As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement in this sector

Cryptocurrencies have revolutionized the financial world, offering new investment opportunities and decentralized transactions. However, as cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement in this sector.

The natural ambiguity of cryptocurrencies

Cryptocurrencies, like Bitcoin, are decentralized and pseudonymous, which makes them a breeding ground for criminal activities. Indeed, while anonymity provides privacy and security for transactions, it can also be exploited by criminals for illicit activities, such as money laundering, drug trafficking, illegal arms sales, and terrorist financing. Cybercrime is no longer limited to simple cyberattacks, but has evolved into a form of organized crime that exploits cryptocurrencies for activities such as money laundering and corruption, finding vast and attractive new territory in the darkweb. Here, cybercrime can operate with greater freedom, exploiting the anonymity and irreversibility of cryptocurrency transactions.

Cryptocurrency transactions are used by cybercrime for various purposes, taking advantage of certain characteristics inherent in the very nature of cryptocurrencies such as anonymity, irreversibility, difficulty of traceability, ease of transactions, and the variety of cryptocurrencies in circulation.

Emerging threats

Cybercrime often exploits precisely the lack of regulation and centralized controls of cryptocurrencies to deceive investors and embezzle funds through various forms of phishing, investment scams, digital wallet theft, ransomware, and illegal mining. In particular, ransomware, which encrypts users’ data and demands a cryptocurrency ransom for their release or to avoid a dataleak, is becoming increasingly prevalent, causing financial and operational damage to individuals and businesses worldwide.

Money laundering via cryptocurrency

Money laundering through cryptocurrencies has become a worrisome practice followed by cybercrime. Criminals create cryptocurrency wallets using randomly generated digital addresses or services that offer a greater degree of anonymity. They may also use tumbling services (https://en.wikipedia.org/wiki/Cryptocurrency_tumbler) to mix cryptocurrencies from different sources and cryptocurrencies designed to provide greater anonymity, such as Monero or Zcash, which implement advanced techniques to hide transactions.

They may also seek to minimize interaction with exchange platforms that may impose KYC (Know Your Customer, (https://en.wikipedia.org/wiki/Know_your_customer) and AML (Anti Money Laundering, (https://en.wikipedia.org/wiki/Anti%E2%80%93money_laundering) rules. Money laundering can also involve fraudulent investments, where criminals use illegally obtained cryptocurrencies to participate in fake ICOs (https://it.wikipedia.org/wiki/Initial_coin_offering) or to buy digital assets.

Cryptojacking

Cryptojacking, an illicit activity in which third-party resources are exploited without authorization to mine cryptocurrencies, is another significant threat that also jeopardizes the security of the devices involved. Compromised websites and malware are often at the root of these types of attacks. Specifically, the most common forms of cryptojacking involve the use of hidden scripts in websites or online ads, malware, and infected applications.

The fight against cybercrime

Government authorities and financial institutions are stepping up efforts to combat cybercrime in the cryptocurrency sector. Anti-money laundering laws and cybersecurity regulations have been strengthened to monitor and regulate cryptocurrency transactions. In addition, cryptocurrency exchange platforms are implementing more stringent security measures, such as two-factor authentication and advanced encryption, to protect users’ funds.

Educate and protect users and investors

To effectively counter cybercrime, it is essential to understand the nature and techniques used by criminals. Prevention comes through educating users and taking robust security measures to protect their digital assets. Another crucial aspect in the fight against cybercrime in the cryptocurrency world is also investor education. Users must be aware of the risks associated with investing in cryptocurrencies and adopt robust cybersecurity practices, such as using hardware wallets and avoiding sharing sensitive information online. In addition, it is essential that investors do thorough research before making any transactions and consult reliable sources for information on the safety and legality of cryptocurrencies.

Possible mitigations

Cryptocurrencies undoubtedly offer significant benefits, but it is important to recognize and address the challenges associated with cybercrime in this sector. Through a combination of effective regulation, advanced cybersecurity, and investor education, it is possible to mitigate the risks and foster a safer and more reliable environment for cryptocurrency adoption and use.

In this context, therefore, the combination of stricter regulations, advanced technological tools and public awareness can help mitigate the threat. It could be a key strategy to strengthen KYC and AML regulations for platforms and services, regulate ICOs to prevent financial scams, increase information exchange between authorities in different jurisdictions, and collaborate with the financial industry to create security and prevention solutions.

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazine on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Nigerian fraud)

Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals in the United States.

Kaiser Permanente is an American integrated managed care consortium, it is made up of three distinct but interdependent groups of entities: the Kaiser Foundation Health Plan, Inc. (KFHP) and its regional operating subsidiaries; Kaiser Foundation Hospitals; and the regional Permanente Medical Groups.

The health giant operates 39 hospitals and more than 700 medical offices, with over 300,000 personnel, including more than 87,000 physicians and nurses.

It operates in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington.

Media reported [1, 2] that the company is notifying millions of current and former members of a data breach. TechCrunch reported that the company confirmed it shared patients’ information with third-party organizations, including Google, Microsoft and X, for advertising purposes.

Shared data include names, IP addresses, and information about members’ operations on the company website and mobile apps. This included search terms used in their health encyclopedia. Kaiser Permanente later removed the tracking code from their platforms. Exposed data does not include usernames, passwords, Social Security Numbers (SSNs), and financial data.

In a notice filed with the US government, the integrated managed care consortium disclosed a data breach impacting 13.4 million residents.

Kaiser Permanente is not aware of any misuse of the exposed information.

In June 2022, Kaiser Permanente disclosed another data breach that exposed the health information of 69,000 people. The company revealed that threat actors gained access to an employee’s emails at the Kaiser Foundation Health Plan of Washington.

The exposed data included names, medical records, dates of service, and lab test results.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, data breach)

Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability.

Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks targeting the critical severity vulnerability CVE-2024-4040.

CVE-2024-4040 is a CrushFTP VFS sandbox escape vulnerability.

CrushFTP is a file transfer server software that enables secure and efficient file transfer capabilities. It supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over different networks. CrushFTP also provides support for automation, scripting, user management, and extensive customization options meet the diverse needs of businesses and organizations.

In April, CrushFTP notified users of a virtual file system escape vulnerability impacting their FTP software, which could potentially enable users to download system files.

Simon Garrelou from the Airbus CERT discovered the vulnerability.

Crowdstrike researchers discovered that threat actors exploited the critical zero-day vulnerability in targeted attacks in the wild.

“On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion.” reads a post published by Crowdstrike on Reddit.

Security researchers from the Shadowserver reported that at least 1400 vulnerable servers were exposed online as of April 24, 2024. 

Most of the vulnerable servers are in the United States (725), followed by Germany (115), and Canada (108).

We are now sharing CrushFTP CVE-2024-4040 (CrushFTP VFS Sandbox Escape Vulnerability) vulnerable instances. At least 1400 vulnerable on 2024-04-24. CVE-2024-4040 is currently exploited in the wild & on @CISACyber KEV.

Top affected: US, Germany, Canadahttps://t.co/NucoywFO7Y pic.twitter.com/CrNkHttv40

— Shadowserver (@Shadowserver) April 25, 2024

CISA this week added CVE-2024-4040 to its Known Exploited Vulnerabilities catalog.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, zero-day)

A ransomware attack on a Swedish logistics company Skanlog severely impacted the country’s liquor supply. 

