliver RemcosRAT and RedLine Stealer using callbacks.

The MSBuild files employed in the attacks spotted by the experts contained encoded executables and shellcode, some of which were hosted on the Russian image-hosting site joxi[.]net. At the time of this writing, the way the .proj files were distributed has yet to be discovered, but the files were used by attackers to execute Remcos or RedLine Stealer.

Image: MSBuild infection chain.

The use of MSBuild allows the attackers to avoid detection while loading the malicious code into memory.

Most of the samples analyzed by Anomali were used to deliver the Remcos RAT, while others were also delivering the Quasar RAT and RedLine Stealer.

Remcos is commercial software that can be used for remote control, remote administration, remote anti-theft, remote support and pentesting. The Quasar RAT is available for free on GitHub, and many other attackers have used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.

“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” concludes Anomali. “This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.”
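Because the campaign leaves no payload on disk, the practical detection point is the moment msbuild.exe is launched against a project file from somewhere a build tool has no business reading. The hunting function below is an added example written for this page, not code from Anomali or from the original post. It operates on process-creation records shaped like Windows Security event 4688 (fields NewProcessName, CommandLine, ParentProcessName); the trusted build directories and the sample records are constructed for the demonstration.

```powershell
# Added example (not from the Anomali report): flag msbuild.exe runs whose
# project file lives in a user-writable location rather than a known build tree.

function Find-SuspiciousMSBuild {
    param(
        # Records with NewProcessName, CommandLine, ParentProcessName, TimeCreated
        [Parameter(Mandatory)] [object[]] $Events
    )

    # Assumption: where legitimate developer/CI builds run in this environment
    $trustedRoots = @('C:\Build\', 'C:\Source\', 'C:\agent\')

    foreach ($e in $Events) {
        # Only interested in the MSBuild binary itself (any install path)
        if ($e.NewProcessName -notmatch '\\msbuild\.exe$') { continue }

        # First argument that looks like an MSBuild project file
        $proj = [regex]::Match($e.CommandLine,
            '(?i)"?([^"\s]+\.(?:proj|csproj|vbproj))"?').Groups[1].Value
        if (-not $proj) { continue }

        $fromTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($proj.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $fromTrusted = $true
            }
        }

        # Profile, temp, download and public folders: writable by an unprivileged user
        $userWritable = $proj -match '(?i)^C:\\Users\\|\\AppData\\|\\Temp\\|\\Downloads\\|\\Public\\'

        if ($userWritable -and -not $fromTrusted) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Parent  = $e.ParentProcessName
                Project = $proj
                Reason  = 'msbuild.exe loading a project file from a user-writable path'
            }
        }
    }
}

# Constructed sample records (not real telemetry): one suspicious, one normal build
$sample = @(
    [pscustomobject]@{
        TimeCreated       = '2021-05-16T10:01:00'
        NewProcessName    = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        CommandLine       = 'MSBuild.exe C:\Users\alice\AppData\Local\Temp\invoice.proj'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
    },
    [pscustomobject]@{
        TimeCreated       = '2021-05-16T10:02:00'
        NewProcessName    = 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe'
        CommandLine       = 'MSBuild.exe C:\Source\app\app.csproj /t:Build'
        ParentProcessName = 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
    }
)

# Expected: only the first record (Temp-hosted invoice.proj) is reported
Find-SuspiciousMSBuild -Events $sample | Format-Table -AutoSize
```

To run this against live data, pull event 4688 with Get-WinEvent on the Security log and map the EventData fields onto the property names the function expects; note that the CommandLine field is only populated when the audit policy option “Include command line in process creation events” is enabled, without which the project-file check has nothing to inspect. The same logic transfers to Sysmon event 1 or EDR process telemetry, which already expose the command line by default.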

Pierluigi Paganini

Security Affairs newsletter Round 314

16 May 2021 at 09:51

A new round of the weekly SecurityAffairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

CISA MAR report provides technical details of FiveHands Ransomware
SQL injection issue in Anti-Spam WordPress Plugin exposes User Data
TsuNAME flaw exposes DNS servers to DDoS attacks
City of Tulsa, is the last US city hit by ransomware attack
City of Tulsa, is the latest US city hit by ransomware attack
FBI confirmed that Darkside ransomware gang hit Colonial Pipeline
Threat actors added thousands of Tor exit nodes to carry out SSL stripping attacks
WhatsApp will not deactivate accounts for not accepting new privacy terms
Apple was aware that XcodeGhost impacted 128 Million iOS Users in 2015
FBI and Australia ACSC agencies warn of ongoing Avaddon ransomware attacks
Google open sources cosign tool for verifying containers
Hackers target Windows users exploiting a Zero-Day in Reader
Researcher hacked Apple AirTag two weeks after its launch
FragAttacks vulnerabilities expose all WiFi devices to hack
How Companies Need to Treat User Data and Manage Their Partners
Maybe don’t call Saul? Over 30,000 VoIP devices identifiable worldwide, some with suspected vulnerabilities
Microsoft Patch Tuesday for May 2021 fix 4 critical flaws
NSA and ODNI analyze potential risks to 5G networks
TeaBot Android banking Trojan targets banks in Europe
Biden signed executive order to improve the Nation’s Cybersecurity
Cisco fixes AnyConnect Client VPN zero-day disclosed in November
Security at Bay: Critical Infrastructure Under Attack
US CISA and FBI publish joint alert on DarkSide ransomware
Colonial Pipeline likely paid a $5M ransom to DarkSide
Darkside gang lost control of their servers and funds
Ireland’s Health Service Executive hit by ransomware attack
Magecart gang hides PHP-based web shells in favicons
Rapid7 says source code, credentials accessed as a result of Codecov supply-chain attack
Scheme flooding fingerprint technique may deanonymize Tor users

If you also want to receive the International Press roundup, subscribe for free to the Security Affairs newsletter here.

Pierluigi Paganini

Pakistan-linked Transparent Tribe APT expands its arsenal

16 May 2021 at 08:39

The alleged Pakistan-linked cyber espionage group tracked as Transparent Tribe targets Indian entities with new Windows malware.

Researchers from Cisco Talos warn that the Pakistan-linked APT group Transparent Tribe expanded its Windows malware arsenal. The group used the new malware dubbed ObliqueRAT in cyberespionage attacks against Indian targets.

Transparent Tribe (also tracked as Operation C-Major, APT36, and Mythic Leopard) was first spotted by Proofpoint researchers in February 2016, in a series of cyber espionage operations against Indian diplomats and military personnel at embassies in Saudi Arabia and Kazakhstan. At that time, the researchers traced the source IPs to Pakistan; the attacks were part of a wider, multi-vector operation that relied on watering-hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrating information, taking screenshots, and recording webcam streams.

Transparent Tribe has been active since at least 2013 and has targeted entities across 27 countries, most of them in Afghanistan, Germany, India, Iran, and Pakistan.

In the recent wave of attacks, threat actors employed domains mimicking legitimate Indian military and defense organizations, and other domains posing as content-hosting sites that were used to host malicious artifacts.

“Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos’ previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT.” reads the analysis published by Cisco Talos. “While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting.”

These domains were used to distribute weaponized documents that deliver CrimsonRAT and ObliqueRAT. Experts observed the hackers using resume documents and archives, such as ZIPs and RARs, with alluring themes to distribute CrimsonRAT.

Email and maldoc lures employed to deliver the malware used multiple themes, including conference agendas, honeytrap lures and diplomatic themes.

“The actors recently deviated from the CrimsonRAT infection chains to make their ObliqueRAT phishing maldocs appear more legitimate. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc.” continues the report. “In one such case in early 2021, the adversaries used iiaonline[.]in, the Indian Industries Association’s legitimate website, to host ObliqueRAT artifacts.”

In other attacks, the group used fake domains for the 7th Central Pay Commission (7CPC) of India and an Indian think tank called the Center For Land Warfare Studies (CLAWS).

“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants,” the researchers said. “While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”

Experts noticed that Transparent Tribe’s TTPs have remained largely unchanged since 2020, but the cyberspies continue to add new lures to their arsenal.

Talos researchers also published the Indicators of Compromise (IoCs) for the new attacks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post Pakistan-linked Transparent Tribe APT expands its arsenal appeared first on Security Affairs.

European police dismantle major online investment fraud ring that caused €30 Million in losses

15 May 2021 at 16:41

A joint operation of European law enforcement agencies and coordinated by Europol dismantled a criminal ring involved in investment fraud.

A joint investigation of European law enforcement agencies supported by Europol and Eurojust dismantled a large criminal network involved in investment fraud and money laundering. The operation, led by Germany, involved authorities from Bulgaria, Israel, Latvia, North Macedonia, Poland, Spain, and Sweden.

The crime ring caused losses of approximately €30 million (US$36 million) to hundreds of victims, with at least €7 million in losses in Germany alone.

The authorities arrested 11 people (5 in Bulgaria, 1 in Israel, and 5 in Spain) and searched dozens of locations in Bulgaria, Israel, Poland, North Macedonia and Sweden. The agents seized numerous electronic devices, real estate, jewellery, high-end vehicles, and approximately €2 million in cash. Authorities also froze multiple bank accounts controlled or owned by shell companies based in different EU countries that were used to launder the illegal profits.

The crooks set up at least four online trading platforms that offered significant profits from investments in cryptocurrencies and high-risk options to potential investors. The crime ring published ads for the trading platforms on various social media platforms and search engines.

“The criminal network created different trading online platforms advertising substantial profits from investments in high-risk options and cryptocurrencies. The criminal group ran at least four of such professionally looking trading platforms, luring victims through advertisements in social media and search engines.” reads the press release published by Europol. “The members of the criminal group were posing as experienced brokers when contacting the victims via the call centre they had set-up. The suspects were using manipulated software to show the gains from the investments and to motivate the victims to invest even more.”

According to the press release, 300 complaints were filed in Spain.

Pierluigi Paganini

Major hacking forums XSS and Exploit ban ads from ransomware gangs

15 May 2021 at 12:31

XSS forum (previously known as DaMaGeLab), one of the most popular hacking forums, announced that it would ban ads published by ransomware gangs.

The popular hacking forum XSS, previously known as DaMaGeLab, announced that it would ban ads published by ransomware gangs. The forum is one of the most important places of aggregation where ransomware gangs offer their services and attempt to recruit new affiliates into their networks.

The decision to ban ads published by ransomware gangs is an attempt to avoid attracting attention from law enforcement; the forum also prohibits any affiliate program. The recent ransomware attack against Colonial Pipeline conducted by the Darkside gang triggered a response from US authorities that resulted in the seizure of the gang’s servers.

At the time of this writing, ads from ransomware gangs are still allowed on some hacking forums, but another popular cybercrime forum, Exploit, banned this activity.

Admins of Exploit will also remove affiliate programs from the hacking forum:

“We are glad to see pentesters, malware specialists, coders, but we are not happy with lockers – they attract a lot of attention. This type of activity is not good to us in view of the fact that networks are locked indiscriminately we do not consider it appropriate for RaaS partner programs to be present on our forum. It was decided to remove all affiliate programs and prohibit them as a type of activity on our forum.” reads the statement published by the admins.

Another one bites the dust – forum Exploit bans #ransomware

— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) May 14, 2021

Pierluigi Paganini

QNAP warns of eCh0raix ransomware and Roon Server zero-day attacks

15 May 2021 at 08:41

QNAP warns of an actively exploited Roon Server zero-day flaw and eCh0raix ransomware attacks on its NAS devices.

QNAP warns customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

“The eCh0raix ransomware has been reported to affect QNAP NAS devices. Devices using weak passwords may be susceptible to attack.” reads the advisory published by the vendor. “We strongly recommend users act immediately to protect their data.”

The company recommends that customers perform the following actions:

  1. Use stronger passwords for your administrator accounts.
  2. Enable IP Access Protection to protect accounts from brute force attacks.
  3. Avoid using default port numbers 443 and 8080.

Independent experts observed a surge in eCh0raix ransomware infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

Unfortunately, the bad news for NAS owners does not end there: the vendor also issued another security advisory to warn of an actively exploited zero-day vulnerability affecting Roon Labs’ Roon Server 2021-02-01 and earlier versions.

“The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack: Roon Server 2021-02-01 and earlier. We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible.” reads the advisory.

QNAP recommends that users do not expose their devices to the internet; it also recommends disabling Roon Server to prevent potential attacks.

Below are the instructions to disable Roon Server on NAS devices:

  • Log on to QTS as administrator. Open the App Center and then click the search icon. A search box appears.
  • Type “Roon Server” and then press ENTER. Roon Server appears in the search results.
  • Click the arrow below the Roon Server icon and select Stop.
  • The application is disabled.

Pierluigi Paganini

Scheme flooding fingerprint technique may deanonymize Tor users

14 May 2021 at 22:19

FingerprintJS experts devised a fingerprinting technique, named scheme flooding, that could be used to identify users across different desktop browsers, including the Tor Browser.

FingerprintJS experts devised a new fingerprinting technique, named scheme flooding, that could be used to identify users as they browse websites with different desktop browsers, including the Tor Browser.

The technique allows a website to profile users who visit it with an ordinary browser, such as Safari, Chrome, or Firefox, and to link their online activity to them even when they attempt to protect their anonymity by using the Tor Browser.

The scheme flooding technique leverages custom URL schemes to determine which applications a user has installed.

“The vulnerability uses information about installed apps on your computer in order to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.” reads the post published by FingerprintJS. “The scheme flooding vulnerability allows for third party tracking across different browsers and thus is a violation of privacy.”

The scheme flooding vulnerability could be exploited by an attacker to generate a 32-bit cross-browser device identifier by testing for the presence of 32 popular applications on the visitor’s system.

Experts pointed out that the list of applications installed on a device can reveal a user’s habits and other information, such as occupation and age.

The experts could check whether an application is installed using built-in custom URL scheme handlers; for example, entering skype:// in the browser’s address bar reveals whether Skype is installed.

The experts describe the following procedure for the technique:

  1. Prepare a list of application URL schemes that you want to test. The list may depend on your goals, for example, if you want to check if some industry or interest-specific applications are installed.
  2. Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
  3. Use this array to generate a permanent cross-browser identifier. 
  4. Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.

Even though most browsers implement safety mechanisms to prevent such abuse, a combination of CORS policies and browser window features can be used to bypass them.

The experts successfully tested the technique on Chrome 90 (Windows 10, macOS Big Sur), Firefox 88.0.1 (Ubuntu 20.04, Windows 10, macOS Big Sur), Safari 14.1 (macOS Big Sur), Tor Browser 10.0.16 (Ubuntu 20.04, Windows 10, macOS Big Sur), Brave 1.24.84 (Windows 10, macOS Big Sur), Yandex Browser 21.3.0 (Windows 10, macOS Big Sur), and Microsoft Edge 90 (Windows 10, macOS Big Sur). Opera was not tested.

“The exact steps to make the scheme flooding vulnerability possible may vary by browser, but the end result is the same. Getting a unique array of bits associated with a visitor’s identity is not only possible, but can be used on malicious websites in practice. Even Tor Browser can be effectively exploited by tricking a user into typing one character per application we want to test.” conclude the experts.

Pierluigi Paganini

Darkside gang lost control of their servers and funds

14 May 2021 at 19:29

The operators of the Darkside ransomware announced that they have lost control of their infrastructure and part of the funds the gang obtained from the victims.

Darkside ransomware operators say they have lost control of their servers and of the funds resulting from their extortion activity; the funds were transferred to an unknown wallet.

“The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.” reported TheRecord.

The news was revealed by a member of the REvil ransomware gang, known as ‘UNKN,’ in a post on the Exploit hacking forum. The post was first spotted by Recorded Future researcher Dmitry Smilyanets; it includes a message allegedly from DarkSide explaining how the gang lost access to its blog, payment servers, and DDoS servers as a result of a law enforcement action.

“Since the first version, we have promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:

  • Blog.
  • Payment server.
  • DOS servers.”

reads the post from UNKN. “Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information “at the request of law enforcement agencies”, does not provide any other information.”

Researchers from security firm Intel471 revealed that on May 13, 2021, DarkSide operators announced they would immediately cease operations of their RaaS program. The ransomware gang also said they would issue decryptors to all their affiliates for the victims. The group also said it plans to compensate all outstanding financial obligations by May 23, 2021. 

Yesterday, President Biden said that the US government doesn’t believe that the attack on Colonial Pipeline was carried out by a Russia-linked threat actor, and he pointed out that US authorities will go after the criminal gang responsible for the attack.

“We do not believe — I emphasize, we do not believe the Russian government was involved in this attack. But we do have strong reason to believe that criminals who did the attack are living in Russia. That’s where it came from — were from Russia.” said Biden. “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”

In the same hours, the leak site operated by the DarkSide gang was not available and media outlets speculated it had been seized by the feds, but BleepingComputer noticed that the Tor payment server used by the group was still up and running.

Other experts speculate that the gang opted for an exit scam, keeping for itself the ransoms paid by the victims of its affiliate network.

Pierluigi Paganini

Hackers Using Microsoft Build Engine to Deliver Malware Filelessly

14 May 2021 at 16:01

Threat actors are abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems. The actively ongoing campaign is said to have emerged last month, researchers from cybersecurity firm Anomali said on Thursday, adding the malicious build files came embedded with encoded executables and shellcode that deploy backdoors,