A cyberattack has disrupted gas stations from the National Iranian Oil Products Distribution Company (NIOPDC) across Iran.
A cyber attack has disrupted gas stations from the state-owned National Iranian Oil Products Distribution Company (NIOPDC) across Iran. The attack also defaced the screens at the gas pumps and gas price billboards.
In multiple cities, the billboards were displaying messages like “Khamenei! Where’s our fuel?” and “Free gas at [local gas station’s name].”
After the attack, the screens at the impacted NIOPDC gas stations were showing the words “cyberattack 64411,” 64411 being the phone number of the office of Supreme Leader Ayatollah Ali Khamenei.
NIOPDC currently manages more than 3,500 gas stations across the country.
The operations at the gas pumps were interrupted immediately after the incident because the employees were not able to charge customers for the fuel they were buying.
At this time, no one has claimed responsibility for the attack, but Iranian authorities speculate the incident was a cyber attack orchestrated by a foreign, hostile state.
Iranian state TV confirmed that the root cause of the incident was a nationwide cyber-attack that targeted petrol stations.
The message “cyberattack 64411” was also shown on the billboards of Iranian train stations during another attack that took place in July and that hit Iran’s railroad system.
A Ministry of Oil spokesperson downplayed the news of a “cyberattack” and stated that the incident was caused by a software glitch.
At the time of this writing, the operations at the gas stations have resumed.
Dark HunTOR: Police corps across the world have arrested 150 individuals suspected of buying or selling illicit goods on the dark web marketplace DarkMarket.
A joint international operation, tracked as Dark HunTOR and conducted by law enforcement across the world, resulted in the arrest of 150 suspects allegedly involved in selling and buying illicit goods on the DarkMarket marketplace.
The authorities arrested 65 suspects in the United States, 47 in Germany, 24 in the United Kingdom, 4 in Italy, 4 in the Netherlands, 3 in France, 2 in Switzerland, and one in Bulgaria.
DarkMarket, the world’s largest black marketplace on the dark web, was taken offline in January as a result of an international operation conducted by law enforcement from Germany, Australia, Denmark, Moldova, Ukraine, the United Kingdom (the National Crime Agency), and the USA (DEA, FBI, and IRS) with the support of Europol.
The figures related to the DarkMarket at the time of the shut down were impressive:
almost 500 000 users;
more than 2 400 sellers;
over 320 000 transactions;
more than 4 650 bitcoin and 12 800 Monero transferred.
The overall transactions, at the current rate, correspond to a sum of more than €140 million.
The marketplace was an important point of aggregation for online cybercriminals that traded all kinds of drugs, counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware.
The authorities seized more than €26.7 million (USD 31 million) in cash and virtual currencies, as well as 234 kg of drugs and 45 firearms. The police seized 152 kg of amphetamine, 27 kg of opioids and over 25 000 ecstasy pills.
“Operation Dark HunTOR stems from the takedown earlier this year of DarkMarket, the world’s then-largest illegal marketplace on the dark web. At the time, German authorities arrested the marketplace’s alleged operator and seized the criminal infrastructure, providing investigators across the world with a trove of evidence. Europol’s European Cybercrime Centre (EC3) has since been compiling intelligence packages to identify the key targets.” states the press release published by Europol. “As a result, 150 vendors and buyers who engaged in tens of thousands of sales of illicit goods were arrested across Europe and the United States. A number of these suspects were considered as High-Value Targets by Europol.”
Europol says that the Dark HunTOR investigation is still ongoing.
The Italian police also shut down the DeepSea and Berlusconi dark web marketplaces as part of the Dark HunTOR operation. According to the press release, the two marketplaces had over 100 000 announcements of illegal products. The authorities arrested four administrators and seized €3.6 million in cryptocurrencies.
“The point of operations such as the one today is to put criminals operating on the dark web on notice: the law enforcement community has the means and global partnerships to unmask them and hold them accountable for their illegal activities, even in areas of the dark web,” said Jean-Philippe Lecouffe, Europol’s Deputy Executive Director of Operations.
“The FBI continues to identify and bring to justice drug dealers who believe they can hide their illegal activity through the Darknet,” said FBI Director Christopher A. Wray. “Criminal darknet markets exist so drug dealers can profit at the expense of others’ safety. The FBI is committed to working with our JCODE and EUROPOL law enforcement partners to disrupt those markets and the borderless, worldwide trade in illicit drugs they enable.”
A researcher from the security firm CyberArk has managed to crack 70% of Tel Aviv’s WiFi networks, starting from a sample of 5,000 gathered WiFi hashes.
CyberArk security researcher Ido Hoorvitch demonstrated how it is possible to crack WiFi at scale by exploiting a vulnerability that allows retrieving a PMKID hash.
Hoorvitch has managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv to demonstrate how easy it is to compromise WiFi networks. He first wandered the city center with WiFi sniffing equipment to gather the sample of 5,000 network hashes used in the research.
The expert gathered the 5,000 WiFi network hashes by strolling the streets of Tel Aviv with simple WiFi sniffing equipment: an AWUS036ACH ALFA Network card ($50) that can work in monitor mode and is able to inject packets.
The expert used the free and open-source packet analyzer Wireshark running on Ubuntu.
The PMKID is calculated by using a hashing function having the PMK, the PMK Name, the MAC_AP and the MAC_STA as input.
The PMK is calculated from the following parameters:
Passphrase – the WiFi password, hence the part that we are really looking for.
SSID – the name of the network. It is freely available in the router beacons (Figure 3).
4096 – a static integer (the iteration count), the same for all PMKs.
Hoorvitch used an attack technique devised by Jens “atom” Steube (Hashcat’s lead developer) to retrieve the PMKIDs, which allowed him to derive the passwords.
“All of this changed with the atom’s groundbreaking research, which exposed a new vulnerability targeting RSN IE (Robust Security Network Information Element) to retrieve a PMKID hash (will be explained in a bit) that can be used to crack the target network password. PMKID is a hash that is used for roaming capabilities between APs. The legitimate use of PMKID is, however, of little relevance for the scope of this blog. Frankly, it makes little sense to enable it on routers for personal/private use (WPA2-personal), as usually there is no need for roaming in a personal network.” reads the post published by Hoorvitch.
The attack technique is clientless: an attacker doesn’t need to carry out the attack in real time, but only needs to capture a single frame, then discard wrong passwords and malformed frames that would disturb the cracking process.
The expert first used a “mask attack” as the Hashcat cracking method, combining it with a dictionary plus rules, because many Israeli citizens have the bad habit of using their cellphone numbers as WiFi passwords.
Israeli phone numbers have 10 digits and start with 05, so only the remaining eight digits have to be guessed. Using a standard laptop, Hoorvitch successfully cracked 2,200 passwords at an average speed of nine minutes per password.
“Each digit has 10 options (0-9), hence 10**8 possible combinations. One hundred million seems like a lot of combinations, but our monster rig calculates at the speed of 6819.8 kH/s which translates into 6,819,000 hashes per second.” continues the post. “A cracking rig is not required as my laptop can get to 194.4 kH/s, which translates into 194,000 hashes per second. That equals more than enough computing power to cycle through the possibilities necessary to crack the passwords. Consequently, it took my laptop roughly 9 minutes to break a single WiFi password with the characteristics of a cellphone number. (10**8)/194,000 = ~516 (seconds)/60 = ~9 minutes.”
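The PMK derivation described above and the keyspace arithmetic behind the nine-minute figure, as an added example (not code from the CyberArk post or from this article). It derives the PMK and PMKID exactly as 802.11 defines them, then sizes the search space for the password shapes the research singles out; the hash rates are the ones quoted in the post, and the sample passwords and MAC addresses are constructed.

```python
"""Added example: WPA2 PMK/PMKID derivation and a time-to-exhaust estimate for the
password shapes discussed in the CyberArk research (cellphone number, digits only,
lowercase only). Not the researcher's tooling; constants come from the post."""
import hashlib
import hmac
import re

PBKDF2_ITERATIONS = 4096      # the static "4096" in the PMK definition
LAPTOP_RATE_HPS = 194_400     # 194.4 kH/s, the laptop figure quoted in the post
RIG_RATE_HPS = 6_819_800      # 6819.8 kH/s, the "monster rig" figure


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Each candidate passphrase costs 4096 HMAC rounds, which is what bounds the
    hash rates quoted above."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, dklen=32)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), the value the
    AP places in the RSN IE of the first EAPOL frame."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def keyspace(password: str) -> int:
    """Size of the space an offline search must cycle through for passwords
    shaped like this one (the shapes the research found most often)."""
    if re.fullmatch(r"05\d{8}", password):   # Israeli cellphone: mask 05?d?d?d?d?d?d?d?d
        return 10 ** 8
    if password.isdigit():                   # digits only
        return 10 ** len(password)
    if re.fullmatch(r"[a-z]+", password):    # lower-case letters only
        return 26 ** len(password)
    if re.fullmatch(r"[a-z0-9]+", password): # lower-case plus digits
        return 36 ** len(password)
    return 95 ** len(password)               # full printable ASCII


def seconds_to_exhaust(space: int, rate_hps: int) -> float:
    """Worst-case time to try every candidate at the given hash rate."""
    return space / rate_hps


def crack_report(password: str) -> dict:
    """Keyspace and worst-case time on the laptop and on the rig from the post."""
    space = keyspace(password)
    return {
        "keyspace": space,
        "laptop_seconds": seconds_to_exhaust(space, LAPTOP_RATE_HPS),
        "rig_seconds": seconds_to_exhaust(space, RIG_RATE_HPS),
    }


if __name__ == "__main__":
    # Constructed sample: a cellphone-number password on a constructed SSID/MACs.
    pmk = derive_pmk("0521234567", "example-ssid")
    pmkid = derive_pmkid(pmk, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    print("PMKID:", pmkid.hex())
    for pw in ("0521234567", "12345678", "summer", "Summer$021"):
        r = crack_report(pw)
        print(f"{pw:12} keyspace={r['keyspace']:.3e} laptop={r['laptop_seconds']/60:.1f} min")
```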
In a second phase, the expert used a standard dictionary attack technique leveraging the ‘Rockyou.txt’ dictionary.
He cracked another 1,359 passwords using this technique; most of the cracked passwords contained only digits or only lower-case characters.
The expert pointed out that only routers supporting roaming features are vulnerable to the PMKID attack; however, the research demonstrated that routers manufactured by major vendors are vulnerable.
“In total, we cracked more than 3,500 WiFi network in and around Tel Aviv – 70% of our sample.” concludes the expert. “The threat of a compromised WiFi network presents serious risk to individuals, small business owners and enterprises alike. And as we’ve shown, when an attacker can crack more than 70% of WiFi networks in a major global city with relative ease, greater attention must be paid to protecting oneself.”
Below are the recommendations provided by the expert for users to protect themselves:
Choose a complex password. A strong password should include at least one lower case character, one upper case character, one symbol, one digit. It should be at least 10 characters long. It should be easily remembered and hard to anticipate. Bad example: Summer$021
Change the default username and password of your router.
Update your router firmware version.
Disable weak encryption protocols (such as WEP or WPA1).
The FBI published a flash alert to warn of the activity of the Ranzy Locker ransomware that had already compromised tens of US companies.
The FBI published a flash alert to warn of Ranzy Locker ransomware operations that had already compromised at least 30 US companies this year.
The gang has been active since at least 2020; its operators hit organizations from various industries.
“Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.” reads the flash alert.
The attack vector most used by the Ranzy Locker ransomware operators is brute-force attempts against Remote Desktop Protocol (RDP) credentials. In recent attacks, the group also exploited known Microsoft Exchange Server vulnerabilities and used phishing messages to target computer networks.
Once they have gained access to the target network, the ransomware operators attempt to locate sensitive data, including customer information, PII-related files, and financial records. The Ranzy Locker ransomware targets Windows systems, including servers and virtual machines.
In some cases the group implemented a double extortion model, threatening victims with leaking the stolen data if they don’t pay the ransom.
The flash alert also includes indicators of compromise (IOCs) associated with Ranzy Locker operations and Yara rules to detect the threat.
Below are the recommended mitigations included in the alert:
Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
Implement network segmentation, such that all machines on your network are not accessible from every other machine.
Install and regularly update antivirus software on all hosts, and enable real time detection.
Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Use double authentication when logging into accounts or services.
UltimaSMS, a massive fraud campaign, is using Android apps with millions of downloads to subscribe victims to premium subscription services.
Researchers from Avast have uncovered a widespread premium SMS scam on the Google Play Store, tracked as UltimaSMS; the name comes from the first app they discovered, called Ultima Keyboard 3D Pro.
Threat actors used at least 151 Android apps with 10.5 million downloads from over 80 countries to subscribe victims to premium subscription services.
Attackers used a fake photo editor, spam call blockers, camera filter, games, and other apps and promoted them via Instagram and TikTok channels.
Most of the downloads were made by users in the Middle East, such as Egypt, Saudi Arabia, and Pakistan.
Upon installation, the apps check the device’s location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam. When the victim opens the app, a screen is displayed requesting their phone number and, in some cases, email address to gain access to the app’s advertised service or product.
“Upon entering the requested details, the user is subscribed to premium SMS services that can charge upwards of $40 per month depending on the country and mobile carrier. Instead of unlocking the apps’ advertised features, which users might assume should happen, the apps will either display further SMS subscriptions options or stop working altogether.” reads the analysis published by Avast. “The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions”
Once the app has obtained the required permissions, it subscribes the victim to SMS service that could cost up to $40 per month depending on the country and mobile carrier.
Avast shared its findings with Google, which quickly removed the apps; according to the experts, the operators behind this campaign are racking up thousands of dollars in charges.
Experts recommend disabling the premium SMS option with their carrier and advise users to avoid entering a phone number unless they trust the app.
Mobile users are advised to read the fine print before entering details and carefully check reviews before installing an app.
Recently, security researchers from Zimperium have uncovered a piece of malware, dubbed GriftHorse, that was used for a similar purpose and that has infected more than 10 million Android smartphones across more than 70 countries.
Kansas man Wyatt Travnichek admitted in court to tampering with the computer systems at the Post Rock Rural Water District.
Kansas man Wyatt A. Travnichek pleaded guilty to tampering with the computer system at a drinking water treatment facility at the Post Rock Rural Water District. The man also pleaded guilty to one count of reckless damage to a protected computer system during unauthorized access.
In April, the United States Department of Justice charged Wyatt A. Travnichek, of Ellsworth County, Kansas, for accessing and tampering with the computer system of the Ellsworth County Rural Water District.
Travnichek accessed the computer systems of the Public Water System on about March 27, 2019, without authorization.
Travnichek worked for the Ellsworth County Rural Water District for roughly one year; he remotely monitored the plant by accessing the Post Rock computer system.
Once he had gained access to the public water system, the man allegedly performed malicious actions that halted processes at the facility and impacted the cleaning and disinfecting procedures.
The attack against the critical infrastructure posed a serious risk to the safety and health of an entire community.
According to the indictment, the man hacked the system with the intent to harm the Ellsworth Rural Water District No. 1, aka Post Rock Rural Water District.
The Kansas man used his cell phone to access the computer systems of the Public Water System, but he declared that on the night of the incident (March 27, 2019) he was intoxicated and was not able to explain what had really happened.
“Ensuring the security of our nations cyber infrastructure is one of the FBI’s top priorities and the plea underscores the joint dedication to that effort by the FBI, EPA and the Kansas Bureau of Investigation. There is no doubt that Travnichek’s intentional actions directly placed the public in harm’s way. The plea should send a clear message to anyone who attempts to tamper with public facilities – law enforcement will remain resolute in investigating any and all threats that put the public’s health at risk,” said FBI Special Agent in Charge Charles Dayoub.
“Protecting America’s drinking water is a top EPA priority,” said Special Agent in Charge Lance Ehrig of the EPA’s Criminal Investigation Division in Kansas. “EPA will continue our focused efforts with DOJ and the states as we investigate and pursue any threats that might be directed toward vital community drinking water resources.”
The EPA and the FBI recommend a prison sentence of 12 months and one day in prison.
An unknown ransomware gang leverages a critical SQL injection flaw in the BillQuick Web Suite time and billing solution to deploy ransomware.
An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular time and billing software BillQuick Web Suite to deploy ransomware.
The attacks were first spotted this month by researchers from security firm Huntress, who were also able to demonstrate the exploit. The ransomware gang exploited the CVE-2021-42258 flaw to gain access to the computer network of a US engineering company and deploy ransomware.
BQE has a self-proclaimed user base of 400,000 users worldwide, which is why experts find this campaign alarming.
“Hackers were able to successfully exploit CVE-2021-42258—using it to gain initial access to a US engineering company—and deploy ransomware across the victim’s network.” reads the post published by Huntress Labs. “Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.”
The researchers demonstrated that to trigger the vulnerability an attacker could navigate to the login page and enter a single quote (`’`). Experts also noticed that the error handlers for this page display a full traceback that could contain sensitive information about the server-side code.
Huntress Labs reported the flaw to BQE Software that addressed it on October 7.
BleepingComputer speculates that the gang has been spreading this ransomware since at least May 2020 and that it borrows a large portion of code from other AutoIt-based ransomware families.
“Once deployed on target systems, it will add the [email protected] extension to all encrypted files but, as mentioned above, BleepingComputer has not seen it drop a ransom note during any known attacks.” reported BleepingComputer.
US CISA urges administrators to address a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installs.
Discourse is a popular open-source Internet forum and mailing list management software application. The US CISA published a security advisory to urge administrators to fix a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installs. The vulnerability received a CVSS v3 score of 10.0.
“Discourse—an open source discussion platform—has released a security advisory to address a critical remote code execution (RCE) vulnerability (CVE-2021-41163) in Discourse versions 2.7.8 and earlier.” reads the advisory published by CISA.
CISA recommends development teams install versions 2.7.9 or later that address the vulnerability, or apply the necessary workarounds.
Discourse also published an advisory about the issue: the flaw is a validation bug in the upstream aws-sdk-sns gem that can lead to RCE. An attacker could exploit the vulnerability via a maliciously crafted request.
CVE-2021-41163 has been addressed in the latest stable, beta and tests-passed versions of Discourse. As a workaround, the development team recommends blocking, at an upstream proxy, every request whose path starts with /webhooks/aws.
“In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To workaround the issue without updating, requests with a path starting /webhooks/aws path could be blocked at an upstream proxy.” reads the advisory published by NIST.
A quick search of Discourse installs using the Shodan search engine reveals the existence of 8,639 potentially exploitable systems, most of them in the US.
The Red Team Research (RTR), the bug research division of the Italian telecommunications firm TIM, found 2 new vulnerabilities affecting the Ericsson OSS-RC.
What is the OSS (Operations Support System)?
The Operations Support System – Radio and Core (OSS-RC) provides a centralized interface into the radio and core components.
Operations Support Systems are the systems that communication service providers use to manage the integrated functions of their networks.
Consider the activation of a new line for a customer: while the order and customer data are collected through the CRM, the configuration of the network is automated through the OSS.
In other words, the systems that handle these requests (the CRM) gather user data but are not able to configure the network to deliver the service to the customer. The OSSs allow telecommunications carriers to automate this process and also to carry out network management operations, such as updating the base-band systems located on the buildings of our cities.
Unfortunately, OSS systems also represent a “single point of failure”: a Remote Code Execution (RCE) vulnerability affecting an OSS can allow attackers to potentially compromise all connected systems, including basebands.
The vulnerabilities have been reported to Ericsson by the researchers Alessandro Bosco, Mohamed Amine Ouad, and by the head of laboratory Massimiliano Brolli.
Below is the list of flaws reported to the vendor since 2001 and included in the National Vulnerability Database of the United States of America. There have been only 10, two of which were reported by TIM.
In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in new Ericsson library browsing tool ELEX used in systems like Ericsson Network Manager.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (‘Reflected Cross-site Scripting’) – CWE-79
Software Version: <=18B
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32569
CVSSv3: 6.1
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.
In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top privileged accounts only.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.
Ethics in vulnerability research is very important in this historical period: once identified, undocumented vulnerabilities (so-called zero-days) must be immediately reported to the vendor, without publishing information that would allow their active exploitation by Threat Actors (TA) against unpatched systems.
The TIM RTR laboratory has already discovered over 60 zero-day issues in the last two years; 4 of these vulnerabilities received a CVSS score of 9.8.
TIM is a leading company in the research of zero-day vulnerabilities and the results demonstrate the success of the RTR project.
Russia-linked Nobelium APT group has breached at least 14 managed service providers (MSPs) and cloud service providers since May 2021.
The SolarWinds security breach was not an isolated case: the Russia-linked Nobelium APT group has targeted 140 managed service providers (MSPs) and cloud service providers and successfully breached 14 of them since May 2021.
NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.
The recent large-scale campaign aimed at service providers was uncovered by Microsoft researchers; in order to avoid detection, the threat actors repeatedly changed tactics and used a broad range of hacking tools and malware.
“This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.” states Microsoft.
Attackers did not leverage exploits for vulnerabilities in the target organizations, but rather they used well-known techniques, like password spray and spear-phishing.
The campaign confirms that Russia-linked threat actors are trying to gain long-term, systematic access to multiple points in the technology supply chain to carry out cyberespionage activities.
Microsoft researchers spotted the campaign in its early stages: between July 1 and October 19 the IT giant informed 609 customers that they had been attacked 22,868 times by Nobelium. The number of attacks is very high; by comparison, prior to July 1, 2021, the company had notified customers about attacks from all nation-state actors 20,500 times over the past three years.
The company is still investigating these attacks, but it believes that there was a very low rate of success between July and October.
Microsoft also released technical guidance that can help organizations protect themselves against hacking attempts that are part of Nobelium’s latest campaign.
Threat actors infected the iPhone of New York Times journalist Ben Hubbard with NSO Group’s Pegasus spyware between June 2018 and June 2021.
The iPhone of New York Times journalist Ben Hubbard was repeatedly infected with NSO Group’s Pegasus spyware. The device was compromised two times, in July 2020 and June 2021.
The attacks were documented by the Citizen Lab research team from the University of Toronto; the infections took place while the journalist was working on a book about Saudi Crown Prince Mohammed bin Salman.
“Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.” reported Citizen Lab. “While we attribute the 2020 and 2021 infections to NSO Group’s Pegasus spyware with high confidence, we are not conclusively attributing this activity to a specific NSO Group customer at this time. However, we believe that the operator responsible for the 2021 hack is also responsible for the hacking of a Saudi activist in 2021.”
Researchers also discovered some forensic artifacts on Hubbard’s iPhone related to the Pegasus spyware as early as April 2018, but it is not clear if they were associated with a genuine infection attempt or some test conducted by the attackers.
Hubbard’s iPhone was hacked on July 12, 2020 and June 13, 2021; the attackers used the KISMET and FORCEDENTRY zero-click exploits respectively.
The discovery of the attack was possible after another investigation in which the researchers recovered the FORCEDENTRY exploit from a backup of a Saudi activist’s iPhone.
The iMessage account [EMAIL ADDRESS 1] that delivered the FORCEDENTRY exploit to the Saudi activist’s phone through 31 iMessage attachments was also used to communicate with Hubbard’s phone on June 13, 2021 at 15:45:20 GMT. The researchers noticed that about five minutes later a file was dropped in or deleted from the Library/Caches folder, and that at least 41 iMessage attachments were deleted.
“The deleted items all had timestamps greater than June 9, 2021 11:56:46 GMT and less than June 16, 2021 8:46:17 GMT. Based on this pattern of facts, we conclude with high confidence that Hubbard’s iPhone was hacked with NSO Group’s Pegasus spyware on June 13, 2021 15:45:20 GMT.” reads the analysis of the experts.
Experts also reported that Hubbard’s phone logs show the presence of Pegasus infection (aka HIPPOCRENE FACTOR) that took place on July 12, 2020. The initial compromise was introduced onto Hubbard’s phone sometime after January 29, 2020 and before December 14, 2020.
Citizen Lab experts found that Ben Hubbard’s DataUsage.sqlite file showed that process name bh was active on July 13, 2020 16:46:01. This process is associated with Pegasus spyware infections, in this case, attackers likely used the KISMET zero-click iMessage exploit.
“Hubbard was repeatedly subjected to targeted hacking with NSO Group’s Pegasus spyware. The hacking took place after the very public reporting in 2020 by Hubbard and the Citizen Lab that he had been a target. The case starkly illustrates the dissonance between NSO Group’s stated concerns for human rights and oversight, and the reality: it appears that no effective steps were taken by the company to prevent the repeated targeting of a prominent American journalist’s phone.” concludes the report.
The research institute did not attribute the infections to a specific threat actor, and NSO Group denied any involvement in the attacks. The New York Times reported a statement from NSO claiming that the journalist “was not a target of Pegasus by any of NSO’s customers.”
Experts from cybersecurity firm Emsisoft announced the availability of a free decryptor for past victims of the BlackMatter ransomware.
Cybersecurity firm Emsisoft has released a free decryption tool for past victims of the BlackMatter ransomware. The researchers found a vulnerability in the encryption process implemented in the BlackMatter ransomware that allowed them to recover encrypted files for free. Emsisoft didn’t reveal the existence of the flaw earlier, to avoid the ransomware group patching the code of their malware.
The decryptor only allows decrypting files encrypted with the BlackMatter versions used by the gang between mid-July and late September 2021; the most recent version of the ransomware addressed the issue.
“Earlier this year, Emsisoft researchers discovered a critical flaw in the BlackMatter ransomware that allowed them to help victims recover their files without paying a ransom, preventing millions of dollars falling into the hands of cybercriminals. The work has been conducted quietly and privately so as not to alert the BlackMatter operators to the flaw.” reads the announcement published by Emsisoft.
The company is now urging victims of the BlackMatter ransomware to contact it for support in recovering their data without paying the ransom.
With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, the company is reaching out to numerous victims to help them recover their data.
“Beyond BlackMatter, our team has identified vulnerabilities in about a dozen active ransomware families. In these cases, we can recover the vast majority of victims’ encrypted data without a ransom payment. As with BlackMatter, we aren’t making the list of families public until the vulnerability has been found and fixed by their respective operators. This is why we encourage victims to report incidents to law enforcement, as they may be able to direct them to us or other companies that can help.” concludes Emsisoft.
The BlackMatter group launched its operations at the end of July; the gang claims to be the successor of the DarkSide and REvil groups. Like other ransomware operations, BlackMatter also set up a leak site where it publishes data exfiltrated from victims before encrypting their systems.
The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future, who also reported that the gang was building a network of affiliates using ads posted on two cybercrime forums, Exploit and XSS.
The group is recruiting crooks with access to the networks of large enterprises, those with annual revenues of $100 million or more, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.
BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit organizations. In August, the gang implemented a Linux encryptor targeting the VMware ESXi virtual machine platform.
BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.
Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.
The alert also includes Snort signatures that can be used by network defenders to detect the network activity associated with BlackMatter.
CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
Implement Detection Signatures;
Use Strong Passwords;
Implement Multi-Factor Authentication;
Patch and Update Systems;
Limit Access to Resources over the Network;
Implement Network Segmentation and Traversal Monitoring;
Use Admin Disabling Tools to Support Identity and Privileged Access Management;
Implement and Enforce Backup and Restoration Policies and Procedures.
Microsoft uncovered an extensive series of credential phishing campaigns that employed a custom phishing kit tracked as TodayZoo.
Microsoft researchers uncovered a custom phishing kit, dubbed TodayZoo, that was used in an extensive series of credential phishing campaigns.
A “phishing kit” is a set of software or services aimed at facilitating phishing campaigns. In most cases a phishing kit is an archive file containing images, scripts, and HTML pages that allow threat actors to create a phishing page used to trick recipients into providing their credentials.
TodayZoo borrows large pieces of code from other phishing kits investigated by Microsoft in the past; these portions of code also include comment markers, dead links, and other holdovers from the previous kits.
The kit was first spotted by the IT giant in December 2020. Because of the consistency in the redirection patterns, domains, and other tactics, techniques, and procedures (TTPs) of its related campaigns, experts attribute the kit to a threat actor behind an older phishing kit template. Microsoft experts speculate that the threat actor implemented its own credential harvesting logic.
Since March 2021, Microsoft observed a series of phishing campaigns abusing the AwsApps[.]com domain to send the phishing messages. The email messages impersonated Microsoft and leveraged a zero-point font obfuscation technique to evade detection.
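The zero-point font trick mentioned above hides characters from a human reader while a text-based filter still sees them, so a keyword such as “password” can be split by invisible junk. The following is an added example, not Microsoft’s code: a small parser that separates rendered text from zero-size text; the HTML body is constructed and the reset URL is a placeholder.

```python
import re
from html.parser import HTMLParser

# Matches font-size:0, 0px, 0pt, 0em, 0.0 ... but not 0.5em or 10px.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
# Elements that never get a closing tag, so they must not sit on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base",
             "col", "embed", "param", "source", "track", "wbr"}

class ZeroFontSplitter(HTMLParser):
    """Collects text chunks in document order, tagging each one as rendered
    (visible to the reader) or hidden inside a zero-font-size element."""
    def __init__(self):
        super().__init__()
        self.chunks = []      # (text, hidden) in document order
        self._hidden = []     # one flag per open element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = self._hidden[-1] if self._hidden else False
        self._hidden.append(inherited or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        self.chunks.append((data, bool(self._hidden and self._hidden[-1])))

def analyse(html):
    """Return what a reader sees, what a naive keyword filter sees, and the
    text that was hidden; non-empty hidden text flags the obfuscation."""
    p = ZeroFontSplitter()
    p.feed(html)
    p.close()
    rendered = "".join(t for t, hidden in p.chunks if not hidden)
    hidden = "".join(t for t, h in p.chunks if h)
    raw = "".join(t for t, _ in p.chunks)
    return {"rendered_text": rendered, "raw_text": raw,
            "hidden_text": hidden, "zero_font_obfuscation": bool(hidden.strip())}

# Constructed lure body: the reader sees "password ... expire" but the raw
# text contains "pasA1sword" and "expzzire". The URL is a placeholder.
SAMPLE_EMAIL = """<html><body><p>Your pas<span style="font-size:0">A1</span>sword
will exp<span style="FONT-SIZE: 0px">zz</span>ire today.<br>
Reset it <a href="https://example.invalid/reset">here</a>.</p></body></html>"""

if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL)
    print("rendered:", result["rendered_text"].replace("\n", " "))
    print("raw:     ", result["raw_text"].replace("\n", " "))
    print("flagged: ", result["zero_font_obfuscation"])
```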
Attackers used different lures in the message body over the months, including password resets and fake fax and scanner notifications.
The analysis of the kit revealed that a large part of the code borrows from the DanceVida phishing kit.
“Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or purchase. We then compared TodayZoo with other phishing kits we have analyzed previously and found that even these kits also contained references to sites like Dancevida[.]com but would have different code blocks for their obfuscation or credential harvest components.” reads the analysis from Microsoft. “‘DanceVida’ is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location because they are directly for sale on various forums under kit-naming schemas, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts using free email services, such as GMail, Yahoo!, and Yandex.”
The imitation and obfuscation-related components of the TodayZoo phishing kit overlap with code from at least five other kits: Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo.
TodayZoo demonstrates that threat actors could create their own variants of phishing kits from publicly available frameworks to meet their needs.
“Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves.” concludes Microsoft.
This week, NATO Defence Ministers released the first-ever strategy for Artificial Intelligence (AI) that encourages the use of AI in a responsible manner.
Artificial Intelligence (AI) is changing the global defence and security environment; for this reason, NATO Defence Ministers released the first-ever strategy for this technology, which promotes its development and use in a responsible manner.
The strategy sets out the following principles of responsible use:
A. Lawfulness: AI applications will be developed and used in accordance with national and international law, including international humanitarian law and human rights law, as applicable.
B. Responsibility and Accountability: AI applications will be developed and used with appropriate levels of judgment and care; clear human responsibility shall apply in order to ensure accountability.
C. Explainability and Traceability: AI applications will be appropriately understandable and transparent, including through the use of review methodologies, sources, and procedures. This includes verification, assessment and validation mechanisms at either a NATO and/or national level.
D. Reliability: AI applications will have explicit, well-defined use cases. The safety, security, and robustness of such capabilities will be subject to testing and assurance within those use cases across their entire life cycle, including through established NATO and/or national certification procedures.
E. Governability: AI applications will be developed and used according to their intended functions and will allow for: appropriate human-machine interaction; the ability to detect and avoid unintended consequences; and the ability to take steps, such as disengagement or deactivation of systems, when such systems demonstrate unintended behaviour.
F. Bias Mitigation: Proactive steps will be taken to minimise any unintended bias in the development and use of AI applications and in data sets.
The new strategy also aims at accelerating and mainstreaming AI adoption in capability development and delivery, enhancing interoperability within the Alliance. NATO encourages its members to protect and monitor the AI technologies they use.
The Alliance warns of malicious use of AI by threat actors and urges the adoption of measures and technologies to identify and safeguard against these threats.
NATO Allies have recognized seven high-priority technological areas for defence and security, including Artificial Intelligence. The other six are quantum-enabled technologies, data and computing, autonomy, biotechnology and human enhancement, hypersonic technologies, and space.
NATO stresses the importance of addressing these technologies in an ethical way, since all of them are dual-use and highly pervasive.
“Some state and non-state actors will likely seek to exploit defects or limitations within our AI technologies. Allies and NATO must strive to protect the use of AI from such interference, manipulation, or sabotage, in line with the Reliability Principle of Responsible Use, also leveraging AI-enabled Cyber Defence applications.” concludes the announcement. “Allies and NATO should develop adequate security certification requirements for AI, such as specific threat analysis frameworks and tailored security audits for purposes of ‘stress-testing’. AI can impact critical infrastructure, capabilities and civil preparedness—including those covered by NATO’s seven resilience Baseline Requirements—creating potential vulnerabilities, such as cyberspace, that could be exploited by certain state and non-state actors.”
Threat actors are offering for sale a database containing 50 million records belonging to Moscow drivers on a hacking forum for $800.
Bad news for Russian drivers: threat actors are selling a database containing 50 million records belonging to Moscow drivers on a hacking forum for only $800. The threat actors claim to have obtained the data from an insider in the local police, and they published a sample of database records containing the car model, its registration and VIN number, date of registration, engine power, the owner’s name, date of birth, and phone number.
The stolen data spans 2006 to 2019, and local media outlets have confirmed its authenticity. The threat actors are also offering a file containing information from 2020 to whoever buys the database.
“The cybercriminals put up for sale for $ 800 a database of 50 million lines with the data of drivers that were registered in Moscow and the Moscow region from 2006 to 2019. As a bonus to the purchase, a file with information from 2020 is offered. The database contains names, dates of birth, phone numbers, VIN-codes and numbers of cars, their brands and models, as well as the year of registration. The seller himself claims that he received information from an insider in the traffic police.” reads the post published by the Kommersant website.
Alexei Parfentiev, head of the analytics department at SearchInform, considers this scenario credible:
“It looks more likely also because the requirements of regulators to such structures as the traffic police, in terms of protection against external attacks, are extremely strict,” he says.
However, Kommersant speculates that the data was obtained by hacking into regional information systems.
Andrey Arsentiev, head of analytics and special projects at InfoWatch Group, believes that the data could have been obtained by external attackers, for example by exploiting a vulnerability in the system software.
“Judging by the composition of the data, the new database of car owners is not an unloading from the traffic police system, but rather an unloading from the databases of insurers, the founder of the DLBI data leak intelligence and darknet monitoring service Ashot Hovhannisyan believes.” continues the post.
“This data could be stolen both directly from the insurance companies and from their contractors to whom the bases are transferred for ‘ringing’,” says Ashot Hovhannisyan.
The availability of this data in the cybercrime underground poses serious risks to the exposed individuals; attackers can use the information to carry out a range of malicious activities.
Cisco fixes an OS command-injection flaw, tracked as CVE-2021-1529, in Cisco SD-WAN that could allow privilege escalation and lead to arbitrary code execution.
Cisco addressed a high-severity OS command-injection vulnerability, tracked as CVE-2021-1529, in Cisco SD-WAN that could allow privilege escalation and lead to arbitrary code execution.
Cisco SD-WAN is a cloud-delivered overlay WAN architecture that enables digital and cloud transformation at enterprises; it allows organizations to connect disparate office locations via the cloud.
An authenticated, local attacker can exploit the CVE-2021-1529 vulnerability to execute arbitrary commands with root privileges. The flaw received a CVSS score of 7.8.
“The vulnerability is due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” reads the advisory published by the IT giant.
Cisco has released software updates to address this flaw; the company pointed out that there are no workarounds that fix this issue.
The Cisco PSIRT is not aware of attacks in the wild exploiting this vulnerability.
The US Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory for this flaw that urges organizations to address this vulnerability.
“CISA encourages users and administrators to review Cisco Advisory cisco-sa-sd-wan-rhpbE34A and apply the necessary updates.” states CISA’s advisory.
The U.S. Cybersecurity and Infrastructure Security Agency published an advisory to warn of the discovery of crypto-mining malware in the popular NPM package UAParser.js. The popular library has millions of weekly downloads.
“Versions of a popular NPM package named ua-parser-js were found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system.” reads the advisory. “CISA urges users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1.”
The experts’ analysis revealed that at least three tainted versions of the package were uploaded to the repository: versions 0.7.29, 0.8.0, and 1.0.0.
According to the maintainer of the library, Faisal Salman, a threat actor hijacked his NPM account to publish the infected packages.
“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary).” wrote the maintainer of the UAParser.js.
The tainted versions were replaced with clean versions 0.7.30, 0.8.1, and 1.0.1.
“The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.” reads another alert published by GitHub. “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
The good news is that the above packages remained on the repository only for a day before they were discovered.
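A practical first step after an alert like this is to find every copy of the package in a project’s lockfile, including copies nested under other dependencies, and compare it with the affected versions named above. The following is an added example, not CISA’s, GitHub’s or the project’s code; the lockfiles and the names example-app and some-widget are constructed.

```python
import json

# Versions named in the CISA and GitHub alerts quoted on this page, mapped to
# the patched release of the same line.
AFFECTED = {"0.7.29": "0.7.30", "0.8.0": "0.8.1", "1.0.0": "1.0.1"}
PACKAGE = "ua-parser-js"

def _walk_v1(deps, prefix, out):
    """lockfileVersion 1 nests transitive dependencies under 'dependencies'."""
    for name, info in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        version = info.get("version")
        if name == PACKAGE and version in AFFECTED:
            out.append((path, version, AFFECTED[version]))
        _walk_v1(info.get("dependencies"), path + "/", out)

def find_affected(lock):
    """Return (install path, version, fixed version) for every affected copy of
    ua-parser-js in a parsed package-lock.json, lockfileVersion 1, 2 or 3.
    Nested copies (node_modules/x/node_modules/ua-parser-js) count too."""
    found = []
    packages = lock.get("packages")
    if packages is not None:                 # v2/v3: 'packages' is authoritative
        for path, info in packages.items():
            name = path.rsplit("node_modules/", 1)[-1]
            version = info.get("version")
            if path and name == PACKAGE and version in AFFECTED:
                found.append((path, version, AFFECTED[version]))
    else:                                    # v1 only has the nested tree
        _walk_v1(lock.get("dependencies"), "", found)
    return sorted(found)

# Constructed lockfiles; "example-app" and "some-widget" are made-up names.
SAMPLE_LOCK_V2 = json.loads("""{
  "name": "example-app", "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/ua-parser-js": {"version": "0.7.29"},
    "node_modules/some-widget": {"version": "2.3.1",
                                 "dependencies": {"ua-parser-js": "^1.0.0"}},
    "node_modules/some-widget/node_modules/ua-parser-js": {"version": "1.0.1"}
  }
}""")
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "some-widget": {"version": "2.3.1",
                    "dependencies": {"ua-parser-js": {"version": "1.0.0"}}}}}

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V2, SAMPLE_LOCK_V1):
        for path, version, fixed in find_affected(lock):
            # Per the GitHub alert: a host that ran an affected version is treated
            # as compromised and its secrets rotated, not merely upgraded.
            print(f"{path}: {version} is affected, upgrade to {fixed}")
```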
Server-side request forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain chosen by the attacker.
“In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.”
“This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of a SSRF attempt. Researchers can leverage this tool as part of their SSRF proof of concept to reliably determine if they have been successful.” states Facebook.
SSRF Dashboard allows researchers to create unique internal endpoint URLs that could be targeted by SSRF attacks and determine if they have been hit. The tool allows researchers to test their SSRF proof-of-concept (PoC) code.
Pentesters can report an SSRF flaw to the company by including the ID of the SSRF attempt URL that they used along with their PoC.
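The defensive counterpart of what is described above is a destination check that an application runs before fetching a user-supplied URL, refusing names that resolve to internal address space. This is an added example and not Facebook’s tool; the resolver is a constructed stand-in for DNS, and the hostnames and addresses in it are made up for the sample.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_internal(ip_text):
    """True for ranges an SSRF would typically be aimed at: loopback, private,
    link-local, multicast, unspecified and reserved space, IPv4-mapped IPv6 included."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])   # drop any IPv6 scope id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_outbound_url(url, resolve=socket.getaddrinfo):
    """Decide whether a user-supplied URL may be fetched server-side.
    Returns (allowed, reason). `resolve` is injectable so the sample runs offline.
    What this check cannot cover: the fetch must connect to the validated IP
    (not re-resolve the name later) and must not follow redirects blindly."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    try:
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if not host:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addrs = {info[4][0] for info in resolve(host, port or 80)}
    except OSError as exc:          # socket.gaierror is a subclass of OSError
        return False, f"cannot resolve {host}: {exc}"
    for ip_text in addrs:
        if is_internal(ip_text):    # one internal record is enough to refuse
            return False, f"{host} resolves to internal address {ip_text}"
    return True, f"{host} resolves only to external addresses"

# Constructed resolver standing in for DNS; names and addresses are made up.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "internal-service.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],   # mixed public/private answer
}

def fake_resolve(host, port):
    try:
        ipaddress.ip_address(host)      # literal IP: "resolves" to itself
        ips = [host]
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"unknown host {host}")
        ips = FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in ips]

if __name__ == "__main__":
    for u in ("https://public.example/", "http://rebind.example/", "http://127.0.0.1:8080/"):
        print(u, check_outbound_url(u, fake_resolve))
```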
Additional information on the utility can be found here.