🔒
There are new articles available, click to refresh the page.
Today — 20 October 2021Security Affairs

Acer suffers a second data breach in a week

20 October 2021 at 13:19

Tech giant Acer was hacked again in a few days, after the compromise of the servers in India, threat actors also breached some of its systems in Taiwan.

Tech giant Acer was hacked twice in a week, the same threat actor (Desorden) initially breached some of its servers in India, now it is claiming to have also breached some systems in Taiwan.

Last week the company revealed that its after-sales service systems in India were hit by an isolated attack.

The incident was disclosed after threat actors have advertised the sale of more than 60 GB of data on an underground cybercrime forum.

ACER INDIA data breach

The threat actors now claim to have breached the servers of Acer Taiwan on October 15th and have stolen internal data, including employee and product information.

Desorden compromised Acer for the second time in less than a week to demonstrate that the company is still exposed to cyber attacks to its negligence, he also claims that other servers in Asia of the company are still vulnerable.

In response to the intrusion, Acer Taiwan took down the compromised server.

“We have recently detected an isolated attack on our local after-sales service system in India and a further attack in Taiwan. Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India, while the attacked Taiwan system does not involve customer data. The incident has been reported to local law enforcement and relevant authorities, and has no material impact to our operations and business continuity.” reads the statement issued by the Tech giant.

This is the third time ACER suffered a security breach, in March the computer giant was hit by REvil ransomware operators that compromised its systems and requested the record $50,000,000 ransom.

While the threat actors claimed to have obtained information on customers, login credentials for retailers and distributors, and corporate and financial documents, the company pointed out only employees’ data was exposed.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Acer suffers a second data breach in a week appeared first on Security Affairs.

China-linked LightBasin group accessed calling records from telcos worldwide

20 October 2021 at 12:39

China-linked cyberespionage group LightBasin hacked mobile telephone networks around the world and used specialized tools to access calling records.

A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.

The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.

“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike. “Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”

The hacking group initially compromised one of the telecommunication companies by leveraging external DNS (eDNS) servers which are part of the General Packet Radio Service (GPRS) network.

The eDNS are used in roaming between different mobile operators, threat actors leveraged it to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously deployed implants.

The group was able to target other telecommunications-specific systems in the GPRS network such as Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).

Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak either third-party-focused passwords (i.e. huawei) for the initial compromise.

Once compromised the eDNS servers, the attackers deployed a custom backdoor, tracked as SLAPSTICK, that allowed them to access the Solaris Pluggable Authentication Module (PAM). The implant was used by LightBasin to steal passwords to access other systems and deploy additional implants.

Later, the hacking group accessed multiple eDNS servers from compromised telecommunications companies and used another implant tracked as PingPong.

“Later, LightBasin returned to access several eDNS servers from one of the compromised telecommunications companies while deploying an ICMP traffic signalling implant tracked by CrowdStrike as PingPong under the filename /usr/bin/pingg, with persistence established through the modified SysVinit script /etc/rc.d/init.d/sshd through the following additional line:

cd /usr/bin && nohup ./pingg >/dev/null 2>&1 &

“This implant waits for a magic ICMP echo request, which, when sent to the system, established a TCP reverse shell to an IP address and port specified within the magic packet. The /bin/bash process spawned by PingPong masquerades under the process name httpd.”

Experts pointed out that eDNS servers are protected from general external internet access by firewalls, for this reason, attackers send commands to the PingPong implant via ICMP request from another compromised GPRS network infrastructure.

Then the backdoor sets a TCP reverse shell to an IP address and port specified in the “magic packet” it has received.

LightBasin also added iptables rules to the eDNS server to establish SSH access from five compromised companies.

Additionally, the actor used a trojanized version of the iptables utility that removed output containing the first two octets from IP addresses belonging to other hacked companies, making it more difficult for admins to find the modified rules.

Researchers noticed that LightBasin uses a novel technique involving the use of SGSN emulation software for C2 connections involving also the TinyShell open-source backdoor.

“TinyShell is an open-source Unix backdoor used by multiple adversaries; however, LightBasin uniquely combined this implant with the publicly available SGSN emulator sgsnemu2 through a bash script. This script constantly ran on the system, but only executed certain steps between 2:15 and 2:45 UTC each day.” continues the analysis.

The report also includes info about additional malware and utilities used by the group along with a set of recommendations and Indicators of Compromise (IoCc).

The report also includes additional malware and utilities used by the group along with a set of recommendations.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post China-linked LightBasin group accessed calling records from telcos worldwide appeared first on Security Affairs.

Zerodium is looking for zero-day exploits in ExpressVPN, NordVPN, and Surfshark Windows VPN clients

20 October 2021 at 06:48

Zero-day exploit broker Zerodium announced it is looking for zero-day vulnerabilities in the Windows clients of ExpressVPN, NordVPN, and Surfshark.

Zerodium is looking to pay for zero-day exploits for vulnerabilities in the Windows clients of three virtual private network (VPN) service providers, ExpressVPN, NordVPN, and Surfshark.

