OnionPoison: researchers reported that an infected Tor Browser installer has been distributed through a popular YouTube channel.
Kaspersky researchers discovered that a trojanized version of a Windows installer for the Tor Browser has been distributed through a popular Chinese-language YouTube channel.
The campaign, named OnionPoison, targeted users located in China, where the Tor Browser website is blocked. Users in China often attempt to download the Tor browser from third-party websites.
In the OnionPoison campaign, threat actors shared a link to a malicious Tor installer posting it on a popular Chinese-language YouTube channel providing info on the anonymity on the internet.
The channel has more than 180,000 subscribers and according to Kaspersky the video with the malicious link had more than 64,000 views at the time of the discovery. The video was posted on January 2022, and according to Kaspersky’s telemetry, the first victims were compromised in March 2022.
The malicious version of the installer installs a malicious Tor Browser that is configured to expose user data, including the browsing history and data entered into website forms. The experts also discovered that the libraries bundled with the malicious Tor Browser is infected with spyware.
“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.” reads Kaspersky’s analysis. “We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.”
The description of the video includes two links, one to the official Tor Browser website, while the other points to the malicious Tor Browser installer hosted on a Chinese cloud sharing service.
The malicious installer has a file size of 74.1 MB. Upon executing the installer a malicious Tor Browser is installed, it has the same UI of the original Tor Browser. The malicious installer is not digitally signed and the malicious installer also drops some files that are different from the ones bundled with the original installer
“The file freebl3.dll is present in the original Tor Browser installer; however, its contents are entirely different from the DLL in the malicious installer” continues the report.
The experts noticed that the second-stage payload containing the spyware is only served to users from China.
The spyware is able to gather system information and support data exfiltration capabilities. It is able to retrieve the list of installed software and running processes, Google Chrome and Edge histories, victims’ WeChat and QQ account IDs, the SSIDs and MAC addresses of Wi-Fi networks to which the victims are connected, and also allows operators to run arbitrary shell commands on the victim machine.
Experts believe the OnionPoison campaign is not financially motivated because threat actors did not collect credentials or wallets.
“In this campaign, the attackers use anonymization software to lure targets. Placing a link on a popular YouTube channel makes the malicious Tor Browser installer appear more legitimate to potential targets.” concludes the report. “Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks.”
(SecurityAffairs – hacking, Tor Browser)
The post OnionPoison: malicious Tor Browser installer served through a popular Chinese YouTube channel appeared first on Security Affairs.
Bad news for the Australian telecommunications industry, the largest company in the country Telstra suffered a data breach.
Australia’s largest telecommunications company Telstra disclosed a data breach through a third-party supplier.
The company pointed out that its systems have not been breached, the security breach impacted a third-party supplier that previously provided a now-obsolete Telstra employee rewards program.
The data breach impacted a third-party platform called Work Life NAB, which si no longer live, that was supplied by Pegasus Group Australia (a subsidiary of MyRewards International Ltd.) to several other organisations.
It was run by Pegasus Group Australia, which is a subsidiary of MyRewards International Ltd.
Narelle Devine, the company’s chief information security officer for the Asia Pacific region, added that no customer account information was stored on the third-party platform. It seems that the security breach also impacted other companies.
Data leaked online was from 2017, it includes the names (first and last) and email addresses used to sign up for the employee rewards program.
“Information obtained as a result of a data breach at a third-party supplier, was posted on the internet. The supplier previously provided a now-obsolete Telstra employee rewards program.” reads the statement published by the company. “Critically, there was no breach of any Telstra systems, and no customer account information was stored on the third-party platform.”
According to the post published by Reuters, who had access to internal staff email sent by Telstra, the number of impacted current and former employees is 30,000.
The company is still investigating the incident and is supporting the third party to determine how the security breach happened and its extent.
Recently the second largest company in Australia, Optus confirmed that nearly 2.1 million of its current and former customers were impacted by a security breach they have suffered,
(SecurityAffairs – hacking, Telstra Telecom)
The post Telstra Telecom discloses data breach impacting former and current employees appeared first on Security Affairs.
Hundreds of Microsoft SQL servers all over the world have been infected with a new piece of malware tracked as Maggie.
Security researchers Johann Aydinbas and Axel Wauer from the DCSO CyTec have spotted a new piece of malware, named Maggie, that has already infected over 250 Microsoft SQL servers worldwide.
Most of the infected instances are in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.
The malware comes in the form of an “Extended Stored Procedure,” which are stored procedures that call functions from DLL files. Upon loading into a server, an attacker, can control it using SQL queries and offers a variety of functionality to run commands, and interact with files.
The backdoor is also able to bruteforce logins to other MSSQL servers to add a special hardcoded backdoor.
“In addition, the backdoor has capabilities to bruteforce logins to other MSSQL servers while adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins. Based on this finding, we identified over 250 servers affected worldwide, with a clear focus on the Asia-Pacific region.” reads the analysis published by the researchers. “Once loaded into a server by an attacker, it is controlled solely using SQL queries and offers a variety of functionality to run commands, interact with files and function as a network bridge head into the environment of the infected server.”
