The scheme is always the same and the losses are large, so criminals keep trying their "luck". This time the report comes from the Lublin Police: a 69-year-old priest from a parish near Lublin could have lost 300 thousand złoty. (…) From the information he provided, it emerged that a man claiming to be a police officer called him. The fraudster...
The article "A clergyman was minutes from losing 300,000 zł. They tried to scam him 'as a police officer'" comes from the Sekurak site.
Gootkit runs on an access-as-a-service model and is used by different groups to drop additional malicious payloads on compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as the SunCrypt and REvil (Sodinokibi) ransomware, the Kronos trojan, and Cobalt Strike.
In the past, Gootkit distributed malware masquerading as freeware installers; now it uses fake legal documents to trick users into downloading these files.
The attack chain starts with a user searching for specific information in a search engine. Attackers use black-hat SEO techniques (SEO poisoning) to place a website compromised by the Gootkit operators among the results.
Upon visiting the website, the victim sees what is presented as an online forum thread directly answering their query. This forum hosts a ZIP archive containing the malicious .js file, which is used to establish persistence and drop a Cobalt Strike binary into the memory of the infected system.
“When the user downloaded and opened this file, it spawned an obfuscated script which, through registry stuffing, installed a chunk of encrypted codes in the registry and added scheduled tasks for persistence. The encrypted code in the registry was then reflectively loaded through PowerShell to reconstruct a Cobalt Strike binary that runs directly in the memory filelessly.” reads the analysis published by Trend Micro. “Much of what we have just described is still in line with the behavior we reported in 2020, but with a few minor updates. This indicates that Gootkit Loader is still actively being developed and has proved successful in compromising unsuspecting victims.”
Experts pointed out that the encrypted registry blobs now use a custom text-replacement algorithm instead of Base64 encoding.
The Cobalt Strike binary loaded directly to the memory of the victim’s system has been observed connecting to the IP address 89[.]238[.]185[.]13, which is a Cobalt Strike C2.
“One key takeaway from this case is that Gootkit is still active and improving its techniques. This implies that this operation has proven effective, as other threat actors seem to continue using it. Users are likely to encounter Gootkit in other campaigns in the future, and it is likely that it will use new means of trapping victims.” concludes the report. “This threat also shows that SEO poisoning remains an effective tactic in luring unsuspecting users. The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard. Such tactics highlight the importance of user awareness and the responsibility of website owners in keeping their cyberspaces safe.”
The post Gootkit AaaS malware is still active and uses updated tactics appeared first on Security Affairs.
At the end of July, researchers from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) linked a threat group known as Knotweed to an Austrian surveillance firm named DSIRF, known for using multiple Windows and Adobe zero-day exploits. The group targets entities in Europe and Central America with a surveillance tool dubbed Subzero.
Microsoft states that multiple news reports have linked the company to the Subzero malware toolset, which is used to hack a broad range of devices, including phones, computers, and network- and internet-connected devices.
The researchers found evidence linking DSIRF to Knotweed's operation, including the C2 infrastructure used by Subzero and a code-signing certificate issued to DSIRF that was used to sign an exploit.
Microsoft reported Subzero attacks against Microsoft customers in Austria, the United Kingdom, and Panama. The targeted entities are law firms, banks, and strategic consultancies.
Last week, Austria announced it is investigating the report that links DSIRF to spyware targeting entities in at least three countries.
Austria's interior ministry said it is not aware of any incidents and has no business relationship with the company.
“Of course, DSN (the National Security and Intelligence Directorate) checks the allegations. So far, there is no proof of the use of spy software from the company mentioned,” reads a statement published by Austria’s interior ministry.
Austria's Kurier newspaper confirmed that DSIRF developed the Subzero surveillance software, but added that it had not been misused and was developed exclusively for use by authorities in EU states. The newspaper also added that the spyware was not commercially available.
The post Austria investigates DSIRF firm for allegedly developing Subzero spyware appeared first on Security Affairs.
The ALPHV/BlackCat ransomware gang claims to have hacked the European gas pipeline Creos Luxembourg S.A.
Creos Luxembourg S.A. owns and manages electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. In this capacity, the company plans, constructs and maintains high, medium and low-voltage electricity networks and high, medium and low-pressure natural gas pipelines, which it owns or which it is responsible for managing.
The ALPHV/BlackCat ransomware group claims to have stolen more than 150 GB from the company, a total of 180,000 files. The stolen data reportedly includes contracts, agreements, passports, bills, and emails.
Encevo, the majority owner of Creos, published a security advisory announcing that the gas pipeline firm had suffered a cyber attack that took place between July 22 and 23. Encevo registered a complaint with the Police of the Grand Duchy and notified the CNPD (National Commission for Data Protection), the ILR (Luxembourg Institute of Regulation) and the competent ministries.
“The Encevo Group would like to inform that its Luxembourg entities Creos (network operator) and Enovos (energy supplier) were victims of a cyberattack on the night of July 22 to 23, 2022. The Encevo Group crisis unit was triggered immediately and the situation is currently under control. We are in the process of gathering all the elements necessary for the understanding and complete resolution of the incident.” reads the announcement. “However, this attack has a negative impact on the operation of the Creos and Enovos customer portals.”
Creos and Enovos pointed out that the cyberattack did not impact the supply of electricity and gas and that the breakdown service is guaranteed.
On July 28, Encevo Group published a new announcement confirming that threat actors had exfiltrated data from its systems.
“Following the announcement of Monday, July 25 and in accordance with our legal information obligations, we confirm that the various entities of the Encevo Group have been the victim of a Cyber-attack. During this attack, a number of data were exfiltrated from computer systems or made inaccessible by hackers.”
For the moment, Encevo Group is investigating the incident to determine which individuals may be affected. The company is asking its customers not to contact the group's services on this subject for the time being; it has set up a website (https://www.encevo.eu/en/encevo-cyberattack/) that will be updated as the situation evolves.
In early July, the BlackCat (aka ALPHV) ransomware gang introduced an advanced search across stolen victims' passwords and confidential documents.
Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the value of ransom demand requests by the notorious Blackcat ransomware gang.
Based on recently compromised victims in the Nordics region (not yet disclosed by the group), the amount demanded exceeds $2 million. One of the tactics used is to offer a discount of close to 50% to victims willing to pay: several ransom demands of $14 million were reduced to $7 million, but such amounts remain hard to meet for enterprises facing cybersecurity incidents. The most common ransom demand practiced by BlackCat jumped to $2.5 million, and its trajectory seems likely to keep rising.
The average ransomware payment climbed 82% since 2020 to a record high of $570,000 in the first half of 2021, and then by 2022 it almost doubled.
BlackCat has been operating since at least November 2021, and launched major attacks in January against OilTanking GmbH, a German fuel company, and in February 2022 against the aviation company Swissport. The group targets high-profile businesses in critical industries including energy, financial institutions, legal services, and technology.
BlackCat ransomware is one of the fastest-growing Ransomware-as-a-Service (RaaS) underground groups, practicing so-called "quadruple extortion" to press victims to pay: encryption, data theft, denial of service (DoS) and harassment.
BlackCat is also known as "ALPHV", "AlphaVM" and "AlphaV", and is a ransomware family written in the Rust programming language. The group's leader, using the same alias in communications on dark web forums, cited Rust as one of the competitive advantages of their locker compared to LockBit and Conti. Although BlackCat and Alpha have completely different URLs on the Tor network, the scripts used on their pages are identical and were likely developed by the same actors.
The group pioneered search over indexed stolen data, allowing customers and employees of the affected companies to check for exposed data.
In a post dated 10 Jul 2022, 15:35 on the dark web, "ALPHV" introduced search not only by text signatures but also with support for tags to search for passwords and compromised PII. Some of the stolen files appear to still be under indexing, but the majority is already available for quick navigation. Over 2,270 indexed documents were identified as containing access credentials and password information in plaintext, and over 100,000 documents carry a confidential marking, including indexed e-mail communications and sensitive attachments.
The post ALPHV/BlackCat ransomware gang claims to have stolen data from Creos Luxembourg S.A. appeared first on Security Affairs.
The 24-year-old Australian national Jacob Wayne John Keen has been charged for his alleged role in the development and sale of spyware known as Imminent Monitor (IM).
The Australian Federal Police (AFP) launched an investigation into the case, codenamed Cepheus, in 2017 after it received information about a “suspicious RAT” from cybersecurity firm Palo Alto Networks and the U.S. FBI.
The man created the malicious code, a remote access trojan (RAT), when he was 15 years old, and maintained its infrastructure from 2013 to 2019. In November 2019, Europol announced that it had dismantled the global organized cybercrime ring behind the Imminent Monitor RAT.
The Imminent Monitor RAT is a hacking tool that allows threat actors to remotely control the victim’s computers. The malware can be delivered in multiple ways, including emails and text messages, and could be used to carry out various malicious actions such as:
- recording keystrokes,
- stealing data and passwords from browsers,
- spying on victims via their webcams,
- downloading and executing files,
- disabling anti-virus and anti-malware software,
- terminating running processes,
- and performing dozens of other actions.
The international operation conducted by law enforcement agencies targeted both the sellers and users of the Imminent Monitor Remote Access Trojan (IM-RAT).
According to the authorities, the popular hacking tool was used across 124 countries and was bought by more than 14,500 hackers, who after the operation will no longer be able to use it.
The police seized the infrastructure used by the organization behind the Imminent Monitor RAT, along with over 430 devices used by the gang and its customers.
Imminent Monitor RAT was very popular because it was easy to use and very cheap: it was offered for as little as $25 with lifetime access. According to the Australian police, the RAT cost about AUD$35 (US$25) and was allegedly advertised on a cybercrime forum. The authorities believe the man earned between $300,000 and $400,000 from selling the malware.
Law enforcement believes hackers used the tool to steal personal details, passwords, private photographs, video footage, and data from tens of thousands of victims.
“An Australian man, 24, who sparked a global law enforcement operation for allegedly creating and selling spyware purchased by domestic violence perpetrators and other criminals, has been charged by the AFP.” reads a press release published by the Australian Federal Police (AFP). “It will be alleged the Frankston man engaged with a network of individuals and sold the spyware, named Imminent Monitor (IM), to more than 14,500 individuals across 128 countries.”
The investigation conducted by the AFP identified 201 individuals in Australia who bought the RAT. According to the Australian authorities, 14.2% of Australia-based PayPal purchasers of IM RAT are associated with people named as respondents on domestic violence orders. Additionally, one of these purchasers is also registered on the Child Sex Offender Register.
The defendant has been charged with six counts of committing a computer offense by developing, selling and administering the RAT.
The man was charged with:
- One count of producing data with intent to commit a computer offence, contrary to section 478.4(1) of the Criminal Code Act 1995 (Cth);
- Two counts of supplying data with intent to commit a computer offence, contrary to section 478.4(1) of the Criminal Code Act 1995 (Cth);
- One count of aiding, abetting, counselling or procuring the commission of an offence, namely the unauthorised modification of data to cause impairment, contrary to sub-sections 11.2(1) and 477.2(1) of the Criminal Code Act 1995 (Cth); and
- Two counts of dealing in the proceeds of crime to the value of $100,000 or more, contrary to section 400.4(1) of the Criminal Code Act 1995 (Cth).
The man's mother was also served a summons to face one count of dealing with the proceeds of crime.
As part of Operation Cepheus, eighty-five search warrants were executed globally, with 434 devices seized and 13 people arrested for using the Imminent Monitor (IM) spyware for alleged criminal activities.
“These types of malware are so nefarious because it can provide an offender virtual access to a victim’s bedroom or home without their knowledge,’’ Commander Goldsmid said.
"Unfortunately there are criminals who not only use these tools to steal personal information for financial gain but also for very intrusive and despicable crimes. One of the jobs for the AFP is to educate the public about identifying and protecting themselves from spear-phishing attacks or socially-engineered messaging – essentially emails or text messages that trick individuals into uploading malware."
Let me close with some recommendations included in the press release:
Be aware of the infection signs:
- Your internet connection is unusually slow;
- Unknown processes are running in your system (visible in the Process tab in Task Manager);
- Your files are modified or deleted without your permission;
- Unknown programs are installed on your device (visible in the Add or Remove Programs tab in the Control Panel).
Protect yourself:
- Ensure that your security software and operating system are up to date;
- Ensure that your device's firewall is active;
- Only download apps and software from sources you can trust;
- Cover your webcam when not in use;
- Regularly back up your data;
- Be wary while browsing the internet and do not click on suspicious links, pop-ups or dialogue boxes;
- Keep your web browser up to date and configured to alert you when a new window is opened or anything is downloaded;
- Do not click on links and attachments within unexpected or suspicious emails.
The post Australian man charged with creating and selling the Imminent Monitor spyware appeared first on Security Affairs.
Microsoft unmasks the Austrian hacking group KNOTWEED. They offer malware, including 0-days for Windows/Adobe Reader.
Microsoft mentions that the company supposedly offers ordinary (well, somewhat extraordinary, because advanced) pentests: they provide services "to multinational corporations in the technology, retail, energy and financial sectors" and they have "a set of highly sophisticated techniques in gathering and analyzing information." They publicly offer several services including...
The article "Reconnaissance of an Active Directory environment with BloodHound [Windows security]" comes from the Sekurak site.
The CVE-2022-30563 vulnerability in Dahua IP cameras can allow attackers to seize control of the devices. The issue affects Dahua's implementation of the Open Network Video Interface Forum (ONVIF) standard.
ONVIF provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.
The vulnerability was discovered by researchers from Nozomi Networks and received a CVSS score of 7.4.
“We’re publishing the details of a new vulnerability (tracked under CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in some IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions.” reads the advisory published by Nozomi Networks. “This vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.”
ONVIF-conformant products allow users to perform a variety of actions on the remote device through a set of standardized Application Programming Interfaces (APIs), including watching camera footage, locking or unlocking a smart door, and performing maintenance operations.
The flaw resides in the "WS-UsernameToken" authentication mechanism implemented by Dahua in some of its IP cameras. Because of missing checks to prevent replay attacks, a threat actor can sniff an unencrypted ONVIF interaction and indefinitely replay the captured credentials in new requests towards the camera, which the device accepts as valid authenticated requests.
Once the credentials are obtained, an attacker can add an administrator account and use it to gain full access to the device and perform actions such as watching live footage from the camera, as shown below.
All an attacker needs to mount this attack is one captured, unencrypted ONVIF request authenticated with the WS-UsernameToken scheme.
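The two device behaviours described above side by side, as an added illustration that is not Nozomi's or Dahua's code: a WS-UsernameToken PasswordDigest verifier that only recomputes the digest (and therefore accepts a captured token forever) next to one that also enforces timestamp freshness and a one-time nonce. The username, password, timestamp and 300-second skew window are constructed for the example.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time

# WS-UsernameToken (as used by ONVIF) PasswordDigest:
#   Base64( SHA-1( Nonce_bytes + Created_text + Password ) )
# The digest is bound to a nonce and a timestamp, so a device that checks
# freshness and remembers nonces can refuse a captured token; a device that
# only recomputes the digest accepts the same token again and again.
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username: str, password: str, created: str) -> dict:
    """Client side: build one UsernameToken with a fresh random nonce."""
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode()
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


class TokenVerifier:
    """Device side. replay_protection=False mirrors the flaw described above."""

    def __init__(self, users: dict, max_skew_s: int = 300,
                 replay_protection: bool = True):
        self.users = users
        self.max_skew_s = max_skew_s
        self.replay_protection = replay_protection
        self.seen = {}  # nonce -> epoch seconds after which it may be forgotten

    def verify(self, token: dict, now: float) -> str:
        password = self.users.get(token["Username"])
        if password is None:
            return "unknown-user"
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "bad-digest"
        if not self.replay_protection:
            return "ok"  # vulnerable: any captured token works indefinitely
        created_ts = calendar.timegm(time.strptime(token["Created"], CREATED_FMT))
        if abs(now - created_ts) > self.max_skew_s:
            return "stale"
        # forget nonces whose freshness window has already passed
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if token["Nonce"] in self.seen:
            return "replay"
        self.seen[token["Nonce"]] = now + self.max_skew_s
        return "ok"


def demo() -> tuple:
    """Constructed scenario: one captured token presented twice to each device."""
    users = {"admin": "example-password"}  # constructed credential
    created = "2022-07-28T10:00:00Z"       # constructed timestamp
    now = calendar.timegm(time.strptime(created, CREATED_FMT)) + 5
    token = make_token("admin", "example-password", created)
    vulnerable = TokenVerifier(users, replay_protection=False)
    hardened = TokenVerifier(users)
    return (vulnerable.verify(token, now), vulnerable.verify(token, now),
            hardened.verify(token, now), hardened.verify(token, now),
            hardened.verify(token, now + 3600))


if __name__ == "__main__":
    print(demo())  # ('ok', 'ok', 'ok', 'replay', 'stale')
```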
The following versions of Dahua video products are affected:
- Dahua ASI7XXX: versions prior to v1.000.0000009.0.R.220620
- Dahua IPC-HDBW2XXX: versions prior to v2.820.0000000.48.R.220614
- Dahua IPC-HX2XXX: versions prior to v2.820.0000000.48.R.220614
The vendor addressed the issue with the release of a patch on June 28, 2022.
“In addition to building security, surveillance cameras are used throughout many critical infrastructure sectors such as oil & gas, power grids, telecommunications, etc. These cameras are used to oversee many production processes, providing remote visibility to process engineers. Threat actors, nation-state threat groups in particular, could be interested in hacking IP cameras to help gather intel on the equipment or production processes of the target company.” concludes Nozomi. “This information could aid in reconnaissance conducted prior to launching a cyberattack. With more knowledge of the target environment, threat actors could craft custom attacks that can physically disrupt production processes in critical infrastructure.”
The post A flaw in Dahua IP Cameras allows full take over of the devices appeared first on Security Affairs.
The Federal Communications Commission (FCC) issued an alert to warn Americans of the rising threat of smishing (robotexts) attacks aimed at stealing their personal information or for financial scams.
“The FCC’s Robocall Response Team is alerting consumers to the rising threat of robotexts. Substantial increases in consumer complaints to the FCC, reports by non-government robocall and robotext blocking services, and anecdotal and news reporting make it clear that text messages are increasingly being used by scammers to target American consumers.” reads the alert published by FCC.
Threat actors use multiple lures to trick victims into handing over their information or sending money. The SMS messages used by attackers include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions against the victims.
In some cases, the information collected as part of these smishing attacks may be used in future scams. The alert recommends that Americans do not respond to such messages or click on any links in them.
The alert is based on the increased number of consumer complaints about unwanted text messages: complaints rose from approximately 5,700 in 2019 to 14,000 in 2020 and 15,300 in 2021, with 8,500 already filed through June 30, 2022.
“In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June.” continues the alert.
To defend against smishing attacks, the FCC provides the following recommendations:
- Do not respond to suspicious texts, even if the message requests that you “text STOP” to end messages.
- Do not click on any links.
- Do not provide any information via text or website.
- File a complaint.
- Forward unwanted texts to SPAM (7726).
- Delete all suspicious texts.
- Update your smart device OS and security apps.
- Consider installing anti-malware software.
- Review companies’ policies regarding opting out of text alerts and selling/sharing your information.
- Review text blocking tools in your mobile phone settings, available third-party apps, and your mobile phone carrier's offerings.
“If you think you’re the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts,” states the FCC. “For more information about scam calls and texts, visit the FCC Consumer Help Center and the FCC Scam Glossary.”
The post US Federal Communications Commission (FCC) warns of the rise of smishing attacks appeared first on Security Affairs.
MBDA is a European multinational developer and manufacturer of missiles that resulted from the merger of the main French, British and Italian missile systems companies (Aérospatiale–Matra, BAE Systems, and Finmeccanica, now Leonardo). The name MBDA comes from the initials of the missile companies' names: Matra, BAe Dynamics and Alenia.
A threat actor operating under the moniker Adrastea, which describes itself as a group of independent cybersecurity specialists and researchers, claims to have hacked MBDA.
Adrastea claims to have found critical vulnerabilities in the company's infrastructure and to have stolen 60 GB of confidential data.
The attackers said that the stolen data includes information about the employees of the company involved in military projects, commercial activities, contract agreements and correspondence with other companies.
"Hello! We are "Adrastea" – a group of independent specialists and researchers in the field of cybersecurity. We found critical vulnerabilities in your network infrastructure and gained access to the company's files and confidential data. Currently, the volume of downloaded data is approximately 60 GB." reads the advertisement published by the group on a popular hacker forum. "The downloaded data contains confidential and closed information about the employees of your company, which took part in the development of closed military projects of MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT etc.) and about the commercial activities of your company in the interests of the Ministry of Defense of the European Union (design documentation of the air defense, missile systems and systems of coastal protection, drawings, presentation, video and photo (3D) materials, contract agreements and correspondence with other companies Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics etc.)."
As proof of the hack, Adrastea shared a link to a password-protected archive containing internal documents related to projects and correspondence.
At this time it is not clear whether the threat actors breached only one of the company's national divisions; they did not disclose details about the attack.
The post Threat actor claims to have hacked European manufacturer of missiles MBDA appeared first on Security Affairs.
We invite you to the new issue of Weekend Reading. This week we wanted to avoid complaints about too many links to go through, but apparently we did not succeed. On the other hand, everyone has a chance to find something for themselves. We wish you enjoyable reading.
In today's issue, in the narrative section we especially recommend Gynvael Coldwind's blog post on how dishonest CTF players can spoil the fun for others (item 6) and Brian Krebs's article showing how a flaw in the Microleaves service exposed its owner's criminal activity (item 16).… Read more
The post "Weekend Reading: episode 478 [2022-07-31]. Take and read" first appeared on Zaufana Trzecia Strona.