Skanlog, a critical distributor for Systembolaget, the Swedish government-owned retail chain suffered a ransomware attack. Systembolaget has a monopoly on the sale of alcoholic beverages containing more than 3.5% alcohol by volume. It operates stores across Sweden and is responsible for the retail sale of wine, spirits, and strong beer.

“It affects about 15% of our sales volume. Wine and liquor most of all,” Sofia Sjöman Waas, a press officer at Systembolaget, told Euronews Next. “We are accustomed to handling small to large scales of disruptions even though they are rarely on this scale,” Waas added. “We have many other items delivered to us as usual via other distributors. Therefore, there will continuously be many alternatives available at our stores,”

Mona Zuko, Skanlog’s chief executive, attributed the cyber attack to a North Korean ransomware gang.

“We have been centrally attacked by a cyber attack, which has caused our entire system to be down until we can fix it and get it back up,” Skanlog’s Swedish CEO Mona Zuko told local newspaper Dagens Industri.

“Our systems, including our central business system, have been affected by the attack. We use a Microsoft financial system, and an inventory system called Dynaman which is critical to our operations.”

Due to the cyber attack’s impact on the logistics company, the media reported it may be difficult to get hold of alcoholic beverages this weekend. Skanlog spokesman warned that certain alcoholic beverages could be sold out within a few days.

SCMagazine reported that Systembolaget, in response to Skanlog’s uncertainty about restoring its operations, plans to implement a backup procedure to address potential delays in deliveries. This decision comes as a precautionary measure to ensure continuity in the distribution of alcoholic beverages.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)

CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-20353 Cisco ASA and FTD Denial of Service Vulnerability
• CVE-2024-20359 Cisco ASA and FTD Privilege Escalation Vulnerability
• CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability

Cisco Talos this week warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

Cisco Talos researchers tracked this cyber-espionage campaign as ArcaneDoor.

Early in 2024, a customer contacted Cisco to report a suspicious related to its Cisco Adaptive Security Appliances (ASA). PSIRT and Talos launched an investigation to support the customer. 

The experts discovered that the UAT4356 group deployed two backdoors, respectively called “Line Runner” and “Line Dancer.”

Cisco reported that the sophisticated attack chain employed by the attackers impacted a small set of customers. The experts have yet to identify the initial attack vector, however, they discovered the threat actors exploited two vulnerabilities (CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)) as zero-days in these attacks.

The Line Dancer in-memory implant that acts as a memory-resident shellcode interpreter that allows adversaries to execute arbitrary shellcode payloads. On compromised ASA devices, attackers utilize the host-scan-reply field to deliver shellcode, bypassing the need for CVE-2018-0101 exploitation. By redirecting the pointer to the Line Dancer interpreter, attackers can interact with the device through POST requests without authentication. Threat actors used Line Dancer to execute various commands, including disabling syslog, extracting configuration data, generating packet captures, and executing CLI commands. Additionally, Line Dancer hooks into the crash dump and AAA processes to evade forensic analysis and establish remote access VPN tunnels.

The Line Runner allows attackers to maintain persistence on compromised ASA devices. It exploits a legacy capability related to VPN client pre-loading, triggering at boot by searching for a specific file pattern on disk0:. Upon detection, it unzips and executes a Lua script, providing persistent HTTP-based backdoor access. This backdoor survives reboots and upgrades, allowing threat actors to maintain control. Additionally, the Line Runner was observed retrieving staged information facilitated by the Line Dancer component.

The third issue added to the KEV catalog is a CrushFTP VFS sandbox escape vulnerability.

CrushFTP is a file transfer server software that enables secure and efficient file transfer capabilities. It supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over different networks. CrushFTP also provides support for automation, scripting, user management, and extensive customization options meet the diverse needs of businesses and organizations.

In April, CrushFTP notified users of a virtual file system escape vulnerability impacting their FTP software, which could potentially enable users to download system files.

Simon Garrelou from the Airbus CERT discovered the vulnerability.

Crowdstrike researchers discovered that threat actors exploited the critical zero-day vulnerability in targeted attacks in the wild.

“On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion.” reads a post published by Crowdstrike on Reddit.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 1st, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Cisa added the flaw to the KEV catalog after Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium” used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028.

Since at least June 2020, and possibly earlier, the cyberespionage group has used the tool GooseEgg to exploit the CVE-2022-38028 vulnerability. This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. Microsoft has observed APT28 using GooseEgg in post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.

While GooseEgg is a simple launcher application, threat actors can use it to execute other applications specified at the command line with elevated permissions. In a post-exploitation scenario, attackers can use the tool to carry out a broad range of malicious activities such as remote code execution, installing backdoors, and moving laterally through compromised networks.

The vulnerability CVE-2022-38028 was reported by the U.S. National Security Agency and Microsoft addressed it with the release of Microsoft October 2022 Patch Tuesday security updates.

APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 14, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer Samourai.

The U.S. Department of Justice (DoJ) has arrested two co-founders of the cryptocurrency mixer Samourai and seized the service. The allegations include claims of facilitating over $2 billion in illicit transactions and laundering more than $100 million in criminal proceeds.

The duo, Keonne Rodriguez (35) and William Lonergan Hill (65), are charged with operating Samourai Wallet, which DoJ states is an unlicensed money-transmitting business.

Keonne Rodriguez was the Chief Executive Officer of Samourai Wallet (“Samourai”), while William Lonergan Hill was the company’s Chief Technology Officer.

“These charges arise from the defendants’ development, marketing, and operation of a cryptocurrency mixer that executed over $2 billion in unlawful transactions and facilitated more than $100 million in money laundering transactions from illegal dark web markets, such as Silk Road and Hydra Market” reads the press release published by the DoJ.

RODRIGUEZ was arrested and is set to appear before a U.S. Magistrate Judge in the Western District of Pennsylvania. HILL was also arrested yesterday in Portugal following U.S. criminal charges. The United States aims to extradite HILL to face trial in the country.

The cryptocurrency mixer operated from about 2015 through February 2024, the DoJ states that both defendants were aware that a substantial portion of the funds that the service processed were criminal proceeds passed through Samourai for purposes of concealment. 

“While offering Samourai as a “privacy” service, the defendants knew that it was a haven for criminals to engage in large-scale money laundering and sanctions evasion.” continues the DoJ. “Indeed, as the defendants intended and well knew, a substantial portion of the funds that Samourai processed were criminal proceeds passed through Samourai for purposes of concealment.”

Rodriguez and Hill implemented features in the platform aimed at aiding individuals involved in criminal activities to obscure the origin of their proceeds. One feature, “Whirlpool,” offers a cryptocurrency mixing service that batches cryptocurrency exchanges among users to hinder law enforcement tracing on the Blockchain. Another feature, “Ricochet,” adds unnecessary intermediate transactions (“hops”) when sending cryptocurrency to obscure its origin.

Both features are aimed at evading detection by law enforcement and making investigations in illicit transactions more difficult.

