Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Backdoor. Show all posts
WordPress Plugins
Backdoor CyberCrime CyberNAttacks Cybersecurity CyberThreat Supply Chain Attack WordPress Plugins

Hackers Slip Backdoor into WordPress Plugins in Latest Supply-Chain Attack

 


Security researchers announced on Monday that there had been a supply chain attack on up to 36,000 WordPress plugins running on a wide range of websites that had been backdoored by unknown hackers. Currently, researchers from security firm Wordfence report that the campaign has affected five plugins as of Monday morning. It has been active since last week. It has been reported that unknown threat actors have recently added malicious functionality to plugin updates on WordPress.org, which is the official site for the free open-source WordPress CMS. This update creates an attacker-controlled administrative account that can be used to control the compromised site, as well as add content designed to boost search results. 

The updates can be installed automatically when the updates are installed. There has been a significant amount of backdooring in WordPress plugins to allow malicious code to be injected which can lead to the creation of rogue administrator accounts which can be used for arbitrary purposes. As Wordfence security researcher Chloe Chamberland pointed out in an alert on Monday, the malware injects itself into the system, attempting to create an administrator user account and sending back that account's details to the attacker's server. 

Further, it appears that the threat actor may also have injected malicious JavaScript into the footers of websites, which appears to be causing SEO spam to be displayed throughout the website. According to Wordfence security researchers, a company that monitors the security of the biggest website builder platforms in the world, five plugins have been poisoned with a poisonous patching function so far. Whenever users patch these WordPress plugins, they are presented with a piece of code that creates a new admin account, which is then used by the attackers to establish the account login credentials. 

The perpetrators of this threat (whose identity has not been revealed yet) thus gain full and unrestricted access to the website in this way. The plugins that have been made available are called Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, and Contract Form 7 Multi-Step Add-on as well as Just Show Hooks. Combined, these five plugins have been installed 36,000 times. Of these, Social Warfare has the most number of installations at 30,000, far and away the most popular one. As of the time of publication, it was not yet clear how the attackers were able to compromise the patching process for these five plugins, and thus compromise their security.

It was reported that reporters at Ars Technica attempted to get in touch with the plugin developers (some did not even provide contact information on their plugin websites, meaning it was impossible to get in touch with them) but did not receive any response. There has been a sharp rise in the number of supply-chain attacks over the past decade, which has become one of the most effective ways to install malware within a supply chain. The threat actors have been able to achieve significant gains by poisoning the software source code so that by simply running a trusted update or installation file, they can infect large numbers of devices. 

This year, an almost disastrous event occurred when a backdoor was discovered, largely through chance, in the widespread open-source XZ Utils code library a week or so ahead of its general release date, narrowly averting disaster. In addition, there have been many other recent supply-chain attacks that can be found in the media. Researchers are currently working on investigating how and why the malware was uploaded to the plugin channel for downloading on the WordPress site to increase their knowledge about it. Several emailed questions were sent to representatives of WordPress, BLAZE, and Social Warfare, none of whom responded. 

Because there is no contact information on the websites of the developers of the remaining three plugins, it was impossible to connect with the representatives of those developers. As mentioned by the Wordfence researchers, they were first made aware of the attack on Saturday when they received an email from a member of the WordPress plugin review team that mentioned the attack. Based on their analysis of the malicious file, the researchers were able to identify four other plugins that had similar codes that were exposed to the same threat. 

There is generally a perception that WordPress is a secure platform for designing and building websites. However, it is a platform with a vast number of third-party themes and plugins, many of which suffer from poor protection, and/or don't enjoy the same level of maintenance as the platform itself. Consequently, they are considered to be a great entry point for threat actors, due to their unique nature. Moreover, the themes and plugins available for WordPress can be both free-to-use and commercially produced, but the latter are often abandoned or maintained by a single developer or hobbyist. 

There is therefore a strong need for WordPress administrators to use extreme caution when installing third-party additions to their websites. They need to ensure that only the files they intend to use are installed. It is imperative for users to ensure their WordPress plugins are always updated and to remain vigilant for any news regarding vulnerabilities. Individuals who have installed any of the compromised plugins should uninstall them immediately and thoroughly inspect their sites for any newly created admin accounts or unauthorized content. Users who utilize the Wordfence Vulnerability Scanner will be alerted if their site is running any of the affected plugins. 

Furthermore, the Wordfence post advises users to monitor their sites for connections originating from the IP address 94.156.79.8, as well as to check for admin accounts with the usernames "Options" or "PluginAuth."
Read more »
Software Security
Backdoor Courtroom Endpoint security malware Software Security

From Courtroom to Cyber Threat: The JAVS Viewer 8 Incident

From Courtroom to Cyber Threat: The JAVS Viewer 8 Incident

Hackers have broken into a popular brand of recording software used in courtrooms, jails, and prisons, allowing them to obtain complete control of the system via a backdoor implanted in an update to the application.

Software and its purpose

Justice AV Solutions (JAVS) uses its technologies to capture events such as lectures, court proceedings, and council meetings, and they have over 10,000 installations worldwide. It is available for download from the vendor's website and is a Windows installer package. 

The discovery 

However, the company announced this week that it had uncovered a security flaw in an earlier version of its JAVS Viewer program.

Through continuing monitoring and consultation with cyber authorities, the company discovered attempts to replace its Viewer 8.3.7 software with a tainted file.

The company removed all versions of Viewer 8.3.7 from the JAVS website, changed all passwords, and thoroughly assessed all JAVS systems. It also determined that all currently available files on the JAVS.com website are legitimate and free of malware. The company also confirmed that no JAVS source code, certificates, systems, or other software releases were affected during this event.

The backdoor

The malicious file, which contained malware, "did not originate from JAVS or any third party associated with JAVS," and the business advised users to ensure that any software they installed was digitally signed.

Rapid7, a cybersecurity firm, published an investigation of the vulnerability on Thursday, revealing that the compromised JAVS Viewer program — which opens media and logs files in the suite — contains a backdoored installer that allows attackers full access to an infected system. 

