🔒
There are new articles available, click to refresh the page.
Today — 24 January 2022General Security News

High-Severity Rust Programming Bug Could Lead to File, Directory Deletion

24 January 2022 at 06:53
The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete,

Crooks tampering with QR Codes to steal victim money and info, FBI warns

24 January 2022 at 06:40

The FBI warns that cybercriminals are using malicious QR codes to steal their credentials and financial info.

The Federal Bureau of Investigation (FBI) published a public service announcement (PSA) to warn that cybercriminals are using QR codes to steal their credentials and financial info.

QR codes are widely adopted by businesses to facilitate payment. In a classic use case, a business provides customers with a QR code directing them to a site where they can make a payment.

Crooks can replace the QR code with a tampered one and hijack the sender’s payment.

Unaware people that scan the QR codes are redirected to malicious websites that are crafted to steal login and financial information.

“cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.” reads the FBI’s PSA. “Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information.”

Malicious websites could also deliver malware on the victims’ devices or hijack their payments to accounts under their control.

“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI states. 

The FBI announcement includes tips to protect people from such kind of attacks; feds recommend checking the URL obtained by scanning a QR code to make sure it is the intended site and looks authentic. Threat actors could use a malicious domain name that is similar to the intended URL but with typos or a misplaced letter.

Double-check any site navigated to from a QR code before providing login, personal, or financial information.

If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.

Never download an app from a QR code, avoid making any payment requested through unsolicited email that uses social engineering techniques to trick recipients into scanning the embedded QR code.

Do not download a QR code scanner app from unofficial stores to avoid being infected with tainted apps, most phones today have a built-in scanner through the camera app.

If users will receive a QR code from someone they know, they can reach them via an alternative channel to verify that the code is from them.

Never make payments through a site navigated to from a QR code, it is recommended to manually enter a known and trusted URL to complete the payment.

In November, the FBI Internet Crime Complaint Center (IC3) published an alert to warn the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to complete payment transactions.This payment option makes it quite impossible to recover the money stolen with fraudulent schemes.

QR codes can be used at cryptocurrency ATMs to transfer money to an intended recipient and crooks started using them to receive payments from victims.

Fraudulent schemes include online impersonation in which scammer poses as a familiar entity (i.e. The government, law enforcement, a legal office, or a utility company), romance scams, and lottery schemes (scammer attempt to convince victims that they have won an award).

In all the fraudulent schemes, scammers provide a QR code associated with the scammer’s cryptocurrency wallet that the victim has to use during the transaction. The victims are instructed to make the transition at a physical cryptocurrency ATM where inserting money that can purchase cryptocurrency before transferring them using the provided QR code.

In these schemes, the scammers are in constant online communication with the victims and provide step-by-step instructions to make the payment.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, QR codes)

The post Crooks tampering with QR Codes to steal victim money and info, FBI warns appeared first on Security Affairs.

F5 fixes 25 flaws in BIG-IP, BIG-IQ, and NGINX products

24 January 2022 at 06:15

Cybersecurity provider F5 released security patches to address 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.

Cybersecurity firm F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities (23) addressed by the company affect the BIG-IP application delivery controller (ADC), 13 of them have been rated as high-severity issues (CVSS score 7.5).

The issues received CVEs between CVE-2022-23010 to CVE-2022-23032.

The vulnerabilities can cause the termination of the Traffic Management Microkernel (TMM), can lead to an increase in memory resource utilization, freezing virtual servers, or executing JavaScript code.

F5 addressed the flaws with the release of versions 14.x, 15.x, and 16.x.

The security provider also addressed two high-severity vulnerabilities in BIG-IQ centralized management and NGINX controller API management tracked as CVE-2022-23009 and CVE-2022-23008 respectively.

Regarding the CVE-2022-23008 flaw, an authenticated attacker with access to the ‘user’ or ‘admin’ role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.

All the medium-severity vulnerabilities affect BIG-IP, but the CVE-2022-23023 issue also impacts BIG-IQ as well.

The company has also addressed a low-severity vulnerability, tracked as CVE-2022-23032, that can lead to a DNS rebinding attack.

The United States Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory to encourage administrators to review the F5 security advisory.

“F5 has released its January 2022 Quarterly Security Notification addressing vulnerabilities affecting multiple versions of BIG-IP, BIG-IQ, and NGINX Controller API Management. A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system.” reads the advisory published by CISA.

“CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

The post F5 fixes 25 flaws in BIG-IP, BIG-IQ, and NGINX products appeared first on Security Affairs.

