Security Affairs


Cisco fixed two critical flaws in Expressway, TelePresence VCS solutions

Thu, 03/03/2022 - 08:00
Cisco fixed critical flaws in its Expressway Series and TelePresence Video Communication Server (VCS) unified communications products.

Cisco announced security patches for a couple of critical vulnerabilities, tracked as CVE-2022-20754 and CVE-2022-20755 (CVSS score of 9.0), in its Expressway Series and TelePresence Video Communication Server (VCS) unified communications products.

“Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read/write privileges to the application to write files or execute arbitrary code on the underlying operating system of an affected device as the root user.” reads the advisory published by the IT giant.

A remote, authenticated attacker with read/write privileges to the vulnerable application can exploit the vulnerabilities to write files or execute arbitrary code on the underlying operating system with root privileges.

The CVE-2022-20754 issue is an arbitrary file write vulnerability in Cisco Expressway Series and Cisco TelePresence VCS that could be exploited to conduct directory traversal attacks and overwrite files on the underlying operating system. The flaw is caused by insufficient input validation of user-supplied command arguments.

“A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with read/write privileges to the application to conduct directory traversal attacks and overwrite files on the underlying operating system of an affected device as the root user.” continues the advisory. “An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

The CVE-2022-20755 flaw is a command injection vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS; it could allow an authenticated, remote attacker with read/write privileges to the application to execute arbitrary code on the underlying operating system of an affected device as the root user.

“This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command.” continues the advisory. “A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user.”

Both vulnerabilities have been addressed with the release of version 14.0.5.

The company is not aware of attacks exploiting these vulnerabilities in the wild.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Code execution issue)

The post Cisco fixed two critical flaws in Expressway, TelePresence VCS solutions appeared first on Security Affairs.

Categories: Cyber Security News

The Difference Between Human and Machine Identities

Thu, 03/03/2022 - 07:01
As digital transformation is advancing and automation is becoming an essential component of modern enterprises, collaboration between humans and machines is crucial.

With this level of interaction, a new identity problem is emerging as machines operate on behalf of humans.

Collaboration between humans and machines is a working reality today. Along with this comes the need for secure communication as machines operate increasingly on behalf of humans. While people need usernames and passwords to identify themselves, machines also need to identify themselves to one another. But instead of usernames and passwords, machines use keys and certificates that serve as machine identities so they can connect and communicate securely.


Machine identities are rapidly expanding

The root of this new identity problem is an increasingly complex computing environment. The shift from on-premises data centers to cloud-based applications and workloads has created an explosion in the number of machines being deployed on enterprise networks. These machines are expanding well beyond traditional devices and servers to include:

  • Virtual servers and devices
  • Mobile devices
  • IoT devices
  • Cloud instances
  • Software applications and services, including APIs and algorithms
  • Containers that run apps and services

Each of these machines requires an identity that must be managed throughout its lifecycle. When you look at the infinite number of scenarios involving a combination of humans and machines accessing resources across this complex environment, keeping track of all the different identities that represent a single individual performing an action is a huge challenge. To make matters worse, the attack surface connected with machine identities is expanding much faster than human identities.

The consequences of poor machine identity management

Despite the growing importance of machine identities, organizations seem to forget about them. Instead, they focus only on protecting human identities. It is true that cybercriminals are breaking into corporate networks by compromising weak human identities – passwords or other credentials. But poorly managed machine identities can also become a path for infiltrating networks and stealing data. For example, threat actors frequently hide attacks in encrypted traffic. They can also compromise or forge a machine identity that can fool other machines into handing over sensitive data.

Navigating this massive volume of machine identities is made even more difficult by the fact that machine identity lifecycles are shortening. For many enterprises the need is compounded by digital transformation initiatives such as cloud migration and expanding DevOps processes. When organizations fail to keep up with the volume and variety of machine identities they need, the consequences can be dire.

Outages caused by expired certificates are the most visible symptom of poor machine identity management, but there are many other ways machine identities may be compromised. SSH keys, which are used to secure cloud-based servers and other machines, have been easily breached by the rising tide of SSH malware. Meanwhile, cybercriminals can steal private code signing keys to cloak malicious binaries within software updates, which are then unknowingly pushed out to unsuspecting end users.

Given that machine identities are among the least understood and most weakly protected parts of enterprise networks, it should come as no surprise that cybercriminals are aggressively exploiting them. From Stuxnet to SolarWinds, attackers are increasingly abusing unprotected machine identities to launch a variety of attacks. In fact, over the past four years threats targeting weak machine identities have increased by 400%.

The disconnect in investing in machine identity management

Even though the impact of poorly managed machine identities is well documented in various studies, organizations are still investing almost solely in human identities. Why is there such a gap between the budgets allocated to machine identities and those allocated to human identities?

There are several factors that explain this disconnect:

  • Rapid changes in IT infrastructure due to the accelerated digital transformation of the past two years have dramatically increased the volume of machines on enterprise networks that need machine identities—a changing reality organizations are only beginning to confront.
  • The security and business risks connected with cryptographic keys and certificates serving as machine identities are poorly understood.
  • There has been a scarcity of concrete standards and guidelines that provide organizations with prescriptive advice on how to effectively protect machine identities in a consistent, measurable fashion.

Common controls for managing both forms of digital identities

Although human identities and machine identities differ in many ways, their management is guided by similar security principles. The list below provides an overview of the top security controls applicable to both human identities and machine identities.

  • Ensure they are strong
  • Keep them secret
  • If compromised, change them immediately
  • Know where they are
  • Centrally control them
  • Do not duplicate them
  • Remove access when use is terminated
  • Limit their usage
  • Review before issuing
  • Review them regularly

More information on digital identities and different keys and certificates can be found in this education center.
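As an added example (not from the article or any vendor it mentions), the script below applies several of the controls listed above to OpenSSH keys, the machine identity the article singles out: it audits authorized_keys entries for strength (key type and RSA modulus size), limited usage (from=/command=/restrict options) and duplication (one key authorised on several accounts). The key blobs and entries are constructed placeholders rather than real keys, and the 3072-bit RSA threshold is an assumed local policy value.

```python
"""Audit OpenSSH authorized_keys entries against the identity controls above:
strength (key type, RSA size), limited usage (from=/command=/restrict), no duplication."""
import base64
import re
import struct
from collections import defaultdict

MIN_RSA_BITS = 3072            # assumed local policy threshold
WEAK_KEY_TYPES = {"ssh-dss"}   # DSA keys are refused by default in current OpenSSH
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$")
RESTRICTION_RE = re.compile(r"(^|,)(restrict|from=|command=)")

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_modulus_bits(blob: bytes) -> int:
    """ssh-rsa public key wire format: string "ssh-rsa", mpint e, mpint n."""
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def split_entry(line: str):
    """Return (options, keytype, base64, comment), or None for blank/comment lines.
    Options may contain quoted commas and spaces, so scan to the first unquoted space."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i, in_quotes = 0, False
    while i < len(line):
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i] in " \t" and not in_quotes:
            break
        i += 1
    first, rest = line[:i], line[i:].strip()
    options, remainder = ("", line) if KEY_TYPE_RE.match(first) else (first, rest)
    parts = remainder.split(None, 2)
    if len(parts) < 2:
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def audit_authorized_keys(keys_by_account: dict) -> list:
    """keys_by_account maps an account name to its authorized_keys lines. Returns
    (account, finding) tuples; a key found on several accounts is reported once."""
    findings, owners = [], defaultdict(list)
    for account, lines in keys_by_account.items():
        for line in lines:
            parsed = split_entry(line)
            if parsed is None:
                continue
            options, keytype, b64, _comment = parsed
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:
                findings.append((account, "bad-blob"))
                continue
            owners[blob].append(account)
            if keytype in WEAK_KEY_TYPES:
                findings.append((account, "weak-type"))
            elif keytype == "ssh-rsa" and rsa_modulus_bits(blob) < MIN_RSA_BITS:
                findings.append((account, "weak-rsa"))
            if not RESTRICTION_RE.search(options):
                findings.append((account, "unrestricted"))
    for accounts in owners.values():
        if len(set(accounts)) > 1:
            findings.append((",".join(sorted(set(accounts))), "shared-key"))
    return findings

# ---- constructed sample data: placeholder blobs, not real keys ----
def fake_rsa_blob(bits: int) -> bytes:
    n = (1 << (bits - 1)) | 1                    # modulus-sized placeholder integer
    n_bytes = n.to_bytes(bits // 8, "big")
    if n_bytes[0] & 0x80:
        n_bytes = b"\x00" + n_bytes              # mpint: positive value needs a leading zero
    return _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n_bytes)

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

RSA2048, RSA4096 = b64(fake_rsa_blob(2048)), b64(fake_rsa_blob(4096))
ED25519 = b64(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32))
DSS = b64(_ssh_string(b"ssh-dss") + _ssh_string(b"\x01" * 128) * 4)

SAMPLE = {
    "deploy": [f"ssh-rsa {RSA2048} ci@build",
               f'restrict,command="/usr/bin/rrsync -ro /srv" ssh-ed25519 {ED25519} backup'],
    "root":   [f"ssh-rsa {RSA2048} ci@build",    # same key as on deploy
               f"ssh-dss {DSS} legacy"],
    "alice":  [f'from="10.0.0.0/8" ssh-rsa {RSA4096} alice@laptop'],
}
```

Running `audit_authorized_keys(SAMPLE)` flags the short unrestricted RSA key on both deploy and root, the DSA key on root, and the fact that one key is shared by two accounts, while alice's restricted 4096-bit key passes.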

About the author: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience managing IT projects and evaluating cybersecurity. He was assigned to various key positions in national, NATO, and EU headquarters and honored by numerous high-ranking officers for his expertise and professionalism during his service – nominated as a certified NATO evaluator for information security. 

Anastasios’ interests include, among others, cybersecurity policy and governance, ICS and IoT security, encryption, and certificates management. He explores the human side of cybersecurity – the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic, and cognitive) in applying cybersecurity policies and integrating technology into learning. 

Currently, he works as a cybersecurity content writer for Bora Design. 


Pierluigi Paganini

(SecurityAffairs – hacking, machine identities)


Ukrainian WordPress sites under massive complex attacks

Thu, 03/03/2022 - 06:37
Researchers observed a spike in the attacks against Ukrainian WordPress sites since the beginning of the military invasion of the country.

Cyber attacks are an important component of the military strategy against Ukraine; experts observed a spike in the attacks against Ukrainian WordPress sites since the beginning of the military invasion of the country.

The attacks aimed at making the websites unreachable and causing fear and distrust in the Ukrainian government, WordPress security firm Wordfence reported.

The company analyzed exploit attempts against the websites it protects, a set of 8,320 WordPress websites belonging to universities, government, military, and law enforcement entities in the country.

Experts pointed out that the term “attack” indicates a sophisticated exploit attempt and does not refer to simple brute force attacks (login guessing attempts) or distributed denial of service traffic.

The attacks were aimed at exploiting vulnerabilities on a target WordPress website.

Wordfence reported that the number of attacks peaked at 144,000 on February 25.

“The Russian invasion of Ukraine started on February 24th. The chart below shows the overall number of exploit attempts on websites that we protect, with the .UA Ukrainian TLD before and after the invasion. This data set includes 8,320 .UA websites. We will use the term “attack” in this blog post to indicate a sophisticated exploit attempt.” reads the analysis published by Wordfence. “This does not include simple brute force attacks (login guessing attempts) or distributed denial of service traffic. It only includes attempts to exploit a vulnerability on a target WordPress website, which are the sites that Wordfence protects.”

A big portion of these attacks focused on a subset of 376 academic websites; starting February 25th, experts observed a spike that peaked at over 104,000 attacks in a single day.

Below are the attack counts observed by the company:

  • 479 attacks on Feb 24th
  • 37,974 attacks on Feb 25th
  • 104,098 attacks on Feb 26th
  • 67,552 attacks on Feb 27th

At least 30 Ukrainian university websites were compromised by attackers, who defaced some of them while others were left unavailable.

The threat actor behind the attacks on the universities is known as “theMx0nday”; evidence of the defaced websites is available on Zone-H.org.

The group has previously hit Brazilian, Indonesian, Spanish, Argentinian, US, and Turkish websites; its first entries on Zone-H date back to April 2019.

One of the tweets published by the group expressed support for the Russian government.

Wordfence decided to deploy real-time threat intelligence to all Ukrainian websites, a feature that is normally included only in Premium subscriptions.

“We are doing this to assist in blocking cyberattacks targeting Ukraine. This update requires no action from users of the Free version of Wordfence on the UA top-level domain. We are activating this live security feed for UA websites automatically until further notice. Within the next few hours, over 8,000 Ukrainian websites running the free version of Wordfence will automatically become far more secure against attacks, like these, that are targeting them.” concludes Wordfence. “The malicious IP addresses involved in this attack are included in our blocklist, which will completely block access to WordPress and other PHP applications installed alongside WordPress.”


Pierluigi Paganini

(SecurityAffairs – hacking, Ukrainian WordPress websites)


IsaacWiper, the third wiper spotted since the beginning of the Russian invasion

Tue, 03/01/2022 - 18:14
IsaacWiper, a new data wiper was used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.

ESET researchers uncovered a new data wiper, tracked as IsaacWiper, that was used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.

The wiper was first spotted on February 24 within an organization that had not been infected with the HermeticWiper malware (aka KillDisk.NCV), which infected hundreds of machines in the country on February 23. According to cybersecurity firms ESET and Broadcom’s Symantec, the infections followed the DDoS attacks against several Ukrainian websites, including those of the Ministry of Foreign Affairs, the Cabinet of Ministers, and the Rada.

Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n

— ESET research (@ESETresearch) February 23, 2022

The researchers have yet to attribute IsaacWiper to a specific threat actor. The first sample of the wiper was observed by ESET yesterday around 14h52 UTC (16h52 local time), but more interesting is the PE compilation timestamp of one of the samples, 2021-12-28, which suggests that the cyber attack might have been in preparation for almost two months.

IsaacWiper was spotted in the form of either a Windows DLL or an EXE with no Authenticode signature.

The oldest PE compilation timestamp discovered by ESET is October 19th, 2021, a circumstance that suggests that the malware might have been used in previous operations months earlier without being detected.

IsaacWiper and HermeticWiper share no code; the former is less sophisticated than the latter.

Once it has infected a system, IsaacWiper enumerates the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to obtain their device numbers. It then wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator.

Next the malware enumerates the logical drives and wipes the content of each disk with random bytes, also generated by the ISAAC PRNG. Experts pointed out that the malware wipes the files recursively in a single thread, so the process can be time-consuming on large disks.

ESET reported that on February 25 the threat actors deployed a version of IsaacWiper with debug logs.

Researchers speculate that the attackers were unable to wipe some of the targeted machines and added the logs to determine what went wrong.

“At this point, we have no indication that other countries were targeted.” concludes the analysis published by ESET. “However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”


Pierluigi Paganini

(SecurityAffairs – hacking, IsaacWiper)


China-linked APT used Daxin, one of the most sophisticated backdoors ever seen

Tue, 03/01/2022 - 10:24
Daxin is the most advanced backdoor in the arsenal of China-linked threat actors, designed to evade sophisticated defense systems.

Symantec researchers discovered a highly sophisticated backdoor, named Daxin, which is being used by China-linked threat actors to evade advanced threat detection capabilities.

The malicious code was likely designed for long-running espionage campaigns against government entities and critical infrastructure targets.

The experts pointed out that this threat exhibits a technical complexity previously unseen from such actors.

The attribution to China is based on the nature of the targets, most of which appear to be organizations and governments of strategic interest to China, and the use of tools associated with China-linked cyberespionage campaigns.

“Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.” states the report published by Symantec. “Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.”

Daxin takes the form of a Windows kernel driver, a rare choice for malware authors. It implements advanced communication capabilities that allow the attackers to communicate with infected computers on highly secured networks where direct internet connectivity is not available.

The malware can hide its traffic in normal network traffic on the target’s network and abuses legitimate services already running on the infected computers.

Daxin also implements network tunneling to communicate with legitimate services on the target’s network that can be reached from any infected computer.

Experts believe that the features implemented by the backdoor are reminiscent of the Regin malware that was spotted in 2014.

Daxin can hijack legitimate TCP/IP connections to communicate. The backdoor monitors all incoming TCP traffic for specific patterns; upon detecting them, the malware disconnects the legitimate recipient and takes over the connection.

This trick allows the backdoor to hide malicious traffic in apparently legitimate communications.

“Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.” continues the analysis.

The capabilities of the Daxin backdoor can be extended by deploying additional components on the infected computer; the malware provides a dedicated communication mechanism for such components by implementing a device named \\.\Tcp4.

“The malicious components can open this device to register themselves for communication. Each of the components can associate a 32-bit service identifier with the opened \\.\Tcp4 handle. The remote attacker is then able to communicate with selected components by specifying a matching service identifier when sending messages of a certain type.” continues Symantec.

Daxin also stands out due to its capability to establish intricate communication pathways across multiple infected computers at once, using a single command to a set of nodes.

Experts speculate that the most interesting functionality implemented by the backdoor allows it to create a new communications channel across multiple infected computers, where the list of nodes is provided by the attacker in a single command.

Unlike other malware, which builds such a channel step by step, Daxin establishes it in a single operation, which suits attacks on well-guarded networks.

Symantec links Daxin to the China-linked cyberespionage group Slug (aka Owlproxy) and believes that the group has been using the backdoor since at least 2013. Daxin has been actively used in attacks since at least November 2019, and researchers spotted signs of its deployment again in May 2020 and July 2020.

The most recent attacks involving Daxin were observed by the security firm in November 2021; they targeted telecommunication, transportation, and manufacturing companies. According to Symantec, the backdoor remained undetected until 2019.

“In summary, Daxin includes some of the most complex features we have seen in a highly probable China-linked malware campaign. We will publish follow-up blogs over the coming days with more detailed technical analysis and other insights from our research and collaborations.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Daxin)


CISA and FBI warn of potential data wiping attacks spillover

Tue, 03/01/2022 - 04:28
US CISA and the FBI warned US organizations that data wiping attacks targeting Ukraine entities could spill over to targets worldwide.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory to warn US organizations of data wiping attacks targeting Ukraine that could hit targets worldwide.

The advisory warns of the potential effects on organizations worldwide of two destructive malware families, tracked as WhisperGate and HermeticWiper.

The US agencies believe that further disruptive data wiping attacks could target organizations in Ukraine and may unintentionally spill over to organizations in other countries.

This joint Cybersecurity Advisory (CSA) provides information on the two wipers as well as indicators of compromise (IOCs) that could be used by defenders to detect and prevent infections. The advisory also provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.” reads the advisory. “Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”

Below is the list of actions recommended to organizations:

  • Set antivirus and antimalware programs to conduct regular scans.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Filter network traffic.
  • Update software.
  • Require multifactor authentication.

The advisory also includes recommendations for System and Application Hardening and Recovery and Reconstitution Planning along with Incident Response instructions.


Pierluigi Paganini

(SecurityAffairs – hacking, data wiping attacks)


FoxBlade malware targeted Ukrainian networks hours before Russia’s invasion

Mon, 02/28/2022 - 19:12
Microsoft revealed that Ukrainian entities were targeted with a previously undetected malware, dubbed FoxBlade, several hours before the invasion.

The Microsoft Threat Intelligence Center (MSTIC) continues to investigate the attacks that are targeting Ukrainian networks and discovered that entities in Ukraine were targeted with a previously undetected malware, dubbed FoxBlade, several hours before Russia’s invasion.

“This trojan can use your PC for distributed denial-of-service (DDoS) attacks without your knowledge.” reads the advisory published by Microsoft.

The IT giant immediately advised the Ukrainian government about the ongoing attacks and provided it with technical advice on how to detect and neutralize the malicious code. Microsoft pointed out that its experts had written signatures to detect the malware within three hours of its discovery.

“Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure,” said Microsoft President and Vice-Chair Brad Smith. “These recent and ongoing cyberattacks have been precisely targeted, and we have not seen the use of the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in the 2017 NotPetya attack.”

FoxBlade is the third piece of malware discovered in this period that has been involved in attacks against Ukrainian entities. Two other destructive malware families, tracked as WhisperGate and HermeticWiper, were used in data wiping attacks against organizations in Ukraine.


Pierluigi Paganini

(SecurityAffairs – hacking, FoxBlade)


Anonymous hit Russian Nuclear Institute and leak stolen data

Mon, 02/28/2022 - 16:50
Anonymous and other hacker groups that responded to the call to war against Russia continue to launch cyberattacks on gov organizations and businesses.

Anonymous and numerous hacker groups linked to the popular collective continue to launch cyber attacks against Russian and Belarussian government organizations and private businesses.

In the last few days, massive DDoS attacks have taken offline numerous websites of Russian government entities, including the Duma and the Ministry of Defense.

However, a cyber attack announced today by the Anonymous-linked group Network Battalion 65 could have serious consequences. The group claims to have compromised the Russian Nuclear Institute and released over 40,000 documents. Network Battalion 65 is also asking for help translating the huge quantity of documents (written in Cyrillic), which could contain sensitive data and information that can be used for sabotage operations.

#Anonymous Network Battalion 65’ have just released
40k files from the #Russian #Nuclear Institute
Translators needed ASAP get this information to the correct sources https://t.co/fgGWiZEUvK pic.twitter.com/Er7FoI2ZH2

— Anonymous ветеран (@Doemela_X) February 27, 2022

The research institute is tasked with monitoring the safety of nuclear plants in Russia; for this reason, the documents allegedly stolen by the group could contain sensitive data.

The news of the attack was reshared through other Twitter accounts used by other groups linked to the Anonymous collective.

Today Anonymous also targeted websites belonging to Russian propaganda media, including TASS, Izvestia, Fontaka, RBC and Kommersant, and defaced them.

BREAKING: #Anonymous invades sites belonging to Russian propaganda media such as:
TASS, Izvestia, Fontaka, RBC and Kommersant. #Ukraine pic.twitter.com/BkorZYUW9L

— IT Army of Ukraine (@ITarmyUA) February 28, 2022

The collective also launched massive DDoS attacks against banks in Belarus, taking down the websites of the following banks:

JUST IN: Top Banks in #Belarus are DOWN by #Anonymous. #OpRussia #FckPutin #OpKremlin #Ukraine https://t.co/dErmWjt2KK – DOWN https://t.co/2VTh8yqspc – DOWN https://t.co/eaRijslPPY – DOWN pic.twitter.com/JQEH9qg88U

— IT Army of Ukraine (@ITarmyUA) February 28, 2022

Stay tuned …..


Pierluigi Paganini

(SecurityAffairs – hacking, Anonymous)


Toyota Motors halted production due to a cyber attack on a supplier

Mon, 02/28/2022 - 14:23
Japanese carmaker Toyota Motors was forced to stop car production due to a cyberattack against one of its suppliers.

Japanese carmaker Toyota Motors was forced to halt its production due to a cyber attack suffered by one of its suppliers, Kojima Industries.

“It is true that we have been hit by some kind of cyberattack. We are still confirming the damage and we are hurrying to respond, with the top priority of resuming Toyota’s production system as soon as possible.” an official close to Kojima Industries told Nikkei.

Kojima Industries, a business partner of Toyota Motor Corporation, provides interior and exterior automotive plastic components.

“Due to a system failure at a domestic supplier (KOJIMA INDUSTRIES CORPORATION), we have decided to suspend the operation of 28 lines at 14 plants in Japan on Tuesday, March 1st (both 1st and 2nd shifts). We apologize to our relevant suppliers and customers for any inconvenience this may cause.” reads the announcement published by Toyota Motors. “We will also continue to work with our suppliers in strengthening the supply chain and make every effort to deliver vehicles to our customers as soon as possible.”

In response to the incident, the company decided to suspend the operation of 28 production lines in 14 plants in Japan, starting from tomorrow, March 1, 2022.

According to NikkeiAsia, the shutdown will affect the production of around 13,000 vehicles or 4% to 5% of Toyota’s monthly output in Japan.

The shutdown will also impact Toyota’s subsidiaries Daihatsu Motors and Hino Motors, but at this time the impact on the production of both carmakers is not clear. Hino Motors and Daihatsu Motors announced that they will shut down three plants.

The cyberattack hypothesis was also reported by local media: according to the Tokyo NP website, Kojima was hit by a cyberattack.

“The government is confirming the actual situation.” said Prime Minister Fumio Kishida.

Kishida did not link the attack to Russia.

“He declined to state that his relationship with Russia was ‘difficult to answer without confirmation.’” reported the Tokyo NP website. “It is believed that this is the first time Toyota has shut down all plants due to a system failure at a supplier. The Ministry of Economy, Trade and Industry has begun investigating the possibility of a cyber attack.”


Pierluigi Paganini

(SecurityAffairs – hacking, SIM swapping)

The post Toyota Motors halted production due to a cyber attack on a supplier appeared first on Security Affairs.

Categories: Cyber Security News

Researcher leaked Conti’s internal chat messages in response to its support to Russia

Mon, 02/28/2022 - 09:35
A Ukrainian researcher leaked tens of thousands of internal chat messages belonging to the Conti ransomware operation.

A Ukrainian researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the group announced its support to Russia.

Researchers from cybersecurity firm Hold Security confirmed that the researcher was able to access the database of the Conti group’s XMPP chat server.

conti jabber leaks https://t.co/0FzXiXhI2d

— conti leaks (@ContiLeaks) February 27, 2022

BREAKING: @HoldSecurity tells me Conti's systems have been infiltrated by cybercrime researchers for some time. The data was dumped by a Ukrainian cyber security researcher pissed off after Conti expressed support for Russia in the conflict. #infosecurity

— The Ransomware Files (@ransomwarefiles) February 28, 2022

The leak was also reported by the popular malware researcher Vitali Kremez through BleepingComputer.

The messages only cover chat conversations since January 21, 2021; their analysis could give precious information about the operations conducted by the group, including victims that went unreported because they struck private deals and opted to pay the ransom to avoid public disclosure of the security breach.

These conversations contain various information about the gang’s activities, including previously unreported victims, private data leak URLs, bitcoin addresses, and discussions about their operations.

BleepingComputer reported the existence of conversations about TrickBot’s Diavol ransomware operation and 239 bitcoin addresses containing $13 million in payments.

239 Bitcoin addresses representing ~$13.1 million in payments from the Conti leak have been added to https://t.co/lBxHWCQm7S. The full dataset is available to download from the site. #ransomware #Conti

— Ransomwhere (@ransomwhere_) February 27, 2022

Clearly the attack against the Conti ransomware gang and the data leak are a retaliation for its support for the Russian invasion of Ukraine. The attack will have a significant impact on the operation of the gang, considering also that many of Conti’s affiliates are Ukrainian groups.

The researcher who leaked the data belonging to Conti’s communications announced that more dumps are coming.

Ukraine is recruiting a volunteer IT army of cyber security experts and white hat hackers to launch cyberattacks on a list of Russian entities. The list is composed of 31 targets including Russian critical infrastructure, government agencies, banks, and hosting providers.

Ukraine’s Minister for Digital Transformation Mykhaylo Fedorov called to action against Russia, attempting to create an “IT Army” to launch a massive offensive against the country.

A Telegram channel was used to coordinate the efforts and plan the cyber-attacks that will be conducted by the IT Army.

Below is a timeline of the events related to the Russian invasion of Ukraine from the cyber security perspective.

Feb 7- Feb 27 Ukraine – Russia the silent cyber conflict


Pierluigi Paganini

(SecurityAffairs – hacking, Conti Ransomware)

The post Researcher leaked Conti’s internal chat messages in response to its support to Russia appeared first on Security Affairs.

Categories: Cyber Security News

Security Affairs newsletter Round 355

Mon, 02/28/2022 - 06:32
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you also want to receive for free the newsletter with the international press, subscribe here.

Anonymous breached the internal network of Belarusian railways
Feb 7- Feb 27 Ukraine – Russia the silent cyber conflict
Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list
Chipmaker giant Nvidia hit by a ransomware attack
Fileless SockDetour backdoor targets U.S.-based defense contractors
Russia restricts Twitter in the country amid conflict with Ukraine
Anonymous hacked the Russian Defense Ministry and is targeting Russian companies
UK’s NHS Digital warns of an RCE in Okta Advanced Server Access client
Ukraine calls on independent hackers to defend against Russia, Russian underground responds
Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing
Anonymous launched its offensive on Russia in response to the invasion of Ukraine
US and UK details a new Python backdoor used by MuddyWater APT group
CISA adds two Zabbix flaws to its Known Exploited Vulnerabilities Catalog
Data wiper attacks on Ukraine were planned at least in November and used ransomware as decoy
Deadbolt Ransomware targets Asustor and QNap NAS Devices
New Wiper Malware HermeticWiper targets Ukrainian systems
US and UK link new Cyclops Blink malware to Russian state hackers
Researchers shared technical details of NSA Equation Group’s Bvp47 backdoor
Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp?
Horde Webmail Software is affected by a dangerous bug since 2012
Iranian Broadcaster IRIB hit by wiper malware
Threat actors target poorly protected Microsoft SQL Servers
Cookware giant Meyer Corporation discloses cyberattack
Police dismantled a gang that used phishing sites to steal credit cards
China-linked APT10 Target Taiwan’s financial trading industry
A cyber attack heavily impacted operations of Expeditors International
Xenomorph Android banking trojan distributed via Google Play Store
How SMS PVA services could undermine SMS-based verification
A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files
Threat Report Portugal: Q4 2021
BEC scammers impersonate CEOs on virtual meeting platforms
Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users
Trickbot operation is now controlled by Conti ransomware


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 355 appeared first on Security Affairs.

Categories: Cyber Security News

Iran-linked UNC3313 APT employed two custom backdoors against a Middle East gov entity

Mon, 02/28/2022 - 05:29
An Iran-linked threat actor, tracked as UNC3313, was observed using two custom backdoors against an unnamed Middle East government entity.

UNC3313 is an Iran-linked threat actor that was linked with “moderate confidence” to the MuddyWater nation-state actor (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) by cybersecurity firm Mandiant.

UNC3313 was observed deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE, as part of an attack against an unnamed government entity in the Middle East in November 2021.

The APT group gained access to the organization through spear-phishing attacks and also leveraged publicly available tools to maintain remote access to the target’s environment.

“In November 2021, Mandiant Managed Defense detected and responded to an UNC3313 intrusion at a Middle East government customer. During the investigation, Mandiant identified new targeted malware, GRAMDOOR and STARWHALE, which implement simple backdoor functionalities.” reads the analysis published by Mandiant. “UNC3313 initially gained access to this organization through a targeted phishing email and leveraged modified, open-source offensive security tools to identify accessible systems and move laterally.”

UNC3313 was observed establishing remote access by using ScreenConnect, which allowed the group to infiltrate systems within an hour of initial compromise. Mandiant pointed out that it was able to quickly contain and remediate the intrusion.

The phishing messages, which masqueraded as a job promotion, attempted to trick victims into clicking a URL pointing to a RAR archive hosted on the cloud storage service OneHub. The archive contained a Windows Installer .msi file that installed the ScreenConnect remote access software to establish a foothold.

In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads by running obfuscated PowerShell commands.

The STARWHALE backdoor is a Windows Script File (.WSF) that executes commands received from a hardcoded command-and-control (C2) server. STARWHALE communicates with the C2 server via HTTP.

The second implant discovered by the experts is GRAMDOOR, whose name comes from its capability to use the Telegram Bot API for communication.

The backdoor sends and receives messages from a Telegram chat room under the control of the group.

GRAMDOOR is deployed as an NSIS installer and achieves persistence by setting a Windows Run registry key.

The analysis includes indicators of compromise for this attack.


Pierluigi Paganini

(SecurityAffairs – hacking, UNC3313)

The post Iran-linked UNC3313 APT employed two custom backdoors against a Middle East gov entity appeared first on Security Affairs.

Categories: Cyber Security News

Anonymous breached the internal network of Belarusian railways

Sun, 02/27/2022 - 18:13
The Anonymous hacker collective claims to have breached the Belarusian Railway’s data-processing network.

The Anonymous collective announced that the internal network of Belarusian railways has been compromised; the group claims to have blocked all services and will keep them deactivated until Russian troops leave the territory of Belarus.

The internal network of Belarusian railways has been attacked, all services are out of order and will soon be deactivated until Russian troops leave the territory of #Belarus. #StandWithUkriane

— Anonymous (@LatestAnonPress) February 27, 2022

Purpose of attack – to disrupt the deployment of the occupation forces and to give to Ukrainians more time to repel the attack.

The attack forced the Belarusian railway to switch to manual control mode, with a significant impact on operations that slowed down the movement of trains. The attacks do not endanger the population but aim at interfering with transportation in a country that is supporting Russia in its invasion of Ukraine.

At the time of this writing the websites pass.rw.by, portal.rw.by, rw.by are not reachable.

This week, Anonymous launched a war on Russia and against those countries that are supporting military operations in Ukraine, like Belarus. The collective has stolen around 200GB of emails from Belarusian weapons maker Tetraedr. This company provided logistical support to Vladimir Putin during the invasion of Ukraine.


Pierluigi Paganini

(SecurityAffairs – hacking, Anonymous)

The post Anonymous breached the internal network of Belarusian railways appeared first on Security Affairs.

Categories: Cyber Security News

Feb 7- Feb 27 Ukraine – Russia the silent cyber conflict

Sun, 02/27/2022 - 09:03
This post provides a timeline of the events related to the Russian invasion of Ukraine from the cyber security perspective.

Below is the timeline of the Russia – Ukraine cyber dispute.

February 27 – Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list

Ukraine is recruiting a volunteer IT army composed of white hat hackers to launch attacks on a list of Russian entities.

February 26 – Russia restricts Twitter in the country amid conflict with Ukraine

Global internet monitor working group NetBlocks reported that Twitter has been restricted in Russia amid conflict with Ukraine.

February 25 – Ukraine calls on independent hackers to defend against Russia, Russian underground responds

While Ukraine calls for hacker underground to defend against Russia, ransomware gangs make their moves.

February 25 – Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing

The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.

February 25 – Anonymous launched its offensive on Russia in response to the invasion of Ukraine

The popular collective Anonymous declared war on Russia for the illegitimate invasion of Ukraine and announced a series of cyber attacks, calling its members to action.

February 24 – Data wiper attacks on Ukraine were planned at least in November and used ransomware as decoy

Experts reported that the wiper attacks that yesterday hit hundreds of systems in Ukraine used a GoLang-based ransomware decoy.

February 19 – White House and UK Gov attribute DDoS attacks on Ukraine to Russia’s GRU

The White House has linked the recent DDoS attacks against Ukraine’s banks and defense agencies to Russia’s GRU.

February 15 – Ukraine: Military defense agencies and banks hit by cyberattacks

Ukraine’s defense agencies and two state-owned banks were hit by Distributed Denial-of-Service (DDoS) attacks.

February 14 – SSU: Russia-linked actors are targeting Ukraine with ‘massive wave of hybrid warfare’

The Security Service of Ukraine (SSU) said the country is the target of an ongoing “wave of hybrid warfare.”

February 7 – Russian Gamaredon APT is targeting Ukraine since October

Russia-linked APT group Gamaredon has been behind spear-phishing attacks against Ukrainian entities and organizations since October 2021.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

The post Feb 7- Feb 27 Ukraine – Russia the silent cyber conflict appeared first on Security Affairs.

Categories: Cyber Security News

Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list

Sun, 02/27/2022 - 08:05
Ukraine is recruiting a volunteer IT army composed of white hat hackers to launch attacks on a list of Russian entities.

Ukraine is recruiting a volunteer IT army of cyber security experts and white hat hackers to launch cyberattacks on a list of Russian entities. The list is composed of 31 targets including Russian critical infrastructure, government agencies, banks, and hosting providers.

Ukraine’s Minister for Digital Transformation Mykhaylo Fedorov called to action against Russia, attempting to create an “IT Army” to launch a massive offensive against the country.

We are creating an IT army. We need digital talents. All operational tasks will be given here: https://t.co/Ie4ESfxoSn. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.

— Mykhailo Fedorov (@FedorovMykhailo) February 26, 2022

A Telegram channel was used to coordinate the efforts and plan the cyber-attacks that will be conducted by the IT Army.

“We are creating an IT army. We need digital talents. All operational tasks will be given here: https://t.me/itarmyofurraine. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.” reads the message published by Fedorov.

Below is the list of targets shared on Telegram:

“For all IT specialists from other countries, we translated tasks in English. 
Task # 1 We encourage you to use any vectors of cyber and DDoS attacks on these resources.  

Business corporations 

At this time the Kremlin, State Duma, and Ministry of Defense websites are still offline.

The operations that will be conducted by the IT army will increase the pressure on the Russian infrastructure, which is already the target of a powerful operation launched by Anonymous.

A few hours after the Anonymous collective called to action against Russia following the illegitimate invasion of Ukraine, its members took down the website of the Russian propaganda station RT News; yesterday the group compromised the servers of the Russian Defense Ministry.

“Anonymous, a group of hacktivists, successfully hacked and leaked the database of the website of the Ministry of Defense of Russia.” reported the Pravda agency.

The website of the Kremlin (Kremlin.ru) was also unreachable, but it is unclear if this is the result of the Anonymous attack or if the government has taken it offline to prevent disruptive attacks.

The Russian Government’s portal, and the websites of other ministries were running very slow. 

The collective is also threatening the Russian Federation and private organizations with attacks, as a retaliation against Putin’s tyranny.

Two days ago, Ukraine’s government started asking for volunteers from the hacker underground to help protect critical infrastructure and carry out offensive operations against Russian state-sponsored hackers, reported Reuters, which cited two experts involved in the project.

The call for action against Russia was shared on hacker forums on Thursday morning.

“Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country,” reads the post published on the forum. “We have an army inside our country,” “We need to know what they are doing.”

Volunteers could submit an application via Google docs, detailing their professional cyber skills.

The post was written by Yegor Aushev, co-founder of the Ukrainian cybersecurity firm Cyber Unit Technologies. The cybersecurity expert told Reuters he wrote the post at the request of a senior Defense Ministry official who contacted him on Thursday.

“Aushev said the volunteers would be divided into defensive and offensive cyber units. The defensive unit would be employed to defend infrastructure such as power plants and water systems. In a 2015 cyberattack, widely attributed to Russia state hackers, 225,000 Ukrainians lost electricity.” reported Reuters.

The offensive volunteer unit Aushev said he is organizing would help Ukraine’s military conduct digital espionage operations against invading Russian forces.

A lot of cyber experts are offering their support to Aushev’s initiative.

On the other side, some prominent ransomware gangs seem to be ready to provide their support to Russia. One of these gangs is Conti, which published the following message on its leak site:

“As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”

The position of the cybercrime gang is clear.

Stay Tuned!


Pierluigi Paganini

(SecurityAffairs – hacking, SIM swapping)

The post Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list appeared first on Security Affairs.

Categories: Cyber Security News

Chipmaker giant Nvidia hit by a ransomware attack

Sun, 02/27/2022 - 04:45
The chipmaker giant Nvidia was the victim of a ransomware attack that took down some of its systems for two days.

The chipmaker giant Nvidia was the victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the incident.

The incident also impacted the company’s developer tools and email systems, but business and commercial activities were not affected.

“Our business and commercial activities continue uninterrupted,” Nvidia said in a statement. “We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.”

The company is investigating the incident to determine the extent of the intrusion; it is still unclear if threat actors exfiltrated business or customer data.

“We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time,” continues the statement.

Bleeping Computer reported that an insider described the security breach as having left the company “completely compromised.”

The Lapsus$ ransomware gang is claiming responsibility for this attack; the group announced it had stolen 1 TB of data from Nvidia’s network. The ransomware gang leaked online credentials for all Nvidia employees.

[ALERT] LAPSUS ransomware gang leaked the credentials of NVIDIA employees. And announced that it would soon release 1TB of stolen data. pic.twitter.com/0WVb7G88So

— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) February 26, 2022


Pierluigi Paganini

(SecurityAffairs – hacking, NVIDIA)

The post Chipmaker giant Nvidia hit by a ransomware attack appeared first on Security Affairs.

Categories: Cyber Security News

Fileless SockDetour backdoor targets U.S.-based defense contractors

Sat, 02/26/2022 - 13:44
Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.

According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.

Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (aka DEV-0322), in which threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) and the ServiceDesk Plus vulnerability (CVE-2021-44077). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.

SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by TiltedTemple operators revealed the presence of other miscellaneous tools, including a memory dumping tool and several webshells.

“SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” reads the analysis published by Palo Alto Networks. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”

Once SockDetour is injected into a process’s memory, it hijacks the legitimate process’s network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.

According to Microsoft, DEV-0322 is a China-based APT group that employs commercial VPN solutions and compromised consumer routers in its attack infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.

At least four defense contractors were targeted by the threat actor, and one of them was compromised.

SockDetour was delivered from an external FTP server, a compromised QNAP NAS, to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021. The researchers speculate the QNAP NAS server was previously infected with QLocker ransomware.

“While it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)

The post Fileless SockDetour backdoor targets U.S.-based defense contractors appeared first on Security Affairs.

Categories: Cyber Security News

Anonymous hacked the Russian Defense Ministry and is targeting Russian companies

Sat, 02/26/2022 - 06:43
The Anonymous collective has hacked the Russian Defense Ministry and leaked the data of its employees in response to the Ukraine invasion.

A few hours after the Anonymous collective called to action against Russia following the illegitimate invasion of Ukraine, its members took down the website of the Russian propaganda station RT News, and the news of the day is the attack against the servers of the Russian Defense Ministry.

The #Anonymous collective has leaked the database of the Russian Ministry of Defense website. #Ukraine

— Anonymous (@YourAnonOne) February 25, 2022

Faced with this series of attacks that Ukraine has been suffering from the Russian dictator Vladimir Putin,
we could not help but support the Ukrainian people.

People are dying. People are hurt. Homeless people.#Anonymous #TangoDown #OpRussia https://t.co/M0auj25aSj pic.twitter.com/YiBO5r7aHd

— Anonymous (@LatestAnonPress) February 26, 2022

“Anonymous, a group of hacktivists, successfully hacked and leaked the database of the website of the Ministry of Defense of Russia.” reported the Pravda agency.

The website of the Kremlin (Kremlin.ru) is also unreachable, but it is unclear if this is the result of the Anonymous attack or if the government has taken it offline to prevent disruptive attacks.

The Russian Government’s portal, and the websites of other ministries are running very slow. 

The #Anonymous collective has taken down the website of the #Russian propaganda station RT News.

— Anonymous (@YourAnonOne) February 24, 2022

The collective is also threatening the Russian Federation and private organizations with attacks, as a retaliation against Putin’s tyranny.

Anonymous pointed out that it is not targeting Russian citizens, but only their government.

“We want the Russian people to understand that we know it’s hard for them to speak out against their dictator for fear of reprisals.”

of the Anonymous collective, we can in fact report the truths of Anonymous' collective actions against the Russian Federation. We want the Russian people to understand that we know it's hard for them to speak out against their dictator for fear of reprisals. (cont)

— Anonymous (@YourAnonNews) February 24, 2022

Anonymous is also launching its offensive against those countries that are supporting military operations in Ukraine, like Belarus. The collective is also leaking around 200GB of emails from Belarusian weapons maker Tetraedr. This company provided logistical support to Vladimir Putin in his invasion of Ukraine.

#Anonymous leaks around 200GB of emails from Belarusian weapons maker Tetraedr. This company provided logistical support to Vladimir Putin in his invasion of #Ukraine.#OpRussia #StandWithUkraine pic.twitter.com/GvYXYRDhMB

— Anonymous (@LatestAnonPress) February 26, 2022

GazpromEN has also been taken offline in support of the people living in Ukraine.

#Anonymous #OpRussia @GazpromEN has been taken offline in support of the people living in #Ukraine.

We are legion. Expect Us!

Check Host: https://t.co/KYWwZNyGt3 pic.twitter.com/J9OSdBLnzf

— Anonymous (@LiteMods) February 25, 2022

Ukraine is a democratic country being invaded by a fascist dictatorship, the battle isn't NATO vs Russia, the battle is democracy vs fascism

— Anonymous (@YourAnonNews) February 25, 2022

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

The post Anonymous hacked the Russian Defense Ministry and is targeting Russian companies appeared first on Security Affairs.

Categories: Cyber Security News

UK’s NHS Digital warns of an RCE in Okta Advanced Server Access client

Sat, 02/26/2022 - 05:45
The UK’s NHS Digital agency warns of an RCE in the Windows client for the Okta Advanced Server Access authentication management platform.

The UK’s NHS Digital agency published a security advisory to warn organizations of a remote code execution flaw, tracked as CVE-2022-24295, impacting the Windows client for the Okta Advanced Server Access authentication management platform.

Okta Advanced Server Access provides Zero Trust identity and access management for cloud and on-premises infrastructure; it is used by thousands of companies worldwide.

The vulnerability affects Okta Advanced Server Access Client for Windows prior to version 1.57.0.

The vulnerability is a remote code execution issue: remote attackers can trigger it to perform command injection via a specially crafted URL.

“Okta has released a security update to address a remote code execution (RCE) vulnerability. A remote, unauthenticated attacker could exploit this command injection vulnerability by sending a specially crafted URL and take control of an affected system.” reads the advisory published by the company.

The successful exploitation of the vulnerability can lead to complete takeover of the vulnerable system.

The agency urges organizations to install security patches to address the vulnerability.

The vendor did not disclose technical details about the issue, to avoid its malicious exploitation in the wild. Since no mitigations or workarounds are available, customers have to apply the update urgently.

The NHS Digital’s advisory also states that Okta has updated its response to Log4Shell vulnerabilities, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228.

“In addition to the main vulnerability mentioned in this cyber alert, please note that Okta has updated its response to Log4Shell vulnerabilities, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228. Further information can be found on Okta Security Advisories page and the blog post Okta’s response to CVE-2021-44228 (“Log4Shell”).” continues the advisory.

“NHS and social care organisations are invited to visit our cyber alerts article Log4Shell RCE Vulnerability CC-3989 and to use the Cyber Associates Network to find out additional information and participate in discussion about the Log4Shell remote code execution vulnerability and affected products.”



Pierluigi Paganini

(SecurityAffairs – hacking, NHS Digital)

The post UK’s NHS Digital warns of an RCE in Okta Advanced Server Access client appeared first on Security Affairs.

Categories: Cyber Security News

Ukraine calls on independent hackers to defend against Russia, Russian underground responds

Fri, 02/25/2022 - 15:33
While Ukraine calls on the hacker underground to defend against Russia, ransomware gangs make their moves.

Ukraine’s government is asking for volunteers from the hacker underground to help protect critical infrastructure and to carry out offensive operations against Russian state-sponsored hackers, Reuters reported, citing two experts involved in the project.

The call for action against Russia was shared on hacker forums on Thursday morning.

“Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country,” reads the post published on the forum. “We have an army inside our country,” “We need to know what they are doing.”

Volunteers could submit an application via Google docs, detailing their professional cyber skills.

The post was written by Yegor Aushev, co-founder of the Ukrainian cybersecurity firm Cyber Unit Technologies. The cybersecurity expert told Reuters he wrote the post at the request of a senior Defense Ministry official who contacted him on Thursday.

“Aushev said the volunteers would be divided into defensive and offensive cyber units. The defensive unit would be employed to defend infrastructure such as power plants and water systems. In a 2015 cyberattack, widely attributed to Russia state hackers, 225,000 Ukrainians lost electricity.” Reuters reported.

The offensive volunteer unit Aushev said he is organizing would help Ukraine’s military conduct digital espionage operations against invading Russian forces.

On the other side, some prominent ransomware gangs seem ready to lend their support to Russia. One of them is the Conti ransomware gang, which published the following message on its leak site:

“As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”

The position of the cybercrime gang is clear.

I also noticed this week that the Tor leak site of the Everest ransomware gang was mysteriously down. Are the members of the gang involved in the cyber dispute in some way?

Recently we also observed another mysterious pause of the popular cybercrime forum Raid Forums (RF) that is crowded with Russian-speaking threat actors. At the time of this writing RF seems to have problems again.

How to interpret these signals? Is the Russian cybercrime underground providing support to Russia-linked APT groups?

Ransomware gangs could support state-sponsored hackers by, for example, providing them with access to government organizations and businesses they have already compromised.



Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

The post Ukraine calls on independent hackers to defend against Russia, Russian underground responds appeared first on Security Affairs.

Categories: Cyber Security News