Installation and communication

The malware sends data about the host machine to the threat actors' command-and-control (C2) servers. Rapid7 identified the bug as CVE-2024-4978 and stated that it collaborated with the CISA to coordinate the disclosure of the problem. 

Rapid7 stated that the malicious copies of the software were signed by "Vanguard Tech Limited," which is reportedly headquartered in London. 

Rapid7's alert emphasized the importance to reimaging all endpoints where the software was installed, as well as resetting credentials on web browsers and any accounts authenticated into impacted endpoints, both local and remote. 

Data harvesting

Simply uninstalling the software is insufficient, as attackers could have installed further backdoors or malware. They wrote that reimagining allows for a fresh start.

"It is important to completely re-imagine compromised endpoints and reset associated passwords to guarantee that attackers have not persisted via backdoors or stolen credentials. 

A threat intelligence researcher originally raised the matter on X (previously Twitter) in April, claiming that "malware is being hosted on the official website of JAVS." 

On May 10, Rapid7 responded to a client's system warning and traced an infection to an installer downloaded from the JAVS website. The malicious file that the victim had downloaded appears to have been withdrawn from the website, and it is unclear who did so. 

Additional malware

A few days later, the researchers uncovered another installer file carrying malware on the JAVS website. 

Software updates have become a focus in cybersecurity because end users frequently click "update" when requested, or they have them enabled automatically. 

Several firms, most notably SolarWinds and 3CX, have grappled with nation-state intrusions that used the update process to secretly implant malware. 

Read more »
Social Engineering
APT42 Backdoor Google malware Social Engineering

Backdoor Malware: Iranian Hackers Disguised as Journalists

Backdoor Malware: Iranian Hackers Disguised as Journalists

Crafting convincing personas

APT42, an Iranian state-backed threat actor, uses social engineering attacks, including posing as journalists, to access corporate networks and cloud environments in Western and Middle Eastern targets.

Mandiant initially discovered APT42 in September 2022, reporting that the threat actors had been active since 2015, carrying out at least 30 activities across 14 countries.

The espionage squad, suspected to be linked to Iran's Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), has been seen targeting non-governmental groups, media outlets, educational institutions, activists, and legal services.

According to Google threat analysts who have been monitoring APT42's operations, the hackers employ infected emails to infect their targets with two custom backdoors, "Nicecurl" and "Tamecat," which allow for command execution and data exfiltration.

A closer look at APT42’s social engineering tactics

APT42 assaults use social engineering and spear-phishing to infect targets' devices with tailored backdoors, allowing threat actors to obtain initial access to the organization's networks.

The attack begins with emails from online personas posing as journalists, NGO representatives, or event organizers, sent from domains that "typosquat" (have identical URLs) with actual organizations.

APT42 impersonates media organizations such as the Washington Post, The Economist, The Jerusalem Post (IL), Khaleej Times (UAE), and Azadliq (Azerbaijan), with Mandiant claiming that the attacks frequently employ typo-squatted names such as "washinqtonpost[.]press".

Luring victims with tempting bait

After exchanging enough information to establish confidence with the victim, the attackers transmit a link to a document connected to a conference or a news item, depending on the lure theme.

APT42 assaults use social engineering and spear-phishing to infect targets' devices with tailored backdoors, allowing threat actors to obtain initial access to the organization's networks.

The attack begins with emails from online personas posing as journalists, NGO representatives, or event organizers, sent from domains that "typosquat" (have identical URLs) with actual organizations.

The imitation game

APT42 impersonates media organizations such as the Washington Post, The Economist, The Jerusalem Post (IL), Khaleej Times (UAE), and Azadliq (Azerbaijan), with Mandiant claiming that the attacks frequently employ typo-squatted names such as "washinqtonpost[.]press".

After exchanging enough information to establish confidence with the victim, the attackers transmit a link to a document connected to a conference or a news item, depending on the lure theme.

Nicecurl, Tamecat: Custom backdoor

APT42 employs two proprietary backdoors, Nicecurl and Tamecat, each designed for a specific function during cyberespionage activities.

Nicecurl is a VBScript-based backdoor that can run commands, download and execute other payloads, and extract data from the compromised host.

Tamecat is a more advanced PowerShell backdoor that can run arbitrary PS code or C# scripts, providing APT42 with significant operational flexibility for data theft and substantial system modification.

Tamecat, unlike Nicecurl, obfuscates its C2 connection with base64, allows for dynamic configuration updates, and examines the infected environment before execution to avoid detection by AV products and other active security mechanisms.

Exfiltration via Legitimate Channels

Both backdoors are sent by phishing emails containing malicious documents, which frequently require macro rights to run. However, if APT42 has established trust with the victim, this requirement becomes less of an impediment because the victim is more inclined to actively disable security features.

Volexity studied similar, if not identical, malware in February, linking the attacks to Iranian threat actors.

The full list of Indicators of Compromise (IoCs) for the recent APT42 campaign, as well as YARA rules for detecting the NICECURL and TAMECAT malware, are available at the end of Google's report.

Read more »
XZ Utils Library
Backdoor Information Security Linux Linux Security Vulnerabilities and Exploits XZ Utils Library

Unveiling the XZ Utils Backdoor: A Wake-Up Call for Linux Security

 

The recent discovery of a backdoor in the XZ Utils, a vital tool for lossless data compression on Linux, has sent shockwaves through the tech community. This revelation poses a significant risk to nearly all Linux systems, prompting urgent concerns about cybersecurity and system integrity. 

The Common Vulnerabilities and Exposures (CVE) system, a reference for publicly known information-security vulnerabilities, assigned a severity score of 10/10 to the Linux XZ Utils backdoor. This rating underscores the gravity of the situation and underscores the urgent need for action. 

The initial detection of the backdoor was made by Andres Freund, a PostgreSQL developer at Microsoft. Freund noticed unusual SSH login delays and CPU usage spikes on a Debian Linux system, leading to an investigation that uncovered the presence of the backdoor in the XZ Utils. This discovery exposed countless Linux servers and workstations to potential attacks, highlighting the widespread impact of the vulnerability. 

