- — GuLoader implements new evasion techniques
![[*]](img/ib-star_nm.png "mark favorite")
![[+]](img/ib-marked_nm.png "mark as new")
![[-]](img/ib-markold_nm.png "mark older as read")
![[x]](img/ib-delete_nm.png "delete article")
![[A+]](img/ib-fontbg_nm.png "larger font")
![[a-]](img/ib-fontsm_nm.png "smaller font")
![[l]](img/ib-link_nm.png "direct link")
at 12/26/22 10:33amCybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader. CrowdStrike researchers d a detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE). GuLoader uses a polymorphic shellcode loader to avoid traditional security solutions, the experts mapped all embedded DJB2 hash values for every API used by the malicious code. The malware uses an anti-analysis technique to avoid execution in virtualized environments. In dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings. reads the analysis published by CrowdStrike. New redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions. GuLoader first appeared on the threat landscape in 2019, it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT. Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file. GuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult. reads the analysis. A recent GuLoader variant analyzed by the experts exhibits a multistage deployment: The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory. The second stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process. The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine. The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code. The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities. It then maps that section via NtMapViewofSection on the suspended process. continues the analysis. If this injection technique fails, it uses the following redundancy method: a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll, to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub: mov eax,18 mov edx,ntdll.77178850 call edx ret 18 It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address. It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address. Experts pointed out that GuLoader remains a dangerous threat that constantly evolves, they also shared Indicators of Compromise for the latest variant of the downloader. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, GuLoader) The post GuLoader implements new evasion techniques appeared first on Security Affairs.- — Critical Linux Kernel flaw affects SMB servers with ksmbd enabled
- at 12/25/22 4:38pmExperts warn of a critical Linux Kernel vulnerability (CVSS score of 10) impacting SMB servers that can lead to remote code execution. A critical Linux kernel vulnerability (CVSS score of 10) exposes SMB servers with ksmbd enabled to hack. KSMBD is a Linux kernel server that implements SMB3 protocol in kernel space for sharing files over the network. An unauthenticated, remote attacker can execute arbitrary code on vulnerable installations of the Linux Kernel. The flaw resides in the processing of SMB2_TREE_DISCONNECT commands. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. reads the advisory published by ZDI. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel. The vulnerability was discovered on July 26, 2022, by the researchers Arnaud Gatignol, Quentin Minster, Florent Saudel, Guillaume Teissier from the Thalium Team at Thales Group. The flaw was publicly disclosed on December 22, 2022. The researcher Shir Tamari, Head of Research at Wiz_IO, SMB servers using Samba are not affected, he also added that SMB servers using ksmbd are vulnerable to read access that could leak servers memory (similar to the vulnerability Heartbleed). ksmbd is new; most users still use Samba and are not affected. Basically, if you are not running SMB servers with ksmbd, enjoy your weekend. added Tamari. ksmbd is new; most users still use Samba and are not affected. Basically, if you are not running SMB servers with ksmbd, enjoy your weekend.— Shir Tamari (@shirtamari) December 22, 2022 Admins using ksmbd must update to Linux kernel version 5.15.61, which was released in August, or a newer version. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, Linux) The post Critical Linux Kernel flaw affects SMB servers with ksmbd enabled appeared first on Security Affairs.
- — Experts warn of attacks exploiting WordPress gift card plugin
- at 12/25/22 12:42pmThreat actors are actively exploiting a critical flaw in the YITH WooCommerce Gift Cards Premium WordPress plugin installed by over 50,000 websites. Hackers are actively exploiting a critical vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), affecting the WordPress plugin YITH WooCommerce Gift Cards Premium. The YITH WooCommerce Gift Cards Premium plugin allows websites of online stores to sell gift cards, a WordPress plugin used on over 50,000 websites. The CVE-2022-45359 flaw is an Arbitrary File Upload issue that can allow an unauthenticated attacker to upload files to vulnerable sites, including web shells that provide full access to the site. The issue was discovered on November 22, 2022, and was addressed with the release of version 3.20.0. Due to the presence of a lot of websites that are still using vulnerable versions of the plugin, threat actors are exploring the flaw in attacks in the wild to upload backdoors on the e-stores. The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor. reported Wordfence. This allows attackers to place a back door, obtain Remote Code Execution, and take over the site. The researchers were able to reverse engineer the exploit and discovered that the issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook. The hook runs for any page in the /wp-admin/ directory and allows to trigger functions that run on it as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php. The experts noticed that the import_actions_from_settings_panel function also lacks a capability check and a CSRF check. An unauthenticated attacker can send POST requests to “/wp-admin/admin-post.php” using the certain parameters to upload a malicious PHP executable on the site. Since the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter. continues the report. Since the function also does not perform any file type checks, any file type including executable PHP files can be uploaded. The experts added that it is possible to discover the attacks by analyzing the logs and checking unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Below are some files uploaded by threat actors in attacks analyzed by Wordfence: kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com) b.php – this file is a simple uploader admin.php – this file is a password-protected backdoor Most of the attacks observed by Wordfence originated from 103.138.108.15 (19604 attacks against 10936 different sites) and 188.66.0.135 IP addresses (1220 attacks against 928 sites). The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future. concludes the report. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, WordPress plugin) The post Experts warn of attacks exploiting WordPress gift card plugin appeared first on Security Affairs.