The company announced with a message posted on Twitter:

We're looking for #0day exploits affecting VPN software for Windows:

– ExpressVPN
– NordVPN
– Surfshark

Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.

Contact us: https://t.co/R6E2CVU9K3

— Zerodium (@Zerodium) October 19, 2021

VPN services allow users to protect their anonymity when accessing resources online, they allow hiding the user’s IP address by routing the connection through a network of servers used by the provider.

Zerodium is searching for information disclosure, IP address leak, or remote code execution in the Windows VPN software of the three service providers. The company is not interested in local privilege escalation.

The request is not surprising, the three providers are used by tens of millions of users worldwide, including cybercriminals. Zerodium will likely resell the zero-day exploits to law enforcement and intelligence agencies that will use them for their investigation into cybercriminal activities and operations carried out by nation-state actors.

NordVPN and Surfshark have been used by threat actors in the past.

In July, Zerodium announced it was looking for zero-day exploits for VMware vCenter Server. vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. The company announced payouts up to $100,000 for zero-days in vCenter Server.

In June, the zero-day exploit broker announced it was looking for 0day exploits affecting the IM client tool Pidgin on Windows and Linux. The company payouts were up to $100,000 for zero-days in Pidgin, which is a free and open-source multi-platform instant messaging client.

Additional info about the Zerodium Exploit Acquisition Program is available here.

In December 2019, the virtual private network (VPN) service provider NordVPN launched a public bug bounty program operated via the HackerOne platform.

The service provider offered payouts between $100 and $5,000 for each reported vulnerability, an amount of money that is much lower than Zerodium’s offers. 

Below is a reference payout range for the vulnerabilities based on their severity levels:

  • Critical: $1000-5000+ USD
  • High: $500-1000 USD
  • Medium: $100-500 USD
  • Low: $100 USD
  • None: $0 USD

The bug bounty program was covering NordVPN websites (nordvpn.com and some subdomains), Chrome and Firefox browser extensions, VPN servers, and desktop and mobile applications for all platforms.

Cleary if the payouts of the bug bounty will remain the same, all the bugs discovered in the VPN service will be reported only to Zerodium.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking,zero-day)

The post Zerodium is looking for zero-day exploits in ExpressVPN, NordVPN, and Surfshark Windows VPN clients appeared first on Security Affairs.

Yesterday — 19 October 2021Security Affairs

Experts found many similarities between the new Karma Ransomware and Nemty variants

19 October 2021 at 17:48

Sentinel Labs experts have analyzed the new Karma ransomware and speculate it represents an evolution of the Nemty ransomware operation.

Karma ransomware is a new threat that was first spotted in June of 2021, it is important to distinguish it from a different threat with the same name that is active since 2016.

Sentinel Labs researchers explored the links between the Karma ransomware and other malware families such as NEMTY and JSWorm.

The researchers analyzed eight samples used in attacks that took place in June 2021 and analyzed them finding important code similarities with some ransomware variants of Gangbang and Milihpen that were active in the wild at least since January 2021. The analysis of the compilation dates of the samples suggests that the Karma ransomware is still under active development.

The similarities between Karma and the above variants included the exclusion of extensions and folders and the presence of debug messages.

“From our analysis, we see similarities between JSWorm and the associated permutations of that ransomware family such as NEMTY, Nefilim, and GangBang. Specifically, the Karma code analyzed bears close similarity to the GangBang or Milihpen variants that appeared around January 2021.” reads the analysis published by SentinelLabs.

The experts conducted a “bindiff” on Karma and Gangbang samples and noticed that the ‘main()’ function is quite similar.

karma ransomware

The analysis of the encryption process implemented in the sample analyzed revealed that the earlier ones were using the Chacha20 encryption algorithm, while the most recent samples were using the Salsa20 algorithm.

“Diving in deeper, some samples show that the ChaCha20 algorithm has been swapped out for Salsa20. The asymmetric algorithm (for ECC) has been swapped from Secp256k1 to Sect233r1. Some updates around execution began to appear during this time as well, such as support for command line parameters.” continues the report.

Like other ransomware operations, the Karma gang has set up a leak site where publish the stolen data of those victims that don’t pay the ransom. 

“Karma is a young and hungry ransomware operation. They are aggressive in their targeting, and show no reluctance in following through with their threats. The apparent similarities to the JSWorm family are also highly notable as it could be an indicator of the group being more than they appear.” “The rapid iteration over recent months suggests the actor is investing in development and aims to be around for the foreseeable future.” concludes the report that also includes Indicators of Compromise (IoCs) for the threat.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Karma ransomware)

The post Experts found many similarities between the new Karma Ransomware and Nemty variants appeared first on Security Affairs.

Symantec uncovered a previously unknown nation-state actor, named Harvester, that targeted telcos

19 October 2021 at 11:20

Symantec spotted a previously unknown nation-state actor, tracked as Harvester, that is targeting telecommunication providers and IT firms in South Asia.

