Today — 23 October 2021 (General Security News)

Popular NPM Package Hijacked to Publish Crypto-mining Malware

23 October 2021 at 04:42
The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining malware embedded in "UAParser.js," a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to remove three rogue packages that were found to mimic the same library. The supply-chain attack targeting the open-source library saw three
Yesterday — 22 October 2021 (General Security News)

Facebook SSRF Dashboard allows hunting SSRF vulnerabilities

22 October 2021 at 22:05

Facebook developed a new tool that allows security experts to look for Server-Side Request Forgery (SSRF) vulnerabilities in their software.

Facebook announced to have designed a new tool, named SSRF Dashboard, that allows security researchers to search for Server-Side Request Forgery (SSRF) vulnerabilities.

Server-side request forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain chosen by the attacker.

“In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.”

“This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of a SSRF attempt. Researchers can leverage this tool as part of their SSRF proof of concept to reliably determine if they have been successful.” states Facebook.

SSRF Dashboard allows researchers to create unique internal endpoint URLs that could be targeted by SSRF attacks and determine if they have been hit. The tool allows researchers to test their SSRF proof-of-concept (PoC) code.

Pentesters can report any SSRF flaw to the company by including the ID of the SSRF attempt URL that they used along with their PoC.

Additional information on the utility can be found here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SSRF)

The post Facebook SSRF Dashboard allows hunting SSRF vulnerabilities appeared first on Security Affairs.

Groove ransomware group calls on other ransomware gangs to hit US public sector

22 October 2021 at 20:32

Groove ransomware operators call on other ransomware groups to stop competing and join the forces to fight against the US.

The Groove ransomware gang is calling on other ransomware groups to attack the US public sector after a law enforcement operation shut down the infrastructure of the REvil gang.

“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.

The ransomware gang published a message in Russian language on its leak site:

Groove

The message also asks other ransomware gangs to avoid targeting Chinese companies, because China could represent a safe haven for ransomware gangs in case Russia stops tolerating ransomware operations.

“In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start fucking up the US public sector” states the message. “I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors – the Chinese!”

Groove ransomware

After the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies, the gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million).

Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cash out its profits. Moyal shared his findings with law enforcement.

Update: The Groove gang published another post

👀 more #ransomware revelations from the #Groove pic.twitter.com/EFHCfTa8ry

— Dmitry Smilyanets (@ddd1ms) October 22, 2021


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Groove ransomware group calls on other ransomware gangs to hit US public sector appeared first on Security Affairs.

'Lone Wolf' Hacker Group Targeting Afghanistan and India with Commodity RATs

22 October 2021 at 15:01
A new malware campaign targeting Afghanistan and India is exploiting a now-patched, 20-year-old flaw affecting Microsoft Office to deploy an array of commodity remote access trojans (RATs) that allow the adversary to gain complete control over the compromised endpoints. Cisco Talos attributed the cyber campaign to a "lone wolf" threat actor operating a Lahore-based fake IT company called Bunse

DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown

22 October 2021 at 14:21

Darkside and BlackMatter ransomware operators have moved a large amount of their Bitcoin reserves after the recent shutdown of REvil’s infrastructure.

The gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million) after the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies.

“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.

Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cash out its profits. Moyal shared his findings with law enforcement.

“Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks,” Moyal told The Record. “At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38BTC) is stored in the following wallet: bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6.”

Below is the list of wallets shared by the expert:


Dear #bitcoin exchange platform, please block the following wallets from the incoming transactions: https://t.co/NwNiIno5mX

Attackers have split the BTC into 7 wallets with what looks like preparation to convert to other exchange or cashout somehow.

— Omri Segev Moyal (@GelosSnake) October 22, 2021

In May, the Colonial Pipeline facility in Pelham, Alabama, was hit by a cyber attack and its operators were forced to shut down its systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, and it covers 45 percent of the East Coast’s fuel supplies.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.

In the aftermath of the attack, Darkside gang shut down its operations, fearing the response of law enforcement. The group also claimed that the feds seized part of its infrastructure and some wallets it was using for its operations.

In July, the gang relaunched its operation with new infrastructure and under the new name BlackMatter.


Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

The post DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown appeared first on Security Affairs.

Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks

22 October 2021 at 13:28
The financially motivated FIN7 cybercrime gang has masqueraded as yet another fictitious cybersecurity company called "Bastion Secure" to recruit unwitting software engineers under the guise of penetration testing in a likely lead-up to a ransomware scheme. "With FIN7's latest fake company, the criminal group leveraged true, publicly available information from various legitimate cybersecurity

Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild

22 October 2021 at 12:41
A newly identified rootkit has been found with a valid digital signature issued by Microsoft that's used to proxy traffic to internet addresses of interest to the attackers for over a year targeting online gamers in China. Bucharest-headquartered cybersecurity technology company Bitdefender named the malware "FiveSys," calling out its possible credential theft and in-game-purchase hijacking

FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks

22 October 2021 at 11:02

The FIN7 hacking group created fake cybersecurity companies to hire experts and involve them in ransomware attacks, tricking them into believing they were conducting a pentest.

The FIN7 hacking group is attempting to enter the ransomware business and is doing so with an interesting technique. The gang creates fake cybersecurity companies that hire experts and have them carry out attacks under the guise of pentesting activities.

FIN7 is a Russian criminal group that has been active since mid-2015; it focuses on the restaurant, gambling, and hospitality industries in the US to harvest financial information that is then used in attacks or sold in cybercrime marketplaces.

One of the companies created by the cybercriminal organization for this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Secure.

The Bastion Secure website is hosted on the Russian domain registrar Beget, which is popular in the Russian cybercrime communities. Most of the submenus of the site return a Russian-language HTTP 404 error, a circumstance that suggests the site creators were Russian speakers. At the time of the report, some of the HTTP 404 errors remain unfixed.

The website is a clone of the website of Convergent Network Solutions Ltd; Bastion Secure’s ‘About’ page states that it is a spinoff of that legitimate cybersecurity firm, which is in no way linked to the criminal gang.

FIN7 fake security companies

FIN7, operating under the guise of Bastion Secure, published job offers for programmers (PHP, C++, Python), system administrators, and reverse engineers. The job offers for IT specialist positions ranged between $800 and $1,200 USD a month, which is a good salary for this type of position in post-Soviet states.

The gang was looking for administrators to map out compromised companies’ networks and locate sensitive data, including backups. The initial access to the target organizations was obtained through phishing attacks or by purchasing access on dark web forums.

Once they gained access to the target network, the threat actors could then drop malware and ransomware.

“Bastion Secure offered a job offer to a Gemini source and, in the process, provided the source with files that analysts later determined were for the post-exploitation tools Carbanak and Lizar/Tirion. These two tools have been previously attributed to FIN7 and establish the link between Bastion Secure and FIN7.” reads the analysis of Gemini Advisory. “The tasks that were assigned to the Gemini source by FIN7—operating under the guise of Bastion Secure—matched the steps taken to prepare a ransomware attack, providing further evidence that FIN7 has continued to expand into the ransomware sphere.”

A Gemini source applied for a job position and was hired; the gang gave him access to a set of post-exploitation tools known to be in FIN7’s arsenal, such as Carbanak and Lizar/Tirion. Through a fake pentesting engagement assigned by Bastion Secure, the group provided the source with access to the network of a target company.

“The files provided to the source by Bastion Secure included files for a software component titled “Command Manager” that was, in fact, a disguised version of the client component of Carbanak (see image 12). Gemini determined this by analyzing the software’s functionality and concluded that it is an updated version of previously identified versions of Carbanak.” continues the expert. “The main functions of the Carbanak command manager are collecting information about an infected computer and obtaining remote access to the infected computer. The files contained an obfuscated PowerShell script that ultimately launches the Lizar/Tirion injector and payload. “

The hired pentesters were asked to conduct reconnaissance and gather the information that would allow the gang to carry out the attack, such as user and admin account credentials and the location of backups.

“Although cybercriminals looking for unwitting accomplices on legitimate job sites is nothing new, the sheer scale and blatancy with which FIN7 operates continue to surpass the behavior shown by other cybercriminal groups. Not only is FIN7 looking for unwitting victims on legitimate job sites, but also attempting to obfuscate its true identity as a prolific cybercriminal and ransomware group by creating a fabricated web presence through a largely legitimate-appearing website, professional job postings, and company info pages on Russian-language business development sites.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks appeared first on Security Affairs.

FiveSys, a new digitally-signed rootkit spotted by Bitdefender experts

22 October 2021 at 07:50

Bitdefender researchers discovered a new rootkit named FiveSys that abuses a Microsoft-issued digital signature to evade detection.

FiveSys is a new rootkit discovered by researchers from Bitdefender; it is able to evade detection by abusing a Microsoft-issued digital signature.

