Google announced support for a V8 Sandbox in the Chrome web browser to protect users from exploits triggering memory corruption issues.

Google has announced support for what’s called a V8 Sandbox in the Chrome web browser. The company included the V8 Sandbox in Chrome’s Vulnerability Reward Program (VRP). Chrome 123 is a sort of “beta” release for the sandbox designed to mitigate memory corruption issues in the Javascript engine.

The V8 Sandbox is designed to prevent memory corruption issues that would impact other areas of memory in the process.

Almost every Chrome exploits observed in the wild between 2021 and 2023 triggered a memory corruption issue in a Chrome renderer process that was exploited for remote code execution (RCE). The majority of these issues (60%) impacted the V8 Javascript engine.

“V8 vulnerabilities are rarely “classic” memory corruption bugs (use-after-frees, out-of-bounds accesses, etc.) but instead subtle logic issues which can in turn be exploited to corrupt memory. As such, existing memory safety solutions are, for the most part, not applicable to V8.” reads the announcement. “In particular, neither switching to a memory safe language, such as Rust, nor using current or future hardware memory safety features, such as memory tagging, can help with the security challenges faced by V8 today.”

The researchers highlighted that a common thread among nearly all V8 vulnerabilities is that the eventual memory corruption occurs within the V8 heap. This is primarily because the compiler and runtime predominantly deal with V8 HeapObject instances.

To mitigate such vulnerabilities the researchers devised a technique to isolate V8’s (heap) memory to prevent memory corruption from spreading to other parts of the process’ memory.

“The sandbox limits the impact of typical V8 vulnerabilities by restricting the code executed by V8 to a subset of the process’ virtual address space (“the sandbox”), thereby isolating it from the rest of the process. This works purely in software (with options for hardware support, see the respective design document linked below) by effectively converting raw pointers either into offsets from the base of the sandbox or into indices into out-of-sandbox pointer tables. In principle, these mechanisms are very similar to the userland/kernel separation used by modern operating systems (e.g. the unix file descriptor table).” states Google. “The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory inside the sandbox address space as this primitive can be constructed from typical V8 vulnerabilities. Further, it is assumed that an attacker will be able to read memory outside of the sandbox, for example through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. As such, any corruption of memory outside of the sandbox address space is considered a sandbox violation.”

Software-based sandbox replaces data types that can access out-of-sandbox memory with “sandbox-compatible” alternatives.

In the software-based sandbox, only the V8 heap is enclosed within the sandbox. As a result, the overall structure is similar to the sandboxing model employed by WebAssembly.

The researchers state that the majority of the overhead generated by the sandbox primarily arises from the pointer table indirection for external objects. A minor overhead is related to the use of offsets instead of raw pointers, primarily involving a shift+add operation, anyway this is quite inexpensive. The sandbox’s overhead is approximately 1% or less on standard workloads, as determined by measurements using the Speedometer and JetStream benchmark suites. Consequently, the V8 Sandbox can be activated by default on compatible platforms.

“The V8 Sandbox must be enabled/disabled at build time using the v8_enable_sandbox build flag. It is (for technical reasons) not possible to enable/disable the sandbox at runtime. The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte.” concludes the announcement.

“The V8 Sandbox has already been enabled by default on 64-bit (specifically x64 and arm64) versions of Chrome on Android, ChromeOS, Linux, macOS, and Windows for roughly the last two years.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, V8 Sandbox)

Researchers discovered a sophisticated multi-stage attack that leverages ScrubCrypt to drop VenomRAT along with many malicious plugins.

Fortinet researchers observed a threat actor sending out a phishing email containing malicious Scalable Vector Graphics (SVG) files. The email is crafted to trick recipients into clicking on an attachment, which downloads a ZIP file containing a Batch file obfuscated with the BatCloak tool. Then the attackers use ScrubCrypt to load the final payload VenomRAT. The malicious code connects the command and control (C2) server to install additional plugins on the victims’ system., which include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed to drain funds from specific crypto wallets.

The campaign is notable for its utilization of the BatCloak malware obfuscation engine and ScrubCrypt to distribute the malware through obfuscated batch scripts.

BatCloak is a fully undetectable (FUD) malware obfuscation engine used by threat actors to stealthily deliver their malware since September 2022.

In June 2023, Trend Micro researchers detailed the malware obfuscation engine BatCloak which multiple threat actors used. The samples analyzed by the experts demonstrated a remarkable ability to persistently evade anti-malware solutions

The researchers discovered that the BatCloak engine was part of FUD builder named Jlaive that began circulating in 2022, The analysis of the Jlaive repository revealed the developer (ch2sh)’s effort in FUD technologies. The developers used AES encryption and implemented techniques to bypass the anti-malware scan interface (AMSI). After the repository containing the open-source tool was taken down in September 2022, it has since been cloned and modified by other threat actors. The researchers discovered modified versions and clones offered Jlaive as a one-time service for purchase, instead of a classic subscription-based model. While many of the repositories containing modified or cloned Jlaive versions continue to be removed from code hosting sites such as GitHub and GitLab, threat actors continue to upload the code and in some cases development team have also ported to other languages such as Rust.

The ScrubCrypt crypter is available for sale on hacking forums, it allows securing applications with a unique BAT packing method.

ScrubCrypt was first detailed by Fortinet in March 2023 when a threat actor tracked as 8220 Gang was spotted using it in cryptojacking campaigns.

Fortinet experts conclude that this campaign is very sophisticated because leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt.

“The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.” concludes the report that also includes indicators of compromise (IoCs). “The attackers’ ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ScrubCrypt)

Researchers found multiple vulnerabilities in LG webOS running on smart TVs that could allow attackers to gain root access to the devices.

Bitdefender researchers discovered multiple vulnerabilities in LG webOS running on smart TVs that could be exploited to bypass authorization and gain root access on the devices.

The vulnerabilities discovered by the researchers impact WebOS versions 4 through 7 running on LG TVs.

“WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by the LG ThinkQ smartphone app to control the TV. To set up the app, the user must enter a PIN code into the display on the TV screen.” reads the advisory. “An error in the account handler lets an attacker skip the PIN verification entirely and create a privileged user profile.”

The researchers pointed out that despite the vulnerable service is intended for LAN access only, querying Shodan they identified over 91,000 devices that expose the service to the Internet. At this time, the number of exposed devices decreased to 88,000. Most of the Internet-facing devices are in South Korea, Hong Kong, the U.S., Sweden, and Finland.

Below is the list of vulnerabilities discovered by the experts in November 2023:

• CVE-2023-6317 – An authentication bypass issue that can be exploited to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
• CVE-2023-6318 – An elevation of privileges issue that can be exploited to elevate privileges and gain root access to take control of the device
• CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics
• CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint

The vulnerabilities impact the following webOS versions:

• webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
• webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
• webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
• webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA

Below is the disclosure timeline:

• November 01, 2023: Vendor disclosure
• November 15, 2023: Vendor confirms the vulnerabilities.
• December 14, 2023: Vendor requests extension
• March 22, 2024: Patch release
• April 09, 2024: Public release of this report

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, smart TVs)

As technology evolves and our dependence on digital systems increases, the cybersecurity threat landscape also rapidly changes, posing fresh challenges for organizations striving to protect their assets and data.

The battle between cybersecurity defenders and malicious actors rages on in the vast digital expanse of today’s interconnected world. As technology advances and our reliance on digital infrastructure grows, the threat landscape morphs and mutates, presenting new challenges for organizations trying to safeguard their assets and data.