The backdoor was cleverly concealed within binary files in the XZ Utils’ test folder, encrypted using the XZ library itself, making it difficult to detect. While systems running Debian or Red Hat Linux distributions were particularly vulnerable, Arch Linux and Gentoo Linux appeared to be spared due to their unique system architectures. The malware exploited an audit hook in the dynamic linker, a fundamental component of the Linux operating system, enabling attackers to execute code remotely at the system level. 

This capability granted them full control over compromised systems, posing severe risks such as data theft, system disruption, and the deployment of additional malware or ransomware. Further investigations revealed that the breach of the XZ repository was a sophisticated and well-coordinated effort, likely involving multiple individuals. This complexity raises concerns about the extent of the damage and the potential for other undiscovered vulnerabilities. 

The attack's sophistication suggests a deep understanding of the Linux ecosystem and the XZ Utils, highlighting the need for enhanced security measures in open-source software development. Immediate steps, such as updating to patched versions of XZ Utils or reverting to safe earlier versions, are crucial for system security. This incident serves as a wake-up call for the Linux community to reassess its security practices and strengthen defenses against future attacks. 

Rigorous code reviews, increased use of security auditing tools, and fostering transparency and collaboration among developers and security researchers are essential steps to mitigate similar threats in the future. As the tech community grapples with the implications of this backdoor, ongoing research is underway to determine the full extent of the threat. This incident underscores the critical importance of system security and the need for continuous vigilance against evolving cyber threats. Together, we must learn from this experience and work towards building a more secure and resilient Linux ecosystem.
Read more »
Technology
AI Collaboration Artificial Intelligence Backdoor Cyberattacks Cybersecureity Cybersecurity Hugging Face ML Model ML Models Technology

Hugging Face ML Models Compromised with Silent Backdoors Aimed at Data Scientists

 


As research from security firm JFrog revealed on Thursday in a report that is a likely harbinger of what's to come, code uploaded to AI developer platform Hugging Face concealed the installation of backdoors and other forms of malware on end-user machines. 

The JFrog researchers said that they found approximately 100 files that were downloaded and loaded onto an end-user device that was not intended and performed unwanted and hidden acts when they were installed. All of the machine learning models that were subsequently flagged, went undetected by Hugging Face, and all of them appeared to be benign proofs of concept uploaded by users or researchers who were unaware of any potential danger. 

A report published by JFrog researchers states that ten of them were actually "truly malicious" because they violated the users' security when they were installed, in that they implemented actions that compromised their security. This blog post aims to broaden the conversation surrounding AI Machine Language (ML) models for security, which has been a neglected subject for a long time and it is important to begin a discussion about it right now. 

The JFrog Security Research team is investigating ways in which machine learning models can be employed to compromise an individual's environment through executing code to compromise the environment of a Hugging Face user. The purpose of this post is to discuss the investigation into a malicious machine learning model that has been uncovered by us. 

People are regularly monitoring and scanning AI models uploaded by users on other open-source repositories, as they do with other open-source repositories, and it has been discovered that loading a pickle file can lead to code execution. A payload of this model allows the attacker to gain full control over a victim’s machine through what is commonly referred to as a “backdoor”, which allows them to gain complete control over their machines. 

The silent infiltration could result in the unauthorized accessing of critical internal systems, paving the way for massive data breaches or corporate espionage, affecting not just individuals, but potentially entire organizations across the globe, all while leaving victims utterly unaware of their compromised status, allowing for a wide range of possible repercussions. The attack mechanism is explained in detail, which sheds light on its complexities and potential implications. 

Taking a closer look at the intricate details of this nefarious scheme, it may be instructive to keep in mind the lessons that can be learned from it, the attacker's intentions, and the identity of whoever conducted this attack. In the same way as any technology, AI models can pose security risks if they are not handled correctly. 

A threat that is possible is code execution, where a malicious actor can run arbitrary code on the machine that loads or runs the model, thus posing a security risk. As a result of this, JFrog has created an external HoneyPot on an external server, completely isolated from any sensitive network to gain further insight into the actors' intentions. This HoneyPot can result in data breaches, system compromises, or malicious actions. HoneyPots are designed to attract different types of attacks by impersonating legitimate systems and services, so defenders can monitor and analyze the activities of attackers by monitoring and analyzing their behaviour. 

Several proactive measures can be taken by data scientists to prevent malicious models from being created and exploited to execute code. Examples include source verification, security scanning, safe loading methods, updating dependencies, reviewing model code, isolating environments, and educating users so that these risks can be mitigated. Several security measures were implemented by Hugging Face, a platform for AI collaboration, to prevent malware attacks, pickle attacks, and secret attacks. 

It is the purpose of these features to alert the users or moderators whenever a file in the repository contains malicious code, unsafe deserialization, or sensitive information. Although the platform has taken several precautions to protect itself from real threats, recent incidents serve to accentuate the fact that it is not immune from them.
Read more »
U.S. targets
Agent Raccoon Backdoor Hacking malware Online Security Threat actor U.S. targets

Hackers Use This New Malware to Backdoor Targets in Middle East, Africa and U.S

 

Various entities in the Middle East, Africa, and the United States have fallen victim to an unidentified threat actor orchestrating a campaign involving the dissemination of a recently discovered backdoor named Agent Racoon. According to Chema Garcia, a researcher at Palo Alto Networks Unit 42, the malware is crafted using the .NET framework and exploits the domain name service (DNS) protocol to establish a covert communication channel, facilitating diverse backdoor functionalities.

The targeted organizations hail from a range of sectors, including education, real estate, retail, non-profit, telecommunications, and government. Despite the lack of attribution to a specific threat actor, the campaign is suspected to be state-sponsored due to discernible victimology patterns and the utilization of sophisticated detection and defense evasion techniques. Palo Alto Networks is monitoring this threat cluster under the label CL-STA-0002. The exact method of infiltration and the timeline of the attacks remain unclear at this point.

