A malicious campaign targeting Discord users leverages multiple npm packages to deliver malware that steals their payment card information, Kaspersky researchers warn.
The malicious code hidden in the packages, tracked as Lofy Stealer, is a modified version of an open-source token logger called Volt Stealer.
“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP.” reads the analysis published by Kaspersky.
The malicious code can detect when a user logs in, changes an email address or password, enables or disables multi-factor authentication (MFA), or adds a new payment method, and it captures complete bank card details.
Below is the timeline of the uploaded malicious packages, which include the small-sm, pern-valids, lifeculer and proc-title npm modules:

Package name   Version   Timestamp (UTC)
small-sm       8.2.0     2022-07-17 20:28:29
small-sm       4.2.0     2022-07-17 19:47:56
small-sm       4.0.0     2022-07-17 19:43:57
small-sm       1.1.0     2022-06-18 16:19:47
small-sm       1.0.9     2022-06-17 12:23:33
small-sm       1.0.8     2022-06-17 12:22:31
small-sm       1.0.7     2022-06-17 03:36:45
small-sm       1.0.5     2022-06-17 03:31:40
pern-valids    1.0.3     2022-06-17 03:19:45
pern-valids    1.0.2     2022-06-17 03:12:03
lifeculer      0.0.1     2022-06-17 02:50:34
proc-title     1.0.3     2022-03-04 05:43:31
proc-title     1.0.2     2022-03-04 05:29:58
Once harvested, this data is uploaded to one of several Replit-hosted instances whose addresses are hard-coded within the malware (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co).
Kaspersky states that they are constantly monitoring the updates to repositories to rapidly detect all new malicious packages.
(SecurityAffairs – hacking, Discord)
The post Malware-laced npm packages used to target Discord users appeared first on Security Affairs.
On July 21, 2022, Akamai mitigated the largest DDoS attack that ever hit one of its European customers.
The attack hit an Akamai customer in Eastern Europe that was targeted 75 times in the past 30 days with multiple types of DDoS attacks, including UDP, UDP fragmentation, ICMP flood, RESET flood, SYN flood, TCP anomaly, TCP fragment, PSH ACK flood, FIN push flood, and PUSH flood.
“On Thursday, July 21, 2022, Akamai detected and mitigated the largest DDoS attack ever launched against a European customer on the Prolexic platform, with globally distributed attack traffic peaking at 853.7 Gbps and 659.6 Mpps over 14 hours.” reads the post published by Akamai. “The attack, which targeted a swath of customer IP addresses, formed the largest global horizontal attack ever mitigated on the Prolexic platform.”
The malicious traffic peaked at 853.7 Gbps and 659.6 Mpps over 14 hours; this is the largest global horizontal attack ever mitigated on the Akamai Prolexic platform.
[Figure: spike in BPS attack traffic. Source: Akamai]
According to Akamai, threat actors used a highly-sophisticated, global botnet of compromised devices to launch the attack.
In September, the Russian Internet giant Yandex was hit by the largest DDoS attack in the history of Runet, the Russian Internet designed to be independent of the world wide web and ensure the resilience of the country to an internet shutdown. The attack was launched by the Mēris botnet and reached 21.8 million RPS (requests per second).
The post Akamai blocked the largest DDoS attack ever on its European customers appeared first on Security Affairs.
LibreOffice is an open-source office productivity software suite, a project of The Document Foundation (TDF).
LibreOffice maintainers addressed three security flaws in their suite, including an arbitrary code execution issue tracked as CVE-2022-26305. The CVE-2022-26305 flaw is classified as the execution of untrusted macros due to improper certificate validation. The issue could lead to the execution of malicious macros.
By default, LibreOffice executes macros only if they are stored in a trusted file location or if they are signed by a trusted certificate included in a list of certificates stored in the user’s configuration database.
“An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate.” reads the advisory published by LibreOffice. “An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted.”
This flaw cannot be exploited if the macro security level is set to very high or if the user has no trusted certificates.