Symantec spotted a previously unknown nation-state actor, tracked as Harvester, that is using a custom implant, dubbed Backdoor.Graphon, in attacks aimed at telecommunication providers, IT firms, and government entities in South Asia. At this time, the APT group is mostly targeting organizations in Afghanistan.

“The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT). The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor.” reads the analysis published by Symantec.

The threat actors deployed the Graphon backdoor on victim machines alongside other downloaders and screenshot tools to take over the systems, exfiltrate sensitive data and spy on user activities.

Symantec researchers have yet to discover the initial attack vector, experts believe that the attackers could have used spear-sphishing messages sharing a malicious URL.

The cyberspies leverage legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity in the attempt to evade detection.

Below is a list of tools used by the Harvester group in the attacks spotted by the researchers:

  • Backdoor.Graphon – custom backdoor that uses Microsoft infrastructure for its C&C activity
  • Custom Downloader – uses Microsoft infrastructure for its C&C activity
  • Custom Screenshotter – periodically logs screenshots to a file
  • Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C activity (Cobalt Strike is an off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files)
  • Metasploit – an off-the-shelf modular framework that can be used for a variety of malicious purposes on victim machines, including privilege escalation, screen capture, to set up a persistent backdoor, and more.

The downloader leverages the Costura Assembly Loader, it prepares the environment on the target system by adding a registry value for a new load-point, and eventually opening an embedded web browser within its own UI using the URL hxxps://usedust[.]com.

“The attackers then run commands to control their input stream and capture the output and error streams. They also periodically send GET requests to the C&C server, with the content of any returned messages extracted and then deleted.” continues the analysis. “Data that cmd.exe pulled from the output and error streams is encrypted and sent back to the attackers’ servers.”

The custom screenshot tool allows operators to take photos that are saved in a password-protected ZIP archive for exfiltration. The malware deletes all archives older than a week. 

The researchers have not yet attributed the activity to a specific nation-state actor, Symantec’s report includes Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Harvester)

The post Symantec uncovered a previously unknown nation-state actor, named Harvester, that targeted telcos appeared first on Security Affairs.

FBI, CISA, NSA published a joint advisory on BlackMatter ransomware operations

19 October 2021 at 07:06

FBI, CISA, NSA have published a joint advisory about the operation of the BlackMatter ransomware gang and provides defense recommendations.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.

This advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.

The BlackMatter group launched its operations at at the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.

The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.

The group is recruiting crooks with access to the networks of large enterprises, which have revenues of $100 million/year or larger, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.

BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies. In August, the gang has implemented a Linux encryptor to targets VMware ESXi virtual machine platform. 

BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

The sample analyzed by the researchers allowed them to discover that the ransomware operators used compromised administrator credentials to discover all the hosts in the victim’s Active Directory. In order to list all accessible network shares for each host the malicious code used Microsoft Remote Procedure Call (MSRPC) function (srvsvc.NetShareEnumAll) that allowed listing all accessible network shares for each host.

“The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares.” reads the joint alert. “Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.”

BlackMatter operators use a separate encryption binary for Linux-based machines that can encrypt ESXi virtual machines. The experts noticed that BlackMatter operators wipe or reformat backup data stores and appliances instead of encrypting backup systems.

The alert also includes Snort signatures that can be used by network defenders to detect the network activity associated with BlackMatter.

CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:

  • Implement Detection Signatures;
  • Use Strong Passwords;
  • Implement Multi-Factor Authentication;
  • Patch and Update Systems;
  • Limit Access to Resources over the Network;
  • Implement Network Segmentation and Traversal Monitoring;
  • Use Admin Disabling Tools to Support Identity and Privileged Access Management;
  • Implement and Enforce Backup and Restoration Policies and Procedures;

The US agencies also urge critical infrastructure organizations to apply the following additional mitigations:

  • Disable the storage of clear text passwords in LSASS memory.
  • Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
  • Implement Credential Guard for Windows 10 and Server 2016, enable Protected Process Light for Local Security Authority (LSA). 
  • Minimize the AD attack surface

The alert also provides the following recommendations for responding to ransomware attacks:

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BlackMatter ransomware)

The post FBI, CISA, NSA published a joint advisory on BlackMatter ransomware operations appeared first on Security Affairs.

Trustwave released a free decryptor for the BlackByte ransomware

19 October 2021 at 05:18

Trustwave’s SpiderLabs researchers have released a free decryptor for the BlackByte ransomware that can allow victims to recover their files.

Researchers from Trustwave’s SpiderLabs have released a decryptor that can allow victims of the BlackByte ransomware to restore their files for free.

The experts spotted the BlackByte ransomware while investigating a recent malware incident. The analysis of the ransomware revealed that it was developed to avoid infecting systems that primarily use Russian or related languages.

BlackByte ransomware

Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key to encrypt files and it uses the symmetric-key algorithm AES. Anyone that could access the raw key would be able to decrypt the files.

The experts noticed that the ransomware fetches a .PNG file that embeds multiple keys and which is the same for all the victims. The researchers analyzed it to create a free decryptor.

“Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES.  To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.” reads the analysis published by Trustwave.

The ransomware also implements worm capabilities, and it crashes if the encryption key download fails.

Experts noticed that the ransomware also sets its process priority class to above normal and uses SetThreadExecutionState APIm this trick prevents the system from entering in the sleep mode.

Then the malware removes applications and terminates processes that can interfere with the encryption process. 

BlackByte also terminates Raccine anti-ransomware utility and removes it from the infected system.

In order to prevent the victims from recovering the encrypted files, BlackByte deletes all shadow copies and Windows restore points, deletes the recycle bin, disables controlled folder access, enables file and printer sharing and network discovery, and enables the SMB1 protocol.

Experts also noticed that the ransomware doesn’t include exfiltration capabilities even if its operators claim to steal victims’ data.

“The auction site that is linked in the ransom note is also quite odd, see below. The site claims that it has exfiltrated data from its victims, but the ransomware itself does not have any exfiltration functionality. So this claim is probably designed to scare their victims into complying.” states the analysis.

Anyway the good news is the availability of the decryptor, Trustwave released the free tool on GitHub.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Trustwave released a free decryptor for the BlackByte ransomware appeared first on Security Affairs.

Before yesterdaySecurity Affairs

TeamTNT Deploys Malicious Docker Image On Docker Hub

18 October 2021 at 19:50

The Uptycs Threat Research Team spotted a campaign in which the TeamTNT threat actors deployed a malicious container image on Docker hub.

The Uptycs Threat Research Team recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script to download Zgrab scanner and masscanner—penetration testing tools used for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor tries to scan for more targets in the victim’s subnet and perform further malicious activities.

Criminal groups continue to target Docker Hub, GitHub, and other shared repositories with container images and software components that include malicious scripts and tools. They often aim to spread coinminer malware, hijacking the computing resources of victims to mine cryptocurrency.

In this post, we will detail the technical analysis of the malicious components deployed by the TeamTNT threat actor.

 

Alpineos profile – Responsible Disclosure

The malicious Docker image was hosted in Docker Hub under the handle name alpineos, a community user who joined Docker Hub on May 26, 2021. At the time of this writing, alpineos profile was hosting 25 Docker images (See Figure 1).

Figure 1: Alpineos Docker hub handle

The Dockerapi image which we analysed had 5,400 downloads within approximately two weeks of being added. Another Docker image from the repository, ‘basicxmr’ has been downloaded more than 100,000 times. This clearly suggests that the profile is actively developing malicious images. 

The Uptycs Threat Research Team reported the Docker image hosted in the Docker Hub website to the security team on September, 30 2021.

TeamTNT threat actor

TeamTNT is a well known threat actor which targets *nix based systems and misconfigured Docker container environments. Threat actors associated with TeamTNT mostly use open-source tools in their campaigns, such as XMrig miner, Tsunami IRC bot (a.k.a kaiten) and the diamorphine rootkit.

 

The Attack kill chain

The attack kill chain we observed TeamTNT using is shown below (see Figure 2).

teamtnt 2

Figure 2: TeamTNT attack life cycle

The different stages of the attack kill chain depicted above are as follows:

  • Using the monero-ocean shell script, TeamTNT/Hilde deployed a new malicious Docker image named Dockerapi which was hosted on Docker hub website. 
  • Using Docker, the malicious image was run with the privilege flag, and was mounted with the victim host and victim host’s network configuration. 
  • The malicious Docker image had an embedded shell script named ‘pause’.
  • The ‘pause’ shell script inside the malicious Docker image had commands to install masscanner and the zgrab tool.
  • After setting up the scanning tools, the functions in the ‘pause’ script start scanning rigorously in the victim subnet on Docker related ports for more target virtual machines (nodes). A node is a part of Docker swarm. A Docker swarm is a group of physical or virtual machines (nodes) operating in a cluster. 
  • Once the target node is found as a result of the Docker-related port scan in the victim subnet, the pause shell script runs the misconfigured alpine Docker image remotely (from the victim machine) in the target node, passing a base64 command as command line. The command:
  1. Generates the ssh keys and adds it to authorized_keys file.
  2. Logs into the target node’s host via ssh and downloads the monero-ocean shell script from the C2 (teamtnt[.]red) into the target node’s host.
  • The monero-ocean shell script in this campaign later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on.
  • The monero-ocean shell script also downloads another shell script (diamorphine shell script) which downloads and deploys the diamorphine rootkit to the victim’s system.
  • The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid.

 

Technical Analysis

The monero-ocean shell script (c21d1e12fea803793b39225aee33fe68b3184fff384b1914e0712e10630e523e) used as initial vector had the following command to deploy alpineos/Dockerapi Docker image onto the victim system (see Figure 3)

Figure 3: Command to deploy Dockerapi container image

The command shown above runs the Dockerapi image with the following:

  • –privilege flag
  • –net flag to have host’s network configuration inside container
  • /host mounted inside container image

Using the command Docker ps, we can identify the malicious Docker image runs pause shell script (see Figure 4).

