Category Archives: Breaking News

REvil ransomware gang hacked gaming firm Gaming Partners International

The REvil ransomware operators made the headlines again, this time the gang claims to have hacked the Gaming Partners International (GPI).

Gaming Partners International (GPI) is a full-service supplier of gaming furniture and equipment for casinos worldwide. The REvil ransomware gang (aka Sodinokibi) claims to have stolen info from the systems at the company before encrypting them.

Recently, one of the members of the gang that goes online with the moniker UNKN, announced in an interview with Yelisey Boguslavskiy that they were planning an attack against a prominent organization in the gaming network.

The attack happened and today the REvil ransomware operators added Gaming Partners International to their dedicated leak site.

The cybercrime gang published some screenshots showing directories and files from the systems of the breached company.

Gaming Partners International (GPI)
Source Databreaches.net

The message published by the ransomware gang threatens to release the stolen data if the company will not pay the ransom within 72 hours.

The hackers claim to have stolen 540Gb of technical and financial documents stolen form the company.

“Absolutely all servers and working computers of the company are hacked and encrypted. There was a large data leak 540Gb of the most important information of the company, technical data, financial documents, contracts with ALL CASINO in LAS-VEGAS, MACAO, EUROPE, bank documents.” reads the message published by the ransomware operators.

The list of victims of the REvil ransomware gang is long and includes the London-based Travelex, the law firm of the stars, Grubman Shire Meiselas & Sacks (GSMLaw), the law firm Seyfarth Shaw, and US-based supplier of video delivery software solutions, SeaChange International.

Pierluigi Paganini

(SecurityAffairs – hacking, Gaming Partners International (GPI))

The post REvil ransomware gang hacked gaming firm Gaming Partners International appeared first on Security Affairs.

Companies paid $4.2M bug bounties for XSS flaws in 2020

Cross-Site Scripting (XSS) issues are the most common vulnerabilities that received the highest amount of rewards on the HackerOne vulnerability reporting platform.

Cross-Site Scripting (XSS) is the most common vulnerability type and received the highest amount of rewards on the HackerOne vulnerability reporting platform.

XSS vulnerabilities accounted for 18% of all flaws reported by bug hunters, these issues received a total of $4.2 million in bounties paid by companies (+26% from last year).

The Cross Site Vulnerabilites received an average of just $501 per issue.

XSS vulnerabilities can be exploited by threat actors for multiple malicious activities, including account takeover and data theft.

“XSS vulnerabilities are extremely common and hard to eliminate, even for organizations with the most mature application security. XSS vulnerabilities 2are often embedded in code that can impact your production pipeline.” reads The 4th Hacker-Powered Security Report.

“These bugs account for 18% of all reported vulnerabilities, but the average bounty award is just US$501. That means organizations are mitigating this common, potentially painful bug on the cheap.”

Improper Access Control follows XSS in the list of most awarded vulnerability type in 2020, experts observed an increase of 134% in occurrence compared to 2019. Companies paid a total of $4 million in bug bounty rewards through the HackerOne platform.

Information Disclosure accounts for 63% from last year. Companies paid $3 million for reports related to these vulnerabilities.

“Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year.” continues the report.

“Both methods expose potentially sensitive data like personally identifiable information. While they range widely in criticality, they can be disastrous if sensitive customer or internal information is leaked by misconfigured permissions.”

Both flaws are very dangerous because they’re nearly impossible to detect using automated tools.

In the third place there are SSRF (Server Side Request Forgery) flaws, experts pointed out that the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.

Organizations paid about USD$3 million in SSRF mitigations last year.

Top10 vulnerabilities 2020 XSS top

Most of the bounties were paid by organizations in the United States with $39.1 million / €33.4 million / ¥273.7 million, accounting for 87% of the total. It is interesting to note that Latin America increased bounty awards by 371%, while all other regions increased awards by at least 68%.

“That growth is even more impressive considering the scale, as those three
countries combined paid out more than $380,000 / €324,000 / ¥2,660,000
in bounties in the past year.” states the report.

In the last year, organizations paid $23.5 million via HackerOne to bug hunters who submitted valid reports for vulnerabilities in the systems of organizations worldwide.

To date, the popular platform already paid $107 million in bug bounties with more than $44.75 million paid within a 12-month.

Pierluigi Paganini

(SecurityAffairs – hacking, bug bounty)

The post Companies paid $4.2M bug bounties for XSS flaws in 2020 appeared first on Security Affairs.

Emotet operators are running Halloween-themed campaigns

Crooks behind Emotet malware attempt to take advantage of the Halloween festivity, a new campaign could invite you to a Halloween party.

Threat actors are attempting to take advantage of the Halloween festivities, a recent Emotet malware campaign spotted by BleepingComputer employed spam emails that invite recipients to a Halloween party.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is a modular malware, its operators could develop new Dynamic Link Libraries to update its capabilities.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

In a recent campaign observed on October 14th, the attackers are using multiple lures, including invoices, purchase orders, shipping information, COVID-19 information, and information about President Trump’s health.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

Now experts warn of Emotet campaigns that are playing a Halloween trick, the spam messages attempt to trick the victims into opening a weaponized attachment by inviting them to a Hallowing party.

“The Emotet malware gang has created an email that pretends to invite you to a Halloween party to trick you into opening the malicious attachment.” reported Bleeping Computer.

According to the experts, threat actors are using unique subjects like Happy Halloween, Halloween Party, Halloween party invitation, Halloween invitation, Party tonight, etc..

The malicious files used in this campaign have different names, such as Inviting friends to your Halloween Extravaganza.doc, Halloween Pot Luck 10.31.doc, Halloween.doc, Halloween party invitation.doc, and Halloween party.doc

Emotet Spam Hallowen spam-email
Source Bleeping Computer

Researchers from Microsoft Security Intelligence are also warning of the ongoing Halloween-themed Emotet campaign.

An example of the text found in the spam emails is

Dear, 
Trick or Treat?
Details in the attachment.
Mail: XXXXXXXXX

Upon opening the attachment, they will invite the recipient to “Enable Editing” and “Enable Content” button, then it will install the Emotet Trojan on the computer. 

The template used in the Halloween Emotet campaign asks recipients to upgrade their Microsoft Word version by enabling the content.

The suggestion is to avoid opening any attachment coming with an email inviting you to a Halloween party.

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

The post Emotet operators are running Halloween-themed campaigns appeared first on Security Affairs.

Operation Earth Kitsune: hackers target the Korean diaspora

Experts uncovered a new watering hole attack, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers.

Researchers at Trend Micro have disclosed details about a new watering hole campaign, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers such as Google Chrome and Internet Explorer to deploy backdoors.

Threat actors behind the Operation Earth Kitsune used SLUB (for SLack and githUB) malware and two new backdoors tracked as dneSpy and agfSpy to exfiltrate data from the infected systems and for taking over them.

The attacks were spotted by the researchers during the months of March, May, and September.

Attackers have deployed the spyware on websites associated with North Korea, but experts pointed out that access to these sites is blocked for visitors from South Korean IP addresses.

“The threat, which we dubbed as such due to its abuse of Slack and GitHub in previous versions, has not abused either of the platforms this time; instead, it employed Mattermost, an open-source online chat service that can be easily deployed on-premise.” reads the analysis published by Trend Micro.

Operation Earth Kitsune

This campaign, unlike other ones, deployed numerous samples (7) to the victim machines and used multiple command-and-control (C&C) servers (5), attackers also employed exploits for four N-day bugs.

Experts were investigating a strange redirection of visitors of the Korean American National Coordinating Council (KANCC) website to the Hanseattle website. Users were redirected to a weaponized version of a proof of concept (POC) for the CVE-2019-5782 Chrome vulnerability published by Google researchers. Experts discovered that the exploit was infecting the victim machine with three separate malware samples.

Operation Earth Kitsune 2

The attack chain initiates with a connection to the C&C server to receive the dropper, which once executed first checks for the presence of anti-malware solutions on the target system before delivering the three backdoor samples (in “.jpg” format) and executing them.

The attackers used Mattermost server to keep track of the deployment across multiple infected machines and to create a separate channel for each machine for data exfiltration.

The agfSpy backdoor support multiple commands to exfiltrate data, capture screenshots, enumerate directories, upload, download, and execute files.

“One interesting aspect of dneSpy’s design is its C&C pivoting behavior. The central C&C server’s response is actually the next-stage C&C server’s domain/IP, which dneSpy has to communicate with to receive further instructions.” continues the analysis.

agfSpy uses its own C&C server mechanism to receive commands that could instruct the backdoor to execute shell commands and send the execution results back to the server.

agfSpy and dneSpy are very similar except for the use of a different C&C server and various formats in message exchanges.

“Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them,” the researchers concluded. “The campaign’s use of new samples to avoid detection by security products is also quite notable.”

“From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time.”

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Earth Kitsune)

The post Operation Earth Kitsune: hackers target the Korean diaspora appeared first on Security Affairs.

Google discloses unpatched Windows zero-day exploited in the wild

Google researchers disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation.

Security researchers from Google have disclosed a zero-day vulnerability in the Windows operating system, tracked as CVE-2020-17087, that is currently under active exploitation.

Ben Hawkes, team lead for Google Project Zero team, revealed on Twitter that the vulnerability was chained with another Chrome zero-day flaw, tracked as CVE-2020-15999, that Google recently disclosed.

Google researchers expect a patch for this zero-day flaw to be available on November 10. The Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), confirmed that the vulnerability was exploited in targeted attacks that are not related to the forthcoming US election.

Google did not provide info on the attackers that have already exploited the flaw, but experts speculate that they were nation-state actors.

The Chrome zero-day is a sandbox escape issue, it allows attackers to escape Chrome’s secure container and run code on the underlying operating system.

“We have evidence that the following bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline.” reads Google’s advisory.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

The Google Project Zero team notified Microsoft last week and gave the company seven days to address the vulnerability, but unfortunately, Microsoft has yet to fix it.

The vulnerability affects all Windows versions between Windows 7 and the most recent Windows 10 release.

Google researchers also published a proof of concept code to exploit this vulnerability.

In March 2019, Google disclosed that that threat actors were chaining a Chrome zero-day (CVE-2019-5786) with a Windows zero-day (CVE-2019-0808) in attacks in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, Windows zero-day)

The post Google discloses unpatched Windows zero-day exploited in the wild appeared first on Security Affairs.

5 Components of the Kubernetes Control Plane that Demand Special Attention in Your Security Strategy

Organizations and security incidents in Kubernetes environments, these are 5 key components of the control plane that demand special attention

Organizations are no strangers to security incidents in their Kubernetes environments. In its State of Container and Kubernetes Security Fall 2020 survey, StackRox found that 90% of respondents had suffered a security incident in their Kubernetes deployments in the last year. Two-thirds of respondents explained that they had weathered a misconfiguration incident, followed by vulnerability cases, runtime events and failed audits at 22%, 17% and 16%, respectively.

Misconfiguration incidents are so prolific because they can appear in many different aspects of an organization’s Kubernetes environment. For instance, they can affect the Kubernetes control plane. This section of a Kubernetes deployment is responsible for making global decisions about a cluster as well as for detecting and responding to events affecting the cluster, notes Kubernetes.

This raises an important question: how can organizations harden the Kubernetes control plane against digital attacks?

To answer that question, this blog post will discuss five components within the Kubernetes control plane that require special attention within organizations’ security strategy. These are the kube-apiserver, etcd, kube-scheduler, kube-controller-manager and cloud-controller-manager. It will then provide recommendations on how organizations can secure each of these components.

kube-apiserver

What it is

Per Kubernetes’ documentation, kube-apiserver is the front end for the Kubernetes control plane. It functions as the main implementation of a Kubernetes API server. Organizations can scale kube-apiserver horizontally by deploying more instances.

Why it needs to be secured

The Container Journal noted that attackers are committed to scanning the web for publicly accessible API servers. Acknowledging that reality, organizations need to make sure they don’t leave their kube-apiserver instances publicly exposed. If they do, they could provide attackers with an opening for compromising a Kubernetes cluster.

How to secure it

Administrators can follow the Container Journal’s advice by configuring their API servers to allow cluster API access only via the internal network or a corporate VPN. Once they’ve implemented that security measure, they can use RBAC authorization to further limit who has access to the cluster. They can enable this feature specifically via the kube-apiserver.

etcd

What it is

Kubernetes uses etcd as key value backing store for cluster data. In order to use etcd, organizations need to have a backup plan for the highly sensitive configuration data that they’d like to protect with this store.

Why it needs to be secured

As with kube-apiserver, organizations might accidentally leave etcd exposed to the Internet. The New Stack covered the work of one software developer who conducted a search on Shodan to look for exposed etcd servers. This investigation uncovered 2,284 etcd servers that malicious actors could access through the Internet.

How to secure it

Kubernetes notes in its cluster administration resources that etcd is equivalent to root permission in the cluster. In response, administrators should grant permission to only the nodes that require access to etcd clusters. They should also use firewall rules as well as the feature’s inherent security features, notably peer.key/peer.cert and client.key/client.cert, to secure communications between etcd members as well as between etcd and its clients.

kube-scheduler

What it is

The kube-scheduler is a component within the control plane that watches for the creation of new pods with no assigned node. If it detects such a pod, it selects a node for them to run on. It makes these decisions by taking individual and collective resource requirements, data locality and other considerations into consideration, per Kubernetes’ website.

Why it needs to be secured

Any compromise involving the kube-scheduler could affect the performance and availability of a cluster’s pods, explains Packt. Such an event could thereby cause disruptions in an organization’s Kubernetes environment that undermines business productivity.

How to secure it

Administrators can follow Packt’s advise to secure the kube-scheduler by disabling profiling, a feature which exposes system details. They can do this by setting the “–profiling” setting to “false.” Additionally, they can disable external connections to kube-scheduler using the “AllowExtTrafficLocalEndpoints” configuration to prevent outside attackers from gaining access to this control plane component.

kube-controller-manager

What it is

This particular component lives up to its name in that it runs controller processes. Each of those processes, including those run by the node controller, replication controller and others, are separate processes. However, the kube-controller-manager compiles all of those processes and runs them together.

Why it needs to be secured

A security issue in the kube-controller-manager could negatively affect the scalability and resilience of applications that are running in the cluster. Such an event could thus have an effect on the organization’s business.

How to secure it

Organizations can secure the kube-controller-manager by monitoring the number of instances that they have of this feature deployed in their environments. They can also follow the recommendations that StackRox made in September 2020 by restricting the feature’s file permissions, configuring to serve only HTTPs, binding it to a localhost interfact and using Kubernetes RBAC to allow access to individual service accounts per controller.

cloud-controller-manager  

What is it?

Last but not least, the cloud-controller-manager enables administrators to link their cluster into their Cloud Service Provider’s (CSP’s) API. They can then use that feature to separate out elements that interact with the CSP’s cloud platform from those that interact with the cluster. Per Kubernetes’ documentation, cloud-controller-manager functions similarly to kube-controller-manager in its ability to compile multiple processes into one. The difference is that the cloud-controller-manager runs controllers that are specific to an organization’s CSP only.

Why it needs to be secured

Issues involving the cloud-controller-manager pose a similar threat to organizations as those that affect the kube-controller-manager.

How to secure it

Acknowledging the similarities between kube-controller-managers and cloud-controller-managers, organizations can use the same measures to secure both.

The Security Work Doesn’t End There

The five control plane components discussed above all demand attention as part of an organization’s overall Kubernetes security efforts. Even so, organizations’ work to secure their Kubernetes architecture doesn’t end there. There are also the Node components.

For information on how to secure that part of a Kubernetes cluster, click here.

About the Author: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence, Tripwire’s The State of Security Blog, and a contributing writer to Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

Pierluigi Paganini

(SecurityAffairs – hacking, Kubernetes)

The post 5 Components of the Kubernetes Control Plane that Demand Special Attention in Your Security Strategy appeared first on Security Affairs.

DoppelPaymer ransomware gang leaked Hall County, Georgia, voter info

The DoppelPaymer ransomware operators have released data that was stolen from Hall County, Georgia earlier this month.

The DoppelPaymer ransomware operators have published online data that was stolen from Hall County, Georgia earlier this month.

The attack took place on October 7, it hit Hall County, in the northern part of the state and it disabled the county’s voter signature database.

The ransomware attack hit a Georgia county government and disabled a database used to verify voter signatures in the authentication of absentee ballots. It is a common process to validate absentee ballots sent by mail by analyzing signatures.

The media pointed out that this is the first reported case of a ransomware attack against a system used in the incoming 2020 Presidential election.

Ransomware attacks could have a dramatic impact on the elections, they could disrupt voting systems and raise doubts about the validity of the vote.

While the media reported that the ransomware operators leaked stolen data on their dark web leak site to force the organization to pay the ransom, Hall County stated that there was no indication that the hackers stole any unencrypted data before encrypting the systems.

“At this time, there is no evidence to show that citizen or employee data has been compromised. However, citizens and employees are encouraged to take precautionary measures to monitor and protect their personal information,” Hall County stated.

The DoppelPaymer ransomware gang finally published over 1 GB of files stolen from Hall County systems and revealed that 2,464 devices were encrypted during the attack.

DoppelPaymer ransomware Hall County
Source Bleeping Computer

According to Bleeping Computer, The dump includes election documents, lobby comment cards, 911 spreadsheets, accounting and financial records.

“The election documents reviewed by BleepingComputer contain ballot proofs, poll worker lists, administrative documents, accounting and financial records, and city bulletins.” reported Bleeping Computer. “Also included are voter registration records containing resident’s voter registration ID, full name, address, and assigned ballot, which is, for the most part, public information.”

Most of the information leaked is public, but can be exploited by threat actors to carry out malicious activities against voters.

Recently the US government revealed that Iran-linked hackers were behind voter intimidation emails that were sent to Democrats in Florida and Alaska that pretended to be from the far-right Proud Boys group.

Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomware, Hall County)

The post DoppelPaymer ransomware gang leaked Hall County, Georgia, voter info appeared first on Security Affairs.

Brooklyn & Vermont US hospitals hit by ransomware attacks

Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network are the last victims of the Ryuk ransomware operators.

Ryuk ransomware operators continue the target the US healthcare industry, the last victims in order of time are the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network.

The news of the attack comes a few hours after The FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issuedjoint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

This security advisory describes the tactics, techniques, and procedures (TTPs) associated with cyber criminals that could target organizations in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware.

The government agencies receive information about imminent attacks, threat actors are using the TrickBot botnet to deliver the infamous ransomware to the infected systems.

This week, the systems at Sky Lakes Medical Center in Oregon and St. Lawrence Health System in New York were infected with the Ryuk ransomware. In September, the Ryuk ransomware gang hit Universal Health Services, one of the largest hospital and healthcare services providers, forcing the company to shut down systems at healthcare facilities in the United States. The incident impacted over 200 medical facilities nationwide.

The news of the Ryuk ransomware attack at the Wycoff hospital was first published by Bleeping Computer that was informed by an employee of the organization.

Wyckoff Heights Medical Center is a 350-bed teaching hospital located in an ethnically diverse residential neighborhood directly on the border of northern Brooklyn and Western Queens, NY.

Wyckoff Hospital shut down portions of its network as part of the incident response procedure.

At the time of publishing this post, it is not known the extent of the incident and the impact on the operations of the hospitals.

University of Vermont Health Network also disclosed a similar cyber attack, the organization is working with the FBI and the Vermont Department of Public Safety on the investigation.

“People who are in urgent need of care are getting it and most appointments are happening,” Dr. Stephen Leffler, president of the University of Vermont Medical Center in Burlington, said at a news conference late Thursday outside the hospital. “Most surgeries will happen tomorrow. We did slow some down today as were switching systems.”