Driver packages that pass Windows Hardware Lab Kit (HLK) testing can be digitally-signed by Microsoft WHQL (Windows Hardware Quality Labs). If your driver package is digitally-signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution mechanisms.

Obtaining a WHQL release signature is part of the Windows Hardware Lab Kit (HLK). A WHQL release signature consists of a digitally-signed catalog file.

Microsoft is aware that vxers have devised a method to get their rootkits digitally signed through this process. After Bitdefender reported the discovery, Microsoft revoked the signature for FiveSys.

FiveSys

In June, the company announced it was investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers built by a third party for certification through the Windows Hardware Compatibility Program (WHCP). One of the drivers signed by Microsoft, called Netfilter, was a malicious Windows rootkit that was spotted connecting to a C2 in China.

The IT giant pointed out that its WHCP signing certificate was not exposed and that its infrastructure was not compromised by hackers.

The FiveSys rootkit uses the same technique to remain under the radar; it is very similar to the Undead malware and likely originates from China, where it is used to target domestic games.

The rootkit was used by threat actors to redirect internet traffic to a custom proxy server.

“The main purpose of the rootkit is to redirect internet traffic and route it to a custom proxy server. To achieve this, the driver serves locally a Proxy Autoconfiguration Script to the browser. The driver will periodically update this autoconfiguration script. The script has a list of domains/URLs for which it redirects traffic to an endpoint under the attacker’s control.” reads the report published by Bitdefender.

The rootkit is able to redirect both HTTP and HTTPS traffic; in the latter case, it installs a custom root certificate to avoid browser warnings about the unknown identity of the proxy server.

The malware maintains a list of digital signatures used to detect drivers associated with the Netfilter and fk_undead malware families and prevent them from being loaded.

Bitdefender identified several user mode binaries that are used to fetch and execute the malicious drivers on the target machines. According to the experts, FiveSys uses four drivers, but at this time they have detected only two of them.

“It also has an estimated four drivers, but in our research, we only managed to isolate two:

  • PacSys (PC.sys) is responsible for delivering the proxy autoconfiguration script (the *.PAC file, hence the name probably).
  • Up.sys downloads an executable and starts it using an embedded dll which it injects from kernel mode.

Both drivers can protect the other module too, and reinstall it if it gets deleted.

Even though, technically speaking, the malware families are not among the sophisticated ones, the fact that they abuse digital signatures in this manner seriously undermines the credibility of this protection mechanism.”

To minimize the chance of a C2 takedown, the rootkit uses a built-in list of 300 randomly generated domains on the “.xyz” TLD, stored in encrypted form inside the binary.

Upon contacting the C2, the rootkit will select a random domain from the list, each such domain having several DNS A records.

The paper published by Bitdefender also includes indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post FiveSys, a new digitally-signed rootkit spotted by Bitdefender experts appeared first on Security Affairs.

Before yesterday (General Security News)

Evil Corp rebrands their ransomware, this time is the Macaw Locker

21 October 2021 at 22:40

Evil Corp cybercrime gang is using a new ransomware called Macaw Locker to evade US sanctions that prevent victims from paying the ransom.

Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.

Bleeping Computer, citing Emsisoft CTO Fabian Wosar, reported that the Macaw Locker ransomware is the latest rebrand of Evil Corp. The Macaw Locker ransomware encrypts victims’ files and appends the .macaw extension to the file name of the encrypted files. The malware drops ransom notes (macaw_recover.txt) in each folder; the ransom note includes a link to a unique victim negotiation page.

The Evil Corp cybercrime group (aka Indrik Spider, the Dridex gang, and TA505) has been active in cybercrime since 2007. The group started its operations by developing and distributing the infamous Dridex banking Trojan, then switched to ransomware operations, infecting victims’ computer networks with the BitPaymer ransomware.

In 2019, the U.S. Department of Justice (DoJ) charged Russian citizens Maksim V. (32) and Igor Turashev (38) with distributing the infamous Dridex banking Trojan and with involvement in international bank fraud and computer hacking schemes.

The US Government announced sanctions against ransomware negotiation firms that support victims of the Evil Corp group in paying ransoms.

Due to these sanctions, Evil Corp launched several ransomware operations that employed different strains of ransomware, such as WastedLocker, Hades, Phoenix Locker, and PayloadBin.

The Macaw Locker was recently involved in attacks against Olympus and the Sinclair Broadcast Group.

An example of real-world consequences from the ransoming of Sinclair Broadcasting Group.

