🔒
There are new articles available, click to refresh the page.
Today — 28 November 2021General Security News

RATDispenser, a new stealthy JavaScript loader used to distribute RATs

28 November 2021 at 15:25

RATDispenser is a new stealthy JavaScript loader that is being used to spread multiple remote access trojans (RATs) into the wild.

Researchers from the HP Threat Research team have discovered a new stealthy JavaScript loader dubbed RATDispenser that is being used to spread a variety of remote access trojans (RATs) in attacks into the wild. Experts pointed out that the use of JavaScript is uncommon as malware file format and for this reason it is more poorly detected.

The loader is highly evasive, at the time of the analysis, it had only 11% detection rate on VirusTotal, HP experts confirmed that it was employed to distribute at least eight RAT families during 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The experts believe that the threat actors behind the RATDispenser may be operating a malware-as-a-service model.

“As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed), meaning the malware doesn’t communicate over the network to deliver a malicious payload.” reads the report published by HP.

The attack chain starts with a phishing email using a JavaScript attachment using ‘.TXT.js’ double-extension to trick victims into believing that they are opening a harmless text file.

RATDispenser

Upon launching the malicious code, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. Then the VBScript downloads and executes the final RAT payload.

HP researchers run a retrohunt over the last three months with this YARA rule and identified 155 RATDispenser samples, belonging to a three different variants. The experts also developed a wrote a Python script to recover the final payload and discovered that:

  • 145 of the 155 samples (94%) were droppers. Only 10 samples were downloaders that communicate over the network to download a secondary stage of malware
  • 8 malware families delivered as payloads
  • All the payloads were remote access Trojans (RATs), keyloggers and information stealers

STRRAT and WSHRAT accounted for 81% of the samples analyzed by the researchers. “Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.”

HP researchers published a set of hashes, URLs, YARA rule and extraction script in the HP Threat Research GitHub repository.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RATDispenser)

The post RATDispenser, a new stealthy JavaScript loader used to distribute RATs appeared first on Security Affairs.

North Korea-linked Zinc group posed as Samsung recruiters to target security firms

28 November 2021 at 12:11

North Korea-linked threat actors posed as Samsung recruiters in a spear-phishing campaign aimed at employees at South Korean security firms.

North Korea-linked APT group posed as Samsung recruiters is a spear-phishing campaign that targeted South Korean security companies that sell anti-malware solutions, Google TAG researchers reported.

According to the Google Threat Horizons report, the state-sponsored hackers sent fake job offers to employees at the security companies. Google TAG researchers reported that the same group, tracked as Zinc,” also targeted security researchers in past campaigns

“TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions.” reads the Google Threat Horizons report. “The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader. When targets replied that they could not open the job description, attackers responded with a malicious link to malware purporting to be a “Secure PDF Reader” stored in Google Drive which has now been blocked.”

The attackers used a malformed PDF claiming to be a job description for a role at Samsung, for this reason, the recipient was not able to open it and contacted the sender that in turn provided him with a link to a “Secure PDF Reader” app.

The app, which was stored in Google Drive, was a tainted version of the legitimate PDF reader PDFTron. Upon installing the app a backdoor is established on the victims’ devices.

North Korea-linked APT phishing

The activity of the Zinc APT group, aka Lazarus, surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack. The attackers targeted the researchers through multiple social networking platforms, including Twitter, LinkedIn, Telegram, Discord, and Keybase.

Threat actors used a network of fake profiles to get in contact with researchers of interest. In mid-2020, ZINC hackers created Twitter profiles for fake security researchers that were used to retweet security content and posting about vulnerability research. 

North Korea

Attackers used Twitter profiles for sharing links to a blog under their control (br0vvnn[.]io), to share videos of their claimed exploits, and for amplifying and retweeting posts from other accounts under their control.

Once established initial communications, the attackers would ask the targeted security researcher if they wanted to collaborate on vulnerability research together, and then shared with it a Visual Studio Project.

The Visual Studio project used by the attackers included the source code for exploiting the vulnerability along with an additional DLL that would be executed through Visual Studio Build Events, which is a backdoor.

The Visual Studio project was containing a malicious DLL that would be executed when researchers compiled the project.

The malicious code would lead to the installation of a backdoor that would allow the attackers to take over the target’s computer.

The attackers published a blog post titled “DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug” and shared it via Twitter. The researchers who visited the post from October 19 to 21, 2020, using the Chrome browser, were infected with a known ZINC malware. Microsoft researchers noticed that some of the victims were using fully patched browsers, a circumstance that suggests that attackers used 0-day exploits. Not all visitors to the site were infected.