The ransomware attack has caused variable impacts at each of our affiliates, the family of ransomware involved in the attack is yet to be revealed.

“The attack has caused variable impacts at each of our affiliates. Staff are continuing to follow well-practiced standby procedures to ensure safe patient care. We understand the difficulty this causes for our patients and the community and apologize for the impact. There have been some changes to patient appointments and we are attempting to reach those patients who have been affected. We will continue to provide systems and patient service updates when they are available,” read a statement from the University of Vermont Health Network.

According to researchers at CheckPoint, Healthcare is the most targeted industry, by ransomware, in the US in October. Ransomware attacks against the US healthcare sector increased by 71%, experts also reported an increase of 33% in APAC and 36% in EMEA.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Brooklyn & Vermont US hospitals hit by ransomware attacks appeared first on Security Affairs.

Threat actors are actively exploiting Zerologon flaw, Microsoft warns

Microsoft researchers are warning that threat actors are continuing to actively exploit the ZeroLogon vulnerability in attacks in the wild.

Microsoft is warning that threat actors are actively exploiting the ZeroLogon vulnerability in the Netlogon Remote Protocol.

The CVE-2020-1472 flaw is an elevation of privilege that resides in the Netlogon. The Netlogon service is an Authentication Mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates Domain Controllers.

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

“Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020.” reads a post published by MSRC VP of Engineering Aanchal Gupta. “If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain.”

Microsoft strongly encourages administrators of enterprise Windows Servers to install the August 2020 Patch Tuesday as soon as possible to protect their systems from Zerologon attack that exploits the CVE-2020-1472.

Because the initial documentation regarding Zerologon patching process was not clear enough, Microsoft provided the following updates:

  1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  2. FIND which devices are making vulnerable connections by monitoring event logs.
  3. ADDRESS non-compliant devices making vulnerable connections.
  4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.

At the end of September, Microsoft issued a similar warning. The IT giant published a series of Tweets to warn of attackers that are actively exploiting the Windows Server Zerologon in attacks in the wild. The IT giant urged Windows administrators to install the released security updates as soon as possible.

In early October, Microsoft spotted a series of Zerologon attacks allegedly launched by the Russian cybercrime group tracked as TA505, CHIMBORAZO and Evil Corp.

Microsoft experts spotted the Zerologon attacks involving fake software updates, the researchers noticed that the malicious code connected to command and control (C&C) infrastructure known to be associated with TA505.

In the same period, Microsoft published a post and a series of tweets to warn of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

On September 18, The Department of Homeland Security’s CISA issued an emergency directive to order government agencies to address the Zerologon vulnerability (CVE-2020-1472) by September 21.

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

The post Threat actors are actively exploiting Zerologon flaw, Microsoft warns appeared first on Security Affairs.

US Cyber Command details implants used in attacks on parliaments and embassies

US Cyber Command published technical details on malware implants used by Russia-linked APTs on multiple parliaments, embassies

US Cyber Command shared technical details about malware implants employed by Russian hacking groups in attacks against multiple ministries of foreign affairs, national parliaments, and embassies.

Experts from the US Cyber Command’s Cyber National Mission Force (CNMF) unit and the Cybersecurity and Infrastructure Security Agency (CISA) uploaded the samples on the Virus Total online virus scan platform.

CISA also published two joint advisories with the FBI and CNMF that provides info regarding the ComRAT and Zebrocy malware that were used by Russia-linked APT groups, including the APT28 and Turla.

The Turla APT group (aka SnakeUroburosWaterbugVenomous Bear and KRYPTONhas been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, NASA and the US Central Command.

“FBI has high-confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations.” reads the advisory published CISA.

Russia-linked cyberespionage groups utilized the Zebrocy backdoor in attacks aimed at embassies and ministries of foreign affairs from Eastern Europe and Central Asia.

“Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system.” reads the CISA’s advisory.

Zebrocy is known to be a malware of the APT28’s arsenal, a Russia linked APT group working under the control of the Russian Main Intelligence Directorate (GRU).

Pierluigi Paganini

(SecurityAffairs – hacking, US Cyber Command)

The post US Cyber Command details implants used in attacks on parliaments and embassies appeared first on Security Affairs.

FBI, CISA alert warns of imminent ransomware attacks on healthcare sector

FBI and the DHS’s CISA agencies published a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

The FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) has issued a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

This security advisory describes the tactics, techniques, and procedures (TTPs) associated with cyber criminals that could target organizations in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware.

The government agencies receive information about imminent attacks, threat actors are using the TrickBot botnet to deliver the infamous ransomware to the infected systems.

“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.” reads the alert.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features.

Ryuk ransomware

In early 2019, researchers spotted a new TrickBot backdoor framework dubbed Anchor that was using the anchor_dns tool for abusing the DNS protocol for C2 communications.

Several groups of experts linked both TrickBot and Ryuk threats to cybercrime gangs operating out of Russia. Ryuk first appeared in the threat landscape in August 2018 as a derivative of the Hermes 2.1 ransomware, that was first spotted in late 2017 and was available for sale on the open market as of August 2018

Unlike other ransomware gangs, Ryuk ransomware operators did not announce to avoid targeting healthcare organizations during the COVID-19

A few weeks ago, Universal Health Services (UHS), one of the largest hospital and healthcare services providers, has shut down systems at healthcare facilities in the United States after they were infected with the Ryuk ransomware.

A few days ago, Microsoft’s Defender team, FS-ISACESETLumen’s Black Lotus LabsNTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Microsoft has taken down 120 of the 128 servers that were composing the Trickbot infrastructure.

Microsoft announced to have taken down 62 of the original 69 TrickBot C&C servers, seven servers that could not be brought down last week were Internet of Things (IoT) devices.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post FBI, CISA alert warns of imminent ransomware attacks on healthcare sector appeared first on Security Affairs.

Critical Oracle WebLogic flaw CVE-2020-14882 actively exploited in the wild

Threat actors have started exploiting a critical vulnerability in Oracle WebLogin, tracked as CVE-2020-14882, in attacks in the wild.

Threat actors have started scanning the Internet for servers running vulnerable installs of Oracle WebLogic in the attempt of exploiting the a critical flaw tracked as CVE-2020-14882.

The CVE-2020-14882 can be exploited by unauthenticated attackers to take over the system by sending a simple HTTP GET request.

The vulnerability received a severity rating 9.8 out of 10, it was addressed by Oracle in this month’s release of Critical Patch Update (CPU).

The vulnerability affects versions of Oracle WebLogic Server are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.

The flaw was discovered by the security researcher Voidfyoo from Chaitin Security Research Lab.

Security researchers from SANS Technology Institute set up a collection of honeypots set up allowed the researchers to catch a series of attacks shortly after the exploit code for CVE-2020-14882 was publicly available.

According to Johannes Ullrich, Dean of Research at SANS, the attacks that targeted the honeypots were originated from the following IP addresses:

  • 114.243.211.182 – assigned to China Unicom
  • 139.162.33.228 – assigned to Linode (U.S.A.)
  • 185.225.19.240 – assigned to MivoCloud (Moldova)
  • 84.17.37.239 – assigned to DataCamp Ltd (Hong Kong)

According to the SANS expert, the exploit employed in the attacks appears to be based on the code published in this blog post by the researcher Jang.

“These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the “correct” response, and we have not seen follow-up requests yet.” reads the post published by SANS.

SANS Institute is alerting the internet service providers operating the IP addresses involved in the attacks.

The exploit used by the attackers only probe the systems to determine if they are vulnerable.

Searching on Spyse engine for Oracle WebLogic servers exposed online end potentially vulnerable to CVE-2020-14882 we can retrieve more than 3,000 installs.

Administrators of Oracle WebLogic installs have to apply the patch for the CVE-2020-14882 vulnerability as soon as possible.

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle WebLogic)

The post Critical Oracle WebLogic flaw CVE-2020-14882 actively exploited in the wild appeared first on Security Affairs.

Iran-linked Phosphorous APT hacked emails of security conference attendees

Iran-linked APT group Phosphorus successfully hacked into the email accounts of multiple high-profile individuals and security conference attendees.

Microsoft revealed that Iran-linked APT Phosphorus (aka APT35Charming KittenNewscaster, and Ajax Security Team) successfully hacked into the email accounts of multiple high-profile individuals and attendees at this year’s Munich Security Conference and the Think 20 (T20) summit.

“Today, we’re sharing that we have detected and worked to stop a series of cyberattacks from the threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals.” reads the post published by Microsoft. “Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.”

Nation-state actors successfully targeted over 100 individuals, including former ambassadors and other senior policy experts.

According to the experts at Microsoft Security Intelligence Center, the attacks are part of a cyber-espionage campaign aims at gathering intelligence on the victims by exfiltrating data from their mailboxs and contact list.

Data was exfiltrated to the de-ma[.]online domain, and the g20saudi.000webhostapp[.]com, and ksat20.000webhostapp[.]com subdomains.

The attackers have been sending spoofed email invitations to to former government officials, policy experts, academics, and leaders from non-governmental organizations. Attackers attempted to exploit the fears of travel during the Covid-19 pandemic by offering remote sessions.

The emails were written in almost perfect English.

Experts believe that this campaign is not tied to the upcoming U.S. Presidential elections.

Microsoft experts have worked with conference organizers who are warning their attendees about the ongoing attacks and suggesting them to remain vigilant to this approach being used in connection with other conferences or events.

“We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain. As always, enabling multi-factor authentication across both business and personal email accounts will successfully thwart most credential harvesting attacks like these.” suggest Microsoft. “For anyone who suspects they may have been a victim of this campaign, we also encourage a close review of email-forwarding rules in accounts to identify and remove any suspicious rules that may have been set during a successful compromise.”

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. In past campaigns, the APT group launched spear-phishing attacks against activists and journalists focusing on the Middle East, US organizations, and entities located in Israel, the U.K., Saudi Arabia, and Iraq.

Recently Microsoft published a post and a series of tweets to warn of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

The IT giant also warned of cyber espionage campaigns carried out by other nation state-sponsored hacking groups operating from Russia and China targeting organizations and individuals involved in this year’s U.S. presidential election.

Pierluigi Paganini

(SecurityAffairs – hacking, Phosphorous)

The post Iran-linked Phosphorous APT hacked emails of security conference attendees appeared first on Security Affairs.

TrickBot operators employ Linux variants in attacks after recent takedown

A few days after the TrickBot takedown, Netscout researchers spotted a new TrickBot Linux variant that was used by its operators.

A few days ago, Microsoft’s Defender team, FS-ISACESETLumen’s Black Lotus LabsNTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Microsoft has taken down 120 of the 128 servers that were composing the Trickbot infrastructure.

Microsoft announced to have taken down 62 of the original 69 TrickBot C&C servers, seven servers that could not be brought down last week were Internet of Things (IoT) devices.

Microsoft also revealed that operators tried to resume the operations, The company brought down 58 of the 59 servers the operators attempted to bring online after the recent takedown.

According to a new report published by researchers from security firm Netscout, TrickBot’s operators have started to use a new variant of their malware in an attempt to Linux systems and expand the list of its targets.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features.

At the end of 2019, researchers spotted a new TrickBot backdoor framework dubbed Anchor that was using the DNS protocol for C2 communications.

Stage 2 Security researcher Waylon Grange first spotted the new Linux variant of Anchor_DNS in July and called it “Anchor_Linux.”

“The actors behind Trickbot, a high profile banking trojan, have recently developed a Linux port of their new DNS command and control tool known as Anchor_DNS.” explained Grange.

“Often delivered as part of a zip, this malware is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP [address] for the host and then begins to beacon via DNS queries to its C2 server.”

Researchers from Netscout now published an analysis of the variant detailing the communication flow between the bot and the C2 server.

The client sends “c2_command 0” to the server along with information about the compromised system and the bot ID, the server, in turn, responds with the message “signal /1/” back to the bot.

Trickbot Linux

The infected host responds by sending the same message back to the C2, which in turn sends the command to be executed by the bot. Once executed the command, the bot sends the result of the execution to the C2 server.

“The complexity of Anchor’s C2 communication and the payloads that the bot can execute reflect not only a portion of the Trickbot actors’ considerable capabilities, but also their ability to constantly innovate, as evidenced by their move to Linux.” concludes the report. “It is important to note that Trickbot operators aren’t the only adversaries to realize the value of targeting other operation systems”

Pierluigi Paganini

(SecurityAffairs – hacking, Trickbot)

The post TrickBot operators employ Linux variants in attacks after recent takedown appeared first on Security Affairs.

Trump campaign website defaced by scammers

Hackers broke into a website used in Donald Trump ‘s campaign website on Tuesday, the news is worrying because comes a few days before Election Day.

Hackers defaced a website used in Donald Trump’s campaign website, donaldjtrump.com, displaying the following message:

“This site was seized.” “The world has had enough of the fake-news spreaded daily by president donald j trump.”

Trump site hacked

The hack was first reported Gabriel Lorenzo Greschler on Twitter, it took place shortly before 4 PM Pacific time. 

The news is worrying because comes ahead of the incoming Election Day. Hackers likely gained access to the web server back-end and inserted obfuscated JavaScript to display the above message.

The website was quickly restored, Trump campaign spokesman Tim Murtaugh confirmed that no sensitive data was compromised as result of the attack,

“The Trump campaign website was defaced and we are working with law enforcement authorities to investigate the source of the attack,” Murtaugh said.

The attackers don’t appear to be politically motivated, according to the website Techcrunch the site was hacked by scammers with the purpose to collect hard-to-trace cypto-currency Monero.

The scammers claimed to have confidential information on Trump and his relatives, they provided two Monero addresses where transfer funds to receive the alleged information.

The scammers instructed people to send crypto-currency to one address if they wanted the strictly classified information released and to another to keep it secret.

Experts noticed that page was signed with a PGP public key corresponding to an email address at a non-existent domain (planet.gov).

Pierluigi Paganini

(SecurityAffairs – hacking, Trump election day)

The post Trump campaign website defaced by scammers appeared first on Security Affairs.

Steelcase office furniture giant hit by Ryuk ransomware attack

Office furniture company Steelcase was hit by Ryuk ransomware attack that forced it to shut down its network to avoid the malware from spreading.

Steelcase is a US-based furniture company that produces office furniture, architectural and technology products for office environments and the education, health care and retail industries. It is the largest office furniture manufacturer in the world. It has facilities, offices, and factories in the Americas, Europe, Asia, the Middle East, Australia and Africa.

Steelcase has 13,000 employees and $3.7 billion in 2020. The company is the last victim of the Ryuk ransomware operators, the attack forced the firm to shut down its network to avoid the malware from spreading.

In an 8-K form filed with the Securities and Exchange Commission (SEC), the company has disclosed the ransomware attack that took place on October 22nd, 2020.

“On October 22, 2020, Steelcase Inc. (the “Company”) detected a cyberattack on its information technology systems. The Company promptly implemented a series of containment measures to address this situation including temporarily shutting down the affected systems and related operations.” reads the 8-K form.

The company immediately started the incident response procedure in an attempt to restore the affected systems and return to normal operations as soon as possible. The company is not aware of data loss caused by the ransomware attack.

Bleeping Computer, citing a source in the cybersecurity industry, confirmed that Steelcase suffered a Ryuk ransomware attack.

“At this time, the Company is not aware of any data loss from its systems or any other loss of assets as a result of this attack. Although cyberattacks can be unpredictable, the Company does not currently expect this incident will have a material impact on its business operations or its financial results.” continues the form.

Ryuk ransomware operators were very active during the recent weeks, recently the gang infected systems at the Universal Health Services and French IT outsourcer Sopra Steria.

In March, the City of Durham shut down its network after Ryuk Ransomware attack.

A few days before, EVRAZ, one of the world’s largest multinational vertically integrated steel making and mining companies, has been hit by the Ryuk ransomware.

The list of the victims of the Ryuk ransomware is very long and includes the US government contractor Electronic Warfare Associates (EWA), US railroad company Railworks, Croatian petrol station chain INA Group, and parts manufacturer Visser Precision.

Threat actors behind Ryuk attacks often used the BazarLoader or TrickBot infections to gain a foothold in the target networks and then deploy Ryuk.

Pierluigi Paganini

(SecurityAffairs – hacking, Steelcase)

The post Steelcase office furniture giant hit by Ryuk ransomware attack appeared first on Security Affairs.

Enel Group suffered the second ransomware attack this year

Multinational energy company Enel Group has been hit by Netwalker ransomware operators that are asking a $14 million ransom.

Systems at the multinational energy company Enel Group has been infected with Netwalker ransomware, it is the second ransomware attack suffered by the energy giant this year. Netwalker ransomware operators are asking a $14 million ransom for the decryption key, the hackers claim to have stolen several terabytes from the company and threaten to leak them if the ransom will be not paid.

Enel S.p.A., or the Enel Group, is an Italian multinational energy company that is active in the sectors of electricity generation and distribution, as well as in the distribution of natural gas.

The company has more than 61 million customers in 40 countries, it ranks 87 in Fortune Global 500, with $90 billion in revenues in 2019.

In June, Enel was hit by Snake ransomware, but the attack was quickly contained and the malware was not able to spread within its network.

The news of a possible ransomware attack against Enel Group was reported to BleepingComputer by a researcher on October 19.

The researcher shared with BleepingComputer a Netwalker ransom note that appeared to be used in the attack on Enel Group.

Netwalker Enel Group ransom-note
Source Bleeping Computer

BleepingComputer attempted to notify Enel Group last week without success. A few days later, Netwalker announced the leak of the company data through their support chat.

Enel never replied to the message of the ransomware operators, for this reason, the attackers started leaking a portion of the stolen data as proof of the data breach.

The operators are asking $14 million worth of Bitcoin (roughly 1234.02380000 BTC).

ENEL group netwalker-page-for-enel
Source Bleeping Computer

Today, the Netwalker ransomware operators added Enel Group to their data leak site and some screenshots of unencrypted files stolen from the company.

The Italian cyber security firm TG soft publicly shared the news of the attack in a tweet:

The hackers stole about 5 terabytes of documents from the company and announced that they will “analyze every file for interesting things” and publish it on their leak site.

At the time of publishing this post, the company have yet to confirm the incident, let’s remember that the company conduct will have to be in compliance with the current EU privacy legislation GDPR.

Pierluigi Paganini

(SecurityAffairs – hacking, ENEL Group)

The post Enel Group suffered the second ransomware attack this year appeared first on Security Affairs.

Google removes a set of 21 malicious apps from the Play Store

Google has removed 21 malicious apps from the official Play Store because they were found to serve intrusive and annoying ads.

Google has removed 21 new malicious apps from the official Play Store because they were found displaying intrusive ads.

The following malicious apps were spotted by researchers from cybersecurity firm Avast:

Shoot Them
Crush Car
Rolling Scroll
Helicopter Attack – NEW
Assassin Legend – 2020 NEW
Helicopter Shoot
Rugby Pass
Flying Skateboard
Iron it
Shooting Run
Plant Monster
Find Hidden
Find 5 Differences – 2020 NEW
Rotate Shape
Jump Jump
Find the Differences – Puzzle Game
Sway Man
Money Destroyer
Desert Against
Cream Trip – NEW
Props Rescue

The Android apps reported in the above table were downloaded nearly eight million times by Android users.

“the apps in question are 21 gaming apps that come packed with hidden adware that is part of the HiddenAds family. According to SensorTower, a mobile apps marketing intelligence and insights company, the apps have been downloaded approximately eight million times thus far.” reads the post published by Avast.

The tainted gaming apps are bundled with HiddenAds malware, which is known to be an adware that serves intrusive ads outside of the app.

Threat actors behind these malicious apps advertised them on social media channels to lure users into downloading them.

