Category Archives: Cyber warfare

US ballistic missile defense systems (BMDS) open to cyber attacks

U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit

A US DoD Inspector General report revealed that the United States’ ballistic missile defense systems (BMDS) fail to implement cybersecurity requirements.

The U.S. Department of Defense Inspector General published a report this week revealing a lack of adequate cybersecurity for the protection of the United States’ ballistic missile defense systems (BMDS).

Ballistic missile defense systems are crucial components of the US defense infrastructure; they aim to protect the country from short-, medium-, intermediate- and long-range ballistic missiles.


Experts warn of cyber attacks against these systems launched by nation-state actors.

Back on March 14, 2014, the DoD Chief Information Officer announced the DoD’s plan to implement the National Institute of Standards and Technology (NIST) security controls to improve the cybersecurity of its systems.

More than four years later the situation is worrisome: according to the new DoD report, the BMDS facilities have failed to implement the security controls required by the standard.

“We determined whether DoD Components implemented security controls and processes at DoD facilities to protect ballistic missile defense system (BMDS) technical information on classified networks from insider and external cyber threats.” reads the DoD report.

“We analyzed only classified networks because BMDS technical information was not managed on unclassified networks. The classified networks processed, stored, and transmitted both classified and unclassified BMDS technical information.”

The report states that the BMDS facilities did not implement security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encryption of transmitted technical information, and physical facility security such as cameras and sensors. Operators at BMDS facilities did not perform routine assessments to verify the level of cybersecurity implemented.

“We determined that officials from … the did not consistently implement security controls and processes to protect BMDS technical information.” continues the report.

At one BMDS facility, newly created accounts were allowed to use single-factor authentication for up to 14 days; at another facility, users were allowed to access a system that does not support multifactor authentication at all.

The report also shows failures in patch management at many facilities. At some facilities, the auditors found vulnerabilities that had remained unpatched since their discovery in 2013.

“Although the vulnerability was initially identified in 2013, the still had not mitigated the vulnerability by our review in April 2018. Of the unmitigated vulnerabilities, the included only in a POA&M and could not provide an explanation for not including the remaining vulnerabilities in its POA&M” continues the report.
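The finding above is a reconciliation problem: open scanner findings that are past their remediation deadline must either be fixed or appear in the POA&M with a documented plan. The following added example, written for this page and not taken from the IG report or any DoD tool, performs that reconciliation over a constructed set of findings; the finding IDs, hosts, dates and the per-severity SLA values are assumptions, not the DoD’s actual figures.

```python
from datetime import date

# Constructed sample data (not from the IG report): open scanner findings
# with the date each was first detected.
FINDINGS = [
    {"id": "F-1001", "host": "srv-a", "severity": "high", "first_seen": date(2013, 6, 3)},
    {"id": "F-1002", "host": "srv-a", "severity": "medium", "first_seen": date(2018, 1, 15)},
    {"id": "F-1003", "host": "srv-b", "severity": "critical", "first_seen": date(2016, 9, 30)},
    {"id": "F-1004", "host": "srv-c", "severity": "low", "first_seen": date(2018, 3, 20)},
]

# Constructed POA&M: finding IDs that have a documented mitigation plan.
POAM = {"F-1003"}

# Remediation deadlines by severity, in days (assumed policy values, not the DoD's).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Review date used by the stand-alone run (matches the April 2018 review in the article).
AS_OF = date(2018, 4, 1)


def overdue_findings(findings, poam, as_of):
    """Return (tracked, untracked): findings past their SLA, split by POA&M coverage."""
    tracked, untracked = [], []
    for f in findings:
        age = (as_of - f["first_seen"]).days
        if age <= SLA_DAYS[f["severity"]]:
            continue  # still within its remediation window
        entry = dict(f, age_days=age)
        (tracked if f["id"] in poam else untracked).append(entry)
    return tracked, untracked


def report_lines(findings=FINDINGS, poam=POAM, as_of=AS_OF):
    """Human-readable lines; untracked overdue findings come first because they need an explanation."""
    tracked, untracked = overdue_findings(findings, poam, as_of)
    lines = [
        f"UNTRACKED {f['id']} on {f['host']} ({f['severity']}) open {f['age_days']} days, not in POA&M"
        for f in untracked
    ]
    lines += [
        f"POA&M     {f['id']} on {f['host']} ({f['severity']}) open {f['age_days']} days, plan on file"
        for f in tracked
    ]
    return lines


if __name__ == "__main__":
    for line in report_lines():
        print(line)
```

Run against a real scanner export, the untracked list is exactly the set the auditors asked the component to explain: every overdue finding with neither a fix nor a POA&M entry.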

According to the report, facilities also failed to encrypt data stored on removable devices, and they did not use systems that keep track of what data is copied to such media.

“In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption,” continues the report. “Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted].”

The report also documents physical security issues such as unlocked server racks, open doors to restricted locations, and the absence of security cameras at required locations.

The report also includes the following recommendations: 

  • using multifactor authentication;
  • mitigating vulnerabilities in a timely manner;
  • protecting data on removable media;
  • implementing intrusion detection capabilities.

Pierluigi Paganini

(Security Affairs – United States’ ballistic missile defense systems (BMDS), DoD)

The post US ballistic missile defense systems (BMDS) open to cyber attacks appeared first on Security Affairs.

Security Affairs newsletter Round 192 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

STOLEN PENCIL campaign, hackers target academic institutions.
WordPress botnet composed of +20k installs targets other sites
A new Mac malware combines a backdoor and a crypto-miner
Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS
Expert devised a new WiFi hack that works on WPA/WPA2
Hackers defaced Linux.org with DNS hijack
Google will shut down consumer version of Google+ earlier due to a bug
Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries
Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept
A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack
Cyber attack hit the Italian oil and gas services company Saipem
New threat actor SandCat exploited recently patched CVE-2018-8611 0day
Novidade, a new Exploit Kit is targeting SOHO Routers
French foreign ministry announced its Travel Alert Registry Hack
ID Numbers for 120 Million Brazilians taxpayers exposed online
Operation Sharpshooter targets critical infrastructure and global defense
A bug in Facebook Photo API exposed photos of 6.8 Million users
New Sofacy campaign aims at Government agencies across the world
WordPress version 5.0.1 addressed several vulnerabilities
Magellan RCE flaw in SQLite potentially affects billions of apps
Which are the worst passwords for 2018?

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 192 – News of the week appeared first on Security Affairs.


New Sofacy campaign aims at Government agencies across the world

Security experts at Palo Alto Networks uncovered a new espionage campaign carried out by Russia-Linked APT group Sofacy.

The Russian cyber espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) carried out a new cyber campaign aimed at government agencies on four continents in an attempt to infect them with malware.

As in past attacks, the campaign focused on Ukraine and NATO members.

In November the group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial Brexit draft agreement with the European Union (EU); that same month, experts at Palo Alto Networks documented a new malware, dubbed Cannon, used in attacks on government entities worldwide.

The latest campaign documented by Palo Alto Networks was carried out from mid-October through mid-November; attackers used both the Zebrocy backdoor and the Cannon Trojan.

Researchers noticed that in all the attacks the threat actors used decoy documents with the same author name, Joohn.

“The delivery documents used in the October and November waves shared a large number of similarities, which allowed us to cluster the activity together. Most notably, the author name Joohn was used repeatedly in each delivery document.” reads the analysis published by Palo Alto Networks.

“There was a slight deviation in the November grouping, where the three samples we collected still used the Joohn author name for the last modified field but reverted to a default USER/user author name for the creator field.”

Palo Alto Networks identified a total of 9 documents and associated payloads and targets.

Once a document is opened, it leverages Microsoft Word’s ability to retrieve a remote template, which in turn loads a malicious macro document.

“If the C2 server is active at the time the document is opened, it will successfully retrieve the malicious macro and load it in the same Microsoft Word session.” continues the report.

“The victim will then see a prompt to Enable Content as with any malicious macro document. If the C2 server is not active at this time, the download will fail and the victim will not receive a prompt to Enable Content as no macro is downloaded”
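The remote-template trick leaves a static fingerprint in the document itself: the relationship file word/_rels/settings.xml.rels carries an attachedTemplate entry whose Target is a URL with TargetMode="External", and the author name sits in docProps/core.xml. The following added example (written for this page; it is not Palo Alto Networks’ tooling) builds a minimal constructed .docx in memory with those two properties and then inspects it the way a triage script would. The template URL, the 203.0.113.10 address and the author names are constructed values, not indicators from the report.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the parts we inspect.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def inspect_docx(data: bytes) -> dict:
    """Return author metadata and every external attachedTemplate target in a .docx."""
    result = {"creator": None, "last_modified_by": None, "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            creator = root.find(f"{{{DC_NS}}}creator")
            modifier = root.find(f"{{{CP_NS}}}lastModifiedBy")
            result["creator"] = creator.text if creator is not None else None
            result["last_modified_by"] = modifier.text if modifier is not None else None
        if "word/_rels/settings.xml.rels" in names:
            root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    result["remote_templates"].append(rel.get("Target"))
    return result


def is_suspicious(info: dict) -> bool:
    """Flag a document whose attached template is fetched over HTTP(S) rather than a local path."""
    return any(re.match(r"^https?://", t, re.I) for t in info["remote_templates"])


def build_sample_docx(template_url: str, author: str) -> bytes:
    """Constructed minimal .docx (not a real sample) with an external attached template."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        f"<dc:creator>{author}</dc:creator><cp:lastModifiedBy>{author}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: remote template on a TEST-NET address, author "Joohn".
    info = inspect_docx(build_sample_docx("http://203.0.113.10/templates/report.dotm", "Joohn"))
    print(info, "SUSPICIOUS" if is_suspicious(info) else "clean")
```

Because the check is purely static, it fires even when the C2 server is already down and the macro prompt never appears, which is exactly the case the quoted paragraph describes as leaving the victim with no visible sign of the attempt.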


The latest Sofacy campaign hit targets around the world, including a foreign affairs organization in North America, foreign affairs organizations in Europe, and government entities in former USSR states. Experts also found evidence of possible targeting of local law enforcement agencies in North America, Australia, and Europe.

Palo Alto Networks reveals that, in addition to the delivery documents themselves, the remote templates too shared a common author name. The security researchers also noticed that the servers hosting the remote templates also hosted the C&C for the first-stage payloads.

Sofacy attackers used different variants of the Zebrocy malware and the Cannon backdoor. Palo Alto Networks identified a Cannon variant written in Delphi and variants of Zebrocy written in C# and VB.NET.

“The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques.” concludes the analysis.

“The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks. The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns,” 

Pierluigi Paganini

(Security Affairs – Sofacy, cyber espionage)

The post New Sofacy campaign aims at Government agencies across the world appeared first on Security Affairs.



Operation Sharpshooter targets critical infrastructure and global defense

McAfee uncovered a campaign tracked as Operation Sharpshooter that hit at least 87 organizations in global defense and critical infrastructure.

Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with the Lazarus APT group, which carried out the Sony Pictures attack back in 2014.

The current campaign is targeting nuclear, defense, energy, and financial companies; experts believe the attackers are gathering intelligence to prepare future attacks.

“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.

“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”


Threat actors are carrying out spear phishing attacks with a link pointing to weaponized Word documents purporting to be sent by a job recruiter. The messages are in English and include descriptions for jobs at unknown companies; the URLs associated with the documents belong to a US-based IP address and to the Dropbox service.

The macros included in the malicious document use embedded shellcode to inject the Sharpshooter downloader into Word’s memory.

The macros act as a downloader for a second-stage implant dubbed Rising Sun that runs in memory and collects intelligence about the machine (network adapter information, computer name, username, IP address information, OS information, drive and process information, and other native system data). Rising Sun implements numerous backdoor capabilities, including the ability to terminate processes and write files to disk.

The binary is downloaded into the Startup folder to gain persistence on the infected system. Experts observed that the attackers behind Operation Sharpshooter also download a second, harmless Word document from the control server, most likely as a decoy to hide the malware.

The malware sends the collected data to the C2 in encrypted form: it encrypts it with the RC4 algorithm and then encodes the ciphertext with Base64.
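For an analyst with the key recovered from a sample, decoding that traffic means reversing the two steps in order: Base64-decode, then RC4-decrypt. The following added example, written for this page and not taken from McAfee’s analysis or the implant itself, implements plain RC4 from the specification and wraps it in a beacon encoder and an analyst-side decoder. The key, the key=value serialization of the host data and the sample field values are all assumptions; the real implant’s key and record layout are not given on this page.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed host data and a constructed key; neither comes from a real sample.
SAMPLE_FIELDS = {
    "computer_name": "WS-FINANCE-07",
    "user": "jdoe",
    "ip": "10.20.30.41",
    "os": "Windows 7 SP1",
}
DEMO_KEY = b"demo-key-not-real"


def encode_beacon(fields: dict, key: bytes) -> str:
    """Implant side: serialize host data (assumed key=value lines), RC4-encrypt, Base64-encode."""
    plain = "\n".join(f"{k}={v}" for k, v in fields.items()).encode()
    return base64.b64encode(rc4(key, plain)).decode()


def decode_beacon(blob: str, key: bytes) -> dict:
    """Analyst side: Base64-decode, RC4-decrypt, parse the key=value lines back into a dict."""
    plain = rc4(key, base64.b64decode(blob)).decode()
    return dict(line.split("=", 1) for line in plain.splitlines() if "=" in line)


if __name__ == "__main__":
    blob = encode_beacon(SAMPLE_FIELDS, DEMO_KEY)
    print(blob)
    print(decode_beacon(blob, DEMO_KEY))
```

The rc4 function is checked against the standard published test vector (key "Key", plaintext "Plaintext") before it is trusted on traffic; RC4 gives no integrity, so a wrong key produces silent garbage rather than an error, and a decoder should sanity-check the parsed fields.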

The control infrastructure is composed of servers located in the US, Singapore, and France.

Experts highlighted that Rising Sun reuses source code from the Duuzer Trojan, a backdoor used by the Lazarus Group in the Sony attacks.

“This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.” continues the report.

Experts found other similarities: for example, the documents used to distribute Rising Sun contain metadata indicating they were created with a Korean-language version of Word.

Experts found many similarities between the malware used in Operation Sharpshooter and the one used in the Sony hack; they also found similarities between the tactics, techniques, and procedures used by the attackers and those of the Lazarus Group.

Experts do not rule out that the threat actors behind Operation Sharpshooter are planting false flags to make attribution more difficult.

Further details on the campaign, including IoCs are reported in the analysis published by McAfee.

Pierluigi Paganini

(Security Affairs – Operation Sharpshooter, hacking)



The post Operation Sharpshooter targets critical infrastructure and global defense appeared first on Security Affairs.

Evidence in Marriott’s subsidiary Starwood hack points out to China intel

According to a report published by Reuters, the massive Marriott data breach was carried out by Chinese state-sponsored hackers.

According to Reuters, people investigating the Marriott data breach believe that it is the result of a cyberattack carried out by Chinese hackers.

Last week Marriott International announced that hackers had compromised the guest reservation database of its subsidiary Starwood Hotels and stolen the personal details of about 500 million guests.

Sources quoted by the news agency revealed that the attack was carried out by Chinese intelligence to gather information.

“Hackers behind a massive breach at hotel group Marriott International Inc left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter.” reads the article published by the Reuters.

“Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company’s private probe into the attack.”

The attribution of the Marriott data breach is based on the analysis of tactics, techniques, and procedures (TTPs) that were previously associated with Chinese APT groups.

In particular, Reuters’ sources admitted that some of the tools were not exclusively used by Chinese attackers. Attribution is also difficult because the security breach occurred back in 2014, which means that other threat actors may have had access to the Starwood systems since then.

The relations between China and the US are already complicated; the US Government has accused Beijing of cyber espionage against Western entities on many occasions.

Chinese authorities denied any involvement in the alleged cyber espionage operations.

“China firmly opposes all forms of cyber attack and cracks down on them in accordance with law,” Chinese Ministry of Foreign Affairs spokesman Geng Shuang told Reuters. “If offered evidence, the relevant Chinese departments will carry out investigations according to law.”


Marriott International bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, hackers had access to Starwood’s guest reservation system since 2014 and copied and encrypted the information.

The intrusion was detected on September 8 when a monitoring system found evidence regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, an investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

Unknown hackers accessed the personal information of nearly 327 million guests; the compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, and reservation dates.

Pierluigi Paganini

(Security Affairs – Marriot Data breach, hacking)

The post Evidence in Marriott’s subsidiary Starwood hack points out to China intel appeared first on Security Affairs.

Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems

Ukraine is accusing Russian intelligence services of carrying out cyberattacks against one of its government organizations.

Ukraine’s security service SBU announced to have blocked a cyber attack launched by Russian intelligence aimed at breaching information and telecommunications systems used by the country’s judiciary.

Attackers launched a spear phishing attack using messages purporting to deliver accounting documents. The weaponized documents carried a strain of malware developed to exfiltrate data from, and disrupt, the judiciary’s information systems.

Ukrainian government experts identified the command and control (C&C) infrastructure, which used Russian IP addresses.

The attack was detected and neutralized thanks to a collaboration between the SBU, the State Service of Special Communications and Information Protection of Ukraine and the State Judicial Administration.

“Employees of the Security Service of Ukraine blocked the attempt of Russian special services to conduct a large-scale cyberattack on the information and telecommunication systems of the judiciary of Ukraine. Specialists of the SBU noted that the cyberattack began due to the sending by e-mail of counterfeit accounting documents infected by the virus.” reads the alert published by the SBU.

“After opening files on computers, malicious software for unauthorized interference with judicial information systems and theft of official information were hidden. Employees of the Security Service of Ukraine found that the detected virus program was connected from control-command servers that have, in particular, Russian IP addresses.”

In July, Ukraine’s SBU Security Service reportedly stopped a VPNFilter attack at a chlorine station: the malware had infected network equipment in the facility, which supplies chlorine to water treatment and sewage plants.

VPNFilter is a multi-stage, modular strain of malware with a wide range of capabilities for both cyber espionage and sabotage; it is attributed to Russia.

Technical analysis of the code revealed many similarities with another nation-state malware, BlackEnergy, which was specifically designed to target ICS/SCADA systems and is attributed to Russian threat actors. BlackEnergy is considered the key element in the attacks on the Ukrainian power grid in 2015 and 2016, and it was also involved in attacks against mining and railway systems in the country.

This week, Adobe released security updates for Flash Player that address two vulnerabilities, including a zero-day flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

Gigamon has also published a blog post describing the flaw and the attack; the experts pointed out that the Russian-language decoy document was submitted to VirusTotal from a Ukrainian IP address. Qihoo 360 researchers observed that the attack was launched just days after the Kerch Strait incident of November 25, when Russian Federal Security Service (FSB) border service coast guard boats fired upon and captured three Ukrainian Navy vessels that had attempted to pass from the Black Sea into the Sea of Azov through the Kerch Strait on their way to the port of Mariupol.

Some of the injured crew members were taken to hospitals in Moscow and one of these hospitals could be the Polyclinic No. 2. Malicious documents involved in this attack were uploaded to VirusTotal from a Ukrainian IP address, which could indicate that Ukrainian cyberspies targeted the hospital to obtain information on the state of the crew members.

Pierluigi Paganini

(Security Affairs – Ukraine, Russia)

The post Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems appeared first on Security Affairs.

New PowerShell-based Backdoor points to MuddyWater

Security researchers at Trend Micro recently discovered a PowerShell-based backdoor that resembles malware used by the MuddyWater threat actor.

Malware researchers at Trend Micro have discovered a Powershell-based backdoor that is very similar to a malware used by MuddyWater APT group.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

Threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time the hackers changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group (another name used by experts to track MuddyWater), targeting Asia and the Middle East from January 2018 to March 2018.

In the latest attacks detected by Trend Micro, the threat actors used TTPs consistent with MuddyWater; the malicious code was uploaded to VirusTotal from Turkey. The attackers used decoy documents that drop a new PowerShell backdoor similar to MuddyWater’s POWERSTATS malware.

“These documents are named Raport.doc or Gizli Raport.doc (titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish) — all of which were uploaded to Virus Total from Turkey.” states Trend Micro.

“Our analysis revealed that they drop a new backdoor, which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor. But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.”

The new backdoor uses the API of a cloud file hosting provider to implement command and control (C&C) communication and data exfiltration.

The weaponized documents contain images showing blurry logos of Turkish government organizations and trick victims into enabling macros, supposedly to display the document properly.


The macros contain strings encoded in base52, an uncommon technique that MuddyWater used in past attacks. Once enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

The PowerShell code has several layers of obfuscation. The backdoor first collects system information and concatenates the various pieces (OS name, domain name, user name, IP address, and so on) into one long string.

For communication, the malware uses files named <md5(hard disk serial number)> with various extensions associated with the purpose of the file:

  • .cmd – text file with a command to execute
  • .reg – system info as generated by the myinfo() function
  • .prc – output of the executed .cmd file, stored on local machine only
  • .res – output of the executed .cmd file, stored on cloud storage

“In both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command.” the experts continue.

“The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.”

The malware supports various commands including file upload, persistence removal, exit, file download, and command execution.
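The naming scheme above is itself a hunting artifact: every exchange file for one victim shares the same 32-hex stem, md5 of the disk serial, and differs only in the role extension. The following added example, written for this page and not taken from Trend Micro’s analysis or the backdoor, derives the expected file name from a serial and then scans a constructed cloud-storage listing for stems that carry two or more of the protocol’s extensions, which is the shape a live operator/implant exchange leaves behind. The disk serial and the listing are constructed values, not indicators from the report.

```python
import hashlib
import re
from collections import defaultdict

# Role extensions from the article: command in, host info, local result, result on cloud storage.
C2_EXTENSIONS = {".cmd", ".reg", ".prc", ".res"}


def c2_filename(disk_serial: str, ext: str) -> str:
    """Name the backdoor would use for its exchange file: md5(disk serial) plus the role extension."""
    return hashlib.md5(disk_serial.encode()).hexdigest() + ext


def find_c2_artifacts(filenames, min_roles=2):
    """Group files by a 32-hex stem; return stems carrying at least `min_roles` protocol extensions."""
    pattern = re.compile(r"^([0-9a-f]{32})(\.(?:cmd|reg|prc|res))$", re.I)
    seen = defaultdict(set)
    for name in filenames:
        m = pattern.match(name.rsplit("/", 1)[-1])   # match on the basename only
        if m:
            seen[m.group(1).lower()].add(m.group(2).lower())
    return {stem: sorted(exts) for stem, exts in seen.items() if len(exts) >= min_roles}


# Constructed listing of a cloud-storage account (not from Trend Micro's report).
# "WD-WX11A23C4567" is an assumed disk serial used only to build the sample names.
SAMPLE_LISTING = [
    "invoices/2018/q3.xlsx",
    "sync/" + c2_filename("WD-WX11A23C4567", ".reg"),   # host info dropped by the implant
    "sync/" + c2_filename("WD-WX11A23C4567", ".cmd"),   # command left by the operator
    "sync/" + c2_filename("WD-WX11A23C4567", ".res"),   # command output uploaded back
    "tmp/0123456789abcdef0123456789abcdef.reg",         # lone hex-named file: not enough roles
    "readme.cmd",                                        # plain .cmd file: no 32-hex stem
]


if __name__ == "__main__":
    for stem, roles in find_c2_artifacts(SAMPLE_LISTING).items():
        print(f"possible MuddyWater exchange set {stem}: {' '.join(roles)}")
```

Because the stem is deterministic, an incident responder who knows a host’s disk serial can compute the exact file names to search for in the cloud provider’s audit logs; the listing scan covers the case where the serial is unknown.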

Experts concluded that the attacks were aimed at Turkish government organizations in the finance and energy sectors, which MuddyWater had also hit in the past.

“This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities.” concludes Trend Micro.

“If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.

Pierluigi Paganini

(Security Affairs – MuddyWater, backdoor)

 

The post New PowerShell-based Backdoor points to MuddyWater appeared first on Security Affairs.

Security Affairs newsletter Round 190 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

  • 6,500+ sites deleted after Dark Web hosting provider Daniels Hosting hack
  • Hacking Gmail’s UX with from fields for phishing attacks
  • Instagram glitch exposed some user passwords
  • Suspected APT29 hackers behind attacks on US gov agencies, think tanks, and businesses
  • CarsBlues Bluetooth attack affects tens of millions of vehicles
  • Cybaze ZLab – Yoroi team analyzed malware used in recent attacks on US entities attributed to APT29
  • Israel aims at hardening aviation industry assets from cyberattack
  • Tianfu Cup PWN hacking contest – White hat hackers earn $1 Million for Zero-Day exploits
  • Experts analyzed how Iranian OilRIG hackers tested their weaponized documents
  • Hackers target Drupal servers chaining several flaws, including Drupalgeddon2 and DirtyCOW
  • Mac users using Exodus cryptocurrency wallet targeted by a small spam campaign
  • TP-Link fixes 2 Remote Code Execution flaws in TL-R600VPN SOHO Router and other issues
  • Two hackers involved in the TalkTalk hack sentenced to prison
  • A flaw in US Postal Service website exposed data on 60 Million Users
  • Amazon UK is notifying a data breach to its customers days before Black Friday
  • Experts found flaws in Dell EMC and VMware Products. Patch them now!
  • Facebook increases rewards for its bug bounty program and facilitates bug submission
  • Sofacy APT group used a new tool in latest attacks, the Cannon
  • Chaining 3 zero-days allowed pen testers to hack Apple macOS computers
  • Experts found first Mirai bot targeting Linux servers via Hadoop YARN flaw
  • Flaw allowing identity spoofing affects authentication based on German eID cards
  • 13 fraudulent apps in Google Play have been downloaded 560,000+ times
  • Beware Black Friday & Cyber Monday shoppers: fake products, credit card scams and other types of fraud
  • Exclusive Cybaze ZLab – Yoroi – Hunting Cozy Bear, new campaign, old habits
  • New Emotet Thanksgiving campaign differs from previous ones
  • Software company OSIsoft has suffered a data breach
  • VMware fixed Workstation flaw disclosed at the Tianfu Cup PWN competition
  • Chat app Knuddels fined €20k under GDPR regulation
  • North Korea-linked group Lazarus targets Latin American banks
  • US Government is asking allies to ban Huawei equipment
  • Facebook appeals UK fine in Cambridge Analytica privacy Scandal

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 190 – News of the week appeared first on Security Affairs.

Security Affairs: North Korea-linked group Lazarus targets Latin American banks

According to security researchers at Trend Micro, the North Korea-linked APT group Lazarus recently targeted banks in Latin America.

The North Korea-linked APT group Lazarus recently targeted banks in Latin America, Trend Micro experts reported.

The Lazarus Group’s activity surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

Recently, the group was involved in several attacks aimed at stealing millions from ATMs across Asia and Africa.

Security experts from Symantec recently discovered a malware, tracked as FastCash Trojan, used by the Lazarus APT group in a string of attacks against ATMs.

The APT group has been using this malware since at least 2016 to siphon millions of dollars from ATMs of small and midsize banks in Asia and Africa.

Now experts from Trend Micro have found a Lazarus backdoor on several machines belonging to financial institutions across Latin America. The APT group installed the malicious code on the targeted machines on September 19.

“There seems to be a resurgence of activity from the group, and recent events show how their tools and techniques have evolved. Just last week they were found stealing millions from ATMs across Asia and Africa.” reads the analysis published by Trend Micro.

“We also recently discovered that they successfully planted their backdoor (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) into several machines of financial institutions across Latin America.”

The technique recently used by Lazarus resembles a 2017 wave of attacks that hit targets in Asia; at the time the hackers used FileTokenBroker.dll and a modularized backdoor.

In the 2018 attacks, the Lazarus group used multiple backdoors and also implemented a sophisticated technique that involves three major components:

  • AuditCred.dll/ROptimizer.dll (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) – loader DLL that is launched as a service
  • Msadoz<n>.dll (detected by Trend Micro as BKDR64_BINLODR.ZNFJ-A) – encrypted backdoor
    n = number of characters in the loader dll’s filename
  • Auditcred.dll.mui/rOptimizer.dll.mui (detected by Trend Micro as TROJ_BINLODRCONF.ZNFJ-A) – encrypted configuration file

Lazarus Latin america attacks

Experts noticed that the loader DLL is installed as a service and uses different names on different machines. The backdoor implements several capabilities: it can collect files and system information, download files and additional malware, launch/terminate/enumerate processes, update configuration data, delete files, inject code from files into other running processes, use a proxy, open a reverse shell, and run in passive mode, where it opens and listens on a port to receive commands.

C&C information is contained in the encrypted configuration file; the backdoor requires a C&C connection to carry out its activities.

“The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more,” Trend Micro concludes.

Pierluigi Paganini

(Security Affairs – Hacking, Lazarus)

The post North Korea-linked group Lazarus targets Latin American banks appeared first on Security Affairs.




Security Affairs newsletter Round 189 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

  • CVE-2018-15961: Adobe ColdFusion Flaw exploited in attacks in the wild
  • Linux Cryptocurrency miner leverages rootkit to avoid detection
  • A critical flaw in GDPR compliance plugin for WordPress exploited in the wild
  • Elon Musk BITCOIN Twitter scam, a simple and profitable fraud for crooks
  • France seeks Global Talks on Cyberspace security and a code of good conduct
  • Hacking the hackers – IOT botnet author adds his own backdoor on top of a ZTE router backdoor
  • Reading the Android Ecosystem Security Transparency Report
  • Cathay Pacific waited six months before disclosing the security breach
  • Expert found a way to bypass Windows UAC by mocking trusted Directory
  • Google Services down due to BGP leak, traffic hijacked through Russia, China, and Nigeria
  • Microsoft’s Patch Tuesday updates for November 2018 fix actively exploited Windows flaw
  • Operation Shaheen – Pakistan Air Force members targeted by nation-state attackers
  • Adobe Patch Tuesday updates for November 2018 fix known Acrobat flaw
  • Boffins discovered seven new Meltdown and Spectre attacks
  • Cyber espionage group used CVE-2018-8589 Windows Zero-Day in Middle East Attacks
  • Facebook flaw could have exposed private info of users and their friends
  • The ‘MartyMcFly’ investigation: Italian naval industry under attack
  • Chinese TEMP.Periscope cyberespionage group was using TTPs associated with Russian APTs
  • Congress passes bill that creates new Cybersecurity and Infrastructure Security Agency at DHS
  • Kaspersky Lab opens first Transparency Center in Zurich
  • Pwn2Own Tokyo 2018 – iPhone X exploits paid over $100,000
  • Senior German officials want to exclude Chinese firms from building 5G infrastructure
  • Cybaze ZLab- Yoroi team spotted a new variant of the APT28 Lojax rootkit
  • Group-IB presented latest cybercrime and nation-state hacking trends in Asia
  • tRat is a new modular RAT used by the threat actor TA505
  • Two hacker groups attacked Russian banks posing as the Central Bank of Russia
  • Using Microsoft Powerpoint as Malware Dropper
  • Japanese government’s cybersecurity strategy chief has never used a computer
  • New set of Pakistani banks card dumps goes on sale on the dark web
  • Protonmail hacked …. a very strange scam attempt

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 189 – News of the week appeared first on Security Affairs.

Security Affairs: Cybaze ZLab- Yoroi team spotted a new variant of the APT28 Lojax rootkit

Malware researchers at the Cybaze ZLab- Yoroi team spotted a new variant of the dangerous APT28 Lojax rootkit.

A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Cybaze ZLab – Yoroi team. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers.

The behavior of the Lojax sample appears similar to the previous versions: it abuses the legitimate “Absolute Lojack” software to gain persistence on the infected system. Lojack is anti-theft and localization software developed by Absolute Software Corporation, pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba, and Asus machines. In the past, this software was known as “Computrace”.

Despite its legitimate purposes, the Absolute Lojack software acts like a rootkit (more precisely as a bootkit): its BIOS component forces the writing of a small agent named “rpcnetp.exe” into the system folder. The agent periodically contacts the Absolute server and sends to it the current machine’s position.

The control flow of the Lojack software is detailed in the following figure:

APT28 Lojax

Figure 1. Lojack control flow (Source:ESET)

 

Technical Analysis

The size of the malicious artifact is the same as the legitimate one, so the only manipulation appears to be the modification of the C2 address, consistent with the findings of other firms that previously analyzed the malware.

Hash (SHA-256): 6d626c7f661b8cc477569e8e89bfe578770fca332beefea1ee49c20def97226e
Name: rpcnetp.exe
Digital Signature:
First Submission: 2018-11-05
Notes: Lojack Double-Agent
File size: 17 KB

When it starts, the malware copies itself into a new DLL; the resulting file is identical to the initial one except for some header flags. Lojax then searches for components of the legitimate software that should already be installed on the machine and tries to establish a connection to them over an RPC channel. If the Absolute Lojack components are not found, the malware terminates itself.

Hash (SHA-256): aa5b25c969234e5c9a8e3aa7aefb9444f2cc95247b5b52ef83bf4a68032980ae
Name: rpcnetp.dll
Digital Signature:
First Submission: 2018-11-05
Notes: Double-Agent
File size: 17 KB

Through a static analysis of the sample, we discovered a new C2 address, unknown to the community and to threat intelligence platforms until now. This address, encrypted with a single-byte XOR key (0xB5), was hidden in the “.cdata” section.

After decrypting the address, the result is “regvirt.com”, as shown in the figure below:

APT28 Lojax
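The decoding step just described, as an added example that is not the Cybaze-Yoroi team's code: the sample blob is constructed from the bytes of the $b2 string in the YARA rule at the end of this post (which contains the obfuscated domain), the known-key path uses 0xB5, and the brute-force search goes beyond the post by recovering the key when it is not yet known for a new sample.

```python
"""Recover a single-byte-XOR-obfuscated C2 domain from a configuration blob."""
import re
from typing import List, Tuple

# Constructed sample: the $b2 byte pattern from the YARA rule below, which carries
# the XOR(0xB5)-encoded domain followed by 0xB5 (i.e. encoded NUL) padding.
SAMPLE_CDATA = bytes.fromhex(
    "00 48 1A B5 E5 9B A0 26 F2 C7 D0 D2 C3 DC C7 C1 9B D6 DA D8 "
    "B5 B5 B5 B5 B5 B5 B5 B5 B5 0A 02 07 10 06 06 00"
)

# Lowercase dotted hostname: one or more labels followed by a 2-6 letter TLD.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,6}")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the scheme used by this sample)."""
    return bytes(b ^ key for b in data)


def extract_domains(data: bytes, key: int) -> List[str]:
    """Decode with a known key and return every hostname-looking string found."""
    decoded = xor_decode(data, key)
    return [m.group().decode("ascii") for m in DOMAIN_RE.finditer(decoded)]


def brute_force_xor_domains(data: bytes) -> List[Tuple[int, str]]:
    """Try all 256 keys and report (key, domain) pairs.

    Key 0x00 is included on purpose: it surfaces domains stored in clear text."""
    hits: List[Tuple[int, str]] = []
    for key in range(256):
        for domain in extract_domains(data, key):
            hits.append((key, domain))
    return hits


if __name__ == "__main__":
    print("known key 0xB5:", extract_domains(SAMPLE_CDATA, 0xB5))
    for key, domain in brute_force_xor_domains(SAMPLE_CDATA):
        print(f"key 0x{key:02X}: {domain}")
```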

 

Domain “regvirt.com”

The domain was registered on 10 Oct 2017 by “Tibor Kovacs” (tiborkovacsr@protonmail.com) and is handled by the “Shinjiru Technology Sdn Bhd” provider. The username part of the mailbox contains the same name and surname found in the registrant name, with a trailing “r” (tiborkovacsr); it is not clear whether this letter could be a clue usable to focus the investigation on a hypothetical profile of the registrant.

Registrant Name: Tibor Kovacs
Registrant Organization:
Registrant Street: Vezer u 43
Registrant City: Budapest
Registrant State/Province: Budapest
Registrant Postal Code: 1141
Registrant Country: HU
Registrant Phone: +36.361578632154
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: tiborkovacsr@protonmail.com

The domain hosts inactive subdomains, such as mail.regvirt.com, which points to the localhost address 127.0.0.1. It also resolved to a different IP address, 209.99.40.226, between 16 Oct and 7 Nov 2018; this address belongs to the Confluence Networks ISP. That IP was blacklisted for a limited time by abuse.ch, between 2017-09-18 and 2017-10-19, and was reported as malicious on AbuseIPDB in December 2017. Other malicious activity related to cybercrime threat actors has been reported through the Ransomware Tracker platform, where the IP is associated with several Locky ransomware distribution domains back in 2016. However, none of the reported misuse of the IP address apparently overlaps with the regvirt.com resolution period.

The 46.21.147.71 IP address, instead, has been the domain’s resolution since “regvirt.com” was first registered in 2017. This network destination has been reported as a command and control server of altered CompuTrace/Lojack software, part of the APT28 arsenal. The report published by the UK’s National Cyber Security Centre in October 2018 states this implant has been used to modify system memory and maintain long-term persistence on compromised hosts.

 

Passive DNS records for the domain:

regvirt.com
  2017-10-17 to 2018-11-13: resolved to 46.21.147.71 (DEDICATED-SERVERS NL, Eureka Solutions Sp. z o.o., PL)
  2018-10-16 to 2018-11-07: resolved to 209.99.40.226 (TX1-CONFLUENCE-4 AE, Confluence Networks Inc.)
  MX: mail.regvirt.com
www.regvirt.com
  CNAME: regvirt.com
mail.regvirt.com
  A: 127.0.0.1

 

Mitigation

Despite the presence of UEFI “Secure Boot”, this malware can still execute because it replaces only the “rpcnetp.exe” agent component, not the BIOS component. The MalwareLab researchers nonetheless advise keeping UEFI Secure Boot enabled and keeping the operating system and the anti-malware solution up to date.

Indicators of Compromise

C2:

  • regvirt[.]com
  • hxxp://www.regvirt[.]com

YARA Rule

rule rpcnetp {
    meta:
        description = "Yara Rule for Lojack Double-Agent"
        author = "Cybaze-Yoroi"
        last_updated = "2018-11-13"
        tlp = "white"
        category = "informational"
    strings:
        // ASCII "Paths\iexplore.exe"
        $a1 = {50 61 74 68 73 5C 69 65 78 70 6C 6F 72 65 2E 65 78 65}
        $a2 = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}
        $b1 = "rpcnetp exe"
        // "regvirt.com" XOR 0xB5, followed by its 0xB5 (encoded NUL) padding
        $b2 = {00 48 1A B5 E5 9B A0 26 F2 C7 D0 D2 C3 DC C7 C1 9B D6 DA D8 B5 B5 B5 B5 B5 B5 B5 B5 B5 0A 02 07 10 06 06 00}
    condition:
        1 of ($b*) and $a1 and $a2
}

Pierluigi Paganini

(Security Affairs – APT28 Lojax, malware)

The post Cybaze ZLab- Yoroi team spotted a new variant of the APT28 Lojax rootkit appeared first on Security Affairs.




Chinese TEMP.Periscope cyberespionage group was using TTPs associated with Russian APTs

Chinese TEMP.Periscope cyberespionage group targeted a UK-based engineering company using TTPs associated with Russia-linked APT groups.

Attribution of cyber attacks is always a hard task; in many cases attackers use false flags to mask their identities.

Chinese hackers have targeted a UK-based engineering company using techniques and artifacts attributed to the Russia-linked APT groups Dragonfly and APT28, according to security researchers.

Threat intelligence experts from Recorded Future discovered that the Chinese threat actor TEMP.Periscope was using TTPs associated with Russian APT groups in an attempt to complicate attribution. The same campaign that targeted the U.K.-based engineering company also hit a freelance journalist based in Cambodia; the attackers used command and control infrastructure previously used by the TEMP.Periscope APT group.

“Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development.” reads the analysis published by Recorded Future.

“We believe both attacks used the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope’s interest in the U.K. engineering company they targeted dates back to attempted intrusions in May 2017.”

The attackers used the domain scsnewstoday[.]com as C2, the same that was used in a recent TEMP.Periscope campaign targeting the Cambodian government.

The spear-phishing messages were sent by using the popular Chinese email client, Foxmail.

It is interesting to note that the attackers employed a unique technique used in the past by the Dragonfly APT group in attacks aimed at critical infrastructure: a “file://” path in the spearphish calling out to a malicious C2 to steal SMB credentials.

“A unique technique documented as a Dragonfly TTP in targeting critical infrastructure was used in the attack. The technique attempts to acquire SMB credentials using a “file://” path in the spearphish calling out to a malicious C2.” continues the analysis.

“The attack probably made use of a version of the open source tool Responder as an NBT-NS poisoner. APT28 used Responder in attacks against travelers staying at hotels in 2017.”

The same UK engineering company had already been targeted by TEMP.Periscope in May 2017; months later the hackers also hit US engineering and academic entities.

“Recorded Future expects TEMP.Periscope to continue to target organisations in the high-tech defence and engineering sectors,” concludes the report.

“The Chinese strategic requirement to develop advanced technology, particularly in marine engineering, remains an intense focus as China looks to dominate the South China Sea territory.”

chinese-threat-actor-temp-periscope

“We believe TEMP.Periscope will continue to use commodity malware because it is still broadly successful and relatively low cost for them to use. They will continue to observe ‘trending’ vulnerabilities to exploit and use techniques that have been publicly reported in order to gain access to victim networks.”

“We have to understand and tackle the underlying economic ecosystem that enables, funds and supports criminal activity on a global scale to stem the tide and better protect ourselves. By better understanding the systems that support cyber-crime, the security community can better understand how to disrupt and stop them.”

Pierluigi Paganini

(Security Affairs – TEMP.Periscope, hacking)

The post Chinese TEMP.Periscope cyberespionage group was using TTPs associated with Russian APTs appeared first on Security Affairs.

The ‘MartyMcFly’ investigation: Italian naval industry under attack

Experts at Yoroi’s Cyber Security Defence Center along with Fincantieri’s security team investigated the recently discovered Martymcfly malware attacks.

Background

On October 17th we disclosed the ‘MartyMcFly’ threat (Rif. Analysis), where unknown attackers were targeting Italian naval industries. The analysis was cited by Kaspersky’s ICS CERT, which exposed a wider threat extension across multiple countries such as Germany, Spain, and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to check more related threats by forming a joint cyber force with Fincantieri, one of the biggest players in the naval industry across Europe. Fincantieri, which was not involved in the previous ‘MartyMcFly’ attack, identified and blocked additional threats targeting its wide infrastructure during the week of 20th August 2018, about a couple of months before the ‘MartyMcFly’ campaign. Our task was to figure out whether there was a correlation between those attacks targeting Italian naval industries and to try to identify a possible attribution.

Malicious Email

Fincantieri’s security team shared with us a copy of a malicious email, themed carefully like the ones intercepted by Yoroi’s Cyber Security Defence Center between 9th and 15th October. At first look the message appears suspicious due to inconsistent sender domain data inside the SMTP headers:

  • From: alice.wu@anchors-chain.com
  • Subject: Quotation on Marine Engine & TC Complete
  • User-Agent: Horde Application Framework 5
  • X-PPP-Vhost: jakconstruct.com

The email messages were sent from a mailbox related to the “jakconstruct.com” domain name, which is owned by the Qatari company “AK CONSTRUCTION W.L.L.”, suggesting a possible abuse of their email infrastructure.

Figure 1. SMTP header details

The “anchors-chain.com” domain found in the SMTP “From” header was purchased a few weeks before the delivery of the malicious message: a privacy-protected user registered the domain on 21 June 2018, through the “NameSilo, LLC” provider.

Figure 2. Whois data of “anchors-chain.com”

During the time period between the 22nd of June and the 2nd of September 2018, this domain resolved to the IP address 188.241.39.10, owned by “Fast Serv Inc.”, a hosting provider sometimes abused for illicit purposes (e.g. command and control services of info-stealer malware). Unfortunately, the domain is offline at the time of writing, so it wasn’t possible to assess the presence of redirections to legitimate services, as observed in the “MartyMcFly” case.

Also, the “anchors-chain.com” domain shows an explicit reference to an Asian company producing chains for a wide range of customers in the shipbuilding industry: the “Asian Star Anchor Chain Co. Ltd.” or “AsAc Group”. The real domain of the group is spelled almost the same: “anchor-chain.com”; the letter “s” is the only difference between the name registered by the attacker and the legitimate one. Moreover, the message body is written in Chinese and the signature includes a link to another legitimate domain of the group, confirming the attacker was trying to impersonate personnel from AsAc Group, simulating the transmission of quotations and price lists.

Figure 4. Malicious email message
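The two checks described above, the mismatch between the “From” domain and the sending vhost and the one-letter typosquat of “anchor-chain.com”, can be automated on incoming mail. The following script is an added example written for this post, not code from Yoroi or Fincantieri; the message headers are constructed from the values quoted above, and the allow-list of known partner domains is an assumption.

```python
import email
from email import policy

# Constructed sample headers modelled on the values quoted in the analysis
# (not the original message); hostnames are the ones named in the article.
RAW_MESSAGE = """\
From: alice.wu@anchors-chain.com
Subject: Quotation on Marine Engine & TC Complete
User-Agent: Horde Application Framework 5
X-PPP-Vhost: jakconstruct.com

Please find the quotation attached.
"""

# Assumed allow-list of domains the recipient organisation really deals with;
# anchor-chain.com is the legitimate AsAc Group domain named in the article.
KNOWN_DOMAINS = {"anchor-chain.com"}


def sender_domain(msg):
    """Domain part of the From header, lower-cased, angle brackets stripped."""
    return str(msg["From"]).split("@")[-1].strip("<> ").lower()


def levenshtein(a, b):
    """Edit distance; a distance of 1 or 2 to a known domain is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = sender_domain(msg)
    # The vhost header tells which site on the shared host actually sent the mail.
    vhost = str(msg["X-PPP-Vhost"] or "").strip().lower()
    if vhost and vhost != sender:
        findings.append(f"From domain {sender} differs from sending vhost {vhost}")
    for known in KNOWN_DOMAINS:
        d = levenshtein(sender, known)
        if 0 < d <= 2:
            findings.append(f"{sender} is {d} edit(s) away from known domain {known}")
    return findings
```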

Attachment

The email message contains a PDF document named ”Marine_Engine_Spare__Parts_Order.pdf”, originally prepared as an Office document using “Microsoft Word 2013” and then converted into PDF format using the “Online2PDF.com” online service. The document does not contain any JavaScript or exploit code; however, the single page inside the document tries to lure the victim into opening the real document on a so-called “Adobe Online Protection” secure portal. The embedded link points to an external resource protected by the URL shortening service “Ow.ly”.

Figure 5. Malicious PDF document

The link “http://ow.ly/laqJ30lt4Ou” has been deactivated for “spam” issues and is no longer available at the time of writing. However, by analyzing automated sandbox reports dating back to the attack time period it is possible to partially reconstruct the dynamics of the payload execution, starting from the click on the embedded “ow.ly” link.

Figure 6. Attachment’s process tree

The dynamic trace recorded some network activity directed to two suspicious domains on the “.usa.cc” TLD, originating right after the launch of the “iexplore.exe” browser process: respectively “wvpznpgahbtoobu.usa.cc” and “xtyenvunqaxqzrm.usa.cc”.

Figure 7. DNS requests intercepted

The first network interaction recorded is related to the link embedded inside the PDF attachment, “http://ow.ly/laqJ30lt4Ou”, which returns a redirection to another resource protected by the same URL shortening service.

Figure 8. Redirection to the second ow.ly url

Opening the next URL, “http://ow.ly/Kzr430lt4NV”, returns another HTTP 301 redirect to an HTTPS resource related to one of the previously identified “usa.cc” domains:

Figure 9. Redirection to “wvpznpgahbtoobu.usa.cc”

Analyzing the SSL/TLS traffic intercepted during the dynamic analysis session shows multiple connections to the IP address 188.165.199.85, a dedicated server hosted by OVH SAS. The SSL certificate was issued by the “cPanel, Inc.” CA and is valid since 16th August 2018; this certificate is likely related to the previously discussed HTTP 301 redirection, given the common name “CN=wvpznpgahbtoobu.usa.cc” found in the Issuer field.
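The redirect chain reconstructed above (two “ow.ly” hops ending on an HTTPS resource under a “.usa.cc” domain) can be rebuilt from a sandbox HTTP transcript without touching the live URLs. This is an added example written for this post, not Yoroi’s tooling; the records are constructed from the hops described in the text, the final path is a placeholder because the report does not give it, and the shortener and TLD lists are assumptions.

```python
from urllib.parse import urlparse

# Constructed sandbox HTTP records (request URL, status, Location header),
# modelled on the hops described above; the final path is a placeholder.
HTTP_RECORDS = [
    ("http://ow.ly/laqJ30lt4Ou", 301, "http://ow.ly/Kzr430lt4NV"),
    ("http://ow.ly/Kzr430lt4NV", 301, "https://wvpznpgahbtoobu.usa.cc/PLACEHOLDER"),
    ("https://wvpznpgahbtoobu.usa.cc/PLACEHOLDER", 200, None),
]

URL_SHORTENERS = {"ow.ly"}      # assumed list of shortener hosts
SUSPICIOUS_TLDS = {".usa.cc"}   # taken from the article's findings
REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirect_chain(records, start):
    """Follow Location headers through captured records; returns ordered hops.

    Stops at a non-redirect status, a missing Location, an unknown URL, or a loop.
    """
    by_url = {url: (status, loc) for url, status, loc in records}
    chain, url = [], start
    while url in by_url and url not in chain:
        chain.append(url)
        status, loc = by_url[url]
        if status not in REDIRECT_CODES or not loc:
            break
        url = loc
    return chain


def assess(chain):
    """Summarise the chain the way an analyst would triage it."""
    hosts = [urlparse(u).hostname for u in chain]
    final = hosts[-1] if hosts else None
    return {
        "final_host": final,
        "shortener_hops": sum(h in URL_SHORTENERS for h in hosts),
        "suspicious_tld": bool(final) and any(final.endswith(t) for t in SUSPICIOUS_TLDS),
        "ends_on_https": bool(chain) and urlparse(chain[-1]).scheme == "https",
    }
```

A final host under a suspicious TLD reached only through shortener hops is the pattern worth alerting on, since the shortener hides the destination from the recipient and from naive URL reputation checks.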

Figure 10. SSL Certificate details  “wvpznpgahbtoobu.usa.cc”

Another SSL/TLS connection recorded shows traffic related to the “xtyenvunqaxqzrm.usa.cc” domain directed to the same 188.165.199.85 IP address:

Figure 11. SSL Certificate details “xtyenvunqaxqzrm.usa.cc”

OSINT investigations gathered evidence of past abuses of “xtyenvunqaxqzrm.usa.cc” for malicious purposes: for instance, a urlquery report dated 23rd August 2018 shows that a phishing portal previously reachable at “https://xtyenvunqaxqzrm .usa.cc/maesklines/Maerskline/maer.php” contained the login page of a fake “Maersk” shipping portal. Maersk is a multinational company operating in the logistics sector and one of the world’s largest container shipping companies.

Figure 12. Phishing page previously hosted on xtyenvunqaxqzrm.usa.cc

The elements found in the dynamic execution report indicate a consistency between the OSINT information about the “xtyenvunqaxqzrm.usa.cc” domain and the attachment itself: one of the dropped files recorded during the automated analysis session is named “login.html” and has been classified as a phishing template on the VT platform (hash 4cd270fd943448d595bfd6b0b638ad10).

Figure 13. login.html page dropped during the execution

Conclusion

The evidence collected during the joint analysis with Fincantieri’s security team suggests that some, still unspecified, targeted threat is likely trying to establish a foothold at least in the Italian naval industry. At this time it is not possible to confirm that the two waves of attack were planned and executed by the same threat actor as the “MartyMcFly” campaign; several differences, such as the distinct type of payload, are relevant. At the same time, however, common elements mean the possibility of such a relationship cannot be discarded. For example, the following indicators suggest a correlation:

  • impersonation of service providers and satellite companies of the naval industry sector;
  • usage of domain names carefully selected to appear similar to the legitimate names of known companies;
  • usage of professional-sounding emails containing references and documents carefully aligned with the impersonation context;
  • possible usage of “Microsoft Word 2013”.

Having said that, we would like to thank our colleagues in Fincantieri’s security team for sharing data about these attacks and helping us in the investigation of this threat.

Further details including IoC are available in the report published by Yoroi.

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – italian naval industry, MartyMcFly malware)

The post The ‘MartyMcFly’ investigation: Italian naval industry under attack appeared first on Security Affairs.

Operation Shaheen – Pakistan Air Force members targeted by nation-state attackers

Security firm Cylance has uncovered a sophisticated state-sponsored campaign, tracked as Operation Shaheen, against the Pakistan Air Force.

According to the experts, the campaign was carried out by a nation-state actor, tracked as the White Company, with access to zero-day exploits and exploit developers.

“The preliminary findings detail one of the group’s recent campaigns, a year-long espionage effort directed at the Pakistani Air Force. Cylance calls the campaign Operation Shaheen and the organization The White Company—in acknowledgement of the many elaborate measures the organization takes to whitewash all signs of its activity and evade attribution.” reads the press release published by Cylance.

“The Pakistani Air Force is not just an integral part of the country’s national security establishment—including its nuclear weapons program—but it is also the newly announced home of the country’s National Centre for Cyber Security. A successful espionage operation against such a target could yield significant tactical and strategic insight to a range of foreign powers.”

As part of Operation Shaheen, White Company hackers targeted members of the Pakistan Air Force with spear-phishing messages that weaponized lure files whose names referenced events, government documents, or news articles of interest to the targets (i.e. the Pakistani Air Force, the Pakistani government, and Chinese military and advisers in Pakistan).

Attackers initially used phishing messages with links to compromised websites, then switched to emails carrying infected Word documents as attachments.

In both cases, the researchers found, the emails were specifically crafted to reference topics that would appeal to the targets: the Pakistani Air Force, the Pakistani government, and Chinese military and advisers in Pakistan.

“We cannot say with precision where those documents went, or which were successful. However, we can say that the Pakistan Air Force was a primary target. This is evident by the overriding themes expressed in document filenames, the contents of the decoy documents, and the specificity employed in the military-themed lures.” continues the report published by Cylance.

“In addition, as explained below, the malware delivered by these lures was delivered from domains not just of legitimate, compromised Pakistani organizations — a common tactic attackers use to make any traffic the target might observe seem benign — but legitimate, compromised Pakistani organizations with an explicit connection to the Pakistani military.”

The malicious code used by White Company hackers was able to evade major antivirus solutions, including Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, AVG, and Quickheal.

The malware used in the campaign implements five different packing techniques that wrap the ultimate payload within a series of layers.

Attributing the attack to a specific actor is very difficult: a broad range of nation-state attackers would have an interest in spying on Pakistani Air Force members.

“Cylance does not endeavor to conclusively attribute attacks or campaigns to specific entities, as a matter of principle, for several reasons. This approach is particularly prudent in this case. The threat actor in question took great pains to elude attribution. They cobbled together tools created by several different developers, some of whom took steps to cover their tracks. These efforts served to complicate the overall picture of what occurred and who was behind it.” concludes the firm.

“Pakistan is a tumultuous, nuclear-armed nation with a history of explosive internal politics. Their position on the geopolitical chessboard makes them an obvious target of all the nation states with well-developed cyber programs (i.e. the Five Eyes, China, Russia, Iran, DPRK, Israel).”

“They also draw attention from emerging cyber powers like India and the Gulf nations.”

Additional information is included in the report published by the experts.

Pierluigi Paganini

(Security Affairs – Pakistani Air Force, Operation Shaheen)

The post Operation Shaheen – Pakistan Air Force members targeted by nation-state attackers appeared first on Security Affairs.

Joining Team Astalavista – Stay Tuned!

Dear blog readers, I wanted to let everyone know that I will shortly be joining Team Astalavista - The World's Most Popular Information Security Portal, acting as Managing Director, following a successful career as Managing Director through 2003-2006 where I used to maintain a highly informative and educational Security Newsletter featuring exclusive content and security interviews (Security