- — Updated: Data of 400 Million Twitter users up for sale
- at 12/25/22 9:52amA threat actor is claiming they have obtained data of 400,000,000 Twitter users and is offering it for sale. A threat actor claims they have obtained data of 400,000,000 Twitter users and is attempting to sell it. The seller claims the database is private, he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more. The seller, a member of data breach forums named Ryushi, claims the data was scraped via a vulnerability, it includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of OG and special usernames. The seller is also inviting Twitter and Elon Musk to buy the data to avoid GDPR lawsuits. Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source. Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively. reads the advertising. The seller also announced that the sale is covered by the escrow service offered by the Breached forum administrators (pompompurin). At this time is it not possible to verify the claims of the seller. Irelands Data Protection Commission on Friday opened a probe into Twitter over an August data breach that has reportedly impacted 5.4 million Twitter users. The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email / phone and retrieve a Twitter profile (https://lnkd.in/dMsWwiJa), this is extremely similar to the Facebook 533m database that I originally reported about in 2021 and resulted in a $275,000,000 fine to Meta. explained Alon Gal, co-Founder of threat intelligence firm Hudson Rock. BREAKING: Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data.The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin OLeary, Vitalik Buterin & more (1/2). pic.twitter.com/wQU5LLQeE1— Hudson Rock (@RockHudsonRock) December 24, 2022 Update December 26, 2022 Alon Gal reported that Twitter placed a readers context in which they attribute the 400,000,0000 Twitter user database to the August data leak impacting 5,400,000 users, but according to the expert it is false. This is easily disproved by comparing the samples in the new leak to the older 5.4m version which had already been leaked publicly. Gal explained. 250 out of 1000 are found. (the count would have been lower had it been a sample of non-verified accounts) I cant share some sensitive information I have, but as time goes on I am more confident this is a 400,000,000 users leak, and as always, it will unfortunately leak to the hands of every hacker for free. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, data breach) The post Updated: Data of 400 Million Twitter users up for sale appeared first on Security Affairs.
- — Data of 400 Million Twitter users up for sale
- at 12/25/22 9:52amA threat actor is claiming they have obtained data of 400,000,000 Twitter users and is offering it for sale. A threat actor claims they have obtained data of 400,000,000 Twitter users and is attempting to sell it. The seller claims the database is private, he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more. The seller, a member of data breach forums named Ryushi, claims the data was scraped via a vulnerability, it includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of OG and special usernames. The seller is also inviting Twitter and Elon Musk to buy the data to avoid GDPR lawsuits. Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source. Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively. reads the advertising. The seller also announced that the sale is covered by the escrow service offered by the Breached forum administrators (pompompurin). At this time is it not possible to verify the claims of the seller. Irelands Data Protection Commission on Friday opened a probe into Twitter over an August data breach that has reportedly impacted 5.4 million Twitter users. The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email / phone and retrieve a Twitter profile (https://lnkd.in/dMsWwiJa), this is extremely similar to the Facebook 533m database that I originally reported about in 2021 and resulted in a $275,000,000 fine to Meta. explained Alon Gal, co-Founder of threat intelligence firm Hudson Rock. The Irish Data Protection Commission on Friday announced an investigation into a August incident that saw the contact records of 5.4 million Twitter users dumped on the same forum favored by Ryushi Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, data breach) The post Data of 400 Million Twitter users up for sale appeared first on Security Affairs.
- — Security Affairs newsletter Round 399 by Pierluigi Paganini
- at 12/25/22 6:43amA new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. Expert found Backdoor credentials in ZyXEL LTE3301 M209Raspberry Robin malware used in attacks against Telecom and GovernmentsTikTok parent company ByteDance revealed the use of TikTok data to track journalistsBetMGM discloses security breach impacting 1.5 Million customersAn Iranian group hacked Israeli CCTV cameras, defense was aware but didn’t block itLastPass revealed that encrypted password vaults were stolenVice Society ransomware gang is using a custom lockerA new Zerobot variant spreads by exploiting Apache flawsNorth Korea-linked hackers stole $626 million in virtual assets in 2022Play ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange serversOkta revealed that its private GitHub repositories were hacked this monthShoemaker Ecco leaks over 60GB of sensitive data for 500+ daysGerman industrial giant ThyssenKrupp targeted in a new cyberattackUAC-0142 APT targets Ukraine’s Delta military intelligence programRussia-linked Gamaredon APT targeted a petroleum refining company in a NATO nation in AugustMicrosoft shares details for a Gatekeeper Bypass bug in Apple macOSMalicious PyPI package posed as SentinelOne SDK to serve info-stealing malwareOld vulnerabilities in Cisco products actively exploited in the wildExperts spotted a variant of the Agenda Ransomware written in RustPlay ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange serversOkta revealed that its private GitHub repositories were hacked this monthShoemaker Ecco leaks over 60GB of sensitive data for 500+ daysGerman industrial giant ThyssenKrupp targeted in a new cyberattackUAC-0142 APT targets Ukraine’s Delta military intelligence programRussia-linked Gamaredon APT targeted a petroleum refining company in a NATO nation in AugustMicrosoft shares details for a Gatekeeper Bypass bug in Apple macOSMalicious PyPI package posed as SentinelOne SDK to serve info-stealing malwareOld vulnerabilities in Cisco products actively exploited in the wildExperts spotted a variant of the Agenda Ransomware written in RustUS Gov warns of BEC attacks to hijack shipments of food productsGlupteba botnet is back after Google disrupted it in December 2021Google announced end-to-end encryption for Gmail webFire and rescue service in Victoria, Australia, confirms cyber attack Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, newsletter) The post Security Affairs newsletter Round 399 by Pierluigi Paganini appeared first on Security Affairs.
