Feed aggregator

These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware

The Hacker News - Wed, 07/27/2022 - 09:37
As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware. "All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up. While masquerading as innocuous
Categories: Cyber Security News

The strange similarities between Lockbit 3.0 and Blackmatter ransomware

Security Affairs - Wed, 07/27/2022 - 07:25
Researchers found similarities between LockBit 3.0 ransomware and BlackMatter, which is a rebranded variant of the DarkSide ransomware.

Cybersecurity researchers have found similarities between the latest version of the LockBit ransomware, LockBit 3.0, and the BlackMatter ransomware.

The Lockbit 3.0 ransomware was released in June with important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.

The ransomware appends the extension “HLJkNskOq” or “19MqZqZ0s” to the filenames of the encrypted files and changes their icons to the one from the dropped .ico file.

The ransom note references ‘Ilon Musk’ and the European Union’s General Data Protection Regulation (GDPR).

After the infection process is completed, the ransomware changes the wallpaper of the machine to inform the victim of the attack.

While debugging the LockBit 3.0 sample, Trend Micro researchers noticed that multiple portions of LockBit 3.0’s code are borrowed from the BlackMatter ransomware.

“From our examination of the unpacked sample and an analysis provided by the researcher Chuong Dong, we discovered that LockBit 3.0 requires a pass parameter to decrypt its main routine.” reads the analysis published by Trend Micro. “LockBit 3.0 performs API harvesting by hashing the API names of a DLL, and then comparing it to the list of the APIs that the ransomware needs. This routine is identical to that of BlackMatter, as the externally available script for renaming BlackMatter’s APIs also works for LockBit 3.0.”

The experts highlight the similarities to the privilege escalation and API harvesting routines used by BlackMatter to identify the APIs needed to conduct different activities.

In addition, the latest variant of LockBit also checks the victim machine’s UI language to avoid infecting machines whose language is one of those used in the Commonwealth of Independent States (CIS).

The deletion of shadow copies implemented by LockBit 3.0 and BlackMatter uses Windows Management Instrumentation (WMI) through COM objects. Experts pointed out that LockBit 2.0 uses vssadmin.exe for deletion instead.

“With the release of this latest variant — and the launch of LockBit’s bug bounty program, which rewards its affiliates — we expect the LockBit ransomware group to be even more active in the coming days.” concludes the report. “We advise organizations and end users to be wary of this new variant, especially since the bug bounty program might help the operators in making their ransomware an even more formidable one.”


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)


Categories: Cyber Security News

Taking the Risk-Based Approach to Vulnerability Patching

The Hacker News - Wed, 07/27/2022 - 07:00
Software vulnerabilities are a major threat to organizations today. The cost of these threats is significant, both financially and in terms of reputation.Vulnerability management and patching can easily get out of hand when the number of vulnerabilities in your organization is in the hundreds of thousands of vulnerabilities and tracked in inefficient ways, such as using Excel spreadsheets or
Categories: Cyber Security News

New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts

The Hacker News - Wed, 07/27/2022 - 06:28
Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed Ducktail designed to seize control as part of a financially driven cybercriminal operation.  "The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware," Finnish cybersecurity company WithSecure (formerly F-Secure
Categories: Cyber Security News

„Pani tutaj nie obsługujemy!” – kamery rozpoznające twarze konkretnych osób w sieci handlowej w UK.

Sekurak.pl - Wed, 07/27/2022 - 04:44

Reuters reports on a rather worrying practice: (…) the facial recognition system, sold by the surveillance company Facewatch, creates a biometric profile of everyone who visits the stores where the cameras are installed, allowing the Southern Cooperative chain to build a “blacklist” of customers. If a customer on the list enters a store, staff are alerted. It outlines how the...


Another malware that survives OS reinstalls. Targets in Russia/China/Vietnam/Iran. [UEFI firmware rootkit]

Sekurak.pl - Wed, 07/27/2022 - 03:54

The topic of “invisible” backdoors is not new, but wider popularity of this kind of software is, unfortunately, probably close. This time we learn (https://securelist[.]com/cosmicstrand-uefi-firmware-rootkit/106973/) about a probably Chinese crew that exploits a single vulnerability in the drivers of Gigabyte / ASUS motherboards: The rootkit is located in the firmware images of Gigabyte or ASUS...


CVE-2022-0342: login bypass on Zyxel firewalls. An absurdly simple trick…

Sekurak.pl - Wed, 07/27/2022 - 03:36

Details of the vulnerability are available here: An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device. So, as you can see...


Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access

The Hacker News - Wed, 07/27/2022 - 03:17
Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a "durable persistence mechanism." That's according to a new warning from the Microsoft 365 Defender Research Team, which said that "IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target
Categories: Cyber Security News

Experts Find Similarities Between New LockBit 3.0 and BlackMatter Ransomware

The Hacker News - Tue, 07/26/2022 - 12:16
Cybersecurity researchers have reiterated similarities between the latest iteration of the LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware strain that closed shop in November 2021. The new version of LockBit, called LockBit 3.0 aka LockBit Black, was released in June 2022, launching a brand new leak site and what's the very first ransomware bug bounty program,
Categories: Cyber Security News

Threat actors leverage DLL side-loading to spread Qakbot malware

Security Affairs - Tue, 07/26/2022 - 12:14
Qakbot malware operators are using the Windows Calculator to side-load the malicious payload on target systems.

Security expert ProxyLife and Cyble researchers recently uncovered a Qakbot campaign that was leveraging the Windows 7 Calculator app for DLL side-loading attacks. Dynamic-link library (DLL) side-loading is an attack method that takes advantage of how Microsoft Windows applications locate and load DLL files. In such attacks, malware places a spoofed malicious DLL where the application looks first (for example next to the executable or in the WinSxS directory) so that the operating system loads it instead of the legitimate file.

According to the researcher, the operators have been using this technique since at least July 11.

Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware spreads via malspam campaigns; it inserts replies into active email threads.

Cyble experts, who started their investigation from the IoCs shared by ProxyLife, analyzed the attack chain employed in the latest Qakbot attacks.

#Qakbot – obama201 – html > .zip > .iso > .lnk > calc.exe > .dll > .dll

T1574 – DLL Search Order Hijacking

cmd.exe /q /c calc.exe

regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll

regsvr32.exe 7533.dll

https://t.co/8EI63li9ol

IOC's https://t.co/BYhFkccqky pic.twitter.com/PEkfEzLxYv

— proxylife (@pr0xylife) July 14, 2022

In this campaign, the spam message contains an HTML file that has base64-encoded images and a password-protected ZIP file. The password-protected ZIP file contains an ISO file (i.e. Report Jul 14 47787.iso), and the password for opening it is reported in the HTML file. The use of password-protected ZIP files is a common technique adopted by threat actors to evade detection.

Once the victim opens the ISO image, it is mounted and shows a .lnk file masquerading as a PDF file. If the victim opens the .lnk file, the Qakbot infection process starts.

The ISO file contains four different files:

  • a .lnk file
  • a legitimate calc .exe
  • WindowsCodecs.dll
  • 7533.dll.

The .LNK file appears as a PDF containing information of interest to the victims. The shortcut points to the Calculator app in Windows. Upon execution, the Windows 7 Calculator automatically attempts to load the legitimate WindowsCodecs DLL. It will load any DLL with the same name if one is placed in the same folder as the Calc.exe executable, resulting in the execution of the malicious DLL.

“In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe.” reads the analysis published by Cyble. “Upon executing the calc.exe, it further loads WindowsCodec.dll and executes the final Qakbot payload using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all the malicious activities.”

The threat actors bundle the Windows 7 version of the Calculator because the attack doesn’t work against the Calc.exe shipped with Windows 10 and later.

Cyble shared MITRE ATT&CK® techniques and Indicators of Compromise (IoCs).
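The side-loading chain described above (calc.exe started from the mounted ISO, WindowsCodecs.dll resolved from the same folder, regsvr32 launched for the payload) can be turned into a simple detection over process-creation and image-load telemetry. The following Python script is an added example, not code from the Security Affairs or Cyble write-ups: the event schema (Sysmon-style process create / image load records), the rule names and the sample events are constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Directories from which Windows legitimately loads calc.exe and WindowsCodecs.dll.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass
class Event:
    """Minimal Sysmon-style telemetry record (constructed schema, not a real log format)."""
    kind: str            # "ProcessCreate" or "ImageLoad"
    image: str           # full path of the process image
    parent: str = ""     # parent process image (ProcessCreate only)
    cmdline: str = ""    # command line (ProcessCreate only)
    loaded: str = ""     # DLL path that was mapped (ImageLoad only)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def _in_system_dir(path: str) -> bool:
    return _dir(path).startswith(SYSTEM_DIRS)


def analyse(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the Qakbot side-loading chain."""
    findings = []
    for ev in events:
        if ev.kind == "ProcessCreate":
            img = _base(ev.image)
            # calc.exe running from outside System32 (e.g. a mounted ISO) is itself suspicious.
            if img == "calc.exe" and not _in_system_dir(ev.image):
                findings.append(("calc_outside_system_dir", ev.image))
            if img == "regsvr32.exe":
                # A DLL registered out of the user's Temp folder, as in the tweeted chain.
                m = re.search(r"(\S+\.dll)", ev.cmdline, re.IGNORECASE)
                if m and re.search(r"\\appdata\\local\\temp\\", m.group(1), re.IGNORECASE):
                    findings.append(("regsvr32_temp_dll", m.group(1)))
                # Calculator has no legitimate reason to spawn regsvr32.
                if _base(ev.parent) == "calc.exe":
                    findings.append(("calc_spawned_regsvr32", ev.cmdline))
        elif ev.kind == "ImageLoad":
            # WindowsCodecs.dll resolved from the process's own folder instead of System32.
            if (_base(ev.loaded) == "windowscodecs.dll"
                    and _dir(ev.loaded) == _dir(ev.image)
                    and not _in_system_dir(ev.loaded)):
                findings.append(("windowscodecs_sideload", ev.loaded))
    return findings


# Constructed sample: the chain from the write-up (ISO mounted as E:) followed by a benign calc launch.
SAMPLE_EVENTS = [
    Event("ProcessCreate", r"E:\calc.exe", parent=r"C:\Windows\System32\cmd.exe", cmdline="calc.exe"),
    Event("ImageLoad", r"E:\calc.exe", loaded=r"E:\WindowsCodecs.dll"),
    Event("ProcessCreate", r"C:\Windows\System32\regsvr32.exe", parent=r"E:\calc.exe",
          cmdline=r"regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll"),
    Event("ProcessCreate", r"C:\Windows\System32\calc.exe", parent=r"C:\Windows\explorer.exe",
          cmdline="calc.exe"),
    Event("ImageLoad", r"C:\Windows\System32\calc.exe", loaded=r"C:\Windows\System32\WindowsCodecs.dll"),
]


def demo() -> List[Tuple[str, str]]:
    """Run the rules over the constructed sample; the benign tail produces no findings."""
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, evidence in demo():
        print(f"{rule}: {evidence}")
```

The image-load rule is the one that generalises beyond this campaign: any signed binary that resolves a known system DLL from its own directory rather than from System32 deserves a look, regardless of which executable the actor chose to copy.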


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Categories: Cyber Security News

4 Steps Financial Industry Can Take to Cope With Their Growing Attack Surface

The Hacker News - Tue, 07/26/2022 - 12:01
The financial services industry has always been at the forefront of technology adoption, but the 2020 pandemic accelerated the widespread of mobile banking apps, chat-based customer service, and other digital tools. Adobe's 2022 FIS Trends Report, for instance, found that more than half of the financial services and insurance firms surveyed experienced a notable increase in digital/mobile
Categories: Cyber Security News

Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection

The Hacker News - Tue, 07/26/2022 - 08:13
As many as 207 websites have been infected with malicious code designed to launch a cryptocurrency miner by leveraging WebAssembly (Wasm) on the browser. Web security company Sucuri, which published details of the campaign, said it launched an investigation after one of its clients had their computer slowed down significantly every time upon navigating to their own WordPress portal. This
Categories: Cyber Security News

Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers

The Hacker News - Tue, 07/26/2022 - 06:12
FileWave's mobile device management (MDM) system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. "The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty
Categories: Cyber Security News

SmokeLoader Infecting Targeted Systems with Amadey Info-Stealing Malware

The Hacker News - Tue, 07/26/2022 - 03:18
An information-stealing malware called Amadey is being distributed by means of another backdoor called SmokeLoader. The attacks hinge on tricking users into downloading SmokeLoader that masquerades as software cracks, paving the way for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last week. Amadey, a
Categories: Cyber Security News

Zero Day attacks target online stores using PrestaShop

Security Affairs - Tue, 07/26/2022 - 02:22
Threat actors are exploiting a zero-day vulnerability to steal payment information from sites using the open source e-commerce platform PrestaShop.

Threat actors are targeting websites using the open source e-commerce platform PrestaShop by exploiting a zero-day flaw, tracked as CVE-2022-36408, that can allow them to execute arbitrary code and potentially steal customers’ payment information.

PrestaShop is currently used by 300,000 shops worldwide and is available in 60 different languages.

The vulnerability affects PrestaShop versions 1.6.0.10 or later and versions 1.7.8.2 or later running modules vulnerable to SQL injection (i.e. Wishlist 2.0.0 to 2.1.0 module).

“The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information.” reads the advisory published by the maintainers at PrestaShop. “While investigating this attack, we found a previously unknown vulnerability chain that we are fixing.”

Threat actors are targeting online shops running outdated software or modules, or third-party modules affected by known vulnerabilities or zero-day flaws.

Below is the attack chain reconstructed by the experts investigating the attacks:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

Once the attackers have taken over the online store, they inject a fake payment form into the front-office checkout page to steal credit card information when visitors make purchases.

The researchers provided indicators of compromise for these attacks, such as the activation of the MySQL Smarty cache storage.

“Be aware that not finding this pattern on your logs doesn’t necessarily mean that your shop has not been affected by the attack: the complexity of the exploit means that there are several ways of performing it, and attackers might also try and hide their tracks.” concludes the report.
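The three-step sequence reconstructed above (a POST to a vulnerable module endpoint, a parameter-less GET to the homepage about a second later, then a GET to blm.php) is a pattern that can be searched for in web-server access logs, with the caveat from the report that its absence proves nothing. The script below is an added example and not part of the PrestaShop advisory or the Security Affairs post; the module path /modules/examplemodule/ajax.php, the client addresses and the log lines are constructed placeholders, and the five-second window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Apache/nginx combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method").upper(),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def find_webshell_chain(lines: List[str], window_seconds: int = 5) -> List[Tuple[str, str, str]]:
    """Return (ip, rule, evidence) triples.

    Two rules: any request for /blm.php at all, and the full sequence
    POST -> GET / -> GET /blm.php from one client, with the homepage hit
    landing within `window_seconds` of the POST (assumed window).
    """
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Rule 1: the dropped file name is itself an indicator.
        for r in recs:
            if r["path"].lower().endswith("/blm.php"):
                findings.append((ip, "request_to_blm_php", r["ts"].isoformat()))
        # Rule 2: the three-step chain from the advisory.
        for i, post in enumerate(recs):
            if post["method"] != "POST":
                continue
            rest = recs[i + 1:]
            home = next((r for r in rest if r["method"] == "GET" and r["path"] == "/"
                         and (r["ts"] - post["ts"]).total_seconds() <= window_seconds), None)
            if home is None:
                continue
            if any(r["path"].lower().endswith("/blm.php") and r["ts"] >= home["ts"] for r in rest):
                findings.append((ip, "post_then_home_then_blm_php", post["path"]))
    return findings


# Constructed sample log: one attacker-like sequence and one ordinary shopper (no blm.php).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2022:10:15:01 +0000] "POST /modules/examplemodule/ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Jul/2022:10:15:02 +0000] "GET / HTTP/1.1" 200 8123',
    '203.0.113.7 - - [22/Jul/2022:10:15:03 +0000] "GET /blm.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [22/Jul/2022:10:16:10 +0000] "GET /index.php?id_product=12 HTTP/1.1" 200 4021',
    '198.51.100.4 - - [22/Jul/2022:10:16:12 +0000] "POST /index.php?controller=cart HTTP/1.1" 302 0',
    '198.51.100.4 - - [22/Jul/2022:10:16:13 +0000] "GET / HTTP/1.1" 200 8123',
]


def demo() -> List[Tuple[str, str, str]]:
    return find_webshell_chain(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, rule, evidence in demo():
        print(f"{ip} {rule} {evidence}")
```

Rule 2 is deliberately not tied to a specific module path, since the advisory says several modules and several ways of performing the exploit exist; the POST-then-homepage-then-new-PHP-file shape is what survives a change of entry point, and the file name in rule 1 is the part most likely to be renamed by a later campaign.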

Admins have to update to PrestaShop version 1.7.8.7.


Pierluigi Paganini

(SecurityAffairs – hacking, CMS)


Categories: Cyber Security News

Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores

The Hacker News - Mon, 07/25/2022 - 23:09
Malicious actors are exploiting a previously unknown security flaw in the open source PrestaShop e-commerce platform to inject malicious skimmer code designed to swipe sensitive information. "Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites," the company noted in an advisory published on July 22. PrestaShop is
Categories: Cyber Security News

CosmicStrand, a new sophisticated UEFI firmware rootkit linked to China

Security Affairs - Mon, 07/25/2022 - 19:10
Kaspersky uncovered a new UEFI firmware rootkit, tracked as CosmicStrand, which it attributes to an unknown Chinese-speaking threat actor. 

Researchers from Kaspersky have spotted a UEFI firmware rootkit, named CosmicStrand, which has been attributed to an unknown Chinese-speaking threat actor. This malware was first spotted by Chinese firm Qihoo360 in 2017.

The researchers were not able to determine the initial attack vector, but the analysis of the malicious code allowed the experts to discover which devices can be infected by CosmicStrand. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, which are related to designs using the H81 chipset. The researchers speculate that a common vulnerability was exploited by the attackers to inject the rootkit into the firmware image.

“In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.” reads the analysis published by the experts. “Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.”

The researchers believe that the attackers could have used a precursor malware implant to inject the rootkit or may have had physical access to the target device.

The infection process aims at tampering with the OS loader to set up another hook in a function of the Windows kernel. Once this function is called during the normal bootstrap procedure of the OS, the malware takes control of the execution flow one last time.

The malicious code injects a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the target machine.

CosmicStrand retrieves the final payload by sending a specifically crafted UDP (preferably) or TCP packet to the C2 server (update.bokts[.]com), which in turn replies with one or several packets containing chunks of 528 bytes with a specific structure. The chunks are then reassembled into a series of bytes that are mapped into kernel space and interpreted as shellcode.

The victims identified by the researchers are private individuals located in China, Vietnam, Iran, and Russia, with no link with any organization or industry vertical.

The experts attribute the rootkit to a Chinese-speaking threat actor due to code overlaps between CosmicStrand and other malware strains, such as the MyKings botnet and the MoonBounce UEFI implant.

“CosmicStrand is a sophisticated UEFI firmware rootkit that allows its owners to achieve very durable persistence: the whole lifetime of the computer, while at the same time being extremely stealthy. It appears to have been used in operation for several years, and yet many mysteries remain.” concludes the report. “How many more implants and C2 servers could still be eluding us? What last-stage payloads are being delivered to the victims? But also, is it really possible that CosmicStrand has reached some of its victims through package “interdiction”? In any case, the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later.”


Pierluigi Paganini

(SecurityAffairs – hacking, CosmicStrand)


Categories: Cyber Security News

Flaws in FileWave MDM could have allowed hacking +1000 organizations

Security Affairs - Mon, 07/25/2022 - 14:00
Multiple flaws in FileWave mobile device management (MDM) product exposed organizations to cyberattacks.

Claroty researchers discovered two vulnerabilities in the FileWave MDM product that exposed more than one thousand organizations to cyber attacks. FileWave MDM is used by organizations to view and manage device configurations, locations, security settings, and other device data. An organization may use the MDM platform to push mandatory software and updates to devices, change device settings, lock, and, when necessary, remotely wipe devices.

The now patched vulnerabilities are an authentication bypass issue tracked as CVE-2022-34907 and a hardcoded cryptographic key tracked as CVE-2022-34906. Both issues reside in FileWave MDM before version 14.6.3 and in 14.7.x prior to 14.7.2. FileWave addressed the vulnerabilities in version 14.7.2 earlier this month.

A remote attacker can trigger the vulnerabilities to bypass authentication and gain full control over the MDM platform and its managed devices. 

The authentication bypass vulnerability can allow a remote attacker to achieve “super_user” access and take full control of the MDM install, then use it to manage any device of the target organization.

“During our research, we were able to identify a critical flaw in the authentication process of the FileWave MDM product suite, allowing us to create an exploit that bypasses authentication requirements in the platform and achieve super_user access, (the platform’s most privileged user).” reads the analysis published by Claroty. “By exploiting this authentication bypass vulnerability, we were able to take full control over any internet-connected MDM instance.”

The researchers discovered more than 1,100 organizations in multiple industries using the flawed MDM.

In order to demonstrate the CVE-2022-34907 flaw, the experts created a standard FileWave setup and enrolled 6 devices of their own. They used the vulnerability to leak data about all of the devices managed by that instance of the MDM server.

“Lastly, using regular MDM functionality which allows IT administrators to install packages and software on managed devices, we installed malicious packages on each controlled device, popping a fake ransomware virus on each of those managed devices. Doing so, we demonstrated how a potential attacker can leverage Filewave’s capabilities in order to take control over different managed devices.” reads the post published by Claroty.

The researchers demonstrated how the flaw could be exploited to install ransomware on the devices managed by an instance that the experts had compromised.

“This exploit, if used maliciously, could allow remote attackers to easily attack and infect all internet-accessible instances managed by the FileWave MDM, below, allowing attackers to control all managed devices, gaining access to users’ personal home networks, organizations’ internal networks, and much more,” concludes Claroty.


Pierluigi Paganini

(SecurityAffairs – hacking, FileWave MDM)


Categories: Cyber Security News

Microsoft Adds Default Protection Against RDP Brute-Force Attacks in Windows 11

The Hacker News - Mon, 07/25/2022 - 11:43
Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system in an attempt to raise the security baseline to meet the evolving threat landscape. To that end, the default policy for Windows 11 builds – particularly, Insider Preview builds 22528.1000 and newer – will automatically lock accounts for 10
Categories: Cyber Security News

Experts Uncover New 'CosmicStrand' UEFI Firmware Rootkit Used by Chinese Hackers

The Hacker News - Mon, 07/25/2022 - 10:05
An unknown Chinese-speaking threat actor has been attributed to a new kind of sophisticated UEFI firmware rootkit called CosmicStrand. "The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset," Kaspersky researchers said in a new report published today. "This suggests that a common
Categories: Cyber Security News
