Today — 29 November 2021, Security Affairs

Israel cut cyber export list, excluding totalitarian regimes

29 November 2021 at 08:33

Israel’s Ministry of Defense bans the sale of surveillance software and offensive hacking tools to tens of countries.

Israel’s Ministry of Defense has cut the list of countries to which Israeli surveillance and cybersecurity firms could sell their products and services.

The Israeli Government has excluded 65 countries from the export list, which now includes only 37 nations.

The export list currently only includes Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the U.K., and the U.S.

“Israel has updated the list of countries local companies are permitted to sell cybersecurity tools to, reducing the overall number to 37 countries, down from 102.” reports Calcalistech. “Assuming this claim is correct, it seems that Israel was very lenient in providing approvals for the sale of cyber tools and was aware of all the sales being made by NSO.”

Israel’s Ministry of Defense removed from the list countries such as Morocco, Mexico, Saudi Arabia, and the UAE, because they abused the surveillance software acquired from the Israeli NSO Group.

The decision to cut the list comes after the US Commerce Department’s Bureau of Industry and Security (BIS) announced sanctions against four companies for developing spyware or selling hacking tools used by nation-state actors. The firms are NSO Group and Candiru from Israel, Computer Security Initiative Consultancy PTE. LTD from Singapore, and Positive Technologies from Russia.

NSO Group and Candiru are being sanctioned for the development and sale of surveillance software used to spy on journalists and activists. 

Recently, Apple has sued NSO Group and its parent company Q Cyber Technologies in a U.S. federal court for illegally targeting its customers with the surveillance spyware Pegasus.

According to the lawsuit, NSO Group is accountable for hacking into Apple’s iOS-based devices using zero-click exploits. The software developed by the surveillance firm was used to spy on activists, journalists, researchers, and government officials.

The legal action aims at permanently preventing the infamous company from breaking into any Apple software, services, or devices.

“The new list will significantly complicate matters for Israeli cybersecurity companies, especially those selling offensive cyber tools, to operate in countries with totalitarian regimes or with a record of violating human rights.” concludes Calcalistech. “The Israeli cybersecurity sector currently generates $10 billion in annual revenue, with offensive cyber believed to be responsible for 10% of those sales. Some 13% of all cybersecurity companies operate from Israel, with 29% of all investments in the sector being directed to Israeli companies.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, surveillance)

The post Israel cut cyber export list, excluding totalitarian regimes appeared first on Security Affairs.

French court indicted Nexa Technologies for complicity in acts of torture

28 November 2021 at 23:21

Nexa Technologies was indicted for complicity in acts of torture; the French firm is accused of having sold surveillance equipment to Egypt.

Nexa Technologies offers a range of solutions for homeland security, including surveillance solutions. The French company is now accused of having sold surveillance software to the Egyptian regime.

The cybersurveillance equipment was used by the Egyptian government to track down opponents.

Today the Agence France-Presse (AFP) revealed that Nexa Technologies was indicted on October 12 for “Complicity in acts of torture and enforced disappearances.”

“The indictment was pronounced on October 12 by the investigating judge in charge of the investigations, about four months after those of four executives and executives of the company, according to this source, confirmed by a judicial source. Contacted by AFP, the lawyer for Nexa Technologies, M. François Zimeray, declined to comment.” reported the website LeMonde.

The investigation began in 2017 following a complaint by FIDH and LDH filed with the support of the Cairo Institute for Human Rights Studies (CIHRS).

The complaint refers to an investigation by the magazine Télérama, which reported the sale in March 2014 of “a listening system at 10 million euros to fight – officially – against the Muslim Brotherhood”, the Islamist opposition in Egypt. The surveillance equipment, called Cerebro, was used against the Muslim Brotherhood.

“A 10 million euro listening system to fight – officially – against the Muslim Brotherhood. In two months, the case was heard. The contract was signed in March 2014. Code name of the operation: “Toblerone”. A cryptic nod to the triangular shape of the pyramids …” reported Télérama. “In short, Cerebro can suck up any data that is not encrypted. A weapon of choice for authoritarian governments.”

The Cerebro surveillance software allows real-time spying on the electronic communications of a target. The software was allegedly used to repress opponents of Abdel Fattah Al-Sisi, and it allowed the government to identify and arrest more than 40,000 political opponents in Egypt.

“In all, according to Human Rights Watch and other international organizations, between 40,000 and 60,000 political prisoners are languishing in jails in a country where civil society no longer has any rights.” continues Télérama.

The software also allows dragnet surveillance; according to the brochures presented at Milipol, it is an updated copy of Eagle, the program ceded to Gaddafi in 2007.


Yesterday — 28 November 2021, Security Affairs

RATDispenser, a new stealthy JavaScript loader used to distribute RATs

28 November 2021 at 15:25

RATDispenser is a new stealthy JavaScript loader that is being used to spread multiple remote access trojans (RATs) into the wild.

Researchers from the HP Threat Research team have discovered a new stealthy JavaScript loader dubbed RATDispenser that is being used to spread a variety of remote access trojans (RATs) in attacks in the wild. Experts pointed out that JavaScript is an uncommon malware file format, which makes it less likely to be detected.

The loader is highly evasive: at the time of the analysis, it had only an 11% detection rate on VirusTotal. HP experts confirmed that it was employed to distribute at least eight RAT families during 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The experts believe that the threat actors behind RATDispenser may be operating a malware-as-a-service model.

“As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed), meaning the malware doesn’t communicate over the network to deliver a malicious payload.” reads the report published by HP.

The attack chain starts with a phishing email carrying a JavaScript attachment with a ‘.TXT.js’ double extension, which tricks victims into believing that they are opening a harmless text file.


Upon launching the malicious code, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. Then the VBScript downloads and executes the final RAT payload.
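The two observable traits of the chain described above (a script attachment hiding behind a double extension, and a script host spawning cmd.exe to write a VBScript into %TEMP%) can be turned into simple detection logic. This is an added example, not HP’s YARA rule or extraction script; the JSON-lines telemetry and field names are constructed to resemble mail-gateway and Sysmon-style records.

```python
import json
import re

# Constructed sample telemetry (not from the HP report): one JSON record per line,
# mixing mail-gateway attachment records with Sysmon-style process-creation records.
SAMPLE_LOG = "\n".join([
    json.dumps({"type": "attachment", "filename": "invoice_2021.TXT.js",
                "sender": "billing@example.test"}),
    json.dumps({"type": "attachment", "filename": "notes.txt",
                "sender": "colleague@example.test"}),
    json.dumps({"type": "process",
                "parent_image": "C:\\Windows\\System32\\wscript.exe",
                "image": "C:\\Windows\\System32\\cmd.exe",
                "command_line": "cmd.exe /c echo ... > C:\\Users\\alice\\AppData\\Local\\Temp\\drop.vbs"}),
    json.dumps({"type": "process",
                "parent_image": "C:\\Windows\\explorer.exe",
                "image": "C:\\Windows\\System32\\cmd.exe",
                "command_line": "cmd.exe /c dir"}),
])

# Script extensions that Windows Script Host executes when an attachment is double-clicked.
SCRIPT_EXTS = ("js", "jse", "vbs", "vbe", "wsf", "hta")
# "<name>.<decoy ext>.<script ext>", e.g. report.TXT.js
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(?:" + "|".join(SCRIPT_EXTS) + r")$", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A .vbs path inside %TEMP%, either as the raw variable or its expanded form.
TEMP_VBS_RE = re.compile(r"(?:%temp%|\\appdata\\local\\temp\\)[^\s\"']*\.vbs\b", re.I)


def flag_attachment(ev):
    """Return an alert string if the attachment hides a script behind a double extension."""
    name = ev["filename"]
    if DOUBLE_EXT_RE.search(name):
        return f"double-extension script attachment '{name}' from {ev['sender']}"
    return None


def flag_process(ev):
    """Return an alert string if a script host spawned cmd.exe to write a VBScript into %TEMP%."""
    parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
    child = ev["image"].lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_HOSTS and child == "cmd.exe" and TEMP_VBS_RE.search(ev["command_line"]):
        return f"{parent} spawned cmd.exe writing a VBScript into %TEMP%: {ev['command_line']}"
    return None


def scan(log_text):
    """Parse JSON-lines telemetry and return the list of alerts, in input order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hit = flag_attachment(ev) if ev["type"] == "attachment" else flag_process(ev)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The process rule only fires on the specific parent/child/path combination, so ordinary cmd.exe activity from Explorer is not flagged.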

HP researchers ran a retrohunt over the last three months with this YARA rule and identified 155 RATDispenser samples, belonging to three different variants. The experts also wrote a Python script to recover the final payload and discovered that:

  • 145 of the 155 samples (94%) were droppers. Only 10 samples were downloaders that communicate over the network to download a secondary stage of malware
  • 8 malware families delivered as payloads
  • All the payloads were remote access Trojans (RATs), keyloggers and information stealers

STRRAT and WSHRAT accounted for 81% of the samples analyzed by the researchers. “Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.”

HP researchers published a set of hashes, URLs, YARA rule and extraction script in the HP Threat Research GitHub repository.


North Korea-linked Zinc group posed as Samsung recruiters to target security firms

28 November 2021 at 12:11

North Korea-linked threat actors posed as Samsung recruiters in a spear-phishing campaign aimed at employees at South Korean security firms.

A North Korea-linked APT group posed as Samsung recruiters in a spear-phishing campaign that targeted South Korean security companies that sell anti-malware solutions, Google TAG researchers reported.

According to the Google Threat Horizons report, the state-sponsored hackers sent fake job offers to employees at the security companies. Google TAG researchers reported that the same group, tracked as Zinc, also targeted security researchers in past campaigns.

“TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions.” reads the Google Threat Horizons report. “The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader. When targets replied that they could not open the job description, attackers responded with a malicious link to malware purporting to be a “Secure PDF Reader” stored in Google Drive which has now been blocked.”

The attackers used a malformed PDF claiming to be a job description for a role at Samsung; because the recipient was not able to open it, they contacted the sender, who in turn provided a link to a “Secure PDF Reader” app.

The app, which was stored in Google Drive, was a tainted version of the legitimate PDF reader PDFTron. Once the app is installed, a backdoor is established on the victim’s device.


The activity of the Zinc APT group, aka Lazarus, surged in 2014 and 2015, when its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack. The attackers targeted the researchers through multiple social networking platforms, including Twitter, LinkedIn, Telegram, Discord, and Keybase.

Threat actors used a network of fake profiles to get in contact with researchers of interest. In mid-2020, ZINC hackers created Twitter profiles for fake security researchers that were used to retweet security content and post about vulnerability research.


Attackers used Twitter profiles for sharing links to a blog under their control (br0vvnn[.]io), to share videos of their claimed exploits, and for amplifying and retweeting posts from other accounts under their control.

Once initial communication was established, the attackers would ask the targeted security researcher whether they wanted to collaborate on vulnerability research, and then share a Visual Studio project with them.

The Visual Studio project used by the attackers included the source code for exploiting the vulnerability along with an additional DLL, a backdoor, that would be executed through Visual Studio Build Events when researchers compiled the project.

The malicious code would lead to the installation of a backdoor that would allow the attackers to take over the target’s computer.
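Because build events run whatever command they contain as soon as the project is compiled, a defender can review them before opening a project received from a stranger. The following added example (not Google’s or Microsoft’s tooling) parses a .vcxproj file and lists pre/post-build events and custom Exec targets that invoke DLL-loading binaries or reference a DLL; the sample project and its file names are constructed.

```python
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Windows binaries commonly used to load a DLL or run a script from a build step.
LOLBIN_RE = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|certutil)(?:\.exe)?\b", re.I)
DLL_RE = re.compile(r"\S+\.dll\b", re.I)

# Constructed sample project (not the one from the campaign): a pre-build event that loads a
# DLL via rundll32, a benign post-build copy, and a custom target running regsvr32.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe $(SolutionDir)payload.dll,Entry</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy $(TargetPath) $(SolutionDir)bin</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="regsvr32 /s $(ProjectDir)helper.dll" />
  </Target>
</Project>
"""


def collect_build_commands(vcxproj_xml):
    """Gather every command MSBuild would run as a side effect of building the project."""
    root = ET.fromstring(vcxproj_xml)
    ns = {"m": MSBUILD_NS}
    commands = []
    for tag in EVENT_TAGS:
        for cmd in root.iterfind(f".//m:{tag}/m:Command", ns):
            commands.append((tag, (cmd.text or "").strip()))
    for ex in root.iterfind(".//m:Target/m:Exec", ns):
        commands.append(("Target/Exec", (ex.get("Command") or "").strip()))
    return commands


def audit_build_events(vcxproj_xml):
    """Return (location, command, reason) for each build-time command that deserves review."""
    findings = []
    for where, command in collect_build_commands(vcxproj_xml):
        reasons = []
        lolbin = LOLBIN_RE.search(command)
        if lolbin:
            reasons.append(f"invokes {lolbin.group(1).lower()}")
        if DLL_RE.search(command):
            reasons.append("references a DLL")
        if reasons:
            findings.append((where, command, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for where, command, reason in audit_build_events(SAMPLE_VCXPROJ):
        print(f"[{where}] {command}  <-- {reason}")
```

Any hit is a reason to inspect the referenced DLL in a sandbox rather than building the project on a workstation.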

The attackers published a blog post titled “DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug” and shared it via Twitter. The researchers who visited the post from October 19 to 21, 2020, using the Chrome browser, were infected with a known ZINC malware. Microsoft researchers noticed that some of the victims were using fully patched browsers, a circumstance that suggests that attackers used 0-day exploits. Not all visitors to the site were infected.

Attackers also used other techniques to target security professionals; for example, in some cases they distributed blog posts as MHTML files containing obfuscated JavaScript that pointed to a ZINC-controlled domain for further JavaScript to execute.

In one case, attackers attempted to exploit, without success, the CVE-2017-16238 vulnerability in a vulnerable driver for the antivirus product called Vir.IT eXplorer.

The recent attacks against South Korean anti-malware vendors suggest that the threat actors are interested in compromising the supply chain of South Korean security organizations in order to target their customers.


0patch releases unofficial patches for CVE-2021-24084 Windows 10 zero-day

28 November 2021 at 10:55

0patch released free unofficial patches for Windows local privilege escalation zero-day (CVE-2021-24084) in Windows 10, version 1809 and later.

0patch released free unofficial patches for the Windows local privilege escalation zero-day (CVE-2021-24084) in Windows 10, version 1809 and later. The issue doesn’t impact Windows Server because the vulnerable functionality is not implemented in those OSs.

The issue resides in the “Access work or school” settings of the Mobile Device Management Service. The vulnerability, discovered by the security researcher Abdelhamid Naceri, can be exploited to bypass a patch released by Microsoft in February to address another information disclosure flaw (CVE-2021-24084) reported by the same expert.

Naceri reported this month that the vulnerability has yet to be addressed and can be exploited to escalate privileges.

I mean this is still unpatched and allow LPE if shadow volume copies are enabled;
But I noticed that it doesn't work on windows 11 https://t.co/HJcZ6ew8PO

— Abdelhamid Naceri (@KLINIX5) November 15, 2021

“Namely, as HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can* be upgraded to local privilege escalation if you know which files to take and what to do with them. We confirmed this by using the procedure described in this blog post by Raj Chandel in conjunction with Abdelhamid’s bug – and being able to run code as local administrator.” wrote 0patch co-founder Mitja Kolsek. “Two conditions need to be met in order for the local privilege escalation to work:

  1. System protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters.  
  2. At least one local administrator account must be enabled on the computer, or at least one “Administrators” group member’s credentials cached.”

0patch released unofficial patches for:

  1. Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
  2. Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
  3. Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
  4. Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
  5. Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
  6. Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates

0patch will provide free micropatches for this vulnerability until Microsoft has issued an official patch. Users that want to install the micropatches can create a free account in 0patch Central, then install 0patch Agent from 0patch.com. The company pointed out that no computer reboots will be needed.


Security Affairs newsletter Round 342

28 November 2021 at 10:38

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Italy’s Antitrust Agency fines Apple and Google for aggressive practices of data acquisition
HAEICHI-II: Interpol arrested +1,000 suspects linked to various cybercrimes
IKEA hit by a cyber attack that uses stolen internal reply-chain emails
Marine services provider Swire Pacific Offshore (SPO) hit by Clop ransomware
Threat actors target crypto and NFT communities with Babadeda crypter
Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices
APT C-23 group targets Middle East with an enhanced Android spyware variant
New Linux CronRAT hides in cron jobs to evade detection in Magecart attacks
Several GoDaddy brands impacted in recent data breach
Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials
FBI warns of crooks targeting online shoppers during the holiday season
VMware addresses File Read and SSRF flaws in vCenter Server
A vulnerable honeypot exposed online can be compromised in 24 hours
Apple sues NSO Group for abusing state-sponsored Pegasus spyware
Expert discloses details of flaws in Oracle VirtualBox
Malware are already attempting to exploit new Windows Installer zero-day
Android.Cynos.7.origin trojan infected +9 million Android devices
Experts warn of RCE flaw in Imunify360 security platform
Expert released PoC exploit code for Microsoft Exchange CVE-2021-42321 RCE bug
Expert disclosed an exploit for a new Windows zero-day local privilege elevation issue
US govt warns critical infrastructure of ransomware attacks during holidays
New GoDaddy data breach impacted 1.2 million customers
Utah Imaging Associates data breach impacts 583,643 patients
Iran’s Mahan Air claims it has failed a cyber attack, hackers say the opposite
New Memento ransomware uses password-protected WinRAR archives to block access to the files
US SEC warns investors of ongoing fraudulent communications claiming to be from the SEC
Experts found 11 malicious Python packages in the PyPI repository
Researchers were able to access the payment portal of the Conti gang
Attackers compromise Microsoft Exchange servers to hijack internal email chains


Before yesterday — Security Affairs

Italy’s Antitrust Agency fines Apple and Google for aggressive practices of data acquisition

27 November 2021 at 16:32

Italy’s antitrust regulator, Autorità Garante della Concorrenza e del Mercato (AGCM), has fined Apple and Google €10 million each for their “aggressive” data practices.

Italy’s antitrust regulator, Autorità Garante della Concorrenza e del Mercato (AGCM), has fined Apple and Google €10 million each for their “aggressive” data practices and the lack of transparency on the use of customers’ personal data.

Both companies were fined due to violations of the Consumer Code for aggressive practices related to the acquisition and use of consumer data for commercial purposes.

Italy’s antitrust regulator has fined both Apple and Google €10 million each for what it calls “aggressive” data practices and for not providing consumers with clear information on commercial uses of their personal data during the account creation phase. 10 million euros is the maximum fine permitted under current legislation.

“The Authority found that both Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes.” reads the press release published by the AGCM. “In particular, Google, both in the account creation phase, which is essential for the use of all the services offered, and during the use of the services themselves, omits relevant information that the consumer needs to consciously decide to accept that the Company collects and uses their personal information for commercial purposes. Apple, both in the phase of creating the Apple ID and on the occasion of accessing the Apple Stores (App Store, iTunes Store and Apple Books), does not immediately and explicitly provide the user with any indication on the collection and use of their data for commercial purposes, emphasizing only that data collection is necessary to improve the consumer experience and use of services.”

The Italian Authority pointed out that in the account creation phase, Google pre-sets the user’s acceptance of the transfer and/or use of their data for commercial purposes.

In the case of Apple, the IT giant was accused of acquiring consent to the use of user data for commercial purposes without providing the consumer with the possibility of a prior and express consent on sharing their data.


HAEICHI-II: Interpol arrested +1,000 suspects linked to various cybercrimes

27 November 2021 at 12:08

HAEICHI-II: Interpol arrested 1,003 individuals charged with several cybercrimes, including romance scams, investment frauds, and online money laundering.

Interpol has coordinated an international operation, code-named Operation HAEICHI-II, that led to the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling. INTERPOL published more than 20 notices based on information relating to Operation HAECHI-II and identified 10 new fraudulent schemes.

The law enforcement operation involved police from twenty countries (Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam) between June and September 2021.

The operation also involved the use of a new global stop-payment mechanism, the Anti-Money Laundering Rapid Response Protocol (ARRP), which was designed to intercept illicit funds.


The authorities blocked 2,350 bank accounts linked to the illicit proceeds of online financial crime and intercepted over 27 million dollars.

“The results of Operation HAECHI-II show that the surge in online financial crime generated by the COVID-19 pandemic shows no signs of waning,” said INTERPOL Secretary General Jürgen Stock. “It also underlines the essential and unique role played by INTERPOL in assisting member countries combat a crime which is borderless by nature.

“Only through this level of global cooperation and coordination can national law enforcement effectively tackle what is a parallel cybercrime pandemic,” added Secretary General Stock.

The announcement cited a case in Colombia in which a prominent textiles company was defrauded of more than USD 8 million through a sophisticated business email compromise (BEC) scam. The threat actors impersonated the legal representative of the company and ordered the transfer of more than USD 16 million to two Chinese bank accounts. The company discovered the fraudulent activity after half of the money had been transferred, then alerted local authorities.

Thanks to the use of the ARRP network and international police cooperation, over 94 percent of the money was intercepted in record time.

Interpol also warned of the use of ‘Squid Game’ as bait in malware campaigns.

“One Purple Notice requested by Colombia during the operation details a malware-laden mobile application using the name and branding of the Netflix show ‘Squid Game’. Masquerading as a product affiliated with the popular television series, the app was in fact a Trojan horse virus that, once downloaded, was able to hack the user’s billing information and subscribe to paid ‘premium’ services without the user’s explicit approval. While flagged in Colombia, the app has also targeted users in other countries.” concludes the announcement.


IKEA hit by a cyber attack that uses stolen internal reply-chain emails

27 November 2021 at 10:41

Threat actors are targeting IKEA employees in an internal phishing campaign leveraging stolen reply-chain emails.

According to BleepingComputer, threat actors are targeting IKEA employees in phishing attacks using stolen reply-chain emails.

Once they have compromised the mail servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks. Sending the messages from the organization’s own infrastructure allows the attackers to bypass detection. Threat actors also exploit the access to internal emails to target business partners.

“In internal emails seen by BleepingComputer, IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.” reports BleepingComputer.

“There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA,” reads the emails sent by IKEA to its employees. “This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious.”

The above message warns employees and explains that the fraudulent messages are difficult to distinguish because they have an internal source. The download links contained in the phishing messages have seven digits at the end, and the company support desk told employees to report any suspicious message. The company also shared an example of a phishing email sent to its employees.

A good practice consists of contacting the sender over a different channel (e.g. Microsoft Teams chat, phone) in order to inform them of the fraudulent message.

The multinational conglomerate also disabled the possibility for its employees to release emails from quarantine, so that employees cannot release messages they believe the email filters isolated by mistake.

Recently Trend Micro spotted a malware campaign aimed at Microsoft Exchange servers that exploits ProxyShell and ProxyLogon issues and uses stolen internal reply-chain emails to avoid detection.

The attacks were orchestrated by Squirrelwaffle, a threat actor known for sending malicious spam as replies to existing email chains. The investigation into three incidents revealed that attackers used exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell).

Once they have compromised the Exchange servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks containing links to weaponized documents.

“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).” reads the analysis published by Trend Micro. “Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails.”

The emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees. The attackers did not use tools for lateral movement or execute malware on the Exchange servers, in order to avoid detection.

The emails use weaponized Office documents or include a link to them. Upon enabling the content, malicious macros execute to download and install malware such as Qbot, Cobalt Strike, and SquirrelWaffle.

The excel sheets used in this campaign contain malicious Excel 4.0 macros used to download and execute the malicious DLL.


Experts recommend that organizations secure their Microsoft Exchange servers by installing the security updates published by Microsoft.

BleepingComputer researchers were able to verify the download links included in the phishing messages. The links point to a zip archive called ‘charts.zip’ that contains a weaponized Excel document. Upon opening the file and enabling the macros, the infection chain will start.

The final payload installed as part of the attack is the Qbot trojan, but similar campaigns also deployed Emotet. Both malware families have been used to gain access to target networks and deploy ransomware.
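Since a reply-chain message sent from a compromised internal mailbox never crosses the gateway, the check has to run after delivery. The following added example (not IKEA’s, BleepingComputer’s or Trend Micro’s code) scores a delivered message on the traits the article reports: reply-chain headers, an internal-only Received path, and links that end in seven digits or point to a zip archive. The organisation domain, the sample messages and the link are constructed.

```python
import re
from email import message_from_string

INTERNAL_DOMAIN = "example.test"  # assumed organisation domain, not IKEA's
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not the ones seen by BleepingComputer). Both arrive over an
# internal-only path and look like replies to an existing thread; only the first carries
# the kind of link described in the article.
SAMPLE_PHISH = """\
Received: from mx01.example.test by mx02.example.test
Received: from mail01.example.test by mx01.example.test
From: Bob <bob@example.test>
To: Alice <alice@example.test>
Subject: RE: Q4 figures
In-Reply-To: <orig-123@example.test>
References: <orig-123@example.test>
Content-Type: text/plain

Hi Alice, as discussed, the updated charts are here:
https://share.example.test/dl/charts.zip/4821976
Thanks, Bob
"""

SAMPLE_CLEAN = """\
Received: from mx01.example.test by mx02.example.test
From: Bob <bob@example.test>
To: Alice <alice@example.test>
Subject: RE: Q4 figures
In-Reply-To: <orig-123@example.test>
Content-Type: text/plain

Hi Alice, the numbers are on the wiki: https://intranet.example.test/wiki/Q4
"""


def suspicious_links(links):
    """Return one reason per matching trait: seven trailing digits, or a zip archive."""
    reasons = []
    for link in links:
        if re.search(r"\d{7}$", link):
            reasons.append(f"link ends in seven digits: {link}")
        if ".zip" in link.lower():
            reasons.append(f"link points to an archive: {link}")
    return reasons


def analyze_reply(raw_message):
    """Score a delivered message: reply-chain context, internal-only path, and link traits."""
    msg = message_from_string(raw_message)
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    hops = msg.get_all("Received") or []
    internal_path = bool(hops) and all(INTERNAL_DOMAIN in hop for hop in hops)
    body = msg.get_payload()  # samples are single-part text; real mail may be multipart
    reasons = suspicious_links(URL_RE.findall(body))
    return {
        "reply_chain": is_reply,
        "internal_path": internal_path,
        "reasons": reasons,
        # An internal reply is exactly what the gateway trusts, so the link traits decide.
        "suspicious": is_reply and bool(reasons),
    }


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, analyze_reply(raw))
```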


Marine services provider Swire Pacific Offshore (SPO) hit by Clop ransomware

26 November 2021 at 22:53

Marine services provider Swire Pacific Offshore (SPO) has suffered a Clop ransomware attack that resulted in the theft of company data.

Clop ransomware hit marine services provider Swire Pacific Offshore (SPO) and stole company data, but did not affect global operations.

“Swire Pacific Offshore (SPO) has discovered that it was the target of a cyberattack which involved unauthorised access to its IT systems. The unauthorised access has resulted in the loss of some confidential proprietary commercial information and has resulted in the loss of some personal data.” reads the media statement published by SPO. “The cyberattack has not materially affected SPO’s global operations.”

The company said it has taken immediate action to reinforce existing security measures and to mitigate the potential impact of the security breach.

SPO reported the security breach to the relevant authorities and is also notifying potentially affected parties.

The Clop ransomware gang published samples of the stolen data on its dark web leak site, including passports, payroll information, bank account details, email addresses, and more.


In the past, other major organizations in the shipping industry were hit by ransomware attacks, including Maersk, COSCO, International Maritime Organization (IMO), MSC, Pitney Bowes, and CMA CGM.


Pierluigi Paganini

(SecurityAffairs – hacking, SPO)


Threat actors target crypto and NFT communities with Babadeda crypter

26 November 2021 at 15:50

Morphisec researchers spotted cryptocurrency malware dubbed Babadeda in attacks aimed at crypto and NFT communities.

Morphisec researchers spotted a new crypto-malware strain, tracked as Babadeda, targeting cryptocurrency, non-fungible token (NFT), and DeFi enthusiasts through Discord channels.

Threat actors are attempting to exploit the booming market for NFTs and crypto games. Babadeda is able to bypass antivirus solutions. According to the researchers, this crypto-malware was recently employed in several campaigns to deliver information stealers, RATs, and ransomware like LockBit.

Most of the attacks against crypto communities observed by the researchers rely on the Discord platform: threat actors share the download links via Discord channels.

“In the campaign that we observed, a threat actor took advantage of these features in order to phish victims. The threat actor sent users a private message inviting them to download a related application that would supposedly grant the user access to new features and/or additional benefits. Because the actor created a Discord bot account on the official company discord channel, they were able to successfully impersonate the channel’s official account.” reads the report published by Morphisec.


In one of the attacks analyzed by Morphisec, the threat actor sent decoy messages to potential victims via Discord channels related to games such as Mines of Dalarnia. The messages urge the recipients to download an application. The link included in the message redirects users to a phishing domain that hosts a download link for the Babadeda installer.

One of the decoy sites used in this campaign includes an HTML object written in Russian, a circumstance that suggests that the threat actors may have a Russian origin. The list of RATs used by this campaign includes BitRAT and Remcos.

“As demonstrated above, Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims. Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, babadeda)


Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices

26 November 2021 at 14:39

Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L.

Resecurity, a Los Angeles-based cybersecurity company, has identified an active zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily aimed at enterprises.

The identified vulnerability enables Remote Code Execution (RCE), which allows an attacker to take over the device and use it for malicious purposes, as well as to steal sensitive data. It is likely that this vulnerability is present in other devices from the same family.

The affected device is oriented towards the enterprise segment and supports Wi-Fi 6 (the next-generation wireless standard, which is faster than 802.11ac). Wi-Fi 6 officially arrived in late 2019, and Wi-Fi 6 enabled hardware was released throughout 2020. The main goal of this new standard is enhancing throughput-per-area in high-density scenarios, such as corporate offices, shopping malls and dense residential apartments.

Resecurity notified TP-Link on November 19th 2021, and received acknowledgment the very next day. TP-Link said it is going to release a patch within a week (currently the 0-day vulnerability is in the wild). Resecurity shared a proof-of-concept with TP-Link showing how Remote Code Execution was achieved on the target device, along with multiple other vulnerabilities.


Below is the video PoC of the zero-day exploitation:

According to Resecurity, the vulnerability was identified through abnormal traffic monitoring performed by a network of “honeypot” sensors, developed by Resecurity to emulate common IoT devices and hunt for malicious activity on the internet.

Ongoing attacks were discovered by Resecurity’s researchers while monitoring the activity of a threat actor known for targeting networks and IoT devices since early October 2021.

Notably, a productized version of the 0-day exploit, known as “TP-Linker”, was initially spotted “in the wild” by Resecurity’s HUNTER unit; the tool is available for sale in the Chinese-speaking segment of the Dark Web.

Based on additional context, the actors are attacking insecure IoT devices and are involved in large-scale traffic manipulation, including online-banking theft activity.

This is not the first time TP-Link has faced critical vulnerabilities in its product lineup; such bugs are widely leveraged by threat actors building IoT botnets like Mirai for DDoS attacks and other malicious activities.

The insecurity of IoT devices remains a challenging cybersecurity issue and opens a large gap in companies’ external network perimeter, one that allows attackers to break in and steal sensitive data.

Last year researchers found thousands of vulnerable TP-Link routers, and it took the company more than a year to publish patches on its website. This year, cybersecurity researchers from the Flashback Team found and exploited critical vulnerabilities in another TP-Link device, the Archer AC1750, at Pwn2Own Tokyo.


About the author: Resecurity Chief Executive Officer Gene Yoo

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)


APT C-23 group targets Middle East with an enhanced Android spyware variant

26 November 2021 at 07:07

A threat actor, tracked as APT C-23, is using new powerful Android spyware in attacks aimed at targets in the Middle East.

The APT C-23 cyberespionage group (also known as GnatSpy, FrozenCell, or VAMP) continues to target entities in the Middle East with enhanced Android spyware masquerading as seemingly harmless app updates (e.g. AndroidUpdate, Telegram). The spyware is delivered to specific users via SMS text messages containing download links.

Experts from Sophos reported that recently discovered variants of the Android spyware implement new features to resist removal by users and to hinder security firms that attempt to dismantle the C2 infrastructure.

The APT-C-23 group has been using Android spyware since at least 2017; most of the targets were in the Palestinian Territories.

“The new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the apps are delivered to specific users by means of SMS text messages linking to downloads.” reads the analysis published by Sophos.

None of the apps analyzed by the researchers have been hosted on the official Google Play Store.

Over the years the APT-C-23 threat group has added spying capabilities; below is the list of functionalities currently implemented:

  • Collecting SMS messages, contacts, and call logs
  • Collecting images and documents
  • Recording audio, incoming and outgoing calls, including WhatsApp calls
  • Taking screenshots and recording video of the screen
  • Taking pictures using the camera
  • Hiding its own icon
  • Reading notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, or Signal
  • Canceling notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI SecurityCenter, Huawei SystemManager), as well as from Android system apps, the package installer, and its own notifications

Upon opening the app, it requests that the user grant it permissions needed to perform surveillance actions, such as access to the microphone to record audio and access to all files stored on the device.

The malicious apps use social engineering to ask the user to grant advanced permissions. They justify the need for the additional features with fake argumentation, for instance, the request to “Enable Notifications” claims that the app needs this functionality or else “you won’t receive notifications in real time.”


The app also asks the user to enable the device admin permission, warning that otherwise the “system won’t secure your internet connection.”

Once the app has obtained all the permissions, it changes its icon and name to disguise itself, using the icon of a popular app such as Google Play, YouTube, Google, or Botim (a VoIP calling app). Then, the next time the victim opens the spyware, it also launches the real app whose identity it has taken, to avoid raising suspicion.

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app.” concludes the analysis. “Users should be particularly wary of apps asking for sensitive permissions such as device admin, notification access, or those requiring superuser/root access. Users can view the apps currently having device admin and notification access permissions by browsing to Settings and searching for “Device admin apps” and “Notification access” respectively.”


Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)


New Linux CronRAT hides in cron jobs to evade detection in Magecart attacks

25 November 2021 at 22:07

Security researchers discovered a new Linux RAT, tracked as CronRAT, that hides in scheduled cron jobs to avoid detection.

Security researchers from Sansec have discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) on February 31st.

The threat actors hide the malware in the task names; the malicious code is then reconstructed through several layers of decompression and base64 decoding.

CronRAT is employed in Magecart attacks against online stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.

Researchers explained that CronRAT goes undetected by many antivirus engines because it leverages the fact that many security products do not scan the Linux cron system.

Below is the list of capabilities implemented by CronRAT:

  • Fileless execution
  • Timing modulation
  • Anti-tampering checksums
  • Controlled via binary, obfuscated protocol
  • Launches tandem RAT in separate Linux subsystem
  • Control server disguised as “Dropbear SSH” service
  • Payload hidden in legitimate CRON scheduled task names

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system.” reads the post published by Sansec (https://sansec.io/research/cronrat).

In the attacks investigated by Sansec, CronRAT was used to inject payment skimmers (aka Magecart) in server-side code.

E-skimming attacks are moving from the browser to the server because the back-end is usually unprotected compared with the browser, Sansec director of threat research Willem de Groot explained.

CronRAT adds a number of tasks to the crontab with the date specification “52 23 31 2 3,” which is syntactically valid but would generate a runtime error when executed. However, the researchers pointed out that the runtime error will never happen because the tasks are scheduled to run on a day that doesn’t exist.
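A defender-side check for the trick described above, as an added example (this is not Sansec’s eComscan or any of their code): it parses crontab lines, flags schedules whose day-of-month/month pair never occurs on the calendar, and flags command fields that carry a long base64 blob or a base64/gunzip decoder chain. The sample crontab and its base64 string are constructed for the demo.

```python
"""Flag crontab entries that use CronRAT-style hiding tricks.

Added example (not Sansec's code): a small scanner for the two tricks the
write-up describes, an impossible calendar date such as "31 2" (31 February)
and a command field that smuggles a base64 blob through a decoder chain.
"""
import re

# Longest possible month length; 29 for February so leap days are not flagged.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
# Heuristic: a run of 40+ base64 characters; the caller also requires upper-case
# letters and digits, which long file paths rarely mix but real base64 almost always does.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DECODER_CHAIN = re.compile(r"base64\s+(-d|--decode)|gunzip|gzip\s+-d|xz\s+-d|zcat|bzip2\s+-d")


def expand_field(field, lo, hi):
    """Expand one numeric crontab field (*, n, a-b, lists, /step) into a set of ints.

    Month/day names (jan, mon, ...) are not handled; a ValueError is raised instead.
    """
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"field {field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def schedule_never_occurs(dom_field, month_field):
    """True when no (day-of-month, month) pair in the schedule exists on the calendar.

    crontab(5) caveat: when both day-of-month and day-of-week are restricted, Vixie cron
    runs the job when either field matches, so treat a hit as suspicious rather than inert.
    """
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12)
    return not any(d <= DAYS_IN_MONTH[m] for m in months for d in days)


def looks_like_base64_blob(command):
    """Heuristic check for an embedded base64 payload in the command field."""
    for match in B64_BLOB.finditer(command):
        blob = match.group(0)
        if any(c.isupper() for c in blob) and any(c.isdigit() for c in blob):
            return True
    return False


def scan_crontab(text):
    """Return [(line_number, line, [reasons])] for every suspicious entry in a crontab."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip comments, blanks, @reboot-style shortcuts and NAME=value environment lines.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        if "=" in line.split()[0]:
            continue
        match = CRON_LINE.match(line)
        if not match:
            continue
        _minute, _hour, dom, month, _dow, command = match.groups()
        reasons = []
        try:
            if schedule_never_occurs(dom, month):
                reasons.append(f"day-of-month/month '{dom} {month}' never occurs")
        except ValueError:
            reasons.append("schedule could not be parsed")
        if looks_like_base64_blob(command):
            reasons.append("long base64-looking blob in command")
        if DECODER_CHAIN.search(command):
            reasons.append("decoder/decompressor chain in command")
        if reasons:
            findings.append((lineno, line, reasons))
    return findings


# Constructed sample: two ordinary jobs plus one CronRAT-style entry on 31 February.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# nightly backup
0 3 * * * /usr/local/bin/backup.sh
52 23 31 2 3 echo H4sIAAAAAAAAA0vOz0vLz9FRSM7PS0nNUwQA1vZ8pg8AAAA= | base64 -d | gunzip | sh
30 6 1 * * /usr/bin/certbot renew --quiet
"""

if __name__ == "__main__":
    for lineno, line, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {line}\n  -> {'; '.join(reasons)}")
```

Run it against the output of `crontab -l` for each user and against the files under /etc/cron.d to cover the tables most scanners skip.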


Once executed, the malware contacts a command and control (C2) server using a feature of the Linux kernel that enables TCP communication via a file.

The malware contacts the server over TCP via port 443 using a fake banner for the Dropbear SSH service.

Sansec found instances of CronRAT on multiple online stores, including a nation’s largest outlet. The experts had to rewrite part of their eComscan algorithm in order to detect this innovative threat.

“CronRAT is currently undetected by other security vendors.” concludes Sansec.

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)


Several GoDaddy brands impacted in recent data breach

25 November 2021 at 15:01

The recently disclosed GoDaddy data breach impacted several of its brands, including Domain Factory, Heart Internet, Host Europe, Media Temple, tsoHost and 123Reg.

GoDaddy recently disclosed a data breach that impacted up to 1.2 million of its customers; threat actors breached the company’s Managed WordPress hosting environment.

Threat actors had access to the company network since at least September 6, 2021, but the security breach was only discovered by the company on November 17.

The intruders used a compromised password to access the provisioning system in the company’s legacy code base for Managed WordPress. The initial investigation revealed that attackers exploited a vulnerability to gain access to the following customer information:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
  • For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
  • For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

Upon identifying the intrusion, the company immediately locked the unauthorized third party out of its system.

Now the web hosting giant announced that the security breach impacted several of its brands, including 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost.

The company discovered that threat actors also accessed WordPress admin passwords, sFTP and database credentials, and SSL private keys.

Researchers from the WordPress security company Wordfence announced that they had received confirmation from GoDaddy that multiple brands reselling GoDaddy Managed WordPress were impacted by the security breach. The impacted brands are:

“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident,” said Dan Rice, VP of Corporate Communications at GoDaddy. “No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.”


“Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, your customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords,” states the data breach notification letter sent to the impacted customers. “What this means is the unauthorized party could have obtained the ability to access your Managed WordPress service and make changes to it, including to alter your website and the content stored on it.”

In response to the incident, the company reset credentials and forced a password reset for website users.

This isn’t the first data breach suffered by GoDaddy; in May 2020 the company revealed that attackers had compromised users’ web hosting account credentials. The hosting provider submitted a data breach notice to the California Attorney General and revealed that the intrusion took place in October 2019.


Pierluigi Paganini

(SecurityAffairs – hacking, GoDaddy)


Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials

25 November 2021 at 12:32

An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug.

Researchers from SafeBreach Labs spotted a new Iranian threat actor that is using an exploit for a Microsoft MSHTML Remote Code Execution (RCE) flaw in attacks aimed at Farsi-speaking victims. The exploit is used to install a PowerShell stealer, tracked by the researchers as PowerShortShell, that steals Google and Instagram credentials of the victims.

The campaign was first spotted in mid-September 2021 by ShadowChasing.

hi threat
why did you use it 😀
filename:جنایات خامنه ای.docx
hxxp://hr.dedyn.io/upload2.aspx pic.twitter.com/fHsgAshCNc

— Shadow Chaser Group (@ShadowChasing1) September 15, 2021

The PowerShortShell stealer is also used for Telegram surveillance and gathering system information from infected systems.

“SafeBreach Labs analyzed the full attack chain, discovered new phishing attacks which started in July this year and achieved the last and most interesting piece of the puzzle – the PowerShell Stealer code – which we named PowerShortShell.” reads the analysis published by SafeBreach Labs. “The reason we chose this name is due to the fact that the stealer is a PowerShell script, short with powerful collection capabilities – in only ~150 lines, it provides the adversary a lot of critical information including screen captures, telegram files, document collection, and extensive data about the victim’s environment.”

The campaign targets Windows users; the attack chain starts with spear-phishing emails carrying malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) flaw tracked as CVE-2021-40444.

Most of the victims are located in the United States; the threat actors use the “Corona massacre” lure, a circumstance that confirms the attackers are targeting Iranians living abroad. Upon opening the document, a DLL is dropped on the target system and then used to execute the PowerShortShell stealer payload.

PowerShortShell collects data and exfiltrates it to a C2 server under the control of the attacker.

“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is quite unique to Iranian threat actors which in most cases heavily rely on social engineering tricks.” continues the experts.

In mid-September, Microsoft reported that multiple threat actors, including ransomware operators, were exploiting the recently patched Windows MSHTML remote code execution flaw (CVE-2021-40444) in attacks against organizations. The IT giant said that threat actors started targeting this issue on August 18, before Microsoft shared mitigations for the vulnerability; the attackers used weaponized Office documents. The campaigns observed in August 2021 likely employed emails impersonating contracts and legal agreements, with the malicious documents hosted on file-sharing sites.

“In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.” reads the post published by Microsoft. “These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.”

Experts noticed that the loaders employed in the attacks communicated with C2 infrastructure linked to several cybercrime campaigns, including ransomware operations.


MSTIC researchers tracked a large cluster of malicious activity involving Cobalt Strike infrastructure under the name DEV-0365, which has many similarities with another Cobalt Strike infrastructure that suggests it was managed by a third-party threat actor. 

Experts pointed out that the availability of information about the CVE-2021-40444 issue shared online allowed threat actors to create their own exploits.

The report published by SafeBreach also includes indicators of compromise for the attacks orchestrated by the Iranian threat actors.


Pierluigi Paganini

(SecurityAffairs – hacking, MSHTML)


FBI warns of crooks targeting online shoppers during the holiday season

25 November 2021 at 07:20

The Federal Bureau of Investigation (FBI) warns of cybercriminals targeting online shoppers during the holiday season.

The FBI warns of cyber criminals targeting online shoppers during the holiday season. In this period netizens hope to take advantage of online bargains and are more active online; for this reason they are more exposed to the risk of scams.

The feds estimated that online shoppers could lose more than $53 million during this year’s holiday season to scams offering bargains and gifts that are hard to find due to merchandise shortages.

“During the 2020 holiday shopping season, the FBI Internet Crime Complaint Center (IC3) received over 17,000 complaints regarding the non-delivery of goods, resulting in losses over $53 million,” reads a public service announcement published by the FBI. “It is anticipated this number could increase during the 2021 holiday season due to rumors of merchandise shortages and the ongoing pandemic.”

Cybercriminals will attempt to entice their victims in multiple ways including:

  • E-mails advertising hot-ticket or hard-to-find products, such as event tickets or gaming systems.
  • Untrusted websites and ads promoting unrealistic discounts and bargains.
  • Social media posts, apparently shared by a known friend, offering vouchers, gift cards, freebies, and contests.
  • Advertisements on social media platforms that promote non-existent or counterfeit items.
  • Online surveys designed to steal personal information.

Unsuspecting online shoppers could also fall victim to identity theft or phishing attacks aimed at stealing their payment card data.

The FBI also warns that criminals use photos taken from legitimate websites to promise non-existent pets to multiple buyers. The Feds recommend purchasing a pet online only after meeting the animal and its owner via video chat.

Below are the tips shared by the authorities:

  • Verify websites prior to making a purchase. Only purchase items from official, encryption-using websites. Web addresses should begin with https:// and include a locked padlock icon.
  • Be wary of online retailers who use a free email service instead of a company email address.
  • Do not judge a company by their website; flashy websites can be set up and taken down quickly.
  • Pay for items using a credit card dedicated to online purchases, check the card statement frequently, and never save payment information in online accounts.
  • Be wary of sellers who accept only wire transfers, virtual currency, gift cards, or cash, as these are almost impossible to recover.
  • Never make purchases using public Wi-Fi.
  • Verify the legitimacy of a seller before you purchase by taking steps such as looking at consumer reviews and checking with the Better Business Bureau.
  • Beware of sellers posting under one name but requesting funds to be sent to another individual, or any seller claiming to be inside the country but requesting funds to be sent to another country.
  • Only purchase gift cards directly from a trusted merchant.
  • Do not click on links or provide personal or financial information to an unsolicited email.
  • Make sure anti-virus/malware software is up to date and block pop-up windows.
  • Use safe passwords or pass phrases. Never use the same password on multiple accounts.
  • As always – if the deal sounds too good to be true, chances are it is a scam.


Pierluigi Paganini

(SecurityAffairs – hacking, FBI)


VMware addresses File Read and SSRF flaws in vCenter Server

24 November 2021 at 20:17

VMware addressed arbitrary file read and server-side request forgery (SSRF) vulnerabilities in its vCenter Server product.

VMware this week addressed arbitrary file read and server-side request forgery (SSRF) vulnerabilities affecting its vCenter Server product. vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.

The first vulnerability, tracked as CVE-2021-21980, is a high severity arbitrary file read issue that affects the vSphere Web Client. An attacker with network access to port 443 on vCenter Server can exploit the flaw to obtain sensitive information.

“The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability” reads the advisory published by VMware. “A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.”

Another flaw, tracked as CVE-2021-22049, is a medium severity SSRF vulnerability that affects the vSphere Web Client.

“The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in.” continues the advisory. “A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.”

Organizations using vCenter Server should install the patches released by the virtualization giant as soon as possible.

In early September, VMware informed customers that it had started working on patches for a high-severity arbitrary file upload vulnerability, tracked as CVE-2021-22005, affecting vCenter Server.

At the end of September, a working exploit for the CVE-2021-22005 vulnerability was publicly released and attackers immediately started attempting to use it in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, vCenter Server)


A vulnerable honeypot exposed online can be compromised in 24 hours

24 November 2021 at 15:32

Researchers deployed multiple instances of vulnerable systems and found that 80% of the 320 honeypots were compromised within 24 hours.

Researchers from Palo Alto Networks deployed a honeypot infrastructure of 320 nodes to analyze how threat actors target exposed services in public clouds.

The company set up the honeypots between July 2021 and August 2021 to analyze the time, frequency and origins of the attacks targeting them.

The instances included systems exposing remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database. The experts discovered that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. 

Below are some findings shared by the experts:

  • The most attacked application was SSH.
  • The most attacked SSH honeypot was compromised 169 times in a single day.
  • Each SSH honeypot was compromised on average 26 times per day.
  • One threat actor compromised 96% of the 80 Postgres honeypots deployed by the researchers, and all of those instances were hacked within 30 seconds.
  • 85% of the attacker IPs were observed only on a single day, showing that Layer 3 IP-based firewalls are not effective against these attacks because threat actors rotate the IPs they use to launch them.

“Four types of applications, SSH, Samba, Postgres and RDP, were evenly deployed across the honeypot infrastructure. We intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest, administrator:password. These accounts grant limited access to the application in a sandboxed environment. A honeypot will be reset and redeployed when a compromising event is detected, i.e., when a threat actor successfully authenticates via one of the credentials and gains access to the application.” reads the post published by Palo Alto Networks. “To analyze the effectiveness of blocking network scanning traffic, we blocked a list of known scanner IPs on a subset of honeypots.”

The researchers were updating the firewall policies once a day based on the observed network scanning traffic to prevent reconnaissance and attacks conducted with scanners. Each firewall policy might block 600-3,000 known scanner IP addresses.

Every time one of the virtual machines composing the honeypot infrastructure became unresponsive, the controller redeployed the virtual machine and application.


The experts analyzed the time-to-first-compromise (the time before the system was compromised) for the different services. The time-to-first-compromise for Samba installs was 2485 minutes, 667 minutes for RDP, 511 for Postgres, and 184 minutes for SSHD.

Palo Alto’s study also focuses on the mean time-between-compromise, that is, the average time between two consecutive compromising events of a targeted application.

“A vulnerable service on the internet is usually compromised multiple times by multiple different attackers. To compete for the victim’s resources, attackers commonly attempt to remove malware or backdoors left by other cybercriminal groups (e.g., Rocke, TeamTNT).” continues the report. “Mean time-between-compromise resembles an attacker’s time on a compromised system before the next attacker shows up. Similar to time-to-first-compromise, the mean time-between-compromise of an application is also inversely proportional to the number of attackers targeting the application.”

Researchers also analyzed the geographic distribution of the attacks: systems deployed in the APAC region were the most targeted by threat actors.


“The problem of insecurely exposed services is not new to public cloud, but the agility of cloud infrastructure management makes the creation and replication of such misconfigurations faster. The research highlights the risk and severity of such misconfigurations. When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment.” concludes the report.

Below is the list of recommendations to protect cloud services published by Palo Alto Networks:

  • Create a guardrail to prevent privileged ports from being open.
  • Create audit rules to monitor all the open ports and exposed services.
  • Create automated response and remediation rules to fix misconfigurations automatically.
  • Deploy next-generation firewalls in front of the applications, such as VM-Series or WAF to block malicious traffic.


Pierluigi Paganini

(SecurityAffairs – hacking, honeypot)