Yesterday — 23 January 2022General Security News

OpenSubtitles data breach impacted 7 million subscribers

23 January 2022 at 19:39

OpenSubtitles has suffered a data breach, the maintainers confirmed that the incident impacted 7 Million subscribers.

OpenSubtitles is a popular subtitles websites, it suffered a data breach that affected 6,783,158 subscribers. Exposed data include email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.

The administrator of the website become aware of the hack after a hacker notified them via Telegram in August 2021 demanding the payment of a ransom. The attacker also offered his support to OpenSubtitles to address the security flaws he has found on the website. Administrators of the website agreed to pay the ransom due to the low amount, but after receiving the ransom, the attackers never helped them to secure the website and on 11 January 2022 they leaked the data online.

The hack is the result of poor cyber security since its launch in 2006, administrator OSS said. It seems that the threat actor exploited a SQL injection to access the database of the website.

“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it.” reads a data breach notification published on the website. “He asked for a BTC ransom to not disclose this to public and promise to delete the data.

“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

The financial data of the subscribers haven’t been compromised by the attacker.

Subscribers are recommended to change opensubtitles.org and opensubtitles.com and forum password. Subscribers that shared opensubtitles.org password somewhere else are recommended to change it as well.

Administrators announced the improvement of the security of the website, including the introduction of new password policy.

“The site SHOULD be more secure now, we improved the way users are connecting to the site, the accounts will be locked after some successful logins, we introduced new password policy, we removed session info from table, IP should not be spoofable anymore, Captchas on login, register, password-reset, CSRF on forms, requests will be cancelled if admins change their IP during session, user passwords are saved in safe form using hash_hmac and sha256 algo with salt and pepper, all md5() passwords are deleted. For IT geeks – yes, we are using password_hash(), with peppered sha256 password, BCRYPT and for verification password_verify()” concludes the notification. “Note that our new site, opensubtitles.com was built with stronger security concerns, and already included all the points described above.”

Subscribers can check if their data have been exposed by querying the data breach notification website Have I Been Pwned that received the list of compromised users.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, OpenSubtitles)

The post OpenSubtitles data breach impacted 7 million subscribers appeared first on Security Affairs.

US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog

23 January 2022 at 18:13

US CISA added seventeen new actively exploited vulnerabilities to the ‘Known Exploited Vulnerabilities Catalog’.

The ‘Known Exploited Vulnerabilities Catalog‘ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) this week added seventeen actively exploited vulnerabilities to the Catalog.

The total number of vulnerabilities included in the catalog reached this week 341 vulnerabilities.

CISA is requiring 10 of 17 vulnerabilities added this week to be addressed within February 1st, 2022.

CVE Number CVE Title Required Action Due Date
CVE-2021-32648 October CMS Improper Authentication 2/1/2022
CVE-2021-21315 System Information Library for node.js Command Injection Vulnerability 2/1/2022
CVE-2021-21975 Server Side Request Forgery in vRealize Operations Manager API Vulnerability 2/1/2022
CVE-2021-22991 BIG-IP Traffic Microkernel Buffer Overflow Vulnerability 2/1/2022
CVE-2021-25296 Nagios XI OS Command Injection Vulnerability 2/1/2022
CVE-2021-25297 Nagios XI OS Command Injection Vulnerability 2/1/2022
CVE-2021-25298 Nagios XI OS Command Injection Vulnerability 2/1/2022
CVE-2021-33766 Microsoft Exchange Server Information Disclosure Vulnerability 2/1/2022
CVE-2021-40870 Aviatrix Controller Unrestricted Upload of File Vulnerability 2/1/2022
CVE-2021-35247 SolarWinds Serv-U Improper Input Validation Vulnerability 02/04/2022
CVE-2020-11978 Apache Airflow Command Injection Vulnerability 7/18/2022
CVE-2020-13671 Drupal Core Unrestricted Upload of File Vulnerability 7/18/2022
CVE-2020-13927 Apache Airflow Experimental API Authentication Bypass Vulnerability 7/18/2022
CVE-2020-14864 Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability 7/18/2022
CVE-2006-1547 Apache Struts 1 ActionForm Denial of Service Vulnerability 07/21/2022
CVE-2012-0391 Apache Struts 2 Improper Input Validation Vulnerability 07/21/2022
CVE-2018-8453 Microsoft Windows Win32k Privilege Escalation Vulnerability 07/21/2022

One of the issues added this week is a vulnerability in the October CMS, tracked as CVE-2021-32648, which was recently exploited in attacks against websites of the Ukrainian government.

