Category Archives: information security news

Critical flaws in Orbit Fox WordPress plugin allow site takeover

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover.

Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin. The flaws, a privilege-escalation vulnerability and a stored XSS bug, impact over 40,000 installs.

The Orbit Fox plugin allows site administrators to add features such as registration forms and widgets; it has been installed on 400,000+ sites.

The plugin was developed by ThemeIsle; it is designed to enhance the Elementor, Beaver Builder, and Gutenberg editors and implements additional features.

The two vulnerabilities can be exploited by attackers to inject malicious code into websites running the vulnerable version of the plugin and take them over.

“One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts.” reads the post published by Wordfence. “These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions.”

The authenticated privilege-escalation flaw has been rated as critical and has received a CVSS severity score of 9.9. Authenticated attackers with contributor-level access or above can escalate their privileges to administrator and potentially take over a website.

The authenticated stored cross-site scripting (XSS) issue allows attackers with contributor- or author-level access to inject JavaScript into posts. An attacker could exploit this flaw to conduct multiple malicious actions, such as malvertising attacks. The flaw, rated as medium severity, has received a CVSS score of 6.4.

The Orbit Fox plugin includes a registration widget that can be used to create a registration form with customizable fields when using the Elementor and Beaver Builder page builder plugins. Upon creating the registration form, the plugin provides the ability to set a default role to be assigned whenever a user registers through the form.

“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence continues. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Experts pointed out that the lack of server-side validation in Orbit Fox allows lower-level users to set their role to that of an administrator upon successful registration.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” continues Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”
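As an added illustration (not code from Orbit Fox, ThemeIsle or Wordfence), the pattern Wordfence describes, a default-role parameter that is only hidden in the editor UI, placed beside a server-side check. The function names, the role allow-list and the `promote_users` capability check are assumptions modelled on WordPress conventions; `$user_can` stands in for WordPress's `current_user_can()` so the snippet runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Role names and the capability
// name are assumptions modelled on WordPress; the handler shape is invented.

const ALLOWED_DEFAULT_ROLES = ['subscriber', 'contributor'];
const FALLBACK_ROLE = 'subscriber';

// Vulnerable pattern: the role selector is merely hidden from lower-level
// users in the editor, so anyone who can save the widget (contributor and
// above) can submit the parameter by hand and it is stored verbatim.
function save_default_role_vulnerable(array $request): string
{
    return (string) ($request['default_role'] ?? FALLBACK_ROLE);
}

// Hardened pattern: the server re-checks the privilege the UI relied on
// and only accepts values from a fixed allow-list, so 'administrator'
// can never become the role handed to self-registered accounts.
function save_default_role_hardened(array $request, callable $user_can): string
{
    $requested = $request['default_role'] ?? null;
    if ($requested === null) {
        return FALLBACK_ROLE;
    }
    // Only users allowed to promote others may choose a default role at all.
    if (!$user_can('promote_users')) {
        return FALLBACK_ROLE;
    }
    // Normalise like a role slug, then enforce the allow-list.
    $slug = strtolower(preg_replace('/[^a-z0-9_\-]/i', '', (string) $requested));
    if (!in_array($slug, ALLOWED_DEFAULT_ROLES, true)) {
        return FALLBACK_ROLE;
    }
    return $slug;
}

// Constructed request: a lower-level user supplying the hidden parameter.
$crafted = ['default_role' => 'administrator'];
$contributor_can = fn(string $cap): bool => false;
$admin_can = fn(string $cap): bool => $cap === 'promote_users';

echo save_default_role_vulnerable($crafted), "\n";
echo save_default_role_hardened($crafted, $contributor_can), "\n";
echo save_default_role_hardened($crafted, $admin_can), "\n";
echo save_default_role_hardened(['default_role' => 'contributor'], $admin_can), "\n";
```

The last three calls show that the hardened handler falls back to the subscriber role both when the caller lacks the capability and when an administrator submits a value outside the allow-list.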

The stored XSS vulnerability allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page.

The two vulnerabilities have been addressed with the release of version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and could allow attackers to carry out attacks on a large scale. In December, the development team behind the Contact Form 7 WordPress plugin disclosed an unrestricted file upload vulnerability; the plugin has over 5 million active installs. The issue can be exploited to upload a file that can be executed as a script on the underlying server.

In November threat actors were observed actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin installed on more than 500,000 sites.

In the same period, hackers were actively exploiting a critical remote code execution vulnerability in the File Manager plugin; over 300,000 WordPress sites were potentially exposed at the time of the discovery.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

The post Critical flaws in Orbit Fox WordPress plugin allows site takeover appeared first on Security Affairs.

Security Affairs newsletter Round 297

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

It is time to re-evaluate Cyber-defence solutions
New Zealand central bank hit by a cyber attack
TeamTNT botnet now steals Docker API and AWS credentials
Connecting the dots between SolarWinds and Russia-linked Turla APT
Experts gained access to the Git repositories of the United Nations
Russian hacker Andrei Tyurin sentenced to 12 years in prison
Source code for malware that targets Qiui Cellmate device was leaked online
Ubiquiti discloses a data breach
Bitdefender releases free decrypter for Darkside ransomware
EMA: Some of Pfizer/BioNTech COVID-19 vaccine data was leaked online
Police took down DarkMarket, the world's largest darknet marketplace
Sophisticated hacking campaign uses Windows and Android zero-days
Sunspot, the third malware involved in the SolarWinds supply chain attack
Attackers targeted Accellion FTA in New Zealand Central Bank attack
Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe's data policies compare
Rogue Android RAT emerges from the darkweb
CAPCOM: 390,000 people impacted in the recent ransomware Attack
CISA warns of recent successful cyberattacks against cloud service accounts
Cisco addresses a High-severity flaw in CMX Software
Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds
Expert discovered a DoS vulnerability in F5 BIG-IP systems
Operation Spalax, an ongoing malware campaign targeting Colombian entities
Cisco says its RV routers will no longer receive updates
Expert launched Malvuln, a project to report flaws in malware
Signal is down for multiple users worldwide
Winnti APT continues to target game developers in Russia and abroad
Joker's Stash, the largest carding site, is shutting down
Siemens fixed tens of flaws in Siemens Digital Industries Software products
Two kids found a screensaver bypass in Linux Mint


Two kids found a screensaver bypass in Linux Mint

The development team behind the Linux Mint distro has fixed a security flaw that could have allowed users to bypass the OS screensaver.

The maintainers of the Linux Mint project have addressed a security bug that could have allowed attackers to bypass the OS screensaver.

The curious aspect of this vulnerability is its discovery: it was found by two children who were playing on their dad’s computer.

The process is simple: crashing the screensaver through the virtual keyboard bypasses the screen lock and unlocks the desktop.

In order to reproduce the bypass on a locked system, click on the virtual keyboard, then type on the real keyboard while also typing on the virtual keyboard, pressing as many keys as possible at the same time.

“A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play… when the screensaver core dumped and they actually hacked their way in! wow, those little hackers…” states a bug report on GitHub.

“I thought it was a unique incident, but they managed to do it a second time. So I’d consider this issue… reproducible… by kids. I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard. Maybe not the best bug report, but I’ve seen the screenlock crash twice already with my own eyes, so it’s pretty real. One last thing, after the desktop is unlocked, I can’t re-lock it again, the screensaver process is pretty dead and requires me to open a shell and run ‘cinnamon-screensaver’ manually to get it working.”

Linux Mint lead developer Clement Lefebvre confirmed that the bug resides in libcaribou, the on-screen keyboard (OSK) component that is part of the Cinnamon desktop environment used by Linux Mint.

“We’ll most likely patch libcaribou here” wrote Lefebvre. “We have two different issues:

  • In all versions of Cinnamon, the on-screen keyboard (launched from the menu) runs within the Cinnamon process and uses libcaribou. Pressing ē crashes Cinnamon.
  • In versions of Cinnamon 4.2 and higher, there’s a libcaribou OSK in the screensaver. Pressing ē there crashes the screensaver.”

The vulnerability is triggered when a user presses the “ē” key on the on-screen keyboard, which crashes the Cinnamon desktop process. If the on-screen keyboard is opened from the screensaver, the bug crashes the screensaver instead, allowing the user to access the desktop.

The issue was introduced in Linux Mint with the Xorg update released in October to fix the CVE-2020-25712 heap-buffer overflow. The bug affects all distributions running Cinnamon 4.2+ and any software using libcaribou.

The vulnerability was addressed with the release of a patch for Mint 19.x, Mint 20.x and LMDE 4.


Siemens fixed tens of flaws in Siemens Digital Industries Software products

Siemens has addressed tens of vulnerabilities in Siemens Digital Industries Software products that can allow arbitrary code execution.

Siemens has addressed 18 vulnerabilities affecting some products of Siemens Digital Industries Software, which provides product lifecycle management (PLM) solutions.

The vulnerabilities affect Siemens JT2Go, a 3D viewing tool for JT data (an ISO-standardized 3D data format), and the Teamcenter Visualization solution. JT2Go is a 3D JT viewing tool that allows customers to view JT, PDF, Solid Edge, PLM XML (with available JT), VFZ, CGM, and TIF data. Teamcenter Visualization software provides a comprehensive family of visualization solutions to access documents, 2D drawings and 3D models in a single environment.

“JT2Go and Teamcenter Visualization are affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens has released updates for both affected products and recommends to update to the latest versions.” states the advisory published by the vendor.

The company recommends limiting the opening of untrusted files on systems where JT2Go or Teamcenter Visualization is installed to mitigate the risk of attacks exploiting these issues. It also suggests applying a defense-in-depth concept to reduce the probability that untrusted code is run on the system.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory related to these security flaws.

According to CISA, the addressed flaws include Type Confusion, Improper Restriction of XML External Entity Reference, Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Untrusted Pointer Dereference, and Out-of-bounds Read.

The following products are affected by the vulnerabilities addressed by Siemens:

  • JT2Go: All versions prior to v13.1.0
  • JT2Go: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991
  • Teamcenter Visualization: All versions prior to V13.1.0
  • Teamcenter Visualization: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991

Several vulnerabilities addressed by the vendor received a CVSS v3 base score of 7.8, including:

The flaws were reported by two researchers through Trend Micro’s Zero Day Initiative (ZDI) and the U.S. CISA.

Siemens also addressed six vulnerabilities in its Solid Edge solution, which provides software tools for 3D design, simulation and manufacturing. The flaws could lead to arbitrary code execution and information disclosure.

“Solid Edge is affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. Siemens has released an update for Solid Edge and recommends to update to the latest version.” reads the advisory.


Joker’s Stash, the largest carding site, is shutting down

Joker’s Stash to shut down on February 15, 2021.

Joker’s Stash, the largest carding marketplace online announced that it was shutting down its operations on February 15, 2021.

The administrator announced the decision via messages posted on various cybercrime forums.

[Image: Joker’s Stash official closing message. Image source: Flashpoint]

Joker’s Stash is one of the longest-running carding websites: it was launched in October 2014 and is very popular in the cybercrime underground due to the freshness of its cards and their validity. The administrators always claimed that their offer was exclusive, being based on “self-hacked bases.”

In December, Joker’s Stash was shut down as a result of a coordinated operation conducted by the FBI and Interpol.


At the time, the authorities seized only some of the servers used by the carding portal; the Joker’s Stash site hosted on the Tor network was not affected by the police operation.

The seized sites were jstash.bazar, jstash.lib, jstash.emc, and jstash.coin, all of which are accessible via blockchain DNS.

The Joker’s Stash admins said in a message published on a hacking forum that law enforcement had only seized the servers hosting the above domains, which were used solely to redirect visitors to the actual website.

The seizure carried out by law enforcement in December had an impact on the reputation of the portal; some users were also claiming that the quality of the services offered by Joker’s Stash was decreasing.

“Throughout 2020, the typically active administrator JokerStash had several gaps in communications. JokerStash claimed that they were hospitalized due to a coronavirus infection. The decreasing number of large fresh bases also questioned their ability to source new card data.” reported FlashPoint.

The news of the closure of the card shop represents a major hit to the carding activities in the underground market.

The success of the recent operations might have pushed the administrators into an exit from their operations.


Expert launched Malvuln, a project to report flaws in malware

The researcher John Page launched malvuln.com, the first website exclusively dedicated to the research of security flaws in malware codes.

The security expert John Page (aka hyp3rlinx) launched malvuln.com, the first platform exclusively dedicated to the research of security flaws in malware codes.

The news was first reported by SecurityWeek; the researcher explained that Malvuln is the first website dedicated to the research and analysis of vulnerabilities in malware samples.

“malvuln.com is the first website exclusively dedicated to the research of security vulnerabilities within Malware itself.” wrote the expert. “There are many websites already offering information about Malware like Hashes, IOC, Reversing etc. However, none dedicated to research and analysis of vulnerabilities within Malware samples… until now. Long Live MALVULN.”

Sharing knowledge of vulnerabilities affecting malware could allow incident response teams to neutralize the threat in case of infection, but could also help malware authors to address them and improve their malware. For this reason, it is likely that Page will regulate the vulnerability disclosure process in the future.

This is a great initiative and we have to support it; everyone can get in contact with the expert via Twitter (@malvuln) or email (malvuln13[at]gmail.com).

Currently, Page is the sole contributor to the Malvuln service, but he could start accepting third-party contributions in the future.

The initiative was clearly created for educational and research purposes only.

At the time of writing the site already includes 26 entries related to remotely exploitable buffer overflow flaws and privilege escalation issues. Most of the buffer overflow vulnerabilities could be exploited for remote code execution.

For each flaw reported through the website, the record includes information such as the name of the malware, the MD5 hash, the type of vulnerability, a description of the vulnerability, dropped files, a memory dump, and proof-of-concept (PoC) exploit code.


Winnti APT continues to target game developers in Russia and abroad

A Chinese threat actor targeted organizations in Russia and Hong Kong with a previously undocumented backdoor, experts warn.

Cybersecurity researchers from Positive Technologies have uncovered a series of attacks conducted by a Chinese threat actor that aimed at organizations in Russia and Hong Kong. Experts attribute the attacks to the China-linked Winnti APT group (aka APT41) and reported that the attackers used a previously undocumented backdoor in the attacks.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

The recent attacks documented by Positive Technologies were first spotted on May 12, 2020, when the experts detected several samples of the new malware that were initially incorrectly attributed to the Higaisa threat actors. Investigating the attack, the experts discovered a number of new malware samples used by the attackers, including various droppers, loaders, and injectors. The attackers also used the Crosswalk, ShadowPad, and PlugX backdoors, but the researchers also noticed a sample of a previously undocumented backdoor that they dubbed FunnySwitch.

In the first attack, the threat actors used LNK shortcuts to extract and run the malware payload, while in the second attack, detected on May 30, the threat actor used a malicious archive (CV_Colliers.rar) containing shortcuts to two bait PDF documents, a CV and an IELTS certificate.

The LNK files contain links to target pages hosted on Zeplin, a legitimate collaboration service for designers and developers.

The payload consists of two files: svchast.exe, which acts as a simple local shellcode loader, and ‘3t54dE3r.tmp’, the shellcode containing the main payload (the Crosswalk malware).

Crosswalk was first spotted by researchers from FireEye in 2017 and included in an analysis of the activities associated with the APT41 (Winnti) group. The malware is a modular backdoor that implements system reconnaissance capabilities and is able to deliver additional payloads.

Experts also discovered a significant overlap of the network infrastructure with the APT41’s infrastructure.

“The network infrastructure of the samples overlaps with previously known APT41 infrastructure: at the IP address of one of the C2 servers, we find an SSL certificate with SHA-1 value of b8cff709950cfa86665363d9553532db9922265c, which is also found at IP address 67.229.97[.]229, referenced in a 2018 CrowdStrike report. Going further, we can find domains from a Kaspersky report written in 2013.” reads the report published by Positive Technologies. “All this leads us to conclude that these LNK file attacks were performed by Winnti (APT41), which “borrowed” this shortcut technique from Higaisa.”


The Winnti group focuses on the computer game industry: in the past it targeted game developers, and recently it hit Russian companies in the same industry. The targets of the recent attacks include Battlestate Games, a Unity3D game developer from St. Petersburg.

In June, the researchers detected an active HttpFileServer on one of the active C2 servers. The HFS contained an email icon, a screenshot from a game with Russian text, a screenshot of the site of a game development company, and a screenshot of information about vulnerability CVE-2020-0796 from the Microsoft website. The files were used two months later, on August 20, 2020, in attacks that also leveraged a self-contained loader for Cobalt Strike Beacon PL shellcode.

The discovery led the experts to believe that they had detected traces of preparation for, and subsequent successful implementation of, an attack on Battlestate Games.

“Winnti continues to pursue game developers and publishers in Russia and elsewhere. Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS. By ensuring timely detection and investigation of breaches, companies can avoid becoming victims of such a scenario.” concludes the report.


Expert discovered a DoS vulnerability in F5 BIG-IP systems

A security researcher discovered a flaw in the F5 BIG-IP product that can be exploited to conduct denial-of-service (DoS) attacks.

The security expert Nikita Abramov from Positive Technologies discovered a DoS vulnerability, tracked as CVE-2020-27716, that affects certain versions of F5 BIG-IP Access Policy Manager (APM).

The F5 BIG-IP Access Policy Manager is a secure, flexible, high-performance access management proxy solution that delivers unified global access control for your users, devices, applications, and application programming interfaces (APIs).

The vulnerability resides in the Traffic Management Microkernel (TMM) component which processes all load-balanced traffic on BIG-IP devices.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts. (CVE-2020-27716)” reads the advisory published by F5. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

An attacker could trigger the flaw by simply sending a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, and that would be enough to block access to the controller for a while (until it automatically restarts).

“Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example unconsciously neglected by developers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies.” explains Nikita Abramov, researcher at Positive Technologies.

The flaw impacts versions 14.x and 15.x; the vendor has already released security updates that address it.

In June, F5 Networks addressed another flaw, tracked as CVE-2020-5902, which resides in undisclosed pages of the Traffic Management User Interface (TMUI) of the BIG-IP product.

The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, create or delete files, and potentially take over the BIG-IP device.

The CVE-2020-5902 vulnerability received a CVSS score of 10, meaning it is quite easy to exploit. The issue could be exploited by sending a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Immediately after the public disclosure of the flaw, several proof-of-concept (PoC) exploits were released, some of them very easy to use.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product, threat actors started exploiting it in attacks in the wild. Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.


Operation Spalax, an ongoing malware campaign targeting Colombian entities

Security experts from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian government institutions and private companies.

Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian entities exclusively.

The attacks aimed at government institutions and private companies, most of them in the energy and metallurgical sectors. The campaign has been active at least since 2020, and the attackers leverage remote access trojans to spy on their victims.

The attacks share some similarities with other campaigns targeting Colombian entities, in particular a campaign detailed by QiAnXin in February 2019. The operations described by QiAnXin are attributed to an APT group active since at least April 2018.

Below are the similarities found by ESET:

  • We saw a malicious sample included in IoCs of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
  • Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the earlier campaign.
  • The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
  • Some of the C&C servers in Operation Spalax use linkpc.net and publicvm.com subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the earlier campaign.

However, experts found differences in the attachments used for the phishing emails, in the remote access trojans (RATs) used, and in the operators’ C&C infrastructure.

The attacks start with phishing messages that lead to the download of RAR archives hosted on OneDrive or MediaFire containing a malicious executable.

“We’ve found a variety of packers used for these executables, but their purpose is always to have a remote access trojan running on the victimized computer, usually by decrypting the payload and injecting it into legitimate processes.” continues the report. “We have seen the attackers use three different RATs: Remcos, njRAT and AsyncRAT.”


The phishing messages used a wide range of topics as lures, such as notifications of driving infractions, court hearings to attend, and mandatory COVID-19 tests to take.

ESET also documented the use of heavily obfuscated AutoIt droppers; in this attack scenario the first-stage malware performs the injection and execution of the payload. The malware uses two shellcodes contained in the compiled AutoIt script: the first one decrypts the payload and the second injects it into some process.

The trojans used in Operation Spalax implement several capabilities to spy on targets, such as keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to download and execute other payloads.

ESET pointed out that the attackers rely on a large C2 network infrastructure: the experts observed at least 24 different IP addresses in use in the second half of 2020 alone. The attackers probably compromised devices to use them as proxies for their C2 servers. The threat actors also used dynamic DNS services to manage a pool of 70 different domain names (registering new ones on a regular basis) that are dynamically assigned to IP addresses.

“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year,” ESET concludes. “The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.”


CAPCOM: 390,000 people impacted in the recent ransomware Attack

Capcom revealed that the recent ransomware attack has potentially impacted 390,000 people, an increase of approximately 40,000 people from the previous report.

In November, Japanese game developer Capcom admitted it had suffered a cyberattack that was impacting business operations.

The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Darkstalkers, Resident Evil, Devil May Cry, Onimusha, Dino Crisis, Dead Rising, Sengoku Basara, Ghosts ‘n Goblins, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties.

At the time, the Notice Regarding Network Issues published by the company revealed that it had suffered a cyberattack on the morning of November 2nd, 2020. In response to the incident, the game developer shut down portions of its corporate network to prevent the malware from spreading.

The incident did not impact connections for its players, and the company initially declared that it had not found any evidence that customer data was stolen.

In mid-November, the company confirmed that the attackers had accessed the personal information of its employees, along with financial and business information. The company believes that other information potentially accessed includes sales reports, financial information, game development documents, and other information related to business partners.

No credit card information was compromised in the security breach.

After the attack, the Ragnar Locker ransomware operators claimed to have stolen over 1TB of data from the company.

In an update published by the Ragnar ransomware gang on its leak site, the operators leaked a collection of archives as proof of the hack.

“Greetings ! Unfortunately even such worldwide leading company as CAPCOM doesn’t values much privacy and security. They was notified about vulnerability and data leak numerous time. They checked our page with proofs but even this didn’t help them to make a right decision and save data from leakage. Also we would help them to decrypt and also provide with recommendations on security measures improvement, to avoid such issues in future.” reads the post published by the Ragnar gang on its leak site.

“We are sure that everyone should know about CAPCOM’s decision and careless attitude regarding data privacy. This might seems crazy in 21st century, all corporates should work harder on their security measures, especially IT and online based companies.”

This week, Capcom provided an update on its investigation, which revealed that the number of impacted people is larger than initially believed.

Capcom revealed that the personal information of 16,415 people was stolen by the ransomware gang. The impacted people include 3,248 business partners, 9,164 former employees and related parties, and 3,994 employees and related parties. This cumulative total includes the 9 people reported in the previous update; 16,406 were newly confirmed in this one.

“Further, because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.” reads the update published by the company.

Cumulative maximum number of potentially impacted people is 390,000, an increase of approximately 40,000 people from the previous report.

1. Information verified to have been compromised (updated)

i. Personal Information: 16,406 people (cumulative total since investigation began: 16,415 people)

· Business partners, etc.: 3,248 people. At least one of the following: name, address, phone number, email address, etc.

· Former employees and related parties: 9,164 people. At least one of the following: name, email address, HR information, etc.

· Employees and related parties: 3,994 people. At least one of the following: name, email address, HR information, etc.

ii. Other Information: Sales reports, financial information, game development documents, other information related to business partners

2. Potentially compromised data (updated)

i. Personal Information: Applicants: approx. 58,000 people. At least one of the following: name, address, phone number, email address, etc.

* Cumulative maximum number of potentially compromised data for customers, business partners and other external parties: 390,000 people

* Regarding the cumulative maximum number of potentially compromised data above: as part of its ongoing investigation, Capcom has determined that it currently does not see evidence for the possibility of data compromise for the approximate 18,000 items of personal information from North America (Capcom Store member information and esports operations website members) that the company included in its November 16, 2020 announcement. As such, these have been removed from this cumulative maximum number of potentially compromised data.

The company pointed out that the investigation is still ongoing and that new facts may come to light.

“At this point in time, Capcom’s internal systems have in large part recovered, and business operations have returned to normal.” concludes the update.

Pierluigi Paganini

(SecurityAffairs – hacking, CAPCOM)

The post CAPCOM: 390,000 people impacted in the recent ransomware Attack appeared first on Security Affairs.

Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds

Russian-speaking scammers have started targeting users of European marketplaces and classifieds in a criminal scheme dubbed Classiscam.

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has discovered that Russian-speaking scammers have started targeting users of European marketplaces and classifieds. The scheme, dubbed Classiscam by Group-IB, is an automated scam-as-a-service designed to steal money and payment data. It uses Telegram bots that provide scammers with ready-to-use pages mimicking popular classifieds, marketplaces and sometimes delivery services. According to Group-IB, over 20 large groups leveraging the scheme currently operate in Bulgaria, the Czech Republic, France, Poland, Romania, the US, and post-Soviet countries, while 20 more groups work in Russia. These 40 groups altogether made at least USD 6.5 mln in 2020. Scammers are actively abusing the brands of popular international classifieds and marketplaces, such as Leboncoin, Allegro, OLX, FAN Courier, Sbazar, etc. Group-IB has sent notifications to the affected brands so they could take the necessary steps to protect against Classiscam.

The scheme, which initially exploited delivery brands, has been tried and tested in Russia. Analysts warn that it is now growing rapidly and reaching users of European classifieds and marketplaces, which were chosen as a target by Russian-speaking scammers to increase their profits and reduce the risk of being caught. Fighting the scam requires joint efforts by classifieds, marketplaces, and delivery services. It is also key to use advanced digital risk protection technology to ensure that any brand impersonating attacks are quickly detected and taken down. 

Exporting Classiscam

Group-IB Computer Emergency Response Team (CERT-GIB) for the first time recorded the Classiscam in Russia in the summer of 2019. Peak activity was recorded in the spring of 2020 due to the massive switch to remote working and an increase in online shopping.

“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages,” says Yaroslav Kargalev, the deputy head of CERT-GIB. “We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time when Russia serves as a testing ground for cybercriminals with global ambitions.” 

Group-IB’s Digital Risk Protection and CERT-GIB experts have so far identified at least 40 active Classiscam gangs that use scam pages mimicking popular classified, marketplace, and delivery companies, with every one of them running a separate Telegram bot. Half of the groups already operate outside of Russia. Although scammers are only making their first attempts in Europe, an average theft costs users about USD 120. The scam was localized for the markets of Eastern and Western Europe. The brands abused by scammers include the French marketplace Leboncoin, the Polish brand Allegro, the Czech site Sbazar, the Romanian courier FAN Courier, DHL and many others. An analysis of underground forums and chats revealed that scammers are getting ready to use new brands in their scams: FedEx and DHL Express in the US and Bulgaria.

As part of the scheme, scammers publish bait ads on popular marketplaces and classified websites. The ads usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices. The buyer contacts the seller, who lures the former into continuing the conversation through a third-party messenger, such as WhatsApp. It is noteworthy that scammers pose as both buyers and sellers. To be more persuasive, the scammers use local phone numbers when speaking with their victims; such services are offered in the underground.

Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data. 

The scammers ask victims to provide their contact information, allegedly to arrange a delivery. The scammer then sends the buyer a URL to either a fake website of a popular courier service or a scam website mimicking a classified or a marketplace with a payment form, which turns out to be a scam page. As a result, the fraudster obtains payment data or withdraws money through a fake merchant website. Another scenario involves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form mimicking a marketplace, obtained via a Telegram bot, so that the seller can supposedly receive the money from the scammer.

Classiscam Hierarchy 

Group-IB discovered at least 40 groups leveraging Classiscam, with each of them running a separate Telegram chat-bot. At least 20 of these groups focus on European countries. On average, they make around US $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make US $522,000 per month in total. 

The hierarchy of the scammer groups represents a pyramid, with the topic starters on top. They are responsible for recruiting new members, creating scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction. The topic starters’ share is about 20-30 percent of the stolen sum. “Workers” get 70-80 percent of the stolen sum for communicating with victims and sending them phishing URLs. 

All details of deals made by workers (including the sum, payment number and username) are displayed in a Telegram bot. That is how Group-IB experts were able to calculate their estimated monthly haul.

Based on payment statistics, the most successful workers move to the top of the list and become influential members of the project. By doing so, they gain access to VIP options in the chats and can work on European marketplaces, which offer a higher income and involve fewer risks for Russian-speaking scammers. Workers’ assistants are called “callers” and “refunders.” They pretend to be tech support specialists and receive 5-10 percent of the revenue.

Phishing kit in Telegram

The scheme is simple and straightforward, which makes it all the more popular. There are more reasons behind its growing popularity, however, such as automated management and expansion through special Telegram chat bots. More than 5,000 users (scammers) were registered in the 40 most popular Telegram chats by the end of 2020.

As it stands, workers just need to send a link with the bait product to the chatbot, which then generates a complete phishing kit including courier URL, payment, and refund. There are more than 10 types of Telegram bots that create scam pages for brands from Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and country, scammers write scripts that help newbie workers log in to foreign sites and communicate with victims in the local language.

Chatbots also have shops where you can purchase accounts to various marketplaces, e-wallets, targeted mailings, and manuals, or even hire a lawyer to represent you in court.  

“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad,” says Dmitriy Tiunkin, Head of Group-IB Digital Risk Protection Department, Europe. “Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.”

Fighting the Classiscam

In order to protect their brands from Classiscam, companies need to go beyond the simple monitoring and blocking approach. Instead, it is necessary to identify and block adversary infrastructure using AI-driven digital risk protection systems enriched with data about adversary infrastructure, techniques, tactics, and new fraud schemes. 

The recommendations for users are quite simple and include: 

· Trust only official websites. Before entering your login details and payment information, double check the URL and Google it to see when it was created. If the site is only a couple of months old, it is highly likely to be a scam or a phishing page.

· When using services for renting or selling new and used goods, do not switch to messengers. Keep all your communication in the official chat.

· Do not order goods or agree to deals involving a prepaid transaction. Pay only after you receive the goods and make sure that everything is working properly.

· Large discounts and unbelievable promotions may be just that: too good to be true. They are likely to indicate a bait product and a phishing page. Be careful.
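The first recommendation above, checking that a payment or delivery link really belongs to the brand, can be turned into a small automated check. The following is an added example, not code from Group-IB or from this article; the "official" domains it uses for two of the brands named above are assumptions to be verified against the brands' own published addresses, and the sample URLs in the usage lines are constructed.

```python
"""Added example (not from Group-IB or Security Affairs): classify a payment or
delivery URL against a brand's assumed official domains, the check the
"trust only official websites" advice asks a user to make by hand."""
from urllib.parse import urlsplit

# Assumed official domains for two brands named in the article; verify these
# against the brands' own published addresses before relying on them.
OFFICIAL_DOMAINS = {
    "leboncoin": ("leboncoin.fr",),
    "allegro": ("allegro.pl",),
}


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the given URL.

    'official'   the hostname is an assumed official domain or a subdomain of it
    'lookalike'  a brand name appears in the hostname, in the user-info part
                 before '@', or in the path, but the hostname is not official
    'unrelated'  no brand name appears anywhere in the URL
    """
    parts = urlsplit(url.strip())
    # urlsplit separates "brand.fr@evil.example" into username and hostname,
    # so a brand name placed before '@' cannot pass as the host
    host = (parts.hostname or "").lower()
    userinfo = (parts.username or "").lower()
    path = parts.path.lower()

    for domains in OFFICIAL_DOMAINS.values():
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official"
    for brand in OFFICIAL_DOMAINS:
        if brand in host or brand in userinfo or brand in path:
            return "lookalike"
    return "unrelated"


def uses_tls(url: str) -> bool:
    """A genuine marketplace payment page is served over HTTPS."""
    return urlsplit(url.strip()).scheme.lower() == "https"


if __name__ == "__main__":
    # constructed sample links: one genuine-looking, three that should be refused
    for link in (
        "https://www.leboncoin.fr/annonce/123",
        "https://leboncoin.fr.delivery-example.net/pay",
        "https://leboncoin.fr@payment-example.net/",
        "https://example.com/allegro-offer",
    ):
        print(classify_url(link), uses_tls(link), link)
```

Only an exact match or a subdomain of the assumed official domain counts as official; a brand name anywhere else in the link is treated as a lookalike, which is the pattern of the pages the article describes.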

About the author: Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services. 

Pierluigi Paganini

(SecurityAffairs – hacking, Classiscam)

The post Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds appeared first on Security Affairs.

Cisco addresses a High-severity flaw in CMX Software

Cisco addressed dozens of high-severity flaws, including some in the AnyConnect Secure Mobility Client and in its small business routers.

This week Cisco released security updates to address 67 high-severity vulnerabilities, including issues affecting Cisco’s AnyConnect Secure Mobility Client and small business routers (i.e. Cisco RV110W, RV130, RV130W, and RV215W). One of the flaws fixed by the tech giant, tracked as CVE-2021-1144, is a high-severity vulnerability that affects Cisco Connected Mobile Experiences (CMX), a smart Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics for consumers’ mobile devices. CMX supports an organization’s Wi-Fi and mobile engagement and allows it to deliver content to smartphones and tablets that is personalized to visitors’ preferences and pertinent to their real-time indoor locations.

The vulnerability, which received a CVSS score of 8.8 out of 10, could be exploited by a remote authenticated attacker to change the password of any user account on affected systems.

“A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” reads the advisory published by Cisco.

“The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”
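The advisory describes an authorization defect, not an authentication one: the caller is logged in, but the handler never checks whether that caller may change the password of the user named in the request. The following added example (not Cisco's code, and not a description of CMX internals) shows that class of defect in a password-change handler beside a corrected version; the user store, roles, and request dictionaries are constructed for the demonstration.

```python
"""Added example (not Cisco's code): a password-change handler with the class of
defect the CMX advisory describes, shown beside a corrected version. The user
store, roles and request dictionaries are constructed for the demonstration."""
import hashlib
import hmac
import os
from typing import Dict

USERS: Dict[str, dict] = {}  # constructed in-memory store: name -> role, salt, hash


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested change."""


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def add_user(name: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[name] = {"role": role, "salt": salt, "hash": _hash(password, salt)}


def verify(name: str, password: str) -> bool:
    rec = USERS.get(name)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def _set_password(name: str, new_password: str) -> None:
    salt = os.urandom(16)
    USERS[name].update(salt=salt, hash=_hash(new_password, salt))


def change_password_vulnerable(session_user: str, request: dict) -> str:
    """Authenticates the caller (session_user is a logged-in account) but never
    checks *whose* password is being set: the target comes straight from the
    request body, so any logged-in user can overwrite an administrator's password."""
    target = request["username"]
    _set_password(target, request["new_password"])
    return target


def change_password_fixed(session_user: str, request: dict) -> str:
    """Authorize the change: a user may only change their own password and must
    prove the current one; only an admin may change someone else's."""
    target = request["username"]
    if target not in USERS:
        raise Forbidden("unknown target user")
    if target == session_user:
        if not verify(session_user, request.get("current_password", "")):
            raise Forbidden("current password required to change your own password")
    elif USERS[session_user]["role"] != "admin":
        raise Forbidden(f"{session_user} may not change the password of {target}")
    _set_password(target, request["new_password"])
    return target


if __name__ == "__main__":
    add_user("admin", "admin-initial", "admin")
    add_user("alice", "alice-initial", "user")
    # the vulnerable handler lets a plain user reset the administrator's password
    change_password_vulnerable("alice", {"username": "admin", "new_password": "taken"})
    print("admin password overwritten by alice:", verify("admin", "taken"))
    # the fixed handler refuses the same request
    try:
        change_password_fixed("alice", {"username": "admin", "new_password": "again"})
    except Forbidden as exc:
        print("refused:", exc)
```

The fix is the pair of checks in change_password_fixed: the target is compared with the session identity, and a cross-user change additionally requires the admin role. Requiring the current password for a self-service change also limits what an attacker holding a stolen session can do.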

The flaw affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2.

The vendor addressed the flaw with the release of software version 10.6.3; it also informed customers that there are no workarounds that address this issue.

Cisco also addressed a DLL Injection flaw, tracked as CVE-2021-1237, in Cisco AnyConnect Secure Mobility Client for Windows.

The flaw received a CVSS score of 7.8; attackers could exploit it to conduct a dynamic-link library (DLL) injection attack.

“A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.” reads the advisory.

“The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.”

Cisco also fixed a series of flaws in the management interface of the Small Business RV110W, RV130, RV130W, and RV215W routers that could lead to remote command execution and denial of service attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, CMX)

The post Cisco addresses a High-severity flaw in CMX Software appeared first on Security Affairs.

CISA warns of recent successful cyberattacks against cloud service accounts

The US CISA has revealed details of several recent successful cyberattacks against various organizations’ cloud services.

The Cybersecurity and Infrastructure Security Agency (CISA) announced that several recent successful cyberattacks hit various organizations’ cloud services.

According to the agency, the attackers conducted phishing campaigns and exploited poor cyber hygiene practices of the victims in the management of cloud services configuration.

CISA has published a report based on information collected exclusively from several CISA incident response engagements; the data are extremely valuable because they detail the tactics, techniques, and procedures used by the threat actors and the indicators of compromise (IOCs). The data in the Analysis Report are not explicitly tied to the supply chain attack on the SolarWinds Orion Platform software.

“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” reads the report published by CISA.

CISA revealed that the threat actors bypassed multi-factor authentication (MFA) to compromise cloud service accounts.

The attackers may have used browser cookies to defeat MFA with a “pass-the-cookie” attack (MITRE ATT&CK technique T1550.004).

Government experts confirmed that the threat actors initially attempted brute force logins on some accounts without success.

At least in one case, the attackers modified or set up email forwarding rules to redirect the emails to an account under their control.

The threat actors also modified existing rules to search users’ email messages (subject and body) for keywords that could help them identify messages containing sensitive data (e.g. financial information) and forward them to their own accounts.

“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” continues CISA.
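The two mailbox-rule behaviours CISA describes, forwarding keyword-matched mail to an outside address and moving warning messages into the RSS Feeds or RSS Subscriptions folder, are easy to pick out of an export of inbox rules. The following is an added example (not from the CISA report or this article) that runs such a check over a constructed, simplified rule export; the field names, the organisation domain example.org and the watched terms are assumptions.

```python
"""Added example (not from the CISA report): flag mailbox rules of the kinds the
report describes, run over a constructed, simplified export of inbox rules.
Field names, the organisation's domain and the watched terms are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ORG_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domains
# Folders the report names as hiding places, plus common variants
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email"}
# Terms whose presence in a rule's match conditions deserves a look
WATCH_TERMS = {"phishing", "suspicious", "password", "security alert", "invoice", "wire"}


@dataclass
class InboxRule:
    owner: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)
    body_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def assess_rule(rule: InboxRule) -> List[str]:
    """Return human-readable findings for one rule (empty list if benign)."""
    findings = []
    conditions = [c.lower() for c in rule.subject_contains + rule.body_contains]
    watched = sorted({t for t in WATCH_TERMS for c in conditions if t in c})
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.forward_to and watched:
        findings.append("forwards messages matching watched terms: " + ", ".join(watched))
    folder = (rule.move_to_folder or "").lower()
    if folder in HIDING_FOLDERS and watched:
        findings.append(f"hides messages matching {', '.join(watched)} in '{rule.move_to_folder}'")
    return findings


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'owner/rule name' to findings for every rule that raised any."""
    report = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report[f"{rule.owner}/{rule.name}"] = findings
    return report


# Constructed sample export: one benign rule and two of the shapes CISA describes
SAMPLE_RULES = [
    InboxRule("alice@example.org", "Newsletters", move_to_folder="Newsletters",
              subject_contains=["newsletter"]),
    InboxRule("bob@example.org", "Finance copy",
              forward_to=["collector@attacker-example.net"],
              subject_contains=["invoice", "wire transfer"]),
    InboxRule("carol@example.org", "Quiet", move_to_folder="RSS Subscriptions",
              subject_contains=["phishing", "suspicious login"]),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_RULES).items():
        print(key)
        for item in findings:
            print("  -", item)
```

In a real deployment the rule records would come from the mail platform's own rule export, and the watched terms would be tuned to the organisation's phishing-warning wording; the external-forward check alone is worth running on every mailbox, since it also catches the BEC auto-forwarding abuse the FBI warns about below.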

The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) revealed that the threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.

CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.

CISA added that it is investigating incidents in which threat actors abused the Security Assertion Markup Language (SAML) tokens.

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

The post CISA warns of recent successful cyberattacks against cloud service accounts appeared first on Security Affairs.

Attackers targeted Accellion FTA in New Zealand Central Bank attack

The root cause for the hack of the New Zealand Central Bank was the Accellion FTA (File Transfer Application) file sharing service.

During the weekend, the New Zealand central bank announced that a cyber attack had hit its infrastructure. According to the government organization, one of its data systems was breached by an unidentified hacker, and commercially and personally sensitive information might have been accessed by the attackers.

According to Governor Adrian Orr, the attack did not impact the bank’s core operations, and the security breach has been contained. In response to the incident, the affected system was taken offline.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” the bank’s governor, Adrian Orr, said.

“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”

“We recognise the public interest in this incident however we are not in a position to provide further details at this time.”

National authorities immediately launched an investigation into the incident with the help of cybersecurity experts.

According to the bank, threat actors compromised a service that stored commercially and personally sensitive information.

Early this week, the Reserve Bank of New Zealand confirmed that it uses Accellion FTA service to share information with external stakeholders.

“The Reserve Bank of New Zealand – Te Pūtea Matua continues to respond with urgency to a breach of a third party file sharing service used to share information with external stakeholders.” reads the press release published by the Reserve Bank.

The bank confirmed that a third party file sharing service provided by Accellion called FTA (File Transfer Application), which it was using, was illegally accessed in mid-December.

The bank is not providing additional information on the intrusion to avoid affecting the investigation.

According to Accellion, fewer than 50 customers were affected by the flaw.

“In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20 year old product that specializes in large file transfers.” reads the advisory published by the company. “Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.”

Accellion pointed out that its enterprise content firewall platform, kiteworks, was not involved in any way.

“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence,” concludes the US-based vendor.

Pierluigi Paganini

(SecurityAffairs – hacking, New Zealand)

The post Attackers targeted Accellion FTA in New Zealand Central Bank attack appeared first on Security Affairs.