“Similarly, RODRIGUEZ and HILL possessed and transmitted to potential investors marketing materials that discussed how Samourai’s customer base was intended to include criminals seeking privacy or the subversion of safeguards and reporting requirements by financial institutions.” continues the press release. “For example, in Samourai’s marketing materials, RODRIGUEZ and HILL similarly acknowledge that the individuals most likely to use a service like Samourai include individuals engaged in criminal activities, including “Restricted Markets.”

The DoJ also shared an excerpt from Samourai’s marketing materials showing the founders acknowledging that its revenues will be derived from “Dark/Grey Market participants” seeking to “swap their bitcoins with multiple parties” to avoid detection:

Since the launch of Whirlpool in 2019 and Ricochet in 2017, the mixer processed over 80,000 BTC (equivalent to over $2 billion), generating approximately $3.4 million in fees for Whirlpool transactions and $1.1 million for Ricochet transactions.

The joint operation conducted by US authorities with the help of Europol and law enforcement authorities in Iceland, and Portugal, led to the seizure of Samourai’s web servers and domain (https://samourai.io/).  The police also issued a seizure warrant for Samourai’s mobile application on the Google Play Store, the app was removed from the Google Play Store in the United States.

The authorities charged the defendants with one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison, and one count of conspiracy to operate an unlicensed money transmitting business, which carries a maximum sentence of five years in prison. 

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, mixer)

Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics layer engine.

Google addressed four vulnerabilities in the Chrome web browser, including a critical vulnerability tracked as CVE-2024-4058.

The vulnerability CVE-2024-4058 is a Type Confusion issue that resides in the ANGLE graphics layer engine. An attacker can exploit this vulnerability to execute arbitrary code on a victim’s machine.

This critical flaw was reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02, the researchers have been awarded a $16,000 bounty.

The IT giant also fixed a high-severity flaw tracked as CVE-2024-4059. The flaw is an Out of bounds read that resides in the in V8 API. The vulnerability was discovered by Eirik on 2024-04-08.

Google also fixed another high-severity flaw tracked as CVE-2024-4060. The flaw is Use after free in Dawn, which is an open-source and cross-platform implementation of the WebGPU standard. The vulnerability was reported by wgslfuzz on 2024-04-09.

The Stable channel has been updated to 124.0.6367.78/.79 for Windows and Mac. Linux version 124.0.6367.78 will be rolled out over the coming days/weeks.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Google)

Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November 2023 to breach government networks.

Cisco Talos warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

Cisco Talos researchers tracked this cyber-espionage campaign as ArcaneDoor.

Early in 2024, a customer contacted Cisco to report a suspicious related to its Cisco Adaptive Security Appliances (ASA). PSIRT and Talos launched an investigation to support the customer. 

The experts discovered that the UAT4356 group deployed two backdoors, respectively called “Line Runner” and “Line Dancer.”

Cisco reported that the sophisticated attack chain employed by the attackers impacted a small set of customers. The experts have yet to identify the initial attack vector, however, they discovered the threat actors exploited two vulnerabilities (CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)) as zero-days in these attacks.

The Line Dancer in-memory implant that acts as a memory-resident shellcode interpreter that allows adversaries to execute arbitrary shellcode payloads. On compromised ASA devices, attackers utilize the host-scan-reply field to deliver shellcode, bypassing the need for CVE-2018-0101 exploitation. By redirecting the pointer to the Line Dancer interpreter, attackers can interact with the device through POST requests without authentication. Threat actors used Line Dancer to execute various commands, including disabling syslog, extracting configuration data, generating packet captures, and executing CLI commands. Additionally, Line Dancer hooks into the crash dump and AAA processes to evade forensic analysis and establish remote access VPN tunnels.

The Line Runner allows attackers to maintain persistence on compromised ASA devices. It exploits a legacy capability related to VPN client pre-loading, triggering at boot by searching for a specific file pattern on disk0:. Upon detection, it unzips and executes a Lua script, providing persistent HTTP-based backdoor access. This backdoor survives reboots and upgrades, allowing threat actors to maintain control. Additionally, the Line Runner was observed retrieving staged information facilitated by the Line Dancer component.

“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective.” reads the alert published by Cisco, which also includes Indicators of Compromise (IOCs). “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ASA)

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.

Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.

Threat actors employed two different types of backdoors and targeted large corporate networks

The researchers believe the campaign could be attributed to North Korea-linked AP Kimsuky. The final payload distributed by GuptiMiner was also XMRig.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast. “The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”

The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.

The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.

The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection. 

Below the infection chain described by Avast:

1. The eScan updater triggers the update 
2. The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed) 
3. A malicious package updll62.dlz is downloaded and unpacked by eScan updater 
4. The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart 
5. If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find 
6. Cleanup is performed, removing the update package 

GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.

GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.

In the second-stage the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that kiads the Stage 3 malware Puppeteer.

Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.

Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.

The researchers speculate that using the miner could be a diversionary tactic.

“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, eScan antivirus)

The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their role in cyberattacks against the U.S..

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on four Iranian nationals for their involvement in cyberattacks against the U.S. government, defense contractors, and private companies. OFAC has also sanctioned two front companies, Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA) linked to the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).

The Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) is an organization within the Iranian government responsible for cybersecurity and cyber warfare. It is considered a major threat by many countries, including the United States, due to its involvement in various malicious cyber activities.

The Iranian nationals were involved in attacks against more than a dozen U.S. companies and government entities. The individuals launched spear-phishing and malware attacks. The U.S. Department of Justice and the Federal Bureau of Investigation unsealed an indictment against the four individuals for their roles in these cyber operations.

“Iranian malicious cyber actors continue to target U.S. companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States will continue to leverage our whole-of-government approach to expose and disrupt these networks’ operations.”

Iranian cyber actors persist in targeting the United States through various malicious cyber activities, including ransomware attacks on critical infrastructure and spear phishing campaigns against individuals, companies, and government entities.

The four Iranian nationals are Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab — are accused of participating in a malware operation using spear-phishing and other hacking techniques to harvest hundreds of thousands of corporate employee accounts.

Alireza Shafie Nasab and Reza Kazemifar Rahman targeted the U.S. entities while employed by MASN. Kazemifar was involved in the attacks against the Department of the Treasury. Hosein Mohammad Harooni targeted the Treasury Department and other U.S. entities using spear phishing and social engineering. Komeil Baradaran Salmani operated with several IRGC-CEC front companies and was involved in spear-phishing campaigns targeting various U.S. entities, including the Department of the Treasury.

“As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.” reads the announcement. “In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.”

The four men are still at large.

The Department of State also announced a $10 million reward for information leading to the arrest of the four Iranian nationals.

Up to $10 Million Reward & Possible Relocation

These individuals conducted malicious cyber ops against U.S. firms and government agencies on behalf of Iran's IRGC.

If you have info on them, contact us. Your tip could be worth millions of $ and a plane ticket to somewhere new. pic.twitter.com/EjOGLXDeJl

— Rewards for Justice (@RFJ_USA) April 23, 2024

In February, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on six Iranian government officials associated with cyberattacks targeting critical infrastructure organizations in the US and abroad.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Iran)

A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all day and severely impacted the council’s operations

The Leicester City Council suffered a cyber attack that severely impacted the authority’s services in March and led to the leak of confidential documents. The ransomware group behind the attack leaked multiple documents, including rent statements and applications to buy council houses. The attack occurred on March 7 and crippled the city council’s IT systems.

