Normal view
CERT-UA warns of malware campaign conducted by threat actor UAC-0006
The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006.
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of surge in in cyberattacks linked to the financially-motivated threat actor UAC-0006.
UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which are used to support financial activities, such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.
The government experts reported that the group carried out at least two massive campaigns since May 20, threat actors aimed at distributing SmokeLoader malware via email.
SmokeLoader acts as a loader for other malware, once it is executed it will inject malicious code into the currently running explorer process (explorer.exe) and downloads another payload to the system.
“Starting from May 20th, hackers have launched at least two massive campaigns with emails containing the SmokeLoader malware.” read the advisory published by CERT-UA.
The attackers sent out emails with ZIP archives containing an IMG files that serves as decoys for hidden EXE malware and ACCDB documents. The documents are weaponized Microsoft Access files, upon enabling the malicious macros they execute PowerShell commands to download and run EXE files.
The researchers observed that following the initial infection, additional malware such as TALESHOT and RMS are downloaded onto the targeted PC.
The UAC-0006 actor is using a botnet composed of several hundred infected machines.
“Currently, UAC-0006’s bot network consists of several hundred infected machines. CERT-UA believes that hackers may soon activate fraudulent schemes using remote banking systems.” continues the report.
CERT-UA warned Ukrainian CEOs to enhance cybersecurity measures for accountants’ automated workplaces. IT shared indicators of compromise for this campaign and is urging to implement proper security policies and protection mechanisms.
In May 2023, Ukraine’s CERT-UA warned of another phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.
UAC-0006 is the most active financially-motivated threat actor targeting Ukraine businesses, has already attempted to steal tens of million hryvnias through mass online theft campaigns in August-October 2023.
CERT-UA published an article that provides more details of the group’s TTPs.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ukraine)
- Security Affairs
- Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
International Press – Newsletter
Cybercrime
Healthcare company WebTPA discloses breach affecting 2.5 million people
Cybercriminals Are Targeting Elections In India With Influence Campaigns
Laundering cash from healthcare, romance scams lands US man in prison for a decade
He Trained Cops to Fight Crypto Crime—and Allegedly Ran a $100M Dark-Web Drug Market
Man behind deepfake Biden robocall indicted on felony charges, faces $6M fine
Dark Web Profile: Dispossessor Ransomware
Malware
Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns
GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure
Spyware found on US hotel check-in computers
A Catalog of Hazardous AV Sites – A Tale of Malware Hosting
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Malware Transmutation! – Unveiling the Hidden Traces of BloodAlchemy
Hacking
Two Santa Cruz students uncover security bug that could let millions do their laundry for free
QNAP QTS zero-day in Share feature gets public RCE exploit
Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)
Positive Technologies detects a series of attacks via Microsoft Exchange Server
Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors
Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion
Google fixes eighth actively exploited Chrome zero-day this year
Intelligence and Information Warfare
IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders
Russia’s New Counterspace Weapon Is in the Same Orbit as a US Satellite
Operational Monitoring and Control Of Small Arms Weapons Within the People’s Liberation Army
Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea
Putin hijacked Austria’s spy service. Now he’s going after its government
Cybersecurity
Palantir’s Military AI Tech Conference Sounds Absolutely Terrifying
UK watchdog looking into Microsoft AI taking screenshots
Wargames director Jackie Schneider on why cyber is one of ‘the most interesting scholarly puzzles’
US Looks to Create Paranoia Amongst Hackers to Fight Ransomware Gangs, but How?
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack
Malicious actors compromised the JAVS Viewer installer to deliver the RustDoor malware in a supply chain attack.
Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software.
The attackers were able to inject a backdoor in the JAVS Viewer v8.3.7 installer that is being distributed from the JAVS’ servers.
Justice AV Solutions (JAVS) is a U.S.-based company providing digital audio-visual recording solutions for courtroom settings and other environments, including jails, councils, and lecture rooms. The JAVS Viewer has over 10,000 installations globally. The backdoor delivered by the researchers allows attackers to gain full control of infected systems. Rapid7 experts recommend to re-image the affected systems, reset associated credentials, and install the latest version of JAVS Viewer (v8.3.8 or higher).
The researchers noticed that the installer for JAVS Viewer Setup 8.3.7.250-1.exe was digitally signed with an unexpected Authenticode signature and included a binary called fffmpeg.exe. The binary executed encoded PowerShell scripts, Rapid7 linked fffmpeg.exe to the GateDoor/Rustdoor malware, which was identified by security firm S2W.
“Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”.” reads the report published by Rapid7. “Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.
“The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe
(SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.”
The researchers discovered
On April 2, 2024, the X user @2RunJack2 first reported of the implant distributed by the official JAVS downloads page.
Rapid7 published Indicators of Compromise (IoC) for this attack, below is the attack timeline:
- Feb 10, 2024: A certificate is issued for the subject Vanguard Tech Limited, which the certificate indicates is based in London.
- Feb 21, 2024: The first of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
- April 2, 2024: The Twitter user @2RunJack2 tweets about malware being served by the official JAVS downloads page. It’s not stated whether the vendor was notified.
