Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label C&C. Show all posts
Ukraine
APT C&C C2 Encryption malware Payload Russian Hackers SSH Threat actors Ukraine

Data Theft Feature Added by Russian Nodaria APT

An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.

The two-stage threat known as graphiron consists of a downloader and a payload. The downloader has the addresses of command-and-control (C&C) servers hardcoded in. It will look for active processes when it is executed and compare them to a blacklist of malware analysis tools.

If no processes on the blacklist are discovered, this will connect to a C&C server, download the payload, and then decrypt it before adding it to autorun. The downloader is set up to run only once. It won't try again or send a signal if it is unable to download and run the payload.

Graphiron shares several characteristics with earlier Nodaria tools like GraphSteel and GrimPlant. Advanced features allow it to execute shell commands, gather system data, files, login passwords, screenshots, and SSH keys. Further, it uses port 443 to communicate with the C2 server, and all communications are encrypted using an AES cipher.

Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.



Read more »
Vulnerability and Exploits
APT actors C&C Chinese Actors CISA & FBI CVE vulnerability NSA SQL Vulnerabilities and Exploits Vulnerability and Exploits

China's Attacks on Telecom Providers Were Exposed by US

 

Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

Several servers are used by China-linked APTs to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask its true location."Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report. 

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing the infrastructure and tools when the campaigns were made public. After stealing credentials to access underlying SQL databases, the attackers utilized SQL commands to discard user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in: 
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781) 
  • DrayTek (CVE-2020-8515) 
  • D-Link (CVE-2019-16920) 
  • Fortinet (CVE-2018-13382) 
  • MikroTik (CVE-2018-14847) 
  • Netgear (CVE-2017-6862) 
  • Pulse ( (CVE-2020-29583) 

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate proof of its presence and avoid discovery. Security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure which no longer receives security patches should be replaced, according to federal agencies.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.
Read more »
WinRAR
Bitcoin C&C Crypto-Mining DLL malware P2P Botnets Symantec Trojan Attacks WinRAR

Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale operation of Clipminer, a new cryptocurrency mining virus that netted its users at least $1.7 million in transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and harvest cryptocurrency on affected computers. Researchers were taken aback by the new malware because it had fast grown in size by the time it was discovered. According to the Symantec team, these operations involved 4375 bitcoin wallet addresses that received stolen monies from victims.

Downloads or pirated software, are used to spread malware; malicious clipminer botnet files are distributed over torrent sites and other pirating methods. This bitcoin miner can be installed on the machine as a WinRAR archive, which will immediately start the extraction process and launch the control panel file, leading to the download of the dynamic link library. 

The infected DLL creates registry values and installs malware in several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner's payload can be downloaded and installed afterward. The system receives identification, which is sent on to the C&C server, which then sends out a request for the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has been successfully executed, scheduled actions are set up to ensure the malware's persistence. To avoid re-infecting the same host, registry modification is also performed.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Ever since the malware has spread over P2P networks, torrent indexers, YouTube videos, and through game and pirated software cracks. To avoid becoming infected with Clipminer or other malware, avoid downloading software from unknown sources. Verify the entered cryptocurrency wallet address before initiating the transaction to protect yourself from a clipboard hijacker.
Read more »
RDP Flaw
Botnets C&C Cyber SecurityTrojan Attacks Kaspersky Phishing and Spam RDP Flaw

Small Businesses Remain Vulnerable, With Rising Cyberattacks

 

Small businesses are three times more likely than big corporations to fall prey to scammers in 2021. A single cyberattack's average loss has risen from $34,000 to just about $200,000. These businesses have had to deal with legal bills, compliance penalties, reputational harm, and client loss in addition to cash losses. Many small enterprises are unable to recover from these setbacks.

Kaspersky Lab researchers tracked the amount of Trojan-PSW (Password Stealing Ware) detections in 2022: 4,003,323 versus 3,029,903, up nearly a quarter from the same period in 2021. Trojan-PSW is malware that collects passwords and other account information, allowing attackers to gain access to a company's network and steal important information. Web malware has been particularly bad in Indonesia, the United States, Peru, and Egypt, with the number of incidents in these nations growing several times in the last year.

Several firms have adopted the Remote Desktop Protocol (RDP), a technology that allows computers on the same corporate network to be linked together and accessed remotely, even when employees are at home. However, because RDP is of particular interest to cybercriminals, if an attacker gains access to the corporate network through RDP, they can commit fraud on any of the company's PCs that have been linked. 

The general number of RDP attacks has fallen marginally, but not across the board. There were around 47.5 million attacks in the first trimester of 2021 in the United States, compared to 51 million in the same period in 2022. 

Advanced security services might include built-in training to keep IT professionals informed about the latest cyberthreats. Business owners can transform themselves into sought-after cybersecurity specialists by investing in training and education. 