“Developers of adware are increasingly using social media channels, like regular marketers would,” Jakub Vávra, Threat Analyst at Avast, says. “This time, users reported they were targeted with ads promoting the games on YouTube. In September, we saw adware spread via TikTok. The popularity of these social networks make them an attractive advertising platform, also for cybercriminals, to target a younger audience,”

Upon installing the malicious apps, they hide their icons to prevent deletion and they also hide behind relevant-looking advertisements, making them hard to identify. 

The apps also have the ability to draw over other apps to show timed ads that users cannot skip. Experts also reported that in some cases the malware uses the browser to bombard the users with annoying ads.

Fortunately, the apps do not implement rootkit capabilities and users can uninstall them from the app manager features of the device.

It is not the first time that AVAST discovers tainted applications in the official Play Store. In July, the researchers from AVAST discovered a currency converter application in the Google Play store that was downloaded by more than 10,000 users and that was designed to deliver the Cerberus banking Trojan.

Pierluigi Paganini

(SecurityAffairs – hacking, Google Play Store)

The post Google removes a set of 21 malicious apps from the Play Store appeared first on Security Affairs.

Fragomen law firm data breach exposed Google employee’s data

Immigration law firm Fragomen has disclosed a data breach that exposed current and former Google employees’ personal information.

Immigration law firm Fragomen, Del Rey, Bernsen & Loewy, LLP, one of the most prominent US law firms covering immigration law, disclosed a data breach.

The security breach exposed current and former Google employees’ personal information after an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services.

The firm discovered the intrusion on September 24, 2020 and engaged a digital forensic investigation firm to assist with this investigation.

“We recently became aware of suspicious activity within our computer network. While our investigation is ongoing, we discovered that an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services. This file contained personal information for a discrete number of Googlers (and former Googlers), including you,” reads the data breach notification sent to the impacted people.

A Form I-9 is filled out by all US employees to verify their identity and employment authorization for employment in the United States.

The form contains employee’s information, including full name, date of birth, phone number, social security number, passport numbers, mailing address, and email address,

Exposed data could be abused by crooks to carry out multiple malicious activities, including identity theft. Users should be vigilant and report to the authorities any suspicious activities.

Fragomen is offering one year of free credit monitoring to the affected Google’s employees.

“We are offering complimentary identity theft protection and credit monitoring services to all Googlers (and former Googlers) who may have been affected by this incident in countries where these services are available. These services are available through IDX, the data breach and recovery services expert.” continues the notification notice. “IDX identity protection services include: 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.”

Pierluigi Paganini

(SecurityAffairs – hacking, Fragomen)

The post Fragomen law firm data breach exposed Google employee’s data appeared first on Security Affairs.

Hacker was identified after the theft of $24 million from Harvest Finance

A threat actor has stolen roughly $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance.

A hacker has stolen approximately $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance, a web portal that lets users finding the farming opportunities that will maximize their yield(APY) returns.

The hack took place earlier today and was almost immediately confirmed by Harvest Finance administrators in messages posted on the company’s Twitter account and Discord channel.

“On October 26, 02:53:31 AM +UTC, an attacker executed a theft of funds from the USDC and USDT vaults of Harvest Finance.” reads the security breach notification published by the company. “The attacker exploited an arbitrage and impermanent loss that influences the value of individual assets inside the Y pool of Curve.fi, which is where the funds of Harvest’s vaults were invested.”

The attackers initially invested large quantities of cryptocurrency assets in the company service and then used a cryptographic exploit to stole the platform’s funds and transfer them to wallets under its control.

The attacker successfully transferred 13,000,000 USD Coin (USDC) and 11,000,000 Tether (USDT) from the attacking contract to the address “0x3811765a53c3188c24d412daec3f60faad5f119b.”

Experts noticed that shortly after the attack, the hacker returned roughly $2.5 million back to Harvest Finance, but they ignore the reason.

The company immediately launched an investigation into the cyber heist, it claims to have linked the fraudulent activities to an individual “well-known in the crypto community.”

The company claims to have collected “a significant amount of personally identifiable information on the attacker initially offered a $400,000 bounty to anyone who will allow recovering the stolen funds. The bounty will be lowered to $100,000 after 36 hours of the announcement.

The company hopes that the attacker will return the stolen funds:

Harvest Finance explained that the attack was the result of an error it has made, anyway if the attacker will return the stolen funds it will not take legal action against the hacker.

“We made an engineering mistake, we own up to it,” explained the company.

“You’ve proven your point. If you can return the funds to the users, it would be greatly appreciated by the community, and let’s move on.”

Pierluigi Paganini

(SecurityAffairs – hacking, Harvest Finance)

The post Hacker was identified after the theft of $24 million from Harvest Finance appeared first on Security Affairs.

Nitro PDF data breach might impact major companies, including Microsoft, Google, and Apple

Nitro PDF suffered a massive data breach that impacts many major organizations, including Apple, Chase, Citibank, Google, and Microsoft.

A massive data breach suffered by the Nitro PDF might have a severe impact on well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.

Nitro Software, Inc. develops commercial software used to create, edit, sign, and secure Portable Document Format (PDF) files and digital documents. The company has over 650,000 business customers worldwide, and claims millions of users across the globe.

According to the following the security advisory issued by the software maker and unauthorized third party gained limited access to a company database.

"NITRO ADVISES OF LOW IMPACT SECURITY INCIDENT
* AN ISOLATED SECURITY INCIDENT INVOLVING LIMITED ACCESS TO NITRO DATABASE BY AN UNAUTHORISED THIRD PARTY
* DATABASE DOES NOT CONTAIN USER OR CUSTOMER DOCUMENTS.
* INCIDENT HAS HAD NO MATERIAL IMPACT ON NITRO'S ONGOING OPERATIONS.
* INVESTIGATION INTO INCIDENT REMAINS ONGOING
* NO EVIDENCE CURRENTLY THAT ANY SENSITIVE OR FINANCIAL DATA RELATING TO CUSTOMERS IMPACTED OR IF INFO MISUSED
* DOES NOT ANTICIPATE A MATERIAL FINANCIAL IMPACT TO ARISE FROM INCIDENT
* INCIDENT IS NOT EXPECTED TO IMPACT CO'S PROSPECTUS FORECAST FOR FY2020"

Cybersecurity intelligence firm Cyble came across a threat actor that was selling a database, allegedly stolen from Nitro Software’s cloud service, that includes users’ data and documents. The huge archive contains 1TB of documents, the threat actor is attempting to sell it in a private auction with the starting price of $80,000.

NITRO PDF

The database contains a table named ‘user_credential’ that contains 70 million user records, including email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related data.

Cyble shared the database with Bleeping Computer that was able to determine the authenticity of the database.

“From the samples of the database shared with BleepingComputer, the document titles alone disclose a great deal of information about financial reports, M&A activities, NDAs, or product releases.” states BleepingComputer.

The records in the document database contain a file’s title, whether it was created, signed, what account owns the document, and whether it’s public.

I have reached Cyber for a comment, below their statement:

“Considering the scale and extent of the breach, this is one of the worst breaches Cyble has seen in the last few years. The cybercriminals were not only able to access sensitive account details, but also the information related to shared documents as well. Majority of the Fortune 500 organizations are affected by this breach.”

The databases contain a large number of records belonging to well-known companies:

Company# of accounts# of documents
Amazon5,44217,137
Apple5846,405
Citi653137,285
Chase85177
Google3,67832,153
Microsoft3,3302,390
M&A documents
M&A documents

Cyble has added the data related to the NITRO PDF data breach to its AmIBreached.com data breach notification service.

Pierluigi Paganini

(SecurityAffairs – hacking, Nitro PDF)

The post Nitro PDF data breach might impact major companies, including Microsoft, Google, and Apple appeared first on Security Affairs.

KashmirBlack, a new botnet in the threat landscape that rapidly grows

Security experts spotted a new botnet, tracked as KashmirBlack botnet, that likely infected hundreds of thousands of websites since November 2019.

Security experts from Imperva have spotted a new sophisticated botnet, tracked as KashmirBlack is believed to have already infected hundreds of thousands of websites by exploiting vulnerabilities in their content management system (CMS) platforms.

The KashmirBlack botnet has been active at least since November 2019, operators leverages dozens of known vulnerabilities in the target servers.

Experts believe that the botmaster of the KashmirBlack botnet is a hacker that goes online with moniker “Exect1337,” who is a member of the Indonesian hacker crew ‘PhantomGhost’.

The experts observed millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

“It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.” reads the first part of two reports published by the experts detailing the DevOps implementation behind the botnet.

KashmirBlack botnet

The primary purpose of the KashmirBlack botnet is to abuse resources of compromised systems for cryptocurrency mining and redirecting a site’s legitimate traffic to spam pages.

Experts observed a continuous growth of the botnet since its discovery along with an increasing level of complexity.

In May experts observed an increase in the command-and-control (C&C) infrastructure and the exploits used by botnet operators.

KashmirBlack scans the internet for sites using vulnerable CMS versions and attempting to exploit known vulnerabilities to them and take over the underlying server.

Below a list of vulnerabilities exploited by the botnet operators to compromise websites running multiple CMS platforms, including WordPress, Joomla!, PrestaShop, Magneto, Drupal, vBulletin, osCommerce, OpenCart, and Yeager:

“During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva concludes.

The second part of the report also includes Indicators of Compromise (IoCs) for this botnet.

Pierluigi Paganini

(SecurityAffairs – hacking, KashmirBlack botnet)

The post KashmirBlack, a new botnet in the threat landscape that rapidly grows appeared first on Security Affairs.

Finnish psychotherapy center Vastaamo suffered a shocking security breach

Private Finnish psychotherapy center Vastaamo suffered a security breach, hackers are now demanding ransom to avoid the leak of sensitive data they have stolen.

Finland’s interior minister summoned an emergency meeting Sunday after the private Finnish psychotherapy center Vastaamo suffered a security breach that caused the exposure of patient records. To worse the situation the hackers now demanding ransoms threatening to leak the stolen data.

Vastaamo operates as a sub-contractor for Finland’s public health system, according to the authorities, the hackers have stolen patient sensitive data during two attacks that started almost two years ago.

Finnish Interior Minister Maria Ohisalo tweeted that authorities would “provide speedy crisis help to victims” of the security breach at the Vastaamo psychotherapy center, an incident she called “shocking and very serious.”

The Finnish Interior Minister Ohisalo defined the attack “shocking and very serious” and expressed the commitment of the authorities in providing “speedy crisis help to victims.”

President Sauli Niinisto called the blackmailing “cruel” and “repulsive,” while Prime Minister Sanna Marin added that such kind of attacks is “shocking in many ways.”

The attacker that goes online with the moniker ’ransom_man’ has already leaked 300 patient records containing names and contact information and is blackmailing the victims that received emails from the hackers.

“It was not immediately clear if the stolen information included diagnoses, notes from therapy sessions or other potentially damaging information. Also, it wasn’t clear why the information was surfacing only now.” reported the Associated Press.

According to a statement published by Vastaamo on Saturday, the first attack likely took place between the end of November 2018 and March 2019.

The National Bureau of Investigation is investigating the incident and revealed that the data breach may have impacted up to “tens of thousands” of the Vastaamo clients.

“What makes this case exceptional is the contents of the stolen material,” Marko Leponen, the National Bureau of Investigation’s chief investigator assigned to the case, told reporters.

Vastaamo urged clients who were contacted by the intruders to immediately contact Finnish police.

Finnish media reported that crooks are demanding ransoms of 200 euros worth of Bitcoin, the ransom amount will increase up to 500 euros if the victim will not pay it within 24 hours. Crooks also attempted to directly blackmail Vastaamo asking for a 450,000 euros ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, Vastaamo)

The post Finnish psychotherapy center Vastaamo suffered a shocking security breach appeared first on Security Affairs.

Ransomware attack disabled Georgia County Election database

A ransomware attack recently hit Georgia county government and reportedly disabled a database used to verify voter signatures.

A ransomware attack hit a Georgia county government early this month and disabled a database used to verify voter signatures in the authentication of absentee ballots. It is a common process to validate absentee ballots sent by mail by analyzing signatures.

The media pointed out that this is the first reported case of a ransomware attack against a system used in the incoming 2020 Presidential election.

Ransomware attacks could have a dramatic impact on the elections, they could disrupt voting systems and raise doubts about the validity of the vote.

The attack took place on October 7, it hit Hall County, in the northern part of the state and it disabled the county’s voter signature database.

“One of the databases the county uses to verify voter signatures on absentee ballots is not working after some county network outages due to a ransomware attack on Oct. 7.” reported the Gainesville Times. “Registration Coordinator Kay Wimpye with the county elections office said employees can still verify voter signatures by manually pulling hard copies of voter registration cards, which is more time-consuming. Most voter signatures can be verified using a state database that has been unaffected by the outages, she said.”

The media reported that the Hall County attack was carried out by Doppelpaymer ransomware operators that also leaked stolen data on their dark web leak site to force the organization to pay the ransom.

The county website published an update to announce that the attack did not impact the voting process for citizens, a situation that is differed from the scenario reported by the Times.

Pierluigi Paganini

(SecurityAffairs – hacking, Georgia county)

The post Ransomware attack disabled Georgia County Election database appeared first on Security Affairs.

COVID-19 vaccine manufacturer suffers a data breach

Dr. Reddy’s, the Indian contractor for Russia’s “Sputinik V” COVID-19 vaccine was hit with a cyber-attack that forced the company to close its plants.

Indian COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories was hit with a cyber attack that forced it to shut down its plants in Brazil, India, Russia, the U.K., and the U.S..

According to The Economic Times the company suffered a data breach.

The Indian company is the contractor for Russia’s “Sputinik V” COVID-19 vaccine, recently the Drug Control General of India (DCGI) gave it the authorization to enter Phase 2 human trials.

According to the BBC, the phone lines at the company’s UK sites in Cambridgeshire and Yorkshire were down.

In response to the security breach, the COVID-19 vaccine manufacturer has isolated all data center services.

“In the wake of a detected cyber-attack, we have isolated all data center services to take required preventive actions,” CIO Mukesh Rathi said in a media statement. “We are anticipating all services to be up within 24 hours, and we do not foresee any major impact on our operations due to this incident.”

According to the media, the attack is likely the result of a cyber espionage operation aimed at stealing info on the COVID-19 vaccine development.

At the time it is not clear whether the attack was carried out by a nation-state actor or a cyber crime gang.

In July, the British National Cyber Security Centre revealed that Russia-linked group APT29 is conducting cyberespionage campaigns targeting UK, US, and Canadian organizations working of the development of a COVID-19 vaccine.

In the same period, the US Justice Department accused two Chinese hackers of stealing trade secrets from companies worldwide and recently involved in attacks against firms developing a vaccine for the COVID-19.

In September, the El Pais newspaper reported that Chinese hackers have stolen information from Spanish laboratories working on a vaccine for COVID19.

Pierluigi Paganini

(SecurityAffairs – hacking, COVID-19)

The post COVID-19 vaccine manufacturer suffers a data breach appeared first on Security Affairs.

Is the Abaddon RAT the first malware using Discord as C&C?

Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform Discord as a command & control server.

Researchers from MalwareHunterTeam have spotted a new piece of remote access trojan (RAT) dubbed ‘Abaddon’ that is likely the first malware using the Discord platform as command and control. The Abaddon malware connects to the Discord command and control server to check for new commands to execute.

Experts also warn that the author of the malware also developed a malware feature.

In the past, other threat actors already abused the Discord platform for different purposes, such as using it as a stolen data drop.

“In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies the Discord client to have it steal credentials and other information.” reported Bleeping Computer that first reported the news.

Abaddon implements data-stealing feature, it was designed to steal multiple data from the infected host, including Chrome cookies, saved credit cards, and credentials, Steam credentials, Discord tokens and MFA information.

The malware also collects system information such as country, IP address, and hardware information.

According to Bleeping Computer the malware supports the following commands:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more later on this).
  • Send back any collected information and clear the existing collection of data.

The malicious code connects to the Command & Control every ten seconds for new tasks to execute.

Experts pointed out that the malware also implements the commands to encrypt files of the infected system and decrypt them.

The ransomware feature appears to be under development.

Pierluigi Paganini

(SecurityAffairs – hacking, Abaddon)

The post Is the Abaddon RAT the first malware using Discord as C&C? appeared first on Security Affairs.

HPE addresses critical auth bypass issue in SSMC console

HPE fixed a remote authentication bypass vulnerability in HPE StoreServ Management Console (SSMC) data center storage management solution.

Hewlett Packard Enterprise (HPE) has addressed a maximum severity (rated 10/10) remote authentication bypass vulnerability, tracked as CVE-2020-7197, affecting the HPE StoreServ Management Console (SSMC) data center storage management solution.

HPE SSMC is a management and reporting console for HPE Primera (data storage for mission-critical apps) and HPE 3PAR StoreServ systems (AI-powered storage cloud service providers) data center arrays.

The CVE-2020-7197 flaw is a remote authentication bypass vulnerability that affects HPE 3PAR StoreServ Management and Core Software Media prior to 3.7.0.0.

“HPE StoreServ Management Console 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. SSMC is vulnerable to remote authentication bypass.” reads the advisory.

The flaw can be exploited by threat actors with no privileges and doesn’t require user interaction.

HPE has addressed the issue with the release of the HPE 3PAR StoreServ Management Console 3.7.1.1.

“This SSMC release includes important security and quality improvement defect fixes that strengthen the security posture of SSMC appliances,” reads the changelog.

Hewlett Packard Enterprise acknowledged the researchers Elwood Buck from MindPoint Group for reporting the flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, StoreServ Management Console)

The post HPE addresses critical auth bypass issue in SSMC console appeared first on Security Affairs.

New Emotet attacks use a new template urging recipients to upgrade Microsoft Word

Emotet operators have started using a new template this week that pretends to be a Microsoft Office message urging a Microsoft Word update.

Researchers this week observed Emotet attacks employing a new template that pretends to be a Microsoft Office message urging the recipient to update their Microsoft Word to add a new feature.

Source Bleeping Computer

Emotet spam messages leverage templates to trick the victims into enabling macros to start the infection.

Upon installing the malware, Emotet will download additional payloads on the machine, including ransomware, and use it to send spam emails.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is a modular malware, its operators could develop new Dynamic Link Libraries to update its capabilities.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

In a recent campaign observed on October 14th, the attackers are using multiple lures, including invoices, purchase orders, shipping information, COVID-19 information, and information about President Trump’s health.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

“Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature.” reported BleepingComputer.

Below the messages displayed to the recipient to trick him into opening enabling the macros.

Upgrade your edition of Microsoft WordUpgrading your edition will add new feature to Microsoft Word.
Please click Enable Editing and then click
Enable Content.

Upon enabling the macros, the Emotet malware is downloaded and installed into the victim’s %LocalAppData% folder, as shown below.

“Due to this, it is important that all email users recognize malicious document templates used by Emotet so that you do not accidentally become infected.” concludes Bleeping computer.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post New Emotet attacks use a new template urging recipients to upgrade Microsoft Word appeared first on Security Affairs.

Microsoft Teams phishing campaign targeted up to 50,000 Office 365 users

Experts warn of a phishing campaign that already targeted up to 50,000 Office 365 users with a fake automated message from Microsoft Teams.

Secruity researchers reported that up to 50,000 Office 365 users have been targeted by a phishing campaign that pretends to be automated message from Microsoft Teams. The bait message uses fake notifications of a “missed chat” from Microsoft Teams, the campaigns aims at stealing Office 365 recipients’ login credentials.

Like other collaboration and communications platforms, the popularity of Microsoft Teams has risen since the beginning of the Covid-19 pandemic because a growing number of organizations started using the remote working model. Threat actors are adapting their attack techniques to exploit the ongoing situation, researchers from Abnormal Security observed campaign that hit between 15,000 to 50,000 Office 365 users.