Attackers also used other techniques to target security professionals, for example in some cases distributed blog posts as MHTML files that contained some obfuscated JavaScript that was pointing to a ZINC-controlled domain for further JavaScript to execute. 

In one case, attackers attempted to exploit, without success, the CVE-2017-16238 vulnerability in a vulnerable driver for the antivirus product called Vir.IT eXplorer.

The recent attacks against South Korean anti-malware suggest the interests of threat actors in compromising the supply chain of South Korean security organizations in order to target their customers.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

The post North Korea-linked Zinc group posed as Samsung recruiters to target security firms appeared first on Security Affairs.

0patch releases unofficial patches for CVE-2021-24084 Windows 10 zero-day

28 November 2021 at 10:55

0patch released free unofficial patches for Windows local privilege escalation zero-day (CVE-2021-24084) in Windows 10, version 1809 and later.

0patch released free unofficial patches for Windows local privilege escalation zero-day (CVE-2021-24084) in Windows 10, version 1809 and later. The issue doesn’t impact Windows Servers because the vulnerable functionality in not implemented in these OSs.

The issue resides in the  “Access work or school” settings of the Mobile Device Management Service. The vulnerability, discovered by the security researcher Abdelhamid Naceri, can be exploited to bypass a patch released by Microsoft in February to address another information disclosure flaw (CVE-2021-24084) reported by the same expert.

Naceri reported this month that the vulnerability has yet to be addressed and can be exploited to escalate privileges.

I mean this is still unpatched and allow LPE if shadow volume copies are enabled;
But I noticed that it doesn't work on windows 11 https://t.co/HJcZ6ew8PO

— Abdelhamid Naceri (@KLINIX5) November 15, 2021

“Namely, as HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can* be upgraded to local privilege escalation if you know which files to take and what to do with them. We confirmed this by using the procedure described in this blog post by Raj Chandel in conjunction with Abdelhamid’s bug – and being able to run code as local administrator.” wrote 0patch co-founder Mitja Kolsek. “Two conditions need to be met in order for the local privilege escalation to work:

  1. System protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters.  
  2. At least one local administrator account must be enabled on the computer, or at least one “Administrators” group member’s credentials cached.”

0patch released unofficial patches for:

  1. Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
  2. Windows 10 v20H2 (32 & 64 bit)updated with November 2021 Updates
  3. Windows 10 v2004 (32 & 64 bit)updated with November 2021 Updates
  4. Windows 10 v1909 (32 & 64 bit)updated with November 2021 Updates
  5. Windows 10 v1903 (32 & 64 bit)updated with November 2021 Updates
  6. Windows 10 v1809 (32 & 64 bit)updated with May 2021 Updates

0patch will provide free micropatches for this vulnerability until Microsoft has issued an official patch. Users that want to install the micropatches can create a free account in 0patch Central, then install 0patch Agent from 0patch.com. The company pointed out that no computer reboots will be needed.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

The post 0patch releases unofficial patches for CVE-2021-24084 Windows 10 zero-day appeared first on Security Affairs.

Security Affairs newsletter Round 342

28 November 2021 at 10:38

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Italy’s Antitrust Agency fines Apple and Google for aggressive practices of data acquisition
HAEICHI-II: Interpol arrested +1,000 suspects linked to various cybercrimes
IKEA hit by a cyber attack that uses stolen internal reply-chain emails
Marine services provider Swire Pacific Offshore (SPO) hit by Clop ransomware
Threat actors target crypto and NFT communities with Babadeda crypter
Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices
APT C-23 group targets Middle East with an enhanced Android spyware variant
New Linux CronRAT hides in cron jobs to evade detection in Magecart attacks
Several GoDaddy brands impacted in recent data breach
Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials
FBI warns of crooks targeting online shoppers during the holiday season
VMware addresses File Read and SSRF flaws in vCenter Server
A vulnerable honeypot exposed online can be compromised in 24 hours
Apple sues NSO Group for abusing state-sponsored Pegasus spyware
Expert discloses details of flaws in Oracle VirtualBox
Malware are already attempting to exploit new Windows Installer zero-day
Android.Cynos.7.origin trojan infected +9 million Android devices
Experts warn of RCE flaw in Imunify360 security platform
Expert released PoC exploit code for Microsoft Exchange CVE-2021-42321 RCE bug
Expert disclosed an exploit for a new Windows zero-day local privilege elevation issue
US govt warns critical infrastructure of ransomware attacks during holidays
New GoDaddy data breach impacted 1.2 million customers
Utah Imaging Associates data breach impacts 583,643 patients
Iran’s Mahan Air claims it has failed a cyber attack, hackers say the opposite
New Memento ransomware uses password-protected WinRAR archives to block access to the files
US SEC warns investors of ongoing fraudulent communications claiming from the SEC
Experts found 11 malicious Python packages in the PyPI repository
Researchers were able to access the payment portal of the Conti gang
Attackers compromise Microsoft Exchange servers to hijack internal email chains

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 342 appeared first on Security Affairs.

