Security Affairs

Read, think, share … Security is everyone's responsibility

Ukraine is using Clearview AI’s facial recognition during the conflict

Mon, 03/14/2022 - 10:48
Ukraine’s defense ministry began using Clearview AI’s facial recognition technology to uncover Russian assailants, combat misinformation and identify the dead.

Ukraine’s defense ministry announced that it will use the facial recognition technology offered by Clearview AI. Clearview’s chief executive Hoan Ton-That confirmed the news to Reuters: the technology will allow the Ukrainian military to uncover Russian assailants, combat misinformation and identify the dead. The company offered its support to Ukraine immediately after the beginning of the invasion, Reuters reports, and Clearview pointed out that it has never had Russia as a client.

The AI-based system provided by Clearview could analyze more than 2 billion images from the Russian social network VKontakte, while its overall database contains over 10 billion photos.

We can distinguish harmless uses of the technology from potentially dangerous ones. The former include identifying the dead, identifying people in order to reunite refugees separated from their families, and debunking false social media posts related to the conflict. Another use is the identification of Russian operatives on the battlefield. The exact purpose for which Ukraine’s defense ministry is using the technology is unclear, Ton-That said. Other parts of Ukraine’s government are expected to deploy Clearview in the coming days, he and Wolosky said.

The use of such a powerful technology during a conflict is worrying: it could allow people of interest to be identified at checkpoints, but in a context where there is no time to reflect, false positives could cost lives.

“At least one critic says facial recognition could misidentify people at checkpoints and in battle.” Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project in New York, told Reuters: “A mismatch could lead to civilian deaths, just like unfair arrests have arisen from police use.”

“We’re going to see well-intentioned technology backfiring and harming the very people it’s supposed to help,” he added.

Ton-That has always recommended that the technology be used together with other sources of identification, and that it be used with care to prevent abuses in wartime.

Clearview’s technology is at the center of a heated debate: some governments accuse the company of violating privacy rights by scraping images online without the explicit consent of their owners.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Clearview)

The post Ukraine is using Clearview AI’s facial recognition during the conflict appeared first on Security Affairs.

Categories: Cyber Security News

The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years

Sun, 03/13/2022 - 10:47
The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years.

Lampion trojan is one of the most active banking trojans impacting Portuguese Internet end users since 2019. This piece of malware is known for the usage of the Portuguese Government Finance & Tax (Autoridade Tributária e Aduaneira) email templates to lure victims to install the malicious loader (a VBS file). However, fake templates of banking organizations in Portugal have been used by criminals to disseminate the threat in the wild, as observed in Figure 1 below with a malicious PDF (151724540334 Pedidos.pdf).

Figure 1: Emails templates are delivering malicious PDFs impersonating banking organizations in Portugal to spread Lampion trojan.

The malware’s TTPs and capabilities remain the same as those observed in 2019, but the trojan loader (the VBS files) propagated with the new campaign has significant differences. Also, the C2 server is the same one seen in past campaigns since 2020, suggesting that the criminals have been using the same server, geolocated in Russia, for two years to orchestrate all their malicious operations.

FUD capabilities of the Lampions’ VBS loader

Filename: Comprovativo de pagamento_2866-XRNM_15-02-2022 06-43-54_28.vbs
MD5: 2e295f9e683296d8d6b627a88ea34583

As expected, the Lampions’ VBS loader has changed over the last years, and its modus operandi is similar to other Brazilian trojans such as Maxtrilha, URSA, Grandoreiro, and so on. In detail, criminals are padding the file with around 56 MB of junk to evade detection, in contrast to the 2019 samples of just 13.20 KB.

Figure 2: Lampions’ VBS loader file enlarge technique to bypass its detection.

The VBS file contains a lot of junk sequences, and after some rounds of code cleaning and deobfuscation, 31.7 MB of useless lines of code were removed.

Figure 3: Lampions’ VBS loader size before and after removing the junk sequences.

The final file after the cleaning process has around 24.7 MB, and it is responsible for creating other files, including:

  • a 2nd VBS file with a random name (2nd_stage_vbs) that will download the Lampions’ final stage – two DLLs from AWS S3 buckets
  • another VBS file that executes the previous one via a scheduled task, which is also created by the 1st VBS loader.

The next figure presents the structure of the Lampions’ VBS loader after the cleaning and deobfuscation process.

Figure 4: Lampion’s VBS loader after some rounds of deobfuscation.

As mentioned, the 1st stage (Comprovativo de pagamento_2866-XRNM_15-02-2022 06-43-54_28.vbs) creates a new VBS file (2nd_stage_vbs) inside the %AppData%\Local\Temp folder with a random name (sznyetzkkg.vbs). Also, another VBS (jghfszcekwr.vbs) is created with code responsible for executing the previous VBS file (sznyetzkkg.vbs) via a scheduled task.

A scheduled task is created with a service-like description and the Administrator user set as its author. This scheduled task executes the second VBS file, jghfszcekwr.vbs, which contains the instructions to finally run the sznyetzkkg.vbs file (the 2nd VBS stage).

Figure 5: Creation of the 2nd VBS file and the auxiliary VBS file. Also, the scheduled task responsible for creating the auxiliary VBS file is shown.

After the initial VBS file runs, the two additional VBS files are in place and ready to be triggered; that is done by the scheduled task presented in Figure 6. The source code of jghfszcekwr.vbs is quite simple and only executes the 2nd VBS file (sznyetzkkg.vbs). We believe this indirection exists only to complicate malware analysis and hinder detection, something we confirmed during the analysis, as AV engines did not properly detect those files during the infection chain.

Figure 6: Schedule task (1) responsible for executing an auxiliary VBS (2) file which in turn runs the second VBS stage.

After that, the VBS file dubbed sznyetzkkg.vbs is executed. All the steps highlighted in Figure 7 are typically known from the last Lampions campaigns. This VBS file is quite similar to their predecessors, and it performs some tasks:

  • Deletes all the files from the startup folder with the following extension: lnk, vbs, cmd, exe, bat and js.
  • Decrypts the URLs containing the final stage of Lampion trojan.
  • Creates a .cmd file into the Windows startup folder to maintain persistence.

Figure 7:  Source-code of the 2nd VBS file and the encrypted URLs that will download the last stage of the Lampion trojan banker.
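To show how the scheduled-task hop described above can be caught from the task definition itself, here is an added Python example (not the page’s or Pedro Tavares’s code) that inspects Task Scheduler XML, the format Windows stores tasks in and that Security event 4698 carries as TaskContent, for an action running a .vbs out of %AppData%\Local\Temp. The two task definitions, the description text and the user path are constructed; only the jghfszcekwr.vbs name and the Administrator author come from the page.

```python
"""Inspect Task Scheduler XML for the Lampion launch pattern: an <Exec> action that
runs a .vbs dropped in %AppData%\\Local\\Temp through a script host.
Added example; the task definitions below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "wscript", "cscript", "cmd"}
# Drop location reported on the page for the random-named loader scripts.
TEMP_RE = re.compile(r"(\\appdata\\local\\temp\\|%temp%\\|%localappdata%\\temp\\)", re.IGNORECASE)

# Constructed: what the task behind the auxiliary VBS could look like (description is a placeholder)
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Administrator</Author>
    <Description>Windows Update Service</Description>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\victim\AppData\Local\Temp\jghfszcekwr.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a legitimate admin task that also runs a VBS, but from a managed location
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CONTOSO\itadmin</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\cscript.exe</Command>
      <Arguments>//nologo "C:\ProgramData\Inventory\collect.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def exec_actions(task_xml):
    """Return (author, [(command, arguments), ...]) from a task definition."""
    root = ET.fromstring(task_xml)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS).strip()
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return author, actions


def task_findings(task_xml):
    """Reasons this task looks like a VBS-loader launcher (empty list = nothing notable)."""
    author, actions = exec_actions(task_xml)
    findings = []
    for cmd, args in actions:
        full = f"{cmd} {args}".lower()
        host = cmd.strip('"').lower().rsplit("\\", 1)[-1]
        if ".vbs" not in full or not TEMP_RE.search(full):
            continue  # no VBS at all, or a VBS from a managed path
        if host in SCRIPT_HOSTS:
            findings.append(f"{host} runs a VBS from Temp: {args}")
        else:
            findings.append(f"task action references a VBS in Temp: {cmd} {args}")
        if author.lower() == "administrator":
            findings.append("registered under the generic author 'Administrator'")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, task_findings(xml_text))
```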

From this point, the modus operandi and TTPs are the same as those observed since 2019. The clear sign is that the same algorithm used in 2019 to decrypt the hardcoded strings containing the malicious URLs is still in use. The decryption script can be downloaded from GitHub here.

Figure 8: Lampion trojan VBS decryptor.

After running the script, we obtained the malicious URLs that download the next stage of Lampion trojan. Once again, the AWS S3 buckets were the criminals’ choice, as observed in the last releases of this malware.

The first DLL (the trojan loader) is a point of interest in this analysis. This file was also enlarged with lots of random BMP images inside – a well-known technique that is being used by Latin American gangs in their malware. This is a clear sign of cooperation between the several groups.

The P-17-4 DLL is renamed when downloaded and loaded into memory via DLL injection. The EAT (Export Address Table) function “mJ8Lf9v0GZnptOVNB2I” is then invoked to start the DLL loader:

C:\Windows\System32\rundll32.dll\"%AppData%\Local\Temp\rand_folder\random_name.dll" mJ8Lf9v0GZnptOVNB2I

Figure 9: Lampion DLLs – release 212 (February 2022).

The main goal of the DLL loader is just to unzip the 2nd DLL, called “soprateste.zip”, which is protected with a hardcoded password. The process from this point on is the same as described in our previous articles, namely:

Details of the Lampion release 212

The single task of the first DLL is just to unzip the 2nd one with a hardcoded password. As usual, the DLL inside soprateste.zip carries a message in Chinese for researchers:

Figure 10: Message hardcoded inside the soprateste.zip DLL (the Lampion itself) and part of the unzip process.

As usual, the trojan maintains intact its EAT since 2019. The call “DoThisBicht” is invoked from the DLL loader, and the malware starts its malicious activity. Figure 11 below shows the comparison of the EAT between the different versions from 2019 to 2022, and no differences were noticed.

Figure 11: Export Address Table (EAT) from the DLL inside the soprateste.zip file (the Lampion trojan itself).

The target brands are the same observed in the past campaigns, with the focus on Brazilian and Portuguese banking organizations.

0x5106a0c (28): banco montepio
0x5106a38 (16): montepio
0x5106a6c (26): millenniumbcp
0x5106aa8 (18): Santander
0x5106ac8 (14): BPI Net
0x5106ae4 (18): Banco BPI
0x5106b18 (24): Caixadirecta
0x5106b40 (42): Caixadirecta Empresas
0x5106b8c (20): NOVO BANCO
0x5106bc4 (14): EuroBic
0x5106bfa (16): Credito Agricola
0x5106c24 (20): Login Page
0x5106c48 (22): CA Empresas
0x5106c80 (18): Bankinter
0x5106cb4 (20): ActivoBank
0x5107118 (36): itauaplicativo.exe
0x5109568 (14): TravaBB
0x5109586 (32): Banco do Brasil
0x51095b4 (16): Traazure
0x51095d6 (32): Caixa Economica
0x5109604 (20): Travsantos
0x510962a (20): Santander
0x510964c (14): Travsic
0x510966a (14): Sicred
0x5109688 (14): Travite
0x51096c0 (18): Travdesco
0x51096e2 (18): Bradesco
0x5109704 (22): BANRITRAVAR
0x510972a (18): Banrisul
0x510974c (20): TravaBitco
0x5109772 (32): Mercado Bitcoin
0x51097a0 (14): Travcit
0x51097be (18): Citibank
0x51097e0 (18): Travorigs
0x5109802 (30): Banco Original
0x5109830 (18): SICTRAVAR
0x5109852 (14): Sicoob

When started, the trojan collects information about the opened processes on the target machine. If the title of the pages matches the hardcoded strings presented above, then it starts the malicious overlay process that presents fake messages and windows impersonating the target bank to lure the victims.

Figure 12: Lampion overlay screens (courtesy of MllenniumBCP – Portugal).

Figure 13: Part of the hardcoded messages present on the Delphi forms that are exhibited during the trojan execution.

As mentioned, Lampion is using the same C2 server geolocated in Russia at least for two years. Figure 14 compares the Lampion release 207 – from 2020 – and the new release 212 – February 2022. As presented, the server “5.188.9.28” has been used at least since 2020 by the criminals’ gang in order to orchestrate all the operations.

Figure 14: Lampion is using the same C2 server observed in 2020 and geolocated in Russia.

Interestingly, the C2 server – a Windows machine – has the Microsoft RPC Endpoint Mapper service exposed, which allows mapping some of the services running on the machine, associated pipes, hostname, etc.

Through this information, it was possible to obtain the hostname of the remote machine: \WIN-344VU98D3RU.

After a quick search, the hostname seems to have already been associated with other malicious groups operating different types of malware, such as Bazar (see the article here) and also LockBit 2.0 ransomware (take a look here).

Figure 15: IoCs related to the hostname used by Lampions C2 server (\WIN-344VU98D3RU).

Although it is not possible to confirm whether this is a hostname associated with other Cloud machines and used by legitimate systems, it was possible to identify that there are machines spread all over the world with the same hostname, and in some situations, only a few machines available per country.

In total, 81,503 machines were identified, with around 45k in The Netherlands, 25k in Russia, 2.5k in Turkey, 2k in Ukraine, 1.5k in the US, etc.

The complete list of hosts can be found below.

Final Thoughts

Nowadays, we are facing a rapid growth of Brazilian trojans, each with its own peculiarities, TTPs, etc. In this way, criminals achieve a FUD (fully undetectable) condition that allows them to evade detection and impact a large number of users around the world.

In this sense, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new infections or waves can emerge.

The MITRE ATT&CK matrix and Indicators of Compromise (IoCs) are available in the original post published by the cybersecurity researcher Pedro Tavares:

https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years/#.Yi32dnrMK5d

About the author Pedro Tavares:

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog seguranca-informatica.pt.


Pierluigi Paganini

(SecurityAffairs – hacking, Lampion trojan)


Mar 06- Mar 12 Ukraine – Russia the silent cyber conflict

Sun, 03/13/2022 - 09:23
This post provides a timeline of the events related to the Russian invasion of Ukraine from the cyber security perspective.

March 12 – Russian Internet watchdog Roskomnadzor is going to ban Instagram

Russian Internet watchdog Roskomnadzor is going to ban Instagram in Russia to prevent the spreading of info related to the Ukraine invasion.

March 11 – Anonymous hacked Roskomnadzor agency revealing Russian disinformation

The Anonymous collective continues to launch attacks against Russian entities, this is a summary of recent offensives.

March 10 – Crooks target Ukraine’s IT Army with a tainted DDoS tool

Threat actors are spreading password-stealing malware disguised as a security tool to target Ukraine’s IT Army.

March 9 – Multiple Russian government websites hacked in a supply chain attack

Threat actors hacked Russian federal agencies’ websites in a supply chain attack involving the compromise of a stats widget.

March 9 – Anonymous hacked Russian cams, websites, announced a clamorous leak

The collective Anonymous has hacked public cameras in Russia and transmitted their live feed on a website, it also announced a clamorous leak.

March 8 – Google TAG: Russia, Belarus-linked APTs targeted Ukraine

Google TAG observed Russian, Belarusian, and Chinese threat actors targeting Ukraine and European government and military orgs.

March 8 – Ukraine’s CERT-UA warns of phishing attacks against Ukrainian citizens

Ukraine’s CERT-UA warned citizens of new phishing attacks launched through compromised email accounts belonging to Indian entities.

March 7 – Coinbase blocked 25,000 crypto addresses linked to Russian individuals and entities

Coinbase announced that it’s blocking access to more than 25,000 blockchain addresses linked to Russian individuals and entities.

March 7 – Anonymous hacked Russian streaming services to broadcast war footage

Anonymous hacked into the most popular Russian streaming services to broadcast war footage from Ukraine.

March 6 – Anonymous offers $52,000 worth of Bitcoin to Russian troops for surrendered tank. Is it fake news?

The popular hacker collective Anonymous is offering to Russian troops $52,000 in BTC for each surrendered tank.

March 6 – Charities and NGOs providing support in Ukraine hit by malware

Malware-based attacks are targeting charities and non-governmental organizations (NGOs) providing support in Ukraine.

Below is the timeline of the events related to the previous weeks:

https://securityaffairs.co/wordpress/128727/cyber-warfare-2/feb-27-mar-05-ukraine-russia-cyberwar.html

https://securityaffairs.co/wordpress/128478/cyber-warfare-2/russian-invasion-of-ukraine-timeline.html


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Security Affairs newsletter Round 357 by Pierluigi Paganini

Sun, 03/13/2022 - 08:31
A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

If you want to also receive for free the newsletter with the international press subscribe here.

  • LockBit ransomware group claims to have hacked Bridgestone Americas
  • Attackers use website contact forms to spread BazarLoader malware
  • Russian Internet watchdog Roskomnadzor is going to ban Instagram
  • Ubisoft suffered a cyber security incident that caused a temporary disruption
  • Anonymous hacked Roskomnadzor agency revealing Russian disinformation
  • Open database leaves major Chinese ports exposed to shipping chaos
  • Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders
  • Vodafone investigates claims of a data breach made by Lapsus$ gang
  • Crooks target Ukraine’s IT Army with a tainted DDoS tool
  • CISA added 98 domains to the joint alert related to Conti ransomware gang
  • New Emotet botnet is rapidly growing, with +130K unique bots spread across 179 countries
  • TLStorm flaws allow to remotely manipulate the power of millions of enterprise UPS devices
  • Google blocked China-linked APT31’s attacks targeting U.S. Government
  • Multiple Russian government websites hacked in a supply chain attack
  • Anonymous hacked Russian cams, websites, announced a clamorous leak
  • HP addressed 16 UEFI firmware flaws impacting laptops, desktops, PoS systems
  • Samsung data breach: Lapsus$ gang stole Galaxy devices’ source code
  • Microsoft March 2022 Patch Tuesday updates fix 89 vulnerabilities
  • Google TAG: Russia, Belarus-linked APTs targeted Ukraine
  • Access:7 flaws impact +150 device models from over 100 manufacturers
  • CISA urges to fix actively exploited Firefox zero-days by March 21
  • Ragnar Locker ransomware group breached at least 52 organizations across 10 critical infrastructure sectors
  • Ukraine’s CERT-UA warns of phishing attacks against Ukrainian citizens
  • Dirty Pipe Linux flaw allows gaining root privileges on major distros
  • Coinbase blocked 25,000 crypto addresses linked to Russian individuals and entities
  • SharkBot, the new generation banking Trojan distributed via Play Store
  • Anonymous hacked Russian streaming services to broadcast war footage
  • Mozilla addresses two actively exploited zero-day flaws in Firefox
  • Anonymous offers $52,000 worth of Bitcoin to Russian troops for surrendered tank. Is it fake news?
  • CVE-2022-0492 flaw in Linux Kernel cgroups feature allows container escape
  • Charities and NGOs providing support in Ukraine hit by malware


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


LockBit ransomware group claims to have hacked Bridgestone Americas

Sun, 03/13/2022 - 06:08
LockBit ransomware gang claimed to have hacked Bridgestone Americas, one of the largest manufacturers of tires.

LockBit ransomware gang claimed to have compromised the network of Bridgestone Americas, one of the largest manufacturers of tires, and stolen data from the company.

The Bridgestone Americas family of enterprises includes more than 50 production facilities and 55,000 employees throughout the Americas.

LockBit operators plan to release the stolen data on March 15, 2022 at 23:59 if the company does not pay the ransom.

On February 27, some employees at Bridgestone’s La Vergne plant reported being sent home due to a possible cyber attack. Bridgestone launched an investigation into the incident and hired a prominent consulting firm to determine the full scope and nature of the incident.

“Bridgestone Americas are currently investigating a potential information security incident. Since learning of the potential incident in the early morning hours of February 27, we have launched a comprehensive investigation to quickly gather facts while working to ensure the security of our IT systems. Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact.” read Bridgestone’s full statement published by NewsChannel5. “Until we learn more from this investigation, we cannot determine with certainty the scope or nature of any potential incident, but we will continue to work diligently to address any potential issues that may affect our operations, our data, our teammates, and our customers.”

LockBit continues to be one of the most active ransomware operations at this time. Unlike other groups, it has pointed out that it is apolitical and only interested in money.

“Many people ask us, will our international community of post-paid pentesters, threaten the west on critical infrastructure in response to cyber aggression against Russia?
Our community consists of many nationalities of the world, most of our pentesters are from the CIS including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team. Our programmers developers live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings.” reads a statement published by the group on its Tor leaksite. “For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work. All we do is provide paid training to system administrators around the world on how to properly set up a corporate network. We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts.”

In February, the Federal Bureau of Investigation (FBI) issued a flash alert containing technical details and indicators of compromise associated with LockBit ransomware operations.


Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit)


Attackers use website contact forms to spread BazarLoader malware

Sat, 03/12/2022 - 11:40
Threat actors are spreading the BazarLoader malware via website contact forms to evade detection, researchers warn.

Researchers from cybersecurity firm Abnormal Security observed threat actors spreading the BazarLoader/BazarBackdoor malware via website contact forms.

The TrickBot operation has recently come to the end of its journey; according to AdvIntel, some of its top members have moved under the Conti ransomware gang, which is planning to replace the popular banking Trojan with the stealthier BazarBackdoor.

BazarBackdoor was developed by TrickBot’s core team of developers and was used to achieve remote access into corporate networks and use it to deploy the ransomware.

As TrickBot became more widespread, it became easy for antimalware solutions to detect it; for this reason, the gang began employing BazarBackdoor for initial access to networks.

The BazarBackdoor malware is usually spread through phishing messages using weaponized documents. 

Security firms rapidly updated their solutions to detect these campaigns, forcing the threat actors behind the malware to adopt new delivery techniques.

“Between December 2021 and January 2022, we identified a series of phishing campaigns targeting several of our customers.” reads the analysis published by Abnormal Security. “Rather than directly sending a phishing email, the attacker in these cases initiated a conversation through an organization’s website contact form. In these initial contact form submissions, the attacker posed as an employee at a Canadian luxury construction company looking for a quote for a product provided by the target.”

The attacks leveraging organizations’ website contact forms started in December 2021; the threat actors used BazarBackdoor to deploy ransomware strains or Cobalt Strike beacons.

In one of the attacks analyzed by the experts, the attackers posed as employees of a Canadian construction company and submitted a request for a quote for a product supplied by the target.

Once an employee responded to the phishing attempt, the attackers continued the negotiation in an effort to trick the victim into downloading a malicious file.

The attacks analyzed by the experts used a malicious ISO file supposedly relevant to the negotiation; the victims were invited to download it from file-sharing services such as TransferNow and WeTransfer.

Contact forms were already used in the past, in April, Microsoft researchers spotted a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware.

The ISO image used in the attacks observed by Abnormal Security contains a .lnk file and a .log file. The former carries a command that opens a terminal window and uses regsvr32.exe to run the file named DumStack.log, which is in reality a BazarBackdoor DLL.

“With a process injection technique, the DLL uses svchost.exe service to evade detection and establish a connection with their command and control (C2) server at the IP address 13.107.21[.]200 using port 443.” continues the analysis.

The backdoor is injected into the svchost.exe process and waits for commands from the C2 server. At the time of the investigation, some of the C2 IP addresses were down, while others did not serve the second-stage malware, making it impossible to analyze it.
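The two LOLBin launches described on this page, Lampion’s rundll32 call on a random DLL under %AppData%\Local\Temp with the export mJ8Lf9v0GZnptOVNB2I and BazarLoader’s regsvr32 call on a “.log” file from a mounted ISO, share a detectable shape: a trusted Windows binary loading code from a place or with a name it should not. The Python below is an added example, not code from Abnormal Security, Pedro Tavares or the original posts; the process-creation log lines and their field layout (timestamp|host|user|image|command line) are constructed, and C: as the system drive is an assumption.

```python
"""Flag rundll32/regsvr32 launches whose module lives in a user-writable path or on a
non-system drive (e.g. a mounted ISO), lacks a .dll extension, or names a random-looking
export. Added example; the log records and their layout are constructed."""
import re

# Assumption: the workstation's system drive is C:. A LOLBin loading code from any other
# drive letter (ISO images mount as a new letter on modern Windows) deserves a look.
SYSTEM_DRIVE = "c:"
USER_WRITABLE_RE = re.compile(
    r"(\\appdata\\|\\temp\\|\\users\\public\\|\\downloads\\|%appdata%|%temp%)", re.IGNORECASE)

# Constructed process-creation records: timestamp|host|user|image|command line
SAMPLE_LOG = [
    # Lampion-style: rundll32 + random DLL under AppData\Local\Temp + the export named on the page
    r'2022-02-15T06:44:10Z|WS01|victim|C:\Windows\System32\rundll32.exe|"C:\Windows\System32\rundll32.exe" "C:\Users\victim\AppData\Local\Temp\xq1f\random_name.dll" mJ8Lf9v0GZnptOVNB2I',
    # BazarLoader-style: regsvr32 executing DumStack.log from a mounted ISO (drive E: is constructed)
    r'2022-01-20T14:02:33Z|WS02|victim|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s E:\DumStack.log',
    # Benign: the printer-UI entry point, a common legitimate rundll32 use
    r'2022-01-20T14:05:00Z|WS02|victim|C:\Windows\System32\rundll32.exe|rundll32.exe printui.dll,PrintUIEntry /in /n "\\print01\HP"',
    # Benign: re-registering a system DLL
    r'2022-01-20T14:06:00Z|WS02|SYSTEM|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Windows\System32\jscript.dll',
]


def split_lolbin_args(binary, cmdline):
    """Return (module_path, export_name) from a rundll32/regsvr32 command line."""
    toks = re.findall(r'"[^"]+"|\S+', cmdline)[1:]      # drop the binary itself
    toks = [t for t in toks if not t.startswith("/")]    # regsvr32 switches such as /s, /i:...
    if not toks:
        return None, None
    module, export = toks[0].strip('"'), None
    if binary == "rundll32":
        # rundll32 accepts both "path,Export" and "path Export"
        if "," in module:
            module, export = module.split(",", 1)
        elif len(toks) > 1:
            export = toks[1].lstrip(",") or None
    return module, export


def assess(binary, cmdline):
    """List the reasons a single command line deserves analyst attention."""
    module, export = split_lolbin_args(binary, cmdline)
    reasons = []
    if not module:
        return reasons
    low = module.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext != "dll":
        reasons.append(f"module without .dll extension: {module}")
    if USER_WRITABLE_RE.search(low):
        reasons.append(f"module in user-writable location: {module}")
    if re.match(r"[a-z]:", low) and low[:2] != SYSTEM_DRIVE:
        reasons.append(f"module on non-system drive {low[:2].upper()} (mounted image/removable?)")
    # Legitimate exports are readable names or ordinals (#n); random-looking ones carry digits.
    if export and not export.startswith("#") and re.search(r"\d", export):
        reasons.append(f"random-looking export name: {export}")
    return reasons


def analyze(lines):
    """Return one finding per suspicious LOLBin launch found in the records."""
    findings = []
    for line in lines:
        ts, host, user, image, cmdline = line.split("|", 4)
        binary = image.lower().rsplit("\\", 1)[-1]
        if binary.endswith(".exe"):
            binary = binary[:-4]
        if binary not in ("rundll32", "regsvr32"):
            continue
        reasons = assess(binary, cmdline)
        if reasons:
            findings.append({"time": ts, "host": host, "user": user,
                             "binary": binary, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['binary']}: " + "; ".join(f["reasons"]))
```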

“Based on this, it’s clear that the threat actors were attempting to execute a multi-stage attack with BazarLoader as a first step.” concludes the report. “BazarLoader is usually the first stage in a more sophisticated, multi-stage malware attack, often used to deploy Conti ransomware or Cobalt Strike, for example.”


Pierluigi Paganini

(SecurityAffairs – hacking, BazarLoader)


Open database leaves major Chinese ports exposed to shipping chaos

Fri, 03/11/2022 - 06:06
The freight logs of two major Chinese shipping ports have been leaking data, a problem which, if left unresolved, could disrupt the supply chain of up to 70,000 tonnes of cargo a day, with potentially serious consequences for international shipping.

The cybernews® research team identified an open ElasticSearch database, exposed to the public, containing more than 243GB of data detailing current and historic ship positions. Analyzing the data, the team determined that it is highly likely to belong to the Yangtze river ports of Nanjing and Zhangjiagang.

Source: Maritime intelligence

The discovery is especially timely, given the escalation of the geopolitical situation caused by Russia’s recent decision to invade Ukraine. “This could have gone very badly if bad guys had found it before we did,” said a spokesperson for Cybernews.

ElasticSearch lacks a default authentication and authorization system, meaning the data must be put behind a firewall or else run the risk of being freely accessed, modified or deleted by threat actors. The push access logs of zjgeport.com found in the database contained user IDs and, most importantly, API keys that could in theory permit universal access, allowing a cybercriminal to write new data about current ship positions.

In layman’s terms, what this means is that if left unplugged, the gap could allow threat actors to read, delete or alter any of the entries in the exposed databases – or even create new ones for cargoes or ships that don’t exist. Moreover, conventional criminals could physically hijack a ship and jam its communications, leaving the port that controls and tracks its movements unaware that the vessel had been boarded.

That in turn could jeopardize up to 3,100 vessels that transport more than 250 million tonnes of cargo annually to and from the two ports – not to mention putting at risk the lives of the estimated 40,000 passengers a year that use Nanjing for sea travel.

The Cybernews team said: “Because of the way ElasticSearch architecture is built, anybody with access to the link has full administrator privileges over the data warehouse, and is thus able to edit or delete all of the contents and, most likely, disrupt the normal workflow of these ports.

“Because both of these ports directly connect factories based in China to international waters, it’s more than likely that they carry international cargo, thus creating a butterfly effect likely to affect the whole supply chain worldwide if the open instance is not closed.”

Zhangjiagang’s main cargoes include steel, timber, coal, cement and chemical fertilizers, while Nanjing typically trades in goods such as metal ore, light industrial goods, petroleum and pharmaceutical products. With Russia having incurred global sanctions as a result of its invasion of Ukraine, the fate of China’s economy will be more important than ever as it seeks to fill the vacuum created by its superpower neighbor’s expulsion from the world stage.

Since being alerted to the problem by Cybernews, the owners of the ElasticSearch database have enforced HTTP Authentication as a requirement for access, effectively cutting it off from the public side of the internet.
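As an added illustration (this is not code from Cybernews or from the port operators), the following Python script shows what an exposure check for an Elasticsearch endpoint looks like: it classifies the cluster's answer to an unauthenticated request, lists indices with their document counts, and flags fields whose names look like credentials, the kind of API-key material found in the push access logs described above. The REST endpoints used (_cat/indices, _search) are standard; the sample JSON in the test and the field-name hints are assumptions, not data from the article.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access and flag
credential-looking fields in returned documents.

Added example, not from the Cybernews research or the Security Affairs post.
Assumptions: the target exposes the standard REST API on the URL given, and
only the _cat/indices and _search endpoints are used.
"""
import json
import sys
import urllib.error
import urllib.request

# Field-name fragments that usually indicate secrets (assumption, not from the article).
SENSITIVE_KEY_HINTS = ("key", "token", "secret", "password", "passwd")


def classify_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated request to an exposure verdict."""
    if status == 200:
        return "open"            # anyone with the URL can read (and, by default, write)
    if status in (401, 403):
        return "auth-required"   # security is enabled; credentials are needed
    return "other"


def summarize_indices(cat_indices_json: str) -> list:
    """Parse GET /_cat/indices?format=json&h=index,docs.count into (name, doc_count) pairs."""
    rows = json.loads(cat_indices_json)
    return [(row["index"], int(row.get("docs.count") or 0)) for row in rows]


def find_sensitive_fields(doc, path: str = "") -> list:
    """Return dotted paths of fields whose names suggest credentials, recursing into nested data."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}" if path else key
            if any(hint in key.lower() for hint in SENSITIVE_KEY_HINTS):
                hits.append(here)
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            hits.extend(find_sensitive_fields(value, f"{path}[{i}]"))
    return hits


def probe(base_url: str, timeout: float = 5.0) -> tuple:
    """Live check: returns (verdict, [(index, docs)]). Only run against systems you are authorised to test."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json&h=index,docs.count"
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
            return classify_status(resp.status), summarize_indices(resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_status(err.code), []


def sample_hits(base_url: str, index: str, timeout: float = 5.0) -> list:
    """Fetch one document from an index so its field names can be inspected."""
    url = f"{base_url.rstrip('/')}/{index}/_search?size=1"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return [hit["_source"] for hit in json.loads(resp.read().decode())["hits"]["hits"]]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: es_probe.py http://host:9200")
    verdict, indices = probe(sys.argv[1])
    print(verdict)
    if verdict == "open":
        for name, docs in indices:
            fields = [f for doc in sample_hits(sys.argv[1], name) for f in find_sensitive_fields(doc)]
            print(f"  {name}: {docs} docs; credential-looking fields: {fields or 'none'}")
```

A 200 on /_cat/indices without credentials is the condition the article describes. The fix the owners applied (HTTP authentication in front of the service) is equivalent to enabling Elasticsearch's own security (xpack.security.enabled: true) and binding network.host to a private interface; Elasticsearch 8.0 and later turn security on by default, earlier releases do not.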

Original Post @CyberNews

https://cybernews.com/security/open-database-leaves-major-chinese-ports-exposed-to-shipping-chaos/

About the author Damien Black

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Chinese ports)

The post Open database leaves major Chinese ports exposed to shipping chaos appeared first on Security Affairs.

Categories: Cyber Security News

Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders

Fri, 03/11/2022 - 04:01
Lapsus$ Ransomware gang is looking for insiders willing to sell remote access to major technology corporations and ISPs.

On Thursday, March 10, the Lapsus$ ransomware gang announced it is recruiting insiders employed at major technology companies and ISPs, naming Microsoft, Apple, EA Games and IBM, as well as major telecommunications companies such as Claro, Telefonica and AT&T.

Notably, the actors are looking to buy remote VPN access and ask potential insiders to contact them privately via Telegram; they then pay for the access granted.
Cybersecurity experts agree such activity creates a major insider threat risk and will likely be leveraged more actively by various threat actors on the Dark Web.

“Such tactics were previously used by some cybercriminal and APT groups covertly – when employees of major corporations received similar proposals via Linkedin and or personal e-mails.” – said Christian Lees, CTO of Resecurity, Inc, a Los Angeles-based cybersecurity company providing managed threat detection and response. “Based on our investigation, the group is successful in their activities, and such tactics may generate a new trend in Dark Web for access brokers, especially, in post-pandemic times and increase of geopolitical tensions globally” – he added.

The announcement came right after the publication of data stolen from two major technology giants, Nvidia and Samsung; the dumps, released as Torrent files, contain gigabytes of sensitive documents, digital code-signing certificates and source code. Hackers have leaked the credentials of more than 71,000 Nvidia employees, the source code of NVIDIA’s DLSS (Deep Learning Super Sampling) AI rendering technology, information about six supposedly unannounced GPUs, and 190GB of Samsung source code related to trusted applets in the smartphone TrustZone environment.

Just recently, the Lapsus$ group published speculative information about the next victim company whose data would be released and created a poll on its Telegram channel. The options offered were 200 GB presumably stolen from Vodafone, databases of the Portuguese media corporation Impresa, or the source code of MercadoLibre and MercadoPago, both Argentinian e-commerce companies. According to CNN, Vodafone started an internal investigation and is collaborating with law enforcement to clarify the nature of these claims.



Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders appeared first on Security Affairs.

Categories: Cyber Security News

Vodafone investigates claims of a data breach made by Lapsus$ gang

Fri, 03/11/2022 - 01:15
Vodafone is investigating claims by the Lapsus$ ransomware gang that it stole the company’s source code.

Vodafone announced it has launched an investigation after the Lapsus$ cybercrime group claimed to have stolen its source code.

The Lapsus$ gang claims to have stolen approximately 200 GB of source code files, allegedly contained in 5,000 GitHub repositories.

Early this week, the cybercrime group asked their subscribers in a poll on messaging app Telegram: “What should we leak next?” followed by three options:

  • Vodafone source code;
  • the source code and databases of the Portuguese media corporation Impresa;
  • the source code of the MercadoLibre and MercadoPago e-commerce companies.

The poll will end on March 13.

“We are investigating the claim together with law enforcement, and at this point we cannot comment on the credibility of the claim.” a Vodafone spokesperson told CNBC. “However, what we can say is that generally the types of repositories referenced in the claim contain proprietary source code and do not contain customer data.”

In February, Vodafone Portugal suffered a major cyberattack that caused service outages in the country, media reported the temporary disruption of 4G/5G communications and television services.

The Lapsus$ gang recently claimed to have stolen sensitive data from NVIDIA and Samsung.



Pierluigi Paganini

(SecurityAffairs – hacking, Vodafone)

The post Vodafone investigates claims of a data breach made by Lapsus$ gang appeared first on Security Affairs.

Categories: Cyber Security News

Crooks target Ukraine’s IT Army with a tainted DDoS tool

Thu, 03/10/2022 - 16:51
Threat actors are spreading password-stealing malware disguised as a security tool to target Ukraine’s IT Army.

Cisco Talos researchers have uncovered a malware campaign targeting Ukraine’s IT Army: threat actors are distributing infostealer malware disguised as a DDoS tool called “Liberator.” The Liberator tool is circulating among pro-Ukraine hackers who use it to target Russian propaganda websites.

After Russia invaded Ukraine, the Ukrainian Minister for Digital Transformation Mykhaylo Fedorov called for the creation of an “IT Army” of volunteers to launch a massive offensive against Russia. A Telegram channel is used to coordinate the efforts and plan the cyber-attacks conducted by the IT Army.

“Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised.” reads the analysis published by Talos. “In one such instance, we observed a threat actor offering a distributed denial-of-service (DDoS) tool on Telegram intended to be used against Russian websites. The downloaded file is actually an information stealer that infects the unwitting victim with malware designed to dump credentials and cryptocurrency-related information.”

The tainted Liberator tool was advertised on Telegram; the original version of the tool was developed by a group called disBalancer and is advertised as a DDoS tool for attacking “Russian propaganda websites.”

The tool was developed to let non-technical people easily launch an attack against a list of Russian sites fetched from a server.

The campaign uses a dropper disguised as the Disbalancer.exe tool, protected with the ASProtect packer for Windows executables.

Once dropped on the victim’s system, the malware performs anti-debug checks and then uses process injection to load the Phoenix information stealer in memory.

“If a researcher tries to debug the malware execution, it will be confronted with a general error. The malware, after performing the anti-debug checks, will launch Regsvcs.exe, which is included along with the .NET framework. In this case, the regsvcs.exe is not used as a living off the land binary (LoLBin). It is injected with the malicious code, which consists of the Phoenix information stealer.” continues the report.

The variant employed in the attack against the IT Army is able to steal a broad range of data, including data from web browsers, VPN tools, Discord, Steam, and cryptocurrency wallets. The collected data is sent to a remote IP address (95[.]142[.]46[.]35) on port 6666.

Talos experts believe this is an opportunistic campaign; the same IP address has been distributing Phoenix since November 2021.

“Cisco Talos constantly observes actors using any and all means to get their malware installed on systems, and the war in Ukraine is no exception. In this case, we found some cybercriminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state.” concludes the report. “We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.”
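The behaviour Talos describes, a .NET framework binary (Regsvcs.exe) started by a downloaded executable and then talking to 95[.]142[.]46[.]35:6666, is easy to express as a correlation over endpoint telemetry. The Python below is an added example written for this post (not Talos code): it walks Sysmon-style process-creation (event 1) and network-connection (event 3) records, flags injection hosts launched from an unexpected parent, and ties later connections from those processes, or any connection to the reported C2, back to them. The event records are constructed, and the list of injection hosts beyond Regsvcs.exe and the trusted-parent directories are assumptions.

```python
"""Correlate process-creation and network-connection events to spot the
Liberator/Phoenix pattern: a .NET framework binary (Regsvcs.exe) spawned
by an unexpected parent, followed by an outbound connection to the C2.

Added example, not Talos' code. Events are constructed Sysmon-style
records; the injection-host set beyond Regsvcs.exe is an assumption.
"""

# Refanged from the report's 95[.]142[.]46[.]35 on port 6666.
C2_IP = "95.142.46.35"
C2_PORT = 6666

# .NET framework binaries commonly used as injection hosts (assumption; the report
# names Regsvcs.exe specifically).
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}

# Parents under these directories are treated as expected (build tools, installers).
# Caveat: an attacker who runs from a system directory slips past this allowlist,
# so pair it with the network indicator below and with Authenticode checks.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return alert tuples; suspicious PIDs from event 1 taint their later event 3 records."""
    alerts = []
    tainted = set()
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) in INJECTION_HOSTS:
            parent = ev.get("ParentImage", "").lower()
            if not parent.startswith(TRUSTED_PARENT_DIRS):
                tainted.add(ev["ProcessId"])
                alerts.append(("suspicious_parent", ev["ProcessId"],
                               basename(ev["Image"]), basename(parent)))
        elif ev["EventID"] == 3:
            pid = ev["ProcessId"]
            ioc_hit = ev["DestinationIp"] == C2_IP or ev["DestinationPort"] == C2_PORT
            if ioc_hit:
                alerts.append(("c2_connection", pid, ev["DestinationIp"], ev["DestinationPort"]))
            elif pid in tainted:
                alerts.append(("tainted_process_network", pid,
                               ev["DestinationIp"], ev["DestinationPort"]))
    return alerts


# Constructed sample telemetry (not real logs): an infection, then a benign
# RegSvcs.exe launched by Visual Studio for comparison.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Users\vol\Downloads\Disbalancer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\vol\Downloads\Disbalancer.exe"},
    {"EventID": 3, "ProcessId": 4188, "DestinationIp": "95.142.46.35", "DestinationPort": 6666},
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"},
    {"EventID": 3, "ProcessId": 5000, "DestinationIp": "13.107.42.14", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent-process rule fires before any network activity, which matters for a stealer that exfiltrates quickly; the C2 rule is the precise but short-lived indicator, since the address can change while the injection pattern stays the same.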



Pierluigi Paganini

(SecurityAffairs – hacking, IT Army)

The post Crooks target Ukraine’s IT Army with a tainted DDoS tool appeared first on Security Affairs.

Categories: Cyber Security News

CISA added 98 domains to the joint alert related to Conti ransomware gang

Thu, 03/10/2022 - 11:10
The U.S. CISA has updated the alert on Conti ransomware and added 98 domain names used by the criminal gang.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its alert on Conti ransomware operations, adding 98 domain names used by the group.

The joint report published by CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) in September warned of an increased number of Conti ransomware attacks against US organizations.

The Indicators of Compromise (IoCs) added to the report were provided by the U.S. Secret Service.

Recently a Ukrainian researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the group announced its support for Russia. He was able to access the database of the XMPP chat server used by the Conti group.

The attack against the Conti ransomware and the data leak is retaliation for its support for the Russian invasion of Ukraine.

The leaked data in a second round included the source code for the Conti ransomware encryptor, decryptor, and builder, along with the administrative panel and the BazarBackdoor API.

The leaked data include information about the attack infrastructure used by the gang including domains employed in BazarBackdoor-based attacks.

“Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000. Notable attack vectors include Trickbot and Cobalt Strike (see below for details).” reads the report. “The following domains have registration and naming characteristics similar to domains used by groups that have distributed Conti ransomware. Many of these domains have been used in malicious operations; however, some may be abandoned or may share similar characteristics coincidentally.”

CISA added 98 domain names that were used by the gang or that share registration and naming characteristics with those used in Conti ransomware operations. The experts pointed out that the new domains added to the report were not included in the Ukrainian researcher’s leak.

badiwaw[.]com
balacif[.]com
barovur[.]com
basisem[.]com
bimafu[.]com
bujoke[.]com
buloxo[.]com
bumoyez[.]com
bupula[.]com
cajeti[.]com
cilomum[.]com
codasal[.]com
comecal[.]com
dawasab[.]com
derotin[.]com
dihata[.]com
dirupun[.]com
dohigu[.]com
dubacaj[.]com
fecotis[.]com
fipoleb[.]com
fofudir[.]com
fulujam[.]com
ganobaz[.]com
gerepa[.]com
gucunug[.]com
guvafe[.]com
hakakor[.]com
hejalij[.]com
hepide[.]com
hesovaw[.]com
hewecas[.]com
hidusi[.]com
hireja[.]com
hoguyum[.]com
jecubat[.]com
jegufe[.]com
joxinu[.]com
kelowuh[.]com
kidukes[.]com
kipitep[.]com
kirute[.]com
kogasiv[.]com
kozoheh[.]com
kuxizi[.]com
kuyeguh[.]com
lipozi[.]com
lujecuk[.]com
masaxoc[.]com
mebonux[.]com
mihojip[.]com
modasum[.]com
moduwoj[.]com
movufa[.]com
nagahox[.]com
nawusem[.]com
nerapo[.]com
newiro[.]com
paxobuy[.]com
pazovet[.]com
pihafi[.]com
pilagop[.]com
pipipub[.]com
pofifa[.]com
radezig[.]com
raferif[.]com
ragojel[.]com
rexagi[.]com
rimurik[.]com
rinutov[.]com
rusoti[.]com
sazoya[.]com
sidevot[.]com
solobiv[.]com
sufebul[.]com
suhuhow[.]com
sujaxa[.]com
tafobi[.]com
tepiwo[.]com
tifiru[.]com
tiyuzub[.]com
tubaho[.]com
vafici[.]com
vegubu[.]com
vigave[.]com
vipeced[.]com
vizosi[.]com
vojefe[.]com
vonavu[.]com
wezeriw[.]com
wideri[.]com
wudepen[.]com
wuluxo[.]com
wuvehus[.]com
wuvici[.]com
wuvidi[.]com
xegogiv[.]com
xekezix[.]com
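Lists like the one above are only useful once they are turned into something that runs over your own telemetry. The Python below is an added example (not CISA's tooling): it extracts the defanged domains from a pasted blob, even where feed extraction has fused two entries onto one line, refangs them, and checks DNS query logs for exact or subdomain matches on a label boundary, so "notbadiwaw.com" does not match "badiwaw.com". The DNS log format (one query=<name> field per line) and the sample lines are constructed; the domain subset is taken from the alert text.

```python
"""Refang the CISA/Conti domain list and match it against DNS query logs.

Added example, not CISA's or Security Affairs' code. The log format
('client=<ip> query=<name>' fields) and the sample lines are constructed.
"""
import re

# Anchoring on a known TLD lets entries that were fused together (for example
# "fecotis[.]comfipoleb[.]com") be split apart. Assumption: the list holds
# second-level domains under these TLDs, which is true of the alert above.
DEFANGED = re.compile(r"[a-z0-9-]+\[\.\](?:com|net|org)")
QUERY_FIELD = re.compile(r"\bquery=(\S+)")
CLIENT_FIELD = re.compile(r"\bclient=(\S+)")


def refang(value: str) -> str:
    """Turn a defanged indicator back into a usable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(blob: str) -> set:
    """Extract every defanged domain from free text, refanged and lower-cased."""
    return {refang(m) for m in DEFANGED.findall(blob.lower())}


def matching_ioc(qname: str, iocs: set):
    """Return the IoC that qname equals or is a subdomain of, else None."""
    name = qname.lower().rstrip(".")
    while name:
        if name in iocs:
            return name
        name = name.partition(".")[2]   # drop the leftmost label
    return None


def scan_dns_log(lines, iocs: set) -> list:
    """Yield (client, queried name, matched IoC) for every line that hits the list."""
    hits = []
    for line in lines:
        query = QUERY_FIELD.search(line)
        if not query:
            continue
        ioc = matching_ioc(query.group(1), iocs)
        if ioc:
            client = CLIENT_FIELD.search(line)
            hits.append((client.group(1) if client else "?", query.group(1), ioc))
    return hits


# Subset of the alert's domains, as pasted text (one pair fused the way feed
# extraction sometimes produces it, one pair separated by a space).
CONTI_DOMAINS = """
badiwaw[.]com
balacif[.]com
fecotis[.]comfipoleb[.]com
gucunug[.]com guvafe[.]com
xekezix[.]com
"""

# Constructed DNS log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "2022-03-09T10:11:12Z client=10.0.0.5 query=www.badiwaw.com type=A",
    "2022-03-09T10:11:13Z client=10.0.0.7 query=update.microsoft.com type=A",
    "2022-03-09T10:11:14Z client=10.0.0.8 query=notbadiwaw.com type=A",
    "2022-03-09T10:11:15Z client=10.0.0.9 query=xekezix.com. type=A",
]

if __name__ == "__main__":
    iocs = load_iocs(CONTI_DOMAINS)
    print(f"{len(iocs)} indicators loaded")
    for hit in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(hit)
```

CISA's own caveat applies to the output: some of the listed domains may be abandoned or only coincidentally similar, so a hit is a lead to triage against the query's timing and the client's other activity, not proof of a Conti intrusion.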



Pierluigi Paganini

(SecurityAffairs – hacking, Conti)

The post CISA added 98 domains to the joint alert related to Conti ransomware gang appeared first on Security Affairs.

Categories: Cyber Security News

New Emotet botnet is rapidly growing, with +130K unique bots spread across 179 countries

Thu, 03/10/2022 - 06:34
A few months after its return the Emotet botnet has already infected over 130,000 unique bots spread across 179 countries.

The Emotet botnet continues to grow and has infected approximately 130,000 hosts since its resurrection in November 2021.

In early 2021, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the Emotet botnet. The investigators took control of its infrastructure in an internationally coordinated action.

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agencies were able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as the Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In November 2021, researchers from multiple cybersecurity firms (Cryptolaemus, GData, and Advanced Intel) reported that threat actors were using the TrickBot malware to drop an Emotet loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Since then, Emotet operators have amassed an impressive number of infected systems, researchers from Lumen’s Black Lotus Labs reported.

Researchers pointed out that the new Emotet botnet supports new features to avoid detection and analysis, such as encryption of its network traffic and the separation of the process list into its own module.

The new version uses elliptic curve cryptography (ECC), with a public key to perform the encryption and a separate algorithm that is used to perform data validation.

The new version is also able to gather additional information about the infected host. Experts also reported significant growth of the C2 pool late February through March 4.

“While Black Lotus Labs tracked more than 300 unique Emotet C2s in May of 2019, the number of unique C2s in the roughly four months since the resurgence is roughly 200. As Figure 2 reflects, when Emotet came back online in November 2021, it did so with a smaller, but relatively consistent pool of Tier 1 C2s.” reads the report published by the experts. “Over the last few months, the C2 pool has continued to grow to an average of 77 unique Tier 1 C2s per day from late February through March 4.”

One of the most notable features of the new Emotet infrastructure is the apparent absence of Bot C2s: bots that would receive a UPnP module enabling the infected device to act as a C2 by opening a port on the user’s router and proxying traffic from other Emotet bots to a higher-tier C2.

Most of the Emotet C2s are located in the United States and Germany; the rest of the top 10 countries by volume of C2s are France, Brazil, Thailand, Singapore, Indonesia, Canada, the United Kingdom and India.

“The growth and distribution of bots is an important indicator of Emotet’s progress in restoring its once sprawling infrastructure. Each bot is a potential foothold to a coveted network and presents an opportunity to deploy Cobalt Strike or eventually be promoted to a Bot C2.” Black Lotus Labs concludes.



Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

The post New Emotet botnet is rapidly growing, with +130K unique bots spread across 179 countries appeared first on Security Affairs.

Categories: Cyber Security News

TLStorm flaws allow to remotely manipulate the power of millions of enterprise UPS devices

Thu, 03/10/2022 - 00:37
Three flaws in APC Smart-UPS devices, tracked as TLStorm, could be exploited by remote attackers to hack and destroy them.

Researchers from IoT security company Armis have discovered three high-impact security flaws, collectively tracked as TLStorm, affecting APC Smart-UPS devices.

The flaws can allow remote attackers to manipulate the power of millions of enterprise devices and carry out extreme cyber-physical attacks.

Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical systems.

“If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.” reads the analysis published by Armis.

APC has over 20 million devices deployed worldwide and, according to the researchers, almost 8 out of 10 companies are exposed to the TLStorm vulnerabilities.

Two of the TLStorm vulnerabilities reside in the TLS implementation used by Cloud-connected Smart-UPS devices, while the third one is a design flaw in the firmware upgrade process of Smart-UPS devices.

The researchers discovered that the firmware upgrades are not properly signed and validated.

This third flaw could be exploited by an attacker to achieve persistence by planting a malicious update on vulnerable UPS devices.

Below is the list of the flaws discovered by the experts:

  • CVE-2022-22806 – TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
  • CVE-2022-22805 – TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
  • CVE-2022-0715 – Unsigned firmware upgrade that can be updated over the network (RCE).

An attacker can trigger one of the above issues to gain remote code execution on vulnerable devices and interfere with the operation of the UPS to cause physical damage.
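CVE-2022-22806 is described as a state confusion in the TLS handshake. The Python below is an added illustration written for this post, not APC or Schneider Electric code and not a reconstruction of the actual bug: it models a server that requires a client certificate, as a firmware-upgrade channel would, and contrasts a lax handler that dispatches purely on message type with one that enforces message order. An attacker who simply omits Certificate and CertificateVerify and sends Finished early gets an "authenticated" session from the lax handler and a rejected handshake from the strict one. Message names follow TLS 1.2; all cryptography is left out, so the model is about sequencing only.

```python
"""Toy handshake state machine showing why 'state confusion' in a TLS
implementation becomes an authentication bypass.

Added illustration, not APC/Schneider code and not the real TLStorm bug.
Models a server that requires client authentication; no cryptography.
"""

EXPECTED_ORDER = ("ClientHello", "Certificate", "ClientKeyExchange",
                  "CertificateVerify", "ChangeCipherSpec", "Finished")


class LaxServer:
    """Handles each message on its own; nothing checks what has already arrived."""

    def __init__(self):
        self.peer_cert = None
        self.peer_verified = False
        self.established = False

    def receive(self, msg: str) -> bool:
        if msg == "Certificate":
            self.peer_cert = "client-cert"
        elif msg == "CertificateVerify":
            self.peer_verified = self.peer_cert is not None   # stands in for the signature check
        elif msg == "Finished":
            self.established = True   # BUG: never asks whether the peer was verified
        return True   # never rejects a message, whatever the current state


class StrictServer(LaxServer):
    """Same handlers, but every message must be the next one in EXPECTED_ORDER."""

    def __init__(self):
        super().__init__()
        self.step = 0

    def receive(self, msg: str) -> bool:
        if self.established or self.step >= len(EXPECTED_ORDER) or msg != EXPECTED_ORDER[self.step]:
            return False   # unexpected message: abort the handshake
        if msg == "Finished" and not self.peer_verified:
            return False   # defence in depth: Finished only completes an authenticated handshake
        self.step += 1
        return super().receive(msg)


def run(server, trace) -> tuple:
    """Feed a message trace, stopping at the first rejection. Returns (established, peer_verified)."""
    for msg in trace:
        if not server.receive(msg):
            break
    return server.established, server.peer_verified


# Attacker skips Certificate and CertificateVerify and sends Finished early.
BYPASS_TRACE = ["ClientHello", "ClientKeyExchange", "ChangeCipherSpec", "Finished"]

if __name__ == "__main__":
    print("lax server, bypass trace   :", run(LaxServer(), BYPASS_TRACE))
    print("strict server, bypass trace:", run(StrictServer(), BYPASS_TRACE))
    print("strict server, honest trace:", run(StrictServer(), list(EXPECTED_ORDER)))
```

The design point is that the strict handler keeps one explicit state variable and rejects anything that is not the single expected next message; a handler built as independent per-message callbacks has no such variable to consult, which is where out-of-order Finished or ChangeCipherSpec messages get their leverage. The same discipline applies to the firmware path: an upgrade image should only be accepted after its signature has been verified inside an already-authenticated session.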

“The fact that UPS devices regulate high voltage power, combined with their Internet connectivity—makes them a high-value cyber-physical target. In the television series Mr. Robot, bad actors cause an explosion using an APC UPS device.” continues Armis. “However, this is no longer a fictional attack. By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke.”

Experts pointed out that vulnerabilities in the firmware upgrade process are often abused by sophisticated APT groups.

Armis reported the flaws to Schneider Electric’s APC on October 31, 2021, the vendor addressed them with the release of Patch Tuesday security updates on March 8, 2022.

“UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications.” concludes the report. “It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However traditional security solutions do not cover these assets. As a result, they remain “unseen” and therefore expose the organization to significant risk.”



Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

The post TLStorm flaws allow to remotely manipulate the power of millions of enterprise UPS devices appeared first on Security Affairs.

Categories: Cyber Security News

Google blocked China-linked APT31’s attacks targeting U.S. Government

Wed, 03/09/2022 - 16:09
Google has blocked a phishing campaign conducted by China-linked group APT31 aimed at Gmail users associated with the U.S. government.

Google announced it has blocked a phishing campaign conducted by the China-linked cyberespionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) and aimed at Gmail users associated with the U.S. government.

The campaign took place in February, and the Google Threat Analysis Group (TAG) was not able to link it to the ongoing invasion of Ukraine. TAG director Shane Huntley confirmed that the IT giant was able to detect and block all the phishing messages.

Update on recent batch of Google TAG Government Backed Attack Warnings:

In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government. 100% of these emails were automatically classified as spam and blocked by Gmail.

— Shane Huntley (@ShaneHuntley) March 8, 2022

APT31 is a China-linked APT group that has been involved in multiple cyber espionage operations. It made headlines recently after the Check Point Research team discovered that the group used a tool dubbed Jian, a clone of the NSA Equation Group’s “EpMe” hacking tool, years before it was leaked online by the Shadow Brokers.

In July 2021, the French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations conducted by the China-linked APT31 cyberespionage group. The state-sponsored hackers were hijacking home routers to set up a proxy mesh of compromised devices that concealed their attack infrastructure.

The cyberespionage group targeted entities in the EU, the United States and Canada in previous campaigns. In August 2021, the APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia.

Yesterday, the Google Threat Analysis Group (TAG) researchers revealed to have blocked attacks against hundreds of Ukrainians conducted by Belarus and Russian state-sponsored hackers.

The attacks have been attributed to the Russia-linked FancyBear group (aka APT28) and the Belarus-linked Ghostwriter (aka UNC1151) APT group.

Google TAG observed Russian, Belarusian, and Chinese threat actors targeting Ukrainian and European government and military organizations, as well as individuals. The attackers carried out both phishing campaigns and DDoS attacks.



Pierluigi Paganini

(SecurityAffairs – hacking, APT31)

The post Google blocked China-linked APT31’s attacks targeting U.S. Government appeared first on Security Affairs.

Categories: Cyber Security News

Multiple Russian government websites hacked in a supply chain attack

Wed, 03/09/2022 - 10:57
Threat actors hacked Russian federal agencies’ websites in a supply chain attack involving the compromise of a stats widget.

Several Russian federal agencies’ websites were compromised in a supply chain attack: threat actors compromised the stats widget that a number of government agencies embed to track visitor numbers, which allowed them to deface the websites and block access to them.

“Disruptions in the operation of the federal agencies’ websites occurred on Tuesday evening due to the hacking of the service (widget) of the monitoring system of state agencies’ websites, which is being maintained by the Ministry of Economic Development and is integrated into the websites of a number of state agencies, the press service for the Russian Ministry of Digital Development, Communications, and Mass Media told Interfax.” Interfax reported.

The compromised service was restored within an hour of the hack.

The hacked websites included the websites of the Energy Ministry, the Federal State Statistics Service, the Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, and other Russian state agencies.

“The websites of state agencies are under serious protection and round-the-clock monitoring by cybersecurity teams. It is difficult to compromise these websites directly, so hackers attack resources through external services and thus gain access to demonstrate incorrect content,” the press service said.

“Hackers hacked an application (widget), which is loaded on the websites of state bodies from an external resource, the press service added. After hacking the widget, hackers were able to publish incorrect content on the pages of the websites. The incident was promptly localized.”

The impacted websites displayed an image against the current invasion of Ukraine.
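The mechanism described by the ministry, a script loaded into many sites from one external resource, is exactly what Subresource Integrity (SRI) is meant to contain: the embedding page pins a hash of the script, and the browser refuses to execute a version whose bytes differ. The Python below is an added example for this post (not code from Interfax or from the agencies involved): it generates the integrity attribute for a widget, emits the script tag a page should carry, and performs the same recompute-and-compare check a browser does, against a constructed "defaced" copy. The widget bytes and the URL are made up.

```python
"""Subresource Integrity for a third-party widget: the browser refuses to run
a script whose bytes no longer match the hash pinned in the page.

Added example, not from the Interfax report or the agencies involved. The
widget bytes and URL are constructed; the attribute format is standard HTML.
"""
import base64
import hashlib
import hmac

ALLOWED_ALGOS = ("sha256", "sha384", "sha512")   # the only digests SRI accepts


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value, e.g. 'sha384-<base64 digest>'."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a page should use to embed the external widget."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """What the browser does before executing: recompute the digest and compare."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in ALLOWED_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(content, algo).encode(), integrity.encode())


# Constructed widget contents: the version the site pinned, and a defaced version
# that replaces the page body, the way the hijacked stats widget did.
PINNED_WIDGET = b"(function(){document.getElementById('visits').textContent='1024';})();"
TAMPERED_WIDGET = b"(function(){document.body.innerHTML='<img src=\"//evil.example/banner.png\">';})();"

if __name__ == "__main__":
    tag = script_tag("https://stats.example.gov/widget.js", PINNED_WIDGET)
    print(tag)
    integrity = tag.split('integrity="')[1].split('"')[0]
    print("pinned  :", verify_sri(PINNED_WIDGET, integrity))
    print("tampered:", verify_sri(TAMPERED_WIDGET, integrity))
```

Two caveats a practitioner would raise: SRI requires the script to be served with CORS headers (hence crossorigin="anonymous"), and it only works for scripts whose bytes are fixed. A widget that regenerates its JavaScript on every load cannot be pinned, and the fallback is to isolate it in a sandboxed iframe on a separate origin and to restrict script sources with a Content Security Policy, so that a compromise of the widget host cannot rewrite the embedding page.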

The official website of the #Russian Federal Penitentiary Service was hacked. A picture against the war with #Ukraine appears instead of the home page pic.twitter.com/FRDVXxiDHk

— NEXTA (@nexta_tv) March 8, 2022



Pierluigi Paganini

(SecurityAffairs – hacking, Russia supply chain attack)

The post Multiple Russian government websites hacked in a supply chain attack appeared first on Security Affairs.

Categories: Cyber Security News

HP addressed 16 UEFI firmware flaws impacting laptops, desktops, PoS systems

Wed, 03/09/2022 - 06:40
Researchers disclosed 16 high-severity flaws in different implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.

Researchers from cybersecurity firm Binarly discovered 16 high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.

An attacker can exploit these vulnerabilities to implant firmware that survives operating system updates and bypasses UEFI Secure Boot, Intel Boot Guard, and virtualization-based security.

Impacted devices include HP laptops, desktops, point-of-sale systems, and edge computing nodes.

“By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.” reads the analysis published by Binarly.

Below is the list of vulnerabilities discovered by the researchers:

CVE ID | Binarly ID | Description | CVSS score
CVE-2021-39297 | BRLY-2021-003 | DXE stack buffer overflow (arbitrary code execution) | 7.7 High
CVE-2021-39298 | BRLY-2021-004 | SMM callout (privilege escalation) | 8.8 High
CVE-2021-39299 | BRLY-2021-005 | DXE stack buffer overflow (arbitrary code execution) | 8.2 High
CVE-2021-39300 | BRLY-2021-006 | DXE stack overflow vulnerability (arbitrary code execution) | 8.2 High
CVE-2021-39301 | BRLY-2021-007 | DXE stack overflow (arbitrary code execution) | 7.7 High
CVE-2022-23924 | BRLY-2021-032 | SMM heap buffer overflow (arbitrary code execution) | 8.2 High
CVE-2022-23925 | BRLY-2021-033 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23926 | BRLY-2021-034 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23927 | BRLY-2021-035 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23928 | BRLY-2021-036 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23929 | BRLY-2021-037 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23930 | BRLY-2021-038 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23931 | BRLY-2021-039 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23932 | BRLY-2021-040 | SMM callout (privilege escalation) | 8.2 High
CVE-2022-23933 | BRLY-2021-041 | SMM callout (privilege escalation) | 8.2 High
CVE-2022-23934 | BRLY-2021-042 | SMM memory corruption (arbitrary code execution) | 8.2 High

“Binarly believes that the lack of a knowledge base of common firmware exploitation techniques and primitives related to UEFI firmware makes these failures repeatable for the entire industry. We are working hard to fill this gap by providing comprehensive technical details in our advisories. This knowledge base is crucial for developing effective mitigations and defense technologies for device security.” said Alex Matrosov, Founder and CEO at Binarly.

The most severe of the vulnerabilities discovered by the researchers are memory corruption issues affecting the System Management Mode (SMM) of the firmware. An attacker could trigger them to gain arbitrary code execution with the highest privileges.

HP addressed the flaws with the HP UEFI firmware security updates released in February 2022.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, UEFI firmware)

The post HP addressed 16 UEFI firmware flaws impacting laptops, desktops, PoS systems appeared first on Security Affairs.

Categories: Cyber Security News

Samsung data breach: Lapsus$ gang stole Galaxy devices’ source code

Wed, 03/09/2022 - 02:50
Samsung confirmed that threat actors had access to the source code of its Galaxy smartphones in a recent security breach.

Samsung this week disclosed a data breach in which threat actors accessed internal company data, including the source code of Galaxy models.

Last week the Lapsus$ extortion gang claimed to have stolen a huge trove of sensitive data from Samsung Electronics and leaked 190GB of alleged Samsung data as proof of the hack.

The gang announced the availability of the sample data on its Telegram channel and shared a Torrent file to download it. They also shared an image of the source code included in the stolen data.

Stolen data contains confidential Samsung source code, including:

  • DEVICES/HARDWARE - Source code for every Trusted Applet (TA) installed on all Samsung devices’ TrustZone (TEE) with specific code for every type of TEE OS (QSEE, TEEGris etc). THIS INCLUDES DRM MODULES AND KEYMASTER/GATEKEEPER!
  • Algorithms for all biometric unlock operations, including source code that communicates directly with sensor (down to the lowest level, we’re talking individual RX/TX bitstreams here).
  • Bootloader source code for all recent Samsung devices, including Knox data and code for authentication.
  • Various other data, confidential source code from Qualcomm.
Source: Lapsus$ gang’s Telegram Channel

Now the company has confirmed that the attack resulted in the exposure of sensitive company data.

“There was a security breach relating to certain internal company data,” Samsung told Bloomberg. “According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”

At this time it is not possible to determine the ransom demand made to Samsung by the Lapsus$ gang.

Recently, the Lapsus$ gang also claimed responsibility for the cyber attack against chipmaker giant NVIDIA, announcing it had stolen 1 TB of data from the company’s network. The gang leaked online around 20GB of data, including credentials of Nvidia employees.

The gang released over 70,000 employee email addresses and NTLM password hashes.


Pierluigi Paganini

(SecurityAffairs – hacking, Lapsus$ gang)


Microsoft March 2022 Patch Tuesday updates fix 89 vulnerabilities

Tue, 03/08/2022 - 19:26
Microsoft March 2022 Patch Tuesday security updates address 89 vulnerabilities in multiple products, including 3 zero-days.

Microsoft March 2022 Patch Tuesday security updates address 89 vulnerabilities in multiple products, including Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V.

The update includes fixes for 7 flaws in MS Exchange and 21 Microsoft Edge vulnerabilities. 14 vulnerabilities have been rated as Critical and 75 are listed as Important in severity. Three of these vulnerabilities were publicly known before the patches shipped; Microsoft reported none as being actively exploited.

Three flaws addressed by the Microsoft March 2022 Patch Tuesday security updates are zero-day issues, and for two of them, CVE-2022-21990 and CVE-2022-24459, public exploits are available.

  • CVE-2022-21990 – Remote Desktop Client Remote Code Execution Vulnerability
  • CVE-2022-24459 – Windows Fax and Scan Service Elevation of Privilege Vulnerability
  • CVE-2022-24512 – .NET and Visual Studio Remote Code Execution Vulnerability

None of the three zero-days had been exploited in attacks at the time the patches were released.

The most severe flaws fixed by the IT giant, the three rated Critical in the list below, are:

  • CVE-2022-23277 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2022-22006 – HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2022-24501 – VP9 Video Extensions Remote Code Execution Vulnerability

Below is the complete list of vulnerabilities addressed by Microsoft:

Tag | CVE ID | CVE Title | Severity
--- | --- | --- | ---
.NET and Visual Studio | CVE-2022-24512 | .NET and Visual Studio Remote Code Execution Vulnerability | Important
.NET and Visual Studio | CVE-2022-24464 | .NET and Visual Studio Denial of Service Vulnerability | Important
.NET and Visual Studio | CVE-2020-8927 | Brotli Library Buffer Overflow Vulnerability | Important
Azure Site Recovery | CVE-2022-24506 | Azure Site Recovery Elevation of Privilege Vulnerability | Important
Azure Site Recovery | CVE-2022-24517 | Azure Site Recovery Remote Code Execution Vulnerability | Important
Azure Site Recovery | CVE-2022-24470 | Azure Site Recovery Remote Code Execution Vulnerability | Important
Azure Site Recovery | CVE-2022-24471 | Azure Site Recovery Remote Code Execution Vulnerability | Important
Azure Site Recovery | CVE-2022-24520 | Azure Site Recovery Remote Code Execution Vulnerability | Important
Azure Site Recovery | CVE-2022-24518 | Azure Site Recovery Elevation of Privilege Vulnerability | Important
Azure Site Recovery | CVE-2022-24519 | Azure Site Recovery Elevation of Privilege Vulnerability | Important
Azure Site Recovery | CVE-2022-24515 | Azure Site Recovery Elevation of Privilege Vulnerability | Important
Azure Site Recovery | CVE-2022-24467 | Azure Site Recovery Remote Code Execution Vulnerability | Important
Azure Site Recovery | CVE-2022-24468 | Azure Site Recovery Remote Code Execution Vulnerability | Important
Azure Site Recovery | CVE-2022-24469 | Azure Site Recovery Elevation of Privilege Vulnerability | Important
Microsoft Defender for Endpoint | CVE-2022-23278 | Microsoft Defender for Endpoint Spoofing Vulnerability | Important
Microsoft Defender for IoT | CVE-2022-23265 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important
Microsoft Defender for IoT | CVE-2022-23266 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Important
Microsoft Edge (Chromium-based) | CVE-2022-0790 | Chromium: CVE-2022-0790 Use after free in Cast UI | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0789 | Chromium: CVE-2022-0789 Heap buffer overflow in ANGLE | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0809 | Chromium: CVE-2022-0809 Out of bounds memory access in WebXR | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0791 | Chromium: CVE-2022-0791 Use after free in Omnibox | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0803 | Chromium: CVE-2022-0803 Inappropriate implementation in Permissions | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0804 | Chromium: CVE-2022-0804 Inappropriate implementation in Full screen mode | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0801 | Chromium: CVE-2022-0801 Inappropriate implementation in HTML parser | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0802 | Chromium: CVE-2022-0802 Inappropriate implementation in Full screen mode | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0807 | Chromium: CVE-2022-0807 Inappropriate implementation in Autofill | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0808 | Chromium: CVE-2022-0808 Use after free in Chrome OS Shell | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0805 | Chromium: CVE-2022-0805 Use after free in Browser Switcher | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0806 | Chromium: CVE-2022-0806 Data leak in Canvas | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0800 | Chromium: CVE-2022-0800 Heap buffer overflow in Cast UI | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0794 | Chromium: CVE-2022-0794 Use after free in WebShare | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0795 | Chromium: CVE-2022-0795 Type Confusion in Blink Layout | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0792 | Chromium: CVE-2022-0792 Out of bounds read in ANGLE | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0793 | Chromium: CVE-2022-0793 Use after free in Views | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0796 | Chromium: CVE-2022-0796 Use after free in Media | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0798 | Chromium: CVE-2022-0798 Use after free in MediaStream | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0797 | Chromium: CVE-2022-0797 Out of bounds memory access in Mojo | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-0799 | Chromium: CVE-2022-0799 Insufficient policy enforcement in Installer | Unknown
Microsoft Exchange Server | CVE-2022-23277 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical
Microsoft Exchange Server | CVE-2022-24463 | Microsoft Exchange Server Spoofing Vulnerability | Important
Microsoft Intune | CVE-2022-24465 | Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability | Important
Microsoft Office Visio | CVE-2022-24510 | Microsoft Office Visio Remote Code Execution Vulnerability | Important
Microsoft Office Visio | CVE-2022-24509 | Microsoft Office Visio Remote Code Execution Vulnerability | Important
Microsoft Office Visio | CVE-2022-24461 | Microsoft Office Visio Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2022-24462 | Microsoft Word Security Feature Bypass Vulnerability | Important
Microsoft Office Word | CVE-2022-24511 | Microsoft Office Word Tampering Vulnerability | Important
Microsoft Windows ALPC | CVE-2022-23287 | Windows ALPC Elevation of Privilege Vulnerability | Important
Microsoft Windows ALPC | CVE-2022-24505 | Windows ALPC Elevation of Privilege Vulnerability | Important
Microsoft Windows ALPC | CVE-2022-23283 | Windows ALPC Elevation of Privilege Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-24451 | VP9 Video Extensions Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-22007 | HEVC Video Extensions Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-22006 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical
Microsoft Windows Codecs Library | CVE-2022-24452 | HEVC Video Extensions Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-24453 | HEVC Video Extensions Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-24501 | VP9 Video Extensions Remote Code Execution Vulnerability | Critical
Microsoft Windows Codecs Library | CVE-2022-24457 | HEIF Image Extensions Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-24456 | HEVC Video Extensions Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-22010 | Media Foundation Information Disclosure Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-21977 | Media Foundation Information Disclosure Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-23295 | Raw Image Extension Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-23300 | Raw Image Extension Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-23301 | HEVC Video Extensions Remote Code Execution Vulnerability | Important
Paint 3D | CVE-2022-23282 | Paint 3D Remote Code Execution Vulnerability | Important
Role: Windows Hyper-V | CVE-2022-21975 | Windows Hyper-V Denial of Service Vulnerability | Important
Skype Extension for Chrome | CVE-2022-24522 | Skype Extension for Chrome Information Disclosure Vulnerability | Important
Tablet Windows User Interface | CVE-2022-24460 | Tablet Windows User Interface Application Elevation of Privilege Vulnerability | Important
Visual Studio Code | CVE-2022-24526 | Visual Studio Code Spoofing Vulnerability | Important
Windows Ancillary Function Driver for WinSock | CVE-2022-24507 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important
Windows CD-ROM Driver | CVE-2022-24455 | Windows CD-ROM Driver Elevation of Privilege Vulnerability | Important
Windows Cloud Files Mini Filter Driver | CVE-2022-23286 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important
Windows COM | CVE-2022-23290 | Windows Inking COM Elevation of Privilege Vulnerability | Important
Windows Common Log File System Driver | CVE-2022-23281 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important
Windows DWM Core Library | CVE-2022-23291 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important
Windows DWM Core Library | CVE-2022-23288 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important
Windows Event Tracing | CVE-2022-23294 | Windows Event Tracing Remote Code Execution Vulnerability | Important
Windows Fastfat Driver | CVE-2022-23293 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important
Windows Fax and Scan Service | CVE-2022-24459 | Windows Fax and Scan Service Elevation of Privilege Vulnerability | Important
Windows HTML Platform | CVE-2022-24502 | Windows HTML Platforms Security Feature Bypass Vulnerability | Important
Windows Installer | CVE-2022-23296 | Windows Installer Elevation of Privilege Vulnerability | Important
Windows Kernel | CVE-2022-23297 | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | Important
Windows Kernel | CVE-2022-23298 | Windows NT OS Kernel Elevation of Privilege Vulnerability | Important
Windows Media | CVE-2022-21973 | Windows Media Center Update Denial of Service Vulnerability | Important
Windows PDEV | CVE-2022-23299 | Windows PDEV Elevation of Privilege Vulnerability | Important
Windows Point-to-Point Tunneling Protocol | CVE-2022-23253 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important
Windows Print Spooler Components | CVE-2022-23284 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Remote Desktop | CVE-2022-21990 | Remote Desktop Client Remote Code Execution Vulnerability | Important
Windows Remote Desktop | CVE-2022-23285 | Remote Desktop Client Remote Code Execution Vulnerability | Important
Windows Remote Desktop | CVE-2022-24503 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important
Windows Security Support Provider Interface | CVE-2022-24454 | Windows Security Support Provider Interface Elevation of Privilege Vulnerability | Important
Windows SMB Server | CVE-2022-24508 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability | Important
Windows Update Stack | CVE-2022-24525 | Windows Update Stack Elevation of Privilege Vulnerability | Important
XBox | CVE-2022-21967 | Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability | Important


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft March 2022 Patch Tuesday)


Google TAG: Russia, Belarus-linked APTs targeted Ukraine

Tue, 03/08/2022 - 16:44
Google TAG observed Russian, Belarusian, and Chinese threat actors targeting Ukraine and European government and military orgs.

Google’s Threat Analysis Group (TAG), which focuses on the analysis of nation-state threat actors, revealed that it blocked attacks against hundreds of Ukrainians conducted by Belarusian and Russian state-sponsored hackers.

The attacks have been attributed to the Russia-linked FancyBear group (aka APT28) and the Belarus-linked Ghostwriter (aka UNC1151) APT group.

Google TAG observed Russian, Belarusian, and Chinese threat actors targeting Ukrainian and European government and military organizations, as well as individuals. The attackers carried out both phishing campaigns and DDoS attacks.

“In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government backed hacking, largely emanating from Russia,” wrote Shane Huntley, Google’s TAG lead. “Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns.”

FancyBear has conducted several large credential phishing campaigns aimed at the users of Ukrainian media company UkrNet. Threat actors sent phishing emails from a large number of compromised accounts (non-Gmail/Google).

TAG researchers said that in two recent campaigns, the nation-state actors created Blogspot domains that were used as the initial landing page, which then redirected visitors to credential phishing pages.

In the last week, the Google TAG team observed the Ghostwriter threat actors targeting Polish and Ukrainian military and government organizations, gathering intelligence while the Russian army was invading Ukraine.

The CERT-UA recently warned Ukrainian citizens of new phishing attacks launched through compromised email accounts belonging to Indian entities.

Google also reported that the China-linked Mustang Panda cyberespionage group (aka Temp.Hex) has targeted European entities with lures related to the invasion of Ukraine. In some attacks spotted by Google, the threat actors used malicious attachments with file names such as ‘Situation at the EU borders with Ukraine.zip’. The researchers pointed out that this is the first time they have observed Mustang Panda targeting European entities; the group was previously observed targeting Southeast Asian organizations.

Google TAG also observed DDoS attacks against numerous Ukrainian government websites, including those of the Ministry of Foreign Affairs and the Ministry of Internal Affairs.

“We expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need.” concludes the report. “Project Shield allows Google to absorb the bad traffic in a DDoS attack and act as a “shield” for websites, allowing them to continue operating and defend against these attacks. As of today, over 150 websites in Ukraine, including many news organizations, are using the service.”


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Access:7 flaws impact +150 device models from over 100 manufacturers

Tue, 03/08/2022 - 14:55
Many IoT and medical devices are affected by seven serious flaws, collectively tracked as Access:7, in widely used Axeda platform.

Researchers from medical device cybersecurity company CyberMDX have discovered seven serious flaws, collectively tracked as Access:7, in the widely used Axeda platform of IIoT solutions provider PTC.

“Access:7 could enable hackers to remotely execute malicious code, access sensitive data or alter configuration on medical and IoT devices running PTC’s Axeda remote code and management agent,” reads the report published by CyberMDX.

The platform gives manufacturers remote access to, and management of, connected devices through an agent installed on those devices.

The impact of these flaws is widespread: the researchers determined that the issues affect more than 150 device models from over 100 manufacturers. Most of the impacted vendors are in the healthcare sector (55%), followed by IoT (24%), IT (8%), financial services (5%), and manufacturing (4%).

Three of the Access:7 vulnerabilities are critical remote code execution issues; an attacker can exploit them to take over a device, gain initial access to a network, and exfiltrate sensitive data.

Some of the vulnerabilities could be exploited to trigger a DoS condition and disrupt the operations of affected devices.

Below is the complete list of the Access:7 vulnerabilities shared by CISA:

PTC has released security patches for Axeda even though the platform has reached end of life, and it has also published mitigations and workarounds for the vulnerabilities.

The good news is that PTC is not aware of the exploitation of these vulnerabilities in attacks in the wild.

“PTC has no indication nor has been made aware that any of these vulnerabilities has been or is being exploited,” reads PTC’s advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