The common maxim today is that when it comes to breaches, it’s no longer a case of ‘if’ but ‘when’ or ‘how often?’. Cybersecurity has always been seen as a catch-up game, with determined adversaries a step ahead.

However, while companies struggle to stay ahead of emerging threats, there are several tools and approaches they can adopt to bolster their cybersecurity strategies.

A Dynamic, Complex Threat Landscape

Today’s cyber threat landscape is characterized by its dynamic and complex nature. No longer confined to isolated malware or phishing attacks, threats now encompass a wide range of sophisticated tactics, techniques, and procedures (TTPs) used by cybercriminals and nation-state actors alike.

The cybercriminal’s arsenal grows daily, from ransomware and supply chain attacks to advanced persistent threats (APTs) and zero-day exploits.

One of the primary reasons why entities battle to stay ahead of emerging threats is the rapid pace of technological innovation. As businesses in every sector embrace digital transformation initiatives, adopting cloud computing, Internet of Things (IoT) devices, automation, AI, and interconnected ecosystems, their attack surface widens exponentially.

Each new technology comes with its own set of vulnerabilities and potential chinks in the armor for attackers to slip through, making it increasingly challenging to maintain robust defenses.

Moreover, the asymmetric nature of cyber attacks exacerbates the problem. While security practitioners must safeguard against every possible attack vector, adversaries only need to exploit a single weakness to get a foot in the door.

This inherent imbalance tilts the scales in the attackers’ favor, forcing organizations into a perpetual game of cat and mouse as they attempt to anticipate and mitigate the barrage of evolving threats.

Old Tools Are Failing Miserably

In their mission to strengthen their digital defenses, defenders employ a range of tools and approaches, each with their strengths and weaknesses. Historically, traditional perimeter-based defenses, such as firewalls and intrusion detection systems (IDS), were the foundation of most cybersecurity strategies.

While effective at foiling known threats and preventing unauthorized access to network resources, these traditional measures fail miserably in the face of increasingly sophisticated attacks that bypass perimeter defenses through social engineering or insider threats.

Similarly, in this era of distributed work, employees access company resources from various locations and devices. The idea that a secure network perimeter will keep the bad guys out has become obsolete.

With the proliferation of remote workers and cloud-based apps and services, the boundaries of the corporate network have blurred, with little distinction between inside and outside.

As a result, bad actors have a much broader attack surface to exploit. Moreover, the rise of the bring-your-own-everything phenomenon – be it device, application, or connection – complicates matters even more. Businesses now have to work hard to enforce consistent security controls across a diverse array of personal and corporate-owned devices, unsanctioned apps, and shadow IT.

It’s clear that in today’s distributed world, reliance on perimeter-based defenses alone leaves entities vulnerable to sophisticated cyber threats that can circumvent these measures with ease.

Navigating Through a Sea of Options

There are a range of threat detection and response solutions to help identify any malicious activity that could compromise the network and then help security teams respond quickly to mitigate or neutralize the threat before it can turn into a major incident.

Endpoint security solutions, including antivirus software and Endpoint Detection and Response (EDR) tools, aim to protect individual devices from malicious activity. By monitoring endpoint behavior and pinpointing anomalous patterns that might be signs of a cyber threat, these tools provide a crucial layer of defense against malware, ransomware, and other endpoint-centric attacks.

However, their effectiveness is often limited by the sheer volume of endpoints in today’s IT environments, making comprehensive endpoint protection a daunting task for large enterprises.

Managed Detection and Response (MDR) is a security service designed to improve organizations’ protection against modern cyber threats. These services bring advanced threat detection, incident response, and continuous monitoring together to enable security teams to quickly recognize unusual activity, identify threats, and take immediate action. However, MDR also runs the risk of false positives, leading to wasted time and resources.

Gaining Holistic Visibility into Environments

In response to these challenges, another approach to cybersecurity is gaining traction – Extended Detection and Response (XDR). Building upon the foundational principles of EDR and threat intelligence, XDR integrates data from multiple security controls, such as endpoints, networks, cloud environments, and applications, into one unified platform.

By aggregating and correlating telemetry data from disparate sources, XDR enables security professionals to gain holistic visibility into their environments and root out sophisticated threats that might slip through traditional security nets. Unlike tools that look at a single dimension (the endpoint), XDR architectures extend across multiple security dimensions.

One of the critical strengths of XDR is its ability to contextualize security alerts within the broader context of a company’s environment. By analyzing telemetry data across multiple vectors, these platforms can identify complex attack chains and separate legitimate threats from benign anomalies, reducing false positives and facilitating more precise threat detection.

 Moreover, these solutions feature centralized management and orchestration capabilities to streamline incident response workflows, enabling security teams to quickly investigate and remediate security incidents across the entire attack surface.

However, like all security solutions, XDR has its limitations. Implementation challenges, such as integration complexities and interoperability issues with existing security tools, can be a stumbling block to adopting these solutions.

Furthermore, the effectiveness of these tools depends heavily on the quality and timeliness of the telemetry data ingested into the platform. Incomplete or outdated data sources have been known to compromise the efficacy of threat detection and response.

Navigating the Future of Cybersecurity

When it comes to cybersecurity, there’s no one-size-fits-all solution. Every company operates within a unique risk environment influenced by factors such as industry, size, and infrastructure.

When navigating this landscape, each business must thoroughly evaluate the pros and cons of various detection and response options. Whether it’s investing in intrusion detection systems, deploying endpoint protection tools, or implementing robust incident response plans, the decision hinges on a full understanding of the company’s specific vulnerabilities and operational needs.

What works for one may not work for another. Therefore, the path to effective cybersecurity requires a tailored approach, where informed decisions are made based on individual needs and circumstances, ensuring a robust defense against evolving threats.

About the Author: Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cybersecurity Threat Landscape)

Microsoft Patches Tuesday security updates for April 2024 addressed three Critical vulnerabilities, none actively exploited in the wild.

Microsoft Patches Tuesday security updates for April 2024 addressed 147 vulnerabilities in multiple products. This is the highest number of fixed issues from Microsoft this year and the largest since at least 2017. The issues impact Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. According to ZDI, three of these vulnerabilities were reported through their ZDI program.

Only three vulnerabilities, tracked as CVE-2024-21322, CVE-2024-21323, and CVE-2024-29053, are rated Critical, the good news is that they are not actively exploited in the wild.

Below are some of the most interesting issues addressed by the IT giant:

CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability. An attacker can exploit this security feature bypass vulnerability by tricking a user into launching malicious files using a launcher application that requests that no UI be shown. An attacker could send the targeted user a specially crafted file that is designed to trigger the remote code execution issue. The flaw is actively exploited in the wild.

CVE-2024-20678 – Remote Procedure Call Runtime Remote Code Execution Vulnerability. Any authenticated user can exploit this vulnerability, according to Microsoft it does not require admin or other elevated privileges.

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability – The flaw reported by Sophos ties a malicious driver signed with a valid Microsoft Hardware Publisher Certificate. The driver was used in attacks in the wild to deploy a backdoor.

CVE-2024-26221 – Windows DNS Server Remote Code Execution Vulnerability. In a network-based attack an attacker would need to have the privileges to query the Domain Name Service (DNS). If the timing of DNS queries is perfect, the attacker could execute code remotely on the target server.

The full list of flaw fixed by Microsoft in April 2024 is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Patches Tuesday)

Fortinet addressed multiple issues in FortiOS and other products, including a critical remote code execution flaw in FortiClientLinux.