Yesterday — 27 November 2021General Security News

Italy’s Antitrust Agency fines Apple and Google for aggressive practices of data acquisition

27 November 2021 at 16:32

Italy’s antitrust regulator, Autorità Garante della Concorrenza e del Mercato (AGCM), has fined Apple and Google €10 million each their “aggressive” data practices.

Italy’s antitrust regulator, Autorità Garante della Concorrenza e del Mercato (AGCM), has fined Apple and Google €10 million each their “aggressive” data practices and the lack of transparency on the use of customers’ personal data.

Both companies were fined due to violations of the Consumer Code for aggressive practices related to the acquisition and use of consumer data for commercial purposes.

Italy’s antitrust regulator has fined both Apple and Google €10 million each for what it calls are “aggressive” data practices and not providing consumers with clear information on commercial uses of their personal data during the account creation phase. 10 million euros is the maximum fine permitted according to current legislation.

“The Authority found that both Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes.” reads the press release published by the AGCM. “In particular, Google, both in the account creation phase, which is essential for the use of all the services offered, and during the use of the services themselves, omits relevant information that the consumer needs to consciously decide to accept that the Company collects and uses their personal information for commercial purposes. Apple , both in the phase of creating the Apple ID and on the occasion of accessing the Apple Stores (App Store, iTunes Store and Apple Books), does not immediately and explicitly provide the user with any indication on the collection and use of your data for commercial purposes, emphasizing only that data collection is necessary to improve the consumer experience and use of services.”

The Italian Authority pointed out that in the account creation phase, Google pre-sets the user’s acceptance of the transfer and/or use of their data for commercial purposes.

In the case of Apple, the IT giant was accused of acquiring consent to the use of user data for commercial purposes without providing the consumer with the possibility of a prior and express consent on sharing their data.

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

The post Italy’s Antitrust Agency fines Apple and Google for aggressive practices of data acquisition appeared first on Security Affairs.

HAEICHI-II: Interpol arrested +1,000 suspects linked to various cybercrimes

27 November 2021 at 12:08

HAEICHI-II: Interpol arrested 1,003 individuals charged for several cybercrimes, including romance scams, investment frauds, and online money laundering.

Interpol has coordinated an international operation, code-named Operation HAEICHI-II, that led to the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling. The INTERPOL published more than 20 notices were published based on information relating to Operation HAECHI-II and identified 10 new fraudulent schemes.

The law enforcement operation involve police from twenty countries ( Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam) between June and September 2021.

The Interpol also involved the use of a new global stop-payment mechanism, the Anti-Money Laundering Rapid Response Protocol (ARRP), which was designed to intercept illicit funds.

Interpol HAECHI-II

The authorities blocked 2,350 bank accounts linked to the illicit proceeds of online financial crime and intercepted over 27 million dollars.

“The results of Operation HAECHI-II show that the surge in online financial crime generated by the COVID-19 pandemic shows no signs of waning,” said INTERPOL Secretary General Jürgen Stock. “It also underlines the essential and unique role played by INTERPOL in assisting member countries combat a crime which is borderless by nature.

“Only through this level of global cooperation and coordination can national law enforcement effectively tackle what is a parallel cybercrime pandemic,” added Secretary General Stock.

The announcement cited a case in Colombia, when a prominent textiles company was defrauded of more than USD 8 million through a sophisticated business email compromise (BEC) scam. The threat actors impersonated the legal representative of the company and ordered to transfer more than USD 16 million to two Chinese bank accounts. The company discovered the fraudulent activity after half of the money was transferred, then alerted local authorities..

Thanks to the use of the ARRP network and the international police cooperation over 94 percent of the money was intercepted in record time.

Interpol also warned of the use of the ‘Squid Game’ as bait in malware campaigns.

“One Purple Notice requested by Colombia during the operation details a malware-laden mobile application using the name and branding of the Netflix show ‘Squid Game’. Masquerading as a product affiliated with the popular television series, the app was in fact a Trojan horse virus that, once downloaded, was able to hack the user’s billing information and subscribe to paid ‘premium’ services without the user’s explicit approval. While flagged in Colombia, the app has also targeted users in other countries.” concludes the announcement.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Operation HAEICHI-II)

The post HAEICHI-II: Interpol arrested +1,000 suspects linked to various cybercrimes appeared first on Security Affairs.

