Feed aggregator

Hackers Exploit Twitter Vulnerability to Expose 5.4 Million Accounts

The Hacker News - Sat, 08/06/2022 - 05:10
Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. "As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,"
Categories: Cyber Security News

Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users

The Hacker News - Sat, 08/06/2022 - 04:44
Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces. "When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members," the enterprise communication and collaboration platform said in an alert on 4th
Categories: Cyber Security News

Twitter confirms zero-day used to access data of 5.4 million accounts

Security Affairs - Fri, 08/05/2022 - 18:08
Twitter confirmed that the recent data breach that exposed data of 5.4 million accounts was caused by the exploitation of a zero-day flaw.

At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.

The threat actor offered the stolen data for sale on the popular hacking forum Breached Forums. In January, a report published on HackerOne claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by its associated phone number or email, even if the user has opted to prevent this in the privacy options.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities”

The seller claimed that the database contained data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of the data in the form of a CSV file.

Source RestorePrivacy

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy.

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.

Now Twitter confirmed that the data breach was caused by the now-patched zero-day vulnerability submitted by zhirinovskiy via bug bounty platform HackerOne.

Twitter confirmed the existence of this vulnerability and awarded zhirinovskiy with a $5,040 bounty.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

The company is notifying the impacted users. It also added that it is aware of the risks the breach poses to users who operate a pseudonymous Twitter account to protect their privacy.

The company pointed out that no passwords were exposed, but it encourages users to enable two-factor authentication using authentication apps or hardware security keys to protect their accounts from unauthorized logins.

BleepingComputer reported that two different threat actors purchased the data for less than the original asking price, which means the data could be used to target Twitter accounts in the future.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Data leak)

The post Twitter confirms zero-day used to access data of 5.4 million accounts appeared first on Security Affairs.

Categories: Cyber Security News

The popularity of Dark Utilities ‘C2-as-a-Service’ rapidly increases

Security Affairs - Fri, 08/05/2022 - 16:45
Dark Utilities “C2-as-a-Service” is attracting a growing number of customers looking for command-and-control infrastructure for their campaigns.

The popularity of the Dark Utilities “C2-as-a-Service” is rapidly increasing; over 3,000 users are already using it as command-and-control for their campaigns.

Dark Utilities was launched in early 2022 as a platform that provides full-featured C2 capabilities to its users. It is advertised as a platform to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.

It allows threat actors to target multiple architectures without requiring technical skills. The operators of the platform offer technical support and assistance to the customers through Discord and Telegram.

“Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel.” reads the analysis published by Cisco Talos researchers. “The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources.”

The platform is hosted on both the clear internet and the Tor network; its operators offer premium access to the platform, the associated payloads and API endpoints for 9.99 euros. At the time of writing, the platform had enrolled roughly 3,000 users, which corresponds to approximately 30,000 euros in income.

The Dark Utilities platform uses Discord for user authentication and implements a dashboard displaying platform statistics, server health status and other metrics.

Users can generate new payloads for specific operating systems and deploy them on the victim machines.

“Selecting an operating system causes the platform to generate a command string that threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.” continues the report.

The researchers pointed out that payloads provided by the platform are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.

IPFS is a distributed, peer-to-peer network that resists takedown by authorities. IPFS supports gateways, which operate similarly to Tor2Web gateways, allowing users on the internet to access content hosted within IPFS without installing a client application.

Dark Utilities appears to have been designed by a threat actor that goes by the moniker Inplex-sys.

Talos researchers believe Inplex-sys collaborated with one of the operators of a botnet service called Smart Bot, which is designed to launch spam attacks, or “raids” against the Discord and Twitch communication platforms.

“Although the Dark Utilities platform was recently established, thousands of users have already been enrolled and joined the platform. Given the amount of functionality that the platform provides and the relatively low cost of use, we expect this platform will continue to rapidly expand its user base.” concludes the report. “This will likely result in an increase in the volume of malware samples in the wild attempting to establish C2 using the platform.”


Pierluigi Paganini

(SecurityAffairs – hacking, c2-as-a-service)

The post The popularity of Dark Utilities ‘C2-as-a-Service’ rapidly increases appeared first on Security Affairs.

Categories: Cyber Security News

Iranian Hackers likely Behind Disruptive Cyberattacks Against Albanian Government

The Hacker News - Fri, 08/05/2022 - 10:37
A threat actor working to further Iranian goals is said to have been behind a set of disruptive cyberattacks against Albanian government services in mid-July 2022. Cybersecurity firm Mandiant said the malicious activity against a NATO state represented a "geographic expansion of Iranian disruptive cyber operations." The July 17 attacks, according to Albania's National Agency of Information
Categories: Cyber Security News

DHS warns of critical flaws in Emergency Alert System encoder/decoder devices

Security Affairs - Fri, 08/05/2022 - 10:10
The U.S. DHS warns of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices.

The Department of Homeland Security (DHS) warned of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices. Threat actors could exploit the flaws to send fake emergency alerts via TV, radio networks, and cable networks.

The Emergency Alert System (EAS) is a national public warning system that requires radio and TV broadcasters, cable TV, wireless cable systems, satellite and wireline operators to provide the President with the capability to address the American people within 10 minutes during a national emergency.

The alert was issued by the DHS Federal Emergency Management Agency (FEMA) through the Integrated Public Alert and Warning System (IPAWS).

The vulnerabilities in EAS encoder/decoder devices were discovered by security researcher Ken Pyle from CYBIR.

“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).” reads the advisory. “This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.”

The US DHS did not disclose details about the flaw to prevent active exploitation in the wild.

The researcher plans to present a proof of concept for the issues at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.

FEMA recommends that EAS participants ensure that:

  1. EAS devices and supporting systems are up to date with the most recent software versions and security patches;
  2. EAS devices are protected by a firewall;
  3. EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.


Pierluigi Paganini

(SecurityAffairs – hacking, Emergency Alert System)

The post DHS warns of critical flaws in Emergency Alert System encoder/decoder devices appeared first on Security Affairs.

Categories: Cyber Security News

CISA adds Zimbra email bug to Known Exploited Vulnerabilities Catalog

Security Affairs - Fri, 08/05/2022 - 09:03
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed flaw in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog.

The Cybersecurity & Infrastructure Security Agency (CISA) has added a recently disclosed flaw in the Zimbra email suite, tracked as CVE-2022-27924, to its Known Exploited Vulnerabilities Catalog.

In mid-June, researchers from SonarSource discovered the high-severity vulnerability impacting the Zimbra email suite, tracked as CVE-2022-27924 (CVSS score: 7.5). It can be exploited by an unauthenticated attacker to steal users’ login credentials without user interaction.

“Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.” reads the advisory published by NIST.

Once they have obtained the login credentials, attackers can access the victims’ mailboxes and potentially escalate their access within the targeted organizations.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The researchers published a video PoC that demonstrates how an unauthenticated attacker can steal the password of a known user of a targeted instance.

The vulnerability is triggered the next time the victim uses a mail client to connect to the Zimbra server of a target organization.

Threat actors who know a victim’s email address can overwrite an entry in the cache to forward all IMAP traffic to an attacker-controlled server, including the cleartext credentials of the targeted user.
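The bug class described above, untrusted input reaching the memcached text protocol without escaping, comes down to one rule: a key that can carry a CR/LF or whitespace can smuggle a second command. The following validator is an added example, not Zimbra’s code or SonarSource’s proof of concept; the command builders, the `route:` key prefix and the sample key are hypothetical stand-ins, and the length and character limits are those of the memcached text protocol.

```python
"""Validate untrusted input before it is interpolated into memcached
text-protocol commands (added illustration, not Zimbra's code)."""

# memcached text protocol: a key is at most 250 bytes and may not contain
# whitespace or control characters, because the command line ends at "\r\n".
MAX_KEY_LEN = 250


def is_valid_memcache_key(key: str) -> bool:
    """True only for non-empty printable-ASCII keys with no spaces or
    control characters and at most MAX_KEY_LEN bytes."""
    if not key or len(key.encode("utf-8")) > MAX_KEY_LEN:
        return False
    return all(0x21 <= ord(ch) <= 0x7E for ch in key)


def build_get_command_unsafe(key: str) -> bytes:
    """Naive builder (hypothetical): interpolates the key unvalidated.
    A key containing "\r\n" turns into two protocol lines, i.e. a second,
    caller-chosen command, which is the injection the advisory describes."""
    return f"get {key}\r\n".encode()


def build_get_command(key: str) -> bytes:
    """Hardened builder: rejects anything that is not a well-formed key."""
    if not is_valid_memcache_key(key):
        raise ValueError("invalid memcache key")
    return f"get {key}\r\n".encode()


def count_protocol_lines(raw: bytes) -> int:
    """Number of complete command lines a memcached server would parse."""
    return raw.count(b"\r\n")


# Constructed sample keys (the "route:" prefix is a stand-in, not Zimbra's format).
BENIGN_KEY = "route:user@example.com"
SMUGGLED_KEY = "route:user@example.com\r\nversion"   # "version" is a harmless command

if __name__ == "__main__":
    print(count_protocol_lines(build_get_command_unsafe(SMUGGLED_KEY)))  # 2 lines
    print(build_get_command(BENIGN_KEY))
    try:
        build_get_command(SMUGGLED_KEY)
    except ValueError as exc:
        print("rejected:", exc)
```

Validating at the point where application data becomes protocol text is the durable fix; escaping after the fact is fragile because the memcached text protocol has no quoting mechanism for keys.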

Zimbra addressed the issue on May 10, 2022, with the release of versions 8.8.15 P31.1 and 9.0.0 P24.1.

CISA orders federal agencies to fix the issue by August 25, 2022.

CISA hasn’t shared technical details of the attacks that exploit the Zimbra flaw.


Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra)

The post CISA adds Zimbra email bug to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

Categories: Cyber Security News

150 black Sekurak t-shirts to give away :-D

Sekurak.pl - Fri, 08/05/2022 - 08:38

So as not to bore you too much: we need a little help from you promoting an open, free training on cyber awareness – details here (anyone can sign up). OK, but what is the deal with the t-shirts? If you work at a company with more than 200 employees, write from your company email address to: [email protected] and write literally...

The article “150 black Sekurak t-shirts to give away :-D” originally appeared on Sekurak.

Resolving Availability vs. Security, a Constant Conflict in IT

The Hacker News - Fri, 08/05/2022 - 06:39
Conflicting business requirements are a common problem – and you find them in every corner of an organization, including in information technology. Resolving these conflicts is a must, but it isn’t always easy – though sometimes there is a novel solution that helps. In IT management there is a constant struggle between security and operations teams. Yes, both teams ultimately want to have secure
Categories: Cyber Security News

Emergency Alert System Flaws Could Let Attackers Transmit Fake Messages

The Hacker News - Fri, 08/05/2022 - 06:25
The U.S. Department of Homeland Security (DHS) has warned of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices. If left unpatched, the issues could allow an adversary to issue fraudulent emergency alerts over TV, radio, and cable networks. The August 1 advisory comes courtesy of DHS' Federal Emergency Management Agency (FEMA). CYBIR security researcher Ken
Categories: Cyber Security News

A Growing Number of Malware Attacks Leveraging Dark Utilities 'C2-as-a-Service'

The Hacker News - Fri, 08/05/2022 - 06:06
A nascent service called Dark Utilities has already attracted 3,000 users for its ability to provide command-and-control (C2) services with the goal of commandeering compromised systems. "It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems," Cisco Talos said in a report shared
Categories: Cyber Security News

Mysterious threat actor TAC-040 used previously undetected Ljl Backdoor

Security Affairs - Fri, 08/05/2022 - 04:49
A threat actor, tracked as TAC-040, exploited Atlassian Confluence flaw CVE-2022-26134 to deploy previously undetected Ljl Backdoor.

Cybersecurity firm Deepwatch reported that a threat actor, tracked as TAC-040, has likely exploited the CVE-2022-26134 flaw in Atlassian Confluence servers to deploy a previously undetected backdoor dubbed Ljl Backdoor. The attackers exploited the flaw in an attack against an unnamed organization in the research and technical services sector.

The attack took place in May and lasted seven days; the analysis of the network logs suggests TAC-040 exfiltrated around 700 MB of data from the victim system.

“ATI’s thorough analysis determined that the attack occurred during the end of May over a seven day period. TAC-040 highly likely exploited a vulnerability in an Atlassian Confluence server. The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory.” reads the analysis published by Deepwatch.

Experts also speculated attackers could have alternatively exploited the Spring4Shell vulnerability (CVE-2022-22965) to gain initial access to the Confluence web application.

After the initial compromise, the attackers ran multiple commands to enumerate the local system, network, and Active Directory environment.

The researchers discovered the presence of an XMRig crypto-miner on the compromised system. 

“The threat actor likely utilized a memory-based webshell or opted to run commands directly through the exploit, as no dropper commands or forensic records of an on-disk webshell were recovered. Several open-source reports detail similar defense/detection avoidance techniques concerning the exploitation of CVE-2022-26134, but technical details on these techniques are sparse.” continues the report.

The Deepwatch Threat Intel Team confirmed that the Ljl Backdoor is a never-before-seen, persistent backdoor that implements the following capabilities:

  • Reverse Proxy.
  • Query whether the victim is active or idle.
  • Exfiltrate files/directories.
  • Load arbitrary and remotely downloaded .NET assemblies as “plugins.”
  • Get user accounts.
  • Get the foreground window and window text.
  • Get victim system information, such as CPU name, GPU name, hardware id, BIOS manufacturer, mainboard name, total physical memory, LAN IP address, and MAC address.
  • Get victim geographic information, such as ASN, ISP, country name, country code, region name, region code, city, postal code, continent name, continent code, latitude, longitude, metro code, time zone, and date and time.

Once TAC-040 achieved persistence on the target systems, it employed various publicly available open-source tools cloned from GitHub, including:

  • NetRipper
  • PowerSploit
  • Invoke-Vnc
  • CME-PowerShell-Scripts
  • CrackMapExec: attack framework with multiple tools
  • Invoke-Obfuscation
  • SessionGopher
  • mimipenguin
  • mimikittenz
  • RID_Hijacking
  • RandomPS-Scripts

At this time, it is unclear who is behind TAC-040; experts speculate that it operates to gather intelligence, although the discovery of the XMRig crypto miner on the system suggests it could be financially motivated.

The Monero address used by the threat actor has netted at least 652 XMR (more than $100K).

“Regarding this activity cluster, there are still a few unanswered questions. First and foremost, we cannot be certain of TAC-040’s intentions and goals due to visibility gaps. However, it is likely that TAC-040’s goal was espionage-related. However, we can not completely rule out that they were financially motivated. The Threat Intel Team needs additional evidence to build confidence in this hypothesis.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Ljl Backdoor)

The post Mysterious threat actor TAC-040 used previously undetected Ljl Backdoor appeared first on Security Affairs.

Categories: Cyber Security News

New Linux botnet RapperBot brute-forces SSH servers

Security Affairs - Fri, 08/05/2022 - 03:55
RapperBot is a new botnet employed in attacks since mid-June 2022 that targets Linux SSH servers with brute-force attacks.

Researchers from FortiGuard Labs have discovered a new IoT botnet, tracked as RapperBot, that has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families it implements a built-in capability to brute-force credentials and gain access to SSH servers, instead of Telnet as in Mirai.

Experts also noticed that the most recent samples include the code to maintain persistence, which is rarely implemented in other Mirai variants.

RapperBot has limited DDoS capabilities; it was designed to target ARM, MIPS, SPARC, and x86 architectures.

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.” reads the analysis published by FortiGuard Labs. “A distinctive feature of the brute forcing implementation in RapperBot is the use of “SSH-2.0-HELLOWORLD” to identify itself to the target SSH server during the SSH Protocol Exchange phase.”

Earlier samples of the malware had the brute-forcing credential list hardcoded into the binary, but from July the samples started retrieving the list from the C2 server.

Since mid-July, RapperBot has used self-propagation to maintain remote access to the brute-forced SSH servers. The bot runs a shell command to replace the remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’ SSH public key with the comment “helloworld”.

Once a public key is stored in ~/.ssh/authorized_keys, anyone with the corresponding private key can authenticate to the SSH server without supplying a password.

RapperBot is also able to retain its foothold on any devices on which it is executed by appending the same aforementioned SSH key to the local “~/.ssh/authorized_keys” on the infected device upon execution. This allows the malware to maintain its access to these infected devices via SSH even after a device reboot or the removal of RapperBot from the device. 

“In the latest RapperBot samples, the malware also started adding the root user “suhelper” to the infected device by directly writing to “/etc/passwd” and “/etc/shadow/”, further allowing the threat actor to take complete control of the device.” continues the report. “In conjunction, it adds the root user account every hour by writing the following script to “/etc/cron.hourly/0” in the event that other users (or botnets) attempt to remove their account from the victim system.”
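The three persistence artefacts described above give a defender something concrete to look for: an authorized_keys entry carrying the “helloworld” comment, a second UID-0 account such as “suhelper” in /etc/passwd, and an hourly cron script at /etc/cron.hourly/0 that touches /etc/passwd or /etc/shadow. The audit below is an added example, not FortiGuard’s tooling or the malware’s code; the checks take file contents as strings so they run against the constructed samples offline, and the cron body is a stand-in rather than the actual script.

```python
"""Audit a Linux host for the RapperBot persistence artefacts described in the
article (added example; indicators come from the report, sample data is constructed)."""
import re

# Indicators quoted in the article.
SUSPECT_KEY_COMMENT = "helloworld"
SUSPECT_USER = "suhelper"
SUSPECT_CRON_PATH = "/etc/cron.hourly/0"
ACCOUNT_FILE_RE = re.compile(r"/etc/(passwd|shadow)")


def find_suspect_authorized_keys(authorized_keys_text):
    """Return 1-based line numbers of entries whose trailing comment is the
    indicator. Entry format: [options] key-type base64-key [comment]."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[-1] == SUSPECT_KEY_COMMENT:
            hits.append(lineno)
    return hits


def find_extra_uid0_accounts(passwd_text):
    """Return every account name with UID 0 other than root; RapperBot's
    'suhelper' is one instance, but any extra root-equivalent user is suspect."""
    extra = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # malformed line, not a passwd entry
        name, uid = parts[0], parts[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def find_suspect_cron_entries(cron_files):
    """cron_files maps script path -> contents. Flag the known path and any
    script that references the account databases."""
    flagged = [
        path for path, body in cron_files.items()
        if path == SUSPECT_CRON_PATH or ACCOUNT_FILE_RE.search(body)
    ]
    return sorted(flagged)


def audit(authorized_keys_text, passwd_text, cron_files):
    """Run all three checks and return a findings dict."""
    return {
        "authorized_keys_hits": find_suspect_authorized_keys(authorized_keys_text),
        "extra_uid0_accounts": find_extra_uid0_accounts(passwd_text),
        "suspect_cron": find_suspect_cron_entries(cron_files),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataForAdmin admin@workstation",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyDataForBot helloworld",
])
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "suhelper:x:0:0::/:/bin/sh",
])
SAMPLE_CRON = {
    "/etc/cron.hourly/0": "#!/bin/sh\n# constructed stand-in: the real script rewrites /etc/passwd and /etc/shadow\ntrue\n",
    "/etc/cron.hourly/logrotate": "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_PASSWD, SAMPLE_CRON))
```

On a live host, read ~/.ssh/authorized_keys for every user with a home directory, /etc/passwd, and each file under /etc/cron.hourly into these functions. A match on the authorized_keys comment alone is weak evidence, since the comment is attacker-controlled and could be changed in later samples; an unexpected UID-0 account or a cron job rewriting /etc/passwd is a finding in its own right.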

Early versions of the bot had strings in plaintext; subsequent ones added extra obfuscation to the strings by building them on the stack to avoid detection.

Since mid-June, the botnet has used over 3,500 unique IPs worldwide to scan and attempt to brute-force Linux SSH servers with the SSH-2.0-HELLOWORLD client identification string. Most of the IPs are in the US, Taiwan, and South Korea.

Experts pointed out that the goal of RapperBot is still unclear.


Pierluigi Paganini

(SecurityAffairs – hacking, RapperBot)

The post New Linux botnet RapperBot brute-forces SSH servers appeared first on Security Affairs.

Categories: Cyber Security News

CISA Adds Zimbra Email Vulnerability to its Exploited Vulnerabilities Catalog

The Hacker News - Fri, 08/05/2022 - 01:54
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue in question is CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary
Categories: Cyber Security News

New Woody RAT used in attacks aimed at Russian entities

Security Affairs - Thu, 08/04/2022 - 15:13
An unknown threat actor is targeting Russian organizations with a new remote access trojan called Woody RAT.

Malwarebytes researchers observed an unknown threat actor targeting Russian organizations with a new remote access trojan called Woody RAT. The attackers were delivering the malware using archive files and Microsoft Office documents exploiting the Follina Windows flaw (CVE-2022-30190).

The assumption that the attackers focus on Russian entities is based on a fake domain they registered; Malwarebytes is aware that they tried to target a Russian aerospace and defense entity known as OAK.

“The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.” states the report published by Malwarebytes.

In the attacks leveraging archive files, the archives (anketa_brozhik.doc.zip, which contains the Woody RAT executable Anketa_Brozhik.doc.exe, and zayavka.zip, which contains Woody RAT masquerading as “application participation in the selection.doc.exe”) are sent to victims via spear-phishing emails.

Attacks exploiting the Windows Follina flaw were spotted on June 7, 2022, when researchers observed threat actors using a weaponized Microsoft Office document titled Памятка.docx. The lure document, called “Information security memo,” provides security practices for passwords, confidential information, etc.

To evade network-based monitoring, the Woody RAT malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the command and control server. 

The RAT is equipped with multiple backdoor capabilities, such as writing arbitrary files to the machine, executing additional malware, capturing screenshots, enumerating directories, deleting files, and gathering a list of running processes.

The analysis of the malicious code revealed that the malware has two .NET DLLs embedded inside, named WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor allows the malware to run .NET code received from the C2, while WoodyPowerSession allows the malware to execute PowerShell commands and scripts received from the C2.

Once the command threads are created, the malware deletes itself from the disk using the process hollowing technique.

“This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Woody RAT)

The post New Woody RAT used in attacks aimed at Russian entities appeared first on Security Affairs.

Categories: Cyber Security News

Unauthenticated RCE can allow hacking DrayTek Vigor routers without user interaction

Security Affairs - Thu, 08/04/2022 - 12:48
A critical flaw in multiple models of DrayTek Vigor routers can allow unauthenticated, remote attackers to fully compromise affected devices.

Tens of router models from Taiwanese SOHO manufacturer DrayTek are affected by a critical, unauthenticated, remote code execution vulnerability, tracked as CVE-2022-32548, that can be exploited to fully compromise a vulnerable device and gain unauthorized access to the broader network.

Researchers from Trellix discovered the vulnerability. The attack can be performed without user interaction if the management interface of the device has been exposed online; for this reason, it has been rated with a CVSS score of 10.0.

“The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration.” reads the advisory published by Trellix. “The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor’s website.”

The researchers discovered a buffer overflow on the login page at /cgi-bin/wlogin.cgi of the web management interface. An attacker can trigger the flaw by supplying a carefully crafted username and/or password as base64-encoded strings inside the fields aa and ab of the login page. The root cause of the problem is the lack of size verification of these encoded strings.

“By default, this attack is reachable on the LAN and may be reachable via the internet (WAN) as well if the user has enabled remote web management on their device. The consequence of this attack is a takeover of the so called “DrayOS” that implements the router functionalities.” continues the analysis. “On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network. Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals.”

Experts discovered over 200,000 vulnerable devices currently exposed on the internet that can be exploited without user interaction.

The vendor has already released a patch to address the vulnerability in DrayTek devices. Trellix applauds the manufacturer for its responsiveness and for releasing a patch less than 30 days after the vulnerability was disclosed to its security team.

The researchers pointed out that the compromise of a network appliance such as the Vigor 3910 can lead to the following outcomes:

  • Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
  • Access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”
  • Man in the middle of the network traffic
  • Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router
  • Packet capture of the data going through any port of the router
  • Botnet activity (DDoS, hosting malicious data, etc.)

Failed exploitation attempts can lead to:

  • Reboot of the device
  • Denial of Service of affected devices
  • Other possible abnormal behavior

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, DrayTek Vigor)

The post Unauthenticated RCE can allow hacking DrayTek Vigor routers without user interaction appeared first on Security Affairs.

Categories: Cyber Security News

Who Has Control: The SaaS App Admin Paradox

The Hacker News - Thu, 08/04/2022 - 11:50
Imagine this: a company-wide lockout from the company CRM, like Salesforce, because the organization's external admin attempts to disable MFA for themselves. They don't think to consult with the security team and don't consider the security implications, only the convenience they want for their team's logins. This CRM, however, defines MFA as a top-tier security setting; for example,
Categories: Cyber Security News

Critical RCE Bug Could Let Hackers Remotely Take Over DrayTek Vigor Routers

The Hacker News - Thu, 08/04/2022 - 09:10
As many as 29 different router models from DrayTek have been identified as affected by a new critical, unauthenticated, remote code execution vulnerability that, if successfully exploited, could lead to full compromise of the device and unauthorized access to the broader network. "The attack can be performed without user interaction if the management interface of the device has been configured
Categories: Cyber Security News

New Woody RAT Malware Being Used to Target Russian Organizations

The Hacker News - Thu, 08/04/2022 - 08:55
An unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called Woody RAT for at least a year as part of a spear-phishing campaign. The advanced custom backdoor is said to be delivered via either of two methods: archive files and Microsoft Office documents leveraging the now-patched "Follina" support diagnostic tool vulnerability (CVE-2022-30190)
Categories: Cyber Security News

Taiwan Government websites suffered DDoS attacks during the Nancy Pelosi visit

Security Affairs - Thu, 08/04/2022 - 08:50
Taiwan government websites were temporarily forced offline by cyber attacks during the visit to Taipei of US House Speaker Nancy Pelosi.

Major Taiwan government websites were temporarily forced offline by distributed denial of service (DDoS) attacks during the visit to Taipei of US House Speaker Nancy Pelosi.

The cyber attacks forced offline the government English portal, some websites of the presidential office, foreign ministry, and defence ministry.

Experts believe that the attack was coordinated by China-linked threat actors as retaliation for the visit of Nancy Pelosi.

Taiwan’s foreign ministry stated that the attacks originated from Chinese and Russian IP addresses, and that the malicious traffic peaked at 8.5 million times per minute.

“As cyber attacks from foreign hostile forces could still occur at any time, the foreign ministry will continue to remain vigilant” spokeswoman Joanne Ou told reporters. The presidential office said it would up its monitoring in the face of “hybrid information warfare by external forces”.

In August 2020, Chinese hackers gained access to around 6,000 email accounts belonging to at least 10 Taiwan government agencies, officials said.

In November 2021, Taiwanese government representatives revealed that around five million cyber attacks hit Taiwan’s government agencies every day, and that most of the hacking attempts originated from China.

Cyber security department director Chien Hung-wei told parliament representatives that government infrastructure faces “five million attacks and scans a day”.

“We are strengthening the government’s defensive measures and collecting relevant data for analysis in a bid to stop the attacks when they are initiated,” Chien told lawmakers.

Taiwan’s defence ministry warned of an increase in the attacks carried out by China-linked actors against its systems.

In February 2022, China-linked APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan’s financial trading sector with a supply chain attack.

The campaign was launched by the APT10 group in November 2021, but it hit a peak between February 10 and 13, 2022, Taiwanese cybersecurity firm CyCraft reported.

The group (also known as Cicada, Stone Panda, MenuPass group, Bronze Riverside, and Cloud Hopper) has been active at least since 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. In November 2020, researchers uncovered a large-scale campaign conducted by China-linked APT10 targeting businesses using the recently disclosed ZeroLogon vulnerability.

According to CyCraft, nation-state attackers compromised the supply chain of software systems of financial institutions as part of a campaign codenamed Operation Cache Panda.

The attack caused “abnormal cases of placing orders.”

The attackers exploited a vulnerability in the web management interface of an unnamed security software firm in Taiwan and deployed a web shell to deliver the Quasar RAT on the target system.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Taiwan)

The post Taiwan Government websites suffered DDoS attacks during the Nancy Pelosi visit appeared first on Security Affairs.

Categories: Cyber Security News