CISA also added a vulnerability, tracked as CVE-2021-35247, recently addressed by SolarWinds in Serv-U products that threat actors are actively exploited in the wild. The company pointed out that all the attack attempts failed.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)

The post US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

Molerats cyberespionage group uses public cloud services as attack infrastructure

23 January 2022 at 14:41

Cyberespionage group Molerats has been observed abusing legitimate cloud services, like Google Drive and Dropbox as attack infrastructure.

Zscaler ThreatLabz analyzed an active espionage campaign carried out by Molerats cyberespionage group (aka TA402, Gaza Hackers Team, Gaza Cybergang, and Extreme Jackal) that abuses legitimate cloud services like Google Drive and Dropbox as attack infrastructure. Public cloud services are used to host malicious payloads or for command-and-control infrastructure in attacks aimed at targets across the Middle East.

In December 2021, ThreatLabz researchers identified several macro-based MS office files that were used in attacks against entities in the Middle East. The bait files were employed in cyber espionage attacks, they contain decoy themes related to geo-political conflicts between Israel and Palestine. Similar bait files were also used in previous cyberespionage campaigns attributed to the Molerats APT group.

MoleRATs is an Arabic-speaking, politically motivated group of hackers that has been active since 2012, 

The researchers discovered that the current campaign has been active since July 2021, the threat actors switched the distribution method in December 2021 and applied minor changes in the .NET backdoor.

“The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey.” reads the analysis published by Zscaler.

The macro code embedded in the weaponized decoy document simply executes a command using cmd.exe which in turn executes a PowerShell command to download and drop the stage-2 payload from the URL (“http://45.63.49[.]202/document.html”) to the path “C:\ProgramData\document.htm”. Executes servicehost.exe

Then it renames document.htm to servicehost.exe and executes ‘servicehost.exe.’

moletats APT attacks

The .NET-based malware masquerades itself as a WinRAR application by using the icon and other resources and is obfuscated using the ConfuserEx packer.

The backdoor performs the following operations:

1. Collects the machine manufacture and machine model information using WMI which is used for execution environment checks and is later exfiltrated to C2 server.
2. Checks if it should execute in the current execution environment.
3. Creates a mutex with the name of executing binary.
4. Checks if the mutex is created successfully.
5. Determines if it is executed for the first time using the registry key value “HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}”. 
6. If the registry key doesn’t exist, the code flow goes via a mouse check function which executes the code further only if it detects a change in either of the mouse cursor coordinates. In the end, the mouse check function also creates the same registry key.

The backdoor supports multiple capabilities, such as taking snapshots, listing and uploading files, and running arbitrary commands on the compromised system.

“The major difference between the new attack chain and the old attack chain is seen in the backdoor delivery. Although we are not sure how these RAR/ZIP files were delivered but considering the past attacks they were likely delivered using Phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token.” Zscaler ThreatLabz researchers conclude.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Molerats APT)

The post Molerats cyberespionage group uses public cloud services as attack infrastructure appeared first on Security Affairs.

Security Affairs newsletter Round 350

23 January 2022 at 08:57

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns
Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack
US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence
A bug in McAfee Agent allows running code with Windows SYSTEM privileges
Experts warn of anomalous spyware campaigns targeting industrial firms
Google Project Zero discloses details of two Zoom zero-day flaws
MoonBounce UEFI implant spotted in a targeted APT41 attack
Conti ransomware gang started leaking files stolen from Bank Indonesia
FBI links the Diavol ransomware to the TrickBot gang
Cisco StarOS flaws could allow remote code execution and information disclosure
Crypto.com hack impacted 483 accounts and resulted in a $34 million theft
Red Cross hit by a sophisticated cyberattack
New BHUNT Stealer targets cryptocurrency wallets
SolarWinds Serv-U bug exploited by threat actors in the wild, Microsoft warns
New DDoS IRC Bot distributed through Korean webHard platforms
UK NCSC shares guidance for organizations to secure their communications with customers
CISA warns of potential critical threats following attacks against Ukraine
Box flaw allowed to bypass MFA and takeover accounts
Is White Rabbit ransomware linked to FIN8 financially motivated group?
AlphV/BlackCat ransomware gang published data stolen from fashion giant Moncler
Financially motivated Earth Lusca threat actors targets organizations worldwide
Law enforcement shutdown the VPN service VPNLab used by many cybercriminal gangs
Microsoft releases Windows out-of-band emergency fixes for Win Server, VPN issues
A small number of Crypto.com users reported suspicious activity on their wallet
Oracle Critical Patch Update for January 2022 will fix 483 new flaws
Zoho fixes a critical vulnerability (CVE-2021-44757) in Desktop Central solutions
High-Severity flaw in 3 WordPress plugins impacts 84,000 websites
Experts warn of attacks using a new Linux variant of SFile ransomware
Kyiv blames Belarus-linked APT UNC1151 for recent cyberattack
European Union simulated a cyber attack on a fictitious Finnish power company
Microsoft spotted a destructive malware campaign targeting Ukraine
A new wave of Qlocker ransomware attacks targets QNAP NAS devices
Threat actors stole $18.7M from the Lympo NTF platform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 350 appeared first on Security Affairs.