While investigating new threats, the experts discovered a suspicious file, the DLL file was signed by DEEPSoft Co., Ltd. on 2022–04–12. The export directory revealed the name of the library, sqlmaggieAntiVirus_64.dll, which offers a single export called maggie.
Inspecting the DLL file the experts discovered it is an Extended Stored Procedure, which allows SQL queries to run shell commands.
The Maggie malware supports over 51 commands to gather system information and run programs, it is also able to support network-related functionalities like enabling TermService, running a Socks5 proxy server or setting up port forwarding to make Maggie act as a bridge head into the server’s network environment.
Maggie also supports commands that are passed by the attackers along with arguments appended to them.
Maggie implements simple TCP redirection that allows it to operate as a network bridge head from the Internet to any IP address reachable by the compromised MSSQL server.
“When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask. The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie.” continues the analysis.
The experts noticed that the list of supported commands includes Exploit AddUser, Exploit Run, Exploit Clone, and Exploit TS. The researchers noticed that the DLL used to implement the above commands are not present in the actual implementation of the commands.
The researchers assume the caller manually uploads the exploit DLL prior to issuing any exploit. commands.
“Maggie would then load the user-specified DLL, look for an export named either StartPrinter or ProcessCommand (depending on the exact command used) and pass the user-supplied argument.” continues the analysis.
The researchers shared indicators of compromise (IoCs) for this threat and announced they will continue to investigate it to determine how the affected servers are being utilized.
(SecurityAffairs – hacking, Microsoft SQL Server)
The post New Maggie malware already infected over 250 Microsoft SQL servers appeared first on Security Affairs.
A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.
Some of the fake profiles flagged by the co-administrator of a popular sustainability group on LinkedIn.
Last week, KrebsOnSecurity examined a flood of inauthentic LinkedIn profiles all claiming Chief Information Security Officer (CISO) roles at various Fortune 500 companies, including Biogen, Chevron, ExxonMobil, and Hewlett Packard.
Since then, the response from LinkedIn users and readers has made clear that these phony profiles are showing up en masse for virtually all executive roles — but particularly for jobs and industries that are adjacent to recent global events and news trends.
Hamish Taylor runs the Sustainability Professionals group on LinkedIn, which has more than 300,000 members. Together with the group’s co-owner, Taylor said they’ve blocked more than 12,700 suspected fake profiles so far this year, including dozens of recent accounts that Taylor describes as “cynical attempts to exploit Humanitarian Relief and Crisis Relief experts.”
“We receive over 500 fake profile requests to join on a weekly basis,” Taylor said. “It’s hit like hell since about January of this year. Prior to that we did not get the swarms of fakes that we now experience.”
The opening slide for a plea by Taylor’s group to LinkedIn.
Taylor recently posted an entry on LinkedIn titled, “The Fake ID Crisis on LinkedIn,” which lampooned the “60 Least Wanted ‘Crisis Relief Experts’ — fake profiles that claimed to be experts in disaster recovery efforts in the wake of recent hurricanes. The images above and below show just one such swarm of profiles the group flagged as inauthentic. Virtually all of these profiles were removed from LinkedIn after KrebsOnSecurity tweeted about them last week.
Another “swarm” of LinkedIn bot accounts flagged by Taylor’s group.
Mark Miller is the owner of the DevOps group on LinkedIn, and says he deals with fake profiles on a daily basis — often hundreds per day. What Taylor called “swarms” of fake accounts Miller described instead as “waves” of incoming requests from phony accounts.
“When a bot tries to infiltrate the group, it does so in waves,” Miller said. “We’ll see 20-30 requests come in with the same type of information in the profiles.”
After screenshotting the waves of suspected fake profile requests, Miller started sending the images to LinkedIn’s abuse teams, which told him they would review his request but that he may never be notified of any action taken.
Some of the bot profiles identified by Mark Miller that were seeking access to his DevOps LinkedIn group. Miller said these profiles are all listed in the order they appeared.
Miller said that after months of complaining and sharing fake profile information with LinkedIn, the social media network appeared to do something which caused the volume of group membership requests from phony accounts to drop precipitously.
“I wrote our LinkedIn rep and said we were considering closing the group down the bots were so bad,” Miller said. “I said, ‘You guys should be doing something on the backend to block this.”
Jason Lathrop is vice president of technology and operations at ISOutsource, a Seattle-based consulting firm with roughly 100 employees. Like Miller, Lathrop’s experience in fighting bot profiles on LinkedIn suggests the social networking giant will eventually respond to complaints about inauthentic accounts. That is, if affected users complain loudly enough (posting about it publicly on LinkedIn seems to help).
Lathrop said that about two months ago his employer noticed waves of new followers, and identified more than 3,000 followers that all shared various elements, such as profile photos or text descriptions.