IKEA hit by a cyber attack that uses stolen internal reply-chain emails

27 November 2021 at 10:41

Threat actors are targeting IKEA employees in an internal phishing campaign leveraging stolen reply-chain emails.

According to BleepingComputer, threat actors are targeting IKEA employees in phishing attacks using stolen reply-chain emails.

Once compromised the mail servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks. Sending the messages from the organizations allows the attackers to bypass detection. Threat actors also exploit the access to internal emails to target business partners.

“In internal emails seen by BleepingComputer, IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.” reports BleepingComputer.

“There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA,” reads the emails sent by IKEA to its employees. “This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious.”

The above message warns employees and explains that the fraudulent messages are difficult to distinguish because have an internal source. The download links contained in the phishing messages have seven digits at the end, the company support desk told employees to report any suspicious message. The company also shared an example of a phishing email sent to its employees.

A good practice consists of contacting the sender over a different channel (i.e. Microsoft Teams chat, phone) in order to inform him of the fraudulent message.

The multinational conglomerate also disabled the possibility for its employees to release emails from quarantine, to avoid that employees can believe that the messages were isolated for error by the email filters.

Recently Trend Micro spotted a malware campaign aimed at Microsoft Exchange servers that exploits ProxyShell and ProxyLogon issues and uses stolen internal reply-chain emails to avoid detection.

The attacks were orchestrated by Squirrelwaffle, a threat actor known for sending malicious spam as replies to existing email chains. The investigation into three incidents revealed that attackers used exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell).

Once compromised the Exchange servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks containing links to weaponized documents.

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).” reads the analysis published by Trend Micro. “Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails.”

The emails originate from the same internal network, appear to be a continuation of a previous discussion between two employees. The attacker did not use tools for lateral movement or execute malware on the Exchange servers to avoid detection.

The emails use weaponized Office documents or include a link to them. Upon enabling the content, malicious macros are executing to download and install the malware, such as QbotCobalt Strike, and SquirrelWaffle.

The excel sheets used in this campaign contain malicious Excel 4.0 macros used to download and execute the malicious DLL.

microsoft exchange servers

Experts recommend securing their Microsoft Exchange servers by installing security updates published by Microsoft.

BleepingComputer researchers were able to verify the download links included in the phishing messages. The links poin to a zip archive called ‘charts.zip’ that contains a weaponized Excel document. Upon opening the file and enabling the macros the infection chain will start.

The final payload installed as part of the attack is the Qbot trojan, but similar campaigns also deployed Emotet. Both malware were involved in attacks to gain access to target networks and deploy a ransomware strain.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, IKEA)

The post IKEA hit by a cyber attack that uses stolen internal reply-chain emails appeared first on Security Affairs.

Italy's Antitrust Regulator Fines Google and Apple for "Aggressive" Data Practices

27 November 2021 at 06:34
Italy's antitrust regulator has fined both Apple and Google €10 million each for what it calls are "aggressive" data practices and for not providing consumers with clear information on commercial uses of their personal data during the account creation phase. The Autorità Garante della Concorrenza e del Mercato (AGCM) said "Google and Apple did not provide clear and immediate information on the
Before yesterdayGeneral Security News

Marine services provider Swire Pacific Offshore (SPO) hit by Clop ransomware

26 November 2021 at 22:53

Marine services provider Swire Pacific Offshore (SPO) has suffered a Clop ransomware attack that resulted in the theft of company data.

Clop ransomware hit Marine services provider Swire Pacific Offshore (SPO) and stole company data, but did not affected global operations.

“Swire Pacific Offshore (SPO) has discovered that it was the target of a cyberattack which involved unauthorised access to its IT systems. The unauthorised access has resulted in the loss of some confidential proprietary commercial information and has resulted in the loss of some personal data.” reads the media statement published by SPO. “The cyberattack has not materially affected SPO’s global operations.”

The company announced to have taken immediate actions to reinforce existing security measures and to mitigate the potential impact of the security breach.

SPO reported the security breach incident to the relevant authorities, it is also notifying potentially affected parties.

Clop ransomware published on its dark web leak site sample of the stolen data, that includes passports, payroll information, bank account details, email addresses, and more.