The adversary employs additional tools alongside Agent Racoon, such as a customized version of Mimikatz named Mimilite and a novel utility known as Ntospy. The latter utilizes a custom DLL module implementing a network provider to pilfer credentials for a remote server. Notably, while Ntospy is employed across the affected organizations, Mimilite and Agent Racoon are specifically found in the environments of non-profit and government-related organizations.

Agent Racoon, executed through scheduled tasks, enables the execution of commands, uploading and downloading of files, all while camouflaging itself as Google Update and Microsoft OneDrive Updater binaries. The command-and-control (C2) infrastructure linked to the implant dates back to at least August 2020, with the earliest sample of Agent Racoon uploaded to VirusTotal in July 2022.

Unit 42's investigation revealed instances of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching various search criteria. The threat actor has also been observed harvesting victims' Roaming Profile. Despite these findings, the tool set associated with this campaign has not been definitively linked to a specific threat actor and appears to extend beyond a single cluster or campaign, according to Garcia.
Read more »
Shell
Atlassian Backdoor Cyber Security Ransomware Attacks. Server Exploit servers Shell

Effluence Backdoor: A Lingering Menace in Atlassian Confluence Servers

According to current cybersecurity developments, despite intensive efforts to patch vulnerabilities in Atlassian Confluence servers, the infamous Effluence backdoor remains a persistent danger. Because of this online shell's invisibility and the possible threats it poses to companies, security experts and researchers have expressed alarm.

Effluence, a covert backdoor identified in Atlassian Confluence servers, has been a focal point in the cybersecurity community due to its ability to evade detection and persist even after patching. Reports from prominent sources like The Hacker News and OPP Today reveal that despite efforts to secure Confluence servers, the Effluence backdoor remains active, allowing unauthorized access and potential exploitation.

TS2 Space, a cybersecurity platform, sheds light on the clandestine nature of the Effluence backdoor, emphasizing its stealthy capabilities. The backdoor's ability to operate without authentication makes it a formidable threat, enabling hackers to infiltrate systems undetected. This characteristic poses a significant challenge for organizations relying on Atlassian Confluence for collaborative work, as the backdoor can potentially compromise sensitive data and lead to severe security breaches.

Aon Cyber Labs has been at the forefront of efforts to detect and mitigate the Effluence backdoor. Their insights into unauthenticated Confluence web shell attacks provide valuable information for organizations looking to fortify their cybersecurity defenses. The challenge lies not only in patching known vulnerabilities but also in actively identifying and eliminating instances of the Effluence backdoor that may have already infiltrated systems.

Concerns have been raised by cybersecurity specialists regarding a possible link between ransomware attacks and Effluence. Effluence poses increased threats, since hackers may use it as a doorway to spread ransomware and extort businesses for money. This rise in risks emphasizes how urgent it is for businesses to take comprehensive and quick action against the Effluence backdoor.

The Effluence backdoor's continued existence is a sobering reminder of the difficulties businesses confront in protecting their digital infrastructure as the cybersecurity scene changes. Proactive patching, ongoing monitoring, and strong detection methods are just a few of the many strategies needed to combat this danger. Preventing possible breaches is crucial for preserving the security and integrity of organizational data in an era where cyber threats are growing more complex.


Read more »
Tech Industry
Android Backdoor Financial Fraud Personal Data Privacy Smart TV Supply Chain Attack Tech Industry

Discovering the Threat from Android TV Backdoors

Android TV streaming boxes are already commonplace in homes all over the world because they provide an easy method to access a wealth of content. A pernicious backdoor that poses a serious risk to user security and privacy, however, is concealed within some of these devices.

Recent investigations have revealed the worrying ubiquity of this backdoor, which permits unauthorized access to critical data. Reputable reports emphasize the severity of this problem, shocking the tech industry.

The backdoor, dubbed 'BADBOX,' has been found in thousands of Android TV boxes, turning them into potential ticking time bombs. It allows cybercriminals to gain unrestricted access to personal data, opening the door to identity theft, financial fraud, and other malicious activities. What's even more alarming is that this backdoor is notoriously difficult to detect and eliminate, as it's deeply embedded in the device's firmware.

Experts warn that these compromised devices are not limited to a specific brand or model. In fact, they are spread across various manufacturers, making it a widespread issue that affects a broad spectrum of users. This has raised concerns about the supply chain integrity of these devices, prompting calls for stricter quality control measures.

The implications of this security breach are far-reaching. Families, individuals, and businesses alike are at risk of falling victim to cyberattacks, putting their sensitive information in the wrong hands. As we increasingly rely on smart technology for convenience and entertainment, the need for robust cybersecurity measures has never been more pressing.

To combat this threat, manufacturers, government agencies, and cybersecurity specialists are working nonstop. Users are being urged to exercise caution and maintain their devices patched with the most recent security updates. Customers are also encouraged to buy equipment from reliable vendors and to exercise caution when contemplating unofficial or off-brand retailers.

The discovery of the Android TV backdoor is a sobering reminder of how rapidly cybersecurity dangers are changing. Our attempts to protect our digital lives must grow at the same rate as technology. We can all work together to create a better and more secure digital future by remaining informed, implementing best practices, and supporting industry-wide initiatives.
Read more »
servers
attacks Backdoor Cyber Security Safety servers

Vietnamese Public Companies Targeted by SPECTRALVIPER Backdoor

 

Vietnamese public companies are facing an ongoing targeted campaign involving the SPECTRALVIPER backdoor. This backdoor, previously undisclosed and in the x64 variant, offers a range of capabilities such as manipulating files, impersonating tokens, and loading PE files. Elastic Security Labs has identified these attacks as the work of REF2754, a threat actor associated with the Vietnamese APT32 group, also known as Canvas Cyclone, Cobalt Kitty, and OceanLotus.