Before yesterdayGeneral Security News

Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns

22 January 2022 at 20:34

The Dutch National Cybersecurity Centre (NCSC) warns organizations of risks associated with cyberattacks exploiting the Log4J vulnerability.

The Dutch National Cybersecurity Centre (NCSC) warns organizations to remain vigilant on possible attacks exploiting the Log4J vulnerability.

According to the Dutch agency, threat actors the NCSC will continue to attempt to exploit the Log4Shell flaw in future attacks.

“Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn’t mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant.” states the Dutch NCSC agency. “The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary. In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity.”

The risk that cybercriminal groups and nation-state actors could exploit Log4j vulnerabilities in future attacks is still high.

Recently Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.

In the last weeks other ransomware gangs exploited the Log4Shell in their attacks, the Conti ransomware gang was the first group that exploited the CVE-2021-44228 flaw since mid December.

In the same period, Bitdefender researchers discovered that threat actors were attempting to exploit the Log4Shell vulnerability to deliver the new Khonsari ransomware on Windows machines

The NCSC will continue to share information through its website and GitHub repository, the latter contains operational information regarding the Log4shell vulnerability in the Log4j logging library. Especially CVE-2021-44228 / CVE-2021-45046 and also covers CVE-2021-4104 / CVE-2021-45105.  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, log4j)

The post Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns appeared first on Security Affairs.

Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack

22 January 2022 at 16:29

Two critical security vulnerabilities in Control Web Panel potentially expose Linux servers to remote code execution attacks

Researchers from Octagon Networks disclosed details of two critical security flaws in Control Web Panel that potentially expose Linux servers to remote code execution attacks.

Control Web Panel is a popular open-source Linux control panel for servers and VPS that allows easy management of web hosting environments.

An attacker could chain the vulnerabilities to achieve pre-authenticated remote code execution on vulnerable Linux servers.

The first issue, tracked as CVE-2021-45467, is a file inclusion vulnerability that occurs when a web application is tricked into exposing or running arbitrary files on the webserver.

Experts focused their analysis on vulnerabilities that can be exploited by unauthenticated users or through zero-click attacks, in particular, they tested sections of the panel that are exposed without authentication in the webroot, including /user/loader.php and /user/index.php.

The expert Paulos Yibelo from Octagon Networks discovered that several PHP’s functions (including the require() and include() functions) seem to process /.%00./ as /../. Protections implemented in the application don’t allow to switch to a parent directory (using “..”) but they allow the PHP interpreter to accept a specially crafted string such as “.$00.” that allows bypassing any restriction,

Similarly, while stristr() ignores the null bytes, it still counts its size so it bypasses the check.

This means that it is possible to include any file on the server, if an attacker finds a way to write to a file, it can get preauth RCE.

Despite unix file r/w locking settings in CWP, an attacker can exploit the file inclusion bug to reach the restricted API section, which requires API key to access and is not exposed in the webroot.

Chaining this flaw with an arbitrary file writes vulnerability such as the CVE-2021-45466 flaw, an attacker can gain full remote code execution on the server.

“But by using our file inclusion, sending a request like the following will result in the server registering any API key we want.” explained the expert.

GET https://CWP/user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi&ip=192.168.1.1&keyapi=OCTAGON 

“Now we have added the api key “OCTAGON” requesting from 192.168.1.1 to have access to the full API like the following: 

GET https://CWP/api/?key=OCTAGON&api=add_server is now a valid API request.

