The Lockbit 3.0 ransomware was released in June with important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.
The ransomware appends the extension “HLJkNskOq” or “19MqZqZ0s” to the filenames of the encrypted files and changes their icons to the icon of the .ico file.
The ransom note references ‘Ilon Musk’ and the European Union’s General Data Protection Regulation (GDPR).
After the infection process is completed, the ransomware changes the wallpaper of the machine to inform the victims of the attack.
While debugging the LockBit 3.0 sample, Trend Micro researchers noticed that multiple portions of LockBit 3.0’s code are borrowed from the BlackMatter ransomware.
“From our examination of the unpacked sample and an analysis provided by the researcher Chuong Dong, we discovered that LockBit 3.0 requires a pass parameter to decrypt its main routine.” reads the analysis published by Trend Micro. “LockBit 3.0 performs API harvesting by hashing the API names of a DLL, and then comparing it to the list of the APIs that the ransomware needs. This routine is identical to that of BlackMatter, as the externally available script for renaming BlackMatter’s APIs also works for LockBit 3.0.”
The experts highlight the similarities to the privilege escalation and harvesting routines used by BlackMatter to identify the APIs needed to conduct different activities.
In addition, the latest variant of LockBit also checks the victim machine’s UI language and avoids infecting machines whose language is one of those used in the Commonwealth of Independent States (CIS).
The deletion of shadow copies implemented by LockBit 3.0 and BlackMatter uses Windows Management Instrumentation (WMI) through COM objects; the experts pointed out that LockBit 2.0 used vssadmin.exe for the deletion instead.
“With the release of this latest variant — and the launch of LockBit’s bug bounty program, which rewards its affiliates — we expect the LockBit ransomware group to be even more active in the coming days.” concludes the report. “We advise organizations and end users to be wary of this new variant, especially since the bug bounty program might help the operators in making their ransomware an even more formidable one.”
The post The strange similarities between Lockbit 3.0 and Blackmatter ransomware appeared first on Security Affairs.
Reuters reports on a rather worrying practice: (…) a facial recognition system, sold by the surveillance company Facewatch, creates a biometric profile of every visitor to the shops in which the cameras are installed, allowing the Southern Cooperative chain to build a “blacklist” of customers. If a customer on the list enters a shop, the staff are alerted. It outlines how the...
The article „Pani tutaj nie obsługujemy!” – kamery rozpoznające twarze konkretnych osób w sieci handlowej w UK. comes from the Sekurak site.
Another piece of malware that survives operating system reinstalls. Targets: Russia/China/Vietnam/Iran. [UEFI firmware rootkit]
The topic of “invisible” backdoors is not new, but wider adoption of this kind of software is unfortunately probably close. This time we learn (https://securelist[.]com/cosmicstrand-uefi-firmware-rootkit/106973/) about a probably Chinese crew that exploits a single vulnerability in Gigabyte / ASUS motherboard drivers: The rootkit is located in the firmware images of Gigabyte or ASUS...
Details of the vulnerability are available here: An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device. So, as you can see...
The article CVE-2022-0342: ominięcie logowania na firewallach Zyxela. Absurdalnie prosty trick… comes from the Sekurak site.
Security expert ProxyLife and Cyble researchers recently uncovered a Qakbot campaign that was leveraging the Windows 7 Calculator app for DLL side-loading attacks. Dynamic-link library (DLL) side-loading is an attack method that takes advantage of how Microsoft Windows applications locate and load DLL files. In such attacks, malware places a spoofed malicious DLL file in a Windows WinSxS directory so that the operating system loads it instead of the legitimate file.
According to the researcher, the operators have been using this technique since at least July 11.
Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware spreads via malspam campaigns that insert replies into active email threads.
Cyble experts, who started their investigation from the IoCs shared by ProxyLife, analyzed the attack chain employed in the latest Qakbot attacks.
#Qakbot – obama201 – html > .zip > .iso > .lnk > calc.exe > .dll > .dll
T1574 – DLL Search Order Hijacking
cmd.exe /q /c calc.exe
regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll
In this campaign, the spam message contains an HTML file that embeds base64-encoded images and a password-protected ZIP file. The password-protected ZIP file contains an ISO file (i.e. Report Jul 14 47787.iso), and the password for opening it is given in the HTML file. The use of password-protected ZIP files is a common technique adopted by threat actors to evade detection.
Once the ISO image file is clicked, it is mounted and shows a .lnk file masquerading as a PDF file. If the victim opens the .lnk file, the Qakbot infection process starts.
The ISO file contains four different files:
- a .lnk file
- a legitimate calc.exe
The .LNK file appears as a PDF containing information of interest to the victims, but the shortcut points to the Calculator app in Windows. Upon execution, the Windows 7 Calculator automatically attempts to load the legitimate WindowsCodecs DLL; because it loads any DLL with that name placed in the same folder as the calc.exe executable, the result is the execution of the malicious DLL.
“In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe.” reads the analysis published by Cyble. “Upon executing the calc.exe, it further loads WindowsCodec.dll and executes the final Qakbot payload using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all the malicious activities.”
The threat actors bundle the Windows 7 version of the DLL because the attack doesn’t work against Windows 10 Calc.exe and later.
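The side-loading chain above (a system DLL name loaded from a non-system directory, followed by regsvr32 registering a DLL from a user-writable Temp path) can be checked from endpoint telemetry. The following is an added defensive example, not code from Cyble or the original post: it runs two simple detection rules over constructed image-load and process-creation records of the kind an EDR or Sysmon (events 7 and 1) would emit. The allowlist of system DLL names, the event layout and the sample paths are assumptions made for the illustration.

```python
"""Flag DLL side-loading indicators in constructed endpoint telemetry records."""
from pathlib import PureWindowsPath

# Assumption: short illustrative list of DLL names Windows ships in its system
# directories; a copy of one of these loaded from elsewhere is suspicious.
SYSTEM_DLLS = {"windowscodecs.dll", "version.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Directories a standard user can write to; regsvr32 loading from here is unusual.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")


def is_system_path(path):
    """True if the Windows path lies under one of the OS system directories."""
    return path.lower().startswith(SYSTEM_DIRS)


def check_image_load(process, loaded_dll):
    """Return an alert string if `loaded_dll` looks side-loaded into `process`, else None."""
    name = PureWindowsPath(loaded_dll).name.lower()
    if name in SYSTEM_DLLS and not is_system_path(loaded_dll):
        return (f"possible DLL side-loading: {PureWindowsPath(process).name} loaded "
                f"{name} from {PureWindowsPath(loaded_dll).parent}")
    return None


def check_process_create(image, cmdline):
    """Return an alert string if regsvr32 registers a DLL from a user-writable path."""
    if PureWindowsPath(image).name.lower() != "regsvr32.exe":
        return None
    if any(marker in cmdline.lower() for marker in USER_WRITABLE_MARKERS):
        return f"regsvr32 registering DLL from user-writable path: {cmdline}"
    return None


# Constructed sample telemetry: a benign Calculator start, the mounted-ISO
# side-load, and the follow-on regsvr32 call from %TEMP%.
EVENTS = [
    {"type": "image_load", "image": "C:\\Windows\\System32\\calc.exe",
     "loaded": "C:\\Windows\\System32\\WindowsCodecs.dll"},
    {"type": "image_load", "image": "D:\\calc.exe",
     "loaded": "D:\\WindowsCodecs.dll"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32 /s C:\\Users\\User\\AppData\\Local\\Temp\\WindowsCodecs.dll"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32 /s C:\\Windows\\System32\\msxml3.dll"},
]


def scan(events):
    """Apply both rules to a list of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        if ev["type"] == "image_load":
            alert = check_image_load(ev["image"], ev["loaded"])
        else:
            alert = check_process_create(ev["image"], ev["cmdline"])
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan(EVENTS):
        print(line)
```

The first rule keys on the DLL name rather than the host process, so it also catches the same trick applied to other signed executables; the second rule is deliberately narrow, since regsvr32 loading from Temp is rare in normal administration but common in loader chains.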
Cyble shared MITRE ATT&CK® Techniques and Indicators of Compromise (IoCs).
The post Threat actors leverages DLL-SideLoading to spread Qakbot malware appeared first on Security Affairs.
Threat actors are targeting websites using the open source e-commerce platform PrestaShop by exploiting a zero-day flaw, tracked as CVE-2022-36408, that can allow attackers to execute arbitrary code and potentially steal customers’ payment information.
PrestaShop is currently used by 300,000 shops worldwide and is available in 60 different languages.
The vulnerability affects PrestaShop versions 1.6.0.10 or later and versions 1.7.8.2 or later running modules vulnerable to SQL injection (i.e. the Wishlist 2.0.0 to 2.1.0 module).
“The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information.” reads the advisory published by the maintainers at PrestaShop. “While investigating this attack, we found a previously unknown vulnerability chain that we are fixing.”
Threat actors are targeting online shops running outdated software or modules, or third-party modules affected by known vulnerabilities or zero-day flaws.
Below is the attack chain reconstructed by the experts investigating the attacks:
- The attacker submits a POST request to the endpoint vulnerable to SQL injection.
- After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
- The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.
Once the attackers have taken over the online store, they inject a fake payment form into the front-office checkout page to steal credit card information when visitors make purchases.
The researchers provided indicators of compromise for these attacks, such as the activation of the MySQL Smarty cache storage.
“Be aware that not finding this pattern on your logs doesn’t necessarily mean that your shop has not been affected by the attack: the complexity of the exploit means that there are several ways of performing it, and attackers might also try and hide their tracks.” concludes the report.
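The three-step chain above has a recognisable shape in web server access logs: a POST from one client, a parameterless GET of the homepage about a second later, then a GET of the newly created blm.php. The following is an added example, not code from PrestaShop or the original post, that looks for that sequence per client IP in constructed Apache-style log lines. The vulnerable module endpoint is not named on the page, so the path /module/example-vulnerable-module/ajax is a placeholder, and the time window is an assumption. In line with the maintainers' warning, a clean result from this check does not prove a shop is unaffected; it is one heuristic, so any request to the dropped file is reported on its own as well.

```python
"""Look for the PrestaShop webshell-drop request sequence in access log lines."""
import re
from datetime import datetime, timedelta

# Apache/nginx combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_webshell_drops(lines, dropped="/blm.php", window=timedelta(seconds=5)):
    """Return (ip, trigger_path, reason) tuples for clients matching the chain.

    Chain: POST to any endpoint, then GET / with no parameters and a GET of the
    dropped file, both within `window` of the POST.  Any other request to the
    dropped file is reported separately, since the page notes the exploit can be
    performed in several ways.
    """
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip.setdefault(rec["ip"], []).append(rec)

    findings = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        matched_chain = False
        for i, r in enumerate(reqs):
            if r["method"] != "POST":
                continue
            later = [x for x in reqs[i + 1:] if x["ts"] - r["ts"] <= window]
            hit_home = any(x["method"] == "GET" and x["path"] == "/" for x in later)
            hit_drop = any(x["path"].split("?")[0] == dropped for x in later)
            if hit_home and hit_drop:
                findings.append((ip, r["path"], "POST, GET /, GET of dropped file within window"))
                matched_chain = True
        if not matched_chain and any(x["path"].split("?")[0] == dropped for x in reqs):
            findings.append((ip, dropped, "request to dropped file without the full chain"))
    return findings


# Constructed sample log: one client performs the chain, one browses normally,
# one only touches the dropped file.  Paths and addresses are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jul/2022:10:15:01 +0000] "POST /module/example-vulnerable-module/ajax HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Jul/2022:10:15:02 +0000] "GET / HTTP/1.1" 200 23411',
    '203.0.113.5 - - [20/Jul/2022:10:15:03 +0000] "GET /blm.php HTTP/1.1" 200 120',
    '198.51.100.7 - - [20/Jul/2022:10:16:00 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 30001',
    '198.51.100.7 - - [20/Jul/2022:10:16:40 +0000] "POST /index.php?controller=cart HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Jul/2022:10:16:41 +0000] "GET /index.php?controller=cart HTTP/1.1" 200 18000',
    '192.0.2.9 - - [21/Jul/2022:03:00:00 +0000] "GET /blm.php?x=1 HTTP/1.1" 200 120',
]


if __name__ == "__main__":
    for ip, path, reason in find_webshell_drops(SAMPLE_LOG):
        print(f"{ip}\t{path}\t{reason}")
```

Grouping by client address keeps the check cheap on large logs, and matching on the bare path (query string stripped) means a later visit to the shell with parameters is still caught. Treat any hit as a reason to check the document root for unexpected PHP files and the checkout template for injected forms, not as proof on its own.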
Admins have to install PrestaShop version 1.7.8.7.
The post Zero Day attacks target online stores using PrestaShop appeared first on Security Affairs.
Researchers from Kaspersky have spotted a UEFI firmware rootkit, named CosmicStrand, which has been attributed to an unknown Chinese-speaking threat actor. This malware was first spotted by Chinese firm Qihoo360 in 2017.
The researchers were not able to determine the initial attack vector, but the analysis of the malicious code allowed the experts to discover which devices can be infected by CosmicStrand. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, which are related to designs using the H81 chipset. The researchers speculate that a common vulnerability exists that was exploited by the attackers to inject the rootkit into the firmware image.
“In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.” reads the analysis published by the experts. “Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.”
The researchers believe that the attackers could have used a precursor malware implant to inject the rootkit or may have had physical access to the target device.
The infection process aims at tampering with the OS loader to set up another hook in a function of the Windows kernel. Once this function is called during the normal bootstrap procedure of the OS, the malware takes control of the execution flow one last time.
The malicious code injects a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the target machine.
CosmicStrand retrieves the final payload by sending a specifically crafted UDP (preferably) or TCP packet to the C2 server (update.bokts[.]com), which in turn replies with one or several packets containing chunks of 528 bytes with a specific structure. The chunks are then reassembled into a series of bytes that are mapped into kernel space and interpreted as shellcode.
The victims identified by the researchers are private individuals located in China, Vietnam, Iran, and Russia, with no link with any organization or industry vertical.
“CosmicStrand is a sophisticated UEFI firmware rootkit that allows its owners to achieve very durable persistence: the whole lifetime of the computer, while at the same time being extremely stealthy. It appears to have been used in operation for several years, and yet many mysteries remain.” concludes the report. “How many more implants and C2 servers could still be eluding us? What last-stage payloads are being delivered to the victims? But also, is it really possible that CosmicStrand has reached some of its victims through package “interdiction”? In any case, the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later.”
The post CosmicStrand, a new sophisticated UEFI firmware rootkit linked to China appeared first on Security Affairs.
Claroty researchers discovered two vulnerabilities in the FileWave MDM product that exposed more than one thousand organizations to cyber attacks. FileWave MDM is used by organizations to view and manage device configurations, locations, security settings, and other device data. An organization may use the MDM platform to push mandatory software and updates to devices, change device settings, lock, and, when necessary, remotely wipe devices.
The now patched vulnerabilities are an authentication bypass issue tracked as CVE-2022-34907 and a hardcoded cryptographic key tracked as CVE-2022-34906. Both issues reside in FileWave MDM before version 14.6.3 and in 14.7.x prior to 14.7.2. FileWave addressed the vulnerabilities in version 14.7.2 earlier this month.
A remote attacker can trigger the vulnerabilities to bypass authentication and gain full control over the MDM platform and its managed devices.
The authentication bypass vulnerability can allow a remote attacker to achieve “super_user” access and take full control of the MDM install, then use it to manage any device of the target organization.
“During our research, we were able to identify a critical flaw in the authentication process of the FileWave MDM product suite, allowing us to create an exploit that bypasses authentication requirements in the platform and achieve super_user access, (the platform’s most privileged user).” reads the analysis published by Claroty. “By exploiting this authentication bypass vulnerability, we were able to take full control over any internet-connected MDM instance.”
The researchers discovered more than 1,100 organizations in multiple industries using the flawed MDM.
In order to demonstrate the CVE-2022-34907 flaw, the experts created a standard FileWave setup and enrolled 6 devices of their own. They used the vulnerability to leak data about all of the devices managed by that instance of the MDM server.
“Lastly, using regular MDM functionality which allows IT administrators to install packages and software on managed devices, we installed malicious packages on each controlled device, popping a fake ransomware virus on each of those managed devices. Doing so, we demonstrated how a potential attacker can leverage Filewave’s capabilities in order to take control over different managed devices.” reads the post published by Claroty.
The researchers demonstrated how to exploit the flaw to install ransomware on the devices managed by an instance that they had compromised.
“This exploit, if used maliciously, could allow remote attackers to easily attack and infect all internet-accessible instances managed by the FileWave MDM, below, allowing attackers to control all managed devices, gaining access to users’ personal home networks, organizations’ internal networks, and much more,” concludes Claroty.
The post Flaws in FileWave MDM could have allowed hacking +1000 organizzations appeared first on Security Affairs.