Security Affairs

Read, think, share … Security is everyone's responsibility

Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing

Fri, 02/25/2022 - 10:57
The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel.

The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151.

In mid-January, the government in Kyiv attributed the defacement of dozens of Ukrainian government websites to the Belarusian APT group UNC1151. The defaced websites displayed the following message in Russian, Ukrainian and Polish.

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.” reads a translation of the message.

In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. In August 2020, security experts from FireEye had uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news on compromised news websites. According to FireEye, the campaign, tracked as Ghostwriter, had been ongoing since at least March 2017 and was aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

At the time, Serhiy Demedyuk, deputy secretary of Ukraine's National Security and Defence Council, told Reuters that the Ukrainian government blamed UNC1151 for the defacements, and that they were carried out as cover for more destructive actions behind the scenes.

In the current campaign, the group uses compromised accounts to target contacts in the victims' address books. The spear-phishing messages were sent from email accounts on the domains i[.]ua-passport[.]space and id[.]bigmir[.]space.

The messages use a classic social engineering lure: recipients are told to verify their details in order to avoid the permanent suspension of their email account.
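As an added example, not code from CERT-UA or from this article, the following Python script shows how a mail team could triage inbound messages against the two attacker domains above and flag look-alike sender domains. It assumes that i.ua and bigmir.net are the legitimate providers the attacker domains imitate (an assumption, not something the alert states), and the sample messages are constructed.

```python
# Added example (not from the CERT-UA alert or this article): triage inbound
# mail by sender domain against the two attacker domains published in the alert,
# and flag look-alike domains that reuse a legitimate mail provider's brand.
# The "legitimate provider" list is a demo assumption (i.ua and bigmir.net are
# the services the two IOC domains appear to imitate); the messages are constructed.
import email
from email.utils import parseaddr

# Indicators exactly as published (defanged); refanged before matching.
DEFANGED_IOCS = ["i[.]ua-passport[.]space", "id[.]bigmir[.]space"]

# Assumed legitimate providers imitated by the IOC domains (demo assumption).
LEGIT_PROVIDERS = {"i.ua", "bigmir.net"}


def refang(indicator: str) -> str:
    """'id[.]bigmir[.]space' -> 'id.bigmir.space' (lower-cased for matching)."""
    return indicator.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Brand labels worth watching: the second-level label of each legitimate
# provider, ignoring very short ones ('i' from i.ua would match everything).
BRAND_LABELS = {p.split(".")[-2] for p in LEGIT_PROVIDERS if len(p.split(".")[-2]) >= 4}


def sender_domain(raw_message: str) -> str:
    """Domain of the From: header's address part; the display name is ignored
    because phishing mail routinely forges it."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def under(domain: str, parent: str) -> bool:
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def classify(raw_message: str) -> str:
    """'ioc'       : sender domain is (or is under) a published attacker domain
       'lookalike' : sender domain reuses a provider brand label but is not the provider
       'clean'     : anything else"""
    domain = sender_domain(raw_message)
    if not domain:
        return "clean"
    if any(under(domain, ioc) for ioc in IOC_DOMAINS):
        return "ioc"
    if any(under(domain, provider) for provider in LEGIT_PROVIDERS):
        return "clean"
    if any(label in BRAND_LABELS for label in domain.split(".")):
        return "lookalike"
    return "clean"


# Constructed sample messages (only the headers matter for this check).
SAMPLE_MESSAGES = [
    "From: Support <noreply@id.bigmir.space>\nSubject: Your account will be suspended\n\nVerify now.",
    "From: i.ua <security@i.ua-passport.space>\nSubject: Password expiry\n\nConfirm your details.",
    "From: Alerts <alerts@login.bigmir.space>\nSubject: Unusual sign-in\n\nReview activity.",
    "From: Colleague <friend@bigmir.net>\nSubject: Lunch?\n\nSee you at 12.",
    "From: partner@example.org\nSubject: Invoice\n\nAttached.",
]


def triage(messages):
    """Return [(sender_domain, verdict), ...] for a batch of raw messages."""
    return [(sender_domain(m), classify(m)) for m in messages]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:9} {domain}")
```

Match on the address part of From:, never the display name, and treat a subdomain of an indicator as a hit; the look-alike rule is a coarse heuristic that needs a per-organization allow-list before it runs in production.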

The phishing attacks are also targeting Ukrainian citizens, reported the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).

Warning A phishing #attack has started against Ukrainians! Citizens' e-mail addresses receive letters with attached files of uncertain nature. The mass distribution of such messages to messengers may happen. #cyberattacks #Ukraine pic.twitter.com/YPvFH2oNk0

— SSSCIP Ukraine (@dsszzi) February 25, 2022

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, spear phishing)

The post Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing appeared first on Security Affairs.

Categories: Cyber Security News

Anonymous launched its offensive on Russia in response to the invasion of Ukraine

Fri, 02/25/2022 - 10:04
The Anonymous collective has declared war on Russia over its invasion of Ukraine and announced a series of cyber attacks, calling its members to action.

The collective is calling for action against Russia following the invasion of Ukraine. The hacktivists are also calling on Russian citizens to express their dissent against Putin.

“The Anonymous collective is officially in cyber war against the Russian government,” the international network of hackers announced through its Twitter account.

The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine

— Anonymous (@YourAnonOne) February 24, 2022

The collective has already started a campaign against the Russian Federation and warned that private organizations will be hit harder.

The first attacks carried out by the group hit news sites used by Moscow for its propaganda, including Russia Today, which was taken offline.

The #Anonymous collective has taken down the website of the #Russian propaganda station RT News.

— Anonymous (@YourAnonOne) February 24, 2022

of the Anonymous collective, we can in fact report the truths of Anonymous' collective actions against the Russian Federation. We want the Russian people to understand that we know it's hard for them to speak out against their dictator for fear of reprisals. (cont)

— Anonymous (@YourAnonNews) February 24, 2022

“We, as a collective want only peace in the world. We want a future for all of humanity. So, while people around the globe smash your internet providers to bits, understand that it’s entirely directed at the actions of the Russian government and Putin.” continues the group on Twitter. “Put yourself in the shoes of the Ukrainians being bombed right now. Together we can change the world, we can resist anything. It is time for the Russian people to unite and say no to Vladimir Putin’s war. We are Anonymous. We are a legion. Wait for us.” reads the Anonymous announcement.

RT.com, a Russian state-owned media outlet, confirmed that it was hit by a massive distributed denial-of-service (DDoS) attack.

Experts also reported that the attacks hit the website of the Kremlin and State Duma lower house of parliament causing intermittent interruptions.

The call to action will likely attract Ukrainian and foreign cybersecurity experts who could join the cyber conflict in different ways.

“Yegor Aushev, the co-founder of a cybersecurity company in Kyiv, told the news outlet that offensive volunteers will conduct digital espionage against Russian forces, while defensive volunteers will help protect the country’s infrastructure.” reported FoxNews.


Pierluigi Paganini

(SecurityAffairs – hacking, Anonymous)


US and UK detail a new Python backdoor used by MuddyWater APT group

Fri, 02/25/2022 - 01:20
US and UK cybersecurity agencies provided details of a new malware used by Iran-linked MuddyWater APT.

CISA, the FBI, US Cyber Command's Cyber National Mission Force (CNMF), the NSA and the UK's National Cyber Security Centre (NCSC-UK) have published a joint advisory on new malware used by the Iran-linked MuddyWater APT group (aka SeedWorm and TEMP.Zagros) in attacks aimed at critical infrastructure worldwide.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing a wave of attacks between February and October 2017 that targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. The group has evolved over the years by adding new attack techniques to its arsenal, and it has also targeted European and North American nations.

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

According to the joint report published by UK and US agencies, MuddyWater is targeting organizations in multiple sectors, including telecommunications, defense, local government, and oil and natural gas in Asia, Africa, Europe, and North America.

The report provides technical details about multiple pieces of malware in the group's arsenal, including PowGoop, Canopy/Starwhale, Mori, POWERSTATS and a previously unknown Python backdoor named Small Sieve.

Small Sieve is distributed via a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe, which also establishes persistence by adding a Registry Run key.

“MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft’s Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., “Microsift”) and Outlook in its filenames associated with Small Sieve [T1036.005].” reads the advisory.

Small Sieve implements backdoor capabilities and attempts to avoid detection by using custom string and traffic obfuscation schemes along with the Telegram Bot application programming interface (API).

“Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS), and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function.” continues the advisory.
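An added example (not from the advisory or the NCSC analysis) of what that Telegram-based tasking looks like from the network side: the script below hunts constructed web-proxy log lines for Telegram Bot API requests, groups them by client and bot token, and measures the polling interval of the getUpdates calls. The bot token, the log format and the hosts are made up; the URL layout https://api.telegram.org/bot<token>/<method> is Telegram's public one.

```python
# Added example (not from the joint advisory or the NCSC report): hunt web-proxy
# logs for Telegram Bot API traffic. The advisory says Small Sieve beacons and
# fetches tasking over the Telegram Bot API on HTTPS; the URL layout
# https://api.telegram.org/bot<token>/<method> is Telegram's documented one.
# The log lines, their field layout and the bot token are constructed for this demo.
import re
from collections import defaultdict
from datetime import datetime

TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Constructed lines: "<utc-timestamp> <client-ip> <verb> <url-or-host:port> <status>"
SAMPLE_PROXY_LOG = """\
2022-02-20T08:00:01Z 10.1.4.25 POST https://api.telegram.org/bot5012345678:AAEx7-abcdef_ghijklmnop/getUpdates 200
2022-02-20T08:00:31Z 10.1.4.25 POST https://api.telegram.org/bot5012345678:AAEx7-abcdef_ghijklmnop/getUpdates 200
2022-02-20T08:00:33Z 10.1.4.25 POST https://api.telegram.org/bot5012345678:AAEx7-abcdef_ghijklmnop/sendMessage 200
2022-02-20T08:01:01Z 10.1.4.25 POST https://api.telegram.org/bot5012345678:AAEx7-abcdef_ghijklmnop/getUpdates 200
2022-02-20T08:01:10Z 10.1.7.9 GET https://www.example.com/index.html 200
2022-02-20T08:02:00Z 10.1.7.9 CONNECT api.telegram.org:443 200
"""


def _records(log_text):
    """Yield the five whitespace-separated fields of each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield parts


def hunt(log_text: str) -> dict:
    """Group Telegram Bot API activity per client.
    With TLS inspection the full URL is logged, so the bot token and method
    are recoverable; without it only a CONNECT to api.telegram.org is visible,
    which is counted separately as a weaker signal."""
    found = defaultdict(lambda: {"tokens": defaultdict(lambda: {"methods": set(), "requests": 0}),
                                 "connect_only": 0})
    for _, client, verb, target, _ in _records(log_text):
        m = TELEGRAM_BOT_URL.search(target)
        if m:
            entry = found[client]["tokens"][m["token"]]
            entry["methods"].add(m["method"])
            entry["requests"] += 1
        elif verb == "CONNECT" and target.split(":")[0] == "api.telegram.org":
            found[client]["connect_only"] += 1
    return {
        client: {
            "tokens": {tok: {"methods": sorted(v["methods"]), "requests": v["requests"]}
                       for tok, v in data["tokens"].items()},
            "connect_only": data["connect_only"],
        }
        for client, data in found.items()
    }


def polling_intervals(log_text: str, client_ip: str, token: str, method: str = "getUpdates") -> list:
    """Seconds between consecutive calls of one bot method by one client.
    A near-constant interval is the beacon signature a C2 poller leaves."""
    times = []
    for ts, client, _, target, _ in _records(log_text):
        if client != client_ip:
            continue
        m = TELEGRAM_BOT_URL.search(target)
        if m and m["token"] == token and m["method"] == method:
            times.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for client, data in hunt(SAMPLE_PROXY_LOG).items():
        print(client, data)
        for tok in data["tokens"]:
            print("  getUpdates intervals:", polling_intervals(SAMPLE_PROXY_LOG, client, tok))
```

Because the beacon rides on HTTPS, the token and method are only visible where the proxy performs TLS inspection; without it the detection degrades to a CONNECT to api.telegram.org, which the script counts separately and which is only notable on hosts that have no business reason to reach Telegram.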


Pierluigi Paganini

(SecurityAffairs – hacking, Iran)


CISA adds two Zabbix flaws to its Known Exploited Vulnerabilities Catalog

Thu, 02/24/2022 - 16:53
US CISA added two flaws impacting Zabbix infrastructure monitoring tool to its Known Exploited Vulnerabilities Catalog.

US Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities impacting the Zabbix infrastructure monitoring tool to its Known Exploited Vulnerabilities Catalog.

Threat actors are actively exploiting the two vulnerabilities that are reported in the following table:

CVE ID           Vulnerability Name                                       Due Date
CVE-2022-23131   Zabbix Frontend Authentication Bypass Vulnerability      3/8/2022
CVE-2022-23134   Zabbix Frontend Improper Access Control Vulnerability    3/8/2022

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Known Exploited Vulnerabilities Catalog and address the listed vulnerabilities in their infrastructure.

CISA orders all Federal Civilian Executive Branch (FCEB) agencies to address both Zabbix vulnerabilities by March 8, 2022.

The first issue, tracked as CVE-2022-23131 (CVSS score: 9.8), stems from unsafe client-side session storage and can be exploited for authentication bypass and full instance takeover via the Zabbix Frontend when SAML authentication is configured.

The second flaw, tracked as CVE-2022-23134 (CVSS score: 5.3), allows a threat actor to bypass step checks in the frontend's setup pages and potentially change the configuration of the Zabbix Frontend.

The two flaws affect Zabbix Web Frontend versions up to and including 5.4.8, 5.0.18 and 4.0.36; both were reported by SonarSource researcher Thomas Chauchefoin.

“We discovered a high-severity vulnerability in Zabbix’s implementation of client-side sessions that could lead to the compromise of complete networks.” wrote Chauchefoin.

The issues have since been addressed with the release of versions 5.4.9, 5.0.19 and 4.0.37.

Below is the timeline SonarSource published for both flaws:

Date         Action
2021-11-18   A security advisory is sent to Zabbix maintainers.
2021-11-22   Vendor confirms our findings.
2021-12-14   A first release candidate, 5.4.9rc1, is issued.
2021-12-14   We inform the vendor that the patch can be bypassed.
2021-12-22   A second release candidate, 5.4.9rc2, is released.
2021-12-23   Versions 5.4.9, 5.0.19 and 4.0.37 are released.
2021-12-29   A public announcement is made at https://support.zabbix.com/browse/ZBX-20350.
2022-01-11   6.0.0beta2 is released.
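As an added example (not CISA's or Zabbix's code), the script below applies the catalog the way BOD 22-01 intends: it loads a constructed excerpt in the layout of CISA's known_exploited_vulnerabilities.json feed, checks a made-up inventory of Zabbix frontends against the fixed versions 5.4.9, 5.0.19 and 4.0.37, and orders the work by exposure, putting SAML-enabled instances first because CVE-2022-23131 is only reachable there. The dateAdded values in the excerpt are assumed.

```python
# Added example (not CISA's or Zabbix's code): triage an inventory of Zabbix
# frontends against the two KEV entries. KEV_EXCERPT is constructed in the
# layout of CISA's public known_exploited_vulnerabilities.json feed (only the
# fields used here); its dateAdded values are assumed. Fixed versions follow
# the article (5.4.9, 5.0.19, 4.0.37); the inventory is made up.
import json
import re
from datetime import date

KEV_EXCERPT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2022-23131", "vendorProject": "Zabbix", "product": "Frontend",
   "vulnerabilityName": "Zabbix Frontend Authentication Bypass Vulnerability",
   "dateAdded": "2022-02-22", "dueDate": "2022-03-08"},
  {"cveID": "CVE-2022-23134", "vendorProject": "Zabbix", "product": "Frontend",
   "vulnerabilityName": "Zabbix Frontend Improper Access Control Vulnerability",
   "dateAdded": "2022-02-22", "dueDate": "2022-03-08"}
]}
""")

# First fixed release on each maintained branch.
FIXED = {(5, 4): (5, 4, 9), (5, 0): (5, 0, 19), (4, 0): (4, 0, 37)}

# Constructed inventory; "saml" records whether SAML SSO is configured, since
# CVE-2022-23131 is only reachable on frontends with SAML enabled.
INVENTORY = [
    {"host": "zbx-prod-01", "version": "5.4.8", "saml": True},
    {"host": "zbx-prod-02", "version": "5.4.9", "saml": True},
    {"host": "zbx-lab", "version": "5.0.18", "saml": False},
    {"host": "zbx-legacy", "version": "4.0.36", "saml": False},
    {"host": "zbx-next", "version": "6.0.0beta2", "saml": False},
]


def parse_version(version: str) -> tuple:
    """'5.4.8' -> (5, 4, 8); pre-release suffixes such as 'beta2' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable Zabbix version: {version!r}")
    return tuple(int(x) for x in m.groups())


def status(version: str) -> str:
    """'vulnerable', 'fixed', or 'unknown-branch' for branches this table does
    not cover (e.g. 6.0 pre-releases): those need the vendor advisory, not a guess."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


def kev_entries(kev: dict, vendor: str) -> list:
    """Catalog entries for one vendorProject."""
    return [e for e in kev["vulnerabilities"] if e["vendorProject"] == vendor]


def triage(inventory: list, kev: dict = KEV_EXCERPT, today: date = date(2022, 2, 25)) -> list:
    """Hosts still needing action, highest priority first.
    P1: vulnerable and SAML configured (unauthenticated takeover via CVE-2022-23131)
    P2: vulnerable, no SAML (still exposed to CVE-2022-23134)
    P3: unknown branch, verify manually against the vendor advisory"""
    entries = kev_entries(kev, "Zabbix")
    due = min(date.fromisoformat(e["dueDate"]) for e in entries)
    cves = sorted(e["cveID"] for e in entries)
    todo = []
    for item in inventory:
        st = status(item["version"])
        if st == "fixed":
            continue
        if st == "vulnerable":
            priority = "P1" if item["saml"] else "P2"
        else:
            priority = "P3"
        todo.append({"host": item["host"], "version": item["version"], "status": st,
                     "priority": priority, "cves": cves if st == "vulnerable" else [],
                     "days_to_due": (due - today).days})
    return sorted(todo, key=lambda r: (r["priority"], r["host"]))


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

The same loop works against the full feed: download the JSON once a day, filter on vendorProject, and join on whatever asset inventory you already have; the branch table is the only part that is product-specific.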


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)


Data wiper attacks on Ukraine were planned at least in November and used ransomware as decoy

Thu, 02/24/2022 - 14:28
Experts reported that the wiper attacks that yesterday hit hundreds of systems in Ukraine used a GoLang-based ransomware decoy.

Yesterday, researchers from cybersecurity firms ESET and Broadcom’s Symantec discovered a new data wiper malware that was employed in a recent wave of attacks that hit hundreds of machines in Ukraine.

A tweet from ESET revealed that the company’s telemetry shows the presence of the wiper, tracked as “HermeticWiper” (aka KillDisk.NCV), on hundreds of machines in the country. According to the security firm, the infections followed the DDoS attacks against several Ukrainian websites, including Ministry of Foreign Affairs, Cabinet of Ministers, and Rada.

The first sample of the wiper was observed by ESET yesterday around 14h52 UTC (16h52 local time), but more interesting is the PE compilation timestamp of one of the samples which is 2021-12-28, suggesting that the cyber attack might have been in preparation for almost two months.

The malicious binary was signed using a code signing certificate issued to Hermetica Digital Ltd.

The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3/n pic.twitter.com/sGCl3Lbqc1

— ESET research (@ESETresearch) February 23, 2022

New information shared by Symantec on the data wiper attacks revealed that, in some cases, threat actors used a GoLang-based ransomware decoy.

The ransomware decoy also dropped a ransom note on the infected systems, which includes two email addresses to contact the alleged ransomware gang (i.e., [email protected] and [email protected]) and the following political message to the victims.

“The only thing that we learn from new elections is we learned nothing from the old!”

Source Bleeping Computer

“In several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the same time as the wiper. As with the wiper, scheduled tasks were used to deploy the ransomware. File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe.  It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.” reads the report published by Symantec. “This has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware.”

ESET's analysis of HermeticWiper found it was compiled on December 28th, 2021, which suggests the attacks had been planned for at least two months.

Symantec also found that the threat actors had gained access to an organization in Lithuania as early as November 2021 by exploiting a Tomcat vulnerability to execute a PowerShell command, which ultimately led to the deployment of the wiper.

Symantec shared Indicators of Compromise for these attacks.
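Reading that compile timestamp is a standard-library job; as an added example (not ESET's or Symantec's tooling) the script below extracts the COFF TimeDateStamp from a PE header, computes the lead time to first sighting and sanity-checks the value. The PE bytes are a constructed minimal header rather than the HermeticWiper sample, and the time of day on the 2021-12-28 stamp is a placeholder.

```python
# Added example (not ESET's or Symantec's code): read the COFF TimeDateStamp of a
# PE file with the standard library and compare it with the first-seen time.
# The bytes are a constructed minimal PE header, not the HermeticWiper sample;
# the 2021-12-28 date reproduces ESET's reported compile date (time of day is a
# placeholder), and first-seen is the 14:52 UTC sighting from the article.
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """COFF TimeDateStamp of a PE image as an aware UTC datetime.
    Layout: 'MZ' DOS header, e_lfanew (DWORD) at 0x3C, 'PE\\0\\0' signature,
    then the COFF file header: Machine (2), NumberOfSections (2), TimeDateStamp (4)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_minimal_pe(compiled: datetime) -> bytes:
    """Constructed test fixture: a DOS stub with e_lfanew = 0x80 followed by the
    PE signature and a COFF header claiming x86-64, 3 sections and the given stamp."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, int(compiled.timestamp()), 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def lead_time_days(data: bytes, first_seen: datetime) -> int:
    """Whole days between the claimed build time and the first sighting."""
    return (first_seen - pe_timestamp(data)).days


def timestamp_sanity(data: bytes, first_seen: datetime) -> str:
    """The stamp is writable by whoever built the file, so sanity-check it:
    'zeroed' (stripped or reproducible builds), 'future' (forged or clock skew),
    otherwise 'plausible'. Cross-check against the Authenticode countersignature
    time and any debug-directory timestamp before relying on it."""
    stamp = pe_timestamp(data)
    if stamp.timestamp() == 0:
        return "zeroed"
    if stamp > first_seen:
        return "future"
    return "plausible"


FIRST_SEEN = datetime(2022, 2, 23, 14, 52, tzinfo=timezone.utc)
SAMPLE_PE = build_minimal_pe(datetime(2021, 12, 28, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("compiled :", pe_timestamp(SAMPLE_PE).isoformat())
    print("lead time:", lead_time_days(SAMPLE_PE, FIRST_SEEN), "days")
    print("sanity   :", timestamp_sanity(SAMPLE_PE, FIRST_SEEN))
```

The stamp is written by the linker and can be set to anything by whoever builds the binary, so treat the lead-time figure as a lower bound only after cross-checking it against the Authenticode countersignature time and the debug-directory timestamp.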


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


US and UK link new Cyclops Blink malware to Russian state hackers

Thu, 02/24/2022 - 00:31
UK and US cybersecurity agencies linked Cyclops Blink malware to Russia’s Sandworm APT

US and UK cybersecurity and law enforcement agencies published a joint security advisory about a new malware, dubbed Cyclops Blink, that has been linked to the Russian-backed Sandworm APT group.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of NotPetya, the wiper disguised as ransomware that hit hundreds of companies worldwide in June 2017 and caused billions of dollars in damage.

Cyclops Blink is believed to be a replacement for the VPNFilter botnet, which was first exposed in 2018 and at the time was composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.

The Cyclops Blink malware has been active since at least June 2019, it targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices. According to WatchGuard, Cyclops Blink may have affected roughly 1% of all active WatchGuard firewall appliances.

“The Sandworm actor has replaced the exposed VPNFilter malware with a new more advanced framework.” reads the advisory published by the UK National Cyber Security Centre. “The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.”

Cyclops Blink is sophisticated malware with a modular structure. It supports functionality to add new modules at run-time allowing Sandworm operators to implement additional capability as required.

The malware leverages the firmware update process to achieve persistence. The malware manages clusters of victims and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses. 

“Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware,” concludes the advisory. “WatchGuard has worked closely with the FBI, CISA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process.”

Indicators of compromise (IoCs) are included in the Cyclops Blink malware analysis report.

In February 2021, the French security agency ANSSI warned of a series of attacks targeting Centreon monitoring software used by multiple French organizations and attributed them to the Russia-linked Sandworm APT group.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)


Researchers shared technical details of NSA Equation Group’s Bvp47 backdoor

Wed, 02/23/2022 - 15:33
Pangu Lab researchers disclosed details of the Bvp47 backdoor that was used by the US NSA Equation Group.

Researchers from China's Pangu Lab have disclosed details of a top-tier Linux APT backdoor, tracked as Bvp47, which they associate with the U.S. National Security Agency (NSA) Equation Group.

The name “Bvp47” comes from numerous references to the string “Bvp” and the numerical value “0x47” used in its encryption algorithm.

The Bvp47 backdoor was first discovered in 2013 during a forensic investigation into a security breach suffered by a Chinese government organization.

The experts extracted the backdoor from Linux systems “during an in-depth forensic investigation of a host in a key domestic department.”

The malware appeared to be a top-tier APT backdoor, but further analysis was hampered because activating its remote-control function requires the attacker's asymmetric private key.

In 2016 and 2017, the hacking group The Shadow Brokers leaked a bunch of data allegedly stolen from the Equation Group, including many hacking tools and exploits.

At the end of October 2016, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

Pangu Lab researchers later found the Bvp47 backdoor within the data leaked by The Shadow Brokers, which allowed them to attribute it to the Equation Group.

The leaked data revealed that the Equation Group hit more than 287 targets in 45 countries, including Russia, Japan, Spain, Germany, Italy in a time span of ten years.

The group targeted multiple industries, including governments, telecom, aerospace, energy, financial institutions, nuclear research, oil and gas, military, transportation, and companies developing encryption technologies.

Pangu Lab has tracked the attacks involving the Bvp47 backdoor as “Operation Telescreen,” the malicious code was developed to allow operators to achieve long-term control over infected devices.

“The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process” reads the report published by the experts.

The experts believe there was no effective defense against the backdoor's network attack capability, which was combined with zero-day exploits.

Technical details of the backdoor are included in the Pangu Lab’s report, it also provides insights on the link between the Equation Group and the US NSA.

The attribution to the Equation Group is based on overlaps with exploits contained in the encrypted archive file “eqgrp-auction-file.tar.xz.gpg” published by the Shadow Brokers after the 2016 failed auction.


Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)


Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp?

Wed, 02/23/2022 - 10:57
The code of the recently-emerged Entropy ransomware has similarities with the one of the infamous Dridex malware.

The recently-emerged Entropy ransomware has code similarities with the popular Dridex malware.

Experts from Sophos analyzed the code of Entropy ransomware employed in two distinct attacks.

“A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.” reads a report published by Sophos.

The forensic analysis revealed the presence of multiple instances of the general-purpose Dridex malware, which was also used to distribute other malware.

In both attacks, endpoint protection detected the threat; according to the experts, the anti-malware solution flagged the packer code used by Entropy through a signature originally created to detect the packer employed by Dridex.

SophosLabs researchers also noticed that some of the other subroutines Entropy uses to hide its behavior are similar to those performing the same functions in Dridex.

The packer used by Entropy works in two stages to decompress the program code. In the first stage it allocates a memory region, copies the encrypted data into it and executes the packer stub from there. In the second stage the packer decrypts the code into another portion of the same allocation that holds the encrypted data, and then transfers execution to this second layer.

“The instructions that dictate how Entropy performs the first “layer” of unpacking are similar enough to Dridex that the analyst who looked at the packer code, and in particular the portion that refers to an API called LdrLoadDll — and that subroutine’s behavior, described it as “very much like a Dridex v4 loader,” and compared it to a similar loader used by a Dridex sample from 2018.” continues the report. “The behavior in question has been highlighted in other vendors’ research about Dridex. Specifically, it is looking for a DLL named snxhk.dll, which is a memory protection component of another company’s endpoint security product, in order to sabotage that protection.”

SophosLabs also reported detections of this particular packer code on machines protected by Sophos where attackers had unsuccessfully attempted to run the DoppelPaymer ransomware.

DoppelPaymer and Dridex were both attributed to the operation of a cybercrime gang known as Evil Corp, which launched in October a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.

The Evil Corp cybercrime group (aka Indrik Spider or the Dridex gang) has been active since 2007. The group started out by developing and distributing the infamous Dridex banking Trojan, then switched to ransomware operations, infecting victims' networks with the BitPaymer ransomware.

In 2019, the U.S. Department of Justice (DoJ) charged Russian citizens Maksim V. (32) and Igor Turashev (38) with distributing the Dridex banking Trojan and with involvement in international bank fraud and computer hacking schemes.

The US Treasury sanctioned Evil Corp in December 2019, so ransomware negotiation firms that facilitate ransom payments to the group on behalf of victims risk violating those sanctions.

To get around those sanctions, Evil Corp launched several ransomware operations under different names, such as WastedLocker, Hades, Phoenix Locker, and PayloadBin.

The Macaw Locker was recently involved in attacks against Olympus and the Sinclair Broadcast Group.

Experts pointed out that in both attacks investigated by Sophos, the attackers targeted vulnerable Windows systems that were not updated. 


Pierluigi Paganini

(SecurityAffairs – hacking, Dridex)


Horde Webmail software has been affected by a dangerous bug since 2012

Wed, 02/23/2022 - 06:07
Experts found a nine-year-old unpatched flaw in the Horde Webmail software that could allow access to email accounts.

Horde Webmail is affected by a nine-year-old unpatched vulnerability that can be abused to gain complete access to a victim's email account simply by having them preview an attachment.

Horde Webmail is a free, enterprise-ready, and browser-based communication suite developed by the Horde project. This webmail solution is widely adopted by universities and government agencies.

“We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment.” reads a report published by Sonarsource. “This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization.”

The vulnerability discovered by Sonarsource is a stored XSS introduced nine years ago with commit 325a7ae on 30 Nov 2012; every version since then is affected.

The issue can be triggered by previewing a specially crafted OpenOffice document to execute a malicious JavaScript payload. Upon exploiting the issue, the attacker can steal all emails the victim has sent and received.

“An attacker can craft an OpenOffice document that when transformed to XHTML by Horde for preview can execute a malicious JavaScript payload.” continues the report. “The vulnerability triggers when a targeted user views an attached OpenOffice document in the browser.”

In the worst case, the attacker can compromise an administrator account and take over the webmail server.

Sonarsource reported the flaw almost six months ago, but there is currently no official patch available.

The researchers recommend disabling the rendering of OpenOffice attachments. Administrators can edit the config/mime_drivers.php file in the content root of their Horde installation and add the

'disable' => true

configuration option to the OpenOffice MIME handler's entry in that file.


Pierluigi Paganini

(SecurityAffairs – hacking, Horde Webmail)


Iranian Broadcaster IRIB hit by wiper malware

Wed, 02/23/2022 - 03:06
Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.

An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January, revealed the involvement of a disruptive wiper malware along with other custom-made backdoors, and scripts and configuration files used to install and configure the malicious executables.

Researchers from Check Point who investigated the attack reported that the attackers used wiper malware to disrupt the state broadcasting networks, damaging both TV and radio networks.

According to the experts, the effects of the attack were more serious than officially reported.

Check Point was not able to find any evidence that demonstrates a previous use of these tools, or attribute them to a specific threat actor.

During the attack, threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi along with the image of Ayatollah Khamenei crossed out with red lines and the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!”

“During a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,” IRIB said.

“Our colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi told state TV channel IRINN.

“Similar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,” he added, referring to other state-affiliated broadcast channels.

The experts discovered two identical .NET samples named msdskint.exe that were used to wipe the files, drives, and MBR on the infected devices, making them unusable.

The malware also has the ability to clear Windows Event Logs, delete backups, kill processes, and change users’ passwords.

The report details the use of four backdoors in the attack:

  • WinScreeny, used to make screenshots of the victim’s computer;
  • HttpCallbackService, a Remote Administration Tool (RAT);
  • HttpService, another backdoor that listens on a specified port;
  • ServerLaunch, a C++ dropper.

Iranian officials attribute the attack to the MEK; however, the opposition group itself denies any involvement.

The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks happened in Iran.” the researchers conclude.


Pierluigi Paganini

(SecurityAffairs – hacking, IRIB)

The post Iranian Broadcaster IRIB hit by wiper malware appeared first on Security Affairs.

Categories: Cyber Security News

Threat actors target poorly protected Microsoft SQL Servers

Tue, 02/22/2022 - 15:46
Threat actors install Cobalt Strike beacons on vulnerable Microsoft SQL Servers to achieve a foothold in the target network.

Researchers from Ahn Lab’s ASEC spotted a new wave of attacks deploying Cobalt Strike beacons on vulnerable Microsoft SQL Servers to achieve initial access to target networks and deploy malicious payloads.

The threat actors behind the campaign are targeting poorly secured Microsoft SQL Servers exposed online.

The attack chain starts with the threat actors scanning for MS-SQL servers with TCP port 1433 open. The attackers then carry out brute-force and dictionary attacks in an attempt to crack the password.

Upon gaining access to the server, the attackers have been observed deploying cryptocurrency miners such as Lemon Duck, KingMiner, and Vollgar. The attackers achieve persistence by installing the post-exploitation tool Cobalt Strike and use it for lateral movement.

“If the attacker succeeds to log in to the admin account through these processes, they use various methods including the xp_cmdshell command to execute the command in the infected system.” reads the analysis published by Ahn Lab’s ASEC. “Cobalt Strike that has recently been discovered was downloaded through cmd.exe and powershell.exe via the MS-SQL process as shown below.”

The Cobalt Strike beacon is injected into the memory of the legitimate Windows library wwanmm.dll, where it waits for the attackers’ commands.

“Cobalt Strike that is executed in MSBuild.exe has an additional settings option to bypass detection of security products, where it loads the normal dll wwanmm.dll, then writes and executes a beacon in the memory area of the DLL.” continues the analysis. “As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection.”

At this time, it is unclear exactly how the attackers took over the MS-SQL servers and installed the malware; experts believe, however, that the targeted systems had poorly managed account credentials.

AhnLab published Indicators of Compromise (IoCs) for these attacks, including download URLs, MD5 hashes of the beacons, and C2 server URLs.
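A defender-side check for the two steps described above (password guessing against the exposed instance, then xp_cmdshell being switched on), written here as an added example rather than anything from the AhnLab report: it scans SQL Server ERRORLOG lines, and the sample lines embedded in it are constructed.

```python
# Detection over SQL Server ERRORLOG lines for the two steps described above:
# password guessing against an exposed instance and xp_cmdshell being switched
# on. Added example; the log lines below are constructed, not from the report.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
# Error 18456 is logged as a "Login failed for user ..." line with the client IP.
LOGIN_FAIL = re.compile(TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'\."
                        r".*\[CLIENT: (?P<ip>[^\]]+)\]")
# sp_configure writes this line when xp_cmdshell is enabled (0 -> 1).
XP_CMDSHELL_ON = re.compile(
    TS + r" spid\d+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")

SAMPLE_LOG: List[str] = (
    ["2022-02-22 09:30:58.01 Logon       Error: 18456, Severity: 14, State: 8."]
    + [f"2022-02-22 09:31:{s:02d}.00 Logon       Login failed for user 'sa'. "
       "Reason: Password did not match that for the login provided. "
       "[CLIENT: 203.0.113.10]" for s in range(0, 36, 3)]   # 12 guesses in 33 s
    + ["2022-02-22 09:33:40.22 Logon       Login failed for user 'reporting'. "
       "Reason: Password did not match that for the login provided. "
       "[CLIENT: 198.51.100.7]",                               # one mistyped password
       "2022-02-22 09:40:11.55 spid57      Configuration option 'xp_cmdshell' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install."]
)


def detect(lines: List[str], threshold: int = 10,
           window: timedelta = timedelta(minutes=5)) -> List[tuple]:
    """Flag a client IP once it reaches `threshold` failed logins inside
    `window`, and flag any enabling of xp_cmdshell. Returns alerts in order."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: set = set()
    alerts: List[tuple] = []
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            q = recent[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append(("sql_login_bruteforce", m["ip"], m["user"], len(q)))
            continue
        m = XP_CMDSHELL_ON.search(line)
        if m:
            alerts.append(("xp_cmdshell_enabled", m["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs; a lone mistyped password from a second client, as in the sample, does not trip the rule.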


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft SQL Servers)

The post Threat actors target poorly protected Microsoft SQL Servers appeared first on Security Affairs.

Categories: Cyber Security News

Cookware giant Meyer Corporation discloses cyberattack

Tue, 02/22/2022 - 10:47
US cookware distributor giant Meyer Corporation discloses a data breach that affected thousands of its employees.

Meyer Corporation, the second-largest cookware distributor globally, has disclosed a data breach that affects thousands of its employees.

The attack took place on October 25, 2021, according to the data breach notification letters filed with the Attorney General offices of Maine and California.

“On or around October 25, 2021, Meyer was the victim of a cybersecurity attack by an unauthorized third party that impacted our systems and operations. Upon detecting the attack, Meyer initiated an investigation with the assistance of our cybersecurity experts, including third-party forensic professionals. On or around December 1, 2021, our investigation identified potential unauthorized access to employee information.” reported the data breach notification letter. “While we do not currently have evidence that your specific information has been actually accessed or impacted, we want to inform you of this incident so that you may consider taking additional steps to help protect your information.”

The company launched an investigation into the incident that was concluded on December 1, 2021. Experts involved in the investigation discovered that intruders gained access to personal information belonging to employees of Meyer and its subsidiaries.

The company did not provide details about the attack, but the Conti ransomware gang claimed responsibility for it and has listed the firm among its victims on its leak site since November 2021.

Compromised data includes:

  • Full names
  • Physical address
  • Date of birth
  • Gender
  • Ethnicity
  • Social Security number
  • Health insurance information
  • Medical condition
  • Random drug screening results
  • COVID vaccination cards
  • Driver’s license
  • Passports
  • Government ID number
  • Permanent resident cards
  • Immigration status information
  • Information on dependents

The company is offering two years of identity protection services to affected employees and their dependents.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Cookware giant Meyer Corporation discloses cyberattack appeared first on Security Affairs.

Categories: Cyber Security News

Police dismantled a gang that used phishing sites to steal credit cards

Tue, 02/22/2022 - 10:15
The Ukrainian police arrested a gang specialized in the sale of stolen payment card data through phishing attacks.

The cybercrime unit of the Ukrainian police has arrested a group of cybercriminals who managed to steal payment card data from at least 70,000 people by setting up fake mobile top-up services.

The police arrested five people who created and administered more than 40 phishing sites used to harvest the bank card data of unsuspecting citizens. Once they obtained the data, the crooks used it to empty their victims’ bank accounts.

One of the members of the group set up his own servers to operate the fraudulent scheme; he also hired three citizens who acted as so-called money mules (individuals who withdrew the funds from the accounts and transferred them to other accounts under the control of the gang, or otherwise supported the cash-out). The money mules kept a percentage of the profit for each operation they carried out.

“Users entered bank card details on phishing sites in order to top up their mobile account or make a transfer. Thus, the attacker received payment information from more than 70 thousand people. Later, using this data, the group members embezzled citizens’ money.” reads the announcement published by the Ukrainian Cyberpolice. “The organizer also used paid marketing and analytical resources to bring these sites to the forefront of search services, as well as advertise services on social networks.”

The police raided the houses of the five suspects and seized 2 million hryvnias ($70,000) in cash, mobile phones, flash drives, bank cards, and computers. According to a preliminary investigation, the group stole more than 5 million hryvnias ($175,000) from the victims.

The arrested people now face criminal charges under Part 2 of Art. 361 (Unauthorized interference in the work of computers, automated systems, computer networks or telecommunications networks) and Part 3 of Art. 190 (Fraud) of the Criminal Code of Ukraine. The members of the gang face up to eight years in prison.

“Cyberpolice reminds you to check the URL carefully, as any inaccuracies can mean that the user has been caught on a phishing site. Do not enter third-party resources or disclose bank card details, especially CVV, PIN and card expiration date.” concludes the announcement.


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

The post Police dismantled a gang that used phishing sites to steal credit cards appeared first on Security Affairs.

Categories: Cyber Security News

China-linked APT10 Target Taiwan’s financial trading industry

Tue, 02/22/2022 - 08:20
China-linked APT group APT10 (aka Stone Panda, Bronze Riverside) targets Taiwan’s financial trading sector with a supply chain attack.

The campaign launched by the APT10 group started in November 2021, but it hit a peak between 10 and 13 2022, Taiwanese cybersecurity firm CyCraft reported.

The group (also known as Cicada, Stone Panda, MenuPass group, Bronze Riverside, and Cloud Hopper) has been active since at least 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. In November 2020, researchers uncovered a large-scale campaign conducted by China-linked APT10 targeting businesses using the recently disclosed ZeroLogon vulnerability.

According to CyCraft, nation-state attackers compromised the supply chain of software systems of financial institutions as part of a campaign codenamed Operation Cache Panda.

The attack caused “abnormal cases of placing orders.”

The attackers exploited a vulnerability in the web management interface of an unnamed security software firm in Taiwan and deployed a web shell to deliver the Quasar RAT on the target system.

Quasar RAT is available as an open-source tool in several public repositories; attackers use methods such as password protection and encoded macros to avoid detection.

Quasar RAT has been used in the past by many hacking groups, including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.

Quasar RAT is a publicly available open-source remote access trojan (RAT) written in .NET. Its features include capturing screenshots, recording webcam, editing registry, keylogging, and stealing passwords.

The attack was uncovered amid the presentation of draft amendments to the National Security Act by Taiwan’s Parliament. The laws were proposed to counter the economic and industrial espionage conducted by Beijing. The goal of the Taiwanese authorities is to protect the island’s semiconductor industry from Chinese industrial espionage.

“The Executive Yuan on Thursday approved draft amendments to the National Security Act that would make it a crime to engage in “economic espionage” or the unapproved use of critical national technologies and trade secrets outside of Taiwan. Sentences would be set at up to 12 years and 10 years in jail, respectively.” reported Nikkei Asia.

People who use critical national technologies and trade secrets outside of the country without government authorization could face up to 12 years in prison.

People and organizations that help Chinese companies set up operations in the country could face three years in prison or a fine of up to NT$15 million.

“High-tech industry is the lifeline of Taiwan. However, the infiltration of the Chinese supply chain into Taiwan has become serious in recent years,” Lo Ping-cheng, minister without portfolio and spokesperson for the Executive Yuan, said at a news conference on Thursday. “They are luring away high-tech talent, stealing national critical technologies, circumventing Taiwan’s regulations, operating in Taiwan without approval and unlawfully investing in Taiwan, which is causing harm to Taiwan’s information technology security as well as the industry’s competitiveness.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT10)

The post China-linked APT10 Target Taiwan’s financial trading industry appeared first on Security Affairs.

Categories: Cyber Security News

A cyber attack heavily impacted operations of Expeditors International

Tue, 02/22/2022 - 03:36
American worldwide logistics and freight forwarding company Expeditors International shut down its global operations after a cyber attack.

American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.

Expeditors has over 18,000 employees worldwide and annual gross revenue of around $10 billion. The company discovered the attack on February 20, 2022; it did not provide details about the attack and announced that it has launched an investigation into the incident.

“Expeditors International of Washington, Inc. (NASDAQ:EXPD) announced that on February 20, 2022, we determined that our company was the subject of a targeted cyber-attack. Upon discovering the incident, we shut down most of our operating systems globally to manage the safety of our overall global systems environment.” reads the announcement published by the company. “The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments.”

The information publicly available on the attack suggests the company was the victim of a ransomware attack and was forced to shut down its network to avoid the threat from spreading.

The attack impacted the company’s operations, including its ability to arrange shipments of freight and to manage customs and distribution activities for its customers’ shipments.

The company hired cybersecurity experts to investigate the security breach and recover from the attack.

The company warned that the incident could have a material adverse impact on its business, revenues, results of operations, and reputation.

“We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation.” concludes the advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, cyber attack)

The post A cyber attack heavily impacted operations of Expeditors International appeared first on Security Affairs.

Categories: Cyber Security News

Xenomorph Android banking trojan distributed via Google Play Store

Mon, 02/21/2022 - 17:21
The Xenomorph Android trojan has been observed being distributed via the official Google Play Store, targeting 56 European banks.

Researchers from ThreatFabric have spotted a new Android banking trojan, dubbed Xenomorph, distributed via the official Google Play Store that has over 50,000 installations.

The banking Trojan was used to target 56 European banks and steal sensitive information from the devices of their customers.

The analysis of the code revealed unimplemented features and a large amount of logging, which suggests that this threat is under active development.

Xenomorph shares overlaps with the Alien banking trojan, but its functionality is radically different from Alien’s.

Researchers speculate that the two malware could have been developed by the same actor, or at least by someone familiar with the codebase of the Alien banking Trojan.

Alien was spotted by ThreatFabric in September 2020; it implements multiple features allowing it to steal credentials from 226 applications. The Alien operation was run as Malware-as-a-Service (MaaS) and was advertised on several underground hacking forums. According to the researchers, Alien borrows portions of its source code from the Cerberus malware.

ThreatFabric pointed out that the Cerberus operators attempted to sell their project because several issues in the malware remained unsolved for a long time due to shortcomings of the criminal gang’s development team. The delay in addressing the problems allowed Google Play Protect to detect the threat on all infected devices. Alien is not affected by the same issues, and this is the reason for the success of its MaaS model.

Alien is considered a next-generation banking trojan that also implements remote-access features into its codebase.

Xenomorph, like Alien, was able to bypass the security protections implemented by the Google Play Store; the researchers found it on the official store masquerading as productivity apps such as “Fast Cleaner.”

Fast Cleaner (vizeeva.fast.cleaner) is still available on the Play Store. The analysis of the overlays revealed that Xenomorph was developed to target users from Spain, Portugal, Italy, and Belgium, as well as some general-purpose applications such as email services and cryptocurrency wallets.

Xenomorph leverages the classic overlay attack powered by Accessibility Services privileges as an attack vector.

“Once the malware is up and running on a device, its background services receive accessibility events whenever something new happens on the device. If the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package. Here are a few examples of triggered overlays” reads the analysis published by ThreatFabric. “In addition, the malware is able to abuse Accessibility Services to log everything that happens on the device. At the moment of writing, all the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware.”

Xenomorph shows the interest of crooks in exploiting Google Play Store to spread their malware and the effort they dedicate to bypass security checks implemented by Google.

“The surfacing of Xenomorph shows, once again, that threat actors are focusing their attention on landing applications on official markets. This is also a signal that the underground market for droppers and distribution actors has increased its activity, considering that we just very recently observed Medusa and Cabassous also being distributed side-by-side.” concludes the report. “Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon. Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change.”


Pierluigi Paganini

(SecurityAffairs – hacking, Xenomorph)

The post Xenomorph Android banking trojan distributed via Google Play Store appeared first on Security Affairs.

Categories: Cyber Security News

How SMS PVA services could undermine SMS-based verification

Mon, 02/21/2022 - 14:31
Crooks abuse some SMS PVA services that allow their customers to create disposable user accounts to conduct malicious activities.

While investigating SMS PVA services (phone-verified account services), Trend Micro researchers discovered a rogue platform using a botnet of thousands of Android devices used to carry out malicious activities.

SMS PVA services provide alternative mobile numbers that customers use to register for online services and platforms. SMS PVA services can be abused to bypass SMS verification mechanisms: attackers can register disposable accounts in bulk or create phone-verified accounts to use for fraudulent activities.

Owners of the compromised smartphones are not aware that their devices have been compromised and that these services have access to their private data, messages, and applications. The operators behind this campaign used the Guerrilla malware (“plug.dex”) to capture and parse SMS messages received on infected Android devices and to check and exfiltrate data of interest.

The malicious code uses specially crafted regular expressions provided by the C&C to analyze only the SMS messages that match specific conditions, in an attempt to avoid raising suspicion. The experts pointed out that if the SMS PVA service allowed its customers to access all messages on the infected phones, the owners would quickly discover the compromise.

Top seven affected smartphone brands and models are Lava, ZTE, Mione, Meizu, Huawei, Oppo, and HTC.

Most of the infections have been observed in Southeast Asia (Indonesia, Thailand), South Asia (India, Bangladesh), the Middle East (United Arab Emirates), and Eastern Europe.

One of the SMS PVA services analyzed by the experts, smspva[.]net, supports a broad range of platforms for which it can extract the verification code by parsing the SMS verification message.

smspva[.]net supports several popular messaging apps (LINE, WeChat, WhatsApp, Telegram), social media (TikTok, Twitter, Facebook), payment and finance (PayPal, Alipay, MoneyLion), content livestreaming (17LIVE aka LIVIT, EME Hive), and online shopping apps (Jingdong, Flipkart). The large number of messaging apps supported by smspva[.]net is likely linked to the increase in spam and fraud from fake accounts on these platforms.

Trend Micro speculates that the Android devices were infected with SMS-intercepting malware either through malware downloaded accidentally by the user or through malicious software preloaded onto the devices as a result of a supply-chain compromise.

The advertising for the service claims the availability of “bulk virtual phone numbers (across more than 100 countries)” that can be used on various platforms via an API.

“In August 2020, ReceiveCode’s first post advertised “bulk virtual phone numbers” for use on various platforms such as Facebook, Google, Hotmail, Yahoo, Vkontakte, TikTok, Amazon, Alibaba, Uber, Twitter, YouTube, LinkedIn, and Instagram. Based on the account name alone, one can already tell that it enables one to receive the SMS verification code when registering to online services.” reads the analysis published by Trend Micro.

Experts also reported that the authentication processes for new accounts often cross-check the location (i.e., the IP address) of users against their phone numbers during registration. SMS PVA services get around this restriction by using residential proxies and VPNs to connect to the desired platform.

“SMS verification has become the default authentication method for many online platforms and applications. Many IT departments treat SMS verification as a “secure” black box validation tool for user accounts. Currently, however, online services and platforms should be wary about heavily relying on SMS verification. These SMS PVA services prove that cybercriminals are indeed able to defeat SMS verification at scale.” concludes the report. “This also means that there could be authenticated and verified accounts on platforms that behave like bots, trolls, or fraudulent accounts.”


Pierluigi Paganini

(SecurityAffairs – hacking, SMS PVA services)

The post How SMS PVA services could undermine SMS-based verification appeared first on Security Affairs.

Categories: Cyber Security News

A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files

Mon, 02/21/2022 - 03:16
Researchers discovered a flaw in the encryption algorithm used by Hive ransomware that allowed them to decrypt data.

Researchers discovered a flaw in the encryption algorithm used by Hive ransomware that allowed them to decrypt data without knowing the private key used by the gang to encrypt files.

The Hive ransomware operation has been active since June 2021; it is run as a Ransomware-as-a-Service (RaaS) and adopts a double-extortion model, threatening to publish data stolen from victims on its leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by the blockchain analytics company Chainalysis, Hive ransomware was one of the top 10 ransomware strains by revenue in 2021. The group used a variety of attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

“Hive ransomware uses a hybrid encryption scheme, but uses its own symmetric cipher to encrypt files. We were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis. As a result of our experiments, encrypted files were successfully decrypted using the recovered master key based on our mechanism.” reads the paper published by researchers from Kookmin University (South Korea). “To the best of our knowledge, this is the first successful attempt at decrypting the Hive ransomware. We experimentally demonstrated that more than 95% of the keys used for encryption could be recovered using the method we suggested.”

The technique devised by the team of academics was able to recover more than 95% of the keys used for the encryption process, which is represented in the following image:

The experts detailed the process Hive ransomware uses to generate and store the master key for the victim’s files. The ransomware generates 10 MiB of random data and uses it as the master key. For each file to be encrypted, the malware extracts 1 MiB and 1 KiB of data from specific offsets of the master key and uses them as the keystream. The offsets are stored in the encrypted name of each file. This means the experts were able to read the keystream offsets from the filename and decrypt the file.

“Hive ransomware encrypts files by XORing the data with a random keystream that is different for each file. We found that this random keystream was sufficiently guessable.” continues the paper. “Hive ransomware generates a data encryption keystream (EKS) that appears random for each file, and encrypts the file by XORing EKS with the file. However, EKS is created using two keystreams extracted from the previously created master key. During the encryption process, only part of the file, not the entire area, is encrypted.”

The results of the tests demonstrated the effectiveness of the method: a master key recovered to 92% succeeded in decrypting approximately 72% of the files, a master key recovered to 96% decrypted approximately 82% of the files, and a master key recovered to 98% decrypted approximately 98% of the files.
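To see why a keystream built from two slices of one reused master key is recoverable, here is a scaled-down model of the scheme described above, added here and not taken from the paper or from Hive itself: the master key size, the slice sizes and the filename format are shrunk or made up, and every keystream byte is treated as an XOR equation between two master-key bytes, which a file with known content (for example a fixed format header) turns into relations that also decrypt other files whose offsets overlap.

```python
# Scaled-down model of the Hive keystream weakness (constructed example, not
# Hive's code or the researchers' tool): master key 4096 bytes instead of
# 10 MiB, keystream slices 256/16 bytes instead of 1 MiB/1 KiB, whole file
# XORed instead of only part of it, made-up filename format for the offsets.
import random
from typing import Optional, Tuple

MASTER_LEN, KS1_LEN, KS2_LEN = 4096, 256, 16


def hive_keystream(master: bytes, off1: int, off2: int, n: int) -> bytes:
    """EKS[i] = master[off1 + i mod KS1_LEN] ^ master[off2 + i mod KS2_LEN]."""
    return bytes(master[off1 + i % KS1_LEN] ^ master[off2 + i % KS2_LEN]
                 for i in range(n))


def encrypt_file(master: bytes, name: str, data: bytes,
                 off1: int, off2: int) -> Tuple[str, bytes]:
    """Per-file XOR with the two offsets stored in the encrypted filename."""
    eks = hive_keystream(master, off1, off2, len(data))
    return f"{name}.{off1:x}.{off2:x}.hive", bytes(a ^ b for a, b in zip(data, eks))


def parse_offsets(enc_name: str) -> Tuple[int, int]:
    parts = enc_name.split(".")
    return int(parts[-3], 16), int(parts[-2], 16)


class XorRelations:
    """Union-find with XOR parity over master-key byte indices. Known plaintext
    yields equations master[a] ^ master[b] = v; that never fixes a byte's absolute
    value, but decryption only needs XORs of two master bytes, so it cancels."""
    def __init__(self, n: int) -> None:
        self.parent = list(range(n))
        self.delta = [0] * n   # master[x] ^ master[parent[x]]

    def find(self, x: int) -> Tuple[int, int]:
        """Return (root, master[x] ^ master[root]), compressing the path."""
        path, acc = [], 0
        while self.parent[x] != x:
            path.append(x)
            acc ^= self.delta[x]
            x = self.parent[x]
        run = acc
        for node in path:                 # re-point each node at the root
            d = self.delta[node]
            self.parent[node], self.delta[node] = x, run
            run ^= d
        return x, acc

    def union(self, a: int, b: int, v: int) -> bool:
        """Record master[a] ^ master[b] == v; False if it contradicts earlier data."""
        ra, da = self.find(a)
        rb, db = self.find(b)
        if ra == rb:
            return (da ^ db) == v
        self.parent[ra], self.delta[ra] = rb, da ^ db ^ v
        return True

    def xor_of(self, a: int, b: int) -> Optional[int]:
        ra, da = self.find(a)
        rb, db = self.find(b)
        return da ^ db if ra == rb else None


def learn(rel: XorRelations, enc_name: str, ct: bytes, known_pt: bytes) -> bool:
    """Add one equation per known byte: it ties one KS1 index to one KS2 index."""
    off1, off2 = parse_offsets(enc_name)
    ok = True
    for i, (c, p) in enumerate(zip(ct, known_pt)):
        ok &= rel.union(off1 + i % KS1_LEN, off2 + i % KS2_LEN, c ^ p)
    return ok


def recover(rel: XorRelations, enc_name: str, ct: bytes) -> Tuple[bytes, int]:
    """Decrypt bytes whose two master indices share a component; others stay 0x00."""
    off1, off2 = parse_offsets(enc_name)
    out, hits = bytearray(len(ct)), 0
    for i, c in enumerate(ct):
        ks = rel.xor_of(off1 + i % KS1_LEN, off2 + i % KS2_LEN)
        if ks is not None:
            out[i], hits = c ^ ks, hits + 1
    return bytes(out), hits


def demo(seed: int = 1) -> dict:
    """Constructed scenario: file A fully known, file B overlaps A's offsets."""
    rng = random.Random(seed)
    master = bytes(rng.randrange(256) for _ in range(MASTER_LEN))
    pt_a = bytes(rng.randrange(256) for _ in range(KS1_LEN))
    pt_b = bytes(rng.randrange(256) for _ in range(KS1_LEN))
    name_a, ct_a = encrypt_file(master, "a.bin", pt_a, off1=100, off2=1000)
    name_b, ct_b = encrypt_file(master, "b.bin", pt_b, off1=116, off2=1000)
    rel = XorRelations(MASTER_LEN)
    consistent = learn(rel, name_a, ct_a, pt_a)   # 256 equations from file A
    got_b, hits = recover(rel, name_b, ct_b)      # 240 of B's 256 bytes follow
    return {"consistent": consistent, "recovered": hits, "total": len(pt_b),
            "prefix_ok": got_b[:hits] == pt_b[:hits]}
```

The last 16 bytes of file B stay unknown because their KS1 indices were never tied to anything, which is the same partial-recovery picture the paper's percentages describe.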


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files appeared first on Security Affairs.

Categories: Cyber Security News

Threat Report Portugal: Q4 2021

Mon, 02/21/2022 - 02:58
The Threat Report Portugal: Q4 2021 compiles data collected on the malicious campaigns that occurred from October to December, Q4, of 2021.

The Portuguese Abuse Open Feed 0xSI_f33d is an open sharing database with the ability to collect indicators from multiple sources, developed and maintained by Segurança-Informática. This feed is based on automatic searches and is also supported by a healthy community of contributors. This makes it a reliable, trustworthy, and continuously updated source focused on the threats targeting Portuguese citizens. 0xSI_f33d has been part of the official VirusTotal ingestors since July 2021, allowing the community to verify threats worldwide provided by this feed.

The Threat Report Portugal: Q4 2021 compiles data collected on the malicious campaigns that occurred from October to December, Q4, of 2021. The submissions were classified as either phishing or malware. In addition, the report highlights the threats, trends and key takeaways of threats observed and reported to 0xSI_f33d. It provides intelligence and indicators of compromise (IOCs) that organizations can use to fight current attacks, anticipate emerging threats and improve security awareness.

Phishing and Malware Q4 2021

The results depicted in Figure 1 show that phishing campaigns (92.2%) were more prevalent than malware (7.8%) during Q4 2021. Phishing submissions continued to grow in Q4 (1,180), while malware fell to 7.8% of the total, down from 20.2% in Q3 2021.

Looking back at Q1 2021, phishing and malware campaigns increased compared with 2020, probably as a result of the Facebook data leak that surfaced in early January 2021: criminals use that kind of data to run massive campaigns against Portuguese Internet users. Q2 maintained the uptrend, with criminals using novel techniques to distribute phishing related to the banking sector in the wild. Campaigns impersonating the Autoridade Tributária e Aduaneira were also observed, using Telegram to notify the criminals of new infections. August ended with a massive campaign impersonating the Continente supermarket brand, with many domains submitted to 0xSI_f33d.

In terms of malware, the popular QakBot banking trojan was observed as a growing threat in Portugal during Q1-Q3 2021. This malware focuses on stealing banking credentials and victims' secrets using tactics, techniques and procedures (TTPs) that have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and anti-reversing features.

Also, two new pieces of malware were documented: HorusEyes RAT, built on a RAT sold on underground forums, and the dangerous Maxtrilha trojan, which was fully undetectable (FUD) by antivirus engines at the time of analysis.

For more information about the Maxtrilha trojan, see the full analysis below.

Finally, there was a high number of phishing campaigns in November and December, which is tied to a social engineering campaign abusing package delivery services, including CTT, DHL, UPS and FedEx. This campaign has been tracked by Segurança-Informática, and all the malicious domains are submitted to 0xSI_f33d every day.

Malware by Numbers

Overall, the Satori/Mirai botnet, MS Office documents with malicious macros, and the QakBot trojan were among the most prevalent threats affecting Portuguese citizens during Q4 2021. Other banking trojan variants and families targeting customers of different banks in Portugal were also observed. These banking trojans originate in Brazil and are disseminated via phishing campaigns; criminals also use smishing to widen their reach and hit a larger group of victims.

Threats by Sector

Regarding the affected sectors, Retail was the most affected, with both phishing and malware campaigns hitting Portuguese citizens during Q4 2021, followed by Banking and Health.

Threat campaigns during Q1 2022 will be published daily to 0xSI_f33d, along with additional incidents and investigations documented and published on Segurança-Informática.

The infographic containing the report can be downloaded from here in printable format: PDF or PNG.

Original Post at https://seguranca-informatica.pt/threat-report-portugal-q4-2021/#.YhKSa9_MK5c

About the author: Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog seguranca-informatica.pt.


Pierluigi Paganini

(SecurityAffairs – hacking, Threat Report Portugal)

The post Threat Report Portugal: Q4 2021 appeared first on Security Affairs.

Categories: Cyber Security News

BEC scammers impersonate CEOs on virtual meeting platforms

Sun, 02/20/2022 - 14:07
The FBI warned that US organizations and individuals are being increasingly targeted in BEC attacks on virtual meeting platforms.

The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests.

Cybercriminals target organizations of any size as well as individuals; in BEC scenarios the attackers pose as someone the target trusts, such as a business partner, the CEO, another executive or a service provider.

Scammers compromise legitimate business or personal email accounts through various means, such as social engineering or computer intrusion, in order to conduct unauthorized transfers of funds.

Crooks have started using virtual meeting platforms because of the popularity these platforms gained during the pandemic.

The Public Service Announcement published by the FBI warns of a new technique in which scammers use virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts.

“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.

Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.

Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:

  • Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
  • Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
  • Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.

Below are recommendations provided by the FBI:

  • Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
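The scenarios and recommendations above translate naturally into mailbox-side checks. What follows is an added example written for this page (it is not FBI code and is not part of the PSA): a heuristic triage of a raw message that flags an executive's display name paired with a foreign address, a sender or link domain that imitates the company's real domain, a Reply-To that diverts replies elsewhere, and the "stuck in a meeting, can't talk, wire the funds now" language the PSA describes. The company domain, the executive list and both sample messages are constructed for the example.

```python
"""Heuristic BEC triage of a raw RFC 5322 message.  Added example for this page,
not FBI code; organisation data and sample messages are constructed."""
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation data (constructed for the example).
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Language from the PSA scenarios: the "CEO" is in a meeting, cannot talk,
# and wants a transfer done now via chat or email.
PRESSURE_PATTERNS = [
    r"\b(wire|transfer)\b.*\b(funds|payment)\b",
    r"\bin a (virtual )?meeting\b",
    r"\bcan'?t (talk|call)\b",
    r"\b(urgent|asap|right away)\b",
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as exarnple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None                       # the real domain or a real subdomain
        if edit_distance(domain, trusted) <= 2 or trusted in domain:
            return trusted                    # typosquat, or trusted name embedded elsewhere
    return None


def triage(raw_message):
    """Return a list of findings; an empty list means no BEC indicator fired."""
    msg = message_from_string(raw_message, policy=default_policy)
    findings = []
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)

    real_mailbox = EXECUTIVES.get(display.strip().lower())
    if real_mailbox and sender.lower() != real_mailbox:
        findings.append(f"executive display name '{display}' used by {sender}")

    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {sender_domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r'https?://[^\s<>"]+', text):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link host {host} imitates {imitated}")

    hits = [p for p in PRESSURE_PATTERNS if re.search(p, text, re.I | re.S)]
    if len(hits) >= 2:
        findings.append(f"payment pressure language ({len(hits)} indicators)")
    return findings


# Constructed sample messages: one modelled on the PSA's third scenario, one benign.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.ceo@example-mail.test
To: accounts@example-corp.com
Subject: Quick task
Content-Type: text/plain; charset="utf-8"

I'm stuck in a virtual meeting and can't talk right now. Please wire the funds
for the vendor payment right away and confirm at
http://example-corp.com-secure.net/invoice
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q1 budget
Content-Type: text/plain; charset="utf-8"

The Q1 budget is ready for review at https://intranet.example-corp.com/budget
"""

if __name__ == "__main__":
    for name, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage(sample))
```

A script like this is a triage aid, not a control: the check the PSA actually recommends is out-of-band verification of any payment request over a known-good channel, and a message that passes every heuristic here still needs that call. Note also that the lookalike test only knows the domains you list, so a sender that compromises a real mailbox at the trusted domain (the PSA's first scenario) is caught, if at all, only by the pressure-language and Reply-To checks.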


Pierluigi Paganini

(SecurityAffairs – hacking, BEC)

The post BEC scammers impersonate CEOs on virtual meeting platforms appeared first on Security Affairs.

Categories: Cyber Security News
