Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Backdoor. Show all posts
Symbolic
Backdoor Cyber Attacks FortiGate devices Security Patch Symbolic

Over 16,000 Fortinet Devices Infected With the Symlink Backdoor

 

Over 16,000 internet-connected Fortinet devices have been identified as having a new symlink backdoor that permits read-only access to sensitive data on previously compromised systems. 

The Shadowserver Foundation, a threat monitoring platform, has stated that 14,000 machines were exposed. Earlier this week, Shadowserver's Piotr Kijewski told a local media source that the cybersecurity firm now recognises 16,620 devices affected by the newly discovered persistence method. 

Last week, Fortinet notified customers that they had found a new persistence mechanism employed by a threat actor to maintain read-only remote access to files in the root filesystem of previously hacked but now patched FortiGate devices. 

Fortinet stated that this was not due to the exploitation of new vulnerabilities, but rather to attacks beginning in 2023 and continuing into 2024, in which a threat actor used zero days to compromise FortiOS devices. 

After gaining access to the devices, they made symbolic connections to the root file system on SSL-VPN-enabled devices in the language files folder. Even after the initial vulnerabilities were fixed, the threat actor could still access the root file system by browsing to the language files, which are publically available on FortiGate devices with SSL-VPN enabled. 

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection," Fortinet stated. 

"Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations.” 

Earlier this month, Fortinet began discreetly notifying customers via email about FortiGate devices that FortiGuard discovered as being infected with this symlink backdoor. In order to identify and eliminate this malicious symbolic link from compromised devices, Fortinet has released an improved AV/IPS signature.

Additionally, the firmware has been updated to the most recent version in order to detect and remove the link. The upgrade also stops the integrated web server from serving unrecognised files and folders. Finally, if a device was identified as hacked, it is probable that the threat actors had access to the latest configuration files, including credentials.
Read more »
Ransomwares
Backdoor Backdoor Attacks Critical Infrastructure Cyber Attacks Healthcare Malware Attack RansomHub Ransomware attack Ransomwares

Symantec Links Betruger Backdoor Malware to RansomHub Ransomware Attacks

 

A sophisticated custom backdoor malware called Betruger has been discovered in recent ransomware campaigns, with Symantec researchers linking its use to affiliates of the RansomHub ransomware-as-a-service (RaaS) group. The new malware is considered a rare and powerful tool designed to streamline ransomware deployment by minimizing the use of multiple hacking tools during attacks. 

Identified by Symantec’s Threat Hunter Team, Betruger is described as a “multi-function backdoor” built specifically to aid ransomware operations. Its functions go far beyond traditional malware. It is capable of keylogging, network scanning, privilege escalation, credential theft, taking screenshots, and uploading data to a command-and-control (C2) server—all typical actions carried out before a ransomware payload is executed. Symantec notes that while ransomware actors often rely on open-source or legitimate software like Mimikatz or Cobalt Strike to navigate compromised systems, Betruger marks a departure from this norm. 

The tool’s development suggests an effort to reduce detection risks by limiting the number of separate malicious components introduced during an attack. “The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks,” Symantec stated. “Betruger may have been developed to reduce the number of tools dropped on a network during the pre-encryption phase.” Threat actors are disguising the malware under file names like ‘mailer.exe’ and ‘turbomailer.exe’ to pose as legitimate mailing applications and evade suspicion. While custom malware isn’t new in ransomware operations, most existing tools focus on data exfiltration. 

Notable examples include BlackMatter’s Exmatter and BlackByte’s Exbyte, both created to steal data and upload it to cloud platforms like Mega.co.nz. However, Betruger represents a more all-in-one solution tailored for streamlined attack execution. The RansomHub RaaS operation, previously known as Cyclops and Knight, surfaced in early 2024 and has quickly become a major threat actor in the cybercrime world. Unlike traditional ransomware gangs, RansomHub has focused more on data theft and extortion rather than just data encryption. Since its emergence, RansomHub has claimed several high-profile victims including Halliburton, Christie’s auction house, Frontier Communications, Rite Aid, Kawasaki’s EU division, Planned Parenthood, and Bologna Football Club. 