In the latest attack chain, SysInternals ProcDump utility is utilised to load an unsigned DLL file containing DONUTLOADER, which then loads SPECTRALVIPER and other malware. 

SPECTRALVIPER establishes communication with a server controlled by the threat actor to receive commands and employs obfuscation techniques to evade analysis. Additional malware involved in these attacks includes P8LOADER, capable of launching arbitrary payloads from files or memory, and a PowerShell runner named POWERSEAL, which executes provided PowerShell scripts or commands.

REF2754 exhibits tactical similarities to another group known as REF4322, which has targeted Vietnamese entities using the PHOREAL implant. These connections suggest a high likelihood of state-affiliated threats originating from Vietnam.

Meanwhile, Check Point Research has discovered a cyberespionage campaign targeting Libyan organizations, employing a customized backdoor named Stealth Soldier. This malware possesses advanced surveillance capabilities and is believed to be linked to a threat actor known as "The Eye on the Nile."

In the realm of Linux malware, the BPFDoor has received updates to enhance its stealth capabilities, including stronger encryption and improved reverse shell communications. Notably, the latest version of BPFDoor has not been detected as malicious by any currently available antivirus engines for the platform.

SPECTRALVIPER can be compiled as either an executable or DLL to mimic known binary exports. The malware leverages encrypted communication channels (HTTP and named pipe) with AES encryption and either Diffie-Hellman or RSA1024 key exchange. All samples of SPECTRALVIPER undergo heavy obfuscation using the same obfuscator, with varying levels of hardening, making analysis challenging.

Read more »
Safety
Backdoor Cyber Security Data Safety data security PyPI python Safety

PyPI Enforces the Usage of Two-factor Authentication for All Software Publishes

 

The Python Package Index (PyPI) has stated that by the end of the year, every account that maintains a project on the system will be compelled to enable two-factor authentication (2FA). PyPI is a software repository for Python programming language packages. 

The index contains 200,000 packages, allowing developers to identify existing packages that meet specific project needs, saving time and effort. The PyPI team said the decision to make 2FA required for all accounts is part of their long-term commitment to strengthening platform security, and it supports earlier steps such as barring compromised credentials and enabling API tokens.

The reduced danger of supply chain assaults is one advantage of 2FA protection. These attacks occur when an intruder obtains authority over a software maintainer's account and installs a backdoor or malware to a package that is used as a dependency in other software projects.

Depending on the popularity of the product, such attacks may affect millions of people. While developers are responsible for thoroughly checking the building components of their projects, PyPI's measures should make it easier to avoid this type of issue.

Furthermore, in recent months, the Python project repository has been plagued by frequent virus uploads, famous package imitations, and the re-submission of dangerous code using hijacked identities.

The problem became so severe that PyPI was forced to temporarily halt new user and project registrations last week until an adequate defense solution could be designed and implemented. 2FA protection will help to lessen the problem of account takeover attempts, and it should also limit the number of new accounts a suspended user may create in order to re-upload dangerous packages. The deadline for implementing 2FA on all project and organization maintainer accounts is the end of 2023.

In the next months, impacted customers should prepare for and implement the additional security precaution, which may be accomplished using either a hardware key or an authentication app.

“The most important things you can do to prepare are to enable 2FA for your account as soon as possible, either with a security device (preferred) or an authentication app, and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI.” - PyPI

In accordance to the PyPI team, the preparatory work performed in previous months, such as introducing 'Trusted Publishing,' combined with parallel initiatives from platforms such as GitHub that have helped developers familiarise themselves with 2FA requirements, make this year an ideal time to introduce the measure.
Read more »
Software
Backdoor Data Backup Data Breach Encryption Firewalls MFA Software

Safeguarding Your Data: 10 Best Practices to Prevent a Data Breach

 

Data breaches have become a significant concern for organizations and individuals alike, as cyber threats continue to evolve in complexity and scale. The consequences of a data breach can be severe, ranging from financial loss and reputational damage to legal implications. It is crucial for businesses to implement robust preventive measures to protect their valuable data and maintain customer trust. Here are some best practices and tactics to prevent a data breach.
  1. Develop a comprehensive security strategy: Establish a well-defined security plan that includes policies, procedures, and guidelines for data protection. Regularly review and update this strategy to adapt to evolving threats.
  2. Educate and train employees: Human error is a leading cause of data breaches. Conduct regular training sessions to educate employees on data security practices, such as strong password management, recognizing phishing attempts, and handling sensitive data appropriately.
  3. Implement strong access controls: Limit access to sensitive data and ensure that access rights are granted based on a need-to-know basis. Regularly review and update user permissions as employees change roles or leave the organization.
  4. Encrypt sensitive data: Utilize encryption techniques to protect data both at rest and in transit. Encryption adds an extra layer of security, making it difficult for unauthorized individuals to access and interpret the data.
  5. Regularly patch and update systems: Keep all software, operating systems, and applications up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by attackers to gain unauthorized access.
  6. Use multi-factor authentication (MFA): Implement MFA for accessing critical systems and sensitive data. MFA adds an extra layer of authentication, making it harder for attackers to gain unauthorized access even if passwords are compromised.
  7. Conduct regular security assessments: Perform comprehensive security assessments, including vulnerability scans and penetration testing, to identify potential weaknesses and address them proactively.
  8. Implement data backup and recovery procedures: Regularly back up critical data and test the restoration process. In the event of a breach, having reliable backups can help restore systems and minimize downtime.
  9. Monitor network and system activity: Employ intrusion detection and prevention systems, as well as log monitoring and analysis tools, to identify and respond to suspicious activity promptly.
  10. Establish an incident response plan: Develop a well-defined incident response plan that outlines the steps to be taken in the event of a data breach. This plan should include communication strategies, containment measures, and coordination with relevant stakeholders.
By following these best practices, organizations can significantly reduce the risk of a data breach and protect sensitive information. However, it's essential to stay informed about emerging threats, industry best practices, and regulatory requirements to ensure ongoing data security. Remember, prevention is key when it comes to data breaches, and a proactive approach can save you from costly and damaging repercussions.


