✇ Security Affairs

Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks

By: Pierluigi Paganini

Qihoo 360 reported DDoS attacks launched by APT-C-53 (aka Gamaredon) using builds of the open-source DDoS tool LOIC distributed from the group's C2 servers.

Researchers at Qihoo 360 observed a wave of DDoS attacks launched by Russia-linked APT-C-53 (aka Gamaredon) and reported that the group distributed builds of LOIC (Low Orbit Ion Cannon), an open-source DDoS tool, from its C2 servers. The samples spotted by the experts were compiled in early March 2022, a few days after the Russian invasion of Ukraine began.

“We found that multiple C2 servers distributed an open-source DDoS Trojan program LOIC compiled by .net from March 4th to 5th, 2022.” reads the analysis published by 360 Qihoo.

While monitoring the group, the experts observed multiple operations, including phishing campaigns and malware distribution, and were able to locate the C2 infrastructure used by the nation-state actors.

Below is the list of C2 domains involved (the TLDs are masked with "**" in the original report):

decree.maizuko.**
caciques.gloritapa.**
delicate.maizuko.**
jealousy.jump.artisola.**
dense.gitrostan.**
decision.lotorgas.**
decency.maizuko.**
junior.jacket.artisola.**
defective88.maizuko.**
deception.lotorgas.**
destination.delight.coffiti.**
cachinate.gloritapa.**
January.josie.artisola.**
defective19.maizuko.**

The LOIC builds distributed by the group include hardcoded target IP addresses and ports.
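The domain list above is what a defender would load into a resolver or DNS-log check. The following script is an added example, not part of the Qihoo 360 report or of this article: it turns the masked entries into patterns, runs them over a few constructed DNS query-log lines, and lists the registrable domains to block at the resolver, since the group rotates the leftmost labels (decree, delicate and decency all sit under maizuko). The log format and the client addresses are assumptions.

```python
import re
from collections import Counter

# IOC list as published by Qihoo 360 (TLDs are masked with "**" in the report).
MASKED_IOCS = [
    "decree.maizuko.**", "caciques.gloritapa.**", "delicate.maizuko.**",
    "jealousy.jump.artisola.**", "dense.gitrostan.**", "decision.lotorgas.**",
    "decency.maizuko.**", "junior.jacket.artisola.**", "defective88.maizuko.**",
    "deception.lotorgas.**", "destination.delight.coffiti.**",
    "cachinate.gloritapa.**", "January.josie.artisola.**", "defective19.maizuko.**",
]


def ioc_regex(masked):
    """Compile a masked IOC into a regex over a lower-cased query name.

    The masked TLD may be one or two labels ("xyz" or "co.uk"), and extra
    labels to the left of the published host are matched too, since the
    operator controls those.
    """
    labels = masked.lower().rstrip(".").split(".")
    if labels[-1] != "**":
        raise ValueError(f"expected a masked TLD in {masked!r}")
    host = r"\.".join(re.escape(label) for label in labels[:-1])
    return re.compile(rf"^(?:[a-z0-9-]+\.)*{host}\.[a-z0-9-]+(?:\.[a-z0-9-]+)?$")


def apex_labels(masked_iocs):
    """Registrable second-level labels shared by the IOCs: the part to block
    at the resolver, since the leftmost labels rotate."""
    return {m.split(".")[-2] for m in masked_iocs}


def parse_dns_line(line):
    """One constructed query-log line: '<timestamp> <client> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname.lower().rstrip("."), qtype


def find_hits(log_lines, masked_iocs=MASKED_IOCS):
    """Return (timestamp, client, qname, matched_ioc) for every matching query."""
    patterns = [(m, ioc_regex(m)) for m in masked_iocs]
    hits = []
    for line in log_lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue
        ts, client, qname, _qtype = rec
        for masked, pat in patterns:
            if pat.match(qname):
                hits.append((ts, client, qname, masked))
                break
    return hits


def clients_by_hits(hits):
    """How many IOC lookups each client made (who to triage first)."""
    return Counter(client for _, client, _, _ in hits)


# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2022-03-05T09:58:11Z 10.0.0.5 decree.maizuko.xyz A
2022-03-05T09:58:12Z 10.0.0.5 www.example.com A
2022-03-05T09:59:40Z 10.0.0.7 cdn.jealousy.jump.artisola.site A
2022-03-05T10:00:03Z 10.0.0.5 destination.delight.coffiti.co.uk A
2022-03-05T10:00:09Z 10.0.0.9 maizuko.xyz A
2022-03-05T10:01:00Z 10.0.0.9 notdecree.maizuko.xyz A
""".splitlines()

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
    print("block at resolver:", sorted(apex_labels(MASKED_IOCS)))
```

Note that the bare apex (maizuko.xyz) and a look-alike label (notdecree.maizuko.xyz) are deliberately not matched by the per-host patterns; the apex set is the separate, coarser block list.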

“The distribution of the LOIC Trojan may be the prelude to a new round of DDoS attacks.” conclude the researchers, who also shared indicators of compromise for the attacks.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

The post Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks appeared first on Security Affairs.

✇ Security Affairs

The strange link between Industrial Spy and the Cuba ransomware operation

By: Pierluigi Paganini

The recently launched Industrial Spy data extortion marketplace has now started its ransomware operation.

In April, MalwareHunterTeam and BleepingComputer reported the launch of a new dark web marketplace called Industrial Spy that sells stolen data and offers some stolen data to its members for free. MalwareHunterTeam researchers spotted malware samples that drop the following wallpaper promoting the site.

Here is the wallpaper that gets dropped on systems where one of their samples run.
Same typos/mistakes as in the text notes seen, and also the whole text is repeated.
Very strange…
🤔 pic.twitter.com/on0v3IryKB

— MalwareHunterTeam (@malwrhunterteam) April 15, 2022

Upon execution, the malware creates README.txt files in every folder on the machine; the files contain a description of the service and a link to the Tor site.

Below is the description for the marketplace:

“There you can buy or download for free private and compromising data of your competitors. We public schemes, drawings, technologies, political and military secrets, accounting reports and clients databases. All this things were gathered from the largest worldwide companies, conglomerates and concerns with every activity. We gather data using vunlerability in their IT infrastructure. in their IT infrastructure. Industrial spy team processes huge massives every day to devide you results. You can fid it in their portal:”

Industrial Spy is a marketplace that offers businesses data on their competitors, including intellectual property and trade secrets.

The marketplace has different tiers of data offerings, from $2 for individual files up to “premium” listings, which represent all the data stolen from an organization and can be offered for millions of dollars.

Some data dumps are available on Industrial Spy for free, they were likely downloaded from the leak sites of ransomware gangs or other hacking forums.

Now BleepingComputer reported that the Industrial Spy data marketplace launched its own ransomware operation.

Recently, MalwareHunterTeam researchers discovered a new sample of the Industrial Spy malware that drops a ransom note.

Industrial Spy ransomware

This "Industrial Spy" story just got more strange/interesting in recent days…
🤔
More details later from @LawrenceAbrams. https://t.co/hmohQqFPlz

— MalwareHunterTeam (@malwrhunterteam) May 24, 2022

Further analysis of the ransom note suggested a link with another ransomware operation.

The TOX ID and email address in the note are the same as those in a ransom note dropped by another sample uploaded to VirusTotal, one associated with the Cuba ransomware.

“While this does not 100% tie the two groups together, it’s very possible that the Industrial Spy threat actors simply used Cuba’s information while testing the creation of their ransomware.” states BleepingComputer.

However, it is peculiar and something that security researchers and analysts will need to keep an eye on.
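The overlap BleepingComputer describes, the same TOX ID and email address in two families' ransom notes, is a routine pivot. The script below is an added example, not code from the researchers: it extracts contact identifiers from a set of ransom notes and reports which families share them. The notes, the Tox ID and the email addresses in it are constructed placeholders, not the real Industrial Spy or Cuba contacts.

```python
import re
from itertools import combinations

# Contact identifiers that ransom notes carry. A Tox ID is 76 hex characters
# (32-byte public key, 4-byte nospam, 2-byte checksum).
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")


def extract_contacts(note):
    """Normalised (kind, value) pairs found in one ransom note."""
    found = set()
    found.update(("tox", m.upper()) for m in TOX_ID_RE.findall(note))
    found.update(("email", m.lower()) for m in EMAIL_RE.findall(note))
    found.update(("onion", m.lower()) for m in ONION_RE.findall(note))
    return found


def shared_contacts(notes_by_family):
    """Pairs of families whose notes share at least one contact identifier."""
    contacts = {fam: extract_contacts(text) for fam, text in notes_by_family.items()}
    links = []
    for fam_a, fam_b in combinations(sorted(contacts), 2):
        common = contacts[fam_a] & contacts[fam_b]
        if common:
            links.append((fam_a, fam_b, sorted(common)))
    return links


# Constructed notes with placeholder identifiers (not the real Industrial Spy
# or Cuba contacts).
FAKE_TOX = "4F" * 38
NOTES = {
    "industrial_spy_sample": (
        "Your files have been encrypted. To recover them contact us.\n"
        f"TOX ID: {FAKE_TOX}\n"
        "Email: helpdesk@example.org\n"
    ),
    "cuba_sample": (
        "All your data was stolen and encrypted.\n"
        f"Tox: {FAKE_TOX}, mail: HelpDesk@example.org\n"
    ),
    "unrelated_sample": (
        "Contact support@example.net or " + "A1" * 38 + " via Tox\n"
    ),
}

if __name__ == "__main__":
    for fam_a, fam_b, common in shared_contacts(NOTES):
        print(f"{fam_a} <-> {fam_b}: {common}")
```

A shared identifier is a lead, not proof of a shared operator: as BleepingComputer notes, a crew testing a new builder may simply paste another gang's contact block, so the next step is to compare build timestamps, packer and code overlap before treating the two as one group.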


✇ The Hacker News

New York Man Sentenced to 4 Years in Transnational Cybercrime Scheme

By: Ravie Lakshmanan
A 37-year-old man from New York has been sentenced to four years in prison for buying stolen credit card information and working in cahoots with a cybercrime cartel known as the Infraud Organization. John Telusma, who went by the alias "Peterelliot," pleaded guilty to one count of racketeering conspiracy on October 13, 2021. He joined the gang in August 2011 and remained a member for
✇ Security Affairs

Reuters: Russia-linked APT behind Brexit leak website

By: Pierluigi Paganini

Russia-linked threat actors are behind a new website that published leaked emails from leading proponents of Britain’s exit from the EU, Reuters reported.

According to a Google cybersecurity official and the former head of UK foreign intelligence, the “Very English Coop d’Etat” website was set up to publish private emails from Brexit supporters, including former British MI6 chief Richard Dearlove, leading Brexit campaigner Gisela Stuart, and historian Robert Tombs.

According to Reuters, victims of the leak confirmed the authenticity of the messages and said they had been targeted by Russia-linked hackers.

Google’s Threat Analysis Group (TAG) chief Shane Huntley told Reuters the website was set up by a Russia-linked APT dubbed “Cold River”.

At this time it is unclear how the site obtained the emails; Reuters pointed out that most of the messages appear to have been exchanged through ProtonMail accounts.

“The “English Coop” site makes a variety of allegations, including one that Dearlove was at the center of a conspiracy by Brexit hardliners to oust former British Prime Minister Theresa May, who had negotiated a withdrawal agreement with the European Union in early 2019, and replace her with Johnson, who took a more uncompromising position.” Reuters reported. “Dearlove said that the emails captured a “legitimate lobbying exercise which, seen through this antagonistic optic, is now subject to distortion.””


✇ Security Affairs

GitHub: Nearly 100,000 NPM Users’ credentials stolen in the April OAuth token attack

By: Pierluigi Paganini

GitHub provided additional details about the April theft of OAuth tokens issued to its integrators: the attacker accessed credentials for nearly 100,000 npm users.

GitHub published an update on the incident it suffered in April, revealing that the attackers were able to access a database backup containing nearly 100K npm users’ credentials.

In April, GitHub uncovered threat actors using stolen OAuth user tokens to gain access to their repositories and download private data from several organizations.

The attackers abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. GitHub ruled out that the tokens were obtained through a compromise of GitHub or its systems, explaining that it does not store them in their original, usable format.

On April 12, the company opened an investigation into a series of unauthorized accesses to data stored in the repositories of dozens of organizations. The intrusion was first detected that day, when GitHub’s security team identified unauthorized access to its npm production infrastructure using a compromised AWS API key.

The threat actors allegedly obtained the AWS API key by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub revoked the access tokens associated with the affected apps.

The Microsoft-owned company has now provided an update on the incident: the attackers were able to escalate their access to npm infrastructure and exfiltrate the following files from npm cloud storage:

  • A backup of skimdb.npmjs.com containing data as of April 7, 2021, with the following information: an archive of user information from 2015, containing npm usernames, password hashes, and email addresses for roughly 100k npm users.
  • All private npm package manifests and package metadata as of April 7, 2021.
  • A series of CSVs containing an archive of all names and version numbers (semVer) of published versions of all npm private packages as of April 10, 2022.
  • Private packages from two organizations.

Log analysis and package hash verification suggest that the attackers did not modify any package in the registry or publish new versions of existing packages.

An additional investigation, unrelated to the OAuth token attack, revealed a number of plaintext user credentials for the npm registry that were collected in internal logs as a result of the integration of npm into GitHub logging systems.
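Plaintext credentials in internal logs, as in the finding above, are usually an ingestion-side failure: request headers and config dumps are shipped before anything strips them. The script below is an added example, not GitHub’s or npm’s code, showing one such redaction layer run over constructed request-log lines. The token format it matches (npm_ followed by 36 alphanumerics), the placeholder credentials and the log format are assumptions, not details from GitHub’s report.

```python
import base64
import re

# Secret shapes that must never reach a log pipeline in the clear. The npm
# token format (npm_ + 36 alphanumerics) is general knowledge, not something
# the incident report states.
BASIC_RE = re.compile(r"(?i)(authorization:\s*basic\s+)([A-Za-z0-9+/=]+)")
BEARER_RE = re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)")
NPM_TOKEN_RE = re.compile(r"\bnpm_[A-Za-z0-9]{36}\b")


def redact_line(line):
    """Return (clean_line, findings). Findings carry only what an analyst needs
    to follow up (the kind of secret and a non-reversible hint), never the secret."""
    findings = []

    def basic(m):
        try:
            user = base64.b64decode(m.group(2)).decode().split(":", 1)[0]
        except Exception:  # malformed base64: still redact, user unknown
            user = "?"
        findings.append(("basic-auth", user))
        return m.group(1) + "[REDACTED]"

    def bearer(m):
        findings.append(("bearer-token", m.group(2)[:4] + "..."))
        return m.group(1) + "[REDACTED]"

    def npm_token(m):
        findings.append(("npm-token", m.group(0)[:8] + "..."))
        return "npm_[REDACTED]"

    # Header forms first, so a bearer npm_ token is counted once, not twice.
    line = BASIC_RE.sub(basic, line)
    line = BEARER_RE.sub(bearer, line)
    line = NPM_TOKEN_RE.sub(npm_token, line)
    return line, findings


def scrub(lines):
    """Redact a batch of lines; returns (clean_lines, findings)."""
    clean, findings = [], []
    for line in lines:
        c, f = redact_line(line)
        clean.append(c)
        findings.extend(f)
    return clean, findings


# Constructed request-log lines; the tokens and the password are placeholders.
SAMPLE_LOG = [
    "GET /-/whoami 200 authorization: Bearer npm_" + "a" * 36,
    "PUT /@acme%2fbilling 201 Authorization: Basic "
    + base64.b64encode(b"alice:hunter2").decode(),
    "debug: .npmrc //registry.npmjs.org/:_authToken=npm_" + "b" * 36,
    "GET /lodash 200",
]

if __name__ == "__main__":
    clean_lines, all_findings = scrub(SAMPLE_LOG)
    for line in clean_lines:
        print(line)
    print(all_findings)
```

The findings list is what you forward to the pipeline: it lets you count how many distinct users and tokens were exposed (and so need a reset) without re-creating the leak in a second log.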

The company is resetting the passwords of impacted users and notifying users by email.

“Passwords belonging to the impacted users of the accessed database backup have been reset and these users are being notified. The two organizations that had private packages stolen were notified immediately after analysis confirmed the activity. Over the next few days, we will directly notify those with exposed private package manifests, metadata, and private package names and versions.” concludes the announcement.


✇ The Hacker News

Microsoft Finds Critical Bugs in Pre-Installed Apps on Millions of Android Devices

By: Ravie Lakshmanan
Four high severity vulnerabilities have been disclosed in a framework used by pre-installed Android System apps with millions of downloads. The issues, now fixed by its Israeli developer MCE Systems, could have potentially allowed threat actors to stage remote and local attacks or be abused as vectors to obtain sensitive information by taking advantage of their extensive system privileges. "As
✇ Security Affairs

Android pre-installed apps are affected by high-severity vulnerabilities

By: Pierluigi Paganini

Microsoft found several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps.

The Microsoft 365 Defender Research Team discovered four vulnerabilities (CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework, owned by mce Systems, that is used by several mobile carriers in pre-installed Android System apps.

The researchers discovered the flaws in September 2021 and reported them to mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

The experts pointed out that the vulnerabilities affected apps with millions of downloads; the flaws have since been fixed.

Threat actors could have abused these pre-installed apps to access system configuration and sensitive information.

“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues.” reads the post published by Microsoft.

The bad news is that some of the affected apps cannot be fully uninstalled or disabled without root access to the device. 

The experts discovered that the framework exposes a “BROWSABLE” activity, invokable remotely through a custom URL scheme, that can be used to exploit several vulnerabilities. Threat actors could exploit these issues to implant a persistent backdoor or take substantial control over the device.

BROWSABLE Activity with the “mcedigital://” scheme (source Microsoft)

The framework was designed to implement self-diagnostic mechanisms, so it runs with permissions to access valuable resources. Microsoft experts highlight that the affiliated apps also hold extensive device privileges that could be exploited through the vulnerable framework.

“Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.” continues Microsoft. “As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.”

mce Systems has fixed the issues and provided a framework update to the impacted providers. At the time of publication, the researchers were not aware of attacks in the wild exploiting these vulnerabilities.

“Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted.” concludes the report.


✇ The Hacker News

Experts Detail New RCE Vulnerability Affecting Google Chrome Dev Channel

By: Ravie Lakshmanan
Details have emerged about a recently patched critical remote code execution vulnerability in the V8 JavaScript and WebAssembly engine used in Google Chrome and Chromium-based browsers. The issue relates to a case of use-after-free in the instruction optimization component, successful exploitation of which could "allow an attacker to execute arbitrary code in the context of the browser." The
✇ The Hacker News

Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach

By: Ravie Lakshmanan
Cloud-based repository hosting service GitHub on Friday shared additional details into the theft of its integration OAuth tokens last month, noting that the attacker was able to access internal NPM data and its customer information. "Using stolen OAuth user tokens originating from two third-party integrators, Heroku and Travis CI, the attacker was able to escalate access to NPM infrastructure,"
✇ Security Affairs

GhostTouch: how to remotely control touchscreens with EMI

By: Pierluigi Paganini

Security researchers devised a technique, dubbed GhostTouch, to remotely control touchscreens using electromagnetic signals.

A team of researchers from Zhejiang University and Technical University of Darmstadt devised a technique, dubbed GhostTouch, to remotely control capacitive touchscreens using electromagnetic signals.

According to the experts, GhostTouch is the first active contactless attack against capacitive touchscreens.

GhostTouch uses electromagnetic interference (EMI) to remotely inject fake touch points into a capacitive touchscreen. The researchers demonstrated how to inject the two basic touch events, taps and swipes, at targeted locations of the screen; these events were enough to control the devices (e.g. answering an eavesdropping phone call, pressing a button, swiping up to unlock). The technique worked against nine smartphone models.

“We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.” reads the research paper published by the academics. “Finally, we discuss potential hardware and software countermeasures to mitigate the attack.”


The GhostTouch system consists of two components, a touch injector and a phone locator. The touch injector is used to inject touch events into the touchscreen and includes a signal generator, an amplifier, an on/off switch, and a receiving antenna array. The phone locator is used to identify the position of the touchscreen and consists of a sensing antenna array, a data acquisition device, and a location calculator.

The experimental lab setup built by the researchers uses an electrostatic gun to generate a strong pulse signal, which is fed to an antenna that transmits an electromagnetic field to the touchscreen.

The researchers also published two video PoCs showing GhostTouch answering a phone call and pairing a malicious Bluetooth device.


The experts tested the technique against nine smartphone models: Galaxy A10s, Huawei P30 Lite, Honor View 10, Galaxy S20 FE 5G, Nexus 5X, Redmi Note 9S, Nokia 7.2, Redmi 8, and an iPhone SE (2020).

“We demonstrate the feasibility of this attack in the real world.” concludes the paper. “In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table. An attacker may embed the attack equipment under the table and launch attacks remotely. For example, an attacker may impersonate the victim to answer a phone call which would eavesdrop the private conversation, or visit a malicious website.”

The researchers provided a series of countermeasures to neutralize the attack, including adding electromagnetic shielding to block EMI, reinforcing the touchscreen, improving the detection algorithm of the touchscreen, and forcing some form of authentication for the execution of high-risk actions.


✇ The Hacker News

The Myths of Ransomware Attacks and How To Mitigate Risk

By: The Hacker News
Today's modern companies are built on data, which now resides across countless cloud apps. Therefore preventing data loss is essential to your success. This is especially critical for mitigating against rising ransomware attacks — a threat that 57% of security leaders expect to be compromised by within the next year.  As organizations continue to evolve, in turn so does ransomware. To help you
✇ Security Affairs

FBI: Compromised US academic credentials available on various cybercrime forums

By: Pierluigi Paganini

The FBI warns organizations in the higher education sector of credentials sold on cybercrime forums that can allow threat actors to access their networks.

The FBI issued an alert to inform the higher education sector about the availability of login credentials on dark web forums that can be used by threat actors to launch attacks against individuals and organizations in the industry. The availability of this data is the result of continued attacks conducted by threat actors against US colleges and universities. The alert also includes recommendations and mitigations for these attacks.

“The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publically accessible forums. This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations.” reads the alert published by the FBI.

Crooks obtain the information by conducting spear-phishing and ransomware attacks, or other means.

In 2017, crooks launched a phishing campaign against universities to compromise .edu accounts. The attackers set up fake university login pages and embedded a credential harvester link in phishing emails.

In late 2020, credentials for US-based universities were found for sale on the dark web. The seller listed approximately 2,000 unique credentials.

In May 2021, over 36,000 email and password combinations for .edu email accounts were offered for sale on a publicly available instant messaging platform.

More recently, in January 2022, threat actors were observed offering network and VPN access credentials belonging to US-based universities and colleges for sale on Russian cybercrime forums.

“The FBI has observed incidents of stolen higher education credential information posted on publically accessible online forums or listed for sale on criminal marketplaces. The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” concludes the alert. “If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”
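The alert’s warning about credential stuffing is what the detection below is for. It is an added example, not from the FBI alert: a sliding-window check over constructed authentication-log lines that flags a source address failing logins for many different accounts within a short window, then reports any later success from that address as a probable account takeover. The log format, thresholds, account names and addresses are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_auth_line(line):
    """Constructed format: '<iso-timestamp> <src-ip> <username> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "OK"


def detect_credential_stuffing(lines, window_minutes=5, min_distinct_users=10):
    """Flag a source IP once it has failed logins for at least
    min_distinct_users different accounts inside a sliding window; any later
    success from a flagged IP is reported as a probable account takeover.

    Returns (flagged: {ip: first_flag_time}, takeovers: [(ts, ip, user)]).
    """
    events = sorted((parse_auth_line(l) for l in lines), key=lambda e: e[0])
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)       # ip -> (ts, user) failures still in window
    distinct = defaultdict(Counter)   # ip -> user -> failures still in window
    flagged, takeovers = {}, []
    for ts, ip, user, ok in events:
        if ok:
            if ip in flagged:
                takeovers.append((ts, ip, user))
            continue
        dq, ctr = recent[ip], distinct[ip]
        dq.append((ts, user))
        ctr[user] += 1
        # Expire failures that fell out of the window.
        while dq and ts - dq[0][0] > window:
            _old_ts, old_user = dq.popleft()
            ctr[old_user] -= 1
            if not ctr[old_user]:
                del ctr[old_user]
        if ip not in flagged and len(ctr) >= min_distinct_users:
            flagged[ip] = ts
    return flagged, takeovers


def build_sample_log():
    """Constructed log: one address walks a leaked username list and gets one
    hit; a legitimate user mistypes a password twice and then logs in."""
    t0 = datetime(2022, 5, 26, 8, 0, 0)
    attacker, staff = "203.0.113.7", "198.51.100.4"
    lines = [
        f"{(t0 + timedelta(seconds=10 * i)).isoformat()} {attacker} student{i:02d} FAIL"
        for i in range(12)
    ]
    lines.append(f"{(t0 + timedelta(seconds=150)).isoformat()} {attacker} student05 OK")
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} {staff} prof_ahmed FAIL")
    lines.append(f"{(t0 + timedelta(seconds=45)).isoformat()} {staff} prof_ahmed FAIL")
    lines.append(f"{(t0 + timedelta(seconds=60)).isoformat()} {staff} prof_ahmed OK")
    return lines


if __name__ == "__main__":
    flagged, takeovers = detect_credential_stuffing(build_sample_log())
    for ip, when in flagged.items():
        print(f"stuffing from {ip} flagged at {when.isoformat()}")
    for ts, ip, user in takeovers:
        print(f"probable takeover: {user} from {ip} at {ts.isoformat()}")
```

Counting distinct usernames rather than raw failures is what separates stuffing from a single user locked out of their own account; in production the same logic is usually keyed on a /24 or an ASN as well, since stuffing tools rotate source addresses.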


✇ The Hacker News

Attackers Can Use Electromagnetic Signals to Control Touchscreens Remotely

By: Ravie Lakshmanan
Researchers have demonstrated what they call the "first active contactless attack against capacitive touchscreens." GhostTouch, as it's called, "uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it," a group of academics from Zhejiang University and Technical University of Darmstadt said in a new research paper. The core
✇ Security Affairs

ERMAC 2.0 Android Banking Trojan targets over 400 apps

By: Pierluigi Paganini

A new version of the ERMAC Android banking trojan is able to target an increased number of apps.

Version 2.0 of the ERMAC Android banking trojan targets an increased number of applications, up from 378 to 467, to steal account credentials and cryptocurrency wallets.

ERMAC was first spotted by ThreatFabric researchers in July 2021; it is based on the popular Cerberus banking trojan, whose source code was released on underground hacking forums in September 2020 after its operators failed to sell it at auction.

According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware.

ERMAC 2.0 was discovered by ESET researchers in a campaign impersonating Bolt Food that targeted Polish users. The malware has been available for rent on underground forums for $5,000 per month since March 2022.


A new #Android banker ERMAC 2.0 impersonates #Bolt Food and targets 🇵🇱 Polish users.
Available for rent on underground forums for $5K/month since March 2022, ERMAC 2.0 already has an active campaign. #ESETresearch @LukasStefanko 1/3 pic.twitter.com/hGeD4ZSwve

— ESET research (@ESETresearch) May 18, 2022

ERMAC 2.0 is able to steal credentials for financial and cryptocurrency apps included in the list of targeted apps that are sent by the C2.

The researchers also shared indicators of compromise (IoCs) for this version.

IoCs:
Distribution: bolt-food[.]site
Dropper: 301E2AB9707ABE193BB627C60F5E4B8736C86FE9
Payload: CCADCC836F3B6FC80FB3C49D507099846B5B71B3
C&C: 193.106.191[.]116, 193.106.191[.]148, 193.106.191[.]121, 185.215.113[.]100, 193.106.191[.]118
#ESETresearch 3/3 pic.twitter.com/jY7maTyPxo

— ESET research (@ESETresearch) May 18, 2022

Researchers from Cyble published a technical analysis of the malware after the initial discovery by ESET.

ERMAC first enumerates the applications installed on the device and sends the list to the C2 server.

The malicious app requests 43 permissions, of which the threat actor abuses 12. Below is the list of permissions requested to conduct malicious activities and take over the infected device:

Permission                Description
REQUEST_INSTALL_PACKAGES  Allows an application to request installing packages
CALL_PHONE                Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
RECEIVE_SMS               Allows an application to receive SMS messages
READ_SMS                  Allows an application to read SMS messages
SEND_SMS                  Allows an application to send SMS messages
READ_CONTACTS             Allows an application to read the user’s contacts data
READ_PHONE_STATE          Allows read access to the device’s phone number
SYSTEM_ALERT_WINDOW       Allows an app to create windows shown on top of all other apps
READ_EXTERNAL_STORAGE     Allows an application to read from external storage
RECORD_AUDIO              Allows an application to record audio
WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage

The commands supported by ERMAC 2.0 to execute malicious operations are:

Command                Description
downloadingInjections  Sends the application list to download injections
logs                   Sends injection logs to the server
checkAP                Checks the application status and sends it to the server
registration           Sends device data
updateBotParams        Sends the updated bot parameters
downloadInjection      Used to receive the phishing HTML page
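Two findings on this page come down to what an APK’s manifest declares: the mce framework’s remotely invokable BROWSABLE activity with the mcedigital:// scheme (Microsoft’s finding above), and ERMAC 2.0’s permission set (the table above). The script below is an added example, not Microsoft’s, Cyble’s or ESET’s code: it audits a decoded AndroidManifest.xml for URL-reachable exported activities and for the permission combinations a banker needs. The two manifests, package and class names are constructed for illustration; only the mcedigital scheme and the permission names come from the research. The exported-by-default rule it applies is the pre-Android-12 behaviour for components that declare an intent-filter.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Namespaced attribute name: android:name -> {ns}name."""
    return f"{{{ANDROID_NS}}}{attr}"


# From the ERMAC 2.0 permission list: the combinations that matter.
SMS_TRIAD = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
SENSITIVE = {"android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
             "android.permission.READ_CONTACTS"}


def browsable_entry_points(root):
    """Activities reachable from a URL: VIEW action + BROWSABLE category + a
    data scheme. A component with an intent-filter is exported unless
    android:exported="false" is set explicitly (pre-Android-12 default)."""
    hits = []
    for act in root.iter("activity"):
        exported_attr = act.get(android("exported"))
        for flt in act.findall("intent-filter"):
            actions = {e.get(android("name")) for e in flt.findall("action")}
            cats = {e.get(android("name")) for e in flt.findall("category")}
            schemes = {e.get(android("scheme")) for e in flt.findall("data")}
            schemes.discard(None)
            if ("android.intent.action.VIEW" in actions
                    and "android.intent.category.BROWSABLE" in cats and schemes):
                exported = exported_attr is None or exported_attr.lower() == "true"
                hits.append({"activity": act.get(android("name")),
                             "schemes": sorted(schemes), "exported": exported})
    return hits


def permission_findings(root):
    perms = {p.get(android("name")) for p in root.iter("uses-permission")}
    findings = []
    if SMS_TRIAD <= perms:
        findings.append("sms-control")      # receive+read+send: OTP theft, SMS spreading
    if OVERLAY in perms:
        findings.append("overlay")          # windows over other apps: fake login screens
    if OVERLAY in perms and INSTALL in perms:
        findings.append("overlay+install")  # dropper can walk the user through side-loading
    findings += sorted(p.rsplit(".", 1)[1].lower() for p in SENSITIVE & perms)
    return sorted(perms), findings


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms, findings = permission_findings(root)
    return {"package": root.get("package"),
            "browsable": browsable_entry_points(root),
            "permissions": perms, "findings": findings}


# Constructed manifests (in practice decoded from an APK with apktool or aapt).
CARRIER_DIAG_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carrier.diag">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MceLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="mcedigital"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

BANKER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.boltfood.fake">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".Main" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (CARRIER_DIAG_MANIFEST, BANKER_MANIFEST):
        print(audit_manifest(manifest))
```

The first manifest yields no permission findings but one URL-reachable exported activity, which is exactly the surface Microsoft describes: the vulnerability is in what that activity does with the URL, so the next step is to read its handler. The second yields no browsable entry point but the SMS, overlay and install combination that turns a dropper into a banker.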

“The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums. Interestingly, we observed that ERMAC 2.0 is distributed rapidly through various phishing sites, primarily targeting Polish users.” concludes Cyble. “ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ERMAC 2.0)

The post ERMAC 2.0 Android Banking Trojan targets over 400 apps appeared first on Security Affairs.

✇ The Hacker News

Zyxel Issues Patches for 4 New Flaws Affecting AP, API Controller, and Firewall Devices

By: Ravie Lakshmanan

Zyxel has released patches to address four security flaws affecting its firewall, AP Controller, and AP products that could be exploited to execute arbitrary operating system commands and steal select information. The list of security vulnerabilities is as follows - CVE-2022-0734 - A cross-site scripting (XSS) vulnerability in some firewall versions that could be exploited to access information stored in the user's
✇ Security Affairs

Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw

By: Pierluigi Paganini

Security researchers released PoC exploit code for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

Horizon3 security researchers have released a proof-of-concept (PoC) exploit and technical analysis for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

The virtualization giant recently warned that a threat actor can exploit the CVE-2022-22972 flaw (CVSSv3 base score of 9.8) to obtain admin privileges and urges customers to install patches immediately.

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014. The ramifications of this vulnerability are serious.” states VMware.

The CVE-2022-22972 flaw affects Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

“VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.” reads the advisory published by the company. “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.”

The company acknowledged Bruno López of Innotec Security for the discovery of the flaw.

VMware addressed the flaw and also provided workarounds for admins who cannot immediately install security patches.

VMware did not publish technical details about the flaw, so Horizon3 researchers derived them by analyzing the patch.

“Our POC sends requests starting at the /vcac endpoint the same way a browser would and parses the login page to extract these hidden fields. These hidden fields are then encoded into the body of the final POST with the Host header set to our custom login server. The POC then parses the response to extract the authentication cookies. These cookies can be used to execute actions as the chosen user.” reads the analysis published by the researchers. “This script can be used to bypass authentication on vRealize Automation 7.6 using CVE-2022-22972. Workspace ONE and vIDM have different authentication endpoints, but the crux of the vulnerability remains the same.”

The experts pointed out that CVE-2022-22972 is a relatively simple Host header manipulation vulnerability: the application trusts the client-supplied Host header when deciding which server handles the login, so an attacker who points it at a server they control can have a bogus success response accepted and receive valid session cookies for the chosen user.
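As an added example, not VMware’s code and not Horizon3’s PoC, here is the bug class in miniature: a login flow that builds its authentication callback from the request’s Host header, next to a version that checks the header against a configured allowlist first. The callback path, the allowlist and the request dictionaries are placeholders.

```python
# Added example (not VMware's or Horizon3's code): an illustrative Host-header
# trust bug of the class described above, beside a hardened version.
from urllib.parse import urlsplit

CALLBACK_PATH = "/auth/callback"  # placeholder, not a real product endpoint


def login_target_vulnerable(headers: dict) -> str:
    """Derive the authentication backend from the client-supplied Host header.

    Whoever controls Host controls which server the application asks about
    the login result; a server returning a canned success response yields
    session cookies for whichever user the attacker named.
    """
    host = headers.get("Host", "")
    return "https://%s%s" % (host, CALLBACK_PATH)


def host_header_is_trusted(headers: dict, allowed_fqdns: set) -> bool:
    """True only if the Host header names a configured FQDN (port ignored)."""
    host = headers.get("Host", "")
    # urlsplit copes with "host:port", "[v6]:port" and a "user@" prefix an
    # attacker might prepend to confuse a naive startswith() check.
    hostname = urlsplit("//" + host).hostname or ""
    return hostname.lower() in {h.lower() for h in allowed_fqdns}


def login_target_hardened(headers: dict, allowed_fqdns: set) -> str:
    """Same flow, but an unexpected Host is rejected before it is ever used,
    and the URL is built from the parsed hostname, never the raw header."""
    if not host_header_is_trusted(headers, allowed_fqdns):
        raise ValueError("untrusted Host header: %r" % headers.get("Host"))
    hostname = urlsplit("//" + headers["Host"]).hostname
    return "https://%s%s" % (hostname, CALLBACK_PATH)


if __name__ == "__main__":
    allowed = {"idm.corp.example"}  # placeholder allowlist
    print(login_target_vulnerable({"Host": "attacker.example"}))
    print(login_target_hardened({"Host": "idm.corp.example:443"}, allowed))
```

The same allowlist check belongs at the reverse proxy or load balancer in front of the appliance, which is the quickest way to cut off this class of request while a patch is scheduled.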


Threat actors could easily exploit this issue. A search on Shodan.io for the affected VMware applications turns up potentially vulnerable instances belonging to organizations in the healthcare and education sectors and in state government.

The Cybersecurity and Infrastructure Security Agency (CISA) issued the Emergency Directive 22-03 to order federal agencies to fix VMware CVE-2022-22972 and CVE-2022-22973 flaws or to remove the affected products from their networks by May 23, 2022.

The directive also orders federal agencies to report the status of all VMware installs on their networks in CyberScope by May 24, 2022.

The Cybersecurity and Infrastructure Security Agency (CISA) further highlighted this security flaw’s severity lev


Pierluigi Paganini

(SecurityAffairs – hacking, VMWare)

The post Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw appeared first on Security Affairs.

✇ Security Affairs

Exposed: the threat actors who are poisoning Facebook

By: Pierluigi Paganini

An investigation of the infamous “Is That You?” video scam led Cybernews researchers into exposing threat actors who are poisoning Facebook

Original post @ https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/

An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a cybercriminal stronghold, from which threat actors have been infecting the social media giant with thousands of malicious links every day. At least five suspects, thought to be residing in the Dominican Republic, have been identified.

Facebook has long been a happy hunting ground for online crooks, who take great pleasure in turning unwary members of the internet community into their prey.

It can start with something as seemingly innocuous as a message from a “friend” – in fact a cybercriminal pretending to be such – inviting you to click on a juicy link to the next big share-fest, be it a music clip, funny video, or anything else you might be interested in.

Screenshot of the original Is That You? scam uncovered on Facebook.

The only thing that’s juicy about such bogus links is the bundle of personal details you are giving up by clicking on them, because it won’t be the latest hot clip you’re sharing when you do – just your name, address, and passwords, which are then harvested for profit by the threat actor who has fooled you.

Given its likelihood of being used as a platform for such scams, Facebook has been on the Cybernews radar for some time – in February last year, we exposed the “Is That You?” phishing scam on its Messenger service that had been doing the rounds since at least 2017.

Since then, the research team has remained vigilant, keeping tabs on suspect activities on Facebook. Recently, that vigilance was rewarded when we received a tip-off from fellow cyber investigator Aidan Raney – who first reached out to us after our original findings were published – that malicious links were being distributed to users.

Upon further examination, it turned out that thousands of these phishing links had been distributed, through a devious network sprawling across the back channels of the social media platform.

Left unchecked, this could result in hundreds of thousands of unwary social media users falling foul of the dodgy links – the “Is That You?” scam was thought to have hooked in around half a million victims before we uncovered it.

That campaign was initiated by sending the potential mark a message from one of their Facebook contacts. The message contained what appears to be a video link with a text in German suggesting that they are featured in the clip.

Mind map of a devious cybercriminal enterprise.

The game is afoot!

Hot for the chase, our cyber detectives began their inquiry by scrutinizing a malicious link sent to one victim, to learn how the scam had been put together.

“I figured out what servers did what, where code was hosted, and how I could identify other servers,” said Raney. “I then used this information and urlscan.io [a website that allows one to scan URLs] to look for more phishing links matching the same characteristics as this one.”

A thorough search of servers connected to the phishing links turned up a page that was sending credentials to a site called devsbrp.app. Further scrutiny revealed a banner thought to be attached to a control panel, with the text “panelfps by braunnypr” written on it.

Using these as keywords in a subsequent search led the research team straight to the panel and banner creator, whose email address and password combinations were also discovered – neatly turning the tables on cybercriminals used to stealing credentials of unsuspecting web users.

Inside a criminal stronghold

Using the threat actor’s own details, Cybernews accessed a website that turned out to be the command and control center for most of the phishing attacks linked to the gang, thought to number at least five threat actors but possibly many more. This provided our intrepid investigators with a trove of information on the crooks behind the Facebook phishing scam, including their likely country of residence – the Dominican Republic.

“We were able to export the user list for everybody registered to this panel,” said the Cybernews researcher. “Using the usernames on the list, we started uncovering the identities of as many people on the list as possible, but there is still more work to be done.”

One of the suspects that Raney identified is likely the same threat actor that the Cybernews research team was able to name in February 2021. Back then, we sent the relevant information to the Cyber Emergency Response Team (CERT) in the Dominican Republic, as evidence suggested that the campaign was also launched from there.

At the time of writing, all relevant information has been handed over to the authorities pending further investigation.

If you want to know how to protect yourself, take a look at this post:

https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/


Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

The post Exposed: the threat actors who are poisoning Facebook appeared first on Security Affairs.

✇ Security Affairs

Zyxel addresses four flaws affecting APs, AP controllers, and firewalls

By: Pierluigi Paganini

Zyxel addressed multiple vulnerabilities impacting many of its products, including APs, AP controllers, and firewalls.

Zyxel has released security updates to address multiple vulnerabilities affecting multiple products, including firewall, AP, and AP controller products.

Below is the list of the four vulnerabilities; the most severe is a command injection flaw in the “packet-trace” CLI command, tracked as CVE-2022-26532 (CVSS v3.1 7.8):

  • CVE-2022-0734: A cross-site scripting vulnerability was identified in the CGI program of some firewall versions that could allow an attacker to obtain some information stored in the user’s browser, such as cookies or session tokens, via a malicious script.
  • CVE-2022-26531: Multiple improper input validation flaws were identified in some CLI commands of some firewall, AP controller, and AP versions that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.
  • CVE-2022-26532: A command injection vulnerability in the “packet-trace” CLI command of some firewall, AP controller, and AP versions could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the command.
  • CVE-2022-0910: An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.
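As an added example, and not Zyxel’s code, the following shows the bug class behind a CLI command injection such as the one described for packet-trace: a hypothetical wrapper that hands an interface name and a capture filter to tcpdump, first by string concatenation into a shell command and then as a validated argv list. The wrapper, its validation rules and the sample inputs are assumptions made for illustration.

```python
# Added example (not Zyxel's code): command injection through CLI arguments,
# shown with a hypothetical tcpdump wrapper, vulnerable and hardened.
import re
import shlex

# Linux interface names: at most 15 chars and no leading dash, so a value
# can never be parsed as an option.
IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}")
# Tokens permitted in the filter expression; quotes, brackets and shell
# metacharacters are refused outright in this illustration.
FILTER_TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:/-]*")


def build_command_vulnerable(iface: str, bpf: str) -> str:
    # The returned string is later handed to a shell (system(), popen() or
    # subprocess with shell=True), so "eth0; /bin/sh" or "$(id)" runs as-is.
    return "tcpdump -i %s %s" % (iface, bpf)


def build_command_hardened(iface: str, bpf: str) -> list:
    """Return an argv list for subprocess.run(argv, shell=False)."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("invalid interface name: %r" % iface)
    tokens = shlex.split(bpf)  # raises ValueError on unbalanced quotes
    # A leading dash is refused because getopt-style parsers permute
    # arguments, so a later "-w /path" would still be taken as an option
    # (argument injection, distinct from shell injection).
    bad = [t for t in tokens if not FILTER_TOKEN_RE.fullmatch(t)]
    if bad:
        raise ValueError("disallowed filter tokens: %r" % bad)
    return ["tcpdump", "-i", iface] + tokens


def is_safe(iface: str, bpf: str) -> bool:
    """Convenience check: does the hardened builder accept these arguments?"""
    try:
        build_command_hardened(iface, bpf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_command_vulnerable("eth0; id", "port 80"))
    print(build_command_hardened("eth0", "port 80 and not host 10.0.0.1"))
```

The two defences are independent: never letting a shell parse the string removes shell injection, and refusing a leading dash removes argument injection into the target binary. A real filter parser would also need to accept parentheses and bracket offsets, which this illustration deliberately leaves out.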

According to the advisory published by the vendor, the issues affect USG/ZyWALL, USG FLEX, ATP, VPN, NSG firewalls, NXC2500 and NXC5500 AP controllers, and NAP, NWA, WAC, and WAX Access Point families.

The vendor has already released security patches to address the flaws for most of the affected models.

The hotfix for NXC2500 AP controllers affected by CVE-2022-26531 and CVE-2022-26532 must be requested from a local service representative.

Experts urge admins to upgrade their installs to prevent attacks exploiting the above flaws.

This advice is especially important for US companies as we head into a holiday weekend when it is common for threat actors to conduct attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

The post Zyxel addresses four flaws affecting APs, AP controllers, and firewalls appeared first on Security Affairs.

✇ Security Affairs

Experts warn of a new malvertising campaign spreading the ChromeLoader

By: Pierluigi Paganini

Researchers warn of a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

Researchers from Red Canary observed a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

ChromeLoader is a malicious Chrome browser extension classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic. Threat actors spread the malware via an ISO file disguised as a cracked video game or a pirated movie or TV show.

“However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.” reads the analysis published by the experts.

The malware redirects the user’s traffic and hijacks search queries to popular search engines, including Google, Yahoo, and Bing. It uses PowerShell to inject itself into the browser and add the malicious extension.

Running the executable inside the mounted ISO image installs ChromeLoader along with a .NET wrapper for the Windows Task Scheduler that the threat uses to achieve persistence.

“Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe). Notably, ChromeLoader does not call the Windows Task Scheduler (schtasks.exe) to add this scheduled task, as one might expect. Instead, we saw the installer executable load the Task Scheduler COM API, along with a cross-process injection into svchost.exe (which is used to launch ChromeLoader’s scheduled task).” continues the analysis.


In April, the researcher Colin Cowie also published an analysis of the macOS version of ChromeLoader; that variant installs malicious extensions in both the Chrome and Safari browsers.

The report published by the experts includes the following detection opportunities for this threat:

  • Detection opportunity 1: PowerShell containing a shortened version of the encodedCommand flag in its command line;
  • Detection opportunity 2: PowerShell spawning chrome.exe containing load-extension and AppData\Local within the command line;
  • Detection opportunity 3: Shell process spawning process loading a Chrome extension within the command line;
  • Detection opportunity 4: Redirected Base64 encoded commands into a shell process
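As an added example, not Red Canary’s detection content, the four opportunities above are expressed as checks over process-creation events and run against a handful of constructed sample events. The event field names (parent, image, cmdline) are an assumption; map them onto your EDR or Sysmon Event ID 1 schema.

```python
# Added example (not Red Canary's code): the four ChromeLoader detection
# opportunities as checks over process-creation events, with constructed
# sample events. Field names are assumptions.
import base64
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
PIPED_TO_SHELL = re.compile(
    r"\|\s*(?:powershell(?:\.exe)?|pwsh|cmd(?:\.exe)?|bash|zsh|sh)\b", re.I)


def has_short_encodedcommand(cmdline: str) -> bool:
    """-e, -ec, -enc, -encoded ... but not the full -EncodedCommand flag."""
    full = "encodedcommand"
    for tok in cmdline.split():
        if not tok.startswith("-"):
            continue
        flag = tok[1:].lower()
        if flag.startswith("e") and len(flag) < len(full) and full.startswith(flag):
            return True
    return False


def detect(event: dict) -> list:
    """Return the names of the detection opportunities an event matches."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"]
    low = cmd.lower()
    hits = []
    # 1. PowerShell with a shortened encodedCommand flag
    if image in POWERSHELL and has_short_encodedcommand(cmd):
        hits.append("ps_short_encodedcommand")
    # 2. PowerShell spawning chrome.exe with load-extension and AppData\Local
    if (parent in POWERSHELL and image == "chrome.exe"
            and "load-extension" in low and "appdata\\local" in low):
        hits.append("ps_spawns_chrome_load_extension")
    # 3. Any shell spawning a process that loads a Chrome extension
    if parent in SHELLS and "--load-extension" in low:
        hits.append("shell_loads_chrome_extension")
    # 4. A Base64 blob piped into a shell process
    if B64_RUN.search(cmd) and PIPED_TO_SHELL.search(cmd):
        hits.append("base64_piped_to_shell")
    return hits


def scan(events: list) -> dict:
    """Map event index to its hits, dropping events that match nothing."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}


# Constructed sample events (not real telemetry). The Base64 in the third
# event is generated here so it is a genuine encoding of a harmless string.
_B64 = base64.b64encode(b'echo "constructed sample payload"').decode()
EVENTS = [
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -windowstyle hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": "powershell.exe", "image": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\victim\AppData\Local\chrome_ext"'},
    {"parent": "bash", "image": "bash",
     "cmdline": "bash -c 'echo %s | base64 --decode | bash'" % _B64},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for i, hits in scan(EVENTS).items():
        print(i, hits, EVENTS[i]["cmdline"][:70])
```

Opportunity 2 is a strict subset of opportunity 3; keeping both lets the narrower rule carry a higher severity while the broader one still catches a loader that changes its parent process. The fourth event is a benign administrative command included to show that a plain -ExecutionPolicy Bypass does not trip the shortened-flag check.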


Pierluigi Paganini

(SecurityAffairs – hacking, chromeloader)

The post Experts warn of a new malvertising campaign spreading the ChromeLoader appeared first on Security Affairs.