The second issue fixed in the popular software is a static initialization vector that allows an attacker to recover the passwords stored for web connections without knowing the master password.
“LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.” reads the advisory. “A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data.”
The third issue addressed in the software, tracked as CVE-2022-26307, is related to the use of Weak Master Keys that could be guessed by attackers through a brute-force attack.
“LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.” reads the advisory. “A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config.”
All the flaws were discovered by OpenSource Security GmbH on behalf of the German Federal Office for Information Security; they were fixed with the release of versions 7.2.7, 7.3.2, and 7.3.3.
The post LibreOffice fixed 3 flaws, including a code execution issue appeared first on Security Affairs.
In response to Microsoft’s decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default in Microsoft Office applications, threat actors are adopting new attack techniques.
Researchers from Proofpoint reported that threat actors are increasingly using container files, such as ISO and RAR archives, and Windows Shortcut (LNK) files in their malware campaigns. Proofpoint researchers noticed that the use of ISO, RAR and LNK file attachments increased by nearly 175% over the same period, and that at least 10 threat actors have started using LNK files in their campaigns since February 2022.
“According to an analysis of campaigned threats, which include threats manually analyzed and contextualized by Proofpoint threat researchers, the use of macro-enabled attachments by threat actors decreased approximately 66% between October 2021 and June 2022.” reads the analysis published by Proofpoint.
Before October 2021, most malicious phishing campaigns spread malware using weaponized Office documents; once the victim was tricked into opening the file, the attack chain started.
Microsoft’s move to block macros has pushed threat actors to find alternative techniques to bypass Mark of the Web (MOTW) protections.
The Mark of the Web is a feature introduced by Microsoft to record the origin of a file. If a file was downloaded from the Internet or from another location on a network, it contains a comment identifying the zone from which it was downloaded. Depending on this zone (e.g. intranet, internet, etc.), Windows handles the file accordingly, so as to prevent users from running or opening potentially harmful files from untrusted sources.
The researchers observed that the number of campaigns containing LNK files has increased by 1,675% since October 2021. Proofpoint tracked multiple threat actors, both cybercriminal gangs and APT groups, leveraging LNK files.
“Threat actors across the threat landscape are pivoting away from macro-enabled documents to increasingly use different filetypes for initial access. This change is led by the adoption of ISO and other container file formats, as well as LNK files. Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.” concludes the report. “Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history. It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”
The post Threat actors use new attack techniques after Microsoft blocked macros by default appeared first on Security Affairs.
ENISA published a report that provides anonymized and aggregated information about major telecom security incidents in 2021.
Every European telecom operator that suffers a security incident notifies its national authorities, which share a summary of these reports with ENISA at the start of every calendar year.
The reporting of security incidents has been part of the EU’s regulatory framework for telecoms since the 2009 reform of the telecoms package.
This year the report includes data related to reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
The incidents had a significant impact: the total user hours lost (obtained by multiplying, for each incident, the number of users affected by the number of hours) was 5,106 million user hours. Experts noticed a huge increase compared to the 841 million user hours lost in 2020. The reason for this is the impact of a notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC, including on thresholds and on calculating hours lost.
Below are the takeaways from incidents that took place in 2021:
- 4.16% of reported incidents in 2021 refer to OTT communication services; for this reason the Agency calls for further attention to security incidents involving OTT services.
- This is the first time that incidents concerning confidentiality and authenticity were reported.
- The share of incidents labeled as malicious actions rose from 4% in 2020 to 8% in 2021.
- System failures continue to dominate in terms of impact but the downward trend continues. System failures accounted for 363 million user hours lost compared to 419 million user hours in 2020.
- The number of Incidents caused by human errors is the same as in 2020.
- Only 22% of incidents were reported as being related to third-party failures compared to 29%
Let me suggest reading the full report for additional information.
The post ENISA provides data related to major telecom security incidents in 2021 appeared first on Security Affairs.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) researchers linked a threat group known as Knotweed to an Austrian surveillance firm named DSIRF, known for using multiple Windows and Adobe zero-day exploits. The group targets entities in Europe and Central America with a surveillance tool dubbed Subzero.