- — Microsoft fined €60 million in France for using advertising cookies without consent
- at 12/25/22 5:47amFrances privacy watchdog fines €60 million Microsoft for using advertising cookies without explicit customer consent. Frances privacy watchdog fines €60 million Microsofts Ireland subsidiary for using advertising cookies without the explicit consent of its customers. The practice violated the European data protection law. The CNIL received a complaint relating to the conditions for the deposit of cookies on bing.com, and investigated the issue in September 2020 and May 2021. Microsoft did not implement for the home page of the Bing search engine a mechanism to refuse cookies as easily as accepting them. CNIL found that when a user visited this site, cookies were placed on their terminal without their consent, while they were pursuing, in particular, an advertising objective. She also noticed the absence of a button allowing to refuse the deposit of cookies as easily as to accept it. reads the announcement published by the Commission nationale de linformatique et des libertés (CNIL). Consequently, the Restricted Committee, the body of the CNIL responsible for pronouncing the sanctions, sanctioned the company MICROSOFT IRELAND OPERATIONS LIMITED with a fine of 60 million euros , made public. The Restricted Committee is also ordering that Microsoft collects on the bing.com website, within three months, the consent of persons residing in France before filing on their terminal cookies and trackers for advertising purposes. Otherwise, the company will be sanctioned with a penalty of 60,000 euros per day of delay. Microsoft told the Wall Street Journal that it has already addressed the issue by implementing an option to reject advertising cookies. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, privacy) The post Microsoft fined €60 million in France for using advertising cookies without consent appeared first on Security Affairs.
- — Microsoft fined €60 million in France for using advertising cookies without consent
- at 12/25/22 5:47amFrances privacy watchdog fines €60 million Microsoft for using advertising cookies without explicit customer consent. Frances privacy watchdog fines €60 million Microsofts Ireland subsidiary for using advertising cookies without the explicit consent of its customers. The practice violated the European data protection law. The CNIL received a complaint relating to the conditions for the deposit of cookies on bing.com, and investigated the issue in September 2020 and May 2021. Microsoft did not implement for the home page of the Bing search engine a mechanism to refuse cookies as easily as accepting them. CNIL found that when a user visited this site, cookies were placed on their terminal without their consent, while they were pursuing, in particular, an advertising objective. She also noticed the absence of a button allowing to refuse the deposit of cookies as easily as to accept it. reads the announcement published by the Commission nationale de linformatique et des libertés (CNIL). Consequently, the Restricted Committee, the body of the CNIL responsible for pronouncing the sanctions, sanctioned the company MICROSOFT IRELAND OPERATIONS LIMITED with a fine of 60 million euros , made public. The Restricted Committee is also ordering that Microsoft collects on the bing.com website, within three months, the consent of persons residing in France before filing on their terminal cookies and trackers for advertising purposes. Otherwise, the company will be sanctioned with a penalty of 60,000 euros per day of delay. Microsoft told the Wall Street Journal that it has already addressed the issue by implementing an option to reject advertising cookies. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, privacy) The post Microsoft fined €60 million in France for using advertising cookies without consent appeared first on Security Affairs.
- — Expert found Backdoor credentials in ZyXEL LTE3301 M209
- at 12/24/22 10:20amThe cybersecurity researcher RE-Solver discovered Backdoor credentials in ZyXEL LTE3301-M209 LTE indoor routers. Security researcher ReSolver announced the discovery of hardcoded credentials (CVE-2022-40602) in ZyXEL LTE3301-M209 LTE indoor routers. In previous research, the expert discovered a Telnet backdoor in D-Link DWR-921 which is also present in the ZyXEL LTE3301-M209 as well. The researcher analyzed the commander ELF, focusing on the amit* functions that were containing the backdoor in D-Link routers.Unlike the D-Link analysis, the researchers has no physical access to the device and attempted to retrieve the password from the config. The firmware is basically a merge of 3 sections, the LZMA section is the kernel, at 0x148CD6 the root-fs and at 0x90BD36 the www content. wrote the expert. Inside the last Squashfs there is a [censored] file which is contains at 0x10 the Zlib magic bytes. Once unpacked the file, ReSolver noticed the following sequence: Despite he did not find Telnet credentials, he discovered something which looks like a backdoor in the webUI. Same as before and unpack the config.dat is going to contain the telnet login password states the expert. Lets put things together: On ZyXEL LTE3301 we have two ways to own the device: webUI credentials > username / WebUIFakePassword telnet credentials > root / TelnetFakePassword Owners of impacted devices have to upgrade them with the latest firmware release as soon as possible. Below is the timeline for this issue: 12 Sep 2022: Vulnerability reported to ZyXEL 13 Sep 2022: ZyXEL asks for detail in order to replicate the vulnerability. 13 Sep 2022: Details sent to ZyXEL. 14 Sep 2022: ZyXEL confirms that the issues only affect the LTE3301-M209 model. Theyre working to the vendor to fix it. They ask to keep the information confidential until the patch has been released. 17 Sep 2022: Waiting for the patch. 19 Oct 2022: The issue is now tracked by CVE-2022-40602 22 Nov 2022: ZyXELs security bullettin published. A firmware fix has been released. 24 Dec 2022 Hopefully users has now updated their own devices, Its time to make my blog post public. The expert and the Zyxel PSIRT decided to avoid disclosing the credentials the prevent massive exploitation in the wild. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, ZyXEL LTE3301-M209) The post Expert found Backdoor credentials in ZyXEL LTE3301 M209 appeared first on Security Affairs.