Fortinet fixed a dozen vulnerabilities in multiple products, including a critical-severity remote code execution (RCE) issue, tracked as CVE-2023-45590 (CVSS score of 9.4), in FortiClientLinux.

The vulnerability is an Improper Control of Generation of Code (‘Code Injection’) issue that resides in FortiClientLinux. An unauthenticated attacker can trigger the flaw to execute arbitrary code by tricking a FortiClientLinux user into visiting a specially crafted website.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website.” reads the advisory published by Fortinet.

Below are the impacted versions and the one released by the company to fix the issue.

Version	Affected	Solution
FortiClientLinux 7.2	7.2.0	Upgrade to 7.2.1 or above
FortiClientLinux 7.0	7.0.6 through 7.0.10	Upgrade to 7.0.11 or above
FortiClientLinux 7.0	7.0.3 through 7.0.4	Upgrade to 7.0.11 or above

The vulnerability was reported to Fortinet by the security researcher CataLpa from Dbappsecurity.

Fortinet did not reveal if this vulnerability is actively exploited in attacks in the wild.

US CISA published an alert to warn Fortinet users of the security updates released by the vendor to address multiple vulnerabilities in its products, including OS and FortiProxy.

“Fortinet released security updates to address vulnerabilities in multiple products, including OS and FortiProxy. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.” reads the alert that encourages users and administrators to review the following advisories and apply necessary updates: 

• FR-IR-23-345 FortiClientMac – Lack of configuration file validation
• FG-IR-23-493 FortiOS & FortiProxy – Administrator cookie leakage
• FG-IR-23-087 FortiClient Linux – Remote Code Execution due to dangerous   nodejs configuration

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

AT&T confirmed that the data breach impacted 51 million former and current customers and is notifying them.

AT&T revealed that the recently disclosed data breach impacts more than 51 million former and current customers and is notifying them.

In March 2024, more than 70,000,000 records from an unspecified division of AT&T were leaked onto Breached forum, vx-underground researchers reported.

The researchers confirmed that the leaked data is legitimate, however, it is still unclear if the information was stolen from a third-party organization linked to AT&T.

The seller, who goes online with the moniker MajorNelson, claimed that the data was obtained from an unnamed AT&T division by @ShinyHunters in 2021. The archive contains 73.481.539 records.

“It should be noted before anyone hits us with an “aktschually” – the data was stolen in 2021. It was leaked online today.” said vx-underground.

In August 2021, the ShinyHunters group claimed to have a database containing private information on roughly 70 million AT&T customers, but the company denied that they had been stolen from its systems.

ShinyHunters is a popular hacking crew that is known to have offered for sale data stolen from tens of major organizations, including Tokopedia, Homechef, Chatbooks.com, Microsoft, and Minted.

In August 2021, the group asked $1 million for the entire database, or $200,000 for access, according to the RestorePrivacy website that examined a sample that appears authentic.

“While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid.” reads the RestorePrivacy website. “Here is the data that is available in this leak:

• Name
• Phone number
• Physical address
• Email address
• Social security number
• Date of birth”

The threat actors claimed that data belonged to AT&T customers in the United States, the group told RestorePrivacy that they were available to support AT&T in securing its systems for a reward.

AT&T initially denied any data breach, below is the statement from the telecomunication giant:

“Based on our investigation Thursday, the information that appeared in an internet chat room does not appear to have come from our systems,”

Later, the telecommunications company retracted its initial denial and confirmed the data breach. The data was “released on the dark web approximately two weeks ago,” said the company.

“It is not yet known whether the data … originated from AT&T or one of its vendors,” the company added. “Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.”

The company pointed out that it was not aware of any compromise of its infrastructure.

“We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. We believe and are working to confirm that the data set discussed today is the same dataset that has been recycled several times on this forum.” AT&T told CNN.

The company speculates that leaked data are from 2019 or earlier.

AT&T is notifying the 51,226,382 individuals impacted according to the data breach notification shared with the Maine Attorney General.

“The information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode.” reads the data breach notification. “To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier.”

The telecommunication giant offers impacted customers one year of complimentary credit monitoring, identity theft detection and resolution services provided by Experian’s IdentityWorksSM.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Group Health Cooperative of South Central Wisconsin disclosed a data breach that impacted over 500,000 individuals.

The Group Health Cooperative of South Central Wisconsin (GHC-SCW) is a non-profit organization that provides health insurance and medical care services to its members in the Madison metropolitan area of Wisconsin.

The organization disclosed a data breach after a ransomware attack, the incident impacted 533,809 individuals.

The data breach occurred on January 24, 2024, and was discovered on January 25 when GHC-SCW identified unauthorized access to its network. The Information Technology (IT) Department isolated and secured the organization’s network in response to the incident.

The Group Health Cooperative of South Central Wisconsin (GHC-SCW) notified the FBI and is responding to the incident with the help of external cybersecurity experts.

“The attacker attempted to encrypt GHC-SCW’s system but was unsuccessful.” reads the data breach notification shared with the Maine Attorney General. “On February 9, 2024, during our investigation, we discovered indications that the attacker had copied some of GHC-SCW’s data, which included protected health information (PHI).”

The potentially compromised PHI may have included member/patient name, address, telephone number, e-mail address, date of birth and/or death, social security number, member number, and Medicare and/or Medicaid number.

A ransomware group contacted the organization claiming the theft of data.

“Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data,” continues the notification letter.

The data breach notification doesn’t name the ransomware group that hit the organization, however the BlackSuit gang added Group Health Cooperative to it Tor leak site in March. The ransomware group claimed to have stolen patient and member data, financial documents, employee data, NDAs, contracts, several databases, and emails.

The company pointed out that they have no indication that information has been used or further disclosed.

Group Health Cooperative also added that they have implemented enhanced security measures across all our systems and networks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Group Health Cooperative)

Microsoft addressed two zero-day vulnerabilities (CVE-2024-29988 and CVE-2024-26234) actively exploited by threat actors to deliver malware

Microsoft addressed two zero-day vulnerabilities, tracked as CVE-2024-29988 and CVE-2024-26234, that threat actors are exploiting to deliver malware.

Microsoft Patches Tuesday security updates for April 2024 addressed 147 vulnerabilities in multiple products. This is the highest number of fixed issues from Microsoft this year and the largest since at least 2017. The issues impact Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. According to ZDI, three of these vulnerabilities were reported through their ZDI program.

Below are the descriptions of the two flaws:

CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability. An attacker can exploit this security feature bypass vulnerability by tricking a user into launching malicious files using a launcher application that requests that no UI be shown. An attacker could send the targeted user a specially crafted file designed to trigger the remote code execution issue. The flaw is actively exploited in the wild but Microsoft did not confirm it in the advisory.

“This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies.” reported ZDI.

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability – The flaw reported by Sophos ties a malicious driver signed with a valid Microsoft Hardware Publisher Certificate. The driver was used in attacks in the wild to deploy a backdoor. In December 2023, Sophos X-Ops received a report of a false positive detection on an executable that was signed using a valid Microsoft Hardware Publisher Certificate. However, the researchers noticed that the version info for the supposedly clean file looked a little suspicious. Attackers were attempting to personate the legitimate company Thales Group.

“However, after digging into both our internal data and reports on VirusTotal, we discovered that the file was previously bundled with a setup file for a product named LaiXi Android Screen Mirroring, “a marketing software…[that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”” reported Sophos. “It’s worth noting that while we can’t prove the legitimacy of the LaiXi software – the GitHub repository has no code as of this writing, but contains a link to what we assume is the developer’s website – we are confident that the file we investigated is a malicious backdoor.”