The group also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware group’s infamous $22 million exit scam. More recently, the gang claimed responsibility for breaching BayMark Health Services, North America’s largest addiction treatment provider. BayMark serves over 75,000 patients daily across more than 400 locations in the US and Canada. According to the FBI, as of August 2024, RansomHub affiliates have compromised over 200 organizations, many of which are part of critical infrastructure sectors such as government, healthcare, and energy. 

As ransomware groups evolve and adopt more custom-built malware like Betruger, cybersecurity experts warn that defenses must adapt to meet increasingly sophisticated threats.
Read more »
Ransomwares
Backdoor Backdoor Attacks Critical Infrastructure Cyber Attacks RansomHub ransomware ransomware attacks Ransomwares

Betruger Backdoor Linked to RansomHub Ransomware Attacks on Critical Infrastructure

 

A newly discovered backdoor malware, dubbed Betruger, has been identified in multiple recent ransomware attacks. Researchers at Symantec believe at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation is using this sophisticated tool to facilitate cyber intrusions. 

Unlike many conventional malware strains, Betruger functions as a multi-purpose backdoor designed to prepare networks for ransomware deployment while minimizing the need for additional malicious software. Betruger comes equipped with several advanced features commonly associated with pre-ransomware attack stages. These include keylogging, network scanning, privilege escalation, credential theft, screenshot capture, and the ability to upload files to a command-and-control (C2) server. 

Its design suggests that attackers are looking to streamline their intrusion process, reducing reliance on multiple external tools and instead using a single, custom-built malware to execute various attack functions. This approach is relatively rare, as ransomware operators typically rely on widely available tools such as Mimikatz and Cobalt Strike to conduct their attacks. To avoid detection, cybercriminals are disguising Betruger under the filenames ‘mailer.exe’ and ‘turbomailer.exe,’ making it appear like a legitimate email-related application. 

While other ransomware groups have developed proprietary tools for data exfiltration, such as BlackMatter’s Exmatter and BlackByte’s Exbyte, Betruger appears to have a broader range of capabilities beyond just stealing data. The emergence of Betruger coincides with ongoing attacks by RansomHub, a ransomware operation that has been active since February 2024. Previously known as Cyclops and Knight, RansomHub has gained a reputation for focusing on extortion through data theft rather than encrypting victim files. 

Over the past year, the group has targeted several major organizations, including Halliburton, Christie’s, Frontier Communications, Rite Aid, and Kawasaki’s EU division. It was also responsible for leaking Change Healthcare’s stolen data after the BlackCat/ALPHV group’s $22 million exit scam. More recently, RansomHub claimed responsibility for breaching BayMark Health Services, a leading addiction treatment provider in North America. 

The company operates over 400 treatment centers across the U.S. and Canada, serving approximately 75,000 patients daily. The FBI has linked RansomHub affiliates to more than 200 ransomware attacks affecting various critical infrastructure sectors in the U.S., including government agencies, healthcare institutions, and other essential services. With the deployment of Betruger, the group’s operations appear to be evolving, indicating a continued threat to businesses and organizations worldwide.
Read more »
WhatsApp
AI Backdoor Data Encryption Pegasus Spyware Technology WhatsApp

Frances Proposes Law Requiring Tech Companies to Provide Encrypted Data


Law demanding companies to provide encrypted data

New proposals in the French Parliament will mandate tech companies to give decrypted messages, email. If businesses don’t comply, heavy fines will be imposed.

France has proposed a law requiring end-to-end encryption messaging apps like WhatsApp and Signal, and encrypted email services like Proton Mail to give law enforcement agencies access to decrypted data on demand. 

The move comes after France’s proposed “Narcotraffic” bill, asking tech companies to hand over encrypted chats of suspected criminals within 72 hours. 

The law has stirred debates in the tech community and civil society groups because it may lead to building of “backdoors” in encrypted devices that can be abused by threat actors and state-sponsored criminals.

Individuals failing to comply will face fines of €1.5m and companies may lose up to 2% of their annual world turnover in case they are not able to hand over encrypted communications to the government.

Criminals will exploit backdoors

Few experts believe it is not possible to bring backdoors into encrypted communications without weakening their security. 

According to Computer Weekly’s report, Matthias Pfau, CEO of Tuta Mail, a German encrypted mail provider, said, “A backdoor for the good guys only is a dangerous illusion. Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cyber criminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone.”

