RSS Security

Today — 5 August 2021 (General Security News)

Cryptominer ELFs Using MSR to Boost Mining Process

5 August 2021 at 16:28

The Uptycs Threat Research Team recently observed a Golang-based worm dropping cryptominer binaries that use the MSR (Model Specific Register) driver.


Original research by Siddarth Sharma

The Uptycs Threat Research Team recently observed a Golang-based worm dropping cryptominer binaries that use the MSR (Model Specific Register) driver to disable the CPU's hardware prefetchers, which the miner's own documentation says speeds up mining by up to 15%.

The Golang-based worm targets vulnerable *nix servers and exploits known vulnerabilities in popular web servers to spread itself and the embedded miner. Our threat intelligence systems identified the new variants in June 2021. Some of the functionality matches the malware the security firm Intezer described last year, but the newer variants have several additional tricks up their sleeve.

In this post we detail how cryptomining malware uses MSRs to disable the hardware prefetcher. We also cover new techniques the attackers use in the attack kill chain for persistence, including dropping the worm into sensitive directories on the compromised servers.

Hardware Prefetcher and the MSR

A hardware prefetcher is a CPU unit that predicts, from a core's recent memory-access pattern, which cache lines will be needed next and fetches them from main memory into cache (typically L2) before they are requested. Prefetching helps sequential workloads, but on multicore processors aggressive prefetching can evict useful lines and consume memory bandwidth, degrading overall system performance.

Model-specific registers (MSRs) are control registers used to toggle certain CPU features and for performance monitoring. Writing the appropriate MSR disables the hardware prefetchers. MSR writes are a ring-0 operation, so from user space they require root and a kernel interface that exposes the registers.

Miners Using MSR to Disable Hardware Prefetcher

A miner running with root privileges can therefore disable the prefetcher. This is done to boost the miner's execution performance and thereby its hash rate. We have seen XMRig miners in our threat intelligence systems using MSRs to disable the hardware prefetcher.

XMRig mines Monero with the RandomX algorithm. RandomX generates a sequence of unique random programs, seeded with data selected from a dataset that is itself derived from the hash of a key block, runs each program inside a virtual machine, and uses the hash of the resulting VM state as the proof of work.

Because RandomX programs execute in a VM and hit the dataset and scratchpad at essentially random addresses, the workload is memory-intensive and the hardware prefetcher mostly pulls in lines that are never used. The miner therefore disables the prefetcher through the MSR; according to the XMRig documentation this increases the hash rate by up to 15%.

The miner runs the modprobe msr command to load the msr driver (see Figure 1).

Figure 1: Command used to load msr driver

This is needed because on modular kernels the msr driver is not loaded automatically. Once loaded, it creates a character device per CPU at /dev/cpu/CPUNUM/msr that provides read and write access to the model-specific registers of an x86 CPU: the MSR number is used as the file offset and each register is 8 bytes (64 bits). The miner opens /dev/cpu/CPUNUM/msr and overwrites the existing register value with its own (see Figure 2).

Figure 2: MSR file modification

To disable the hardware prefetcher, the miner opens the /dev/cpu/CPUNUM/msr character device, reads the current register value, and writes the modified value back with the pwrite system call in 8-byte chunks, one per 64-bit MSR. Pseudo-code of this activity is shown in Figure 3.

Figure 3: Pseudo-code

The miner's configuration file also has “wrmsr” set to true, which enables the MSR feature (see Figure 4).

Figure 4: Miner config file
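The read side of the mechanism described above, as an added example that is not Uptycs or XMRig code: a read-only audit that opens /dev/cpu/N/msr, uses the register number as the pread offset, and reports which prefetchers are switched off. It assumes an Intel Core-family CPU and MSR 0x1A4 (MSR_MISC_FEATURE_CONTROL in the Intel SDM), whose low four bits disable the L2 streamer, L2 adjacent-line, DCU streamer and DCU IP prefetchers; AMD uses different registers, so treat the register number as an assumption to verify for your CPU model. It needs root and a loaded msr module.

```python
"""Read-only check of the Intel prefetcher-control MSR through /dev/cpu/N/msr.

Added example, not Uptycs or XMRig code. Assumptions: an Intel Core-family
CPU and MSR 0x1A4 (MSR_MISC_FEATURE_CONTROL), whose low four bits disable
the L2 streamer, L2 adjacent-line, DCU streamer and DCU IP prefetchers.
Needs root and a loaded msr module (modprobe msr).
"""
import os
import struct
import sys

MSR_MISC_FEATURE_CONTROL = 0x1A4          # assumption: Intel prefetch control
PREFETCH_BITS = {
    0: "L2 hardware prefetcher disabled",
    1: "L2 adjacent cache line prefetcher disabled",
    2: "DCU prefetcher disabled",
    3: "DCU IP prefetcher disabled",
}


def msr_path(cpu):
    """Per-CPU character device created by the msr kernel module."""
    return "/dev/cpu/%d/msr" % cpu


def decode_msr(raw):
    """MSRs are 64-bit: the device hands back 8 little-endian bytes."""
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    return struct.unpack("<Q", raw)[0]


def disabled_prefetchers(value):
    """Names of the prefetchers a given 0x1A4 value turns off."""
    return [name for bit, name in PREFETCH_BITS.items() if (value >> bit) & 1]


def read_msr(cpu, reg):
    """The register number is the file offset. The miner's write is the
    mirror image: os.pwrite(fd, struct.pack('<Q', new_value), reg)."""
    fd = os.open(msr_path(cpu), os.O_RDONLY)
    try:
        return decode_msr(os.pread(fd, 8, reg))
    finally:
        os.close(fd)


def audit(cpus=None):
    """Map cpu -> list of disabled prefetchers, for CPUs with findings only."""
    if cpus is None:
        cpus = range(os.cpu_count() or 1)
    findings = {}
    for cpu in cpus:
        hits = disabled_prefetchers(read_msr(cpu, MSR_MISC_FEATURE_CONTROL))
        if hits:
            findings[cpu] = hits
    return findings


if __name__ == "__main__":
    if not os.path.exists(msr_path(0)):
        sys.exit("no /dev/cpu/0/msr: run 'modprobe msr' as root first")
    for cpu, hits in sorted(audit().items()):
        print("cpu%d: %s" % (cpu, ", ".join(hits)))
```

Run it as root on a suspect host; prefetchers disabled on a server nobody tuned is a lead worth chasing, since the setting does not survive a reboot and so points at a live process. Two kernel-side caveats: with kernel lockdown in integrity mode, writes through /dev/cpu/N/msr are refused, and Linux 5.9 and later log a warning of the form "msr: Write to unrecognized MSR ... by <process>" for such writes unless msr.allow_writes=on is set, which leaves a kernel-log artefact for defenders.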

Wormed cryptominer: attack kill chain

  1. The attack kill chain of the wormed cryptominer starts with a shell script that downloads the Golang worm with the curl utility.
  2. From the victim machine, the worm scans for and exploits known server-side vulnerabilities such as CVE-2020-14882 and CVE-2017-11610.
  3. On each newly compromised server, the worm downloads another shell script, which in turn downloads a copy of the same Golang worm.
  4. The worm also writes multiple copies of itself to sensitive directories such as /boot, /boot/grub and /boot/efi, and later drops the XMRig miner ELF under /tmp.
  5. The miner disables the hardware prefetcher through the MSR to boost the mining process.

The shell script we analysed (SHA-256: 28e9b06e5a4606c9d806092a8ad78ce2ea7aa1077a08bcf3ec1d8e3d19714f08) used several defense-evasion techniques, such as altering firewall rules and disabling monitoring agents, which we detailed in our previous blog. It also used the ‘sed -i’ command to modify /etc/hosts with an entry for the nanopool mining-pool URL (see Figure 5).

Figure 5: /etc/hosts modification

The script finally downloads the first-stage worm sample from 194.145.227[.]21 (see Figure 6).

Figure 6: Shell script network traffic: downloading the worm

First stage payload: Worm

The worm (SHA-256: 163ef20a1c69bcb29f436ebf1e8a8a2b6ab6887fc48bfacd843a77b7144948b9) was written in Golang and UPX-packed. It uses the go-bindata package to embed the XMRig miner inside itself (see Figure 7).

Figure 7: Embedded XMRig miner

Vulnerabilities exploited by the Worm

Once running on a victim, the worm scans from that system for other servers vulnerable to known web-server flaws such as CVE-2020-14882 and CVE-2017-11610. The scanner package the worm uses for this is shown in Figure 8.

Figure 8: Scanner modules

The majority of the worm samples exploited the following vulnerabilities:

  1. CVE-2020-14882 – a path-traversal vulnerability in the administration console of Oracle WebLogic Server. The worm bypasses the console's authentication by requesting the /console/images path, which is served without login, and traversing out of it with a double-URL-encoded “..” sequence to reach console handlers that normally require authentication (see Figure 9).

Figure 9: Worm exploiting Path traversal vulnerability

  2. CVE-2017-11610 – a remote code execution (RCE) vulnerability in the XML-RPC interface of Supervisor (supervisord), the process-control system; the interface is exposed by supervisord's own built-in HTTP server. The encoded payload the attacker places in the <param> element of the XML-RPC request is shown in Figure 10.

Figure 10: Encoded payload in <param>
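The CVE-2020-14882 item above is a canonicalization failure: an allow-list decision was made on the raw request path while the file lookup used the decoded one. The following is an added example (not the worm's code and not Uptycs tooling) of the check a server or a log reviewer has to make instead: percent-decode until the path stops changing, collapse “..”, and only then compare against the unauthenticated prefix. It applies the same rule to access-log lines; the log lines are constructed, and the traversal shape follows the public description of CVE-2020-14882.

```python
"""Canonicalise request paths before an allow-list decision, and scan an
access log for requests that claim the unauthenticated /console/images
prefix but resolve elsewhere. Added example; sample log lines constructed."""
import posixpath
from urllib.parse import unquote

UNAUTH_PREFIX = "/console/images/"   # served without login on WebLogic consoles


def canonical_path(raw, max_rounds=3):
    """Percent-decode until stable (double encoding survives one pass),
    then collapse '.' and '..' the way the server's file lookup would."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)


def escapes_prefix(raw, prefix=UNAUTH_PREFIX):
    """True when the raw path starts under `prefix` but its canonical form
    does not: the auth-bypass shape for a prefix-based allow-list."""
    if not raw.split("?", 1)[0].startswith(prefix):
        return False
    return not canonical_path(raw).startswith(prefix)


def scan_access_log(lines):
    """Return (line number, canonical path) for suspicious requests.
    Expects common/combined log format: the request is the first quoted field."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()
        if len(request) < 2:
            continue
        path = request[1]
        if escapes_prefix(path):
            hits.append((n, canonical_path(path)))
    return hits


# Constructed sample: a normal image fetch, a double-encoded traversal that
# leaves the prefix, and a single-encoded one that stays inside it.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Aug/2021:10:00:00 +0000] "GET /console/images/logo.gif HTTP/1.1" 200 1234',
    '10.0.0.5 - - [05/Aug/2021:10:00:01 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true HTTP/1.1" 200 4321',
    '10.0.0.7 - - [05/Aug/2021:10:00:02 +0000] "GET /console/images/%2e%2e/images/bg.png HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for n, path in scan_access_log(SAMPLE_LOG):
        print("line %d: %s" % (n, path))
```

The third sample line is deliberately not flagged: it contains a traversal but resolves back inside the allowed prefix, so the rule matches on where the path ends up rather than on the presence of “..”, which keeps false positives down on logs full of odd-but-harmless requests.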

After successful exploitation, the worm runs a base64-encoded command on the newly compromised server that downloads a shell script (SHA-256: dfbe48ade0b70bd999abaf68469438f528b0e108e767ef3a99249a4a8cfa0176) from the C2 (see Figure 11).

Figure 11: Post-exploitation command to deploy the worm

This shell script downloads the worm from the C2, and the worm in turn deploys the XMRig miner on the server (see Figure 12).

Figure 12: Shell script downloading the worm

Worm dropping XMRig miner into /tmp

The worm writes the embedded XMRig miner to /tmp on the victim server. It first creates the directory /tmp/u0jhm2, writes the miner there, makes it executable with the fchmod system call, and then executes it (see Figure 13).

Figure 13: Worm dropping miner in /tmp 

Once the miner is running, the worm deletes the miner binary (kthreaddk) with the unlinkat system call: unlinkat(AT_FDCWD, “/tmp/u0jhm2/kthreaddk”, 0). The running process keeps its executable mapped, so the miner keeps working with no file left on disk; a responder can still recover it through /proc/<pid>/exe, which reports the path with a “(deleted)” suffix.

The worm also writes copies of itself to sensitive directories such as /boot, /boot/grub, /boot/efi and /X11 (see Figures 14 and 15).

Figure 14: Worm binary copying itself to /boot

Figure 15: Worm binary copying itself to /boot/efi


After writing itself to these directories, the worm registers itself in the crontab and uses fchmod to change the permissions of the cron spool file, tmp.6GnMiL, which is then renamed to root (see Figure 16). Writing a tmp.XXXXXX file in the spool directory and renaming it to the user name is how the crontab utility itself installs a crontab, so this sequence is consistent with the worm invoking crontab rather than editing the spool directly.

Figure 16: Writing to cron and later changing the permission

Our threat intelligence systems identified seven similar samples of the Golang-based wormed cryptominer. Their functionality and workings were the same, but some samples register different paths in the crontab, such as /dev/dri/by-path/<file_name> or /boot/<file_name>.
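The persistence and evasion artefacts described in this section (the /etc/hosts entry, cron entries pointing at /tmp, /boot or /dev/dri/by-path, worm copies under /boot, the msr module) are cheap to check on any Linux host. The following is an added example, not Uptycs tooling: an offline triage that works on text and file heads you have already collected, so it runs against a disk image as well as a live host. The sample inputs are constructed, and the pool-name and path lists are assumptions taken from this article rather than a complete IOC set; the dmesg check relies on the MSR-write warning that Linux 5.9 and later emit.

```python
"""Offline triage for the persistence artefacts of the wormed cryptominer.
Added example; constructed inputs; indicator lists are assumptions."""

SUSPICIOUS_CRON_DIRS = ("/tmp/", "/dev/shm/", "/dev/dri/by-path/", "/boot/")
POOL_HINTS = ("nanopool",)
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3     # ELF e_type values; grub .mod files are ET_REL (1)


def check_hosts(text):
    """sed -i on /etc/hosts leaves a static entry for the pool; flag it."""
    out = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if len(body) < 2:
            continue
        ip, names = body[0], body[1:]
        if any(h in n.lower() for n in names for h in POOL_HINTS):
            out.append(("/etc/hosts", "%s -> %s" % (ip, " ".join(names))))
    return out


def check_crontab(text):
    """Cron commands that execute from a world-writable or boot directory."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # @reboot-style entries have one schedule field, others have five
        cmd = " ".join(fields[1:] if fields[0].startswith("@") else fields[5:])
        for d in SUSPICIOUS_CRON_DIRS:
            if d in cmd:
                out.append(("crontab", "runs from %s: %s" % (d, cmd)))
                break
    return out


def elf_type(head):
    """e_type from an ELF header, or None if the bytes are not ELF."""
    if len(head) < 18 or not head.startswith(ELF_MAGIC):
        return None
    order = "little" if head[5] == 1 else "big"
    return int.from_bytes(head[16:18], order)


def check_boot_files(entries):
    """entries: path -> first bytes of the file. x86 kernels are bzImage and
    EFI binaries are PE, so an ELF *executable* under /boot deserves a look
    (memtest86+.elf is the usual benign exception); 'UPX!' marks packing."""
    out = []
    for path, head in entries.items():
        if elf_type(head) in (ET_EXEC, ET_DYN):
            note = "ELF executable under /boot"
            if b"UPX!" in head:
                note += " (UPX-packed)"
            out.append((path, note))
    return out


def check_modules(lsmod):
    """The miner modprobes msr; servers rarely have it loaded otherwise."""
    for line in lsmod.splitlines():
        if line.split()[:1] == ["msr"]:
            return [("lsmod", "msr module loaded")]
    return []


def check_dmesg(text):
    """Linux 5.9+ warns about raw MSR writes via /dev/cpu/N/msr unless
    msr.allow_writes=on is set; the message names the writing process."""
    return [("dmesg", line.strip()) for line in text.splitlines()
            if "Write to unrecognized MSR" in line]


def triage(hosts, crontab, boot_entries, lsmod, dmesg):
    return (check_hosts(hosts) + check_crontab(crontab)
            + check_boot_files(boot_entries) + check_modules(lsmod)
            + check_dmesg(dmesg))


# Constructed sample inputs (not captured from a real host).
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 xmr.nanopool.example  # pinned by miner\n"
SAMPLE_CRON = ("# m h dom mon dow command\n"
               "*/5 * * * * /dev/dri/by-path/.x > /dev/null 2>&1\n"
               "@reboot /usr/bin/uptime\n")
SAMPLE_BOOT = {
    "/boot/vmlinuz-5.10.0": b"MZ\x90\x00" + b"\x00" * 20,                                  # EFI-stub kernel
    "/boot/grub/i386-pc/normal.mod": b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x01\x00",   # ET_REL, benign
    "/boot/efi/.kthreaddk": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00" + b"UPX!",  # ET_EXEC, packed
}
SAMPLE_LSMOD = "Module                  Size  Used by\nmsr                    16384  0\nxfs                  1234567  1\n"
SAMPLE_DMESG = "[  812.3] msr: Write to unrecognized MSR 0x1a4 by kthreaddk (pid 4242).\n"

if __name__ == "__main__":
    for source, detail in triage(SAMPLE_HOSTS, SAMPLE_CRON, SAMPLE_BOOT, SAMPLE_LSMOD, SAMPLE_DMESG):
        print("%-30s %s" % (source, detail))
```

On a live host, feed it the contents of /etc/hosts, the output of crontab -l for root plus the files under /var/spool/cron and /etc/cron.d, the first 64 bytes of every regular file under /boot, and the output of lsmod and dmesg. Checking e_type rather than just the ELF magic matters: GRUB's loadable modules under /boot/grub are ELF relocatable objects and would otherwise drown the result in false positives.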

Uptycs EDR detections

Uptycs EDR, armed with YARA process scanning, detected the XMRig cryptominer and the MSR modification with a threat score of 10/10 (see Figure 17).

Figure 17: Uptycs EDR detection for MSR modification and other malicious activities

Additionally, Uptycs EDR's contextual detection provides further details about the detected malware: users can navigate to the toolkit data section in the detection alert and click the name to see the behaviour and workings of XMRig (see Figure 18).

Figure 18: Toolkit data showing attribution


With the rise and sky-high valuation of Bitcoin and several other cryptocurrencies, cryptomining attacks continue to dominate the threat landscape. Wormed cryptominers pose a greater threat because they write multiple copies of themselves and spread across endpoints in a corporate network. Beyond the CPU time stolen by mining, modifying MSRs can cause serious performance problems for corporate resources. The Uptycs EDR solution offers the added benefit of a deep dive into the logged events, giving more insight into an attack.

The Indicators of Compromise (IOCs) associated with the wormed cryptominer are reported in the original report at

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MSR)

The post Cryptominer ELFs Using MSR to Boost Mining Process appeared first on Security Affairs.

Italian energy company ERG hit by LockBit 2.0 ransomware gang

5 August 2021 at 12:28

ERG SPA, an Italian energy company, reports a minor impact on its operations after the recent ransomware attack conducted by LockBit 2.0 gang.

The Italian energy company ERG was recently hit by the LockBit 2.0 ransomware gang; the company now reports “only a few minor disruptions” to its ICT infrastructure. ERG produces wind, solar and hydroelectric energy as well as high-yield, low-environmental-impact thermoelectric cogeneration.

“Concerning the recent rumours in the media on hacker attacks on institutions and companies, ERG reports that it has experienced only a few minor disruptions to its ICT infrastructure, which are currently being overcome, also thanks to the prompt deployment of its internal cybersecurity procedures.” reads the notice published by ERG.

“The company confirms that all its plants are operating smoothly and have not experienced any downtime, thus ensuring continuous business operations.”

Concerning the rumours in the media on hacker attacks on institutions and companies, ERG reports that it has experienced only a few minor disruptions to ICT infrastructure which are currently being overcome thanks to the prompt deployment of its internal #cybersecurity procedures (1/2)

— ERG (@ERGnow) August 4, 2021

ERG added that all its plants are operating smoothly and have not experienced any downtime, thus ensuring continuous business operations

The ransomware gang has already added the Italian company to the list of victims published on its leak site. The crooks will start leaking the stolen data on August 14, 2021, at 00:00:00.

LockBit 2.0 ERG

The LockBit ransomware operations began in September 2019, but in June 2021 the group launched the LockBit 2.0 ransomware-as-a-service.

ERG isn’t the only Italian organization under attack; multiple Italian companies have been targeted in an unprecedented wave of ransomware attacks over the last few weeks.

A major cyber attack paralyzed the IT systems of the Lazio region's health portal, which residents use for COVID-19 vaccine registration. According to sources informed about the event, the attack was carried out with the RansomEXX ransomware, as first reported by BleepingComputer, which received a copy of the ransom note used in the attack.


Pierluigi Paganini


The post Italian energy company ERG hit by LockBit 2.0 ransomware gang appeared first on Security Affairs.

Ransomware Gangs and the Name Game Distraction

5 August 2021 at 11:38

It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.

A rough timeline of major ransomware operations and their reputed links over time.

Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.

Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.

I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.

One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S. Department of Justice.

After acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks.

DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya.

REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

A REvil ransom note.

Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later.

Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.

But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”

Likely, indeed. REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” Gandcrab bragged.

And wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene.


The past few months have been a busy time for ransomware groups looking to rebrand. BleepingComputer recently reported that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a ransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer.

All three of these ransom operations stem from a prolific cybercrime group known variously as TA505, “Indrik Spider” and (perhaps most memorably) Evil Corp. According to security firm CrowdStrike, Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves as “The Business Club.”

The Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide. In 2015, the FBI offered a standing $3 million bounty for information leading to the capture of the Business Club’s leader — Evgeniy Mikhailovich Bogachev. By the time the FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly a decade.

The alleged ZeuS Trojan author, Evgeniy Mikhaylovich Bogachev. Source: FBI

Bogachev was way ahead of his colleagues in pursuing ransomware. His Gameover Zeus Botnet was a peer-to-peer crime machine that infected between 500,000 and a million Microsoft Windows computers. Throughout 2013 and 2014, PCs infected with Gameover were seeded with Cryptolocker, an early, much-copied ransomware strain allegedly authored by Bogachev himself.

CrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware known as Dridex, which has emerged as a major vector for deploying malware that lays the groundwork for ransomware attacks.

“Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated,” CrowdStrike researchers wrote. “In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families.”

That CrowdStrike report was from July 2019. In April 2021, security experts at Check Point Software found Dridex was still the most prevalent malware (for the second month running). Mainly distributed via well-crafted phishing emails — such as a recent campaign that spoofed QuickBooks — Dridex often serves as the attacker’s initial foothold in company-wide ransomware attacks, Check Point said.


Another ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Asset Control (OFAC) said it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group.

Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI

In early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade U.S. sanctions. The drama began when the Babuk ransomware group announced in May that they were starting a new platform for data leak extortion, which was intended to appeal to ransomware groups that didn’t already have a blog where they can publicly shame victims into paying by gradually releasing stolen data.

On June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since then, multiple security experts have spotted what they believe is another version of WastedLocker dressed up as payload.bin-branded ransomware.

“Looks like EvilCorp is trying to pass off as Babuk this time,” wrote Fabian Wosar, chief technology officer at security firm Emsisoft. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”

Experts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. In addition, it is common for a large number of affiliates to migrate to competing ransomware groups when their existing sponsor suddenly gets shut down.

All of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic hinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to wear many disguises.

Perhaps that’s why the Biden Administration said last month it was offering a $10 million reward for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments.

Salesforce Release Updates — A Cautionary Tale for Security Teams

5 August 2021 at 10:30
On the surface, Salesforce seems like a classic Software-as-a-Service (SaaS) platform. Someone might even argue that Salesforce invented the SaaS market. However, the more people work with the full offering of Salesforce, the more they realize that it goes beyond a traditional SaaS platform's capabilities. For example, few people talk about managing the security aspects of Salesforce Release

A Wide Range of Cyber Attacks Leveraging Prometheus TDS Malware Service

5 August 2021 at 10:12
Multiple cybercriminal groups are leveraging a malware-as-a-service (MaaS) solution to run a wide range of malicious software distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish against individuals in Belgium as well as government agencies, companies, and corporations in the U.S. Dubbed "

Unpatched Security Flaws Expose Mitsubishi Safety PLCs to Remote Attacks

5 August 2021 at 09:33
Multiple unpatched security vulnerabilities have been disclosed in Mitsubishi safety programmable logic controllers (PLCs) that could be exploited by an adversary to obtain legitimate user names registered in the module via a brute-force attack, log in to the CPU module without authorization, and even cause a denial-of-service (DoS) condition. The security weaknesses, disclosed by Nozomi Networks,

Cisco fixes critical, high severity vulnerabilities in VPN routers

5 August 2021 at 06:08

Cisco fixed critical, high severity pre-auth security vulnerabilities impacting multiple Small Business VPN routers.

Cisco addressed critical and high severity pre-auth security vulnerabilities that impact multiple Small Business VPN routers.

An attacker could exploit the issues to trigger a denial-of-service condition or to execute arbitrary commands and code on the affected Small Business VPN routers.

The two vulnerabilities, tracked as CVE-2021-1609 and CVE-2021-1602, reside in the web-based management interfaces. Both flaws could be exploited by a remote, unauthenticated attacker without any user interaction, just by

CVE-2021-1609 affects the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers and received a CVSS score of 9.8.

“This vulnerability exists because HTTP requests are not properly validated. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device or cause the device to reload, resulting in a DoS condition.” reads the advisory.

CVE-2021-1602 affects the RV160, RV160W, RV260, RV260P, and RV260W VPN routers and received a CVSS score of 8.2.

“This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface.” states the advisory.

Cisco pointed out that the remote management feature is disabled by default on the impacted VPN routers.

“The web-based management interface for these devices is available through local LAN connections by default and cannot be disabled there. The interface can also be made available through the WAN interface by enabling the remote management feature. By default, the remote management feature is disabled on affected devices.” continues the advisory.

Cisco says no workarounds are available for these flaws, and its Product Security Incident Response Team (PSIRT) is not aware of in-the-wild exploitation.


Pierluigi Paganini


The post Cisco fixes critical, high severity vulnerabilities in VPN routers appeared first on Security Affairs.

Cisco Issues Critical Security Patches to Fix Small Business VPN Router Bugs

5 August 2021 at 06:02
Networking equipment major Cisco has rolled out patches to address critical vulnerabilities impacting its Small Business VPN routers that could be abused by a remote attacker to execute arbitrary code and even cause a denial-of-service (DoS) condition. The issues, tracked as CVE-2021-1609 (CVSS score: 9.8) and CVE-2021-1610 (CVSS score: 7.2), reside in the web-based management interface of the
Yesterday — 4 August 2021 (General Security News)

Advanced Technology Ventures discloses ransomware attack and data breach

4 August 2021 at 21:39

The American venture capital firm Advanced Technology Ventures (ATV) disclosed a ransomware attack, crooks also stole data of some private investors.

Advanced Technology Ventures (ATV) is an American venture capital firm with more than $1.8 billion in capital under management. The venture capital firm this week disclosed a ransomware attack, threat actors have also stolen the personal information of some of its private investors.

ATV reported that the security breach took place in July, the ransomware operators stole financial information stored on two servers before encrypting them.

“On July 9, 2021 the Company learned from its third-party information technology provider that there had been anomalous activity on two identical ATV servers (the “Servers”) on which the Company stored financial reporting information. The Company soon determined that the Servers had been encrypted by a ransomware attack. On July 26, 2021, the Company learned that there was evidence of both unauthorized access to and exfiltration of the contents of the Servers.” reads a data breach notification letter sent to affected Maine residents.

Stolen data includes names, emails, phone numbers, and Social Security Numbers of some private investors.

Advanced Technology Ventures states that 300 individuals have been affected.

“We are not at this time aware of any fraud or misuse of your information as a result of this incident,” states the company. “We also required all employees to change their access credentials and deployed additional endpoint protection on our corporate network to help prevent this type of incident from reoccurring in the future,”


Pierluigi Paganini


The post Advanced Technology Ventures discloses ransomware attack and data breach appeared first on Security Affairs.

Several Malware Families Targeting IIS Web Servers With Malicious Modules

4 August 2021 at 20:30
A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software continues to be a hotbed for natively developed malware for close to eight years. The findings were presented today by ESET malware researcher Zuzana Hromcova at the Black

US CISA and NSA publish guidance to secure Kubernetes deployments

4 August 2021 at 16:15

US CISA and NSA released new guidance that provides recommendations on how to harden Kubernetes deployments and minimize the risk of hack.

US CISA and NSA released new guidance that provides recommendations to harden Kubernetes deployments.

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. In recent months the number of attacks against misconfigured Kubernetes clusters has surged, with threat actors mainly using the hijacked compute to mine cryptocurrency.

The guidance details the security challenges associated with setting up and securing a Kubernetes cluster. The advisory also includes recommendations to harden the installs and to properly configure them.

It guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.

Below is the list of mitigations provided by the US agencies:

  • Scan containers and Pods for vulnerabilities or misconfigurations.
  • Run containers and Pods with the least privileges possible.
  • Use network separation to control the amount of damage a compromise can cause.
  • Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
  • Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
  • Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
  • Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

The guidance states that the three common sources of compromise in Kubernetes are supply chain risks, malicious threat actors, and insider threats.

“Supply chain risks are often challenging to mitigate and can arise in the container build cycle or infrastructure acquisition. Malicious threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications. Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges.” states the guidance.
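Most of the “least privileges possible” bullet above maps onto a handful of fields in a Pod spec. The following is an added example, not from the CISA/NSA document and not Kubernetes project tooling: a small checker that reports which of those fields a manifest gets wrong, run over a constructed quick-start-style Pod and the same workload with the guidance applied. The rule set is one reading of the guidance (host namespaces, hostPath mounts, non-root user, privilege escalation, read-only root filesystem, capabilities, seccomp); specs are plain dicts, the shape yaml.safe_load returns, so it runs without PyYAML.

```python
"""Least-privilege checks for a Pod spec. Added example; sample Pods constructed."""

HOST_NAMESPACES = ("hostPID", "hostNetwork", "hostIPC")


def _seccomp_ok(sc):
    return sc.get("seccompProfile", {}).get("type") in ("RuntimeDefault", "Localhost")


def pod_findings(pod):
    """Return a list of human-readable findings; an empty list means the spec passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []
    for flag in HOST_NAMESPACES:
        if spec.get(flag):
            out.append("pod: %s shares a node namespace" % flag)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append("%s: privileged container" % name)
        if sc.get("allowPrivilegeEscalation", True):      # Kubernetes default is true
            out.append("%s: allowPrivilegeEscalation not set to false" % name)
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            out.append("%s: runAsNonRoot not enforced" % name)
        if not sc.get("readOnlyRootFilesystem"):
            out.append("%s: writable root filesystem" % name)
        drop = [x.upper() for x in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drop:
            out.append("%s: capabilities not dropped (drop: [ALL])" % name)
        if not (_seccomp_ok(sc) or _seccomp_ok(pod_sc)):
            out.append("%s: no seccompProfile (use RuntimeDefault)" % name)
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            out.append("volume %s: hostPath mount of %s" % (v.get("name"), v["hostPath"].get("path")))
    return out


# Constructed: the kind of spec a quick-start tutorial produces ...
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web", "image": "example/web:1.4.2",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# ... and the same workload with the guidance applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web", "image": "example/web:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = pod_findings(pod)
        print("%s: %s" % (label, "OK" if not findings else ""))
        for f in findings:
            print("  - " + f)
```

To use it on real manifests, load each document with yaml.safe_load and pass it to pod_findings; for Deployments and similar, pass the embedded spec.template instead. The checks are deliberately the ones a cluster-wide admission policy (Pod Security Admission in the restricted profile, or an equivalent policy engine) would enforce, so a non-empty result is also a hint that the cluster is missing such a policy.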


Pierluigi Paganini


The post US CISA and NSA publish guidance to secure Kubernetes deployments appeared first on Security Affairs.

China-linked APT31 targets Russia for the first time

4 August 2021 at 15:25

China-linked APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia.

Researchers from Positive Technologies reported that China-linked APT31 group has been using a new piece of malware in a recent wave of attacks targeting Mongolia, Belarus, Canada, the United States, and Russia.

Experts found many similarities between the malware and the DropboxAES RAT that was first spotted by researchers at Secureworks and that was previously attributed to APT31. Positive Technologies pointed out that the two samples were the same malware with only minor differences.

APT31 (aka Zirconium) is a China-linked APT group involved in multiple cyber-espionage operations. It made headlines recently after the Check Point Research team discovered that the group used a tool dubbed Jian, a clone of the NSA Equation Group’s “EpMe” hacking tool, years before EpMe was leaked online by the Shadow Brokers.

In July 2021, the French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations by the China-linked APT31 cyber-espionage group. The state-sponsored hackers hijack home routers to build a proxy mesh of compromised devices that conceals their attack infrastructure. The campaign began at the start of 2021 and is still ongoing; the alert published by the French agency includes a list of 161 IP addresses of hijacked devices involved in the attacks.

The technique allows the attackers to mask the actual source of the attacks against French entities.

Researchers reported that the attackers employed the new malware in approximately 10 attacks aimed at the above states between January and July 2021.

APT31 employed a new dropper that leverages DLL sideloading to execute the malicious binary on the target machine.

“The main objective of the dropper, the appearance of the main function of which is shown in Figure 1, is the creation of two files on the infected computer: a malicious library and an application vulnerable to DLL Sideloading (this application is then launched). Both files are always created over the same path: C:\ProgramData\Apacha. In the absence of this directory, it is created and the process is restarted.” reads the analysis published by the experts.

The application launched by the dropper loads the malicious library and calls one of its functions. The library mimics the legitimate MSVCR100.dll, which is included in Visual C++ for Microsoft Visual Studio. Experts pointed out that the size of the malicious library employed in the attack is much smaller than the legitimate one.
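A defender-side check derived from the dropper footprint described above, added here as an example and not code from Positive Technologies or the Security Affairs post: it flags files written under the reported C:\ProgramData\Apacha path and copies of MSVCR100.dll that sit outside the Windows runtime directories or are implausibly small. The inventory records, the trusted-directory list and the 500 KB size threshold are assumptions.

```python
import ntpath
from dataclasses import dataclass
# Fixed path the dropper is reported to use (from the analysis quoted above).
DROPPER_DIR = r"C:\ProgramData\Apacha"
# Name of the legitimate Visual C++ runtime library the malicious DLL mimics.
MIMICKED_DLL = "msvcr100.dll"
# Assumed list of directories where a genuine copy of the runtime normally lives.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
# Assumed threshold; the report only says the malicious copy is "much smaller".
MIN_PLAUSIBLE_SIZE = 500_000

@dataclass(frozen=True)
class FileRecord:
    path: str  # Windows path as recorded by an inventory or EDR tool
    size: int  # size in bytes

def _canon(path):
    # Lower-case, backslash-normalised form so comparisons are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def _under(directory, parent):
    parent = _canon(parent)
    return directory == parent or directory.startswith(parent + "\\")

def assess(rec):
    """Return the reasons a record matches the dropper's footprint ([] if none)."""
    directory, name = ntpath.split(_canon(rec.path))
    reasons = []
    if _under(directory, DROPPER_DIR):
        reasons.append("written under the dropper's fixed path")
    if name == MIMICKED_DLL:
        # A bundled copy beside an app is common, so path alone is weak; path plus small size is the report's signal.
        if not any(_under(directory, d) for d in TRUSTED_DIRS):
            reasons.append("MSVCR100.dll outside the Windows runtime directories")
        if rec.size < MIN_PLAUSIBLE_SIZE:
            reasons.append("MSVCR100.dll far smaller than the genuine runtime")
    return reasons

def triage(records):
    """Map each suspicious path to its reasons; clean records are omitted."""
    return {r.path: assess(r) for r in records if assess(r)}

# Constructed sample inventory (not real telemetry).
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\msvcr100.dll", 829_264),
    FileRecord(r"C:\ProgramData\Apacha\MSVCR100.dll", 98_304),
    FileRecord(r"C:\ProgramData\Apacha\updater.exe", 412_000),
    FileRecord(r"C:\Program Files\SomeVendor\msvcr100.dll", 773_968),
]
```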

In order to avoid detection, the threat actors also signed the dropper used in some attacks with a valid, likely stolen, digital signature.

The malware employed in the attacks allows operators to steal information from infected systems, get info on mapped drives, search for files and documents, create a process, create a new stream with a file download from the server, create a new stream sending the file to the server, create a directory, or delete itself.

“In the study PT ESC specialists analyzed new versions of the malware used by APT31 in attacks from January to July this year. The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular. We believe that further instances will be revealed soon of this group being used in attacks, including against Russia, along with other tools that might be identified by code correspondence or network infrastructure.” Positive Technologies concludes.


Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus

4 August 2021 at 12:49
An amalgam of multiple state-sponsored threat groups from China may have been behind a string of targeted attacks against Russian federal executive authorities in 2020. The latest research, published by Singapore-headquartered company Group-IB, delves into a piece of computer virus called "Webdav-O" that was detected in the intrusions, with the cybersecurity firm observing similarities between

INFRA:HALT flaws impact OT devices from hundreds of vendors

4 August 2021 at 11:33

INFRA:HALT is a set of vulnerabilities affecting a popular TCP/IP library commonly used in OT devices manufactured by more than 200 vendors.

Security researchers from Forescout and JFrog have today disclosed 14 vulnerabilities that impact a popular TCP/IP library named NicheStack, commonly used in industrial equipment and Operational Technology (OT) devices manufactured by more than 200 vendors.

NicheStack (aka InterNiche stack) is a proprietary TCP/IP stack originally developed by InterNiche Technologies and acquired by HCC Embedded in 2016.

NicheStack is used by several devices in the Operational Technology (OT) and critical infrastructure space, such as the popular Siemens S7 line of PLCs.

“The new vulnerabilities allow for Remote Code Execution, Denial of Service, Information Leak, TCP Spoofing, or DNS Cache Poisoning.” states the report. “Forescout Research Labs and JFrog Security Research exploited two of the Remote Code Execution vulnerabilities in their lab and show the potential effects of a successful

The flaws could be exploited by a threat actor who has gained access to the OT network of an organization.

Below is the list of vulnerabilities discovered by the experts:

[Image: INFRA:HALT flaws]

“INFRA:HALT confirms earlier findings of Project Memoria, namely similar vulnerabilities appearing in different implementations, both open and closed source. In fact, INFRA:HALT includes examples of memory corruption like in AMNESIA:33, weak ISN generation like in NUMBER:JACK and DNS vulnerabilities like in NAME:WRECK” continues the report.

[Image: INFRA:HALT flaws 2]

The experts also estimated the impact of the INFRA:HALT vulnerabilities; the analysis was based on the following sources:

  • A legacy InterNiche website listing its main customers, which includes a total of almost 200 device vendors.
  • Shodan Queries show around 6,400 OT devices connected online in March. Experts “found
    more than 6,400 instances of devices running NicheStack (using the simple query “InterNiche”). Of those devices, the large majority (6360) run an HTTP server (query “InterNiche Technologies Webserver”), while the others ran mostly FTP (“Welcome to InterNiche embFtp server”), SSH (“SSH2.0-InternicheSSHServer (c)InterNiche”) or Telnet (“Welcome to InterNiche Telnet Server”) servers.”
  • Forescout Device Cloud. Forescout Device Cloud is a repository of information of 13+ million devices monitored by Forescout appliances. Experts found more than 2,500 device instances from 21 vendors.

HCC Embedded has released firmware patches to address the INFRA:HALT issues.

The researchers also released Forescout’s Project Amnesia scanner to allow organizations to determine if the devices they are using are affected by these vulnerabilities.


New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks

4 August 2021 at 10:28
A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021 that involve the deployment of a remote access trojan (RAT) on infected systems, according to new research. The intrusions have been attributed to an advanced persistent threat named APT31 (FireEye), which is tracked by the

Critical Flaws Affect Embedded TCP/IP Stack Widely Used in Industrial Control Devices

4 August 2021 at 06:46
Cybersecurity researchers on Wednesday disclosed 14 vulnerabilities affecting a commonly-used TCP/IP stack used in millions of Operational Technology (OT) devices manufactured by no fewer than 200 vendors and deployed in manufacturing plants, power generation, water treatment, and critical infrastructure sectors. The shortcomings, collectively dubbed "INFRA:HALT," target NicheStack, potentially
Before yesterday
General Security News

Cyber Defense Magazine – August 2021 has arrived. Enjoy it!

3 August 2021 at 22:57

Cyber Defense Magazine August 2021 Edition has arrived. We hope you enjoy this month’s edition…packed with over 148 pages of excellent content.

Cyber Defense eMagazine August Edition for 2021
Grab this PDF version and help fund our operations:

Here’s the Yumpu Magazine Version

Here’s a free PDF Version hosted on our site:

Mobile Version
The Black Unicorn Report for 2021 
Grab this PDF version and help fund our operations:

Yumpu Magazine Version

Free PDF Version hosted on our site

Mobile Version
Thank you so much for your continued support as we are now at Black Hat 2021.
Our award winners for 7 categories in the Black Unicorn Award are here.


China-linked APT groups target telecom companies in Southeast Asia

3 August 2021 at 20:55

China-linked APT groups have targeted the networks of at least five major telecommunications companies operating in Southeast Asia since 2017.

Cybereason researchers identified three clusters of activity associated with China-linked threat actors that carried out a series of attacks against networks of at least five major telecommunications companies located in South Asia since 2017.

“The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” states the report published by Cybereason.

The three clusters were linked to the China-linked APT groups tracked as Soft Cell (aka Gallium), Naikon APT (aka APT30 or Lotus Panda), and TG-3390 (aka APT27 or Emissary Panda).

Below are the details of each cluster:

  • Cluster A: Operated by Soft Cell, the activity associated with this cluster started in 2018 and continued through Q1 2021.
  • Cluster B: Operated by the Naikon APT, the activity associated with this cluster was first observed in Q4 2020 and continued through Q1 2021.
  • Cluster C: It was classified by Cybereason as a “mini-cluster” with a unique OWA backdoor that was deployed by cyberspies across multiple Microsoft Exchange and IIS servers. The analysis of the backdoor shows many similarities with a known backdoor, tracked as Iron Tiger, employed in campaigns conducted by the Group-3390 (APT27 / Emissary Panda). The activity related to this cluster was observed between 2017 and Q1 2021.
[Image: China-linked APT groups]

The attackers spent significant effort to avoid detection. Like the HAFNIUM attacks, they exploited the ProxyLogon vulnerabilities affecting Microsoft Exchange Servers to gain access to the targeted networks.

“They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms’ services.” continues the analysis.

Naikon APT employed a backdoor tracked as “Nebulae” that supports common backdoor capabilities, including the ability to collect LogicalDrive information, manipulate files and folders, download and upload files from and to the command-and-control server, and list, execute and terminate processes on compromised devices.

Experts found multiple overlaps between the activities of the clusters; below are the hypotheses they put forward:

  • One hypothesis is that the clusters represent the work of two or more teams with different sets of expertise (e.g. initial access team, foothold, telco-technology specialized team, etc.) all working together and reporting to the same Chinese threat actor.
  • A second hypothesis is that there are two or more Chinese threat actors with different agendas / tasks that are aware of each other’s work and potentially even working in tandem.
  • Another plausible hypothesis is that the clusters are not interconnected and that the threat actors are working independently with no collaboration, or even piggybacking on the access achieved by one of the actors involved.


Cisco fixed Remote Code Execution issue in Firepower Device Manager On-Box software

3 August 2021 at 14:19

Cisco addressed a vulnerability in the Firepower Device Manager (FDM) On-Box software that allows attackers to execute arbitrary code on vulnerable devices.

Cisco has addressed a vulnerability in the Firepower Device Manager (FDM) On-Box software, tracked as CVE-2021-1518, that could be exploited by an attacker to execute arbitrary code on vulnerable devices.

FDM On-Box allows administrators to manage the firewall without a centralized manager like the FMC and provides diagnostics capabilities.

The flaw resides in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software and is due to a lack of proper sanitization of user input on specific REST API commands.

“A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device.” states the report.

“This vulnerability is due to insufficient sanitization of user input on specific REST API commands. An attacker could exploit this vulnerability by sending a crafted HTTP request to the API subsystem of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system. To exploit this vulnerability, an attacker would need valid low-privileged user credentials.”

The flaw received a CVSS score of 6.3; it was reported by Positive Technologies security researchers Nikita Abramov and Mikhail Klyuchnikov.

An attacker could exploit the vulnerability by sending a special HTTP request to the API subsystem of a device affected by the flaw.

The flaw could be exploited by an attacker having valid user credentials.

The vulnerability impacts FDM On-Box versions 6.3.0, 6.4.0, 6.5.0, 6.6.0, and 6.7.0. Cisco fixed the vulnerability with the release of software versions, 6.4.4, and

The good news is that Cisco experts are not aware of attacks in the wild exploiting this vulnerability.