“This attack impersonates an automated message from Microsoft Teams in order to steal recipient’s login credentials.” reads the report published by Abnormal Security. “The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams. It appears to notify the recipient that their teammates are trying to reach them and urges the recipient to click on ‘Reply in Teams’. However, this leads to a phishing page.”

The bait email displays the name “There’s new activity in Teams” to trick the victims into believing that it is an automated notification from Microsoft Teams.

The email tells the recipient that they have missed Microsoft Team chats and show an example of a teammate chat that asks them to submit something by Wednesday of next week.

The researchers that the campaing is not targeted in nature as the employee referenced in the chats doesn’t appear to be an employee of the company that was targeted by the attackers.

Recipient could respond to the email by click on the “Reply in Teams” button that is present in the content of the message, but as a consequence of this action, the victim is redirected to a phishing page.

“Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” continues the analysis. “Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.”

The phishing landing looks like a Microsoft login page, its URL begins with the “microsftteams” to appear as legitimate.

“The attacker spoofed employee emails and also impersonated Microsoft Teams. The recipient is more likely to fall prey to an attack when it is believed to originate from within the company and also from a trusted brand.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Team)

The post Microsoft Teams phishing campaign targeted up to 50,000 Office 365 users appeared first on Security Affairs.

Boyne Resorts ski and golf resort operator hit with WastedLocker ransomware

The systems at the US-based ski and golf resort operator were infected with the WastedLocker ransomware, the incident impacted reservation systems.

Boyne Resorts is a collection of mountain and lakeside resorts, ski areas, and attractions spanning from British Columbia to Maine.  The company owns and operates eleven properties and an outdoor lifestyle equipment/apparel retail division with stores in cities throughout Michigan.  An industry leader in multiple U.S. regions, operations include snowsports and year-round mountain recreation, golf, an indoor waterpark, spas, food and beverage, lodging and real estate development.

Boyne Resorts was the victim of WastedLocker ransomware attack, the incident has impacted reservation systems.

According to BleepingComputer, the ransomware initially breached the corporate offices and then moved laterally targeting the IT systems of the resorts they operate. As result of the attack the company was forced to shut down portions of its network to prevent the ransomware from spreading.

Customers of the company were not able to make reservations at the resorts operated by the company. .

The ransomware encrypted files and renamed their filenames by adding the “.easy2lock” extension, this extension was previously associated with recent WastedLocker ransomware infections.

In July, Smartwatch and wearable device maker Garmin had to shut down some of its connected services and call centers following a WastedLocker Ransomware attack.

In June, security experts from Symantec reported that at least 31 organizations in the United States have been targeted with the recently discovered WastedLocker ransomware.

Researchers from the NCC Group’s report and later Symantec confirmed that malware was developed by the Russian cybercrime crew known as Evil Corp, which was behind the Dridex Trojan, and multiple ransomware like Locky , Bart, Jaff, and BitPaymer.

Most of the victims belong to the manufacturing industry, followed by IT and media and telecommunications sectors.

This group has been active since at least 2007, in December 2019, the U.S. Treasury Department imposed sanctioned on Evil Corp for causing more than $100 million in financial damages.

The U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.

Ransom payments to WastedLocker is not allowed by US authorities, this means that Boyne Resorts could face severe sanctions if it will pay the ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, WastedLocker)

The post Boyne Resorts ski and golf resort operator hit with WastedLocker ransomware appeared first on Security Affairs.

US Treasury imposes sanctions on a Russian research institute behind Triton malware

US Treasury Department announced sanctions against Russia’s Central Scientific Research Institute of Chemistry and Mechanics behind Triton malware.

The US Treasury Department announced sanctions against a Russian research institute for its alleged role in the development of the Triton malware.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated, pursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), a Russian government research institution that is connected to the destructive Triton malware.” reads a press release published by the Department of the Treasury.

Triton is a strain of malware specifically designed to target industrial control systems (ICS) system that has been spotted by researchers at FireEye in December 2017.

The malware was first spotted after it was employed in 2017 in an attack against a Saudi petrochemical plant owned by the privately-owned Saudi company Tasnee. According to the experts, the infection caused an explosion.

“In August 2017, a petrochemical facility in the Middle East was the target of a cyber-attack involving the Triton malware. This cyber-attack was supported by the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack.” continues the press release.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye in 2017.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

Triton malware

Once gained access to the SIS system, the threat actor deployed the TRITON malware, a circumstance that indicates that attackers had a knowledge of such systems. According to FireEye the attackers pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers., it is able to read and write programs and functions to and from the controller.

Triton Malware Triconex

The hackers deployed the Triton malware on a Windows-based engineering workstation, the malicious code added its own programs to the execution table. In case of a failure, the malware attempts to return the controller to a running state, it also overwrites the malicious program with junk data if the attempt fails, likely to delete any track of the attack.

The US Treasury Department imposed sanctions on the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.

FireEye collected strong evidence suggesting that the Russian CNIIHM institute has been involved in the development of some of the tools used in the Triton attack.

“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post.” reads the analysis published by FireEye.

  1. FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion.
  2. Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
  3. An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
  4. Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
  5. We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.” 

Experts pointed out that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. Some of the TEMP.Veles hacking tools were tested using an unnamed online scan service. A specific user of the service who has been active since 2013 has tested various tools across the time.

The user also tested several customized versions of widely available tools, including Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.

In many cases, the custom versions of the tools were used in TEMP.Veles attacks just days after being submitted to the testing environment.

The experts discovered that a PDB path contained in a tested file included a string that appears to be an online moniker associated with a Russia-based individual active in Russian information security communities since at least 2011.

According to a now-defunct social media profile, the individual was a professor at CNIIHM.

FireEye also discovered that one IP address registered to the Russian research institute was involved in the Triton attacks.

The sanctions prohibit US entities from engaging with CNIIHM and also seize any asset on the US soil belonging to the research institute.

“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

TsNIIKhM is being designated pursuant to Section 224 of CAATSA for knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.” concludes the press release.

“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.”

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint report that provides details about a hacking campaign of a Russian hacking group known as Energetic Bear.

The EU Council also imposed sanctions on two Russian intelligence officers for their role in the 2015 Bundestag hack.

Pierluigi Paganini

(SecurityAffairs – hacking, Triton)

The post US Treasury imposes sanctions on a Russian research institute behind Triton malware appeared first on Security Affairs.

Sopra Steria hit by the Ryuk ransomware gang

French IT outsourcer Sopra Steria hit by ‘cyberattack’, Ryuk ransomware suspected

French IT outsourcer Sopra Steria has been hit by a ransomware attack, while the company did not reveal the family of malware that infected its systems, local media speculate the involvement of the Ryuk ransomware.

“A cyber attack was detected on the Sopra Steria computer network on the evening of October 20. Security measures have been taken to limit the risk of propagation.” reads the press release published by the company. “The Group’s teams are fully mobilized to ensure a return to normal as quickly as possible and everything is done to ensure business continuity. Sopra Steria is in close contact with its customers and partners as well as with the competent authorities.”

The European IT firm has 46,000 employees operating in 25 countries worldwide. It provides a wide range of IT services, including software development and consulting.

“According to our sources, the incident started to spread during the course of last night. The Active Directory infrastructure would be affected. And part of the information system would have been encrypted.” reported the website LeMagit. “Two sources tell us that the ransomware involved is none other than Ryuk. Surprise, researcher  JamesWT_MHT  found on VirusTotal a copy of an executable which two sources have confirmed to us is used internally at ESN for the generation of email signatures.”

French authorities are investigating the incident.

Sopra Steria is a member of France’s Cyber Campus, a French initiative to spread cybersecurity awareness, training, and product sales.

The Ryuk ransomware operators were very active early this year, in March they targeted hospitals even as these organizations are involved in the fight against the Coronavirus pandemic.

In September, the Universal Health Services (UHS) healthcare providers has reportedly shut down systems at healthcare facilities after a Ryuk ransomware attack.

In March, the City of Durham shut down its network after Ryuk Ransomware attack.

A few days before, EVRAZ, one of the world’s largest multinational vertically integrated steel making and mining companies, has been hit by the Ryuk ransomware.

The list of the victims of the Ryuk ransomware is very long and includes the US government contractor Electronic Warfare Associates (EWA), US railroad company Railworks, Croatian petrol station chain INA Group, and parts manufacturer Visser Precision.

Pierluigi Paganini

(SecurityAffairs – hacking, Sopra Steria)

The post Sopra Steria hit by the Ryuk ransomware gang appeared first on Security Affairs.

Iran-Linked Seedworm APT target orgs in the Middle East

The Iran-linked cyber espionage group tracked as Seedworm started using a new downloader and is conducting destructive attacks.

The Iran-linked cyber-espionage group Seedworm (aka MuddyWater MERCURY, and Static Kitten) was observed using a new downloader in a new wave of attacks. Security experts pointed out that the threat actor started conducting destructive attacks.

Also referred to as MuddyWater, MERCURY, and Static Kitten, the cyber-espionage group was initially analyzed in 2017.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

Earlier this month, the Iranian APT group was observed actively targeting the Zerologon flaw.

According to security firm ClearSky and Symantec, Seedworm recently started using a new downloader dubbed PowGoop. Experts noticed that the threat actors used the downloader to deliver the Thanos ransomware in an attack aimed at an organization in the Middle East.

“PowGoop is a loader that was exposed in a PaloAlto report and later used in Operation Quicksand. PowGoop is comprised of a DLL Loader and a PowerShell-based downloader.” reads the report published by ClearSky. “The malicious file impersonates a legitimate goopdate.dll file that is signed as a Google Update executable”

The experts observed the attacks between July 6 and July 9, 2020, the hackers employed a strain of ransomware that was able to evade security tools and that implemented a destructive feature by overwriting the MBR.

Experts pointed out that the primary objectives of previous MuddyWater campaigns were espionage and cyber espionage, but in the latest campaign, tracked as ‘Operation Quicksand’ threat actors used for the first time the destructive malware in attacks on prominent organizations in Israel and in other countries around the world.

“We assess that the group is attempting to employ destructive attacks (the likes of the NotPetya attack from 2017), via a disguised as ransomware attacks” continnues the report.

“Although we didn’t see execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor, and the realization of this vector in the past, a destructive purpose is more likely than a ransomware that is being deployed for financial goals.”

Another report published by Symantec connected the dots between MuddyWater and the PowGoopdownlaoder.

“In several recent Seedworm attacks, PowGoop was used on computers that were also infected with known Seedworm malware (Backdoor.Mori). In addition to this, activity involving Seedworm’s Powerstats (aka Powermud) backdoor appears to have been superseded by DLL side-loading of PowGoop.” reads the report published by Symantec.

“Additionally, during PowGoop activity, we also observed the attackers downloading tools and some unknown content from GitHub repos, similar to what has been reported on Seedworm‘s Powerstats in the past.”

Symantec researchers noticed that on the same machine where Seedworm was active, the attackers deployed the PowGoop downloader which is known to be a malware that is part of Seedworm’s arsenal.

PowGoop appears to have been employed in attacks aimed at governments, education, oil and gas, real estate, technology, and telecoms organizations in Afghanistan, Azerbaijan, Cambodia, Iraq, Israel, Georgia, Turkey, and Vietnam.

Symantec’s analysis revealed that the PowGoop was masquerading as a Google tool and noticed the use of SSF and Chisel.

Experts speculate the PowGoop downloader might be an evolution of Powerstats tool employed by MuddyWater in previous attacks.

“Symantec has not found any evidence of a wiper or ransomware on computers infected with PowGoop.”Symantec concludes. “This suggests that either the simultaneous presence of PowGoop and Thanos in one attack was a coincidence or, if the two are linked, that PowGoop is not used exclusively to deliver Thanos,”

Pierluigi Paganini

(SecurityAffairs – hacking, Seedworm)

The post Iran-Linked Seedworm APT target orgs in the Middle East appeared first on Security Affairs.

FBI and CISA joint alert blames Russia’s Energetic Bear APT for US government networks hack

The US government declared that Russia-linked APT group Energetic Bear has breached US government networks and exfiltrated data.

A joint security advisory published by The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) revealed that Russia-linked APT group Energetic Bear has breached US government networks and exfiltrated data.

The Energetic Bear APT group (aka DragonFlyCrouching Yeti, TEMP.Isotope, Berserk Bear, TeamSpy, Havex, Koala). has been active since at least 2010 most of the victims of the group are organizations in the energy and industrial sectors.

In March 2018, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as DragonflyCrouching Yeti, and Energetic Bear.

This joint advisory provides information on Russia-linked APT actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. 

Officials said the group has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.

Energetic Bear successfully compromised the infrastructure and as of October 1, 2020, exfiltrated data from at least two victim servers.

“Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets.” reads the advisory. “The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

The Russian-sponsored APT actor uses previously obtained user and administrator credentials to access the target network and then perform lateral movement to locate high-value assets and exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to sensitive network configurations and passwords, standard operating procedures (SOP), IT instructions, such as requesting password resets, vendors and purchasing information. printing access badges.

This advisory updates another joint CISA-FBI cybersecurity advisory, which warned of attackers combining VPN and Windows Zerologon flaws to target government networks.

The new advisory attributes the cyber attacks to the Russian threat actor and included technical details about the Energetic Bear’s TTPs.

The state-sponsored hackers scanned for vulnerable Citrix (CVE-2019-19781) and Microsoft Exchange services (CVE-2020-0688) and identified vulnerable installs for future exploitation.

According to the technical advisory, Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Hackers also targeted Exim mail agents (CVE 2019-10149) and Fortinet SSL VPNs (CVE-2018-13379).

Once gained access to the target networks, Russian hackers moved laterally exploiting the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials to take over the target’s internal network.

“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities,” continues the alert.

“As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised.”

Pierluigi Paganini

(SecurityAffairs – hacking, Energetic Bear)

The post FBI and CISA joint alert blames Russia’s Energetic Bear APT for US government networks hack appeared first on Security Affairs.

US whistleblower Edward Snowden received permanent residency by Russian authorities

The popular US whistleblower Edward Snowden has been granted permanent residency in Russia, the announcement was made by his lawyer.

The former CIA employee and National Security Agency contractor Edward Snowden (37) has been granted permanent residency in Russia, his lawyer announced on Thursday.

In 2013, Edward Snowden shed the light on the mass surveillance program operated by the US government to spy on its citizens and allies.

The man expressed his desire to return to the United States where he is considered a criminal and a threat to homeland security due to his revelation. Snowden is wanted in the United States on espionage charges after he revealed details on the surveillance apparatus used by the National Security Agency (NSA) to collect telephone records of millions of US citizens. 

According to his lawyer Anatoly Kucherena, Snowden’s residency permit was extended as the result of recent changes introduced to Russia’s immigration law. The residency permit and is now indefinite, as reported by AFP press.

“Kucherena said it was “natural” that Snowden wanted to return to the United States but will only do so when the case against him is closed.” reported AFP.

Edward snowden

The application was filed in April, but the decision of the Russian authorities was made public only this week due to a delay in the process caused by the ongoing COVID-19 pandemic.

It is not clear if Snowden plans to apply for Russian citizenship.

Earlier this year, US President Donald Trump announced that he was evaluating the possibility of pardoning Snowden but he did not provide further details on the case. 

In 2015 the White House rejected a petition calling on then-president Barack Obama to pardon the popular US whistleblower.

In September 2019, the US DoJ filed a lawsuit against Edward Snowden to prevent the former CIA employee and National Security Agency contractor from receiving the payment for his book, Permanent Record.

According to the civil lawsuit, filed in the Eastern District of Virginia, Snowden violated non-disclosure agreements signed when he was an employee at the US intelligence agencies.

Pierluigi Paganini

(SecurityAffairs – hacking, Snowden)

The post US whistleblower Edward Snowden received permanent residency by Russian authorities appeared first on Security Affairs.

EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack

The Council of the European Union announced sanctions imposed on Russian military intelligence officers for 2015 Bundestag hack.

The Council of the European Union announced sanctions imposed on Russian military intelligence officers, belonging to the 85th Main Centre for Special Services (GTsSS), for their role in the 2015 attack on the German Federal Parliament (Deutscher Bundestag).

The 85th Main Centre for Special Services (GTsSS) is the military unit of the Russian government also tracked as APT28  (aka Fancy BearPawn StormSofacy GroupSednit, and STRONTIUM).

The APT28 group (aka Fancy BearPawn StormSofacy GroupSednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

“The Council today imposed restrictive measures on two individuals and one body that were responsible for or took part in the cyber-attack on the German Federal Parliament (Deutscher Bundestag) in April and May 2015.” reads the press release published by the Council. “This cyber-attack targeted the parliament’s information system and affected its ability to operate for several days. A significant amount of data was stolen and the email accounts of several members of parliament, including that of Chancellor Angela Merkel, were affected.”

Immediately after the attack the daily Der Spiegel speculated that the Russian Government was behind the attack.  

Bundestag German politicians

The attackers used a sophisticated strain of malware to violated the Bundestag network and syphoned sensitive data. The experts that analyzed the malicious code employed in the hack found many similarities with a piece of malware used in a previous attack against a German Government network that took place in 2014.

“The cyber attack on the “Parlakom” network was discovered in early May. At the parliamentary IT network 20,000 Bundestag accounts are connected – including German Chancellor Angela Merkel and other government officials.” continues the Der Spiegel.

EU’s sanctions imposed on Russian military officers include travel bans and asset freezes, they also block EU organizations and individuals from transferring funds to sanctioned entities and individuals.

The Council’s sanctions target a total of 8 persons and 4 entities and bodies.

“Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox), and are intended to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace,” a press release published earlier reads. “The relevant legal acts, including the names of the individuals and the body concerned, have been published in the Official Journal.”

Two of the officers sanctioned by the Council of the European Union are Dmitry Sergeyevich Badin and Igor Olegovich Kostyukov are known members of the GTsSS.

The two officers were also indicted by US DoJ in October 2018, along with other five members of the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.

Kostyukov was also reached by an executive order issued by President Barack Obama in 2016 to impose sanctions on a number of Russian military and intelligence officials in response to the alleged hacking campaigns against the 2016 US Presidential Election.

Kostyukov is the current chief of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU).

“In this capacity, Igor Kostyukov is responsible for cyber-attacks carried out by the GTsSS, including those with a significant effect constituting an external threat to the Union or its Member States,” states the Council. “In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) which took place in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018.”

In July 2020, for the first-ever time, the EU has imposed economical sanctions on Russia, China, and North Korea following cyber-attacks aimed at the EU and its member states.

The EU Council announced sanctions imposed on a Russia-linked military espionage unit, as well as companies operating for Chinese and North Korean threat actors that launched cyber-attacks against the EU and its member states.

The sanctions were imposed as part of a legal framework established on May 17, 2019, which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks aimed at the EU or its member states.

Pierluigi Paganini

(SecurityAffairs – hacking, Bundestag)

The post EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack appeared first on Security Affairs.

Cisco addresses 17 high-severity flaws in security appliances

Security Advisory Bundled Publication for October 2020 – Cisco announced the release of patches for 17 high-severity flaws in its security appliances.

Cisco announced the release of security patches for 17 high-severity vulnerabilities in its security appliances as part of its Security Advisory Bundled Publication for October 2020.

The vulnerability impacts Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC).

“The October 21, 2020 release of the ASA, FMC, and FTD Software Security Advisory Bundled Publication includes 17 Security Advisories that describe 17 vulnerabilities in ASA, FMC, and FTD Software. Cisco has released software updates for these vulnerabilities.” states the advisory.

“All of these vulnerabilities have a Security Impact Rating (SIR) of High.”