There’s no evidence indicating intentional inclusion of the malicious file by LaiXi developers or involvement of a threat actor in a supply chain attack during the application’s compilation/building process.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Apple is warning iPhone users in over 90 countries of targeted mercenary spyware attacks, Reuters agency reported.

Apple is alerting iPhone users in 92 countries about mercenary spyware attacks, reported Reuters.

Reuters only mentioned India as one of the countries where users were targeted by the attacks.

According to a threat notification email sent to targeted users, the IT giant detected attempts to “remotely compromise the iPhone.”

The company did not attribute the targeted attacks to “any specific state-sponsored attacker”.

“Initially, Apple explicitly referred to “state-sponsored attacks.” After the last warnings to Indian opposition politicians and journalists, the government there appeared to be annoyed – unfavorable for Apple, after all, India is becoming increasingly important as an iPhone production location.” reported the German website Heise. “Meanwhile, the iPhone company instead speaks diplomatically of “mercenary spyware” and notes that such attacks “have historically been associated with state actors.””

Apple started sending such kind of threat notifications in 2021, and since then the company has notified users in more than 150 countries.

Apple recommends that targeted iPhone users update their devices to the latest software version and contact cybersecurity experts to investigate potential compromise.

In response to a wave of sophisticated attacks against Apple users (i.e. Pegasus, DevilsTongue, and Hermit) in July 2022 Apple developed a new security feature, called lockdown mode, to protect its users against highly targeted cyberattacks.

Some of the protections implemented in the lockdown mode are:

• Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
• Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
• Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
• Wired connections with a computer or accessory are blocked when iPhone is locked.
• Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Palo Alto Networks fixed several vulnerabilities in its PAN-OS operating system, including 3 issues that can trigger a DoS condition on its firewalls.

Palo Alto Networks released security updates to address several high-severity vulnerabilities in its PAN-OS operating system.

The company fixed the following DoS vulnerabilities:

CVE-2024-3385 – The company reported that a packet processing mechanism in Palo Alto Networks PAN-OS software allows a remote attacker to reboot hardware-based firewalls. Repeated attacks can eventually trigger a DoS condition by forcing the firewall into maintenance mode, requiring manual intervention to restore online functionality. This issue affects hardware firewall models PA-5400 Series firewalls and PA-7000 Series firewalls when GTP security is disabled. 

“Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.” reads the advisory.

Another DoS vulnerability in PAN-OS addressed by the vendor is tracked as CVE-2024-3384.

A remote attacker can trigger the flaw to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks can eventually trigger a DoS condition by forcing the firewall into maintenance mode, requiring manual intervention to restore online functionality.

The flaw affects only PAN-OS configurations with NTLM authentication enabled.

The third DoS vulnerability addressed by the vendor is tracked as CVE-2024-3382.

“A memory leak exists in Palo Alto Networks PAN-OS software that enables an attacker to send a burst of crafted packets through the firewall that eventually prevents the firewall from processing traffic. This issue applies only to PA-5400 Series devices that are running PAN-OS software with the SSL Forward Proxy feature enabled.” reads the advisory.

Palo Alto Networks also fixed an improper Group Membership Change vulnerability in Cloud Identity Engine (CIE). The PAN-OS issue tracked as CVE-2024-3383 ‘impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.’

The vendor is not aware of attacks in the wild exploiting any of these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)

Business intelligence software company Sisense suffered a cyberattack that may have exposed sensitive information of major enterprises worldwide.

Sisense, a business intelligence software company, experienced a cyberattack potentially exposing the sensitive data of global enterprises. The list of the company’s customers includes Nasdaq, Philips Healthcare, Verizon, and many others.

The cyber attack made the headlines because the U.S. cybersecurity agency CISA published an alert on Sisense.

“CISA is collaborating with private industry partners to respond to a recent compromise discovered by independent security researchers impacting Sisense, a company that provides data analytics services.” reads the alert.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations. We will provide updates as more information becomes available.”

CISA urges Sisense customers to reset credentials and secrets potentially exposed to, or used to access, services provided by Sisense.

The US agency recommends customers of the company investigate and report to CISA any suspicious activity involving their credentials used to access the services of the business intelligence firm.

Yesterday the popular cybersecurity investigator Brian Krebs published a note from the company that confirmed that they were aware of a data leak.

Below is the content of the note:

Good afternoon
We are aware of reports that certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet). We are taking this matter seriously and promptly commenced an investigation. We engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations.
Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.
Should you have any questions related to this matter, please email [email protected]
At Sisense, we give paramount importance to security and are committed to our customers' success. This is a proactive measure to ensure that our customers are secure. Thank you for your partnership and commitment to our mutual security.
Regards,
Sangram Dash
Chief Information Security Officer

The company launched an investigation into the security breach which is still ongoing.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following D-Link multiple NAS devices flaws to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
• CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability

The flaw CVE-2024-3272 is a Use of Hard-Coded Credentials Vulnerability impacting D-Link Multiple NAS Devices. The flaw affects D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L, these devices contain a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution. CISA pointed out that the flaw affects D-Link products that have reached their end-of-life (EOL) or end-of-service (EOS) life cycle, for this reason, they should be retired and replaced per vendor instructions.

The flaw CVE-2024-3272 is a Command Injection Vulnerability impacting D-Link Multiple NAS Devices. The vulnerability impacts D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L, which contain a command injection vulnerability. Chaining CVE-2024-3272 and CVE-2024-3273 an attacker can achieve remote, unauthorized code execution.

This flaw also affects D-Link products that have reached their end-of-life (EOL) or end-of-service (EOS) life cycle, for this reason, they should be retired and replaced per vendor instructions.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 2, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, CISA)

TA547 group is targeting dozens of German organizations with an information stealer called Rhadamanthys, Proofpoint warns.

Proofpoint researchers observed a threat actor, tracked as TA547, targeting German organizations with an email campaign delivering the Rhadamanthys malware.

TA547 is a financially motivated threat actor that has been active since at least November 2017, it was observed conducting multiple campaigns to deliver a variety of Android and Windows malware, including DanaBot, Gootkit, Lumma stealer, NetSupport RAT, Ursnif, and ZLoader. The group also operates as an initial access broker (IAB) and targets various geographic regions.

The security firm pointed out that this is the first TA547 group to use this malware family. In past campaigns, the group used a PowerShell script likely generated by large language model (LLM) such as ChatGPT, Gemini, CoPilot, etc.  

The TA547 group sent emails to the victims impersonating the German retail company Metro, purportedly related to invoices.

The messages contain a password-protected ZIP file containing an LNK file when opened. Upon executing the LNK file, it triggers PowerShell to run a remote PowerShell script. The remote PowerShell script decoded the Base64-encoded Rhadamanthys executable file stored in a variable and loaded it as an assembly into memory and then executed it. The experts noticed that the malicious code is executed directly in memory without writing any artifact to disk. 

“Notably, when deobfuscated, the second PowerShell script that was used to load Rhadamanthys contained interesting characteristics not commonly observed in code used by threat actors (or legitimate programmers). Specifically, the PowerShell script included a pound sign followed by grammatically correct and hyper specific comments above each component of the script.” reads the report published by Proofpoint. “This is a typical output of LLM-generated coding content, and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell, or copied the script from another source that had used it.”

