Cyber Security News
Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert, and 0mega.
RedAlert (aka N13V) targets both Windows and Linux VMware ESXi servers of target organizations. The name RedAlert comes from a string with the same name in the ransom note. Unlike other ransomware operations, RedAlert only accepts ransom payments in Monero.
RedAlert is human-operated ransomware that uses the NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited set of file types, including log files (.log), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn) and memory files (.vmem) of VMware ESXi virtual machines. It appends a “.crypt[Random number]” extension to the filenames of encrypted files.
The Lilith ransomware is written in C/C++ and targets 64-bit Windows systems. The malware appends the “.lilith” extension to the filenames of encrypted files. The threat actors behind this operation adopt a double extortion model.
“Upon execution, Lilith ransomware initially searches for a list of hardcoded processes in the file and terminates its execution if any of them are running on the target’s machine. This step ensures that these processes do not block access to the files to be encrypted.” reads the analysis published by Cyble. “The ransomware searches for files to encrypt on the local system by enumerating the file directories using FindFirstFileW() and FindNextFileW() API functions. It ignores the file extensions such as EXE, DLL, and SYS and excludes a list of directory and file names from the encryption process.”
The Lilith ransomware encrypts files using a set of cryptographic APIs and a random key generated locally.
The 0mega ransomware is also targeting organizations worldwide using a double-extortion model.
The ransomware operation has been active at least since May 2022 and already claimed to have breached multiple organizations.
Victims of the ransomware reported that the malware adds the .0mega extension to the names of encrypted files and creates a customized ransom note named DECRYPT-FILES.txt for each victim.
In some cases the operators behind this ransomware included in the ransom note details on how to disclose the attack to business partners and trade associations if the victim does not pay the ransom. Source: https://id-ransomware.blogspot.com/2022/05/0mega-ransomware.html
Like other ransomware gangs, the operators use a payment negotiation site hosted on the Tor network.
Victims can contact the operators via the negotiation site by uploading the ransom note dropped on their systems; the note includes a unique identifier.
“Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by TAs besides implementing the requisite security best practices and security controls. Ransomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and lost productivity. If the victim is unable or unwilling to pay the ransom, the TAs may leak or sell this data online, compromising sensitive user data for businesses and individuals and resulting in a loss of reputation for the affected organization(s).” concludes Cyble. “Throughout 2021 and 2022, we have observed record levels of ransomware activity. While notable examples of this are rebrands of existing groups, newer groups like LILITH, RedAlert, and 0mega are also proving to be potent threats.”
(SecurityAffairs – hacking, ransomware)
The post RedAlert, LILITH, and 0mega, 3 new ransomware in the wild appeared first on Security Affairs.
In June 2022, DDoS mitigation firm Cloudflare announced that it had mitigated the largest HTTPS DDoS attack, which was launched by a botnet it has called Mantis.
The Mantis botnet generated 26 million requests per second using approximately 5,000 hijacked virtual machines and powerful servers.
“The Mantis botnet was able to generate the 26M HTTPS requests per second attack using only 5,000 bots. I’ll repeat that: 26 million HTTPS requests per second using only 5,000 bots. That’s an average of 5,200 HTTPS rps per bot. Generating 26M HTTP requests is hard enough to do without the extra overhead of establishing a secure connection, but Mantis did it over HTTPS.” reads a report published by Cloudflare.
Experts consider Mantis an evolution of the Meris botnet, which is composed of MikroTik devices; Mantis, however, includes a variety of VM platforms and supports running various HTTP proxies to carry out the attacks.
Cloudflare reported that Mantis was involved in attacks against one thousand of its customers. Over the past month, Mantis was used to launch over 3,000 HTTP DDoS attacks against Cloudflare customers.
Most of the Mantis attacks targeted organizations in the Internet & Telecommunications industry (36%), followed by News, Media & Publishing industry (15%), Gaming (12%), and Finance (10%).
Most of the targeted organizations are located in the US (20%), followed by Russia-based companies (15%), while less than five percent included Turkey, France, Poland, Ukraine, and more.
Experts consider Mantis the most powerful botnet to date, and for this reason it will likely be involved in many other attacks in the coming months.
(SecurityAffairs – hacking, Mantis)
The post Mantis botnet powered the largest HTTPS DDoS attack in June appeared first on Security Affairs.
ETH Zurich researchers Johannes Wikner and Kaveh Razavi discovered a new vulnerability, dubbed Retbleed, that affects multiple older AMD and Intel microprocessors. An attacker can exploit the flaw to bypass current defenses and carry out Spectre-based attacks.
The Retbleed vulnerability is tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel).
“Retbleed (CVE-2022-29900 and CVE-2022-29901) is the new addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions.” reads the report about this issue. “This means a great deal, since it undermines some of our current Spectre-BTI defenses.”
Experts pointed out that many operating systems use a defense mechanism called retpoline, which works by replacing indirect jumps and calls with returns. Retpolines were first devised in 2018 to prevent Spectre-BTI attacks. The experts discovered that return instructions can themselves be exploited as a vector for speculative execution, because under certain conditions they are predicted like indirect branches.
However, experts discovered that it is possible to exploit Retbleed due to the following issues:
- It is possible to trigger the microarchitectural conditions, on both AMD and Intel CPUs, that force returns to be predicted like indirect branches. The experts developed custom tools to discover locations in the Linux kernel where these conditions are met.
- It is possible to inject branch targets that reside inside the kernel address-space, even as an unprivileged user. Even though we cannot access branch targets inside the kernel address-space — branching to such a target results in a page fault — the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it’s to a kernel address.
“Intel. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation, we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in previous work.” explained the experts. “AMD. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited — and there are tons of them.”
Below is a video PoC of Retbleed leaking kernel memory on Intel and AMD CPUs:
(SecurityAffairs – hacking, chip)
The post The new Retbleed speculative execution attack impacts both Intel and AMD chips appeared first on Security Affairs.
The former CIA programmer Joshua Schulte (33) was found guilty in New York federal court of stealing the agency’s hacking tools and leaking them to WikiLeaks in 2017.
The huge trove of data, called “Vault 7,” exposed the hacking capabilities of the US Intelligence Agency and its internal infrastructure. The archive includes confidential information, malicious codes, and exploits specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.
The arsenal used by the Central Intelligence Agency hackers was composed of hacking tools developed by the CCI’s Engineering Development Group (EDG).
The developers at EDG are tasked with developing and testing all kinds of malicious code, including implants, backdoors, exploits, Trojans and viruses. The CIA has dozens of zero-day exploits in its arsenal that can be used to target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.
In mid-May 2018, both The New York Times and The Washington Post revealed the name of the alleged source of the Vault 7 leak, the man who passed the secret documents to WikiLeaks. According to his LinkedIn profile, Schulte worked for the NSA for five months in 2010 as a systems engineer; after this experience he joined the CIA as a software engineer, and he left the CIA in November 2016.
Schulte was identified a few days after WikiLeaks started leaking the precious dumps.
Schulte was arrested for possession of child pornography; in August 2017 he was charged with three counts of receipt, possession and transportation of child pornography.
The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.
In November 2018, Joshua Adam Schulte faced new charges included in a new indictment filed in Manhattan federal court; he was charged with the unlawful transmission and attempted unlawful transmission of national defense secrets from prison.
In February 2018, the lawyers of the former CIA employee asked the court for a mistrial, claiming that the prosecutors had withheld evidence that could exonerate their client during the trial in the Manhattan federal court.
Schulte has now been convicted, and prosecutors said that the man was aware of the damage his conduct caused to homeland security.
“Joshua Adam Schulte was a CIA programmer with access to some of the country’s most valuable intelligence-gathering cyber tools used to battle terrorist organizations and other malign influences around the globe. When Schulte began to harbor resentment toward the CIA, he covertly collected those tools and provided them to WikiLeaks, making some of our most critical intelligence tools known to the public – and therefore, our adversaries.” states US Attorney Damian Williams after the conviction. “Moreover, Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm. Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history.”
“Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless,” US Attorney Damian Williams said in a statement after the conviction.
The leak had “a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm,” said Williams.
Schulte is also facing pornography charges in a separate trial.
(SecurityAffairs – hacking, Vault7)
The post Former CIA employee Joshua Schulte was convicted of Vault 7 massive leak appeared first on Security Affairs.
Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox.
“Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.” reads the post published by Microsoft.
Microsoft reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. Apple addressed the CVE-2022-26706 flaw on May 16, 2022.
“An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions.” reads the description of this issue.
An attacker can trigger the flaw using a specially crafted Office document containing malicious macro code that bypasses sandbox restrictions and executes commands on the system.
The Apple App Sandbox protects system resources and user data by limiting an app’s access to the resources it requests through entitlements.
Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.
Microsoft researchers demonstrated that specially crafted code could bypass the sandbox rules. An attacker could exploit the sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands, such as installing malicious payloads.
“We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an ‘~$’ prefix.” reads the post. “Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open --stdin command on a specially crafted Python file with the said prefix.”
The root cause of the issue is this backward-compatibility behavior, which allows Microsoft Word to read and write files with the “~$” prefix.
The experts first created a PoC exploit in which a macro launched a shell script with the Terminal app, but it was caught by the sandbox because the script was automatically given the com.apple.quarantine extended attribute, which prevents Terminal from executing it. The experts then tried Python scripts, but the Python app had similar issues running files carrying that attribute.
In one of their attempts, the researchers created a proof-of-concept (PoC) that used the --stdin option of the open command on a Python file to bypass the com.apple.quarantine extended attribute restriction: Python had no way to determine that the contents arriving on its standard input originated from a quarantined file.
“Our POC exploit thus became simply as follows:
- Drop a “~$exploit.py” file with arbitrary Python commands.
- Run open --stdin='~$exploit.py' -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.” continues the post.
The researchers also developed a shorter version of the exploit code that fits in a Twitter post:
(SecurityAffairs – hacking, macOS)
The post Microsoft published exploit code for a macOS App sandbox escape flaw appeared first on Security Affairs.
VMware addressed a high-severity privilege escalation flaw, tracked as CVE-2021-22048 (CVSSv3 base score 7.1), in the IWA (Integrated Windows Authentication) mechanism of vCenter Server, eight months after its disclosure.
The vulnerability can be exploited by an attacker with non-administrative access to vulnerable vCenter Server deployments to elevate privileges to a higher privileged group.
“The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism.” reads the advisory published by the company. “A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.”
The CVE-2021-22048 flaw affects multiple vCenter Server versions, including 6.5, 6.7, and 7.0. VMware addressed the flaw with the release of vCenter Server 7.0 Update 3f, which only fixes the vulnerability for servers running the latest release.
The company provided a workaround for this issue, suggesting switching from Integrated Windows Authentication (IWA) to AD over LDAPS authentication or Identity Provider Federation for AD FS (vSphere 7.0 only).
The CVE-2021-22048 flaw was reported by CrowdStrike researchers Yaron Zinar and Sagi Sheinfeld on November 10th, 2021.
(SecurityAffairs – hacking, privilege escalation)
The post VMware fixed a flaw in vCenter Server discovered eight months ago appeared first on Security Affairs.
Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware spreads via malspam campaigns that insert replies into active email threads.
The threat continues to evolve, implementing new attack vectors to evade detection, Zscaler ThreatLabz researchers warn. The experts spotted a significant uptick in the spread of Qakbot malware over the past six months, using several new techniques.
“Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot.” reads the analysis published by Zscaler. “Other more subtle techniques are being deployed by threat actors to prevent automated detection and raise the odds that their attack will work, including obfuscating code, leveraging multiple URLs to deliver the payload, using unknown file extension names to deliver the payload, and altering the steps of the process by introducing new layers between initial compromise, delivery, and final execution.”
The attacks observed by Zscaler employed malicious messages carrying ZIP archives with embedded files such as Microsoft Office documents, LNK files, and PowerShell scripts.
ThreatLabz reported that the attackers are using various different file names to disguise attachments designed to deliver Qakbot. Common file names used in the recent campaigns combine a description, generated numbers, and dates (e.g., Compensation-1172258432-Feb-16.xlsb, Compliance-Report-1634724067-Mar-22.xlsb). The files also feature common keywords for finance and business operations in an attempt to trick victims into believing that they are everyday business documents.
“Once the user clicks “Enable Content” to view the attachment, the macro is activated to look for a subroutine with a pre-defined function, in this case starting with auto_open777777. In the next step of the sequence, the URLDownloadToFile function is imported and called to download the malicious Qakbot Payload and drop it into the C:\ProgramData\ location on the victim’s machine with the filename .OCX which is actually Qakbot DLL.” continues the analysis. “Then WinAPI EXEC from Excel4Macro directly executes the malicious payload or loads the payload using regsvr32.exe.”
The experts also observed the use of PowerShell to download the malicious code and a switch from regsvr32.exe to rundll32.exe to load the malicious payload, in an attempt to evade detection.
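The delivery chain described above (Excel macro, payload dropped as a .OCX under C:\ProgramData\, loaded by regsvr32.exe or rundll32.exe) is narrow enough to turn into a simple detection rule. The following is an added example, not code from Zscaler or Security Affairs: it runs the rule over constructed process-creation records in an assumed "ParentImage|Image|CommandLine" format, and it treats both EXCEL.EXE and powershell.exe as plausible parents, which is an assumption drawn from the PowerShell stage the article mentions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring test (strcasestr is not standard C). */
static bool contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* One constructed process-creation record, "ParentImage|Image|CommandLine".
 * A simplified stand-in for a Sysmon/EDR event, not a real log format. */
static bool is_qakbot_loader_chain(const char *record) {
    char parent[128], image[128], cmd[512];
    if (sscanf(record, "%127[^|]|%127[^|]|%511[^\n]", parent, image, cmd) != 3)
        return false;
    /* The Excel 4.0 macro (or the assumed PowerShell stage) spawns the loader ... */
    bool stage_parent = contains_ci(parent, "EXCEL.EXE") ||
                        contains_ci(parent, "powershell.exe");
    /* ... the loader is regsvr32.exe or, after the observed switch, rundll32.exe ... */
    bool loader = contains_ci(image, "regsvr32.exe") || contains_ci(image, "rundll32.exe");
    /* ... and it loads a .OCX dropped under the ProgramData directory. */
    bool dropped_ocx = contains_ci(cmd, "\\ProgramData\\") && contains_ci(cmd, ".ocx");
    return stage_parent && loader && dropped_ocx;
}

/* Applies the rule to newline-separated records and returns how many fired. */
static int count_qakbot_alerts(const char *records) {
    int hits = 0;
    char line[1024];
    for (const char *p = records; *p; ) {
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof line ? len : sizeof line - 1; /* truncate, never split */
        memcpy(line, p, n);
        line[n] = '\0';
        if (is_qakbot_loader_chain(line)) hits++;
        p += len;
        if (*p == '\n') p++;
    }
    return hits;
}

/* Constructed sample telemetry: records 1 and 3 match the chain, 2 and 4 do not. */
static const char SAMPLE_RECORDS[] =
    "EXCEL.EXE|regsvr32.exe|regsvr32.exe C:\\ProgramData\\Compliance-Report-1634724067.OCX\n"
    "explorer.exe|regsvr32.exe|regsvr32.exe /s C:\\Windows\\System32\\example.dll\n"
    "powershell.exe|rundll32.exe|rundll32.exe C:\\ProgramData\\1172258432.ocx,DllRegisterServer\n"
    "EXCEL.EXE|splwow64.exe|C:\\Windows\\splwow64.exe 12288\n";
```

Calling count_qakbot_alerts(SAMPLE_RECORDS) returns 2; the parent-process check is what keeps ordinary regsvr32.exe use (record 2) from firing.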
Zscaler researchers highlight the importance of the human factor in the success of these attacks and recommend that organizations train users to handle attachments properly, avoiding opening attachments sent from untrusted or unknown sources. The experts also recommend that users verify URLs in their browser address bar before entering credentials.
(SecurityAffairs – hacking, malware)
The post Qakbot operations continue to evolve to avoid detection appeared first on Security Affairs.
The multinational technology company Lenovo released security fixes to address three vulnerabilities that reside in the UEFI firmware shipped with over 70 product models, including several ThinkBook models.
A remote attacker can trigger these flaws to execute arbitrary code on vulnerable systems in the early stages of the boot process, escaping detection by security features.
The three buffer overflow vulnerabilities in UEFI firmware, tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, were discovered by researchers from ESET.
Below is the list of vulnerabilities in Lenovo Notebook BIOS reported in the vendor’s advisory:
- CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
- CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
- CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
The root cause of the flaws is insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable. Threat actors can exploit the flaws by creating a specially crafted NVRAM variable, triggering a buffer overflow of the Data buffer in the second GetVariable call.
“The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” wrote ESET in a series of tweets. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call.”
— ESET research (@ESETresearch), July 13, 2022
ESET researchers pointed out that the issues are a typical UEFI “double GetVariable” vulnerability that can also be identified in firmware code by assessing it with the IDA plugin efiXplorer from @binarly_io. However, ESET did not find the three vulnerabilities using this plugin, because they were not covered by the plugin at the time of discovery.
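The “double GetVariable” pattern is easiest to see in code. The block below is an added illustration, not code from ESET, Lenovo or the affected drivers: it mocks the two-call GetVariable contract over a constructed NVRAM store (the EFI_STATUS values mirror the EDK2 constants, everything else is a stand-in), shows the vulnerable driver pattern that trusts the attacker-controlled DataSize in the second call, and places the hardened pattern beside it. A canary region after the 64-byte buffer lets the overflow be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the two-call GetVariable contract: a call with a too-small
 * DataSize returns EFI_BUFFER_TOO_SMALL and writes the required size back; a
 * call with enough room copies the variable into Data. Mock, not the EDK2 API. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 0x8000000000000005ULL
#define EFI_NOT_FOUND        0x800000000000000EULL

#define NVRAM_MAX 256 /* cap so the mock store itself can never overflow */
typedef struct { const char *name; size_t size; uint8_t data[NVRAM_MAX]; } NvramVar;
static NvramVar g_nvram[2]; /* constructed NVRAM store holding two variables */

static EFI_STATUS GetVariable(const char *name, size_t *DataSize, void *Data) {
    for (size_t i = 0; i < 2; i++) {
        NvramVar *v = &g_nvram[i];
        if (!v->name || strcmp(v->name, name) != 0) continue;
        if (*DataSize < v->size) { *DataSize = v->size; return EFI_BUFFER_TOO_SMALL; }
        *DataSize = v->size;
        if (Data) memcpy(Data, v->data, v->size);
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

#define LOCAL_BUF 64                      /* the driver's fixed-size buffer */
#define CANARY    (NVRAM_MAX - LOCAL_BUF) /* bytes after it, to observe overflow */

/* Vulnerable pattern: the size learned from the first call is handed straight
 * to the second call without ever being compared against LOCAL_BUF.
 * Returns true if the second call wrote past the 64-byte buffer. */
static bool read_variable_vulnerable(const char *name) {
    uint8_t region[LOCAL_BUF + CANARY];  /* buffer + canary, so no UB in the demo */
    memset(region, 0, LOCAL_BUF);
    memset(region + LOCAL_BUF, 0xAA, CANARY);
    size_t DataSize = 0;
    if (GetVariable(name, &DataSize, NULL) != EFI_BUFFER_TOO_SMALL) return false;
    /* BUG: DataSize now comes from NVRAM (attacker-controlled) and is unchecked */
    if (GetVariable(name, &DataSize, region) != EFI_SUCCESS) return false;
    for (size_t i = LOCAL_BUF; i < sizeof region; i++)
        if (region[i] != 0xAA) return true; /* canary clobbered: overflow */
    return false;
}

/* Hardened pattern: reject oversized variables and tell GetVariable the real
 * buffer size, so an oversized NVRAM variable is refused instead of copied. */
static EFI_STATUS read_variable_hardened(const char *name, uint8_t out[LOCAL_BUF],
                                         size_t *out_len) {
    size_t DataSize = 0;
    EFI_STATUS st = GetVariable(name, &DataSize, NULL);
    if (st != EFI_BUFFER_TOO_SMALL) return st;             /* e.g. EFI_NOT_FOUND */
    if (DataSize > LOCAL_BUF) return EFI_BUFFER_TOO_SMALL; /* explicit bound check */
    DataSize = LOCAL_BUF;
    st = GetVariable(name, &DataSize, out);
    if (st == EFI_SUCCESS) *out_len = DataSize;
    return st;
}

/* Constructed store: a benign 16-byte setting and a crafted 200-byte variable
 * of the kind an attacker with local privileges could write to NVRAM. */
static void setup_nvram(void) {
    g_nvram[0] = (NvramVar){ .name = "BootSetting", .size = 16 };
    memset(g_nvram[0].data, 0x11, 16);
    g_nvram[1] = (NvramVar){ .name = "BootSetting-crafted", .size = 200 };
    memset(g_nvram[1].data, 0x41, 200);
}
```

After setup_nvram(), read_variable_vulnerable("BootSetting-crafted") reports the overflow while read_variable_hardened() returns EFI_BUFFER_TOO_SMALL for the same variable and still reads the benign one.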
Owners of affected devices are highly recommended to update to the latest firmware version. The list of models affected by the three issues and the firmware updates are reported in the Lenovo Advisory.
(SecurityAffairs – hacking, Lenovo)
The post Three UEFI Firmware flaws found in tens of Lenovo Notebook models appeared first on Security Affairs.