CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
CISA added the flaw to the KEV catalog after Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium”) used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028.
Since at least June 2020, and possibly earlier, the cyberespionage group has used the tool GooseEgg to exploit the CVE-2022-38028 vulnerability. This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. Microsoft has observed APT28 using GooseEgg in post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.
While GooseEgg is a simple launcher application, threat actors can use it to execute other applications specified at the command line with elevated permissions. In a post-exploitation scenario, attackers can use the tool to carry out a broad range of malicious activities such as remote code execution, installing backdoors, and moving laterally through compromised networks.
The vulnerability CVE-2022-38028 was reported by the U.S. National Security Agency and Microsoft addressed it with the release of Microsoft October 2022 Patch Tuesday security updates.
APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by May 14, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
DOJ arrested the founders of crypto mixer Samourai for facilitating $2 Billion in illegal transactions
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of the cryptocurrency mixer Samourai.
The U.S. Department of Justice (DoJ) has arrested two co-founders of the cryptocurrency mixer Samourai and seized the service. The allegations include claims of facilitating over $2 billion in illicit transactions and laundering more than $100 million in criminal proceeds.
The duo, Keonne Rodriguez (35) and William Lonergan Hill (65), are charged with operating Samourai Wallet, which DoJ states is an unlicensed money-transmitting business.
Keonne Rodriguez was the Chief Executive Officer of Samourai Wallet (“Samourai”), while William Lonergan Hill was the company’s Chief Technology Officer.
“These charges arise from the defendants’ development, marketing, and operation of a cryptocurrency mixer that executed over $2 billion in unlawful transactions and facilitated more than $100 million in money laundering transactions from illegal dark web markets, such as Silk Road and Hydra Market,” reads the press release published by the DoJ.
RODRIGUEZ was arrested and is set to appear before a U.S. Magistrate Judge in the Western District of Pennsylvania. HILL was also arrested yesterday in Portugal following U.S. criminal charges. The United States aims to extradite HILL to face trial in the country.
The cryptocurrency mixer operated from about 2015 through February 2024. The DoJ states that both defendants were aware that a substantial portion of the funds the service processed were criminal proceeds passed through Samourai for purposes of concealment.
“While offering Samourai as a “privacy” service, the defendants knew that it was a haven for criminals to engage in large-scale money laundering and sanctions evasion.” continues the DoJ. “Indeed, as the defendants intended and well knew, a substantial portion of the funds that Samourai processed were criminal proceeds passed through Samourai for purposes of concealment.”
Rodriguez and Hill implemented features in the platform aimed at aiding individuals involved in criminal activities to obscure the origin of their proceeds. One feature, “Whirlpool,” offers a cryptocurrency mixing service that batches cryptocurrency exchanges among users to hinder law enforcement tracing on the Blockchain. Another feature, “Ricochet,” adds unnecessary intermediate transactions (“hops”) when sending cryptocurrency to obscure its origin.
Both features are aimed at evading detection by law enforcement and making investigations into illicit transactions more difficult.
“Similarly, RODRIGUEZ and HILL possessed and transmitted to potential investors marketing materials that discussed how Samourai’s customer base was intended to include criminals seeking privacy or the subversion of safeguards and reporting requirements by financial institutions,” continues the press release. “For example, in Samourai’s marketing materials, RODRIGUEZ and HILL similarly acknowledge that the individuals most likely to use a service like Samourai include individuals engaged in criminal activities, including “Restricted Markets.””
The DoJ also shared an excerpt from Samourai’s marketing materials showing the founders acknowledging that its revenues will be derived from “Dark/Grey Market participants” seeking to “swap their bitcoins with multiple parties” to avoid detection:
Since the launch of Whirlpool in 2019 and Ricochet in 2017, the mixer processed over 80,000 BTC (equivalent to over $2 billion), generating approximately $3.4 million in fees for Whirlpool transactions and $1.1 million for Ricochet transactions.
The joint operation conducted by US authorities with the help of Europol and law enforcement authorities in Iceland and Portugal led to the seizure of Samourai’s web servers and domain (https://samourai.io/). The police also issued a seizure warrant for Samourai’s mobile application on the Google Play Store, and the app was removed from the Google Play Store in the United States.
The authorities charged the defendants with one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison, and one count of conspiracy to operate an unlicensed money transmitting business, which carries a maximum sentence of five years in prison.
Google fixed critical Chrome vulnerability CVE-2024-4058
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics layer engine.
Google addressed four vulnerabilities in the Chrome web browser, including a critical vulnerability tracked as CVE-2024-4058.
The vulnerability CVE-2024-4058 is a Type Confusion issue that resides in the ANGLE graphics layer engine. An attacker can exploit this vulnerability to execute arbitrary code on a victim’s machine.
This critical flaw was reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02; the researchers were awarded a $16,000 bounty.
The IT giant also fixed a high-severity flaw tracked as CVE-2024-4059. The flaw is an out-of-bounds read in the V8 API. The vulnerability was discovered by Eirik on 2024-04-08.
Google also fixed another high-severity flaw tracked as CVE-2024-4060. The flaw is a use-after-free in Dawn, an open-source, cross-platform implementation of the WebGPU standard. The vulnerability was reported by wgslfuzz on 2024-04-09.
The Stable channel has been updated to 124.0.6367.78/.79 for Windows and Mac. Linux version 124.0.6367.78 will be rolled out over the coming days/weeks.
Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November 2023 to breach government networks.
Cisco Talos warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.
Cisco Talos researchers tracked this cyber-espionage campaign as ArcaneDoor.
Early in 2024, a customer contacted Cisco to report suspicious activity related to its Cisco Adaptive Security Appliances (ASA). PSIRT and Talos launched an investigation to support the customer.
The experts discovered that the UAT4356 group deployed two backdoors, respectively called “Line Runner” and “Line Dancer.”
Cisco reported that the sophisticated attack chain employed by the attackers impacted a small set of customers. The experts have yet to identify the initial attack vector; however, they discovered that the threat actors exploited two vulnerabilities (CVE-2024-20353, a denial of service, and CVE-2024-20359, a persistent local code execution) as zero-days in these attacks.
Line Dancer is an in-memory implant that acts as a memory-resident shellcode interpreter, allowing adversaries to execute arbitrary shellcode payloads. On compromised ASA devices, attackers utilize the host-scan-reply field to deliver shellcode, bypassing the need for CVE-2018-0101 exploitation. By redirecting the pointer to the Line Dancer interpreter, attackers can interact with the device through POST requests without authentication. Threat actors used Line Dancer to execute various commands, including disabling syslog, extracting configuration data, generating packet captures, and executing CLI commands. Additionally, Line Dancer hooks into the crash dump and AAA processes to evade forensic analysis and establish remote access VPN tunnels.
Line Runner allows attackers to maintain persistence on compromised ASA devices. It exploits a legacy capability related to VPN client pre-loading, triggering at boot by searching for a specific file pattern on disk0:. Upon detection, it unzips and executes a Lua script, providing persistent HTTP-based backdoor access. This backdoor survives reboots and upgrades, allowing threat actors to maintain control. Additionally, Line Runner was observed retrieving staged information facilitated by the Line Dancer component.
“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective.” reads the alert published by Cisco, which also includes Indicators of Compromise (IOCs). “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”
Hackers hijacked the eScan Antivirus update mechanism in malware campaign
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.
Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.
Threat actors employed two different types of backdoors and targeted large corporate networks.
The researchers believe the campaign could be attributed to the North Korea-linked APT Kimsuky. The final payload distributed by GuptiMiner was also XMRig.
“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast. “The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”
The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.
The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.
The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection.
Below is the infection chain described by Avast:
- The eScan updater triggers the update
- The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed)
- A malicious package updll62.dlz is downloaded and unpacked by eScan updater
- The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart
- If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for the services.exe process and injects its next stage into the first one it can find
- Cleanup is performed, removing the update package
GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.
GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.
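The two paragraphs above describe GuptiMiner resolving its C2 addresses through TXT records fetched directly from attacker-run DNS servers rather than through the organisation's resolvers. As an added example (not from Avast's report or this article), the following Python flags that pattern in constructed DNS query logs; the approved-resolver set, the log layout and all IP addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: the organisation's own recursive resolvers. Every DNS query
# from an endpoint is expected to go to one of these.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample records (not real traffic) in a simple layout:
# <timestamp> <src_ip> <dst_ip> <qtype> <qname>
SAMPLE_LOG = """\
2024-04-23T10:00:01Z 10.0.5.21 10.0.0.53 A update.example.test
2024-04-23T10:00:02Z 10.0.5.21 10.0.0.53 TXT _dmarc.example.test
2024-04-23T10:00:05Z 10.0.5.42 203.0.113.7 TXT cdn-check.example.test
2024-04-23T10:00:06Z 10.0.5.42 203.0.113.7 TXT cdn-check.example.test
2024-04-23T10:00:09Z 10.0.5.77 198.51.100.9 A mail.example.test
malformed line that should be skipped
"""


@dataclass(frozen=True)
class DnsEvent:
    ts: str
    src_ip: str
    dst_ip: str
    qtype: str
    qname: str


@dataclass(frozen=True)
class Finding:
    src_ip: str
    dst_ip: str
    qname: str
    qtype: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one log record; return None for anything not in the expected shape."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, qtype, qname = parts
    return DnsEvent(ts, src, dst, qtype.upper(), qname.rstrip(".").lower())


def classify(ev: DnsEvent, approved=APPROVED_RESOLVERS) -> Optional[Finding]:
    """Queries to approved resolvers are normal. A TXT query sent straight to
    some other server matches the GuptiMiner C2 behaviour and is rated high;
    any other query bypassing the resolvers is a low-severity policy deviation."""
    if ev.dst_ip in approved:
        return None
    if ev.qtype == "TXT":
        return Finding(ev.src_ip, ev.dst_ip, ev.qname, ev.qtype, "high",
                       "TXT query sent directly to a non-approved DNS server")
    return Finding(ev.src_ip, ev.dst_ip, ev.qname, ev.qtype, "low",
                   "DNS query bypassing the approved resolvers")


def detect(lines: Iterable[str], approved=APPROVED_RESOLVERS) -> List[Finding]:
    """Run classification over a log, deduplicating repeated lookups so a
    beaconing host produces one finding per (source, server, name, type)."""
    seen = set()
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        finding = classify(ev, approved)
        if finding is None:
            continue
        key = (finding.src_ip, finding.dst_ip, finding.qname, finding.qtype)
        if key in seen:
            continue
        seen.add(key)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.src_ip} -> {f.dst_ip} {f.qtype} {f.qname}: {f.reason}")
```

The high-severity rule depends on endpoints being blocked from reaching port 53 on anything but the approved resolvers at the firewall; where that egress rule exists, the query log itself becomes the place this tactic shows up.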
In the second stage, the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that loads the Stage 3 malware, Puppeteer.
Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.
Surprisingly, the ultimate payload disseminated by GuptiMiner can also be XMRig, which was somewhat unexpected given the level of sophistication of this campaign.
The researchers speculate that using the miner could be a diversionary tactic.
“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”
US offers a $10 million reward for information on four Iranian nationals
The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their role in cyberattacks against the U.S.
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on four Iranian nationals for their involvement in cyberattacks against the U.S. government, defense contractors, and private companies. OFAC has also sanctioned two front companies, Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA), linked to the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).
The Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) is an organization within the Iranian government responsible for cybersecurity and cyber warfare. It is considered a major threat by many countries, including the United States, due to its involvement in various malicious cyber activities.
The Iranian nationals were involved in attacks against more than a dozen U.S. companies and government entities. The individuals launched spear-phishing and malware attacks. The U.S. Department of Justice and the Federal Bureau of Investigation unsealed an indictment against the four individuals for their roles in these cyber operations.
“Iranian malicious cyber actors continue to target U.S. companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States will continue to leverage our whole-of-government approach to expose and disrupt these networks’ operations.”
Iranian cyber actors persist in targeting the United States through various malicious cyber activities, including ransomware attacks on critical infrastructure and spear phishing campaigns against individuals, companies, and government entities.
The four Iranian nationals, Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab, are accused of participating in a malware operation that used spear-phishing and other hacking techniques to harvest hundreds of thousands of corporate employee accounts.
Alireza Shafie Nasab and Reza Kazemifar Rahman targeted the U.S. entities while employed by MASN. Kazemifar was involved in the attacks against the Department of the Treasury. Hosein Mohammad Harooni targeted the Treasury Department and other U.S. entities using spear phishing and social engineering. Komeil Baradaran Salmani operated with several IRGC-CEC front companies and was involved in spear-phishing campaigns targeting various U.S. entities, including the Department of the Treasury.
“As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.” reads the announcement. “In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.”
The four men are still at large.
The Department of State also announced a $10 million reward for information leading to the arrest of the four Iranian nationals.
In February, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on six Iranian government officials associated with cyberattacks targeting critical infrastructure organizations in the US and abroad.
The street lights in Leicester City cannot be turned off due to a cyber attack
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all day and severely impacted the council’s operations.
The Leicester City Council suffered a cyber attack that severely impacted the authority’s services in March and led to the leak of confidential documents. The ransomware group behind the attack leaked multiple documents, including rent statements and applications to buy council houses. The attack occurred on March 7 and crippled the city council’s IT systems.
Some lights have been stuck on all day due to the cyber attack, and the council is unable to turn them off.
“Beaumont Leys resident Roger Ewens, 65, noticed the street lights in his road were on constantly and asked the city council why. He was surprised when he received a reply blaming the cyber attack for affecting the “central management system” and leading to the streetlights “misbehaving”.” reported the website LeicesterLive.
The issue with street lighting should be fully resolved by the end of next week.
“We are aware of a number of streetlights that are staying on during the day. This is due to a technical issue connected to the recent cyber attack, when we were forced to shut down our IT systems. It means we are currently not able to remotely identify faults in the street lighting system.” said a city council spokesperson. “The default mode for faults is that the lights stay on to ensure that roads are not left completely unlit and become a safety concern. There are a number of steps required to resolve the problem, and we are working through these as quickly as we can.”
North Korea-linked APT groups target South Korean defense contractors
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities.
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities to steal defense technology information.
North Korea-linked APT groups Lazarus, Andariel, and Kimsuky hacked multiple defense companies in South Korea, reported the National Police Agency.
The state-sponsored hackers hacked into the subcontractors of defense companies by exploiting vulnerabilities in the targeted systems and deployed malware.
“North Korean hacking organizations sometimes infiltrated defense companies directly, and their security is relatively low. Hacking into vulnerable defense industry partners and stealing the defense industry company’s server account information. Afterwards, it was discovered that threat actors had infiltrated major servers without permission and distributed malware.” reads the Police’s advisory shared by BleepingComputer.
The National Police Agency and the Defense Acquisition Program Administration (DAPA) conducted a series of special inspections of the environments of the targeted organizations.
The joint inspections occurred between January 15 and February 16, and the impacted organizations implemented protective measures.
The Police states that the attacks are carried out in the form of an all-out war that sees the participation of multiple APT groups. The government experts warned that the attackers employed sophisticated hacking techniques.
The South Korea National Police Agency provided details of multiple attacks carried out by different APT groups.
In one case, the Lazarus APT group successfully breached an organization due to poorly protected infrastructure. The group had access to the network of a defense industry company since November 2022. The hackers deployed malware, took control of the company’s internal network and exfiltrated important data, including information stored on the computers of employees in the development team. The hackers breached at least 6 internal computers, and the stolen data were sent to overseas cloud servers.
In a second case attributed to the Andariel APT group, threat actors used an account of an employee of a company that maintains the server of a defense industry company. The attackers stole the account in October 2022 and used it to deploy malware on the servers of defense subcontractors. The malware was used to exfiltrate technical data of valuable defense technology. The Police noticed that the employee was using the same password for personal and work accounts.
In a third attack linked to Kimsuky, the APT group exploited a vulnerability in the email server of a defense subcontractor between April and July 2023. Attackers exploited the flaw to download large files containing technical data without any authentication.
The National Police Agency recommends that defense companies and their subcontractors enhance their cybersecurity.
“North Korea’s hacking attempts targeting defense technology will continue.” concludes the advisory. “The National Police Agency will continue to track and investigate state-sponsored hacking organizations linked to North Korea.”
U.S. Gov imposed Visa restrictions on 13 individuals linked to commercial spyware activity
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the commercial spyware business.
The US Department of State is imposing visa restrictions on 13 individuals involved in the development and sale of commercial spyware or their immediate family members. The measure aims to counter the misuse of surveillance technology targeting journalists, academics, human rights defenders, dissidents, and US Government personnel, as documented in the Country Reports on Human Rights Practices.
“the Department is taking steps to impose visa restrictions on 13 individuals who have been involved in the development and sale of commercial spyware or who are immediate family members of those involved.” reads the announcement. “These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and U.S. Government personnel.”
The announcement doesn’t name the individuals targeted by the visa restrictions.
The visa restrictions are part of a broader initiative launched by the US government aimed at countering the proliferation of commercial spyware. Other measures proposed and adopted by the US authorities include restrictions on the government’s use of such spyware, export controls, and sanctions to promote accountability.
“The US government believes that the engagement of civil society and the private sector in identifying technological solutions to prevent the misuse of spyware, safeguard human rights defenders, and strengthen the resilience of victims is essential.”
In February, the U.S. State Department announced it is implementing a new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware.
The policy underscores the U.S. Government’s commitment to addressing the misuse of surveillance software, which poses a significant threat to society.
“The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association. Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases. Additionally, the misuse of these tools presents a security and counterintelligence threat to U.S. personnel.” reads the announcement. “The United States stands on the side of human rights and fundamental freedoms and will continue to promote accountability for individuals involved in commercial spyware misuse.”
The policy specifically addresses the abuse of commercial spyware for unlawfully surveilling, harassing, suppressing, or intimidating individuals.
Visa restrictions target individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware and also surveillance companies that act on behalf of governments.
The restrictions are extended to the immediate family members of the targeted individuals, including spouses and children of any age.
In March 2023, the US Government issued an Executive Order on the prohibition on use by the United States Government of commercial spyware that poses risks to national security.
In July 2023, the Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Intellexa and Cytrox to the Entity List for trafficking in cyber exploits used to gain access to information systems.
The Entity List maintained by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) is a trade control list created and maintained by the U.S. government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten the U.S. national security or foreign policy interests.
The U.S. Government warns of the key role that surveillance technology plays in surveillance activities that can lead to repression and other human rights abuses.
The Commerce Department’s action targeted the above companies because their technology could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.
The financial entities added to the Entity List include Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.
In May 2023, Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.
The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.
According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.
In December 2022, a report published by CitizenLab researchers detailed the use of the Predator spyware against exiled politician Ayman Nour and the host of a popular news program.
The disconcerting aspect of these attacks is that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different nation-state actors.
The exploits were used to initially deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.
In November 2021, the Commerce Department’s Bureau of Industry and Security (BIS) sanctioned four companies for the development of spyware or the sale of hacking tools used by nation-state actors.
The surveillance firms were NSO Group and Candiru from Israel, Computer Security Initiative Consultancy PTE. LTD from Singapore, and Positive Technologies from Russia.
NSO Group and Candiru were sanctioned for the development and sale of surveillance software used to spy on journalists and activists. Positive Technologies and Computer Security Initiative Consultancy PTE. LTD. are being sanctioned because both entities traffic in cyber exploits used by threat actors to compromise computer networks of organizations worldwide. The US authorities have added the companies to the Entity List based on their engagement in activities counter to U.S. national security.
In the last couple of years, surveillance firms like NSO Group and Candiru made the headlines because totalitarian regimes used their spyware to spy on journalists, dissidents, and government opposition.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, commercial spyware)
A cyber attack paralyzed operations at Synlab Italia
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical diagnosis services, since April 18.
Since April 18, Synlab Italia, a major provider of medical diagnosis services, has been experiencing disruptions due to a cyber attack.
The company initially cited technical issues as the cause, leading to a “temporary interruption of access to computer and telephone systems and related services.” However, a more concerning picture emerged a few hours later.
The company has released a statement informing customers of the ongoing attack and has “disabled” all company computer systems in Italy as a precautionary measure.
Patients are facing significant disruptions, with many social media users complaining about their inability to access urgently needed diagnostic test results.
The company’s statement announced the suspension of all activities at sampling points, medical centers, and laboratories in Italy until further notice.
Synlab immediately investigated the incident and is working with external experts to contain it.
Certain passages of the statement raise particular concerns:
“SYNLAB informs all Patients and Customers that it has been the victim of a hacker attack on its computer systems throughout the national territory. As a precaution, all company computer systems in Italy were immediately disabled following the identification of the attack and in accordance with the company’s computer security procedures.”
[SYNLAB] is currently unable to determine when operations can be restored.
These statements highlight the need for the company to isolate systems to prevent the spread of the threat and mitigate its impact.
Such drastic containment measures are typically associated with malware infections, while the unavailability of affected systems often suggests a ransomware infection.
Companies that suffer a ransomware attack therefore cannot predict when they will be operational again, because they first need to eradicate the threat from the affected systems and restore from backups.
Another concern for companies affected by ransomware is the potential exfiltration of data. If health information is stolen in the case of SYNLAB Italy, it would pose a serious risk to affected customers’ privacy and security.
The latest update provided by the company states:
“Currently, the SYNLAB task force is analyzing every single part of the IT infrastructure, including backup systems, in order to restore its systems securely as soon as possible. The company has also filed a report with the Postal Police and initiated the preliminary notification procedure to the Italian Data Protection Authority.” reads the statement. “SYNLAB has apologized to its patients for the inconveniences caused by the current situation and has made available dedicated telephone and social media channels for managing requests and providing information, referring to all facilities in the territories. The company is continuously updating patients, clients, and the public through the website www.synlab.it and social media channels.”
A similar scenario occurred previously at the French branch of the group, Synlab.fr, when it was targeted in an attack by the Clop group, specializing in extortion activities. While the attacks appear unrelated, they serve as a warning for the entire sector.
The increasing number of attacks against healthcare companies exposes the medical information of millions of citizens, which remains easily accessible to criminals.
In February 2024, a cybersecurity alert published by the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted attacks conducted by the ALPHV/Blackcat ransomware operation.
The US agencies released a report containing IOCs and TTPs associated with the ALPHV Blackcat RaaS operation identified through law enforcement investigations conducted as recently as February 2024.
As for the Synlab case, further information on the incident is awaited as the company works to restore operations and secure user information.
Italian readers can take a look at my post in the Italian newspaper La Repubblica:
Last Week in Security (LWiS) - 2024-04-22
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-16 to 2024-04-22.
News
- VASA-1: Lifelike Audio-Driven Talking Faces Generated in Real Time - Just when you thought you could trust the CFO ordering you to transfer all that money via Zoom...
- Build the future of AI with Meta Llama 3 - The best "open source" (sort of) model yet. Local AI just got a big boost.
- How we built the new Find My Device network with user security and privacy in mind - Google enters the "Find My" crowdsourced device-locating network game with the similarly named "Find My Device" network. It supports the standard that allows trackers to be detected by iOS devices (and vice versa), so unwanted trackers will alert users.
- GitHub comments abused to push malware via Microsoft repo URLs - Because GitHub will upload a file to a publicly accessible URL during comment editing, actors don't need to publish comments to get files hosted under trusted projects' URLs. If you're ok with giving your payload to Microsoft (GitHub), this is a pretty sneaky way to host it.
- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects - Echoes of the XZ backdoor are still being felt.
- SSO tax, cut - Tailscale is the best VPN solution there is (unsponsored opinion). Between this change and Tailnet lock, they have eliminated all issues I had with their service. If you're a self-hosting true purist, there is still headscale.
- MITRE Response to Cyber Attack in One of Its R&D Networks - MITRE was hit with the Ivanti 0day. Good transparency on what took place. Additional details here.
- An Introduction to the Canadian Program for Cyber Security Certification (CPCSC) - Starting at the end of 2024, Canadian defense industry suppliers will need to be certified under the Canadian Program for Cyber Security Certification (CPCSC) to bid on certain government contracts, an initiative designed to enhance security measures within the nation's federal contracting processes.
- What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners? - A misconfigured North Korean internet server exposes the nation's outsourcing of animation work. Is your "IT partner" North Korea?
Techniques and Write-ups
- ouned.py: Exploiting Hidden Organizational Units Acl Attack Vectors in Active Directory - You know "GenericAll" but what other OU permissions can be abused in Active Directory? Read this post to learn about gPLink poisoning. OUned is the tool.
- CVE-2023-6345: Integer overflow in Skia MeshOp::onCombineIfPossible - An integer overflow in the Skia graphics library has been used to exploit Chrome. The fact that it would not appear in debug builds due to assert calls that are not compiled into release builds is interesting. Make sure you are fuzzing release binaries!
- Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers - A very in-depth post on Android app Intents and how they can be exploited, especially in "high security" apps like chat or cryptocurrency apps.
- CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM - The out-of-band management chips on enterprise servers are notorious for being vulnerable. Cisco's is no exception.
- LSA Whisperer - Some seriously in-depth research into the local security authority (LSA) of Windows which leads to all kinds of functionality. My favorite is the possible use of CacheLogon to cache a specific NT hash into an active logon session which will allow for stable Pass-the-hash without having to patch LSASS memory (but will require injection into LSASS). I can only imagine the amount of reverse-engineering it took to get to the lsa-whisperer.
- A Crash Course in Hardware Hacking Methodology: The Ones and Zeros - A good primer on IoT hacking.
- Passbolt: a bold use of HaveIBeenPwned - Passbolt is a password manager that uses the HaveIBeenPwned API to check if a password has been compromised. This post goes into the details of how they implemented it.
- Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI - Saving some of the commands here for future use. Those AWS AMIs can certainly come in handy.
- ROPGadget: Writing a ROPDecoder - This post discusses creating a ROPDecoder from scratch, detailing the selection and use of ROP gadgets to encode and decode shellcode, and automating the process to handle bad characters effectively in exploit dev.
- The Windows Registry Adventure #1: Introduction and research results - Wild. Mateusz Jurczyk of Google Project Zero audited the Windows Registry for local privilege escalation bugs over 20 months, identifying multiple vulnerabilities now fixed as 44 CVEs by Microsoft, utilizing methods from fuzzing to manual review in an extensive security research effort.
- State of DevSecOps - Datadog's State of DevSecOps report is out. TLDR - Java/JS account for tons of issues, automated security scanners are just noise, the industry sucks at prioritizing what to fix, manual cloud deployments (no IaC) are still very common, and more.
Tools and Exploits
- CVE-2024-21111 - Oracle VirtualBox Elevation of Privilege (Local Privilege Escalation) Vulnerability.
- lsa-whisperer - Tools for interacting with authentication packages using their individual message protocols.
- KExecDD - Admin to Kernel code execution using the KSecDD driver.
- CloudConsoleCartographer - Released at Black Hat Asia on April 18, 2024, Cloud Console Cartographer is a framework for condensing groupings of cloud events (e.g. CloudTrail logs) and mapping them to the original user input actions in the management console UI for simplified analysis and explainability.
- PasteBomb - PasteBomb C2-less RAT. The creator of this project is only 13 years old. Impressive! Great work.
- poutine - poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD.
- panos-scanner - Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.
- LetMeowIn - A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
- MagicDot - A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- smugglefuzz - A rapid HTTP downgrade smuggling scanner written in Go.
- netz - Discover internet-wide misconfigurations while drinking coffee.
- cognito-scanner - A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation.
- Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover - A deep dive into AWS Amplify and how it can be abused.
- Elastic Universal Profiling agent, a continuous profiling solution, is now open source - Elastic has open sourced their profiling agent.
- Active Directory Hardening Series - Part 4 - Enforcing AES for Kerberos - Part 4 of the Active Directory Hardening Series.
- The Ultimate Guide for BloodHound Community Edition (BHCE) - A guide to BloodHound Community Edition. Also gives the background of the project for those that are new to Bloodhound in general.
- Living Off the Pipeline - "....to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection. "
- BAADTokenBroker - A post-exploitation tool designed to leverage device-stored keys (Device key, Transport key etc.) to authenticate to Microsoft Entra ID.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler service flaw.
Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium”) used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028.
Since at least June 2020, and possibly earlier, the cyberespionage group has used the tool GooseEgg to exploit the CVE-2022-38028 vulnerability. This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. Microsoft has observed APT28 using GooseEgg in post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.
While GooseEgg is a simple launcher application, threat actors can use it to execute other applications specified at the command line with elevated permissions. In a post-exploitation scenario, attackers can use the tool to carry out a broad range of malicious activities such as remote code execution, installing backdoors, and moving laterally through compromised networks.
The vulnerability CVE-2022-38028 was reported by the U.S. National Security Agency and Microsoft addressed it with the release of Microsoft October 2022 Patch Tuesday security updates.
APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information.
GooseEgg is usually deployed with a batch script, commonly named execute.bat or doit.bat. This script creates a file named servtask.bat, which includes commands for saving or compressing registry hives. The batch script then executes the GooseEgg executable and establishes persistence by scheduling a task that runs servtask.bat.
The GooseEgg binary supports four commands, each with different run paths.
Microsoft researchers noted that an embedded malicious DLL file often contains the phrase “wayzgoose” in its name, such as wayzgoose23.dll.
“wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.” reads the report published by Microsoft.
Microsoft reports include instructions for detecting, hunting, and responding to GooseEgg.
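A hunting sketch for the deployment chain described above, added here as an example and not code from Microsoft's report: it runs one rule per artifact the article names (execute.bat/doit.bat, servtask.bat, registry-hive saving, a scheduled task pointing at servtask.bat, a wayzgoose*.dll name) over constructed process-creation records, and flags a host only when several distinct artifacts co-occur. The record layout and the regexes are assumptions, not Microsoft's or Sysmon's schema.

```python
"""Hunting rules for the GooseEgg deployment chain described in the article.

Each rule keys on one artifact the text names. Events are a constructed,
simplified process-creation/image-load record (assumed layout), not real
telemetry, so the regexes are illustrative and should be tuned to your schema.
"""
import re
from collections import defaultdict

# Rule name -> pattern over "<cmdline> <image_loaded>" (case-insensitive).
RULES = {
    "launcher_batch": re.compile(r"\b(execute|doit)\.bat\b", re.I),
    "servtask_batch": re.compile(r"\bservtask\.bat\b", re.I),
    "hive_save":      re.compile(r"\breg(\.exe)?\s+save\b", re.I),
    "scheduled_task": re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\bservtask\.bat\b", re.I),
    "wayzgoose_dll":  re.compile(r"wayzgoose\w*\.dll", re.I),
}

# Constructed sample records: benign admin noise on ws-a, the full chain from
# the article on ws-b, and a single name collision on ws-c.
SAMPLE_EVENTS = [
    {"host": "ws-a", "user": "CORP\\admin",
     "cmdline": r'schtasks /create /tn Backup /tr "C:\Tools\backup.bat" /sc daily'},
    {"host": "ws-a", "user": "CORP\\admin", "cmdline": r"cmd.exe /c C:\Tools\deploy.bat"},
    {"host": "ws-b", "user": "CORP\\jdoe", "cmdline": r"cmd.exe /c C:\Users\Public\execute.bat"},
    {"host": "ws-b", "user": "CORP\\jdoe", "cmdline": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
    {"host": "ws-b", "user": "CORP\\jdoe",
     "cmdline": r"schtasks /create /tn servtask /tr C:\Users\Public\servtask.bat /sc onlogon"},
    {"host": "ws-b", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Windows\System32\spoolsv.exe",
     "image_loaded": r"C:\Windows\Temp\wayzgoose23.dll"},
    {"host": "ws-c", "user": "CORP\\dev", "cmdline": r"cmd.exe /c C:\proj\doit.bat"},
]


def match_rules(event):
    """Return the names of every rule matching this event, in RULES order."""
    text = event.get("cmdline", "") + " " + event.get("image_loaded", "")
    return [name for name, rx in RULES.items() if rx.search(text)]


def hunt(events, min_rules=2):
    """Group rule hits per host and keep hosts with at least min_rules distinct
    artifacts; a lone execute.bat or doit.bat is too common to page on.
    Returns {host: sorted rule names} for flagged hosts only."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: possible GooseEgg chain, artifacts={rules}")
```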
The APT28 group (aka Forest Blizzard, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.
The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
Most of APT28's campaigns leveraged spear-phishing and malware-based attacks.