Researchers stress that the French proposals aren’t technically sound without “fundamentally weakening the security of messaging and email services.” Similar to the “Online Safety Act” in the UK, the proposed French law exposes a serious misunderstanding of the practical achievements with end-to-end encrypted systems. Experts believe “there are no safe backdoors into encrypted services.”

Use of spyware may be allowed

The law will allow using infamous spywares such as NSO Group’s Pegasus or Pragon that will enable officials to remotely surveil devices. “Tuta Mail has warned that if the proposals are passed, it would put France in conflict with European Union laws, and German IT security laws, including the IT Security Act and Germany’s Telecommunications Act (TKG) which require companies to secure their customer’s data,” reports Computer Weekly.

Read more »
Network Security
Backdoor China Contec Data Breach Healthcare Network Security

Experts Find Hidden Backdoors Inside Chinese Software Stealing Patient Data

Experts Find Hidden Backdoors Inside Chinese Software Stealing Patient Data

Cybersecurity & Infrastructure Security Agency (CISA) in the US rolled out an investigation report concerning three firmware variants used in Contec CMS800, a patient monitoring system used in healthcare facilities and hospitals. 

CIS finds hidden backdoor in Chinese software

Experts found that the devices had a hidden backdoor with a hard-coded IP address, enabling transmission of patient data. This is doable as the devices will start a link to a central monitoring system through a wireless or wired network, as per the product description. 

The agency disclosed the codes that send data to a select IP address. The decoded data includes detailed information- patients, hospital department, doctor’s name, date of birth, admission date, and other details about the device users. 

Details about three flaws

The flaw is filed under “CVE-2025-0626 with a CVSS v4 score of 7.7 out of 10” says Tom’s Hardware, while also talking about two other vulnerabilities “filed under CVE-2024- 12248, which indicates that it could allow an attacker to write data remotely to execute a code” and “CVE-2025-0683, which relates to privacy vulnerability.”

Impact of vulnerabilities

The three cybersecurity flaws can allow threat actors to dodge cybersecurity checks, get access, and also manipulate the device, the FDA says, not being “aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time."

FDA said that Contec Medical Systems is a device manufacturer in China, its products are used in the healthcare industry- clinics, hospitals, etc., in the US and European Union. However, experts found that these can also be bought from eBay for $599. 

About Contec

These devices are also rebranded as Epsimed MN-120, the FDA believes. Contec products are FDA-approved and sold in more than 130 countries. As part of its vulnerability disclosure process, the CISA research team discovered uncovered this flaw. 

The agency has also mentioned that the IP address is not linked with any medical device manufacturer, “Still, it is a third-party university, though it doesn't mention the university, the IP address, or the country it is sending data to,” reports Tom Hardware. 

The CISA has also assessed that the coding was meant to be a substitute update system because it doesn’t include standard update techniques like doing integrity checks or tracking updated versions. Instead, it offers a remote file sent to the IP address. To solve this, the FDA suggests removing the monitoring device from its network and tracking the patient’s physical condition and vital stats.

Read more »
malware
Backdoor Badbox BSI Germany malware

Germany Warns of Pre-Installed Malware on 30,000 Devices

 

Earlier this week, Germany's cybersecurity office issued a warning about at least 30,000 internet-connected devices across the nation being compromised by pre-installed malware known as BadBox.

The Federal Office for Information Security (BSI) announced that it had successfully halted communication between the infected devices and the hackers' control servers, preventing further damage. However, devices with outdated software remain at significant risk.

BadBox: A Threat to Low-Cost Devices

The hacker group behind BadBox primarily targets Android devices by embedding malicious code into their firmware. Affected devices include:

  • Smartphones
  • Tablets
  • Connected TV streaming boxes

BadBox’s operators focus on low-cost devices distributed through online merchants or resale platforms. These devices come pre-installed with Triada malware, which opens a backdoor, enabling attackers to:

  • Remotely control the device
  • Inject new software
  • Perform illegal actions

Capabilities of the BadBox Malware

BSI discovered that the malware on compromised devices, such as digital photo frames and streaming gadgets, can discreetly:

  • Generate email and messenger accounts
  • Propagate fake news
  • Commit advertising fraud
  • Act as a proxy for cyberattacks or illegal content distribution

BSI’s Countermeasures

German cyber officials employed a technique known as sinkholing to redirect traffic from infected devices to secure servers, effectively limiting hackers' access. Additionally, the BSI mandated that all German internet service providers (ISPs) with over 100,000 subscribers reroute BadBox traffic to its sinkhole.