The expert found a way to exploit a file write bug in the API section that allowed him to a .TXT file. For example, using a maliciously added key.

https://CWP/api/?key=OCTAGON&api=add_server&DHCP=<?=phpinfo()?>&fileFinal=/ 

That will write to a file called authorized_keys located in the /resources/ folder. Then, using the first file inclusion bug the expert includes it malicious authorized_keys file to get full RCE.

The CWP maintainers have already addressed the flaw with security updates released this month.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Control Web Panel)

The post Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack appeared first on Security Affairs.

Experts Find Strategic Similarities b/w NotPetya and WhisperGate Attacks on Ukraine

22 January 2022 at 14:47
Latest analysis into the wiper malware that targeted dozens of Ukrainian agencies earlier this month has revealed "strategic similarities" to NotPetya malware that was unleashed against the country's infrastructure and elsewhere in 2017. The malware, dubbed WhisperGate, was discovered by Microsoft last week, which said it observed the destructive cyber campaign targeting government, non-profit,

US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence

22 January 2022 at 13:20

The U.S. Treasury Department announced sanctions against four current and former Ukrainian government officials for collaborating with Russia.

The U.S. Treasury Department this week announced sanctions against four current and former Ukrainian government officials for having supported influence activities carried out by the Russian government. The officials are accused of having gathered sensitive information about critical infrastructure in Ukraine.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned four individuals engaged in Russian government-directed influence activities to destabilize Ukraine.” reads the press release published by U.S. Treasury Department. “This action is separate and distinct from the broad range of high impact measures the United States and its Allies and partners are prepared to impose in order to inflict significant costs on the Russian economy and financial system if it were to further invade Ukraine.”

According to the US agency, Russia’s security service, the Federal Security Service (FSB), recruited Ukrainian citizens in key positions to destabilize the political and social contest country.

The four individuals were involved in the influence campaign with different roles, the suspects have supported threat actors in carrying out an influence campaign.

Two of the four individuals, Taras Kozak and Oleh Voloshyn, who are two current Ukrainian Members of Parliament from the party led by Victor Medvedchuk (Medvedchuk), supported Russian disinformation by amplifying false narratives and undermining Ukrainian sovereignty.

Kozak controls several news channels in Ukraine and is accused of having supported the Russian intelligence to denigrate senior members of Ukrainian President Volodymyr Zelenskyy’s inner circle, accusing them of mismanagement of the COVID-19 pandemic.

Voloshyn has worked with Russia-linked actors to undermine Ukrainian government officials and advocate on behalf of Russia.

Vladimir Sivkovich, former Deputy Secretary of the Ukrainian National Security and Defense Council, supported Russian intelligence in carrying out influence operations to support the decision for Ukraine to officially cede Crimea to Russia in exchange for a drawdown of Russian-backed forces in the Donbas.

Volodymyr Oliynyk, is a former Ukrainian official, who currently resides in Moscow. He shares Russia’s anti-Western sentiments and in 2021, he worked for the FSB to gather information about Ukrainian critical infrastructure. 

“As Russia has pursued broad cyber operations against critical infrastructure, it has focused on disrupting one critical infrastructure sector in particular: Ukraine’s energy sector. Russia has also degraded Ukraine’s access to energy products in the middle of winter. Acting” continues the Treasury Department.

The US agency ordered to block all property and interests in property of the designated individuals described above that are in the United States or in the possession or control of U.S. persons. Any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked. 

“The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person, or the receipt of any contribution or provision of funds, goods, or services from any such person.” concludes the Agency

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, FSB)

The post US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence appeared first on Security Affairs.

Molerats Hackers Hiding New Espionage Attacks Behind Public Cloud Infrastructure

22 January 2022 at 10:57
An active espionage campaign has been attributed to the threat actor known as Molerats that abuses legitimate cloud services like Google Drive and Dropbox to host malware payloads and for command-and-control and the exfiltration of data from targets across the Middle East. The cyber offensive is believed to have been underway since at least July 2021, according to cloud-based information

Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

22 January 2022 at 07:13
In yet another instance of software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based

Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks

22 January 2022 at 04:04
Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers. Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on

A bug in McAfee Agent allows running code with Windows SYSTEM privileges

21 January 2022 at 22:19

McAfee addressed a security flaw in its McAfee Agent software for Windows that allows running arbitrary code with SYSTEM privileges.

McAfee (now Trellix) has addressed a high-severity vulnerability, tracked as CVE-2022-0166, that resides in McAfee Agent software for Windows. An attacker can exploit this flaw to escalate privileges and execute arbitrary code with SYSTEM privileges.

