An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware
Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.
In the last two weeks, the experts observed attacks against more than 10 different US-based customers.
Black Basta has been active since April 2022 and, like other ransomware operations, implements a double-extortion attack model. Security researchers at Sentinel Labs recently shared details about Black Basta‘s TTPs and assess that it is highly likely the ransomware operation has ties to FIN7.
“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network. QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials.” reads the report published by Cybereason. “Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware—namely, ransomware.”
The attack chain starts with a QBot infection; the operators then use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URLs.
The researchers noticed that once the threat actor has obtained access to the network, it moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.
The threat actor was also spotted locking the victims out of the network by disabling DNS services, making the recovery even more complex.
In most of the attacks observed by the experts, the spear-phishing email contains a malicious disk image file. Upon opening the file, Qbot is executed, then the malware connects to a remote server to retrieve the Cobalt Strike payload.
Threat actors perform credential harvesting and lateral movement and use the gathered credentials to compromise as many endpoints as possible and deploy the Black Basta ransomware.
Experts also observed the attackers looking for machines without a defense sensor, in an attempt to deploy additional malicious tools without being detected.
The report includes indicators of compromise for this threat.
(SecurityAffairs – hacking, Black Basta ransomware)
Microsoft experts believe that threat actors behind a malicious campaign aimed at Indian critical infrastructure earlier this year have exploited security flaws in a now-discontinued web server called Boa.
The Boa web server is widely used across a variety of devices, including IoT devices, and is often used to access settings and management consoles as well as sign-in screens. The experts pointed out that Boa has been discontinued since 2005.
Researchers at Recorded Future observed several intrusion attempts on Indian critical infrastructure since 2020 and shared IoCs related to this campaign. Microsoft experts analyzed these IoCs and discovered that Boa servers were running on the IP addresses in the list; they also explained that the electrical grid attack targeted exposed IoT devices running Boa.
Microsoft also discovered that half of the IP addresses in the list published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of a malicious tool identified by Recorded Future.
“Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators.” reads the report published by Recorded Future. “Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.”
Microsoft experts explained that despite Boa being discontinued in 2005, many vendors across a variety of IoT devices and popular software development kits (SDKs) continue to use it.
The researchers identified over 1 million internet-exposed Boa server components around the world over the span of a week.
“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices.” reads the report published by Microsoft.
“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”
Boa is known to be affected by multiple flaws, including CVE-2017-9833 and CVE-2021-33558, which can allow unauthenticated attackers to read arbitrary files, obtain sensitive information, and gain remote code execution.
“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network.” concludes the report.
“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations.”
(SecurityAffairs – hacking, Boa)
The post Threat actors exploit discontinued Boa web servers to target critical infrastructure appeared first on Security Affairs.
The big security celebration is approaching fast. On 3 December the Oh My H@ck conference, which we co-organize, takes place in Warsaw, and until Thursday 24 November tickets can be bought at a better price.
The post Oh My H@ck 2022 – competition for a ticket and last chance for a cheaper ticket first appeared on Zaufana Trzecia Strona.
In late July 2022, researchers from WithSecure (formerly F-Secure Business) discovered an ongoing operation, named DUCKTAIL, that was targeting individuals and organizations that operate on Facebook’s Business and Ads platform.
Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.
The threat actors target individuals and employees who may have access to a Facebook Business account. They use information-stealer malware that steals browser cookies and abuses the authenticated Facebook sessions to steal information from the victim’s Facebook account.
The end goal is to hijack Facebook Business accounts managed by the victims.
The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers approached the victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud, and MediaFire.
After a short pause, the DUCKTAIL campaign returned with slight changes in its TTPs.
Starting on September 6, 2022, the researchers detected new samples in-the-wild with a new variant that uses the .NET 7 NativeAOT feature which allows binaries to be compiled natively (ahead-of-time) from .NET code. The format of these binaries is different from the one used by traditional .NET assemblies.
“NativeAOT offers similar benefits to the .NET single-file feature that previous DUCKTAIL variants used for compilation, especially because they can be compiled as a framework independent binary that doesn’t require .NET runtime to be installed on the victim’s machine.” reads the report published by WithSecure.
Between 2nd and 4th October 2022, the security firm discovered new DUCKTAIL samples being submitted to VirusTotal from Vietnam. The samples contained a mixture of old and new DUCKTAIL variant code bases, compiled as self-contained .NET Core 3 Windows binaries, which suggests that the group is shifting to self-contained applications. On October 5, the operators started distributing DUCKTAIL malware to victims as self-contained .NET Core Windows binaries, abandoning NativeAOT and returning to self-contained .NET binaries.
The analysis of the variants written in .NET Core 3 revealed the presence of unused anti-analysis functions that were copied from a GitHub repository. This is yet another indication of the threat actor’s continuous efforts to evade analysis and detection mechanisms.
WithSecure observed several multi-stage subvariants of DUCKTAIL that are used to deliver the final payload, the researchers highlighted that this is the primary information stealer malware in all cases.
“The malware still relies on Telegram as its C&C channel. At the time of writing, three active Telegram bots and channels were observed in the latest campaign, with the threat actor re-using the same Telegram chats that were initially discovered, indicating that only the bots (and access tokens) were refreshed with stricter administrator rights” concludes the report. “An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program.”
(SecurityAffairs – hacking, DUCKTAIL)
Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966
Microsoft released an out-of-band update to address issues caused by a recent Windows security patch that causes Kerberos authentication problems.
An attacker can trigger the CVE-2022-37966 flaw to gain administrator privileges on vulnerable systems.
“An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.” reads the advisory published by Microsoft.
After the release of the Patch Tuesday security updates, users started reporting issues related to the Kerberos authentication.
The IT giant investigated the reports and developed an out-of-band update to fix the problems.
“There is a known issue documented in the security updates that address this vulnerability, where Kerberos authentication might fail for user, computer, service, and GMSA accounts when serviced by Windows domain controllers that have installed Windows security updates released on November 8, 2022. Has an update been released that addresses this known issue?” continues the advisory.
“Yes. The issue is addressed by out-of-band updates released to Microsoft Update Catalog on and after November 17, 2022. Customers who have not already installed the security updates released on November 8, 2022 should install the out-of-band updates instead. Customers who have already installed the November 8, 2022 Windows security updates and who are experiencing issues should install the out-of-band updates.”
The IT giant recommends that customers who have yet to install the security updates released on November 8, 2022 install only the out-of-band updates. Customers who have already installed the Patch Tuesday security updates and are experiencing issues should install the out-of-band updates.
Microsoft is not aware of attacks in the wild exploiting the CVE-2022-37966 flaw.
(SecurityAffairs – hacking, Microsoft)
- Quantum Locker gang demonstrated capabilities to operate ransomware extortion even on cloud environments such as Microsoft Azure.
- Criminal operators of the Quantum gang demonstrated the ability to hunt and delete secondary backup copies stored in cloud buckets and blobs.
- Quantum Locker gang targets IT administration staff to gather sensitive network information and credential access.
- During their intrusions, Quantum operators steal access to enterprise cloud file storage services such as Dropbox, to gather sensitive credentials.
- Cloud root account takeovers were observed in Q4 2022 during Quantum gang intrusions in Northern Europe.
In recent weeks, the Belgian company Computerland shared insights with the European threat intelligence community about Quantum TTPs adopted in recent attacks. The shared information revealed that the Quantum gang used a particular modus operandi to target large enterprises relying on cloud services in the NACE region.
The disclosed technical details about recent intrusions confirm the ability of the Quantum Locker gang to conduct sabotage and ransomware attacks even against companies heavily relying on cloud environments.
For instance, TTPs employed in a recent attack include the complete takeover of the company’s Microsoft cloud services through the compromise of the root account (T1531). Such an action is particularly harrowing for the victim company: all Microsoft services and users, including email services and regular users, remain unusable until the vendor responds, which can take days depending on the reset request verification process.
In addition, the insights on Q4 2022 attacks report that Quantum Locker operators are able to locate and delete all of the victim’s Microsoft Azure Blob storage to achieve secondary backup annihilation and business data deletion (T1485). Even if cloud services could theoretically support the restoration of old blobs and buckets, the recovery of “permanently deleted” data often requires days and might not even be available due to the provider’s internal technical restrictions.
The favorite initial targets of Quantum operators during their recent activities in Northern Europe were IT administrators and networking staff. Through access to their personal resources and shared Dropbox folders, the threat actors were able to gather sensitive administrative credentials to extend the attack to the cloud surface (T1530).
Incident insights from the Belgian firm also confirm that Quantum is coupling these new techniques with more traditional ransomware delivery techniques, such as the modification of domain Group Policies (T1484.001) to distribute ransomware across on-prem Windows machines and users’ laptops, along with the abuse of the legitimate AnyDesk software as a remote access tool (T1219).
Also, during the recent intrusions, Quantum operators extensively altered the configuration of endpoint defense tools such as Microsoft Defender (T1562.001): the threat actors were able to programmatically insert ad hoc exclusions to blind the onboard endpoint protection system without raising any shutdown warning.
The Belgian firm also reports that Quantum Locker’s average encryption speed in a real-world hybrid cloud scenario is around 13 MB/s, considerably slower than ransomware families that adopt intermittent encryption, which extends the responders’ window of opportunity for timely interception and containment.
Threat Actor Brief
Quantum Locker ransomware was originally born from the ashes of the MountLocker ransomware program operated by Russian-speaking cybercriminals back in 2020. Before settling on its current name, the operation was rebranded several times, first as AstroLocker and then as XingLocker.
Quantum Locker was also involved in many high-profile attacks, such as those on the Israeli security company BeeSense, the alleged attack on the local administration of the Sardinia region in Italy, and government agencies in the Dominican Republic.
Indicators of Compromise
- Intrusion and Exfiltration infrastructure
- 146.70.87,66 M247-LOS-ANGELES US
- 42.216.183,180 NorthStar CN
- Distribution Infrastructure:
- 146.70.87,186 M247-LOS-ANGELES
About the author: Luca Mella, Cyber Security Expert
(SecurityAffairs – hacking, Quantum Locker)
It’s no secret that cyber security has become a leading priority for most organizations — especially those in industries that handle sensitive customer information. And as these businesses work towards building robust security strategies, it’s vital that they account for various threat vectors and vulnerabilities.
One area that requires significant scrutiny is API security. APIs, short for application programming interfaces, have become a common building block for digitally enabled organizations. They facilitate communication as well as critical business operations, and they also support important digital transformations. It’s no surprise then that the average number of APIs per company increased 221% in the last year.
Crafting an API security strategy is a complex task. APIs have unique threat implications that aren’t fully solved by web application firewalls or identity and access management solutions. The first step to getting it right is to understand what the common vulnerabilities are.
5 Common API Vulnerabilities Explained
In its API Security Top 10, the Open Web Application Security Project (OWASP) identifies the top ten threats to APIs. Below, we take a closer look at some of the most common.
1. Broken Object Level Authentication (BOLA)
APIs with broken object level authentication allow attackers to easily exploit API endpoints by manipulating the ID of an object sent within an API request. The result? BOLA authorization flaws can lead to unauthorized viewing, modification or destruction of data, or even a full account takeover.
Today, BOLA accounts for 40% of all API attacks. One of the primary reasons they’re so prevalent is that traditional security controls like WAFs or API gateways can’t identify them as anomalous to the baseline API behavior. Instead, businesses need an API solution that can spot when an authenticated user is trying to gain unauthorized access to another user’s data.
2. Broken User Authentication
There are a number of factors that can lead to broken user authentication in an API. This includes weak password complexity or poor password hygiene, missing account lockout thresholds, long durations for password or certificate rotations, or relying on API keys alone for authentication.
When an API experiences broken user authentication, cyber criminals can use authentication-related attacks like credential stuffing and brute-force attacks to gain access to applications. Once they’re in, the attackers can then take over user accounts, manipulate data, or make unauthorized transactions.
When it comes to traditional security methods, they often lack the ability to track traffic over time, meaning they can’t easily identify high-volume attacks like credential stuffing. As such, an API security solution should be able to identify abnormal behavior against a typical authentication sequence.
3. Excessive Data Exposure
A common issue with most APIs is that, for the sake of efficiency, they’re often set up to share more information than is needed in an API response. They then leave it to the client application to filter the information and render it for the user. This is problematic because attackers can use the redundant data to extract sensitive information from the API.
While some traditional security solutions can identify this type of vulnerability, they can’t always differentiate between legitimate data returned by the API and sensitive data that shouldn’t be returned. This means an API security solution should be able to spot when a user is consuming too much sensitive data.
4. Lack of Resources and Rate Limiting
APIs don’t always have restrictions for the number of resources that can be requested by the client or a user. This leaves them open to server disruptions that cause denial of service, as well as brute-force and enumeration attacks against APIs responsible for authentication and data fetching. Plus, attackers can set up automated attacks against APIs that don’t have limits, including credential cracking and token cracking.
Traditional solutions will have some basic rate limiting functionality, but it’s not always easy to deploy at scale. As such, these security tools often lack the context required to flag an attack when it’s happening. A modern API security solution should be able to identify any activity that falls outside of normal usage values.
5. Security Misconfiguration
There are a number of security misconfigurations that can accidentally introduce vulnerabilities into APIs. These include incomplete configurations, misconfigured HTTP headers, verbose error messages, open cloud storage, and more. Attackers can leverage these to learn more about the API components, and then exploit the misconfigurations as part of their attack.
Close the Gaps
Comprehensive API solutions can identify these misconfigurations and provide remediation suggestions.
Attackers are always evolving their strategies for compromising APIs, looking for new threat vectors and leveraging new vulnerabilities. What’s common in most successful attacks is that they target gaps in business logic. This means that to establish a proactive API security strategy, organizations must account for these gaps at every step.
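The two flaws at the top of the list above, BOLA (item 1) and excessive data exposure (item 3), usually live in the same handler, so one added example covers both: a vulnerable route beside its hardened form. This is illustrative code written for this page, not code from the article or from OWASP; the order store, the Session type and the field names are constructed.

```python
"""Object-level authorization plus response allow-listing for one API route.

Added example, not code from the article; the order store, the Session type
and the field names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data: two customers, one order each. Each record also
# carries internal fields that no client should ever receive.
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42.50, "card_last4": "4242",
           "fraud_score": 0.02, "internal_notes": "VIP customer"},
    1002: {"id": 1002, "owner": "bob", "total": 13.00, "card_last4": "1111",
           "fraud_score": 0.87, "internal_notes": "manual review"},
}


@dataclass(frozen=True)
class Session:
    """Identity established by the authentication layer, not by the request."""
    user: str
    roles: frozenset = field(default_factory=frozenset)


class NotFound(Exception):
    pass


def get_order_vulnerable(session, order_id):
    """OWASP API1 and API3 together: the caller is authenticated, but the object
    id taken from the request is trusted as-is (BOLA), and the whole record is
    returned, leaving filtering to the client (excessive data exposure)."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return dict(order)


# Fields a customer-facing response may contain. Anything not listed never
# leaves the server, whatever the stored record holds.
PUBLIC_FIELDS = ("id", "total", "card_last4")


def get_order(session, order_id):
    """Hardened handler: ownership is checked against the session identity (or a
    support role), and the response is built from an explicit allow list."""
    order = ORDERS.get(order_id)
    # 'missing' and 'not yours' get the same error, so a caller cannot
    # enumerate valid ids by telling a 403 apart from a 404.
    if order is None or (
        order["owner"] != session.user and "support" not in session.roles
    ):
        raise NotFound(order_id)
    return {name: order[name] for name in PUBLIC_FIELDS}


def demo():
    """Bob changes only the id in his request; compare what each handler does."""
    alice, bob = Session("alice"), Session("bob")
    leaked = get_order_vulnerable(bob, 1001)  # Alice's full record, internals too
    own = get_order(alice, 1001)              # only the allow-listed fields
    try:
        get_order(bob, 1001)
        blocked = False
    except NotFound:
        blocked = True
    return leaked, own, blocked


if __name__ == "__main__":
    print(demo())
```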
About the Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora.
(SecurityAffairs – hacking, API Vulnerabilities)
The post 5 API Vulnerabilities That Get Exploited by Criminals appeared first on Security Affairs.
An anonymous researcher publicly disclosed a series of techniques to bypass some of the filters in Cisco Secure Email Gateway appliance and deliver malware using specially crafted emails.
The researcher pointed out that the attack complexity is low and added that working exploits have already been published by a third party. The expert disclosed the technique as part of a coordinated disclosure procedure.
“This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame.” wrote the researcher on the Full Disclosure mailing list. “As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known.”
The researcher explained that Cisco Secure Email Gateways can be circumvented by a remote attacker who leverages the error tolerance and differing MIME decoding behaviour of email clients.
The methods disclosed by the researcher allow attackers to bypass the Cisco Secure Email Gateway and work against several email clients, including Outlook, Thunderbird, Mutt, and Vivaldi.
The three methods are:
- Method 1: Cloaked Base 64 – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts several Email Clients, including Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build 16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit), Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.
- Method 2: yEnc Encoding – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Mozilla Thunderbird 91.11.0 (64-bit) email client.
- Method 3: Cloaked Quoted-Printable – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1 Email Clients.
Cisco published a bug report warning of an issue in the Sophos and McAfee scanning engines of Cisco Secure Email Gateway that could allow an unauthenticated, remote attacker to bypass specific filtering features.
“The issue is due to improper identification of potentially malicious emails or attachments. An attacker could exploit this issue by sending a malicious email with malformed Content-Type headers (MIME Type) through an affected device.” reads the alert. “An exploit could allow the attacker to bypass default anti-malware filtering features based on the affected scanning engines and successfully deliver malicious messages to the end clients.”
The issues impact devices running with a default configuration.
The researcher explained that the code implementing the attack methods, along with many similar techniques for manipulating MIME encoding, is available in an open-source toolkit for generating and testing bad MIME that is hosted on GitHub.
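The defender's side of the problem described above is that a gateway which decodes attachments tolerantly scans different bytes than a client that is tolerant in its own way. The following added example (not code from the researcher's post, from Cisco, or from the toolkit mentioned) shows a strict check a mail filter can apply: hold any part whose transfer encoding is not one RFC 2045 defines, or whose base64 or quoted-printable body does not decode under strict rules. The sample message is constructed.

```python
"""Strict MIME transfer-encoding check for the gateway side of a mail flow.

Added example, not code from the researcher's post, from Cisco, or from the
toolkit the article mentions; the sample message below is constructed."""
import base64
import binascii
import re
from email import policy
from email.parser import BytesParser

# Transfer encodings RFC 2045 defines; anything else has no standard decoding
# and is treated as a policy violation rather than passed through.
STANDARD_CTE = {"7bit", "8bit", "binary", "quoted-printable", "base64"}

# One quoted-printable line: printable ASCII, tab/space, =XX escapes with
# upper-case hex, and an optional trailing soft line break.
_QP_LINE = re.compile(rb"^(?:[\x20-\x3c\x3e-\x7e\t]|=[0-9A-F]{2})*=?$")


def check_part(part):
    """Return a list of findings for one MIME leaf part; [] means clean."""
    findings = []
    cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
    raw = part.get_payload(decode=False)  # body still transfer-encoded
    if isinstance(raw, str):
        raw = raw.encode("utf-8", "surrogateescape")
    if cte not in STANDARD_CTE:
        findings.append(f"non-standard Content-Transfer-Encoding: {cte!r}")
    elif cte == "base64":
        body = b"".join(raw.split())  # whitespace is allowed, nothing else is
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error:
            findings.append("base64 body contains non-alphabet bytes")
    elif cte == "quoted-printable":
        if any(not _QP_LINE.match(ln.rstrip(b"\r")) for ln in raw.splitlines()):
            findings.append("quoted-printable body is not strictly encoded")
    return findings


def scan_message(raw_bytes):
    """Parse a message and map each leaf part (by filename or type) to findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    report = {}
    for part in msg.walk():
        if not part.is_multipart():
            report[part.get_filename() or part.get_content_type()] = check_part(part)
    return report


# Constructed sample: a clean base64 attachment, a strictly encoded QP part,
# a part using a non-standard encoding, and a base64 body with a stray byte
# that a tolerant decoder would silently skip.
SAMPLE = b"\r\n".join([
    b"From: sender@example.test", b"To: user@example.test",
    b"Subject: invoice", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"", b"See attached.",
    b"--b1", b'Content-Type: text/plain; name="note.txt"',
    b"Content-Transfer-Encoding: quoted-printable", b"", b"total=3D=E2=82=AC5",
    b"--b1", b'Content-Type: application/zip; name="a.zip"',
    b"Content-Transfer-Encoding: base64", b"", b"UEsDBAo=",
    b"--b1", b'Content-Type: application/zip; name="b.zip"',
    b"Content-Transfer-Encoding: x-yenc", b"", b"=ybegin size=4 name=b.zip",
    b"--b1", b'Content-Type: application/zip; name="c.zip"',
    b"Content-Transfer-Encoding: base64", b"", b"UEsD$BAo=",
    b"--b1--",
])

if __name__ == "__main__":
    for name, findings in scan_message(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A filter that holds the three flagged parts rather than scanning its own best-effort decoding of them closes the gap between what the gateway inspects and what a lenient client will eventually open.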
known for many years and have been found in the products of several vendors.
(SecurityAffairs – hacking, Cisco Secure Email Gateways)
The post Researcher warns that Cisco Secure Email Gateways can easily be circumvented appeared first on Security Affairs.
Aurora Stealer is an info-stealing malware that was first advertised on Russian-speaking underground forums in April 2022. Aurora was offered as Malware-as-a-Service (MaaS) by a threat actor known as Cheshire. It is a multi-purpose botnet with data stealing and remote access capabilities.
Researchers at SEKOIA identified 7 traffers teams on Dark Web forums that announced the availability of the Aurora Stealer in their arsenal, a circumstance that confirms the increased popularity of the malware among threat actors. The teams, their malware arsenal, launch date and last observed activity are listed below.

Traffers team | Malware arsenal | Launch date | Last observed activity
RavenLogs     | Aurora, Redline | 17/10/2022  | 14/11/2022
BrazzersLogs  | Aurora, Raccoon | 14/11/2022  | 14/11/2022
DevilsTraff   | Aurora, Raccoon | 30/10/2022  | 14/11/2022
YungRussia    | Aurora          | 16/10/2022  | 31/10/2022
Gfbg6         | Aurora          | 14/09/2022  | 24/10/2022
SAKURA        | Aurora          | 10/08/2022  | 04/11/2022
HellRide      | Aurora          | 09/07/2022  | 15/07/2022
In October and November 2022, the researchers analyzed several hundred collected samples and identified dozens of active C2 servers. The experts also observed multiple infection chains leading to the deployment of Aurora stealer. The attackers used several methods to deliver the malware, including phishing websites masquerading as legitimate ones, YouTube videos and fake “free software catalogue” websites.
“These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites.” reads the analysis by the experts.
The malware was also able to target 40 cryptocurrency wallets and applications like Telegram.
Threat actors behind this malware also advertised its loader capabilities: the malicious code is able to deploy a next-stage payload using a PowerShell command.
“Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader. Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out follow-up lucrative campaigns, including Big Game Hunting operations.” concludes the report. “As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat.”
(SecurityAffairs – hacking, Aurora Stealer)
The post Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem appeared first on Security Affairs.