- Mar 12, 2024: The second of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
- May 10, 2024: Rapid7 investigates a new alert in a Managed Detection and Response customer environment. The source of the infection is traced back to an installer that was downloaded from the official JAVS site. The malware file that was downloaded by the victim, the first Viewer package, is not observed to be accessible on the vendor’s download page. It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor).
- May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000:
chrome_installer.exe
,firefox_updater.exe
, andOneDriveStandaloneUpdater.exe
. - May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site. This confirms that the vendor site was the source of the initial infection.
- May 17, 2024: Rapid7 discovers that the threat actor removed the binary
OneDriveStandaloneUpdater.exe
from C2 infrastructure and replaced it with a new binary,ChromeDiscovery.exe
. This indicates that the threat actor is actively updating their C2 infrastructure.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, JAVS Viewer)
Fake AV websites used to distribute info-stealer malware
Threat actors used fake AV websites masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes to distribute malware.
In mid-April 2024, researchers at Trellix Advanced Research Center team spotted multiple fake AV sites used to distribute info-stealers. The malicious websites hosted sophisticated malicious files such as APK, EXE and Inno setup installer, including Spy and Stealer capabilities.
The fake websites were masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes.
The sites hosting malware are avast-securedownload.com (Avast.apk), bitdefender-app.com (setup-win-x86-x64.exe.zip), malwarebytes.pro (MBSetup.rar).
Below is the list of malicious websites analyzed by the researchers:
- avast-securedownload[.]com: Distributes the SpyNote trojan as an Android package file (“Avast.apk”), which, once installed, requests intrusive permissions such as reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.
- bitdefender-app[.]com: Distributes a ZIP archive file (“setup-win-x86-x64.exe.zip”) that was used to deploy the Lumma information stealer.
- malwarebytes[.]pro: Distributes a RAR archive file (“MBSetup.rar”) that was used to deploy the StealC information stealer malware.
The experts also discovered a malicious Trellix binary that pretends to be Legit (AMCoreDat.exe).
The researchers did not attribute the attacks to a specific threat actor. The report also includes Indicators of Compromise (IoCs) for the attacks employing fake AV websites.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, fake AV websites)
MITRE December 2023 attack: Threat actors created rogue VMs to evade detection
The MITRE Corporation revealed that threat actors behind the December 2023 attacks created rogue virtual machines (VMs) within its environment.
The MITRE Corporation has provided a new update about the December 2023 attack. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.
According to the MITRE Corporation, China-linked nation-state actor UNC5221 breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.
MITRE spotted the foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.
The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.
Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.
The organization said that the core enterprise network or partners’ systems were not affected by this incident.
According to the new update, threat actors exploited zero-day flaws in Ivanti Connect Secure (ICS) and created rogue virtual machines (VMs) within the organization’s VMware environment.
“The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.” reads the latest update. “By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.”
The attackers deployed rogue virtual machines (VMs) to evade detection by hiding their activities from centralized management interfaces like vCenter. This tactic allows them to control the compromised systems while minimizing the risk of discovery.
On January 7, 3034, the adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell tracked as BEEFLUSH, enabling persistent access and arbitrary command execution.
The hackers relied on SSH manipulation and script execution to maintain control over the compromised systems. Mitre noted attackers exploiting a default VMware account to list drives and generate new VMs, one of which was removed on the same day. BRICKSTORM was discovered in directories with local persistence setups, communicating with designated C2 domains. BEEFLUSH interacted with internal IP addresses, executing dubious scripts and commands from the vCenter server’s /tmp directory
In the following days, the threat actors deployed additional payloads on the target infrastrcuture, including the WIREFIRE (aka GIFTEDVISITOR) web shell, and the BUSHWALK webshell for data exfiltration.
The threat actors exploited a default VMware account, VPXUSER, to make API calls for enumerating drives. They bypassed detection by deploying rogue VMs directly onto hypervisors, using SFTP to write files and executing them with /bin/vmx. These operations were invisible to the Center and the ESXi web interface. The rogue VMs included the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets.
“Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs.” continues the update. “This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.”
MITRE shared two scripts, Invoke-HiddenVMQuery and VirtualGHOST, that allow admins to identify and mitigate potential threats within the VMware environment. The first script, developed by MITRE, Invoke-HiddenVMQuery is written in PowerShell and serves to detect malicious activities. It scans for anomalous invocations of the /bin/vmx
binary within rc.local.d
scripts.
“As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats. By understanding and countering their new adversary behaviors, we can bolster our defenses and safeguard critical assets against future intrusions.” MITRE concludes.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, China)
Experts Find Flaw in Replicate AI Service Exposing Customers' Models and Data
An XSS flaw in GitLab allows attackers to take over accounts
GitLab addressed a high-severity cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to take over user accounts.
GitLab fixed a high-severity XSS vulnerability, tracked as CVE-2024-4835, that allows attackers to take over user accounts.
An attacker can exploit this issue by using a specially crafted page to exfiltrate sensitive user information.
The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.
The flaw was addressed with the release of versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
“A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.” reads the advisory published by the company. “By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.”
matanber reported this vulnerability through our HackerOne bug bounty program, he received a $10,270 bounty.
Below is the list of vulnerabilities addressed by the company:
In early May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The flaw can be exploited to hijack an account without any interaction.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, XSS)