Today — 26 November 2022 (Security Affairs)

Devices from Dell, HP, and Lenovo used outdated OpenSSL versions

26 November 2022 at 00:35

Researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.

Binarly researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.

The OpenSSL software library secures communications over computer networks against eavesdropping and lets each party identify who is at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

The researchers discovered the issue by analyzing firmware images used in devices from the above manufacturers.

The experts analyzed EDKII, one of the core frameworks used as part of any UEFI firmware, which has its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component.

EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications.

The main EDKII repository is hosted on GitHub and is frequently updated.

The experts first analyzed Lenovo Thinkpad enterprise devices and discovered that they used different versions of OpenSSL in the firmware image.

Lenovo Thinkpad enterprise devices used three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The most recent of these versions was released in 2018.

“Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years.” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip. This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”

One of the firmware modules named InfineonTpmUpdateDxe uses the OpenSSL version 0.9.8zb that was released on August 4, 2014.

The researchers found that the most recent OpenSSL version used on Lenovo enterprise devices dates back to the summer of 2021.

The following image reports for each vendor all the versions of OpenSSL detected by the Binarly Platform in the wild:

[Image: OpenSSL versions detected per vendor]

The experts pointed out that the same device firmware code often relies on different versions of OpenSSL.

The reason for this design choice is that each third-party component in the supply chain depends on its own code base, which is often not available to device firmware developers. The researchers explained that this introduces an extra layer of supply chain complexity.

“Most of the OpenSSL dependencies are linked statically as libraries to specific firmware modules that create compile-time dependencies which are hard to identify without deep code analysis capabilities.” continues the report. “Historically the problem within third-party code dependencies is not an easy issue to solve at the compiled code level.”

The experts noticed that devices from Dell and Lenovo relied on version 0.9.8l that dates back to 2009.

Some Lenovo devices used version 1.0.0a, which dates back to 2010, while all three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w, which dates back to 2012.

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” concludes the report. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
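The binary-level SBOM validation the report calls for can be illustrated by looking for the version banner that every OpenSSL build embeds as a plain string (the OPENSSL_VERSION_TEXT form, e.g. "OpenSSL 0.9.8zb 4 Aug 2014"). The Python below is an added example, not Binarly's tooling; the module names other than InfineonTpmUpdateDxe, the blob contents, the banner dates and the minimum-version policy are constructed assumptions.

```python
"""Binary-level check of the OpenSSL versions statically linked into firmware modules.

Added example (not Binarly's tooling).  A statically linked OpenSSL carries
its version banner as a plain string, so scanning a module for that banner
shows which version was actually compiled in.  The result can then be
compared against the SBOM the vendor supplied ("trust but verify").
The firmware "modules" below are constructed sample blobs, not real firmware.
"""
import re
from typing import Dict, List, Tuple

# Banner format used by OpenSSL 0.9.x/1.0.x/1.1.x builds:
#   "OpenSSL <version> <day> <Mon> <year>"   (one or two spaces before the date)
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})"
)


def parse_version(v: str) -> Tuple[int, int, int, str]:
    """'0.9.8zb' -> (0, 9, 8, 'zb').

    Patch letters sort lexicographically, which matches OpenSSL's ordering
    within a branch ('' < 'a' < ... < 'z' < 'za' < 'zb').
    """
    major, minor, rest = v.split(".")
    m = re.fullmatch(r"(\d+)([a-z]*)", rest)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {v}")
    return int(major), int(minor), int(m.group(1)), m.group(2)


def scan_module(name: str, blob: bytes) -> List[dict]:
    """Return every OpenSSL banner found in one module, with its byte offset."""
    return [
        {
            "module": name,
            "offset": m.start(),
            "version": m.group(1).decode(),
            "released": m.group(2).decode(),
        }
        for m in BANNER_RE.finditer(blob)
    ]


def validate_sbom(modules: Dict[str, bytes], sbom_versions: List[str],
                  minimum: str) -> dict:
    """Compare OpenSSL versions found in the binaries with the vendor SBOM.

    Returns every banner hit, the versions present in the binaries but absent
    from the SBOM (an SBOM failure), and the versions older than `minimum`
    (a policy threshold chosen by the reviewer).
    """
    found = [hit for name, blob in modules.items() for hit in scan_module(name, blob)]
    binary_versions = sorted({h["version"] for h in found}, key=parse_version)
    declared = set(sbom_versions)
    return {
        "found": found,
        "undeclared": [v for v in binary_versions if v not in declared],
        "outdated": [v for v in binary_versions
                     if parse_version(v) < parse_version(minimum)],
    }


# Constructed sample "firmware modules": filler bytes around the banner a
# statically linked OpenSSL would carry.  Only InfineonTpmUpdateDxe is a
# module named in the report; the other names and all contents are made up,
# and the banner dates are illustrative.
SAMPLE_MODULES = {
    "InfineonTpmUpdateDxe": b"\x00" * 64 + b"OpenSSL 0.9.8zb 4 Aug 2014" + b"\xff" * 32,
    "HypotheticalSecureBootDxe": b"MZ" + b"\x90" * 40 + b"OpenSSL 1.0.2j  26 Sep 2016\x00",
    "HypotheticalNetworkDxe": b"no crypto library in here" * 4,
}

# Constructed vendor SBOM: claims only 1.0.2j is present.
SAMPLE_SBOM = ["1.0.2j"]

# Policy assumption for this example: anything below 1.0.2a is flagged.
MINIMUM_ACCEPTED = "1.0.2a"


if __name__ == "__main__":
    report = validate_sbom(SAMPLE_MODULES, SAMPLE_SBOM, MINIMUM_ACCEPTED)
    for hit in report["found"]:
        print(f'{hit["module"]:28s} offset {hit["offset"]:6d}  '
              f'OpenSSL {hit["version"]} ({hit["released"]})')
    print("not in vendor SBOM:", report["undeclared"])
    print("below", MINIMUM_ACCEPTED + ":", report["outdated"])
```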

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, firmware)

The post Devices from Dell, HP, and Lenovo used outdated OpenSSL versions appeared first on Security Affairs.

Yesterday — 25 November 2022 (Security Affairs)

Google fixed the eighth actively exploited #Chrome #zeroday this year

25 November 2022 at 13:50

Google on Thursday released security updates to address a new zero-day vulnerability, tracked as CVE-2022-4135, impacting the Chrome web browser.

Google rolled out an emergency security update for the desktop version of the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4135, that is actively exploited.

The CVE-2022-4135 vulnerability is a heap buffer overflow issue in the GPU component. The vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on November 22, 2022.

As usual, Google did not share technical details about the vulnerability, in order to give users time to update their Chrome installations.

“Google is aware that an exploit for CVE-2022-4135 exists in the wild.” reads the advisory published by Google. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

An attacker can exploit the heap buffer overflow to potentially gain arbitrary code execution on systems running vulnerable versions of the browser.

Google fixed the zero-day with the release of version 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows, which the company plans to roll out over the coming days/weeks.

The CVE-2022-4135 vulnerability is the eighth actively exploited Chrome zero-day addressed by Google this year. Below is the list of the other zero-days fixed by the tech giant:

  • CVE-2022-3723 (October 28) – type confusion issue in the V8 JavaScript engine
  • CVE-2022-3075 (September 2) – insufficient data validation in the Mojo collection of runtime libraries
  • CVE-2022-2856 (August 17) – insufficient validation of untrusted input in Intents
  • CVE-2022-2294 (July 4) – heap buffer overflow in the Web Real-Time Communications (WebRTC) component
  • CVE-2022-1364 (April 14) – type confusion issue in the V8 JavaScript engine
  • CVE-2022-1096 (March 25) – type confusion issue in the V8 JavaScript engine
  • CVE-2022-0609 (February 14) – use-after-free issue in the Animation component

Chrome users are recommended to update their installations as soon as possible to neutralize attacks attempting to exploit the zero-day.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)


Experts investigate WhatsApp data leak: 500M user records for sale

25 November 2022 at 12:20

Cybernews investigated a data sample available for sale containing up-to-date mobile phone numbers of nearly 500 million WhatsApp users.

Original post published by Cybernews: https://cybernews.com/news/whatsapp-data-leak/

On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers.

The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included.

Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers.

The threat actor told Cybernews they were selling the US dataset for $7,000, the UK – $2,500, and Germany – $2,000.

Such information is mostly used by attackers for smishing and vishing attacks, so we recommend that users remain wary of calls from unknown numbers and of any unsolicited calls and messages.

WhatsApp is reported to have more than two billion monthly active users globally.

Upon request, the seller of WhatsApp’s database shared a sample of data with Cybernews researchers. There were 1097 UK and 817 US user numbers in the shared sample.

Cybernews investigated all the numbers included in the sample and managed to confirm that all of them are, in fact, WhatsApp users.

The seller did not specify how they obtained the database, suggesting they “used their strategy” to collect the data, and assured Cybernews all the numbers in the instance belong to active WhatsApp users.

Cybernews reached out to WhatsApp’s parent company, Meta, but received no immediate response. We will update the article as soon as we learn more.

The information on WhatsApp users could be obtained by harvesting information at scale, also known as scraping, which violates WhatsApp’s Terms of Service.

This claim is purely speculative. However, quite often, massive data dumps posted online turn out to be obtained by scraping.


Meta itself, long criticized for letting third parties scrape or collect user data, saw over 533 million user records leaked on a dark forum. The actor was sharing the dataset practically for free.

Days after a massive Facebook data leak made the headlines, an archive containing data purportedly scraped from 500 million LinkedIn profiles was put up for sale on a popular hacker forum.

Leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud.

“In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data,” head of Cybernews research team Mantas Sasnauskas said. “We should ask whether an added clause of ‘scraping or platform abuse is not permitted in the Terms and Conditions’ is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”

If you want to know how to prevent data leaks, read the original post published by CyberNews.

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)


An international police operation dismantled the spoofing service iSpoof

25 November 2022 at 10:27

An international law enforcement operation has dismantled an online phone number spoofing service called iSpoof.

An international law enforcement operation conducted by authorities in Europe, Australia, the United States, Ukraine, and Canada, with the support of Europol, has dismantled an online phone number spoofing service called iSpoof. The iSpoof service allowed fraudsters to impersonate trusted corporations or contacts in an attempt to gain access to sensitive information from victims.

Threat actors used the service to trick victims into disclosing financial or private information or transferring money.

“The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords.” reads the announcement published by Europol. “The users were able to impersonate an infinite number of entities (such as banks, retail companies and government institutions) for financial gain and substantial losses to victims.”

The ‘spoofing’ service is believed to have caused an estimated worldwide loss in excess of GBP 100 million (EUR 115 million).


“According to the police, some victims have seen their savings or pension pot disappear within hours.” reported the Dutch Police.

The investigation, dubbed Operation Elaborate, was launched in October 2021 at the request of the UK authorities. iSpoof was launched in December 2020, and authorities estimated it had 59,000 users.

“The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century. Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands.” London’s Metropolitan Police Commissioner Sir Mark Rowley stated. “By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people.”

In the coordinated effort led by the United Kingdom, 142 suspects have been arrested, including the administrator of the iSpoof website (ispoof[.]me and ispoof[.]cc).

The police seized the servers behind the service and two days later Ukrainian and U.S. agencies took them offline.

“The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located.” Europol’s Executive Director Ms Catherine De Bolle said. “Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.”

“As cybercrime knows no borders, effective judicial cooperation across jurisdictions is key in bringing its perpetrators to court. Eurojust supports national authorities in their efforts to protect citizens against online and offline threats, and to help see that justice gets done.” Eurojust President Mr Ladislav Hamran said.


Pierluigi Paganini

(SecurityAffairs – hacking, iSpoof)


UK urges to disconnect Chinese security cameras in government buildings

25 November 2022 at 06:35

The British government banned the installation of Chinese-linked security cameras at sensitive facilities due to security risks.

Reuters reports that the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing them.

“The decision comes after a review of ‘current and future possible security risks associated with the installation of visual surveillance systems on the government estate,’ cabinet office minister Oliver Dowden said in a written statement to parliament,” states Reuters.

The security cameras of the two Chinese firms concerned are widely adopted by a number of government departments, including the interior and business ministries.

Dowden pointed out that the surveillance cameras must be carefully scrutinized because of the capability and connectivity of these systems.

“The review has concluded that, in light of the threat to the UK and the increasing capability and connectivity of these systems, additional controls are required,” Dowden said. “Departments have therefore been instructed to cease deployment of such equipment onto sensitive sites, where it is produced by companies subject to the National Intelligence Law of the People’s Republic of China.”

The risk is related to the use of security cameras manufactured by the Chinese-owned companies Dahua and Hikvision. Both companies are also on the Covered List maintained by the U.S. Federal Communications Commission (FCC).

The Covered List, published by the FCC’s Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.


Pierluigi Paganini

(SecurityAffairs – hacking, security cameras)

Before yesterday (Security Affairs)

RansomExx Ransomware upgrades to Rust programming language

24 November 2022 at 21:19

RansomExx is the latest ransomware, in order of time, to get a version written entirely in the Rust programming language.

The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware, tracked as RansomExx2, that was ported into the Rust programming language.

The move follows the decision of other ransomware gangs, like Hive, BlackCat, and Luna, to rewrite their ransomware in the Rust programming language.

The main reason to rewrite malware in Rust is to achieve lower antivirus detection rates than malware written in more common languages.

RansomExx2 was developed to target the Linux operating system, but experts believe that the ransomware operators are already working on a Windows version.

The RansomExx operation has been active since 2018; the list of its victims includes government agencies, the computer manufacturer and distributor GIGABYTE, and the Italian luxury brand Zegna. RansomExx is operated by the DefrayX threat actor group (Hive0091), which also developed the PyXie RAT, the Vatet loader, and the Defray ransomware strains.

The functionality implemented in RansomExx2 is very similar to previous RansomExx Linux variants.

“RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys.” reads the analysis published by IBM Security X-Force.

The ransomware iterates through the specified directories, enumerating and encrypting files. The malware encrypts any file greater than or equal to 40 bytes and gives a new file extension to each file.

RansomExx2 encrypts files using the AES-256 algorithm and drops a ransom note in each encrypted directory.

“RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and Blackcat).” concludes the report. “While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch to Rust suggests a continued focus on the development and innovation of the ransomware by the group, and continued attempts to evade detection.”


Pierluigi Paganini

(SecurityAffairs – hacking, RansomExx ransomware)


An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware

24 November 2022 at 09:59

Researchers warn of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

In the last two weeks, the experts observed attacks against more than 10 different US-based customers.

Black Basta has been active since April 2022 and, like other ransomware operations, implements a double-extortion attack model. Security researchers at Sentinel Labs recently shared details about Black Basta’s TTPs and assess it is highly likely that the ransomware operation has ties with FIN7.

“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network. QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials.” reads the report published by Cybereason. “Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware—namely, ransomware.” 

The attack chain starts with a QBot infection. The operators then use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.

The researchers noticed that once they obtain access to the network, the threat actors move extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

The threat actor was also spotted locking the victims out of the network by disabling DNS services, making recovery even more complex.

In most of the attacks observed by the experts, the spear-phishing email contains a malicious disk image file. Upon opening the file, Qbot is executed, then the malware connects to a remote server to retrieve the Cobalt Strike payload.

Threat actors perform credential harvesting and lateral movement and use the gathered credentials to compromise as many endpoints as possible and deploy the Black Basta ransomware.

Experts also observed the attackers looking for machines without a defense sensor, in an attempt to deploy additional malicious tools without being detected.

The report includes indicators of compromise for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta ransomware)

Threat actors exploit discontinued Boa web servers to target critical infrastructure

24 November 2022 at 08:46

Microsoft reported that hackers have exploited flaws in a now-discontinued web server called Boa in attacks against critical industries.

Microsoft experts believe that threat actors behind a malicious campaign aimed at Indian critical infrastructure earlier this year have exploited security flaws in a now-discontinued web server called Boa.

The Boa web server is widely used across a variety of devices, including IoT devices, and is often used to access settings and management consoles as well as sign-in screens. The experts pointed out that Boa has been discontinued since 2005.

Researchers at Recorded Future have observed several intrusion attempts on Indian critical infrastructure since 2020 and shared IoCs related to this campaign. Microsoft experts analyzed these IoCs and discovered that Boa servers were running on the IP addresses in the list; they also explained that the electrical grid attack targeted exposed IoT devices running Boa.

Microsoft also discovered that half of the IP addresses in the list published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of a malicious tool identified by Recorded Future.

“Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators.” reads the report published by Recorded Future. “Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.”

Microsoft experts explained that despite Boa being discontinued in 2005, many vendors across a variety of IoT devices and popular software development kits (SDKs) continue to use it.

The researchers identified over 1 million internet-exposed Boa server components around the world over the span of a week.


“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices.” reads the report published by Microsoft.

“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”

Boa is known to be affected by multiple flaws, including CVE-2017-9833 and CVE-2021-33558, which can allow unauthenticated attackers to read arbitrary files, obtain sensitive information, and gain remote code execution.


“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network.” concludes the report.

“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations.”


Pierluigi Paganini

(SecurityAffairs – hacking, Boa)


Pro-Russian group Killnet claims responsibility for DDoS attack that has taken down the European Parliament site

23 November 2022 at 21:20

Pro-Russian hacker collective Killnet took down the European Parliament website with a DDoS cyberattack.

The pro-Russia hacktivist group Killnet claimed responsibility for the DDoS attack that today took down the website of the European Parliament.

#KILLNET, the Pro-Russia 🇷🇺 #hacking group, claims to have launched a #DDoS attack against the European Parliament's (@Europarl_EN) official website. The website is currently unreachable from the 🇺🇸 pic.twitter.com/I8g4Fu0pgi

— BetterCyber (@_bettercyber_) November 23, 2022

“KILLNET officially recognises the European Parliament as sponsors of homosexualism,” states the group.

The attack was launched immediately after lawmakers approved a resolution calling Moscow a “state sponsor of terrorism”.

“The European Parliament is under a sophisticated cyberattack. A pro-Kremlin group has claimed responsibility,” said parliament’s president, Roberta Metsola. “Our IT experts are pushing back against it and protecting our systems. This, after we proclaimed Russia as a State-sponsor of terrorism. My response: #SlavaUkraini (Glory to Ukraine).”

The @Europarl_EN is under a sophisticated cyberattack. A pro-Kremlin group has claimed responsibility.

Our IT experts are pushing back against it & protecting our systems.

This, after we proclaimed Russia as a State-sponsor of terrorism.

My response: #SlavaUkraini

— Roberta Metsola (@EP_President) November 23, 2022

The Director General for Communication and Spokesperson of the European Parliament, Jaume Duch, also confirmed the attack via Twitter.

🚨The availability of @Europarl_EN website is currently impacted from outside due to high levels of external network traffic.
This traffic is related to a DDOS attack (Distributed Denial of Service) event.
EP teams are working to resolve this issue as quickly as possible.

— Jaume Duch (@jduch) November 23, 2022

European Pirate Party MEP Mikulas Peksa reported that “there are reports that the pro-Russian hacking group Killnet has claimed responsibility for the attack”.

“If these reports are true, this is a massive attack on European democracy that will require further action,” he added.

MEPs call for the further international isolation of Russia due to its aggression against Ukraine and the ongoing escalation of attacks against civilians.

“Parliament calls on the European Union to further isolate Russia internationally, including when it comes to Russia’s membership of international organisations and bodies such as the United Nations Security Council. MEPs also want diplomatic ties with Russia to be reduced, EU contacts with official Russian representatives to be kept to the absolute minimum and Russian state-affiliated institutions in the EU spreading propaganda around the world to be closed and banned.” states the press release published by the EU Parliament. “Against the backdrop of the Kremlin’s escalating acts of terror against Ukrainian civilians, the resolution further calls on EU member states in the Council to swiftly complete its work on a ninth sanctions package against Moscow.”

In October, the pro-Russia hacktivist group KillNet claimed responsibility for massive distributed denial-of-service (DDoS) attacks against the websites of several major airports in the US. The DDoS attacks took the websites offline, and users were not able to access them during the offensive.

KillNet has previously targeted many other countries that condemned the Russian invasion of Ukraine, including Italy, Romania, Estonia, Lithuania, and Norway.

Italian readers can read my comment to the Italian Press Agency ANSA.


Pierluigi Paganini

(SecurityAffairs – hacking, European Parliament)


Ducktail information stealer continues to evolve

23 November 2022 at 18:53

The operators behind the Ducktail information stealer continue to improve their malicious code, experts warn.

In late July 2022, researchers from WithSecure (formerly F-Secure Business) discovered an ongoing operation, named DUCKTAIL, that was targeting individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a Vietnamese financially motivated threat actor that is suspected to have been active since 2018.

The threat actors target individuals and employees who may have access to a Facebook Business account. They use information-stealer malware that steals browser cookies and abuses authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers contacted victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

After a short pause, the DUCKTAIL campaign returned with slight changes in its TTPs.

Starting on September 6, 2022, the researchers detected new samples in the wild belonging to a new variant that uses the .NET 7 NativeAOT feature, which allows binaries to be compiled natively (ahead-of-time) from .NET code. The format of these binaries is different from the one used by traditional .NET assemblies.

“NativeAOT offers similar benefits to the .NET single-file feature that previous DUCKTAIL variants used for compilation, especially because they can be compiled as a framework independent binary that doesn’t require .NET runtime to be installed on the victim’s machine.” reads the report published by WithSecure.

Between 2nd and 4th October 2022, the security firm discovered new DUCKTAIL samples being submitted to VirusTotal from Vietnam. The samples contained a mixture of old and new DUCKTAIL variant code bases, compiled as self-contained .NET Core 3 Windows binaries, which suggests that the group is shifting to self-contained applications. On October 5, the operators started distributing DUCKTAIL malware to victims as self-contained .NET Core Windows binaries, abandoning NativeAOT and back to using self-contained .NET binaries.


The analysis of the variants written in .NET Core 3 revealed the presence of unused anti-analysis functions that were copied from a GitHub repository. This is yet another indication of the threat actor’s continuous efforts to evade analysis and detection mechanisms.

WithSecure observed several multi-stage subvariants of DUCKTAIL that are used to deliver the final payload; the researchers highlighted that, in all cases, the final payload is the primary information-stealer malware.

“The malware still relies on Telegram as its C&C channel. At the time of writing, three active Telegram bots and channels were observed in the latest campaign, with the threat actor re-using the same Telegram chats that were initially discovered, indicating that only the bots (and access tokens) were refreshed with stricter administrator rights” concludes the report. “An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DUCKTAIL)

The post Ducktail information stealer continues to evolve appeared first on Security Affairs.

Experts claim that iPhone’s analytics data is not anonymous

23 November 2022 at 13:58

Researchers discovered that the analytics data collected from iPhones includes the Directory Services Identifier (DSID), which could allow users to be identified.

Researchers at software company Mysk discovered that the analytics data collected by iPhones includes the Directory Services Identifier (DSID), which could allow users to be identified.

Apple collects both DSID and Apple ID, which means that it can use the former to identify the user and retrieve associated personal information, including full name, phone number, birth date, email, and address.


“Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and the DSID can be clearly seen alongside a user’s personal data” reads a Tweet by Mysk.

🚨 New Findings:
🧵 1/6
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you 👇 pic.twitter.com/3DSUFwX3nV

— Mysk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022

According to the experts, this behavior violates the privacy policy of the company that states that “none of the collected information identifies you personally.”

“Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple.” states the policy.

“Knowing the DSID is like knowing your name. It’s one-to-one to your identity,” Tommy Mysk, an app developer and security researcher, told Gizmodo. “All these detailed analytics are going to be linked directly to you. And that’s a problem, because there’s no way to switch it off.”

It is important to highlight that Mysk researchers used a jailbroken iPhone running iOS 14.6 for their tests in order to be able to decrypt the traffic and determine which data are sent back to Apple.

The experts also tested an iPhone running iOS 16, but the security measures implemented by Apple prevented them from jailbreaking the device to inspect the traffic. Nevertheless, the experts argue that the latest iOS version would send the same data as the jailbroken phone.

Apple has yet to respond to a request for comment on the issue.

Earlier this month, Mysk researchers also discovered that Apple collects analytics information even when the users switch off the iPhone setting “Share iPhone Analytics.”

🧵
1/5
The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple.👇This data is sent in one request: (data usage & personalized ads are off)#CyberSecurity pic.twitter.com/1pYqdagi4e

— Mysk 🇨🇦🇩🇪 (@mysk_co) November 3, 2022


Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966

23 November 2022 at 10:28

Microsoft released an out-of-band update to fix problems tied to a recent Windows security patch that caused Kerberos authentication issues.

Microsoft released an out-of-band update to address issues caused by a recent Windows security patch that causes Kerberos authentication problems.

Microsoft Patch Tuesday security updates for November 2022 addressed a privilege escalation vulnerability, tracked as CVE-2022-37966, that impacts Windows Server.

An attacker can trigger this flaw to gain administrator privileges on vulnerable systems.

“An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.” reads the advisory published by Microsoft.

After the release of the Patch Tuesday security updates, users started reporting issues related to the Kerberos authentication.

The IT giant investigated the reports and developed an out-of-band update to fix the problems.

“There is a known issue documented in the security updates that address this vulnerability, where Kerberos authentication might fail for user, computer, service, and GMSA accounts when serviced by Windows domain controllers that have installed Windows security updates released on November 8, 2022. Has an update been released that addresses this known issue?” continues the advisory.

“Yes. The issue is addressed by out-of-band updates released to Microsoft Update Catalog on and after November 17, 2022. Customers who have not already installed the security updates released on November 8, 2022 should install the out-of-band updates instead. Customers who have already installed the November 8, 2022 Windows security updates and who are experiencing issues should install the out-of-band updates.”

The IT giant recommends that customers who have yet to install the security updates released on November 8, 2022 install only the out-of-band updates. Customers who have already installed the Patch Tuesday security updates and are experiencing issues should install the out-of-band updates.

Microsoft is not aware of attacks in the wild exploiting the CVE-2022-37966 flaw.


Exclusive – Quantum Locker lands in the Cloud

23 November 2022 at 08:15

The gang behind Quantum Locker used a particular modus operandi to target large enterprises relying on cloud services in the NACE region.

Executive Summary

  • The Quantum Locker gang demonstrated the capability to run ransomware extortion even in cloud environments such as Microsoft Azure.
  • Criminal operators of the Quantum gang demonstrated the ability to hunt down and delete secondary backup copies stored in cloud buckets and blobs.
  • The Quantum Locker gang targets IT administration staff to gather sensitive network information and credential access.
  • During their intrusions, Quantum operators steal access to enterprise cloud file storage services such as Dropbox to gather sensitive credentials.
  • Cloud root account takeovers have been observed in Q4 2022 during Quantum gang intrusions in Northern Europe.

Quantum Locker (Source: Cybereason)

Incident Insights

In recent weeks, the Belgian company Computerland shared insights with the European threat intelligence community about the Quantum TTPs adopted in recent attacks. The shared information revealed that the Quantum gang used a particular modus operandi to target large enterprises relying on cloud services in the NACE region.

The disclosed technical details about recent intrusions confirm the ability of the Quantum Locker gang to conduct sabotage and ransomware attacks even against companies heavily relying on cloud environments.

For instance, the TTPs employed in a recent attack include the complete takeover of the company’s Microsoft cloud services through the compromise of the root account (T1531). Such an action is particularly harrowing for the victim company: all Microsoft services and users, including email services and regular users, remain unusable until the vendor responds, which can take days depending on the reset request verification process.

In addition, the insights on Q4 2022 attacks report that Quantum Locker operators are able to locate and delete all of the victim’s Microsoft Azure Blob storage to achieve secondary backup annihilation and business data deletion (T1485). Even if cloud services could theoretically support the restoration of old blobs and buckets, the recovery of “permanently deleted” data often takes days and might not even be available due to the provider’s internal technical restrictions.

The favorite initial targets of Quantum operators during their recent activities in Northern Europe were IT administrators and networking staff. By accessing their personal resources and shared Dropbox folders, the threat actors were able to gather sensitive administrative credentials and extend the attack to the cloud surface (T1530).

Incident insights from the Belgian firm also confirm that Quantum is coupling these new techniques with more traditional ransomware delivery techniques, such as the modification of domain Group Policies (T1484.001) to distribute the ransomware across on-prem Windows machines and users’ laptops, along with the abuse of the legitimate AnyDesk software as a remote access tool (T1219).

Also, during the recent intrusions, Quantum operators extensively altered the configuration of endpoint defense tools such as Microsoft Defender (T1562.001). In fact, the threat actors were able to programmatically insert ad hoc exclusions to blind the onboard endpoint protection without raising any shutdown warning.

The Belgian firm also reports that Quantum Locker’s average encryption speed in a real-world hybrid cloud scenario is around 13 MB/s, considerably slower than other ransomware families that adopt intermittent encryption, which extends the responders’ window of opportunity for timely interception and containment.

Threat Actor Brief

Quantum Locker ransomware was originally born from the ashes of the MountLocker ransomware program operated by Russian-speaking cybercriminals back in 2020. Before taking its current name, Quantum Locker was rebranded several times, first as AstroLocker and then under the XingLocker alias.

Quantum Locker was also involved in many high-profile attacks, such as the one on the Israeli security company BeeSense, the alleged attack on the local administration of the Sardinia region in Italy, and attacks on government agencies in the Dominican Republic.

Indicator of Compromise

  • Intrusion and Exfiltration infrastructure
    • 146.70.87,66 M247-LOS-ANGELES US
    • 42.216.183,180 NorthStar CN
  • Distribution Infrastructure:
    • hxxp://146.70.87,186/load/powerDEF
    • 146.70.87,186 M247-LOS-ANGELES

About the author: Luca Mella, Cyber Security Expert


5 API Vulnerabilities That Get Exploited by Criminals

22 November 2022 at 23:17

Let’s give a look at API vulnerabilities by reading the API Security Top 10 published by the Open Web Application Security Project (OWASP).

It’s no secret that cyber security has become a leading priority for most organizations — especially those in industries that handle sensitive customer information. And as these businesses work towards building robust security strategies, it’s vital that they account for various threat vectors and vulnerabilities.

One area that requires significant scrutiny is API security. APIs, short for application programming interfaces, have become a common building block for digitally enabled organizations. They facilitate communication as well as critical business operations, and they also support important digital transformations. It’s no surprise then that the average number of APIs per company increased 221% in the last year.

Crafting an API security strategy is a complex task. APIs have unique threat implications that aren’t fully solved by web application firewalls or identity and access management solutions. The first step to getting it right is to understand what the common vulnerabilities are.

5 Common API Vulnerabilities Explained

In its API Security Top 10, the Open Web Application Security Project (OWASP) identifies the top ten threats to APIs. Below, we take a closer look at some of the most common.

1. Broken Object Level Authentication (BOLA)

APIs with broken object level authentication allow attackers to easily exploit API endpoints by manipulating the ID of an object sent within an API request. The result? BOLA authorization flaws can lead to unauthorized viewing, modification or destruction of data, or even a full account takeover.

Today, BOLA accounts for 40% of all API attacks. One of the primary reasons they’re so prevalent is that traditional security controls like WAFs or API gateways can’t identify them as anomalous to the baseline API behavior. Instead, businesses need an API solution that can spot when an authenticated user is trying to gain unauthorized access to another user’s data.

2. Broken User Authentication

There are a number of factors that can lead to broken user authentication in an API. This includes weak password complexity or poor password hygiene, missing account lockout thresholds, long durations for password or certificate rotations, or relying on API keys alone for authentication.

When an API experiences broken user authentication, cyber criminals can use authentication-related attacks like credential stuffing and brute-force attacks to gain access to applications. Once they’re in, the attackers can then take over user accounts, manipulate data, or make unauthorized transactions.

When it comes to traditional security methods, they often lack the ability to track traffic over time, meaning they can’t easily identify high-volume attacks like credential stuffing. As such, an API security solution should be able to identify abnormal behavior against a typical authentication sequence.

3. Excessive Data Exposure

A common issue with most APIs is that, for the sake of efficiency, they’re often set up to share more information than is needed in an API response. They then leave it to the client application to filter the information and render it for the user. This is problematic because attackers can use the redundant data to extract sensitive information from the API.

While some traditional security solutions can identify this type of vulnerability, they can’t always differentiate between legitimate data returned by the API and sensitive data that shouldn’t be returned. This means an API security solution should be able to spot when a user is consuming too much sensitive data.
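The two flaws described in items 1 and 3, shown side by side in an added Python example (not code from the article or from OWASP): an authenticated but unauthorized object lookup, and a response that returns the whole record for the client to filter. The invoice records, user names and field names are constructed sample data.

```python
"""Added example: Broken Object Level Authorization and excessive data
exposure in a minimal in-memory API handler, with the hardened form beside it.
All data below is constructed for illustration."""

# Constructed sample resource: invoices owned by different users. Some fields
# (bank details, an internal score) should never leave the server.
INVOICES = {
    101: {"id": 101, "owner": "alice", "amount": 120.0,
          "iban": "DE00 0000 0000 0000 0000 00", "internal_risk_score": 7},
    102: {"id": 102, "owner": "bob", "amount": 80.0,
          "iban": "FR00 0000 0000 0000 0000 000", "internal_risk_score": 2},
}

# Server-side allow-list of fields a caller may see (fixes item 3): the
# client never receives data it is then expected to "filter out".
PUBLIC_FIELDS = ("id", "owner", "amount")


class NotFound(Exception):
    """Raised when the object does not exist for this caller."""


def get_invoice_vulnerable(caller: str, invoice_id: int) -> dict:
    """Vulnerable handler: the caller is authenticated (we know who they are),
    but the object ID from the request is never checked against that identity
    (item 1, BOLA), and the full record is returned (item 3)."""
    try:
        return dict(INVOICES[invoice_id])
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_hardened(caller: str, invoice_id: int) -> dict:
    """Hardened handler: object-level authorization on every lookup, and a
    projection to the public fields only.

    "Does not exist" and "not yours" deliberately produce the same response,
    so the endpoint cannot be used as an oracle to confirm which IDs exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != caller:
        raise NotFound(invoice_id)
    return {field: record[field] for field in PUBLIC_FIELDS}


def readable_ids(handler, caller: str, id_range) -> list:
    """Regression check for the authorization layer: which IDs in a range can
    this caller read through the given handler? A correct handler returns only
    the caller's own objects."""
    found = []
    for invoice_id in id_range:
        try:
            handler(caller, invoice_id)
        except NotFound:
            continue
        found.append(invoice_id)
    return found


def sensitive_fields_leaked(response: dict) -> set:
    """Which non-public fields made it into a response body."""
    return set(response) - set(PUBLIC_FIELDS)


if __name__ == "__main__":
    # alice asks for bob's invoice: the vulnerable handler hands it over,
    # bank details included; the hardened handler behaves as if it did not exist.
    print("vulnerable:", readable_ids(get_invoice_vulnerable, "alice", range(100, 105)))
    print("hardened:  ", readable_ids(get_invoice_hardened, "alice", range(100, 105)))
    print("leaked:", sensitive_fields_leaked(get_invoice_vulnerable("alice", 102)))
```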

4. Lack of Resources and Rate Limiting

APIs don’t always have restrictions for the number of resources that can be requested by the client or a user. This leaves them open to server disruptions that cause denial of service, as well as brute-force and enumeration attacks against APIs responsible for authentication and data fetching. Plus, attackers can set up automated attacks against APIs that don’t have limits, including credential cracking and token cracking.

Traditional solutions will have some basic rate limiting functionality, but it’s not always easy to deploy at scale. As such, these security tools often lack the context required to flag an attack when it’s happening. A modern API security solution should be able to identify any activity that falls outside of normal usage values.

5. Security Misconfiguration

There are a number of security misconfigurations that can accidentally introduce vulnerabilities into APIs. These include incomplete configurations, misconfigured HTTP headers, verbose error messages, open cloud storage, and more. Attackers can leverage these to learn more about the API components, and then exploit the misconfigurations as part of their attack.

Comprehensive API solutions can identify these misconfigurations and provide remediation suggestions.

Close the Gaps

Attackers are always evolving their strategies for compromising APIs, looking for new threat vectors and leveraging new vulnerabilities. What’s common in most successful attacks is that they target gaps in business logic. This means that to establish a proactive API security strategy, organizations must account for these gaps at every step.

About the Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora


Researcher warns that Cisco Secure Email Gateways can easily be circumvented

22 November 2022 at 19:04

A researcher revealed how to bypass some of the filters in Cisco Secure Email Gateway appliance and deliver malware using specially crafted emails.

An anonymous researcher publicly disclosed a series of techniques to bypass some of the filters in Cisco Secure Email Gateway appliance and deliver malware using specially crafted emails.

The researcher pointed out that the attack complexity is low and added that working exploits have already been published by a third party. The expert disclosed the techniques within a coordinated disclosure procedure.


“This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame.” wrote the researcher on the Full Disclosure mailing list. “As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threats publicly known.”

The researcher explained that Cisco Secure Email Gateways can be circumvented by a remote attacker who leverages the error tolerance and differing MIME decoding capabilities of email clients.

The methods disclosed by the researcher could allow attackers to bypass Cisco Secure Email Gateway; they work against several email clients, such as Outlook, Thunderbird, Mutt, and Vivaldi.

The three methods are:

  • Method 1: Cloaked Base 64 – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts several Email Clients, including Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build 16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit), Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.
  • Method 2: yEnc Encoding – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Mozilla Thunderbird 91.11.0 (64-bit) email client.
  • Method 3: Cloaked Quoted-Printable – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1 Email Clients.

Cisco published a bug report warning of an issue in the Sophos and McAfee scanning engines of Cisco Secure Email Gateway that could allow an unauthenticated, remote attacker to bypass specific filtering features.

“The issue is due to improper identification of potentially malicious emails or attachments. An attacker could exploit this issue by sending a malicious email with malformed Content-Type headers (MIME Type) through an affected device.” reads the alert. “An exploit could allow the attacker to bypass default anti-malware filtering features based on the affected scanning engines and successfully deliver malicious messages to the end clients.”

The issues impact devices running with a default configuration.

The researcher explained that the code implementing the attack methods, along with many similar techniques for manipulating MIME encoding, is available in an open-source toolkit for generating and testing bad MIME that is hosted on GitHub.

known for many years and have been found in the products of several vendors.


Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem

22 November 2022 at 15:20

Researchers warn of threat actors employing a new Go-based malware dubbed Aurora Stealer in attacks in the wild.

Aurora Stealer is an info-stealing malware that was first advertised on Russian-speaking underground forums in April 2022. Aurora was offered as Malware-as-a-Service (MaaS) by a threat actor known as Cheshire. It is a multi-purpose botnet with data stealing and remote access capabilities.


Researchers at SEKOIA identified 7 traffers teams on Dark Web forums that announced the availability of the Aurora Stealer in their arsenal, a circumstance that confirms the increased popularity of the malware among threat actors.

Traffers team    Malware arsenal    Launch date    Last observed activity
RavenLogs        Aurora, Redline    17/10/2022     14/11/2022
BrazzersLogs     Aurora, Raccoon    14/11/2022     14/11/2022
DevilsTraff      Aurora, Raccoon    30/10/2022     14/11/2022
YungRussia       Aurora             16/10/2022     31/10/2022
Gfbg6            Aurora             14/09/2022     24/10/2022
SAKURA           Aurora             10/08/2022     04/11/2022
HellRide         Aurora             09/07/2022     15/07/2022

In October and November 2022, the researchers analyzed several hundred collected samples and identified dozens of active C2 servers. The experts also observed multiple infection chains leading to the deployment of Aurora Stealer. The attackers used several methods to deliver the malware, including phishing websites masquerading as legitimate ones, YouTube videos, and fake “free software catalogue” websites.

“These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poisoned fake cracked software download websites.” reads the analysis by the experts.

The malware was also able to target 40 cryptocurrency wallets and applications like Telegram.

The threat actors behind this malware also advertised its loader capabilities: the malicious code is in fact able to deploy a next-stage payload using a PowerShell command.

“Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader. Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out follow-up lucrative campaigns, including Big Game Hunting operations.” concludes the report. “As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat.”


Two Estonian citizens arrested in $575M cryptocurrency fraud scheme

22 November 2022 at 10:56

Two Estonian citizens were arrested in Tallinn for allegedly running a $575 million cryptocurrency fraud scheme.

Two Estonian nationals were arrested in Tallinn, Estonia, after being indicted in the US for running a fraudulent cryptocurrency Ponzi scheme that caused more than $575 million in losses.

According to the indictment, Sergei Potapenko and Ivan Turõgin, both 37, allegedly defrauded hundreds of thousands of victims through a crypto Ponzi scheme. The duo used shell companies to launder the cash from the fraudulent activity and to buy real estate and luxury cars.

“They induced victims to enter into fraudulent equipment rental contracts with the defendants’ cryptocurrency mining service called HashFlare. They also caused victims to invest in a virtual currency bank called Polybius Bank.” reads the press release published by DoJ. “In reality, Polybius was never actually a bank, and never paid out the promised dividends. Victims paid more than $575 million to Potapenko and Turõgin’s companies.”

The defendants are accused of having defrauded the victims between December 2013 and August 2019; they operated with other co-conspirators residing in Estonia, Belarus, and Switzerland.

Potapenko and Turõgin tricked investors into believing that HashFlare was a massive cryptocurrency mining operation: the victims were asked to pay to rent computing power and to receive a proportional share of the cryptocurrency mined. The bad news for the investors is that HashFlare did not have the virtual currency mining equipment it claimed to have.

According to the indictment, HashFlare’s equipment performed Bitcoin mining at a rate of less than one percent of the computing power it claimed to have.

When investors asked to withdraw their mining proceeds, the defendants either resisted making the payments or, in some cases, paid off the investors using virtual currency that had been purchased on the open market.

HashFlare shut down its operations in 2019, but starting in May 2017 the duo had begun offering investments in a company called Polybius, which they claimed would form a bank specializing in virtual currency.

“They promised to pay investors dividends from Polybius’s profits. The men raised at least $25 million in this scheme and transferred most of the money to other bank accounts and virtual currency wallets they controlled. Polybius never formed a bank or paid any dividends.” continues the DoJ.

According to the indictment, the defendants also conspired to launder their criminal proceeds through shell companies and phony contracts and invoices. The money laundering conspiracy involved “at least 75 real properties, six luxury vehicles, cryptocurrency wallets, and thousands of cryptocurrency mining machines.”

Potapenko and Turõgin are charged with conspiracy to commit wire fraud, 16 counts of wire fraud, and one count of conspiracy to commit money laundering. Both could face a maximum penalty of 20 years in prison.


Emotet is back and delivers payloads like IcedID and Bumblebee

22 November 2022 at 08:39

The Emotet malware is back and experts warn of a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

Proofpoint researchers warn of the return of the Emotet malware: in early November, the experts observed a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.

The infamous banking trojan was also used to deliver other malicious code, such as the Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.

The Emotet operators remained inactive between July and November 2022.

The threat actors were spotted distributing hundreds of thousands of emails per day; this activity suggests Emotet is returning to full functionality, acting as a delivery network for major malware families.

The experts noticed multiple changes to the bot and its payloads, and the operators introduced changes to the malware modules, loader, and packer. Below are the changes observed by Proofpoint:

  • New Excel attachment visual lures
  • Changes to the Emotet binary
  • IcedID loader dropped by Emotet is a light new version of the loader
  • Reports of Bumblebee dropped in addition to IcedID

“The volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period.” reads the report published by Proofpoint.


The wave of attacks observed by the security firm primarily targeted the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.

The emails observed in recent attacks typically used a weaponized Excel attachment or a password-protected zip attachment containing an Excel file inside. The Excel files contain XL4 macros that download the Emotet payload from several (typically four) built-in URLs.

The novelty of the Excel files used in recent campaigns is that they contain instructions for recipients to copy the file to a Microsoft Office Template location and run it from there instead. This location is “trusted,” which means that opening a document located in this folder will not display any warnings. 

“However, while moving a file to a template location, the operating system asks users to confirm and that administrator permissions are required to do such a move.” observed the experts. “It remains unclear how effective this technique is. While there is no longer a need for users to enable macros with an extra click, there is instead a need to perform a file move, acknowledge the dialog, and the user must have Administrator privileges.”


The Emotet variant employed in recent attacks supports new commands, has a new implementation of the communication loop, uses a new check-in packet format, and a new packer.

The current version of the bot supports 5 commands:

  • 1 – Update bot
  • 2 – Load module
  • 3 – Load executable
  • 4 – Load executable via regsvr32.exe
  • 16343 – invoke rundll32.exe with a random named DLL and the export PluginInit

The last two were added to the latest version of the botnet.

“Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

The post Emotet is back and delivers payloads like IcedID and Bumblebee appeared first on Security Affairs.

Expert published PoC exploit code for macOS sandbox escape flaw

21 November 2022 at 21:19

A researcher published details and proof-of-concept (PoC) code for a high-severity macOS sandbox escape vulnerability tracked as CVE-2022-26696.

Researcher Wojciech Reguła (@_r3ggi) of SecuRing published technical details and proof-of-concept (PoC) code for a macOS sandbox escape vulnerability tracked as CVE-2022-26696 (CVSS score of 7.8).

In a write-up, Reguła explained that the problem is caused by a strange behavior he observed in a sandboxed macOS app: the sandboxed app may launch any application, and the launched application does not inherit the main app’s sandbox profile.

“A sandboxed process may be able to circumvent sandbox restrictions.” reads the advisory published by Apple that addressed the flaw with improved environment sanitization.

According to ZDI, a remote attacker can trigger the flaw to escape the sandbox on vulnerable Apple macOS installs. ZDI pointed out that an attacker can exploit the bug only after first obtaining the ability to execute low-privileged code on the target system.

“This vulnerability allows remote attackers to escape the sandbox on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the report published by ZDI. “The specific flaw exists within the handling of XPC messages in the LaunchServices component. A crafted message can trigger execution of a privileged operation. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user.”

The issue was reported to the vendor on December 22, 2021 and it was disclosed on August 15, 2022.

Reguła focused his analysis on an Objective-C method of Terminal.app.

“+[TTApplication isRunningInInstallEnvironment] will return YES when the __OSINSTALL_ENVIRONMENT environment variable was set.” wrote the expert. “So, when Terminal.app starts, some of the environment variables were not cleared when +[TTApplication isRunningInInstallEnvironment] returned YES. Great, with simple command injection I was able to execute code within the Terminal.app context without any sandbox!”

The expert was able to weaponize the flaw by embedding the exploit in a Word document and loading Mythic’s JXA payload.

“Executing code within the Terminal.app context can be really dangerous as it can also have some TCC permissions already granted.” Regula explained.

Reguła shared a video PoC that demonstrates how to weaponize a Word document to escape the sandbox and execute code within the Terminal.

Google won a lawsuit against the Glupteba botnet operators

21 November 2022 at 14:33

Google won a lawsuit filed against two Russian nationals involved in the operations of the Glupteba botnet.

This week, Google announced it has won a nearly year-long legal battle against the Glupteba botnet. Glupteba is a highly sophisticated botnet composed of millions of compromised Windows devices. Unlike other botnets, Glupteba leverages cryptocurrency blockchains as a command-and-control mechanism in an attempt to make it more resilient to takeover.

“This means that a conventional botnet can be disabled by taking the server at the hardcoded address offline. The Glupteba malware, however, instructs infected computers to look for the addresses of its C2 servers by referencing transactions associated with specific accounts on the Bitcoin blockchain. The blockchain is not controlled by any central authority, and each transaction is disseminated to and viewable by any user on the blockchain.” states the court order. “These features make the Glupteba botnet unusually resistant to disruption. If the botnet’s C2 servers are disabled, then its operators can simply set up new servers and broadcast their addresses on the blockchain.”

The IT giant won a lawsuit filed against two Russian nationals involved in the operations of the botnet. The court’s ruling sets an important legal precedent in the fight against cybercrime.

In December 2021, the company’s Threat Analysis Group (TAG) shared the actions it took to disrupt the operations of the Glupteba botnet and announced it has filed a case in the Southern District of New York against its operators.

“This week, we were pleased to see the end to a nearly year-long legal battle against the Glupteba botnet” reads the announcement published by Google. “We made the explicit decision to name the criminal actors behind Glupteba as defendants in the suit, to expose them and their various shell companies. This is not a common tactic, but we felt it was important to try and disrupt their ability to operate covertly online.”

The U.S. District Court issued monetary sanctions against both the Russian-based defendants and their US-based lawyer and required them to pay the legal fees to Google.

“In exchange, the Defendants would receive Google’s agreement not to report them to law enforcement, and a payment of $1 million per defendant, plus $110,000 in attorney’s fees. The Defendants stated that, although they do not currently have access to the private keys, Valtron would be willing to provide them with the private keys if the case were settled.” continues the court order.

The ruling is considered very important because it demonstrates that crooks can face monetary consequences for engaging in cybercriminal activities like this one.

“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” said Federal Judge Denise Cote in her decision Tuesday.

Google pointed out that Glupteba operators have resumed activity using platforms and IoT devices that are not operated by Google. However, the company confirmed that its operation caused a 78% reduction in the number of infected hosts.

“But there’s a lot more work to be done. Legal cases that expose the criminal elements behind these types of operations are just one tool that Google uses to protect our services and the people and businesses who use them.” concludes the announcement.

Google provides rules to detect tens of cracked versions of Cobalt Strike

21 November 2022 at 11:41

Researchers at Google Cloud identified 34 different hacked release versions of the Cobalt Strike tool in the wild.

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. 

Google Cloud researchers announced that they discovered 34 different hacked release versions of Cobalt Strike, with a total of 275 unique JAR files across these versions.

Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries.

The experts were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (which was released in 2012) up to the latest version at the time of publishing the analysis, Cobalt Strike 4.7.

The researchers cataloged the stagers, templates, and beacons, including the XOR encodings used by Cobalt Strike since version 1.44.

GCTI noticed that the cracked versions of the post-exploitation tool used in attacks in the wild are not the latest versions from the vendor Fortra, but are typically at least one release version behind. For this reason, Google researchers focused on these versions.

“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal.” states the report published by Google. “We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry.”

The activity conducted by Google aims at improving the detection of malicious activities involving hacked versions of the tool. It is important work that did not impact the legitimate versions of the tool used by penetration testers and “red teams”.

“We wanted to enable better detection of actions done by bad actors, and we needed a surgical approach to excise the bad versions while leaving the legitimate ones untouched. This required detecting the exact version of the Cobalt Strike component.” concludes the post. “By targeting only the non-current versions of the components, we can leave the most recent versions alone, the version that paying customers are using.”

Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild

21 November 2022 at 08:31

Experts from Cyble Research and Intelligence Labs (CRIL) discovered three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware.

Threat intelligence firm Cyble announced the discovery of three new ransomware families named AXLocker, Octocrypt, and Alice Ransomware.

The AXLocker ransomware encrypts victims’ files and steals Discord tokens from the infected machine. The analysis of the code revealed that the startencryption() function implements the capability to search files by enumerating the available directories on the C:\ drive. The malware only targets specific file extensions and excludes a list of directories from the encryption process.

The AXLocker ransomware uses the AES encryption algorithm to encrypt files; unlike other ransomware, it does not change the name or extension of the encrypted files.

“After encrypting the victim’s files, the ransomware collects and sends sensitive information such as Computer name, Username, Machine IP address, System UUID, and Discord tokens to TA.” reads the analysis published by Cyble.

The malware uses regex to find the Discord tokens in the local storage files, then sends them to the Discord server along with other information.

Once the ransomware has encrypted the files, it shows a pop-up window that contains a ransom note with instructions to contact the operators. The ransom note does not state the amount the victims must pay to recover their files.

Cyble also discovered a new ransomware strain dubbed Octocrypt. It is written in Golang, and its operators are adopting the Ransomware-as-a-Service (RaaS) business model. The malware appeared in the threat landscape around October 2022 and is offered for USD 400.

“The Octocrypt web panel builder interface allows TAs to generate ransomware binary executables by entering options such as API URL, Crypto address, Crypto amount, and Contact email address.” continues Cyble.

The third ransomware strain discovered by Cyble dubbed “Alice” is also offered as a Ransomware-as-a-Service (RaaS).

Security Affairs newsletter Round 394

20 November 2022 at 21:55

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

DEV-0569 group uses Google Ads to distribute Royal Ransomware
Black Friday and Cyber Monday, crooks are already at work
New improved versions of LodaRAT spotted in the wild
Atlassian fixed 2 critical flaws in Crowd and Bitbucket products
Hive Ransomware extorted over $100M in ransom payments from over 1,300 companies
Ongoing supply chain attack targets Python developers with WASP Stealer
China-based Fangxiao group behind a long-running phishing campaign
Two public schools in Michigan hit by a ransomware attack
Magento and Adobe Commerce websites under attack
Tank, the leader of the Zeus cybercrime gang, was arrested by the Swiss police
Iran-linked threat actors compromise US Federal Network
F5 fixed 2 high-severity Remote Code Execution bugs in its products
Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs
New RapperBot Campaign targets game servers with DDoS attacks
Beginning 2023 Google plans to rollout the initial Privacy Sandbox Beta
Happy birthday Security Affairs … 11 years together!
Experts found critical RCE in Spotify’s Backstage
Experts revealed details of critical SQLi and access issues in Zendesk Explore
China-linked APT Billbug breached a certificate authority in Asia
Previously undetected Earth Longzhi APT group is a subgroup of APT41
Avast details Worok espionage group’s compromise chain
Massive Black hat SEO campaign used +15K WordPress sites
KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks
CERT-UA warns of multiple Somnia ransomware attacks against organizations in Ukraine
Have board directors any liability for a cyberattack against their company?
Ukraine Police dismantled a transnational fraud group that made €200 million per year
Lockbit gang leaked data stolen from global high-tech giant Thales

PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online

20 November 2022 at 19:39

Proof-of-concept exploit code for two actively exploited Microsoft Exchange ProxyNotShell flaws has been released online.

Proof-of-concept exploit code has been released online for two actively exploited vulnerabilities in Microsoft Exchange, known as ProxyNotShell.

The two flaws are:

  • CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability

They impact Exchange Server 2013, 2016, and 2019. An authenticated attacker can trigger them to elevate privileges, run PowerShell in the context of the system, and gain arbitrary or remote code execution on vulnerable servers.

Cybersecurity firm GreyNoise confirmed that threat actors have been attempting to exploit the flaws since late September, Bleeping Computer reported.

Microsoft addressed both vulnerabilities with the release of the November 2022 Patch Tuesday security updates.

This week the popular researcher Will Dormann confirmed that the PoC exploit code released by the security researcher Janggggg for the flaws, which have been exploited by threat actors in the wild, works against Exchange Server 2016 and 2019, and even against 2013 with some modifications. The expert demonstrated how to exploit the bug to execute calc.exe as SYSTEM.

Can confirm.
This is a working exploit for #ProxyNotShell CVE-2022-41040 / CVE-2022-41082
Here we have an Exchange 2019 box that's only up to date with what was available in October, and we have successful execution of calc.exe as SYSTEM.
🎉 https://t.co/PQfen11x7n pic.twitter.com/BlCJSJMcJM

— Will Dormann (@wdormann) November 17, 2022

Hmm, I'm not sure what I did wrong the first time around, but Exchange 2016 seems to work just fine with this PoC as well. It's perhaps just Exchange 2013 that requires a tweak. pic.twitter.com/nYJ0dC9zzL

— Will Dormann (@wdormann) November 18, 2022

Microsoft urges its customers to install the updates immediately to be protected against attacks exploiting these flaws. The IT giant confirmed that it is aware of active exploits of related vulnerabilities that have been used in limited targeted attacks.

“Because we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to be protected against these attacks.” states Microsoft.

“Mitigations are not actual code fixes of specific vulnerabilities. Please install the November 2022 (or later) SU on your Exchange servers to address CVE-2022-41040 and CVE-2022-41082.”

DEV-0569 group uses Google Ads to distribute Royal Ransomware

19 November 2022 at 19:27

Microsoft warns that a threat actor, tracked as DEV-0569, is using Google Ads to distribute the recently discovered Royal ransomware.

Researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware.

The DEV-0569 group carries out malvertising campaigns to spread links to a signed malware downloader posing as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

“The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom.” reads the report published by Microsoft. “When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that is decrypted and launched with PowerShell commands.”

DEV-0569 relies heavily on defense evasion techniques and employed the open-source tool Nsudo to disable antivirus solutions in recent campaigns.

The downloader, tracked as BATLOADER, shares similarities with another malware called ZLoader.

From August to October 2022, DEV-0569 attempted to spread BATLOADER via malicious links in phishing emails, posing as legitimate installers for multiple popular applications, including TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.

The BATLOADER was hosted on domains created by the group to appear as legitimate software download sites (i.e. anydeskos[.]com) and on legitimate repositories like GitHub and OneDrive.

The attackers also used file formats like Virtual Hard Disk (VHD) posing as legitimate software. The VHDs also contain malicious scripts used to download DEV-0569’s payloads.

“DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network,” continues the report. “The management tool can also be an access point for the staging and spread of ransomware.”

In late October 2022, Microsoft observed a malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which allows customizing advertising campaigns by tracking ad traffic and applying user- or device-based filtering. The TDS was used to redirect the user to a legitimate download site or, under certain conditions, to the site hosting BATLOADER.

The DEV-0569 group used Keitaro to deliver the payloads to specified IP ranges and targets and of course to avoid IP ranges known to be associated with sandboxing solutions.

This further positions the group to serve as an initial access broker for other ransomware operations, joining the likes of malware such as Emotet, IcedID, and Qakbot.

“Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists.” concludes the IT giant. “Enabling Safe Links for emails, Microsoft Teams, and Office Apps can also help address this threat.”

Black Friday and Cyber Monday, crooks are already at work

19 November 2022 at 15:56

Every year during Black Friday and Cyber Monday, crooks take advantage of the bad habits of users with fraudulent schemes.

Researchers at Bitdefender Antispam Lab have analyzed the fraudulent activities associated with Black Friday and Cyber Monday over the last few weeks.

The experts noticed that between October 26 and November 6, the rate of unsolicited Black Friday emails peaked on Nov 9, when it reached 26% of all Black Friday-related messages.

The experts pointed out that the majority (56%) of all Black Friday spam (by volume) received in the same period was marked as a scam.

Approximately one in four (27%) of all Black Friday spam emails (by volume) targeted online users in the US, followed by Ireland (24%). Most of the Black Friday-related spam (49%) originated from IP addresses in the US, followed by Germany (16%).

The malicious messages used various subjects in an attempt to trick the recipients into visiting the bogus websites to receive huge discounts.

Below are some of the subject lines observed by Bitdefender:

  • black friday sale louis vuitton bags up to 86 off shop online now
  • black friday ray ban oakley costa sunglasses up to 90 off shop online now
  • cyber monday starts now but only for you
  • 25 nov 2022 is black Friday
  • Claim Your $500 Home Depot Gift Card Now!
  • claim your 100 walmart reward just in time for black Friday
  • profitezvite de nosoffresspéciale (aimed at German shoppers)
  • richiedi un prestito per te 200 di buoni  in regalo (aimed at Italian shoppers)
  • black friday sale 70 rabatt auf sofort (aimed at German shoppers)

The report provides details about some of the Black Friday scams analyzed by the experts, such as Louis Vuitton and Ray Ban sales scams. The scammers were offering impressive discounts that could be obtained by purchasing from fake shops.

Other campaigns observed by the experts invited recipients to claim gift cards from popular retailers like Home Depot.

In this case, the spam messages include links to fake online survey pages that have nothing to do with the retailer’s gift card.

Once the recipients have completed the survey (even if they provide the wrong answers to all questions), they are directed to another page where they can choose the ‘prize.’ Then the recipients have to pay for the shipment by providing personal and financial data.

“We scored an iPhone 13, though. The displayed page uses the recipients’ IP address to display a localized version of the scam – in our case Romania.  We need to pay 15 RON (roughly 3.06 USD) for shipping and enter our name and address.” continues the report. “After entering our shipping details, we were prompted to enter our payment information, including cc number and CVV code.”

Researchers also spotted fake PayPal and Amazon vouchers worth 1,000 euros used in campaigns aimed at German users. In these campaigns, recipients are urged to enter personally identifiable information and confirm their email addresses. The attackers then send malicious links to the email addresses provided by the users.

Below are the recommendations provided by Bitdefender:

  • Always check the sender’s email address and look for typos
  • Never interact with unsolicited giveaway correspondence
  • Shop on legitimate websites you already know
  • Research any new vendor
  • Never access links or attachments you receive from unknown sources – Use a Bitdefender security solution to fend off scam and phishing links
  • Add an extra layer of security and privacy to your device when shopping this Black Friday with Bitdefender Premium Security.  With anti-phishing and advanced threat protection to block nasty internet threats, ransomware protection, VPN for safe shopping, and a dedicated Password Manager, you can steer clear of malicious attacks and protect your data

The experts also published a guide to secure holiday shopping.

Safe shopping everyone!

New improved versions of LodaRAT spotted in the wild

19 November 2022 at 09:22

Cisco Talos spotted multiple updated versions of LodaRAT that were deployed alongside other malware families, including RedLine and Neshta.

Researchers from Cisco Talos have monitored the LodaRAT malware over the course of 2022 and recently discovered multiple updated versions that have been deployed alongside other malware families, including RedLine and Neshta.

The versions include new functionality to spread to attached removable storage, a new string encoding algorithm, and the removal of “dead” functions.

LodaRAT is written in AutoIt; the researchers pointed out that it is easy to obtain its original source code from the compiled binaries by using an AutoIt decompiler.

Samples of LodaRAT discovered in the wild use function obfuscation and string encoding to hinder analysis. However, the experts reported that there are many samples that are not obfuscated; analyzing them can give threat actors access to the original code and let them create their own variants of LodaRAT. Another weakness of the malware is the lack of encryption for C2 communications, which makes it trivial to implement a custom C2 infrastructure.

“This ease of source code retrieval and customization has likely contributed to the proliferation of numerous variants and customized versions of LodaRAT.” reads the report published by Talos. “It is quite common to find altered versions of LodaRAT, and it should be expected that most samples will likely have some sort of alteration to the source code.”

One of the heavily altered versions of LodaRAT analyzed by Talos used a totally rewritten function that detects anti-malware processes. The new function searches for thirty different process names, but this new implementation is far less effective than the previous one because it will not detect a product that is not included in the list of processes to search for.

The list of processes also includes discontinued security software such as ByteHero, and Norman Virus Control.

Many new malware versions also removed some functionalities to avoid detection.

“Many of the LodaRAT samples we analyzed have removed functionality in some way, which may be the author’s attempt to reduce detection rates. The most common removal appears to be the PowerShell keylogger typically found in earlier versions.” continues the report.

During their research, Talos experts observed the LodaRAT being delivered through a previously unknown variant of the commodity trojan Venom RAT.

The bundling of LodaRAT alongside Neshta and RedLine Stealer has also been something of a puzzle, although it is suspected that “LodaRAT is preferred by the attacker for performing a particular function.”

“Over the course of LodaRAT’s lifetime, the implant has gone through numerous changes and continues to evolve. While some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size, some changes make Loda a more capable malware. As it grows in popularity, it is reasonable to expect additional alterations in future.” concludes the report. “The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities.”

Atlassian fixed 2 critical flaws in Crowd and Bitbucket products

18 November 2022 at 21:35

Atlassian addressed this week two critical vulnerabilities impacting its Crowd and Bitbucket products.

Atlassian announced the release of security updates to address critical-severity vulnerabilities in its identity management platform, Crowd Server and Data Center, and in the Bitbucket Server and Data Center, a self-managed solution that provides source code collaboration for professional teams.

The vulnerability in the Bitbucket source code repository hosting service, tracked as CVE-2022-43781, is a critical command injection vulnerability.

The vulnerability received a CVSS score of 9/10 and affects Bitbucket Server and Data Center version 7, and version 8 if mesh.enabled is set to false in bitbucket.properties.

“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system.” reads the advisory published by the vendor.

The second critical vulnerability addressed by Atlassian, tracked as CVE-2022-43782 (CVSS score of 9/10), is a security misconfiguration issue.

An attacker connecting from an IP address in the allow list can trigger the vulnerability to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints.

“The vulnerability allows an attacker connecting from IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path.” reads the advisory.

The flaw was introduced in Crowd 3.0.0. It affects all versions released after 3.0.0, but only if both of the following conditions are met:

  • the vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.
    • A new installation is defined by an instance of Crowd that is the same version that you originally downloaded from the downloads page and has not been upgraded since
  • an IP address has been added to the Remote Address configuration of the crowd application (which is none by default in versions after 3.0.0)

Summarizing, all new installations running any of the following versions are impacted:

  • Crowd 3.0.0 – Crowd 3.7.2
  • Crowd 4.0.0 – Crowd 4.4.3
  • Crowd 5.0.0 – Crowd 5.0.2

Atlassian will not patch the vulnerability in version 3.0.0 of the product because that release has reached end of life.
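The affected-version list and the two preconditions above translate directly into a triage check an administrator can run against their own inventory. The following Python is an added example written for this article, not a tool from Atlassian or from the advisory; the version ranges are the ones listed above, and the "fresh install" and "Remote Address configured" inputs are assumed to have been determined by hand from the instance (the advisory's own compromise-check steps are not reproduced here because the article does not include them).

```python
"""Triage helper for CVE-2022-43782 (Atlassian Crowd) exposure.

Encodes the conditions summarised in the article above:
  1. the running version falls inside an affected range,
  2. the instance is a fresh install of that version (never upgraded),
  3. at least one IP is in the crowd application's Remote Address list.
The version ranges come from the advisory summary; everything else is
an assumption of this example.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges as listed in the advisory summary above.
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 7, 2)),
    ((4, 0, 0), (4, 4, 3)),
    ((5, 0, 0), (5, 0, 2)),
)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple.

    Missing components default to 0 and a trailing '-suffix' (build tag)
    is ignored; anything else is rejected rather than guessed at.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Crowd version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_affected_range(version: Version) -> bool:
    """True if the version is inside any inclusive affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def triage(version_text: str, fresh_install: bool,
           remote_addresses_configured: bool) -> Dict[str, object]:
    """Combine the three advisory conditions into a verdict and an action.

    fresh_install: the instance is the version originally downloaded and
      has never been upgraded (the advisory's definition of 'new install').
    remote_addresses_configured: the crowd application has at least one
      entry in its Remote Address configuration (empty by default).
    """
    version = parse_version(version_text)
    listed = in_affected_range(version)
    exploitable = listed and fresh_install and remote_addresses_configured

    if not listed:
        action = "version not in the advisory's affected list"
    elif version == (3, 0, 0):
        # 3.0.0 is end of life and receives no fix; the only remedy is to move off it.
        action = "3.0.0 is end of life and will not be patched: upgrade to a supported fixed release"
    elif exploitable:
        action = ("upgrade now; if that is not immediately possible, apply the "
                  "advisory's interim mitigation and review the instance for compromise")
    else:
        # In range but one precondition is missing today; that can change,
        # e.g. the moment an IP is added to the Remote Address list.
        action = "not currently exploitable, but schedule the upgrade before conditions change"

    return {
        "version": version,
        "listed": listed,
        "exploitable": exploitable,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample inventory: (version, fresh install?, remote addresses set?)
    for entry in [("3.7.2", True, True), ("4.2.0", False, True),
                  ("5.0.2", True, False), ("2.9.1", True, True)]:
        print(entry, "->", triage(*entry)["action"])
```

The point of separating `listed` from `exploitable` is that an instance in an affected range with no Remote Address entries is one configuration change away from being exploitable, so the upgrade should still be scheduled rather than dismissed.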

The advisory provides instructions to check if an instance was compromised along with mitigation that can be applied if it is not possible to immediately upgrade Crowd.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bitbucket Server)

The post Atlassian fixed 2 critical flaws in Crowd and Bitbucket products appeared first on Security Affairs.

Hive Ransomware extorted over $100M in ransom payments from over 1,300 companies

18 November 2022 at 11:30

Hive ransomware operators have extorted over $100 million in ransom payments from over 1,300 companies worldwide as of November 2022.

The threat actors behind the Hive ransomware-as-a-service (RaaS) have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities.

“As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments” reads the alert published by CISA.


The authorities reported that from June 2021 through at least November 2022, threat actors employed the Hive ransomware in attacks aimed at a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).

The Hive ransomware operation has been active since June 2021. It is run as a Ransomware-as-a-Service and adopts a double-extortion model, threatening to publish data stolen from the victims on its leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, Hive was one of the top 10 ransomware strains by revenue in 2021. The group has used various attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

In June, the Microsoft Threat Intelligence Center (MSTIC) researchers discovered a new variant while analyzing a new technique used by the ransomware for dropping .key files.

The main difference between the new variant of the Hive malware and the earlier ones is the programming language used by the operators: the old variants were written in Go, while the new Hive variant is written in Rust.

The alert points out that the initial intrusion technique depends on which affiliate targets the network. The threat actors were observed gaining initial access to victim networks by using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In some attacks the group was able to bypass multifactor authentication (MFA) and gain access to FortiOS servers by exploiting the CVE-2020-12812 vulnerability.

The threat actors also gained initial access to victim networks via phishing attacks delivering weaponized documents and by exploiting the following flaws in Microsoft Exchange servers:

  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability

Government experts also warn that Hive operators have been known to reinfect the victim’s networks with either Hive ransomware or another ransomware variant.

The alert includes Indicators of Compromise (IoCs), MITRE ATT&CK techniques, and mitigations.


Pierluigi Paganini

(SecurityAffairs – hacking, Hive)