The McAfee Agent is the distributed component of McAfee ePolicy Orchestrator (McAfee ePO). It downloads and enforces policies, and executes client-side tasks such as deployment and updating. The Agent also uploads events and provides additional data regarding each system’s status. It must be installed on each system in your network that you wish to manage.

The CVE-2022-0166 flaw was discovered by CERT/CC vulnerability analyst Will Dormann.

“A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory.” reads the advisory published by McAfee. “A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file.”

The security firm addressed the vulnerability with the release of McAfee Agent 5.7.5 on January 18.

The issue affects Agent versions prior of 5.7.5 and allows unprivileged attackers to run code using NT AUTHORITY\SYSTEM account privileges.

An unprivileged user can place a specially-crafted openssl.cnf in a location used by McAfee Agent, to execute arbitrary code with SYSTEM privileges on a Windows system running a vulnerable version of the agent software.

“By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.” reads the advisory published by CERT/CC.

The vulnerability is only exploitable locally, anyway, experts warn that this issue could be chained with other issues to compromise the target system and elevate permissions to carry out additional malicious activities.

McAfee also addressed a command Injection vulnerability, tracked as CVE-2021-31854, in software Agent for Windows prior to 5.7.5. An attacker could exploit this vulnerability to inject arbitrary shell code into the file cleanup.exe.

“The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.” states the advisory.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, McAfee)

The post A bug in McAfee Agent allows running code with Windows SYSTEM privileges appeared first on Security Affairs.

Experts warn of anomalous spyware campaigns targeting industrial firms

21 January 2022 at 19:27

Researchers spotted several spyware campaigns targeting industrial enterprises to steal credentials and conduct financial fraud.

Researchers from Kaspersky Lab have uncovered multiple spyware campaigns that target industrial firms to steal email account credentials and carry out fraudulent activities.

Threat actors sent spear-phishing messages from compromised corporate accounts to their contacts, the email carry malicious attachments. The attackers use off-the-shelf spyware, but in order to avoid detection they limited the scope and lifetime of each sample to the bare minimum

These attacks were aimed at a very limited number of targets, they employed several spyware families, such as AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, Lokibot.

Kaspersky labeled these campaigns as ‘anomalous’ due to their very short-lived nature, roughly 25 days.

“The lifespan of the “anomalous” attacks is limited to about 25 days. And at the same time, the number of attacked computers is less than 100, of which 40-45% are ICS machines, while the rest are part of the same organizations’ IT infrastructure.” reads the analysis published by Kaspersky. “This has become a trend: around 21.2% of all spyware samples blocked on ICS computers worldwide in H1 2021 were part of this new limited-scope short-lifetime attack series and, depending on the region, up to one-sixth of all computers attacked with spyware were hit using this tactic.”

Attackers used to target less than one hundred systems for each campaign, more than half are ICS (integrated computer systems) systems deployed in industrial environments.

Unlike common spyware attacks, most of the samples employed in these campaigns were configured to use SMTP-based (rather than FTP or HTTP(s)) C2s as a one-way communication channel, a circumstance that suggests it was used only to exfiltrate data from infected systems.

Kaspersky researchers speculate the stolen data is used by threat actors to go deeper in the compromise network and to target other organizations in order to collect more credentials.

The attackers use corporate mailboxes compromised in previous attacks as the C2 servers for further attacks.

“Amongst attacks of this kind, we’ve noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations’ correspondence and abusing their corporate email systems to attack through the contact lists of compromised mailboxes.” continues the report.

“Curiously, corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the garbage emails in spam folders.”

spyware campaigns 2

The experts have identified over 2,000 corporate email accounts belonging to industrial companies that were used as C2 servers for successive spyware campaigns. The number of stolen and sold corporate email accounts that were abused has been estimated to be greater than 7000.

Many of the email RDP, SMTP, SSH, cPanel, and VPN account credentials siphoned by the attackers were made available on dark web marketplaces and sold to other threat actors.

“In this research, we identified over 25 different marketplaces where data stolen in the credential gathering campaigns targeting industrial companies that we investigated was being sold. At these markets, various sellers offer thousands of RDP, SMTP, SSH, cPanel, and email accounts, as well as malware, fraud schemes, and samples of emails and webpages for social engineering.” concludes the report. “A statistical analysis of metadata for over 50,000 compromised RDP accounts sold in marketplaces shows that 1,954 accounts (3.9%) belong to industrial companies.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, spyware campaigns)

The post Experts warn of anomalous spyware campaigns targeting industrial firms appeared first on Security Affairs.