Some lights have been stuck in all day due to the cyber attack and the council is unable to turn them off.

“Beaumont Leys resident Roger Ewens, 65, noticed the street lights in his road were on constantly and asked the city council why. He was surprised when he received a reply blaming the cyber attack for affecting the “central management system” and leading to the streetlights “misbehaving”.” reported the website LeicesterLive.

The issue with street lighting should be fully resolved by the end of next week.

“We are aware of a number of streetlights that are staying on during the day. This is due to a technical issue connected to the recent cyber attack, when we were forced to shut down our IT systems. It means we are currently not able to remotely identify faults in the street lighting system.” said a city council spokesperson. “The default mode for faults is that the lights stay on to ensure that roads are not left completely unlit and become a safety concern. “There are a number of steps required to resolve the problem, and we are working through these as quickly as we can.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Leicester City)

The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities.

The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities to steal defense technology information.

North Korea-linked APT groups Lazarus, Andariel, and Kimsuky hacked multiple defense companies in South Korea, reported the National Police Agency.

The state-sponsored hackers hacked into the subcontractors of defense companies by exploiting vulnerabilities in the targeted systems and deployed malware.

“North Korean hacking organizations sometimes infiltrated defense companies directly, and their security is relatively low. Hacking into vulnerable defense industry partners and stealing the defense industry company’s server account information. Afterwards, it was discovered that threat actors had infiltrated major servers without permission and distributed malware.” reads the Police’s advisory shared by BleepingComputer.

The National Police Agency and the Defense Acquisition Program Administration (DAPA) conducted a series of special inspections of the environments of the targeted organizations.

The joint inspections occurred between January 15 and February 16 and impacted organizations implemented protective measures.

The Police states that the attacks are carried out in the form of an all-out war that see the contribution of multiple APT groups. The government experts warned that the attackers employed sophisticated hacking techniques.

The South Korea National Police Agency provided details of multiple attacks carried out by different APT groups.

In one case, the Lazarus APT group successfully breached an organization due poorly protected infrastructure. The group gained access to the network of a defense industry company since November 2022. The hackers deployed a malware and took control of the company’s internal network and exfiltrared important data from, including information stored on the computers of employees in the development team. The hackers breached at least 6 internal computers and stolen data were sent to overseas cloud servers

In a second case attributed to the Andariel APT group, threat actors used an account of an employee of a company that maintains the server of a defense industry company. The attackers stole the account in October 2022 and used it to deploy malware on the servers of defense subcontractors. The malware was used to exfiltrate technical data of valuable defense technology. The Police noticed that the employee was using the same password for personal and work accounts.

In a third attack linked to Kimsuky, the APT group exploited a vulnerability in the email server of a defense subcontractor between April and July 2023. Attackers exploited the flaw to download large files containing technical data without any authentication.

The National Police Agency recommends that defense companies and their subcontractors enhance their cybersecurity.

“North Korea’s hacking attempts targeting defense technology will continue.” concludes the advisory. “The National Police Agency will continue to track and investigate state-sponsored hacking organizations linked to North Korea.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, North Korea)

The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the commercial spyware business.

The US Department of State is imposing visa restrictions on 13 individuals involved in the development and sale of commercial spyware or their immediate family members. The measure aims to counter the misuse of surveillance technology targeting journalists, academics, human rights defenders, dissidents, and US Government personnel, as documented in the Country Reports on Human Rights Practices.

“the Department is taking steps to impose visa restrictions on 13 individuals who have been involved in the development and sale of commercial spyware or who are immediate family members of those involved.” reads the announcement.  “These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and U.S. Government personnel.”

The announcement doesn’t name the individuals targeted by the visa restrictions.

The visa restrictions are part of a broader initiative launched by the US government aimed at countering the proliferation of commercial spyware. Other measures proposed and adopted by the US authorities include restrictions on the government’s use of such spyware, export controls, and sanctions to promote accountability.

“The US government believes that the engagement of civil society and the private sector in identifying technological solutions to prevent the misuse of spyware, safeguard human rights defenders, and strengthen the resilience of victims is essential.”

In February, the U.S. State Department announced it is implementing a new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware.

The policy underscores the U.S. Government’s commitment to addressing the misuse of surveillance software, which poses a significant threat to society

“The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association.  Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.  Additionally, the misuse of these tools presents a security and counterintelligence threat to U.S. personnel.” reads the announcement. The United States stands on the side of human rights and fundamental freedoms and will continue to promote accountability for individuals involved in commercial spyware misuse.”

The policy specifically addresses the abuse of commercial spyware for unlawfully surveilling, harassing, suppressing, or intimidating individuals.

Visa restrictions target individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware and also surveillance companies that act on behalf of governments.

The restrictions are extended to the immediate family members of the targeted individuals, including spouses and children of any age.

In March 2023, the US Government issued an Executive Order on the prohibition on use by the United States Government of commercial spyware that poses risks to national security.

In July 2023, the Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Intellexa and Cytrox to the Entity List for trafficking in cyber exploits used to gain access to information systems.

The Entity List maintained by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) is a trade control list created and maintained by the U.S. government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten the U.S. national security or foreign policy interests.

The U.S. Government warns of the key role that surveillance technology plays in surveillance activities that can lead to repression and other human rights abuses.

The Commerce Department’s action targeted the above companies because their technology could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.

The financial entities added to the Entity List include Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.

In May 2023, Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

In December 2022, a report published by CitizenLab researchers detailed the use of the Predator spyware against exiled politician Ayman Nour and the host of a popular news program.

The disconcerting aspect of these attacks is that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different nation-state actors.

The exploits were used to initially deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.

In November 2021, the Commerce Department’s Bureau of Industry and Security (BIS) sanctioned four companies for the development of spyware or the sale of hacking tools used by nation-state actors.

The surveillance firms were NSO Group and Candiru from Israel, Computer Security Initiative Consultancy PTE. LTD from Singapore, and Positive Technologies from Russia.

NSO Group and Candiru were sanctioned for the development and sale of surveillance software used to spy on journalists and activists. Positive Technologies and Computer Security Initiative Consultancy PTE. LTD. are being sanctioned because both entities traffic in cyber exploits used by threat actors to compromise computer networks of organizations worldwide. The US authorities have added the companies to the Entity List based on their engagement in activities counter to U.S. national security.

In the last couple of years, like NSO Group and Candiru, made the headlines because totalitarian regimes used their spyware to spy on journalists, dissidents, and government opposition.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, commercial spyware)

A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical diagnosis services, since April 18.

Since April 18, Synlab Italia, a major provider of medical diagnosis services, has been experiencing disruptions due to a cyber attack.

The company initially cited technical issues as the cause leading to “temporary interruption of access to computer and telephone systems and related services.” However, a concerning scenario has emerged a few hours later.

The company has released a statement informing customers of the ongoing attack and has “disabled” all company computer systems in Italy as a precautionary measure.

Patients are facing significant disruptions, with many social media users complaining about their inability to access urgently needed diagnostic test results.

The company’s statement announced the suspension of all activities at sampling points, medical centers, and laboratories in Italy until further notice.

Synlab immediately investigated the incident and is working with external experts to contain it.