- — Raspberry Robin malware used in attacks against Telecom and Governments
- at 12/24/22 7:16amThe Raspberry Robin worm attacks aimed at telecommunications and government office systems across Latin America, Australia, and Europe. Researchers from Trend Micro have uncovered a Raspberry Robin worm campaign targeting telecommunications and government office systems across Latin America, Australia, and Europe. The campaign has been active since at least September 2022, most of the infections have been observed in Argentina (34,8%), followed by Australia (23,2%). We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. reads the report published by Trend Micro. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools. Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices. The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure. The malware was first spotted in September 2021, the experts observed it targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices. The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file. Then msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn run rundll32.exe to execute a malicious command. Experts pointed out that processes launched by a fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt. Raspberry Robin infection routine (Source Trend Micro) The worm was attributed by IBM to the cybercrime gang Evil Corp, however, it is used by multiple threat actors to deliver malicious payloads such as the Clop ransomware. The analysis conducted by Trend Micro revealed that the main malware routine contains both the real and fake payloads. The fake payload is loaded once the malicious code detects sandboxing tools, meanwhile the real payload remains obfuscated under packing layers and subsequently connects to the Tor network. Once installed the malware contact the hard-coded .onion address using an embedded custom TOR client designed to communicate with the real payload using shared memory and it to await further commands. Upon starting the Tor client process, the real payload randomly uses a name of a legitimate Windows processes like dllhost.exe, regsvr32.exe, and rundll32.exe. The real routine of the malware runs in a specialized Windows session known as Session 0. Trend Micro experts discovered multiple similarities with privilege escalation and an anti-debugging technique implemented by LockBit ransomware leading to these hypothesis: The group behind LockBit is also behind Raspberry Robin. The group behind Raspberry Robin is the maker of some of the tools LockBit is also using. The group behind Raspberry Robin availed of the services of the affiliate responsible for the techniques used by LockBit. owever, even if Raspberry Robin uses the same techniques, we cannot conclude for certain that the actors behind LockBit and Raspberry Robin are the same. concludes the report. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, malware) The post Raspberry Robin malware used in attacks against Telecom and Governments appeared first on Security Affairs.
- — TikTok parent company ByteDance revealed the use of TikTok data to track journalists
- at 12/23/22 3:27pmByteDance admitted that its employees accessed TikTok data to track journalists to identify the source of leaks to the media. TikTok parent company ByteDance revealed that several employees accessed the TikTok data of two journalists to investigate leaks of company information to the media. According to an email from ByteDances general counsel Erich Andersen which was seen by the AFP news agency, the Chinese company was attempting to discover who shared company information with a Financial Times reporter and a former BuzzFeed journalist. The company fired an undisclosed number of employees who were involved in the data leak because they violated the companys Code of Conduct, but it did not reveal their names. In an attempt to discover the location of the unfaithful employees, the Chinese personnel analyzed their IP addresses, but this method was approximate. Employees had obtained the IP addresses of the journalists in a bid to determine whether they were in the same location as ByteDance colleagues suspected of disclosing confidential information, a company review of the scheme led by its compliance team and an external law firm found, according to Andersen. reported the AFP. Source: Messagero TikTok is going to be banned from most U.S. government devices under a spending bill Congress unveiled early Tuesday, the latest push by American lawmakers against the Chinese-owned social media app. TikTok would be banned from most U.S. government devices under a spending bill Congress that was announced this week. CIA Director William Burns said that the Chinese government can “insist upon extracting the private data of a lot of TikTok users in this country and also to shape the content of what goes on to TikTok as well to suit the interests of the Chinese leadership.” Brooke Oberwetter, a spokesperson for TikTok, said that the ban is a political gesture that will do nothing to advance national security interests. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, intelligence) The post TikTok parent company ByteDance revealed the use of TikTok data to track journalists appeared first on Security Affairs.
- — BetMGM discloses security breach impacting 1.5 Million customers
- at 12/23/22 12:06pmOnline sports betting company BetMGM suffered a data breach and threat actors offered for sale a database containing the data of 1.5 million customers. On December 21, the online sports betting company BetMGM disclosed a data breach while threat actors offered for sale a database containing the information of 1,569,310 million BetMGM customers. We breached BetMGMs casino database current as of Nov 2022. The database is inclusive of every BetMGM casino customer (over 1.5M) as of November 2022 from MI, NJ, ON, PV, and WV. Any customer that has placed a casino wager included in this database. reads the announcement published by the seller on BreachForums. The attackers had access to the personal information of some patrons, including name, contact information (such as postal address, email address and telephone number), date of birth, hashed Social Security number, account identifiers (such as player ID and screen name) and information related to transactions with us. According to the notice published by the company on its website, the compromised information varied by patron. The company launched an investigation into the security breach and hired leading security experts to determine the scope of the incident. BetMGM learned of the data breach on November 28, 2022, and dated it back to May 2022. The company pointed out that there is no evidence that patron passwords or account funds were accessed. Our online operations were not compromised. We are coordinating with law enforcement and taking steps to further enhance our security. We have learned that certain BetMGM patron records were obtained in an unauthorized manner. reads the statement published by the company on its website. We are coordinating with law enforcement and taking steps to further enhance our security. We recommend patrons remain alert for any unsolicited communications regarding their personal information and review their accounts for suspicious activity. We take our obligation to safeguard personal information very seriously and have arranged to offer affected patrons credit monitoring and identity restoration services for two years at no cost to them. The Reference Guides below provide information on steps you can take to protect your information. The company recommends patrons change passwords and remain vigilant for any unsolicited communications regarding their personal information and review their accounts for suspicious activity. The company is offering impacted patrons two years of free credit monitoring and identity restoration services at no cost to them. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, BetMGM data breach) The post BetMGM discloses security breach impacting 1.5 Million customers appeared first on Security Affairs.