“Then I noticed that they all claim to work for us at some random title within the organization,” Lathrop said in an interview with KrebsOnSecurity. “When we complained to LinkedIn, they’d tell us these profiles didn’t violate their community guidelines. But like heck they don’t! These people don’t exist, and they’re claiming they work for us!”
Lathrop said that after his company’s third complaint, a LinkedIn representative responded by asking ISOutsource to send a spreadsheet listing every legitimate employee in the company, and their corresponding profile links.
Not long after that, the phony profiles that were not on the company’s list were deleted from LinkedIn. Lathrop said he’s still not sure how they’re going to handle getting new employees allowed into their company on LinkedIn going forward.
It remains unclear why LinkedIn has been flooded with so many fake profiles lately, or how the phony profile photos are sourced. Random testing of the profile photos shows they resemble but do not match other photos posted online. Several readers pointed out one likely source — the website thispersondoesnotexist.com, which makes using artificial intelligence to create unique headshots a point-and-click exercise.
Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.
But the Sustainability Group administrator Taylor said the bots he’s tracked strangely don’t respond to messages, nor do they appear to try to post content.
“Clearly they are not monitored,” Taylor assessed. “Or they’re just created and then left to fester.”
This experience was shared by the DevOp group admin Miller, who said he’s also tried baiting the phony profiles with messages referencing their fakeness. Miller says he’s worried someone is creating a massive social network of bots for some future attack in which the automated accounts may be used to amplify false information online, or at least muddle the truth.
“It’s almost like someone is setting up a huge bot network so that when there’s a big message that needs to go out they can just mass post with all these fake profiles,” Miller said.
In last week’s story on this topic, I suggested LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.
Many of our readers on Twitter said LinkedIn needs to give employers more tools — perhaps some kind of application programming interface (API) — that would allow them to quickly remove profiles that falsely claim to be employed at their organizations.
Another reader suggested LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.
In response to questions from KrebsOnSecurity, LinkedIn said it was considering the domain verification idea.
“This is an ongoing challenge and we’re constantly improving our systems to stop fakes before they come online,” LinkedIn said in a written statement. “We do stop the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scams. We’re also exploring new ways to protect our members such as expanding email domain verification. Our community is all about authentic people having meaningful conversations and to always increase the legitimacy and quality of our community.”
In a story published Wednesday, Bloomberg noted that LinkedIn has largely so far avoided the scandals about bots that have plagued networks like Facebook and Twitter. But that shine is starting to come off, as more users are forced to waste more of their time fighting off inauthentic accounts.
“What’s clear is that LinkedIn’s cachet as being the social network for serious professionals makes it the perfect platform for lulling members into a false sense of security,” Bloomberg’s Tim Cuplan wrote. “Exacerbating the security risk is the vast amount of data that LinkedIn collates and publishes, and which underpins its whole business model but which lacks any robust verification mechanisms.”
Avast released a free decryptor for variants of the Hades ransomware tracked as ‘MafiaWare666’, ‘Jcrypt’, ‘RIP Lmao’, and ‘BrutusptCrypt,’ .
Avast has released a decryptor for variants of the Hades ransomware known as ‘MafiaWare666’, ‘Jcrypt’, ‘RIP Lmao’, and ‘BrutusptCrypt,’ which can allow the victims of these ransomware strains to recover their files without paying the ransom.
The security firm discovered a bug in the encryption process implemented by the Hades ransomware that can be used to recover the files encrypted by some variants.
“We discovered a vulnerability in the encryption schema that allows some of the variants to be decrypted without paying the ransom. New or previously unknown samples may encrypt files differently, so they may not be decryptable without further analysis.” reads the post published by AVAST.
The experts pointed out that the Hades ransomware affected by the flaw did not exfiltrate any data from the victims. MafiaWare666, for example, is a ransomware strain written in C# which doesn’t contain any obfuscation or anti-analysis techniques. The malicious code encrypts files using AES encryption.
The malware samples analyzed by the researchers append the following extensions the the filename of the encrypted files:
Once the MafiaWare666 variant completes the encrypted process, it displays a window that provides payment instructions to the victims. The ransom price ranges from $50 to $300, although some of the older samples with different names demand up to one Bitcoin.
Victims of these variants can download the free decryptor from the Avast server along with instructions to use it.
The tool also allows victims that know a valid password for decrypting files, but that are not able to use the decryptor supplied by Hades, to tick the box in the above UI provided by the tool.
In case victims haven’t the password, they can use the Avast tool to crack it.
“Once the password is found, you can proceed to decrypt all the encrypted files on your PC by clicking “Next” concludes AVAST. ” On the final page, you can opt-in to backup your encrypted files. These backups may help if anything goes wrong during the decryption process. This option is on by default, which we recommend. After clicking “Decrypt” the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.”
(SecurityAffairs – hacking, Hades ransomware)
The post Avast releases a free decryptor for some Hades ransomware variants appeared first on Security Affairs.
There are no more articles