Read more »
Security
Backdoor Cyber campaign Cyber Security Data Rootkit Safety Security

Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant,

 

A new hacking group has targeted the government, aviation, education, and telecom industries in South and Southeast Asia as part of a highly focused campaign that began in mid-2022 and extended into the first quarter of 2023. 

Broadcom Software's Symantec is monitoring the activity under the insect-themed moniker Lancefly, with the attacks employing a "powerful" backdoor called Merdoor. So far, data suggests that the personalized implant was used as early as 2018. Based on the instruments and the victimology pattern, the campaign's ultimate purpose is intelligence gathering.

"The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News.

"The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

While the precise initial intrusion vector is unknown, it is believed to have entailed the use of phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers. The attack chains eventually lead to the distribution of ZXShell and Merdoor, fully-featured malware capable of communicating with an actor-controlled server for more commands and logging keystrokes.

ZXShell, first discovered by Cisco in October 2014, is a rootkit with several functionalities for harvesting sensitive data from affected hosts. In the past, the use of ZXShell has been linked to several Chinese actors such as APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda).

"The source code of this rootkit is publicly available so it may be used by multiple different groups," Symantec said. "The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable."

Another Chinese connection is that the ZXShell rootkit is signed by the certificate "Wemade Entertainment Co. Ltd," which Mandiant previously identified as being related to APT41 (aka Winnti) in August 2019.

Lancefly incursions have also been linked to the use of PlugX and its successor ShadowPad, the latter of which has been used by several Chinese state-sponsored entities since 2015. However, it is also known that certificate and tool sharing is common among Chinese state-sponsored groups, making identification to a specific known assault crew challenging.

"While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period," Symantec noted. "This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar."
Read more »
URL
APT Backdoor Botnet Chinese Hackers Data Breach Sensitive Information Software URL

Chinese APT Group Hijacks Software Updates for Malware Delivery

An advanced persistent threat (APT) group from China, known as Evasive Panda, has been discovered to be hijacking legitimate software update channels of Chinese-developed applications to deliver custom malware to individuals in China and Nigeria for cyber-espionage purposes. Researchers from Eset discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses. The modular malware allows Evasive Panda to spy on victims and enhance its capabilities on the go.

The APT group's activity was fairly easy to attribute to Evasive Panda as researchers have never observed any other threat actors using the MgBot backdoor. The attacks have been ongoing for two years, and the primary goal is to steal credentials and data for espionage purposes. This is another example of state-sponsored actors' increasing sophistication and persistence in cyberspace.

Using legitimate software update channels is a clever technique employed by the group to avoid detection by traditional security measures. Once the malware is delivered through the update, it can operate in the background undetected, and the APT group can exfiltrate sensitive information from the victim's device.

This discovery highlights the importance of maintaining a secure software supply chain and the need for constant vigilance in monitoring the activity of state-sponsored threat actors. Organizations and individuals should always keep their software up to date, maintain robust security measures, and be wary of any suspicious activity or unexpected system changes.

The Eset researchers noted that the MgBot malware has been specifically customized for each victim, suggesting a high degree of sophistication and customization by the APT group. This type of advanced malware is difficult to detect and defend against, making it imperative for individuals and organizations to be proactive in their cybersecurity measures.
Read more »
Windows Hack
Backdoor Data Leak malware User Privacy User Safety Windows Hack

Threat Analysts Identity an Incredibly Sneaky Windows Backdoor

 

Researchers have identified a sophisticated piece of malware that exploits a feature in Microsoft Internet Information Services to secretly exfiltrate data and run malicious code on Windows devices (IIS).

IIS is a general-purpose web server that works with Windows machines. It accepts requests from distant clients and responds appropriately in the role of a web server. According to network analytics company Netcraft, there were 51.6 million IIS instances scattered across 13.5 million distinct domains as of July 2021. 

When a web request comes in from a remote client, IIS's Failed Request Event Buffering functionality records metrics and additional information. Two examples of the information that can be gathered are client IP addresses, port numbers, and HTTP headers with cookies. FREB extracts requests that satisfy specific requirements from a buffer and writes them to disc, assisting administrators in troubleshooting unsuccessful web requests. The approach can assist in isolating the root cause of 401 or 404 problems as well as stopped or abandoned queries. 

Criminal hackers have discovered a way to take advantage of this FREB feature to sneak harmful code into secure areas of a network that has already been infiltrated and execute it there. The same protected zones' data can likewise be exfiltrated by hackers via FREB. The method offers a covert means to penetrate the hacked network because it imitates legitimate eeb requests. 

Researchers from Symantec have named the post-exploit virus that makes this possible Frebniis, and they reported on its use on Thursday. Prior to hijacking FREB's execution, Frebniis first makes sure that it is enabled. Then, it introduces malicious code into the IIS process memory and makes it run. After the code is in place, Frebniis is able to examine each HTTP request that the IIS server receives.

“By hijacking and modifying IIS web server code, Frebniis is able to intercept the regular flow of HTTP request handling and look for specially formatted HTTP requests,” Symantec researchers stated. “These requests allow remote code execution and proxying to internal systems in a stealthy manner. No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.” 

A hacker must first gain access to the Windows system that is running the IIS server in order for Frebniis to function. Symantec researchers have not yet discovered Frebniis' method for doing this.

Frebniis parses each HTTP POST request that uses the default.aspx or logon.aspx files, which are used to serve default web pages and generate login pages, respectively. By submitting one of these requests and including the password "7ux4398!" as a parameter, attackers can smuggle requests into a server that is infected. Frebniis decrypts and executes after receiving such a request. The primary backdoor functionalities are controlled by net code. The code leaves no files on disk in order to make the procedure more covert

The.NET code accomplishes two tasks. First off, it gives attackers a proxy through which they can connect or communicate with internal resources that are otherwise unreachable from the Internet using the infected IIS server. The.Net code's secondary function is to enable the IIS server to run code supplied by an attacker remotely. Frebniis will automatically decode and run any C# code that is sent as a request to the default.aspx or logon.aspx files in memory. Once more, the backdoor is significantly more difficult to find because the code is executed directly in memory. 