- — An Iranian group hacked Israeli CCTV cameras, defense was aware but didn’t block it
- at 12/23/22 7:14amAn Iranian group hacked dozens of CCTV cameras in Israel in 2021 and maintained access for a long period of time. An Iranian group of hackers, known as Moses Staff, had seized control of dozens of Israeli CCTV cameras, the hack was known to the authorities that did nothing to stop it, reported The Times of Israel which had access to a preview of the full investigative report. In a preview of a full investigative report set to be aired on Tuesday, the Kan public broadcaster said officials did not take action to secure the cameras, despite their knowledge of the activities of the group, known as Moses Staff. reported The Times of Israel. חשיפה: מצלמות הגוף הביטחוני שצילמו את הפיגוע ביציאה מירושלים לפני כחודש נפרצו על ידי האקרים איראנים כבר לפני יותר משנה. גורמי ביטחון ידעו. התחקיר המלא של @orenaharoni1 מחר ב-#חדשותהערב pic.twitter.com/fMhv3i8S72— כאן חדשות (@kann_news) December 19, 2022 According to Kan, hackers gained access to the CCTV cameras and were able to control them for a lengthy period. In 2021, the group published footage on its Telegram channel of the surroundings of Israel’s Rafael defense contractor factory in Haifa, as well as footage from cameras throughout Israeli cities of Jerusalem and Tel Aviv. A picture shows a security camera of a big security organization that was hacked by Iranian hackers, in Jerusalem, November 24, 2022 . Photo by Olivier Fitoussi/Flash90 *** Local Caption *** אירן שבכ מצלמת אבטחה האקר פיגוע תיעוד נפרץ Source (The Times of Israel) The group published several videos, including footage of an arms facility and of a terror attack in Jerusalem in November. An Iranian hacker group calling itself Moses Staff published documentation showing CCTV footage of one of the bombings that happened in Jerusalem Wednesday morning. pic.twitter.com/6ZKjb0fsy9— Joe Truzman (@JoeTruzman) November 24, 2022 The video of the attack was a previously unseen footage and came from surveillance cameras used by a major Israeli security organization. The Moses Staff group claimed it had hacked security cameras. “We’ve been surveillance [sic] you for many years, at every moment and on each step. This is just one part of our surveillance over your activities through access to CCTV cameras in the country. We had said that, we will strike you while you never would have imagined,” the group wrote on its Telegram channel in January speaking to the Israeli intelligence. Now security officials told Kan that the footages uploaded by Moses Staff come from civilian cameras that were not connected to any security infrastructure. According to Kan, the full report provides details on the surveillance acitvity conducted by Moses Staff by hacking the cameras to spy on senior Israeli officials, it also includes information of the Iranian group. According to The Times of Israel, in June the Iranian hacker group claimed responsibility for a cyberattack that caused rocket sirens to go off in some areas of Jerusalem and the southern city of Eilat. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, Iranian group) The post An Iranian group hacked Israeli CCTV cameras, defense was aware but didn’t block it appeared first on Security Affairs.
- — LastPass revealed that encrypted password vaults were stolen
- at 12/23/22 2:49amThe data breach suffered by LastPass in August 2022 may have been more severe than previously thought. In August password management software firm LastPass disclosed a security breach, threat actors had access to portions of the company development environment through a single compromised developer account and stole portions of source code and some proprietary technical information. In response to the incident, the company deployed containment and mitigation measures and implemented additional enhanced security measures. The company engaged a leading cybersecurity and forensics firm to investigate the incident, at the time of disclosure it confirmed that the data breach did not compromise users’ Master Passwords. In an update published on Thursday, the company revealed that threat actors obtained personal information belonging to its customers, including encrypted password vaults. The company discovered that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the August security incident. The attackers used the info accessed to target another employee and obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service. The update highlights that the cloud storage service accessed by the threat actor is physically separate from the production environment. Once obtained the cloud storage access key and dual storage container decryption keys, the attackers copied information from backup that contained basic customer account information and related metadata. Copied data include company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor also copied a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format. The backup contains both unencrypted data (i.e. Website URLs) and 256-bit AES-encrypted sensitive (i.e. Website usernames and passwords, secure notes, and form-filled data). The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. reads the update provided by the company. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. The risk for customers is that threat actors may attempt to brute force their master password and decrypt the copies of the vault data they copied. LastPass added that the hashing and encryption methods used are extremely robustand it is hard for attackers to guess master passwords for customers who follow password best practices. This means that customers that have used weak passwords may be at risk. LastPass confirmed that threat actors did not access unencrypted credit card data because it does not store this information in this cloud storage environment. The company notified a small subset (less than 3%) of its Business customers to recommend that they take certain actions based on their specific account configurations. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, data breach) The post LastPass revealed that encrypted password vaults were stolen appeared first on Security Affairs.
