Security Affairs

Read, think, share … Security is everyone's responsibility
Chinese DriftingCloud APT exploited Sophos Firewall Zero-Day before it was fixed

Fri, 06/17/2022 - 19:00
China-linked threat actors exploited the zero-day flaw CVE-2022-1040 in Sophos Firewall weeks before it was fixed by the security vendor.

Volexity researchers discovered that the zero-day vulnerability, tracked as CVE-2022-1040, in Sophos Firewall was exploited by Chinese threat actors to compromise a company and cloud-hosted web servers it was operating.

The vulnerability was exploited by the Chinese attackers to drop a webshell into the target systems weeks before it was fixed by the security vendor.

On March 25, Sophos announced that it had fixed the authentication bypass vulnerability, tracked as CVE-2022-1040, which resides in the User Portal and Webadmin areas of Sophos Firewall.

The CVE-2022-1040 flaw received a CVSS score of 9.8 and impacts Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.

“An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.” reads the advisory published by the company.

A remote attacker with access to the Firewall’s User Portal or Webadmin interface can exploit the flaw to bypass authentication and execute arbitrary code.

Source: Sophos community

A few days later, Sophos warned that the CVE-2022-1040 flaw was being actively exploited in attacks aimed at a small set of Asian organizations.

“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” reads the advisory published by the vendor.

Now researchers from Volexity have revealed that a Chinese APT group, tracked as DriftingCloud, had been exploiting the flaw since early March. The threat actors used a zero-day exploit to drop a webshell backdoor and to target the customer’s staff.

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads the report published by Volexity. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.”

Volexity discovered the intrusion while investigating suspicious traffic originating from the Sophos Firewall to key systems in its customer’s networks. The analysis of the logs revealed significant and repeated suspicious access aimed at a valid JSP file (login.jsp).

Further investigation revealed that the threat actors use the Behinder framework, which was employed by other Chinese APT groups in attacks exploiting the recently disclosed CVE-2022-26134 flaw in Confluence servers.

The compromise of the Sophos Firewall was only the first phase of the attack chain: the threat actors later performed man-in-the-middle (MitM) attacks to collect data and used it to compromise additional systems outside of the network where the firewall resided.

“Volexity discovered that the attacker used their access to the firewall to modify DNS responses for specially targeted websites in order to perform MITM attacks. The modified DNS responses were for hostnames that belonged to the victim organization and for which they administered and managed the content. This allowed the attacker to intercept user credentials and session cookies from administrative access to the websites’ content management system (CMS).” states the report. “Volexity determined that in multiple cases, the attacker was able to access the CMS admin pages of the victim organization’s websites with valid session cookies they had hijacked.”

Once they had gained access to the target web servers, the DriftingCloud APT deployed multiple open-source malware families, including PupyRAT, Pantegana, and Sliver.

Volexity researchers shared the indicators of compromise for the attacks and YARA rules to detect the attack pattern.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Sophos Firewall)

The post Chinese DriftingCloud APT exploited Sophos Firewall Zero-Day before it was fixed appeared first on Security Affairs.

Categories: Cyber Security News

Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company

Fri, 06/17/2022 - 16:00
Experts uncovered an enterprise-grade surveillance malware dubbed Hermit used to target individuals in Kazakhstan, Syria, and Italy since 2019.

Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit, used by the government of Kazakhstan to track individuals within the country.

The latest samples of this spyware were detected by the researchers in April 2022, four months after a series of nation-wide protests against government policies that were violently suppressed.

According to Lookout, the Hermit spyware was likely developed by the Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl; the latter is a telecommunications solutions company suspected of operating as a front company.

The researchers reported that they had observed the use of the Hermit spyware in other circumstances. In 2019, the spyware was used by the Italian authorities in an anti-corruption operation, and the experts also identified an unknown actor that used the surveillance software in northeastern Syria.

RCS Lab is a well-known “lawful intercept” company that officially sells its products only to law enforcement and intelligence agencies.

Hermit is a sophisticated threat with a modular structure; it allows operators to take full control of infected devices.

“We obtained and analyzed 16 of the 25 known modules, each with unique capabilities. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.” reads the analysis published by Lookout.

“We theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.”

The experts also added that all the samples they analyzed are Android versions of the spyware; however, they are aware of an iOS version of the spyware.

The malware is likely distributed via SMS messages that trick victims into installing apps masquerading as Samsung, Vivo, and Oppo apps. Upon opening the apps, the website of the impersonated company is opened, while the infection process starts in the background.

The report published by Lookout states that RCS Lab also has past dealings with the Syrian authoritarian regime, as part of its collaboration with Berlin-based Advanced German Technology (AGT) to sell surveillance solutions.

According to leaked documents published in WikiLeaks in 2015, RCS Lab was a reseller of the notorious Italian surveillance firm HackingTeam. RCS Lab was providing its software to military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.

“According to its own website, Tykelab provides innocuous technology solutions. However, we found various publicly-available clues that suggest otherwise. In addition to the Italian parliamentary document, we found several pieces of evidence tying Tykelab to RCS Lab.” continues the report. “For example, a current Tykelab employee’s LinkedIn profile indicates that they also work at RCS Lab. In addition, the company offers services that require skills that may be useful in the development and delivery of surveillanceware, such as knowledge or interaction with telecommunications networks, social media analysis, SMS services and mobile app development. One of the Tykelab job postings for a security engineer we found spells out desired skills that would have direct application to surveillance of mobile networks and devices.”

The researchers also provided further evidence linking Tykelab to Hermit and RCS, and they published Indicators of Compromise for this threat.

Pierluigi Paganini

(SecurityAffairs – hacking, Hermit spyware)

Categories: Cyber Security News

A Microsoft 365 feature can ransom files on SharePoint and OneDrive

Fri, 06/17/2022 - 02:34
Experts discovered a feature in Microsoft 365 suite that could be abused to encrypt files stored on SharePoint and OneDrive and target cloud infrastructure.

Researchers from Proofpoint reported that a feature in the Microsoft 365 suite could be abused to encrypt files stored on SharePoint and OneDrive.

“Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.” reads the post published by Proofpoint.

The researchers detailed an attack chain that allows attackers to encrypt files in the compromised users’ accounts; unfortunately for the victims, these files can then be retrieved only by paying a ransom to receive the decryption keys.

The researchers pointed out that the actions composing the attack chain can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts. Below is the attack chain described by Proofpoint:

  1. Initial Access: Gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
  2. Account Takeover & Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application (which would include the user’s OneDrive account as well).
  3. Collection & Exfiltration: Reduce versioning limit of files to a low number such as 1, to keep it easy. Encrypt the file more times than the versioning limit. With the example limit of 1, encrypt the file twice. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic. 
  4. Monetization: Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization. 

The infection sequence can be carried out using a combination of Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts, the enterprise security firm added.

Researchers at Proofpoint reported that the attack abuses the “AutoSave” feature that creates cloud backups of older file versions when users edit a file stored on OneDrive or SharePoint Online.

Every document library in SharePoint Online and OneDrive has a set of attributes, including the number of saved versions, which the site owner can change regardless of their other roles. The versioning settings are found under the list settings of each document library.

“By design, when you reduce the document library version limit, any further changes to the files in the document library will result in older versions becoming very hard to restore (see responsible disclosure and discussion). There are two ways to abuse the versioning mechanism to achieve malicious aims – either by creating too many versions of a file or by reducing the version limits of a document library.” continues the report. “Edits that increment a version of a file include changes to the document contents, filename, file metadata and the file encryption status.”  

An attacker can either create too many versions of a file or reduce the version limit of a document library to a low number such as “1”, and then encrypt each file more times than the versioning limit.
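As an added illustration (not code from Proofpoint, Microsoft or this post), the following Python models the version-retention arithmetic described above and runs a simple defender-side check over constructed audit events. The DocumentLibrary class, the event field names and the 500-version default are assumptions and simplifications, not real Microsoft 365 APIs or audit-log schemas.

```python
"""Model of the document-library version retention that Proofpoint's report
describes, plus a defender-side check over simplified audit events.
Added example: the DocumentLibrary class and the event dictionaries are
constructed simplifications, not real Microsoft 365 APIs or audit schemas."""
from collections import defaultdict

DEFAULT_VERSION_LIMIT = 500   # assumed SharePoint Online default for major versions


class DocumentLibrary:
    """Keeps the current file content plus up to `version_limit` earlier versions.
    This simplification reproduces the report's arithmetic: with a limit of 1,
    the original is gone after two overwrites (one more than the limit)."""

    def __init__(self, original: str, version_limit: int = DEFAULT_VERSION_LIMIT):
        self.current = original
        self.history = []            # earlier versions, oldest first
        self.version_limit = version_limit

    def set_version_limit(self, new_limit: int) -> None:
        # Lowering the limit does not trim anything by itself; the next edit does
        # ("any further changes ... result in older versions becoming very hard to restore").
        self.version_limit = new_limit

    def save(self, new_content: str) -> None:
        """Each save pushes the current content into history and trims the oldest
        versions beyond the limit, exactly like an AutoSave-triggered edit."""
        self.history.append(self.current)
        self.current = new_content
        overflow = len(self.history) - self.version_limit
        if overflow > 0:
            del self.history[:overflow]   # oldest versions are discarded first

    def can_restore(self, content: str) -> bool:
        return content in self.history


def overwrites_until_lost(version_limit: int) -> int:
    """Number of successive overwrites after which the original content is no
    longer restorable from version history: one more than the limit."""
    lib = DocumentLibrary("ORIGINAL", version_limit)
    n = 0
    while lib.current == "ORIGINAL" or lib.can_restore("ORIGINAL"):
        lib.save(f"ciphertext-{n}")
        n += 1
    return n


# Constructed audit events in a simplified shape (NOT the real unified audit log).
SAMPLE_EVENTS = [
    {"ts": 100, "user": "alice@example.com", "op": "VersionLimitChanged",
     "library": "Docs", "old": 500, "new": 1},
    {"ts": 101, "user": "alice@example.com", "op": "FileModified", "library": "Docs", "file": "q1.docx"},
    {"ts": 102, "user": "alice@example.com", "op": "FileModified", "library": "Docs", "file": "q1.docx"},
    {"ts": 103, "user": "alice@example.com", "op": "FileModified", "library": "Docs", "file": "q2.docx"},
    {"ts": 104, "user": "alice@example.com", "op": "FileModified", "library": "Docs", "file": "q2.docx"},
    {"ts": 500, "user": "bob@example.com", "op": "FileModified", "library": "Docs", "file": "q3.docx"},
]


def find_ransom_indicators(events, policy_floor=DEFAULT_VERSION_LIMIT, window=300):
    """Flag (1) version-limit reductions below the policy floor and (2) files that
    the same user re-saved more often than the new limit within `window` seconds
    of such a reduction. Returns a list of human-readable findings."""
    findings = []
    limits = {}                       # library -> (new_limit, ts, user)
    saves = defaultdict(list)         # (library, file, user) -> save timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "VersionLimitChanged" and ev["new"] < policy_floor:
            limits[ev["library"]] = (ev["new"], ev["ts"], ev["user"])
            findings.append(f"version limit on {ev['library']} lowered "
                            f"{ev['old']}->{ev['new']} by {ev['user']}")
        elif ev["op"] == "FileModified" and ev["library"] in limits:
            limit, t0, _ = limits[ev["library"]]
            if ev["ts"] - t0 <= window:
                key = (ev["library"], ev["file"], ev["user"])
                saves[key].append(ev["ts"])
                if len(saves[key]) == limit + 1:
                    findings.append(f"{ev['file']} in {ev['library']} overwritten "
                                    f"{limit + 1}x by {ev['user']} after limit reduction")
    return findings


if __name__ == "__main__":
    print("overwrites needed at limit 1:", overwrites_until_lost(1))     # 2
    print("overwrites needed at limit 500:", overwrites_until_lost(500)) # 501
    for line in find_ransom_indicators(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Real deployments would feed the check from the unified audit log rather than a constructed list, and would alert on the limit change alone, since a reduction to a handful of versions has almost no legitimate use.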

Microsoft downplayed the issue, stating that older versions of files can potentially be recovered and restored for an additional 14 days with the assistance of Microsoft Support.

“However, Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft 365)

Categories: Cyber Security News

BlackCat Ransomware affiliates target unpatched Microsoft Exchange servers

Thu, 06/16/2022 - 17:53
The BlackCat ransomware gang is targeting unpatched Exchange servers to compromise target networks, Microsoft warns.

Microsoft researchers have observed the BlackCat ransomware gang targeting unpatched Exchange servers to compromise organizations worldwide.

The compromise of Exchange servers allows threat actors to access the target networks, perform internal reconnaissance and lateral movement activities, and steal sensitive documents before encrypting them.

“For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).” reads the post published by Microsoft 365 Defender Threat Intelligence Team.

In one of the attacks observed by Microsoft, the threat actors started lateral movement two and a half days after the initial compromise. The ransomware operators signed into one of the target devices discovered during their initial reconnaissance, using compromised credentials via an interactive sign-in. They then opted for a credential theft technique that didn’t rely on tools like Mimikatz, because those are easy to detect: the attackers created a dump file of the LSASS.exe process via Taskmgr.exe and saved it to a ZIP archive.

The attackers continued the discovery phase using a PowerShell script version of ADRecon (ADRecon.ps1), a tool designed to gather extensive information about an Active Directory (AD) environment. They then attempted to connect to devices using Server Message Block (SMB) and Remote Desktop Protocol (RDP).

“For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials.” continues the analysis. “These behaviors continued for days, with the attackers signing into numerous devices throughout the organization, dumping credentials, and determining what devices they could access.”

BlackCat ransomware operators used both MEGAsync and Rclone for data exfiltration, renaming the binaries after legitimate Windows processes (for example, winlogon.exe and mstsc.exe) to avoid raising suspicion.

The ransomware payload was deployed two weeks after the initial compromise; the attackers often distributed it using PsExec.exe.

The ALPHV/BlackCat gang has been active since at least December 2021, when malware researchers from Recorded Future and MalwareHunterTeam discovered its operation. ALPHV/BlackCat is the first professional ransomware strain written in the Rust programming language.

BlackCat can target Windows, Linux, and VMware ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.”

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

Recently, the ALPHV/BlackCat ransomware group adopted a new strategy to force victims into paying the ransom: the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online makes it indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.

Pierluigi Paganini

(SecurityAffairs – hacking, Blackcat ransomware)

Categories: Cyber Security News

ALPHV/BlackCat ransomware gang starts publishing victims’ data on the clear web

Thu, 06/16/2022 - 11:07
ALPHV/BlackCat ransomware group began publishing victims’ data on the clear web to increase the pressure on them and force them to pay the ransom.

The ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom: the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online makes it indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.

The ALPHV/BlackCat gang has been active since at least December 2021, when malware researchers from Recorded Future and MalwareHunterTeam discovered its operation. ALPHV/BlackCat is the first professional ransomware strain written in the Rust programming language.

BlackCat can target Windows, Linux, and VMware ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.”

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

In the past, many ransomware victims were not concerned about the publication of their data on a leak site in the Tor network, believing that dark nets are not easily accessible to the masses.

The ransomware gang sets up a website on the clear web for each victim and publishes the stolen data on it.

It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Categories: Cyber Security News

Researchers disclosed a remote code execution flaw in Fastjson Library

Thu, 06/16/2022 - 06:14
Researchers disclosed a remote code execution vulnerability, tracked as CVE-2022-25845, in the popular Fastjson library.

Cybersecurity researchers from JFrog disclosed details of a now patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution.

Fastjson is a Java library that can be used to convert Java objects into their JSON representation. It can also be used to convert a JSON string into an equivalent Java object. Fastjson can work with arbitrary Java objects, including pre-existing objects for which you do not have the source code.

The flaw, tracked as CVE-2022-25845 (CVSS score: 8.1), resides in a feature called “AutoType” and is related to the deserialization of untrusted data. The AutoType function allows specifying a custom type when parsing a JSON input that can then be deserialized into an object of a specific class.

“this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution.” reads the analysis published by JFrog’s Uriya Yavnieli.

The impact of this flaw is huge: it affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize. The experts pointed out that almost 5000 Maven projects rely on Fastjson.

The vulnerability was addressed with the release of version 1.2.83 on May 23, 2022.

Initially, the development team addressed the issue by introducing a safeMode that disables AutoType and by implementing a blocklist of classes to defend against deserialization issues. Unfortunately, experts discovered how to bypass these restrictions to achieve remote code execution, forcing the development team to introduce new fixes.

“To conclude, we assess that currently this vulnerability does not seem to pose a high threat. Although a public PoC exploit exists and the potential impact is very high (remote code execution) the conditions for the attack are not trivial (passing untrusted input to specific vulnerable APIs) and most importantly – target-specific research is required to find a suitable gadget class to exploit (which will probably not exist at all, due to its unlikely attributes).” Yavnieli concludes.

Pierluigi Paganini

(SecurityAffairs – hacking, Fastjson library)

Categories: Cyber Security News

Cisco fixed a critical Bypass Authentication flaw in Cisco ESA and Secure Email and Web Manager

Thu, 06/16/2022 - 04:41
Cisco addressed a critical bypass authentication flaw in Cisco Email Security Appliance (ESA) and Secure Email and Web Manager.

Cisco addressed a critical bypass authentication vulnerability affecting Email Security Appliance (ESA) and Secure Email and Web Manager. The flaw, tracked as CVE-2022-20798 (CVSS score 9.8), can be exploited by an unauthenticated, remote attacker to bypass authentication and log in to the web management interface of a vulnerable device.

The vulnerability was discovered by the IT giant during the resolution of a TAC support case.

The flaw could be easily exploited by entering a specific input on the login page of the affected device.

“A vulnerability in the external authentication functionality of Cisco Secure Email and Web Manager, formerly known as Cisco Security Management Appliance (SMA), and Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass authentication and log in to the web management interface of an affected device.” reads the advisory published by Cisco. “This vulnerability is due to improper authentication checks when an affected device uses Lightweight Directory Access Protocol (LDAP) for external authentication. An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device. A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device.”

Below are the impacted software releases:

Secure Email and Web Manager

  Cisco AsyncOS Release    First Fixed Release
  11 and earlier           Migrate to fixed release.
  12                       Migrate to fixed release.
  12.8                     Migrate to fixed release.
  13.0                     13.0.0-277
  13.6                     13.6.2-090
  13.8                     13.8.1-090
  14.0                     14.0.0-418
  14.1                     14.1.0-250

Email Security Appliance: CSCvy13453

  Cisco AsyncOS Release    First Fixed Release
  Earlier than 11          Migrate to fixed release.
  11                       Migrate to fixed release.
  12                       Migrate to fixed release.
  13                       Migrate to fixed release.
  14                       14.0.1-033

The good news is that Cisco PSIRT is not aware of any attacks in the wild exploiting this flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco ESA)

Categories: Cyber Security News

Malicious apps continue to spread through the Google Play Store

Thu, 06/16/2022 - 03:00
Researchers at antivirus firm Dr. Web discovered malware in the Google Play Store that was downloaded two million times.

An investigation conducted by the antivirus firm Dr. Web in May resulted in the discovery of multiple adware and information-stealing malware on the official Google Play Store.

However, the experts warn that info-stealing Trojans are the most dangerous threats for Android users; they can be used to steal sensitive data such as login credentials and authorization data for multiple online services.

The principal trends that emerged from the Dr.Web report are the decreased activity of the Android.Spy.4498 trojan and the increased activity of adware trojans.

The Android.Spy.4498 is a trojan that allows operators to steal the contents of other apps’ notifications, download other apps, and prompt users to install them.

The most common unwanted program discovered by the researchers is Program.FakeAntiVirus.1, an adware program that masquerades as anti-virus software. These apps inform users of non-existent threats, deceive them, and ask the victims to purchase the software’s full version.

“In May, Doctor Web specialists discovered a large number of threats on Google Play. The adware trojans Android.HiddenAds.3158 and Android.HiddenAds.3161 were among them.” reads the report published by Dr.Web.

Researchers discovered five malicious apps in the Google Play Store that totaled two million downloads.

  • PIP Pic Camera Photo Editor, an image-editing software with 1 million downloads.
  • Wild & Exotic Animal Wallpaper, an image-collection app with 500,000 downloads.
  • ZodiHoroscope – Fortune Finder, an astrology-related software with 500,000 downloads.
  • PIP Camera 2022, an image-editing software with 50,000 downloads.
  • Magnifier Flashlight, a flashlight application with 10,000 downloads.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Malicious apps continue to spread through the Google Play Store appeared first on Security Affairs.

Categories: Cyber Security News

Hertzbleed Side-Channel Attack allows to remotely steal encryption keys from AMD and Intel chips

Wed, 06/15/2022 - 18:59
Hertzbleed attack: Researchers discovered a new vulnerability in modern Intel and AMD chips that could allow attackers to steal encryption keys.

Researchers from the University of Texas, the University of Illinois Urbana-Champaign, and the University of Washington devised a new side-channel attack technique, dubbed Hertzbleed, that could allow remote attackers to steal encryption keys from modern Intel and AMD chips.

“Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.” reads the website set up to describe the attack.

The experts will present their findings at the 31st USENIX Security Symposium that will take place in Boston, 10–12 August 2022.

The principle behind the Hertzbleed attack is that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed.

“First, Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks—lifting the need for any power measurement interface. The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second).” continues the post. “Second, Hertzbleed shows that, even when implemented correctly as constant time, cryptographic code can still leak via remote timing analysis. The result is that current industry guidelines for how to write constant-time code (such as Intel’s one) are insufficient to guarantee constant-time execution on modern processors.”

The issue is tracked as CVE-2022-23823 for AMD and CVE-2022-24436 for Intel; at this time there is no fix for the issue.

Experts pointed out that Hertzbleed is not a bug: the cause of the issue is dynamic frequency scaling, a feature implemented in modern processors to reduce power consumption during low CPU loads.

The experts shared their findings, along with proof-of-concept code, with Intel, Cloudflare and Microsoft in Q3 2021 and with AMD in Q1 2022.

At this time Intel and AMD don’t plan to release microcode to mitigate the Hertzbleed attack.

Intel provided guidance on mitigating the attack by hardening libraries and applications.

Is there a workaround?

“Technically, yes. However, it has a significant system-wide performance impact.” conclude the experts. “In most cases, a workload-independent workaround to mitigate Hertzbleed is to disable frequency boost. Intel calls this feature “Turbo Boost”, and AMD calls it “Turbo Core” or “Precision Boost”. Disabling frequency boost can be done either through the BIOS or at runtime via the frequency scaling driver. In our experiments, when frequency boost was disabled, the frequency stayed fixed at the base frequency during workload execution, preventing leakage via Hertzbleed. However, this is not a recommended mitigation strategy as it will significantly impact performance.”
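The mechanism described above, as an added toy model that is not code from the Hertzbleed paper or the post: a routine with a fixed instruction trace still takes a data-dependent amount of wall-clock time when the frequency depends on power draw, and the difference disappears when the frequency is pinned at base. The DVFS curve, the cycle costs and the use of bits toggled as a power proxy are all assumptions of the model.

```python
"""Toy model of a frequency side channel (added example, not from the paper).

The CPU executes the same number of cycles for every input, but its operating
frequency depends on power draw, which here depends on the data (approximated
by the number of bits toggled by the XORs). Since time = cycles / frequency,
equal cycle counts give unequal execution times while frequency boost is
enabled, and equal times once the frequency is fixed at base.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class FrequencyModel:
    base_hz: float = 3.0e9      # assumed base frequency
    boost_hz: float = 4.5e9     # assumed maximum boost frequency
    power_budget: float = 1.0   # normalised draw at which boost is fully withdrawn
    boost_enabled: bool = True  # False models "Turbo Boost" / "Precision Boost" disabled

    def frequency_for(self, power: float) -> float:
        """Simplified DVFS: back off linearly from boost to base as draw nears budget."""
        if not self.boost_enabled:
            return self.base_hz
        headroom = max(0.0, 1.0 - power / self.power_budget)
        return self.base_hz + (self.boost_hz - self.base_hz) * headroom


def constant_cycle_compare(a: bytes, b: bytes) -> Tuple[bool, int, float]:
    """Constant-time comparison in the classical sense: identical instruction
    trace for every input. Returns (equal, cycles, normalised_power).

    The cycle count never depends on the data; only the modelled power does.
    """
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    diff = 0
    cycles = 0
    toggles = 0
    for x, y in zip(a, b):
        diff |= x ^ y
        cycles += 3                       # assumed: xor, or, loop overhead per byte
        toggles += bin(x ^ y).count("1")  # assumed power proxy: bits flipped by the xor
    power = toggles / (8 * len(a)) if a else 0.0
    return diff == 0, cycles, power


def wall_clock_seconds(model: FrequencyModel, a: bytes, b: bytes) -> float:
    """Execution time under the model: cycles / frequency (1 Hz = 1 cycle per second)."""
    _, cycles, power = constant_cycle_compare(a, b)
    return cycles / model.frequency_for(power)


def leakage_gap(model: FrequencyModel, secret: bytes) -> float:
    """Time difference between comparing the secret with itself (no toggles) and
    with its bitwise complement (all bits toggle). Non-zero means the timing
    depends on the data even though the cycle count does not."""
    near = secret
    far = bytes(x ^ 0xFF for x in secret)
    return wall_clock_seconds(model, secret, far) - wall_clock_seconds(model, secret, near)


if __name__ == "__main__":
    secret = bytes(range(16))  # constructed sample value
    for name, model in (("boost enabled", FrequencyModel()),
                        ("boost disabled", FrequencyModel(boost_enabled=False))):
        print(f"{name}: timing gap = {leakage_gap(model, secret):.3e} s")
```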


Pierluigi Paganini

(SecurityAffairs – hacking, Hertzbleed)

The post Hertzbleed Side-Channel Attack allows to remotely steal encryption keys from AMD and Intel chips appeared first on Security Affairs.

Categories: Cyber Security News

A critical flaw in Citrix Application Delivery Management allows resetting admin passwords

Wed, 06/15/2022 - 14:39
Citrix fixed a critical flaw in Citrix Application Delivery Management (ADM), tracked as CVE-2022-27511, that can allow attackers to reset admin passwords.

Citrix fixed a critical vulnerability in Citrix Application Delivery Management (ADM), tracked as CVE-2022-27511, that can be exploited by attackers to reset admin passwords.

Citrix Application Delivery Management (ADM) is a comprehensive platform that enables automation, orchestration, management, and analytics for application delivery across hybrid multi-cloud environments.

The flaw is an Improper Access Control issue reported by the security researcher Florian Hauser from Code White.

“Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted.” reads the advisory published by the IT giant.

The flaw impacts all supported versions of Citrix Application Delivery Management server.

Citrix recommends customers update their Citrix ADM server and Citrix ADM agent installs as soon as possible; the affected builds are Citrix ADM 13.1 before 13.1-21.53 and Citrix ADM 13.0 before 13.0-85.19.

Customers must upgrade both Citrix ADM server and all associated Citrix ADM agents. Please see the product documentation for assistance with upgrading the Citrix ADM server and Citrix ADM agents. 

Citrix recommends that customers who cannot immediately apply the security patches segment network traffic to the Citrix ADM’s IP address, either physically or logically, from standard network traffic.

The IT giant also fixed an Improper Control of a Resource Through its Lifetime issue, tracked as CVE-2022-27512. Successful exploitation of this flaw could cause the temporary disruption of the ADM license service.


Pierluigi Paganini

(SecurityAffairs – hacking, Citrix Application Delivery Management)

The post A critical flaw in Citrix Application Delivery Management allows resetting admin passwords appeared first on Security Affairs.

Categories: Cyber Security News

Experts warn of ransomware attacks against government organizations of small states

Tue, 05/31/2022 - 03:13
Cyble Research Labs reported a rise in ransomware attacks in the second quarter of 2022; small states are more exposed to these attacks.

Cyble Research Labs observed a rise in ransomware attacks in the second quarter of 2022, some of them with a severe impact on the victims, such as the attack that hit the Costa Rican government and caused a nationwide crisis.

The experts warn of ransomware attacks against government organizations. They observed a total of 48 government organizations from 21 countries that were hit by 13 ransomware attacks in 2022.

Cyble researchers warn that cybercriminal organizations have changed tactics, switching from businesses to small states and threatening to subvert the government apparatus.

Small states are easy targets because their critical infrastructure is poorly secured, a consequence of the low budgets available to protect it.

“The notorious ransomware group Conti began targeting the Costa Rican government in April 2022. A similar attack was seen in May 2021, when the gang targeted Ireland’s publicly funded health care system and demanded a ransom of USD20 million.” reads the post published by Cyble. “The timing could be a pure coincidence; however, Conti was seemingly trying the same tactics with Costa Rica, but this time on a larger scale, shortly after a change in government in the country.“

After the attack against Costa Rica, the Conti ransomware gang also hit Peru. The experts also reported other ransomware attacks that hit government organizations in Latin America, including Brazilian and Peruvian government organizations.

“Cyble Research Labs conducted research over vulnerable instances of the Peruvian government’s cyberinfrastructure and identified 21 instances from 11 ministerial websites with the most exploited CVEs from 2021.” continues Cyble.

The researchers also reported the sale on underground cybercrime forums of data exfiltrated from the servers of government organizations, including the Ministry of Energy & Natural Resources, the Federal Court of Malaysia, the Department of Management Services under the Malaysian Ministry of Personnel & Organizational Development, the National Bank of Angola, and the Civil Service Commission of the Republic of the Philippines.

The experts highlight the importance for smaller states of improving their detection capabilities and putting in place systems to respond quickly to cyberattacks. Cyble stresses the need to invest in capacity-building to cultivate skilled manpower, enhance awareness among citizens and narrow the technology gap in order to minimize their risk footprint.

“Typically, cyberattacks on small nations by state-sponsored and renowned APTs are adopted by a few sponsoring nations to impact the socio-politico fabric and gain a political and diplomatic edge when it comes to trade and investment.” concludes the report. “Ransomware gangs targeting one-off government establishments for monetary returns are also not a new phenomenon. Regardless, the global cybersecurity fraternity and policymakers must closely monitor ransomware gangs mobilizing their resources to strike at these nation’s foundations.”


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Experts warn of ransomware attacks against government organizations of small states appeared first on Security Affairs.

Categories: Cyber Security News

Three Nigerian men arrested in INTERPOL Operation Killer Bee

Mon, 05/30/2022 - 16:07
Interpol arrested three Nigerian men in Lagos, who are suspected of using the Agent Tesla RAT to reroute financial transactions and steal sensitive data.

Interpol arrested 3 Nigerian men in Lagos as part of an international operation codenamed Killer Bee. The three men are suspected of using the Agent Tesla RAT to reroute financial transactions and steal confidential details from corporate organizations. The suspects, aged between 31 and 38, were found by the police in possession of fake documents, including fraudulent invoices and forged official letters.

The list of victims includes oil and gas companies in South East Asia, the Middle East and North Africa.

Agent Tesla, first discovered in late 2014, is an extremely popular “malware-as-a-service” Remote Access Trojan (RAT) used by threat actors to steal credentials, keystrokes, clipboard data and other information from its operators’ targets.
Both cybercriminal groups and actors involved in espionage operations use this RAT due to Agent Tesla’s stability, flexibility and functionality that allows for the collection of sensitive data and exfiltration from the victim. 

The operation Killer Bee involved INTERPOL’s General Secretariat headquarters and National Central Bureaus (NCBs) and law enforcement agencies from 11 countries across Southeast Asia.  

One of the fraudsters, Hendrix Omorume, has been charged and convicted of three counts of serious financial fraud; the two other men are still on trial. Omorume faces a one-year prison sentence.

“Through its global police network and constant monitoring of cyberspace, INTERPOL had the globally sourced intelligence needed to alert Nigeria to a serious security threat where millions could have been lost without swift police action,” said INTERPOL’s Director of Cybercrime, Craig Jones. “Further arrests and prosecutions are foreseen across the world as intelligence continues to come in and investigations unfold.”

Last week, INTERPOL and the Nigeria Police Force, with the support of several cybersecurity companies (Group-IB, Palo Alto Networks Unit 42 and Trend Micro), identified a 37-year-old Nigerian man believed to be one of the leaders of the SilverTerrier cybercrime group.


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Three Nigerian men arrested in INTERPOL Operation Killer Bee appeared first on Security Affairs.

Categories: Cyber Security News

A new WhatsApp OTP scam could allow the hijacking of users’ accounts

Mon, 05/30/2022 - 10:49
Experts warn of a new ongoing WhatsApp OTP scam that could allow attackers to hijack users’ accounts through phone calls.

Recently CloudSEK founder Rahul Sasi warned of an ongoing WhatsApp OTP scam that could allow threat actors to hijack users’ accounts through phone calls.

The fraudulent scheme is simple: threat actors phone the victims and trick them into calling a phone number starting with either 405 or 67. Sasi explained that after a few minutes the victims’ WhatsApp account is logged out and the attackers are able to take it over.

The number dialed by the victims is a service request for Jio and Airtel to enable call forwarding when the mobile user is busy. Using this scheme, the attacker tricks the victims into enabling call forwarding to a number under their control. The threat actors then start the WhatsApp registration process for the victim’s number, asking to receive the OTP via phone call.

Since the phone is busy, the call is forwarded to the attacker’s phone, allowing him to gain control of the victim’s WhatsApp account.

At this time, this fraudulent scheme is targeting only WhatsApp users in India, but experts warn that this kind of attack could be observed in almost any country where a similar forwarding service is available.


Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)

The post A new WhatsApp OTP scam could allow the hijacking of users’ accounts appeared first on Security Affairs.

Categories: Cyber Security News

Multiple Microsoft Office versions impacted by an actively exploited zero-day

Mon, 05/30/2022 - 08:06
A zero-day flaw in Microsoft Office could be exploited by attackers to achieve arbitrary code execution on Windows systems.

The cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML file and then uses the “ms-msdt” scheme to execute PowerShell code.

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt

— nao_sec (@nao_sec) May 27, 2022

https://t.co/q9Mj9lRUjU pic.twitter.com/GhBo0qUBjo

— nao_sec (@nao_sec) May 27, 2022

The popular cybersecurity expert Kevin Beaumont published an analysis of the flaw.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.
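The remote template feature described above leaves a trace inside the document itself, which a defender can check before the file is ever opened. The checker below is an added example, not code from nao_sec, Beaumont or Microsoft: it opens a .docx (a ZIP container), reads word/_rels/settings.xml.rels and returns every attachedTemplate relationship whose TargetMode is External. The sample documents are constructed in memory for the demonstration and the URL in them is a placeholder, not an indicator from the post.

```python
"""Flag Word documents that load their template from a remote location
(added example; the sample .docx files are constructed, not real maldocs).

Word records an attached template as a relationship in
word/_rels/settings.xml.rels. When TargetMode="External", Word fetches the
target when the document is opened, which is the first step of the chain the
post describes. A non-empty result is therefore worth triage, even though a
remote template is not malicious by itself.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every external attachedTemplate relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []  # no settings relationships at all: no attached template
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def build_docx(settings_rels_xml: Optional[str]) -> bytes:
    """Construct a minimal .docx-shaped ZIP for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if settings_rels_xml is not None:
            zf.writestr(SETTINGS_RELS, settings_rels_xml)
    return buf.getvalue()


# Constructed sample: a template fetched from a remote server (placeholder URL).
REMOTE_TEMPLATE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="http://template.example.invalid/placeholder.html" TargetMode="External"/>
</Relationships>"""

# Constructed sample: an ordinary local template, which should not be flagged.
LOCAL_TEMPLATE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="Normal.dotm"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("remote", REMOTE_TEMPLATE_RELS), ("local", LOCAL_TEMPLATE_RELS)):
        print(label, "->", find_remote_templates(build_docx(rels)))
```

The same check can be pointed at files on disk by passing the file contents to find_remote_templates; it does not fetch the target or open the document in Word.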


Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

The post Multiple Microsoft Office versions impacted by an actively exploited zero-day appeared first on Security Affairs.

Categories: Cyber Security News

GoodWill Ransomware victims have to perform socially driven activities to decrypt their data

Mon, 05/30/2022 - 07:20
Researchers discovered a new ransomware family called GoodWill that asks victims to donate the ransom for social causes.

CloudSEK’s Threat Intelligence Research team has disclosed a new ransomware strain called GoodWill that demands that victims pay the ransom through donations to social causes and by financially helping people in need.

“The ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.” reads the analysis published by CloudSEK. “The group’s multiple-paged ransom note suggests that victims perform three socially driven activities to be able to download the decryption key.”

The GoodWill ransomware is written in .NET; to evade detection it is packed with UPX and sleeps for 722.45 seconds before starting its activity.

The researchers attribute the attack to a threat actor based in India. Ransomware operators request the victims to perform three socially driven activities in exchange for the decryption key.

Researchers observed that the ransomware code is based on the HiddenTear open-source ransomware.

Victims have to donate new clothes to the homeless, record their action, and post it on social media. In addition, the victims can accompany less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos, and post them on social media.

The last action for the victims consists of providing financial assistance to anyone who needs urgent medical attention, but cannot afford it, at a nearby hospital, recording audio, and sharing it with the operators.

“Once all three activities are completed, the victims should also write a note on social media (Facebook or Instagram) on “How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.” said the researchers. “Since there are no known victims/ targets for the ransomware group, their Tactics, Techniques and Procedures remain unknown.”

The researchers also shared indicators of compromise (IoCs) for this ransomware.


Pierluigi Paganini

(SecurityAffairs – hacking, GoodWill ransomware)

The post GoodWill Ransomware victims have to perform socially driven activities to decrypt their data appeared first on Security Affairs.

Categories: Cyber Security News

EnemyBot malware adds new exploits to target CMS servers and Android devices

Mon, 05/30/2022 - 03:09
The operators of the EnemyBot botnet added exploits for recently disclosed flaws in VMware, F5 BIG-IP, and Android systems.

Operators behind the EnemyBot botnet are expanding the list of potential targets by adding exploits for recently disclosed critical vulnerabilities in VMware, F5 BIG-IP, and Android.

The botnet was first discovered by Fortinet in March; the DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. The botnet targets multiple architectures, including arm, bsd, x64, and x86.

The researchers attribute the botnet to the cybercrime group Keksec, which focuses on DDoS-based extortion. Upon installation, the bot drops a file at /tmp/.pwned containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples; newer samples encode the message with an XOR operation using a multiple-byte key.

Experts pointed out that the malware is being actively developed.

The Enemybot botnet borrows code from the Gafgyt bot and reuses some code from the infamous Mirai botnet. Gafgyt, which first appeared in the threat landscape in 2014, is a popular choice for launching large-scale DDoS attacks. The botnet implements multiple obfuscation techniques to avoid detection and hides its C2 on the Tor network.

The Enemybot botnet employs several methods to spread and targets other IoT devices. It uses a list of hardcoded username/password combinations to log into devices in an attempt to access systems that use weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose the Android Debug Bridge port (5555).

The first version of the bot exploits tens of known vulnerabilities including:

Now researchers from AT&T Alien Labs analyzed the latest variants of the EnemyBot bot and discovered that it included exploits for 24 vulnerabilities, including issues that don’t even have a CVE number.

“We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet.” states the report published by AT&T Alien Labs.

CVE Number | Affected devices
CVE-2021-44228, CVE-2021-45046 | Log4J RCE
CVE-2022-1388 | F5 BIG IP RCE
No CVE (vulnerability published on 2022-02) | Adobe ColdFusion 11 RCE
CVE-2020-7961 | Liferay Portal – Java Unmarshalling via JSONWS RCE
No CVE (vulnerability published on 2022-04) | PHP Scriptcase 9.7 RCE
CVE-2021-4039 | Zyxel NWA-1100-NH Command injection
No CVE (vulnerability published on 2022-04) | Razar Sila – Command injection
CVE-2022-22947 | Spring Cloud Gateway – Code injection vulnerability
CVE-2022-22954 | VMWare Workspace One RCE
CVE-2021-36356, CVE-2021-35064 | Kramer VIAware RCE
No CVE (vulnerability published on 2022-03) | WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published on 2022-02) | Dbltek GoIP LFI
No CVE (vulnerability published on 2022-03) | WordPress Cab Fare Calculator plugin LFI
No CVE (vulnerability published on 2022-03) | Archeevo 5.0 LFI
CVE-2018-16763 | Fuel CMS 1.4.1 RCE
CVE-2020-5902 | F5 BigIP RCE
No CVE (vulnerability published on 2019) | ThinkPHP 5.X RCE
No CVE (vulnerability published on 2017) | Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075 | TOTOLink A3000RU command injection vulnerability
CVE-2015-2051 | D-Link devices – HNAP SOAPAction – Header command injection vulnerability
CVE-2014-9118 | ZHOME < S3.0.501 RCE
CVE-2017-18368 | Zyxel P660HN – unauthenticated command injection
CVE-2020-17456 | Seowon SLR 120 router RCE
CVE-2018-10823 | D-Link DWR command injection in various models

The new variant of the bot includes exploits for the following security issues:

AT&T researchers reported that the EnemyBot source code is available on GitHub, which means that threat actors can modify it to create their own version of the bot.

Researchers recommend properly configuring the firewall to protect devices exposed online, enabling automatic updates, and monitoring network traffic.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept).” concludes the report. “This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.”


Pierluigi Paganini

(SecurityAffairs – hacking, EnemyBot)

The post EnemyBot malware adds new exploits to target CMS servers and Android devices appeared first on Security Affairs.

Categories: Cyber Security News

Pro-Russian hacker group KillNet plans to attack Italy on May 30

Sun, 05/29/2022 - 14:43
Pro-Russian hacker group KillNet is again threatening Italy; it has announced a massive and unprecedented attack on May 30.

Pro-Russian ‘hacktivist’ group Killnet is one of the most active non-state actors operating since the beginning of the Russian invasion of Ukraine.

KillNet began its operations on 25 February 2022; before that, the group appeared to have been selling a cyber tool. The group has declared war on Anonymous and Western countries, and it runs its own Telegram channel with tens of thousands of members.

CyberKnow researchers published a timeline of the attacks conducted by the group.

CyberKnow speculates that the group has a semi-formally structured organization, a KillNet Order of Battle (ORBAT).

“With different levels of superiority, command lines and tasking. This does suggest that regardless of their sophistication levels, they have a sound level of command and control structure.” reads the analysis published by CyberKnow.

Italy is one of the gang’s main targets: the group has called its members to action, providing them with a list of Italian targets, including banks, media outlets, energy firms, and more. So far the attacks have not caused significant problems for the Italian entities; only three government websites were unreachable during the first wave of attacks.

Now the group has announced a massive attack against Italy, planned for Monday, May 30 at 05:00; the collective is also challenging Anonymous, which it considers its adversary.

Below are the messages published by Killnet on Telegram:

“May 30 – 05:00 the meeting point is Italy!” state the messages.

“I have always been interested in one question: does Russia generally support our activities? Since we will make an irreparable blow in Italy due to the war with Anonymous. Will we at least be remembered in our native land?”

The Italian CSIRT has published an alert warning that a potential risk of cyber attacks against national bodies and organizations has been identified.

Stay tuned …


Pierluigi Paganini

(SecurityAffairs – hacking, Killnet)

The post Pro-Russian hacker group KillNet plans to attack Italy on May 30 appeared first on Security Affairs.

Categories: Cyber Security News

Security Affairs newsletter Round 367 by Pierluigi Paganini

Sun, 05/29/2022 - 10:33
A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

If you also want to receive the free newsletter covering the international press, subscribe here.

Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks
The strange link between Industrial Spy and the Cuba ransomware operation
Reuters: Russia-linked APT behind Brexit leak website
GitHub: Nearly 100,000 NPM Users’ credentials stolen in the April OAuth token attack
Android pre-installed apps are affected by high-severity vulnerabilities
GhostTouch: how to remotely control touchscreens with EMI
FBI: Compromised US academic credentials available on various cybercrime forums
ERMAC 2.0 Android Banking Trojan targets over 400 apps
Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw
Exposed: the threat actors who are poisoning Facebook
Zyxel addresses four flaws affecting APs, AP controllers, and firewalls
Experts warn of a new malvertising campaign spreading the ChromeLoader
Do not use Tails OS until a flaw in the bundled Tor Browser will be fixed
Italy announced its National Cybersecurity Strategy 2022/26
Unknown APT group is targeting Russian government entities
International police operation led to the arrest of the SilverTerrier gang leader
Chaining Zoom bugs is possible to hack users in a chat by sending them a message
CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog
Trend Micro addressed a flaw exploited by China-linked Moshen Dragon APT
Microsoft warns of new highly evasive web skimming campaigns
Nation-state malware could become a commodity on dark web soon, Interpol warns
Russia-linked Turla APT targets Austria, Estonia, and NATO platform
Russia-linked Fronton botnet could run disinformation campaigns
A flaw in PayPal can allow attackers to steal money from users’ account
Cytrox’s Predator spyware used zero-day exploits in 3 campaigns
Threat actors target the infoSec community with fake PoC exploits
Security Affairs newsletter Round 366 by Pierluigi Paganini
North Korea-linked Lazarus APT uses Log4J to target VMware servers
The Pwn2Own Vancouver 2022: Trend Micro and ZDI awarded $1,155,000


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 367 by Pierluigi Paganini appeared first on Security Affairs.

Categories: Cyber Security News

US man sentenced to 4 years in prison for his role in Infraud scheme

Sun, 05/29/2022 - 09:39
A man from New York was sentenced to four years in prison for trading stolen credit card data and assisting the Infraud Organization.

John Telusma (aka ‘Peterelliot’), a 37-year-old man from New York, was sentenced this week to four years in prison for purchasing stolen or compromised credit cards and assisting the Infraud Organization in monetizing its fraudulent activity. Telusma is the 14th defendant arrested for his role in the Infraud scheme.

“A New York man was sentenced Wednesday to four years in prison for purchasing stolen or compromised credit cards and assisting other members of the Infraud Organization in monetizing their fraudulent activity.” reads the press release published by DoJ.

The Infraud Organization’s motto was “In Fraud We Trust”; it played a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained Deputy Assistant Attorney General David Rybicki.

The Infraud Organization used a number of websites to commercialize the data. It ran a classic and efficient e-commerce operation for stolen card and personal data, complete with a rating and feedback system and an escrow service for payments in digital currencies like Bitcoin.

The transnational cybercrime ring was engaged in the mass acquisition and sale of fraud-related goods and services, including stolen identities, compromised credit card data, and computer malware.

The Infraud Organization is responsible for the purchase and sale of over four million stolen credit and debit card numbers. The fraudulent activities conducted by the gang cost victims more than $568 million.

Telusma pleaded guilty to one count of racketeering conspiracy on October 13, 2021. He joined the gang in August 2011 and worked for the organization for five-and-a-half years; the DoJ states that he was among the most prolific and active members of the gang.


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post US man sentenced to 4 years in prison for his role in Infraud scheme appeared first on Security Affairs.

Categories: Cyber Security News

Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks

Sat, 05/28/2022 - 11:55
360 Qihoo reported DDoS attacks launched by APT-C-53 (aka Gamaredon) conducted through the open-source DDoS Trojan program LOIC.

Researchers at 360 Qihoo observed a wave of DDoS attacks launched by the Russia-linked APT-C-53 (aka Gamaredon) and reported that the threat actors also released the code of a DDoS Trojan called LOIC as open source. The malware samples spotted by the experts were compiled in early March, a few days after the Russian invasion of Ukraine began.

“We found that multiple C2 servers distributed an open-source DDoS Trojan program LOIC compiled by .net from March 4th to 5th, 2022.” reads the analysis published by 360 Qihoo.

While monitoring the activity of the APT group, experts observed threat actors conducting multiple attacks, including phishing campaigns and malware attacks. The experts were able to locate the C2 infrastructure used by the nation-state actors.

Below is the list of domains involved in the DDoS attacks:

The malicious code distributed by the APT group includes hardcoded IP addresses and ports for the targets.

“The distribution of the LOIC Trojan may be the prelude to a new round of DDoS attacks.” conclude the researchers, who also shared indicators of compromise for the attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

The post Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks appeared first on Security Affairs.

Categories: Cyber Security News