Crime Shop Sells Hacked Logins to Other Crime Shops

21 January 2022 at 17:11

Up for the “Most Meta Cybercrime Offering” award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.

Criminals ripping off other crooks is a constant theme in the cybercrime underworld; Accountz Club’s slogan  — “the best autoshop for your favorite shops’ accounts” — just normalizes this activity by making logins stolen from users of various cybercrime shops for sale at a fraction of their account balances.

The site says it sells “cracked” accounts, or those that used passwords which could be easily guessed or enumerated by automated tools. All of the credentials being sold by Accountz provide access to services that in turn sell access to stolen information or hijacked property, as in the case of “bot shops” that resell access to infected computers.

One example is Genesis Market, where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations. Genesis even offers a custom-made web browser where you can load authentication cookies from botted PCs and waltz right into the account without having to enter a username or password or mess with multi-factor authentication.

Accountz is currently selling four different Genesis logins for about 40-50 percent of their unspent balances. Genesis mostly gets its inventory of botted computers and stolen logins from resellers who specialize in deploying infostealer malware via email and booby-trapped websites. Likewise, it appears Accountz also derives much of its stock from a handful of resellers, who presumably are the same ones doing the cybercrime service account cracking.

The Genesis bot shop.

In essence, Accountz customers are paying for illicit access to cybercrime services that sell access to compromised resources that can be abused for cybercrime. That’s seriously meta.

Accountz says its inventory is low right now but that it expects to offer a great deal more stock in the coming days. I don’t doubt that’s true, and it’s somewhat remarkable that services like this aren’t more common: From reporting my “Breadcrumbs” series on prominent cybercrime actors, it’s clear that a great many cybercriminals will use the same username and password across multiple services online.

What’s more, relatively few cybercrime shops online offer their users any sort of multi-factor authentication. That’s probably because so few customers supply their real contact information when they sign up. As a result, it is often far easier for customers to simply create a new account than it is to regain control over a hacked one, or to change a forgotten password. On top of that, most shops have only rudimentary tools for blocking automated login attempts and password cracking activity.

It will be interesting to see whether any of the cybercrime shops most heavily represented in the logins for sale at Accountz start to push back. After all, draining customer account balances and locking out users is likely to increase customer support costs for these shops, lower customer satisfaction, and perhaps even damage their reputations on the crime forums where they peddle their wares.

Oh, the horror.

Google Project Zero discloses details of two Zoom zero-day flaws

21 January 2022 at 14:40

Google Project Zero experts disclosed details of two zero-day flaws impacting Zoom clients and Multimedia Router (MMR) servers.

Google Project Zero researchers Natalie Silvanovich disclosed details of two zero-day vulnerabilities in Zoom clients and Multimedia Router (MMR) servers. An attacker could have exploited the now-fixed issues to crash the service, execute malicious code, and even leak the content of portions of the memory.

The researcher focused its search for bugs in the Zoom client software, including zero-day issues that allowed her to take over the victim’s system without requiring any user interaction.

The two vulnerabilities have been fixed on November 24, 2021, they are a buffer overflow information leakage issue tracked as CVE-2021-34423 and CVE-2021-34424 respectively.

The CVE-2021-34423 vulnerability, is a buffer overflow issue that received a CVSS score of 9.8. An attacker can trigger the vulnerability to execute arbitrary code or crash the service or application.

The experts focused the analysis on the RTP (Real-time Transport Protocol) traffic used for audio and video communications. Silvanovich discovered that manipulating the contents of a buffer that supports reading different data types by sending a malformed chat message, could trigger the flaw causing the client and the MMR server to crash.

“Note that the string buffer is allocated based on a length read from the msg_db_t buffer, but then a second length is read from the buffer and used as the length of the string that is read. This means that if an attacker could manipulate the contents of the msg_db_t buffer, they could specify the length of the buffer allocated, and overwrite it with any length of data (up to a limit of 0x1FFF bytes, not shown in the code snippet above).” reads the analysis published by Project Zero. “I tested this bug by hooking SSL_write with Frida, and sending the malformed packet, and it caused the Zoom client to crash on a variety of platforms.”

The CVE-2021-34424 is a process memory exposure flaw that received a CVSS score of 7.5. An attacker can trigger the flaw to potentially gain insight into arbitrary areas of the product’s memory.