- — Vice Society ransomware gang is using a custom locker
- at 12/22/22 3:51pmThe Vice Society ransomware group has adopted new custom ransomware, with a strong encryption scheme, in recent intrusions. SentinelOne researchers discovered that the Vice Society ransomware gang has started using a custom ransomware that implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms. Vice Society ransomware has been active since June 2021, it is considered by researchers a spin-off of the HelloKitty ransomware, the malware targets both Windows and Linux systems primarily belonging to small or midsize victims. This group focuses on public school districts and other educational institutions, like other ransomware gangs it implements a double extortion model and publishes data stolen from the victims on a data leak site. The new variant, dubbed “PolyVice”, was used in a recent attack and appended the file extension .ViceSociety to all encrypted files. The malware dropped ransom notes with the file name “AllYFilesAE” in each encrypted directory. The researchers speculate the ransomware was in the early stages of development, they found debugging messages in the code. SentinelOne noticed a significant overlap with the process implemented in the RedAlert ransomware, a circumstance that suggests that both variants were developed by the same threat actor. Further investigation also revealed that codebase for the Vice Society Windows payload has been used to build custom-branded payloads for other ransomware groups, such as “Chily” and “SunnyDay.” We assess it’s likely that a previously unknown developer or group of developers with specialized expertise in ransomware development is selling custom-branded ransomware payloads to multiple groups. The details embedded in these payloads make it highly unlikely that Vice Society, SunnyDay, and Chily ransomware are operated by the same group. continues the report. The delivery method for this “Locker as a Service” is unclear, but the code design suggests the ransomware developer provides a builder that enables buyers to independently generate any number of lockers/decryptors by binary patching a template payload. Buyers can customize their ransomware without revealing any source code and can generate branded payloads to run their own RaaS programs. The encryption scheme used by PolyVice combines asymmetric and symmetric encryption to securely encrypt files. It leverages a quantum-resistant NTRUEncrypt algorithm for asymmetric encryption, and an open source implementation of the ChaCha20-Poly1305 algorithm for symmetric encryption. The PolyVice locker implement a multi-threading approach to parallelize the encryption process. The malware uses the CreateThread function to spawn multiple workers and relies on a WaitForMultipleObject call to synchronize with the main thread, The main thread and the worker threads use an I/O Completion Port to exchange data. PolyVice worker reads the file content to determine the speed optimizations to apply which depend on the file size. The PolyVice ransomware applies intermittent encryption selectively. Files smaller than 5MB are fully encrypted. Files with a size between 5MB and 100MB are partially encrypted: A total of 5MB of content is encrypted by splitting them into 2 chunks of 2.5MB. First chunk from the top and the second chunk from the bottom of the file. Files bigger than 100MB are partially encrypted: A total of 25MB of content is encrypted in intermittent mode split into 10 chunks of 2.5MB distributed every 10% of the file size. The adoption of the PolyVice Ransomware variant has further strengthened their ransomware campaigns, enabling them to quickly and effectively encrypt victims’ data using a robust encryption scheme. concludes the report. The ransomware ecosystem is constantly evolving, with the trend of hyperspecialization and outsourcing continuously growing. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, Vice Society ransomware) The post Vice Society ransomware gang is using a custom locker appeared first on Security Affairs.
- — A new Zerobot variant spreads by exploiting Apache flaws
- at 12/22/22 8:27amMicrosoft spotted an upgraded variant of the Zerobot botnet that spreads by exploiting Apache vulnerabilities. Microsoft Threat Intelligence Center (MSTIC) researchers discovered a new variant of the Zerobot botnet (aka ZeroStresser) that was improved with the capabilities to target more Internet of Things (IoT) devices. The IT giant is tracking this cluster of threat activity as DEV-1061. Zerobot operators are offering the botnet as a malware-as-a-service model, one domain (zerostresser[.]com) with links to the bot was among the 48 domains associated with DDoS-for-hire services seized by the FBI in December. The Zerobot botnet first appeared in the wild in November 2022 targeting devices running on Linux operating system. The Go-based botnet spreads by exploiting two dozen security vulnerabilities in the internet of things (IoT) devices and other applications. The most recent variant spotted by Microsoft spreads by exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively) and also supports new DDoS attack capabilities. The Zerobot botnet can propagate through brute force attacks on vulnerable devices with insecure configurations that use default/weak credentials. Experts observed the bot attempting to gain access to the device by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323. The researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323. Zerobot was also observed spreading by exploiting dozens of vulnerabilities, the version Zerobot 1.1 includes several new flaws, including: VulnerabilityAffected softwareCVE-2017-17105Zivif PR115-204-P-RSCVE-2019-10655GrandstreamCVE-2020-25223WebAdmin of Sophos SG UTMCVE-2021-42013ApacheCVE-2022-31137Roxy-WICVE-2022-33891Apache SparkZSL-2022-5717MiniDVBLinux Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID “ZERO-32906” for CVE-2018-20057, “GPON” for CVE-2018-10561, and “DLINK” for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013. reads the analysis published by Microsoft. Researchers also discovered that Zerobot propagates by compromising devices with known flaws that are not included in the malware binary, such as a command injection vulnerability in Tenda GPON AC1200 routers, which is tracked as CVE-2022-30023. Zerobot targets multiple architectures, including i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. The bot is saved using the filename “zero.” The continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. concludes Microsoft that provides the following recommendations to protect devices and networks against the threat of Zerobot: Use security solutions with cross-domain visibility and detection capabilities. Adopt a comprehensive IoT security solution. Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access. Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches. Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device. Harden endpoints with a comprehensive Windows security solution Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, botnet) The post A new Zerobot variant spreads by exploiting Apache flaws appeared first on Security Affairs.