Certain passages of the statement raise particular concerns:

“SYNLAB informs all Patients and Customers that it has been the victim of a hacker attack on its computer systems throughout the national territory. As a precaution, all company computer systems in Italy were immediately disabled following the identification of the attack and in accordance with the company’s computer security procedures.”

[SYNLAB] is currently unable to determine when operations can be restored.

These statements highlight the need for the company to isolate systems to prevent the spread of the threat and mitigate its impact.

Such drastic containment measures are typically associated with malware infections, while the unavailability of affected systems often suggests a ransomware infection.

Therefore, companies that suffer a ransomware attack cannot predict when they will be operational again because they need to eradicate the threat from affected systems and restore any backups.

Another concern for companies affected by ransomware is the potential exfiltration of data. If health information is stolen in the case of SYNLAB Italy, it would pose a serious risk to affected customers’ privacy and security.

The latest update provided by the company states:

“Currently, the SYNLAB task force is analyzing every single part of the IT infrastructure, including backup systems, in order to restore its systems securely as soon as possible. The company has also filed a report with the Postal Police and initiated the preliminary notification procedure to the Italian Data Protection Authority.” reads the statement. “SYNLAB has apologized to its patients for the inconveniences caused by the current situation and has made available dedicated telephone and social media channels for managing requests and providing information, referring to all facilities in the territories. The company is continuously updating patients, clients, and the public through the website www.synlab.it and social media channels.”

A similar scenario occurred previously at the French branch of the group, Synlab.fr, when it was targeted in an attack by the Clop group, specializing in extortion activities. While the attacks appear unrelated, they serve as a warning for the entire sector.

The increasing number of attacks against healthcare companies exposes the medical information of millions of citizens, which remains easily accessible to criminals.

In February, 2024, a cybersecurity alert published by the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted attacks conducted by ALPHV/Blackcat ransomware attacks.

The US agencies released a report containing IOCs and TTPs associated with the ALPHV Blackcat RaaS operation identified through law enforcement investigations conducted as recently as February 2024.

As for the SynLab case, further information on the incident is awaited as the company works to restore operations and secure user information.

Italian readers can give a look at my Post on the Italian Newspaper La Repubblica:

https://www.italian.tech/blog/sicuri-nella-rete/2024/04/19/news/synlab_attacco_hacker_dati_pazienti-422612040

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Synlab Italia)

Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler service flaw.

Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium” used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028.

Since at least June 2020, and possibly earlier, the cyberespionage group has used the tool GooseEgg to exploit the CVE-2022-38028 vulnerability. This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. Microsoft has observed APT28 using GooseEgg in post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.

While GooseEgg is a simple launcher application, threat actors can use it to execute other applications specified at the command line with elevated permissions. In a post-exploitation scenario, attackers can use the tool to carry out a broad range of malicious activities such as remote code execution, installing backdoors, and moving laterally through compromised networks.

The vulnerability CVE-2022-38028 was reported by the U.S. National Security Agency and Microsoft addressed it with the release of Microsoft October 2022 Patch Tuesday security updates.

APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information.

GooseEgg is usually deployed with a batch script, commonly named execute.bat or doit.bat. This script creates a file named servtask.bat, which includes commands for saving or compressing registry hives. The batch script then executes the GooseEgg executable and establishes persistence by scheduling a tack that runs the servtask.bat.

The GooseEgg binary supports four commands, each with different run paths.

Microsoft researchers noted that an embedded malicious DLL file often contains the phrase “wayzgoose” in its name, such as wayzgoose23.dll. The cybers spies use GooseEgg to drop this embedded DLL file in the context of the PrintSpooler service with SYSTEM permissions.

“wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.” reads the report published by Microsoft.

Microsoft reports include instructions for detecting, hunting, and responding to GooseEgg.

The APT28 group (aka Forest Blizzard, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, APT28)

A financially motivated group named GhostR claims the theft of a sensitive database from World-Check and threatens to publish it.

World-Check is a global database utilized by various organizations, including financial institutions, regulatory bodies, and law enforcement agencies, for assessing potential risks associated with individuals and entities. It compiles information from diverse sources like public records, regulatory filings, and proprietary databases to create profiles of entities susceptible to financial crime, terrorism, or corruption. World-Check aids organizations in conducting due diligence and adhering to regulatory standards concerning anti-money laundering (AML) and counter-terrorism financing (CTF).

World-Check is currently owned by LSEG (London Stock Exchange Group).

A financially motivated threat actor, called GhostR, announced the theft of a confidential database containing 5.3 million records from the World-Check.

The threat actor said that he stole the database in March and threatened to publish the data online.

The hackers told TechCrunch that they stole the database from a Singapore-based company that has access to the sensitive database, however, they did not name the victim organization.

The threat actors shared a portion of the stolen data with TechCrunch as proof of the hack, it includes records on current and former government officials, diplomats, and politically exposed people. The list also includes criminals, suspected terrorists, intelligence operatives and a European spyware firm.

Compromised data vary by individuals and organizations, it includes names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers, and more.

World-Check had different owners across the years, it was originally founded as an independent company. Curiously, in 2011, Thomson Reuters acquired World-Check, then in October 2018, Thomson Reuters closed a deal with The Blackstone Group. As a result of this merger, World-Check became part of the new company, Refinitiv. LSEG acquired Refinitiv is 2021.

The disclosure of data in the archive poses a threat to the individuals whose data it contains. This is sensitive information that could lead to discrimination, persecution, or otherwise cause harm to individuals by violating their privacy and exposing them to various types of cyberattacks.

The database was criticized because it includes names of people and organizations that are mistakenly considered terrorists.

In June 2016, security researcher Chris Vickery found a copy of the World-Check database dated 2014 that was accidentally exposed online.

In August 2015, journalists from BBC’s Radio 4 gained 30 minutes of access thanks to the support of a disgruntled customer and demonstrated that the designations in the archive were inaccurate.

The Vice News also gained access to the World-Check archive in February 2016 arriving at the same conclusion after it analyzed some profiles in the database

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, GhostR)

Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve rootkit-like capabilities.

SafeBreach researcher Or Yair devised a technique, exploiting vulnerabilities in the DOS-to-NT path conversion process, to achieve rootkit-like capabilities on Windows.

When a user executes a function with a path argument in Windows, the DOS path of the file or folder is converted to an NT path. However, a known issue arises during this conversion process where the function removes trailing dots from any path element and trailing spaces from the last path element. This behavior is consistent across most user-space APIs in Windows.

The expert exploiting this known issue discovered the following vulnerabilities:

• CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability – The RCE issue resides in Windows’s new extraction logic for all newly supported archive types. The expert craft a malicious archive that would write anywhere he chose on a remote computer once extracted, leading to code execution.
• CVE-2023-32054 Volume Shadow Copy Elevation of Privilege Vulnerability – An can exploit this issue to gain the rights of the user that is running the affected application. The researchers discovered two elevation of privilege (EoP) vulnerabilities. The CVE-2023-32054 allowed him to write into files without the required privileges by manipulating the restoration process of a previous version from a shadow copy and another that allowed him to delete files without the required privileges.

“In addition to leading me to these vulnerabilities, the MagicDot paths also granted me rootkit-like abilities that were accessible to any unprivileged user.” wrote Or Yair. “I discovered how a malicious actor—without admin privileges—could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more.”