This campaign exemplifies a shift in techniques by the threat actor, utilizing compressed LNKs and the previously unseen Rhadamanthys stealer malware. The experts also discovered the attempts of using LLM in malware campaigns.

“LLMs can assist threat actors in understanding more sophisticated attack chains used by other threat actors, enabling them to repurpose these techniques once they understand the functionality.  Like LLM-generated social engineering lures, threat actors may incorporate these resources into an overall campaign.” concludes the report. “It is important to note, however, that while TA547 incorporated suspected LLM-generated content into the overall attack chain, it did not change the functionality or the efficacy of the malware or change the way security tools defended against it. In this case, the potentially LLM-generated code was a script which assisted in delivering a malware payload but was not observed to alter the payload itself.” 

The report includes Indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)

Crooks targeted a LastPass employee using deepfake technology to impersonate the company’s CEO in a fraudulent scheme.

In a fraudulent scheme, criminals used deepfake technology to impersonate LastPass ‘s CEO, targeting an employee of the company.

The attack occurred this week, but the employed recognized the attack and the attempt failed. According to the password management software firm, the employee was contacted outside of the business hours.

Deepfakes are created using generative AI, attackers manipulate audio and/or visual data to fabricate content of interest of a targeted individual. The rise in quality and accessibility of deepfake technology poses concerns for both political and private sectors, with numerous readily available tools enabling their creation.

“In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp.” reported LastPass. “As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency), our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally.”

The employee ignored the contact and reported the attempt to the security team, the company confirmed that the incident did not impact the company.

LastPass shared the incident to raise awareness about using deepfakes for CEO fraud and other scams.

In October 2022, cybersecurity firm Resecurity identified a new spike of underground services enabling bad actors to generate deepfakes. According to company, this may be used for political propaganda, foreign influence activity, disinformation, scams, and fraud. 

“Impressing the importance of verifying potentially suspicious contacts by individuals claiming to be with your company through established and approved internal communications channels is an important lesson to take away from this attempt.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, deepfakes)

Roku announced that 576,000 accounts were compromised in a new wave of credential stuffing attacks.

Roku announced that 576,000 accounts were hacked in new credential stuffing attacks, threat actors used credentials stolen from third-party platforms.

“Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts to abuse permissions, siphoning out data, or both. 

Earlier this year, Roku detected unusual account activity and discovered that unauthorized actors accessed around 15,000 user accounts using login credentials obtained from a different source through “credential stuffing.”

Once the company concluded the investigation of this first security breach, they notified the impacted customers in early March. The company continued to monitor account activity and identified a second incident that impacted approximately 576,000 additional accounts. 

“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.” reads the press release published by the company. “In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.” 

The company announced the implementation of measures to prevent future incidents, including password resets for the affected accounts. Roku also plans to refund unauthorized purchases and is implementing two-factor authentication (2FA) for all accounts. Roku aims to simplify this process and offers support for users needing assistance.

The company has enabled two-factor authentication (2FA) by default for all customer accounts.

The company recommends customers use strong and unique passwords for their accounts and be vigilant for suspicious activities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

A critical vulnerability, named ‘BatBadBut’, impacts multiple programming languages, its exploitation can lead to command injection in Windows applications.

The cybersecurity researcher RyotaK (@ryotkak ) discovered a critical vulnerability, dubbed BatBadBut, which impacts multiple programming languages.

When specific conditions are satisfied, an attacker can exploit the flaw to perform command injection on Windows.

“The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.” wrote the researcher. “CreateProcess() implicitly spawns cmd.exe when executing batch files (.bat, .cmd, etc.), even if the application didn’t specify them in the command line.“

Due to Windows’ default inclusion of .bat and .cmd files in the PATHEXT environment variable, some runtimes inadvertently execute batch files instead of the intended commands. This can lead to arbitrary command executions, even if a snippet like the following one doesn’t explicitly include .bat or .cmd files.

RyotaK explained that OS executes batch files with ‘cmd exe’, which has complicated parsing rules for the command arguments, and programming language runtimes fail to escape the command arguments properly. The majority of programming languages provide their interface to the ‘CreateProcess’ function, however, they fail to escape the command arguments properly passed to the function.

Below is the list of conditions that must be satisfied to exploit BatBadBut:

• The application executes a command on Windows
• The application doesn’t specify the file extension of the command, or the file extension is .bat or .cmd
• The command being executed contains user-controlled input as part of the command arguments
• The runtime of the programming language fails to escape the command arguments for cmd.exe properly²

The researcher already notified the maintainers of the impacted programming languages, who have taken steps to address the flaw.

The CERT/CC from Carnegie Mellon University published an advisory on this issue. Four different CVE identifiers, respectively CVE-2024-1874, CVE-2024-22423, CVE-2024-24576, and CVE-2024-3566, have been assigned to this issue.

“Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment.” reads the advisory. “The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. This vulnerability may also affect the application that executes commands without specifying the file extension.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Researchers warn threat actors are manipulating GitHub search results to target developers with persistent malware.

Checkmarx researchers reported that threat actors are manipulating GitHub search results to deliver persistent malware to developers systems.

Attackers behind this campaign create malicious repositories with popular names and topics, they were observed using techniques like automated updates and fake stars to boost search rankings.

“By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log”, with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.” reads the report published by Checkmarx. “While automatic updates help, the attackers combine another technique to amplify the effectiveness of their repo making it to the top results. The attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness.”

To evade detection, threat actors concealed the malicious code in Visual Studio project files (.csproj or .vcxproj), it is automatically executed when the project is built.

The researchers noticed that the payload is delivered based on the victim’s origin, and is not distributed to users in Russia.

In the recent campaign, the threat actors used a sizable, padded executable file that shares similarities with the “Keyzetsu clipper” malware.

The recent malware campaign involves a large, padded executable file that shares similarities with the “Keyzetsu clipper” malware, targeting cryptocurrency wallets.

On April 3rd, the attacker updated the code in one of their repositories, linking to a new URL that downloads a different encrypted .7z file. The archive contained an executable named feedbackAPI.exe.

Threat actors padded the executable with numerous zeros to artificially increase the file size surpassing the limit of various security solutions, notably VirusTotal, making it unscannable.

The malware maintains persistence by creating a scheduled task that runs the executable every day at 4AM without user confirmation.

“The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem. By exploiting GitHub’s search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code.” concludes the report. “These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware. Merely checking for known vulnerabilities is insufficient.“

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Crooks manipulate GitHub’s search results to distribute malware

BatBadBut flaw allowed an attacker to perform command injection on Windows

Roku disclosed a new security breach impacting 576,000 accounts

LastPass employee targeted via an audio deepfake call

TA547 targets German organizations with Rhadamanthys malware

CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog

US CISA published an alert on the Sisense data breach

Palo Alto Networks fixed multiple DoS bugs in its firewalls

Apple warns of mercenary spyware attacks on iPhone users in 92 countries

Microsoft fixed two zero-day bugs exploited in malware attacks

Group Health Cooperative data breach impacted 530,000 individuals

AT&T states that the data breach impacted 51 million former and current customers

