
TheMoon bot infected 40,000 devices in January and February

26 March 2024 at 21:19

A new variant of TheMoon malware infected thousands of outdated small office and home office (SOHO) routers and IoT devices worldwide.

The Black Lotus Labs team at Lumen Technologies uncovered an updated version of “TheMoon” bot targeting end-of-life (EoL) small office/home office (SOHO) routers and IoT devices. The new version of the bot has been spotted infecting thousands of outdated devices in 88 countries.

TheMoon botnet was first spotted in 2014, and since 2017 its operators have added at least six IoT device exploits to the bot’s code. The botnet has targeted broadband modems and routers from several vendors, including Linksys, ASUS, MikroTik, D-Link, and GPON routers.

In May 2018, researchers from security firm Qihoo 360 Netlab reported that the cybercriminals targeting Dasan GPON routers were using another zero-day flaw affecting the same routers to recruit them into their botnet.

In February 2019, CenturyLink Threat Research Labs collected evidence that the botnet’s operator had sold it as a proxy service to other cybercrime gangs, which used it for credential brute forcing, video advertisement fraud, general traffic obfuscation and more.

The TheMoon variant discovered by the Black Lotus Labs team was observed on over 40,000 bots in 88 countries in January and February 2024.

Most of the bots are associated with the activity of a notorious, cybercriminal-focused proxy service, known as Faceless.


According to the experts, the botnet TheMoon is enabling the growth of the Faceless service at a rate of nearly 7,000 new users per week.

“Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours,” reads the report published by Black Lotus Labs. “Faceless is an ideal choice for cyber-criminals seeking anonymity, our telemetry indicates this network has been used by operators of botnets such as SolarMarker and IcedID.”

The infection chain starts with a lightweight loader. The loader first checks for the existence of “/bin/bash,” “/bin/ash,” or “/bin/sh.” If none of these shells is present, it halts. If any of them is, it decrypts, drops, and executes the next-stage payload, “.nttpd.”

Next, the payload checks for the file “.nttpd.pid.” If the file does not exist, it creates it and records the process’s PID along with the fixed version number 26. If “.nttpd.pid” already exists, it opens the file and, if the recorded version is more recent than 26, terminates all processes named “.nttpd.pid.”

The binary then sets up iptables rules that drop incoming TCP traffic on ports 8080 and 80 while accepting traffic from specific addresses.

Once the rules are in place, a thread connects to an NTP server from a list of legitimate NTP servers. The researchers believe the malware contacts NTP to verify that the infected device has internet connectivity and is not running inside a sandbox.

The bot then connects to its C2 server by cycling through a set of hardcoded IP addresses and awaits instructions.

“The C2 may respond with a packet that gives a specific filename and a location from which it can be retrieved. The infected device then requests and downloads the corresponding ELF executable,” continues the report. “Thus far we have identified two subsequent modules, one appears to be a worm while the other file is named “.sox,” which is used to proxy traffic from the bot to the internet on behalf of a user.”
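The firewall and process behaviour described above gives a defender two host-side indicators to look for on a suspect router: INPUT rules that drop inbound TCP on 80 and 8080 while accepting a few specific sources, and processes named “.nttpd” or “.sox.” The following triage script is an added example, not code from Black Lotus Labs or the report; it parses iptables-save output and a ps listing, both constructed here (source addresses are RFC 5737 documentation ranges), and flags that combination.

```python
"""Host-side triage for the TheMoon firewall/process pattern.

Added example, not from the Black Lotus Labs report. Inputs are constructed
samples in the shape of `iptables-save` and `ps -o pid,comm` output.
"""
import re

WATCHED_PORTS = {80, 8080}            # ports the report says the bot drops
SUSPICIOUS_NAMES = {".nttpd", ".sox"}  # payload and proxy module names from the report

# One iptables-save rule line: "-A <chain> <matches> -j <target>"
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*?)\s+-j\s+(?P<target>\S+)$")


def _ports_in(body):
    """Destination ports named by --dport N or --dports a,b,c (ranges as lo:hi)."""
    ports = set()
    for m in re.finditer(r"--dports?\s+([\d,:]+)", body):
        for part in m.group(1).split(","):
            if ":" in part:
                lo, hi = (int(x) for x in part.split(":", 1))
                ports.update(p for p in WATCHED_PORTS if lo <= p <= hi)
            else:
                ports.add(int(part))
    return ports


def analyse_iptables(save_text):
    """Collect INPUT rules touching 80/8080: DROP rules and the sources ACCEPTed."""
    drop_rules, accept_sources = [], []
    for raw in save_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m or m.group("chain") != "INPUT":
            continue
        body, target = m.group("body"), m.group("target")
        if "-p tcp" not in body or not (_ports_in(body) & WATCHED_PORTS):
            continue
        if target == "DROP":
            drop_rules.append(raw.strip())
        elif target == "ACCEPT":
            src = re.search(r"-s\s+(\S+)", body)
            if src:
                accept_sources.append(src.group(1))
    return {"drop_rules": drop_rules, "accept_sources": accept_sources}


def suspicious_processes(ps_text):
    """Command names from `ps -o pid,comm`-style output matching the report's binaries."""
    found = []
    for line in ps_text.splitlines()[1:]:  # first line is the PID/COMMAND header
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in SUSPICIOUS_NAMES:
            found.append(parts[1].strip())
    return found


def assess_host(save_text, ps_text):
    """Combine both indicators. The firewall pattern alone (drop for everyone,
    accept for a few addresses) is enough to escalate; a matching process is too."""
    fw = analyse_iptables(save_text)
    procs = suspicious_processes(ps_text)
    firewall_pattern = bool(fw["drop_rules"]) and bool(fw["accept_sources"])
    return {**fw, "processes": procs, "suspicious": firewall_pattern or bool(procs)}


# Constructed sample data (not real telemetry).
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m multiport --dports 80,8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""

SAMPLE_PS = """\
  PID COMMAND
    1 init
  412 dropbear
  873 .nttpd
  901 .sox
"""

if __name__ == "__main__":
    print(assess_host(SAMPLE_IPTABLES, SAMPLE_PS))
```

On a live device the two inputs would come from `iptables-save` and `ps`; the script only decides whether the pattern is present, so a hit is a reason to pull the box for a closer look, not a verdict on its own.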

The report includes Indicators of Compromise (IoCs) associated with this campaign. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, TheMoon)


Finnish police linked APT31 to the 2021 parliament attack

27 March 2024 at 06:35

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to the China-linked group APT31.

The Finnish Police attributed the March 2021 attack on the parliament to the China-linked group APT31. The Finnish authorities investigated multiple offenses, including aggravated espionage, aggravated unlawful access to an information system, and aggravated violation of the secrecy of communications.

According to the police, the offenses were committed between autumn 2020 and early 2021. The police immediately suspected the involvement of the China-linked cyberespionage group APT31 and have now confirmed the attribution. The police announced that they have also identified one suspect.

The multi-year investigation revealed a complex criminal infrastructure used by the nation-state actors, explained the Head of Investigation, Detective Chief Inspector Aku Limnéll of the National Bureau of Investigation.

“The police have previously informed that they were investigating the hacking group APT31’s connections with the incident. These connections have now been confirmed by the investigation, and the police have also identified one suspect,” reads the press release published by the Finnish Police.

The investigation relied on international information exchange: the National Bureau of Investigation collaborated with international partners and the Finnish Security and Intelligence Service.

This week, the US government announced sanctions against a pair of Chinese hackers (Zhao Guangzong and Ni Gaobin), alleged members of the China-linked APT31 group, who are responsible for “malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors.”

The U.S. Treasury Department has sanctioned a tech company based in Wuhan, the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), used by the Chinese Ministry of State Security (MSS) as a front in attacks against organizations in the U.S. critical infrastructure sector.

The UK, Australia and New Zealand are also accusing China-linked APT31 of cyber operations against UK institutions and parliamentarians.


Pierluigi Paganini

(SecurityAffairs – hacking, APT31)

The DDR Advantage: Real-Time Data Defense

27 March 2024 at 12:12

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build a real-time data defense.

In cybersecurity, and in life, by the time you find out that something went wrong it is often too late. The advantage of Data Detection and Response (DDR) is that you no longer have to wait until the milk is spilled. With DDR, your organization can have real-time data defense.

Here’s how it works.

What is Data Detection and Response (DDR)? And why do we need it?

Before you think, “Oh no, not another –DR acronym,” and keep scrolling – wait. Data Detection and Response is in a class of its own and shares the common surname in name only.

Status-quo cybersecurity works by securing the “boxes” in which our data resides. Twenty years ago, that used to be on-premises networks surrounded by the “perimeter.” Then, the perimeter died drastically and was replaced with email servers and cloud repositories. Now, it’s data lakes and environments so complex that a box can hardly be seen. Or, in the case of the cloud, it morphs so much that it is barely recognizable.

This is not good for advocates of data protection but great for attackers who thrive in our confusion and in the gaps that exist between the boxes. After all, you can’t secure what you can’t see, and today’s environments obfuscate the true location of data so well that we, as security practitioners, can hardly keep up with it.

Advantages of Data Detection and Response

The IEEE Computer Society lists the top five benefits of DDR as:

  1. Innovative data classification | DDR solutions sort and label data by content and lineage, meaning not only what it is but where it came from. Sometimes, the history tells the story – was this information kept in high-clearance databases only to end up on Chad’s Slack? Something must be off.
  2. Protects data in motion | As they state, “Data is most at risk when in motion, so that’s when DDR scans it.” The real damage is done when data travels (outside of the enterprise, from a person who has access to one who does not, to a mysterious external server in Belize…), isn’t it?
  3. Follows data across all assets | DDR doesn’t start in one box (say OneDrive) and then picks its job back up again when the data has landed in another box (say the corporate email server). Instead, it follows all the steps in between, and it follows the data itself.
  4. Real-time exfiltration protection | By alerting teams at the first sign of trouble (instead of the last) DDR gives SOCs a fighting chance of stopping the threat in real-time.
  5. Data-centric approach | By connecting monitoring, alerts, and additional protections to the actual data, DDR gives organizations more accurate data classification and more gapless coverage.

The second benefit is what we’ll be focusing on today.

DDR Knows What Your Data Did Last Summer

Then, along came a revolutionary idea. What if we don’t protect the boxes but rather the data itself? DDR would, in effect, “tag” data so that a GPS-type homing beacon would keep a gapless record of where it went, who accessed it, what they did with it, and (with the help of some cyber sleuthing) perhaps why.

The most important thing is that DDR enables teams to chart the safe route for certain types of sensitive data (as classified by the team) and deny any “funny business” attempted with said data beyond that. And the proof is in where the data goes, not where it sleeps at night.

As Data Detection and Response provider Cyberhaven explains,

“Data sitting on a file server, or in a Google Drive folder, or in a Snowflake database untouched for months or even years doesn’t have much insider risk until an employee does something with it… When an employee accesses that data on the file server, tries to share the Google Drive folder, or exports data from Snowflake, that’s when the risk to data increases. Data Detection and Response relies on real-time monitoring, detection of risks, and response to better protect data.”

Spotting Data Fouls in Real-Time

Knowing where exactly your data is getting off to is advantageous for several reasons, but perhaps none so important as being able to spot threats to your data in real-time. If SOCs receive an alert that an employee is trying to send confidential merger documents to their personal email, teams will be made aware of the attempt as it is happening, giving them a chance to respond.

Notifying a SOC that a sensitive repository has been breached is important, but it is not as important as letting them know when any data has left that repository. Conversely, an employee may send sensitive financial data to their personal cloud repository without ever having breached a protected system to get it – perhaps they are in finance and have legitimate access to the database.

Being able to spot real-time data fouls is a key advantage that DDR brings to the table, and the fact that these errors are being caught right at the cusp of an obviously illicit activity is itself a vetting system that prevents false positives.
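The real-time check this section describes, written out as an added example rather than any vendor’s code: data objects are labelled by lineage (the system they were first pulled from), the label follows copies and renames, and every movement is judged against a per-label destination policy as it happens, so the alert fires at the first wrong step rather than after the data has landed somewhere it should not be. The systems, domains, users and events below are constructed placeholders, and the policy shape (allowed destination suffixes per label) is an assumption of this example, not a standard.

```python
"""Data-in-motion monitor in the DDR style: label by lineage, check each move.

Added example, not a product's code. All systems, users and events are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str                         # download | copy | email | upload | share
    object_id: str
    source: str                         # system or host the bytes came from
    destination: str                    # host, domain or mailbox domain they go to
    new_object_id: Optional[str] = None  # set for copy/rename actions


# Classification by origin: where the data was born decides its label.
ORIGIN_LABELS = {
    "finance-warehouse.corp.example.com": "confidential",
    "hr-db.corp.example.com": "restricted",
    "wiki.corp.example.com": "internal",
}

# Destination suffixes each label may travel to. Labels absent here
# (e.g. "public") are unconstrained.
POLICY = {
    "restricted": ("hr-db.corp.example.com",),
    "confidential": ("corp.example.com",),
    "internal": ("corp.example.com",),
}


def _within(destination, suffix):
    """True if destination is the suffix itself or a subdomain/host under it."""
    return destination == suffix or destination.endswith("." + suffix)


class DataMotionMonitor:
    def __init__(self, origin_labels, policy):
        self.origin_labels = origin_labels
        self.policy = policy
        self.lineage = {}  # object_id -> label, filled in as objects are first seen

    def _label(self, ev):
        label = self.lineage.get(ev.object_id)
        if label is None:
            label = self.origin_labels.get(ev.source, "public")
            self.lineage[ev.object_id] = label
        return label

    def process(self, ev):
        """Check one movement as it happens; return an alert dict or None."""
        label = self._label(ev)
        if ev.action == "copy" and ev.new_object_id:
            self.lineage[ev.new_object_id] = label  # label survives the rename/copy
        allowed = self.policy.get(label)
        if allowed is None or any(_within(ev.destination, s) for s in allowed):
            return None
        return {"ts": ev.ts, "user": ev.user, "object": ev.object_id, "label": label,
                "action": ev.action, "destination": ev.destination}


def run(events, origin_labels=ORIGIN_LABELS, policy=POLICY):
    """Feed events in order and collect the alerts raised along the way."""
    mon = DataMotionMonitor(origin_labels, policy)
    return [a for a in (mon.process(e) for e in events) if a]


# Constructed event stream: a finance model is renamed, mailed internally, then
# mailed to a personal mailbox; a public press release goes to a personal drive.
SAMPLE_EVENTS = [
    Event("09:01", "alice", "download", "q3-merger-model.xlsx",
          "finance-warehouse.corp.example.com", "laptop-alice.corp.example.com"),
    Event("09:05", "alice", "copy", "q3-merger-model.xlsx",
          "laptop-alice.corp.example.com", "laptop-alice.corp.example.com",
          new_object_id="notes.xlsx"),
    Event("09:07", "alice", "email", "notes.xlsx",
          "laptop-alice.corp.example.com", "corp.example.com"),
    Event("09:12", "alice", "email", "notes.xlsx",
          "laptop-alice.corp.example.com", "personal-mail.example.net"),
    Event("10:30", "dave", "upload", "press-release.pdf",
          "marketing-site.example.com", "drive.example.net"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The renamed copy is the point of the lineage map: a box-centric control looking at `notes.xlsx` in a mailbox sees an unremarkable spreadsheet, while the monitor still knows it was born in the finance warehouse and raises the alert on the 09:12 send, not on a later audit.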

In today’s data-centric world, it is becoming necessary to keep closer and closer tabs on our information. With the risk of insider threats high – Verizon estimates nearly one in five breaches originate from the inside – and the threat of ever more subtle external tactics, it is more important than ever to not look at only boxes and buckets but the data itself – and most importantly, what people are doing with it.  

Speaking of zero trust, Dave Lewis, the global advisory CISO for Duo Security, offered some words of advice that could sum up the rationale of DDR in a soundbite: “Don’t trust something simply because it’s inside your firewall — there’s no reason for that.” Or, inside any of your access-controlled spaces, we might add. Instead, he suggests, “Assume everything’s on fire.” And more often than you want to, you’ll be right.

However, DDR is one of the only tools on the market that can track the fire at its impetus, and that’s wherever data made its first wrong step.

About the Author Katrina Thompson: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.  


Pierluigi Paganini

(SecurityAffairs – hacking, DDR Advantage)

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

27 March 2024 at 15:11

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint vulnerability disclosed at Pwn2Own 2023 to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-24955 Microsoft SharePoint Server Code Injection Vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft addressed the remote code execution flaw in SharePoint Server, tracked as CVE-2023-24955 (CVSS Score 7.2), in May 2023. The Star Labs team demonstrated the vulnerability at the Pwn2Own Vancouver 2023 hacking competition. The vulnerability was part of an exploit chain that allowed the white hat hackers to obtain code execution on the target server.

“In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server.” reads the advisory published by Microsoft.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 16, 2024.

This week, CISA also added the following vulnerabilities to its catalog:

  • CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 Nice Linear eMerge E3-Series OS Command Injection Vulnerability
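Turning the BOD 22-01 due dates into a routine check, as an added example that is neither CISA’s tooling nor the article’s own: the entries below use the field names of the public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dueDate), the April 16, 2024 due date for CVE-2023-24955 comes from the article, and the other due dates, the asset inventory and the check date are constructed placeholders.

```python
"""Match an asset inventory against KEV entries and report BOD 22-01 due dates.

Added example; not CISA tooling. Fetching the live feed is left to the caller.
"""
from datetime import date

# Constructed KEV-style entries. Field names follow the public KEV JSON feed;
# only CVE-2023-24955's due date is the one given in the article, the other
# due dates are placeholders for this example, not values from the catalog.
SAMPLE_KEV = [
    {"cveID": "CVE-2023-24955", "vendorProject": "Microsoft", "product": "SharePoint Server",
     "vulnerabilityName": "Microsoft SharePoint Server Code Injection Vulnerability",
     "dueDate": "2024-04-16"},
    {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "vulnerabilityName": "Fortinet FortiClient EMS SQL Injection Vulnerability",
     "dueDate": "2024-04-15"},  # placeholder
    {"cveID": "CVE-2021-44529", "vendorProject": "Ivanti",
     "product": "Endpoint Manager Cloud Service Appliance (EPM CSA)",
     "vulnerabilityName": "Ivanti EPM CSA Code Injection Vulnerability",
     "dueDate": "2024-04-15"},  # placeholder
    {"cveID": "CVE-2019-7256", "vendorProject": "Nice", "product": "Linear eMerge E3-Series",
     "vulnerabilityName": "Nice Linear eMerge E3-Series OS Command Injection Vulnerability",
     "dueDate": "2024-04-15"},  # placeholder
]

# Constructed asset list: (vendor, product) pairs as your CMDB might export them.
SAMPLE_INVENTORY = [
    ("Microsoft", "SharePoint Server"),
    ("Fortinet", "FortiClient EMS"),
    ("ExampleVendor", "ExampleProduct"),
]


def match_inventory(kev_entries, inventory):
    """KEV entries whose vendor/product pair appears in the inventory (case-insensitive)."""
    installed = {(v.casefold(), p.casefold()) for v, p in inventory}
    return [e for e in kev_entries
            if (e["vendorProject"].casefold(), e["product"].casefold()) in installed]


def remediation_status(kev_entries, inventory, today):
    """One row per matched entry with days left until the KEV due date, soonest first."""
    rows = []
    for e in match_inventory(kev_entries, inventory):
        due = date.fromisoformat(e["dueDate"])
        days_left = (due - today).days
        rows.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "dueDate": e["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in remediation_status(SAMPLE_KEV, SAMPLE_INVENTORY, date.today()):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]}d left'
        print(f'{row["cveID"]:16} {row["product"]:45} due {row["dueDate"]} ({flag})')
```

The KEV feed carries no version ranges, so a vendor/product match means “you run this product, read the vendor advisory and confirm the patch level,” not “you are vulnerable”; the value of the check is the deadline it attaches to that work.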


Pierluigi Paganini

(SecurityAffairs – Hacking, CISA)

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

27 March 2024 at 20:33

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening to leak three terabytes of alleged stolen data.

The INC Ransom extortion gang added the National Health Service (NHS) of Scotland to the list of victims on its Tor leak site. The cybercrime group claims to have stolen three terabytes of data and is threatening to leak it.

Scotland’s NHS, or National Health Service, is the publicly funded healthcare system serving Scotland. It provides a wide range of healthcare services, including hospitals, general practitioners (GPs), mental health services, and community healthcare. The Scottish Government oversees the NHS in Scotland, and it operates separately from the NHS systems in England, Wales, and Northern Ireland.

“3 terabytes of data will be published soon. NHSScotland currently employs approximately 140,000 staff who work across 14 territorial NHS Boards, seven Special NHS Boards and one public health body. Each NHS Board is accountable to Scottish Ministers, supported by the Scottish Government Health and Social Care Directorates. Territorial NHS Boards are responsible for the protection and the improvement of their population’s health and for the delivery of frontline healthcare services. Special NHS Boards support the regional NHS Boards by providing a range of important specialist and national services.” reads the announcement published by the INC Ransom group.

The group published images of medical documents as proof of the hack and will publish the stolen data if the NHS does not pay the ransom.


The cyber attack occurred on March 15, 2023.

“Meanwhile, work continues to assess the consequences of the incursion into NHS systems, and the concern that those responsible may have acquired a significant amount of data including patient and staff-specific information.” reads the incident notice initially published by the company.

NHS Dumfries and Galloway has confirmed that crooks obtained at least a “limited amount” of patient data following the cyberattack.

“We absolutely deplore the release of confidential patient data as part of this criminal act,” said the chief executive of the NHS board, Jeff Ace. “This information has been released by hackers to evidence that this is in their possession. We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish government and other agencies in response to this developing situation.” “NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

Ace confirmed that the National Health Service (NHS) of Scotland will notify impacted patients.

“This incident remains contained to NHS Dumfries and Galloway and there have been no further incidents across NHS Scotland as a whole.” a spokesperson for the Scottish government told The Guardian.

“The Scottish government is working with the health board, Police Scotland and other agencies, including the National Crime Agency and National Cyber Security Centre, to assess the level of this breach and the possible implications for individuals concerned.”

INC Ransom has been active since 2023 and has claimed responsibility for the breach of at least 65 organizations to date.

The victims of the group include Xerox Corp and the Ejército del Perú.


Pierluigi Paganini

(SecurityAffairs – hacking, National Health Service (NHS) of Scotland)


Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

28 March 2024 at 00:38

Google addressed two zero-day vulnerabilities in the Chrome web browser that were demonstrated during Pwn2Own Vancouver 2024.

Google addressed several vulnerabilities in the Chrome web browser this week, including two zero-day vulnerabilities, tracked as CVE-2024-2886 and CVE-2024-2887, which were demonstrated during the Pwn2Own Vancouver 2024 hacking competition.

The high-severity vulnerability CVE-2024-2886 is a use-after-free issue in WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during Pwn2Own 2024.

The high-severity vulnerability CVE-2024-2887 is a type confusion issue in WebAssembly. Manfred Paul demonstrated the vulnerability during Pwn2Own 2024.

Google also addressed the following vulnerabilities:

  • [$10000][327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
  • [TBD][328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11

“The Stable channel has been updated to 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log,” reads the advisory published by the IT giant.

The IT giant did not reveal if the vulnerabilities have been actively exploited in the wild.

Mozilla last week addressed two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition.

The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, tracked as CVE-2024-29944 and CVE-2024-29943.

On Day Two, Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.

Below is the description of both issues. According to the advisory, CVE-2024-29944 affects desktop Firefox only and does not affect mobile versions of Firefox:

  • CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.
  • CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. 

Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to address both issues.


Pierluigi Paganini

(SecurityAffairs – hacking, Google)

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

28 March 2024 at 12:14

Google’s Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively exploited zero-day vulnerabilities in 2023.

Google’s Threat Analysis Group (TAG) and its subsidiary Mandiant reported that 97 zero-day vulnerabilities were exploited in attacks in 2023, up from 62 in 2022.

In 2023, Google (TAG) and Mandiant discovered 29 out of 97 vulnerabilities exploited in the wild.

In 2023, the researchers observed 36 zero-day vulnerabilities exploited in the wild targeting enterprise-specific technologies, while 61 vulnerabilities affected end-user platforms and products such as mobile devices, operating systems, browsers, and other applications.


The researchers reported that investments in exploit mitigations across browsers and operating systems are impacting the offensive capabilities of threat actors.

Of the eight in-the-wild zero-day issues targeting Chrome in 2023, none affected the Document Object Model (DOM) and none were use-after-free issues.

“In 2023 there were no use-after-free vulnerabilities exploited in Chrome for the first time since we began seeing Chrome zero days in-the-wild. Both Chrome and Safari have made exploiting JavaScript Engine vulnerabilities more complex through their V8 heap sandbox and JITCage respectively. Exploits must now include bypasses for these mitigations instead of just exploiting the bug directly.” reads the report published by Google TAG.

The researchers reported that Lockdown mode on iOS makes it difficult for attackers to exploit zero-day flaws.

In 2023, the researchers observed a surge in zero-day vulnerabilities in third-party components and libraries that can impact all products that use them.

In 2023, the researchers attributed a combined total of 48 out of 58 zero-day vulnerabilities to commercial surveillance vendors (CSVs) and government espionage actors, while 10 zero-day flaws were attributed to financially motivated actors.

The financially motivated threat actors exploited a total of ten zero-day vulnerabilities, and the cybercrime group FIN11 was one of the most active with the active exploitation of three separate zero-day flaws. The researchers also tracked at least four ransomware groups exploiting four zero-day vulnerabilities.

“FIN11 appears to have invested heavily in zero-day exploitation in the last several years. From late 2020 to early 2021, the group also exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), demonstrating a years-long focus by these actors on identifying and exploiting zero-days. Additionally, we tracked the exploitation of four additional zero-day vulnerabilities by four ransomware families in 2023.” continues the report.

China made the headlines because Chinese government-linked APT groups exploited 12 zero-day vulnerabilities in 2023, a notable increase from seven in 2022.

“While it is near impossible to predict the number of zero-days for 2024, it remains clear that the pace of zero-day discovery and exploitation will likely remain elevated when compared to pre-2021 numbers. Regardless of the number, it is clear that the steps we as security researchers and product vendors are taking are having an impact on attackers. However, we must recognize that our successes will likely manifest as actors increasingly targeting wider and more varied products, as the tried and true methods increasingly become less viable.” concludes the report. “Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation.”


Pierluigi Paganini

(SecurityAffairs – Hacking, zero-day vulnerabilities)
