Security Affairs, 30 May 2023

PyPI enforces 2FA authentication to prevent maintainers’ account takeover

30 May 2023 at 17:37

PyPI is going to enforce two-factor authentication (2FA) for all project maintainers by the end of this year over security concerns.

Due to security concerns, PyPI will be mandating the use of two-factor authentication (2FA) for all project maintainers by the end of this year.

Over the past few years, there has been a rise in supply chain attacks targeting the Python software repository. Threat actors have been updating various packages with versions containing malware.

The adoption of 2FA aims at preventing maintainers’ account takeover, as explained in the official announcement.

“Today, as part of that long term effort to secure the Python ecosystem, we are announcing that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023.” reads the announcement. “Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.”

The maintainers at the repository urge developers to enable 2FA for their account as soon as possible, either with a security device (preferred) or an authentication app and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI.

The maintainers highlight the risks of supply chain attacks both for popular projects and for niche projects that sit somewhere in someone’s dependency chain.

“The attacker doesn’t care if they get you from a widely used or a niche project, just that they got you.” continues the announcement.

The measure announced by the Python repository will enhance security for both enterprises and individual developers.

“A compromise in the supply chain can be used to attack individual developers the same as it is able to attack corporate and business users. In fact, we believe that individual developers are in a more vulnerable position than corporate and business users.” concludes the announcement. “While businesses are generally able to hire staff and devote resources to vetting their dependencies, individual developers generally are not, and must expend their own limited free time to do so.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attacks)

The post PyPI enforces 2FA authentication to prevent maintainers’ account takeover appeared first on Security Affairs.

A database containing 478,000 RaidForums members leaked online

30 May 2023 at 14:02

The database of the popular RaidForums hacking forum has been leaked on a new hacking forum, 478,000 members exposed.

A database belonging to the now-defunct RaidForums cybercrime platform has been leaked on a new hacking forum called Exposed. The database contains data belonging to 478,000 RaidForums members.

In April 2022, the illegal dark web marketplace RaidForums was shut down and its infrastructure was seized as a result of the international law enforcement Operation TOURNIQUET, coordinated by Europol’s European Cybercrime Centre.

RaidForums was launched in 2015 and its community grew to over half a million users. The marketplace gained popularity for the sale of high-profile database leaks belonging to a number of US corporations across different industries.

After RaidForums was seized, the Breached hacking forum became the most prominent dark web marketplace for the trading of stolen data. The good news is that in March 2023, U.S. law enforcement arrested the notorious owner of the BreachForums cybercrime forum, known as Pompompurin, and seized the Breached platform.

Bleeping Computer first reported that the RaidForums member database was leaked on the Exposed forum by one of its administrators, known as ‘Impotent.’

The leaked database contains valuable data for cybersecurity experts and investigators analyzing the operations of hacking forums and their members.

The leaked database is a single SQL file containing the table ‘mybb_users.’ Each record in the table includes usernames, email addresses, hashed passwords, registration dates, and a variety of other information.

The data relate to members registered between March 20th, 2015, and September 24th, 2020.

BleepingComputer and some members of the Exposed forum have already confirmed that the data in the database are legitimate.

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Beware of the new phishing technique “file archiver in the browser” that exploits zip domains

30 May 2023 at 10:54

“file archiver in the browser” is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain.

A new phishing technique called “file archiver in the browser” can be used by phishers to “emulate” a file archiver software in a web browser when a victim visits a .ZIP domain. The security researcher mr.d0x detailed the new attack technique.

In May 2023, Google launched eight new top-level domains (TLDs) that included .zip and .mov. Security experts are warning of malicious uses of these domains.


To carry out an attack using this technique, the attacker needs to emulate file archiver software through HTML/CSS. The researcher shared two samples: the first emulates the WinRAR file archive utility, the second the Windows 11 File Explorer window.

The researcher employed a clever trick in the WinRAR sample, shown in the published screenshot: a ‘Scan’ icon was added to the fake window. When users click on the icon, a message box reassuring them that the files are secure is displayed, thereby preventing suspicion.

Then the researcher deployed the sample on a .zip domain, where it can be used for multiple attack scenarios such as:

  • redirecting visitors to a landing page created to steal the victim’s credentials when a file is clicked.
  • deceiving visitors by presenting an executable file with a disguised extension. When users click on what appears to be a .pdf file (for example, “invoice.pdf”), it actually downloads an executable file.

The researcher noted that numerous Twitter users emphasized the Windows File Explorer search bar as an effective delivery method.

“Several people pointed out on Twitter that the Windows File Explorer search bar is a good delivery vector. If the user searches for mrd0x.zip and it doesn’t exist on the machine, it will automatically open it up in the browser. This is perfect for this scenario since the user would be expecting to see a ZIP file.” reads the analysis published by mr.d0x.

The recently launched TLDs provide attackers with more opportunities for phishing campaigns. Awareness of this attack technique is essential to avoid falling victim to these attacks.

It is strongly advised for organizations to implement blocking measures for .zip and .mov domains, as they are currently being exploited by phishers and are expected to see a further rise in their malicious usage.

“It’s highly recommended for organizations to block .zip and .mov domains as they are already being used for phishing and will likely only continue to be increasingly used.” concludes the expert.
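The blocking recommendation above is easy to apply at a proxy or mail gateway only if the filter can tell a hostname from a file name, which is exactly the ambiguity the technique abuses. The following checker is an added example (not code from the Security Affairs post or from mr.d0x) that flags explicit URLs whose host ends in a risky TLD and then, separately, bare tokens such as “invoice.zip” that a client would resolve as a domain. The list of TLDs, the sample text, and the regular expressions are assumptions for illustration.

```python
"""Flag hostnames that end in newly delegated, abuse-prone TLDs such as .zip and .mov.

Added example for a mail or proxy filter. Explicit URLs are examined first and
then removed from the text, so that a file name inside a URL path
(https://files.example.com/report.zip) is not mistaken for a bare hostname.
"""
import re
from urllib.parse import urlsplit

# TLDs treated as suspicious; .zip and .mov are the ones named in the article.
RISKY_TLDS = {"zip", "mov"}

# An explicit URL with a scheme, e.g. https://host/path
_URL = re.compile(r"""\b[a-z][a-z0-9+.-]*://[^\s<>"']+""", re.IGNORECASE)

# A bare hostname-like token: one or more labels followed by an alphabetic TLD.
_HOST_TOKEN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, adding a scheme if it is missing."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def has_risky_tld(host: str) -> bool:
    """True when the last label of the hostname is one of RISKY_TLDS."""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return tld in RISKY_TLDS


def find_risky_hosts(text: str) -> list:
    """Distinct risky hostnames in text, in order of appearance.

    Explicit URLs are checked by their host component; what remains of the text
    is scanned for bare tokens that a browser or File Explorer would treat as a
    domain (the mrd0x.zip search-bar scenario described in the article).
    """
    seen = []

    def note(host: str) -> None:
        if has_risky_tld(host) and host not in seen:
            seen.append(host)

    for m in _URL.finditer(text):
        note(host_of(m.group(0)))
    remainder = _URL.sub(" ", text)
    for m in _HOST_TOKEN.finditer(remainder):
        note(host_of(m.group(0)))
    return seen


if __name__ == "__main__":
    # Constructed sample body text, not a real phishing message.
    sample = "Please open https://files.example.com/report.zip or visit invoice.zip for details."
    print(find_risky_hosts(sample))  # ['invoice.zip']
```

The split between explicit URLs and bare tokens matters for false positives: a path component named `report.zip` is a file, while a standalone `invoice.zip` in an e-mail body is a hostname the moment a client auto-links it.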

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

BrutePrint attack allows unlocking smartphones by brute-forcing fingerprints

30 May 2023 at 08:52

Researchers devised an attack technique, dubbed BrutePrint, that allows brute-forcing fingerprints on smartphones to bypass authentication.

Researchers have devised an attack technique, dubbed BrutePrint, that allows brute-forcing fingerprints on smartphones to bypass user authentication.

The attack technique exploits two zero-day vulnerabilities, called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), in the smartphone fingerprint authentication (SFA) framework.

The BRUTEPRINT attack acts as a middleman between the fingerprint sensor and the host to bypass the attempt limit and hijack fingerprint images.

The two vulnerabilities are logical flaws in the authentication framework, made exploitable by the inadequate protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

“We find the insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors, and thus come up with a hardware approach to do man-in-the-middle (MITM) attacks for fingerprint image hijacking.” reads the research paper published by the researchers Yu Chen and Yiling He.

In order to carry out the attack, the researchers assume that:

  • the attackers have physical access to the smartphone.
  • the attackers possess a fingerprint database and adversarial equipment consisting of an inexpensive printed circuit board (PCB) that intercepts data transmitted by the fingerprint sensor. For certain smartphone models, the researchers used an adaptive flexible printed circuit (FPC). The overall cost of the equipment is approximately 15 dollars.

“We implement BRUTEPRINT system to crack SFA and achieve fingerprint brute-force attack. There are two kinds of brute-force attackers who exploit CAMF and MAL vulnerabilities. Specifically, BRUTEPRINT acts as a middleman between fingerprint sensor and TEE” reads the paper. “Typically, a CAMF exploitation invalidates the checksum of transmitted fingerprint data, and a MAL exploitation infers matching results through side-channel attacks. Fingerprint image hijacking attack meets R2, which has the capability to decode the intercepted fingerprint data and encode replaced data for injection. To increase the success rate of brute-forcing, BRUTEPRINT additionally proposes a fingerprint dictionary generation method that trains a neural style transfer network to transfer available fingerprint database into valid styles.”


CAMF abuses the fault-tolerant mechanisms in SFA systems: the attacker can exploit the issue to force an “Error-cancel Only” result after each authentication attempt. The experts pointed out that only a “Failed” authentication result decreases the remaining attempt number restricted by the attempt limit. This means that the attackers can make unlimited attempts if each attempt ends in Error-cancel.
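The CAMF and MAL flaws are both accounting errors in the authentication framework rather than weaknesses in the matcher itself, so they are easiest to see as a lockout state machine. The following is an added example (not code from the BrutePrint paper or from any vendor’s SFA implementation) that models the attempt counter in two modes: the vulnerable one, where only a “Failed” result consumes an attempt, and a hardened one, where every non-success outcome does. A second class models the MAL point that a TEE which still runs the matcher while locked out produces a result that can leak; the hardened variant refuses to match at all. Outcome names, the attempt limit of 5, and the class names are assumptions for illustration.

```python
"""Attempt-limit accounting for fingerprint authentication: vulnerable vs. hardened.

Added example modelling the CAMF (attempt counting) and MAL (matching while
locked) behaviours described in the BrutePrint write-up. Not vendor code.
"""
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"
    FAILED = "failed"
    ERROR_CANCEL = "error-cancel"   # sensor/transport error, e.g. a bad checksum
    LOCKED = "locked"               # no matching performed at all


ATTEMPT_LIMIT = 5  # assumed limit for illustration


class AttemptCounter:
    """Tracks remaining attempts.

    count_errors=False reproduces the CAMF weakness: ERROR_CANCEL never
    consumes an attempt, so a stream of forced errors is unlimited.
    count_errors=True is the hardened rule: anything that is not a success
    consumes an attempt, so forced errors exhaust the limit like failures do.
    """

    def __init__(self, limit: int = ATTEMPT_LIMIT, count_errors: bool = False):
        self.limit = limit
        self.remaining = limit
        self.count_errors = count_errors
        self.locked = False

    def record(self, outcome: Outcome) -> bool:
        """Apply one authentication outcome; return True if the device is now locked."""
        if self.locked:
            return True
        if outcome is Outcome.SUCCESS:
            self.remaining = self.limit
            return False
        consumes = outcome is Outcome.FAILED or (
            self.count_errors and outcome is Outcome.ERROR_CANCEL
        )
        if consumes:
            self.remaining -= 1
            if self.remaining <= 0:
                self.locked = True
        return self.locked


def attempts_before_lockout(outcomes, count_errors: bool):
    """Return the 1-based index of the outcome that triggers lockout, or None."""
    counter = AttemptCounter(count_errors=count_errors)
    for i, outcome in enumerate(outcomes, start=1):
        if counter.record(outcome):
            return i
    return None


class Matcher:
    """Models where the lockout check happens relative to the match operation.

    gate_on_lockout=False mirrors the MAL description: the match still runs and
    a result exists (observable, e.g., through timing) even though the UI
    refuses to unlock. gate_on_lockout=True checks lockout first and never
    produces a match result while locked.
    """

    def __init__(self, counter: AttemptCounter, gate_on_lockout: bool):
        self.counter = counter
        self.gate_on_lockout = gate_on_lockout
        self.matches_run = 0

    def authenticate(self, sample_matches: bool) -> Outcome:
        if self.gate_on_lockout and self.counter.locked:
            return Outcome.LOCKED
        self.matches_run += 1  # the template comparison actually executes here
        result = Outcome.SUCCESS if sample_matches else Outcome.FAILED
        if self.counter.locked:
            # Vulnerable path: result was computed, only the unlock is withheld.
            return Outcome.LOCKED
        self.counter.record(result)
        return result


if __name__ == "__main__":
    forced_errors = [Outcome.ERROR_CANCEL] * 20
    print(attempts_before_lockout(forced_errors, count_errors=False))  # None
    print(attempts_before_lockout(forced_errors, count_errors=True))   # 5
```

The defensive point is that the lockout budget must be spent by the framework on every attempt that reaches the matcher, and that a locked-out state must short-circuit before any template comparison takes place, so that there is no result left for a side channel to reveal.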

The MAL vulnerability can be exploited to make attempts to infer authentication results of fingerprint images (called the “inference attempt”) in lockout mode. The lockout mode is supported in Google’s biometric framework to penalize too many failed attempts, where no fingerprint authentication can be launched in a certain period of time or permanently.

“Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE. As Success authentication result is immediately returned when a matched sample is met, it’s possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images.” continues the report.

The researchers tested the BrutePrint attack technique against 10 popular smartphone models running the latest OS versions.


The experimental results show that on Touch ID the researchers could make three times as many attempts as the attempt limit allows, while on all Android devices they achieved unlimited attempts.

“We discover vulnerabilities in SFA ecosystem that the fault-tolerant mechanism / careless user-friendly implementation can be exploited through the insecure transmission on SPI to fool the unreliable authentication algorithms. We validate the attacks on 10 representative smartphones, where all of them are affected to some extent.” concludes the paper. “With the proposed attack, adversaries can brute-force the fingerprint authentication on arbitrary victim smartphone to unlock the device and cheat many security apps. In addition, the attack method can be used to enhance presentation attacks and may also apply to other biometric systems.”

Pierluigi Paganini

(SecurityAffairs – hacking, BRUTEPRINT attack)

Security Affairs, 29 May 2023 and earlier

Lockbit ransomware attack on MCNA Dental impacts 8.9M individuals

29 May 2023 at 20:32

Managed Care of North America (MCNA) Dental disclosed a data breach that impacted more than 8.9 million individuals.

Managed Care of North America (MCNA) Dental suffered a data breach that impacted 8,923,662 patients.

MCNA Dental is one of the largest US dental care and oral health insurance providers.

The security breach exposed the personal information of current or former providers of dental/orthodontic care to members of certain state Medicaid and Children’s Health Insurance Programs, for which MCNA provides dental benefits and services.

According to the notification filed with the Office of the Maine Attorney General, the company discovered unauthorized access to its computer systems on March 6th, 2023, and immediately launched an investigation into the incident.

“On March 6, 2023, MCNA became aware that an unauthorized party was able to access certain MCNA systems. Upon discovery the same day, MCNA took immediate steps to contain the threat and engaged a third-party forensic firm to investigate the incident and assist with remediation efforts. MCNA subsequently discovered that certain systems within the network may have been infected with malicious code. Through its investigation, MCNA determined that an unauthorized third party was able to access certain systems and remove copies of some personal information between February 26, 2023 and March 7, 2023.” reads the data breach notification. “MCNA undertook an extensive review to determine what data may have been impacted. As a result of this review, which was completed on May 3, 2023, it appears that your personal information may have been involved.”

Stolen data include demographic information used to identify and contact patients, such as full name, date of birth, address, telephone and email; Social Security number; driver’s license number or government-issued identification number; health insurance information, such as name of plan/insurer/government payor, member/Medicaid/Medicare ID number, plan and/or group number; and information regarding dental/orthodontic care. The notice states that not all data elements were involved for all individuals.

The company announced that it has already taken steps to mitigate and prevent similar security breaches in the future.

The company is offering the impacted individuals 12 months of free identity theft protection and credit monitoring service through IDX.

“Although we are unaware of any actual or attempted misuse of provider information as a result of this incident, we encourage you to carefully review credit reports and statements sent from providers as well as your insurance company to ensure that all account activity is valid. Any questionable charges should be promptly reported to the company with which you maintain the account.”

The notice doesn’t provide details about the security breach, but the LockBit ransomware group claimed responsibility for the attack.

The ransomware group added the company to the list of victims on its Tor leak site and published a sample of the stolen data as proof of the data breach.

LockBit threatened to publish the stolen data if MCNA did not pay a $10 million ransom.

On April 7th, 2023, LockBit released all stolen data on its leak site.

Pierluigi Paganini

(SecurityAffairs – hacking, MCNA)

New Go-written GobRAT RAT targets Linux Routers in Japan

29 May 2023 at 13:44

A new Golang remote access trojan (RAT), tracked as GobRAT, is targeting Linux routers in Japan, the JPCERT Coordination Center warns.

JPCERT/CC is warning of cyberattacks against Linux routers in Japan that have been infected with a new Golang remote access trojan (RAT) called GobRAT.

Threat actors are targeting Linux routers with publicly exposed WEBUI to execute malicious scripts to deploy the GobRAT malware.

“Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT.” reads the alert published by the JPCERT Coordination Center (JPCERT/CC).


The Loader Script acts as a loader; it supports multiple functions for downloading and deploying GobRAT. The experts noticed an SSH public key, likely used as a backdoor, hard-coded in the script. The Loader Script maintains persistence via crontab because GobRAT itself does not support such a function.

The Loader Script includes multiple functions, such as disabling the firewall, downloading the GobRAT build for the target machine’s architecture, creating the Start Script and making it persistent, creating and running the Daemon Script, and registering an SSH public key in /root/.ssh/authorized_keys.
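The three persistence artefacts named above (a hard-coded SSH key added to /root/.ssh/authorized_keys, a crontab entry, and the /zone/frpc path used by one of the RAT’s commands) are all things an operator can audit from a device’s file system or a configuration backup. The following is an added example (not code from JPCERT/CC’s alert) that fingerprints every key in an authorized_keys file and reports those missing from an allowlist, flags crontab entries that run at reboot or from scratch directories, and checks whether the /zone/frpc path exists. The sample key blobs, crontab lines, the list of scratch directories and the allowlist are constructed placeholders, not real indicators.

```python
"""Audit router persistence artefacts of the kind the GobRAT Loader Script creates.

Added example, not JPCERT/CC's code. Key material below is constructed for the
demonstration and is not a real indicator of compromise.
"""
import base64
import binascii
import hashlib
from pathlib import Path

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# Directories a router's legitimate cron jobs have no reason to execute from
# (assumed heuristic; /zone/ is included because the article names /zone/frpc).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/zone/")


def key_fingerprint(line: str):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None.

    Leading key options (command="...", from="...") are skipped by looking for
    the first token that names a key type.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except binascii.Error:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def unknown_keys(authorized_keys: str, allowed: set) -> list:
    """Fingerprints present in authorized_keys that are not on the allowlist."""
    found = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp and fp not in allowed:
            found.append(fp)
    return found


def suspicious_cron_lines(crontab: str) -> list:
    """Crontab entries that run at every reboot or execute from a scratch directory."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@reboot") or any(d in line for d in SUSPICIOUS_DIRS):
            hits.append(line)
    return hits


def present_paths(paths=("/zone/frpc",), exists=lambda p: Path(p).exists()) -> list:
    """Which of the given paths exist; `exists` is injectable for offline use."""
    return [p for p in paths if exists(p)]


# Constructed sample inputs (placeholders, not real keys or jobs).
_BLOB_A = base64.b64encode(b"constructed-key-A").decode()
_BLOB_B = base64.b64encode(b"constructed-key-B").decode()
SAMPLE_AUTHORIZED_KEYS = f"ssh-ed25519 {_BLOB_A} admin@router\nssh-rsa {_BLOB_B} unknown\n"
SAMPLE_CRONTAB = "0 3 * * * /usr/sbin/logrotate\n@reboot /tmp/.x/start.sh\n"
ALLOWED = {key_fingerprint(f"ssh-ed25519 {_BLOB_A}")}


def report(authorized_keys=SAMPLE_AUTHORIZED_KEYS, crontab=SAMPLE_CRONTAB,
           allowed=ALLOWED, exists=lambda p: Path(p).exists()) -> dict:
    """Collect all findings in one structure for logging or alerting."""
    return {
        "unknown_ssh_keys": unknown_keys(authorized_keys, allowed),
        "suspicious_cron": suspicious_cron_lines(crontab),
        "present_paths": present_paths(exists=exists),
    }


if __name__ == "__main__":
    print(report())
```

On a real device the allowlist would hold the fingerprints of keys the operator deployed, and the same checks can be run against configuration backups pulled from many routers at once, which is the practical way to find an implant that the alert says is hard to detect on the box itself.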

The RAT communicates with its C2 server via TLS and can execute various commands. JPCERT/CC reported that the RAT is packed with a UPX version 4 series packer. The researchers observed samples for multiple architectures, including ARM, MIPS, x86, and x86-64.

Upon starting up, GobRAT collects its own IP address and MAC address, the system uptime via the uptime command, and the network communication status from /proc/net/dev.

The malware supports 22 commands, among which the researchers identified the following:

  • Obtain machine Information
  • Execute reverse shell
  • Read/write files
  • Configure new C2 and protocol
  • Start socks5
  • Execute file in /zone/frpc
  • Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

“In recent years, different types of malware using Go language have been confirmed, and the GobRAT malware confirmed this time uses gob, which can only be handled by Go language, for communication.” concludes the alert that also provides indicators of compromise. “Please continuously beware of malware that infects routers, not limited to GobRAT, since they are difficult to detect.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Researchers analyzed the PREDATOR spyware and its loader Alien

29 May 2023 at 12:57

Cisco Talos and the Citizen Lab researchers have published a technical analysis of the powerful Android spyware Predator.

Security researchers at Cisco Talos and the Citizen Lab have shared technical details about a commercial Android spyware named Predator that is sold by the surveillance firm Intellexa (formerly known as Cytrox).

The researchers focused their analysis on two components of the mobile spyware implant, respectively tracked as “ALIEN” and “PREDATOR.”

“PREDATOR is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous.” reads the post published by Cisco Talos. “New analysis from Talos uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component deployed along with it known as “ALIEN.” Both components work together to bypass traditional security features on the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that ALIEN is much more than just a loader for PREDATOR as previously thought to be.”

In May 2022, Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

In December 2021 a report published by CitizenLab researchers detailed the use of the Predator Spyware against exiled politician Ayman Nour and the host of a popular news program.

The surveillance software supports common spyware capabilities, such as recording phone calls, spying on messaging apps, and data harvesting on infected Android devices.

Currently, the Predator spyware is developed and sold by the Israeli company Intellexa, and it can target both iOS and Android devices. The surveillance suite offered by Intellexa has multiple components that Talos grouped into three major categories: exploitation, privilege escalation, and malware deployment.

The first two groups cover the components involved in the exploitation of remote vulnerabilities in the devices to achieve remote code execution (RCE), followed by privilege escalation.

“When used together, these components provide a variety of information stealing, surveillance and remote-access capabilities. The functionalities described here are just a subset of the comprehensive capabilities of the spyware. At this time, Talos does not have access to all components of the spyware; therefore, this capability list should not be considered exhaustive.” continues the report. “We believe that capabilities like geolocation tracking, camera access or the ability to make it appear as if the phone is powering off may have been implemented in the tcore module.”

The researchers reported that the implant runs a variety of processes to bypass security measures supported by the Android OS. The malware takes the “__progname” of the process that is currently running and then uses it to decide what set of functions to call. The Alien component is loaded into the Android process named ‘zygote64,’ then it fetches and launches additional components, including the Predator one.

The zygote64 and system_server call chains are the most active in performing tasks, while the installd call chain is responsible for establishing file structures for other components of the spyware. Each of these call chains creates a process structure that intercepts specific ioctl commands, allowing the spyware to exploit the SELinux context and grant different functionalities to other processes.

Alien also upgrades the existing Predator payload to a newer version if available.

Talos experts reported that ALIEN is not just a loader, but it is also able to execute multiple commands issued by the PREDATOR.

ALIEN hooks the ioctl() function in libbinder.so, which is used in the Android framework for inter-process communication.

“This ioctl hook manages a variety of different binder commands, inside of the BINDER_WRITE_READ IOCTL command. This hook filters all the BINDER_WRITE_READ functions to ALIEN’s own handler commands.” continues the analysis. “The commands that are redirected include BC_TRANSACTION, BR_TRANSACTION, BR_REPLY, BC_REPLY. This allows the control of information into and out of the target process. Within each of the selected processes mentioned above, there are different actions a malicious module could then take on the system. This creates an effective way to communicate within the implant while also allowing the implant to hide within other legitimate system processes. The implant communicates discreetly with itself, without network-based indicators and avoiding SELinux restrictions.”

PREDATOR is the core component of the implant, it is a pyfrozen ELF file that contains serialized Python modules and native code. ALIEN calls the main_exec() function to launch PREDATOR.


The Alien component checks the device manufacturer name; if it is running on Samsung, Huawei, Oppo, or Xiaomi devices, it iteratively accesses the contents of directories where user data from email, messaging, social media, and browser apps are stored.

It also enumerates the victim’s list of contacts and the user’s media folders, to access audio, images, and video on the compromised device.

The experts pointed out that they were not able to analyze all the components composing the surveillance suite, in particular, they speculate the execution of two additional components.

“We assess with high confidence that the spyware has two additional components — tcore (main component) and kmem (privilege escalation mechanic) — but we were unable to obtain and analyze these modules.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, spyware)

Attackers use encrypted RPMSG messages in Microsoft 365 targeted phishing attacks

29 May 2023 at 07:16

Experts warn of phishing attacks that are combining the use of compromised Microsoft 365 accounts and .rpmsg encrypted emails.

Trustwave researchers have observed threat actors using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts in a phishing campaign aimed at stealing Microsoft credentials.

RPMSG files are used to deliver e-mails with the Rights-Managed Email Object Protocol enabled. This protocol controls e-mail access and usage permissions. Instead of plain text, an e-mail sent as an RPMSG file carries its content encrypted and stored as an encrypted file attachment.

The recipients can read the encrypted messages only after being authenticated with their Microsoft account or obtaining a one-time passcode.

The attacks analyzed by Trustwave commenced with a phishing message originating from a compromised Microsoft 365 account, in this case from the payments processing company Talus Pay.

“The recipients were users in the billing department of the recipient company. The message shows a Microsoft encrypted message. In the email, the From: and To: email address displayed in the header were the same, but the message was delivered to various third party recipients.” reads the report published by Trustwave.


The message attempts to trick recipients into clicking the “Read the message” button to decrypt the protected message. Upon clicking the link, the recipients are redirected to an Office 365 webpage with a request to sign into their Microsoft account.

Once authenticated with the Microsoft service, the recipients are redirected to a page displaying the attackers’ phishing email. The message contains a “Click here to Continue” button that points to a fake SharePoint document hosted on Adobe’s InDesign service.


If the recipient clicks on “Click Here to View Document” on the Adobe document, they are redirected to the final page, which resembles the domain of the original sender, Talus Pay. However, this landing page has a .us TLD and was registered recently, on May 16, 2023.

The page only displays a “Loading…Wait” message in the title bar, while in the background it relies on JavaScript that collects system information.

The script uses the open source FingerprintJS library to collect the recipient’s data, including visitor ID, connect token (hardcoded from the configuration), connect hash (hardcoded from the configuration), video card renderer information, system language, device memory, hardware concurrency (number of processors), browser plugins installed, browser window size, orientation, screen resolution, and OS architecture.

Once the script has finished collecting data, the page shows a fake, cloned Microsoft 365 login form. Once the recipient has provided their credentials, these are sent to a remote server under the control of the attackers.

“These phishing attacks are challenging to counter. They are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe). The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar.” concludes the report. “The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service.”
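Because the gateway cannot see inside the .rpmsg payload, what remains for detection is the envelope and header shape the report describes: an encrypted attachment, a header From that equals the header To, and actual recipients who do not appear in the visible To line. The following is an added example (not Trustwave’s or Microsoft’s code) that scores a parsed message on those three traits and returns the reasons, so that an analyst can route such messages for review rather than rely on content scanning. The Message structure, field names, thresholds and the sample addresses are constructed assumptions.

```python
"""Header/envelope triage for the encrypted-RPMSG phishing pattern.

Added example. It inspects only metadata a gateway can see when the body is an
encrypted .rpmsg attachment. Sample messages are constructed placeholders.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Message:
    header_from: str              # RFC 5322 From: header as displayed
    header_to: str                # RFC 5322 To: header as displayed
    envelope_rcpts: list          # SMTP RCPT TO addresses actually delivered to
    attachments: list = field(default_factory=list)   # attachment file names


def _addr(value: str) -> str:
    """Bare, lower-cased address from a display-name header value."""
    return parseaddr(value)[1].lower()


def rpmsg_phish_indicators(msg: Message) -> list:
    """Names of the traits from the report that this message exhibits, in fixed order."""
    reasons = []
    if any(name.lower().endswith(".rpmsg") for name in msg.attachments):
        reasons.append("rpmsg-attachment")
    sender = _addr(msg.header_from)
    if sender and sender == _addr(msg.header_to):
        reasons.append("from-equals-to")
    visible = {_addr(msg.header_to)}
    if any(r.lower() not in visible for r in msg.envelope_rcpts):
        reasons.append("hidden-recipients")
    return reasons


def needs_analyst_review(msg: Message) -> bool:
    """An encrypted attachment alone is normal; combined with one of the other
    header anomalies it matches the pattern closely enough to hold for review."""
    reasons = rpmsg_phish_indicators(msg)
    return "rpmsg-attachment" in reasons and len(reasons) >= 2


if __name__ == "__main__":
    # Constructed sample resembling the described campaign (placeholder domains).
    suspect = Message(
        header_from="Accounts <sender@compromised.example>",
        header_to="Accounts <sender@compromised.example>",
        envelope_rcpts=["billing@victim.example"],
        attachments=["message.rpmsg"],
    )
    print(rpmsg_phish_indicators(suspect), needs_analyst_review(suspect))
```

A message legitimately protected with Microsoft encryption still carries a .rpmsg attachment, so that trait on its own must not raise an alert; the decision hinges on the self-addressed header combined with recipients who are absent from it.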

Pierluigi Paganini

(SecurityAffairs – hacking, RPMSG files)

Industrial automation giant ABB disclosed data breach after ransomware attack

28 May 2023 at 17:12

Swiss electrification and automation technology giant ABB confirmed it has suffered a data breach after a ransomware attack.

ABB has more than 105,000 employees and reported $29.4 billion in revenue for 2022. On May 7, 2023, the Swiss multinational, a leading electrification and automation technology provider, suffered a cyber attack that reportedly impacted its business operations.

The news of the attack was first reported by BleepingComputer, which learned that the attack impacted the company’s Windows Active Directory and that hundreds of devices were infected.

BleepingComputer reported that the attack was carried out by the Black Basta ransomware group. Some of the company’s projects were delayed and the attack impacted some of its factories.

However, Black Basta did not add the name of the company to its leak website, a circumstance that suggests either an ongoing negotiation or that the company paid the ransom, as reported by the popular cybersecurity expert Kevin Beaumont.

Once it discovered the security breach, ABB closed VPN connections with its customers to prevent the threat from spreading.

According to a press release published by the company, threat actors had unauthorized access to certain ABB systems, deployed a ransomware payload, and stole certain data.

“ABB has determined that an unauthorized third-party accessed certain ABB systems, deployed a type of ransomware that is not self-propagating, and exfiltrated certain data. The company is working to identify and analyze the nature and scope of affected data and is further assessing its notification obligations.” reads the press release. “ABB will communicate with affected parties where necessary, including, for example, specific customers, suppliers, and/or individuals where personally identifiable information was affected.”

ABB added that the investigation is still ongoing and that it is working with cybersecurity experts to determine the extent of the impact.

ABB confirmed that the attackers accessed portions of its network and deployed human-operated ransomware to steal certain data. The attackers had access to a limited number of servers and endpoints.

The company has fully recovered from the security breach and all factories are operating.

“All of ABB’s key services and systems are up and running, all factories are operating, and the company continues to serve its customers. The company also continues to restore any remaining impacted services and systems and is further enhancing the security of its systems,” continues the press release.

The company will share information regarding the incident, including indicators of compromise.

Black Basta has been active since April 2022 and, like other ransomware operations, it implements a double-extortion attack model.

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

In two weeks, the experts observed attacks against more than 10 different US-based customers.

The attack chain starts with a QBot infection; the operators then use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.


The researchers noticed that once it has obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

In April 2023, the ransomware group hit the UK outsourcing giant Capita.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ABB)

The post Industrial automation giant ABB disclosed data breach after ransomware attack appeared first on Security Affairs.

New Bandit Stealer targets web browsers and cryptocurrency wallets

28 May 2023 at 12:45

Bandit Stealer is a new stealthy information stealer malware that targets numerous web browsers and cryptocurrency wallets.

Trend Micro researchers discovered a new info-stealing malware, dubbed Bandit Stealer, which is written in the Go language and targets multiple browsers and cryptocurrency wallets.

At this time, the malware only targets Windows systems, but experts pointed out that it has the potential to expand to other platforms because it is written in Go.

The malicious code relies on the Windows command-line utility program “runas.exe” to run programs as a different user with different permissions.

Using the tool, the malware attempts to elevate its privileges and execute itself with administrative access without being detected. However, Trend Micro states that Bandit Stealer fails to use the tool because the appropriate credentials would need to be provided.

Bandit Stealer performs several checks to determine whether it is running in a sandbox or testing environment.

The malware then terminates blacklisted processes associated with anti-malware solutions.

Bandit Stealer maintains persistence by adding an autorun entry in the Windows Registry.

The info-stealer collects a broad range of information and stores it in the “vicinfo” folder under C:\Users\<Username>\AppData\Local\.

“Additionally, the malware scans for specific browser extensions associated with cryptocurrency wallets by checking the path of the browser extensions.” reads the report published by Trend Micro.


Bandit Stealer is also able to collect Telegram sessions to gain unauthorized access, allowing impersonation and malicious actions such as accessing private messages and data associated with the compromised account.

The information-stealing malware might have been downloaded by users while visiting malicious websites or by opening the attachment of a phishing email.

The attachment is a self-extracting archive that executes the hot.exe file to start the infection process. It also opens a harmless Word document to avoid raising suspicion.

“While Bandit Stealer was specifically developed to operate on Windows systems, we have observed the presence of Linux commands. As the binary sample of Bandit Stealer is designed to run in Windows, some Linux commands used by the malware ” concludes the report published by Trend Micro. “It is possible that these commands will be used in future cross-platform developments of the malware following the advertisement in the malware community stating developers are continuously updating the malware’s features and security patches.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post New Bandit Stealer targets web browsers and cryptocurrency wallets appeared first on Security Affairs.

CISA adds recently patched Barracuda zero-day to its Known Exploited Vulnerabilities catalog

28 May 2023 at 04:17

US CISA added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities catalog.

US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.

This week, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.

The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening. The issue was discovered on May 19, and the company fixed it with the release of two security patches on May 20 and 21.

“Barracuda identified a vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023.” reads the advisory published by the security solutions provider. “The vulnerability existed in a module which initially screens the attachments of incoming emails.”

The issue could have a significant impact because the impacted Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.

The vulnerability doesn’t impact other Barracuda products; the company states that its SaaS email security services are not affected by this issue.

The company investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The company used the ESG user interface to notify the customers whose appliances it believes were impacted.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by June 16, 2023.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

The post CISA adds recently patched Barracuda zero-day to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

Security Affairs newsletter Round 421 by Pierluigi Paganini – International edition

27 May 2023 at 22:50

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Is the BlackByte ransomware gang behind the City of Augusta attack?
New Buhti ransomware operation uses rebranded LockBit and Babuk payloads
New PowerExchange Backdoor linked to an Iranian APT group
Dark Frost Botnet targets the gaming sector with powerful DDoS
New CosmicEnergy ICS malware threatens energy grid assets
D-Link fixes two critical flaws in D-View 8 network management suite
Zyxel firewall and VPN devices affected by critical flaws
China-linked APT Volt Typhoon targets critical infrastructure organizations
North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware
Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites
Barracuda Email Security Gateway (ESG) hacked via zero-day bug
The US government sanctioned four entities and one individual for supporting cyber operations conducted by North Korea
Ukraine’s CERT-UA warns of espionage activity conducted by UAC-0063
AhRat Android RAT was concealed in iRecorder app in Google Play
The previously undocumented GoldenJackal APT targets Middle East, South Asia entities
Google announced its Mobile VRP (vulnerability rewards program)
German arms manufacturer Rheinmetall suffered Black Basta ransomware attack
A deeper insight into the CloudWizard APT’s activity revealed a long-running activity
BlackCat Ransomware affiliate uses signed kernel driver to evade detection
CISA adds iPhone bugs to its Known Exploited Vulnerabilities catalog
EU hits Meta with $1.3 billion fine for transferring European user data to the US
Dish Network says the February ransomware attack impacted +300,000 individuals
China bans chip maker Micron from its key information infrastructure
BatLoader campaign impersonates ChatGPT and Midjourney to deliver Redline Stealer
PyPI Repository temporarily suspends user sign-ups and package uploads due to ongoing attacks

International Press

Cybercrime

The Hunt for VENOM SPIDER PART 2

German arms company Rheinmetall confirms Black Basta ransomware group behind cyberattack 

Cryptomining group traced to Indonesia uses compromised AWS accounts  

Triple Threat: Insecure Economy, Cybercrime Recruitment and Insider Threats

Hacking

PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

Android phones are vulnerable to fingerprint brute-force attacks

Flipper Zero Disconnecting Smart Meter Power to House  

Lazarus Group Targeting Windows IIS Web Servers   

Malware

BatLoader Impersonates Midjourney, ChatGPT in Drive-by Cyberattacks   

BlackCat Ransomware Deploys New Signed Kernel Driver  

COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises

The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile

YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner

Buhti: New Ransomware Operation Relies on Repurposed Payloads           

Intelligence and Information Warfare

CloudWizard APT: the bad magic story goes on  

Meet the GoldenJackal APT group. Don’t expect any howls 

Espionage activity UAC-0063 in relation to Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India   

Fata Morgana: Watering hole attack on shipping and logistics websites   

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques      

APT 29 Initial Access Killchain - MITRE ATT&CK Mapping

Cybersecurity

China bans major chip maker Micron from key infrastructure projects

Data Protection Commission announces conclusion of inquiry into Meta Ireland

Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities

Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023      


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 421 by Pierluigi Paganini – International edition appeared first on Security Affairs.

Is the BlackByte ransomware gang behind the City of Augusta attack?

27 May 2023 at 20:37

The city of Augusta in Georgia, U.S., admitted that the recent IT system outage was caused by a cyber attack.

While the City of Augusta revealed that a cyberattack caused the recent IT outage, the BlackByte ransomware gang has claimed responsibility for the attack.


The attack took place on May 21, when the City administrator announced that the City was experiencing a disruption in network services and warned of potential impacts on telephone and email access.

In a post published on the city’s website, the administration denied that it was the victim of a ransomware attack in which the threat actors demanded a $50 million ransom.

Official Statement on behalf of The Office of The Mayor and The City of Augusta. @CityofAugusta pic.twitter.com/YP6r7YzSLQ

— Mayor Garnett Johnson (@MayorJohnson85) May 26, 2023

“The City of Augusta, GA began experiencing technical difficulties this past Sunday, May 21, 2023, unrelated to last week’s outage, resulting in a disruption to certain computer systems. We began an investigation and determined that we were the victim of unauthorized access to our system.” reads the announcement published by the City. “Our Information Technology Department is working diligently to investigate the incident, to confirm its impact on our systems, and to restore full functionality to our systems as soon as possible.”

The City has launched an investigation into the incident to determine the impact of the security breach and is working to restore full functionality to its systems as soon as possible.

“Recent media reports regarding Augusta, Georgia being held hostage for $50 million in a ransomware attack are incorrect.” reads the post published on May 25.

“Augusta’s Information Technology Department continues to work diligently to investigate the incident, to confirm its impact on our systems, and to restore full functionality to our systems as soon as possible. We continue to investigate what, if any, sensitive data may have been impacted or accessed.”

The BlackByte ransomware group has added the City of Augusta to its Tor leak site. The group has leaked a zip archive of 8.1 GB of data as proof of their breach.

The group is demanding $400,000 to delete the stolen information and $300,000 from anyone who wants to buy the data.

In February, the City of Oakland in California suffered a ransomware attack from the Play gang, forcing it to declare an emergency. In March, the Play ransomware gang began to leak the data it had stolen from the City of Oakland, and by March another ransomware group, LockBit, claimed a second attack on the City.

In March, the Clop ransomware gang added the City of Toronto to the list of victims published on its Tor leak site. The City was targeted as part of a campaign exploiting the recently disclosed zero-day vulnerability in Fortra’s GoAnywhere secure file transfer tool.

In May, the IT systems at the City of Dallas, Texas, were targeted by a ransomware attack launched by the Royal ransomware group.


Pierluigi Paganini

(SecurityAffairs – hacking, City of Augusta)

The post Is the BlackByte ransomware gang behind the City of Augusta attack? appeared first on Security Affairs.

New Buhti ransomware operation uses rebranded LockBit and Babuk payloads

27 May 2023 at 10:56

The recently identified Buhti operation targets organizations worldwide with rebranded LockBit and Babuk ransomware variants.

Researchers from Symantec discovered a new ransomware operation called Buhti (aka Blacktail) that is using LockBit and Babuk variants to target Linux and Windows systems worldwide.

The operation does not have its own ransomware payload; however, it uses a custom information stealer to target specified file types.

The Buhti operation has been active since February 2023. It was initially spotted attacking Linux systems, but later Symantec’s Threat Hunter Team also identified attacks on Windows computers.

The group was observed quickly exploiting recently disclosed vulnerabilities, such as the recently patched PaperCut vulnerability.

In a recent attack against Windows systems, Buhti operators used a payload that is a modified version of the leaked LockBit 3.0 (aka LockBit Black) ransomware. The builder used by the operators was leaked in September 2022 by a disgruntled developer in response to the Russian invasion of Ukraine.

The ransomware appends the .buthi extension to the encrypted files.


The researchers also observed attacks against Linux systems with Golang-based variants of the Babuk ransomware, which was released on hacking forums in September 2021. This variant used in the attacks targets ESXi systems.

The information stealer used by the group is written in Golang. It allows operators to look for files with specific extensions (.pdf, .php, .png, .ppt, .psd, .rar, .raw, .rtf, .sql, .svg, .swf, .tar, .txt, .wav, .wma, .wmv, .xls, .xml, .yml, .zip, .aiff, .aspx, .docx, .epub, .json, .mpeg, .pptx, .xlsx, .yaml) and then stores them in a compressed .ZIP archive.

“The tool can be configured via command-line arguments to specify both the directory to search for files of interest in and the name of the output archive. The -o argument in the command line specifies the archive to be created. The -d argument specifies the directory to search for files of interest in.” reads the post published by Symantec.

The attackers exploited the vulnerability in PaperCut NG and MF (CVE-2023-27350) to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise, a mix of post-exploitation frameworks and remote-access tools.

In February, the group was observed exploiting a vulnerability in IBM’s Aspera Faspex file-exchange application (CVE-2022-47986).

“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post New Buhti ransomware operation uses rebranded LockBit and Babuk payloads appeared first on Security Affairs.

New PowerExchange Backdoor linked to an Iranian APT group

26 May 2023 at 21:44

An alleged Iran-linked APT group targeted an organization linked to the United Arab Emirates (U.A.E.) with the new PowerExchange backdoor.

Researchers from the Fortinet FortiGuard Labs observed an attack targeting a government entity in the United Arab Emirates with a new PowerShell-based backdoor dubbed PowerExchange.

The experts speculate that the backdoor is likely linked to an Iran-linked APT group.

The backdoor uses emails for C2 communications, where the C2 is the victim’s Microsoft Exchange server. The investigation conducted by Fortinet revealed the presence of other implants on various servers, including a new web shell, dubbed ExchangeLeech, on Microsoft Exchange servers.

The infection chain commenced with spear-phishing messages carrying a zip file named Brochure.zip as an attachment. The archive contained a malicious .NET executable (Brochure.exe) bearing an Adobe PDF icon. When run, the executable displays an error message box while it downloads and executes the final payload.


The malware relies on Exchange Web Services (EWS) API to connect to the victim’s Exchange Server and uses a mailbox on the server to send and receive encoded commands.

“The PowerShell script is a custom backdoor. Its name is derived from the nature of the C2 channel as it utilizes the Exchange Web Services (EWS) API to connect to the victim’s Exchange server and uses mailboxes on the server to send and receive commands from its operator.” reads the analysis published by Fortinet. “The Exchange server is accessible from the internet, saving C2 communication to external servers from the devices in the organizations. It also acts as a proxy for the attacker to mask himself.”

The backdoor connects to the Exchange server and sends the computer name, base64-encoded, to a mailbox to indicate that it is running. The mailbox and connection credentials are hardcoded in the implant. The operator can in turn send the backdoor additional mailboxes to beacon to in the current session, or the ID of a mail message from which to receive commands.

The attribution to the Iran-linked APT group APT34 is based on similarities between PowerExchange and the TriFive backdoor deployed against government organizations in Kuwait by the state-sponsored hackers.

Experts also highlighted that APT34 is known to have tested communication via internet-facing Exchange servers in its campaigns (i.e. Karkoff).

“The PowerExchange backdoor is a simple yet effective tool. When writing this blog, it was unclear where the threat actor had obtained the domain credentials to connect to the Exchange server. Even though the targeting of Exchange servers by threat actors spiked in the past couple of years, ExchangeLeech wasn’t commonly used, unlike other webshells.” concludes the report. “Using the victim’s Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization’s infrastructure.” the researchers said.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where Securityaffairs or my name, Pierluigi Paganini, is listed

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform


Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post New PowerExchange Backdoor linked to an Iranian APT group appeared first on Security Affairs.

Dark Frost Botnet targets the gaming sector with powerful DDoS

26 May 2023 at 14:52

Researchers spotted a new botnet dubbed Dark Frost that is used to launch distributed denial-of-service (DDoS) attacks against the gaming industry.

Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks.

The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.

The Dark Frost botnet was used to target gaming companies, game server hosting providers, online streamers, and even other members of the gaming community who the threat actor interacted with directly.

The researchers first collected a Dark Frost binary sample on February 28, 2023, from an attack that targeted one of their HTTP honeypots. The threat actors were attempting to exploit a remote code execution (RCE) flaw in misconfigured Hadoop YARN servers. The experts highlight that the vulnerability exploited in the attacks has existed since 2014.

According to a screenshot taken by the malware author, the botnet was composed of at least 414 machines as of February 2023. Most of the infected machines are based on ARMv4 architectures, specifically MIPSEL and x86.

The botnet operators compiled the bot code specifically for ARMv4 and ARMv7: ARMv4 binaries are compatible with ARMv5 and ARMv6, so the malware can also target the modern ARMv7 architecture.

The analysis of the bot revealed that the malware supports eight attack types in total, including UDP and TCP floods and more unusual ones such as zgoflood.

Akamai researchers estimated that the botnet can launch DDoS attacks of approximately 629.28 Gbps through a UDP flood attack.

“To continue the benchmark correctly, we had to start launching these attacks at the loopback to avoid fragmentation and listen on the loopback interface to re-measure (Table 2).” reads the analysis published by Akamai.

Packet size   Packets captured   Total size   Output
1,024         1,659,840          1.4G         1.12 Gbps
2,048         1,445,158          1.9G         1.52 Gbps
4,096         828,681            1.9G         1.52 Gbps
8,192         432,884            1.8G         1.44 Gbps

“As you can see, the optimal size for maximum output becomes 2,048. After this point, the number of packets getting sent drops significantly. This is likely due to the fact that the UDP packets are getting padded with “U” characters to make it the desired length, and this operation likely slows things down at larger sizes. With 1.52 Gbps as our new single node benchmark, we can multiply this by the number of nodes in the botnet as of February 2023 (414) to come out with 629.28 Gbps.”

The threat actors behind this botnet have been active since at least May 2022 and have published live recordings of their attacks to demonstrate the capabilities of the botnet.

The attackers set up a website to track requests and a Discord channel to manage their DDoS-for-hire service.


“The reach that these threat actors can have is staggering despite the lack of novelty in their techniques. Although not the most advanced or mind-bending adversary, the Dark Frost botnet has still managed to accumulate hundreds of compromised devices to do its bidding.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post Dark Frost Botnet targets the gaming sector with powerful DDoS appeared first on Security Affairs.

New CosmicEnergy ICS malware threatens energy grid assets

26 May 2023 at 10:07

Experts detailed a new piece of malware, named CosmicEnergy, that is linked to Russia and targets industrial control systems (ICS). 

Researchers from Mandiant discovered a new malware, named CosmicEnergy, designed to target operational technology (OT) / industrial control system (ICS) environments. The malicious code was first uploaded to a public malware scanning service in December 2021 by a user in Russia. The malware is specifically designed to disrupt electric power by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs). These RTUs are widely used in electric transmission and distribution operations in Europe, the Middle East, and Asia.

COSMICENERGY is one of several OT malware families spotted over the years, but according to Mandiant, what makes it unique is that it was developed by a contractor as part of a red teaming activity for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. The ICS malware supports capabilities comparable to those implemented in malware such as INDUSTROYER and INDUSTROYER2.

Both INDUSTROYER and INDUSTROYER2 malware strains were used by Russia-linked APT groups in attacks aimed at critical infrastructure in Ukraine targeting IEC-104.

“COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT.” reads the analysis published by Mandiant. “Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption.”

COSMICENERGY is composed of two components, respectively tracked as PIEHOP and LIGHTWORK:

  • PIEHOP is a disruption tool written in Python and packaged with PyInstaller that can connect to a user-supplied remote MSSQL server to upload files and issue remote commands to an RTU. PIEHOP relies on LIGHTWORK to issue the IEC-104 commands “ON” or “OFF” to the remote system and then deletes the executable after issuing the command. The researchers noticed that the PIEHOP sample they analyzed contained programming logic errors that prevent it from successfully performing its IEC-104 control capabilities; however, these could be quickly fixed.
  • LIGHTWORK is a C++ tool that implements the IEC-104 protocol to modify the state of RTUs over TCP. It

The researchers pointed out that the malware doesn’t support discovery capabilities, which implies that the operator would need to perform some internal reconnaissance to obtain environmental information (i.e. MSSQL server IP addresses, MSSQL credentials, and target IEC-104 device IP addresses).

The analysis of COSMICENERGY revealed the use of a module associated with a project named “Solar Polygon.” Searching for this unique string, the researchers identified a single match to a cyber range (aka polygon) developed by Rostelecom-Solar.

“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.” concludes the report. “OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY.”


Pierluigi Paganini

(SecurityAffairs – hacking, ICS malware)

The post New CosmicEnergy ICS malware threatens energy grid assets appeared first on Security Affairs.

D-Link fixes two critical flaws in D-View 8 network management suite

25 May 2023 at 21:58

D-Link fixed two critical flaws in its D-View 8 network management suite that could lead to authentication bypass and arbitrary code execution.

D-Link has addressed two critical vulnerabilities (CVSS score: 9.8) in its D-View 8 network management suite that could be exploited by remote attackers to bypass authentication and execute arbitrary code.

The D-View network management suite allows customers to monitor performance, configure devices, and manage the network in an efficient way.

The vulnerabilities were reported to the company on December 23, 2022 through Trend Micro’s Zero Day Initiative (ZDI).

The first vulnerability, tracked as CVE-2023-32165, is a D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution flaw.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory published by ZDI. “The specific flaw exists within the TftpReceiveFileHandler class.”

The vulnerability is caused by the lack of proper validation of a user-supplied path prior to using it in file operations. An unauthenticated attacker can exploit the flaw to execute code in the context of SYSTEM.

The vulnerability was reported by Andrea Micalizzi (aka rgod).

The second flaw, tracked as CVE-2023-32169, is an authentication bypass issue caused by the use of hard-coded cryptographic key authentication in the TokenUtils class.

An attacker can exploit this vulnerability to bypass authentication on the target system.

“This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory. “The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key.”

The vulnerability was discovered by Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative.

The company pointed out that the released patch is “beta software or hot-fix release,” which is still undergoing final testing.

“Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where Securityaffairs or my name, Pierluigi Paganini, is listed

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post D-Link fixes two critical flaws in D-View 8 network management suite appeared first on Security Affairs.

Zyxel firewall and VPN devices affected by critical flaws

25 May 2023 at 20:15

Zyxel fixed two critical flaws in multiple firewall and VPN products that can lead to remote code execution or cause a DoS condition.

Zyxel addressed two critical buffer overflow vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, that affect several of its firewall and VPN products.

A remote, unauthenticated attacker can trigger the flaws to cause a denial-of-service (DoS) condition or achieve remote code execution on vulnerable devices.

Below are the descriptions of both issues provided by the vendor in a security advisory:

  • CVE-2023-33009 – A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
  • CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.

Users are recommended to install security updates provided by the company to address the issues.

  1. CVE-2023-33009: A buffer overflow vulnerability in the notification function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)
  2. CVE-2023-33010: A buffer overflow vulnerability in the ID processing function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)

The following table includes vulnerable devices:

Affected series               | Affected version            | Patch availability
ATP                           | ZLD V4.32 to V5.36 Patch 1  | ZLD V5.36 Patch 2
USG FLEX                      | ZLD V4.50 to V5.36 Patch 1  | ZLD V5.36 Patch 2
USG FLEX50(W) / USG20(W)-VPN  | ZLD V4.25 to V5.36 Patch 1  | ZLD V5.36 Patch 2
VPN                           | ZLD V4.30 to V5.36 Patch 1  | ZLD V5.36 Patch 2
ZyWALL/USG                    | ZLD V4.25 to V4.73 Patch 1  | ZLD V4.73 Patch 2

At the end of April, Zyxel fixed a critical RCE flaw, tracked as CVE-2023-28771 (CVSS score 9.8), in its firewall devices and urged customers to install the patches.

The company also fixed a high-severity post-authentication command injection issue (CVE-2023-27991, CVSS score: 8.8) affecting some specific firewall versions.


Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

The post Zyxel firewall and VPN devices affected by critical flaws appeared first on Security Affairs.

China-linked APT Volt Typhoon targets critical infrastructure organizations

25 May 2023 at 14:04

A China-linked APT group, tracked as Volt Typhoon, breached critical infrastructure organizations in the U.S. and Guam without being detected.

The China-linked cyber espionage group Volt Typhoon infiltrated critical infrastructure organizations in the U.S. and Guam, maintaining access while evading detection for as long as possible.

According to Microsoft, the campaign aims at building capabilities that could disrupt critical communications infrastructure between the United States and the Asia region in the case of future crises.

The Volt Typhoon group has been active since at least mid-2021 and has carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group relies almost exclusively on living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In order to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications to stay under the radar.

Volt Typhoon attack chain

Volt Typhoon targets internet-facing Fortinet FortiGuard devices to achieve initial access to targeted organizations. Then the attackers attempt to extract credentials to an Active Directory account used by the compromised device and use them for lateral movement by authenticating to other devices.

Upon gaining access to a target environment, the group conducts hands-on-keyboard activity via the command line. The researchers pointed out that the group rarely uses malware in the post-compromise phase.

“If the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that account to perform the following credential access activities.” continues the report. “Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials.”

Microsoft observed Volt Typhoon dumping information from local web browser applications; the attackers then staged the collected data in password-protected archives.

The experts concluded by warning organizations to watch for successful sign-ins from unusual IP addresses, which could indicate C2 access.

Today, CISA joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor. 


Pierluigi Paganini

(SecurityAffairs – hacking, Volt Typhoon)

The post China-linked APT Volt Typhoon targets critical infrastructure organizations appeared first on Security Affairs.

North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware

25 May 2023 at 11:09

The North Korea-linked APT group Lazarus has been targeting vulnerable Microsoft IIS servers to deploy malware.

AhnLab Security Emergency response Center (ASEC) researchers reported that the Lazarus APT Group is targeting vulnerable versions of Microsoft IIS servers in a recent wave of malware-based attacks.

Once they discover a vulnerable IIS server, the attackers leverage the DLL side-loading (T1574.002) technique to execute a malicious DLL (msvcr100.dll) that they have placed in the same folder as a normal application (Wordconv.exe). The library is then executed via the Windows IIS web server process.

msvcr100.dll is listed among the imports of Wordconv.exe, which means the malicious DLL is loaded into the memory of the Wordconv.exe process as soon as the executable runs.

Lazarus IIS attack

“the functionality of msvcr100.dll involves decrypting an encoded PE file (msvcr100.dat) and the key (df2bsr2rob5s1f8788yk6ddi4x0wz1jq) that is transmitted as a command-line argument during the execution of Wordconv.exe by utilizing the Salsa20 algorithm.” reads the analysis published by ASEC. “The decrypted PE file is then executed in the memory. It then performs the function of clearing the malicious DLL module that was loaded through the FreeLibraryAndExitThread WinAPI call before deleting itself (msvcr100.dll).”

The researchers noticed important similarities between the msvcr100.dll and the cylvc.dll previously detailed by ASEC and related to another Lazarus campaign.

The threat actor exploited an open-source Notepad++ plugin called Quick Color Picker (a discontinued project) to establish a foothold in the target network before creating additional malware (diagn.dll).

diagn.dll receives the PE file encoded with the RC6 algorithm as an execution argument, then uses an internally hard-coded key to decrypt the data file and execute the PE file directly in memory.

The researchers were not able to determine the malicious behavior of the PE file because the encoded PE data file used in the attack could not be collected, but the analysis of the logs suggests that the attackers had executed a credential theft tool such as Mimikatz.

Once they obtained system credentials, the threat actor performed internal reconnaissance and used remote access (port 3389) to move laterally into the internal network.

“The Lazarus group used a variety of attack vectors to perform their initial breach, including Log4Shell, public certificate vulnerability, 3CX supply chain attack, etc.” concludes the report, which also provides Indicators of Compromise (IoCs). “Since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”
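The monitoring ASEC recommends can be expressed as two telemetry checks. The following added example (not ASEC’s code) runs them over constructed image-load and process-creation records with Sysmon-style field names: a runtime DLL such as msvcr100.dll loading from outside the Windows system directories, especially from the loader’s own folder, and the IIS worker process spawning a child that is not expected. The worker process name w3wp.exe and the allowlist are assumptions for this example.

```python
"""Detecting DLL side-loading and abnormal IIS child processes.

Added example, not ASEC's code. Lazarus placed a malicious msvcr100.dll next to
a legitimate Wordconv.exe so the import resolved to the attacker's copy, and
ran it via the IIS web server process. The checks below work on constructed
Sysmon-style records (field names chosen for this example). w3wp.exe is the
IIS worker process name assumed here; the allowlist is illustrative.
"""
import ntpath  # Windows path semantics regardless of the host OS
from typing import Dict, List, Optional, Tuple

# DLL names that legitimately live in the Windows system directories. A copy
# elsewhere, beside an executable that imports it, is the side-loading pattern.
WATCHED_DLLS = {"msvcr100.dll", "msvcp100.dll", "msvcr120.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
IIS_WORKER = "w3wp.exe"
# Children the IIS worker is expected to spawn in this (constructed) environment.
IIS_CHILD_ALLOWLIST = {"conhost.exe", "csc.exe", "cvtres.exe"}

Alert = Tuple[str, str, str]  # (rule, subject image, detail)


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def check_image_load(ev: Dict) -> Optional[Alert]:
    """Flag a watched DLL loaded from outside the system directories."""
    loaded = _norm(ev["loaded"])
    if ntpath.basename(loaded) not in WATCHED_DLLS or in_system_dir(loaded):
        return None
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(_norm(ev["image"]))
    reason = "same folder as loader" if same_dir else "outside system dirs"
    if not ev.get("signed", False):
        reason += ", unsigned"
    return ("dll_sideload_suspect", ev["image"], f"{ev['loaded']} ({reason})")


def check_process_create(ev: Dict) -> Optional[Alert]:
    """Flag the IIS worker spawning a child that is not on the allowlist."""
    if ntpath.basename(_norm(ev["parent"])) != IIS_WORKER:
        return None
    if ntpath.basename(_norm(ev["image"])) in IIS_CHILD_ALLOWLIST:
        return None
    return ("iis_worker_spawn", ev["parent"], ev["image"])


def scan(events: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        hit = check_image_load(ev) if ev["type"] == "image_load" else check_process_create(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed telemetry: one side-load, one benign load, one suspicious spawn,
# one expected spawn, and the same binary started by a non-IIS parent.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\inetpub\wwwroot\tools\Wordconv.exe",
     "loaded": r"C:\inetpub\wwwroot\tools\msvcr100.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Program Files\Office\Wordconv.exe",
     "loaded": r"C:\Windows\System32\msvcr100.dll", "signed": True},
    {"type": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\inetpub\wwwroot\tools\Wordconv.exe", "cmdline": "Wordconv.exe <KEY_PLACEHOLDER>"},
    {"type": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Office\Wordconv.exe", "cmdline": "Wordconv.exe"},
]

if __name__ == "__main__":
    for rule, subject, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {subject} -> {detail}")
```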

This week, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual for their role in malicious cyber operations conducted to support the government of North Korea.


Pierluigi Paganini

(SecurityAffairs – hacking, DPRK)

The post North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware appeared first on Security Affairs.

Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites

25 May 2023 at 06:17

Iran-linked threat actor Tortoiseshell targeted shipping, logistics, and financial services companies in Israel with watering hole attacks.

ClearSky Cyber Security uncovered a watering hole attack on at least eight Israeli websites belonging to shipping, logistics, and financial services companies and attributed the attacks with low confidence to the Iran-linked APT group Tortoiseshell (aka TA456 or Imperial Kitten).

The threat actors used a script on the compromised websites to collect preliminary user information.

The malicious JavaScript employed in the watering hole attacks collects data from visitors, including the user’s OS language, IP address, screen resolution, as well as the URL from which the website was visited.

The activity of the APT group was first detailed by Symantec in 2019, when the experts analyzed a series of attacks against IT providers in Saudi Arabia and US entities. The experts spotted the Iranian group in 2018, but they speculate that it has been active for a longer time.

Five out of the eight compromised websites were hosted by the uPress hosting service, which was attacked in 2020 by the Iranian group Emennet Pasargad (“Hackers of Savior”), who defaced thousands of Israeli sites hosted by it.

The collected data were transferred into a JSON file via a POST request to a website under the control of the threat actor.

The experts noticed that the first malicious JavaScript they spotted contains a unique string of text which includes grammatical errors. Looking for this unique string, the researchers were able to find another JavaScript that contains the same code but is used on a different domain.

“The script is downloaded from the malicious website cdnpakage[.]com. Our team discovered that cdnpakage[.]com previously had another SSL certificate related to another domain – globalpneuservices[.]com.” reads the report published by ClearSky. “Using the domain cdnpakage[.]com, additional infected domains were found: tel-bar.co[.]il, aviram.co[.]il.”

Tortoiseshell Israel websites

The attribution to an Iran-linked APT is based on the following evidence:

  • C2 attribution – the domain jquery-stack[.]online is attributed to TA456 (Tortoiseshell).
  • The attackers employed four domains impersonating the legitimate JavaScript framework jQuery by using “jQuery” in their domain names; the same trick was observed in a previous Iranian campaign from 2017.
  • Watering holes have been part of the initial access stage used by Iran-linked APTs since at least 2017.
  • Iranian threat actors target Israeli websites and attempt to collect data on logistics companies associated with shipping and healthcare.
  • Re-use of open-source penetration testing tools that focus on web browsers was seen both in an Iranian campaign in 2017 and in the current campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Tortoiseshell)

The post Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites appeared first on Security Affairs.

Barracuda Email Security Gateway (ESG) hacked via zero-day bug

24 May 2023 at 18:13

Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were breached exploiting a zero-day vulnerability.

Network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.

The vulnerability, tracked as CVE-2023-2868, resides in the module that screens email attachments. The issue was discovered on May 19, and the company fixed it with the release of two security patches on May 20 and 21.

“Barracuda identified a vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023.” reads the advisory published by the security solutions provider. “The vulnerability existed in a module which initially screens the attachments of incoming emails.”

The issue could have a significant impact because the impacted Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.

The vulnerability does not impact other Barracuda products; the company states that its SaaS email security service is not affected by this issue.

The company investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The customers whose appliances Barracuda believes were impacted were notified via the ESG user interface.

“Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances,” continues the advisory. “Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.”

Barracuda pointed out that the investigation was limited to its ESG product and not the customers’ specific environment. Impacted organizations are recommended to review their networks to determine if other systems were compromised by the attackers.


Pierluigi Paganini

(SecurityAffairs – hacking, ESG)

The post Barracuda Email Security Gateway (ESG) hacked via zero-day bug appeared first on Security Affairs.

The US government sanctioned four entities and one individual for supporting cyber operations conducted by North Korea

24 May 2023 at 14:00

The US Department of the Treasury sanctioned four entities and one individual for their role in cyber operations conducted by North Korea.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual for their role in malicious cyber operations conducted to support the government of North Korea.

“The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue, including in virtual currency, to support the Kim regime and its priorities, such as its unlawful weapons of mass destruction and ballistic missile programs.” reads the announcement.

The sanctioned entities conducted operations to steal funds to support the military strategy of the regime.

In December 2022, South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.

According to the spy agency, more than half of those crypto assets (about 800 billion won, or $626 million) were stolen in 2022 alone, the Associated Press reported.

The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea.

Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.

Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.

According to local media, US federal prosecutors believe that North Korea’s government considers cryptocurrency a long-term investment and it is amassing crypto funds through illegal activities.

In a classified report cited by Chosun, the US National Intelligence Service (DNI) found that North Korea was financing its ‘priority policies’, such as nuclear and missile development, through cybercrime. Government experts noticed that nation-state actors are not immediately cashing out all the stolen crypto to create a crypto fund reserve.

“Today’s action continues to highlight the DPRK’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States and our partners remain committed to combatting the DPRK’s illicit revenue generation activities and continued efforts to steal money from financial institutions, virtual currency exchanges, companies, and private individuals around the world.”

According to the announcement, Pyongyang University of Automation was involved in the training of threat actors, including members of the bureaus directed by the Reconnaissance General Bureau (RGB), which is the core infrastructure in the military structure of Pyongyang.

OFAC also sanctioned the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center. The Technical Reconnaissance Bureau leads the DPRK’s development of offensive cyber tactics and tools and coordinates the activities of several departments, including those affiliated with the Lazarus Group.

The 110th Research Center conducted cyber campaigns targeting networks worldwide. In 2013 it carried out a hacking campaign, tracked as DarkSeoul, which destroyed thousands of systems of organizations in the financial sector. The 110th Research Center was also involved in the theft of sensitive government information from entities in South Korea.

The DPRK also deployed IT workers in companies worldwide, including in the technology and virtual currency industries, to generate significant revenues.

The North Korean government maintains a workforce of thousands of highly skilled IT workers around the world, most of them located in the People’s Republic of China and Russia. The revenue generated by these experts contributes to the government’s unlawful WMD and ballistic missile programs. According to the announcement, each worker can earn more than $300,000 per year.

“These workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs at these companies. They target employers located in wealthier countries, utilizing a variety of mainstream and industry-specific freelance contracting, payment, and social media and networking platforms.” continues the announcement. “Applications and software developed by DPRK IT workers span a range of fields and sectors, including business, health and fitness, social networking, sports, entertainment, and lifestyle.”

The US Department of the Treasury also states that the Chinyong Information Technology Cooperation Company (Chinyong), aka Jinyong IT Cooperation Company, is involved in the IT worker activities.

Chinyong is associated with the Ministry of Peoples’ Armed Forces, and North Korean national Kim Sang Man.

“As a result of today’s action, pursuant to E.O. 13687 and E.O. 13810, all property and interests in property of the persons named above that are in the United States, or in the possession or control of U.S. persons, are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” concludes the announcement. “In addition, persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to designation. Furthermore, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”


Pierluigi Paganini

(SecurityAffairs – hacking, DPRK)

The post The US government sanctioned four entities and one individual for supporting cyber operations conducted by North Korea appeared first on Security Affairs.

Ukraine’s CERT-UA warns of espionage activity conducted by UAC-0063

24 May 2023 at 11:00

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a cyberespionage campaign targeting state bodies in the country.

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign conducted by a threat actor tracked as UAC-0063.

On April 18, 2023 and April 20, 2023, the nation-state actor sent spear-phishing emails to a government department’s e-mail address, supposedly from the official mailbox of the Embassy of Tajikistan in Ukraine.

CERT-UA believes that the mailbox of the Embassy of Tajikistan may have been compromised in a previous attack. The two emails contained, respectively, a weaponized document and a reference to the same document.

“If the document is downloaded and the macro is activated on the PC, a DOCX file “SvcRestartTaskLogon” will be created and opened, which also contains a macro, which will create another file with the “WsSwapAssessmentTask” macro.” reads the report published by CERT-UA. “The purpose of the latter is to create a “SoftwareProtectionPlatform” file classified as HATVIBE and a scheduled task to run it. HATVIBE is presented as an encoded VBScript (VBE) file, which functionally provides the ability to load and run other files.”


Upon enabling the macro in the Microsoft Word document, an encoded VBScript called HATVIBE is launched. The script is then used to drop additional malicious payloads, including a keylogger (LOGPIE) and the CHERRYSPY backdoor. Both Python-based malware strains are protected using the PyArmor utility.

The threat actors also used the STILLARCH malware to search for and exfiltrate files, including the results of the LOGPIE keylogger operation (file extension: “.~tmp”).

Threat actors also employed the sophisticated malware strain DownEx, which was recently involved in attacks aimed at Government organizations in Central Asia.

Ukrainian government experts reported that the analysis of the attack infrastructure led them to believe that the attack was also aimed at organizations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.

CERT-UA recommends restricting user accounts from running “mshta.exe”, the Windows Script Host (“wscript.exe”, “cscript.exe”) and the Python interpreter.

Ukraine’s CERT also shared Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post Ukraine’s CERT-UA warns of espionage activity conducted by UAC-0063 appeared first on Security Affairs.

AhRat Android RAT was concealed in iRecorder app in Google Play

24 May 2023 at 07:20

ESET found a new remote access trojan (RAT), dubbed AhRat, on the Google Play Store that was concealed in an Android screen recording app.

ESET researchers have discovered an Android app on Google Play that was hiding a new remote access trojan (RAT) dubbed AhRat.

The app, named iRecorder – Screen Recorder, has more than 50,000 installs. The app was initially uploaded to the Google Play store without malicious features on September 19th, 2021. Threat actors introduced the malicious functionality in version 1.3.8, which was uploaded in August 2022.

The app was designed to extract microphone recordings and steal files with specific extensions, a circumstance that suggests it was involved in an espionage campaign. Researchers have not detected AhRat anywhere else in the wild.

The AhRat is a customization of the open-source AhMyth Android RAT (remote access trojan). The AhMyth RAT supports various malicious functions, including exfiltrating call logs, contacts, and text messages, obtaining a list of files on the device, tracking the device location, sending SMS messages, recording audio, and taking pictures. However, ESET observed only a limited set of malicious features derived from the original AhMyth RAT in both versions of AhRat analyzed by its experts. 

AhRat RAT Android

ESET immediately notified Google, which quickly removed the iRecorder app from its store. The experts pointed out that the app can also be found in alternative and unofficial Android stores.

ESET was not able to link the AhRat malware to any known threat actors. The researchers only reported that previously, the open-source AhMyth was employed by the Pakistan-linked APT group Transparent Tribe (aka APT36).

“The AhRat research serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses.” concludes ESET that also shared Indicators of Compromise (IoC).

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where Securityaffairs or my name Pierluigi Paganini is listed

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post AhRat Android RAT was concealed in iRecorder app in Google Play appeared first on Security Affairs.

The previously undocumented GoldenJackal APT targets Middle East, South Asia entities

23 May 2023 at 19:09

A previously undocumented APT group tracked as GoldenJackal has been targeting government and diplomatic entities in the Middle East and South Asia since 2019.

Kaspersky researchers shared details about the activity of a previously undocumented APT group, tracked as GoldenJackal, which has been active since 2019. The primary motivation of the group appears to be espionage.

The group focuses on government and diplomatic entities in the Middle East and South Asia. Kaspersky started monitoring the group’s operations in mid-2020; the researchers explained that it has shown a constant level of activity, which demonstrates the group’s ability to fly under the radar.

The APT group employed a specific toolset of .NET malware, composed of JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher. The malware allows the group to:

  • control victim machines
  • spread across systems using removable drives
  • exfiltrate certain files from the infected system
  • steal credentials
  • collect information about the local system
  • collect information about users’ web activities
  • take screen captures of the desktop

In the attacks spotted by the researchers, the GoldenJackal APT used fake Skype installers and weaponized Word documents as initial attack vectors.

“The fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. This tool was used in 2020.” reads the report published by Kaspersky. “The other known infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.”

GoldenJackal APT weaponized doc01.png

The JackalControl Trojan allows threat actors to remotely control the target machine. The malware uses HTTPS communications with the C2 servers, and supports the following operations:

  • Execute an arbitrary program with provided arguments
  • Download arbitrary files to the local file system
  • Upload arbitrary files from the local file system

The researchers observed that the APT group updated this malware multiple times across the years.

JackalSteal is an implant, used in a limited number of attacks, that searches for files of interest on the target’s machine and exfiltrates them. The tool can monitor removable USB drives, remote shares, and all logical drives in the targeted system. Experts noticed it cannot maintain persistence, which means it needs to be installed by another component.

The JackalWorm worm spreads via removable USB drives, and its behavior changes according to the parent process. When the malware runs on a system that is already infected and the parent process is taskeng.exe or services.exe, it monitors removable USB drives; when a device is attached, it hides the last-modified directory and replaces it with a copy of the worm. The worm borrows the code to monitor removable USB drives from JackalSteal.

The JackalPerInfo malware allows operators to collect information about the compromised system, as well as a specific set of files that could potentially be used to retrieve stored credentials and the user’s web activities.

The JackalScreenWatcher tool can be used to collect screenshots of the victim’s desktop and send the pictures to a remote, hard-coded C2.

Kaspersky observed a limited number of attacks against government and diplomatic entities in the Middle East and South Asia. Victims of the APT group are in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.

The researchers were not able to link the GoldenJackal APT to any known actor; however, they observed some similarities between the group and the Russia-linked Turla cyber-espionage group.

The experts noticed a code similarity in the victim UID generation algorithm, which partially overlaps with the one used by Kazuar.

“The group is probably trying to reduce its visibility by limiting the number of victims. According to our telemetry, the number of targets is very low and most of them were related to government or diplomatic entities. Moreover, some of the samples were deployed only on systems that were not protected by Kaspersky during the infection phase. This may indicate that the actor is trying to protect some of its tools and avoid specific security solutions.” Kaspersky concludes. “Their toolkit seems to be under development – the number of variants shows that they are still investing in it. The latest malware, JackalWorm, appeared in the second half of 2022 and appears to still be in the testing phase.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post The previously undocumented GoldenJackal APT targets Middle East, South Asia entities appeared first on Security Affairs.

Google announced its Mobile VRP (vulnerability rewards program)

23 May 2023 at 14:42

Google introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities in its mobile applications.

Google announced a new bug bounty program, named Mobile VRP (vulnerability rewards program), that covers its mobile applications.

Google’s Mobile VRP is a bug bounty program for reporting vulnerabilities in first-party Android applications developed or maintained by Google.

Only apps published by the developers in the list below or apps in the Tier 1 list (Google Play Services, AGSA (Android Google Search app), Chrome, Cloud, Gmail, and Chrome Remote Desktop) are covered by the new program.

The IT giant will reward arbitrary code execution vulnerabilities and flaws that can lead to the theft of sensitive data. The company is also looking for:

  • Path traversal / zip path traversal vulnerabilities leading to arbitrary file write
  • Intent redirections leading to launching non-exported application components
  • Vulnerabilities caused by unsafe usage of pending intents
  • Orphaned permissions
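The first of those categories, zip path traversal, is worth seeing concretely, because the mistake is easy to make in any code that unpacks a downloaded archive into app storage: entry names are attacker-controlled, and an extractor that simply joins them onto a destination directory can be made to write anywhere the app can. The check below is an added example written for this post, not code from Google’s program or from any of the listed apps; the destination path /data/data/app/files and the archive entries are constructed for illustration. It shows the general rule (canonicalize, then require the destination directory as a prefix) applied to the three shapes of name that matter: a plain name, a dot-dot that still lands inside, and names that escape.

```python
from __future__ import annotations

import io
import os
import posixpath
import zipfile

# Assumed destination: an app-private files directory on Android (illustrative path).
APP_FILES_DIR = "/data/data/app/files"


def is_safe_zip_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if extracting member_name under dest_dir stays inside it.

    Names such as "../../x" or "/etc/passwd" let an extractor that blindly joins
    paths write outside the intended directory, which is the zip path traversal
    class the program rewards. The check canonicalizes the final path and
    requires dest_dir as its prefix, which is the decision a hardened extractor
    makes before writing a single byte.
    """
    dest_dir = os.path.realpath(dest_dir)
    if posixpath.isabs(member_name) or member_name.startswith("\\"):
        return False  # absolute names never belong in an archive we extract
    target = os.path.realpath(os.path.join(dest_dir, *member_name.split("/")))
    return target == dest_dir or target.startswith(dest_dir + os.sep)


def unsafe_members(zip_bytes: bytes, dest_dir: str = APP_FILES_DIR) -> list[str]:
    """List the archive entries that must be refused before any extraction starts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [name for name in z.namelist() if not is_safe_zip_member(dest_dir, name)]


def build_sample_zip() -> bytes:
    """Construct an archive mixing benign entries with traversal attempts (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/config.json", "{}")
        z.writestr("assets/../theme.json", "{}")  # dot-dot that still lands inside
        z.writestr("../../shared_prefs/evil.xml", "<map/>")  # escapes the files dir
        z.writestr("/etc/passwd", "x")  # absolute path
    return buf.getvalue()


if __name__ == "__main__":
    print("refused:", unsafe_members(build_sample_zip()))
```

The whole archive is screened before anything is written, rather than checking each entry as it is extracted; otherwise the benign entries that precede a malicious one have already landed on disk by the time the extractor aborts. The same prefix test applies to a single downloaded file whose name comes from a server response.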

Below is the table reporting the rewards offered by the company for the different categories of vulnerabilities and the level of user interaction required to exploit them. The columns correspond to:

  1) Remote / no user interaction
  2) User must follow a link that exploits the vulnerable app
  3) User must install a malicious app, or the victim app is configured in a non-default way
  4) Attacker must be on the same network (e.g. MiTM)

Category                     | 1)      | 2)      | 3)     | 4)
A) Arbitrary Code Execution  | $30,000 | $15,000 | $4,500 | $2,250
B) Theft of Sensitive Data   | $7,500  | $4,500  | $2,250 | $750
C) Other Vulnerabilities     | $7,500  | $4,500  | $2,250 | $750

White hat hackers can earn up to $30,000 for vulnerabilities in Tier 1 apps that can be exploited remotely without user interaction to achieve arbitrary code execution.

“The panel can apply a discretionary $1,000 bonus – e.g. for a particularly surprising vulnerability, or an exceptional writeup.” states the announcement. “When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else’s data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google.”

Bug hunters interested in taking part in the Mobile VRP should submit their findings through Google’s report page.


Pierluigi Paganini

(SecurityAffairs – hacking, bug bounty)

The post Google announced its Mobile VRP (vulnerability rewards program) appeared first on Security Affairs.

German arms manufacturer Rheinmetall suffered Black Basta ransomware attack

23 May 2023 at 13:44

The German automotive and arms manufacturer Rheinmetall announced it was the victim of a Black Basta ransomware attack that took place last month.

Rheinmetall is a German automotive and arms manufacturer listed on the Frankfurt stock exchange. The company announced this week that it was the victim of a ransomware attack conducted by the Black Basta ransomware group.

The incident took place in mid-April and impacted the business unit that serves industrial customers, particularly in the automotive sector. The defense division of the company was not impacted by the ransomware attack, as Rheinmetall’s spokesperson Oliver Hoffmann reported after the discovery of the incident.

The automotive and arms manufacturer launched an investigation into the incident with the help of cybersecurity authorities.

The company filed a criminal complaint with the Cologne public prosecutor’s office.

The company is still working to completely recover from the security breach.

In March, the pro-Russian hacker group Killnet issued a call to arms on its Telegram channel against the company’s IT infrastructure in Germany and Australia after Rheinmetall announced a new tank factory in Ukraine as the Russian invasion of the Eastern European nation continues.

The company is a supplier of weaponry used on the Leopard tanks that several European countries sent to Ukraine.

In September 2019, a series of cyber attacks hit the defense contractors Rheinmetall AG and Defence Construction Canada (DCC), damaging their information technology systems.

Black Basta has been active since April 2022 and, like other ransomware operations, it implements a double-extortion attack model.

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

In two weeks, the experts observed attacks against more than 10 different US-based customers.


Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta)

The post German arms manufacturer Rheinmetall suffered Black Basta ransomware attack appeared first on Security Affairs.