Fortinet fixed a critical remote code execution bug in FortiClientLinux

Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues

Over 91,000 LG smart TVs running webOS are vulnerable to hacking

Crowdfense is offering a larger 30M USD exploit acquisition program

Over 92,000 Internet-facing D-Link NAS devices can be easily hacked

Cybercrime    

Social Engineering Attacks Targeting IT Help Desks in the Health Sector

DOJ data on 341,000 people leaked in cyberattack on consulting firm

Hackers deploy crypto drainers on thousands of WordPress sites

530k Impacted by Data Breach at Wisconsin Healthcare Organization  

TA547 Targets German Organizations with Rhadamanthys Stealer

Attempted Audio Deepfake Call Targets LastPass Employee  

Malware

Shifting the Lens: Detecting Malware in npm ecosystem with Large Language Models

ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins  

Smoke and (screen) mirrors: A strange signed backdoor  

New Technique to Trick Developers Detected in an Open Source Supply Chain Attack

Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla       

Hacking 

Crowdfense Exploit Acquisition Program

Vulnerabilities Identified in LG WebOS  

Roku warns 576,000 accounts hacked in new credential stuffing attacks

BatBadBut: You can’t securely execute commands on Windows 

XZ backdoor story – Initial analysis

PSG: the club’s ticketing system attacked     

Intelligence and Information Warfare 

China tests US voter fault lines and ramps AI content to boost its geopolitical interests

Apple drops term ‘state-sponsored’ attacks from its threat notification policy     

Why we must take seriously China’s mastery and misuse of AI espionage

Messages between Chinese hackers show Australian Strategic Policy Institute is a target       

Top Israeli spy chief exposes his true identity in online security lapse   

Cybersecurity          

The April 2024 security updates review 

Attack on data analytics company Sisense prompts alert from CISA 

Why CISA is Warning CISOs About a Breach at Sisense

Global taxi software vendor exposes details of nearly 300K across UK and Ireland

British DARPA’ to build AI gatekeepers for ‘quantitative safety guarantees      

(SecurityAffairs – hacking, newsletter)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

A threat actor claimed the hack of the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum.

A threat actor, who goes online with the moniker ShopifyGUY, claimed responsibility for hacking the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum.

Giant Tiger is a Canadian discount store chain that operates over 260 stores across Canada. The threat actor responsible for the post claims to have uploaded the complete database of the company that was stolen in March 2024.

The threat actor behind the post claims to have uploaded the “full” database of Giant Tiger customer records stolen in March 2024. The compromised data include email addresses, names, phone numbers, physical addresses, and website activity. Financial data was not impacted in the alleged incident.

“In March 2024, the Canadian discount store chain Giant Tiger Stores Limited (https://www.gianttiger.com/) suffered a data breach that exposed over 2.8 million clients. The breach includes over 2.8 million unique email addresses, names, phone numbers and physical addresses. The data was breached by @ShopifyGUY” reads the announcement published by ShopifyGUY on Breachforums.

Every member of the forum can download the archive for 8 credits.

Customers of the Canadian retail chain can check for the presence of their data in the leaked archive by querying the data breach monitoring service HaveIBeenPwned.

New breach: Canadian retailer Giant Tiger had 2.8M records breached last month. Impacted data included email and physical address, name and phone. 46% were already in @haveibeenpwned. Read more: https://t.co/71a7YAVQvl

— Have I Been Pwned (@haveibeenpwned) April 12, 2024

BleepingComputer reached the retail company that confirmed they became aware of security concerns related to a third-party vendor.

(SecurityAffairs – hacking, Giant Tiger)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

A joint investigation conducted by U.S. and Australian authorities led to the arrest of two key figures behind the Firebird RAT operation.

A joint law enforcement operation conducted by the Australian Federal Police (AFP) and the FBI resulted in the arrest and charging of two individuals suspected of creating and selling the Firebird RAT, which was later renamed as Hive.

Australian Federal Police reported that an Australian man and a man based in the US will appear in court, following the international investigation that began in 2020. The Australian man faces twelve counts of computer offenses.

The Australian man developed and sold Firebird to customers on a dedicated hacking forum.

The RAT allowed customers to access and control their victims’ computers remotely, its author advertised its stealing capabilities.

Last week, the FBI arrested Edmond Chakhmakhchyan, 24, of Van Nuys, on charges of marketing and selling the RAT. Chakhmakhchyan, aka “Corruption,” was apprehended by FBI agents and pleaded not guilty to two charges. He is accused of advertising and selling the Hive remote access trojan (RAT) on the “Hack Forums” website. The man was accepting Bitcoin payments for licenses and offering customer service to buyers.

“Customers purchasing the malware “would transmit Hive RAT to protected computers and gain unauthorized control over and access to these computers, which allowed the RAT purchaser to close or disable programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets, all without the victims’ knowledge or permission,” according to the indictment.” reported the DoJ. “Chakhmakhchyan allegedly began working with the creator of the Hive RAT, previously known as “Firebird,” approximately four years ago, and advertised online the RAT’s many features, including features that allowed the owner to remotely access victim computers and intercept communications and data without the victim knowing.“

According to the indictment, Chakhmakhchyan engaged in electronic communication with buyers after advertising the Hive RAT. He explained to one buyer that the malware allowed access to another person’s computer without their knowledge. When informed that the target had significant cryptocurrency and project files, Chakhmakhchyan agreed to sell the Hive RAT.

“After this purchaser told Chakhmakhchyan that “the point” of using the Hive RAT was because the victim had “20k in bitcoin on a blockchain wallet” and “project files worth over 5k,” Chakhmakhchyan agreed to sell the Hive RAT, the indictment alleges.” continues DoJ.

The DoJ states that the man allegedly sold a license to an undercover law enforcement agent. Chakhmakhchyan faces charges of conspiracy and advertising a device as an interception device, each carrying a maximum penalty of five years in federal prison.

Chakhmakhchyan could face up to ten years in prison, while the maximum penalty for the Australian man is three years imprisonment.

(SecurityAffairs – hacking, malware)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

Threat actors have been exploiting the recently disclosed zero-day in Palo Alto Networks PAN-OS since March 26, 2024.

Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers, however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity referred this second Python backdor as UPSTYLE.

The UPSTYLE backdoor was hosted at hxxp://144.172.79[.]92/update.py, but Unit42 observed a similar backdoor hosted at nhdata.s3-us-west-2.amazonaws[.]com. According to the HTTP headers, the threat actor last modified it on April 7, 2024.

The first Python payload creates and executes another Python script (“system.pth”), which then decrypts and launches the embedded backdoor component, that executes the attackers’s command in a file named “sslvpn_ngx_error.log.”

After execution, the script records the command output in the file:

• [snip]/css/bootstrap.min.css

A noteworthy aspect of the attack sequence is that both the files used for command extraction and result logging are authentic files linked with the firewall:

• /var/log/pan/sslvpn_ngx_error.log
• /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

“The script will then create another thread that runs a function called restore. The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals.” continues the report. “The point of this function is to avoid leaving the output of the commands available for analysis. Also, this suggests that the threat actor has automation built into the client side of this backdoor, as they only have 15 seconds to grab the results before the backdoor overwrites the file.“

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

“During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.” reads the report published by Volexity. “As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability.”

“After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims’ internal networks. They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion.” concludes Volexity. “The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives.”

(SecurityAffairs – hacking, Palo Alto Pan-OS)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog:

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers, however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity referred this second Python backdor as UPSTYLE.

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

“During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.” reads the report published by Volexity. “As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 19, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, CISA)

The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against Russian infrastructure.

Industrial and enterprise IoT cybersecurity firm Claroty reported that the Ukrainian Blackjack hacking group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using a destructive ICS malware dubbed Fuxnet.

The Blackjack group is believed to be affiliated with Ukrainian intelligence services that carried out other attacks against Russian targets, including an internet provider and a military infrastructure.