Most of the vulnerability addressed by the IT giant can be exploited by remote, unauthenticated attackers. The list of addressed vulnerabilities includes denial-of-service (DoS), CSRF, FMC authentication bypass, and MitM issues.

The company also fixed multiple vulnerabilities that require local access or authentication to be exploited, an attacker can trigger them to read or write files on a device, cause a DoS condition, bypass the secure boot mechanism, and escape containers and execute commands with root privileges.

The good news is that Cisco is not aware of attacks in the wild exploiting these vulnerabilities.

Cisco is also warning of attacks targeting the CVE-2020-3118 high severity vulnerability that affects multiple carrier-grade routers running the Cisco IOS XR Software.

The flaw resides in the Discovery Protocol implementation for Cisco IOS XR Software and could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

Pierluigi Paganini

(SecurityAffairs – hacking)

The post Cisco addresses 17 high-severity flaws in security appliances appeared first on Security Affairs.

Taiwanese vendor QNAP issues advisory on Zerologon flaw

Taiwanese vendor QNAP published an advisory to warn customers that certain versions of its NAS OS (QTS) are affected by the Zerologon vulnerability.

The Taiwanese vendor QNAP has published an advisory to warn customers that certain versions of the operating system for its network-attached storage (NAS) devices, also known as of QTS, are affected by the Zerologon vulnerability (CVE-2020-1472).

The CVE-2020-1472 flaw is an elevation of privilege that resides in the Netlogon. The Netlogon service is an Authentication Mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates Domain Controllers.

Administrators of enterprise Windows Servers have to install the August 2020 Patch Tuesday to mitigate “unacceptable risk” posed by the flaw to federal networks.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

The only limitation on how to carry out a Zerologon attack is that the attacker must have access to the target network.

The flaw was discovered by researchers from the security firm Secura that also published technical details of the issue along with proof-of-concept exploits.

On September 18, the US CISA issued an Emergency Directive requiring federal agencies to install the available patches within three days.

Threat actors immediately started targeting the vulnerability in attacks in the wild, including Iranian APT groups and at least a Russian cybercrime gang.

QNAP already released security updates to address the Zerologon flaw in its products to prevent that attackers will use its NAS devices to take over entire networks.

“The Zerologon vulnerability has been reported to affect some versions of QTS.” reads the advisory issued by the vendor. “If exploited, this elevation of privilege vulnerability allows remote attackers to bypass security measures via a compromised QTS device on the network.”

Threat actors can exploit the issue in the NAS if users have configured the device as a domain controller in Control Panel > Network & File Services > Win/Mac/NFS > Microsoft Networking.

QNAP has already addressed the Zerologon vulnerability in the following software versions:

  • QTS 4.5.1.1456 build 20201015 and later
  • QTS 4.4.3.1439 build 20200925 and later
  • QTS 4.3.6.1446 Build 20200929 and later
  • QTS 4.3.4.1463 build 20201006 and later
  • QTS 4.3.3.1432 build 20201006 and later

The company pointed out that QTS 2.x and QES are not affected by this flaw.

QSnatch QNAP

QNAP users are advised to update QTS to the latest available version and to ensure that all other applications on their devices are up to date.

QNAP’s advisory also includes details on how to install the QTS Update and to update all installed applications.

Pierluigi Paganini

(SecurityAffairs – hacking, QNap)

The post Taiwanese vendor QNAP issues advisory on Zerologon flaw appeared first on Security Affairs.

ENISA Threat Landscape Report 2020

According to the ENISA Threat Landscape Report 2020, cyberattacks are becoming more sophisticated, targeted, and in many cases undetected.

I’m proud to present the ENISA Threat Landscape Report 2020, the annual report published by the ENISA that provides insights on the evolution of cyber threats for the period January 2019-April 2020.

The 8th annual ENISA Threat Landscape (ETL) report was compiled by the European Union Agency for Cybersecurity (ENISA), with the support of the European Commission, EU Member States and the CTI Stakeholders Group.

It is an amazing work that identifies and evaluates the top cyber threats for the period January 2019-April 2020.

This year the report has a different format that could allow the readers to focus on the threat of interest. The publication is divided into 22 different reports, which are available in both pdf form and ebook form.

The report provides details on threats that characterized the period of the analysis and highlights the major change from the 2018 threat landscape as the COVID-19-led transformation of the digital environment.

“During the pandemic, cyber criminals have been seen advancing their capabilities, adapting quickly and targeting relevant victim groups more effectively. (Infographic – Threat Landscape Mapping during COVID-19). states the report.

ENISA Threat Landscape Report 2020

The ETL report provides strategic and technical analysis of the events, it was created to provide relevant information to both technical and non-technical readers.

For a better understanding of how the ETL is structured, we recommend the initial reading of “The Year in Review” report, the following table could help readers to focus on the section of their interest included in the publication.

The report highlights the importance of cyber threat intelligence to respond to increasingly automated attacks leveraging automated tools and skills.

Another element of concern is the diffusion of IoT devices, in many cases, smart objects are exposed online without protection.

Below the main trends reported in the document:

  • Attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation.
  • There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
  • The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
  • Finely targeted and persistent attacks on highvalue data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors.
  • Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft.
  • The motivation behind the majority of cyberattacks is still financial.
  • Ransomware remains widespread with costly consequences to many organisations.
  • Still many cybersecurity incidents go unnoticed or take a long time to be detected.
  • With more security automation, organisations will be invest more in preparedness using Cyber Threat Intelligence as its main capability.
  • The number of phishing victims continues to grow since it exploits the human dimension being the weakest link.

Let me close with the Top Threats 2020, for each threat the report includes detailed information on trends and observed evolution.

ENISA Threat Landscape Report 2020 2

Enjoy it!

Pierluigi Paganini

(SecurityAffairs – hacking, ENISA Threat Landscape Report 2020)

The post ENISA Threat Landscape Report 2020 appeared first on Security Affairs.

VMware fixes several flaws in its ESXi, Workstation, Fusion and NSX-T

VMware patched several flaws in its ESXi, Workstation, Fusion and NSX-T products, including a critical code execution vulnerability.

VMware has fixed several vulnerabilities in its ESXi, Workstation, Fusion and NSX-T products, including a critical flaw that allows arbitrary code execution.

The critical vulnerability, tracked as CVE-2020-3992, is a use-after-free issue that affects the OpenSLP service in ESXi. The vulnerability can allow remote attackers to execute arbitrary code on affected installations of the ESXi product.

The attacker can exploit the flaw needs to be on the management network and have access to port 427 on an ESXi machine in order to exploit the vulnerability.

“OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published by VMware.

“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”

The vulnerability was reported to VMware on July 22 by Lucas Leong (@_wmliang_) from Trend Micro’s Zero Day Initiative.

The virtualization giant addressed the vulnerability in ESXi and VMware Cloud Foundation.

The company also patched a high-severity flaw in NSX-T, tracked as CVE-2020-3993, which is caused by the way a KVM host is allowed to download and install packages from the NSX manager. The flaw could be exploited by a MitM attacker to compromise transport nodes.

“VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.” reads the advisory.

“A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.”

The researchers Reno Robert discovered an out-of-bounds read vulnerability in VMware ESXi, Workstation and Fusion. The issue is due to a time-of-check time-of-use issue in ACPI device.

An attacker with administrative access to a virtual machine may be able to exploit this flaw to leak memory from the vmx process.

VMware also addressed a vulnerability, tracked as CVE-2020-3994, in the vCenter Server session hijack vulnerability in the update function.

“A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.” reads the advisory.

The vulnerability was repored by Thorsten Tüllmann of the Karlsruhe Institute of Technology.

Pierluigi Paganini

(SecurityAffairs – hacking, VMware)

The post VMware fixes several flaws in its ESXi, Workstation, Fusion and NSX-T appeared first on Security Affairs.

Adobe releases a new set of out-of-band patches for its products

Adobe has released a second out-of-band security update to address critical vulnerabilities affecting several products. 

Adobe has released a second out-of-band security update to fix critical vulnerabilities that impact numerous products of the IT giant. 

The flaws impact Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines. 

Adobe has released seven critical vulnerabilities in Illustrator, including memory corruption and out of bounds read/write issues that can lead to arbitrary code execution. 

Below the vulnerability details:

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Out-of-Bounds Read


Arbitrary code execution  CriticalCVE-2020-24409
CVE-2020-24410
Out-of-Bounds WriteArbitrary code execution 


Critical


CVE-2020-24411
Memory Corruption    Arbitrary Code Execution    Critical CVE-2020-24412
CVE-2020-24413
CVE-2020-24414
CVE-2020-24415

Adobe has addressed an “important” uncontrolled search path element security flaw in Dreamweaver which could be exploited by attackers to escalate privilege.

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Uncontrolled Search Path Element
Privilege Escalation ImportantCVE-2020-24425

The company fixed four critical vulnerabilities in Animate, they are out-of-bounds read, stack overflow, and double-free flaws that can result in arbitrary code execution.  

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Double-freeArbitrary code executionCriticalCVE-2020-9747
Stack-based buffer overflowArbitrary code executionCriticalCVE-2020-9748
Out-of-bounds readArbitrary code executionCriticalCVE-2020-9749
CVE-2020-9750

Adobe addressed an “important” XSS issue impacting the Marketo Sales Insight Salesforce package that could have been weaponized to deploy malicious JavaScript in a browser session. 

 Vulnerability Category Vulnerability ImpactSeverityCVE numbers
Cross-site Scripting (stored) JavaScript execution in the browserImportantCVE-2020-24416

The company addressed

Vulnerability details

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Out-of-Bounds Read Arbitrary Code Execution     Critical  CVE-2020-24418
Uncontrolled search pathArbitrary Code Execution       CriticalCVE-2020-24419

Adobe addressed a single out-of-bounds read and an uncontrolled search path critial flaws in After Effects that could lead to the execution of malicious code are now patched. 

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Out-of-Bounds Read Arbitrary Code Execution     Critical  CVE-2020-24418
Uncontrolled search pathArbitrary Code Execution       CriticalCVE-2020-24419

Adobe has fixed a critical memory corruption flaw in InDesign that could also be exploited to execute arbitrary code. 

Vulnerability CategoryVulnerability ImpactSeverityCVE Number
Memory Corruption Arbitrary Code ExecutionCriticalCVE-2020-24421

The company also fixed other critical uncontrolled search path issues in PhotoshopPremiere ProMedia Encoder, and Creative Cloud installer for desktop.

Last week, Adobe released a separate set of out-of-band security patches affecting the Magento platform.

Pierluigi Paganini

(SecurityAffairs – hacking, code execution)

The post Adobe releases a new set of out-of-band patches for its products appeared first on Security Affairs.

Sweden bans Huawei and ZTE from building its 5G infrastructure

Sweden is banning Chinese tech giant Huawei and ZTE from building new 5G wireless networks due to national security concerns.

Another state, Sweden, announced the ban of Chinese tech companies Huawei and ZTE from building its 5G network infrastructure.

The Swedish Post and Telecom Authority announced this week that four wireless carriers bidding for frequencies in an upcoming spectrum auction for the new 5G networks (Hi3G Access, Net4Mobility, Telia Sverige and Teracom) cannot use network equipment from the Chinese firms.

The Swedish telecom regulator is also urging carriers to replace any existing equipment from Huawei or ZTE by January 1st, 2025, at the latest.

The decision is the result of assessments made by the Swedish military and security service.

“In accordance with new legislation, which entered into force on 1 January 2020, an examination of applications has been conducted in consultation with the Swedish Armed Forces and the Swedish Security Service, to ensure that the use of radio equipment in these bands does not cause harm to Sweden´s security.” reads a press release published by the Swedish Post and Telecom Authority.

The ban aims at new installations and new implementation of central functions for the radio use in the frequency bands.

Sweden is the latest country to ban Huawei from participating in building 5G networks.

Recently Belgian telecoms operators Orange Belgium and Proximus announced that it will gradually replace the equipment from the Chinese manufacturer Huawei.

Huawei ban

The U.S. is pushing its allies for banning Huawei, ZTE and other Chinese companies, Washington highlighted the risks for national security in case of adoption of Huawei equipment and is urging internet providers and telco operators in allied countries to ban Chinese firms.

The Chinese giant was already excluded by several countries from building their 5G internet networks. The United StatesAustraliaNew ZealandRomania, and Japan announced the exclusion of Huawei technology for their 5G internet networks.

In April 2018, the UK GCHQ intelligence agency warned UK telcos firms of the risks of using ZTE equipment and services for their infrastructure.

In December 2018, a Czech cyber-security agency is warned against using Huawei and ZTE technologies because they pose a threat to state security.

In September, the US Federal Communications Commission (FCC) estimated the cost of a full replacement of all Huawei and ZTE hardware on American wireless networks at $1.837bn.

Klas Friberg, the head of Sweden’s domestic security service (SAPO) declared that foreign states have intensified their intelligence activity and the protection of 5G networks from cyber espionage and hacking campaign from threat actors is crucial for homeland security.

“China is one of the biggest threats to Sweden,” Friberg said. “The Chinese state is conducting cyber espionage to promote its own economic development and develop its military capabilities. This is done through extensive intelligence gathering and theft of technology, research and development. This is what we must consider when building the 5G network of the future.”

Huawei was “surprised and disappointed” by the decision of the Swedish authority.

“Huawei has never caused even the slightest shred of threat to Swedish cyber security and never will,” reads a statement from the Chinese giant Huawei. “Excluding Huawei will not make Swedish 5G networks any more secure. Rather, competition and innovation will be severely hindered.

Pierluigi Paganini

(SecurityAffairs – hacking, 5G)

The post Sweden bans Huawei and ZTE from building its 5G infrastructure appeared first on Security Affairs.

Chrome 86.0.4240.111 fixes actively exploited CVE-2020-15999 zero-day

Google has released Chrome version 86.0.4240.111 that also addresses the CVE-2020-15999 flaw which is an actively exploited zero-day.

Google has released Chrome version 86.0.4240.111 that includes security fixes for several issues, including a patch for an actively exploited zero-day vulnerability tracked as CVE-2020-15999.

The CVE-2020-15999 flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.

White hat hackers from the Google Project Zero team spotted attacks exploiting the vulnerability in the wild.

The researchers did not disclose technical details about the attacks exploiting the CVE-2020-15999 in the wild to avoid mass exploitation from threat actors.

Google Project Zero is recommending other app development teams who use the same FreeType library to update their software as well.

The FreeType version 2.10.4 address this issue.

Chrome users can update their install to v86.0.4240.111 via the browser’s built-in update function.

Experts pointed out that since the patch for this zero-day is visible in the source code of the FreeType open-source library, threat actors will be able to make a reverse-engineering of the code and develop working exploits for the issue.

In the recent twelve months, Google addressed another two zero-day vulnerabilities tracked as CVE-2019-13720 (Oct. 2019) and CVE-2020-6418 (Feb. 2020) respectively

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

The post Chrome 86.0.4240.111 fixes actively exploited CVE-2020-15999 zero-day appeared first on Security Affairs.

Hackers are targeting CVE-2020-3118 flaw in Cisco devices

Cisco warns of attacks attempting to exploit the CVE-2020-3118 vulnerability that affects multiple carrier-grade routers running Cisco IOS XR Software.

Cisco is warning of attacks targeting the CVE-2020-3118 high severity vulnerability that affects multiple carrier-grade routers running the Cisco IOS XR Software.

The flaw resides in the Cisco Discovery Protocol implementation for Cisco IOS XR Software and could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

“The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device.” reads the advisory. “A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device.”

Cisco experts pointed out that the flaw can be exploited by unauthenticated adjacent attackers (Layer 2 adjacent) in the same broadcast domain as the vulnerable devices.

It is listed in top 25 vulnerabilities, shared by the NSA, exploited by Chinese state-sponsored hacking groups in attacks in the wild.

The IOS XR Network OS runs on several Cisco router families including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

The vulnerability also impacts third-party white box routers and Cisco products that have the Cisco Discovery Protocol enabled both on at least one interface and globally. Below the list of impacted devices:

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • IOS XRv 9000 Router
  • Network Convergence System (NCS) 540 Series Routers
  • Network Convergence System (NCS) 560 Series Routers
  • Network Convergence System (NCS) 1000 Series Routers
  • Network Convergence System (NCS) 5000 Series Routers
  • Network Convergence System (NCS) 5500 Series Routers
  • Network Convergence System (NCS) 6000 Series Routers

Cisco addressed the CVE-2020-3118 flaw in February 2020, along with four other severe issues collectively tracked as CDPwn.

“In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted exploitation of this vulnerability in the wild,” states the updated advisory.

“Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.”

The following table reports the fixed release for this flaw:

Cisco IOS XR Software ReleaseFirst Fixed Release for This Vulnerability
Earlier than 6.6Appropriate SMU
6.616.6.3 or appropriate SMU
7.07.0.2 (Mar 2020) or appropriate SMU
7.1Not vulnerable

The advisory includes mitigation to address the flaw, the company suggests disabling Cisco Discovery Protocol Globally and on an Interface for customers who can immediately apply the security updates.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco CVE-2020-3118 flaw)

The post Hackers are targeting CVE-2020-3118 flaw in Cisco devices appeared first on Security Affairs.

Microsoft took down 120 of 128 Trickbot servers in recent takedown

Microsoft brought down TrickBot infrastructure last week, but a few days later the botmasters set up a new command and control (C&C) servers.

Microsoft’s Defender team, FS-ISACESETLumen’s Black Lotus LabsNTT, and Broadcom’s cyber-security division Symantec joined the forces and announced last week a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Even if Microsoft and its partners have brought down the TrickBot infrastructure TrickBot operators attempted to resume the operations by setting up new command and control (C&C) servers online.

TrickBot botnet

Microsoft provided an update on its takedown efforts and announced a new wave of takedown actions against TrickBot.

According to the IT giant, the operation conducted last week has taken down 94% of the servers composing the Trickbot infrastructure. Trickbot enables ransomware attacks which have been identified as one of the biggest threats to the upcoming U.S. elections. 

“We initially identified 69 servers around the world that were core to Trickbot’s operations, and we disabled 62 of them. The seven remaining servers are not traditional command-and-control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled. As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers they attempted to add to their infrastructure.” said Tom Burt, CVP of Customer Security and Trust at Microsoft. “We’ve now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world.”

Microsoft has taken down 120 of the 128 servers that were composing the Trickbot infrastructure.

Microsoft announced to have taken down 62 of the original 69 TrickBot C&C servers, seven servers that could not be brought down last week were Internet of Things (IoT) devices.

Microsoft also revealed that operators tried to resume the operations, The company brought down 58 of the 59 servers the operators attempted to bring online after the recent takedown.

Burt praised the role of Microsoft’s lawyers who quickly requested new court orders to take down the new servers set up by the Trickbot operators in response to the takedown.

“We have identified new Trickbot servers, located their respective hosting provider, determined the proper legal methodology to take action, and completely disabled those servers in less than three hours. Our global coordination has allowed a provider to take quick action as soon as we notify them – in one case, in less than six minutes.” continues the expert. “What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks, and it has had to turn elsewhere for operational help.”

Currently, a few Trickbot C2 servers are still active and operators are using them to control the botnet. Researchers from cyber-security firm Intel 471 reported that these servers are based in Brazil, Colombia, Indonesia, and Kyrgyzstan, and that they still are able to respond to Trickbot bot requests.

“This small number of working control servers was not listed in the most recent distributed Trickbot sample.” states Intel 471.

Burt pointed out that TrickBot operators are working to restore their infrastructure instead of conducting new attacks.

“We fully expect that Trickbot’s operators will continue looking for ways to stay operational, and we and our partners will continue to monitor them and take action.” Microsoft concludes. “We encourage others in the security community who believe in protecting the elections to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline.”