A user-space rootkit aims to intercept user-space API calls, execute the original function, filter out malicious data, and return altered information to the caller. An attacker needs Admin privileges to run such rootkits, as they need to conceal their presence from users, including administrators, by operating within processes with elevated privileges.

A kernel rootkit operates within the kernel and attempts to intercept system calls, altering the information returned to user-space processes that request it.

Running a kernel rootkit requires access to the kernel, typically requiring administrative privileges and overcoming various security measures such as Patch Guard, Driver Signature Enforcement, Driver Blocklist, and HVCI. Consequently, the prevalence of kernel rootkits has decreased significantly.

The expert reported to the Microsoft Security Response Center (MSRC) in 2023. The IT giant acknowledged these issues and took the following action:  

• Remote Code Execution (CVE-2023-36396, CVSS: 7.8): fixed by Microsoft.
• Elevation of Privilege (Write) (CVE-2023-32054, CVSS: 7.3): fixed by Microsoft.
• Elevation of Privilege (Deletion): The vulnerability was reproduced and confirmed by Microsoft. However, the company did not issue a CVE or a fix. Below is the response provided by Microsoft. “Thank you again for submitting this issue to Microsoft. We determined that this issue does not require immediate security service but did reveal unexpected behavior. A fix for this issue will be considered in a future version of this product or service.” 
• Process Explorer Unprivileged DOS for Anti-Analysis (CVE-2023-42757): fixed by the engineering team of Process Explorer in version 17.04. CVE-2023-42757 was reserved for this vulnerability by MITRE. MITRE confirmed the vulnerability with Microsoft and will publish the CVE once online publication of the details is available. 

“This research is the first of its kind to explore how known issues that appear to be harmless can be exploited to develop vulnerabilities and, ultimately, pose a significant security risk. We believe the implications are relevant not only to Microsoft Windows, which is the world’s most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software.” Yair concluded.

The report includes video PoCs for these vulnerabilities-

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Microsoft)

Japan’s CERT warns of a vulnerability in the Forminator WordPress plugin that allows unrestricted file uploads to the server.

Japan’s CERT warned that the WordPress plugin Forminator, developed by WPMU DEV, is affected by multiple vulnerabilities, including a flaw that allows unrestricted file uploads to the server.

Forminator is a popular WordPress plugin that allows users to easily create various forms for their website without needing any coding knowledge. The plugin is installed in over 500,000.

One of these vulnerabilities is a critical issue, tracked as CVE-2024-28890 (CVSS v3: 9.8) that a remote attacker can exploit to upload malicious code on WordPress sites using the plugin.

“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin and cause a denial-of-service (DoS) condition (CVE-2024-28890)” read the security bulletin published by the JPCERT.

The bulletin also warns of the following these vulnerabilities:

• CVE-2024-31077 (CVSS score 7.2) – SQL injection flaw – An administrative user may obtain and alter any information in the database and cause a denial-of-service (DoS) condition
• CVE-2024-31857 (CVSS score 6.1) – Cross-site scripting flaw – A remote attacker may obtain user information etc. and alter the page contents on the user’s web browser

Forminator versions 1.29.3 addressed all the vulnerabilities, admins are recommended to update their installs asap

At the time of this writing, researchers have reports of attacks in the wild exploiting the vulnerability CVE-2024-28890.

According to statistics provided by WordPress.org, the plugin has over 500,000 active installations, but only 55,9% (over 279) are running version 1.29.

This means that more than 200,000 sites are vulnerable to cyber attacks.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, WordPress)

Government agencies revealed that Akira ransomware has breached over 250 entities worldwide and received over $42 million in ransom payments.

A joint advisory published by CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL) revealed that since early 2023, Akira ransomware operators received $42 million in ransom payments from more than 250 victims worldwide.

The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.

The Akira ransomware operators implement a double extortion model by exfiltrating victims’ data before encrypting it.

Earlier versions of the ransomware were written in C++ and the malware added the .akira extension to the encrypted files. However, from August 2023 onwards, certain Akira attacks began utilizing Megazord, which employs Rust-based code and encrypts files with a .powerranges extension. Akira threat actors have persisted in employing both Megazord and Akira, including Akira_v2, identified by independent investigations, interchangeably.

The cybersecurity researchers observed threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured. The attackers mostly used Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269.

Akira operators were also observed using external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials.

Following initial access, threat actors were observed exploiting domain controller’ functions by generating new domain accounts to establish persistence. In some attacks, threat actors created an administrative account named itadm.

“According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting, to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Akira threat actors also use credential scraping tools like Mimikatz and LaZagne to aid in privilege escalation.” reads the report. “Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes and net Windows commands are used to identify domain controllers and gather information on domain trust relationships.“

Akira operators have been observed deploying two distinct ransomware variants against different system architectures within the same attack. It was this first time that the operators adopted this tactic.

The operators frequently disable security software to evade detection and for lateral movement. The government experts observed the use of PowerTool by Akira threat actors to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.

Threat actors use FileZilla, WinRAR, WinSCP, and RClone for data exfiltration. The attackers use AnyDesk, Cloudflare Tunnel, RustDesk, Ngrok, and Cloudflare Tunnel to communicate with the command-and-control (C&C).

“Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption.” concludes the advisory that includes indicators of compromise (IoCs).”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Akira ransomware)

Threat actors target government entities in the Middle East with a new backdoor dubbed CR4T as part of an operation tracked as DuneQuixote.

Researchers from Kaspersky discovered the DuneQuixote campaign in February 2024, but they believe the activity may have been active since 2023.

Kaspersky discovered over 30 DuneQuixote dropper samples used in the campaign. The experts identified two versions of the dropper, regular droppers (in the form of an executable or a DLL file) and tampered installer files for a legitimate tool named “Total Commander.”

The droppers were employed to download a backdoor tracked as “CR4T”. The experts detected only two CR4T implants, but they speculate the existence of many other variants which may be completely different malware.

The threat actors behind the DuneQuixote campaign took steps to prevent collection and analysis the implants through the implementation of practical and well-designed evasion methods.

The dropper connects to an embedded command-and-control (C2), whose address is hardcoded in the malicious code and is decrypted using a unique technique to prevent its exposure to automated malware analysis tools.

“The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler.” reads the analysis published by Kaspersky. “The dropper then proceeds to decrypt the C2 (Command and Control) address, employing a unique technique designed to prevent the exposure of the C2 to automated malware analysis systems. This method involves first retrieving the filename under which the dropper was executed, then concatenating this filename with one of the hardcoded strings from Spanish poems. Following this, the dropper calculates the MD5 hash of the concatenated string, which is then used as a key for decrypting the C2 string.”

The threat actors used strings in these functions consisting of excerpts from Spanish poems. The strings differ from one sample to another, altering the signature of each sample to avoid detection through conventional methods. Then, after executing decoy functions, the malware constructs a framework for the required API calls. This framework is filled with offsets of Windows API functions, resolved through various techniques.

The dropper calculates the MD5 hash of the combined string and uses it as the key to decode the C2 server address. Then the dropper connects with the C2 server and downloads a next-stage payload.

The researchers noticed that the payload can only be downloaded once per victim or is only accessible for a short period after a malware sample is released, for this reason, researchers were unable to obtain most of the payload implants from active C2 servers.