The DSIRF website states that the company provides services “to multinational corporations in the technology, retail, energy and financial sectors” and that it has “a set of highly sophisticated techniques in gathering and analyzing information.” It publicly offers several services, including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”
Microsoft states that multiple news reports have linked the company to the Subzero malware toolset used to hack a broad range of devices, phones, computers, and network and internet-connected devices.
The researchers found evidence that links DSIRF to Knotweed’s operation, including the C2 infrastructure used by Subzero and a code-signing certificate issued to DSIRF that was used to sign an exploit.
Microsoft reported Subzero attacks against Microsoft customers in Austria, the United Kingdom, and Panama. The targeted entities are law firms, banks, and strategic consultancies.
MSTIC states that KNOTWEED’s Subzero malware was deployed in multiple ways; the IT giant refers to the different stages of the Subzero malware as Jumplump, the persistent loader, and Corelump, the main malware.
Once they have compromised a system, the threat actors drop the Corelump downloader and inject it directly into memory to evade detection. It supports multiple features, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.
Microsoft researchers observed a variety of post-compromise actions on infected systems:
- Setting of UseLogonCredential to “1” to enable plaintext credentials
- Credential dumping via comsvcs.dll
- Attempt to access emails with dumped credentials from a KNOTWEED IP address
- Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com
- Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF
Researchers from threat intelligence firm RiskIQ, using passive DNS data related to Knotweed attacks, linked the C2 infrastructure used by the malware since February 2020 to DSIRF.
One of the zero-day exploits used in Knotweed attacks was triggering the recently patched CVE-2022-22047 issue. The attackers used this exploit to escalate privileges, escape sandboxes, and gain system-level code execution on the vulnerable system.
“In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.” reads the report. “We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.”
Below is the list of recommendations published by Microsoft for its customers to prevent Subzero infections:
- All customers should prioritize patching of CVE-2022-22047.
- Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the related indicators.
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. Note: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
“Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.” concludes Microsoft.
The post European firm DSIRF behind the attacks with Subzero surveillance malware appeared first on Security Affairs.
Lately we have been receiving a very large number of reports asking about the following SMS: Some people do not even ask, they simply report the matter to us straight away as a 'new scam'. Indeed, there is a strange link-shortener here, which leads to: https://bonturystyczny.polska[.]travel/aktualnosci/bon-turystyczny-pobierz-i-wykorzystaj (this is in fact a “good” site, although the .travel domain may puzzle some people). That last point still does not mean anything...
The article SMS campaign from the Polish Tourism Organisation – scam or an unfortunate way of communicating? comes from the Sekurak site.
The Spanish police have arrested two men suspected to be the hackers behind cyberattacks that hit the country’s radioactivity alert network (RAR) between March and June 2021.
The RAR system is a mesh of gamma radiation detection sensors deployed across the country in order to detect anomalous radiation levels and take protective measures to prevent damage to the environment and the population. The sensors are connected by telephone to the control center at the DGPCE headquarters, which gathers the measurements and transmits the necessary orders to the sensors.
[Image source: https://westobserver.com]
The suspects are former workers of the company in charge of maintaining the RAR system, which gave them technical knowledge of the system.
The duo was identified after a year-long investigation; the police carried out searches at two homes and one company in Madrid and San Agustín de Guadalix. The agents found numerous computers and communications devices that were used in the attack.
The two suspects had access to the network of the General Directorate of Civil Protection and Emergencies (DGPCE) and were able to disconnect the sensors from the system, reducing its detection capacity even in the vicinity of nuclear power plants.
The Cyberattack Group of the National Police, with the help of the DGPCE, determined that once the attackers gained access to the network they attempted to delete the RAR management web application in the control center. The suspects targeted more than 300 sensors out of the 800 existing ones.
In parallel, the duo launched individual attacks against the sensors, taking down 300 of the 800 spread across Spain, essentially cutting their link to the control center and disrupting the data exchange.