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

The post Microsoft took down 120 of 128 Trickbot servers in recent takedown appeared first on Security Affairs.

NSA details top 25 flaws exploited by China-linked hackers

The US National Security Agency (NSA) has shared the list of top 25 vulnerabilities exploited by Chinese state-sponsored hacking groups in attacks in the wild.

The US National Security Agency (NSA) has published a report that includes details of the top 25 vulnerabilities that are currently being exploited by China-linked APT groups in attacks in the wild.

The knowledge of these vulnerabilities could allow IT and security staffs at organizations worldwide to protect their infrastructure against Chinese state-sponsored hacking campaigns.

The report includes well known vulnerabilites that have been already addressed by their vendors.

“This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks.” reads the report. “The majority of the products are either for remote access (T1133)1 or for external web services (T1190), and should be prioritized for immediate patching.”

The report includes a description of the vulnerability and the recommended mitigations.

The exploits for many of these vulnerabilities are publicly available and are employed by multiple threat actors, including China-linked hackers, in attacks in the wild.

The majority of the vulnerabilities can be exploited to gain initial access to the target networks, they affect systems that are directly accessible from the Internet, such as firewalls and gateways.

NSA confirmed that it is aware that National Security Systems, Defense Industrial Base, and Department of Defense networks are consistently scanned, targeted, and exploited by Chinese state-sponsored cyber actors. The US agency recommends that critical system owners will address the above vulnerabilities to mitigate the risk of loss of sensitive information that could have a significant impact on U.S. policies, strategies, plans, and competitive advantage.

The

These include:

1) CVE-2019-11510 – In Pulse Secure VPNs, ® 7 an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords.

2) CVE-2020-5902– In F5 BIG-IP® 8 proxy / load balancer devices, the Traffic Management User Interface (TMUI) – also referred to as the Configuration utility – has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

3) CVE-2019-19781 – An issue was discovered in Citrix® 9 Application Delivery Controller (ADC) and Gateway. They allow directory traversal, which can lead to remote code execution without credentials.

4+5+6) CVE-2020-8193CVE-2020-8195CVE-2020-8196– Improper access control and input validation, in Citrix® ADC and Citrix® Gateway and Citrix® SDWAN WAN-OP, allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users

7) CVE-2019-0708 (aka BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services®10 when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests

8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron®13 mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.

9) CVE-2020-1350 (aka SIGRed– A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

10) CVE-2020-1472 (aka Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.

12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.

13) CVE-2020-0688 – A Microsoft Exchange® validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory

14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic 15 Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object

16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence systems.

17) CVE-2019-3396– The Widget Connector macro in Atlassian Confluence 17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.

20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.

21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.

22) CVE-2019-0803– An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

23) CVE-2017-6327– The Symantec Messaging Gateway can encounter a remote code execution issue.

24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.

Pierluigi Paganini

(SecurityAffairs – hacking, NSA)

The post NSA details top 25 flaws exploited by China-linked hackers appeared first on Security Affairs.

How Automation can help you in Managing Data Privacy

The global data privacy landscape is changing and everyday we can see new regulations emerge.

These regulations are encouraging organizations to be better custodians of the consumers data and create a healthier space for data privacy. In order to do so organizations will need to rework their operations and revamp their processes in order to comply with these regulations.

According to a report by the International Association of Privacy Professionals, 33% of respondents have considered revamping their technology solutions around data privacy. This is where data privacy comes into play and organizations are looking for data privacy management softwares that can fulfill their data privacy needs, while complying with data regulations in order to avoid fines.

Tracking Personal Data

Data is stored in a plethora of internal and external systems in structured or unstructured form all across the organization. These systems can even spread over a geographical area depending on the size of the organization. In order to retrieve information, manual methods can be seen as tedious and time-consuming, not to mention the factor of human error.

According to Aoife Harney, Compliance Manager at AON, “One of the most important aspects of any data protection program is having an in-depth and documented knowledge of the what, the why, the where, the who, and the how.”

Different data privacy softwares that incorporate data intelligence serve various purposes in the organization. Certain softwares deal with cookies and consent, while others could focus on breach notification.

Now a days, organizations need all in one privacy management software platform that can address all these requirements and integrate data privacy within all their operations:

Compliance Requirements

Data privacy regulations such as the CCPA and GDPR require organizations to take responsibility for their consumers’ data. All data privacy regulations impose obligations on businesses for the protection of privacy of consumers by restricting data capture mechanisms, providing privacy rights to consumers on their personal data and introducing accountability in businesses data policies. Furthermore it imposes responsibilities on data controllers who store and hold data to protect it from unauthorized disclosures and to inform consumers when and if their data is breached.

In order to comply with these obligations organizations need to revamp the following practices to stay in compliance with global data privacy regulations.

  • DSR Fulfillment: Organizations will be met with a plethora of Data Subject requests and will be required to fulfill them all in a specific time frame based on the regulations they are required to comply with. In order to make this process swift and seamless, organizations will have to automate their DSR fulfillment process.
  • Data Mapping: Organizations have stored immense amounts of data over their internal and external systems that can spread across on a geographic level. In order to quickly link this data to the owner to avoid any delays, data mapping automation plays a quintessential part in complying with any data privacy regulation.
  • Vendor Assessment: Manually assessing your third-party vendors and your own organization can be a tedious task that can present several bottlenecks and lack in collaboration. Whether you want to collaborate with key stakeholders or third-party vendors, there needs to be an automated system that can bring about this automation while simplifying the assessment process.
  • Consent Management: Regulations such as the CCPA and GDPR require organizations to take freely given consent from their consumers before processing their data. Doing this task manually leaves room for human error and also the use of time and resources. Organizations need to create a universal consent capture system that can make this process faster while freeing up resources as well.
  • Breach Notification: Privacy regulations require organizations to send a notification in case of a breach. Under the GDPR, for example,an obligatory 72-hour data breach notice for unauthorized access to systems and data, use and distribution of data is mandatory (Article 33). Recognizing a breach and then sending out a notification through manual means makes it virtually impossible to comply with the time frame given. Automating your breach notification system can save organizations thousands in fines.
  • Privacy Policy Management: One of the core parts of any regulation is the need to revamp an organization’s privacy policies. These policies need to be in line with the data privacy regulations in order to comply. Organizations will need to revisit their privacy policies and change them according to the guidelines provided by these privacy regulations.

Automation: the Future of Compliance

The future beckon the arrival of automation and organizations will have to quickly adopt this if they hope to improve their chances at complying with global privacy regulations. Irrespective of the current state of the globe, data regulations are still going into effect and being enforced. If an organization hopes to comply with these regulations they need to find a solution that will automate their operations and manage all the aforementioned privacy requirements.

Aoife Harney says “Being able to clearly see when a client’s personal data was collected, what legal basis is relied upon for that activity, who accesses that information, and when it’s appropriate to erase is incredibly useful to any organization,” 

Organizations need to find a solution that will help them with their compliance requirements. The ideal situation would be to get this solution from an organization that allows flexibility and customization, as well as one that considers your suggestions from early adopters.

Organizations can also consider SECURITI.ai which is reputed as the Privacy Leader that offers a one-stop data privacy solution to businesses.

Authors:

Ramiz Shah, Digital Content Producer at SECURITI.ai

Anas Baig, Team Lead at SECURITI.ai

Pierluigi Paganini

(SecurityAffairs – hacking, automation)

The post How Automation can help you in Managing Data Privacy appeared first on Security Affairs.

MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

Researchers discovered that MMO game Street Mobster is leaking data of 1.9 million users due to SQL Injection critical vulnerability.

Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

Original Post: https://cybernews.com/street-mobster-game-leaking-data-of-2-million-players

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

Street Mobster

What is SQL Injection?

First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.

Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.

The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.

How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

  • By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
  • The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
  • Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks. 

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well. 

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration. 

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue. 

Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.

Pierluigi Paganini

(SecurityAffairs – hacking, Street Mobster)

The post MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability appeared first on Security Affairs.

Nefilim ransomware gang published Luxottica data on its leak site

The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley. Luxottica also makes sunglasses and prescription frames for designer brands such as Chanel, Prada, Giorgio Armani, Burberry, Versace, Dolce and Gabbana, Miu Miu, and Tory Burch.

Luxottica employs over 80,000 people and generated 9.4 billion in revenue for 2019.

On September 18, the company was hit by a cyberattack, some of the web sites operated by the company were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision.

Italian media outlets reported that the operations at the plants of Luxottica in Agordo and Sedico (Italy) were disrupted due to a computer system failure. Union sources confirmed that the personnel at the plants received an SMS in which they were notified that “the second workshift of today 21 September is suspended” due to “serious IT problems”.

BleepingComputer website, citing the security firm Bad Packets, speculates that the Italian was using a Citrix ADX controller device vulnerable to the critical CVE-2019-19781 vulnerability in Citrix devices.

At the time Luxottica has yet to release any official statement on the attack.

Security experts believe that threat actor exploited the above flaw to infect the systems at the company with ransomware.

Now we have more information about the incident, that seems to be the result of a ransomware attack.

The popular Italian cyber security expert Odysseus first revealed on the web site “Difesa e Sicurezza” that the Nefilim ransomware operators have posted a long list of files that appear to belong to Luxottica.

The huge trove of files appears to be related to the personnel office and finance departments.

Luxottica

The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department.

The exposed financial data includes budgets, marketing forecast analysis, and other sensitive data.

Nefilim ransomware operators also published a message which accuses Luxottica of having failed the properly manage the attack.

In the past months, the number of ransomware attacks surged, numerous ransomware gangs made the headlines targeting organizations worldwide and threating the victims of releasing the stolen data if the ransom was not paid.

“Extortion it’s the “new deal” of the cybercrime: now, more than in the past, companies can’t “hide” the cyber attack anymore. Now it becomes mandatory “manage” the breach from the communication perspective: dissembling is useless and harmful.” explained Odysseus. “And again, defend the companies from the cyber attacks becomes even more strategic: data leaks damages can generate tremendus amount of costs for companies worldwide.”

One of the crews that adopted this double-extortion model is the Nefilim ransomware gang that targeted several organizations including the mobile network operator Orange,  the independent European leader in multi-technical services The SPIE Group, the German largest private multi-service provider Dussman Group.

Pierluigi Paganini

(SecurityAffairs – hacking, Luxottica)

The post Nefilim ransomware gang published Luxottica data on its leak site appeared first on Security Affairs.

Pay it safe: Group-IB aids Paxful in repelling a series of web-bot attacks

Group-IB assisted Paxful, an international peer-to-peer cryptocurrency marketplace, in countering web-bot and social engineering attacks

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has assisted Paxful, an international peer-to-peer cryptocurrency marketplace, in countering a wave of web-bot and social engineering attacks, and customer account takeovers. Powered with Group-IB’s solution for online fraud prevention Secure Portal, the platform has managed to fight off over 220,000 requests from web-bots in just two months, shielding its 4.5 million customers against possible attacks. The figure suggests that bitcoin platforms remain of great interest to threat actors. 

Cryptocurrencies, in general, are the apple of cybercriminals’ eye: Group-IB has alerted cryptocurrency holders to various scams on numerous occasions: fake giveawaysnon-existent cryptocurrency investment platforms, as well as personal data-exposing schemes, have found hundreds of thousands of people as their victims.

The scope of online threats that Paxful faced before acquiring Secure Portal ranged from social engineering attacks to customer account takeover, which is not surprising given the popularity of cryptocurrencies. But it was the detection and prevention of bad bot activity that pushed Paxful to adopt an additional layer of cybersecurity and resort to Group-IB. Bots, which are reported to generate about a quarter of global Web traffic, are de facto programs that emulate the actions of a real device for the purposes needed. They are a big headache for eCommerce businesses today, with cybercriminals using them to steal money, brute-force user credentials or carry out DDoS attacks. 

The brute-forcing of user credentials was the case with Paxful. To successfully thwart bad-bot activity, Group-IB Secure Portal creates a unique fingerprint of a device that is based on over a dozen of indicators and metrics, including info on the user-agent, platform, operation system, the time zone from which the user operates, device language, and others. Based on this fingerprinting and behavioral analysis, Group-IB Secure Portal identifies and issues an alert for any suspicious activity in real-time, after which this detection is used by Paxful to block bad bots. 

Trojans have also been spotted in the attacks on the marketplace: Group-IB Secure Portal has identified at least 1,200 user devices infected with Trojans. The detection of malware is considerably facilitated by the fact that Secure Portal is fueled by the information on threat actors, different malware strains’ behavior, malicious IPs and compromised data, such as login credentials or bank card data, from Group-IB attribution-based Threat Intelligence, a proprietary system that holds the most up-to-date data on advanced attackers and their TTPs. 

Group-IB Secure Portal also managed to identify over 100,000 accounts with three or more logins from the same device. Some of these accounts were simply compromised, others were used to boost rank on the platform for further fraud activity or were just resold. 

“For Paxful, Group-IB was the perfect solution; we were particularly impressed by the accuracy of Group-IB’s device fingerprint technology,” comments Dmitry Moiseev, the Chief Information Security Officer at Paxful. “The unique technology that easily detects suspicious devices is exactly what we were looking for. Interactive graph visualization tools and strong API create a truly comprehensive experience when it comes to fraud investigation. With reliable and helpful technical support, Group-IB is a well-rounded cybersecurity solution that works for us.” 

With the deployment of Group-IB Secure Portal, Paxful is now even better equipped to mitigate fraud and prevent digital crimes well before they are even close to affecting the company’s multimillion customer base. 

“Businesses are struggling more than ever today and to ensure that their customers are safe from fraud when using online services is the new normal,” comments Group-IB International Business Development Director Nicholas Palmer. “Online fraud is one of the biggest hurdles on the path toward achieving a positive client experience. For online platforms, it is extremely important to ensure the safety of its users and the integrity of its cybersecurity, whose perimeter should extend to end-point devices and the protection of its clients. Group-IB Secure Portal is implementing this philosophy through its patented clientless detection technology, which protects clients’ customers without need for the latter to install any additional apps.”

About Group-IB Secure Portal

Group-IB Secure Portal is a client-side fraud prevention solution working across sessions, platforms, and devices in real time.

Group-IB Secure Portal effectively detects and prevents dangerous activities through behavior analysis, anomaly detection, daily automatic filter rule and signature updates based on unique data from Group-IB’s Threat Intelligence.

The combination of advanced anti-fraud technologies and intelligence protects both banking and retail customers. Moreover, it helps comply with legal requirements designed to protect funds belonging to individuals and companies against scammers.   

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services.

Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Pay it safe: Group-IB aids Paxful in repelling a series of web-bot attacks appeared first on Security Affairs.

U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya

The U.S. DoJ announced charges against six Russian intelligence officers for their role in several major cyberattacks carried out over the last years.

The U.S. Department of Justice announced charges against six members of Russia’s GRU military intelligence agency for their alleged role in several major cyberattacks conducted over the past years.

The defendants are Yuriy Sergeyevich Andrienko, aged 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32.

The six Russian intelligence officers are believed to be members of the Russia-linked Sandworm APT group (aka Telebots, Iron Viking and Voodoo Bear).

According to the indictment, the GRU officers were involved in attacks on Ukraine, including the attacks aimed at the country’s power grid in 2015 and 2016 that employed the BlackEnergy and Industroyer malware.

US DoJ charged the men with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

Government experts linked the Russian APT group to major attacks, including NotPetya, a hacking operation targeting elections in France in 2017, the attack against PyeongChang Winter Olympics that involved the Olympic Destroyer malware, as well as a series of attacks on Georgian companies and government organizations.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.” reads the press release published by the DoJ. “The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.”

Since November 2015 and until at least in October 2019, the defendants and their co-conspirators were involved in the development and deployment of destructive malware and took part in disruptive hacking campaign actions,.

Below the list overt acts for each defendant:

DefendantSummary of Overt Acts
Yuriy Sergeyevich Andrienko·      Developed components of the NotPetya and Olympic Destroyer malware.
Sergey Vladimirovich Detistov·      Developed components of the NotPetya malware; and·      Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games. 
Pavel Valeryevich Frolov·       Developed components of the KillDisk and NotPetya malware.
Anatoliy Sergeyevich Kovalev·       Developed spearphishing techniques and messages used to target:-       En Marche! officials;-       employees of the DSTL;-       members of the IOC and Olympic athletes; and-       employees of a Georgian media entity.
Artem Valeryevich Ochichenko·       Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and·       Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.
Petr Nikolayevich Pliskin·       Developed components of the NotPetya and Olympic Destroyer malware. 

The FBI added the defendants to the Cyber’s Most Wanted list.

“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI Deputy Director David Bowdich.  “But this indictment also highlights the FBI’s capabilities.  We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.  As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”

“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said Scott Brady, U.S. Attorney for the Western District of Pennsylvania. “The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”

GRU intelligence officers charged

Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)

The post U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya appeared first on Security Affairs.

GravityRAT malware also targets Android and macOS

Researchers spotted new variants of the Windows GravityRAT spyware that now can also infect Android and macOS devices.

Researchers from Kaspersky Lab have spotted new variants of the GravityRAT malware that now can be also used to infect Android and macOS devices.

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT malware Access Trojan (RAT) is believed to be the work of Pakistani hacker groups, it is under development at least since 2015.

“Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years [since 2015] while it continues to be developed.” reads an analysis published by Cisco Talos that spotted the malware back in 2017 when it was used by an APT group targeting India.

The sample analyzed by Kaspersky last year is able to infect macOS and Android devices, unlike past variants that were focused on Windows.

Crooks also started using digital signatures to make the apps look more legitimate.

The malware researchers found the new Android GravityRAT sample in 2019, on VirusTotal. The hackers had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

gravityRAT

The tainted app is able to steal contacts, emails, and documents from the infected device, then send them back to the command-and-control server (nortonupdates[.]online). The C&C server was also associated with other two malicious apps (Enigma and Titanium) targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • record audio (not implemented in this version)
  • scan ports

The malware was distributed via applications that clone legitimate apps that act as downloader for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and Electron framework, they achieve persistence by adding a scheduled task.

The researchers reported that the malware was employed in approximately 100 successful attacks between 2015 and 2018. The list of targets includes employees at defense, police, and other departments and organizations.

Threat actors tricked the victims into installing a malicious app disguised as a secure messenger in order to continue the conversation, the attackers contacted the victims through a fake Facebook account. The attackers likely sent to the victims download links.

“It is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps.” concludes Kaspersky.

“The main modification seen in the new GravityRAT campaign is multiplatformity: besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate.”

Pierluigi Paganini

(SecurityAffairs – hacking, GravityRAT)

The post GravityRAT malware also targets Android and macOS appeared first on Security Affairs.

Alexander Vinnik, the popular cyber criminal goes on trial in Paris

The Russian citizen Alexander Vinnik goes on trial in Paris for having defrauded nearly 200 victims across the world of 135 million euros using ransomware.

The Russian man Alexander Vinnik goes on trial in Paris for having defrauded nearly 200 victims across the world of 135M euros using ransomware.

Alexander Vinnik allegedly headed the Bitcoin exchange BTC-e, he is charged with different hacking crimes in Russia, France, and the United States.

In 2017, Greek Police arrested the Russian national Alexander Vinnik and they accused the man of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

AlexanderVinnik

The authorities reported that since 2011, 7 million Bitcoin went into the BTC-e exchange and 5.5 million withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

The man is charged by the US authorities with fraud and money laundering for more than $4 billion worth amount of Bitcoin (BTC) resulting from criminal activities, the US prosecutors requested his extradition in July 2017.

Vinnik is also accused to be responsible for the failure of the Japanese bitcoin exchange Mt. Gox.

Mt. Gox was the biggest Bitcoin exchange at the time of the shut down in 2014 that occurred after the platform was the victim of a series of cyber heists for a total of $375 million in Bitcoin.