The group behind the attack is Evil Corp. and their new "Macaw Locker". https://t.co/iNJgnCvK5q

— vx-underground (@vxunderground) October 21, 2021

Bleeping Computer also reported that Macaw Locker operators demanded ransoms of $28 million and $40 million worth of Bitcoin in two separate attacks against unnamed companies.

Experts speculate that after the exposure of the Macaw Locker operation, Evil Corp will rebrand their ransomware again.


Pierluigi Paganini

(SecurityAffairs – hacking, Macaw Locker)

The post Evil Corp rebrands their ransomware, this time is the Macaw Locker appeared first on Security Affairs.

A flaw in WinRAR could lead to remote code execution

21 October 2021 at 20:10

A vulnerability in WinRAR, a trialware file archiver utility for Windows, could be exploited by a remote attacker to hack a system.

Positive Technologies researcher Igor Sak-Sakovskiy discovered a remote code execution vulnerability, tracked as CVE-2021-35052, in the popular WinRAR trialware file archiver utility for Windows.

The vulnerability affects the trial version of the utility; the vulnerable version is 5.70.

“This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. This can be used to achieve Remote Code Execution (RCE) on a victim’s computer. It has been assigned the CVE ID – CVE-2021-35052.” reads the post published by Sak-Sakovskiy. “We found this vulnerability by chance, in WinRAR version 5.70.”

The researchers installed the software and noticed that it was producing a JavaScript error; the specific error indicated that the Internet Explorer engine was rendering the error window.

Winrar

After a series of tests, the expert noticed that once the trial period had expired, the software displayed the error message about one time out of three executions. The window used to display the error relies on the mshtml.dll implementation for Borland C++, the language in which WinRAR is written.

The expert used Burp Suite as a default Windows proxy to intercept traffic generated when the message is displayed.

The analysis of the response sent when WinRAR alerts the user about the end of the free trial period via “notifier.rarlab[.]com” revealed that, by modifying it into a “301 Moved Permanently” redirect, it was possible to cache the redirection to a malicious domain for any subsequent request. The experts also noticed that an attacker with access to the same network domain could carry out ARP spoofing attacks to remotely launch applications, retrieve local host information, and run arbitrary code.

“Next, we attempted to modify intercepted responses from WinRAR to the user. Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.” continues the expert.

Winrar

Experts pointed out that vulnerabilities in third-party software pose serious risks to organizations, they can be exploited to access any resource of the system and potentially of the network hosting it.

“It’s impossible to audit every application that could be installed by a user and so policy is critical to managing the risk associated with external applications and balancing this risk against the business need for a variety of applications. Improper management can have wide reaching consequences.” concludes the post.


Pierluigi Paganini

(SecurityAffairs – hacking, WinRAR)

The post A flaw in WinRAR could lead to remote code execution appeared first on Security Affairs.

Before and After a Pen Test: Steps to Get Through It

21 October 2021 at 17:52
An effective cybersecurity strategy can be challenging to implement correctly and often involves many layers of security. Part of a robust security strategy involves performing what is known as a penetration test (pen test). The penetration test helps to discover vulnerabilities and weaknesses in your security defenses before the bad guys discover these. They can also help validate remedial

Administrators of bulletproof hosting sentenced to prison in the US

21 October 2021 at 15:17

The United States Department of Justice sentenced two individuals that were providing bulletproof hosting to various malware operations.

The United States Department of Justice sentenced to prison two individuals involved in providing bulletproof hosting to various malware operations, including Citadel, SpyEye, Zeus, and the Blackhole exploit kit.

The two individuals, Aleksandr Skorodumov (33) of Lithuania, and Pavel Stassi (30) of Estonia, administered the bulletproof hosting service between 2009 and 2015.

The duo, along with Russian nationals Aleksandr Grichishkin and Andrei Skvortsov, founded an organization that offered bulletproof hosting; they rented attack infrastructure (IP addresses, servers, and domains) to crooks who used it to spread multiple malware families and conduct several malicious activities.

The defendants helped their clients evade detection by monitoring sites used to blocklist technical infrastructure used for crime. Every time content was flagged as malicious, the defendants moved it to new infrastructure and used false or stolen identities to register it.

Skvortsov was responsible for the marketing activity of the group, while Grichishkin was the organization’s day-to-day leader and oversaw its personnel.

Skorodumov was one of the organization’s lead systems administrators; he configured and managed the clients’ domains and IP addresses and provided technical assistance to help clients optimize their malware and botnets.