Swire Pacific Offshore

In the past, other major organizations in the shipping industry were hit by ransomware attacks, including Maersk, COSCO, International Maritime Organization (IMO), MSC, Pitney Bowes, and CMA CGM.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SPO)

The post Marine services provider Swire Pacific Offshore (SPO) hit by Clop ransomware appeared first on Security Affairs.

The Internet is Held Together With Spit & Baling Wire

26 November 2021 at 19:03

A visualization of the Internet made using network routing data. Image: Barrett Lyon, opte.org.

Imagine being able to disconnect or redirect Internet traffic destined for some of the world’s biggest companies — just by spoofing an email. This is the nature of a threat vector recently removed by a Fortune 500 firm that operates one of the largest Internet backbones.

Based in Monroe, La., Lumen Technologies Inc. [NYSE: LUMN] (formerly CenturyLink) is one of more than two dozen entities that operate what’s known as an Internet Routing Registry (IRR). These IRRs maintain routing databases used by network operators to register their assigned network resources — i.e., the Internet addresses that have been allocated to their organization.

The data maintained by the IRRs help keep track of which organizations have the right to access what Internet address space in the global routing system. Collectively, the information voluntarily submitted to the IRRs forms a distributed database of Internet routing instructions that helps connect a vast array of individual networks.

There are about 70,000 distinct networks on the Internet today, ranging from huge broadband providers like AT&T, Comcast and Verizon to many thousands of enterprises that connect to the edge of the Internet for access. Each of these so-called “Autonomous Systems” (ASes) make their own decisions about how and with whom they will connect to the larger Internet.

Regardless of how they get online, each AS uses the same language to specify which Internet IP address ranges they control: It’s called the Border Gateway Protocol, or BGP. Using BGP, an AS tells its directly connected neighbor AS(es) the addresses that it can reach. That neighbor in turn passes the information on to its neighbors, and so on, until the information has propagated everywhere [1].

A key function of the BGP data maintained by IRRs is preventing rogue network operators from claiming another network’s addresses and hijacking their traffic. In essence, an organization can use IRRs to declare to the rest of the Internet, “These specific Internet address ranges are ours, should only originate from our network, and you should ignore any other networks trying to lay claim to these address ranges.”

In the early days of the Internet, when organizations wanted to update their records with an IRR, the changes usually involved some amount of human interaction — often someone manually editing the new coordinates into an Internet backbone router. But over the years the various IRRs made it easier to automate this process via email.

For a long time, any changes to an organization’s routing information with an IRR could be processed via email as long as one of the following authentication methods was successfully used:

-CRYPT-PW: A password is added to the text of an email to the IRR containing the record they wish to add, change or delete (the IRR then compares that password to a hash of the password);

-PGPKEY: The requestor signs the email containing the update with an encryption key the IRR recognizes;

-MAIL-FROM: The requestor sends the record changes in an email to the IRR, and the authentication is based solely on the “From:” header of the email.

Of these, MAIL-FROM has long been considered insecure, for the simple reason that it’s not difficult to spoof the return address of an email. And virtually all IRRs have disallowed its use since at least 2012, said Adam Korab, a network engineer and security researcher based in Houston.

All except Level 3 Communications, a major Internet backbone provider acquired by Lumen/CenturyLink.

“LEVEL 3 is the last IRR operator which allows the use of this method, although they have discouraged its use since at least 2012,” Korab told KrebsOnSecurity. “Other IRR operators have fully deprecated MAIL-FROM.”

Importantly, the name and email address of each Autonomous System’s official contact for making updates with the IRRs is public information.

Korab filed a vulnerability report with Lumen demonstrating how a simple spoofed email could be used to disrupt Internet service for banks, telecommunications firms and even government entities.

“If such an attack were successful, it would result in customer IP address blocks being filtered and dropped, making them unreachable from some or all of the global Internet,” Korab said, noting that he found more than 2,000 Lumen customers were potentially affected. “This would effectively cut off Internet access for the impacted IP address blocks.”

The recent outage that took Facebook, Instagram and WhatsApp offline for the better part of a day was caused by an erroneous BGP update submitted by Facebook. That update took away the map telling the world’s computers how to find its various online properties.

Now consider the mayhem that would ensue if someone spoofed IRR updates to remove or alter routing entries for multiple e-commerce providers, banks and telecommunications companies at the same time.

“Depending on the scope of an attack, this could impact individual customers, geographic market areas, or potentially the [Lumen] backbone,” Korab continued. “This attack is trivial to exploit, and has a difficult recovery. Our conjecture is that any impacted Lumen or customer IP address blocks would be offline for 24-48 hours. In the worst-case scenario, this could extend much longer.”