The second flaw is caused by the lack of a NULL check that allows to leak data from the memory by joining a Zoom meeting via a web browser.

“This bug allows the attacker to provide a string of any size, which then gets copied out of bounds up until a null character is encountered in memory, and then returned. It is possible for CVE-2021-34424 to return a heap pointer, as the MMR maps the heap that gets corrupted at a low address that does not usually contain null bytes, however, I could not find a way to force a specific heap pointer to be allocated next to the string buffer that gets copied out of bounds. C++ objects used by the MMR tend to be virtual objects, so the first 64 bits of most object allocations are a vtable which contains null bytes, ending the copy.” continues the analysis.

The researcher pointed out that lack of ASLR in the Zoom MMR process exposed users to the risk of attacks, the good news it that Zoom has recently enabled it.

Project Zero experts also pointed out that the closed nature of Zoom also heavily impacted the analysis. Unlike most video conferencing systems, Zoom use a proprietary protocol that make it hard to analyze it.

“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich concludes. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The post Google Project Zero discloses details of two Zoom zero-day flaws appeared first on Security Affairs.

MoonBounce UEFI implant spotted in a targeted APT41 attack

21 January 2022 at 11:59

Researchers have spotted China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce, to maintain persistence.

Kaspersky researchers spotted the China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce, to maintain persistence.

At the end of 2021, researchers discovered a UEFI firmware-level compromise by analyzing logs from its Firmware Scanner.

Threat actors compromised a single component within the firmware image to intercept the original execution flow of the machine’s boot sequence and inject the sophisticated implant.

UEFI implants like MoonBounce allow attackers to achieve persistence on the target system that is resilient to disk formatting or replacement. In the case of MoonBounce, the bootkit is implanted on the SPI flash memory of the motherboard. A UEFI bootkit implanted in the firmware could not be detected by AVs and any defense solution running on the OS level.

“The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet;” reads the analysis published by Kaspersky. “The infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint;”

The attackers incorporated the UEFI implant into the CORE_DXE component of the firmware (aka the DXE Foundation), which is invoked early on at the DXE (Driver Execution Environment) phase of the UEFI boot sequence. 

MoonBounce

The infection leverages a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices. Attackers used these hooks to hijack the flow of these functions to malicious shellcode and append them to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot sequence (Windows loader).

“This multistage chain of hooks facilitates the propagation of malicious code from the CORE_DXE image to other boot components during system startup, allowing the introduction of a malicious driver to the memory address space of the Windows kernel.” continues the analysis. “This driver, which runs during the initial phases of the kernel’s execution, is in charge of deploying user-mode malware by injecting it into an svchost.exe process, once the operating system is up and running.”

The UEFI implant used by APT41 is to deploy additional user-mode malware used to execute further payloads downloaded from C2 infrastructure.

Kaspersky pointed out that the attack that investigated is fileless, this means that it does not leave any traces on the hard drive and its components only operate in memory.

The researchers spotted other non-UEFI implants in the network targeted with the MoonBounce that were communicating with the same infrastructure that hosted the staging payload.

The researchers explained that the MoonBounce UEFI bootkit was employed in a very targeted attack, the sophisticated malware was detected in a single case.

“We traced some of the commands executed by the attackers after gaining a foothold in the network, which point to lateral movement and exfiltration of information from particular machines. This aligns in profile with some of the previous operations by APT41, wherein intrusions were typically made to intervene in the targeted companies’ supply chain, or to heist sensitive intellectual property and personally identifiable information.” continues the report. “The usage of the UEFI implant in particular indicates the actor’s aim to establish a longstanding foothold within the network, as would be expected in an ongoing espionage activity.”

The c is the third publicly documented case of firmware rootkit used in attacks in the wild, previous attacks leveraging this family of malware were related to the FinSpy surveillance spyware tool and a cyber espionage campaign uncovered by ESET that were spreading the ESPecter bookit.

“MoonBounce marks a particular evolution in this group of threats by presenting a more complicated attack flow in comparison to its predecessors and a higher level of technical competence by its authors, who demonstrate a thorough understanding of the finer details involved in the UEFI boot process,” Kaspersky concludes.

In order to prevent such kinds of attacks Kaspersky recommends regularly updating UEFI firmware, verifying that BootGuard, where applicable, is enabled, and enabling Trust Platform Modules and deployment of a security product that is able to inspect the firmware images.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MoonBounce)

The post MoonBounce UEFI implant spotted in a targeted APT41 attack appeared first on Security Affairs.

❌