RSS Security

Yesterday — 19 September 2021 (Security Affairs)

Numando, a new banking Trojan that abuses YouTube for remote configuration

19 September 2021 at 16:25

Numando, a new banking Trojan that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

ESET researchers spotted a new LATAM banking trojan, tracked as Numando, that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

The threat actor behind this banking Trojan has been active since at least 2018. It focuses almost exclusively on Brazil, although experts have spotted rare attacks against users in Mexico and Spain.

Like other Latin American banking trojans, it is written in Delphi and utilizes fake overlay windows to trick victims into providing sensitive information.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.”

Unlike the other Latin American banking trojans ESET has analyzed, Numando does not appear to be under active development.

Numando is distributed almost exclusively through malspam campaigns. Recent attacks used messages carrying a ZIP attachment that contains an MSI installer; the installer in turn holds a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Running the MSI eventually executes the legitimate application as well as the injector, which loads and decrypts the payload.


Once installed, Numando creates a fake overlay window whenever the victim visits the website of a targeted financial organization and captures the credentials the victim enters into it.

Experts also uncovered another distribution chain employed in recent attacks that starts with a Delphi downloader downloading a decoy ZIP archive. The downloader ignores the content of the ZIP archive and extracts a hex-encoded encrypted string from the ZIP file comment at the end of the file. Decrypting the string results in a different URL that leads to the actual payload archive.

“The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it.” continues the report.

“This BMP file is a valid image and can be opened in a majority of image viewers and editors without issue, as the overlay is simply ignored.”
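Both stages of this second chain hide data where an unzip tool or an image viewer never looks: the archive comment that follows the ZIP End Of Central Directory record, and the bytes that sit beyond the file size declared in a BMP header. The Python below is an added example for triaging such carriers; it is not ESET's code nor any part of Numando. It builds its own fixtures (a harmless ZIP with a hex-encoded comment and a 1x1 BMP with a blob appended, both constructed here) and only undoes the hex layer of the comment, because the encryption Numando applies on top is sample-specific and not published on this page.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
EOCD_FIXED_LEN = 22        # fixed part of the EOCD; the archive comment follows it
MAX_COMMENT = 0xFFFF       # the comment length field is a uint16


def zip_comment(data: bytes) -> bytes:
    """Return the archive-level comment stored after the EOCD record.

    The EOCD is the last structure in a ZIP file, so the comment is the tail
    of the file; its length is the little-endian uint16 at EOCD offset 20.
    The search is bounded to the last 64 KiB + 22 bytes, the maximum tail.
    """
    search_from = max(0, len(data) - EOCD_FIXED_LEN - MAX_COMMENT)
    idx = data.rfind(EOCD_SIG, search_from)
    if idx == -1:
        raise ValueError("no EOCD record found; not a ZIP archive")
    (comment_len,) = struct.unpack_from("<H", data, idx + 20)
    comment = data[idx + EOCD_FIXED_LEN: idx + EOCD_FIXED_LEN + comment_len]
    if len(comment) != comment_len:
        raise ValueError("EOCD claims a longer comment than the file holds")
    return comment


def hex_decode_comment(comment: bytes) -> bytes:
    """Undo the hex layer only. The decryption that Numando applies next is
    sample-specific and is deliberately not reproduced here."""
    return bytes.fromhex(comment.decode("ascii").strip())


def bmp_overlay(data: bytes) -> bytes:
    """Return whatever follows the image as sized by the BITMAPFILEHEADER.

    bfSize (uint32 at offset 2) is all an image viewer reads; anything past
    it is an overlay the viewer silently ignores.
    """
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    (declared_size,) = struct.unpack_from("<I", data, 2)
    if declared_size > len(data):
        raise ValueError("bfSize exceeds the file length; truncated or malformed BMP")
    return data[declared_size:]


# --- constructed fixtures (not real Numando artifacts) -----------------------

def build_decoy_zip(comment: bytes) -> bytes:
    """A harmless ZIP whose only interesting part is its archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.comment = comment          # written into the EOCD on close
    return buf.getvalue()


def build_bmp_with_overlay(overlay: bytes) -> bytes:
    """A valid 1x1 24-bit BMP with `overlay` appended after the pixel data."""
    row = b"\x00\x00\x00\x00"         # one BGR pixel padded to a 4-byte row
    pixel_offset = 14 + 40            # BITMAPFILEHEADER + BITMAPINFOHEADER
    bf_size = pixel_offset + len(row)
    file_header = struct.pack("<2sIHHI", b"BM", bf_size, 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII",
                              40, 1, 1, 1, 24, 0, len(row), 2835, 2835, 0, 0)
    return file_header + info_header + row + overlay


if __name__ == "__main__":
    # hex of the constructed string "http://next-stage.example"
    decoy = build_decoy_zip(b"687474703a2f2f6e6578742d73746167652e6578616d706c65")
    print(hex_decode_comment(zip_comment(decoy)))
    carrier = build_bmp_with_overlay(b"MZ pretend this is the encrypted DLL")
    print(bmp_overlay(carrier))
```

For a real sample, feed the file bytes to `zip_comment` or `bmp_overlay`; a non-empty BMP overlay or a long hex-only ZIP comment on a "decoy" download is the signal worth a detection rule on its own.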

Numando abuses public services such as Pastebin and YouTube to host its remote configuration, a technique also used by other Latin American banking trojans such as Casbaneiro.

ESET reported the YouTube videos used for this purpose to Google, which promptly removed them.

The report published by ESET includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, banking trojan)

The post Numando, a new banking Trojan that abuses YouTube for remote configuration appeared first on Security Affairs.

Why Edward Snowden is urging users to stop using ExpressVPN?

19 September 2021 at 11:57

The whistleblower Edward Snowden has advised customers of the ExpressVPN service to stop using it.

Last week the Israeli cybersecurity firm Kape Technologies acquired ExpressVPN, one of the industry’s leading virtual private network providers, in a $936 million deal. Kape announced that the acquisition will more than double its customer base, from almost 3 million customers to more than 6 million.

Edward Snowden expressed concerns about the VPN service offered by ExpressVPN and has warned users to stop using it.

If you're an ExpressVPN customer, you shouldn't be.

— Edward Snowden (@Snowden) September 16, 2021

Why is Snowden worried about ExpressVPN?

Last week, three former NSA employees (Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40) entered into a deferred prosecution agreement that restricts their future activities and employment.

The trio worked as hackers-for-hire for DarkMatter, a cybersecurity company in the United Arab Emirates, between January 2016 and November 2019.

The US Department of Justice requires the payment of $1,685,000 in penalties ($750,000, $600,000, and $335,000 respectively) to resolve its investigation into violations of US export control, computer fraud and access device fraud laws. While at the UAE company, the three developed at least two iOS zero-click exploits, dubbed Karma and Karma 2.

The DOJ also ordered the former intelligence employees to cooperate with the relevant department and FBI components; they are also subject to a lifetime ban on future US security clearances.

Snowden’s concern likely stems from the fact that one of the three, Daniel Gericke, is ExpressVPN’s CIO.

In 2019, Reuters published a report detailing the activity of “a secret hacking team of American mercenaries” that joined Project Raven, a clandestine team of experts that helped the United Arab Emirates run a surveillance program and conduct hit-and-run hacking operations.

ExpressVPN published an official response that confirmed the facts laid out by the DoJ but pointed out that Gericke’s involvement in Project Raven predates his joining the company in 2019.

“We find it deeply regrettable that the news of the past few days regarding Daniel Gericke has created concerns among our users and given some cause to question our commitment to our core values. To be completely clear, as much as we value Daniel’s expertise and how it has helped us to protect customers, we do not condone Project Raven. The surveillance it represents is completely antithetical to our mission.” reads the response. “When we hired Daniel in December 2019, we knew his background: 20 years in cybersecurity, first with the U.S. military and various government contractors, then with a U.S. company providing counter-terrorism intelligence services to the U.S. and its ally, the U.A.E., and finally with a U.A.E. company doing the same work. We did not know the details of any classified activities, nor of any investigation prior to its resolution this month. But we did know what we had built here at ExpressVPN: a company where every system and process is hardened and designed to minimize risks of all kinds, both external and internal.”

ExpressVPN added that it has implemented multiple security measures to deliver a service that protects the privacy of its users.

“While we are confident that our commitment to this mission is unwavering, we understand that actions speak louder than words. To begin with, we’ll be increasing the cadence of our existing third-party audits to annually recertify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs. This is just a first step, and we will continue to strive to earn your trust,” ExpressVPN blog post on the issue read. 


Pierluigi Paganini

(SecurityAffairs – hacking, Snowden)


Security Affairs newsletter Round 332

19 September 2021 at 08:14

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

The Biden administration plans to target exchanges supporting ransomware operations with sanctions
Threat actor has been targeting the aviation industry since at least 2018
Expert discloses details and PoC code for Netgear Seventh Inferno bug
CVE-2021-26333 AMD Chipset Driver flaw allows obtaining sensitive data
Experts warn that Mirai Botnet starts exploiting OMIGOD flaw
German Election body hit by a cyber attack
New Go malware Capoae uses multiple flaws to target WordPress installs, Linux systems
A new Win malware uses Windows Subsystem for Linux (WSL) to evade detection
FBI, CISA, and CGCYBER warn of nation-state actors exploiting CVE-2021-40539 Zoho bug
Microsoft warns of attacks exploiting recently patched Windows MSHTML CVE-2021-40444 bug
Bitdefender released free REvil ransomware decryptor that works for past victims
Anonymous hacked the controversial, far-right web host Epik
OMIGOD vulnerabilities expose thousands of Azure users to hack
Microsoft announces passwordless authentication for consumer accounts
Three former NSA employees fined for providing hacker-for-hire services to UAE firm
US CISA appointed Kiersten Todt as new chief of staff
Microsoft Patch Tuesday fixes CVE-2021-40444 MSHTML zero-day
Mēris Bot infects MikroTik routers compromised in 2018
Millions of HP OMEN gaming PCs impacted by CVE-2021-3437 driver flaw
Google addresses a new Chrome zero-day flaw actively exploited in the wild
Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks
Popular NPM package Pac-Resolver affected by a critical flaw
Apple fixes actively exploited FORCEDENTRY zero-day flaws
Facebook announces WhatsApp end-to-end encrypted (E2EE) backups
New Spook.Js attack allows to bypass Google Chrome Site Isolation protections
BlackMatter ransomware gang hit Technology giant Olympus
The new maxtrilha trojan is being disseminated and targeting several banks
Department of Justice and Constitutional Development of South Africa hit by a ransomware attack
Google implements new Private Compute Services for Android
Revil ransomware operators are targeting new victims

If you also want to receive the international press review for free, subscribe here.


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


Before yesterday (Security Affairs)

The Biden administration plans to target exchanges supporting ransomware operations with sanctions

18 September 2021 at 17:46

US Government is expected to issue sanctions against crypto exchanges, wallets, and traders used by ransomware operations to cash out ransom payments.

The Biden administration is putting in place all the strategies to disrupt the operations of the ransomware gangs, and according to the Wall Street Journal, it is now planning to target the digital finance infrastructure used by these criminal organizations.

The Biden administration is expected to apply sanctions against crypto exchanges, wallets, and traders used by the gangs to cash out ransom payments.

“The Biden administration is preparing an array of actions, including sanctions, to make it harder for hackers to use digital currency to profit from ransomware attacks, according to people familiar with the matter.” states the WSJ. “The government hopes to choke off access to a form of payment that has supported a booming criminal industry and a rising national security threat.”

Over the past years, the number of ransomware attacks has exponentially increased, causing huge losses to the victims and disrupting their activities.

These operations have also hit US critical infrastructure; the attack on Colonial Pipeline showed the damage that this kind of crime can inflict on US citizens.

The US authorities want to target the economy behind ransomware operations by disrupting the process the gangs use to convert ransom payments into fiat currency.

When a victim pays, the cryptocurrency is transferred to wallets controlled by the ransomware gang, which then attempts to launder the money through so-called mixer services. The final step is converting the crypto funds into fiat currency through exchanges.

The authorities want to put pressure on the exchanges, which are critical components of ransomware operations, and threaten them with sanctions for supporting this criminal practice.

“An action of this kind would be an aggressive, proactive approach to going after those who facilitate ransomware payments,” Ari Redbord, a former senior Treasury security official, told the Wall Street Journal.


Pierluigi Paganini

(SecurityAffairs – hacking, sanctions)


Threat actor has been targeting the aviation industry since at least 2018

18 September 2021 at 16:48

Security researchers from the Cisco Talos team uncovered a spear-phishing campaign targeting the aviation industry for two years avoiding detection.

Security researchers from Cisco Talos uncovered a spear-phishing campaign, dubbed Operation Layover, that targeted the aviation industry for two years without being detected.

The experts assess with a high degree of confidence that the threat actor behind this campaign is based in Nigeria and is not technically sophisticated. The group is suspected of having run successful malware campaigns for more than five years. The attackers have used off-the-shelf malware since the start of their operations and have never developed their own.

Talos researchers believe that the group was able to remain under the radar using crypters that it bought on cybercrime forums.

The investigation into the group’s activity started after a tweet from Microsoft describing a series of attacks that employed AsyncRAT.

Microsoft 365 Defender detects the multiple components of this attack. Our researchers are closely monitoring the campaign and will share additional info and investigation guidance through Microsoft 365 security center and Microsoft Threat Experts.

— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021

The spear-phishing messages use bait documents specifically crafted to target the aviation or cargo industry that purport to be PDF files but link to a VBScript file hosted on Google Drive, which ultimately leads to the delivery of remote access trojans (RATs) like AsyncRAT and njRAT.

“The actor behind these campaigns has been operating malware for more than five years and specifically targeting the aviation industry for at least two years. For this campaign, the actor used emails similar to the one below as the initial attack vector.” reads the analysis published by Cisco Talos. “These emails would appear to contain an attached PDF file that was a link to a .vbs file hosted on Google Drive. Our research shows that this actor has been targeting the aviation industry since at least 2018, with files mentioning both ‘Trip Itinerary Details’ and ‘Bombardier’ at the time using the URL akconsult[.]linkpc[.]net.”
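The lure Talos describes is a link that poses as a PDF attachment but resolves to a .vbs file on Google Drive, with the actor's infrastructure living on free dynamic-DNS names such as akconsult[.]linkpc[.]net. As an added example, not Talos's own tooling, the Python below pulls the anchors out of a constructed message body and flags the three tells a mail gateway can check: visible text that claims a PDF while the target is not one, a script or executable extension, and a file-sharing or free dynamic-DNS host. The sample message, the sharing-host set and every dynamic-DNS suffix other than linkpc.net are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Extensions that should never sit behind a link dressed up as a document.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
               ".ps1", ".exe", ".scr", ".bat", ".cmd")
# Google Drive is the host Talos names; the set is an assumption meant to be extended.
SHARING_HOSTS = {"drive.google.com", "docs.google.com"}
# linkpc.net comes from the report; the other suffixes are an assumed list.
FREE_DNS_SUFFIXES = ("linkpc.net", "duckdns.org", "no-ip.org", "ddns.net", "hopto.org")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def _is_free_dns(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in FREE_DNS_SUFFIXES)


def assess_link(href: str, text: str) -> list:
    """Return the reasons a link looks like a document lure; an empty list means clean."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    path = url.path.lower()
    shown = text.lower()
    reasons = []
    if shown.endswith(".pdf") and not path.endswith(".pdf"):
        reasons.append("visible text claims a PDF but the target path is not a .pdf")
    if path.endswith(SCRIPT_EXTS):
        reasons.append("target is a script or executable: " + path.rsplit(".", 1)[-1])
    if host in SHARING_HOSTS:
        direct = parse_qs(url.query).get("export") == ["download"]
        if direct or shown.endswith(".pdf"):
            reasons.append("document lure fetched from a file-sharing host")
    if _is_free_dns(host):
        reasons.append("free dynamic-DNS hostname, typical of throwaway C2")
    return reasons


def triage_email(html: str) -> list:
    """Links from the body that tripped at least one rule, as (href, text, reasons)."""
    findings = []
    for href, text in extract_links(html):
        reasons = assess_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body modelled on the lure Talos describes; not a real message.
SAMPLE_EMAIL = """<html><body>
<p>Dear team, please review the attached itinerary before departure.</p>
<p><a href="https://drive.google.com/uc?export=download&amp;id=EXAMPLEID">Trip Itinerary Details.pdf</a></p>
<p><a href="https://www.example.com/newsletter/september.pdf">September newsletter.pdf</a></p>
<p><a href="http://akconsult.linkpc.net/update.vbs">update</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in triage_email(SAMPLE_EMAIL):
        print(href, "|", text)
        for reason in reasons:
            print("   -", reason)
```

The text-versus-target mismatch is the rule that matters most here: a Drive `uc?export=download` URL carries no extension at all, so an extension blocklist alone would pass the very link this campaign relied on.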


Evidence collected by the experts suggests that the threat actor has been active since at least 2013.

Further analysis of the operations associated with this actor revealed the use of different domains and RATs in their campaigns, including CyberGate RAT, AsyncRAT, and a batch file used to download and execute other malware.

“Many actors can have limited technical knowledge but still be able to operate RATs or information-stealers, posing a significant risk to large corporations given the right conditions. In this case, we have shown that what seemed like a simple campaign is, in fact, a continuous operation that has been active for three years, targeting an entire industry with off-the-shelf malware disguised with different crypters.” conclude the experts. “These kinds of small operations tend to fly under the radar and even after exposure the actors behind them won’t stop their activity. They abandon the C2 hostnames (which in this case are free DNS-based) and they may change the crypter and initial vector, but they won’t stop their activity. The black market for web cookies, tokens and valid credentials is way too valuable when compared with the economy in their home countries for them to stop.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Expert discloses details and PoC code for Netgear Seventh Inferno bug

18 September 2021 at 12:21

A new critical vulnerability in Netgear smart switches can be exploited by an attacker to potentially execute malicious code and take over impacted devices.

Google security engineer Gynvael Coldwind published technical details about a recently patched critical vulnerability, dubbed Seventh Inferno, in Netgear smart switches; an attacker could exploit it to execute arbitrary code and take control of affected devices.

Seventh Inferno received a CVSS score of 9.8. It was reported together with two other bugs, Demon’s Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8), all three discovered by Coldwind and addressed by Netgear early this month.

The flaws, tracked by the vendor as PSV-2021-0140, PSV-2021-0144, and PSV-2021-0145, impact the following models:

  • GC108P
  • GC108PP
  • GS108Tv3
  • GS110TPP
  • GS110TPv3
  • GS110TUP
  • GS308T
  • GS310TP
  • GS710TUP
  • GS716TP
  • GS716TPP
  • GS724TPP
  • GS724TPv2
  • GS728TPPv2
  • GS728TPv2
  • GS750E
  • GS752TPP
  • GS752TPv2
  • MS510TXM
  • MS510TXUP

Netgear released firmware updates fixing the three flaws on September 3.

“NETGEAR just patched 3 reported vulnerabilities (Demon’s Cries, Draconian Fear and Seventh Inferno) in some managed (smart) switches. If you or your company owns any of these devices, please patch now.” Coldwind explained.

“P.S. This vulnerability [Seventh Inferno] and exploit chain is actually quite interesting technically. In short, it goes from a newline injection in the password field, through being able to write a file with constant uncontrolled content of 2 (like, one byte 32h), through a DoS and session crafting (which yields an admin web UI user), to an eventual post-auth shell injection (which yields full root).”

The expert also released the PoC for this vulnerability, the code first reboots the switch, then fakes a new session and exploits the post-auth RCE.
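The first link in the chain Coldwind outlines, a newline injection through the password field, is a general bug class: a line-oriented store that writes submitted fields verbatim lets an attacker-supplied line break manufacture a record of their choosing. The Python below is an added illustration of that class with a vulnerable writer beside a hardened one; it is not the switch firmware, not Coldwind's PoC, and the `user:secret` record format, the field names and the separator are assumptions made for the example.

```python
import re

# Any ASCII control character (CR and LF included) or DEL; none belongs in a credential field.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_SEP = ":"


def parse_records(text: str) -> list:
    """Reader side of a line-oriented 'user:secret' store: one record per line,
    first separator splits the fields. This framing is what the writer must protect."""
    records = []
    for line in text.split("\n"):
        if not line:
            continue
        user, _, secret = line.partition(_SEP)
        records.append((user, secret))
    return records


def append_record_vulnerable(store: str, username: str, password: str) -> str:
    """Trusts the fields as submitted: a '\\n' inside `password` becomes a second record
    with attacker-chosen user and secret once the reader parses the store."""
    return store + f"{username}{_SEP}{password}\n"


def append_record_hardened(store: str, username: str, password: str) -> str:
    """Rejects anything that could break line or field framing before it is written."""
    for name, value in (("username", username), ("password", password)):
        if _CONTROL.search(value):
            raise ValueError(f"{name} contains a control character")
    # The reader splits on the first separator, so a separator in the secret is harmless,
    # but one in the username would shift the fields.
    if _SEP in username:
        raise ValueError("username must not contain the field separator")
    return store + f"{username}{_SEP}{password}\n"


if __name__ == "__main__":
    crafted = "x\nadmin:attacker-chosen"          # the "password" an attacker submits
    print(parse_records(append_record_vulnerable("", "guest", crafted)))
    try:
        append_record_hardened("", "guest", crafted)
    except ValueError as err:
        print("rejected:", err)
```

Validating at the write boundary is the cheap fix; the robust one is a storage format that has no in-band framing to inject into (length-prefixed fields or a database row), which also removes the need to forbid characters in secrets.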

NETGEAR urges customers using the following products to download the latest firmware:

  • GC108P fixed in firmware version
  • GC108PP fixed in firmware version
  • GS108Tv3 fixed in firmware version
  • GS110TPP fixed in firmware version
  • GS110TPv3 fixed in firmware version
  • GS110TUP fixed in firmware version
  • GS308T fixed in firmware version
  • GS310TP fixed in firmware version
  • GS710TUP fixed in firmware version
  • GS716TP fixed in firmware version
  • GS716TPP fixed in firmware version
  • GS724TPP fixed in firmware version
  • GS724TPv2 fixed in firmware version
  • GS728TPPv2 fixed in firmware version
  • GS728TPv2 fixed in firmware version
  • GS750E fixed in firmware version
  • GS752TPP fixed in firmware version
  • GS752TPv2 fixed in firmware version
  • MS510TXM fixed in firmware version
  • MS510TXUP fixed in firmware version


Pierluigi Paganini

(SecurityAffairs – hacking, Netgear)