The group claims to have attacked Moscollector, a Moscow-based company, that is responsible for the construction and monitoring of underground water and sewage and communications infrastructure. 

The website ruexfil.com provided detailed information about the attacks against Moscollector, the hackers also published screenshots of monitoring systems, servers, and databases they claim to have compromised.

The site also hosts password dumps allegedly stolen from the Russian company.

Below is the timeline of the attack published on ruexfil.com:

Initial access June 2023.
- Access to 112 Emergency Service. 
- 87,000 sensors and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- Fuxnet (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment
  (by NAND/SSD exhaustion and introducing bad CRC into the firmware). (YouTube Video 1, YouTube Video 2).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded
  control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including
  the admins workstations) have been deleted.
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been certified by the FSB for being 'secure & trusted' (picture included)
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)

The website reported that Blackjack destroyed about 1,700 sensor routers deployed at airports, subways, gas-pipelines. The group also disrupted the central command-dispatcher and database. The attack brought all 87,000 sensors offline, threat actors also wiped databases, backups, and email servers, a total of 30TB of data.

“Fuxnet has now started to flood the RS485/MBus and is sending ‘random’ commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, …and other civilian targets).” states the website.

Team82 and Claroty have been unable to verify the attackers’ claims, however, they conducted a detailed analysis of the Fuxnet malware relying on information provided by the attackers.

“For example, Blackjack claims to have damaged or destroyed 87,000 remote sensors and IoT collectors. However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact.” reads the analysis published by Claroty. “If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”

The attack chain sees hackers targeting a list of sensor gateways IPs. Threat actors distributed their malware to each target, likely either through remote-access protocols such as SSH or the sensor protocol (SBK) over port 4321.

Upon running on the target device, the malware initiates a new child process to lock out the device. The malicious code remounts the filesystem with write access, then delete essential filesystem files and directories and disables remote access services such as SSH, HTTP, telnet, and SNMP. This prevents remote access for restoring operations even if the router remains functional.

Subsequently, the threat actors erase the router’s routing table, rendering its communication with other devices non-functional. Finally, the malware deletes the filesystem and rewrites the flash memory using the operating system’s mtdblock devices.

Once it has corrupted the file system and isolated the device, the malware attempts to destroy the NAND memory chip physically and rewrites the UBI volume to prevent rebooting. 

“In order to ensure the sensor does not reboot again, the malware rewrites the UBI volume. First, the malware uses the IOCTL interface UBI_IOCVOLUP allowing it to interact with the management layer controlling the flash memory, which tells the kernel that the UBI volume will be rewritten, and that x-number of bytes will be written.” continues the report. “In its normal behavior, the kernel will know that the rewrite is finished only when x-number of bytes were written. However, the malware will not write x-number of bytes to the UBI, instead it will write fewer bytes than it declares, causing the device to wait for the rewrite to finish indefinitely.”  

The malware overwrites the UBI volume with junk data (0xFF), making the UBI useless and the filesystem becomes unstable.

The malware also tries to disrupt gateway-connected sensors by flooding serial channels with random data, overloading the serial bus and the sensors.

“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways.” concludes the report.

(SecurityAffairs – hacking, Fuxnet)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

Cisco Duo warns that a data breach involving one of its telephony suppliers exposed multifactor authentication (MFA) messages sent by the company via SMS and VOIP to its customers. 

Cisco Duo warns of a data breach involving one of its telephony suppliers, compromising multifactor authentication (MFA) messages sent to customers via SMS and VOIP.

The security breach occurred on April 1, 2024, the threat actors used a Provider employee’s credentials that illicitly obtained through a phishing attack. Then they used the access to download a set of MFA SMS message logs belonging to customers’ Duo accounts.

“More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024. The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).” reads the data breach notification send to the impacted individuals. “The Provider confirmed that the threat actor did not download or otherwise access the content of any messages or use their access to the Provider’s internal systems to send any messages to any of the numbers contained in the message logs.”

Threat actors had access to phone numbers, phone carriers, countries, and states to which each message was sent. Attackers also obtained other metadata, including the date and time of the message, type of message, etc.. 

Once discovered the incident, the Provider immediately launched an investigation and implemented mitigation measures. The Provider invalidated the employee’s credentials and analyzed the logs. The

“Provider also started implementing measures to prevent similar incidents from occurring in the future and additional technical measures to further mitigate the risk associated with social engineering attacks. The Provider confirmed that they will also require employees to undergo additional social engineering awareness training.” continues the notification.

Affected users whose phone numbers were in the logs are recommended to remain vigilant and promptly report any suspected activities.

(SecurityAffairs – hacking, Cisco Duo)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

The Dark Angels (Dunghill) ransomware group claims the hack of the chipmaker Nexperia and the theft of 1 TB of data from the company.

The Dark Angels (Dunghill) ransomware group claims responsibility for hacking chipmaker Nexperia and stealing 1 TB of the company’s data.

Nexperia is a semiconductor manufacturer headquartered in Nijmegen, the Netherlands. It is a subsidiary of the partially state-owned Chinese company Wingtech Technology. It has front-end factories in Hamburg, Germany, and Greater Manchester, England. The company’s product range includes bipolar transistors, diodes, ESD protection, TVS diodes, MOSFETs, and logic devices.

The chipmaker has 14,000 employees as of 2024.

The Dark Angels ransomware group added Nexperia to the list of victims on its Tor leak site. According to the announcement, the stolen data includes:

- 285 Gb of quality control data
- 24 Gb - 896 client folders, many famous brands like SpaceX, IBM, Apple, Huawei, etc.
- 139 Gb project data, very detailed and highly confidential: NDA, internal documents, trade secrets, design, specifications, manufacturing
- 49 Gb industrial production data and instructions
- Assessment of the product's competitiveness in comparison with competitors
- 45 Gb engineers' experience and studies
- 20 Gb product management
- 201 Gb semiconductor manufacturing technologies
- 70 Gb semiconductor commercial marketing data
- 26 Gb pricing, analysis, price books
- 20 Gb HR department, employee data, personal data, passports, contracts, diplomas, salaries, insurance.
- 18 Gb .dwg - 38295 pcs - drawings and schematics of chips, microchips, transistors, etc. All data is confidential, contains trade secrets.
- 30 Gb user data
- production line settings
- repository with equipment configures
- 26 Gb machine operation logs
- 1.2 Gb AWACS software
- 13 Gb .esm files
- 1.9 Gb .job files
- 3 Gb .svn-base
- 101 Gb - .pst files
- 1.5 Gb - NDA

The group published a set of files as proof of the security breach and threatens leak all the stolen data if the victim will not pay the ransom. 

The chipmaker confirmed it became aware of the unauthorized access to certain Nexperia IT servers in March 2024.

In response to the incident, the company disconnected the affected systems from the internet to prevent the threat from spreading. The Nexperia launched an investigation into the security breach with the help of third-party cybersecurity experts.

“we have reported the incident to the competent Authorities, including the ‘Autoriteit Persoonsgegevens’ and the police, and are keeping them informed of the progress of our investigation.” reads the press statement published by the company. “Together with our external cybersecurity expert FoxIT, Nexperia continues to investigate the full extent and impact of the matter and we are closely monitoring the developments. In the interest of the ongoing investigation, we cannot disclose further details at this point.”

In September 2023, the Dark Angels ransomware group hacked Johnson Controls and demanded a $51 million ransom.