Lumen told KrebsOnSecurity that it continued offering MAIL-FROM: authentication because many of its customers still relied on it due to legacy systems. Nevertheless, after receiving Korab’s report the company decided the wisest course of action was to disable MAIL-FROM: authentication altogether.

“We recently received notice of a known insecure configuration with our Route Registry,” reads a statement Lumen shared with KrebsOnSecurity. “We already had mitigating controls in place and to date we have not identified any additional issues. As part of our normal cybersecurity protocol, we carefully considered this notice and took steps to further mitigate any potential risks the vulnerability may have created for our customers or systems.”

Level3, now part of Lumen, has long urged customers to avoid using “Mail From” for authentication, but until very recently they still allowed it.

KC Claffy is the founder and director of the Center for Applied Internet Data Analysis (CAIDA), and a resident research scientist of the San Diego Supercomputer Center at the University of California, San Diego. Claffy said there is scant public evidence of a threat actor using the weakness now fixed by Lumen to hijack Internet routes.

“People often don’t notice, and a malicious actor certainly works to achieve this,” Claffy said in an email to KrebsOnSecurity. “But also, if a victim does notice, they generally aren’t going to release details that they’ve been hijacked. This is why we need mandatory reporting of such breaches, as Dan Geer has been saying for years.”

But there are plenty of examples of cybercriminals hijacking IP address blocks after a domain name associated with an email address in an IRR record has expired. In those cases, the thieves simply register the expired domain and then send email from it to an IRR specifying any route changes.

While it’s nice that Lumen is no longer the weakest link in the IRR chain, the remaining authentication mechanisms aren’t great. Claffy said after years of debate over approaches to improving routing security, the operator community deployed an alternative known as the Resource Public Key Infrastructure (RPKI).

“The RPKI includes cryptographic attestation of records, including expiration dates, with each Regional Internet Registry (RIR) operating as a ‘root’ of trust,” wrote Claffy and two other UC San Diego researchers in a paper that is still undergoing peer review. “Similar to the IRR, operators can use the RPKI to discard routing messages that do not pass origin validation checks.”

However, the additional integrity RPKI brings also comes with a fair amount of added complexity and cost, the researchers found.

“Operational and legal implications of potential malfunctions have limited registration in and use of the RPKI,” the study observed (link added). “In response, some networks have redoubled their efforts to improve the accuracy of IRR registration data. These two technologies are now operating in parallel, along with the option of doing nothing at all to validate routes.”

[1]: I borrowed some descriptive text in the 5th and 6th paragraphs from a CAIDA/UCSD draft paper — IRR Hygiene in the RPKI Era (PDF).

Further reading:

Trust Zones: A Path to a More Secure Internet Infrastructure (PDF).

Reviewing a historical Internet vulnerability: Why isn’t BGP more secure and what can we do about it? (PDF)

Threat actors target crypto and NFT communities with Babadeda crypter

26 November 2021 at 15:50

Morphisec researchers spread cryptocurrency malware dubbed Babadeda in attacks aimed at crypto and NFT communities.

Morphisec researchers spotted a new crypto-malware strain, tracked as Babadeda, targeting cryptocurrency, non-fungible token (NFT), and DeFi passionates through Discord channels.

Threat actors are attempting to exploit the booming market for NFTs and crypto games. Babadeda is able to bypass antivirus solutions. According to the researchers, this crypto-malware was recently employed in several campaigns to deliver information stealers, RATs, and ransomware like LockBit.

Most of the attacks observed by the researchers that targeted crypto communities are based on the Discord platform, threat actors shared download links via Discord channels 

“In the campaign that we observed, a threat actor took advantage of these features in order to phish victims. The threat actor sent users a private message inviting them to download a related application that would supposedly grant the user access to new features and/or additional benefits. Because the actor created a Discord bot account on the official company discord channel, they were able to successfully impersonate the channel’s official account.” reads the report published by Morphisec.

babadeda

In one of the attacks analyzed by Morphisec, threat actor sent decoy messages to potential victims via Discord channels related to games such as Mines of Dalarnia. The messages urge the recipients to download an application. The link included in the message redirects users to a phishing domain that contains a download link for the Babadeda installer.

One of the decoy sites used in this campaign includes an HTML object written in Russian, a circumstance that suggests that the threat actors may have a Russian origin. The list of RATs used by this campaign includes BitRAT and Remcos.

“As demonstrated above, Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims. Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, babadeda)

The post Threat actors target crypto and NFT communities with Babadeda crypter appeared first on Security Affairs.

Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices

26 November 2021 at 14:39

Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L.

Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises.