The U.S. authorities speculate the Russian man stole funds from Mt. Gox, with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and funds were laundered through his platform BTC-e-service during a three-year period.

In July 2018 there was a twist, a Greek lower court agreed to extradite Vinnik to France to face with charges with hacking, money laundering, extortion and involvement in organized crime.

French authorities accused Vinnik of defrauding more than 100 people in six French cities between 2016 and 2018.

French prosecutors revealed that among the 188 victims of the Vinnik’s attacks, there were local authorities, businesses, and individuals across the world.

Vinnik continues to deny charges of extortion and money laundering and did not answer magistrates’ questions.

“Prosecutors identified 20 businesses in six cities across France among the victims and following the money trail through various bank accounts — as much as $8 million — identified one as belonging to Vinnik.” reported the AFP news.

In June, New Zealand police had frozen NZ$140 million (US$90 million) in assets linked to a Russian cyber criminal. New Zealand police had worked closely with the US Internal Revenue Service on the case and the investigation is still ongoing.

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Alexander Vinnik, the popular cyber criminal goes on trial in Paris appeared first on Security Affairs.

The forum of the popular Albion Online game was hacked

Albion Online game maker discloses a data breach, hackers gained access to the company forum database by exploiting a known vulnerability.

Albion Online (AO) is a free medieval fantasy MMORPG developed by Sandbox Interactive, a studio based in Berlin, Germany

A threat actor has breached the forum of Albion Online and stole usernames and password hashes from its database.

According to Sandbox Interactive, the intrusion took place on Friday, October 16, and the hacker exploited a vulnerability in its forum platform, known as WoltLab Suite.

“Unfortunately, we have become aware of a data breach in one of our systems, in which a malicious actor gained access to parts of our forum’s user database.” reads the message published on the forum.

“The intruder was able to access forum user profiles, which include the e-mail addresses connected to those forum accounts. On top of that, the attacker gained access to encrypted passwords (in technical terms: hashed and salted passwords).”

Albion Online

The moderator of the forum pointed out that the intruder did not access to payment information.

According to Sandbox Interactive, the passwords were hashed with the Bcrypt hashing function and then salted with random data, which makes it hard to crack if the password is not weak.

“However, there is a small possibility they could be used to identify accounts with particularly weak passwords.” continues the German game maker.

In response to the data breach, the game maker notified the forum members about the intrusion and asked them to reset passwords.

The company notified the authorities, but did not reveal the number of impacted users. The game maker announced to have addressed the flaw exploited in the attack.

“So far we have prioritized fixing vulnerabilities and informing players about this incident,” Sandbox Interactive said.

The game is believed to have more than 2.5 million players, while the number of registered members of the forum was 293,602 at the time of the attack.

Pierluigi Paganini

(SecurityAffairs – hacking, Albion Online)

The post The forum of the popular Albion Online game was hacked appeared first on Security Affairs.

New Emotet campaign uses a new ‘Windows Update’ attachment

After a short pause, a new Emotet malware campaign was spotted by the experts on October 14th, crooks began using a new ‘Windows Update’ attachment.

After a short interruption, a new Emotet malware campaign was spotted by the experts in October. Threat actors began using new Windows Update attachments in a spam campaign aimed at users worldwide.

The spam campaign uses a new malicious attachment that pretends to be a message from Windows Update and attempts to trick the victims recommending to upgrade Microsoft Word.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is a modular malware, its operators could develop new Dynamic Link Libraries to update its capabilities.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

The new campaign was observed on October 14th, the attackers are using multiple lures, including invoices, purchase orders, shipping information, COVID-19 information, and information about President Trump’s health.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

Upon opening the attachments users are instructed to ‘Enable Content,’ in this way the malicious macros will be executed starting the infection process.

“To trick users into enabling the macros, Emotet uses various document templates, including pretending to be created on iOS devices, Windows 10 Mobile, or that the document is protected.” reported BleepingComputer.

The recent campaign employed a new template that pretends to be a message from Windows Update urging the update of Microsoft Word to correctly view the document.

Below the message displayed to the users:

Windows Update
Some apps need to be updated
These programs need to be upgrade because they aren't compatible with this file format.
* Microsoft Word
You need to click Enable Editing and then click Enable Content.
Emotet

Researchers recommend sharing knowledge about malicious document templates used by Emotet in order to quickly identify them and avoid being infected.

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

The post New Emotet campaign uses a new ‘Windows Update’ attachment appeared first on Security Affairs.

Fooling self-driving cars by displaying virtual objects

Researchers from the Ben-Gurion University of the Negev demonstrated how to fool self-driving cars by displaying virtual objects.

A group of researchers from the Ben-Gurion University of the Negev demonstrated that it is possible to fool self-driving cars by displaying virtual objects (phantoms).

The experts define as phantom a depthless visual object used to deceive ADASs and cause these systems to perceive it as real. A phantom object can be created by attackers by using a projector or be presented via a digital screen (e.g., billboard).

Boffins tested two commercial advanced driver-assistance systems (ADASs) belonging to Tesla X (versions HW2.5 and HW 3.0) and Mobileye 630, they were able to trick these systems by displaying “phantom” virtual objects in front of the 2 vehicles.

The researchers were able to simulate the presence of virtual objects, such as virtual road signs along with an image of a pedestrian displayed using a projector or a digital billboard, in front of the self-driving cars that interpreting them as real. In tests conducted by the researchers the depthless object is made from a picture of a 3D object (e.g., pedestrian, car, truck, motorcycle, traffic sign). 

“We demonstrate how attackers can apply split-second phantom attacks remotely by embedding phantom road signs into an advertisement presented on a digital billboard which causes Tesla’s autopilot to suddenly stop the car in the middle of a road and Mobileye 630 to issue false notifications.” reads the post published by the researchers. “We also demonstrate how attackers can use a projector in order to cause Tesla’s autopilot to apply the brakes in response to a phantom of a pedestrian that was projected on the road and Mobileye 630 to issue false notifications in response to a projected road sign.”

Experts also tested split-second phantom attacks that uses a phantom that appears for a few milliseconds and is treated as a real object/obstacle by an ADAS.

Below the minimal duration that a phantom needs to appear in order to fool the ADAS.

self-driving cars

Self-driving cars can be fooled by displaying virtual objects, in a real-world scenario, this attack could result in accidents and traffic jams.

The virtual objects triggered a response of the ADAS systems, in the case of Tesla, the vehicle stopped in 0.42 seconds, while Mobileye 360 stopped in 0.125 seconds.

The researchers also proposed countermeasures, dubbed GhostBusters, to prevent this attack such as the use of the camera sensor. The GhostBusters measure implements a “committee of experts” approach and combines the results obtained from four lightweight deep convolutional neural networks that allow analyzing each object based on its light, context, surface, and depth.

“We demonstrate our countermeasure’s effectiveness (it obtains a TPR of 0.994 with an FPR of zero) and test its robustness to adversarial machine learning attacks.” continues the post.

Unlike other attacks against self-driving cars devised by other teams of experts, this attack requires less expertise and fewer resources.

The full research paper, which includes technical details about the study, is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Fooling self-driving cars by displaying virtual objects appeared first on Security Affairs.

Hackers claim to have compromised 50,000 home cameras and posted footage online

A hacker collective claims to have hacked over 50,000 home security cameras and published their footage online, some of them on adult sites.

A group of hackers claims to have compromised over 50,000 home security cameras and published their private footage online.

Some footages were published on adult sites, experts reported that crooks are offering lifetime access to the entire collection for US$150.

The news was reported by The New Paper, which also confirmed that over 70 members already paid the US$150 subscription for lifetime access to the loot.

“Clips from the hacked footage have been uploaded on pornographic sites recently, with several explicitly tagged as being from Singapore.” reported The New Paper.”

“The group, which can be found on social messaging platform Discord, has almost 1,000 members across the globe. As of Saturday, it has claimed to have shared more than 3TB of clips with over 70 members who paid a subscription fee of US$150 (S$203) for lifetime access.”

The videos show people of varying ages in compromising positions, in some cases undressed.

Most of the videos appear to belong to people from Singapore, other private footages come from people living in Thailand, South Korea, and Canada.

The gang uses the instant messaging app Discord and has nearly 1,000 members, it focuses on the hacking security cameras.

As proof of the hacks, the gang is offering a free sample containing 700 megabytes worth of data, including over 4,000 clips and pictures. They would also offer access to all hijacked cameras with their customers.

“The group claims to have a list of more than 50,000 hacked cameras that members can access. It also claims that VIP members will be taught how to “explore, watch live and even record” hacked cameras through tutorials and personalised sessions.” continues the article.

The news is not surprising, unfortunately in many cases IoT devices, including IP cameras, are deployed without proper security measures.

At the time of publishing this post, it is still unclear how the hackers compromised the IP cameras, likely hackers exploited some vulnerabilities in the devices or simply guessed weak passwords used to protect them.

Let’s remind that accessing these IP cameras could be considered a serious crime, where the victims are under the age of 16, the users could be charged for child pornography.

“As worrying as it may seem, this comes as a clear reminder that when cameras are placed on the internet, they must be properly installed with security in mind. When smart devices are set up, they are still regularly placed around the home with no second thought for privacy,” said ESET Security Specialist Jake Moore.

In 2017, thousands of IP cameras have been hijacked by the Persirai IoT botnet that targeted more than 1,000 IP camera models.

In June 2017, security experts at security firm F-Secure discovered tens of vulnerabilities in tens of thousands of Internet-connected cameras from China-based manufacturer Foscam.

The flaws could be exploited by attackers to take over the Internet-connected cameras, upload and download files from the built-in FTP server, and view video feeds.

Pierluigi Paganini

(SecurityAffairs – hacking, IP cameras)

The post Hackers claim to have compromised 50,000 home cameras and posted footage online appeared first on Security Affairs.

FIN11 gang started deploying ransomware to monetize its operations

The financially-motivated hacker group FIN11 has started spreading ransomware to monetize its cyber criminal activities.

The financially-motivated hacker group FIN11 has switched tactics starting using ransomware as the main monetization method.

The group carried out multiple high-volume operations targeting companies across the world, most of them in North America and Europe.

In recent attacks, the group was observed deploying the Clop ransomware into the networks of its victims.

Since August, FIN11 started targeting organizations in many industries, including defense, energy, finance, healthcare, legal, pharmaceutical, telecommunications, technology, and transportation.

Researchers from FireEye’s Mandiant observed FIN11 hackers using spear-phishing messages distributing a malware downloader dubbed FRIENDSPEAK.

“Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands.” reads the analysis published by FireEye. “The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.”

The attack chain starts when the victims enable the macro embedded in an Excel spreadsheet that came with the phishing e-mails.

The macros download and execute the FRIENDSPEAK code, which in turn downloads the MIXLABEL malware.

Experts also reported that the threat actor modified the macros in Office documents used as bait and also added geofencing techniques.

Mandiant researchers highlighted an important with operations conducted by the TA505 cybercrime gang (aka Evil Corp), which has been active since 2014 focusing on retail and banking sectors.

TA505 also deployed the Clop ransomware in its malware campaigns and recently started exploiting the ZeroLogon critical flaw to compromise targeted organizations.

“Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware.” reads the analysis. “Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.”

fin11 services3

The experts pointed out that the FIN11 actors after dropped the Clop ransomware did not abandon the target after losing access, at least in one case they re-compromised the target organization a few months later.

The researchers believe FIN11 operates from the Commonwealth of Independent States (CIS – former Soviet Union countries).

The experts observed Russian-language file metadata in the code of the malware and reported that the Clop ransomware was only deployed on machines with a keyboard layout used outside CIS countries.

Mandiant researchers speculate FIN11 will continue to target organizations with sensitive proprietary data and that will likely pay the ransom to recover their operations after the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, FIN11)

The post FIN11 gang started deploying ransomware to monetize its operations appeared first on Security Affairs.

Microsoft released out-of-band Windows fixes for 2 RCE issues

Microsoft released two out-of-band security updates to address remote code execution (RCE) bugs in the Microsoft Windows Codecs Library and Visual Studio Code.

Microsoft has released two out-of-band security updates to address two remote code execution (RCE) vulnerabilities that affect the Microsoft Windows Codecs Library and Visual Studio Code.

The two vulnerabilities, tracked as CVE-2020-17022 and CVE-2020-17023, have been rated as important severity.

The CVE-2020-17022 is a remote code execution vulnerability that exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker can exploit the vulnerability to execute arbitrary code.

“Exploitation of the vulnerability requires that a program process a specially crafted image file.” reads the advisory. “The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.”

The CVE-2020-17022 vulnerability affects all devices running Windows 10, version 1709 or later, and a vulnerable library version.

Windows 10 devices are not affected in their default configuration and that “only customers who have installed the optional HEVC or ‘HEVC from Device Manufacturer’ media codecs from Microsoft Store may be vulnerable.”

The CVE-2020-17022 flaw was reported to Microsoft by Dhanesh Kizhakkinan from FireEye.

The CVE-2020-17023 vulnerability is a remote code execution vulnerability that exists in Visual Studio Code. An attacker can trigger the flaw by tricking a user into opening a malicious ‘package.json’ file, then he could run arbitrary code in the context of the current user.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory.

“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file. The update address the vulnerability by modifying the way Visual Studio Code handles JSON files.”

The CVE-2020-17023 vulnerability was reported by Justin Steven.

The IT giant did not provide any mitigating measures or workarounds for the two vulnerabilities.

According to Microsoft, both vulnerabilities are not being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Windows)

The post Microsoft released out-of-band Windows fixes for 2 RCE issues appeared first on Security Affairs.

Iran-linked Silent Librarian APT targets universities again

Iran-linked cyberespionage group Silent Librarian has launched a new phishing campaign aimed at universities around the world.

Iran-linked APT group Silent Librarian has launched another phishing campaign targeting universities around the world.

The Silent Librarian, also tracked as Cobalt Dickens and TA407, targeted tens of universities in four continents in the last couple of years.

In August 2018, the security firm SecureWorks uncovered a phishing campaign carried out by the APT group targeting universities worldwide. The operation involved sixteen domains hosting more than 300 spoofed websites for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Since mid-September, researchers from Malwarebytes observed a new spear-phishing campaign carried out by the group that is expanding its target list to include more countries.

Silent Librarian hackers targeted both employees and students at the universities, experts noticed that the threat actor set up a new infrastructure to avoid a takeover.

“Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded,” states Malwarebytes. “The new domain names follow the same pattern as previously reported, except that they swap the top level domain name for another.”

The threat actor used domain names following a pattern observed in past campaigns, although they use a different top-level domain name (the “.me” TLD instead of “.tk” and “.cf”).

Silent Librarian

The hackers use Cloudflare for phishing hostnames in an attempt to hide the real hosting origin. Anyway, Malwarebytes was able to identify some of the infrastructure which was located in Iran, likely because it is considered a bulletproof hosting option due to the lack of cooperation between US and European law enforcement and local police in Iran.

“Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once,” Malwarebytes concludes.

The security firm also published Indicators of Compromise (IoCs) for this campaign.

Pierluigi Paganini

(SecurityAffairs – hacking, Silent Librarian)

The post Iran-linked Silent Librarian APT targets universities again appeared first on Security Affairs.

Security Affairs newsletter Round 286

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Hackers targeted the US Census Bureau network, DHS report warns
Tyler Technologies finally paid the ransom to receive the decryption key
Underestimating the FONIX – Ransomware as a Service could be an error
APT groups chain VPN and Windows Zerologon bugs to attack US government networks
Microsoft partnered with other security firms to takedown TrickBot botnet
Researchers found alleged sensitive documents of NATO and Turkey
Researchers received $288,500 for 32 out of 55 issues reported to Apple
Adobe addresses a critical security flaw in Adobe Flash Player
Five Eyes nations plus India and Japan call for encryption backdoor once again
IoT Cybersecurity: 5 Major Vulnerabilities and How to Tackle Them
Leading Law firm Seyfarth Shaw discloses ransomware attack
Microsoft October 2020 Patch Tuesday fixes 87 flaws, including 21 RCEs
The British government aims at improving its offensive cyber capability
German authorities raid the offices of the FinFisher surveillance firm
Google researcher found BleedingTooth flaws in Linux Bluetooth
Norway blames Russia for cyber attack on Parliament
Talos experts disclosed unpatched DoS flaws in Allen-Bradley adapter
The G7 expresses its concern over ransomware attacks
Crooks hit Puerto Rico Firefighting Department Servers
Egregor ransomware gang leaked data alleged stolen from Ubisoft, Crytek
Iran acknowledged cyberattacks on two governmental departments
U.S. Bookstore giant Barnes & Noble hit by cyberattack
Zoom now supports end-to-end encrypted (E2EE) calls
Adobe fixes Magento flaws that can lead to code execution
Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135
Breach at Dickeys Barbecue Pit compromises 3 million Cards
Britains information commissioner fines British Airways for 2018 Hack
Juniper fixes tens of flaws affecting the Junos OS

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 286 appeared first on Security Affairs.

QQAAZZ crime gang charged for laundering money stolen by malware gangs

Multiple members of QQAAZZ multinational cybercriminal gang were charged for providing money-laundering services to high-profile malware operations.

20 members of the multinational cybercriminal group QQAAZZ were charged this week in the US, Portugal, Spain, and the UK for providing money-laundering services.

The arrests are the result of an unprecedented international law enforcement operation, coordinated by the Europol and dubbed Operation 2BaGoldMule, involving agencies from 16 countries. The police executed more than 40 house searches in Latvia, Bulgaria, the United Kingdom, Spain, and Italy.

The police also seized an extensive bitcoin mining operation in Bulgaria associated with QQAAZZ.

According to law enforcement bodies, the gang provides services to multiple malware operations, including Dridex, GozNym, and Trickbot.

QQAAZZ attempted to launder tens of millions stolen from victims starting with 2016 by the world’s foremost cybercriminals.

“Comprised of several layers of members mainly from Latvia, Georgia, Bulgaria, Romania, and Belgium, the QQAAZZ network opened and maintained hundreds of corporate and personal bank accounts at financial institutions throughout the world to receive money from cybercriminals who stole it from accounts of victims.” reads the press release published by Europol. “The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using ‘tumbling’ services designed to hide the original source of the funds.  After taking a fee of up to 50-percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.”  

The QQAAZZ gang advertised its services as a ‘global, complicit bank drops service’ on multiple Russian-speaking online cybercriminal forums.

QQAAZZ gang

The member of the gang used instant messaging apps to instruct their client on how to transfer the stolen funds to bank accounts under their control. The bank accounts were opened by money mules using fake and legitimate Polish and Bulgarian ID documents.

QQAAZZ also leverages dozens of shell companies to open other bank accounts.

The money laundering operation involved hundreds of corporate and personal bank accounts at financial institutions throughout the world.

Some of the money was also “converted to cryptocurrency using ‘tumbling’ services designed to hide the original source of the funds.”

“The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using “tumbling” services designed to hide the original source of the funds.” states the DoJ. “After taking a fee of up to 40 to 50 percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.”

“Cybercriminals are constantly exploring new possibilities to abuse technology and financial frameworks to victimise millions of users in a moment from anywhere in the world,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre.

“Today’s operation shows how through a proper law enforcement international coordination we can turn the table on these criminals and bring them to justice.”

Pierluigi Paganini

(SecurityAffairs – hacking, QQAAZZ cybercrime gang)

The post QQAAZZ crime gang charged for laundering money stolen by malware gangs appeared first on Security Affairs.

TikTok launched a public bug bounty program

Chinese video-sharing social networking service TikTok announced this week the launch of a public bug bounty program in collaboration with HackerOne.

The popular Chinese video-sharing social networking service TikTok has launched this week a public bug bounty program through the HackerOne platform.