The BSI refrained from naming the manufacturers of the compromised devices but advised consumers who received warnings from authorities to disconnect or cease usage of the affected products immediately.

BSI President Claudia Plattner reassured consumers, stating: "There is no immediate danger for these devices as long as the BSI maintains the sinkholing measure. Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions, in particular, pose a huge risk."

Plattner also stressed the need for collective action: "We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market."

Takeaways for Consumers

To protect against threats like BadBox, consumers should:

  • Ensure devices are updated with the latest firmware
  • Purchase devices only from reputable manufacturers
  • Stay vigilant about warnings from cybersecurity authorities

As malware threats continue to evolve, proactive measures and industry accountability remain essential in safeguarding digital ecosystems.

Read more »
WordPress Plugins
Backdoor CyberCrime CyberNAttacks Cybersecurity CyberThreat Supply Chain Attack WordPress Plugins

Hackers Slip Backdoor into WordPress Plugins in Latest Supply-Chain Attack

 


Security researchers announced on Monday that there had been a supply chain attack on up to 36,000 WordPress plugins running on a wide range of websites that had been backdoored by unknown hackers. Currently, researchers from security firm Wordfence report that the campaign has affected five plugins as of Monday morning. It has been active since last week. It has been reported that unknown threat actors have recently added malicious functionality to plugin updates on WordPress.org, which is the official site for the free open-source WordPress CMS. This update creates an attacker-controlled administrative account that can be used to control the compromised site, as well as add content designed to boost search results. 

The updates can be installed automatically when the updates are installed. There has been a significant amount of backdooring in WordPress plugins to allow malicious code to be injected which can lead to the creation of rogue administrator accounts which can be used for arbitrary purposes. As Wordfence security researcher Chloe Chamberland pointed out in an alert on Monday, the malware injects itself into the system, attempting to create an administrator user account and sending back that account's details to the attacker's server. 

Further, it appears that the threat actor may also have injected malicious JavaScript into the footers of websites, which appears to be causing SEO spam to be displayed throughout the website. According to Wordfence security researchers, a company that monitors the security of the biggest website builder platforms in the world, five plugins have been poisoned with a poisonous patching function so far. Whenever users patch these WordPress plugins, they are presented with a piece of code that creates a new admin account, which is then used by the attackers to establish the account login credentials. 

The perpetrators of this threat (whose identity has not been revealed yet) thus gain full and unrestricted access to the website in this way. The plugins that have been made available are called Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, and Contract Form 7 Multi-Step Add-on as well as Just Show Hooks. Combined, these five plugins have been installed 36,000 times. Of these, Social Warfare has the most number of installations at 30,000, far and away the most popular one. As of the time of publication, it was not yet clear how the attackers were able to compromise the patching process for these five plugins, and thus compromise their security.

It was reported that reporters at Ars Technica attempted to get in touch with the plugin developers (some did not even provide contact information on their plugin websites, meaning it was impossible to get in touch with them) but did not receive any response. There has been a sharp rise in the number of supply-chain attacks over the past decade, which has become one of the most effective ways to install malware within a supply chain. The threat actors have been able to achieve significant gains by poisoning the software source code so that by simply running a trusted update or installation file, they can infect large numbers of devices. 

This year, an almost disastrous event occurred when a backdoor was discovered, largely through chance, in the widespread open-source XZ Utils code library a week or so ahead of its general release date, narrowly averting disaster. In addition, there have been many other recent supply-chain attacks that can be found in the media. Researchers are currently working on investigating how and why the malware was uploaded to the plugin channel for downloading on the WordPress site to increase their knowledge about it. Several emailed questions were sent to representatives of WordPress, BLAZE, and Social Warfare, none of whom responded. 

Because there is no contact information on the websites of the developers of the remaining three plugins, it was impossible to connect with the representatives of those developers. As mentioned by the Wordfence researchers, they were first made aware of the attack on Saturday when they received an email from a member of the WordPress plugin review team that mentioned the attack. Based on their analysis of the malicious file, the researchers were able to identify four other plugins that had similar codes that were exposed to the same threat. 

