Security Affairs

Read, think, share … Security is everyone's responsibility

Microsoft fixed RCE flaw in a driver used by Azure Synapse and Data Factory

Tue, 05/10/2022 - 10:29
Microsoft disclosed a now-fixed vulnerability in Azure Synapse and Azure Data Factory that could have allowed remote code execution.

Microsoft announced that it has addressed a critical remote code execution flaw, tracked as CVE-2022-29972 and named SynLapse, affecting Azure Synapse and Azure Data Factory.

The vulnerability was discovered by researchers from Orca Security and resides in a third-party driver used by both services.

“The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole.” reads the advisory published by Microsoft. “The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.”

A threat actor could exploit this flaw to acquire the Azure Data Factory service certificate and execute commands in another tenant’s Azure Data Factory Integration Runtimes.

Researchers at Orca Security speculate that the tenant separation is not sufficiently robust to prevent users from accessing sensitive data of other tenants, including Azure’s service keys, API tokens, and passwords to other services.

Orca reported the SynLapse issue to Microsoft on January 4 and the final fixes were deployed on April 15; below is a video PoC of the exploitation of the issue. The video shows a “customer” using Azure Synapse Analytics to store credentials for an external service (an HTTP server in this example) and the attacker exploiting the issue to access these credentials while executing code on the customer’s machine.

Azure Synapse Security Advisory – Orca Security

“We are going to hold off on publishing technical details of the exploits we have found until June 14, for two reasons. First, the vulnerabilities are also present in the on-premises version of Synapse, and this will provide Microsoft’s customers some additional time to deploy and remediate the existing mitigations in their on-premises environments.” wrote Orca Security. “Second, we believe that the technical details of the exploit will make it easier for attackers to find more open attack vectors, and the delay will allow time for organizations to reconsider their usage of Synapse.”

Below is the timeline for this vulnerability:

  • January 4 – Orca reported the issue to Microsoft
  • March 2 – Microsoft completed rollout of initial hotfix
  • March 11 – Microsoft identified and notified customers affected by the researcher’s activity
  • March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
  • April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
  • April 15 – Additional fixes deployed for the two newly reported attack paths as well as additional defense in depth measures applied

Microsoft said that it has found no evidence of attacks exploiting this flaw in the wild.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

The post Microsoft fixed RCE flaw in a driver used by Azure Synapse and Data Factory appeared first on Security Affairs.

Categories: Cyber Security News

Exclusive: Welcome “Frappo” – Resecurity identified a new Phishing-as-a-Service

Tue, 05/10/2022 - 02:04
The Resecurity HUNTER unit identified a new underground service called ‘Frappo’, which is available on the Dark Web.

“Frappo” acts as a Phishing-as-a-Service and gives cybercriminals the ability to host and generate high-quality phishing pages that impersonate major online banking, e-commerce, popular retailers, and online services to steal customer data.

The platform has been built by cybercriminals to leverage spam campaigns that distribute professional phishing content. “Frappo” is actively advertised in the Dark Web and on Telegram where it has a group with over 1,965 active members – there cybercriminals discuss how successful they’ve been at attacking the customers of various online services. Initially, the service popped up in the Dark Web around 22nd March 2021, and has been significantly upgraded since then. The last update of the service was registered May 1, 2022.

“Frappo” grants cybercriminals the ability to work with stolen data anonymously and in an encrypted format. It provides anonymous billing, technical support, updates, and the tracking of collected credentials via a dashboard. “Frappo” was initially designed to be an anonymous cryptocurrency wallet based on a fork of Metamask and is completely anonymous; it doesn’t require a threat actor to register an account. The service provides phishing pages for over 20 financial institutions (FIs), online retailers and popular services, including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.

The authors of “Frappo” provide several payment plans for cybercriminals depending on the chosen duration of the subscription. Like SaaS-based services and platforms for legitimate businesses, “Frappo” allows cybercriminals to minimize the cost of developing phishing kits and to use them at a larger scale.

Notably, the deployment process of phishing pages is fully automated – “Frappo” is leveraging a pre-configured Docker container and a secure channel allowing it to collect compromised credentials via API. 

Once “Frappo” is properly configured, statistical data is collected and visualized, such as how many victims opened the phishing page, reached the authorization step and entered credentials, as well as uptime and server status. Compromised credentials are visible in the “Logs” section with additional details about each victim such as IP address, User-Agent, username, password, etc.

The observed phishing pages (or “phishlets”) are high-quality and contain interactive scenarios which trick the victims into entering authorization credentials.

Phishing-as-a-Service offerings like “Frappo” are successfully used by threat actors for Account Takeover (ATO), Business Email Compromise (BEC), and payment and identity data theft.

Cybercriminals are forever leveraging advanced tools and tactics to attack consumers globally. The protection of digital identity becomes one of the top key priorities for online safety, and subsequently becomes a new digital battlefield – wherein threat actors are hunting on stolen data.

“Resecurity® is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed” – said Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc.

Resecurity® is an Affiliate Member of FS-ISAC and an Official Member of Infragard which aim to combat cybercriminal activity targeting financial services and Internet users globally.

Detailed analysis of the Phishing-As-A-Service Frappo is available here:

https://resecurity.com/blog/article/welcome-frappo-the-new-phishing-as-a-service-used-by-cybercriminals-to-attack-customers-of-major-financial-institutions-and-online-retailers


Pierluigi Paganini

(SecurityAffairs – hacking, Frappo)


DCRat, only $5 for a fully working remote access trojan

Mon, 05/09/2022 - 11:53
Researchers warn of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums.

Cybersecurity researchers from BlackBerry are warning of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums. The DCRat backdoor is very cheap and appears to be the work of a lone threat actor who goes by the monikers “boldenis44,” “crystalcoder,” and Кодер (“Coder”). Prices for the backdoor start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription.

“Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.” reads the report published by BlackBerry.

The author implemented an effective piece of malware and continues to maintain it efficiently. The researchers pointed out that the price of this malware is a fraction of the standard price of such RATs on Russian underground forums.

DCRat first appeared in the threat landscape in 2018, but a year later it was redesigned and relaunched.

DCRat is written in .NET and has a modular structure; affiliates can develop their own plugins by using a dedicated integrated development environment (IDE) called DCRat Studio.

The modular architecture of the malware allows its functionality to be extended for multiple malicious purposes, including surveillance, reconnaissance, information theft, DDoS attacks, and arbitrary code execution.

The DCRat consists of three components:

  • A stealer/client executable
  • A single PHP page, serving as the command-and-control (C2) endpoint/interface
  • An administrator tool

“All DCRat marketing and sales operations are done through the popular Russian hacking forum lolz[.]guru, which also handles some of the DCRat pre-sales queries. DCRat support topics are made available here to the wider public, while the main DCRat offering thread is restricted to registered users only.” continues the report.

The malware is under active development, the author announces any news and updates through a dedicated Telegram channel that had approximately 3k subscribers.

DCRat Telegram announcing discounts and price specials (source BlackBerry)

During recent months, the researchers often observed DCRat clients being deployed together with Cobalt Strike beacons through the Prometheus TDS (traffic direction system).

DCRat also implements a kill switch, which would render all instances of the DCRat administrator tool unusable, irrespective of subscriber license validity.

The administrator tool allows subscribers to sign in to an active C2 server, configure (and generate) builds of the DCRat client executable, and execute commands on infected systems.

Experts concluded that the RAT is maintained daily, which means that the author is working on this project full-time.

“There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible.” concludes the report that also includes Indicators of Compromise (IoCs). “While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity. More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”


Pierluigi Paganini

(SecurityAffairs – hacking, DCRat)


CERT-UA warns of malspam attacks distributing the Jester info stealer

Mon, 05/09/2022 - 08:17
The Computer Emergency Response Team of Ukraine (CERT-UA) warns of attacks spreading info-stealing malware Jester Stealer.

The Computer Emergency Response Team of Ukraine (CERT-UA) has detected malspam campaigns aimed at spreading an info-stealer called Jester Stealer.

The malicious messages spotted by the Ukrainian CERT have the subject line “chemical attack” and contain a link to a weaponized Microsoft Excel file. Upon opening the document and activating the embedded macro, the infection process starts.

Government experts observed that malicious executables are downloaded from compromised web resources.

“The government’s team for responding to computer emergencies in Ukraine CERT-UA revealed the fact of mass distribution of e-mails on the topic of “chemical attack” and a link to an XLS-document with a macro.” reads the report published by CERT-UA. “If you open the document and activate the macro, the latter will download and run the EXE file, which will later damage the computer with the malicious program JesterStealer.” 

The Jester stealer is able to steal credentials and authentication tokens from Internet browsers, mail/FTP/VPN clients, cryptocurrency wallets, password managers, messengers, game programs, and more.

The info-stealer implements anti-analysis capabilities (anti-VM/debug/sandbox), but it doesn’t implement any persistence mechanism. The threat actors exfiltrate data via Telegram using statically configured proxy addresses.

“Stolen data through statically defined proxy addresses (including in the TOR network) is transmitted to the attacker in the Telegram.” continues the report.

The report includes Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, Jester stealer)


Bumblebee, a new malware loader used by multiple crimeware threat actors

Thu, 04/28/2022 - 10:49
Threat actors have replaced the BazaLoader and IcedID malware with a new loader called Bumblebee in their campaigns.

Cybercriminal groups that were previously using BazaLoader and IcedID as part of their malware campaigns seem to have adopted a new loader called Bumblebee.

The loader appears to be under active development and is a highly sophisticated piece of malware that first appeared in the threat landscape in March 2022.

Proofpoint researchers have tracked at least three clusters of activity associated with the distribution of Bumblebee. The campaigns overlap with activity detailed by the Google Threat Analysis Group in March that aimed at distributing Conti and Diavol ransomware.

Bumblebee implements anti-virtualization checks and a unique implementation of common downloader capabilities; it was observed dropping Cobalt Strike, shellcode, Sliver and Meterpreter.

“Bumblebee is a sophisticated malware loader that demonstrates evidence of ongoing development. It is used by multiple cybercrime threat actors.” reads the analysis published by Proofpoint. “Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware.”

The attacks observed by Proofpoint experts employed DocuSign-branded messages and aimed at tricking recipients into downloading a malicious ISO file hosted on OneDrive.

In one of the paths observed by the experts, threat actors send messages containing a “REVIEW THE DOCUMENT” hyperlink, while another one leverages an HTML attachment containing a URL that uses a traffic direction system (TDS) dubbed Prometheus to filter downloads based on the time zone and cookies of the potential victim.

Attackers also attempted to abuse the contact form on the target’s website to send the recipient a message claiming copyright violations of images. The message includes a link to a landing page that directs the user to download an ISO file containing “DOCUMENT_STOLENIMAGES.LNK” and “neqw.dll”.

Proofpoint also observed a second campaign in April 2022 that involved thread hijacking: the emails appeared to be replies to existing benign email conversations and carried malicious zipped ISO attachments (“doc_invoice_[number].zip”).

Proofpoint reported significant changes to Bumblebee functionality in the latest version of the loader employed in the April campaigns, such as the support for multiple C2s and the addition of an encryption layer to the network communications.

Experts believe that the threat actors using Bumblebee could be initial access brokers that have received the loader from the same threat actors.

Further technical details about the loader are included in the Proofpoint report along with Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, Bumblebee)


CISA published 2021 Top 15 most exploited software vulnerabilities

Thu, 04/28/2022 - 09:49
Cybersecurity and Infrastructure Security Agency (CISA) published a list of 2021’s top 15 most exploited software vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) published the list of 2021’s top 15 most exploited software vulnerabilities.

This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity agencies of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK). This advisory also includes other frequently exploited vulnerabilities.

“Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.” reads the advisory published by CISA. “To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.”

The list published by the agencies includes CVE-2021-21972 affecting VMware vSphere Client, CVE-2021-26084 in Atlassian Confluence, CVE-2021-40539 in Zoho ManageEngine AD SelfService Plus, CVE-2018-13379 in Fortinet FortiOS and FortiProxy, CVE-2019-11510 in Pulse Secure Pulse Connect Secure, Log4Shell, ProxyLogon, ProxyShell, and ZeroLogon.

The cybersecurity agency also shared a second table containing additional vulnerabilities routinely exploited by malicious cyber actors in 2021.


Pierluigi Paganini

(SecurityAffairs – hacking, SolarMarker)


CloudFlare blocked a record HTTPs DDoS attack peaking at 15 rps

Thu, 04/28/2022 - 05:36
Cloudflare has mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS).

Cloudflare announced that it has mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million requests per second (RPS), one of the largest HTTPS DDoS attacks ever blocked by the company.

The company blocked the attack earlier this month. The experts pointed out that HTTPS DDoS attacks are more expensive for the attacker because they require more computational resources to establish a TLS-encrypted connection; on the other hand, they also cost the victim more to mitigate.

“Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.” reads the post published by Cloudflare. “We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”

The attack was launched by a botnet composed of approximately 6,000 unique bots, a botnet that Cloudflare experts were already tracking and that had been involved in other massive attacks peaking at 10M rps.

The DDoS attack blocked by the company lasted less than 15 seconds and targeted an unnamed customer operating a crypto launchpad. Crypto launchpads are platforms for launching new coins, crypto projects, and raising liquidity.

Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor’s control.
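The paragraph above describes what a volumetric HTTP(S) flood looks like from the target's side: a sudden spike in requests per second from many sources spread across countries and networks. The following is an added example (not Cloudflare's code or anything from the original post) of the kind of rate-based detection a defender would run over web access logs to spot such a spike and attribute it by source country. The log format (ISO timestamp, client IP, country code, scheme, path) and the threshold value are assumptions, and the sample lines are constructed inline.

```python
"""Request-rate detector over constructed access-log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format: "<ISO-8601 timestamp> <client_ip> <country> <scheme> <path>"
def parse_line(line):
    ts, ip, country, scheme, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), ip, country, scheme, path

def requests_per_second(lines):
    """Bucket requests into one-second windows, keeping a per-country breakdown."""
    per_sec = Counter()
    per_sec_country = defaultdict(Counter)
    for line in lines:
        ts, _ip, country, _scheme, _path = parse_line(line)
        window = ts.replace(microsecond=0)
        per_sec[window] += 1
        per_sec_country[window][country] += 1
    return per_sec, per_sec_country

def flag_flood(lines, threshold_rps):
    """Return the peak rate, the seconds above threshold, and the country share
    of the traffic in those seconds (the view a responder wants during a flood)."""
    per_sec, per_sec_country = requests_per_second(lines)
    peak_window, peak = max(per_sec.items(), key=lambda kv: kv[1])
    flagged = sorted(w for w, n in per_sec.items() if n > threshold_rps)
    flood_traffic = Counter()
    for w in flagged:
        flood_traffic.update(per_sec_country[w])
    total = sum(flood_traffic.values())
    shares = {c: round(100.0 * n / total, 1) for c, n in flood_traffic.most_common()} if total else {}
    return {
        "peak_rps": peak,
        "peak_second": peak_window.isoformat(),
        "flagged_seconds": [w.isoformat() for w in flagged],
        "country_share_pct": shares,
    }

def build_sample():
    """Constructed sample: two seconds of baseline traffic (3 req/s, one US client)
    followed by two seconds of a flood (50 req/s from many IPs and countries)."""
    fmt = "2022-04-15T12:00:{:02d}.{:06d} {} {} https /api/launch"
    lines = []
    for sec in (0, 1):
        for i in range(3):
            lines.append(fmt.format(sec, i * 100000, "198.51.100.{}".format(i + 1), "US"))
    # Country mix repeats every 10 requests: 3x ID, 2x RU, 2x BR, 1x IN, 1x CO, 1x US
    mix = ["ID", "ID", "ID", "RU", "RU", "BR", "BR", "IN", "CO", "US"]
    for sec in (2, 3):
        for i in range(50):
            ip = "203.0.113.{}".format(i % 250 + 1)
            lines.append(fmt.format(sec, i * 20000, ip, mix[i % 10]))
    return lines

if __name__ == "__main__":
    report = flag_flood(build_sample(), threshold_rps=20)
    print("peak: {} rps at {}".format(report["peak_rps"], report["peak_second"]))
    print("flagged seconds:", report["flagged_seconds"])
    print("country share of flood traffic (%):", report["country_share_pct"])
```

In production the threshold would be derived from the site's own baseline rather than hard-coded, and the same bucketing can be keyed on ASN instead of country to reproduce the "over 1,300 different networks" breakdown that Cloudflare reports.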

The analysis of the malicious traffic revealed that it mostly originated from data centers and came from 112 countries around the world. 15% of the malicious traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.

“Within those countries, the attack originated from over 1,300 different networks. The top networks included the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.” concludes the post.

In August, the web infrastructure and website security company announced that it had mitigated the largest volumetric distributed denial of service (DDoS) attack ever seen at the time. The malicious traffic reached a record high of 17.2 million requests per second (rps), a volume three times bigger than previously reported HTTP DDoS attacks. Note that the attack the company blocked in August was an HTTP DDoS, not an HTTPS one.

In November 2021, the company mitigated a distributed denial-of-service (DDoS) attack that peaked just below 2 terabytes per second (Tbps), which is the largest attack Cloudflare has seen to date.


Pierluigi Paganini

(SecurityAffairs – hacking, Cloudflare)


Russia-linked threat actors launched hundreds of cyberattacks on Ukraine

Thu, 04/28/2022 - 00:36
Microsoft revealed that Russia launched hundreds of cyberattacks against Ukraine since the beginning of the invasion.

Microsoft states that at least six separate Russia-linked threat actors launched more than 237 operations against Ukraine starting just before the invasion.

The cyber attacks included destructive wipers that were used to target critical infrastructure in a hybrid war against Ukraine. Wiper families employed in the attacks include:

  • WhisperGate / WhisperKill
  • FoxBlade, aka Hermetic Wiper
  • SonicVote, aka HermeticRansom
  • CaddyWiper
  • DesertBlade
  • Industroyer2
  • Lasainraw, aka IssacWiper
  • FiberLake, aka DoubleZero

“Starting just before the invasion, we have seen at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine – including destructive attacks that are ongoing and threaten civilian welfare.” reads the report published by Microsoft. “The destructive attacks have also been accompanied by broad espionage and intelligence activities. The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership.”

Microsoft also reported having observed limited cyber espionage attacks aimed at other NATO member states, along with disinformation campaigns. 

Microsoft states that Russia-linked threat actors involved in the attacks include APT28, EnergeticBear, Gamaredon, Sandworm, Turla, DEV-0586, and Nobelium.

The experts pointed out that, starting just before the invasion, threat actors linked to the military intelligence service GRU launched destructive wiper attacks on hundreds of systems in Ukraine. More than 40% of the destructive attacks hit critical infrastructure sectors; the targets were chosen to impact the government, military, economy, and people. 32% of destructive attacks were aimed at Ukrainian government organizations at the national, regional, and city levels.

“Based on Russian military goals for information warfare, these actions are likely aimed at undermining Ukraine’s political will and ability to continue the fight, while facilitating collection of intelligence that could provide tactical or strategic advantages to Russian forces” reads the report published by Microsoft.

“Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression.” Microsoft concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


US Department of State offers $10M reward for info to locate six Russian Sandworm members

Wed, 04/27/2022 - 10:32
The U.S. government offers up to $10 million for information that helps identify or locate six Russian GRU hackers who are members of the Sandworm APT group.

The US Department of State is offering up to $10 million for information that helps identify or locate six Russian GRU hackers who are members of the Sandworm APT group. The reward is covered by the Rewards for Justice program of the US government, which rewards people who share information that helps identify or locate foreign government threat actors conducting cyber operations against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

The six individuals are officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), a division of Russian military intelligence that has often been involved in malicious cyber operations against US infrastructure.

“RFJ is seeking information on six officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) for their role in a criminal conspiracy involving malicious cyber activities affecting U.S. critical infrastructure.” reads the press release published by the Department of State. “GRU officers Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), Pavel Valeryevich Frolov (Павел Валерьевич Фролов), Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), and Petr Nikolayevich Pliskin (Петр Николаевич Плискин) were members of a conspiracy that deployed destructive malware and took other disruptive actions for the strategic benefit of Russia through unauthorized access to victim computers.”

The six Russian officers are all members of the GRU’s Unit 74455, also known as Sandworm, Telebots, Voodoo Bear, and Iron Viking.

This isn’t the first time the US government has indicted these members of the Sandworm team: in October 2020 the U.S. Department of Justice charged the six officers for their alleged role in several major cyberattacks conducted over the past years.

According to the indictment, the GRU officers were involved in attacks on Ukraine, including the attacks aimed at the country’s power grid in 2015 and 2016 that employed the BlackEnergy and Industroyer malware.

US DoJ charged the men with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

The US Department of State states that the cyber activities conducted by the APT group collectively cost impacted U.S. entities nearly $1 billion in losses.

More information about this reward offer is available on the Rewards for Justice website. It is also possible to share information about these six individuals via the Tor-based tips-reporting channel at he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required).

“Since its inception in 1984, the program has paid in excess of $200 million to more than 100 people across the globe who provided actionable information that helped prevent terrorism, bring terrorist leaders to justice, and resolve threats to U.S. national security.” concludes the press release.


Pierluigi Paganini

(SecurityAffairs – hacking, Sandworm)

The post US Department of State offers $10M reward for info to locate six Russian Sandworm members appeared first on Security Affairs.

Categories: Cyber Security News

Linux Nimbuspwn flaws could allow attackers to deploy sophisticated threats

Wed, 04/27/2022 - 06:38
Microsoft disclosed two Linux privilege escalation flaws, collectively named Nimbuspwn, that could allow attackers to conduct various malicious activities.

The Microsoft 365 Defender Research Team has discovered two Linux privilege escalation flaws (tracked as CVE-2022-29799 and CVE-2022-29800) called “Nimbuspwn,” which can be exploited by attackers to conduct various malicious activities, including the deployment of malware.

“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” reads the advisory published by Microsoft.

Attackers can exploit the flaws to gain root access to the target systems and then deploy more sophisticated threats, such as ransomware.

The flaws reside in the systemd component called networkd-dispatcher, the dispatcher daemon for systemd-networkd connection status changes.

The review of the code flow for networkd-dispatcher revealed multiple security issues, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues.

The researchers started enumerating services that run as root and listen to messages on the System Bus, performing both code reviews and dynamic analysis.

Chaining the issues, an attacker in control of a rogue D-Bus service that can send an arbitrary signal can deploy backdoors on the compromised machine.

The researchers were able to develop their own exploit that runs an arbitrary script as root. The exploit also copies /bin/sh to the /tmp directory, sets /tmp/sh as a Set-UID (SUID) executable, and then invokes “/tmp/sh -p” (the “-p” flag is necessary to force the shell not to drop privileges).

Researchers recommend that users of networkd-dispatcher update their installations.

“To address the specific vulnerabilities at play, Microsoft Defender for Endpoint’s endpoint detection and response (EDR) capabilities detect the directory traversal attack required to leverage Nimbuspwn.” concludes the post.
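
The two bug classes named above, directory traversal and a check-then-use race on a file an attacker can swap for a symlink, have standard mitigations. The following is an added example, not Microsoft’s and not networkd-dispatcher’s code, of a hook-script runner that applies them in Python: the state name that arrives over the bus is validated before it is joined into a path, and the script file is opened with O_NOFOLLOW and then validated through the open descriptor with fstat, so there is no window between the check and the use. The directory layout, the default base path and all function names are assumptions made for the example.

```python
import os
import stat
import tempfile

# Hypothetical layout: hook scripts live in <base>/<state>.d/.  The layout,
# the base path and the function names are assumptions for this example,
# not the real networkd-dispatcher code.
DEFAULT_BASE = "/etc/example-dispatcher"


def safe_script_dir(base_dir: str, state_name: str) -> str:
    """Build <base_dir>/<state_name>.d and refuse anything that escapes it.

    The state name originates from an untrusted bus message, so it is
    validated both syntactically and again after path resolution.
    """
    if (not state_name or "/" in state_name or "\0" in state_name
            or state_name in (".", "..")):
        raise ValueError(f"rejected state name {state_name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, state_name + ".d"))
    # realpath collapses ".." and symlinks: the result must still sit below base.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        raise ValueError(f"{candidate} escapes {base}")
    return candidate


def open_trusted_script(path: str, expected_uid: int = 0) -> int:
    """Open a hook script without following symlinks and validate the
    descriptor, never the path, so no check-then-use window exists."""
    flags = os.O_RDONLY | os.O_CLOEXEC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)          # ELOOP if the final component is a symlink
    try:
        st = os.fstat(fd)              # attributes of what was actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: group- or world-writable")
    except Exception:
        os.close(fd)
        raise
    return fd


def rejects_state_name(name: str, base_dir: str = DEFAULT_BASE) -> bool:
    """True if safe_script_dir refuses the name (helper for the checks below)."""
    try:
        safe_script_dir(base_dir, name)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Exercise both defences against a constructed temporary layout."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        hook_dir = os.path.join(tmp, "routable.d")
        os.mkdir(hook_dir)
        script = os.path.join(hook_dir, "10-log.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho routable\n")
        os.chmod(script, 0o644)
        link = os.path.join(hook_dir, "20-link.sh")
        os.symlink(script, link)      # the kind of entry a racing attacker plants

        results["traversal_rejected"] = rejects_state_name("../../etc", tmp)
        results["plain_name_ok"] = safe_script_dir(tmp, "routable") == os.path.realpath(hook_dir)

        fd = open_trusted_script(script, expected_uid=os.getuid())
        os.close(fd)
        results["regular_file_ok"] = True
        try:
            open_trusted_script(link, expected_uid=os.getuid())
            results["symlink_rejected"] = False
        except OSError:               # ELOOP raised because of O_NOFOLLOW
            results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership and mode checks run on the file descriptor, so an attacker who replaces the path between the check and the later read gains nothing; the expected owner is root in a real dispatcher and the current user only in the self-test.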


Pierluigi Paganini

(SecurityAffairs – hacking, Nimbuspwn flaws)

The post Linux Nimbuspwn flaws could allow attackers to deploy sophisticated threats appeared first on Security Affairs.

Categories: Cyber Security News

Wind Turbine giant Deutsche Windtechnik hit by a professional Cyberattack

Wed, 04/27/2022 - 04:52
The German wind turbine giant Deutsche Windtechnik was hit by a targeted cyberattack earlier this month.

German wind turbine giant Deutsche Windtechnik announced that some of its systems were hit by a targeted professional cyberattack earlier this month.

The attack took place during the night between April 11 and 12. The company switched off remote data monitoring connections to the wind turbines for security reasons; the connections were resumed two days later. The company pointed out that the wind turbines did not suffer any damage and were never in danger.

“Deutsche Windtechnik’s operational maintenance activities for our clients resumed again on April 14 and are running with only minor restrictions. We were able to assess all IT systems in a secure environment and to identify and isolate the problems.” reads the press release published by the company. “The forensic analysis has been completed and the result has shown that this was a targeted professional cyber attack.”

Deutsche Windtechnik did not disclose details about the attack, but experts believe that the company was hit with ransomware.

At the end of March, the Conti ransomware gang hit the manufacturer of wind turbines Nordex, while in early March, wind turbine manufacturer Enercon GmbH lost remote connection to roughly 5,800 turbines due to an attack on Viasat’s satellite network.


Pierluigi Paganini

(SecurityAffairs – hacking, Deutsche Windtechnik)

The post Wind Turbine giant Deutsche Windtechnik hit by a professional Cyberattack appeared first on Security Affairs.

Categories: Cyber Security News

Conti ransomware operations surge despite the recent leak

Wed, 04/27/2022 - 03:15
The Conti ransomware gang continues to target organizations worldwide despite the massive data leak that has shed light on its operations.

Researchers from Secureworks state that the Conti ransomware gang, tracked by the company as the Russia-based threat actor GOLD ULRICK, continues to operate despite the recent leak of data on its internal activities.

The group’s activity has returned to the levels that represented its peak in 2021; the gang rapidly reacted to the public disclosure of its communications, source code, and operational details.

“The number of victims added to the Conti leak site increased in February 2022. On February 27, the @ContiLeaks Twitter persona began leaking GOLD ULRICK data and communications. Despite these public disclosures, the number of Conti victims posted in March surged to the second-highest monthly total since January 2021.” reads the post published by Secureworks Counter Threat Unit (CTU).

One of the members of the GOLD ULRICK gang, who uses the moniker ‘Jordan Conti’, said that the leak had a minimal impact on its operations.

According to a post published by ‘Jordan Conti’ on the RAMP underground forum, the Conti dark web leak site only lists victims that refused to pay the ransom, and the gang has actually compromised twice that number.

This means that the Conti gang has a 50% payment success rate with an average payout of ‘700k’.

The Conti ransomware operators added 11 new victims to their leak site in the first four days of April; the researchers attribute the group’s continued success to the evolution of its tactics, techniques and procedures.

“‘Jordan Conti’ indicates that GOLD ULRICK continues to evolve its ransomware, intrusion methods, and approaches to working with data. The Conti leak site added 11 victims in the first four days of April. If GOLD ULRICK operations continue at that pace, the group will continue to pose one of the most significant cybercrime threats to organizations globally.” concludes the analysis.


Pierluigi Paganini

(SecurityAffairs – hacking, Conti ransomware)

The post Conti ransomware operations surge despite the recent leak appeared first on Security Affairs.

Categories: Cyber Security News

Iran-linked APT Rocket Kitten exploited VMware bug in recent attacks

Tue, 04/26/2022 - 14:00
The Iran-linked APT group Rocket Kitten has been observed exploiting a recently patched CVE-2022-22954 VMware flaw.

The Iran-linked Rocket Kitten APT group has been observed exploiting the recently patched CVE-2022-22954 VMware Workspace ONE Access flaw to deploy the ‘Core Impact’ backdoor.

CVE-2022-22954 is a server-side template injection vulnerability leading to remote code execution; it was rated 9.8 in severity.

“VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the security advisory. “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

In mid-April, the virtualization giant reported that threat actors were actively exploiting the critical vulnerability in VMware Workspace ONE Access and Identity Manager.

On April 14 and 15, Morphisec researchers spotted attacks attempting to exploit the VMware flaw; researchers from BleepingComputer also reported the hacking attempts.

“A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface. This means highest privileged access into any components of the virtualized host and guest environment. Affected firms face significant security breaches, ransom, brand damage, and lawsuits.” reads the post published by Morphisec Labs. “As part of the attack chain, Morphisec has identified and prevented PowerShell commands executed as child processes to the legitimate Tomcat prunsrv.exe process application.”

Threat actors attempt to gain initial access to a target environment by exploiting the VMware Identity Manager Service issue, then deploy a PowerShell stager that downloads the next-stage payload, dubbed PowerTrash Loader.

The PowerTrash Loader is a heavily obfuscated PowerShell script with approximately 40,000 lines of code.

In the final stage of the attack chain, PowerTrash Loader injects the penetration testing framework Core Impact into memory.

Morphisec attributes the attacks to the Iranian APT Rocket Kitten based on the tactics, techniques, and procedures used by the threat actors.

“The widespread use of VMWare identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries,” concludes the report. “VMWare customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks.”
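
Morphisec’s observation that the post-exploitation PowerShell ran as a child of the Tomcat service wrapper (prunsrv.exe) is exactly the parent/child relationship a process-creation rule can catch, independently of the exploit payload. The following is an added example, not Morphisec’s or VMware’s code, that applies such a rule to a handful of constructed process-creation events in a Sysmon-like shape. The event layout, file paths and host names are assumptions; the one fact relied on is that Tomcat’s Windows service executable (tomcat9.exe and siblings) is Apache Commons Daemon’s prunsrv.exe under another name, so both spellings are treated as the same parent.

```python
import ntpath

# Parent images worth alerting on: Apache Commons Daemon's prunsrv.exe, which
# Tomcat also ships renamed as tomcat<N>.exe for its Windows service.
SERVICE_WRAPPERS = {"prunsrv.exe", "tomcat7.exe", "tomcat8.exe",
                    "tomcat9.exe", "tomcat10.exe"}
# Children that a Java web application service has no business spawning.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
          "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Case-insensitive final component of a Windows path."""
    return ntpath.basename(path).lower()


def suspicious_child(event: dict) -> bool:
    """True when a shell or script host is spawned directly by a Tomcat service wrapper."""
    return (_basename(event.get("ParentImage", "")) in SERVICE_WRAPPERS
            and _basename(event.get("Image", "")) in SHELLS)


def find_alerts(events) -> list:
    """EventRecordIDs of process-creation events (Sysmon Event ID 1) matching the rule."""
    return [e["EventRecordID"] for e in events
            if e.get("EventID") == 1 and suspicious_child(e)]


# Constructed sample events (not real telemetry), using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventID": 1, "Computer": "idm-01.example.internal",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\prunsrv.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64 placeholder>"},
    {"EventRecordID": 102, "EventID": 1, "Computer": "idm-01.example.internal",
     "Image": r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\prunsrv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "prunsrv.exe //RS//Tomcat9"},
    {"EventRecordID": 103, "EventID": 1, "Computer": "ws-17.example.internal",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"EventRecordID": 104, "EventID": 1, "Computer": "idm-02.example.internal",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\Tomcat9.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


if __name__ == "__main__":
    for rec in find_alerts(SAMPLE_EVENTS):
        print("ALERT: process-creation record", rec)
```

Records 101 and 104 fire; the service start by services.exe and the interactive PowerShell under explorer.exe do not. The same parent/child pairing translates directly into a SIEM or EDR rule, and an encoded command line (`-enc`) under that parent is a second, independent signal worth scoring on top.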


Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Iran-linked APT Rocket Kitten exploited VMware bug in recent attacks appeared first on Security Affairs.

Categories: Cyber Security News

CISA adds new Microsoft, Linux, and Jenkins flaws to its Known Exploited Vulnerabilities Catalog

Tue, 04/26/2022 - 07:41
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven new flaws to its Known Exploited Vulnerabilities Catalog, including Microsoft, Linux, and Jenkins bugs.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog, including flaws affecting Microsoft, Linux, WSO2, and Jenkins systems.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The list of vulnerabilities added by CISA to the catalog includes a remote code execution issue (WSO2), privilege escalation flaws (Microsoft/Linux), and a Sandbox Bypass Vulnerability (Jenkins).

Below is the complete list of flaws added by CISA to its catalog in the latest round:

The catalog now contains 654 vulnerabilities, including the date that federal agencies must apply the associated patches and security updates.

The above issues have to be addressed by federal agencies by May 16, 2022.
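
CISA publishes the catalog as a JSON feed (known_exploited_vulnerabilities.json on cisa.gov) whose entries carry a cveID, vendorProject, product, dateAdded, requiredAction and dueDate. The following is an added example, not CISA’s tooling, that reads a catalog snippet in that layout, lists the entries that fall due in a given window, flags the ones already overdue, and matches entries against a simple asset inventory. The catalog entries and the inventory are constructed for the example with placeholder CVE identifiers (CVE-0000-…), not the seven flaws the post refers to.

```python
import json
from datetime import date

# Constructed catalog snippet in the published KEV JSON layout.  The CVE ids are
# placeholders, and the entries are not the ones added by CISA in this round.
SAMPLE_CATALOG = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.04.25",
    "dateReleased": "2022-04-25T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Jenkins", "product": "Script Security Plugin",
         "vulnerabilityName": "Jenkins Script Security Plugin Sandbox Bypass (placeholder)",
         "dateAdded": "2022-04-25", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-05-16"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Privilege Escalation (placeholder)",
         "dateAdded": "2022-04-25", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-05-16"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Example Corp", "product": "Example Server",
         "vulnerabilityName": "Example Server Remote Code Execution (placeholder)",
         "dateAdded": "2022-01-10", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-01-24"},
    ],
})

# Constructed asset inventory: (vendorProject, product) pairs actually deployed.
SAMPLE_INVENTORY = {("Jenkins", "Script Security Plugin"), ("Microsoft", "Windows")}


def load_catalog(text: str) -> list:
    """Return the list of vulnerability entries from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def due_between(entries, start_iso: str, end_iso: str) -> list:
    """CVE ids whose remediation due date falls within [start, end], sorted."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return sorted(e["cveID"] for e in entries
                  if start <= date.fromisoformat(e["dueDate"]) <= end)


def overdue(entries, today_iso: str) -> list:
    """CVE ids whose due date has already passed as of the given day."""
    today = date.fromisoformat(today_iso)
    return sorted(e["cveID"] for e in entries
                  if date.fromisoformat(e["dueDate"]) < today)


def affecting_inventory(entries, inventory) -> list:
    """CVE ids whose vendor/product pair matches something in the inventory."""
    return [e["cveID"] for e in entries
            if (e["vendorProject"], e["product"]) in inventory]


if __name__ == "__main__":
    entries = load_catalog(SAMPLE_CATALOG)
    print("due by 2022-05-16:", due_between(entries, "2022-04-25", "2022-05-16"))
    print("overdue on 2022-04-26:", overdue(entries, "2022-04-26"))
    print("in inventory:", affecting_inventory(entries, SAMPLE_INVENTORY))
```

Matching on vendorProject and product is coarse (the catalog’s product strings are free text), so in practice the inventory match is a first cut that a CVE-to-package mapping from the scanner refines.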


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

The post CISA adds new Microsoft, Linux, and Jenkins flaws to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

Categories: Cyber Security News

Apr 17 – Apr 23 Ukraine – Russia the silent cyber conflict

Sun, 04/24/2022 - 05:21
This post provides a timeline of the events related to the Russian invasion of Ukraine from the cyber security perspective.

Below is the timeline of the events related to the ongoing invasion that occurred in the previous weeks:

April 23 – Phishing attacks using the topic “Azovstal” targets Ukrainian entities

Ukrainian CERT-UA warns of phishing attacks on Ukrainian state organizations using the topic “Azovstal” and Cobalt Strike Beacon.

April 21 – US, Australia, Canada, New Zealand, and the UK warn of Russia-linked threat actors’ attacks

Cybersecurity agencies of the Five Eyes intelligence alliance warn of cyberattacks conducted by Russia-linked threat actors on critical infrastructure.

April 20 – Russian Gamaredon APT continues to target Ukrainian entities

Russia-linked threat actor Gamaredon targets Ukrainian entities with new variants of the custom Pterodo backdoor.

April 20 – Anonymous hacked other Russian organizations, some of the breaches could be severe

The Anonymous collective and affiliate groups intensify their attacks and claimed to have breached multiple organizations.

Feb 27 – Mar 05 Ukraine – Russia the silent cyber conflict
Feb 7 – Feb 27 Ukraine – Russia the silent cyber conflict
Mar 06 – Mar 12 Ukraine – Russia the silent cyber conflict
Mar 13 – Mar 19 Ukraine – Russia the silent cyber conflict
Mar 20 – Mar 26 Ukraine – Russia the silent cyber conflict
Mar 27 – Apr 02 Ukraine – Russia the silent cyber conflict
Apr 03 – Apr 09 Ukraine – Russia the silent cyber conflict
Apr 10 – Apr 16 Ukraine – Russia the silent cyber conflict


Pierluigi Paganini

(SecurityAffairs – hacking, Russia conflict)

The post Apr 17 – Apr 23 Ukraine – Russia the silent cyber conflict appeared first on Security Affairs.

Categories: Cyber Security News

Security Affairs newsletter Round 362 by Pierluigi Paganini

Sun, 04/24/2022 - 04:55
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

T-Mobile confirms Lapsus$ had access its systems
Are you using Java 15/16/17 or 18 in production? Patch them now!
Phishing attacks using the topic “Azovstal” targets entities in Ukraine
Conti ransomware claims responsibility for the attack on Costa Rica
Cyber Insurance and the Changing Global Risk Environment
A stored XSS flaw in RainLoop allows stealing users’ emails
QNAP firmware updates fix Apache HTTP vulnerabilities in its NAS
Pwn2Own Miami hacking contest awarded $400,000 for 26 unique ICS exploits
Lemon_Duck cryptomining botnet targets Docker servers
Critical bug in decoder used by popular chipsets exposes 2/3 of Android
Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns By Mimicking Government Vendors
Static SSH host key in Cisco Umbrella allows stealing admin credentials
CVE-2022-20685 flaw in the Modbus preprocessor of the Snort makes it unusable
US, Australia, Canada, New Zealand, and the UK warn of Russia-linked threat actors’ attacks
Russian Gamaredon APT continues to target Ukraine
Anonymous hacked other Russian organizations, some of the breaches could be severe
CISA adds Windows Print Spooler to its Known Exploited Vulnerabilities Catalog
New BotenaGo variant specifically targets Lilin security camera DVR devices
QNAP users are recommended to disable UPnP port forwarding on routers
ESET warns of three flaws that affect over 100 Lenovo notebook models
Kaspersky releases a free decryptor for Yanluowang ransomware
NSO Group Pegasus spyware leverages new zero-click iPhone exploit in recent attacks
New SolarMarker variant upgrades evasion abilities to avoid detection
Crooks steal $182 million from Beanstalk DeFi platform
Experts spotted Industrial Spy, a new stolen data marketplace
CISA adds VMware, Chrome flaws to its Known Exploited Vulnerabilities Catalog
Apr 10 – Apr 16 Ukraine – Russia the silent cyber conflict
Enemybot, a new DDoS botnet appears in the threat landscape
Stolen OAuth tokens used to download data from dozens of organizations, GitHub warns


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 362 by Pierluigi Paganini appeared first on Security Affairs.

Categories: Cyber Security News

T-Mobile confirms Lapsus$ had access its systems

Sat, 04/23/2022 - 16:31
Telecommunication giant T-Mobile confirmed the LAPSUS$ extortion group gained access to its networks in March.

Telecom company T-Mobile on Friday revealed that the LAPSUS$ extortion gang gained access to its networks.

The popular investigator and journalist Brian Krebs first surmised that the LAPSUS$ gang had breached T-Mobile after he reviewed a copy of private chat messages between members of the cybercrime group.

Telegram channels that were restricted to the core seven members of the group – Source KrebsonSecurity

The logs show that the LAPSUS$ group accessed T-Mobile’s network multiple times in March; the hackers stole source code for multiple company projects.

The VPN credentials for initial access are said to have been obtained from illicit websites like Russian Market with the goal of gaining control of T-Mobile employee accounts, ultimately allowing the threat actor to carry out SIM swapping attacks at will.

“The bigger challenge for LAPSUS$ was the subject mentioned by “Lapsus Jobs” in the screenshot above: Device enrollment. In most cases, this involved social engineering employees at the targeted firm into adding one of their computers or mobiles to the list of devices allowed to authenticate with the company’s virtual private network (VPN).” wrote Krebs. “The messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free “SIM swaps” — reassigning a target’s mobile phone number to a device they controlled.”

LAPSUS$ leader White/Lapsus Jobs looking up the Department of Defense in T-Mobile’s internal Atlas system. – Source KrebsOnSecurity

The telecom company says no customer or government information was compromised, even though the images shared in the chats show the gang gaining access to the internal “Atlas” system, along with Slack and Bitbucket accounts.

“The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value,” T-Mobile said. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

The gang obtained the VPN credentials for initial access to the target systems from darkweb marketplaces, then used the access to perform SIM swapping attacks.

“Perhaps to mollify his furious teammates, White changed the subject and told them he’d gained access to T-Mobile’s Slack and Bitbucket accounts. He said he’d figured out how to upload files to the virtual machine he had access to at T-Mobile.” wrote Krebs. “Roughly 12 hours later, White posts a screenshot in their private chat showing his automated script had downloaded more than 30,000 source code repositories from T-Mobile.”

Over the last months, the Lapsus$ gang compromised many prominent companies such as NVIDIA, Samsung, Ubisoft, Mercado Libre, Vodafone, Microsoft, Okta, and Globant.

In early April, the City of London Police charged two of the seven teenagers who were arrested for their alleged role in the LAPSUS$ data extortion gang. UK police suspect that a 16-year-old from Oxford is one of the leaders of the group.


Pierluigi Paganini

(SecurityAffairs – hacking, T-Mobile)

The post T-Mobile confirms Lapsus$ had access its systems appeared first on Security Affairs.

Categories: Cyber Security News

Are you using Java 15/16/17 or 18 in production? Patch them now!

Sat, 04/23/2022 - 14:12
A researcher has released proof-of-concept (PoC) code for a digital signature bypass vulnerability in Java.

Security researcher Khaled Nassar released proof-of-concept (PoC) code for a new digital signature bypass vulnerability in Java, tracked as CVE-2022-21449 (CVSS score: 7.5).

The vulnerability was discovered by ForgeRock researcher Neil Madden, who notified Oracle on November 11, 2021.

An unauthenticated attacker with network access via multiple protocols can trigger the issue to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful exploitation can result in unauthorized creation, deletion or modification access to critical data, or to all data accessible to Oracle Java SE and Oracle GraalVM Enterprise Edition.

The flaw impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition:

  • Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
  • Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

The vulnerability, dubbed Psychic Signatures, resides in Java’s implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA).

The flaw allows presenting a totally blank signature that is accepted as valid by the vulnerable implementation.

Successful exploitation of the flaw could permit an attacker to forge signatures and bypass authentication measures put in place.

Nassar demonstrated that setting up a malicious TLS server could deceive a client into accepting an invalid signature from the server, effectively allowing the rest of the TLS handshake to continue.

Oracle addressed the issue with the release of the April 2022 Critical Patch Update (CPU).

Organizations that have deployed Java 15, Java 16, Java 17, or 18 in production should install the security updates immediately.
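
A verifier that accepts an all-zero (r, s) pair is skipping the first step of ECDSA verification, the range check 1 ≤ r, s < n. The following is an added example, not Oracle’s, Madden’s or Nassar’s code: a minimal pure-Python ECDSA over secp256k1 with two verifiers. The first models the failure mode (no range check, a modular inverse that silently returns 0 for s = 0, and the point at infinity compared as though its x-coordinate were 0, so the blank signature verifies against any message); the second performs the range check and rejects the point at infinity. The curve arithmetic is written for clarity rather than constant time, and the private key is a constructed toy value.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants; the bug class is curve-independent).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity (group identity)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); clarity over speed."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k: int, pt):
    """Double-and-add; scalar_mul(0, pt) is the point at infinity."""
    result = INF
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv: int, msg: bytes):
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s:                      # a genuine signer never emits a zero component
            return r, s


def verify_vulnerable(pub, msg: bytes, r: int, s: int) -> bool:
    """Models the bug class: no range check, Fermat inverse (0 -> 0),
    and the point at infinity treated as if its x-coordinate were 0."""
    e = hash_to_int(msg)
    w = pow(s, N - 2, N)                 # s^-1 for valid s, but silently 0 when s == 0
    R = point_add(scalar_mul(e * w % N, G), scalar_mul(r * w % N, pub))
    x = 0 if R is INF else R[0]
    return x % N == r                    # 0 == 0 for the blank signature


def verify_fixed(pub, msg: bytes, r: int, s: int) -> bool:
    """Correct verification: range-check r and s, reject the point at infinity."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = hash_to_int(msg)
    w = pow(s, -1, N)
    R = point_add(scalar_mul(e * w % N, G), scalar_mul(r * w % N, pub))
    if R is INF:
        return False
    return R[0] % N == r


# Constructed toy key; never use a small or fixed private key in real code.
TOY_PRIV = 0x1234_5678_9ABC_DEF0
TOY_PUB = scalar_mul(TOY_PRIV, G)

if __name__ == "__main__":
    r, s = sign(TOY_PRIV, b"hello")
    print("genuine signature, fixed verifier:", verify_fixed(TOY_PUB, b"hello", r, s))
    print("blank signature, vulnerable verifier:", verify_vulnerable(TOY_PUB, b"forged", 0, 0))
    print("blank signature, fixed verifier:", verify_fixed(TOY_PUB, b"forged", 0, 0))
```

Both verifiers accept a genuine signature, which is why a bug of this kind survives functional testing; only a negative test with (0, 0), or with r or s equal to n, tells them apart. Any deployment that relies on ECDSA for TLS, JWTs or signed tokens should include that negative test against the runtime it ships on.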


Pierluigi Paganini

(SecurityAffairs – hacking, cryptography)

The post Are you using Java 15/16/17 or 18 in production? Patch them now! appeared first on Security Affairs.

Categories: Cyber Security News

Phishing attacks using the topic “Azovstal” targets entities in Ukraine

Sat, 04/23/2022 - 04:37
Ukraine CERT-UA warns of phishing attacks on state organizations of Ukraine using the topic “Azovstal” and Cobalt Strike Beacon.

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of phishing attacks aimed at organizations in the country using the topic “Azovstal”.

The phishing messages use the subject “Azovstal” and carry a weaponized Office document. Opening the attachment and enabling the macro starts the infection chain: the macro downloads the malicious DLL “pe.dll”, writes it to disk and runs it.

The final-stage malware installed on the infected systems is a Cobalt Strike Beacon, which gives the attackers control over them.

The analysis of encryption techniques employed in the attack allowed the government experts to associate the campaign with the cybercrime group Trickbot.

Since February, the notorious Trickbot cybercrime operation has been controlled by the Conti ransomware gang, which publicly announced its support for Russia after the Russian invasion of Ukraine.

The alert published by the Ukraine CERT-UA includes Indicators of Compromise (IoCs) for this campaign and recommendations.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

The post Phishing attacks using the topic “Azovstal” target entities in Ukraine appeared first on Security Affairs.

Categories: Cyber Security News

Conti ransomware claims responsibility for the attack on Costa Rica

Fri, 04/22/2022 - 18:51
The Conti ransomware gang claimed responsibility for a ransomware attack that hit the government infrastructure of Costa Rica.

Last week a ransomware attack crippled the government infrastructure of Costa Rica, causing chaos.

The Conti ransomware gang claimed responsibility for the attack, while the Costa Rican government refused to pay a ransom.

“The Costa Rican state will not pay anything to these cybercriminals.” said Costa Rican President Carlos Alvarado.

The attack took place early this week and impacted multiple government services, from the Finance Ministry to the Labor Ministry.

“The initial attack forced the Finance Ministry to shut down for several hours the system responsible for the payment of a good part of the country’s public employees, which also handles government pension payments. It also has had to grant extensions for tax payments.” reads the post published by the Associated Press.

Costa Rican businesses fear that the ransomware gang could have infiltrated confidential information they provided to the government. The leak of this data could pose a serious risk to these organizations.

At the time of this writing, the Conti ransomware gang had published 50% of the stolen data.

It is not clear whether the attack was politically motivated: the Conti ransomware gang announced its support for Russia’s invasion of Ukraine, while Costa Rica publicly condemned the invasion.

“You also can’t separate it from the complex global geopolitical situation in a digitalized world,” Alvarado said.


Pierluigi Paganini

(SecurityAffairs – hacking, Costa Rica)

The post Conti ransomware claims responsibility for the attack on Costa Rica appeared first on Security Affairs.

Categories: Cyber Security News