The Total Commander installer dropper is designed to appear like a genuine Total Commander software installer but includes additional malicious components. These alterations invalidate the official digital signature of the Total Commander installer. This version of the dropper maintains the core functionality of the initial dropper but excludes Spanish poem strings and decoy functions. Additionally, it incorporates anti-analysis measures and checks to prevent connections to C2 resources.

The experts also spotted a Golang version of the CR4T implant that shares similar capabilities with the C version. It includes a command line console for machine interaction, file download/upload functions, and command execution capabilities. Notably, the malware can create scheduled tasks using the Golang Go-ole library, which interfaces with the Windows Component Object Model (COM) for Task Scheduler service interaction.

The malware achieves persistence through the COM objects hijacking technique. The malware uses the Telegram API for C2 communications, implementing the public Golang Telegram API bindings. All the interactions are similar to the C/C++ version.

“The “DuneQuixote” campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques.” concludes the report. “The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and resourcefulness of the threat actors behind this campaign.“

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Critical CrushFTP zero-day exploited in attacks in the wild

A French hospital was forced to reschedule procedures after cyberattack

MITRE revealed that nation-state actors breached its systems via Ivanti zero-days

FBI chief says China is preparing to attack US critical infrastructure

United Nations Development Programme (UNDP) investigates data breach

FIN7 targeted a large U.S. carmaker with phishing attacks

Law enforcement operation dismantled phishing-as-a-service platform LabHost

Previously unknown Kapeka backdoor linked to Russian Sandworm APT

Cisco warns of a command injection escalation flaw in its IMC. PoC publicly available

Linux variant of Cerber ransomware targets Atlassian servers

Ivanti fixed two critical flaws in its Avalanche MDMResearchers released exploit code for actively exploited Palo Alto PAN-OS bug

Cisco warns of large-scale brute-force attacks against VPN and SSH services

PuTTY SSH Client flaw allows of private keys recovery

A renewed espionage campaign targets South Asia with iOS spyware LightSpy

Misinformation and hacktivist campaigns targeting the Philippines skyrocket

Russia is trying to sabotage European railways, Czech minister said

Cisco Duo warns telephony supplier data breach exposed MFA SMS logs

Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

CISA adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog

Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor

U.S. and Australian police arrested Firebird RAT author and operator

Canadian retail chain Giant Tiger data breach may have impacted millions of customers

International Press Newsletter

Cybercrime    

SoCal Man Arrested on Federal Charges Alleging He Schemed to Advertise and Sell ‘Hive’ Computer Intrusion Malware

AFP traps alleged RAT developer      

Ransomware Group Claims Theft of Data From Chipmaker Nexperia  

International investigation disrupts phishing-as-a-service platform LabHost   

Threat Group FIN7 Targets the U.S. Automotive Industry  

Chinese Organized Crime’s Latest U.S. Target: Gift Cards

Ransomware Victims Who Pay a Ransom Drops to Record Low  

840-bed hospital in France postpones procedures after cyberattack  

Malware

Unpacking the Blackjack Group’s Fuxnet Malware  

LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India  

Cerber Ransomware: Dissecting the three heads  

Kapeka: A novel backdoor spotted in Eastern Europe  

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal 

Hacking 

Hacker claims Giant Tiger data breach, leaks 2.8M records online

Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

PuTTY vulnerability vuln-p521-bias

Palo Alto – Putting The Protecc In GlobalProtect (CVE-2024-3400)     

Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials  

Cisco discloses root escalation flaw with public exploit code

SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world  

CrushFTP Virtual Filesystem Escape Vulnerability in the Wild   

Intelligence and Information Warfare 

Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 

Misinformation And Hacktivist Campaigns Target The Philippines Amidst Rising Tensions With China 

FBI says Chinese hackers preparing to attack US infrastructure  

Russia-linked hacking group suspected of carrying out cyberattack on Texas water facility, cybersecurity firm says

Cybersecurity   

United Nations Agency Investigating Ransomware Attack Involving Data Theft

House passes bill banning Uncle Sam from snooping on citizens via data brokers

UNDP Investigates Cyber-Security Incident  

GT exclusive: Volt Typhoon false narrative a collusion among US politicians, intelligence community and companies to cheat funding, defame China: report 

ICS Network Controllers Open to Remote Exploit, No Patches Available     

Advanced Cyber Threats Impact Even the Most Prepared

Government Releases Guidance on Securing Election Infrastructure     

Warrantless spying powers extended to 2026 with Biden’s signature  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Threat actors exploited a critical zero-day vulnerability in the CrushFTP enterprise in targeted attacks, Crowdstrike experts warn.

CrushFTP is a file transfer server software that enables secure and efficient file transfer capabilities. It supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over different networks. CrushFTP also provides support for automation, scripting, user management, and extensive customization options to meet the diverse needs of businesses and organizations.

CrushFTP has notified users of a virtual file system escape vulnerability impacting their FTP software, which could potentially enable users to download system files.

“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a DMZ in front of their main CrushFTP instance are protected with its protocol translation system it utilizes.” reads the advisory.

Simon Garrelou from the Airbus CERT discovered the vulnerability.

Crowdstrike researchers discovered that threat actors exploited the critical zero-day vulnerability in targeted attacks in the wild.

“On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion.” reads a post published by Crowdstrike on Reddit.

The vulnerability has yet to receive CVE.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, zero-day)

A French hospital was forced to return to pen and paper and postpone medical treatments after a cyber attack.

A cyber attack hit Hospital Simone Veil in Cannes (CHC-SV) on Tuesday, impacting medical procedures and forcing personnel to return to pen and paper.

The Hospital Simone Veil in Cannes is a public hospital located in Cannes, France. The hospital provides a range of medical services and healthcare facilities to the local community and surrounding areas.

CHC-SV has more than 2,000 employees and has a capacity of more than 800 beds.

The website of the hospital states that “Cyberattack in progress! All non-urgent consultations should be reconsidered.”

Non-urgent surgical procedures and consultations scheduled for this week have been postponed.

The French hospital was forced to take all computers offline while the telephone lines were not impacted The hospital is investigating the incident with the help of ANSSI, Cert Santé, Orange CyberDéfense, and GHT06.

The organization hasn’t received any ransom demands and hasn’t identified a data breach.

“CHC-SV was the target of a cyber attack on Tuesday morning. General cybercontainment was one of the first decisions of the crisis unit. This radical decision was taken very quickly in all sectors. All computer access was consequently cut off. Telephony continues to work.” reads the announcement. “There have been no ransom demands or data theft identified at this stage. Investigations remain ongoing.”

The hospital ensured continuity of operations in emergency care, internal medicine, surgery, obstetrics, geriatrics, pediatrics, psychiatry, home hospitalization, and rehabilitation.

“The CHC-SV had never been the victim of a cyberattack of this type. Cyber ​​risk is one of the priority risks identified in the establishment’s risk map. Exercises have been held over the past few months, allowing for strong responsiveness to the event.” concludes the announcement.

“The return to normal will depend on technical investigations and the necessary catch-up. Feedback from other hospitals that have been the subject of a cyberattack shows that this return to normal can take a long time.”

In December 2022, the Hospital Centre of Versailles was hit by a cyber attack that forced it to cancel operations and transfer some patients in other hospitals.