Figure 4: Dockerapi image runs pause shell script 

The pause shell script inside Docker image installs basic utilities and the scanning tools Zgrab and masscan (see Figure 5).

Figure 5: Initial setup done by pause shell script 

Upon installation of these tools, commands inside the pause shell script start heavy scanning on Docker related ports in an attempt to target more nodes (machines) in the victim subnet (see Figures 6,7).

Figure 6: Docker related scanned ports in the victim subnet

Figure 7: Masscan and Zgrab commands used for scanning

Masscan and zgrab

Masscan and zgrab scanning commands are used in the Docker container image for scanning and banner grabbing. The functionality of these commands is listed below.

masscan 1.0.0.0/8 -p2377 –rate 50000

The masscan works much like nmap utility which is used for scanning target IPs. In this case masscan scans with a rate of 50,000 pks/sec which is a huge rate against the port 2377.

zgrab –senders 200 –port 2377 –http=/v1.16/version –output-file=-2>dev/null

The zgrab tool is used for vulnerability scanning and part of the zmap project. In this case the attacker used zgrab with 200 send coroutines (threads) for banner grabbing and saving the IP addresses with target opened ports in an output file.

Alpine Docker image deployment

As a result of scanning, once the target node is found, the command inside pause shell script performs the following:

  1. Remotely runs the alpine Docker image with full privilege and host mounted on the target node.
  2. Uses a base64 encoded command which adds newly generated ssh keys to authorized_keys file. 
  3. Using the same command, logs into the target node’s host with ssh and downloads the monero-ocean shell script in the target host (see Figures 8,9).

Figure 8: base64 encoded command passed with misconfigured alpine image

Figure 9: Decoded base64 – Monero-ocean shell script getting downloaded and executed

Xmrig miner, IRC bot and DiaMorphine Rootkit

The monero-ocean shell script later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on (see Figures 10 and 11).

Figure 10: command to download XMrig miner

Figure 11: command to download IRC bot

The IRC bot in the victim machine communicates with attacker C2 over port 8080 (see Figure 12). 

Figure 12: IRC communication on port 8080

Alongside this, the monero-ocean shell script also contained the command to download diamorphine rootkit shell script (see Figure 13).

Figure 13: command to download diamorphine shell script

The diamorphine shell script (418d1ea67110b176cd6200b6ec66048df6284c6f2a0c175e9109d8e576a6f7ab) deploys the diamorphine rootkit in the victim system (see Figure 14).

Figure 14: Diamorphine Rootkit getting compiled and deployed 

The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid (see Figures 15 and 16).

Figure 15: cr0 WP bit modification for syscall table hooking

Figure 16: Hooked syscalls (getdents and kill)

Uptycs EDR detections

The Uptycs EDR armed with YARA process scanning detected the malware components involved in this campaign with a threat score of 10/10 (see Figure 17,18,19). In addition, Uptycs offers the following abilities to secure your container deployments: 

  • Uptycs integrates with CI/CD tools so that developers can initiate image scans at build time to detect malicious container images before they are deployed to production. 
  • Uptycs continuously monitors and reports on compliance with the CIS Benchmark for Docker to identify misconfigurations that attackers can exploit, and offer remediation guidance so that your team can quickly fix those issues.

Figure 17: Uptycs EDR detection

Figure 18: masscan command captured by the Uptycs EDR

Figure 19: zgrab command captured by the Uptycs EDR

Conclusion

Docker containers have become an integral part of the organisations. A lot of services nowadays run in isolated Docker containers. The threat actors on the other side are also trying to deploy malicious components to escape Docker containers and target host machines and the other nodes connected in a subnet and its swarm. Hence, to maintain a robust security stance, it is crucial to be able to detect malicious images early in the CI/CD pipeline as well as monitor all the container activities in runtime. 

The EDR capabilities of Uptycs empowers security teams to detect, investigate attacks in their Docker infrastructure.

Credits: Thanks to Uptycs Threat Research Team members for their inputs and research.

About the author: Siddharth Sharma

Indicators of Compromise (IoCs) are reported in the original post available at

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post TeamTNT Deploys Malicious Docker Image On Docker Hub appeared first on Security Affairs.

Prometheus endpoint unprotected installs could expose sensitive data

18 October 2021 at 18:15

Experts discovered several unprotected installs of open source event monitoring solution Prometheus that may expose sensitive data.

JFrog researchers have discovered multiple unprotected instances of open source event monitoring solution Prometheus that may leak sensitive data.

The solution scrapes real-time metrics from multiple endpoints, it is used by several major organizations such as Uber.

Prometheus’ retrieval job, also called the scraper, pulls data from target services, aggregates it, and passes it to the database.

JFrog researchers discovered numerous Prometheus endpoints exposed online that leak metric and label data, they were able to perform “a large-scale unauthenticated scraping of publicly available and non-secured” installs.