The identified vulnerability enables Remote Code Execution (RCE) which grants the ability to takeover of the device and then use it for malicious purposes, as well as to steal sensitive data too. It’s likely this vulnerability is present in other devices from the same family.

The affected device is orientated towards the enterprise segment and supports Wi-Fi 6 (the next-generation wireless standard which is faster than 802.11ac). Wi-Fi 6 officially arrived in late 2019, and Wi-Fi 6 enabled hardware was released throughout 2020. The main goal of this new standard is enhancing throughput-per-area in high-density scenarios, such as corporate offices, shopping malls and dense residential apartments.

Resecurity notified TP-Link on November 19th 2021, and received acknowledgment the very next day. TP-Link said they’re going to release a patch in a week (currently the 0-day vulnerability is in the wild). Resecurity shared Proof-of-Concept with TP-Link of how Remote Code Execution was achieved on the target device, along with multiple other vulnerabilities.

TP-Link

Below is the video PoC of the zero-day exploitation:

According to Resecurity, the vulnerability was identified by the cause of abnormal traffic monitoring which consisted of a network of “honeypot” sensors to emulate common IoT devices developed by Resecurity are to hunt for malice on the internet.

Ongoing attacks were discovered by Resecurity’s researchers while monitoring the activity of a threat actor know for targeting networks and IoT devices since early October 2021.

Notably, the productized version of 0-day exploit was initially spotted by Resecurity’s HUNTER unit “in the wild” known as “TP-Linker”, the tool available for sale in the Chinese-speaking segment of the Dark Web.

Based on additional context – the actors are attacking insecure IoT devices and are involved in large-scale traffic manipulation including online-banking theft activity.

It’s not the 1st time TP-Link has faced critical vulnerabilities in their product line up, such bugs are widely leveraged by threat actors building IoT-based botnets like Mirai for further DDoS attacks and other malicious activities.

Insecurity of IoT devices remains a challenging cybersecurity issue and creates a vast flaw in the external network perimeter of companies which allows attackers to penetrate and steal sensitive data too.

Last year researchers found thousands of vulnerable TP-Link routers which took more than a year for the company to publish patches on their website. This year, cybersecurity researchers from the Flashback Team found and exploited critical vulnerabilities in another device by TP-Link Archer AC1750 at Pwn2Own Tokyo

Follow me on Twitter: @securityaffairs and Facebook

About the author: Resecurity Chief Executive Officer Gene Yoo

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The post Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices appeared first on Security Affairs.

Hackers Targeting Biomanufacturing Facilities With Tardigrade Malware

26 November 2021 at 13:20
An advanced persistent threat (APT) has been linked to cyberattacks on two biomanufacturing companies that occurred this year with the help of a custom malware loader called "Tardigrade." That's according to an advisory published by Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) this week, which noted that the malware is actively spreading across the sector with the likely goal of

Crypto Hackers Using Babadeda Crypter to Make Their Malware Undetectable

26 November 2021 at 10:32
A new malware campaign has been discovered targeting cryptocurrency, non-fungible token (NFT), and DeFi aficionados through Discord channels to deploy a crypter named "Babadeda" that's capable of bypassing antivirus solutions and stage a variety of attacks. "[T]his malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware,

CronRAT: A New Linux Malware That’s Scheduled to Run on February 31st

26 November 2021 at 08:08
Researchers have unearthed a new remote access trojan (RAT) for Linux that employs a never-before-seen stealth technique that involves masking its malicious actions by scheduling them for execution on February 31st, a non-existent calendar day. Dubbed CronRAT, the sneaky malware "enables server-side Magecart data theft which bypasses browser-based security solutions," Sansec Threat Research said

APT C-23 group targets Middle East with an enhanced Android spyware variant

26 November 2021 at 07:07

A threat actor, tracked as APT C-23, is using new powerful Android spyware in attacks aimed at targets in the Middle East.

The APT C-23 cyberespionage group (also known as GnatSpy, FrozenCell, or VAMP) continues to target entities in the Middle East with enhanced Android spyware masqueraded as seemingly harmless app updates (i.e. AndroidUpdate,, Telegram). The spyware is delivered to specific users via SMS text messages containing download links.

Experts from Sophos reported that recently discovered variants of Android spyware implement new features to avoid being removed by the users and to security firms that attempt to dismantle C2 infrastructure.

APT-C-23 group is using Android spyware since at least 2017, most of the targets were in the Palestinian Territories

“The new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the apps are delivered to specific users by means of SMS text messages linking to downloads.” reads the analysis published by Sophos.

None of the apps analyzed by the researchers have been hosted on the official Google Play Store.