The cyberattacks against RAR stopped in June 2021, after the security breach was discovered by the Spanish authorities.
“During the investigation it was determined that the two detainees had been responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE, for which they had a deep knowledge of it that made it easier for them to carry out the attacks and helped them in their efforts to mask their authorship, significantly increasing the difficulty of the investigation.” reads the announcement published by the Policía Nacional.
The police did not provide additional details about the attack; at this time the motivation behind it is unknown.
The post Spain police arrested two men accused of cyber attacks on radioactivity alert network (RAR) appeared first on Security Affairs.
Microsoft warns of threat actors that are increasingly abusing Internet Information Services (IIS) extensions to establish covert backdoors into servers and maintain persistence in the target networks.
IIS backdoors are also hard to detect because they follow the same code structure as legitimate and harmless modules.
“Malicious IIS extensions are less frequently encountered in attacks against servers, with attackers often only using script web shells as the first stage payload. This leads to a relatively lower detection rate for malicious IIS extensions compared to script web shells.” reads the advisory published by Microsoft. “IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules. In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection.”
The attackers usually exploit a critical vulnerability in the hosted application to gain initial access and drop a script web shell as the first stage of the attack chain. Then the web shell is used to install a rogue IIS module that establishes persistent access to the server which is hard to discover. The shell also monitors incoming and outgoing requests and runs commands sent by remote attackers, it also allows attackers to dump credentials in the background as the user authenticates to the web application.
In early July, researchers from Kaspersky Lab discovered a new ‘SessionManager’ Backdoor that was employed in attacks targeting Microsoft IIS Servers since March 2021.
SessionManager is written in C++, it is a malicious native-code IIS module that is loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server.
The attackers were exploiting the ProxyLogon vulnerabilities in Exchange Server to deploy SessionManager.
Microsoft researchers also detailed a campaign that took place between January and May 2022, in which threat actors targeted Exchange servers, exploiting the ProxyShell flaws to ultimately deploy a backdoor called “FinanceSvcModel.dll.”
“After a period of doing reconnaissance, dumping credentials, and establishing a remote access method, the attackers installed a custom IIS backdoor called FinanceSvcModel.dll in the folder C:\inetpub\wwwroot\bin\. The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration, as detailed below.” continues the analysis.
Microsoft grouped the malicious IIS extensions observed over the past year in the following categories:
- Web shell-based variants;
- Open-source variants;
- IIS handlers;
- Credential stealers;
To mitigate IIS backdoor attacks, experts recommend that organizations:
- install the latest security updates, especially for server components;
- enable antivirus and other security protections;
- review sensitive roles and groups;
- restrict access by applying the principle of least privilege;
- prioritize alerts;
- inspect config file and bin folder;
The post Attackers increasingly abusing IIS extensions to establish covert backdoors appeared first on Security Affairs.
Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.
Experts attribute the campaign to a financially motivated Vietnamese threat actor suspected of having been active since 2018.
“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.
The threat actors target individuals and employees who may have access to a Facebook Business account; they use an information-stealer malware that steals browser cookies and abuses authenticated Facebook sessions to steal information from the victim’s Facebook account.
The end goal is to hijack Facebook Business accounts managed by the victims.
The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers contacted the victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud, and MediaFire.
WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, it also includes the main assembly. Experts pointed out that the usage of .NET Core and its single-file feature is uncommon in malware development.
The use of .NET Core allows the attackers to embed the Telegram.Bot client, as well as any other external dependencies, into a single executable and to use Telegram channels as Command and Control (C&C).
“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.
In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.
The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation.
Once they have obtained the above data, the attackers can access the victim’s personal account, hijack it by adding the email address retrieved from the Telegram channel, and grant themselves Admin and Finance editor access.
“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.
Countries affected by the DUCKTAIL samples analyzed by the experts include the US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.
“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”
Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.
The post DUCKTAIL operation targets Facebook’s Business and Ad accounts appeared first on Security Affairs.