RSS Security

Today — 5 August 2021 (Security Affairs)

Cryptominer ELFs Using MSR to Boost Mining Process

5 August 2021 at 16:28

The Uptycs Threat Research Team recently observed a Golang-based worm dropping cryptominer binaries that use the MSR (Model Specific Register) driver.

By Uptycs Threat Research

Original research by Siddarth Sharma

The Uptycs Threat Research Team recently observed a Golang-based worm dropping cryptominer binaries that use the MSR (Model Specific Register) driver to disable hardware prefetchers and increase the speed of the mining process by 15%.

The Golang-based worm, which targets vulnerable *nix servers, exploits known vulnerabilities in popular web servers in order to spread itself and the embedded miner. The new variants of the worm were identified in June 2021 by our threat intelligence systems. Though some of the functionality was similar to the malware discussed by the security firm Intezer last year, the newer variants of this malware had several new tricks up their sleeve.

In this blog, we will detail the use of the MSR to disable the hardware prefetcher in cryptomining malware. We will also cover new techniques the attackers employ in the attack kill chain for persistence and for dropping the worm into sensitive directories on the vulnerable servers.

Hardware Prefetcher and the MSR

Hardware prefetching is a technique in which the processor fetches data into cache ahead of time based on the core's past access pattern. Using the hardware prefetcher, the processor (or CPU) stages instructions from main memory into the L2 cache. However, on multicore processors, aggressive hardware prefetching causes contention and results in overall degradation of system performance.

Model-specific registers (MSRs) in the processor architecture are used to toggle certain CPU features and for performance monitoring. By manipulating the MSRs, hardware prefetchers can be disabled.

Miners Using MSR to Disable Hardware Prefetcher

A miner running with root privileges can disable the prefetcher. This is done to boost the miner's execution performance, thereby increasing the speed of the mining process. We have seen XMRig miners in our threat intelligence systems using the MSR to disable the hardware prefetcher.

XMRig miners use the RandomX algorithm, which generates many unique random programs from data selected out of a dataset derived from the hash of a key block. The code run inside the VM is generated randomly, and the hash of its output is used as the proof of work.

As RandomX programs run in a VM, this operation is generally memory intensive. Hence, the miner disables the hardware prefetcher using the MSR. According to the XMRig documentation, disabling the hardware prefetcher increases the speed by up to 15%.

The miner uses the modprobe msr command to load the msr driver (see Figure 1).

Figure 1: Command used to load msr driver

This is needed because in modular kernels the msr driver is not loaded automatically. Once the msr driver is loaded, a pseudo file is created under /dev/cpu/ (/dev/cpu/CPUNUM/msr). This provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU. The miner accesses /dev/cpu/CPUNUM/msr to overwrite the existing MSR value with a new value (see Figure 2).

Figure 2: MSR file modification

To disable the hardware prefetcher, the miner opens the /dev/cpu/CPUNUM/msr special character file to read the old MSR value and then modifies it using the pwrite system call in chunks of 8 bytes. The pseudo-code of this activity is shown below (see Figure 3).

Figure 3: Pseudo-code

The miner config also has “wrmsr” set to true to enable the MSR feature, as shown below (see Figure 4).

Figure 4: Miner config file

Wormed cryptominer: attack kill chain

  1. The attack kill chain of the wormed cryptominer starts with a shell script that downloads the Golang worm using the curl utility.
  2. The worm scans for and exploits known server-side vulnerabilities such as CVE-2020-14882 and CVE-2017-11610 from the victim machine.
  3. After gaining access to a vulnerable server, the worm downloads another shell script, which downloads a copy of the same Golang worm.
  4. The worm also writes multiple copies of itself to sensitive directories such as /boot, /boot/efi and /boot/grub, and later drops the XMRig miner ELF in /tmp.
  5. The miner disables the hardware prefetcher via the MSR to boost the mining process.

The shell script we analysed (hash: 28e9b06e5a4606c9d806092a8ad78ce2ea7aa1077a08bcf3ec1d8e3d19714f08) used several defense evasion techniques, such as altering the firewall and disabling monitoring agents, which we detailed in our previous blog. The script also used the ‘sed -i’ command to modify the /etc/hosts file with the nanopool URL, as shown in the figure below (see Figure 5).

Figure 5: /etc/hosts modification

The script finally downloads the first stage worm sample from 194.145.227[.]21 as shown below (see Figure 6).

Figure 6: Shell script network traffic – downloading the worm

First stage payload: Worm

The worm (163ef20a1c69bcb29f436ebf1e8a8a2b6ab6887fc48bfacd843a77b7144948b9) was compiled in Golang and UPX packed. The worm used the go-bindata package to embed the XMRig miner inside itself, as shown below (see Figure 7).

Figure 7: Embedded XMRig miner

Vulnerabilities exploited by the Worm

Once downloaded onto the victim system, the worm scans from that system for other vulnerable servers, exploiting known web server vulnerabilities such as CVE-2020-14882 and CVE-2017-11610. The scanner package the worm uses to find remote vulnerable servers is shown below (see Figure 8).

Figure 8: Scanner modules

The majority of the worm samples exploited the following vulnerabilities:

  1. CVE-2020-14882 – A classic path traversal vulnerability used to exploit vulnerable WebLogic servers. The attacker appears to bypass the authorization mechanism by altering the URL and performing a path traversal using double encoding on /console/images (see Figure 9).

Figure 9: Worm exploiting Path traversal vulnerability

  2. CVE-2017-11610 – A Remote Code Execution (RCE) vulnerability in the XML-RPC interface of supervisord. XML-RPC is an interface that is also provided by WordPress. The encoded payload in <param> used by the attacker in the XML-RPC exploit is shown below (see Figure 10).

Figure 10: Encoded payload in <param>

After successful exploitation, the worm runs a base64-encoded command on the newly compromised server that downloads the shell script (hash: dfbe48ade0b70bd999abaf68469438f528b0e108e767ef3a99249a4a8cfa0176) from the C2 (see Figure 11).

Figure 11: Post-exploitation command to deploy the worm

This shell script (ldr.sh) in turn downloads the worm from the C2, and the worm again deploys the XMRig miner on the server (see Figure 12).

Figure 12: Shell script downloading the worm

Worm dropping the XMRig miner into /tmp

The worm deploys the embedded XMRig miner to the /tmp location on the victim server. To do so, the worm first creates a directory named u0jhm2 in /tmp. After setting the file permissions with the fchmod syscall, the miner is executed (see Figure 13).

Figure 13: Worm dropping the miner in /tmp

After the miner has been executed, the miner binary (kthreaddk) is removed from disk using the unlinkat syscall: unlinkat(AT_FDCWD, "/tmp/u0jhm2/kthreaddk", 0).

The worm also writes copies of itself to sensitive directories such as /boot, /boot/grub, /boot/efi and /X11 (see Figures 14 and 15).

Figure 14: Worm binary copying itself to /boot

Figure 15: Worm binary copying itself to /boot/efi

Persistence

After writing itself to sensitive directories, the worm registers itself in crontab and uses fchmod to change the permissions of the cron-registered file, tmp.6GnMiL, which is later renamed to root (see Figure 16).

Figure 16: Writing to cron and later changing the permissions

Our threat intelligence systems identified seven similar samples of the Golang-based wormed cryptominer. Though the functionality and inner workings of the binaries were the same, some of the worm samples register different paths, such as /dev/dri/by-path/<file_name> and /boot/<file_name>, in crontab.
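The behaviours described in the kill chain, drop and persistence sections above (msr driver load and writes to /dev/cpu/N/msr, the miner dropped and then unlinked under /tmp, copies written into /boot and /X11, cron entries pointing into /dev/dri/by-path or /boot, and the pool name pinned in /etc/hosts) can be turned into a small host-triage check. The following is an added example and not Uptycs or XMRig code: it assumes strace-style syscall lines as input, and the syscall, crontab and hosts samples it parses are constructed for illustration, not captures from this campaign.

```python
import re
from dataclasses import dataclass

# Drop locations named in the report (worm copies and cron-registered paths).
SENSITIVE_DIRS = ("/boot", "/boot/grub", "/boot/efi", "/X11", "/dev/dri/by-path")
# Miner working directory and binary name pattern from the report (/tmp/u0jhm2/kthreaddk).
TMP_MINER_RE = re.compile(r"^/tmp/[^/]+/kthreaddk$")
MSR_DEV_RE = re.compile(r"^/dev/cpu/\d+/msr$")
POOL_MARKERS = ("nanopool",)  # pool name the loader script pinned in /etc/hosts via 'sed -i'

SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+)")
QUOTED_RE = re.compile(r'"([^"]*)"')


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def in_sensitive_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in SENSITIVE_DIRS)


def triage_syscalls(lines):
    """Walk strace-style lines in order. Descriptors returned by open/openat are remembered
    so a later pwrite on the /dev/cpu/N/msr descriptor is attributed to the MSR file."""
    findings, fd_paths = [], {}
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue
        name, args, ret = m.group(1), m.group(2), int(m.group(3))
        strings = QUOTED_RE.findall(args)
        if name == "execve" and strings and strings[0].endswith("/modprobe") and "msr" in strings[1:]:
            findings.append(Finding("msr_driver_load", line))
        elif name in ("open", "openat") and strings:
            path = strings[-1]
            writing = "O_WRONLY" in args or "O_RDWR" in args
            if ret >= 0:
                fd_paths[ret] = path
            if writing and MSR_DEV_RE.match(path):
                findings.append(Finding("msr_opened_for_write", line))
            elif writing and in_sensitive_dir(path):
                findings.append(Finding("write_to_sensitive_dir", line))
            elif writing and TMP_MINER_RE.match(path):
                findings.append(Finding("miner_dropped_in_tmp", line))
        elif name in ("pwrite64", "pwrite", "write"):
            fd = int(args.split(",", 1)[0])
            if MSR_DEV_RE.match(fd_paths.get(fd, "")):
                findings.append(Finding("msr_register_write", line))
        elif name == "close":
            fd_paths.pop(int(args.split(",", 1)[0]), None)
        elif name in ("unlink", "unlinkat") and strings and TMP_MINER_RE.match(strings[-1]):
            findings.append(Finding("miner_self_delete", line))
    return findings


def triage_crontab(lines):
    """Flag cron entries whose command path lives in one of the drop locations."""
    findings = []
    for line in lines:
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        start = 1 if fields[0].startswith("@") else 5  # '@reboot cmd' vs five time fields
        if any(t.startswith("/") and in_sensitive_dir(t) for t in fields[start:]):
            findings.append(Finding("cron_persistence_in_sensitive_dir", line))
    return findings


def triage_hosts(lines):
    # Flag /etc/hosts entries that pin a mining pool hostname to an address.
    return [Finding("mining_pool_pinned_in_hosts", line) for line in lines
            if any(mk in line.split("#", 1)[0].lower() for mk in POOL_MARKERS)]


def triage(strace_lines, crontab_lines, hosts_lines):
    return triage_syscalls(strace_lines) + triage_crontab(crontab_lines) + triage_hosts(hosts_lines)


# Constructed sample inputs modelled on the report's behaviours (not real captures).
SAMPLE_STRACE = r"""
execve("/sbin/modprobe", ["modprobe", "msr"], 0x7ffd1234abcd /* 12 vars */) = 0
openat(AT_FDCWD, "/dev/cpu/0/msr", O_WRONLY) = 3
pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00", 8, 416) = 8
close(3) = 0
openat(AT_FDCWD, "/tmp/u0jhm2/kthreaddk", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 4
close(4) = 0
openat(AT_FDCWD, "/boot/efi/kthreaddk", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 5
close(5) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 6
unlinkat(AT_FDCWD, "/tmp/u0jhm2/kthreaddk", 0) = 0
""".strip().splitlines()
SAMPLE_CRONTAB = ["# m h dom mon dow command",
                  "0 3 * * * /usr/bin/apt-get update",
                  "*/5 * * * * /dev/dri/by-path/kthreaddk"]
SAMPLE_HOSTS = ["127.0.0.1 localhost",
                "203.0.113.5 xmr.nanopool.example  # constructed pool entry"]

if __name__ == "__main__":
    for f in triage(SAMPLE_STRACE, SAMPLE_CRONTAB, SAMPLE_HOSTS):
        print(f"{f.rule:34s} {f.evidence}")
```

On a live host the same functions can be fed the output of strace or auditd syscall records, the system and per-user crontabs, and /etc/hosts; the 8-byte pwrite on the msr descriptor is the signal that distinguishes an actual MSR modification from merely loading the driver.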

Uptycs EDR detections

Uptycs EDR, armed with YARA process scanning, detected the XMRig cryptominer and the MSR modification with a threat score of 10/10 (see Figure 17).

Figure 17: Uptycs EDR detection for MSR modification and other malicious activities

Uptycs EDR contextual detection also provides further details about the detected malware. Users can navigate to the toolkit data section in the detection alert and click on the name to find out the behavior and workings of XMRig, as shown in the figure below (see Figure 18).

Figure 18: Toolkit data showing attribution

Conclusion

With the rise and sky-high valuation of Bitcoin and several other cryptocurrencies, cryptomining-based attacks have continued to dominate the threat landscape. Wormed cryptominer attacks have a greater impact, as they write multiple copies of themselves and spread across endpoints in a corporate network. Alongside the mining process, modification of the MSRs can lead to severe performance issues on corporate resources. The Uptycs EDR solution offers the added benefit of a deep dive into the logged events, providing more insight into an attack.

The Indicators of Compromise (IOCs) associated with the wormed cryptominer are reported in the original report at https://www.uptycs.com/blog/cryptominer-elfs-using-msr-to-boost-mining-process.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MSR)

The post Cryptominer ELFs Using MSR to Boost Mining Process appeared first on Security Affairs.

Italian energy company ERG hit by LockBit 2.0 ransomware gang

5 August 2021 at 12:28

ERG SPA, an Italian energy company, reports a minor impact on its operations after the recent ransomware attack conducted by LockBit 2.0 gang.

Recently the Italian energy company ERG was hit by the LockBit 2.0 ransomware gang; the company has now reported “only a few minor disruptions” to its ICT infrastructure. The company is active in the production of wind energy, solar energy, hydroelectric energy and high-yield thermoelectric cogeneration energy with low environmental impact.

“Concerning the recent rumours in the media on hacker attacks on institutions and companies, ERG reports that it has experienced only a few minor disruptions to its ICT infrastructure, which are currently being overcome, also thanks to the prompt deployment of its internal cybersecurity procedures.” reads the notice published by ERG.

“The company confirms that all its plants are operating smoothly and have not experienced any downtime, thus ensuring continuous business operations.”

Concerning the rumours in the media on hacker attacks on institutions and companies ERG reports that it has experienced only a few minor disruptions to ICT infrastructure which are currently being overcome to the prompt deployment of its internal #cybersecurity procedures (1/2)

— ERG (@ERGnow) August 4, 2021

ERG added that all its plants are operating smoothly and have not experienced any downtime, thus ensuring continuous business operations.

The ransomware gang has already added the Italian company to the list of victims published on its leak site. The crooks will start leaking the stolen data on August 14, 2021, at 00:00:00.

Figure: LockBit 2.0 leak site entry for ERG

The LockBit ransomware operations began in September 2019, but in June 2021 the group launched the LockBit 2.0 ransomware-as-a-service.

ERG isn’t the only Italian organization under attack; multiple Italian companies have been targeted by an unprecedented wave of ransomware attacks in recent weeks.

A major cyber attack paralyzed the IT systems of the Lazio region's health portal, which residents use for COVID-19 vaccine registration. According to sources informed about the event, the attack was carried out with the RansomEXX ransomware, as first reported by BleepingComputer, which received a copy of the ransom note used in the attack.


Pierluigi Paganini

(SecurityAffairs – hacking, LockBit 2.0)

The post Italian energy company ERG hit by LockBit 2.0 ransomware gang appeared first on Security Affairs.

Cisco fixes critical, high severity vulnerabilities in VPN routers

5 August 2021 at 06:08

Cisco fixed critical, high severity pre-auth security vulnerabilities impacting multiple Small Business VPN routers.

Cisco addressed critical and high severity pre-auth security vulnerabilities that impact multiple Small Business VPN routers.

An attacker could exploit the issues to trigger a denial of service condition or to execute commands and arbitrary code on the affected Small Business VPN routers.

The two vulnerabilities, tracked as CVE-2021-1609 and CVE-2021-1602, reside in the web-based management interfaces. Both flaws could be exploited by a remote, unauthenticated attacker without any user interaction, just by

CVE-2021-1609 affects the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers and received a CVSS score of 9.8.

“This vulnerability exists because HTTP requests are not properly validated. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device or cause the device to reload, resulting in a DoS condition.” reads the advisory.

CVE-2021-1602 affects the RV160, RV160W, RV260, RV260P, and RV260W VPN routers and received a CVSS score of 8.2.

“This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface.” states the advisory.

Cisco pointed out that the remote management feature is disabled by default on the impacted VPN routers.

“The web-based management interface for these devices is available through local LAN connections by default and cannot be disabled there. The interface can also be made available through the WAN interface by enabling the remote management feature. By default, the remote management feature is disabled on affected devices.” continues the advisory.

The IT giant says no workarounds are available to secure the devices. The Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting the above flaws.


Pierluigi Paganini

(SecurityAffairs – hacking, VPN routers)

The post Cisco fixes critical, high severity vulnerabilities in VPN routers appeared first on Security Affairs.

Yesterday — 4 August 2021 (Security Affairs)

Advanced Technology Ventures discloses ransomware attack and data breach

4 August 2021 at 21:39

The American venture capital firm Advanced Technology Ventures (ATV) disclosed a ransomware attack, crooks also stole data of some private investors.

Advanced Technology Ventures (ATV) is an American venture capital firm with more than $1.8 billion in capital under management. This week the firm disclosed a ransomware attack in which threat actors also stole the personal information of some of its private investors.

ATV reported that the security breach took place in July: the ransomware operators stole financial information stored on two servers before encrypting them.

“On July 9, 2021 the Company learned from its third-party information technology provider that there had been anomalous activity on two identical ATV servers (the “Servers”) on which the Company stored financial reporting information. The Company soon determined that the Servers had been encrypted by a ransomware attack. On July 26, 2021, the Company learned that there was evidence of both unauthorized access to and exfiltration of the contents of the Servers.” reads a data breach notification letter sent to affected Maine residents.

Stolen data includes names, emails, phone numbers, and Social Security Numbers of some private investors.

Advanced Technology Ventures states that 300 individuals have been affected.

“We are not at this time aware of any fraud or misuse of your information as a result of this incident,” states the company. “We also required all employees to change their access credentials and deployed additional endpoint protection on our corporate network to help prevent this type of incident from reoccurring in the future.”


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Advanced Technology Ventures discloses ransomware attack and data breach appeared first on Security Affairs.

US CISA and NSA publish guidance to secure Kubernetes deployments

4 August 2021 at 16:15

US CISA and NSA released new guidance that provides recommendations on how to harden Kubernetes deployments and minimize the risk of a hack.

US CISA and NSA released new guidance that provides recommendations to harden Kubernetes deployments.

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. In recent months the number of cyberattacks against misconfigured Kubernetes systems has surged; threat actors have mainly used them to illegally mine cryptocurrencies.

The guidance details the security challenges associated with setting up and securing a Kubernetes cluster. It also includes recommendations for hardening the installs and configuring them properly.

It guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.

Below is the list of mitigations provided by the US agencies:

  • Scan containers and Pods for vulnerabilities or misconfigurations.
  • Run containers and Pods with the least privileges possible.
  • Use network separation to control the amount of damage a compromise can cause.
  • Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
  • Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
  • Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
  • Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

The guidance states that the three common sources of compromise in Kubernetes are supply chain risks, malicious threat actors, and insider threats.

“Supply chain risks are often challenging to mitigate and can arise in the container build cycle or infrastructure acquisition. Malicious threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications. Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges.” states the guidance.


Pierluigi Paganini

(SecurityAffairs – hacking, LockBit 2.0)

The post US CISA and NSA publish guidance to secure Kubernetes deployments appeared first on Security Affairs.

China-linked APT31 targets Russia for the first time

4 August 2021 at 15:25

China-linked APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia.

Researchers from Positive Technologies reported that China-linked APT31 group has been using a new piece of malware in a recent wave of attacks targeting Mongolia, Belarus, Canada, the United States, and Russia.

Experts found many similarities between the malware and the DropboxAES RAT that was first spotted by researchers at Secureworks and that was previously attributed to APT31. Positive Technologies pointed out that the two samples were the same malware with only minor differences.

APT31 (aka Zirconium) is a China-linked APT group that has been involved in multiple cyber espionage operations. It made the headlines recently after the Check Point Research team discovered that the group used a tool dubbed Jian, a clone of the NSA Equation Group’s “EpMe” hacking tool, years before it was leaked online by the Shadow Brokers.

In July 2021, the French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations conducted by the China-linked APT31 cyberespionage group. The state-sponsored hackers are hijacking home routers to set up a proxy mesh of compromised devices that conceals their attack infrastructure. The campaign began at the beginning of 2021 and is still ongoing; the alert published by the French agency includes a list of 161 IP addresses associated with hijacked devices involved in the attacks.

The technique masks the actual source of the attacks against French entities.

Researchers reported that the attackers employed the new malware in approximately 10 attacks aimed at the countries listed above between January and July 2021.

APT31 employed a new dropper that leverages DLL sideloading to execute the malicious binary on the target machine.

“The main objective of the dropper, the appearance of the main function of which is shown in Figure 1, is the creation of two files on the infected computer: a malicious library and an application vulnerable to DLL Sideloading (this application is then launched). Both files are always created over the same path: C:\ProgramData\Apacha. In the absence of this directory, it is created and the process is restarted.” reads the analysis published by the experts.

The application launched by the dropper loads the malicious library and calls one of its functions. The library mimics the legitimate MSVCR100.dll, which ships with Visual C++ for Microsoft Visual Studio. Experts pointed out that the malicious library used in the attack is much smaller than the legitimate one.

Figure: APT31 malicious library compared with the legitimate MSVCR100.dll

To avoid detection, the threat actors also signed the dropper used in some attacks with a valid, likely stolen, digital signature.

The malware employed in the attacks allows operators to steal information from infected systems, get info on mapped drives, search for files and documents, create a process, create a new stream with a file download from the server, create a new stream sending the file to the server, create a directory, or delete itself.

“In the study PT ESC specialists analyzed new versions of the malware used by APT31 in attacks from January to July this year. The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular. We believe that further instances will be revealed soon of this group being used in attacks, including against Russia, along with other tools that might be identified by code correspondence or network infrastructure.” Positive Technologies concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, APT31)

The post China-linked APT31 targets Russia for the first time appeared first on Security Affairs.

INFRA:HALT flaws impact OT devices from hundreds of vendors

4 August 2021 at 11:33

INFRA:HALT is a set of vulnerabilities affecting a popular TCP/IP library commonly used in OT devices manufactured by more than 200 vendors.

Security researchers from Forescout and JFrog have today disclosed 14 vulnerabilities that impact a popular TCP/IP library named NicheStack, commonly used in industrial equipment and Operational Technology (OT) devices manufactured by more than 200 vendors.

NicheStack (aka InterNiche stack) is a proprietary TCP/IP stack originally developed by InterNiche Technologies and acquired by HCC Embedded in 2016.

NicheStack is used by several devices in the Operational Technology (OT) and critical infrastructure space, such as the popular Siemens S7 line of PLCs.

“The new vulnerabilities allow for Remote Code Execution, Denial of Service, Information Leak, TCP Spoofing, or DNS Cache Poisoning.” states the report. “Forescout Research Labs and JFrog Security Research exploited two of the Remote Code Execution vulnerabilities in their lab and show the potential effects of a successful attack.”

The flaws could be exploited by a threat actor that has gained access to an organization's OT network.

Below is the list of vulnerabilities discovered by the experts:

Figure: INFRA:HALT flaws (list of CVEs)

“INFRA:HALT confirms earlier findings of Project Memoria, namely similar vulnerabilities appearing in different implementations, both open and closed source. In fact, INFRA:HALT includes examples of memory corruption like in AMNESIA:33, weak ISN generation like in NUMBER:JACK and DNS vulnerabilities like in NAME:WRECK” continues the report.

Figure: INFRA:HALT flaws (continued)

The experts also provided an estimate of the impact of the INFRA:HALT vulnerabilities; the analysis was based on the following sources:

  • A legacy InterNiche website listing its main customers, which includes a total of almost 200 device vendors.
  • Shodan queries, which show around 6,400 OT devices connected online in March. Experts “found more than 6,400 instances of devices running NicheStack (using the simple query “InterNiche”). Of those devices, the large majority (6360) run an HTTP server (query “InterNiche Technologies Webserver”), while the others ran mostly FTP (“Welcome to InterNiche embFtp server”), SSH (“SSH2.0-InternicheSSHServer (c)InterNiche”) or Telnet (“Welcome to InterNiche Telnet Server”) servers.”
  • Forescout Device Cloud, a repository of information on 13+ million devices monitored by Forescout appliances. Experts found more than 2,500 device instances from 21 vendors.

HCC Embedded has released firmware patches to address the INFRA:HALT issues.

The researchers also released Forescout’s Project Amnesia scanner to let organizations determine whether the devices they use are affected by these vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – hacking, OT)

The post INFRA:HALT flaws impact OT devices from hundreds of vendors appeared first on Security Affairs.

Before yesterday (Security Affairs)

Cyber Defense Magazine – August 2021 has arrived. Enjoy it!

3 August 2021 at 22:57

Cyber Defense Magazine August 2021 Edition has arrived. We hope you enjoy this month’s edition…packed with over 148 pages of excellent content.

Cyber Defense eMagazine August Edition for 2021
Grab this PDF version and help fund our operations:
https://cyberdefensemagazine.tradepub.com/free/w_cyba125/

Here’s the Yumpu Magazine Version
https://www.yumpu.com/en/document/read/65794079/cyber-defense-emagazine-august-edition-for-2021

Here’s a free PDF Version hosted on our site:
https://www.cyberdefensemagazine.com/newsletters/august-2021/CDM-CYBER-DEFENSE-eMAGAZINE-August-2021.pdf

Mobile Version
https://www.cyberdefensemagazine.com/newsletters/august-2021/index.html

The Black Unicorn Report for 2021
Grab this PDF version and help fund our operations:
https://cyberdefensemagazine.tradepub.com/free/w_cyba124/

Yumpu Magazine Version
https://www.yumpu.com/en/document/read/65793309/the-black-unicorn-report-for-2021

Free PDF Version hosted on our site
https://www.cyberdefensemagazine.com/wp-content/uploads/2021/08/TheBlackUnicornReportfor2021.pdf

Mobile Version
https://www.cyberdefenseawards.com/annualreports/TheBlackUnicornReportfor2021/index.html
Thank you so much for your continued support as we are now at Black Hat 2021.
Our award winners for 7 categories in the Black Unicorn Award are here.



Pierluigi Paganini

(SecurityAffairs – hacking, Cyber Defense Magazine)

The post Cyber Defense Magazine – August 2021 has arrived. Enjoy it! appeared first on Security Affairs.

China-linked APT groups target telecom companies in Southeast Asia

3 August 2021 at 20:55

China-linked APT groups have targeted the networks of at least five major telecommunications companies operating in Southeast Asia since 2017.

Cybereason researchers identified three clusters of activity associated with China-linked threat actors that carried out a series of attacks against networks of at least five major telecommunications companies located in South Asia since 2017.

“The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” states the report published by Cybereason.

The three clusters were linked to the China-linked APT groups tracked as Soft Cell (aka Gallium), Naikon APT (aka APT30 or Lotus Panda), and TG-3390 (aka APT27 or Emissary Panda).

Below are the details of each cluster:

  • Cluster A: Operated by Soft Cell, the activity associated with this cluster started in 2018 and continued through Q1 2021.
  • Cluster B: Operated by the Naikon APT, the activity associated with this cluster was first observed in Q4 2020 and continued through Q1 2021.
  • Cluster C: It was classified by Cybereason as a “mini-cluster” with a unique OWA backdoor that was deployed by cyberspies across multiple Microsoft Exchange and IIS servers. The analysis of the backdoor shows many similarities with a known backdoor, tracked as Iron Tiger, employed in campaigns conducted by the Group-3390 (APT27 / Emissary Panda). The activity related to this cluster was observed between 2017 and Q1 2021.

Figure: China-linked APT groups (activity clusters)

The attackers put significant effort into avoiding detection. As in the HAFNIUM attacks, the threat actors exploited the ProxyLogon vulnerabilities affecting Microsoft Exchange Servers to gain access to the targeted networks.

“They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms’ services.” continues the analysis.

Naikon APT employed a backdoor tracked as “Nebulae” that supports common backdoor capabilities, including the ability to collect logical drive information, manipulate files and folders, download and upload files from and to the command-and-control server, and list, execute and terminate processes on compromised devices.

Experts found multiple overlaps between the activities of the clusters; below are the hypotheses put forward by the experts:

  • One hypothesis is that the clusters represent the work of two or more teams with different sets of expertise (e.g. initial access team, foothold, telco-technology specialized team, etc.), all working together and reporting to the same Chinese threat actor.
  • A second hypothesis is that there are two or more Chinese threat actors with different agendas or tasks that are aware of each other’s work and potentially even working in tandem.
  • Another plausible hypothesis is that the clusters are not interconnected and that the threat actors are working independently with no collaboration, or are even piggybacking on the access achieved by one of the other actors involved.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, China-linked APT)

The post China-linked APT groups target telecom companies in Southeast Asia appeared first on Security Affairs.

Cisco fixed Remote Code Execution issue in Firepower Device Manager On-Box software

3 August 2021 at 14:19

Cisco addressed a vulnerability in the Firepower Device Manager (FDM) On-Box software that allows attackers to execute arbitrary code on vulnerable devices.

Cisco has addressed a vulnerability in the Firepower Device Manager (FDM) On-Box software, tracked as CVE-2021-1518, that could be exploited by an attacker to execute arbitrary code on vulnerable devices.

FDM On-Box allows administrators to manage the firewall without a centralized manager like the FMC and provides diagnostics capabilities.

The flaw resides in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software and is due to a lack of proper sanitization of user input on specific REST API commands.

“A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device.” states the report.

“This vulnerability is due to insufficient sanitization of user input on specific REST API commands. An attacker could exploit this vulnerability by sending a crafted HTTP request to the API subsystem of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system. To exploit this vulnerability, an attacker would need valid low-privileged user credentials.”

The flaw received a CVSS score of 6.3; it was reported by Positive Technologies security researchers Nikita Abramov and Mikhail Klyuchnikov.

An attacker holding valid user credentials could exploit the vulnerability by sending a crafted HTTP request to the API subsystem of an affected device.

The vulnerability impacts FDM On-Box versions 6.3.0, 6.4.0, 6.5.0, 6.6.0, and 6.7.0. Cisco fixed the vulnerability with the release of software versions 6.4.0.12, 6.4.4, and 6.7.0.2.

The good news is that Cisco experts are not aware of attacks in the wild exploiting this vulnerability.


Pierluigi Paganini

(SecurityAffairs – hacking, LockBit 2.0)


Experts found potential remote code execution in PyPI

3 August 2021 at 08:27

A flaw in the GitHub Actions workflow for PyPI’s source repository could be exploited to potentially execute arbitrary code on pypi.org.

Security researcher RyotaK disclosed three flaws in PyPI, the most severe one could potentially lead to the compromise of the entire PyPI infrastructure.

Python Package Index (PyPI) is the official third-party software repository for Python. PyPI as an index allows users to search for packages by keywords or by filters against their metadata, such as free software license or compatibility with POSIX.

The flaw affects the combine-prs.yml workflow in pypa/warehouse, which includes the current source code of PyPI.

This workflow collects pull requests whose branch names start with dependabot and merges them into a single pull request.

The workflow did not verify the pull request author, so anyone could create a pull request with a specific branch name and have the workflow process it. RyotaK pointed out that this alone does not allow code execution, because the workflow only combines pull requests and the result is reviewed by a human operator who could detect and discard any malicious code.

RyotaK then discovered a flaw in the code used for printing the branch lists of pull requests; the issue could be exploited to execute commands and leak a GitHub Access Token with write permission against the pypa/warehouse repository.

“In this line, combine-prs.yml prints branch lists of pull requests by using the following code. It’s a simple echo command, which looks fine at first glance, but it’s not safe due to the GitHub Actions’ behavior.” states the expert.

run: |
  echo "${{steps.fetch-branch-names.outputs.result}}"

“Because this workflow used actions/checkout, .git/config contains secrets.GITHUB_TOKEN, which has the write permissions. So, by executing commands like cat .git/config, it’s possible to leak GitHub Access Token with write permission against the pypa/warehouse repository. As described above, if someone pushed changes to the main branch, it’ll trigger the automatic deployment to pypi.org.”

Once an attacker has obtained write permission to the repository, they would be able to execute arbitrary code on pypi.org.

Below is the step-by-step procedure described by the researcher to execute arbitrary code on pypi.org:

  1. Fork pypa/warehouse
  2. In forked repository, create a branch named dependabot;cat$IFS$(echo$IFS'LmdpdA=='|base64$IFS'-d')/config|base64;sleep$IFS'10000';#4
  3. Add harmless modification to the created branch
  4. Create a pull request with a harmless name (e.g.: WIP)
  5. Wait for combine-prs.yml to be executed
  6. A GitHub Access Token that has the write permissions against pypa/warehouse will be leaked, so add an arbitrary modification to the main branch
  7. Modified codes will be deployed to pypi.org

The expert reported this vulnerability to Python’s security team that fixed it.

In an update provided on 31 July, the researcher @mrtc0 explained that the attack procedure above doesn’t work. RyotaK agreed and provided the following procedure:


  1. Fork pypa/warehouse
  2. Find a branch that starts with dependabot in pypa/warehouse
  3. In forked repository, add a harmless modification to the branch that you found in step 2
  4. Create a pull request named `;github.auth().then(auth=>console.log(auth.token.split("")))//
  5. Wait for combine-prs.yml to be executed
  6. A GitHub Access Token that has the write permissions against pypa/warehouse will be leaked, so add an arbitrary modification to the main branch
  7. Modified codes will be deployed to pypi.org

The vulnerability discovered by the expert could have had a significant impact on the Python ecosystem; the expert highlighted the risks of supply chain attacks.
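As an added example (not RyotaK’s code nor anything from pypa/warehouse), the Python script below scans a constructed workflow for the two injection patterns described above: a `${{ }}` expression expanded inside a `run:` shell script, as in the echo step, and one expanded inside a JavaScript `script:` block of actions/github-script, which is where the pull request name in the second procedure is assumed to have been expanded. Step outputs are treated as untrusted because in combine-prs.yml they carried branch names taken from pull requests; the sample workflow text, the `audit` function and the list of untrusted contexts are assumptions made for this example.

```python
import re

# Constructed workflow text modelled on the pattern described for
# combine-prs.yml; it is NOT the real pypa/warehouse file. Line 13 expands
# the PR title into JavaScript, line 17 expands a step output into a shell
# script, and line 21 shows the safe form (expression bound to an env var).
SAMPLE = """\
name: Combine PRs (constructed sample)
on:
  workflow_dispatch:
jobs:
  combine:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/github-script@v4
        id: fetch-branch-names
        with:
          script: |
            const title = "${{ github.event.pull_request.title }}";
            return title;
      - name: Print branch names (unsafe)
        run: |
          echo "${{steps.fetch-branch-names.outputs.result}}"
      - name: Print branch names (safe)
        env:
          BRANCHES: ${{ steps.fetch-branch-names.outputs.result }}
        run: echo "$BRANCHES"
"""

# `run:` bodies are shell, github-script `script:` bodies are JavaScript; the
# runner substitutes ${{ }} expressions into both as plain text.
KEY = re.compile(r"^(\s*)(?:-\s+)?(run|script):\s*(.*)$")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Contexts a pull request author controls, plus step outputs, which in
# combine-prs.yml carried branch names taken from pull requests (assumed list).
UNTRUSTED = re.compile(
    r"^(?:github\.(?:head_ref|event\.(?:pull_request|issue|comment|review|"
    r"review_comment|pages|commits|head_commit|workflow_run)\b)"
    r"|steps\.[\w-]+\.outputs\.)"
)


def scripts(workflow_text):
    """Yield (1-based line number of the first body line, [body lines]) for
    every run:/script: value; a block scalar (| or >) extends over the
    following lines indented deeper than its key, as YAML defines it."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(3).strip()
        if value and value[0] in "|>":
            body, j = [], i + 1
            while j < len(lines) and (not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip(" ")) > indent):
                body.append(lines[j])
                j += 1
            yield i + 2, body
            i = j
        else:
            yield i + 1, [value]
            i += 1


def audit(workflow_text):
    """Return [(line_number, expression)] for every expression that injects
    potentially attacker-controlled data into a script body."""
    findings = []
    for first, body in scripts(workflow_text):
        for offset, line in enumerate(body):
            for expr in EXPR.findall(line):
                if UNTRUSTED.match(expr):
                    findings.append((first + offset, expr))
    return findings


if __name__ == "__main__":
    for lineno, expr in audit(SAMPLE):
        print(f"line {lineno}: ${{{{ {expr} }}}} expanded into a script; "
              "bind it to an env variable and reference that instead")
```

The safe step at the end of the sample shows the fix GitHub documents for this class of bug: the expression is evaluated into an environment variable, and the script reads the variable, so no attacker-controlled text is spliced into the script source.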


Pierluigi Paganini

(SecurityAffairs – hacking, PyPI )


Do You Trust Your Smart TV?

2 August 2021 at 21:12

Did you ever stop to think that the office smart TV used for company presentations, Zoom meetings, and other work-related activities may not be so trustworthy?

In our latest video, we demonstrate an attack scenario that can occur within any organization – hacking a smart TV. The video shows an insider plugging a USB Rubber Ducky into a smart TV in a company meeting room. Within less than a minute, a payload is executed to set up a Wi-Fi network for data exfiltration (called kitty3) and instructs the TV to connect to it. The payload then uploads a utility that captures the screen before the insider removes the rogue device.

Later that day, a company meeting takes place in that same meeting room, and the smart TV displays a presentation containing confidential data. The screen capture utility records the whole presentation and saves the recording as a file on the TV. Through the pre-established Wi-Fi network (kitty3), the attacker remotely connects to the TV and views and downloads the saved screen recording. Now, the bad actor has full access to all the data.

“Someone” Like You

In this scenario, the type of attack on the smart TV was a hardware-based attack. These attacks require physical access as someone must physically insert the rogue device, and in this case, that “someone” was an insider; more specifically, an outsourced worker. According to the 2020 Insider Threat Report, contractors, service providers, and temporary workers pose the greatest risk to 50% of organizations. As an outsourced worker, the cleaner has insider access yet less loyalty to the organization than a direct employee. Such characteristics mean outsourced staff are ideal targets for attackers. The cleaner’s insider access takes care of the physical access challenge, while detachment from the organization makes the individual more susceptible to social engineering. There is an abundance of social engineering techniques, of which many are sinister, such as blackmail. In this case, however, the social engineering technique was bribery in the form of a financial payout.

The Faceless Man

Other than a global healthcare crisis, COVID-19 brought new opportunities to bad actors. Before the pandemic, wearing a surgical mask would raise suspicion unless you were a surgeon or healthcare worker. However, as wearing a mask is now not only second nature, but in most countries, mandatory, attackers are using this to their advantage to hide their identity and gain physical access to secure locations. The use of masks to assist in criminal activity is of such value that face masks sell on the black market at premiums of up to 1,500%. So, while this attack demonstrated manipulating an insider, as long as face masks are a norm, that “insider” could have been anyone.

Rubber Ducky, You’re the One

The USB Rubber Ducky is a Rogue Device that spoofs a legitimate HID. Gaps in device visibility mean the Rogue Device is not detected, but rather the legitimate device it is impersonating is. As a result, the Rogue Device raises no security alarms and, in seconds, covertly hacks the smart TV to provide the attacker with remote access to the company’s sensitive information, even after removing the attack tool. So, while you may not see them, they see you; all it takes is a duck, a Wi-Fi connection, and a smart TV that is smarter than you think.

About the author: Jessica Amado, Head of Cyber Research at Sepio Systems


Pierluigi Paganini

(SecurityAffairs – hacking, Smart TV)


PwnedPiper flaws in PTS systems affect 80% of major US hospitals

2 August 2021 at 19:42

Cybersecurity researchers disclosed multiple flaws, dubbed PwnedPiper, that left a widely-used pneumatic tube system (PTS) vulnerable to attacks.

Researchers from cybersecurity firm Armis disclosed a set of nine vulnerabilities collectively tracked as PwnedPiper that could be exploited to carry out multiple attacks against a widely-used pneumatic tube system (PTS).

Swisslog PTS systems are used in hospitals to automate logistics and the transport of materials throughout the building via a network of pneumatic tubes.

The flaw affects the Translogic PTS system manufactured by Swisslog Healthcare, which is installed in about 80% of all major hospitals in North America and thousands of hospitals worldwide.

An attacker could exploit the PwnedPiper vulnerabilities to completely take over the Translogic Nexus Control Panel, which powers current models of Translogic PTS stations.

The flaws could be exploited by attackers to conduct a broad range of malicious activities, such as carrying out a man-in-the-middle (MitM) attack or deploying ransomware.

“These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital,” reads the post published by Armis. “This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.”


The flaws include privilege escalation, memory corruption, remote-code execution, and denial-of-service issues. An attacker could also push an insecure firmware upgrade to fully compromise the devices.

These are the nine vulnerabilities discovered by the researchers:

  • CVE-2021-37161 – Underflow in udpRXThread
  • CVE-2021-37162 – Overflow in sccProcessMsg
  • CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
  • CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
  • CVE-2021-37165 – Overflow in hmiProcessMsg
  • CVE-2021-37166 – GUI socket Denial Of Service
  • CVE-2021-37167 – User script run by root can be used for PE
  • CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade

Swisslog has released Nexus Control Panel version 7.2.5.7, which addresses most of the above vulnerabilities. CVE-2021-37160 has yet to be addressed.

“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare. Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.” concludes the report.

Swisslog has also published security advisories for these vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – hacking, PTS Systems)


More evidence suggests that DarkSide and BlackMatter are the same group

2 August 2021 at 09:18

Researchers found evidence that the DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation.

BleepingComputer found evidence that after the high-profile Colonial Pipeline attack, the DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation. The experts analyzed the encryption algorithms in a decryptor used by BlackMatter, which is actively attacking corporate entities.

BleepingComputer became aware of a victim that paid a $4 million ransom to the BlackMatter gang. The company received both Windows and Linux ESXi decryptors from the cybercriminals.

BleepingComputer shared a decryptor from a BlackMatter victim with Emsisoft CTO Fabian Wosar, who confirmed that the new ransomware gang is using the same unique encryption methods (a custom implementation of the Salsa20 matrix) implemented by DarkSide.

After looking into a leaked BlackMatter decryptor binary I am convinced that we are dealing with a Darkside rebrand here. Crypto routines are an exact copy pretty much for both their RSA and Salsa20 implementation including their usage of a custom matrix.

— Fabian Wosar (@fwosar) July 31, 2021

DarkSide also used an RSA-1024 implementation unique to their encryptor, which is the same used by BlackMatter.

The above and other similarities, such as the similar text on the leak sites, suggest that BlackMatter is a rebrand of DarkSide.


On its leak site BlackMatter states that it doesn’t attack:

  • Hospitals.
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
  • Oil and gas industry (pipelines, oil refineries).
  • Defense industry.
  • Non-profit companies.


Pierluigi Paganini

(SecurityAffairs – hacking, BlackMatter)


WordPress Download Manager Plugin was affected by two flaws

2 August 2021 at 06:53

An attacker could exploit a vulnerability in the WordPress Download Manager plugin, tracked as CVE-2021-34639, to execute arbitrary code under specific configurations.

Researchers from the Wordfence team discovered a vulnerability, tracked as CVE-2021-34639, affecting the WordPress Download Manager plugin that could allow attackers to execute arbitrary code under specific configurations.

The flaw could allow authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files.

“Prior to our findings, the WordPress Download Manager plugin patched a vulnerability allowing authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files. While the patch in question was sufficient to protect many configurations, it only checked the very last file extension, so it was still possible to perform a “double extension” attack by uploading a file with multiple extensions.” reads the analysis published by Wordfence. “For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive.”

The plugin was vulnerable to a double extension attack, in which attackers submit a file with multiple extensions in order to get it executed.

Experts pointed out that although the CVSS score of this vulnerability is 7.5 (High), its exploitation is not simple, because in a real attack scenario the presence of an .htaccess file in the downloads directory makes it difficult to execute uploaded files.
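As an added illustration (not Wordfence’s or the plugin’s code), the Python functions below contrast the last-extension-only check the report describes with a check that inspects every extension segment, which matters because Apache’s mod_mime assigns handlers for a recognised extension in any position of a file name; the EXECUTABLE set is a constructed assumption.

```python
import posixpath

# Extensions that Apache/mod_php may hand to the PHP interpreter when an
# AddHandler or AddType directive covers them (constructed list for this
# example; take the real set from the server's own configuration).
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def last_extension_only(filename):
    """The insufficient pattern the Wordfence report describes: only the final
    extension is inspected, so 'info.php.png' is accepted. Returns True when
    the upload would be allowed."""
    name = posixpath.basename(filename)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return ext not in EXECUTABLE


def every_extension(filename):
    """Hardened check: mod_mime treats every dotted segment after the base
    name as an extension, so reject the upload if any segment is executable.
    Returns True when the upload would be allowed."""
    name = posixpath.basename(filename)
    segments = [s for s in name.lower().split(".")[1:] if s]
    return not any(s in EXECUTABLE for s in segments)
```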

The flaw impacts versions of WordPress Download Manager prior to 3.1.24. The development team behind the plugin addressed the vulnerability in May.

The development team also addressed a directory traversal issue, tracked as CVE-2021-34638 (CVSS score of 6.5) that could allow a low privileged user (i.e. a contributor) to retrieve the contents of a site’s wp-config.php file by adding a new download and carrying out a directory traversal attack using the file[page_template] parameter.

The flaw could allow an attacker to take over a website either via obtaining database credentials or by executing malicious JavaScript in an administrator’s browser session.

“Since the contents of the file provided in the file[page_template] parameter were echoed out onto the page source, a user with author-level permissions could also upload a file with an image extension containing malicious JavaScript and set the contents of file[page_template] to the path of the uploaded file. This would lead to the JavaScript in the file being executed whenever the page was viewed or previewed resulting in Stored Cross-Site Scripting.” continues the report “As such, and despite the CVSS score of this vulnerability only being a 6.5, it could be used to take over a site either via obtaining database credentials or by executing JavaScript in an administrator’s browser session.”


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress Download Manager plugin )


GhostEmperor, a new Chinese-speaking threat actor targets Southeast Asia

1 August 2021 at 15:50

Kaspersky experts spotted a previously undocumented Chinese-speaking threat actor, tracked as GhostEmperor, that is targeting Microsoft Exchange flaws in attacks on high-profile victims.

Kaspersky spotted a new Chinese-speaking threat actor, tracked as GhostEmperor, that is targeting Microsoft Exchange vulnerabilities in attacks aimed at high-profile victims.

The long-running operation carried out by the group mostly targeted entities in Southeast Asia, including several government entities and telecom companies. 

GhostEmperor used a loading scheme that relies on a component of the Cheat Engine open-source project, which allows it to bypass the Windows Driver Signature Enforcement mechanism.

“The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named ‘Cheat Engine’.” reads the announcement published by Kaspersky. “This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.”

The cluster discovered by the experts also employed a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

Multiple threat actors targeted Microsoft Exchange vulnerabilities this year; however, the GhostEmperor operation has no overlap with them.

“GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers,” concludes Kaspersky.


Pierluigi Paganini

(SecurityAffairs – hacking, GhostEmperor)


Security Affairs newsletter Round 325

1 August 2021 at 08:55

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the international press subscribe here.

Crooks target Kubernetes installs via Argo Workflows to deploy miners
XCSSET MacOS malware targets Telegram, Google Chrome data and more
Apple fixes CVE-2021-30807 flaw, the 13th zero-day this year
Hiding Malware inside a model of a neural network
Microsoft publishes mitigations for the PetitPotam attack
No More Ransom helped ransomware victims to save almost €1B
DIVD discloses three new unpatched Kaseya Unitrends zero-days
Flaws in Zimbra could allow takeover of the webmail server of a targeted organization
Hackers flooded the Babuk ransomware gang’s forum with gay porn images
South Africa’s logistics company Transnet SOC hit by a ransomware attack
BlackMatter ransomware group claims to be DarkSide and REvil successor
Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers
US, UK, and Australian agencies warn of top routinely exploited issues
BlackMatter and Haron, two new ransomware gangs in the threat landscape
Critical flaw in Microsoft Hyper-V could allow RCE and DoS
LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains
CVE-2021-3490 – Pwning Linux kernel eBPF on Ubuntu machines
Estonia’s police arrested a Tallinn resident who stole 286K ID scans from a government DB
Meteor was the wiper used against Iran’s national railway system
Android Banking Trojan Vultur uses screen recording for credentials stealing
Threat actors leaked data stolen from EA, including FIFA code


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


Threat actors leaked data stolen from EA, including FIFA code

31 July 2021 at 20:50

Threat actors that hacked Electronic Arts in June have leaked the full data dump stolen from the company after the failure of negotiations with the victim.

In June, hackers compromised the network of the gaming giant Electronic Arts (EA) and claimed to have stolen approximately 780 GB of data.

The stolen data include the source code of the games, the source code of the FrostBite game engine and debug tools, FIFA 21 matchmaking server code, proprietary EA games frameworks, debug tools, SDK, and API keys, XBOX and SONY private SDK & API key, XB PS and EA pfx and crt with key, and FIFA 22 API keys and SDK & debug tools.

Motherboard, who was among the first sites to report the security breach, contacted EA which confirmed the data breach.

BleepingComputer also received a statement from the gaming giant that said it was not hit by a ransomware attack. The company attempted to downplay the data breach saying that only “a limited amount of code and related tools were stolen”, it also added that they expect that the data breach will not impact its business.

The company said that hackers did not access player data and added that it had already implemented additional security measures.

On July 26, hackers behind the attack have released the entire cache of stolen data after they failed to negotiate with the gaming firm and also to sell the stolen files to other threat actors, reported The Record.

The data has been initially leaked on a cybercrime forum, but now copies of the stolen data are circulating on different underground sites.

The Record, which analyzed a copy of the dump, confirmed that the archive contains the source code of the FIFA 21 game.

“According to a copy of the dump obtained by The Record, the leaked files contain the source code of the FIFA 21 soccer game, including tools to support the company’s server-side services” states The Record.

The hackers used stolen authentication cookies for an EA internal Slack channel that were bought in the Genesis black marketplace. Then the attackers tricked an EA IT support staffer into granting them access to the EA internal network.


Pierluigi Paganini

(SecurityAffairs – hacking, EA)