In January, the Transport Layer Security (TLS) and basic authentication support was introduced with the release of version 2.24.0,

Unfortunately, many Prometheus installs haven’t yet enabled these security features and JFrog researchers have focused their analysis on them. JFrog performed “a large-scale unauthenticated scraping of publicly available and non-secured Prometheus endpoints.

JFrog found nearly 27,000 unsecured installs using the Shodan search engine, and 43,000 hosts using ZoomEye.

“Using search engines like Shodan or ZoomEye it’s extremely easy to find tens of thousands of Prometheus endpoints. The most effective single query we’ve seen in Shodan, was to look for Prometheus endpoints by the Web UI’s favicon Web UI favicon.” reads the post published by the experts. “This specific query (http.favicon.hash:-1399433489) returns almost 27K hosts in Shodan and 43K hosts in ZoomEye. By iterating automatically over these exposed endpoints, we’ve seen that 100% of the endpoints returned from this query had publicly-accessible data (meaning no authentication mechanisms were in place).”

Prometheus

Exposed data could be sensitive and could be used by threat actors to carry out further attacks against the organizations. Exposed data

Some of the exposed data login credentials in URL strings related to multiple services, infrastructure services, machine addresses and metadata labels, SSH public keys, environment variables for Kubelet, and more.

JFrog experts also warned of further security risks,associated with an optional management API that can be enabled via command line flags and that can be abused to delete all the saved metrics and to shut down the monitoring server.

“In our unauthenticated scraping effort, we discovered that ~15% of the exposed Prometheus endpoints had enabled API management, and ~4% had enabled database management. This means that right off the bat, an unauthenticated attacker can trivially shutdown and/or delete the metrics of these Prometheus endpoints. While our investigation clearly indicates this capability, to avoid harm or damage to users of those endpoints, we did not make any attempt to cause such a shutdown or a deletion as part of this research.” continues the post.

Before JFrog published the report I was alerted about the exposed install by the security researchers Anis Haboubi.

Mimecast révèle le vol du code source des produits Mimecast Sync and Recover, Continuity Monitor et IEP dans le piratage de #SolarWinds et l'utilisation de certificat pour cibler leur clients ; En image liste non exhaustive de leur client; #cyberpandemiehttps://t.co/dzg3QjbRWc pic.twitter.com/WtW5ZOEp5g

— Anis Haboubi |₿| (@HaboubiAnis) October 19, 2021

Researchers recommend using authentication and encryption mechanisms when deploying Prometheus to prevent the leak of sensitive information.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Prometheus)

The post Prometheus endpoint unprotected installs could expose sensitive data appeared first on Security Affairs.

Sinclair TV stations downtime allegedly caused by a ransomware attack

18 October 2021 at 11:43

A ransomware attack is likely the cause of the recent downtime for TV stations owned by the Sinclair Broadcast Group broadcast television company.

TV stations owned by the Sinclair Broadcast Group went down over the weekend officially due to technical issues, but some media [1,2] reported that it was a victim of a ransomware attack.

The alleged attack compromised the Sinclair internal corporate network, the broadcasting systems of TV stations, email servers, and phone services were impacted.

Still dealing with technical difficulties at @CBS6Albany …. Our 11pm newscast (which is starting late after football) will be unconventional. We’re working with handwritten notes, and it’s going to be a bit more conversational. Tune in, and thanks for bearing with us! 😀🙏🏼 pic.twitter.com/D620UCD72F

— Leanne DeRosa (@CBS6Leanne) October 18, 2021

We are learning this is a corporate wide problem. We are standing by as we wait to get on the air. https://t.co/aYaSa3VJLU

— Kristin Bien (@KristinBienWSBT) October 17, 2021

Sinclair Broadcast Group is a Fortune 500 media company, the group is a publicly-traded American telecommunications conglomerate having annual revenues of $5.9 billion in 2020.

The company is the second-largest television station operator in the United States by number of stations, it owns or operates a total of 193 stations across the country in over 100 markets (covering 40% of American households). The company operates many stations affiliated with Fox, ABC, and The CW.

Sources have told BleepingComputer that ransomware operators shut down Active Directory services for the domain, paralyzing the services at the company and its affiliates.

According to TheRecord media, the attack did not impact “the master control” of the Sinclair broadcast system that allows the TV stations to replace the scheduled local programming on the affected channels with a national feed

In July, the company suffered another security incident, in response to the security breach it forced all Sinclair stations to reset their passwords.

Recently, the American media conglomerate Cox Media Group (CMG) announced it was hit by a ransomware attack that caused the interruption of the live TV and radio broadcast streams in June 2021. The company notified via mail hundreds of individuals that were impacted by the security breach and that that have had their personal data exposed in the attack. 

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post Sinclair TV stations downtime allegedly caused by a ransomware attack appeared first on Security Affairs.

REvil ransomware operation shuts down once again

18 October 2021 at 07:27

It seems that the REvil ransomware operation has shut down once again after a threat actor has hijacked their Tor hidden service.