It's unclear how popular Frebniis is right now. Although the post gives two file hashes linked to the backdoor, it doesn't describe how to check a system to determine whether they are present.
Read more »
white hat hacking
Backdoor Data Breach Email Hacking Email scam Supply Chain Attack User Privacy white hat hacking

Data Breached on Toyota Supplier Portal

Eaton Zveare, a US-based researcher proactively informed Toyota of the breach found in the Global Supplier Preparation Information Management System (GSPIMS) of the corporation.

According to Zveare, the problem stemmed from installing JWT, or JSON Web Token, authentication that could have given anyone with a working email address access to any account.

JWT is a session token that is created when a user logs onto a website and is used to verify the user's access to secure APIs or portions of the website. The automaker's web platform, known as GSPIMS, enables remote login and management of the company's global supply chain for employees and suppliers.

The researcher could predict an email address by scanning the internet for Toyota personnel who might be involved in the incident. Corporate Toyota email addresses are simple to guess because they use the format firstname.lastname@toyota.com.

Then, Zveare created a legitimate JWT using that email address and utilized it to access the GSPIMS. He used the same way to access a system administrator account he found after performing some portal reconnaissance.

The company avoided a potentially disastrous leak thanks to Zveare's effective disclosure practices, yet the reward for disclosing this vital issue was $0.Despite following the rules of disclosure and rescuing the company from a potentially disastrous leak, It acts as a strong deterrent to investing more time and energy in investigating the infrastructure security of Toyota, he adds. Due to this, similar, exploitable application weaknesses can go unnoticed—at least by 'white hat' researchers like Zveare.

An administrator of the GSPIMS system has access to private data such as secret documents, project schedules, vendor rankings, and customer data for 14,000 users. To allow this option, it appears that the code that creates the JWT based on email address was developed; nevertheless, this backdoor into the network was also created.


Read more »
User Privacy
Access Tokens Backdoor Check Point Crypto Crypto Exchange Cyber Crime Investors User Privacy

Dingo Token Charging 99% Fee is a Scam

A major cryptocurrency scam by Dingo Token, as per researchers who discovered backdoor features intended to steal users' money.

Check Point analysts observed this fraudulent charge modification 47 times before issuing the alert. The Dingo Smart Contract's purchase and sell fees are adjustable by up to 99% using a backdoor method called 'setTaxFeePercent,' according to Check Point Research (CPR), which examined the code for the contract. Despite the fact that the project's whitepaper claims that only a 10% fee for each transaction, this is the case. 

According to the cyber security software company, one customer purchased 427 million Dingo Tokens for $26.89 but received 4.27 million, or $0.27 value of Dingo Tokens. Dingo Token had a current market valuation of $223,992 and was rated 1915 on CoinMarketCap.  Recent complaints about the Dingo Token have also been made by users of CoinMarketCap and Twitter. Crypto dealer IncredibleJoker stated in a post on February 5 they could not sell their assets.

According to Check Point's head of product vulnerabilities research, Oded Vanunu, what his group uncovered at Dingo Token is becoming more regular, "this is a popular method that locks users' funds until the scammers gradually withdraw the entire sum. A growing number of scammers are lured to cryptocurrencies. They can remain unidentified. It moves quickly. It's profitable." 

Users are worried that once the creators determine that the value has peaked, they will turn on the backdoor to steal 99% of all users' coins. Investors in cryptocurrencies should be upfront about their questions in order to hear what other people have to say about a project. Whether you are new to trading, it is advised to diversify your money over several different coins and only utilize reliable exchange providers.

DingoToken: What is it?

DingoToken enables users to quickly deposit ANY tokens, including BEP-20 tokens, into an NFT. Now, a rare NFT can be turned into a basket containing a variety of different tokens. An entirely new NFT world is made possible by the DingoToken platform, a new protocol layer. The decentralized app (DApp) built on top of the DingoToken Protocol and targeted at art/collectible NFTs will also be made available for our public launch.

The DApp enables users to Mint / Generate an NFT, deposit their preferred asset into it, and then create their own NFTs. Only NFTs produced with the Dingo NFT Minting Station are supported in our v1 online application. To protect platform users' safety, steps are being taken by the firm. The option to mint one's own NFTs or buy those produced by Dingo Token platform users is available to users.


Read more »
User Privacy
Backdoor Cyber Security E-Commerce Websites E-Skimming Retail Industry USB User Privacy

Retail Cybersecurity Threats Analysis

 

Cybercriminals are increasingly focusing their attention on thriving markets and enterprises, and the retail industry is no exception. Retail is a common target for hackers who want to steal both money and client information.

Customers are directly responsible for the success of any retail firm, and every incident that negatively impacts customers will have an impact on business. Financial stability is a key component of any business's success, and one of the worst effects of cyberattacks is the unpredictability of financial losses. Retailers have unique financial risks, such as the possibility that an attacker will lower the price of pricey items in an online store. The retailer will lose money if the attack is undetected and the products are sold and shipped at a discounted price.

Card skimmers, unprotected point-of-sale (PoS) systems, unprotected or public Wi-Fi networks, USB drives or other physical hacking equipment, unprotected Internet of Things (IoT) devices, social engineering, and insider threats are all ways that threat actors can access companies after physically being present there.

Threat actors can also steal or hack susceptible IoT devices using the default technical information or credentials. Last but not least, there are still more potential entry points for cyber infiltration, including inexperienced staff, social engineering, and insider threats.

Potential Threats

Unsecured Point-of-Sale (PoS) Systems and Card Skimmers: It is possible to physically plant fake card readers, or 'skimmers,' inside a store to copy or skim card data. These can also be used for other smart cards, such as ID cards, although they are frequently used to steal credit card information. In places with poor security, like ATMs or petrol pumps, legitimate card readers might have skimmer attachments. Skimmers are simple to install and use Bluetooth to send the data they collect.