(SecurityAffairs – hacking, Nexperia )

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

Czech transport minister warned that Russia conducted ‘thousands’ of attempts to sabotage railways, attempting to interfere with train networks and signals.

Early this month, the Czech transport minister Martin Kupka warned that Russia has conducted ‘thousands’ of attempts to sabotage European railways.

The Czech Republic’s transport minister told the Financial Times that the attacks aim at destabilizing the EU and sabotaging critical infrastructure.

Kupka confirmed that Russia-linked threat actors conducted “thousands of attempts to weaken our systems” since the beginning of the Russian invasion of Ukraine.

The state-sponsored hackers also targeted signaling systems and networks of the Czech national railway operator České dráhy, Kupka said.

The Czech cyber defense was able to detect and neutralize these attacks; however, the minister highlighted that sabotaging railways could cause serious accidents.

“It’s definitely a difficult point . . .[but] I’m really very satisfied because we are able to defend all systems [from] a successful attack,” Kupka told FT.

The Czech cyber security agency, NUKIB, warns of a surge in cyber attacks, particularly targeting the energy and transportation sectors. The attacks escalated since the approval of a 2022 law allowing measures against foreign entities suspected of human rights violations or cyber crimes.

The attacks were also reported by the European cybersecurity agency ENISA, according to the “ENISA THREAT LANDSCAPE: TRANSPORT SECTOR” published in March 2023

“The railway sector also experiences ransomware and data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. Hacktivist groups have been conducting DDoS attacks against railway companies with an increasing rate, primarily due to Russia’s invasion of Ukraine.” states the report.

The Czech government is planning to build high-speed railways connecting Berlin, Prague and Vienna, it also announced that it prefers European operators to bid on the tenders.

In August 2023, Poland’s Internal Security Agency (ABW) and national police launched an investigation into a hacking attack on the state’s railway network. According to the Polish Press Agency, the attack disrupted the traffic.

Stanisław Zaryn, deputy coordinator of special services, told the news agency that Polish authorities were investigating an unauthorized usage of the system used to control rail traffic.

“For the moment, we are ruling nothing out,” Stanislaw Zaryn told PAP. “We know that for some months there have been attempts to destabilise the Polish state,” he added. “Such attempts have been undertaken by the Russian Federation in conjunction with Belarus.”

Since the beginning of the Russian invasion of Ukraine, Poland’s railway system represented a crucial transit infrastructure for Western countries’ support of Ukraine.

Zaryn explained that the attacks are part of a broader activity conducted by Russia to destabilize Poland.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, European railways)

Amidst rising tensions with China in the SCS, Resecurity observed a spike in malicious cyber activity targeting the Philippines in Q1 2024.

Amidst rising tensions with China in the South China Sea, Resecurity has observed a significant spike in malicious cyber activity targeting the Philippines in Q1 2024, increasing nearly 325% compared to the same period last year. The number of cyberattacks involving hacktivist groups and foreign misinformation campaigns has nearly tripled. In Q2 2024, this growth trajectory continues, with Resecurity observing multiple cyberattacks staged by previously unknown threat actors. These attacks are characterized by the intersection of ideological “hacktivist” motivations and nation-state-sponsored propaganda.

One prolific example of this dynamic is the China-linked Mustang Panda group, which Resecurity observed using cyberspace to stage sophisticated information warfare campaigns. There is a thin line between cybercriminal activity (supported by the state) and nation-state actors engaging in malicious cyber activity. Leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online. This tactic is often combined with false-flag attacks originating under publicly known threat-actor profiles to keep a distance from the real intellectual authors of these malign campaigns.

According to experts, the underground scene of actors is represented by the following threat groups accelerating their activity – Philippine Exodus Security (PHEDS), Cyber Operation Alliance (COA), Robin Cyber Hood (RCH), and DeathNote Hackers (Philippines), as well as independent actors and mercenaries recruited to conduct targeted attacks. Notably, some of these groups were also spotted collaborating with Arab Anonymous and Sylnet Gang-SG.

Resecurity interprets this activity as pre-staging for broader malicious, foreign cyber-threat actor activity in the region, including cyber espionage and targeted attacks against government agencies and critical infrastructure. Multiple government resources such as the Department of Interior and Local Government, Bureau of Plant Industry, Philippine National Police, and Bureau of Customs have been targeted.

The full report is available here.

https://www.resecurity.com/blog/article/misinformation-and-hacktivist-campaigns-target-the-philippines-amidst-rising-tensions-with-china

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – misinformation, The Philippines)

Researchers warn of a renewed cyber espionage campaign targeting users in South Asia with the Apple iOS spyware LightSpy

Blackberry researchers discovered a renewed cyber espionage campaign targeting South Asia with an Apple iOS spyware called LightSpy.

The sophisticated mobile spyware has resurfaced after several months of inactivity, the new version of LightSpy, dubbed “F_Warehouse”, supports a modular framework with extensive spying capabilities.

LightSpy can steal files from multiple popular applications like Telegram, QQ, and WeChat, as well as personal documents and media stored on the device. It can also record audio and harvest a wide array of data, including browser history, WiFi connection lists, installed application details, and even images captured by the device’s camera. The malware also grants attackers access to the device’s system, enabling them to retrieve user KeyChain data, device lists, and execute shell commands, potentially gaining full control over the device.

The evidence gathered by the experts, including code comments and error messages, suggests that the creators of LightSpy are native Chinese speakers, prompting concerns regarding potential state-sponsored activity.

LightSpy implements certificate pinning to prevent detection of C2 communication, if the victim is on a network where traffic is being inspected, no connection to the C2 server will be established.

Based on previous campaigns, the attack chain likely commences by visiting compromised news websites carrying stories related to Hong Kong. A first-stage implant is delivered to the visitors, it gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.

“The Loader initiates the process by loading both the encrypted and subsequently decrypted LightSpy kernel. The core of LightSpy functions as a complex espionage framework, designed to accommodate extensions via a plugin system.” reads the report published by BlackBerry. “The Loader is responsible for loading these plugins, each of which extends the functionality of the main LightSpy implant. Each plugin undergoes a process of secure retrieval from the threat actor’s server in an encrypted format, followed by decryption, before being executed within the system environment.”

In March 2020, security experts at Trend Micro observed a campaign aimed at infecting the iPhones of users in Hong Kong with an iOS version of the LightSpy backdoor.

Attackers used malicious links spread through posts on forums popular in Hong Kong, which led users to real news sites that were compromised by injecting a hidden iframe that would load and run malware.

There is evidence to suggest that the campaign may have targeted India based on VirusTotal submissions from within its borders.

First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor that’s distributed via watering hole attacks through compromised news sites.

The latest LightSpy version uses the F_Warehouse framework that supports the following capabilities:

• Exfiltrate files: Systematically search and steal files from the compromised mobile device.
• Record audio: Covertly capture audio through the device’s microphone.
• Perform network reconnaissance: Collect information about WiFi networks the device has connected to.
• Track user activity: Harvest browsing history data to monitor online behavior.
• Application inventory: Gather details about installed applications on the device.
• Capture images: Secretly take pictures using the device’s camera.
• Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
• Device enumeration: Identify and list devices connected to the compromised system.

The researchers noticed that the malware communicates with a server located at hxxps://103.27[.]109[.]217:52202, which also hosts an administrator panel accessible on port 3458.

The panel shows a message in Chinese language saying that the username or password is incorrect when the users enter the wrong credentials.

This report also includes a list of IoCs for this threat.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, European railways)