There is generally a perception that WordPress is a secure platform for designing and building websites. However, it is a platform with a vast number of third-party themes and plugins, many of which suffer from poor protection, and/or don't enjoy the same level of maintenance as the platform itself. Consequently, they are considered to be a great entry point for threat actors, due to their unique nature. Moreover, the themes and plugins available for WordPress can be both free-to-use and commercially produced, but the latter are often abandoned or maintained by a single developer or hobbyist. 

There is therefore a strong need for WordPress administrators to use extreme caution when installing third-party additions to their websites. They need to ensure that only the files they intend to use are installed. It is imperative for users to ensure their WordPress plugins are always updated and to remain vigilant for any news regarding vulnerabilities. Individuals who have installed any of the compromised plugins should uninstall them immediately and thoroughly inspect their sites for any newly created admin accounts or unauthorized content. Users who utilize the Wordfence Vulnerability Scanner will be alerted if their site is running any of the affected plugins. 

Furthermore, the Wordfence post advises users to monitor their sites for connections originating from the IP address 94.156.79.8, as well as to check for admin accounts with the usernames "Options" or "PluginAuth."
Read more »
Software Security
Backdoor Courtroom Endpoint security malware Software Security

From Courtroom to Cyber Threat: The JAVS Viewer 8 Incident

From Courtroom to Cyber Threat: The JAVS Viewer 8 Incident

Hackers have broken into a popular brand of recording software used in courtrooms, jails, and prisons, allowing them to obtain complete control of the system via a backdoor implanted in an update to the application.

Software and its purpose

Justice AV Solutions (JAVS) uses its technologies to capture events such as lectures, court proceedings, and council meetings, and they have over 10,000 installations worldwide. It is available for download from the vendor's website and is a Windows installer package. 

The discovery 

However, the company announced this week that it had uncovered a security flaw in an earlier version of its JAVS Viewer program.

Through continuing monitoring and consultation with cyber authorities, the company discovered attempts to replace its Viewer 8.3.7 software with a tainted file.

The company removed all versions of Viewer 8.3.7 from the JAVS website, changed all passwords, and thoroughly assessed all JAVS systems. It also determined that all currently available files on the JAVS.com website are legitimate and free of malware. The company also confirmed that no JAVS source code, certificates, systems, or other software releases were affected during this event.

The backdoor

The malicious file, which contained malware, "did not originate from JAVS or any third party associated with JAVS," and the business advised users to ensure that any software they installed was digitally signed.

Rapid7, a cybersecurity firm, published an investigation of the vulnerability on Thursday, revealing that the compromised JAVS Viewer program — which opens media and logs files in the suite — contains a backdoored installer that allows attackers full access to an infected system. 

Installation and communication

The malware sends data about the host machine to the threat actors' command-and-control (C2) servers. Rapid7 identified the bug as CVE-2024-4978 and stated that it collaborated with the CISA to coordinate the disclosure of the problem. 

Rapid7 stated that the malicious copies of the software were signed by "Vanguard Tech Limited," which is reportedly headquartered in London. 

Rapid7's alert emphasized the importance to reimaging all endpoints where the software was installed, as well as resetting credentials on web browsers and any accounts authenticated into impacted endpoints, both local and remote. 

Data harvesting

Simply uninstalling the software is insufficient, as attackers could have installed further backdoors or malware. They wrote that reimagining allows for a fresh start.

"It is important to completely re-imagine compromised endpoints and reset associated passwords to guarantee that attackers have not persisted via backdoors or stolen credentials. 

A threat intelligence researcher originally raised the matter on X (previously Twitter) in April, claiming that "malware is being hosted on the official website of JAVS." 

On May 10, Rapid7 responded to a client's system warning and traced an infection to an installer downloaded from the JAVS website. The malicious file that the victim had downloaded appears to have been withdrawn from the website, and it is unclear who did so. 

Additional malware

A few days later, the researchers uncovered another installer file carrying malware on the JAVS website. 

Software updates have become a focus in cybersecurity because end users frequently click "update" when requested, or they have them enabled automatically. 

Several firms, most notably SolarWinds and 3CX, have grappled with nation-state intrusions that used the update process to secretly implant malware. 

Read more »
Subscribe to: Posts (Atom)