
Cyber Attacks Threaten Essential Services

A recent BlackBerry report revealed that critical infrastructure providers faced a surge in cyberattacks during the latter part of 2023. These providers bore the brunt of 62% of all industry-related cyberattacks tracked from September through December. More concerning still is the 27% increase in the use of novel malware during this period, indicating a deliberate effort by threat actors to circumvent traditional defense mechanisms. With over 5,300 unique malware samples targeting BlackBerry’s customers daily, the urgency for enhanced cybersecurity measures is evident.

Threat actors are not only leveraging novel malware but also exploiting critical vulnerabilities in widely used products such as Citrix NetScaler, Cisco Adaptive Security Appliance, and JetBrains TeamCity. By exploiting these vulnerabilities, threat groups can infiltrate targeted organisations, posing a substantial risk to their operations. VPN appliances also remain highly attractive targets for state-linked threat actors, further stressing the need for heightened security measures across all sectors.

The backdrop of rising geopolitical tensions, including Russia’s invasion of Ukraine and escalating conflicts in the Asia-Pacific region, adds another layer of complexity to the situation. U.S. authorities have already issued warnings regarding the increased threat to critical infrastructure providers, particularly from state-sponsored groups like Volt Typhoon, with ties to the People’s Republic of China. These groups aim to disrupt essential services, potentially causing mass panic and diverting attention from other geopolitical agendas.

Ismael Valenzuela, VP of threat research and intelligence at BlackBerry, underscored the gravity of the situation, stating, “The end goal of attacks, whether from financially motivated attackers or nation states, is to cause havoc.” Organisations operating in critical infrastructure sectors understand the urgency to mitigate these threats promptly, often resorting to quick payments to restore operations.

Moreover, the report highlights the growing trend of attacks exploiting vulnerable VPN devices to gain unauthorised access to critical industries. Additionally, specific malware families like PrivateLoader, RisePro, SmokeLoader, and PikaBot have witnessed increased usage, further complicating cybersecurity efforts.

This spike in cyberattacks targeting critical infrastructure demands immediate attention from stakeholders worldwide. As threat actors continue to evolve their tactics, it is imperative for organisations to prioritise cybersecurity measures and stay cautious against emerging threats. Failure to do so could have severe implications not only for individual institutions but also for the stability of essential services and national security.


NewsPenguin Initiates Phishing Campaign for Maritime & Military Secrets


Using a sophisticated malware tool, a new threat actor known as "NewsPenguin" has been conducting espionage operations against Pakistan's military-industrial complex for months.

In a blog post on February 9, researchers from BlackBerry detailed how this group meticulously prepared a phishing campaign targeting attendees of the upcoming Pakistan International Maritime Expo & Conference (PIMEC).

PIMEC is set to be held over the course of the following weekend. It is a Pakistan navy initiative that will provide opportunities to the maritime industry both in the public and private sectors to display products and develop business relationships. 

"The event will also highlight Pakistan's Maritime potential and provide the desired fillip for economic growth at national level," reads the government press release. Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewsPenguin's use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude "that the threat actor is actively targeting government organizations."

How Does NewsPenguin Operate the Phishing Campaign?

NewsPenguin lures its victims via spear-phishing emails carrying an attached Word document that purports to be an “Exhibitor Manual” for PIMEC.

Although the file’s name, “Important Document. doc”, should have been a warning sign, its contents— which included official seals and the same aesthetic as other materials released by the event's organizers — appear to have been lifted verbatim from those materials.

Initially, the document opens in Protected View. To read the page, the victim must click "Enable Content," which triggers a remote template injection attack. Remote template injection avoids easy detection by placing the malicious code in an associated template rather than in the document itself. It is "a special technique that allows the attacks to fly under the radar[…] especially for the [email gateways] and endpoint detection and response (EDR)-like products. That's because the malicious macros are not in the file itself but on a remote server — in other words, outside of the victim's infrastructure. That way, the traditional products built to protect the endpoint and internal systems won't be effective," says Dmitry Bestuzhev, a threat researcher at BlackBerry.
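Because the macros live on a remote server, a defender has to look for the reference to that server rather than for macro code. The following Python is an added example (not BlackBerry's code and not from the report): it inspects the relationship part of a .docx where an attached template is declared and flags targets that point at a remote host. The sample documents and the template-server domain are constructed placeholders.

```python
"""Detect remote-template injection in a .docx (added example, not BlackBerry's code).

A .docx is a ZIP of XML parts. A document that pulls its template from a remote
server carries a relationship of type ".../relationships/attachedTemplate" in
word/_rels/settings.xml.rels whose Target is a URL or UNC path. A scanner that
only searches the file for macros never sees the macro, which lives on the
remote host; the relationship target is the artifact that remains in the file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
# Word also records a benign local template as an External file:/// relationship,
# so the scheme, not TargetMode alone, is what distinguishes a remote template.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the remote attached-template targets referenced by a .docx, if any."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships: no template to inject through
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx, optionally declaring an attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            mode = ' TargetMode="External"' if "://" in template_target else ""
            zf.writestr(SETTINGS_RELS, (
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/></Relationships>'))
    return buf.getvalue()


# Constructed samples (placeholder domain): a lure fetching its template from a
# remote host, a clean document using a local template, and one with no template.
SUSPICIOUS_DOCX = build_docx("http://template-server.example/Exhibitor_Manual.dotm")
CLEAN_DOCX = build_docx("file:///C:/Templates/Normal.dotm")
NO_TEMPLATE_DOCX = build_docx(None)

if __name__ == "__main__":
    print("suspicious:", find_remote_templates(SUSPICIOUS_DOCX))
    print("clean:", find_remote_templates(CLEAN_DOCX))
```

The same check applies to .dotm/.docm files and to the analogous relationship parts of other Office formats.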

Evasion Techniques used by NewsPenguin 

The blog post identifies an executable with the generic name "updates.exe" as the payload at the end of the attack flow. The most noteworthy feature of this never-before-seen espionage tool is how far it goes to avoid notice and scrutiny.

For instance, to avoid making noise on the targeted network, the malware operates slowly, waiting around five minutes before each command.

Additionally, the NewsPenguin malware runs a series of checks to determine whether it is running in a virtual machine or sandbox. Security analysts like to trap and analyze malware in such environments, which isolate any unwanted effects from the rest of a computer or network.

What Does NewsPenguin Want?

The researchers could not link NewsPenguin to any known threat actor. That said, the group has been operating for some time.

Despite PIMEC only taking place this weekend, the domains linked to the campaign were already registered in June and October of last year. 

"Short-sighted attackers usually don't plan operations so far in advance, and don't execute domain and IP reservations months before their utilization[…] This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while," the authors of the report said. 

The authors add that NewsPenguin has been "continuously improving its tools to infiltrate victim systems." 

The broader image begins to emerge due to the attack's premeditation and the victims' profiles. "What happens at conference booths?" Bestuzhev asks. "Attendees approach the exhibitors, chat, and exchange contact information, which the booth's personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies."  

Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti,' which largely reuses Conti code, has come to the surface.

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, and Intel471 and BlackBerry independently announced their research into Monti on September 7.

Conti's developers are a well-known ransomware group that has launched numerous attacks. They operate under the name "Wizard Spider" and may be linked with the global Trickbot cybercrime ring.

The group, reportedly based in Russia, supports the Russian government's goals, particularly in the Ukraine conflict.

In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. This ransomware-as-a-service (RaaS) model, through which the group disseminates the infection, is what allows it to scale its operations.

According to Intel471, Monti "might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," which was published in February. However, Monti does not appear to have been involved in enough activity for the security company to establish a firm connection to Conti.

BlackBerry appears more certain that Monti is a copycat than a legitimate successor to its namesake, since the Conti disclosures in February effectively handed the Monti actors a step-by-step roadmap to mimicking Conti's notoriously successful operations.

Apart from one exception, the Monti threat actors' use of the Action1 Remote Monitoring and Maintenance (RMM) agent, the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also seen in prior Conti ransomware attacks.

The BlackBerry experts also highlight a useful technique made possible by their prior familiarity with the reused code, namely Monti's reuse of Conti's encryptor code.

Because the BlackBerry IR team was familiar with the Conti v2 and v3 encryptor payloads, it knew that Conti encryptor payloads do not always encrypt each file completely. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption technique to employ.

With this knowledge, the BlackBerry IR team was able to recover complete, unencrypted strings from encrypted log files.

Conti's activity has slowed recently. Some experts propose that this reduced activity is the result of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS operations, like Karakurt and BlackByte, have taken on former Conti operators.

Whether Conti is being rebranded as Monti to trade on the earlier strain's name, or Monti is simply another new ransomware variety, remains unclear; either way, this new version will probably continue to affect organizations all around the world. However, building fresh ransomware or relaunching an old one from publicly accessible binaries potentially gives defenders a head start as Monti develops.
Hackers Can Use a Replay Attack Due to a Honda Vulnerability


A 'replay attack' vulnerability has been discovered in specific Honda and Acura automobile models, allowing a nearby attacker to unlock the car and even start it from a short distance. The threat actor captures the RF signals sent from the key fob to the automobile and resends them to gain control of the victim's car's remote keyless entry unit.

More generally, an attacker can use a replay attack to mislead a website or service into granting access by reusing the information that identifies a legitimate user. If the attacker can capture and repeat that specific string of information, the site is deceived into believing the genuine user is present, and the attacker gains access to the account.

Attackers might use CVE-2022-27254 to perform a Man-in-the-Middle (MitM) attack, or more specifically a replay attack, in which the RF signals sent from a remote key fob to the automobile are intercepted and manipulated, then re-transmitted later to unlock the car at the attacker's leisure.

According to the researchers who discovered the vulnerability, Blake Berry, Hong Liu, and Ruolin Zhou of the University of Massachusetts, as well as Cybereason Chief Security Officer Sam Curry, the vulnerability in earlier models is mostly unaddressed. Honda owners, on the other hand, may be able to defend themselves against such an attack. The remote engine start portion of the problem is also demonstrated in a video supplied by the researchers, although no technical details or proof-of-concept (PoC) exploit code were published at the time.

The Honda Civic (LX, EX, EX-L, Touring, Si, and Type R) models from 2016 through 2020 are the most affected by this issue. In a GitHub repository, Blake Berry explained that it was also possible to change the intercepted commands and re-send them to get a completely different result.

According to the experts' recommendations, automotive manufacturers should include "rolling codes," also known as "hopping codes." This security method responds to each authentication request with a unique code, ensuring the codes cannot be "replayed" by an offender at a later time. However, "At this moment, Honda has no plans to update older vehicles," the company stated. "It's crucial to remember this, while Honda is always improving security features as new models are released, motivated and technologically sophisticated thieves are striving to circumvent those safeguards." 
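To make concrete why a rolling code defeats a recorded transmission while a fixed code does not, here is an added toy model in Python (not the researchers' or Honda's code, and not a model of any real fob protocol). It assumes a shared secret between fob and car, a per-press counter, and a small resync window; all keys and frames are constructed.

```python
"""Rolling ("hopping") codes versus fixed codes for remote keyless entry.

Added example, not from the researchers or Honda. Toy model: fob and car share
a secret key; each button press sends (counter, command, MAC). The car accepts a
frame only if its counter lies ahead of the last accepted counter, within a
small window that tolerates presses made out of range. A recorded frame is
therefore useless once the legitimate one has been heard, and the MAC over the
command blocks the "modify and re-send" variant described above.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-not-real"  # provisioned at manufacture in practice


def mac(key: bytes, counter: int, command: str) -> bytes:
    """Truncated HMAC binding the counter and the command to the shared key."""
    return hmac.new(key, f"{counter}:{command}".encode(), hashlib.sha256).digest()[:8]


class FixedCodeReceiver:
    """Vulnerable contrast: every press is identical, so a recording equals the fob."""
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, frame) -> bool:
        _, command, tag = frame
        return hmac.compare_digest(tag, mac(self.key, 0, command))


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, command: str):
        self.counter += 1  # never reused; this is what makes the code "roll"
        return (self.counter, command, mac(self.key, self.counter, command))


class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.last, self.window = key, 0, window

    def accept(self, frame) -> bool:
        counter, command, tag = frame
        # Anything at or behind the last accepted counter is a replay; anything far
        # beyond the window is not a fob we are synchronised with.
        if not (self.last < counter <= self.last + self.window):
            return False
        if not hmac.compare_digest(tag, mac(self.key, counter, command)):
            return False
        self.last = counter  # consume the counter so this frame can never be accepted again
        return True


def demo() -> dict:
    """Replay the same recorded frame against both receiver designs."""
    fixed_car = FixedCodeReceiver(SHARED_KEY)
    recorded = (0, "unlock", mac(SHARED_KEY, 0, "unlock"))  # what an eavesdropper captured
    results = {"fixed_first": fixed_car.accept(recorded),
               "fixed_replay": fixed_car.accept(recorded)}  # still accepted: the flaw

    fob, car = Fob(SHARED_KEY), RollingCodeReceiver(SHARED_KEY)
    recorded = fob.press("unlock")
    results["rolling_first"] = car.accept(recorded)
    results["rolling_replay"] = car.accept(recorded)          # rejected: counter consumed
    results["tampered"] = car.accept((recorded[0] + 1, "start", recorded[2]))  # MAC fails
    for _ in range(3):                                         # presses made out of range
        frame = fob.press("unlock")
    results["resync_within_window"] = car.accept(frame)       # counter 4 < 16: accepted
    return results
```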

When not in use, users should store their key fobs in signal-blocking 'Faraday pouches'; however, this won't prevent a determined attacker from eavesdropping on signals while the fob is in use. Consumers should choose Passive Keyless Entry (PKE) over Remote Keyless Entry (RKE), which makes it much harder for an intruder to read or clone the signal because of how close they would need to be to do so.

Russian Hackers Employ Malicious Traffic Direction Systems to Spread Malware

Researchers have discovered possible links between a subscription-based crimeware-as-a-service (CaaS) offering and a cracked copy of Cobalt Strike, which they presume is being offered as a tool for customers to stage post-exploitation operations.

Prometheus is a metrics-based, open-source monitoring and alerting system for cloud applications. Nearly 800 cloud-native companies, including Uber, Slack, and Robinhood, use it.

Prometheus offers convenient observation of a system's state, along with hardware and software metrics such as memory use, network utilization, and application-defined metrics (e.g., the number of failed login attempts to a web application), by scraping real-time information from numerous endpoints.

Prometheus has a deliberate policy of omitting built-in support for security features like authentication and encryption, because the numeric metrics it collects are not deemed sensitive data. This allows the project to focus on monitoring-related functionality. Prometheus is being advertised on Russian underground forums as a traffic direction system (TDS) that allows bulk phishing redirection to rogue landing pages designed to deliver malware payloads to targeted computers, for $250 per month.

"A system of a malicious technology, malicious email circulation, illicit folders across authorized platforms, traffic diversion, and the capacity to deliver infected files are the significant elements of Prometheus," the BlackBerry Research and Intelligence Team stated in a report. 

The redirection comes from one of two places: malicious advertisements on legitimate websites, or websites that have been tampered with to host harmful code. The attack chain begins with a spam email containing an HTML file or a Google Docs page; when opened, it redirects the victim to a compromised website hosting a PHP backdoor, which fingerprints the machine to determine whether to serve the victim malware or redirect them to another page that may contain a phishing scam.

While TDSs aren't a novel concept, the level of sophistication, the support offered, and the low cost lend validity to the hypothesis that this is a trend likely to grow in the threat environment in the near future, the researchers wrote.

Beyond defending against these techniques, anyone running a Prometheus deployment is strongly advised to query its exposed endpoints to check whether sensitive data was exposed before authentication and TLS support were added to Prometheus.

BlackBerry Discovers Initial Access Broker Linked to 3 Different Hacker Groups


The latest report from BlackBerry reveals an initial access broker termed "Zebra2104" with links to three malicious cybercriminal groups, some of which are involved in phishing campaigns and ransomware attacks. The BlackBerry Research and Intelligence team discovered that Zebra2104 provided entry points to the ransomware groups MountLocker and Phobos, and to the StrongPity APT.

The access was used against various organizations in Australia and Turkey, which fell victim to the attacks. StrongPity APT attacked Turkish firms in the healthcare sector and also targeted smaller enterprises. According to BlackBerry, its research suggests either an access broker with a lot of manpower, or actors who have built large hidden traps across the web.

The report also states that an inquiry confirmed MountLocker ransomware was working alongside StrongPity, an APT group that dates back to 2012 and is allegedly Turkish state-sponsored. It might be hard to believe that criminal groups are sharing resources, but the experts found a common link, enabled by a fourth criminal group termed Zebra2104, which the experts believe to be an Initial Access Broker (IAB). According to the experts, there are many more hacking groups working together than are mentioned in this article.

A single domain led the experts down a path where they discovered various ransomware attacks and an APT command-and-control (C2) server. The path turned out to be the infrastructure of an IAB, Zebra2104. IABs generally sell access to the highest bidders on dark web platforms and underground forums. The winning bidder then deploys ransomware or other malware in the target organization's systems, depending on the goals of the attack.

"A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion," reports ZDNet.

Nation States Are Using Cybercrime Groups to Carry Out Attacks, States BlackBerry Threat Report 2021


Nation-states are employing cybercriminals to carry out attacks in order to conceal their own involvement. A security report by BlackBerry researchers indicates that the advent of advanced cybercrime-as-a-service schemes means nations can increasingly cooperate with organizations that carry out attacks for them.

Researchers at BlackBerry stated that nation-state hacking organizations no longer have to do their own work: they can hire criminal cartels to breach targets, with the extra advantage, analysts say, that it is difficult to trace the attack back to them.

Such cybercriminal groups provide malicious services such as phishing, ransomware, or network intrusions, and are paid for their activities once the stolen information or access is handed over to the nation-state that requested the operation. The arrangement has the additional advantage that, because the cybercriminals use their own tooling and tactics to carry out the attack, it is hard to connect the action with the state that requested it.

"The emergence, sophistication, and anonymity of crimeware-as-a-service means that nation-states can mask their efforts behind third-party contractors and an almost impenetrable wall of plausible deniability," warns the BlackBerry 2021 Threat Report.

Researchers point out how advanced cybercriminal campaigns have grown into extensive hacking operations, such as Bahamut. Bahamut, first described by BlackBerry last year, used phishing, social engineering, malicious applications, modified malware, and zero-day attacks, and had been doing so for several years before it was discovered.

Researchers note that Bahamut works for multiple customers, taking the jobs that pay the most, and nation-states have the most money to spend on campaigns. The profiles and geographical spread of its victims are too diverse to match the priorities of any single bad actor.

"Threat actor identification can be challenging for threat researchers due to several factors, such as overlapping infrastructure, disparate targeting, and unusual tactics. This is especially true when only part of a campaign is outsourced," said the report. 

Although networks can be difficult to defend against certain cyber-attacks, companies can apply security practices that help keep out intrusions, such as granting remote access only to those who need it and continuously monitoring the network for unauthorized behavior that is deemed suspicious.