Public or insecure Wi-Fi Networks: Backdoors into a company's systems can be created using rogue networks or access points, which can be put on a network's wired infrastructure without the administrator's knowledge. In order to deceive users into connecting to them and aiding man-in-the-middle attacks, they seem to be legal Wi-Fi networks. Hackers can view all file sharing and traffic sent between a user and a server on a public Wi-Fi network if the facility has an encryption-free connection.

Virus-Carrying USB Devices: Once a USB drive is plugged into a target computer, an attacker can utilize it to deliver and run malware directly on business computers. This can be done manually or automatically. Additionally, malicious USB charging stations and cables have been reported in the past. In one example, a USB charging cable for an electronic cigarette contained a tiny chip that was secretly encased in malware.

Untrained Employees, Social Engineering, & Cyberespionage: Threat actors might work out of physical places to use inexperienced workers to get access to company systems. Employees are frequently duped into giving login passwords, account information, or access to company resources through social engineering.

The transition to e-commerce is generally a positive development for retailers. However, this change of direction also poses a threat to e-commerce cybersecurity.


Read more »
Trojan Attacks
Antivirus APT Backdoor Botnets Cyber Crime Endpoint ESET Symantec Trojan Attacks

Hacker Group Cranefly Develops ISS Method

The novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs has been used to install backdoors and other tools by a recently leaked dropper. Cybersecurity experts at Symantec claimed an attacker is utilizing the malware known as Cranefly also known as UNC3524 to install Trojan. Danfuan, another undocumented malware, as well as other tools.

Mandiant reported that Cranefly mainly targeted the emails of individuals who specialized in corporate development, merger and acquisitions, and significant corporate transactions when it was originally founded in May. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment without support for security measures.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory now claims that UNC3524 used Hacktool-based backdoors in some instances. Multiple advanced persistent threat (APT) clusters use the open-source technology Regeorg.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group as evidenced by the adoption of a new method in conjunction with the bespoke tools and the measures made to conceal their activity.

On its alert and Protection Bulletins website, Symantec lists the indicators of compromise (IoC) for this attack. Polonium is another threat actor that usually focuses on gathering intelligence, and ESET recently saw Polonium utilizing seven different backdoor variants to snoop on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.



Read more »
Security
attacks Backdoor Cyber Data malware Safety Security

Irresponsibile Malware Operators Squandered an "Undetectable" Windows Backdoor

 

Due to the malware operators' careless behaviour, a "completely undetectable" backdoor has been discovered. 

SafeBreach Labs claims to have discovered a brand new PowerShell backdoor that, when properly executed, grants attackers remote access to compromised endpoints. From there, the attackers could launch a variety of stage-two attacks, ranging from data stealers to ransomware (opens in new tab) and everything in between. 

Based on the report, an unknown threat actor created "ApplyForm[.]docm," a weaponized Word document. It contained a macro that, when activated, ran an unknown PowerShell script.

"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows," the researchers explained

Updater.vbs would then execute a PowerShell script, granting the attacker remote access. The malware creates two PowerShell scripts, Script.ps1 and Temp.ps1, before running the scheduled task. The contents are concealed and placed in text boxes within the Word document, which is then saved in the fictitious update directory. As a result, antivirus software fails to identify the file as malicious.

Script.ps1 connects to the command and control server to assign a victim ID and receive additional instructions. Then it executes the Temp.ps1 script, which stores data and executes commands. The attackers made the mistake of issuing victim IDs in a predictable sequence, which allowed researchers to listen in on conversations with the C2 server.

While it is unknown who is behind the attack, the malicious Word document was uploaded from Jordan in late August of this year and has so far compromised approximately one hundred devices, most of which belong to people looking for new jobs. The Register reader described their encounter with the backdoor, offering advice to businesses looking to mitigate the damage that unknown backdoors can cause.

“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning."

"They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn't make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this."
Read more »
Spear Phishing Campaign
Backdoor BYOVD Attack Cyber Attacks North Korean Hackers Spear Phishing Campaign

Lazarus Hackers Employed Spear-Phishing Campaign to Target European Workers

 

ESET researchers have spotted the infamous Lazarus APT group installing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. 

In a spear-phishing campaign that began in the autumn of 2021 and ran until March 2022, the hackers targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. 

Exploiting Dell driver for BYOVD assaults 

According to ESET, the malicious campaign was mostly geared toward attacking European contractors with fake job offers. The hackers exploited LinkedIn and WhatsApp by posing as recruiters to deliver malicious components disguised as job descriptions or application forms. 

Upon clicking on these documents, a remote template was downloaded from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more. 

The most notable tool delivered in this campaign was a new FudModule rootkit that employs a BYOVD (Bring Your Own Vulnerable Driver) methodology to exploit a security bug in a Dell hardware driver.

The hackers were exploiting the vulnerability tracked CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”), which corresponds to a set of five flaws that remained susceptible for 12 years before the computer vendor finally published security patches for it. 

The APT group employed Bring Your Own Vulnerable Driver (BYOVD) technique to install authentic, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows allowed the driver to be installed in the operating system. However, the hackers can now exploit the driver’s flaws to launch commands with kernel-level privileges. 

Last year in December, Rapid 7 researchers issued a warning regarding this specific driver being a perfect match for BYOVD assaults due to Dell’s inadequate fixes, allowing kernel code execution even on recent, signed versions. It appears that Lazarus was familiar with this potential for exploitation and abused the Dell driver well before threat analysts issued their public warnings. 

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” researchers explained. 

The APT group also delivered its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first unearthed by U.S. intelligence in August 2020 and linked to Lazarus by Kaspersky in October last year. Other tools deployed in the spear-phishing campaign are the FudModule Rootkit, an HTTP(S) uploader employed for secure data theft, and multiple trojanized open-source apps like wolfSSL and FingerText.
Read more »
Subscribe to: Posts (Atom)