A few 0-days put into action by a Pegasus competitor. It started with the infection of a news site…
This concerns a little-known outfit codenamed Candiru. Incidentally, for the attackers themselves it is of course more convenient to stay in the shadows than to be in the spotlight like, say, NSO, the maker of Pegasus. But getting down to specifics: Avast reports on a targeted hacking campaign it detected that uses several really interesting techniques. Technique one...
Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by the Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day.
The flaw, fixed by Google on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it is the fourth zero-day patched by Google in 2022.
Most of the attacks uncovered by Avast researchers took place in Lebanon, where the threat actors used multiple attack chains to target journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.
In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.
Code injected into the compromised site was used to route the victims to the exploit server through a chain of domains under the attacker's control.
Once the victim lands on the exploit server, the code developed by Candiru gathers more information about the target system, and the exploit is used to deliver the spyware only if the collected data satisfies the exploit server's checks.
“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”
The zero-day was chained with a sandbox escape exploit, which the experts were not able to recover because of the protections implemented by the malware.
After getting a foothold on the victim's machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day. The malicious software targets a legitimate signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion. In order to exploit the driver, it first has to be dropped to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys); experts pointed out that this could be used as an indicator of compromise.
“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.
(SecurityAffairs – hacking, Candiru)
The post Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists appeared first on Security Affairs.
They hacked Ukraine's largest radio company and broadcast fake news about President Zelensky's critical health condition.
The Kyiv Independent reports on a still-fresh story: on July 21 hackers attacked one of Ukraine's largest radio networks, TavrMedia, broadcasting false reports about alleged health problems of President Volodymyr Zelensky. Unidentified hackers spread reports that Zelensky was in intensive care and that his duties were temporarily being performed by the chairman of the Ukrainian parliament, Ruslan Stefanchuk. Hackers...
A threat actor, tracked as TA4563, leverages the EvilNum malware to target European financial and investment entities, Proofpoint reported. The group focuses on entities with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi).
EvilNum is a backdoor that allows attackers to steal data and load additional payloads; it implements multiple components to evade detection.
The TA4563 group has been targeting various entities in Europe since late 2021.
Proofpoint researchers state that their analysis overlaps with EvilNum activity publicly reported by Zscaler in June 2022.
The analysis of a campaign that started in December 2021 revealed that the attackers used messages purporting to relate to financial trading platform registration or related documents. The attackers also used weaponized Microsoft Word documents to install an updated version of the EvilNum backdoor.
In early 2022, the threat actors continued to target European financial entities but used different techniques. The malspam messages attempted to deliver multiple OneDrive URLs that contained either an ISO or .LNK attachment.
In other campaigns, the messages were delivering a compressed .LNK file.
In mid-2022, the threat actors changed their technique again and started delivering Microsoft Word documents that attempt to download a remote template to start the EvilNum infection.
“EvilNum malware and the TA4563 group pose a risk to financial organizations. Based on Proofpoint analysis, TA4563’s malware is under active development. Although Proofpoint did not observe follow-on payloads deployed in identified campaigns, third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware including tools available via the Golden Chickens malware-as-a-service.” concludes the report. “TA4563 has adjusted their attempts to compromise the victims using various methods of delivery, whilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts.”
(SecurityAffairs – hacking, TA4563)
The post TA4563 group leverages EvilNum malware to target European financial and investment entities appeared first on Security Affairs.
Researchers from Cisco Talos discovered an uncommon piece of malware that was employed in an attack against a large Ukrainian software development company.
The software development company produces software that is used by various state organizations in Ukraine.
Researchers believe that the attackers could be linked to Russia and targeted the firm in an attempt to conduct a supply chain attack. At this time, it is not clear whether the attack was successful. The analysis of the malicious code revealed that it is a slightly modified version of the “GoMet” open-source backdoor.
Talos researchers pointed out that there are only two documented cases of this backdoor being used by advanced threat actors. The first took place in 2020, when threat actors dropped this backdoor after compromising a network by exploiting the CVE-2020-5902 vulnerability in F5 BIG-IP. The second occurred recently, when the attackers deployed the malware after successfully exploiting the CVE-2022-1040 vulnerability in Sophos Firewall.
The original GoMet was published on GitHub on March 31, 2019; it received commits until April 2, 2019, and the author has not added any features since its first appearance.
“The backdoor itself is a rather simple piece of software written in the Go programming language. It contains nearly all the usual functions an attacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS) or architectures (amd64, arm, etc.). GoMet supports job scheduling (via Cron or task scheduler depending on the OS), single command execution, file download, file upload or opening a shell.” reads the analysis published by Talos. “An additional notable feature of GoMet lies in its ability to daisy chain — whereby the attackers gain access to a network or machine and then use that same information to gain access to multiple networks and computers — connections from one implanted host to another. Such a feature could allow for communication out to the internet from otherwise completely “isolated” hosts.”
The researchers noticed that the attackers had modified the version employed in the attack: in particular, the cronjob was configured to run every two seconds instead of every hour. The change prevents an hour-long sleep if the connection fails.
Another change concerns what the malware does when the C2 is unreachable: it sleeps for a random amount of time between five and 10 minutes.
Talos researchers found two samples of this backdoor that have minor differences but likely share the same source code.
“The malicious activity we detected included a fake Windows update scheduled tasks created by the GoMet dropper. Additionally, the malware used a somewhat novel approach to persistence. It enumerated the autorun values and, instead of creating a new one, replaced one of the existing goodware autorun executables with the malware. This potentially could avoid detection or hinder forensic analysis.” continues the report.
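The autorun swap described in the report is hard to spot by looking at autorun names or paths alone, because both stay the same; only the file content changes. The following is an added defensive illustration, not code from Talos or from the GoMet project: it takes a hash baseline of autorun targets and later classifies each entry as new, moved, replaced or unchanged. The files live in a temporary directory and are constructed for the demo; enumerating real Windows autorun registry keys and sourcing the baseline from a golden image are assumptions left outside the script.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(entries):
    """entries: autorun name -> target path. Returns name -> (path, sha256)."""
    return {name: (path, sha256_of(path)) for name, path in entries.items()}


def check_autoruns(baseline, current):
    """
    Compare the current autorun entries (name -> path) against the baseline.
    Verdicts:
      'new'      - autorun name absent from the baseline (classic added entry)
      'moved'    - same name, but the target path changed
      'replaced' - same name and path, but the file content hash differs
                   (the in-place swap of a goodware binary seen with GoMet)
      'ok'       - unchanged
    """
    findings = []
    for name, path in current.items():
        if name not in baseline:
            findings.append((name, "new"))
            continue
        base_path, base_hash = baseline[name]
        if path != base_path:
            findings.append((name, "moved"))
        elif sha256_of(path) != base_hash:
            findings.append((name, "replaced"))
        else:
            findings.append((name, "ok"))
    return findings


def demo():
    """
    Constructed scenario: two benign autorun binaries are baselined, then one of
    them is overwritten in place (same autorun value, same path, new content).
    Returns name -> verdict.
    """
    d = tempfile.mkdtemp()
    updater = os.path.join(d, "updater.exe")
    agent = os.path.join(d, "agent.exe")
    with open(updater, "wb") as f:
        f.write(b"MZ constructed goodware updater")
    with open(agent, "wb") as f:
        f.write(b"MZ constructed goodware agent")
    baseline = build_baseline({"Updater": updater, "Agent": agent})

    # Simulated persistence step: the existing autorun target is overwritten.
    with open(updater, "wb") as f:
        f.write(b"MZ constructed replacement payload")

    current = {"Updater": updater, "Agent": agent}
    return dict(check_autoruns(baseline, current))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the `replaced` verdict is that a name-and-path diff of autorun entries, which many inventory tools produce, reports nothing for this technique; only content hashing (or signature verification of the target binary) exposes it.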
The samples detected by Talos have the IP address of the C2 hardcoded (111.90.139[.]122) and contact it via HTTPS on the default port.
The server uses a self-signed certificate that was issued on April 4, 2021.
“In this instance, we saw a software company targeted with a backdoor designed for additional persistent access. We also observed the threat actor take active steps to prevent detection of their tooling by obfuscating samples and utilizing novel persistence techniques. This access could be leveraged in a variety of ways, including deeper access or launching additional attacks, including the potential for software supply chain compromise.” concludes the report. “It’s a reminder that although the cyber activities haven’t necessarily risen to the level many have expected, Ukraine is still facing a well-funded, determined adversary that can inflict damage in a variety of ways — this is just the latest example of those attempts.”
(SecurityAffairs – hacking, Ukraine)
The post Threat actors target software firm in Ukraine using GoMet backdoor appeared first on Security Affairs.
Researchers from Intezer discovered previously undetected malware, tracked as Lightning Framework, that targets Linux systems. The malicious code has a modular structure and is able to install rootkits.
“Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.” reads the report published by the experts. “It is rare to see such an intricate framework developed for targeting Linux systems.”
The Lightning Framework can install multiple types of rootkit and run different plugins. It is also able to open SSH on an infected machine.
The framework is composed of a downloader and a core module; it can expand its capabilities using a number of plugins, some of them open-source tools.
The main function of the downloader is to fetch the other components and execute the core module. The core module was designed to receive commands from the Command and Control (C2) server and execute the plugins.
This malware has yet to be spotted in the wild, and some of its components (referenced in the source code) have yet to be found and analyzed.
The malware uses typosquatting to avoid detection: for example, the downloader masquerades as the Seahorse GNOME password and encryption key manager.
Both the Core and Downloader modules communicate with the C2 over TCP sockets, exchanging data in JSON structures.
“The C2 is stored in a polymorphic encoded configuration file that is unique for every single creation. This means that configuration files will not be able to be detected through techniques such as hashes. The key is built into the start of the encoded file.” reads the analysis.
The framework can also use a passive mode of communication if the operator executes the RunShellPure command. This starts an SSH service on the infected machine using the Linux.Plugin.Lightning.Sshd plugin, an OpenSSH daemon with hardcoded private and host keys. The operators can then open SSH into the infected machine using their own SSH key.
Experts noticed that the malware also hides its presence by timestomping, i.e. modifying the timestamps of its malicious artifacts. The files have their last modified time edited to match that of whoami, find, or su. The framework also hides its process ID (PID) and any related network ports using one of the rootkits it can deploy.
The core module achieves persistence by creating a script named elastisearch in /etc/rc.d/init.d/ that is executed on system boot. The name appears to typosquat elasticsearch.
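Two of the evasion tricks above leave a checkable trace: a dropped file whose mtime is copied from whoami, find or su will share an exact timestamp with a system utility, and an init script named after a legitimate service with one letter changed is a near-miss string match. The script below is an added example, not Intezer's code or part of the malware analysis: it runs an mtime-clone check and a lookalike-name check over a constructed temporary directory. The reference file names, the fixed timestamp, the "seahorse" and "notes.txt" artefacts and the list of legitimate service names are all constructed for the demo.

```python
import difflib
import os
import tempfile


def mtimes_of(paths):
    """Map each existing path to its last-modified time in seconds (float)."""
    return {p: os.stat(p).st_mtime for p in paths if os.path.exists(p)}


def find_mtime_clones(candidates, references, tolerance=0.0):
    """
    Timestomping check: return (candidate, reference) pairs where a candidate
    file's mtime matches a reference binary's mtime within `tolerance` seconds.
    Unrelated files very rarely share an exact mtime with a system utility.
    """
    ref = mtimes_of(references)
    hits = []
    for path in candidates:
        if not os.path.exists(path):
            continue
        mt = os.stat(path).st_mtime
        for rpath, rmt in ref.items():
            if abs(mt - rmt) <= tolerance:
                hits.append((path, rpath))
                break
    return hits


def find_lookalike_names(names, legit_names, cutoff=0.85):
    """
    Typosquat check: flag names that are very similar to, but not equal to,
    a legitimate service name (e.g. 'elastisearch' vs 'elasticsearch').
    difflib's ratio() is 2*matches/total_length, so one dropped letter in a
    13-character name scores 0.96.
    """
    hits = []
    for name in names:
        for legit in legit_names:
            ratio = difflib.SequenceMatcher(None, name, legit).ratio()
            if name != legit and ratio >= cutoff:
                hits.append((name, legit))
    return hits


def demo():
    """Build a constructed directory layout and run both checks over it."""
    d = tempfile.mkdtemp()
    t_ref = 1_600_000_000  # constructed mtime shared by the reference binaries
    refs = []
    for name in ("whoami", "find", "su"):
        p = os.path.join(d, name)
        open(p, "wb").close()
        os.utime(p, (t_ref, t_ref))
        refs.append(p)

    # Constructed artefacts: one timestomped to match the references, one not.
    dropped = os.path.join(d, "seahorse")
    open(dropped, "wb").close()
    os.utime(dropped, (t_ref, t_ref))
    normal = os.path.join(d, "notes.txt")
    open(normal, "wb").close()
    os.utime(normal, (t_ref + 86400, t_ref + 86400))

    clones = find_mtime_clones([dropped, normal], refs)
    # Constructed init.d listing checked against a constructed allow-list.
    lookalikes = find_lookalike_names(
        ["elastisearch", "sshd", "elasticsearch"],
        ["elasticsearch", "sshd", "crond"],
    )
    return {
        "timestomped": [os.path.basename(c) for c, _ in clones],
        "lookalikes": lookalikes,
    }


if __name__ == "__main__":
    print(demo())
```

On a live system the candidate set would be the contents of /etc/rc.d/init.d/ and recently created executables, and the reference set the real /usr/bin/whoami, /usr/bin/find and /bin/su; the `tolerance` parameter exists because some filesystems truncate timestamps to whole seconds.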
“The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux. Although we do not have all the files, we can infer some of the missing functionality based on strings and code of the modules that we do possess.” concludes the report.
(SecurityAffairs – hacking, Zyxel)
The post Lightning Framework, a previously undetected malware that targets Linux systems appeared first on Security Affairs.
Atlassian released security updates to address a critical hardcoded credentials vulnerability in Confluence Server and Data Center tracked as CVE-2022-26138.
A remote, unauthenticated attacker can exploit the vulnerability to log into unpatched servers.
Once the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) is installed, a Confluence user account with the username “disabledsystemuser” is created.
According to Atlassian, the account allows administrators to migrate data from the app to Confluence Cloud. The bad news is that the account is created with a hard-coded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.
“When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.” reads the advisory published by Atlassian. “A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the group has access to.”
The affected versions are:
- Questions for Confluence 2.7.x: 2.7.34, 2.7.35
- Questions for Confluence 3.0.x: 3.0.2
The company pointed out that uninstalling the Questions for Confluence app does not fix this vulnerability, because the disabledsystemuser account is not removed when the app is uninstalled. Admins of affected Confluence Server or Data Center instances can remediate it with one of the following actions:
- Option 1: Update to a non-vulnerable version of Questions for Confluence
- Option 2: Disable or delete the disabledsystemuser account
The good news is that Atlassian is not aware of attacks in the wild exploiting this vulnerability.
To determine whether someone has used the hardcoded password to log into the disabledsystemuser account, admins can get a list of users’ last logon times: if the last authentication time for the hardcoded account is null, the account was never used to access the instance.
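The remediation and verification steps above combine into a small triage decision: is the installed app version one of the three affected builds, does the account exist (it survives an uninstall), is it active and in confluence-users, and has it ever authenticated. The helper below is an added example, not Atlassian's code or tooling, that applies that logic to a user-directory export. The export format, the `active`/`groups`/`last_login` field names and the sample users are constructed assumptions; only the affected version numbers, the account name and the group name come from the advisory.

```python
# Values taken from the advisory text on this page.
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
HARDCODED_ACCOUNT = "disabledsystemuser"
RISKY_GROUP = "confluence-users"


def app_version_is_affected(version):
    """True if the installed Questions for Confluence build is one of the affected ones."""
    return version is not None and version.strip() in AFFECTED_VERSIONS


def triage(app_version, users):
    """
    app_version: installed Questions for Confluence version, or None if uninstalled.
    users: list of dicts {"username", "active", "groups", "last_login"} in a
           constructed export format (real user-directory exports differ).
    Returns the evidence collected plus a 'status' line for the admin.
    """
    account = next((u for u in users if u["username"] == HARDCODED_ACCOUNT), None)
    findings = {
        "affected_app_version": app_version_is_affected(app_version),
        "account_present": account is not None,
        "account_active": bool(account and account.get("active")),
        "in_confluence_users": bool(account and RISKY_GROUP in account.get("groups", [])),
        "last_login": account.get("last_login") if account else None,
    }
    if findings["last_login"] is not None:
        # A non-null last authentication time means the account has been used.
        findings["status"] = "investigate: hardcoded account has authenticated"
    elif findings["account_active"]:
        # Uninstalling the app does not remove the account, so this branch is
        # reached even when app_version is None.
        findings["status"] = "remediate: disable or delete the account"
    elif findings["account_present"]:
        findings["status"] = "account present but disabled; update the app"
    else:
        findings["status"] = "not exposed"
    return findings


# Constructed sample: the app was uninstalled (version None) but the account
# it created is still active and has never logged in.
SAMPLE_USERS = [
    {"username": "alice", "active": True, "groups": ["confluence-users"],
     "last_login": "2022-07-20T09:12:00Z"},
    {"username": "disabledsystemuser", "active": True, "groups": ["confluence-users"],
     "last_login": None},
]


if __name__ == "__main__":
    for key, value in triage(None, SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

The ordering of the branches matters: a logged-in hardcoded account is an incident question first and a patching question second, which is why the `last_login` check comes before the version and group checks.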
(SecurityAffairs – hacking, Atlassian)
The post Atlassian patched a critical Confluence vulnerability appeared first on Security Affairs.
MS Office macros are probably one of the more frequently used features in phishing attacks. Malicious macros can fairly easily give attackers a foothold in the victim's network. And from there it's all downhill: the whole network may get infected. We reported on the planned default disabling of macros in February, but not everything went entirely smoothly. Microsoft announced...
The article Microsoft will (after all) block Office macros shortly [files originating from the Internet] comes from the Sekurak website.
Apple released security updates to fix 37 vulnerabilities impacting iOS, iPadOS, macOS, tvOS, and watchOS devices. The flaws addressed by Apple can lead to arbitrary code execution, privilege escalation, denial-of-service (DoS), and information disclosure.
Below is the list of Apple security updates (name, available for, release date):
- Safari 15.6: macOS Big Sur and macOS Catalina, 20 Jul 2022
- watchOS 8.7: Apple Watch Series 3 and later, 20 Jul 2022
- Security Update 2022-005 Catalina: macOS Catalina, 20 Jul 2022
- macOS Big Sur 11.6.8: macOS Big Sur, 20 Jul 2022
- macOS Monterey 12.5: macOS Monterey, 20 Jul 2022
- tvOS 15.6: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD, 20 Jul 2022
One of the most severe issues addressed by the IT giant is a heap buffer overflow tracked as CVE-2022-2294. The vulnerability resides in the Web Real-Time Communications (WebRTC) component and was discovered by Google researchers, who confirmed it is actively exploited in the wild in attacks aimed at Chrome users.
The vulnerability was reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01.
Another arbitrary code execution issue addressed by the company with the release of Safari 15.6 is:
- CVE-2022-32792 – An out-of-bounds write issue was addressed with improved input validation.
The company also addressed several arbitrary code execution flaws impacting Neural Engine, Audio, GPU Drivers, ImageIO, and Kernel.
Users should upgrade their devices by installing iOS 15.6, iPadOS 15.6, macOS (Monterey 12.5, Big Sur 11.6.8, and 2022-005 Catalina), tvOS 15.6, and watchOS 8.7.
(SecurityAffairs – hacking, arbitrary code execution)
The post Apple fixes multiple flaws in iOS, iPadOS, macOS, tvOS, and watchOS devices appeared first on Security Affairs.
A hardcoded password in one of the Confluence plugins. It gives unauthenticated access to all data. CVE-2022-26138
This looks a bit like a backdoor: the problem is in the Questions for Confluence plugin, and Atlassian describes it as follows: The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password...