✇Security Affairs

Attackers abuse open redirects in Snapchat and Amex in phishing attacks

By: Pierluigi Paganini

Threat actors abuse open redirects on Snapchat and American Express to launch phishing attacks against Microsoft 365 users.

Attackers abused open redirects on the websites of Snapchat and American Express as part of a phishing campaign targeting Microsoft 365 users.

The term open URL redirection (open redirect) refers to a security issue that makes it easier for attackers to direct users to malicious resources under their control.

An open redirect occurs when a website fails to validate user input, allowing attackers to manipulate the URLs of high-reputation domains to redirect victims to malicious sites. Victims trust the link because the first domain name in the manipulated link is a trusted domain such as American Express or Snapchat.

“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.” reads a post published by Inky.

“The following example shows an open redirect link. A surfer sees the link going to a safe site (safe.com) but may not realize this domain will redirect them to a malicious site (malicious.com), which may harvest credentials or distribute malware.

http://safe.com/redirect?url=http://malicious.com

Over a two-month period, INKY researchers observed phishing attacks leveraging the snapchat[.]com open redirect. The attackers sent 6,812 phishing emails originating from various hijacked accounts. Below is the Snapchat link manipulated to redirect to a malicious site:

https://click.snapchat[.]com/aVHG?=http://29781.google.com&af_web_dp=http://qx.oyhob.acrssd[.]org. #.aHR0cHME6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzI0MjY4ZTMyLT E2MEmQtNDUxYi1hNTc4LWZhNzg0OTdiZjM4NC1idWWNrZXQvb2Z maWNlMzY1Lmh0bWwjYWNvb3BlckBjcHRsaGVhbHRoLmNvbQ==

The phishing messages exploiting the Snapchat open redirect impersonated DocuSign, FedEx, and Microsoft and led to landing sites designed to harvest Microsoft credentials. 

[Image: open redirects]

The experts reported the Snapchat vulnerability to the company through the Open Bug Bounty platform on August 4, 2021, but the issue is yet to be addressed.

Unlike Snapchat, American Express quickly fixed its issue, which was being exploited in late July.

“When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.” concludes the report. “Recipients of emails with links should also examine them for multiple occurrences of “http” in the URL, another potential indication of redirection. Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture.”

If the redirection is necessary for commercial reasons, domain owners should present users with an external redirection disclaimer that requires user clicks before redirecting to external sites.
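As an added example (not code from the Security Affairs post or from INKY's report), the following Python shows both sides of the advice above: a scanner that flags the link indicators the report lists, and the server-side validation a domain owner would apply before following a user-supplied redirect target. The sample links and the allow-listed host partner.example are constructed for the example.

```python
from urllib.parse import parse_qs, unquote, urljoin, urlsplit

# Parameter names the INKY report lists as hints that a trusted domain
# may bounce the visitor to another site.
REDIRECT_PARAM_HINTS = ("url", "redirect", "external-link", "proxy")


def redirect_indicators(url: str) -> list[str]:
    """Return the open-redirect warning signs found in a link.

    Mirrors the two checks the report suggests to email recipients:
    a redirect-style query parameter name, and more than one "http"
    inside the URL (a URL nested in a URL). Percent-encoding is
    undone first so an encoded nested URL is not missed.
    """
    findings = []
    parts = urlsplit(url)
    for name in parse_qs(parts.query, keep_blank_values=True):
        if any(hint in name.lower() for hint in REDIRECT_PARAM_HINTS):
            findings.append(f"redirect-style parameter: {name}")
    if unquote(url).lower().count("http") > 1:
        findings.append("multiple 'http' occurrences (nested URL)")
    return findings


def resolve_redirect(base: str, target: str, allowed_hosts: frozenset) -> str:
    """Server-side validation of a user-supplied redirect target.

    Only a same-site path or an absolute http(s) URL whose host is on an
    explicit allow list is honoured; anything else (other hosts,
    protocol-relative "//evil.example", "javascript:" and friends) falls
    back to the site's own root instead of becoming an open redirect.
    """
    site_host = urlsplit(base).hostname
    resolved = urlsplit(urljoin(base, target))
    if resolved.scheme not in ("http", "https"):
        return urljoin(base, "/")
    if resolved.hostname == site_host or resolved.hostname in allowed_hosts:
        return resolved.geturl()
    return urljoin(base, "/")


if __name__ == "__main__":
    # Constructed sample links: the report's illustrative one, an
    # encoded variant, and a benign link for contrast.
    for link in (
        "http://safe.com/redirect?url=http://malicious.com",
        "http://safe.com/redirect?url=http%3A%2F%2Fmalicious.com",
        "https://safe.com/account/settings",
    ):
        print(link, "->", redirect_indicators(link) or "no indicators")

    # Constructed allow list: partner.example is a hypothetical partner host.
    partners = frozenset({"partner.example"})
    for target in ("/account", "https://partner.example/x",
                   "https://malicious.com/", "//malicious.com/x"):
        print(target, "->", resolve_redirect("https://safe.com/login", target, partners))
```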

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, open redirects)

The post Attackers abuse open redirects in Snapchat and Amex in phishing attacks appeared first on Security Affairs.


Microsoft is blocking Tutanota email addresses from registering a MS Teams account

By: Pierluigi Paganini

Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.

Tutanota is an end-to-end encrypted email app and a freemium secure email service; as of March 2017, Tutanota’s owners claimed to have over 2 million users.

The news is that Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.

“Politicians on both sides of the Atlantic are discussing stronger antitrust legislation to regulate Big Tech – and such laws are badly needed as the blocking of Tutanota users from Microsoft Teams demonstrates. Big Tech companies have the market power to harm smaller competitors with some very easy steps like refusing smaller companies’ customers from using their own services.” reads a comment shared by the German email service provider. “Currently, Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account. This severe anti-competitive practice forces our customers to register a second email address – possibly one from Microsoft themselves – to create a Teams account.”

Microsoft doesn’t recognize Tutanota as an email service but treats its domain as a corporate address.

The first time a Tutanota user registered a Teams account, the domain was recognized as a corporation; for this reason, every other user of the email service was unable to register an account and was asked to contact their admin.

[Image: Tutanota]

“We repeatedly tried to solve the issue with Microsoft, but unfortunately our request was ignored”, says Matthias Pfau, co-founder of Tutanota.

“Microsoft would only have to change the settings that Tutanota is an email service so that everyone can register an individual account but they (Microsoft) say such a change is not possible.”

Let’s see if Microsoft will solve the issue, allowing 2 million users to use its MS Teams service.


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)


Serious cyberattack hits German Chambers of Industry and Commerce (DIHK)

By: Pierluigi Paganini

A massive cyberattack hit the website of the German Chambers of Industry and Commerce (DIHK) this week.

A massive attack hit the website of the German Chambers of Industry and Commerce (DIHK) forcing the organization to shut down its IT systems as a precautionary measure for security reasons.

Work on a solution and on defending against the attack is currently under way. We will inform you here which applications are working again: https://t.co/LtrMItl8Sb #IHK #DIHK pic.twitter.com/5OHMOLH7Mz

— DIHK (@DIHK_News) August 4, 2022

“Due to a possible cyber attack, the IHK organization has shut down its IT systems as a precautionary measure for security reasons. We are currently working intensively on a solution and defense. The IT systems are successively started up after testing, so that the services are then available again for companies.” reads the announcement published by the German Chambers of Industry and Commerce (DIHK).

DIHK states that phone and fax are the only channels to use to contact it.

Michael Bergmann, chief executive of DIHK, described the attack as serious and massive; he also added that the organization was not able to estimate how long its systems would be down.

Bergmann did not provide further details about the attack, but the circumstances suggest the German Chambers of Industry and Commerce was the victim of a ransomware attack.

“We will inform you at this point and on other channels which applications are functional again. As soon as the security of our systems has been fully restored, you will of course also be informed.” concludes the announcement.


Pierluigi Paganini

(SecurityAffairs – hacking, German Chambers of Industry and Commerce)


Security Affairs newsletter Round 377

By: Pierluigi Paganini

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you also want to receive the newsletter with the international press for free, subscribe here.

Greek intelligence service used surveillance malware to spy on a journalist, Reuters reports
Slack resets passwords for about 0.5% of its users due to the exposure of salted password hashes
Twitter confirms zero-day used to access data of 5.4 million accounts
The popularity of Dark Utilities ‘C2-as-a-Service’ rapidly increases
DHS warns of critical flaws in Emergency Alert System encoder/decoder devices
CISA adds Zimbra email bug to Known Exploited Vulnerabilities Catalog
Mysterious threat actor TAC-040 used previously undetected Ljl Backdoor
New Linux botnet RapperBot brute-forces SSH servers
New Woody RAT used in attacks aimed at Russian entities
Unauthenticated RCE can allow hacking DrayTek Vigor routers without user interaction
Taiwan Government websites suffered DDoS attacks during the Nancy Pelosi visit
Hackers stole $200 million from the Nomad crypto bridge
Cisco addressed critical flaws in Small Business VPN routers
Power semiconductor component manufacturer Semikron suffered a ransomware attack
Manjusaka, a new attack tool similar to Sliver and Cobalt Strike
Google fixed Critical Remote Code Execution flaw in Android
Busting the Myths of Hardware Based Security
VMware fixed critical authentication bypass vulnerability
LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender
Gootkit AaaS malware is still active and uses updated tactics
Austria investigates DSIRF firm for allegedly developing Subzero spyware 
ALPHV/BlackCat ransomware gang claims to have stolen data from Creos Luxembourg S.A.
Australian man charged with creating and selling the Imminent Monitor spyware
A flaw in Dahua IP Cameras allows full take over of the devices
US Federal Communications Commission (FCC) warns of the rise of smishing attacks
Threat actor claims to have hacked European manufacturer of missiles MBDA
17 Android Apps on Google Play Store, dubbed DawDropper, were serving banking malware
Security Affairs newsletter Round 376 by Pierluigi Paganini
North Korea-linked SharpTongue spies on email accounts with a malicious browser extension

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


GwisinLocker ransomware exclusively targets South Korea

By: Pierluigi Paganini

Researchers spotted a new family of ransomware, named GwisinLocker, that encrypts Windows and Linux ESXi servers.

Researchers warn of a new ransomware called GwisinLocker that is able to encrypt Windows and Linux ESXi servers. The ransomware targets South Korean healthcare, industrial, and pharmaceutical companies; its name comes from the name of the author ‘Gwisin’ (ghost in Korean).

The ransomware is distributed through targeted attacks against specific organizations. 

Experts also reported that the names of South Korean entities, such as the Korean police, the National Intelligence Service, and KISA, are listed on the ransom note.

The Gwisin threat actor hit Korean companies on public holidays and early in the morning according to local media.

The attack chain on Windows systems leverages MSI installer and requires a special value as an argument to run the DLL file included in the MSI.

“It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI.” reads the report published by security firm Ahnlab. “As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware’s internal DLL operates by being injected into a normal Windows process. The process is different for each infected company.”

The GwisinLocker ransomware is able to operate in safe mode: it first copies itself to a certain path under ProgramData, then registers itself as a service before forcing a system reboot.

[Image: GwisinLocker. Source: Ahnlab]

Researchers from Reversinglabs analyzed the Linux version of the ransomware and pointed out that it is a sophisticated piece of malware with features specifically designed to manage Linux hosts and target VMware ESXi virtual machines. GwisinLocker combines AES symmetric-key encryption with SHA256 hashing, generating a unique key for each file.

The victims of the Linux GwisinLocker variant are required to log into a portal operated by the group to get in contact with the crooks.  

“Analysis and public reporting of the larger GwisinLocker campaign suggests the ransomware is in the hands of sophisticated threat actors who gain access to- and control over target environments prior to the deployment of the ransomware. That includes identifying and stealing sensitive data for use in so-called “double extortion” campaigns.” concludes the report published by Reversinglabs. “Details in samples of the group’s ransom notes suggest a familiarity with the Korean language as well as South Korean government and law enforcement. This has led to speculation that Gwisin may be a North Korean-linked advanced persistent threat (APT) group”


Pierluigi Paganini

(SecurityAffairs – hacking, GwisinLocker ransomware)


Greek intelligence service used surveillance malware to spy on a journalist, Reuters reports

By: Pierluigi Paganini

Greek intelligence admitted it had spied on a journalist, while citizens ask the government to reveal the use of surveillance malware.

The head of the Greek intelligence told a parliamentary committee that they had spied on a journalist with surveillance malware, Reuters reported citing two sources present.

The revelation comes while media and journalists are putting pressure on the government to disclose its use of surveillance software.

The committee was called after the leader of the socialist opposition PASOK party, Nikos Androulakis, claimed authorities attempted to install surveillance software on his mobile device.

The practice of using surveillance malware to spy on journalists and politicians emerged in several European countries.

“At the July 29 hearing, Panagiotis Kontoleon, chief of the EYP intelligence service, told parliament’s institutions and transparency committee that his service had spied on Thanasis Koukakis, a financial journalist who works for CNN Greece, two lawmakers present at the hearing told Reuters.” reported Reuters.

“He admitted the surveillance, absolutely,” one of the lawmakers present at the hearing told Reuters on Wednesday.

Curiously, government spokesman Giannis Oikonomou told Reuters that Greek authorities do not use the spyware allegedly used to spy on Koukakis.

In February, the European Data Protection Supervisor (EDPS) called for a ban on the development and use of surveillance software like the Pegasus spyware in the EU.

In April, a report published by Reuters revealed that Israeli surveillance software was used to spy on senior officials in the European Commission.


Pierluigi Paganini

(SecurityAffairs – hacking, Greece)


Slack resets passwords for about 0.5% of its users due to the exposure of salted password hashes

By: Pierluigi Paganini

Slack is resetting passwords for approximately 0.5% of its users after a bug exposed salted password hashes when users created or revoked a shared invitation link for their workspace.

Slack announced that it is resetting passwords for about 0.5% of its users after a bug exposed salted password hashes when creating or revoking shared invitation links for workspaces.

This issue was reported by an independent security researcher and disclosed to Slack on 17 July 2022. The company states that the bug affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.” reads the advisory published by Slack.

[Image: Slack Enterprise Key Management]

Upon receiving the report from the security researcher, the company immediately addressed the flaw and investigated its potential impact on users. Slack pointed out that it doesn’t believe that anyone has obtained plaintext passwords exploiting this issue.

The company also added that it is practically infeasible to derive a password from the associated hash, and exposed hashes cannot be used to authenticate. 

“All active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our Help Centre: https://get.slack.help/hc/en-us/articles/201909068” concludes the advisory. “We recommend that all users use two-factor authentication, ensure that their computer software and antivirus software are up to date, create new, unique passwords for every service that they use and use a password manager.”

The bug is said to have impacted all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022, when it was alerted to the issue by an unnamed independent security researcher.

It’s worth pointing out that the hashed passwords were not visible to any Slack clients, meaning access to the information necessitated active monitoring of the encrypted network traffic originating from Slack’s servers.


Pierluigi Paganini

(SecurityAffairs – hacking, Slack)


Twitter confirms zero-day used to access data of 5.4 million accounts

By: Pierluigi Paganini

Twitter confirmed that the recent data breach that exposed data of 5.4 million accounts was caused by the exploitation of a zero-day flaw.

At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.

The threat actor offered the stolen data for sale on the popular hacking forum Breached Forums. In January, a report published on HackerOne claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities”

The seller claimed that the database contained data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of the data in the form of a CSV file.

[Image: Twitter data leak. Source: RestorePrivacy]

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy.

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.

Now Twitter confirmed that the data breach was caused by the now-patched zero-day vulnerability submitted by zhirinovskiy via bug bounty platform HackerOne.

Twitter confirmed the existence of this vulnerability and awarded zhirinovskiy with a $5,040 bounty.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

The company is notifying the impacted users, it also added that it is aware of the risks caused by the security breach for those users operating a pseudonymous Twitter account to protect their privacy.

The company pointed out that no passwords were exposed, but encourages its users to enable 2-factor authentication using authentication apps or hardware security keys to protect their accounts from unauthorized logins.

BleepingComputer reported that two different threat actors purchased the data for less than the original selling price. This means that threat actors could use this data to target Twitter accounts in the future.


Pierluigi Paganini

(SecurityAffairs – hacking, Data leak)


The popularity of Dark Utilities ‘C2-as-a-Service’ rapidly increases

By: Pierluigi Paganini

Dark Utilities “C2-as-a-Service” is attracting a growing number of customers searching for a command-and-control for their campaigns.

The popularity of the Dark Utilities “C2-as-a-Service” is rapidly increasing, over 3,000 users are already using it as command-and-control for their campaigns.

Dark Utilities was launched in early 2022 as a platform that provides full-featured C2 capabilities to its users. It is advertised as a platform to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.

It allows threat actors to target multiple architectures without requiring technical skills. The operators of the platform offer technical support and assistance to the customers through Discord and Telegram.

“Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel.” reads the analysis published by Cisco Talos researchers. “The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources.”

[Image: Dark Utilities platform]

The platform is hosted on both the clear internet and the Tor network; its operators offer premium access to the platform, associated payloads and API endpoints for 9.99 euros. At the time of writing, the platform had enrolled roughly 3,000 users, which corresponds to approximately 30,000 euros in income.

The Dark Utilities platform uses Discord for user authentication, it implements a dashboard displaying platform statistics, server health status and other metrics.

Users can generate new payloads for specific operating systems and deploy them on the victim machines.

“Selecting an operating system causes the platform to generate a command string that threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.” continues the report.

The researchers pointed out that payloads provided by the platform are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.

IPFS is a distributed, peer-to-peer network that resists takedown by authorities. IPFS supports gateways, which operate similarly to Tor2Web gateways, allowing users on the internet to access content hosted within IPFS without installing a client application.

Dark Utilities appears to have been designed by a threat actor that goes under the moniker Inplex-sys. 

Talos researchers believe Inplex-sys collaborated with one of the operators of a botnet service called Smart Bot, which is designed to launch spam attacks, or “raids” against the Discord and Twitch communication platforms.

“Although the Dark Utilities platform was recently established, thousands of users have already been enrolled and joined the platform. Given the amount of functionality that the platform provides and the relatively low cost of use, we expect this platform will continue to rapidly expand its user base.” concludes the report. “This will likely result in an increase in the volume of malware samples in the wild attempting to establish C2 using the platform.”


Pierluigi Paganini

(SecurityAffairs – hacking, c2-as-a-service)
