Showing posts with label Alibaba.

Belgian Intelligence Service are Scrutinising Alibaba For Possible Spying

 

The Veiligheid van de Staat (VSSE), the state security agency of the European country, is concerned about "possible espionage" at Alibaba's logistics base at a Belgian airport. 

Belgian intelligence officials have been keeping an eye on Cainiao, Alibaba's logistics division, at the cargo airport in Liège for any signs of spying or other types of espionage concerning shipments made for Beijing, as first reported by the Financial Times. 

The VSSE is eager to "detect and fight against possible spying and/or interference activities carried out by Chinese entities, including Alibaba," according to a statement issued to media outlets. 

Alibaba did not respond to inquiries about the current situation. "We strongly deny the allegations... based on prior conjecture," a spokesperson for the mega-corp told CNN earlier. "Cainiao complies with all rules and regulations in the countries where it operates."

Cainiao will be floated and spun out by the Chinese e-commerce and cloud giant within the next six to twelve months.

According to the FT, which cited "people familiar with the matter," the VSSE is worried about software systems that compile private economic data.

The VSSE informed the newspaper that China "has the intent and capability to use this data for non-commercial purposes" since China's national intelligence law forces Chinese organisations to share information with the government. 

The logistics facility, which became operational in 2021, mostly handles products that European customers have ordered through the online marketplace AliExpress. The concern appears to be that Beijing, through Alibaba, could learn what sort of items are being shipped through the facility or potentially interfere with people's goods.

Cainiao reportedly wants to more than triple the size of its airport warehouses, from 30,000 square metres to 100,000 square metres. According to Belgium's law minister Vincent Van Quickenborne, the negotiations between Alibaba and Belgium to host the logistics centre took place in "a previous century," and "times of naiveté have changed."

The espionage fears coincide with new warnings from Western nations about Chinese espionage and data theft. 

Chinese spies are believed to have broken into Outlook and Exchange Online accounts hosted by Microsoft over the summer and stolen more than 60,000 emails belonging to US government personnel.

US and Japanese government agencies issued a warning late last month that Beijing's spies might be lurking in Cisco routers and using that access to collect organisations' IP and other sensitive data. 

Meanwhile, FBI Director Christopher Wray has repeatedly warned that China has 50 cybercriminals for each infosec operative employed by the agency. China, for its part, has countered with claims that the US broke into Huawei systems and stole data going all the way back to 2009.

AWS and Alibaba Cloud Attacked by Crypto Miners

 

An intelligence source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime group's malicious shell scripts, an earlier version of which was documented by Trend Micro. The malware author modified these tools after learning that security researchers had disclosed the prior version of the scripts. The scripts are aimed primarily at Amazon Web Services (AWS), but they could also be used on-premises, in containers, or on other Linux instances.

In addition to the primary credential-stealer scripts, there are multiple TeamTNT payloads focused on bitcoin mining, persistence, and lateral movement, employing tactics such as identifying all Kubernetes pods on the local network and installing itself on them. Also included are a script containing user credentials for the distribution system server and another with an API key that may allow remote access to a tmate shared login session. Some TeamTNT scripts include defense evasion functions aimed at defeating Alibaba Cloud security technologies.

To harvest credentials, the script looks in the following places and APIs:

  • It attempts to obtain the string 'AWS' from /proc/*/environ, i.e. from the environment variables of running Linux processes.
  • It obtains the string 'AWS' from Docker container environment variables with the command docker inspect $(docker ps -q).
  • It reads /home/.aws/credentials and /root/.aws/credentials, the default AWS CLI credential file locations.

While the credential search itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the malware saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt", uses cURL to upload it to the URL http://chimaera[.]cc/in/AWS.php, and then deletes it.

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance, because all network traffic was restricted by the VPC Security Group and the script therefore could not reach TeamTNT's servers.
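As an added defensive example (my own code, not Talos's or Cisco Secure Cloud Analytics'), the following Python flags the follow-on behaviour the alert above looks for: temporary credentials, such as those harvested from /proc/*/environ or an instance role, being used to mint further STS credentials, and instance-role sessions used from outside the VPC. The CloudTrail-style records are constructed samples, and the 10.0.0.0/8 VPC range is an assumption.

```python
# Added example (not Talos's or Cisco SCA's code): flag temporary AWS credentials minting more STS credentials.
import ipaddress

STS_MINT_EVENTS = {"AssumeRole", "GetSessionToken", "GetFederationToken"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed VPC range, not from the page


def _rec(eid, name, ip, key, arn, kind):
    # Build an abbreviated CloudTrail-style record (constructed test data).
    return {"eventID": eid, "eventSource": "sts.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": kind, "accessKeyId": key, "arn": arn}}


ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123"  # constructed
SAMPLE_RECORDS = [
    _rec("evt-1", "AssumeRole", "198.51.100.7", "ASIAEXAMPLE0001", ROLE_ARN, "AssumedRole"),
    _rec("evt-2", "GetCallerIdentity", "198.51.100.7", "ASIAEXAMPLE0001", ROLE_ARN, "AssumedRole"),
    _rec("evt-3", "AssumeRole", "10.0.1.5", "AKIAEXAMPLE0002",
         "arn:aws:iam::123456789012:user/deploy", "IAMUser"),
    _rec("evt-4", "AssumeRole", "10.0.1.5", "ASIAEXAMPLE0003", ROLE_ARN, "AssumedRole"),
]


def is_temporary_key(access_key_id):
    """Temporary credentials carry access key IDs prefixed ASIA; long-term keys use AKIA."""
    return access_key_id.startswith("ASIA")


def is_instance_role_session(identity):
    """EC2 instance profiles yield AssumedRole sessions whose session name is the instance id."""
    arn = identity.get("arn", "")
    return (identity.get("type") == "AssumedRole" and ":assumed-role/" in arn
            and arn.rsplit("/", 1)[-1].startswith("i-"))


def in_trusted_net(source):
    """sourceIPAddress can be a service name rather than an IP; treat that as not trusted."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_token_chaining(records):
    """Return findings for STS credential-minting calls made with temporary credentials."""
    findings = []
    for event in records:
        if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") not in STS_MINT_EVENTS:
            continue
        ident = event.get("userIdentity", {})
        if not is_temporary_key(ident.get("accessKeyId", "")):
            continue  # a long-term key calling STS is ordinary role assumption
        reasons = ["temporary credentials used to mint further STS credentials"]
        if is_instance_role_session(ident) and not in_trusted_net(event.get("sourceIPAddress", "")):
            reasons.append("instance-role session used from outside the trusted VPC range")
        findings.append({"eventID": event["eventID"], "eventName": event["eventName"],
                         "sourceIPAddress": event["sourceIPAddress"], "reasons": reasons})
    return findings
```

Run over real CloudTrail exports, the same logic applies per record in the "Records" array; the trusted range should be the account's actual VPC CIDRs.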

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, though they also target Tencent Cloud Monitor and the third-party BMC Helix Cloud Security agents. While the bulk of the malicious scripts target AWS Elastic Compute Cloud (EC2) virtual machines, these bots are most typically detected running inside Alibaba Cloud Elastic Compute Service (ECS) instances or Tencent Cloud VMs. They could theoretically be deployed on a VM running on AWS or any other service, but that would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other cloud security tools popular in the United States.

Talos extracted the Alibaba defense impairment routines from the script Kubernetes root payload 2.sh. Because static analysis of these functions is hampered by the many Base64-encoded strings they contain, the strings have been decoded and the functions placed in the file ali-defense-impairment-base64-decoded.sh.txt.

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution vulnerability in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly fold newly disclosed flaws into existing attacks. The exploitation attempts use a custom web shell to deploy the miners, but not before switching off the firewall and killing competing virtual currency miner processes.

Abcbot Malware Linked to the Developers of the Xanthe Cryptomining Bug

 

Abcbot, the newly discovered botnet, has a longer history than originally believed. According to ongoing examination of this malware family, it has a clear link to the Xanthe-based cryptojacking campaign found by Cisco's Talos security research team in late 2020. When Talos was notified of an intrusion on one of its Docker honeypots, it discovered malware that looked like a bitcoin mining bot.

That malware is known as Xanthe, and its main goal is to mine cryptocurrency using the resources of a compromised system. Based on the findings, the same threat actor is behind both Xanthe and Abcbot, and its goal has shifted from mining cryptocurrency on compromised hosts to more classic botnet activity such as DDoS attacks.

Abcbot attacks, first reported by Qihoo 360's Netlab security team in November 2021, are triggered by a malicious shell script that targets insecure cloud instances operated by providers such as Huawei, Tencent, Baidu, and Alibaba Cloud. The script downloads malware that co-opts the machine into a botnet, but not before terminating processes belonging to competing threat actors and establishing persistence. The shell script in question is an updated version of one found by Trend Micro in October 2021, which targeted vulnerable Huawei Cloud ECS instances.

Further investigation of the botnet, which included mapping all known Indicators of Compromise (IoCs) such as IP addresses, URLs, and samples, revealed code- and feature-level similarities between Abcbot and a cryptocurrency mining operation known as Xanthe, which spread its infection through misconfigured Docker deployments.

The semantic similarities between the two malware families range from the way the source code is formatted to the names given to the routines: some functions have not only identical names and implementations (e.g., "nameservercheck") but also the word "go" appended to the end of the function name (e.g., "filerungo"). According to the researchers, Abcbot also contains code that adds four malicious users to the compromised machine:
  • Logger
  • Ssysall
  • Ssystem
  • sautoupdater
Researchers believe there are substantial links between the Xanthe and Abcbot malware families, implying that the same threat actor is involved. Most of these links, including string reuse, references to shared infrastructure, stylistic choices, and functionality seen in both, would be difficult and inefficient to recreate identically. If the same threat actor is behind both campaigns, it signals a shift away from cryptocurrency mining on compromised devices and toward botnet-related operations such as DDoS attacks.

Alibaba Cloud Servers Hacked, Trend Micro Reports

 

Trend Micro announced on Monday that numerous hacking groups have been targeting Alibaba Cloud servers to install cryptocurrency mining malware, an activity known as "cryptojacking".

One of the challenges with Alibaba ECS, according to Trend Micro, is the absence of distinct privilege tiers configured on an instance, with all instances providing root privileges by default. This allows malicious actors who obtain login credentials to connect to the targeted system via SSH as root without any preparatory privilege-escalation work.

Alibaba is a Chinese technology behemoth with an international market presence, with cloud services mainly used throughout Southeast Asia. 

The ECS service in particular is advertised as having fast memory, Intel CPUs, and favourable low-latency operation. In addition, ECS comes with a security agent pre-installed to protect against malware such as crypto miners.

"The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials, or data leakage," explains Trend Micro's report. 

Moreover, the attackers can use these administrative privileges to create firewall rules that drop incoming packets from IP ranges belonging to internal Alibaba servers, preventing the installed security agent from detecting suspicious behaviour.
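A defensive check for the firewall-rule tactic just described, written as an added example (my own code, not Trend Micro's): it parses iptables-save style rules and flags any DROP or REJECT rule whose source or destination overlaps a cloud security agent's backend range. The 100.64.0.0/10 range and the rule lines are constructed placeholders; the real agent ranges come from the provider's documentation, not from this page.

```python
# Added example (not Trend Micro's code): flag host firewall rules that would
# cut a cloud security agent off from its backend, as described in the text above.
import ipaddress
import re

# Placeholder agent backend ranges; the real ones come from the provider's documentation.
AGENT_NETS = [ipaddress.ip_network("100.64.0.0/10")]

# Constructed iptables-save style rules modelled on the behaviour described above.
SAMPLE_RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 100.100.0.0/16 -j DROP
-A INPUT -s 203.0.113.9/32 -p tcp --dport 22 -j DROP
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 100.103.8.0/24 -j REJECT
""".strip().splitlines()

# Matches the chain, an optional source (-s) and destination (-d), and the jump target.
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?: -s (?P<src>\S+))?(?: -d (?P<dst>\S+))?.*? -j (?P<target>\S+)$")


def parse_rule(line):
    """Return (chain, src, dst, target) for an iptables -A rule, or None if it does not parse."""
    m = RULE_RE.match(line.strip())
    return None if m is None else (m["chain"], m["src"], m["dst"], m["target"])


def blinding_rules(rules, agent_nets=AGENT_NETS):
    """Return DROP/REJECT rules whose source or destination overlaps an agent backend range."""
    hits = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None or parsed[3] not in {"DROP", "REJECT"}:
            continue
        chain, src, dst, target = parsed
        for addr in (src, dst):
            if addr is None:
                continue
            net = ipaddress.ip_network(addr, strict=False)
            # overlaps() catches a rule that covers part of a range, not only the whole range
            if any(net.overlaps(agent) for agent in agent_nets):
                hits.append({"chain": chain, "address": addr, "target": target})
                break
    return hits
```

On a live host the input would be the output of iptables-save (or iptables -S), fed line by line into blinding_rules.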

Given how easily kernel module rootkits and cryptojacking malware can be planted with such elevated privileges, it is not surprising that numerous threat actors compete to take over Alibaba Cloud ECS instances.

Trend Micro has also noticed scripts that search for processes running on specific ports frequently used by malware and backdoors and terminate the associated processes to eliminate competing malware. An auto-scaling system, which allows the service to automatically adjust computing resources depending on the volume of user queries, is yet another ECS feature used by the threat actors. 

Auto-scaling is intended to prevent service disruptions caused by unexpected traffic loads, but it also provides an opportunity for cryptojackers. Abusing it when it is enabled on the targeted account allows the actors to increase their Monero mining power while incurring extra costs for the instance owner.

Stolen Card Validation Service Illuminated A New Corner of the Skimming Ecosystem

 

In recent analysis, researchers found that the digital credit card skimming ecosystem keeps evolving as they identify the new players, tooling, services, and economies that make it up, much of it through studies of the threat infrastructure involved. They also noticed significant patterns emerging in the infrastructure that these groups use and share.

Many domains used for digital skimming and other criminal activities have been hosted on Alibaba IP space in recent years. Because bulletproof hosting companies host a large percentage of skimming campaigns, the popularity of Alibaba IP space could be due to one of these bulletproof services abusing Alibaba hosting services. Some of these domains have also recently been observed abusing Google's user content hosting service.

While investigating the MobileInter skimmer's infrastructure, the analysts found that one of its skimmer domains was temporarily hosted on a Google IP address. That IP later hosted a domain offering card skimmers a useful service: validating stolen payment data for a fee. Using RiskIQ's Internet Intelligence Graph, the analysts were able to discover multiple associated websites, services, and social media accounts connected to this validation service, known as bit2check. Some bit2check domains have been spotted abusing Alibaba and Google hosting services in the same way as Magecart domains.

Following further investigation, the analysts found that the person behind bit2check is a Kurdish actor who goes by the name Hama. There was no apparent relationship between this individual and the bulletproof hosting operation seen on Alibaba; on the other hand, the connection could lead to more information about who is providing these malicious hosting services.

The bit2check website advertises a bit2check Telegram group and promotes itself as the "greatest CVV/cc checker in town." Many Kurdish-language Telegram channels also link to the bit2check site and others, including bin-checker[.]net, a free version of bit2check. These card-checking services promote each other through links on their websites and Telegram channels.

The domains and accounts linked to Hama are also associated with the activities of other players in the carding sector. Code produced by another actor known as namso can be seen on some of Hama's websites, and a directory called namso_files can be found in Hama's GitHub repository.

Since RiskIQ first reported on Magecart in 2016 and its historic attack against British Airways in 2018, they have been investigating browser-based card skimming. 

Bit2check is another part of this vast ecosystem that caters to skimmers looking to validate their loot or buy more stolen information. Many of the companies in this ecosystem network, both the skimmers and the services that cater to them, are using the same strategies and infrastructure, according to RiskIQ.

Alibaba's Online Store RedMart Suffers Data Breach of More Than a Million Accounts; Experts Say It Was the Company's Fault

 

Lazada, a Singapore firm owned by e-commerce company Alibaba, suffered a hacking attack that exposed more than one million accounts. On Friday, the e-commerce company said it lost user accounts containing personal information such as credit card details and addresses. In what is considered one of the most significant data breach incidents, Singapore suffered a breach of 5.7 million accounts.

According to ZDNet, "once beloved for its streamlined and clean user interface, the integrated RedMart experience was described by customers as cluttered, difficult to navigate, and missing several popular features such as the ability to update a scheduled order and access to the favorite items list." In its email, the firm confirmed that the hackers took the information from the database of its online grocery platform, RedMart. RedMart had been inactive for more than eighteen months. Experts say the attack on RedMart was bound to happen because the company did not take cybersecurity measures when it incorporated the app into its digital platform around a year ago.

There were various flaws in the integration process when the companies merged. According to experts, Lazada should have reviewed the process after completing the transition. The incident became widely known after a hacker claimed to have access to one million RedMart accounts, including personal information such as banking details, passwords, contacts, addresses, and names. Lazada had acquired RedMart in November 2016. The company has notified affected users about the breach; their accounts have been automatically logged out and they have been told to change their passwords. Lazada has confirmed that RedMart's database was on a third-party provider's hosting service and that the compromised accounts were out of date.

The company says it has taken immediate measures to address the issue, that any illegal access has been blocked, and that no customer data has been breached. "The Southeast Asian e-commerce operator in January 2019 announced plans to integrate the RedMart app into its platform, more than two years after it acquired RedMart. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016," reports ZDNet.