- Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches
- Devices from Dell, HP, and Lenovo used outdated OpenSSL versions
- Google fixed the eighth actively exploited #Chrome #zeroday this year
- Experts investigate WhatsApp data leak: 500M user records for sale
- An international police operation dismantled the spoofing service iSpoof
- UK urges to disconnect Chinese security cameras in government buildings
- RansomExx Ransomware upgrades to Rust programming language
- An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware
- Threat actors exploit discontinued Boa web servers to target critical infrastructure
- Pro-Russian group Killnet claims responsibility for DDoS attack that has taken down the European Parliament site
- Ducktail information stealer continues to evolve
- Experts claim that iPhone’s analytics data is not anonymous
- Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966
- Exclusive – Quantum Locker lands in the Cloud
- 5 API Vulnerabilities That Get Exploited by Criminals
- Researcher warns that Cisco Secure Email Gateways can easily be circumvented
- Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem
- Two Estonian citizens arrested in $575M cryptocurrency fraud scheme
- Emotet is back and delivers payloads like IcedID and Bumblebee
- Expert published PoC exploit code for macOS sandbox escape flaw
- Google won a lawsuit against the Glupteba botnet operators
- Google provides rules to detect tens of cracked versions of Cobalt Strike
- Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild
- PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online
(SecurityAffairs – hacking, newsletter)
The U.S. Federal Communications Commission (FCC) announced the total ban for telecom and surveillance equipment from Chinese companies Huawei, ZTE, Hytera, Hikvision, and Dahua due to an “unacceptable” national security threat.
The US government had already added the companies to the Covered List, and the new rules aim to protect Americans from national security threats involving telecommunications.
“The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks.” reads the announcement published by FCC. “In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.”
“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”
The new rules implement the directive in the Secure Equipment Act of 2021, which was signed by President Biden in November.
Chinese firms Hytera, Hikvision, and Dahua have to provide details about the safeguards they have implemented on the sale of their devices for government use and the surveillance of critical infrastructure facilities.
The FCC explained that the above companies are subject to the exploitation, influence and control of the Chinese government, and the national security risks associated with such exploitation, influence, and control.
This week, the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing them.
(SecurityAffairs – hacking, Federal Communications Commission)
The post US FCC bans the import of electronic equipment from Chinese firms appeared first on Security Affairs.
Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches
At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.
The threat actor offered the stolen data for sale on the popular hacking forum Breached Forums. In January, a report published on HackerOne claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options.
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities”
The seller claimed that the database contained data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of the data in the form of a CSV file.
In August, Twitter confirmed that the data breach was caused by the now-patched zero-day flaw submitted by the researcher zhirinovskiy via bug bounty platform HackerOne, and that he received a $5,040 bounty.
“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads the Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.
“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
This week, the website 9to5mac.com claimed that the data breach was worse than initially reported by the company. The website reports that multiple threat actors exploited the same flaw and that the data available in the cybercrime underground comes from different sources.
“A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.” reads the post published by 9to5mac.com
(Image source: Twitter account @sonoclaudio)
9to5Mac’s claims are based on the availability of a dataset that contained the same information in a different format, offered by a different threat actor. The source told the website that the database was “just one of a number of files they have seen.” It seems that the impacted accounts are only those that had the “Discoverability | Phone” option (which is hard to find within Twitter’s settings) enabled in late 2021.
The archive seen by 9to5Mac includes data belonging to Twitter users in the UK, almost every EU country, and parts of the US.
“I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999.” the source told 9to5Mac. “Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.”
The experts speculate that multiple threat actors had access to the Twitter database and combined it with data from other security breaches.
The security researcher behind the account @chadloder (Twitter after the disclosure of the news) told 9to5Mac that the “email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”
The researcher told the website that they would reach out to Twitter for comment, but the entire media relations team left the company.
Update: After discussing with my colleague @sonoclaudio, we noticed that the post on the popular breach forum reports that 1.4 accounts were suspended. Now the question is, why months after the accounts were suspended, the data were still present in the database? Which is the retention period for Twitter? Does Twitter violate the GDPR for European users?
(SecurityAffairs – hacking, Twitter)
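The flaw described above was an enumeration oracle: a signup duplicate check that answered "this phone/email belongs to account X" regardless of the user's discoverability setting. The following Python is an added example, not Twitter's code, showing the leaky pattern beside a hardened one: the duplicate check returns the same response whether or not the identifier is registered (the real outcome goes out-of-band to the identifier's owner), and the only lookup path that can map a contact to an account consults the privacy flag and makes "opted out" indistinguishable from "not registered". The accounts, identifiers and function names are constructed for the demonstration.

```python
# Added example (not Twitter's code): an identifier lookup that honours the
# user's discoverability setting and answers uniformly, beside the leaky
# duplicate-check pattern the report describes. All accounts are constructed.
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable: bool  # the "let others find me by phone/email" privacy setting


# Constructed sample directory; none of these are real accounts.
ACCOUNTS = [
    Account(1001, "alice@example.org", "+15550000001", discoverable=True),
    Account(1002, "bob@example.org", "+15550000002", discoverable=False),
]


def _find(identifier: str) -> Optional[Account]:
    """Constant-time field comparison so response timing does not leak a match."""
    for acct in ACCOUNTS:
        if hmac.compare_digest(acct.email, identifier) or hmac.compare_digest(acct.phone, identifier):
            return acct
    return None


def leaky_duplicate_check(identifier: str) -> dict:
    """Vulnerable pattern: the signup duplicate check reveals whether the
    identifier is taken, and even which account, ignoring the privacy flag."""
    acct = _find(identifier)
    if acct is not None:
        return {"available": False, "user_id": acct.user_id}
    return {"available": True}


def hardened_duplicate_check(identifier: str) -> dict:
    """Hardened pattern: the response is identical whether or not the identifier
    is registered; the real outcome is delivered out-of-band (e-mail or SMS to
    the identifier's owner), so the endpoint cannot be used as an oracle."""
    _ = _find(identifier)  # the lookup still happens, but its result is never echoed
    return {"status": "If this contact is eligible, a verification code has been sent."}


def discoverable_lookup(identifier: str) -> dict:
    """The one path allowed to map a phone/e-mail to an account (contact sync):
    it checks the discoverability flag, and 'opted out' looks exactly like
    'not registered'."""
    acct = _find(identifier)
    if acct is not None and acct.discoverable:
        return {"found": True, "user_id": acct.user_id}
    return {"found": False}
```

Uniform responses stop the oracle but not the volume: a per-client lookup budget on the discoverable path is still needed, since the page's own sources describe the vulnerability being fed with existing 100M+ address lists.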
Binarly researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.
The OpenSSL software library enables secure communications over computer networks, protecting against eavesdropping and allowing each party to identify the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
The researchers discovered the issue by analyzing firmware images used in devices from the above manufacturers.
EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications.
The main EDK II repository is hosted on GitHub and is frequently updated.
The experts first analyzed Lenovo Thinkpad enterprise devices and discovered that they used different versions of OpenSSL in the firmware image.
Lenovo Thinkpad enterprise devices used three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The most recent OpenSSL version was released in 2018.
“Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years.” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip. This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”
One of the firmware modules named InfineonTpmUpdateDxe uses the OpenSSL version 0.9.8zb that was released on August 4, 2014.
The researchers found that the most recent OpenSSL version used on Lenovo enterprise devices dates back to the summer of 2021.
The following image reports for each vendor all the versions of OpenSSL detected by the Binarly Platform in the wild:
The experts pointed out that the same device firmware code often relies on different versions of OpenSSL.
The reason for this design choice is that the supply chain of third-party code depends on their own code base, which is often not available to device firmware developers. The researchers explained that this introduces an extra layer of supply chain complexity.
“Most of the OpenSSL dependencies are linked statically as libraries to specific firmware modules that create compile-time dependencies which are hard to identify without deep code analysis capabilities.” continues the report. “Historically the problem within third-party code dependencies is not an easy issue to solve at the compiled code level.”
The experts noticed that devices from Dell and Lenovo relied on version 0.9.8l, which dates back to 2009.
Some Lenovo devices used version 1.0.0a, which dates back to 2010, while all three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w, which dates back to 2012.
“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” concludes the report. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
(SecurityAffairs – hacking, firmware)
The post Devices from Dell, HP, and Lenovo used outdated OpenSSL versions appeared first on Security Affairs.
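The report's closing recommendation, validating the SBOM at the binary level, can be approximated for OpenSSL because every OpenSSL build embeds its `OPENSSL_VERSION_TEXT` string (for example `OpenSSL 1.0.2j  26 Sep 2016`). The Python below is an added example, not Binarly's platform or any vendor's tooling: it recovers the version strings statically linked into each firmware module, compares them with what the vendor's SBOM declares, and flags anything older than a chosen baseline. The module blobs and the SBOM are constructed; `InfineonTpmUpdateDxe` is the module name from the report, the other module names are hypothetical.

```python
# Added example (not Binarly's tooling): recover the OpenSSL version strings
# statically linked into firmware modules and check them against the vendor's
# SBOM. Module blobs are constructed; only InfineonTpmUpdateDxe is a module
# name taken from the report, the others are hypothetical.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# OpenSSL embeds its OPENSSL_VERSION_TEXT ("OpenSSL 1.0.2j  26 Sep 2016") in
# every build; this regex recovers the version token from the raw binary.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def version_key(version: str) -> Tuple[int, int, int, str]:
    """Sort key for classic OpenSSL versions (0.9.8zb < 1.0.0a < 1.0.2j < 1.1.1l)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def find_openssl_versions(blob: bytes) -> List[str]:
    """All distinct OpenSSL versions whose version text appears in the blob."""
    found = {m.group(1).decode("ascii") for m in VERSION_RE.finditer(blob)}
    return sorted(found, key=version_key)


def validate_sbom(modules: Dict[str, bytes], sbom: Dict[str, str], baseline: str) -> Dict[str, List[str]]:
    """Compare what each module really links against the SBOM's claim, and
    report versions older than the baseline the organisation accepts."""
    findings = defaultdict(list)
    for name, blob in modules.items():
        found = find_openssl_versions(blob)
        declared = sbom.get(name)
        if found and declared is None:
            findings[name].append(f"links OpenSSL {', '.join(found)} but the SBOM lists no OpenSSL")
        elif declared is not None and declared not in found:
            findings[name].append(f"SBOM declares {declared}, binary contains {found or 'no OpenSSL'}")
        for v in found:
            if version_key(v) < version_key(baseline):
                findings[name].append(f"OpenSSL {v} is older than baseline {baseline}")
    return dict(findings)


# Constructed firmware modules (padding bytes stand in for code).
SAMPLE_MODULES = {
    "InfineonTpmUpdateDxe": b"\x90" * 16 + b"OpenSSL 0.9.8zb 4 Aug 2014\x00" + b"\x00" * 8,
    "HypotheticalNetDxe": b"\x90" * 16 + b"OpenSSL 1.1.1l\x00",
    "HypotheticalCryptoDxe": b"OpenSSL 1.0.2j\x00" + b"\xcc" * 8,
}
# Constructed vendor SBOM: what the vendor claims each module links.
SAMPLE_SBOM = {"InfineonTpmUpdateDxe": "1.0.2j", "HypotheticalNetDxe": "1.1.1l"}

if __name__ == "__main__":
    for module, issues in validate_sbom(SAMPLE_MODULES, SAMPLE_SBOM, "1.1.1").items():
        for issue in issues:
            print(f"{module}: {issue}")
```

A real firmware image first has to be split into its UEFI modules (the report's point about compile-time static linking is exactly why a whole-image string search would mix them up), and a module that strips or patches the version text will evade this check, so treat a clean result as absence of evidence rather than proof.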
Google rolled out an emergency security update for the desktop version of the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4135, that is actively exploited.
The CVE-2022-4135 vulnerability is a heap buffer overflow issue in the GPU component. The vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on November 22, 2022.
As usual, Google did not share technical details about the vulnerability, in order to give users time to update their Chrome installations.
“Google is aware that an exploit for CVE-2022-4135 exists in the wild.” reads the advisory published by Google. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
An attacker can exploit the heap buffer overflow to potentially gain arbitrary code execution on systems running vulnerable versions of the browser.
Google fixed the zero-day with the release of version 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows, which the company plans to roll out over the coming days/weeks.
The CVE-2022-4135 vulnerability is the eighth actively exploited Chrome zero-day addressed by Google this year; below is the list of the other zero-days fixed by the tech giant:
- CVE-2022-3075 (September 2) – Insufficient data validation in the Mojo collection of runtime libraries.
- CVE-2022-2856 (August 17) – Insufficient validation of untrusted input in Intents.
- CVE-2022-2294 (July 4) – Heap buffer overflow in the Web Real-Time Communications (WebRTC) component.
- CVE-2022-0609 (February 14) – Use-after-free issue that resides in the Animation component.
Chrome users are recommended to update their installations as soon as possible to neutralize attacks attempting to exploit the zero-day.
(SecurityAffairs – hacking, zero-day)
The post Google fixed the eighth actively exploited #Chrome #zeroday this year appeared first on Security Affairs.
Original post published by Cybernews: https://cybernews.com/news/whatsapp-data-leak/
On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers.
The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included.
Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).
The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers.
The threat actor told Cybernews they were selling the US dataset for $7,000, the UK – $2,500, and Germany – $2,000.
Such information is mostly used by attackers for smishing and vishing attacks, so we recommend that users remain wary of calls from unknown numbers and of unsolicited calls and messages.
WhatsApp is reported to have more than two billion monthly active users globally.
Upon request, the seller of WhatsApp’s database shared a sample of data with Cybernews researchers. There were 1097 UK and 817 US user numbers in the shared sample.
Cybernews investigated all the numbers included in the sample and managed to confirm that all of them are, in fact, WhatsApp users.
The seller did not specify how they obtained the database, suggesting they “used their strategy” to collect the data, and assured Cybernews all the numbers in the instance belong to active WhatsApp users.
Cybernews reached out to WhatsApp’s parent company, Meta, but received no immediate response. We will update the article as soon as we learn more.
The information on WhatsApp users could be obtained by harvesting information at scale, also known as scraping, which violates WhatsApp’s Terms of Service.
This claim is purely speculative. However, quite often, massive data dumps posted online turn out to be obtained by scraping.
Meta itself, long criticized for letting third parties scrape or collect user data, saw over 533 million user records leaked on a dark forum. The actor was sharing the dataset practically for free.
Leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud.
“In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data,” head of Cybernews research team Mantas Sasnauskas said. “We should ask whether an added clause of ‘scraping or platform abuse is not permitted in the Terms and Conditions’ is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”
If you want to know how to prevent data leaks, read the original post published by CyberNews.
About the author: Jurgita Lapienytė Chief Editor at CyberNews
(SecurityAffairs – hacking, WhatsApp)
The post Experts investigate WhatsApp data leak: 500M user records for sale appeared first on Security Affairs.
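The article attributes the dump to scraping of WhatsApp's contact-discovery feature, and the Twitter story above describes the same thing done against a number-space from `+XX 0000` to `+XX 9999`. From the platform side, both leave a signature in lookup logs: one client resolving far more distinct numbers than a phone's address book would, or stepping through numbers sequentially. The Python below is an added example, not WhatsApp's, Meta's or Twitter's code, that flags both patterns over constructed log lines; the log format, client ids, numbers (UK drama-reserved and constructed French ranges) and thresholds are assumptions.

```python
# Added example (not WhatsApp's or Meta's code): flag bulk contact-discovery
# scraping in constructed lookup logs. Log format, client ids, numbers and
# thresholds are all assumptions for the demonstration.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines: ISO timestamp, client id, looked-up phone number.
LOG_LINES = """\
2022-11-16T10:00:00 client-A +441632960000
2022-11-16T10:00:01 client-A +441632960001
2022-11-16T10:00:02 client-A +441632960002
2022-11-16T10:00:03 client-A +441632960003
2022-11-16T10:00:04 client-A +441632960004
2022-11-16T10:00:05 client-A +441632960005
2022-11-16T10:00:06 client-A +441632960006
2022-11-16T10:00:07 client-A +441632960007
2022-11-16T10:00:00 client-B +441632960100
2022-11-16T10:20:00 client-B +441632960555
2022-11-16T11:00:00 client-B +441632960042
2022-11-16T12:00:00 client-C +33612345670
2022-11-16T12:30:00 client-C +33612345671
2022-11-16T13:00:00 client-C +33612345672
2022-11-16T13:30:00 client-C +33612345673
"""

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, number = line.split()
        events.append((datetime.fromisoformat(ts), client, number))
    return events


def flag_scrapers(events: List[Event], window: timedelta = timedelta(minutes=5),
                  max_distinct: int = 5, seq_ratio: float = 0.8) -> Dict[str, str]:
    """Return {client: reason} for clients whose lookups look like scraping."""
    by_client = defaultdict(list)
    for ts, client, number in events:
        by_client[client].append((ts, number))
    flagged = {}
    for client, items in by_client.items():
        items.sort()
        # Volume: more distinct numbers inside one sliding window than contact sync needs.
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {num for _, num in items[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = f"{len(distinct)} distinct numbers within {window}"
                break
        # Sequential walk: consecutive lookups step through the number space by +1,
        # which a slow scraper can do without ever tripping the volume check.
        digits = [int(num.lstrip("+")) for _, num in items]
        if len(digits) >= 3:
            steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
            if steps / (len(digits) - 1) >= seq_ratio:
                flagged.setdefault(client, "sequential walk of the number space")
    return flagged


if __name__ == "__main__":
    for client, reason in flag_scrapers(parse_log(LOG_LINES)).items():
        print(f"{client}: {reason}")
```

`client-A` trips the volume check, `client-C` only the sequential check (one lookup every half hour), and `client-B` trips neither; the sequential test is what catches a scraper that has learned to stay under rate limits.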
An international law enforcement operation conducted by authorities in Europe, Australia, the United States, Ukraine, and Canada, with the support of Europol, has dismantled an online phone number spoofing service called iSpoof. The iSpoof service allowed fraudsters to impersonate trusted corporations or contacts in an attempt to gain access to sensitive information from victims.
Threat actors used the service to trick victims into disclosing financial or private information or transferring money.
“The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords.” reads the announcement published by Europol. “The users were able to impersonate an infinite number of entities (such as banks, retail companies and government institutions) for financial gain and substantial losses to victims.”
The ‘spoofing’ service is believed to have caused an estimated worldwide loss in excess of GBP 100 million (EUR 115 million).
“According to the police, some victims have seen their savings or pension pot disappear within hours.” reported the Dutch Police.
The investigation, dubbed Operation Elaborate, was launched in October 2021 at the request of the UK authorities. iSpoof was launched in December 2020, and authorities estimated it had 59,000 users.
“The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century. Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands.” London’s Metropolitan Police Commissioner Sir Mark Rowley stated. “By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people.”
In the coordinated effort led by the United Kingdom, 142 suspects have been arrested, including the administrator of the iSpoof website (ispoof[.]me and ispoof[.]cc).
The police seized the servers behind the service and two days later Ukrainian and U.S. agencies took them offline.
“The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located.” Europol’s Executive Director Ms Catherine De Bolle said. “Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.”
“As cybercrime knows no borders, effective judicial cooperation across jurisdictions is key in bringing its perpetrators to court. Eurojust supports national authorities in their efforts to protect citizens against online and offline threats, and to help see that justice gets done.” Eurojust President Mr Ladislav Hamran said.
(SecurityAffairs – hacking, iSpoof)
The post An international police operation dismantled the spoofing service iSpoof appeared first on Security Affairs.
Reuters reports that the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing them.
“The decision comes after a review of ‘current and future possible security risks associated with the installation of visual surveillance systems on the government estate,’ cabinet office minister Oliver Dowden said in a written statement to parliament.” states Reuters.
The security cameras of the two Chinese firms, Dahua and Hikvision, are widely adopted by a number of government departments, including the interior and business ministries.
Dowden pointed out that the surveillance cameras must be carefully scrutinized because of the capability and connectivity of these systems.
“The review has concluded that, in light of the threat to the UK and the increasing capability and connectivity of these systems, additional controls are required,” Dowden said. “Departments have therefore been instructed to cease deployment of such equipment onto sensitive sites, where it is produced by companies subject to the National Intelligence Law of the People’s Republic of China.”
The risk is related to the use of security cameras manufactured by Chinese-owned companies Dahua and Hikvision. Both companies are also on the Covered List maintained by the U.S. Federal Communications Commission (FCC).
The Covered List, published by the FCC’s Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
(SecurityAffairs – hacking, security cameras)
The post UK urges to disconnect Chinese security cameras in government buildings appeared first on Security Affairs.
The main reason to rewrite malware in Rust is to obtain lower AV detection rates compared to malware written in more common languages.
RansomExx2 was developed to target the Linux operating system, but experts believe that the ransomware operators are already working on a Windows version.
The RansomExx operation has been active since 2018; its victims include government agencies, the computer manufacturer and distributor GIGABYTE, and the Italian luxury brand Zegna. RansomExx is operated by the DefrayX threat actor group (Hive0091), which also developed the PyXie RAT, the Vatet loader, and the Defray ransomware strains.
The functionality implemented in RansomExx2 is very similar to previous RansomExx Linux variants.
“RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys.” reads the analysis published by IBM Security X-Force.
The ransomware iterates through the specified directories, enumerating and encrypting files. The malware encrypts any file greater than or equal to 40 bytes and gives a new file extension to each file.
RansomExx2 encrypts files using the AES-256 algorithm and drops a ransom note in each encrypted directory.
“RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and Blackcat).” concludes the report. “While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch to Rust suggests a continued focus on the development and innovation of the ransomware by the group, and continued attempts to evade detection.”
(SecurityAffairs – hacking, RansomExx ransomware)
The post RansomExx Ransomware upgrades to Rust programming language appeared first on Security Affairs.
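The behaviour X-Force describes (every file of 40 bytes or more rewritten as ciphertext, given a new extension, plus a note in each directory) is what a responder can look for on a Linux host regardless of whether the sample was written in C++ or Rust, which is the point of the language switch: it changes the binary, not the on-disk result. The Python below is an added example, not X-Force's or the ransomware's code and containing no encryption routine: it walks a directory tree and flags directories where several files of the same unfamiliar extension score near 8 bits/byte of Shannon entropy, recording whether a note-like file sits beside them. The sample tree, thresholds, extension list and note-name hints are constructed assumptions.

```python
# Added example (not X-Force's or RansomExx's code, and no encryption routine):
# a scanner that spots the on-disk traces the report describes: files of 40+
# bytes rewritten with high-entropy content, a new extension, and a ransom note
# per directory. The sample tree is constructed in a temporary directory.
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

MIN_ENCRYPTED_SIZE = 40    # from the report: files >= 40 bytes are encrypted
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext scores close to 8
MIN_HITS = 3               # assumed: suspect files needed to flag a directory
NOTE_HINTS = ("readme", "how_to", "decrypt", "recover")      # assumed generic note names
KNOWN_EXTS = frozenset({".txt", ".pdf", ".docx", ".log", ".csv"})  # assumed "normal" extensions


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: Path) -> Dict[str, dict]:
    """Return {directory: finding} for directories that look mass-encrypted."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        ext_counter = Counter()
        note_seen = False
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(".txt") and any(hint in lower for hint in NOTE_HINTS):
                note_seen = True
                continue
            data = path.read_bytes()
            if len(data) < MIN_ENCRYPTED_SIZE or path.suffix.lower() in KNOWN_EXTS:
                continue  # below the size floor, or an extension we expect to see
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                ext_counter[path.suffix.lower()] += 1
        total = sum(ext_counter.values())
        # Many random-looking files that all share one unknown extension is the tell.
        if total >= MIN_HITS and len(ext_counter) == 1:
            findings[dirpath] = {
                "extension": next(iter(ext_counter)),
                "files": total,
                "ransom_note": note_seen,
            }
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: one clean directory, one that looks encrypted."""
    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    clean = root / "clean"
    clean.mkdir()
    for i in range(3):
        (clean / f"notes{i}.txt").write_text("quarterly report text " * 20)
    hit = root / "hit"
    hit.mkdir()
    for i in range(4):
        (hit / f"report{i}.docx.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (hit / "tiny.locked").write_bytes(b"x" * 10)   # under 40 bytes: untouched by the malware, ignored here
    (hit / "HOW_TO_RECOVER_FILES.txt").write_text("constructed ransom note placeholder")
    return root


if __name__ == "__main__":
    for directory, finding in scan_directory(build_sample_tree()).items():
        print(directory, finding)
```

Entropy alone is noisy (compressed archives and media also score high), which is why the check requires several files sharing one unfamiliar extension and reports the note separately rather than depending on it; a real deployment would also pull the file modification times to reconstruct the encryption timeline.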
An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware
Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.
In the last two weeks, the experts observed attacks against more than 10 different US-based customers.
Black Basta has been active since April 2022 and, like other ransomware operations, it implements a double-extortion attack model. Security researchers at Sentinel Labs recently shared details about Black Basta’s TTPs and assess it is highly likely that the ransomware operation has ties with FIN7.
“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network. QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials.” reads the report published by Cybereason. “Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware—namely, ransomware.”
The attack chain starts with a QBot infection; the operators then use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.
The researchers noticed that once they obtain access to the network, the threat actors move extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.
The threat actor was also spotted locking the victims out of the network by disabling DNS services, making the recovery even more complex.
In most of the attacks observed by the experts, the spear-phishing email contains a malicious disk image file. Upon opening the file, Qbot is executed, then the malware connects to a remote server to retrieve the Cobalt Strike payload.
Threat actors perform credential harvesting and lateral movement and use the gathered credentials to compromise as many endpoints as possible and deploy the Black Basta ransomware.
Experts observed the attackers looking for machines without a defense sensor, in an attempt to deploy additional malicious tools without being detected.
The report includes indicators of compromise for this threat.
(SecurityAffairs – hacking, Black Basta ransomware)
Microsoft experts believe that threat actors behind a malicious campaign aimed at Indian critical infrastructure earlier this year have exploited security flaws in a now-discontinued web server called Boa.
The Boa web server is widely used across a variety of devices, including IoT devices, and is often used to access settings and management consoles as well as sign-in screens. The experts pointed out that Boa has been discontinued since 2005.
Researchers at Recorded Future observed several intrusion attempts on Indian critical infrastructure since 2020 and shared IoCs related to this campaign. Microsoft experts analyzed these IoCs and discovered that Boa servers were running on the IP addresses in the list; they also explained that the electrical grid attack targeted exposed IoT devices running Boa.
Microsoft also discovered that half of the IP addresses in the list published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of a malicious tool identified by Recorded Future.
“Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators.” reads the report published by Recorded Future. “Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.”
Microsoft experts explained that despite Boa being discontinued in 2005, many vendors across a variety of IoT devices and popular software development kits (SDKs) continue to use it.
The researchers identified over 1 million internet-exposed Boa server components around the world over the span of a week.
“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices.” reads the report published by Microsoft.
“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”
Boa is known to be affected by multiple flaws, including CVE-2017-9833 and CVE-2021-33558, which can allow unauthenticated attackers to read arbitrary files, obtain sensitive information, and gain remote code execution.
“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network.” concludes the report.
“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations.”
(SecurityAffairs – hacking, Boa)
The post Threat actors exploit discontinued Boa web servers to target critical infrastructure appeared first on Security Affairs.
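Microsoft's finding that affected organisations "may be unaware that their devices run services using the discontinued Boa web server" is an inventory problem: the server usually announces itself in its `Server` response header. The Python below is an added example, not Microsoft's or Recorded Future's tooling, that parses raw HTTP responses gathered from an internal asset scan, extracts the `Server` banner, and lists hosts running Boa with the version string so they can be traced back to the device and SDK that embed it. The responses, the TEST-NET addresses and the `Boa/0.94.14rc21` banner are constructed samples.

```python
# Added example (not Microsoft's or Recorded Future's tooling): parse raw HTTP
# responses from an asset inventory and flag hosts whose Server banner
# identifies the discontinued Boa web server. Responses and the TEST-NET
# addresses are constructed for the demonstration.
import re
from typing import Dict, List, Optional

BOA_RE = re.compile(r"^Boa/(\S+)", re.IGNORECASE)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the response headers as a lower-cased name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_banner(raw: bytes) -> Optional[str]:
    return parse_headers(raw).get("server")


def classify_host(ip: str, raw: bytes) -> dict:
    """Describe one host; 'boa' is True when the banner names the Boa server."""
    banner = server_banner(raw)
    match = BOA_RE.match(banner) if banner else None
    return {
        "ip": ip,
        "server": banner,
        "boa": match is not None,
        "boa_version": match.group(1) if match else None,
        "risk": "Boa discontinued in 2005; known flaws receive no upstream fix" if match else None,
    }


def boa_inventory(responses: Dict[str, bytes]) -> List[dict]:
    """Hosts (sorted by IP) whose banner identifies Boa."""
    results = [classify_host(ip, responses[ip]) for ip in sorted(responses)]
    return [r for r in results if r["boa"]]


# Constructed responses from three hosts on the TEST-NET-1 range.
SAMPLE_RESPONSES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>login</html>",
    "192.0.2.11": b"HTTP/1.1 200 OK\r\nServer: nginx/1.22.0\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "192.0.2.12": b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
}

if __name__ == "__main__":
    for host in boa_inventory(SAMPLE_RESPONSES):
        print(f"{host['ip']}: {host['server']} ({host['risk']})")
```

A device whose firmware hides or rewrites the banner will not show up here, and a hit only tells you the component is present, not which of the known Boa flaws its vendor build still carries; the list is the starting point for asking the vendor for its SBOM, not a substitute for it.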
In late July 2022, researchers from WithSecure (formerly F-Secure Business) discovered an ongoing operation, named DUCKTAIL, that was targeting individuals and organizations that operate on Facebook’s Business and Ads platform.
Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.
The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.
The end goal is to hijack Facebook Business accounts managed by the victims.
The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers contacted the victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud, and MediaFire.
After a short pause, the DUCKTAIL campaign returned with slight changes in its TTPs.
Starting on September 6, 2022, the researchers detected new samples in the wild belonging to a new variant that uses the .NET 7 NativeAOT feature, which allows binaries to be compiled natively (ahead-of-time) from .NET code. The format of these binaries differs from the one used by traditional .NET assemblies.
“NativeAOT offers similar benefits to the .NET single-file feature that previous DUCKTAIL variants used for compilation, especially because they can be compiled as a framework independent binary that doesn’t require .NET runtime to be installed on the victim’s machine.” reads the report published by WithSecure.
Between October 2 and 4, 2022, the security firm discovered new DUCKTAIL samples being submitted to VirusTotal from Vietnam. The samples contained a mixture of old and new DUCKTAIL variant code bases, compiled as self-contained .NET Core 3 Windows binaries, which suggests that the group is shifting to self-contained applications. On October 5, the operators started distributing DUCKTAIL malware to victims as self-contained .NET Core Windows binaries, abandoning NativeAOT and reverting to self-contained .NET binaries.
The analysis of the variants written in .NET Core 3 revealed the presence of unused anti-analysis functions that were copied from a GitHub repository. This is yet another indication of the threat actor’s continuous efforts to evade analysis and detection mechanisms.
WithSecure observed several multi-stage subvariants of DUCKTAIL that are used to deliver the final payload; the researchers highlighted that this is the primary information stealer in all cases.
“The malware still relies on Telegram as its C&C channel. At the time of writing, three active Telegram bots and channels were observed in the latest campaign, with the threat actor re-using the same Telegram chats that were initially discovered, indicating that only the bots (and access tokens) were refreshed with stricter administrator rights” concludes the report. “An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program.”
Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966
Microsoft released an out-of-band update to address issues caused by a recent Windows security patch that causes Kerberos authentication problems.
An attacker can trigger the CVE-2022-37966 flaw to gain administrator privileges on vulnerable systems.
“An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.” reads the advisory published by Microsoft.
After the release of the Patch Tuesday security updates, users started reporting issues related to the Kerberos authentication.
The IT giant investigated the reports and developed an out-of-band update to fix the problems.
“There is a known issue documented in the security updates that address this vulnerability, where Kerberos authentication might fail for user, computer, service, and GMSA accounts when serviced by Windows domain controllers that have installed Windows security updates released on November 8, 2022. Has an update been released that addresses this known issue?” continues the advisory.
“Yes. The issue is addressed by out-of-band updates released to Microsoft Update Catalog on and after November 17, 2022. Customers who have not already installed the security updates released on November 8, 2022 should install the out-of-band updates instead. Customers who have already installed the November 8, 2022 Windows security updates and who are experiencing issues should install the out-of-band updates.”
The IT giant recommends that customers who have yet to install the security updates released on November 8, 2022 install only the out-of-band updates. Customers who have already installed the Patch Tuesday security updates and are experiencing issues should install the out-of-band updates.
Microsoft is not aware of attacks in the wild exploiting the CVE-2022-37966 flaw.
- Quantum Locker gang demonstrated capabilities to operate ransomware extortion even on cloud environments such as Microsoft Azure.
- Criminal operators of the Quantum gang demonstrated the ability to hunt and delete secondary backup copies stored in cloud buckets and blobs.
- Quantum Locker gang targets IT administration staff to gather sensitive network information and credential access.
- During their intrusions, Quantum operators steal access to enterprise cloud file storage services such as Dropbox, to gather sensitive credentials.
- Cloud root account takeovers were observed in Q4 2022 during Quantum gang intrusions in Northern Europe.
In recent weeks, the Belgian company Computerland shared insights with the European threat intelligence community about the Quantum TTPs adopted in recent attacks. The shared information revealed that the Quantum gang used a particular modus operandi to target large enterprises relying on cloud services in the NACE region.
The disclosed technical details about recent intrusions confirm the ability of the Quantum Locker gang to conduct sabotage and ransomware attacks even against companies heavily relying on cloud environments.
For instance, the TTPs employed in a recent attack include the complete takeover of the company’s Microsoft cloud services through compromise of the root account (T1531). Such an action is particularly harrowing for the victim company: all Microsoft services and users, including email services and regular users, remain unusable until the vendor responds, which can take days depending on the reset request verification process.
In addition, the insights into Q4 2022 attacks report that Quantum Locker operators are able to locate and delete all of the victim’s Microsoft Azure Blob storage to achieve secondary backup annihilation and business data deletion (T1485). Even if cloud services can theoretically support the restoration of old blobs and buckets, recovery of “permanently deleted” data often requires days and may not even be available due to the provider’s internal technical restrictions.
The favorite initial targets of Quantum operators during their recent activities in Northern Europe were IT administrators and networking staff. By accessing their personal resources and shared Dropbox folders, the threat actors were able to gather sensitive administrative credentials and extend the attack to the cloud surface (T1530).
Incident insights from the Belgian firm also confirm that Quantum is coupling these new techniques with more traditional ransomware delivery techniques, such as the modification of domain Group Policies (T1484.001) to distribute ransomware across on-prem Windows machines and users’ laptops, along with the abuse of the legitimate AnyDesk software as a remote access tool (T1219).
Also, during the recent intrusions, Quantum operators extensively altered the configuration of endpoint defense tools such as Microsoft Defender (T1562.001). Threat actors were able to programmatically insert ad hoc exclusions to blind the onboard endpoint protection without raising any shutdown warning.
The Belgian firm also reports that Quantum Locker’s average encryption speed in a real-world hybrid cloud scenario is around 13 MB/s, considerably slower than ransomware families that adopt intermittent encryption, which extends responders’ window of opportunity for timely interception and containment.
Threat Actor Brief
Quantum Locker ransomware was originally born from the ashes of the MountLocker ransomware program operated by Russian-speaking cybercriminals back in 2020. Before taking its current name, Quantum Locker was rebranded several times, first as AstroLocker and then as XingLocker.
Quantum Locker was also involved in many high-profile attacks, such as the one on the Israeli security company BeeSense, the alleged attack on the local administration of the Sardinia region in Italy, and attacks on government agencies in the Dominican Republic.
Indicators of Compromise
- Intrusion and exfiltration infrastructure:
  - 146.70.87,66 M247-LOS-ANGELES US
  - 42.216.183,180 NorthStar CN
- Distribution infrastructure:
  - 146.70.87,186 M247-LOS-ANGELES
About the author: Luca Mella, Cyber Security Expert
It’s no secret that cyber security has become a leading priority for most organizations — especially those in industries that handle sensitive customer information. And as these businesses work towards building robust security strategies, it’s vital that they account for various threat vectors and vulnerabilities.
One area that requires significant scrutiny is API security. APIs, short for application programming interfaces, have become a common building block for digitally enabled organizations. They facilitate communication as well as critical business operations, and they also support important digital transformations. It’s no surprise then that the average number of APIs per company increased 221% in the last year.
Crafting an API security strategy is a complex task. APIs have unique threat implications that aren’t fully solved by web application firewalls or identity and access management solutions. The first step to getting it right is to understand what the common vulnerabilities are.
5 Common API Vulnerabilities Explained
In its API Security Top 10, the Open Web Application Security Project (OWASP) identifies the top ten threats to APIs. Below, we take a closer look at some of the most common.
1. Broken Object Level Authentication (BOLA)
APIs with broken object level authentication allow attackers to easily exploit API endpoints by manipulating the ID of an object sent within an API request. The result? BOLA authorization flaws can lead to unauthorized viewing, modification or destruction of data, or even a full account takeover.
Today, BOLA accounts for 40% of all API attacks. One of the primary reasons these attacks are so prevalent is that traditional security controls like WAFs or API gateways can’t identify them as anomalous to baseline API behavior. Instead, businesses need an API solution that can spot when an authenticated user is trying to gain unauthorized access to another user’s data.
2. Broken User Authentication
There are a number of factors that can lead to broken user authentication in an API. This includes weak password complexity or poor password hygiene, missing account lockout thresholds, long durations for password or certificate rotations, or relying on API keys alone for authentication.
When an API experiences broken user authentication, cyber criminals can use authentication-related attacks like credential stuffing and brute-force attacks to gain access to applications. Once they’re in, the attackers can then take over user accounts, manipulate data, or make unauthorized transactions.
Traditional security methods often lack the ability to track traffic over time, meaning they can’t easily identify high-volume attacks like credential stuffing. As such, an API security solution should be able to identify abnormal behavior against a typical authentication sequence.
3. Excessive Data Exposure
A common issue with most APIs is that, for the sake of efficiency, they’re often set up to share more information than is needed in an API response. They then leave it to the client application to filter the information and render it for the user. This is problematic because attackers can use the redundant data to extract sensitive information from the API.
While some traditional security solutions can identify this type of vulnerability, they can’t always differentiate between legitimate data returned by the API and sensitive data that shouldn’t be returned. This means an API security solution should be able to spot when a user is consuming too much sensitive data.
4. Lack of Resources and Rate Limiting
APIs don’t always have restrictions for the number of resources that can be requested by the client or a user. This leaves them open to server disruptions that cause denial of service, as well as brute-force and enumeration attacks against APIs responsible for authentication and data fetching. Plus, attackers can set up automated attacks against APIs that don’t have limits, including credential cracking and token cracking.
Traditional solutions will have some basic rate limiting functionality, but it’s not always easy to deploy at scale. As such, these security tools often lack the context required to flag an attack when it’s happening. A modern API security solution should be able to identify any activity that falls outside of normal usage values.
5. Security Misconfiguration
There are a number of security misconfigurations that can accidentally introduce vulnerabilities into APIs. These include incomplete configurations, misconfigured HTTP headers, verbose error messages, open cloud storage, and more. Attackers can leverage these to learn more about the API components, and then exploit the misconfigurations as part of their attack.
Close the Gaps
Comprehensive API solutions can identify these misconfigurations and provide remediation suggestions.
Attackers are always evolving their strategies for compromising APIs, looking for new threat vectors and leveraging new vulnerabilities. What’s common in most successful attacks is that they target gaps in business logic. This means that to establish a proactive API security strategy, organizations must account for these gaps at every step.
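As an added example that ties together the BOLA and excessive data exposure items above (this is illustrative code, not code from the article or from OWASP), the snippet shows one API handler in its BOLA-prone form and in a fixed form that enforces object-level authorization and an allow-list of response fields, plus a simple detector for the cross-user probing pattern an API security solution is expected to spot. All names and the sample access log are constructed.

```python
"""Constructed example: object-level authorization on an invoice lookup
endpoint, vulnerable and fixed, plus log-based detection of ID probing."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float
    card_last4: str  # sensitive: must never be returned unfiltered


# Constructed sample store: two users (7 and 8), one invoice each.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.0, card_last4="4242"),
    1002: Invoice(1002, owner_id=8, amount=9.99, card_last4="1881"),
}


class NotFound(Exception):
    """Raised for both missing objects and objects the caller does not own,
    so the response does not confirm that a guessed ID exists."""


def get_invoice_bola(session_user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable handler: the caller is authenticated (session_user_id comes
    from a valid session) but ownership of the requested object is never
    checked, and the whole record, sensitive fields included, is returned."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv  # any authenticated user can read any invoice


PUBLIC_FIELDS = ("invoice_id", "amount")  # allow-list; card_last4 stays server-side


def get_invoice_fixed(session_user_id: int, invoice_id: int) -> dict:
    """Fixed handler: verify that the object belongs to the session user, then
    serialize only allow-listed fields instead of leaving filtering to the client."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        raise NotFound(invoice_id)
    return {field: getattr(inv, field) for field in PUBLIC_FIELDS}


def fixed_denies(session_user_id: int, invoice_id: int) -> bool:
    """True when the fixed handler refuses the request."""
    try:
        get_invoice_fixed(session_user_id, invoice_id)
    except NotFound:
        return True
    return False


def detect_object_probing(access_log, threshold: int = 3) -> dict:
    """Flag authenticated users whose requests were refused for at least
    `threshold` distinct object IDs. Entries are (user_id, object_id, status)
    as an API gateway would log them once the backend returns 404 for foreign
    objects; a single mistyped ID stays below the threshold."""
    refused = defaultdict(set)
    for user_id, object_id, status in access_log:
        if status == 404:
            refused[user_id].add(object_id)
    return {u: sorted(ids) for u, ids in refused.items() if len(ids) >= threshold}


# Constructed gateway log: user 7 walks sequential IDs after its own invoice,
# user 8 only reads its own, user 9 makes one bad request.
SAMPLE_LOG = [
    (7, 1001, 200), (7, 1002, 404), (7, 1003, 404), (7, 1004, 404), (7, 1005, 404),
    (8, 1002, 200), (8, 1002, 200),
    (9, 1010, 404),
]

if __name__ == "__main__":
    print("BOLA leak:", get_invoice_bola(7, 1002))      # user 7 reads user 8's card digits
    print("fixed:", get_invoice_fixed(7, 1001))          # only allow-listed fields
    print("probing users:", detect_object_probing(SAMPLE_LOG))
```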
About the Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora.
The post 5 API Vulnerabilities That Get Exploited by Criminals appeared first on Security Affairs.
An anonymous researcher publicly disclosed a series of techniques to bypass some of the filters in Cisco Secure Email Gateway appliance and deliver malware using specially crafted emails.
The researcher pointed out that the attack complexity is low and added that working exploits have already been published by a third party. The technique was disclosed within a coordinated disclosure procedure.
“This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame.” wrote the researcher on the Full Disclosure mailing list. “As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known.”
The researcher explained that Cisco Secure Email Gateways can be circumvented by a remote attacker who leverages the error tolerance and differing MIME decoding capabilities of email clients.
The methods disclosed by the researcher could allow attackers to bypass the Cisco Secure Email Gateway; they work against several email clients, such as Outlook, Thunderbird, Mutt, and Vivaldi.
The three methods are:
- Method 1: Cloaked Base 64 – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts several Email Clients, including Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build 16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit), Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.
- Method 2: yEnc Encoding – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Mozilla Thunderbird 91.11.0 (64-bit) email client.
- Method 3: Cloaked Quoted-Printable – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1 Email Clients.
Cisco published a bug report warning of an issue in the Sophos and McAfee scanning engines of Cisco Secure Email Gateway that could allow an unauthenticated, remote attacker to bypass specific filtering features.
“The issue is due to improper identification of potentially malicious emails or attachments. An attacker could exploit this issue by sending a malicious email with malformed Content-Type headers (MIME Type) through an affected device.” reads the alert. “An exploit could allow the attacker to bypass default anti-malware filtering features based on the affected scanning engines and successfully deliver malicious messages to the end clients.”
The issues impact devices running a default configuration.
The researcher explained that the code implementing the attack methods, and many similar techniques for manipulating MIME encoding, is available in an open-source toolkit for generating and testing bad MIME published on GitHub.
known for many years and have been found in the products of several vendors.
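As an added, defender-side example (illustrative code, not from the disclosure, Cisco, or the GitHub toolkit mentioned above), the check below makes the strict-versus-tolerant decoding difference concrete: a gateway accepts only RFC-canonical base64 and quoted-printable bodies and quarantines anything a tolerant client would still decode but a strict decoder rejects, as well as any non-standard transfer encoding. The sample bodies are constructed.

```python
"""Constructed example: flag MIME bodies whose decoded content a strict
scanner and a tolerant mail client would disagree about."""
import base64
import binascii
import quopri
import re

# RFC 2045 Content-Transfer-Encoding values a gateway knows how to handle.
STANDARD_ENCODINGS = {"7bit", "8bit", "binary", "base64", "quoted-printable"}
B64_CANONICAL = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")
QP_ESCAPE = re.compile(rb"=(?:[0-9A-F]{2}|\r?\n)")


def _strip_line_breaks(body: bytes) -> bytes:
    """MIME permits line breaks inside a base64 body; nothing else."""
    return body.replace(b"\r\n", b"").replace(b"\n", b"")


def base64_is_canonical(body: bytes) -> bool:
    """RFC 4648 form: alphabet characters only, padding only at the end,
    length a multiple of four once line breaks are removed."""
    joined = _strip_line_breaks(body)
    return bool(B64_CANONICAL.match(joined)) and len(joined) % 4 == 0


def quoted_printable_is_canonical(body: bytes) -> bool:
    """Every '=' must begin an uppercase hex escape (=2C) or a soft line break."""
    return all(QP_ESCAPE.match(body, m.start()) for m in re.finditer(rb"=", body))


def check_transfer_encoded_body(encoding: str, body: bytes) -> dict:
    """Decide whether the scanner can trust its own view of the decoded body.

    'divergent' is True when a strict decoder rejects the body but a tolerant
    one (the behaviour of many mail clients) still produces output: scanner and
    recipient would then see different content, so the message is quarantined
    rather than scanned and passed."""
    enc = encoding.strip().lower()
    if enc not in STANDARD_ENCODINGS:
        return {"canonical": False, "divergent": True, "action": "quarantine",
                "reason": "unrecognized Content-Transfer-Encoding"}
    if enc == "base64":
        canonical = base64_is_canonical(body)
        try:
            base64.b64decode(_strip_line_breaks(body), validate=True)
            strict_ok = True
        except (binascii.Error, ValueError):
            strict_ok = False
        try:
            base64.b64decode(body, validate=False)  # drops non-alphabet bytes silently
            tolerant_ok = True
        except (binascii.Error, ValueError):
            tolerant_ok = False
    elif enc == "quoted-printable":
        canonical = quoted_printable_is_canonical(body)
        strict_ok = canonical            # a strict decoder accepts canonical input only
        quopri.decodestring(body)        # the tolerant decoder never refuses input
        tolerant_ok = True
    else:
        canonical = strict_ok = tolerant_ok = True  # 7bit/8bit/binary: nothing to decode
    divergent = tolerant_ok and not strict_ok
    action = "pass" if canonical and not divergent else "quarantine"
    return {"canonical": canonical, "divergent": divergent, "action": action,
            "reason": "non-canonical transfer encoding" if action == "quarantine" else ""}


if __name__ == "__main__":
    # Constructed bodies: canonical base64 of "Hello, gateway", then the same
    # body with one stray byte that a tolerant decoder would silently skip.
    print(check_transfer_encoded_body("base64", b"SGVsbG8sIGdhdGV3YXk=\r\n"))
    print(check_transfer_encoded_body("base64", b"SGVsbG8s-IGdhdGV3YXk=\r\n"))
    print(check_transfer_encoded_body("quoted-printable", b"Hello=2c gateway"))
    print(check_transfer_encoded_body("yenc", b"=ybegin line=128"))
```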
The post Researcher warns that Cisco Secure Email Gateways can easily be circumvented appeared first on Security Affairs.
Aurora Stealer is an info-stealing malware that was first advertised on Russian-speaking underground forums in April 2022. Aurora was offered as Malware-as-a-Service (MaaS) by a threat actor known as Cheshire. It is a multi-purpose botnet with data stealing and remote access capabilities.
Researchers at SEKOIA identified 7 traffers teams on Dark Web forums that announced the availability of the Aurora Stealer in their arsenal, a circumstance that confirms the increased popularity of the malware among threat actors.

| Traffers team | Malware arsenal | Launch date | Last observed activity |
|---|---|---|---|
| RavenLogs | Aurora, Redline | 17/10/2022 | 14/11/2022 |
| BrazzersLogs | Aurora, Raccoon | 14/11/2022 | 14/11/2022 |
| DevilsTraff | Aurora, Raccoon | 30/10/2022 | 14/11/2022 |
| YungRussia | Aurora | 16/10/2022 | 31/10/2022 |
| Gfbg6 | Aurora | 14/09/2022 | 24/10/2022 |
| SAKURA | Aurora | 10/08/2022 | 04/11/2022 |
| HellRide | Aurora | 09/07/2022 | 15/07/2022 |
In October and November 2022, the researchers analyzed several hundred collected samples and identified dozens of active C2 servers. The experts also observed multiple infection chains leading to the deployment of Aurora Stealer. The attackers used several methods to deliver the malware, including phishing websites masquerading as legitimate ones, YouTube videos, and fake “free software catalogue” websites.
“These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poisoned fake cracked software download websites.” reads the analysis by the experts.
The malware was also able to target 40 cryptocurrency wallets and applications like Telegram.
Threat actors behind this malware also advertised its loader capabilities; the malicious code is able to deploy a next-stage payload using a PowerShell command.
“Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader. Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out follow-up lucrative campaigns, including Big Game Hunting operations.” concludes the report. “As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat.”
The post Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem appeared first on Security Affairs.
Two Estonian nationals were arrested in Tallinn, Estonia, after being indicted in the US for running a fraudulent cryptocurrency Ponzi scheme that caused more than $575 million in losses.
According to the indictment, Sergei Potapenko and Ivan Turõgin, both 37, allegedly defrauded hundreds of thousands of victims through a crypto Ponzi scheme. The duo used shell companies to launder the cash from the fraudulent activity and to buy real estate and luxury cars.
“They induced victims to enter into fraudulent equipment rental contracts with the defendants’ cryptocurrency mining service called HashFlare. They also caused victims to invest in a virtual currency bank called Polybius Bank.” reads the press release published by DoJ. “In reality, Polybius was never actually a bank, and never paid out the promised dividends. Victims paid more than $575 million to Potapenko and Turõgin’s companies.”
The defendants are accused of having defrauded the victims between December 2013 and August 2019; they operated with other co-conspirators residing in Estonia, Belarus, and Switzerland.
Potapenko and Turõgin tricked investors into believing that HashFlare was a massive cryptocurrency mining operation; the victims were asked to pay to rent computing power and receive a proportional share of the cryptocurrency mined. The bad news for the investors is that HashFlare did not have the virtual currency mining equipment it claimed to have.
According to the indictment, HashFlare’s equipment performed Bitcoin mining at a rate of less than one percent of the computing power it claimed to have.
When investors asked to withdraw their mining proceeds, the defendants either resisted making the payments or, in some cases, paid off the investors using virtual currency that was purchased on the open market.
HashFlare shut down its operations in 2019, but since May 2017 the duo had been offering investments in a company called Polybius, which they claimed would form a bank specializing in virtual currency.
“They promised to pay investors dividends from Polybius’s profits. The men raised at least $25 million in this scheme and transferred most of the money to other bank accounts and virtual currency wallets they controlled. Polybius never formed a bank or paid any dividends.” continues the DoJ.
According to the indictment, the defendants also conspired to launder their criminal proceeds through shell companies and phony contracts and invoices. The money laundering conspiracy involved “at least 75 real properties, six luxury vehicles, cryptocurrency wallets, and thousands of cryptocurrency mining machines.”
Potapenko and Turõgin are charged with conspiracy to commit wire fraud, 16 counts of wire fraud, and one count of conspiracy to commit money laundering. Both face a maximum penalty of 20 years in prison.
The post Two Estonian citizens arrested in $575M cryptocurrency fraud scheme appeared first on Security Affairs.
In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.
In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.
Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.
The Emotet operators remained inactive between July and November 2022.
Threat actors were spotted distributing hundreds of thousands of emails per day; this activity suggests Emotet is returning to full functionality, acting as a delivery network for major malware families.
The experts noticed multiple changes to the bot and its payloads, and the operators introduced changes to the malware modules, loader, and packer. Below are the changes observed by Proofpoint:
- New Excel attachment visual lures
- Changes to the Emotet binary
- IcedID loader dropped by Emotet is a light new version of the loader
- Reports of Bumblebee dropped in addition to IcedID
“The volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period.” reads the report published by Proofpoint.
The wave of attacks observed by the security firm primarily targeted the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.
The emails observed in recent attacks typically used a weaponized Excel attachment or a password-protected zip attachment containing an Excel file inside. The Excel files contain XL4 macros that download the Emotet payload from several (typically four) built-in URLs.
The novelty of the Excel files used in recent campaigns is that they contain instructions for recipients to copy the file to a Microsoft Office Template location and run it from there instead. This location is “trusted,” which means that opening a document located in this folder will not display any warnings.
“However, while moving a file to a template location, the operating system asks users to confirm and that administrator permissions are required to do such a move.” observed the experts. “It remains unclear how effective this technique is. While there is no longer a need for users to enable macros with an extra click, there is instead a need to perform a file move, acknowledge the dialog, and the user must have Administrator privileges.”
The Emotet variant employed in recent attacks supports new commands, has a new implementation of the communication loop, uses a new check-in packet format, and a new packer.
The current version of the bot supports 5 commands:
- 1 – Update bot
- 2 – Load module
- 3 – Load executable
- 4 – Load executable via regsvr32.exe
- 16343 – invoke rundll32.exe with a randomly named DLL and the export PluginInit
The last two were added to the latest version of the botnet.
“Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet.” concludes the report.
The post Emotet is back and delivers payloads like IcedID and Bumblebee appeared first on Security Affairs.
Researcher Wojciech Reguła (@_r3ggi) of SecuRing published technical details and proof-of-concept (PoC) code for a macOS sandbox escape vulnerability tracked as CVE-2022-26696 (CVSS score of 7.8).
In a write-up, Reguła observed that the problem stems from a strange behavior he noticed in a sandboxed macOS app: the app could launch another application that would not inherit the main app’s sandbox profile.
“A sandboxed process may be able to circumvent sandbox restrictions.” reads the advisory published by Apple that addressed the flaw with improved environment sanitization.
According to ZDI, a remote attacker can trigger the flaw to escape the sandbox on vulnerable Apple macOS installs. ZDI pointed out that an attacker can exploit the bug only after first obtaining the ability to execute low-privileged code on the target system.
“This vulnerability allows remote attackers to escape the sandbox on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the report published by ZDI. “The specific flaw exists within the handling of XPC messages in the LaunchServices component. A crafted message can trigger execution of a privileged operation. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user.”
The issue was reported to the vendor on December 22, 2021 and it was disclosed on August 15, 2022.
Reguła focused his analysis on an Objective-C method of Terminal.app.
“+[TTApplication isRunningInInstallEnvironment] will return YES when the __OSINSTALL_ENVIRONMENT environment variable was set.” wrote the expert. “So, when Terminal.app starts, some of the environment variables were not cleared when +[TTApplication isRunningInInstallEnvironment] returned YES. Great, with simple command injection I was able to execute code within the Terminal.app context without any sandbox!”
The expert was able to weaponize the flaw by embedding the exploit in a Word document and loading Mythic’s JXA payload.
“Executing code within the Terminal.app context can be really dangerous as it can also have some TCC permissions already granted.” Regula explained.
Reguła shared a video PoC that demonstrates how a weaponized Word document escapes the sandbox and executes code within the Terminal.
The post Expert published PoC exploit code for macOS sandbox escape flaw appeared first on Security Affairs.