White hat hackers are invited to report security flaws in TikTok websites, including several subdomains, and both Android and iOS apps.

The company is offering between $1,700 and $6,900 for high-severity flaws, the payout for a critical issue can go up to $14,800.

“We encourage security researchers to focus their efforts on finding security vulnerabilities demonstrating meaningful impact. Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard).” reads the program description.

The idea to reward white hat hackers for reporting security flaws is not new for the Chinese firm that claimed to have already paid out more than $40,000 through its bug bounty program.

The company has had a Vulnerability Reporting Policy and follows a Coordinated Disclosure Policy with a waiting period of 90 days from submission.

“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make our security defenses even stronger,” said Luna Wu of TikTok’s Global Security Team.

tiktok
Source: Messagero

President Trump is trying to ban TikTok in the United States due to security and privacy concerns. TikTok has denied any accusation of sharing data with the Beijing government. TikTok confirmed that all US user data is stored in the US, with a backup in Singapore.

TikTok challenged the decision in a US court and the judge blocked the President’s request to ban the Chinese company in the country.

The US Government is making pressure on TikTok’s parent firm Bytedance to sell its U.S. operations to an American company.

Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)

The post TikTok launched a public bug bounty program appeared first on Security Affairs.

Four npm packages found opening shells and collecting info on Linux, Windows systems

On Thursday, four JavaScript packages have been removed from the npm portal because they have been found containing malicious code.

NPM staff removed four JavaScript packages from the npm portal because were containing malicious code. Npm is the largest package repository for any programming language.

The four packages, which had a total of one thousand of downloads, are:

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,”

The researcher AX Sharma, who analyzed the packages, revealed that plutov-slack-clientnodetest1010, and nodetest199 share identical code.

Experts warn that systems running applications that imported one of these packages should be potentially compromised because the three JavaScript libraries opened web shells on the computers running them.

web shell is a code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

The npmpubman, unlike the other packages, was found collecting user data from the environment variables and uploads the gathered info to a remote host.

The malicious code could work on both Windows and *nix operating systems, including major distros, including Linux, FreeBSD, OpenBSD.

One of the packages was uploaded on the npm portal in May, while the remaining ones were uploaded in September 2018.

“It is possible that all four packages were authored by the same attacker(s) despite conflicting data provided in the package.json manifests.” reported Bleeping Computer.

“In a real-world scenario, npmpubman could be used as a part of an attacker’s reconnaissance efforts to collect information about a system, whereas the other packages establish a direct connection between the attacker’s and the victim’s computers.”

In August, the npm security team has removed the JavaScript library “fallguys” from the npm portal because it was containing a malicious code used to steal sensitive files from an infected users’ browser and Discord application.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Four npm packages found opening shells and collecting info on Linux, Windows systems appeared first on Security Affairs.

Google warned users of 33,015 nation-state attacks since January

Google delivered over 33,000 alerts to its users during the first three quarters of 2020 to warn them of attacks from nation-state actors.

Google delivered 33,015 alerts to its users during the first three quarters of 2020 to warn them of phishing attacks, launched by nation-state actors, targeting their accounts.

Google sent 11,856 government-backed phishing warnings during Q1 2020, 11,023 in Q2 2020, and 10,136 in Q3 2020.

Shane Huntley, Director at Google’s Threat Analysis Group (TAG), revealed that her team has shared its findings with the campaigns and the Federal Bureau of Investigation.

The IT giant pointed out that major events like elections and COVID-19 represent opportunities for threat actors.

The trend in the nation-state attacks is consistent with what others have subsequently reported.

Google TAG report nation-state actors

“Overall, we’ve seen increased attention on the threats posed by APTs in the context of the U.S. election. U.S government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem.” reads the report published by Google TAG.

Since last summer, TAG team has tracked a large spam network linked to China that is running an influence operation on multiple platforms, primarily on YouTube. The threat actor behind this campaign was primarily acquiring or hijacking existing accounts and using them to spread content crafted for their intent.

According to Google, the alerts are shown to up to 0.1% of all Gmail accounts. The company’s alert advises Gmail users to take several measures to secure their accounts, such as enrolling in the Advanced Protection Program, keeping software up to date, enabling Gmail 2-step verification, as well as using Google Authenticator and/or a physical security key for 2-step verification.

As the course of the COVID-19 pandemic evolves, Google experts warn of threat actors evolving their tactics as well. During the last summer, Google observed threat actors from China, Russia, and Iran targeting pharmaceutical companies and researchers involved in the development of a vaccine. 

In September, Google experts started to observe attacks carried out by multiple North Korea-linked APT groups aimed at COVID-19 researchers and pharmaceutical companies, especially those based in South Korea.

This week, the Google Cloud team revealed that in September 2017 it has mitigated DDoS attack that reached 2.54 Tbps, the largest DDoS attack of ever.

This attack is the largest DDoS attack recorded to date and according to a report published by the Google Threat Threat Analysis Group (TAG) it was carried out by a state-sponsored threat actor.

Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)

The post Google warned users of 33,015 nation-state attacks since January appeared first on Security Affairs.

UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap

The U.K. National Cyber Security Centre (NCSC) issued an alert to urge organizations to patch CVE-2020-16952 RCE vulnerability in MS SharePoint Server.

The U.K. National Cyber Security Centre (NCSC) issued an alert to warn of the risks of the exploitation for the CVE-2020-16952 remote code execution (RCE) vulnerability in Microsoft SharePoint Server and urges organizations to address the flaw.

Attackers could exploit this vulnerability to run arbitrary code and execute operations in the context of the local administrator on vulnerable SharePoint servers.

The issue is caused by the improper validation in user-supplied data and can be exploited when a user uploads a specially crafted SharePoint application package to a vulnerable version of SharePoint.

The vulnerability affects Microsoft SharePoint Foundation 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, and Microsoft SharePoint Server 2019, while SharePoint Online as part of Office 365 is not impacted.

“The NCSC strongly advises that organizations refer to the Microsoft guidance referenced in this alert and ensure the necessary updates are installed in affected SharePoint products,” reads the alert. “The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this SharePoint vulnerability, it is important to install the latest updates as soon as practicable.”

The server-side include (SSI) vulnerability CVE-2020-16952 was reported by the researcher Steven Seeley from Qihoo 360 Vulcan Team, who also provided a proof-of-concept exploit for the RCE flaw.

An exploit module for the open-source Metasploit penetration testing framework was also available, it works on SharePoint 2019 on Windows Server 2016.

Security experts recommend applying the October 2020 SharePoint security updates ([1],[2],[3]).

Experts pointed out that SharePoint servers are used in enterprise environments, for this reason, such kind of vulnerabilities is very dangerous.

The UK NCSC confirms that both CVE-2020-16952 and CVE-2015-1641 flaws are included in the list of most exploited vulnerabilities since 2016 published in a joint advisory by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-16952)

The post UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap appeared first on Security Affairs.

Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen

The Google Cloud team revealed that in September 2017 it has mitigated DDoS attack that reached 2.54 Tbps, the largest DDoS attack of ever.

The Google Cloud team revealed that back in September 2017 it has mitigated a powerful DDoS attack that clocked at 2.54 Tbps.

This attack is the largest distributed denial of service attack recorded to date.

“Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack. Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact.” reads the post published by Damian Menscher, a Security Reliability Engineer for Google Cloud.

“The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us.”

DDoS

Google researchers pointed out that the attack they mitigated was four times larger than the 623 Gbps attack launched from the Mirai botnet in 2016.

Experts noticed that this attack is bigger than the 2.3 Tbps DDoS attack mitigated by Amazon’s AWS in February.

A report published by the Google Threat Threat Analysis Group (TAG) speculates that the attack was carried out by a state-sponsored threat actor.

“we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years. For example in 2017, our Security Reliability Engineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.” reads the report published by Google.

Menscher revealed that the attack was part of a campaign that leveraged multiple DDoS amplification methods to hit Google’s servers.

Google decided to disclose the DDoS attack today to warn of an increasing trend of state-sponsored actors abusing DDoS attacks to target online resources.

Experts believe that DDoS attacks are becoming even more dangerous and would intensify in the coming years.

Pierluigi Paganini

(SecurityAffairs – hacking, distributed denial of service)

The post Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen appeared first on Security Affairs.

Juniper fixes tens of flaws affecting the Junos OS

Juniper Networks has addressed tens of vulnerabilities, including serious flaws that can be exploited to take over vulnerable systems.

Juniper Networks has addressed tens of vulnerabilities, including serious issues that can be exploited to take control of vulnerable systems.

The vendor has published 40 security advisories related to security vulnerabilities in the Junos OS operating system that runs on Juniper’s firewalls and other third-party components.

The vendor addressed multiple critical flaws in the Juniper Networks Mist Cloud UI. The vulnerabilities affect the Security Assertion Markup Language (SAML) authentication, they could be exploited by a remote attacker to bypass SAML authentication.

“Juniper Networks Mist Cloud UI, when SAML authentication is enabled, may incorrectly handle SAML responses, allowing a remote attacker to bypass SAML authentication security controls.” reads the security advisory published by Juniper.

“If SAML authentication is not enabled, the product is not affected. These vulnerabilities can be exploited alone or in combination. The CVSS score below represents the worst case chaining of these vulnerabilities.”

Multiple vulnerabilities in Juniper Networks Junos OS have been fixed by updating third party software included with Junos OS devices.

Juniper fixed a critical remote code execution vulnerability in Telnet server tracked as CVE-2020-10188.

“A vulnerability in the telnetd Telnet server allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.” reads the advisory.

“This issue only affects systems with inbound Telnet service enabled. SSH service is unaffected by this vulnerability.”

The company also addressed high-severity denial-of-service (DoS) and arbitrary code execution issues.

The good news is that Juniper is not aware of attacks in the wild exploiting the vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urges organizations to apply the security updates released by the vendor.

“Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.” reads alert issued by CISA.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.”

Pierluigi Paganini

(SecurityAffairs – hacking, Junos)

The post Juniper fixes tens of flaws affecting the Junos OS appeared first on Security Affairs.

Britain’s information commissioner fines British Airways for 2018 Hack

Britain’s information commissioner has fined British Airways 20 million pounds for the 2018 hack that exposed data of 400,000 customers.

In September 2018, British Airways suffered a data breach that exposed the personal information of 400,000 customers.

The hackers potentially accessed the personal data of approximately 429,612 customers and staff. Exposed data included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Experts believe the hackers also accessed the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

An investigation conducted by researchers at RiskIQ revealed that the attack on the airline was carried out by the notorious crime gang MageCart.

Now Britain’s information commissioner (British ICO) has fined British Airways 20 million pounds (approximately $25 million) for failing to protect personal data belonging to its customers. This is the largest fine the British ICO has ever issued.

The ICO fined the airline because the company failed in implementing adequate security measures, the company detected the security breach to months later the initial compromise.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.” said Information Commissioner Elizabeth Denham.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

The ICO issued the penalty under the Data Protection Act 2018 for infringements of the GDPR.

Let’s remind that under the European Union’s General Data Protection Rules imposed in 2018, organizations face fines of up to 20 million euros ($23 million) or 4% of annual global turnover.

“The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.” concludes the ICO.

Pierluigi Paganini

(SecurityAffairs – hacking, British Airways)

The post Britain’s information commissioner fines British Airways for 2018 Hack appeared first on Security Affairs.

Breach at Dickey’s Barbecue Pit compromises 3 million Cards

Dickey’s Barbecue Pit, the largest barbecue restaurant chain in the US, suffered a POS breach, card details for 3 Million customers were posted online.

Dickey’s Barbecue Pit is a family-owned American barbecue restaurant chain, the company suffered a POS breach and card details of more than three million customers have been posted on the carding portal Joker’s Stash.

The huge trove of payment card data was spotted by researchers from the cyber-security firm Gemini Advisory.

The Joker’s Stash dark web marketplace is one of the most popular carding websites, it is known for advertising and card details from major breaches.

The card details of Dickey’s Barbecue Pit‘s customers were included in a dump titled “BLAZINGSUN.” JokerStash originally claimed that the breach would be available in August, then again in September, and finally it was posted online on October 12.

“Gemini Advisory determined that the compromised point of purchase (CPP) was Dickey’s Barbecue Pit, a US-based restaurant franchise.” reads the post published by Gemini Advisory.

“The advertisement claimed that BLAZINGSUN would contain 3 million compromised cards with both track 1 and track 2 data. They purportedly came from 35 US states and “some” countries across Europe and Asia.”

This BLAZINGSUN breach contains 3 million compromised payment records that are available for a median price of $17 per card.

The experts worked with several partner financial institutions who independently confirmed the authenticity of the stolen data.

According to Gemini, the hackers obtained the card details after compromised the in-store Point-of-Sale (POS) system used at Dickey’s Barbecue Pit restaurants.

Crooks compromised 156 of Dickey’s 469 locations across 30 states, most of them in California and Arizona.

Dickey’s locations are marked by the blue restaurant icon while the locations confirmed to be compromised are marked in red.

The compromise took place between July 2019 and August 2020. Gemini reported that the root cause of the security breach was the use of the outdated magstripe method for payment transactions, which exposed car holders to PoS malware attacks.

The company published an official statement that confirmed that it has immediately started the incident response procedure.

We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved.” reads the statement provided by the company. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.” 

The payment card records are mostly for cards using outdated magstripe technologies and are being sold for a median price of $17 per card.

“Based on previous Joker’s Stash major breaches, the records from Dickey’s will likely continue to be added to this marketplace over several months.”concludes the post.

Pierluigi Paganini

(SecurityAffairs – hacking, Dickey’s Barbecue Pit)

The post Breach at Dickey’s Barbecue Pit compromises 3 million Cards appeared first on Security Affairs.

Adobe fixes Magento flaws that can lead to code execution

Adobe released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Adobe has released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Eight of the vulnerabilities are considered either critical or important, only one is considered a moderate-severity flaw. The critical flaws are tracked as CVE-2020-24407 and CVE-2020-24400.

Below the list of affected versions:

ProductVersionPlatform
Magento Commerce 2.3.5-p1 and earlier versions  All
Magento Commerce 2.4.0 and earlier versions All
Magento Open Source 2.3.5-p1 and earlier versionsAll
Magento Open Source 2.4.0 and earlier versions All

One of the critical flaws addressed by Adobe is a file upload issue that can allow list bypass. Another critical SQL injection issue can lead to the execution of arbitrary code or arbitrary read/write database access. Both issues require an attacker to have already obtained admin privileges. 

Adobe has also addressed a vulnerability, tracked as CVE-2020-24402, that can allow attackers to manipulate and modify customer lists. 

Other flaws fixed by Adobe include a stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), and a security vulnerability that allows Magento CMS pages to be modified without permission (CVE-2020-24404). The company also addressed two restricted resource access bugs, tracked as CVE-2020-24405 and CVE-2020-24403 respectively, and unintended disclosure of a document root path that could lead to sensitive information disclosure (CVE-2020-24406).

This week, Adobe has also released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.

Attackers could exploit this flaw by simply inserting malicious strings in HTTP responses while unaware users visit a website.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

The post Adobe fixes Magento flaws that can lead to code execution appeared first on Security Affairs.

Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135

The Tripwire VERT security team spotted almost 800,000 SonicWall VPN appliances exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

Security experts from the Tripwire VERT security team have discovered 795,357 SonicWall VPN appliances that were exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

“A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” reads the advisory published by SonicWall.

The CVE-2020-5135 is a stack-based buffer overflow that affects the SonicWall Network Security Appliance (NSA). The vulnerability can be exploited by an unauthenticated HTTP request involving a custom protocol handler.

The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible.” reads the analysis published by Tripwire. “This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

This vulnerability is very dangerous, especially during the COVID-19 pandemic because SonicWall NSA devices are used as firewalls and SSL VPN portals allow employees to access corporate networks.

The vulnerability affects the following versions:

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

Security experts from Tenable have published a post detailing the flaw, they also shared Shodan dorks for searching SonicWall VPNs.

“Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

The combined results from Shodan using these search queries led to a total of 795,674 hosts. In the VERT advisory, they specified that 795,357 hosts were vulnerable.” wrote Tenable.

At the time of this post, the first search query provides 448,400 results, the second one 24,149, most of the vulnerable devices are in the United States.

SonicWall has already released updates to address the flaw, the company also recommends to disconnect SSL VPN portals from the Internet as temporary mitigation before installing one of the following versions:

  • SonicOS 6.5.4.7-83n
  • SonicOS 6.5.1.12-1n
  • SonicOS 6.0.5.3-94o
  • SonicOS 6.5.4.v-21s-987
  • Gen 7 7.0.0.0-2 and onwards

The CVE-2020-5135 is a critical vulnerability rated as 9.4 out of 10, it could be easily exploited by unauthenticated attackers.

At the time this post was published, no PoC exploit code was available for the CVE-2020-5135 flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-5135)

The post Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135 appeared first on Security Affairs.

Iran acknowledged cyberattacks on two governmental departments

Iran ’s cybersecurity authority revealed that two governmental departments were hit by cyberattacks this week, state media reported.

State media reported on Thursday that Iran’s cybersecurity authority acknowledged cyberattacks on two unnamed governmental departments.

The state-owned IRAN daily newspaper revealed that the cyberattacks took place on Tuesday and Wednesday respectively.

Iranian authorities are investigating the attacks that were defined as important.

Other governmental departments temporarily took down their online operation as a precaution measure.

Iran’s cybersecurity authority did not attribute the attack to a specific threat actor

This isn’t the first time that Irans‘ authorities claim to have been targeted by cyber attacks. In December 2019, the Iran telecommunications minister announced for two times in a week to have foiled a cyber attack against its infrastructure.

At the time, the Iranian minister Mohammad Javad Azari-Jahromi confirmed that the attack was neutralized by the national cyber shield, it also added that the attack was launched by the China-linked APT27 group seeking for gathering intelligence its country.

In October 2019, Iran announced it was fearing retaliation from Western countries that are accusing it to carry out physical and cyber attacks against their infrastructure and countries in the Middle East.

At the time, Iran’s oil ministry said that the Government of Washington has launched a full-scale economic war” against the Islamic Republic in retaliation for the shooting down of a US drone as well as attacks on oil tankers that the US has blamed Iran.

Tensions between Tehran and Washington have escalated since 2018 when President Trump reimposed sanctions on Iran. The situation went out of control after a US drone strike killed top Iranian general Qasem Soleimani in January.

The order to kill Soleimani was issued by President Trump that said Soleimani was planning an “imminent” attack on US personnel in Baghdad.

In January, the U.S. Department of Homeland Security (DHS) has issued warnings about the possibility of cyber-attacks launched by Iran-linked threat actors. The attacks could be the response of Teheran after Maj. Gen. Qassim Suleimani was killed by a U.S. drone airstrike at the Baghdad airport in Iraq.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Iran acknowledged cyberattacks on two governmental departments appeared first on Security Affairs.

Crooks hit Puerto Rico Firefighting Department Servers

Puerto Rico’s firefighting department discloses a security breach, hackers breached its database and demanded $600,000.

Puerto Rico’s firefighting department discloses a security breach, hackers breached its database and demanded a $600,000 ransom.

According to the department’s director, Alberto Cruz, the ability of the department to respond to emergencies was not impacted by the attack.

The department received an email from the threat actors that notifies it that they had encrypted its servers and demanded the payment of a ransom to release them.

Local police launched an investigation into the incident, while the department decided to don’t pay the ransom.

“The department contacted police and have not paid the money, officials said. The investigation is ongoing.” reported the Associated Press.

Pierluigi Paganini

(SecurityAffairs – hacking, Puerto Rico’s firefighting department)

The post Crooks hit Puerto Rico Firefighting Department Servers appeared first on Security Affairs.