Stassi conducted several administrative tasks for the group, such as registering webhosting and financial accounts using stolen and/or false personal information.

Skorodumov was sentenced to 48 months in prison and Stassi to 24 months in prison.

Grichishkin and Skvortsov are pending sentencing and have already pleaded guilty, both face up to 20 years in prison.

“Every day, transnational organized cybercriminals deploy malware that ravages our economy and victimizes our citizens and businesses,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “The criminal organizations that purposefully aid these actors — the so-called bulletproof hosters, money launderers, purveyors of stolen identity information, and the like — are no less responsible for the harms these malware campaigns cause, and we are committed to holding them accountable. Prosecutions like this one increase the costs and risks to cybercriminals and ensure that they cannot evade responsibility for the enormous injuries they cause to victims.”


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post Administrators of bulletproof hosting sentenced to prison in the US appeared first on Security Affairs.

Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer

21 October 2021 at 13:16
A new security weakness has been disclosed in the WinRAR trialware file archiver utility for Windows that could be abused by a remote attacker to execute arbitrary code on targeted systems, underscoring how vulnerabilities in such software could become a gateway for a roster of attacks. Tracked as CVE-2021-35052, the bug impacts the trial version of the software running version 5.70. "This

Product Overview: Cynet SaaS Security Posture Management (SSPM)

21 October 2021 at 13:07
Software-as-a-service (SaaS) applications have gone from novelty to business necessity in a few short years, and their positive impact on organizations is clear. It’s safe to say that most industries today run on SaaS applications, which is undoubtedly positive, but it does introduce some critical new challenges to organizations. As SaaS application use expands, as well as the number of

Malicious NPM Packages Caught Running Cryptominer On Windows, Linux, macOS Devices

21 October 2021 at 11:00
Three JavaScript libraries uploaded to the official NPM package repository have been unmasked as crypto-mining malware, once again demonstrating how open-source software package repositories are becoming a lucrative target for executing an array of attacks on Windows, macOS, and Linux systems. The malicious packages in question — named okhsa, klow, and klown — were published by the same

US Bureau of Industry and Security bans export of hacking tools to authoritarian regimes

21 October 2021 at 07:17

The Commerce Department’s Bureau of Industry and Security (BIS) would ban U.S. firms from selling hacking tools to authoritarian regimes.

The Commerce Department’s Bureau of Industry and Security (BIS) would introduce a new export control rule aimed at banning the export or resale of hacking tools to authoritarian regimes. 

The rule announced by the BIS tightens export controls on technology that could be used by adversaries to conduct malicious cyber activities and surveillance of private citizens resulting in human rights abuse.

The rule will become effective in 90 days and will ban the export of “cybersecurity items” for National Security (NS) and Anti-terrorism (AT) reasons.

“Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” reads the announcement published by the Bureau of Industry and Security, Commerce.

The new License Exception Authorized Cybersecurity Exports would allow the export, reexport and transfer (in-country) of ‘cybersecurity items’ to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern.  The license will be required for those countries subject to a U.S. arms embargo.

The complete list of restricted destinations includes states of weapons of mass destruction or national security concern, or those subject to a U.S. arms embargo.

The rule is consistent with the result of BIS’s negotiations in the Wassenaar Arrangement (W.A.) multilateral export control regime and results from a review of comments from Congress, the private sector, academia, civil society, and other stakeholders.

U.S. Secretary of Commerce Gina M. Raimondo explained that the new rule aims at preventing the use of this technology by threat actors that could hit US computer networks and threaten U.S. national security.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights. The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.” said U.S. Secretary of Commerce Raimondo.


Pierluigi Paganini

(SecurityAffairs – hacking, Bureau of Industry and Security)

The post US Bureau of Industry and Security bans export of hacking tools to authoritarian regimes appeared first on Security Affairs.

U.S. Government Bans Sale of Hacking Tools to Authoritarian Regimes

21 October 2021 at 07:43
The U.S. Commerce Department on Wednesday announced new rules barring the sale of hacking software and equipment to authoritarian regimes, where it could potentially facilitate human rights abuse, for national security (NS) and anti-terrorism (AT) reasons. The mandate, which is set to go into effect in 90 days, will forbid the export, reexport and transfer of "cybersecurity items" to countries of "national

Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts

21 October 2021 at 07:03
Since at least late 2019, a network of hackers-for-hire has been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities to broadcast cryptocurrency scams or sell the accounts to the highest bidder. That's according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns targeting