The REvil ransomware gang has shut down its operation once again after a threat actor has hijacked their Tor leak site and payment portal. The news of the hack was shared by the REvil representive ‘0_neday’ on the XSS hacking forum, he initially confirmed that someone has compromised their server, later denied it.

The news of the hack was first reported by Dmitry Smilyanets from Recorded Future.

RIP 🪦 #REvil pic.twitter.com/LJKnJI9YtW

— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) October 17, 2021

REvil gives additional update. REvil representive '0_neday' states their server has been compromised.

"Good luck everyone, I'm off" – 0_neday

Intel courtesy of @ddd1ms pic.twitter.com/cKvev4uDu5

— vx-underground (@vxunderground) October 17, 2021

0_neday added that someone brought up the REvil hidden services using their private keys, he also said that the gang did not found signs of compromise to their servers, anyway, they have decided to shut down the operation. 

“But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys,” wrote ‘0_neday’ on the hacking forum.

revil operation shut down2

REvil disappearance update:

Summary:
* REvil rep. 'Unknown' disappeared
* REvil assumed Unknown was dead
* REvil decided to continue operations
* Only 'Unknown' & '0_neday' had REvil domain keys
* REvil domain recently accessed using Unknown's keys

Intel courtesy of @ddd1ms pic.twitter.com/fsk5PdOt2n

— vx-underground (@vxunderground) October 17, 2021

REvil operators will provide anyway the decryption keys to the affiliates to allow them to continue their operations.

At the time of this writing, it is not clear how threat actors could have had access to the private keys of the REvil operation, someone speculates that the keys were obtained by law enforcement since they resumed their activity in September after a short pause.

On July 2, the REvil ransomware gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers.

The group asked $70 million worth of Bitcoin for decrypting all systems impacted in the Kaseya supply-chain ransomware attack.

The attack caught the attention of the media and the police authorities that increased pressure on the group.

Starting from July 13, the infrastructure and the websites used by the REvil ransomware gang were mysteriously unreachable. The Tor leak site, the payment website “decoder[.]re”, and their backend infrastructure went offline simultaneously.

It is not clear if the operators shut down the operations due to the pressure of law enforcement after the recent Kaseya massive ransomware attack or if the infrastructure was seized as a result of an operation conducted by law enforcement.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware operation)

The post REvil ransomware operation shuts down once again appeared first on Security Affairs.

Experts spotted an Ad-Blocking Chrome extension injecting malicious ads

18 October 2021 at 06:30

Researchers warn of an Ad-Blocking Chrome extension that was abused by threat actors to Injecting Ads in Google search pages.

Researchers from Imperva have spotted a new deceptive ad injection campaign that is targeting users of some large websites leveraging an AD-blocking extension, named AllBlock, that is available on both Chrome and Opera browsers.

Ad injection consists of inserting unauthorized advertisements into a publisher’s web page to trick users into clicking on them. Ad injection can be conducted in many ways, such as using malicious browser extensions, malware, and cross-site scripting (XSS) attacks.

The researchers discovered a series of rogue domains distributing an ad injection script in late August 2021 that they linked to an extension called AllBlock.

One of them was hxxps[:]//frgtylik[.]com/KryhsIvSaUnQ[.]js, which works in the following way:

1 – The script sends a list of all the links that are currently present in the page, including the full URL of the page, to a remote server.
2 – The server returns the list of domains it wants to redirect back to the script.
3 – Whenever the user clicks on a link that has been altered, the user will then be hijacked to a different page.” reads the analysis published by Imperva.

Ad-Blocking Chrome extension

The JavaScript code is injected into every new tab opened in the browser, it identifies and sends all links in a web page (i.e. The results of a query to a search engine) to a remote server. The server, in turn, responds back with a list of domains to replace the legitimate links, when the user will click on one of them he will be redirected to a page chosen by the attackers.

“In a variable called e.hiddenHref, the malicious JavaScript will store the replacing URL based on the information returned by the server ratds[.]net. When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link. Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place.” continues the analysis.

AllBlock employed by the operators behind this campaign implements several techniques to avoid detection and make the analysis harder, including clearing the debug console every 100ms and excluding major search engines.

Imperva researchers linked this campaign to an older one tracked as PBot campaign that used same domain names and IP addresses.

“Ad injection is an evolving threat that can impact almost any site.” concludes the analysis. “When ad injection is used, the site performance and user experience is degraded, making websites slower and harder to use. According to Baymard Institute, 68.8% of online shopping carts are abandoned. There could be many reasons for this, but there is no denying that ad injection plays a key role in this as well. Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content and diminished conversion rates.”

The malicious Ad-Blocking Chrome extension has been removed from both the Chrome Web Store and Opera add-ons marketplaces.

The researchers also shared Indicators of Compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Ad-Blocking Chrome extension)

The post Experts spotted an Ad-Blocking Chrome extension injecting malicious ads appeared first on Security Affairs.