Across the years the APT-C-23 threat group has implemented additional spying capabilities, below is the list of functionalities currently implemented:

  • Collects SMS, contacts, call logs
  • Collects images and documents
  • Recording audio, incoming and outgoing calls, including WhatsApp calls
  • Taking screenshots and recording video of the screen
  • Taking pictures using the camera
  • Hiding its own icon
  • Reading notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, or Signal
  • Canceling notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI SecurityCenter, Huawei SystemManager), as well as from Android system apps, package Installer, and its own notifications

Upon opening the app, it requests that the user grant the app permissions to perform surveillance actions such as to access to the microphone to record audio and all files stored on the device.

The malicious apps use social engineering to ask the user to grant advanced permissions. They justify the need for the additional features with fake argumentation, for instance, the request to “Enable Notifications” claims that the app needs this functionality or else “you won’t receive notifications in real time.”

APT C-23

The app asks the user to Enable the device admin permission or “system won’t secure your internet connection.”

Once the app has obtained all the permissions, it changes its icon and name to disguise itself using an icon of one of the popular apps such as Google Play, Youtube, Google, or Botim (a VOIP calling app). Then, the next time the victim will open the spyware, the malware will also launch the real app whose disguise it wears to avoid raising suspicion.

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app.” concludes the analysis. “Users should be particularly wary of apps asking for sensitive permissions such as device admin, notification access, or those requiring superuser/root access. Users can view the apps currently having device admin and notification access permissions by browsing to Settings and searching for “Device admin apps” and “Notification access” respectively.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)

The post APT C-23 group targets Middle East with an enhanced Android spyware variant appeared first on Security Affairs.

Israel Bans Sales of Hacking and Surveillance Tools to 65 Countries

26 November 2021 at 05:10
Israel's Ministry of Defense has dramatically restricted the number of countries to which cybersecurity firms in the country are allowed to sell offensive hacking and surveillance tools to, cutting off 65 nations from the export list. The revised list, details of which were first reported by the Israeli business newspaper Calcalist, now only includes 37 countries, down from the previous 102:

New Linux CronRAT hides in cron jobs to evade detection in Magecart attacks

25 November 2021 at 22:07

Security researchers discovered a new Linux RAT, tracked as CronRAT, that hides in scheduled cron jobs to avoid detection.

Security researchers from Sansec have discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) on February 31st.

Threat actors hides the malware in the task names, then the malicious code is constructed using several layers of compression and base64 decoding.

CronRAT is employed in Magecart attacks against online stores web stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.

Researchers explained that CronRAT malware is undetected by many antivirus engines, it leverages the fact that many security products do not scan the Linux cron system.

Below is the list of capabilities implemented by CronRAT:

  • Fileless execution
  • Timing modulation
  • Anti-tampering checksums
  • Controlled via binary, obfuscated protocol
  • Launches tandem RAT in separate Linux subsystem
  • Control server disguised as “Dropbear SSH” service
  • Payload hidden in legitimate CRON scheduled task names

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system.” reads the post published by Sansec. “https://sansec.io/research/cronrat”

In the attacks investigated by Sansec, CronRAT was used to inject payment skimmers (aka Magecart) in server-side code.

E-skimming attacks are moving from the browser to the server because the back-end is usually unprotected compared with the browser, Sansec director of threat research Willem de Groot explained.

The CronRAT adds a number of tasks to crontab with the date specification “52 23 31 2 3,” which would generate a run time error when executed despite are syntactically valid. However, the researchers pointed out that the run time error will never happen because the tasks are scheduled to run on a day that doesn’t exist.

CronRAT

Once executed, the malware contacts a command and control (C2) server (47.115.46.167) using a feature of the Linux kernel that enables TCP communication via a file.

The malware contacts the server over TCP via port 443 using a fake banner for the Dropbear SSH service.

Sansec found instance of CronRAT on multiple online stores, including a nation’s largest outlet. The experts had to rewrite part of their eComscan algorithm in order to detect this innovative threat.

“CronRAT is currently undetected by other security vendors.” concludes Sansec.

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

The post New Linux CronRAT hides in cron jobs to evade detection in Magecart attacks appeared first on Security Affairs.

Product Releases Should Not Be Scary

25 November 2021 at 17:52
Every Product Manager and Software Developer should know that pushing feature updates to production via traditional channels is as archaic as painting on cave walls. The smart are always quick to adapt to new, innovative technologies, and this mindset is exactly what makes normal companies great. The landscape is changing fast, especially in IT. Change isn't just necessary, but more often than
❌