Today — 10 August 2022 (Security Affairs)

VMware warns of public PoC code for critical auth bypass bug CVE-2022-31656

10 August 2022 at 07:46

VMware warns of the availability of proof-of-concept exploit code for a critical authentication bypass flaw in multiple products.

VMware warns its customers that proof-of-concept exploit code is available for a critical authentication bypass flaw, tracked as CVE-2022-31656, in multiple products. The flaw was discovered by security researcher Petrus Viet from VNG Security, who today released the proof-of-concept (PoC) exploit code and provided technical details about the flaw.

This is a detailed technical analysis of two vulnerabilities CVE-2022-31656 and CVE-2022-31659 affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. I hope it helps you and sorry for my bad English.

[ENG] https://t.co/lOXEUvEyPV

— Petrus Viet (@VietPetrus) August 9, 2022

Last week, the virtualization giant addressed the CVE-2022-31656 flaw, which impacts local domain users in multiple products. An unauthenticated attacker can exploit the vulnerability to gain admin privileges.

“A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.” reads the advisory published by the virtualization giant.

The flaw affects Workspace ONE Access, Identity Manager, and vRealize Automation products.

The vulnerability has been rated as critical and received a CVSS v3 base score of 9.8.

Today, VMware reported the availability of PoC exploits for CVE-2022-31656 and CVE-2022-31659.

“Updated advisory with information that VMware has confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available.” reads an update to the advisory published by the company.

The good news is that the vendor is not aware of attacks exploiting the vulnerabilities in the wild.

“VMware is not aware of exploitation of these vulnerabilities at the time of this publication.” reads an advisory published by the company.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-31656)

The post VMware warns of public PoC code for critical auth bypass bug CVE-2022-31656 appeared first on Security Affairs.

Yesterday — 9 August 2022 (Security Affairs)

Microsoft Patch Tuesday for August 2022 fixed actively exploited zero-day

9 August 2022 at 21:25

Microsoft Patch Tuesday security updates for August 2022 addressed an actively exploited zero-day remote code execution vulnerability in Windows.

Microsoft Patch Tuesday security updates for August 2022 addressed 118 CVEs in multiple products, including .NET Core, Active Directory Domain Services, Azure Batch Node Agent, Azure Real Time Operating System, Azure Site Recovery, Azure Sphere, Microsoft ATA Port Driver, Microsoft Bluetooth Driver, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Office, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Windows Support Diagnostic Tool (MSDT), Remote Access Service Point-to-Point Tunneling Protocol, Role: Windows Fax Service, Role: Windows Hyper-V, System Center Operations Manager, Visual Studio, Windows Bluetooth Service, Windows Canonical Display Driver, Windows Cloud Files Mini Filter Driver, Windows Defender Credential Guard, Windows Digital Media, Windows Error Reporting, Windows Hello, Windows Internet Information Services, Windows Kerberos, Windows Kernel, Windows Local Security Authority (LSA), Windows Network File System, Windows Partition Management Driver, Windows Point-to-Point Tunneling Protocol, Windows Print Spooler Components, Windows Secure Boot, Windows Secure Socket Tunneling Protocol (SSTP), Windows Storage Spaces Direct, Windows Unified Write Filter, Windows WebBrowser Control, Windows Win32K.

Seventeen vulnerabilities have been rated as critical; the remaining ones are rated Important in severity.

Most of the flaws (64) are elevation of privilege issues, followed by 31 remote code execution and 12 information disclosure issues.

The IT giant addressed a remote code execution vulnerability, tracked as CVE-2022-34713, that resides in the Microsoft Windows Support Diagnostic Tool (MSDT); the flaw has been exploited by threat actors in the wild. An attacker can trigger the flaw by tricking the victim into opening a specially crafted file.

Microsoft states that the issue is a variant of the Dogwalk vulnerability that was disclosed in June.

“This bug also allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word. There is an element of social engineering to this as a threat actor would need to convince a user to click a link or open a document.” reads the description provided by ZDI. “It’s not clear if this vulnerability is the result of a failed patch or something new.”

Three flaws, tracked as CVE-2022-30133, CVE-2022-35744, and CVE-2022-34691, addressed by Microsoft with the release of the August 2022 Patch Tuesday security updates, are rated as critical and received a CVSS score of 9.8.

The first two flaws, CVE-2022-30133 and CVE-2022-35744, are remote code execution issues that affect the Windows Point-to-Point Protocol (PPP); the third one (CVE-2022-34691) is a privilege escalation issue in Active Directory Domain Services.

Below is the full list of vulnerabilities fixed by Microsoft:

CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2022-34713 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Important | 7.8 | Yes | Yes | RCE
CVE-2022-30134 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.6 | Yes | No | EoP
CVE-2022-30133 | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2022-35744 | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2022-34691 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP
CVE-2022-33646 | Azure Batch Node Agent Remote Code Execution Vulnerability | Critical | 7 | No | No | RCE
CVE-2022-21980 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8 | No | No | EoP
CVE-2022-24477 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8 | No | No | EoP
CVE-2022-24516 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8 | No | No | EoP
CVE-2022-35752 | RAS Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-35753 | RAS Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-35804 | SMB Client and Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2022-34696 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2022-34702 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-34714 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-35745 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-35766 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-35767 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-35794 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-34716 | .NET Spoofing Vulnerability | Important | 5.9 | No | No | Spoofing
CVE-2022-34685 | Azure RTOS GUIX Studio Information Disclosure Vulnerability | Important | 7.8 | No | No | Info
CVE-2022-34686 | Azure RTOS GUIX Studio Information Disclosure Vulnerability | Important | 7.8 | No | No | Info
CVE-2022-30175 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-30176 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-34687 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-35773 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-35779 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-35806 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-35776 | Azure Site Recovery Denial of Service Vulnerability | Important | 6.2 | No | No | DoS
CVE-2022-35802 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP
CVE-2022-35775 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35780 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35781 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35782 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35784 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35785 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35786 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35788 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35789 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35790 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35791 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35799 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35801 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35807 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35808 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35809 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35810 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35811 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35813 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35814 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35815 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35816 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35817 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35818 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35819 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-35774 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-35787 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-35800 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-35783 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP
CVE-2022-35812 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP
CVE-2022-35824 | Azure Site Recovery Remote Code Execution Vulnerability | Important | Unknown | No | No | RCE
CVE-2022-35772 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2022-35821 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | Info
CVE-2022-34301 | * CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass | Important | N/A | No | No | SFB
CVE-2022-34302 | * CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass | Important | N/A | No | No | SFB
CVE-2022-34303 | * CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass | Important | N/A | No | No | SFB
CVE-2022-35748 | HTTP.sys Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-35760 | Microsoft ATA Port Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-33649 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Important | 9.6 | No | No | SFB
CVE-2022-33648 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-33631 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.3 | No | No | SFB
CVE-2022-34692 | Microsoft Exchange Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2022-21979 | Microsoft Exchange Information Disclosure Vulnerability | Important | 4.8 | No | No | Info
CVE-2022-34717 | Microsoft Office Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-35742 | Microsoft Outlook Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-35743 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-35762 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35763 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35764 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35765 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35792 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-33640 | System Center Operations Manager: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35754 | Unified Write Filter Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP
CVE-2022-35777 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-35825 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-35826 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-35827 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-35750 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35820 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-30144 | Windows Bluetooth Service Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE
CVE-2022-35757 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2022-34705 | Windows Defender Credential Guard Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35771 | Windows Defender Credential Guard Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-34704 | Windows Defender Credential Guard Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-34710 | Windows Defender Credential Guard Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-34712 | Windows Defender Credential Guard Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-34709 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | Important | 6 | No | No | SFB
CVE-2022-35746 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35749 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35795 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-34690 | Windows Fax Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2022-35797 | Windows Hello Security Feature Bypass Vulnerability | Important | 6.1 | No | No | SFB
CVE-2022-35751 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35756 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35761 | Windows Kernel Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP
CVE-2022-34707 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35768 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-34708 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-35758 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-30197 | Windows Kernel Security Feature Bypass | Important | 7.8 | No | No | SFB
CVE-2022-35759 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2022-34706 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-34715 | Windows Network File System Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE
CVE-2022-33670 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-34703 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-35769 | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-35747 | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS
CVE-2022-35755 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2022-35793 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2022-34701 | Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability | Important | 5.3 | No | No | DoS
CVE-2022-30194 | Windows WebBrowser Control Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE
CVE-2022-34699 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-33636 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 8.3 | No | No | RCE
CVE-2022-35796 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Low | 7.5 | No | No | EoP
CVE-2022-2603 | * Chromium: CVE-2022-2603 Use after free in Omnibox | High | N/A | No | No | RCE
CVE-2022-2604 | * Chromium: CVE-2022-2604 Use after free in Safe Browsing | High | N/A | No | No | RCE
CVE-2022-2605 | * Chromium: CVE-2022-2605 Out of bounds read in Dawn | High | N/A | No | No | RCE
CVE-2022-2606 | * Chromium: CVE-2022-2606 Use after free in Managed devices API | High | N/A | No | No | RCE
CVE-2022-2610 | * Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch | Medium | N/A | No | No | SFB
CVE-2022-2611 | * Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API | Medium | N/A | No | No | N/A
CVE-2022-2612 | * Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input | Medium | N/A | No | No | Info
CVE-2022-2614 | * Chromium: CVE-2022-2614 Use after free in Sign-In Flow | Medium | N/A | No | No | RCE
CVE-2022-2615 | * Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies | Medium | N/A | No | No | SFB
CVE-2022-2616 | * Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API | Medium | N/A | No | No | N/A
CVE-2022-2617 | * Chromium: CVE-2022-2617 Use after free in Extensions API | Medium | N/A | No | No | RCE
CVE-2022-2618 | * Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals | Medium | N/A | No | No | Spoofing
CVE-2022-2619 | * Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings | Medium | N/A | No | No | Spoofing
CVE-2022-2621 | * Chromium: CVE-2022-2621 Use after free in Extensions | Medium | N/A | No | No | RCE
CVE-2022-2622 | * Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing | Medium | N/A | No | No | Spoofing
CVE-2022-2623 | * Chromium: CVE-2022-2623 Use after free in Offline | Medium | N/A | No | No | RCE
CVE-2022-2624 | * Chromium: CVE-2022-2624 Heap buffer overflow in PDF | Medium | N/A | No | No | RCE


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)


Experts linked Maui ransomware to North Korean Andariel APT

9 August 2022 at 17:04

Cybersecurity researchers from Kaspersky linked the Maui ransomware to the North Korea-backed Andariel APT group.

Kaspersky linked with medium confidence the Maui ransomware operation to the North Korea-backed APT group Andariel, which is considered a division of the Lazarus APT Group.

North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.

Kaspersky experts noticed that approximately ten hours before Maui ransomware was deployed to the initial target system, the threat actors had deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. Both malicious codes are recognized as part of Andariel’s arsenal.

Kaspersky experts discovered that the DTrack variant employed in the attacks against the Japanese, Russian, Indian, and Vietnamese companies has a code similarity of 84% to samples used in cyberespionage campaigns attributed to the Andariel APT.

The Andariel APT (aka Stonefly) has been active since at least 2015, it was involved in several attacks attributed to the North Korean government.

The researchers speculate the threat actor is rather opportunistic and could potentially target any company around the world with good financial standing and with vulnerable Internet-exposed web services.


“Based on the modus operandi of this attack, we conclude that the actor’s TTPs behind the Maui ransomware incident is remarkably similar to past Andariel/Stonefly/Silent Chollima activity:

  • Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;
  • Using exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;
  • Exclusively deploying DTrack, also known as Preft;
  • Dwell time within target networks can last for months prior to activity;
  • Deploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest.”

In April 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation released a joint advisory warning organizations worldwide about the ‘significant cyber threat’ posed by North Korean nation-state actors to global banking and financial institutions.

At the time, the U.S. government also offered a monetary reward of up to $5 million to anyone who could provide information about the activities carried out by North Korea-linked APT groups. The authorities would also pay for information about past hacking campaigns.

In July, the U.S. State Department increased the rewards to $10 million.

People who have information on any individuals associated with North Korea-linked APT groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act may be eligible for a reward.


Pierluigi Paganini

(SecurityAffairs – hacking, Maui ransomware)


Chinese actors behind attacks on industrial enterprises and public institutions

9 August 2022 at 14:52

China-linked threat actors targeted dozens of industrial enterprises and public institutions in Afghanistan and Europe.

In January 2022, researchers at Kaspersky ICS CERT uncovered a series of targeted attacks on military industrial enterprises and public institutions in Afghanistan and East Europe.

The attackers breached dozens of enterprises and in some cases compromised their IT infrastructure, taking over systems used to manage security solutions.

“All the victims identified are associated with the defense industry or are public institutions. The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan.” reads the report published by Kaspersky.

The threat actors launched spear-phishing campaigns against the victims; in some cases, the messages contained information about the victims that was not publicly available. This suggests that the attackers had deep knowledge of the targets, likely resulting from detailed preparatory work.

The emails used weaponized Microsoft Word documents exploiting the CVE-2017-11882 vulnerability.


The CVE-2017-11882 flaw is a memory-corruption issue that affects all versions of Microsoft Office released between 2000 and 2017. The vulnerability affects the MS Office component EQNEDT32.EXE which is responsible for the insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in memory, a bug that an attacker could exploit to execute malicious code in the context of the logged-in user.

Even though the flaw was patched in 2017, experts at Microsoft continue to see threat actors exploiting it in the wild.

The threat actors deploy multiple backdoors on the target systems; experts believe the attackers used them to create redundant channels of communication.

The information gathered by the experts led them to believe that the goal of the attacks was cyberespionage; the researchers linked the campaigns to a Chinese APT group tracked as TA428 (aka Colourful Panda, BRONZE DUDLEY).

Some indirect evidence that links the attacks to a China-linked group is the use of hacking utilities that are popular in China, the use of a second-stage CnC server located in China, and the fact that the CnC server registration information includes an email address in the Chinese domain 163.com specified in the administrator’s contact data.

One of the backdoors used by the group is called PortDoor, it was first detailed by Cybereason researchers in April 2021. Cybereason researchers reported that a China-linked APT group targeted the Russian defense contractor Rubin involved in designing nuclear submarines for the Russian Navy.

The PortDoor backdoor implements multiple functionalities, including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, and AES-encrypted data exfiltration.

Other malware employed in the attacks linked to TA428 includes nccTrojan, Logtu, Cotx, and DNSep, as well as previously undetected malware named CotSam.

Once they gained control of a target’s IT infrastructure, the threat actors started stealing sensitive information. Gathered files were packed into password-protected ZIP archives and sent to one of the stage-one malware C2 servers, which are located in different countries around the world.

In most cases, stage-one C2 servers were used to redirect the data received to a stage-two server in China.

“The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future. Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, industrial enterprises)


US sanctioned crypto mixer Tornado Cash used by North Korea-linked APT

9 August 2022 at 10:28

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the crypto mixer service Tornado Cash used by North Korea.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash used by North Korean-linked Lazarus APT Group.

Today, Treasury sanctioned virtual currency mixer Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. Virtual currency mixers that assist criminals are a threat to U.S. national security. https://t.co/x8sCXsNzUv

— Treasury Department (@USTreasury) August 8, 2022

Mixers are essential components for cybercriminals, who use them for money laundering; Tornado Cash was used to launder the funds stolen from victims.

According to OFAC, Tornado Cash was used to launder more than $7 billion worth of virtual currency since its creation in 2019. The Lazarus APT group laundered over $455 million stolen during the largest known virtual currency heist to date. Tornado Cash was also used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the recent Nomad crypto heist.

The sanction is being taken pursuant to Executive Order (E.O.) 13694.

“Today, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

In May, the U.S. Department of the Treasury sanctioned another cryptocurrency mixer, Blender.io, which was used by the North Korea-linked Lazarus APT to launder the funds stolen from Axie Infinity’s Ronin bridge. That was the first time ever that Treasury had sanctioned a virtual currency mixer.

“Virtual currency mixers that assist criminals are a threat to U.S. national security. Treasury will continue to investigate the use of mixers for illicit purposes and use its authorities to respond to illicit financing risks in the virtual currency ecosystem.” concludes the announcement published by the U.S. Treasury Department. “Criminals have increased their use of anonymity-enhancing technologies, including mixers, to help hide the movement or origin of funds.”


Pierluigi Paganini

(SecurityAffairs – hacking, Tornado Cash)


Malicious file analysis – Example 01

9 August 2022 at 09:17

Cyber Security Specialist Zoziel Pinto Freire shows an example of malicious file analysis presented during his lecture on BSides-Vitória 2022.

My objective with this series of articles is to show examples of malicious file analysis that I presented during my lecture on BSides-Vitória 2022.

For this first one, I’ll briefly introduce some crucial topics to ease the understanding of the analysis process.

What are malicious files?

  • Files whose internal structure contains malicious actions that could compromise the environment, account, workstation, server, or user that receives the file.

Some file types are used more often in attacks

Compressed files

  • ZIP, RAR and 7z

Microsoft Office Documents

  • DOC, DOCX, XLS, XLSX, XLSM

PDF files

Microsoft Office Documents

  • From a security point of view, files of the types DOC, DOCX, XLS, XLSX, and XLSM share a common issue: they can contain macros, which are embedded scripts that are executed from inside the file.

PDF Files

  • PDF files can be used to execute JavaScript, download files, access URLs, and execute commands.
  • Often they simply contain malicious links and induce the user to click on something.

Static Analysis x Dynamic Analysis

  • Static analysis is done without executing or opening the file/code.
  • Dynamic analysis is done while executing or opening the file/code.

Tools

Peframe

  • PEframe is an open source tool to perform static analysis of malware executables and malicious MS Office documents. 
  • Example: peframe file_name

Pdf-parser

  • PdfParser, a standalone PHP library, provides various tools to extract data from a PDF file.
  • Example: python2.7 pdf-parser.py file_name

Peepdf

  • peepdf is a Python tool to explore PDF files to find out if the file can be harmful or not.
  • Example: python2.7 peepdf.py file_name

Oletools

  • oletools – python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics, and debugging.
  • olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing, and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc).
  • Example: olevba file_name
  • oleobj is a Python script and module to parse OLE objects and files stored into various MS Office file formats (doc, xls, ppt, docx, xlsx, pptx, etc)
  • Example: oleobj file_name

ExifTool

  • ExifTool is a platform-independent Perl library plus a command-line application for reading, writing, and editing meta information in a wide variety of files.

Wireshark

  • Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.

URLscan

urlscan.io – Website scanner for suspicious and malicious URLs.

MXtoolBox

MxToolbox supports global Internet operations by providing free, fast, and accurate network diagnostic and lookup tools. Millions of technology professionals use our tools to help diagnose and resolve a wide range of infrastructure issues.

Example 01 – Static Analysis

Note: All tests were executed in a virtual machine with Linux operating system.

Here I’m going to show in practice how we can use some of the tools above to analyze a malicious file.

We start with ExifTool to try to gather information through metadata.

[Image: ExifTool output for the sample file]

Attention points:

  • In the figure above we can identify the name of the user who made the last modification to the file (a possible attacker name).
  • An alleged creator name (the username used to create the file).
  • In the title, it is possible to identify what looks like the execution of a file or command, but written in reverse.

When I use the rev command to reverse the ExifTool output, the line becomes easier to understand, as shown below.

[Image: ExifTool output piped through rev]

Using olevba it’s possible to identify malicious macros and their possible actions.

[Image: olevba output for the sample file]

Attention points:

  • May open a file
  • May write to a file (if combined with Open)
  • May run an executable file or a system command
  • May call a DLL using Excel 4 Macros (XLM/XLF)
  • May create an OLE object
  • May attempt to obfuscate specific strings
  • May run an executable file or a system command using Excel 4 Macros (XLM/XLF)
  • Base64-encoded strings were detected, which may be to obfuscate strings

Using PEframe it’s possible to get a similar result, but without the suspicious points shown by olevba.

[Image: PEframe output for the sample file]

Now performing dynamic analysis, I opened the file with the LibreOffice package, which displayed a warning that the macros may contain viruses.

[Image: LibreOffice macro security warning]

The content of the file induces the user to click the “Enable Editing” option.

[Image: document content prompting the user to enable editing]

As shown above, with a few small steps it was possible to perform an analysis and conclude that the file is malicious.
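The static steps above (metadata from ExifTool, the rev trick on the reversed title, macro presence, and olevba’s keyword and base64 findings) can be reproduced in a few lines of standard-library Python. The following script is an added example, not code from this article or from the oletools/ExifTool projects: it builds a constructed, harmless OOXML container with a reversed title and a placeholder vbaProject.bin part, reads the core properties ExifTool would show, and then runs olevba-style heuristics over macro source text as olevba would extract it (the keyword lists are a small subset chosen for the example, the sample macro text and the base64 string are constructed, and the two-signal verdict threshold is an assumption).

```python
"""Static triage of an Office document, stdlib only. Added example: the sample
document and macro text are constructed and harmless; keyword lists are a small
subset chosen for this example, not olevba's full tables."""
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
AUTOEXEC = ("AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open", "AutoExec")
SUSPICIOUS = ("Shell", "CreateObject", "WScript.Shell", "StrReverse", "Environ",
              "URLDownloadToFile")
REVERSED_HINTS = (".exe", ".dll", ".ps1", ".bat", "cmd", "powershell")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed macro text, standing in for what olevba extracts from a real file.
SAMPLE_VBA = """
Sub AutoOpen()
    cmd = StrReverse("exe.elif nur")
    Set sh = CreateObject("WScript.Shell")
    src = "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2Fk"
End Sub
"""

def build_sample_docx() -> bytes:
    """Constructed OOXML zip: reversed title, creator != last modifier, and a
    vbaProject.bin part holding placeholder bytes (not a real VBA stream)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:title>exe.elif nur</dc:title><dc:creator>template-builder</dc:creator>"
            "<cp:lastModifiedBy>operator77</cp:lastModifiedBy></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder")
    return buf.getvalue()

def extract_metadata(docx_bytes: bytes) -> dict:
    """The core properties ExifTool shows, plus whether a macro part is present."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("docProps/core.xml"))
    def field(tag: str) -> str:
        return getattr(root.find(tag, NS), "text", None) or ""
    return {"title": field("dc:title"), "creator": field("dc:creator"),
            "last_modified_by": field("cp:lastModifiedBy"),
            "has_vba_project": any(n.lower().endswith("vbaproject.bin") for n in names)}

def reversed_string_hint(value: str) -> str:
    """The `rev` step: return the reversed text when it, and not the original,
    looks like a file name or command; empty string otherwise."""
    low, rev = value.lower(), value[::-1].lower()
    if any(h in rev for h in REVERSED_HINTS) and not any(h in low for h in REVERSED_HINTS):
        return value[::-1]
    return ""

def triage_vba(vba_source: str) -> dict:
    """olevba-style pass: auto-exec names, suspicious keywords, base64 strings
    decoded to printable ASCII, and URL IOCs found in clear or decoded text."""
    def found(keyword: str) -> bool:
        return re.search(r"\b" + re.escape(keyword) + r"\b", vba_source) is not None
    decoded = []
    for tok in B64_RE.findall(vba_source):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    iocs = set(URL_RE.findall(vba_source))
    for text in decoded:
        iocs.update(URL_RE.findall(text))
    return {"autoexec": [k for k in AUTOEXEC if found(k)],
            "suspicious": [k for k in SUSPICIOUS if found(k)],
            "decoded_base64": decoded, "iocs": sorted(iocs)}

def analyze(docx_bytes: bytes, vba_source: str) -> dict:
    """Combine both passes; 'suspicious' needs at least two independent
    signals (the threshold is an assumption for this example)."""
    meta = extract_metadata(docx_bytes)
    vba = triage_vba(vba_source)
    rev = reversed_string_hint(meta["title"])
    checks = [(meta["has_vba_project"], "contains VBA project"),
              (vba["autoexec"], "auto-executing macro"),
              (vba["suspicious"], "suspicious keywords"),
              (vba["decoded_base64"], "base64-obfuscated strings"),
              (rev, "title written in reverse")]
    reasons = [label for hit, label in checks if hit]
    verdict = "suspicious" if len(reasons) >= 2 else "review"
    return {"metadata": meta, "reversed_title": rev, **vba,
            "reasons": reasons, "verdict": verdict}
```

On a real file the metadata pass works directly on the .docx/.xlsm zip, while the macro pass expects the decompressed source that `olevba` prints, since the VBA inside vbaProject.bin is stored in MS-OVBA compressed form and is not searchable as raw bytes. Treat the output as triage, not a verdict: a base64 string that decodes to a URL, an auto-executing macro name, and a title that only reads correctly backwards are the same signals the article flags as attention points.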

See you in the next analysis 🙂

About the author: Zoziel Pinto Freire

Cyber Security Specialist | Forensic Expert | Threat Hunter | BlueTeam | RedTeam | Pentester | Assessment


Orchard botnet uses Bitcoin Transaction info to generate DGA domains

8 August 2022 at 22:24

Experts spotted a new botnet named Orchard using Bitcoin creator Satoshi Nakamoto’s account information to generate malicious domains.

360 Netlab researchers recently discovered a new botnet named Orchard that uses the transaction information of Satoshi Nakamoto’s Bitcoin account (1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa) to generate DGA domain names.

“Another change relates to the use of the DGA algorithm employed in the attacks. While the first two variants exclusively rely on date strings to generate the domain names, the newer version uses balance information obtained from the cryptocurrency wallet address “1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.” reads the analysis published by the researchers. “It’s worth pointing out that the wallet address is the miner reward receiving address of the Bitcoin Genesis Block, which occurred on January 3, 2009, and is believed to be held by Nakamoto.”

“Over the past decade or so, small amounts of bitcoin have been transferred to this wallet on a daily basis for various reasons, so it is variable and that change is difficult to predict, so the balance information for this wallet can also be used as DGA input,” the researchers added.

According to the researchers, this technique is more unpredictable than the common time-based DGAs because of the uncertainty of Bitcoin transactions, and is therefore more difficult to defend against.

The researchers have discovered three versions of this botnet since February 2021; they also noticed that its operators switched programming languages during the same period.

The bot allows operators to deploy additional malware onto the infected machine and execute commands received from the C2 server.

The Orchard botnet uses a redundant C2 mechanism of “hardcoded domain + DGA”; the experts discovered that each version includes a unique hardcoded DuckDNS dynamic domain name as C2.

All the versions analyzed by the experts support propagation by infecting USB disks; however, the experts believe Orchard can be spread in other ways too.

The three versions of Orchard basically support the same functionalities, including:

  • Uploading device and user information
  • Responding to commands/downloading to execute the next stage of the module
  • Infecting USB storage devices

Netlab researchers reported that v1 and v2 have already infected thousands of machines, while v3 has infected fewer systems because of its late appearance.

Version 3 supports features to launch the XMRig Monero mining software.


“Orchard is a botnet family that uses DGA technology. The latest version is dedicated to mining and has started using more unpredictable information like transaction information of bitcoin accounts as input to DGA, making detection more difficult. In over 1 year, Orchard has appeared in 3 different versions with changes in programming language and DGA implementation, indicating that Orchard is a botnet family that is still active and deserves our vigilance.” concluded the report. “We expect more variants to emerge subsequently, for which we will continue to keep an eye on, and will continue to disclose new findings.”



Twilio discloses data breach that impacted customers and employees

8 August 2022 at 18:16

Communications company Twilio disclosed a data breach after threat actors stole employee credentials in an SMS phishing attack.

Communications company Twilio disclosed a data breach in which threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack.

Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.

The company has more than 5,000 employees in 17 countries, and its revenues in 2021 were US$2.84 billion.

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.” reads the incident report published by Twilio over the weekend.

The company did not disclose the number of affected employees and customers.

Company employees received phishing messages impersonating the IT department; the messages informed the recipient that their password had expired or that their schedule had changed, and urged them to log in to a URL controlled by the attacker. The URLs in the messages included words like “Twilio,” “Okta,” and “SSO” in an attempt to trick users into clicking a link that redirected them to a landing page impersonating Twilio’s sign-in page. The text messages originated from U.S. carrier networks.


“The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down,” continues the incident report. “Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Twilio reported that it is aware of similar attacks that hit other companies, and for this reason it has coordinated its response to the threat actors. The company is collaborating with carriers to stop the malicious messages, as well as with registrars and hosting providers to shut down the malicious URLs.

The company has also revoked access to the compromised employee accounts.

“As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details. If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack.” concludes the report. “The Twilio Security Incident Response Team will post additional updates here if there are any changes. Also note that Twilio will never ask for your password or ask you to provide two-factor authentication information anywhere other than through the twilio.com portal.”


LogoKit update – The phishing kit leveraging Open Redirect Vulnerabilities

8 August 2022 at 15:11

LogoKit – Threat actors are leveraging Open Redirect vulnerabilities in popular online services and apps to bypass spam filters in phishing campaigns.

Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company providing managed threat detection and response for Fortune 500 companies, identified threat actors leveraging Open Redirect vulnerabilities in popular online services and apps to bypass spam filters and ultimately deliver phishing content.

Using highly trusted service domains like Snapchat and other online services, they create special URLs which lead to malicious resources hosting phishing kits. The kit identified is named LogoKit, which was previously used in attacks against the customers of Office 365, Bank of America, GoDaddy, Virgin Fly, and many other major financial institutions and online services internationally.

The spike in LogoKit activity was identified around the beginning of August, when multiple new domain names impersonating popular services were registered and leveraged together with Open Redirects. While LogoKit has been known in the underground for a while, at least since 2015, the cybercrime group behind it constantly leverages new tactics.

LogoKit is known for its dynamic content generation using JavaScript: it is able to change the logo (of the impersonated service) and the text on the landing page in real time, adapting on the fly so that targeted victims are more likely to interact with the malicious resource. Around November 2021, there were over 700 identified domain names used in campaigns leveraging LogoKit, and their number is constantly growing.

Notably, the actors prefer to use domain names in exotic jurisdictions or zones with relatively poor abuse management processes (.gq, .ml, .tk, .ga, .cf), or to gain unauthorized access to legitimate web resources and then use them as hosting for further phishing distribution.

LogoKit relies on sending users phishing links that contain their email addresses. Once the victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database. The victim’s email is then auto-filled in the email or username field, which tricks them into feeling they have logged in before. Should the victim then enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source, and finally redirects the victim to their “legitimate” corporate website.

These tactics allow cybercriminals to hide their activity behind the notifications of legitimate services to evade detection, thus tricking the victim into accessing the malicious resource.

Unfortunately, the use of Open Redirect vulnerabilities significantly facilitates LogoKit distribution, as many (even popular) online services don’t treat such bugs as critical and in some cases don’t even patch them, leaving the door open for such abuse.


Additional details are reported in the analysis published by Resecurity.


Attackers abuse open redirects in Snapchat and Amex in phishing attacks

8 August 2022 at 05:53

Threat actors abuse open redirects on Snapchat and American Express to launch phishing attacks against Microsoft 365 users.

Attackers abused open redirects on the websites of Snapchat and American Express as part of a phishing campaign targeting Microsoft 365 users.

The term open URL redirection (open redirect) refers to a security issue that makes it easier for attackers to direct users to malicious resources under their control.

An open redirect occurs when a website fails to validate user input, allowing attackers to manipulate the URLs of high-reputation domains so that they redirect victims to malicious sites. Victims trust the link because the first domain name in the manipulated link is a trusted domain such as American Express or Snapchat.

“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.” reads a post published by Inky.

“The following example shows an open redirect link. A surfer sees the link going to a safe site (safe.com) but may not realize this domain will redirect them to a malicious site (malicious.com), which may harvest credentials or distribute malware.

http://safe.com/redirect?url=http://malicious.com”

During the past two months, INKY researchers observed phishing attacks leveraging the snapchat[.]com open redirect. The attackers sent 6,812 phishing emails originating from various hijacked accounts. Below is the Snapchat link manipulated to redirect to a malicious site:

https://click.snapchat[.]com/aVHG?=http://29781.google.com&af_web_dp=http://qx.oyhob.acrssd[.]org. #.aHR0cHME6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzI0MjY4ZTMyLT E2MEmQtNDUxYi1hNTc4LWZhNzg0OTdiZjM4NC1idWWNrZXQvb2Z maWNlMzY1Lmh0bWwjYWNvb3BlckBjcHRsaGVhbHRoLmNvbQ==

The phishing messages exploiting the Snapchat open redirect impersonated DocuSign, FedEx, and Microsoft and led to landing sites designed to harvest Microsoft credentials. 


The experts reported the Snapchat vulnerability to the company through the Open Bug Bounty platform on August 4, 2021, but the issue is yet to be addressed.

Unlike Snapchat, American Express quickly fixed the issue, which was being exploited in late July.

“When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.” concludes the report. “Recipients of emails with links should also examine them for multiple occurrences of “http” in the URL, another potential indication of redirection. Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture.”

If redirection is necessary for commercial reasons, domain owners should present users with an external redirection disclaimer that requires a user click before redirecting to external sites.
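The indicators INKY lists (a “url=” or “redirect=” style parameter, “external-link” or “proxy” in the path, more than one “http” in a single link) and the site-owner mitigation can both be made concrete in code. The following Python is an added example, not code from the INKY report: `classify_link` scores a link by those indicators and separates the outer, trusted host from the host the link actually hops to, and `safe_redirect_target` is the check a redirect endpoint can apply before honoring a requested target, accepting only same-site paths or allow-listed hosts and rejecting scheme-relative (`//host`) and backslash forms. The parameter-name list and the sample links other than the report’s own safe.com/malicious.com illustration are constructed assumptions.

```python
"""Open-redirect indicators in links, and a server-side target check.
Added example, not from the INKY report; the parameter-name list and the
sample links (except the safe.com one quoted in the text) are constructed."""
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameters commonly used to carry a redirect target (assumed list;
# the report itself names "url=", "redirect=", "external-link" and "proxy").
REDIRECT_PARAMS = {"url", "redirect", "redirect_url", "redirect_uri", "next",
                   "return", "returnurl", "goto", "dest", "destination",
                   "target", "continue", "af_web_dp"}
PATH_HINTS = ("redirect", "external-link", "proxy")

# Constructed sample links; the first is the report's own illustration.
SAMPLE_LINKS = [
    "http://safe.com/redirect?url=http://malicious.com",
    "https://mail.example.com/inbox?folder=3",
    "https://trusted.example/track?af_web_dp=https%3A%2F%2Flure.example.test%2Flogin",
]


def classify_link(link: str) -> dict:
    """Report the indicators the text describes: an absolute URL inside a
    redirect-style parameter, more than one 'http' in the decoded link, and a
    redirect-like path. Outer host vs. hop target is the trust gap a reader sees."""
    parts = urlsplit(link)
    targets = []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        val = unquote(val)
        if key.lower() in REDIRECT_PARAMS or val.lower().startswith(("http://", "https://", "//")):
            try:
                hop = urlsplit(val)
            except ValueError:
                continue
            if hop.netloc:  # only an absolute target is a cross-domain hop
                targets.append((key, hop.hostname))
    http_count = unquote(link).lower().count("http")
    path_hint = any(h in parts.path.lower() for h in PATH_HINTS)
    return {
        "outer_host": parts.hostname or "",
        "redirect_targets": targets,
        "http_count": http_count,
        "path_hint": path_hint,          # weaker signal, reported but not scored alone
        "suspicious": bool(targets) or http_count > 1,
    }


def safe_redirect_target(requested: str, allowed_hosts, fallback: str = "/") -> str:
    """Server-side mitigation for a redirect endpoint: honor only same-site
    paths or allow-listed hosts; anything else (other hosts, scheme-relative
    '//host', backslashes, non-http schemes) falls back to a safe page."""
    if not requested or requested.startswith("//") or "\\" in requested:
        return fallback
    try:
        parts = urlsplit(requested)
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        return requested if requested.startswith("/") else fallback
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return requested
    return fallback


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
```

Note that `safe_redirect_target` compares the exact hostname, so `app.example.com.evil.test` is not mistaken for `app.example.com`; and because it runs after the web framework has already percent-decoded the parameter, the `//` check sees the decoded form. Where a redirect to an arbitrary external site really is a product requirement, the interstitial disclaimer page the report recommends is the fallback target to use here.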


Microsoft is blocking Tutanota email addresses from registering a MS Teams account

8 August 2022 at 05:51

Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.

Tutanota is an end-to-end encrypted email app and a freemium secure email service; as of March 2017, its owners claimed to have over 2 million users.

The news is that Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.

“Politicians on both sides of the Atlantic are discussing stronger antitrust legislation to regulate Big Tech – and such laws are badly needed as the blocking of Tutanota users from Microsoft Teams demonstrates. Big Tech companies have the market power to harm smaller competitors with some very easy steps like refusing smaller companies’ customers from using their own services.” reads a comment shared by the German email service provider. “Currently, Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account. This severe anti-competitive practice forces our customers to register a second email address – possibly one from Microsoft themselves – to create a Teams account.”

Microsoft doesn’t recognize Tutanota as an email service; it treats the domain as a corporate address.

The first time a Tutanota user registered a Teams account, the domain was recognized as a corporation; for this reason, other users of the popular email service were not able to register their own accounts and were asked to contact their admin.


“We repeatedly tried to solve the issue with Microsoft, but unfortunately our request was ignored”, says Matthias Pfau, co-founder of Tutanota.

“Microsoft would only have to change the settings that Tutanota is an email service so that everyone can register an individual account but they (Microsoft) say such a change is not possible.”

Let’s see whether Microsoft will solve the issue, allowing 2 million users to use its MS Teams service.


Serious cyberattack hits German Chambers of Industry and Commerce (DIHK)

7 August 2022 at 16:37

A massive cyberattack hit the website of the German Chambers of Industry and Commerce (DIHK) this week.

A massive attack hit the website of the German Chambers of Industry and Commerce (DIHK) forcing the organization to shut down its IT systems as a precautionary measure for security reasons.

Work on a solution and on defensive measures is currently under way. We will inform you here which applications are operational again: https://t.co/LtrMItl8Sb#IHK #DIHK pic.twitter.com/5OHMOLH7Mz

— DIHK (@DIHK_News) August 4, 2022

“Due to a possible cyber attack, the IHK organization has shut down its IT systems as a precautionary measure for security reasons. We are currently working intensively on a solution and defense. The IT systems are successively started up after testing, so that the services are then available again for companies.” reads the announcement published by the German Chambers of Industry and Commerce (DIHK).

DIHK states that phone and fax are the only channels available to contact it.

Michael Bergmann, chief executive of DIHK, described the attack as serious and massive; he also added that the organization was not able to estimate how long its systems would be down.

Bergmann did not provide further details about the attack, but the circumstances suggest the German Chambers of Industry and Commerce was the victim of a ransomware attack.

“We will inform you at this point and on other channels which applications are functional again. As soon as the security of our systems has been fully restored, you will of course also be informed.” concludes the announcement.


Security Affairs newsletter Round 377

7 August 2022 at 12:46

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Greek intelligence service used surveillance malware to spy on a journalist, Reuters reports
Slack resets passwords for about 0.5% of its users due to the exposure of salted password hashes
Twitter confirms zero-day used to access data of 5.4 million accounts
The popularity of Dark Utilities ‘C2-as-a-Service’ rapidly increases
DHS warns of critical flaws in Emergency Alert System encoder/decoder devices
CISA adds Zimbra email bug to Known Exploited Vulnerabilities Catalog
Mysterious threat actor TAC-040 used previously undetected Ljl Backdoor
New Linux botnet RapperBot brute-forces SSH servers
New Woody RAT used in attacks aimed at Russian entities
Unauthenticated RCE can allow hacking DrayTek Vigor routers without user interaction
Taiwan Government websites suffered DDoS attacks during the Nancy Pelosi visit
Hackers stole $200 million from the Nomad crypto bridge
Cisco addressed critical flaws in Small Business VPN routers
Power semiconductor component manufacturer Semikron suffered a ransomware attack
Manjusaka, a new attack tool similar to Sliver and Cobalt Strike
Google fixed Critical Remote Code Execution flaw in Android
Busting the Myths of Hardware Based Security
VMware fixed critical authentication bypass vulnerability
LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender
Gootkit AaaS malware is still active and uses updated tactics
Austria investigates DSIRF firm for allegedly developing Subzero spyware 
ALPHV/BlackCat ransomware gang claims to have stolen data from Creos Luxembourg S.A.
Australian man charged with creating and selling the Imminent Monitor spyware
A flaw in Dahua IP Cameras allows full take over of the devices
US Federal Communications Commission (FCC) warns of the rise of smishing attacks
Threat actor claims to have hacked European manufacturer of missiles MBDA
17 Android Apps on Google Play Store, dubbed DawDropper, were serving banking malware
Security Affairs newsletter Round 376 by Pierluigi Paganini
North Korea-linked SharpTongue spies on email accounts with a malicious browser extension


GwisinLocker ransomware exclusively targets South Korea

7 August 2022 at 12:24

Researchers spotted a new family of ransomware, named GwisinLocker, that encrypts Windows and Linux ESXi servers.

Researchers warn of a new ransomware called GwisinLocker that is able to encrypt Windows and Linux ESXi servers. The ransomware targets South Korean healthcare, industrial, and pharmaceutical companies; its name comes from the name of the author, ‘Gwisin’ (ghost in Korean).

The ransomware is distributed through targeted attacks against specific organizations. 

Experts also reported that the names of South Korean entities, such as the Korean police, the National Intelligence Service, and KISA, are listed on the ransom note.

According to local media, the Gwisin threat actor hits Korean companies on public holidays and early in the morning.

The attack chain on Windows systems leverages an MSI installer and requires a special value as an argument to run the DLL file included in the MSI.

“It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI.” reads the report published by security firm Ahnlab. “As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware’s internal DLL operates by being injected into a normal Windows process. The process is different for each infected company.”

The GwisinLocker ransomware is able to operate in safe mode: it first copies itself to a certain path under ProgramData and then registers itself as a service before forcing a system reboot.

[Image: GwisinLocker (source: Ahnlab)]

Researchers from ReversingLabs analyzed the Linux version of the ransomware; they pointed out that it is a sophisticated piece of malware with features specially designed to manage Linux hosts and target VMware ESXi virtual machines. GwisinLocker combines AES symmetric-key encryption with SHA256 hashing, generating a unique key for each file.

The victims of the Linux GwisinLocker variant are required to log into a portal operated by the group to get in contact with the crooks.  

“Analysis and public reporting of the larger GwisinLocker campaign suggests the ransomware is in the hands of sophisticated threat actors who gain access to- and control over target environments prior to the deployment of the ransomware. That includes identifying and stealing sensitive data for use in so-called “double extortion” campaigns.” concludes the report published by Reversinglabs. “Details in samples of the group’s ransom notes suggest a familiarity with the Korean language as well as South Korean government and law enforcement. This has led to speculation that Gwisin may be a North Korean-linked advanced persistent threat (APT) group”


Greek intelligence service used surveillance malware to spy on a journalist, Reuters reports

6 August 2022 at 20:46

Greek intelligence admitted it had spied on a journalist, while citizens ask the government to reveal the use of surveillance malware.

The head of the Greek intelligence told a parliamentary committee that they had spied on a journalist with surveillance malware, Reuters reported citing two sources present.

The revelation comes while media and journalists are pressuring the government to reveal its use of surveillance software.

The committee was called after the leader of the socialist opposition PASOK party, Nikos Androulakis, claimed authorities attempted to install surveillance software on his mobile device.

The practice of using surveillance malware to spy on journalists and politicians emerged in several European countries.

“At the July 29 hearing, Panagiotis Kontoleon, chief of the EYP intelligence service, told parliament’s institutions and transparency committee that his service had spied on Thanasis Koukakis, a financial journalist who works for CNN Greece, two lawmakers present at the hearing told Reuters.” reported Reuters.

“He admitted the surveillance, absolutely,” one of the lawmakers present at the hearing told Reuters on Wednesday.

Curiously, government spokesman Giannis Oikonomou told Reuters that Greek authorities do not use the spyware allegedly used to spy on Koukakis.

In February, the European Data Protection Supervisor (EDPS) called for a ban on the development and use of surveillance software like the Pegasus spyware in the EU.

In April, a report published by Reuters revealed that Israeli surveillance software was used to spy on senior officials in the European Commission.


Slack resets passwords for about 0.5% of its users due to the exposure of salted password hashes

6 August 2022 at 18:06

Slack is resetting passwords for approximately 0.5% of its users after a bug exposed salted password hashes when users created or revoked a shared invitation link for their workspace.

Slack announced that it is resetting passwords for about 0.5% of its users after a bug exposed salted password hashes when creating or revoking shared invitation links for workspaces.

This issue was reported by an independent security researcher and disclosed to Slack on 17 July 2022. The company states that the bug affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.” reads the advisory published by Slack.


Upon receiving the report from the security researcher, the company immediately addressed the flaw and investigated its potential impact on users. Slack pointed out that it doesn’t believe anyone has obtained plaintext passwords by exploiting this issue.

The company also added that it is practically infeasible to derive a password from the associated hash, and exposed hashes cannot be used to authenticate. 

“All active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our Help Centre: https://get.slack.help/hc/en-us/articles/201909068” concludes the advisory. “We recommend that all users use two-factor authentication, ensure that their computer software and antivirus software are up to date, create new, unique passwords for every service that they use and use a password manager.”

Slack says the bug impacted all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022, the day it was alerted to the issue by an unnamed independent security researcher.

It’s worth pointing out that the hashed passwords were not visible to any Slack clients, meaning access to the information necessitated active monitoring of the encrypted network traffic originating from Slack’s servers.

Pierluigi Paganini

Twitter confirms zero-day used to access data of 5.4 million accounts

5 August 2022 at 22:08

Twitter confirmed that the recent data breach that exposed data of 5.4 million accounts was caused by the exploitation of a zero-day flaw.

At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.

The threat actor offered the stolen data for sale on the popular hacking forum Breached Forums. In January, a report published on HackerOne claimed the discovery of a vulnerability that could be exploited by an attacker to find a Twitter account by its associated phone number or email address, even if the user had opted to prevent this in the privacy options.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities”

The seller claimed that the database contained data (i.e., emails and phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of the data as a CSV file.

Twitter data leak
Source RestorePrivacy

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy.

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.

Now Twitter confirmed that the data breach was caused by the now-patched zero-day vulnerability submitted by zhirinovskiy via bug bounty platform HackerOne.

Twitter confirmed the existence of this vulnerability and awarded zhirinovskiy with a $5,040 bounty.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

The company is notifying the impacted users; it also added that it is aware of the risks the breach poses to users who operate a pseudonymous Twitter account to protect their privacy.

The company pointed out that no passwords were exposed, but encourages its users to enable 2-factor authentication using authentication apps or hardware security keys to protect their accounts from unauthorized logins.

BleepingComputer reported that two different threat actors purchased the data for less than the original asking price, which means this data could be used to target Twitter accounts in the future.

Pierluigi Paganini

The popularity of Dark Utilities ‘C2-as-a-Service’ rapidly increases

5 August 2022 at 20:45

Dark Utilities “C2-as-a-Service” is attracting a growing number of customers searching for a command-and-control for their campaigns.

The popularity of the Dark Utilities “C2-as-a-Service” is rapidly increasing: over 3,000 users are already using it as the command-and-control for their campaigns.

Dark Utilities, launched in early 2022, is a platform that provides full-featured C2 capabilities to its users. It is advertised as a platform to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.

It allows threat actors to target multiple architectures without requiring technical skills. The operators of the platform offer technical support and assistance to the customers through Discord and Telegram.

“Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel.” reads the analysis published by Cisco Talos researchers. “The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources.”


The platform is hosted on both the clear internet and the Tor network; its operators offer premium access to the platform, the associated payloads and API endpoints for 9.99 euros. At the time of writing, the platform had enrolled roughly 3,000 users, which corresponds to approximately 30,000 euros in income.

The Dark Utilities platform uses Discord for user authentication and implements a dashboard displaying platform statistics, server health status and other metrics.

Users can generate new payloads for specific operating systems and deploy them on the victim machines.

“Selecting an operating system causes the platform to generate a command string that threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.” continues the report.

The researchers pointed out that payloads provided by the platform are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.

IPFS is a distributed, peer-to-peer network, which makes takedowns by authorities difficult. IPFS supports gateways, which operate similarly to Tor2Web gateways, allowing users on the internet to access content hosted within IPFS without installing a client application.

Dark Utilities appears to have been designed by a threat actor that goes under the moniker Inplex-sys. 

Talos researchers believe Inplex-sys collaborated with one of the operators of a botnet service called Smart Bot, which is designed to launch spam attacks, or “raids” against the Discord and Twitch communication platforms.

“Although the Dark Utilities platform was recently established, thousands of users have already been enrolled and joined the platform. Given the amount of functionality that the platform provides and the relatively low cost of use, we expect this platform will continue to rapidly expand its user base.” concludes the report. “This will likely result in an increase in the volume of malware samples in the wild attempting to establish C2 using the platform.”

Pierluigi Paganini

DHS warns of critical flaws in Emergency Alert System encoder/decoder devices

5 August 2022 at 14:10

The U.S. DHS warns of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices.

The Department of Homeland Security (DHS) warned of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices. Threat actors could exploit the flaws to send fake emergency alerts via TV, radio networks, and cable networks.

The Emergency Alert System (EAS) is a national public warning system that requires radio and TV broadcasters, cable TV, wireless cable systems, satellite and wireline operators to provide the President with the capability to address the American people within 10 minutes during a national emergency.

The alert was issued by the DHS Federal Emergency Management Agency (FEMA) through the Integrated Public Alert and Warning System (IPAWS).

The vulnerabilities in EAS encoder/decoder devices were discovered by security researcher Ken Pyle from CYBIR.

“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).” reads the advisory. “This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.”

The US DHS did not disclose details about the flaws to prevent active exploitation in the wild.

The researcher plans to present a proof of concept for the issues at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.

FEMA recommends that EAS participants ensure that:

  1. EAS devices and supporting systems are up to date with the most recent software versions and security patches;
  2. EAS devices are protected by a firewall;
  3. EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.

Pierluigi Paganini
