Today — 27 October 2021: General Security News

The 9th edition of the ENISA Threat Landscape (ETL) report is out!

27 October 2021 at 13:47

I’m proud to announce the release of the 9th edition of the ENISA Threat Landscape (ETL) on the state of the cybersecurity threat landscape.

The European Union Agency for Cybersecurity (ENISA) has released its ENISA Threat Landscape 2021 (ETL) report, the annual analysis of the state of the cybersecurity threat landscape.

This edition covers events and analyses related to the period from April 2020 to July 2021.

The bad news is that cybersecurity threats are on the rise, and ransomware attacks rank as the prime threat for the period. Supply-chain attacks also rank among the most dangerous threats because of their catastrophic cascading effects. The document identifies threats, attack techniques, notable incidents, and related trends, and it also provides recommendations to mitigate the risk of exposure.

“Given the prominence of ransomware, having the right threat intelligence at hand will help the whole cybersecurity community to develop the techniques needed to best prevent and respond to such type of attacks. Such an approach can only rally around the necessity now emphasised by the European Council conclusions to reinforce the fight against cybercrime and ransomware more specifically.” states EU Agency for Cybersecurity Executive Director, Juhan Lepassaar.

The level of sophistication of attacks and their impact continue to increase. The experts highlight a growing attack surface of organizations due to their ever-expanding online presence.

Below are the 9 threat groups analyzed in detail in the report over the reporting period:

  1. Ransomware;
  2. Malware;
  3. Cryptojacking;
  4. E-mail related threats;
  5. Threats against data;
  6. Threats against availability and integrity;
  7. Disinformation – misinformation;
  8. Non-malicious threats;
  9. Supply-chain attacks.

Key trends

The COVID-19 crisis created opportunities for adversaries, who used the pandemic as a dominant lure in email attack campaigns, for instance. Monetisation appears to be the main driver of such activities.

The techniques that threat actors are resorting to are numerous. The non-exhaustive list below presents some of the most prevalent ones identified in the report, across all threats:

  • Ransomware as a Service (RaaS)-type business models;
  • Multiple extortion ransomware schemes;
  • Business Email Compromise (BEC);
  • Phishing-as-a-service (PhaaS);
  • Disinformation-as-a-Service (DaaS) business model; etc.

The report has been drawn up with the support of the ENISA Cyber Threat Landscapes Working Group (CTL working group).

The report is based on open-source analysis, expert opinions, intelligence reports, incident analysis and security research reports.

Enjoy the report:

ENISA Threat Landscape Report 2021

ENISA Threat Landscape Supply Chain

ENISA Threat Landscape Report 2020

Infographic Threat Landscape Mapping during COVID-19

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, threat landscape)

The post The 9th edition of the ENISA Threat Landscape (ETL) report is out! appeared first on Security Affairs.

Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike

27 October 2021 at 13:47
A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems. "These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed

[eBook] The Guide to Centralized Log Management for Lean IT Security Teams

27 October 2021 at 13:03
One of the side effects of today’s cyber security landscape is the overwhelming volume of data security teams must aggregate and parse. Lean security teams don’t have it any easier, and the problem is compounded if they must do it manually. Data and log management are essential for organizations to gain real-time transparency and visibility into security events.  XDR provider Cynet has offered

Cyber Attack in Iran Reportedly Cripples Gas Stations Across the Country

27 October 2021 at 11:16
A cyber attack in Iran left petrol stations across the country crippled, disrupting fuel sales and defacing electronic billboards to display messages challenging the regime's ability to distribute gasoline. Posts and videos circulated on social media showed messages that said, "Khamenei! Where is our gas?" — a reference to the country's supreme leader Ayatollah Ali Khamenei. Other signs read, "

North Korea-linked Lazarus APT targets the IT supply chain

27 October 2021 at 09:03

The North Korea-linked Lazarus APT group is extending its operations and has started targeting the IT supply chain.

The North Korea-linked Lazarus APT group is now also targeting the IT supply chain, researchers from Kaspersky Lab warn.

The activity of the Lazarus APT group surged in 2014 and 2015, when its members mostly used custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber-espionage campaigns and sabotage operations aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

The APT group used a new variant of the BLINDINGCAN backdoor in attacks aimed at a Latvian IT vendor and a South Korean think tank, in May and June respectively.

The nation-state actor also used its multi-platform MATA malware framework.

The MATA framework can target Windows, Linux, and macOS systems, and it implements a wide range of features that allow the attackers to fully control infected hosts.

According to the experts from Kaspersky that first analyzed the framework, the MATA campaign has been active at least since April of 2018.

Kaspersky experts reported that the Lazarus APT is building supply-chain attack capabilities with an updated DeathNote (aka Operation Dream Job) malware cluster, an updated variant of the BlindingCan RAT. The use of the BlindingCan RAT was first documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in August 2020. BlindingCan was employed in attacks on US and foreign companies operating in the military defense and aerospace sectors.

The BLINDINGCAN RAT implements the following built-in functions:

  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • Get operating system (OS) version information
  • Get Processor information
  • Get system name
  • Get local IP address information
  • Get the victim’s media access control (MAC) address.
  • Create, start, and terminate a new process and its primary thread
  • Search, read, write, move, and execute files
  • Get and modify file or directory timestamps
  • Change the current directory for a process or file
  • Delete malware and artifacts associated with the malware from the infected system

The CISA MAR provided indicators of compromise (IoCs), Yara rules, and other technical information that system administrators can use to discover compromised systems within their networks.

“Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case, we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.” reads the report published by Kaspersky.

This is the first IT supply chain attack conducted by Lazarus that was documented by Kaspersky researchers.

Ariel Jungheit from Kaspersky’s Global Research and Analysis Team (GReAT) explained the dangers of supply chain attacks like the SolarWinds hack and warned of nation-state actors investing in such capabilities.

“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year,” Jungheit said. “With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front.”


Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

The post North Korea-linked Lazarus APT targets the IT supply chain appeared first on Security Affairs.

Latest Report Uncovers Supply Chain Attacks by North Korean Hackers

27 October 2021 at 07:14
Lazarus Group, the advanced persistent threat (APT) group attributed to the North Korean government, has been observed waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and target a wide range of downstream entities. The latest intelligence-gathering operation involved the use of MATA malware framework as well as backdoors dubbed BLINDINGCAN 

Operations at Iranian gas stations were disrupted today. Cyber attack or computer glitch?

27 October 2021 at 07:08

A cyberattack has disrupted gas stations from the National Iranian Oil Products Distribution Company (NIOPDC) across Iran.

A cyber attack has disrupted gas stations from the state-owned National Iranian Oil Products Distribution Company (NIOPDC) across Iran. The attack also defaced the screens at the gas pumps and gas price billboards.

In multiple cities, the billboards were displaying messages like “Khamenei! Where’s our fuel?” and “Free gas at [local gas station’s name].”

After the attack, the screens at the impacted NIOPDC gas stations were showing the words “cyberattack 64411,” 64411 being the phone number of the office of Supreme Leader Ayatollah Ali Khamenei.

NIOPDC currently manages more than 3,500 gas stations across the country.

The operations at the gas pumps were interrupted immediately after the incident because the employees were not able to charge customers for the fuel they were buying.

Fuel pump display shows "حمله سایبری" which means "Cyber attack" #Iran pic.twitter.com/4AgeiAbixN

— Aleph א (@no_itsmyturn) October 26, 2021

At this time, no one claimed responsibility for the attack, but Iranian authorities speculate the incident was the result of a cyber attack orchestrated by a foreign, hostile state.

Iranian state TV confirmed that the root cause of the incident was a nationwide cyber-attack targeting petrol stations.

Iran's state TV has confirmed reports of a nationwide cyber-attack targeting petrol stations, quoting sources close to the country's Supreme National Security Council. pic.twitter.com/LQheyUe2Qd

— Shayan Sardarizadeh (@Shayan86) October 26, 2021

The message “cyberattack 64411” was also shown on the billboards of Iranian train stations during another attack that took place in July and that hit Iran’s railroad system.

A Ministry of Oil spokesperson downplayed the news of a “cyberattack” and stated that the incident was caused by a software glitch.

At the time of this writing, the operations at the gas stations have resumed.


Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Operations at Iranian gas stations were disrupted today. Cyber attack or computer glitch? appeared first on Security Affairs.

Yesterday — 26 October 2021: General Security News

Dark HunTOR: Police arrested 150 people in dark web drug bust

26 October 2021 at 21:45

Dark HunTOR: Police corps across the world have arrested 150 individuals suspected of buying or selling illicit goods on the dark web marketplace DarkMarket.

A joint international operation, tracked as Dark HunTOR and conducted by law enforcement agencies across the world, resulted in the arrest of 150 suspects allegedly involved in selling and buying illicit goods on the DarkMarket marketplace.

The authorities arrested 65 suspects in the United States, 47 in Germany, 24 in the United Kingdom, 4 in Italy, 4 in the Netherlands, 3 in France, 2 in Switzerland, and one in Bulgaria.

Dark HunTOR operation

DarkMarket, the world’s largest black marketplace on the dark web, was taken offline in January as a result of an international operation conducted by law enforcement from Germany, Australia, Denmark, Moldova, Ukraine, the United Kingdom (the National Crime Agency), and the USA (DEA, FBI, and IRS) with the support of Europol.

The figures related to DarkMarket at the time of the shutdown were impressive:

  • almost 500 000 users;
  • more than 2 400 sellers;
  • over 320 000 transactions;
  • more than 4 650 bitcoin and 12 800 Monero transferred.

At the current exchange rate, the overall transaction volume corresponds to more than €140 million.

The marketplace was an important point of aggregation for online cybercriminals that traded all kinds of drugs, counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware.

The authorities seized more than €26.7 million (USD 31 million) in cash and virtual currencies, as well as 234 kg of drugs and 45 firearms. The police seized 152 kg of amphetamine, 27 kg of opioids and over 25 000 ecstasy pills.

“Operation Dark HunTOR stems from the takedown earlier this year of DarkMarket, the world’s then-largest illegal marketplace on the dark web. At the time, German authorities arrested the marketplace’s alleged operator and seized the criminal infrastructure, providing investigators across the world with a trove of evidence. Europol’s European Cybercrime Centre (EC3) has since been compiling intelligence packages to identify the key targets.” states the press release published by Europol. “As a result, 150 vendors and buyers who engaged in tens of thousands of sales of illicit goods were arrested across Europe and the United States. A number of these suspects were considered as High-Value Targets by Europol.”

Europol says that the Dark HunTOR investigation is still ongoing.

The Italian police also shut down the DeepSea and Berlusconi dark web marketplaces as part of the Dark HunTOR operation. According to the press release, the two marketplaces hosted over 100 000 listings of illegal products. The authorities arrested four administrators and seized €3.6 million in cryptocurrencies.

“The point of operations such as the one today is to put criminals operating on the dark web on notice: the law enforcement community has the means and global partnerships to unmask them and hold them accountable for their illegal activities, even in areas of the dark web,” said Jean-Philippe Lecouffe, Europol’s Deputy Executive Director of Operations.

“The FBI continues to identify and bring to justice drug dealers who believe they can hide their illegal activity through the Darknet,” said FBI Director Christopher A. Wray. “Criminal darknet markets exist so drug dealers can profit at the expense of others’ safety. The FBI is committed to working with our JCODE and EUROPOL law enforcement partners to disrupt those markets and the borderless, worldwide trade in illicit drugs they enable.”


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Dark HunTOR: Police arrested 150 people in dark web drug bust appeared first on Security Affairs.

Expert managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv

26 October 2021 at 19:57

A researcher from the security firm CyberArk has managed to crack 70% of Tel Aviv’s WiFi networks, starting from a sample of 5,000 captured network hashes.

CyberArk security researcher Ido Hoorvitch demonstrated how it is possible to crack WiFi passwords at scale by exploiting a vulnerability that allows an attacker to retrieve a PMKID hash.

Hoorvitch cracked 70% of a 5,000-network sample in Tel Aviv to demonstrate how easy it is to compromise WiFi networks. He first wandered through the city center with WiFi sniffing equipment to gather the 5,000 network hashes used in the research.

The expert gathered the 5,000 WiFi network hashes by strolling the streets of Tel Aviv with simple sniffing equipment: an ALFA Network AWUS036ACH card ($50) that supports monitor mode and packet injection.

The expert used the free and open-source packet analyzer Wireshark running on Ubuntu.

[Figure: Wireshark capture of WiFi traffic]

The PMKID is calculated by applying a hash function to the PMK, the PMK Name, the MAC_AP (the access point’s MAC address) and the MAC_STA (the client’s MAC address).

The PMK is calculated from the following parameters:

  • Passphrase – the WiFi password, hence the part we are really looking for.
  • SSID – the name of the network, freely available in the router beacons (Figure 3).
  • 4096 – a static integer, the same for every PMK.

Hoorvitch used an attack technique devised by Jens “atom” Steube (Hashcat’s lead developer) to retrieve the PMKIDs, from which he derived the passwords.

“All of this changed with the atom’s groundbreaking research, which exposed a new vulnerability targeting RSN IE (Robust Security Network Information Element) to retrieve a PMKID hash (will be explained in a bit) that can be used to crack the target network password. PMKID is a hash that is used for roaming capabilities between APs. The legitimate use of PMKID is, however, of little relevance for the scope of this blog. Frankly, it makes little sense to enable it on routers for personal/private use (WPA2-personal), as usually there is no need for roaming in a personal network.” reads the post published by Hoorvitch.

The attack technique is clientless: an attacker does not need to carry out the attack in real time, but only to capture a single frame and then filter out the wrong passwords and malformed frames that disturb the cracking process.

The expert first used Hashcat’s “mask attack” cracking method, combined with a dictionary plus rules, because many Israeli citizens have the bad habit of using their cellphone numbers as WiFi passwords.

Israeli cellphone numbers have 10 digits and start with 05, so only the remaining 8 digits need to be guessed. Using a standard laptop, Hoorvitch successfully cracked 2,200 passwords at an average speed of nine minutes per password.

“Each digit has 10 options (0-9), hence 10**8 possible combinations. One hundred million seems like a lot of combinations, but our monster rig calculates at the speed of 6819.8 kH/s which translates into 6,819,000 hashes per second.” continues the post. “A cracking rig is not required as my laptop can get to 194.4 kH/s, which translates into 194,000 hashes per second. That equals more than enough computing power to cycle through the possibilities necessary to crack the passwords. Consequently, it took my laptop roughly 9 minutes to break a single WiFi password with the characteristics of a cellphone number. (10**8)/194,000 = ~516 (seconds)/60 = ~9 minutes.”

In a second phase, the expert used a standard dictionary attack technique leveraging the ‘Rockyou.txt’ dictionary.

He cracked another 1,359 passwords using this technique; most of the cracked passwords contained only digits or only lower-case characters.

The expert pointed out that only routers supporting roaming features are vulnerable to the PMKID attack; however, the research demonstrated that routers manufactured by major vendors are affected.

“In total, we cracked more than 3,500 WiFi networks in and around Tel Aviv – 70% of our sample.” concludes the expert. “The threat of a compromised WiFi network presents serious risk to individuals, small business owners and enterprises alike. And as we’ve shown, when an attacker can crack more than 70% of WiFi networks in a major global city with relative ease, greater attention must be paid to protecting oneself.”

Below are the recommendations provided by the expert to help users protect themselves:

  1. Choose a complex password. A strong password should include at least one lower case character, one upper case character, one symbol, one digit. It should be at least 10 characters long. It should be easily remembered and hard to anticipate. Bad example: Summer$021
  2. Change the default username and password of your router.
  3. Update your router firmware version.
  4. Disable weak encryption protocols (such as WEP or WPA1).
  5. Disable WPS.
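As an added example that is not part of the original post or of the CyberArk research, the following Python script generalises the arithmetic quoted above (10**8 candidates divided by 194,000 hashes per second gives roughly 9 minutes) to any password shape and hash rate, and turns the recommendation list into a check. It uses only the figures quoted in the article; the phone-shaped sample password and the short list of predictable words are constructed here for illustration, and a real checker would use a full wordlist such as the rockyou.txt dictionary mentioned in the article.

```python
"""Keyspace and guess-time arithmetic behind the Tel Aviv WiFi research.

Added example, not code from the CyberArk research or the article. It
generalises the quoted calculation to any password shape and hash rate and
checks a password against the five-point recommendation list (length >= 10,
lower, upper, digit, symbol), showing why a policy-compliant password such
as "Summer$021" is still a bad choice.
"""
import string

# Hash rates quoted in the article, in hashes per second.
LAPTOP_RATE = 194_000      # "194.4 kH/s, which translates into 194,000 hashes per second"
RIG_RATE = 6_819_000       # "6819.8 kH/s which translates into 6,819,000 hashes per second"

SYMBOLS = string.punctuation  # the 32 printable ASCII symbols

# Constructed toy list of predictable words; a real checker would use a full
# wordlist such as rockyou.txt, the dictionary used in the second phase.
PREDICTABLE_WORDS = ("summer", "winter", "spring", "autumn", "password", "welcome")
REQUIRED_CLASSES = frozenset({"lower", "upper", "digit", "symbol"})


def phone_number_keyspace(total_digits=10, fixed_prefix_digits=2):
    """Candidates for a phone-number-shaped password with a known prefix.

    Israeli cellphone numbers are 10 digits beginning with 05, so only the
    remaining 8 digits are unknown: 10**8 candidates.
    """
    return 10 ** (total_digits - fixed_prefix_digits)


def pattern_keyspace(length, lower=False, upper=False, digit=False, symbol=False):
    """Candidates for an unstructured password drawn from the chosen classes."""
    alphabet = ((26 if lower else 0) + (26 if upper else 0)
                + (10 if digit else 0) + (len(SYMBOLS) if symbol else 0))
    return alphabet ** length


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at the given hash rate."""
    return keyspace / hashes_per_second


def minutes_to_exhaust(keyspace, hashes_per_second):
    """Same figure rounded to whole minutes, as the article reports it."""
    return round(seconds_to_exhaust(keyspace, hashes_per_second) / 60)


def character_classes(password):
    """Which of the four recommended character classes the password uses."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in SYMBOLS:
            classes.add("symbol")
    return classes


def check_password(password):
    """Apply the article's policy, then the pattern checks it motivates.

    Returns {"meets_policy": bool, "weaknesses": [str]}. A password can meet
    the policy and still carry weaknesses that a rules-based dictionary
    attack exploits, which is exactly the "Summer$021" case.
    """
    weaknesses = []
    if len(password) < 10:
        weaknesses.append("shorter than 10 characters")
    for missing in sorted(REQUIRED_CLASSES - character_classes(password)):
        weaknesses.append(f"no {missing} character")
    meets_policy = not weaknesses

    if password.isdigit():
        weaknesses.append("digits only: guessable like a phone number")
    lowered = password.lower()
    for word in PREDICTABLE_WORDS:
        if word in lowered:
            weaknesses.append(f"contains predictable word {word!r}")
            break
    return {"meets_policy": meets_policy, "weaknesses": weaknesses}


if __name__ == "__main__":
    # 10**8 candidates at laptop speed reproduces the article's ~9 minutes.
    ks = phone_number_keyspace()
    print(f"phone-number shape: {ks:,} candidates, "
          f"{seconds_to_exhaust(ks, LAPTOP_RATE):.0f} s on the laptop "
          f"({minutes_to_exhaust(ks, LAPTOP_RATE)} min), "
          f"{seconds_to_exhaust(ks, RIG_RATE):.0f} s on the rig")
    # Brute force over all four classes is hopeless for 10 characters ...
    full = pattern_keyspace(10, lower=True, upper=True, digit=True, symbol=True)
    print(f"10-char, four classes: {full:.2e} candidates, "
          f"{seconds_to_exhaust(full, RIG_RATE) / 86400 / 365:.1e} years on the rig")
    # ... yet the policy-compliant bad example still fails the pattern checks.
    # "0541234567" is a constructed phone-shaped sample, not a real number.
    for pw in ("0541234567", "Summer$021"):
        print(pw, check_password(pw))
```

The keyspace functions show why the cellphone-number habit is so damaging: the known 05 prefix cuts the search to 10**8 candidates, which a laptop exhausts in minutes, while the same laptop would need ages to brute-force a 10-character password over four classes. The checker shows the other side of the coin: “Summer$021” satisfies every rule in the list yet contains a dictionary word, so class rules alone are no substitute for an unpredictable passphrase.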


Pierluigi Paganini

(SecurityAffairs – hacking, WiFi)

The post Expert managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv appeared first on Security Affairs.

FBI Raids Chinese Point-of-Sale Giant PAX Technology

26 October 2021 at 17:30

U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.

FBI agents entering PAX Technology offices in Jacksonville today. Source: WOKV.com.

Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla.-based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.

In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.

Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.

According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

The source was unable to share specific details about the strange network activity that prompted the FBI’s investigation. But it should be noted that point-of-sale terminals and the technology that supports them are perennial targets of cybercriminals.

It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Indeed, some of history’s largest cyberheists involved point-of-sale malware, including the 2008 breach at Heartland Payment Systems that exposed 100 million payment cards, and the 2013-2014 string of breaches at Target, Home Depot and elsewhere that led to the theft of roughly another 100 million cards.

Even if it were publicly proven today that the company’s technology was in fact a security risk, my guess is few retailers would be quick to do much about it in the short run. The investigation into PAX Technology comes at a dicey time for retailers, many of whom are gearing up for the busy holiday shopping season. What’s more, global computer chip shortages are causing lengthy delays in procuring new electronics.

Ranzy Locker ransomware hit tens of US companies in 2021

26 October 2021 at 14:54

The FBI published a flash alert to warn of the activity of the Ranzy Locker ransomware that had already compromised tens of US companies.

The FBI published a flash alert to warn of Ranzy Locker ransomware operations that had already compromised at least 30 US companies this year.

The gang has been active since at least 2020, and the threat actors have hit organizations across various industries.

“Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.” reads the flash alert.

The most common attack vector used by the Ranzy Locker ransomware operators is brute-force attempts against Remote Desktop Protocol (RDP) credentials. In recent attacks, the group also exploited known Microsoft Exchange Server vulnerabilities and used phishing messages to target computer networks.

Once inside the target network, the ransomware gang attempts to locate sensitive data, including customer information, files containing PII, and financial records. The Ranzy Locker ransomware targets Windows systems, including servers and virtual machines.

In some cases the group adopted a double-extortion model, threatening to leak the stolen data if the victims do not pay the ransom.

The flash alert also includes indicators of compromise (IOCs) associated with Ranzy Locker operations and Yara rules to detect the threat.

Below are the recommended mitigations included in the alert:

  • Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.


Pierluigi Paganini

(SecurityAffairs – hacking, Ranzy Locker ransomware)

The post Ranzy Locker ransomware hit tens of US companies in 2021 appeared first on Security Affairs.

Over 10 Million Android Users Targeted With Premium SMS Scam Apps

26 October 2021 at 11:18
A global fraud campaign has been found leveraging 151 malicious Android apps with 10.5 million downloads to rope users into premium subscription services without their consent and knowledge. The premium SMS scam campaign — dubbed "UltimaSMS" — is believed to have commenced in May 2021 and involved apps that cover a wide range of categories, including keyboards, QR code scanners, video and photo

UltimaSMS subscription fraud campaign targeted millions of Android users

26 October 2021 at 08:32

UltimaSMS, a massive fraud campaign, is using Android apps with millions of downloads to subscribe victims to premium subscription services.

Researchers from Avast have uncovered a widespread premium SMS scam on the Google Play Store, tracked as UltimaSMS after the first app they discovered, Ultima Keyboard 3D Pro.

Threat actors used at least 151 Android apps with 10.5 million downloads from over 80 countries to subscribe victims to premium subscription services.

Attackers used fake photo editors, spam call blockers, camera filters, games, and other apps, and promoted them via Instagram and TikTok channels.

Most of the downloads were made by users in the Middle East, such as Egypt, Saudi Arabia, and Pakistan.

Once installed, the apps check the device’s location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam. When the victim opens the app, it displays a screen asking for their phone number and, in some cases, email address in order to access the app’s advertised service or product.

“Upon entering the requested details, the user is subscribed to premium SMS services that can charge upwards of $40 per month depending on the country and mobile carrier. Instead of unlocking the apps’ advertised features, which users might assume should happen, the apps will either display further SMS subscriptions options or stop working altogether.” reads the analysis published by Avast. “The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions”

Once the app has obtained the required permissions, it subscribes the victim to an SMS service that can cost up to $40 per month depending on the country and mobile carrier.

[Figure: UltimaSMS scam app screen]

Avast shared its findings with Google, which quickly removed the apps. According to the experts, the operators behind this campaign are racking up thousands of dollars in charges.

Experts recommend that users disable the premium SMS option with their carrier and avoid entering a phone number unless they trust the app.

Mobile users are advised to read the fine print before entering details and carefully check reviews before installing an app.

Recently, security researchers from Zimperium have uncovered a piece of malware, dubbed GriftHorse, that was used for a similar purpose and that has infected more than 10 million Android smartphones across more than 70 countries.


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post UltimaSMS subscription fraud campaign targeted millions of Android users appeared first on Security Affairs.

Malicious Firefox Add-ons Block Browser From Downloading Security Updates

26 October 2021 at 07:41
Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that were found misusing the Proxy API to impede downloading updates to the browser. The two extensions in question, named Bypass and Bypass XM, "interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely

Kansas Man pleads guilty to hacking the Post Rock Rural Water District

26 October 2021 at 06:51

Kansas man Wyatt Travnichek admitted in court to tampering with the computer systems at the Post Rock Rural Water District.

Kansas man Wyatt A. Travnichek pleaded guilty to tampering with the computer system at a drinking water treatment facility at the Post Rock Rural Water District. The man also pleaded guilty to one count of reckless damage to a protected computer system during unauthorized access. 

In April, the United States Department of Justice charged Wyatt A. Travnichek, of Ellsworth County, Kansas, for accessing and tampering with the computer system of the Ellsworth County Rural Water District.

Travnichek accessed the computer systems of the Public Water System on or about March 27, 2019, without authorization.

Travnichek worked for the Ellsworth County Rural Water District for roughly one year; his duties included remotely monitoring the plant by accessing the Post Rock computer system.

Once he gained access to the public water system, the man allegedly performed malicious actions that halted processes at the facility, affecting the cleaning and disinfecting procedures.

The attack against the critical infrastructure posed a serious risk to the safety and health of an entire community.

According to the indictment, the man hacked the system with the intent to harm the Ellsworth Rural Water District No. 1, aka Post Rock Rural Water District.

The Kansas man used his cell phone to access the computer systems of the Public Water System, but at the time he declared that on the night of the incident (March 27, 2019) he was intoxicated and was able to explain what had really happened.

“Ensuring the security of our nation’s cyber infrastructure is one of the FBI’s top priorities and the plea underscores the joint dedication to that effort by the FBI, EPA and the Kansas Bureau of Investigation. There is no doubt that Travnichek’s intentional actions directly placed the public in harm’s way. The plea should send a clear message to anyone who attempts to tamper with public facilities – law enforcement will remain resolute in investigating any and all threats that put the public’s health at risk,” said FBI Special Agent in Charge Charles Dayoub.

“Protecting America’s drinking water is a top EPA priority,” said Special Agent in Charge Lance Ehrig of the EPA’s Criminal Investigation Division in Kansas. “EPA will continue our focused efforts with DOJ and the states as we investigate and pursue any threats that might be directed toward vital community drinking water resources.”

The EPA and the FBI recommend a sentence of 12 months and one day in prison.

Pierluigi Paganini

The post Kansas Man pleads guilty to hacking the Post Rock Rural Water District appeared first on Security Affairs.

Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware

25 October 2021 at 21:13

An unknown ransomware gang leverages a critical SQL injection flaw in the BillQuick Web Suite time and billing solution to deploy ransomware.

An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular BillQuick Web Suite time and billing software to deploy ransomware.

The attacks were first spotted this month by researchers from security firm Huntress, who were also able to reproduce the exploit. The ransomware gang exploited the CVE-2021-42258 flaw to gain access to the computer network of a US engineering company and deploy ransomware.

BQE claims a user base of 400,000 users worldwide, which is why this campaign alarms the experts.

“Hackers were able to successfully exploit CVE-2021-42258—using it to gain initial access to a US engineering company—and deploy ransomware across the victim’s network.” reads the post published by Huntress Labs. “Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.”

The researchers demonstrated that, to trigger the vulnerability, an attacker could navigate to the login page and enter a single quote ('). The experts also noticed that the error handlers for this page display a full traceback, which could contain sensitive information about the server-side code.
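To make the two findings concrete, here is an added Python example; it is not code from BillQuick or from the Huntress write-up. It models a login check against an in-memory SQLite table: `vulnerable_login` splices the username into the SQL text, so a lone single quote leaves the string unterminated and the database raises a syntax error, while `hardened_login` binds the username as a parameter and compares a password hash. `handle_login_request` covers the second point the researchers raised: the traceback goes to the server log, and the client receives only a generic message. The table layout, the account, the fixed demo salt and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import logging
import sqlite3
import traceback

log = logging.getLogger("billing-login-demo")

# Constructed for the demo: real code stores a random salt per user.
SALT = b"constructed-demo-salt"


def hash_pw(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (alice / 'correct horse')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?)", (hash_pw("correct horse"),))
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    # Vulnerable: the username is spliced into the SQL text, so a quote in the
    # input changes the statement itself. A lone quote leaves the string
    # literal unterminated and the database raises a syntax error.
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password_hash = '" + hash_pw(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def hardened_login(conn, username: str, password: str):
    # Hardened: the SQL text is constant and the username travels as a bound
    # parameter, so it can only ever be compared as a value.
    row = conn.execute(
        "SELECT id, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], hash_pw(password)):
        return None
    return row[0]


def handle_login_request(login_fn, conn, username: str, password: str) -> dict:
    """Wrap a login function the way a web handler should: the traceback is
    written to the server log, and the client only sees a generic message."""
    try:
        user_id = login_fn(conn, username, password)
    except sqlite3.Error:
        log.error("login raised a database error:\n%s", traceback.format_exc())
        return {"status": 500, "body": "Internal error, please try again later."}
    if user_id is None:
        return {"status": 401, "body": "Invalid username or password."}
    return {"status": 200, "body": f"welcome, user {user_id}"}


def raises_db_error(fn, *args) -> bool:
    """True when calling fn(*args) raises a database error."""
    try:
        fn(*args)
    except sqlite3.Error:
        return True
    return False


def demo_results() -> dict:
    conn = make_db()
    probe = "'"  # the single-quote input the researchers describe
    return {
        "vulnerable_ok": vulnerable_login(conn, "alice", "correct horse"),
        "vulnerable_quote_raises": raises_db_error(vulnerable_login, conn, probe, "x"),
        "hardened_ok": hardened_login(conn, "alice", "correct horse"),
        "hardened_bad_pw": hardened_login(conn, "alice", "wrong"),
        "hardened_quote": hardened_login(conn, probe, "x"),
        "response_vulnerable_quote": handle_login_request(vulnerable_login, conn, probe, "x"),
        "response_hardened_quote": handle_login_request(hardened_login, conn, probe, "x"),
    }


if __name__ == "__main__":
    for key, value in demo_results().items():
        print(f"{key}: {value}")
```

The same two controls apply to any database driver: parameter binding keeps the SQL text fixed regardless of what the user types, and a handler that maps driver exceptions to a generic response keeps the server-side traceback out of the HTTP reply.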

Huntress Labs reported the flaw to BQE Software that addressed it on October 7.

The experts also found eight other BillQuick zero-day vulnerabilities, tracked as CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741 and CVE-2021-42742.

BleepingComputer speculates that the gang has been spreading this ransomware since at least May 2020 and that it borrows a large portion of its code from other AutoIt-based ransomware families.

“Once deployed on target systems, it will add the [email protected] extension to all encrypted files but, as mentioned above, BleepingComputer has not seen it drop a ransom note during any known attacks.” reported BleepingComputer.

Pierluigi Paganini

The post Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware appeared first on Security Affairs.

Conti Ransom Gang Starts Selling Access to Victims

25 October 2021 at 19:49

The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Conti’s malware who refuse to negotiate a ransom payment are added to Conti’s victim shaming blog, where confidential files stolen from victims may be published or sold. But sometime over the past 48 hours, the cybercriminal syndicate updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.

A redacted screenshot of the Conti News victim shaming blog.

“We are looking for a buyer to access the network of this organization and sell data from their network,” reads the confusingly worded message inserted into multiple recent victim listings on Conti’s shaming blog.

It’s unclear what prompted the changes, or what Conti hopes to gain from the move. It’s also not obvious why they would advertise having hacked into companies if they plan on selling that access to extract sensitive data going forward. Conti did not respond to requests for comment.

“I wonder if they are about to close down their operation and want to sell data or access from an in-progress breach before they do,” said Fabian Wosar, chief technology officer at computer security firm Emsisoft. “But it’s somewhat stupid to do it that way as you will alert the companies that they have a breach going on.”

The unexplained shift comes as policymakers in the United States and Europe are moving forward on efforts to disrupt some of the top ransomware gangs. Reuters recently reported that the U.S. government was behind an ongoing hacking operation that penetrated the computer systems of REvil, a ransomware affiliate group that experts say is about as aggressive and ruthless as Conti in dealing with victims. What’s more, REvil was among the first ransomware groups to start selling its victims’ data.

REvil’s darknet victim shaming site remains offline. In response, a representative for the Conti gang posted a long screed on Oct. 22 to a Russian language hacking forum denouncing the attack on REvil as the “unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.”

“Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action?” reads the Conti diatribe. “Is server hacking suddenly legal in the United States or in any of the US jurisdictions? Suppose there is such an outrageous law that allows you to hack servers in a foreign country. How legal is this from the point of view of the country whose servers were attacked? Infrastructure is not flying there in space or floating in neutral waters. It is a part of someone’s sovereignty.”

Conti’s apparent new direction may be little more than another ploy to bring victim companies to the negotiating table, as in “pay up or someone will pay for your data or long-term misery if you don’t.”

Or maybe something just got lost in the translation from Russian (Conti’s blog is published in English). But by shifting from the deployment of ransomware malware toward the sale of stolen data and network access, Conti could be aligning its operations with many competing ransomware affiliate programs that have recently focused on extorting companies in exchange for a promise not to publish or sell stolen data.

However, as Digital Shadows points out in a recent ransomware roundup, many ransomware groups are finding it difficult to manage data-leak sites, or to host stolen data on the dark web for download.

After all, when it takes weeks to download one victim’s data via Tor — if indeed the download succeeds at all — the threat of leaking sensitive data as a negotiation tactic loses some of its menace. It’s also a crappy user experience. This has resulted in some ransomware groups exposing data using public file-sharing websites, which are faster and more reliable but can be taken down through legal means quite quickly.

Data leak sites also can offer investigators a potential way to infiltrate ransomware gangs, as evidenced by the recent reported compromise of the REvil gang by U.S. authorities.

“On 17 Oct 2021, a representative of the REvil ransomware gang took it to a Russian-speaking criminal forum to reveal that their data-leak sites had been ‘hijacked’,” Digital Shadows’ Ivan Righi wrote. “The REvil member explained that an unknown individual accessed the hidden services of REvil’s website’s landing page and blog using the same key owned by the developers. The user believed that the ransomware gang’s servers had been compromised and the individual responsible for the compromise was ‘looking for’ him.”

A recent report by Mandiant revealed that FIN12 — the group believed to be responsible for both Conti and the Ryuk ransomware operation — has managed to conduct ransomware attacks in less than 3 days, compared to more than 12 days for attacks involving data exfiltration.

Seen through those figures, perhaps Conti is merely seeking to outsource more of the data exfiltration side of the business (for a fee, of course) so that it can focus on the less time-intensive but equally profitable racket of deploying ransomware.

“As Q4 comes near, it will be interesting to see if issues relating to managing data leak sites will discourage new ransomware groups [from pursuing] the path of data-leak sites, or what creative solutions they will create to work around these issues,” Righi concluded. “The Ryuk ransomware group has proven itself to remain effective and a top player in the ransomware threat landscape without the need for a data-leak site. In fact, Ryuk has thrived by not needing a data leak site and data exfiltration.”

A critical RCE flaw affects Discourse software, patch it now!

25 October 2021 at 14:27

US CISA urges administrators to address a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installations.

Discourse is a popular open-source Internet forum and mailing list management application. US CISA published a security advisory urging administrators to fix a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installations. The vulnerability received a CVSS v3 score of 10.0.

“Discourse—an open source discussion platform—has released a security advisory to address a critical remote code execution (RCE) vulnerability (CVE-2021-41163) in Discourse versions 2.7.8 and earlier.” reads the advisory published by the researchers.

The vulnerability was discovered by the researcher joernchen of Phenoelit who also published technical details about the flaw.

CISA recommends that development teams install version 2.7.9 or later, which addresses the vulnerability, or apply the necessary workarounds.

Discourse also published an advisory about the issue: the flaw is a validation bug in the upstream aws-sdk-sns gem that can lead to RCE. An attacker could exploit the vulnerability via a maliciously crafted request.

CVE-2021-41163 has been addressed in the latest stable, beta and tests-passed versions of Discourse. As a workaround, the development team recommends blocking, at an upstream proxy, every request whose path starts with /webhooks/aws.

“In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To workaround the issue without updating, requests with a path starting /webhooks/aws path could be blocked at an upstream proxy.” reads the advisory published by the NIST.
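The workaround quoted above is a path-prefix block at the proxy in front of the application. As an added example that is not code from Discourse or from its advisory, the Python block below expresses that rule as a small WSGI middleware and goes one step further than a plain string comparison: it decodes percent-encoding (a bounded number of times) and collapses repeated slashes and dot-segments before checking the prefix, so that an alternative spelling of the same path is matched as well. The prefix list, the 403 body text and the stub upstream app are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# Assumed for the example: the path prefix the advisory says to block.
BLOCKED_PREFIXES = ("/webhooks/aws",)


def normalize_path(raw_path: str) -> str:
    """Canonical form of a request path for prefix matching: drop the query
    string, decode percent-encoding (repeatedly, bounded), collapse repeated
    slashes and resolve '.' / '..' segments against the root."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded: stops early once decoding is a no-op
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # lstrip + "/" avoids posixpath preserving a POSIX-special leading "//"
    return posixpath.normpath("/" + path.lstrip("/"))


def should_block(raw_path: str) -> bool:
    return normalize_path(raw_path).startswith(BLOCKED_PREFIXES)


def block_aws_webhooks(app):
    """WSGI middleware: refuse matching requests before they reach the app."""
    def middleware(environ, start_response):
        if should_block(environ.get("PATH_INFO", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by the CVE-2021-41163 workaround\n"]
        return app(environ, start_response)
    return middleware


def simulate(path: str) -> str:
    """Push one request through the middleware with a stub upstream app and
    return the HTTP status line that was sent."""
    sent = {}

    def upstream(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"upstream\n"]

    def start_response(status, headers):
        sent["status"] = status

    list(block_aws_webhooks(upstream)({"PATH_INFO": path}, start_response))
    return sent["status"]


if __name__ == "__main__":
    for p in ["/latest", "/webhooks/aws", "/webhooks/aws/topic",
              "/%77ebhooks/aws", "//webhooks/../webhooks/aws"]:
        print(f"{p!r:36} -> {simulate(p)}")
```

A prefix match deliberately covers every sub-path under /webhooks/aws, which is what the advisory asks for; the normalization step matters because a reverse proxy and the application behind it may not agree on how an encoded or dotted path is interpreted, and a filter that only compares raw strings can disagree with the router it is meant to protect.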

A quick search of Discourse installs using the Shodan search engine reveals the existence of 8,639 potentially exploitable systems, most of them in the US.


Pierluigi Paganini

The post A critical RCE flaw affects Discourse software, patch it now! appeared first on Security Affairs.

Red TIM Research found two rare flaws in Ericsson OSS-RC component

25 October 2021 at 13:42

Red Team Research (RTR), the vulnerability research division of the Italian telecommunications firm TIM, found two new vulnerabilities affecting the Ericsson OSS-RC.

What is the OSS (Operations Support System)?

The Operations Support System – Radio and Core (OSS-RC) provides a centralized interface into the radio and core components.

Operations Support Systems are the systems that communication service providers use to operate their networks as an integrated whole.

Consider the activation of a new line for a customer: while the order and customer data are collected through the CRM, the configuration of the network is automated through the OSS.

For example, consider a client who requests the activation of a new telephone line. The CRM system that handles the request gathers the customer's data, but it cannot configure the network to deliver the service. OSSs allow telecommunications carriers to automate this step and to carry out network management operations, such as updating the baseband systems installed on the buildings of our cities.

Unfortunately, OSS systems also represent a single point of failure: a Remote Code Execution (RCE) vulnerability affecting an OSS could allow attackers to compromise all connected systems, including basebands.

The vulnerabilities have been reported to Ericsson by the researchers Alessandro Bosco, Mohamed Amine Ouad, and by the head of laboratory Massimiliano Brolli.

Below is the list of OSS-RC flaws reported to the vendor since 2001 and included in the US National Vulnerability Database: there are only 10, two of which were reported by TIM.

Ericsson Operations Support System OSS-RC vulnerabilities listed in the NVD

Below are the details of the two flaws, as published on the official page of the TIM RTR project.


In OSS-RC systems of release 18B and older, the customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in the new Ericsson library browsing tool ELEX, used in systems such as Ericsson Network Manager.

  • Vulnerability Description: Improper Neutralization of Input During Web Page Generation (‘Reflected Cross-site Scripting’) – CWE-79
  • Software Version: <=18B
  • NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32569
  • CVSSv3: 6.1
  • Severity: Medium
  • Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
  • NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new-generation OSS system which OSS-RC customers shall upgrade to.


In OSS-RC systems of release 18B and older, during data migration procedures, certain files containing usernames and passwords are left undeleted on the system, although only in folders accessible by top-privileged accounts.

  • Vulnerability Description: Incomplete Cleanup – CWE-459
  • Software Version: <=18B
  • NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32571
  • CVSSv3: 4.9
  • Severity: Medium
  • Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
  • NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new-generation OSS system which OSS-RC customers shall upgrade to.
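The second flaw is an instance of incomplete cleanup: a migration step writes credentials to a working file, and a later step is expected to delete it but does not always do so. As an added Python example that is neither Ericsson's nor TIM's code, the block below shows the two controls a defender would want around such a procedure: a staging helper that removes the working file in a `finally` clause, so the file is gone even when the migration fails half-way, and a post-migration audit that walks a directory tree and reports any file that still looks like a credential dump. The file names, directory layout, detection patterns and sample credential lines are all constructed for this example.

```python
import os
import pathlib
import re
import tempfile
from contextlib import contextmanager

# Constructed detection patterns for the audit: a file is flagged when its name
# or the first few KB of its content look like a credential dump.
CRED_NAME = re.compile(r"passw(or)?d|secret|credential", re.I)
CRED_LINE = re.compile(r"^\s*(username|user|password|passwd)\s*[:=]", re.I | re.M)


def looks_like_credential_file(path: pathlib.Path) -> bool:
    if CRED_NAME.search(path.name):
        return True
    try:
        head = path.read_text(errors="replace")[:4096]
    except OSError:
        return False
    return bool(CRED_LINE.search(head))


def audit_leftovers(root) -> list:
    """Paths (relative to root) of files that still look like credential dumps."""
    root = pathlib.Path(root)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and looks_like_credential_file(p)
    )


@contextmanager
def staged_credentials(staging_dir, lines):
    """Write the temporary credential export for a migration step and delete
    it on exit; the finally clause runs even when the step raises."""
    path = pathlib.Path(staging_dir) / "migration_users.tmp"
    path.write_text("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # owner-only for as long as the file exists
    try:
        yield path
    finally:
        path.unlink(missing_ok=True)


def migrate(staging_dir, lines, fail=False) -> int:
    """Toy migration step: counts the staged entries. `fail` simulates a crash
    half-way through, after the file has been written."""
    with staged_credentials(staging_dir, lines) as path:
        count = sum(1 for line in path.read_text().splitlines() if line.strip())
        if fail:
            raise RuntimeError("simulated migration failure")
    return count


def demo() -> dict:
    results = {}
    lines = ["username=alice", "password=constructed-demo-secret"]  # constructed
    with tempfile.TemporaryDirectory() as d:
        results["migrated"] = migrate(d, lines)
        results["leftover_after_success"] = audit_leftovers(d)
        try:
            migrate(d, lines, fail=True)
        except RuntimeError:
            pass
        results["leftover_after_failure"] = audit_leftovers(d)
        # A sloppy step that writes a file and never removes it: this is the
        # case the audit exists to catch.
        sloppy = pathlib.Path(d) / "export" / "step3.dat"
        sloppy.parent.mkdir()
        sloppy.write_text("user: bob\npassword: constructed-demo-secret\n")
        results["leftover_sloppy"] = audit_leftovers(d)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit is intentionally content-based as well as name-based, since a leftover file from a migration tool rarely advertises itself as a password file; the restrictive folder permissions mentioned in the advisory lower the impact but do not remove the need to delete the file.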

Ethics in vulnerability research is especially important in this period: once identified, undocumented vulnerabilities (so-called zero-days) must be reported immediately to the vendor, without releasing public information that would allow Threat Actors (TAs) to actively exploit them on unpatched systems.

The TIM RTR laboratory has already discovered over 60 zero-day issues in the last two years; 4 of these vulnerabilities received a CVSS score of 9.8.

TIM is a leading company in the research of zero-day vulnerabilities and the results demonstrate the success of the RTR project.

Pierluigi Paganini

The post Red TIM Research found two rare flaws in Ericsson OSS-RC component appeared first on Security Affairs.