Experts hacked a fully patched iOS 15 running on iPhone 13 at China’s Tianfu Cup hacking contest

17 October 2021 at 16:48

White hat hackers earned $1.88 million at the Tianfu Cup hacking contest by finding vulnerabilities in popular software.

The Tianfu Cup is the most important hacking contest held in China, this year white hat hackers earned $1.88 Million demonstrating vulnerabilities in popular software.

The edition of this year took place on October 16 and 17 in the city of Chengdu, participants had three attempts of 5 minutes to demonstrate their exploits.

TFC 2021 is coming! Oct. 16th-17th, see you again at CHENGDU, CHINA. This year, the total bonus is up to $1.5 Million, with new category and targets, waiting for you to PWN and WIN. https://t.co/XfAxZbttfq pic.twitter.com/zRSpQ6MkIk

— TianfuCup (@TianfuCup) July 15, 2021

The winner is the security firm Kunlun Lab who earned $654,500, below the tweet of the amazing expert @mj0011 CEO of Cyber-Kunlun & Kunlun Lab and former CTO of Qihoo 360 and founder of team 360Vulcan.

New company but still ranked as #1 this year TianfuCup. Almost all targets are fully pwned this time(except Synology). last photo : the empty review room after 0day party pic.twitter.com/TRM37hAYuh

— mj0011 (@mj0011sec) October 17, 2021

 Tianfu Cup 2021

This year’s edition included a list of 16 possible targets, participants successfully demonstrated exploits against 13 of them:

  • Windows 10 – hacked 5 times
  • Adobe PDF Reader – 4 times
  • Ubuntu 20 – 4 times
  • Parallels VM – 3 times
  • iOS 15 – 3 times
  • Apple Safari – 2 times
  • Google Chrome – 2 times
  • ASUS AX56U router – 2 times
  • Docker CE – 1 time
  • VMWare ESXi – 1 time
  • VMWare Workstation – 1 time
  • qemu VM – 1 time
  • Microsoft Exchange – 1 time

One of the exploits demonstrated at the contest immediately attracted the attention of the media, it is a zero-click remote code execution exploit against a fully patched iOS 15 running on the latest iPhone 13. The Chian Pangu won the highest single bonus in the history of this competition for this exploit, $300000.

The iPhone 13 Pro Safari escaped from prison remotely, and Chian Pangu won the highest single bonus of $300000 in history.🎉🎉@mj0011sec pic.twitter.com/rrCa1cGcnN

— HBS (@765075247Hbs) October 16, 2021

Pangu team iPhone 13 Pro IOS 15 Safari remote jailbreak attack video, really fast. @mj0011sec pic.twitter.com/JlO572oia8

— HBS (@765075247Hbs) October 17, 2021

The participants also demonstrated a remote code execution exploit chain against Google Chrome, this is the first time that this kind of exploit was demonstrated at the Tianfu Cup.

First confirmed entry for day1 of TianfuCup, Kunlun Lab @S0rryMybad pwned Google Chrome to get Windows system kernel level privilege with only two bugs. First time since 2015 as I remembered https://t.co/xy1dTzl1GV

— mj0011 (@mj0011sec) October 16, 2021

No exploit was demonstrated against Synology DS220j NAS, Xiaomi Mi 11 smartphone, and an unnamed domestic electric vehicle.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Tianfu Cup 2021)

The post Experts hacked a fully patched iOS 15 running on iPhone 13 at China’s Tianfu Cup hacking contest appeared first on Security Affairs.

Twitch security breach had minimal impact, the company states

17 October 2021 at 12:58

Twitch provided an update for the recent security breach, the company confirmed that it only had a limited impact on a small number of users.

Twitch downplayed the recent security breach in an update, the company said it only impacted a small number of users.

According to the update, login credentials or full payment card data belonging to users or streamers were not exposed.

The root cause of the incident was a server configuration change that allowed improper access by an unauthorized third party. Twitch passwords have not been exposed, the company believes that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed.

“Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information.” reads the update. “The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly.”

Early this month, an anonymous 4chan user has published a torrent link to a 128GB file on the 4chan discussion board, the leaked archive contains sensitive data stolen from 6,000 internal Twitch Git repositories. The leaker, who used the #DoBetterTwitch hashtag, claims to have leaked the data in response to harassment raids targeting the platform streamers this summer.In August, the streamers used the same hashtag to share on Twitter evidence of the hate raids that targeted them, at the time the platform chats were flooded with hateful content.

“Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories,” reads the message published by the leaker.

Twitch data leak

The anonymous user’s thread, named ‘twitch leaks part one’ claims that the archive contains:

  • The entirety of twitch.tv, with commit history going back to its early beginnings
  • Mobile, desktop, and video game console clients
  • Various proprietary SDKs and internal AWS services used by platform
  • Every other property that Twitch owns, including IGDB and CurseForge
  • An unreleased Steam competitor from Amazon Game Studios
  • Twitch SOC internal red teaming tools (lol)
  • and the creator payout reports from 2019 until now.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Twitch security breach had minimal impact, the company states appeared first on Security Affairs.

  • There are no more articles
❌