In August 2022, the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris, suffered a ransomware attack over the weekend. The attack disrupted the emergency services and surgeries and forced the hospital to refer patients to other structures. According to local media, threat actors demand a $10 million ransom to provide the decryption key to restore encrypted data.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, French hospital)

The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by exploiting Ivanti VPN zero-days.

In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, a nation state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.

“Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account.” reads a post published by the organization on Medium. “They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”

MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration. 

Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO, MITRE. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Ivanti)

China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher Wray.

FBI Director Christopher Wray warned this week that China-linked threat actors are preparing an attack against U.S. critical infrastructure, Reuters reported.

According to the FBI chief, the Chinese hackers are waiting “for just the right moment to deal a devastating blow.”

In February, US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.

“the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” reads the alert.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.

The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.

“The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.” continues the alert. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.

The US agencies also released a technical guide containing recommendations to identify and mitigate living off the land techniques adopted by the APT group.

A Chinese Foreign Ministry spokesperson recently stated that the Volt Typhoon activity is not associated with Beijing, but linked it to a cybercrime operation.

Wray confirmed that Volt Typhoon’s campaign is still ongoing and breached numerous American companies in telecommunications, energy, water and other critical sectors.

The state-sponsored hackers also targeted 23 pipeline operators, Wray revealed during a speech at Vanderbilt Summit on Modern Conflict and Emerging Threats.

The FBI Director remarked that China is developing the “ability to physically wreak havoc on US critical infrastructure at a time of its choosing,” “Its plan is to land low blows against civilian infrastructure to try to induce panic.”

Wray explained that it is difficult to determine the purpose behind the cyber pre-positioning, however, the activity is part of a broader strategy to dissuade the U.S. from defending Taiwan.

Wray added that the China-linked actors employed a series of botnets in their activities.

In December, the Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet to the operations of China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters, the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.

The KV-Botnet is composed of end-of-life products used by SOHO devices. In early July and August of 2022, the researchers noticed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFEs that were part of the botnet. Later, in November 2022, most of the devices composing the botnet were ProSAFE devices, and a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and p1367-E. 

The researchers pointed out that the use of the KV-Botnet is limited to China-linked actors. Thus far the victimology aligns primarily with a strategic interest in the Indo-Pacific region, the experts observed a focus on ISPs and government organizations.

About the author: Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, China)

The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack and the subsequent theft of data.

The United Nations Development Programme (UNDP) is investigating an alleged ransomware attack that resulted in data theft.

The United Nations Development Programme (UNDP) is a United Nations agency tasked with helping countries eliminate poverty and achieve sustainable economic growth and human development.

The cyber attack recently targeted the IT infrastructure of the Agency in UN City, Copenhagen.

On March 27, UNDP became aware that a data-extortion threat actor had stolen data, including human resources and procurement information.

“On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information.” reads the statement published by the Agency. “Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted.” 

UNDP is investigating the security incident to determine the scope of the cyberattack. The agency is keeping individuals affected by the breach updated and sharing information with other stakeholders, including its partners across the UN system.

“UNDP takes this incident extremely seriously and we reiterate our dedication to data security. We are committed to continue working to detect and minimize the risk of cyber-attacks.” continues the statement.

UNDP did not share details about the attack, however, on March 27, 2024, the ransomware group 8base added the agency to its Tor leak site (the Tor leak site is unavailable at the time of this writing).

The extortion group as yet to publish the stolen data.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, United Nations Development Programme)

BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large U.S. carmaker with spear-phishing attacks.

In late 2023, BlackBerry researchers spotted the threat actor FIN7 targeting a large US automotive manufacturer with a spear-phishing campaign. FIN7 targeted employees who worked in the company’s IT department and had higher levels of administrative rights.

The attackers employed the lure of a free IP scanning tool to infect the systems with the Anunak backdoor and gain an initial foothold using living-off-the-land binaries, scripts, and libraries (lolbas).

FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

Fin7 was observed using the PowerShell script POWERTRASH, which is a custom obfuscation of the shellcode invoker in PowerSploit.

In the attacks analyzed by BlackBarry, threat actors used a typosquatting technique, they used a malicious URL “advanced-ip-sccanner[.]com” masquerading as the legitimate website “advanced-ip-scanner[.]com”, which is a free online scanner.

Upon visiting the rogue site, visitors are redirected to “myipscanner[.]com”, which in turn redirected them to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto their systems.

Upon execution, the executable initiates a complex multi-stage process comprising DLLs, WAV files, and shellcode execution. This process culminates in the loading and decryption of a file called ‘dmxl.bin,’ which contains the Anunak payload.

The threat actors used WsTaskLoad.exe to install OpenSSH to maintain persistence, they used scheduled task to persist OpenSSH on the victim’s machine.

While historical data demonstrate that FIN7 often employs OpenSSH for lateral movement, no such activity was detected in this particular campaign. OpenSSH is also used for external access.

“While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated.” concludes the report that also includes recommendations for Mitigation and IoCs (Indicators of Compromise). “BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, FIN7)

An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.

An international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world’s largest phishing-as-a-service platforms.

Law enforcement from 19 countries participated in the operation which resulted in the arrest of 37 individuals.

The phishing-as-a-service platform was available on the clear web and has been shut down by the police.

Between April 14th and April 17th, law enforcement agencies conducted searches at 70 addresses worldwide, leading to the arrest of the suspects. Four individuals, including the original developer of LabHost, were arrested in the United Kingdom.

Phishing as a service (PaaS) platforms provide phishing tools and resources to crooks, often for a fee or subscription. These tools typically include pre-designed phishing templates, email or text message sending capabilities, website hosting services for phishing pages. Most important PhaaS platforms also provide technical support to their customers.

LabHost was a prominent tool for cybercriminals globally, offering a subscription-based service that facilitated phishing attacks. The platform provided phishing kits, hosting infrastructure, interactive features for engaging victims, and campaign management tools. The investigation conducted by law enforcement revealed approximately 40,000 phishing domains associated with LabHost, which reached 10,000 users worldwide. Subscribers paid an average monthly fee of $249 for use the platform’s services. LabHost offered a selection of over 170 convincing fake websites for users to deploy with ease.

“What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.” reads the announcement published by Europol

Australian police arrested five individuals across the country as part of the operation, the authorities reported that more than 94,000 people in Australia were victims of the attacks launched through the platform.

“Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails.” reported the AFP.

“As a result of the Australian arm of the investigation, led by the AFP’s Joint Policing Cybercrime Coordination Centre (JCP3), more than 200 officers from the AFP and state and territory police were yesterday (17 April, 2024) involved in executing 22 search warrants across five states. This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia. A Melbourne man and an Adelaide man, who police will allege were LabHost users, were arrested during the warrants and charged with cybercrime-related offences. Three Melbourne men were also arrested by Victoria Police and charged with drug-related offences.”

The U.K. Metropolitan Police said LabHost’s sites have ensnared approximately 70,000 victims in the UK alone. On a global scale, the service has acquired 480,000 card numbers, 64,000 PIN numbers, and over one million passwords for various online services. The actual number of victims is anticipated to surpass current estimates, with ongoing efforts focused on identifying and assisting as many affected individuals as feasible.

Operators behind the PhaaS received about £1 million in payments from criminal users since its launch.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PhaaS)