- — North Korea-linked hackers stole $626 million in virtual assets in 2022
- at 12/22/22 5:25amNorth Korea-linked threat actors have stolen an estimated $1.2 billion worth of cryptocurrency and other virtual assets in the past five years. South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years. According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press. The Government of Pyongyang focuses on crypto hacking to fund its military program following harsh U.N. sanctions. South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cybercrimes since U.N. economic sanctions were toughened in 2017 in response to its nuclear and missile tests. reported the AP agency. North Korea cannot export its products due to the U.N. sanctions imposed in 2016 and 1017, and the impact on its economy is dramatic. The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea. Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security. Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years. According to local media, US federal prosecutors believe that North Korea’s government considers cryptocurrency a long-term investment and it is amassing crypto funds through illegal activities. In a classified report cited by Chosun, the US National Intelligence Service (DNI) found that North Korea was financing its ‘priority policies’, such as nuclear and missile development, through cybercrime. Government experts noticed that nation-state actors are not immediately cashing out all the stolen crypto to create a crypto fund reserve. “Citing the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the media reported that all banks in the world are being targeted by North Korea’s cyberattacks. It also reported that North Korea is committing cybercriminals such as stealing defense secrets from major powers, using ransomware to steal funds, hijacking cryptocurrencies, and “laundering” criminal proceeds into cryptocurrencies.” reads a post published by Chosun. “Then, citing the results of investigations by the United States and the UN Security Council, it was estimated that the Kim Jong-un regime’s fraudulent profits from cyber crimes have already reached $2.3 billion (about 2.7 trillion won).” The report states that North Korea-linked attacks employed the AppleJeus malware to steal cryptocurrency. According to Bloomberg, multiple versions of Apple Zeus have been used in attacks against entities in 30 countries since 2018, and according to a UN and US investigation, between 2019 and November 2020, North Korean hackers stole $316.4 million in cryptocurrency through this program. 380 billion. According to Chosun, North Korea’s dependence on cybercrime will increase due to international sanctions that limit the amount of money that North Korea can earn from coal exports to $400 million (about 480 billion won) per year. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, cryptocurrency) The post North Korea-linked hackers stole $626 million in virtual assets in 2022 appeared first on Security Affairs.
- — Play ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange servers
- at 12/21/22 4:26pmPlay ransomware attacks target Exchange servers with a new exploit that bypasses Microsoft’s ProxyNotShell mitigations. Play ransomware operators target Exchange servers using a new exploit chain, dubbed OWASSRF by Crowdstrike, that bypasses Microsoft’s mitigations for ProxyNotShell vulnerabilities. The ProxyNotShell flaws are: CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability they impact Exchange Server 2013, 2016, and 2019, an authenticated attacker can trigger them to elevate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution on vulnerable servers. Microsoft addressed both vulnerabilities with the release of Patch Tuesday updates for November 2022 security updates. The exploit was used by attackers to bypass URL rewrite mitigations for the Autodiscover endpoint implemented by Microsoft in response to ProxyNotShell. Then the ransomware gang leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity. CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell. reads the analysis published by Crowdstrike. After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity. In the attacks investigated by the experts, the threat actor cleared Windows Event Logs on affected backend Exchange servers to prevent investigation on the PowerShell commands used by the attackers. CrowdStrike security researchers were working to develop proof-of-concept (POC) code in an attempt to reproduce the one used in recent Play ransomware attacks. Simultaneously, a researcher from HuntressLabs discovered an attacker’s tooling via an open repository and shared it through a MegaUpload link. 179.60.149.28 Initial access #ProxyNotShell Bitsadmin to download tooling (http://179.60.149.28:4427/). Installed Screen Connect, ID: b81d2f07c9163bf5, URL: instance-cmjrni-relay.screenconnect[.]com Deployed MimikatzCrawled and saved their tools, you can access pic.twitter.com/8vA3LNtpul— Dray Agha (@Purp1eW0lf) December 14, 2022 The leaked tools included a Python script, poc.py, that when executed, led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks. CrowdStrike researchers Dray Agha replicated the exploit method attack on Exchange systems that were not patched against ProxyNotShell, but could not replicate the attack on patched systems. Organizations are recommended to apply Microsoft’s November 2022 security updates immediately, disable remote PowerShell for non-administrative users, and to deploy endpoint detection and response (EDR) tools. Users that cannot apply the KB5019758 patch immediately should disable OWA until the patch can be applied. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, ransomware) The post Play ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange servers appeared first on Security Affairs.
- — Okta revealed that its private GitHub repositories were hacked this month
- at 12/21/22 12:32pmAmerican identity and access management giant Okta revealed that that its private GitHub repositories were hacked this month. Okta revealed that its private GitHub repositories were hacked this month, the news was first reported by BleepingComputer which had access to confidential email notification sent by Okta. According to the notification threat actors have stolen the Oktas source code. As soon as Okta learned of the possible suspicious access, we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications. reads the email sent by the company We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials. We have also notified law enforcement. The security breach was discovered by GitHub earlier this month when the company noticed suspicious access to Oktas code repositories. Upon investigation, we have concluded that such access was used to copy Okta code repositories, writes David Bradbury, the Okta Chief Security Officer (CSO) in the mail. According to the notification, intruders did not gain access to its service or customer data Okta states that HIPAA, FedRAMP or DoD customers were not affected. The incident is related to the Okta Workforce Identity Cloud (WIC) code repositories and doesnt impact Auth0 Customer Identity Cloud products. The company announced to have taken steps to prevent threat actors can use the stolen code to access company or customer environments. In March 2022, the Lapsus$ extortion group has stolen sensitive data from Okta, including customer data, and published screenshots of the stolen data on its Telegram channel. The company launched an investigation into the claims of a data breach, while the CEO Todd McKinnon confirmed that in late January 2022 the company detected an attempt to compromise the account of a third-party customer support engineer working for one of its subprocessors. The company revealed that the security breach impacted 2.5% of its customers (approximately 375), but pointed out that they have no action that should do. The Lapsus$ extortion group compromised the laptop of one of its support engineers that allowed them to reset passwords for some of its customers. Investigators discovered that the attackers had access to the laptop for five days starting from January 16, 2022. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, GitHub) The post Okta revealed that its private GitHub repositories were hacked this month appeared first on Security Affairs.
- — Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days
- at 12/21/22 8:50amCyberNews researchers reported that Ecco, a global shoe manufacturer and retailer, exposed millions of documents. Original post @ https://cybernews.com/security/ecco-leaks-sensitive-data-for-months/ Ecco, a global shoe manufacturer and retailer, exposed millions of documents. Not only could anyone have modified the data, but the server misconfiguration’s severity likely left the company open to an attack that could have affected customers all over the world. Its no use carrying an umbrella if your shoes are leaking, an old Irish proverb says. Words that sum up the recent predicament of Ecco, a Danish shoe manufacturer and retailer with thousands of stores and sales points all over the planet. Our research team discovered an exposed instance hosting a trove of data for Ecco. The team has identified that Ecco left 50 indices exposed to the public, with over 60GB of data accessible since June 2021. Millions of sensitive documents, from sales to system information, were accessible. Anyone with access could have viewed, edited, copied and stolen, or deleted the data. We reached out to Ecco but received no reply before going to press. However, at the time of publishing, the company appears to have fixed the problem. What happened? Our research team recently discovered an exposed instance that hosts Kibana, an ElasticSearch visualization dashboard, for Ecco. Kibana allows processing of information on ElasticSearch, a storage facility favored by enterprises dealing with large volumes of data. Even though the instance hosting the dashboard was protected with a basic Hypertext Transfer Protocol (HTTP) authentication, the server was misconfigured and allowed all Application Programming Interface (API) requests through. Under an umbrella with leaky shoes, indeed. The misconfigured authentication allowed us to look up the index names on Eccos ElasticSearch, revealing 50 exposed indices with over 60GB of data. The exposed servers contain documents ranging from sales and marketing to logging and system information. According to the team, historical data indicates that the exposed database was left accessible for at least 506 days, since June 4, 2021. Over 35GB of data was added to the exposed database after the server misconfiguration opened a security hole in Eccos infrastructure. A threat actor could change the visible code, naming, and URLs to phish or potentially make victims or employees install unwanted files, such as ransomware loaders or remote access tools on their browsers and devices, causing immense damage.Cybernews researchers said. Immense damage The names of indices on the open server show that millions of documents were revealed. For example, a directory named sales_org contained over 300,000 documents. Another directory, titled market_specific_quality_dashboard, had over 820,000 records. As the table with exposed indices shows, millions of documents covering various aspects of Eccos corporate life were accessible, from performance monitoring to information about system status. Worryingly, the database appears to be linked with the ecco.com website, likely used by international Ecco websites, thus providing a skilled threat actor with the means to target the company globally. According to the researchers, the capability to modify the data inside ElasticSearch would be a dangerous tool in the hands of persistent threat actors, allowing them to launch a campaign against Ecco stores, employees, and even clients. A threat actor could change the visible code, naming, and URLs to phish or potentially make victims or employees install unwanted files, such as ransomware loaders or remote access tools on their browsers and devices, causing immense damage, Cybernews researchers said. Screenshot showing one of the indexes. Image by Cybernews. Why the misconfiguration discovered by CyberNews is dangerous? Give a look at the original post published by CyberNews at https://cybernews.com/security/ecco-leaks-sensitive-data-for-months/ Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – hacking, Data Leak) The post <strong>Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days</strong> appeared first on Security Affairs.
- — German industrial giant ThyssenKrupp targeted in a new cyberattack
- at 12/21/22 1:48amGerman multinational industrial engineering and steel production company ThyssenKrupp AG was the target of a cyberattack. German multinational industrial engineering and steel production giant ThyssenKrupp AG announced that the Materials Services division and corporate headquarters were hit by a cyberattack. At this time the company has yet to disclose the type of attack that hit its systems and no cybercriminal group has yet to claim responsibility for the attack. A company spokesman declared that there are no indications of a data breach. “Thyssenkrupp is currently the target of a cyberattack — presumably by organized crime” and that “at the present time, no damage has been done, nor are there any indications that data has been stolen or modified.” a spokesperson told Agence France Presse. At the present time, no damage has been done, nor are there any indications that data has been stolen or modified, This isnt the first attack suffered by the company, in 2012, the company was targeted by another cyber attack that was classified as “heavy” and of “exceptional quality.” In 2016, alleged Asian threat actors targeted ThyssenKrupp to steal company secrets. The investigators speculated the attack was carried out by a group of professional hackers from Southeast Asia that were interested in the technological know-how and research activities of the company. On December 28, 2020, ThyssenKrupp Materials group of companies based in U.S. and Canada were breached by the NetWalker ransomware group. The hackers managed to access sensitive HR information and documents about the company’s current and former employees. The confidential information accessed by the attackers included the SSN and bank account information of employees. In August 2020, ThyssenKrupp System Engineering was hit by the Mount Locker ransomware group. In In January 2021, a ThyssenKrupp subsidiary was a victim of a ransomware cyberattack that caused the encryption of its servers and employee workstations. Follow me on Twitter: @securityaffairs and Facebook and Mastodon try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag("816788371", "300x250", "816788371"); }); } catch (error) {} Pierluigi Paganini (SecurityAffairs – ThyssenKrupp, hacking) The post German industrial giant ThyssenKrupp targeted in a new cyberattack appeared first on Security Affairs.
As of 3/29/23 4:32pm. Last new 12/26/22 4:38am.
- Next feed in category: Dark Reading