These specialists will be able to understand how threats may affect their organization and change technological and organizational cybersecurity measures accordingly. Experts at Kaspersky recommend investing in an advanced security product that can perform incident analysis. 

These authorities can figure out where and how a leak happened, they will be better equipped to deal with any unwanted ramifications. Kaspersky Endpoint Security Cloud Pro is a new edition of Kaspersky Endpoint Security Cloud that includes advanced new features such as automated response options and an expanded range of security controls in a single solution. 

Along with all the more ground capabilities, Cobb, the security consultant, recommends that businesses invest in three extra protection measures: 
  • Data backup solution: This ensures that information that has been compromised or lost during a breach can be easily restored from a different place. 
  • Businesses may consider adopting encryption software to protect sensitive data such as employee records, client/customer information, and financial statements. 
  • Password-security software or two-step authentication: To limit the likelihood of password cracking, use these technologies with internal programs.
Read more »
US Government
Advertisement Botnet C&C Fraud malware Swiss US Government

 US Reclaimed $15 Million From an Ad Fraud Operation

 

The US government has recovered more than $15 million in earnings from the 3ve digital advertising fraud enterprise, which cost firms more than $29 million in unviewed ads. 

Sergey Ovsyannikov, Yevgeniy Timchenko, and Aleksandr Isaev, according to the Justice Department, accessed more than 1.7 million infected computers between December 2015 and October 2018, using tens of command and control (C&C) servers as the Kovter botnet, a click-fraud malware would quietly run in the background while connecting to sites to consume advertisements. 

A forfeiture order, according to the Justice Department, resulted in the transfer of $15,111,453.84 from Swiss bank accounts to the US government. The technique resulted in the falsification of billions of ad views and the spoofing of over 86,000 domains. According to the US Department of Justice, groups paid over $29 million for advertising never seen by real people. 

Ovsyannikov and Timchenko were arrested in 2018, pleaded guilty, and sentenced to jail terms in the United States. For this role in 3ve (pronounced "Eve"), Isaev and five others are accused of money laundering, wire fraud, computer intrusion, and identity theft, yet they stay free. 

The US also charged Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, and Dmitry Novikov, five Russian citizens, with running the Methbot ad fraud scheme, which is thought to have netted the fraudsters more than $7 million in illegal gains. 

"This forfeiture is the greatest international cybercrime recovery in the Eastern District of New York's history," said United States Attorney Peace in a press statement.
Read more »
TrickBot
BazarLoader C&C Conti Ransomware cybercriminals Data Breach Encrypted Files Russian Hackers TrickBot

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by a known Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries. 

The Fortune 250 business said in a legal statement on Tuesday, the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been summoned to help. Although the investigation is ongoing, the company announced some data, including employee personal information, was accessed and taken. 

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry." 

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly comprising papers stolen from Parker have been leaked by the hacker group. However, this could only be a small percentage of the data they've obtained; as per the Conti website, only 3% of the data theft has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and avoid stolen information from being leaked. 

Conti ransomware is a very destructive malicious actor because of how quickly it encrypts data and transfers it to other computers. To gain remote access to the affected PCs, the organization is using phishing attempts to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.
Read more »
Ukraine
C&C Conti Ransomware malware RaaS Russian Hacker Ukraine

Ukrainian Security Researcher  Source Code for New Conti Malware Has Been Exposed

 

The source code of a fresh version of the Conti ransomware has been disclosed by a Ukrainian security researcher. This is the latest in a string of leaks sparked by the criminal group's support for Russia. Conti is a ransomware gang based in Russia which uses a ransomware-as-a-service (RaaS) business model. While some ransomware demands are in the millions of dollars, Coveware thinks the average Conti demand is just over $765,000. 

The renowned Conti ransomware organization published a statement soon after Russia launched its incursion of Ukraine, warning this was prepared to strike the key infrastructure of Russia's adversaries in revenge for any assaults on Russia. 

In response, an anonymous user created the "Conti Leaks" Twitter account and began distributing materials supposedly stolen from the cybercrime ring. The first set of disclosures included correspondence sent within the Conti organization in the preceding year. More chat logs, credentials, email addresses, C&C server information, and source code for the Conti ransomware and other malware were included in the second phase. 

After a period of inactivity of more than two weeks, the Twitter account resurfaced over the weekend, releasing what looks to be the source code for a newer version of Conti. Previously, some speculated that the leaker was a Ukrainian security researcher, while others speculated that he was a rogue employee of the Conti group. Messages were leaked and shared. 

The discharge of ransomware source code, particularly for advanced operations such as Conti, can have catastrophic consequences for corporate networks and consumers. This is due to the fact other threat actors frequently exploit the disclosed raw code to create their own ransomware attacks. In the past, a researcher released the source code for ransomware called 'Hidden Tear,' which was soon adopted by several threat actors to begin various operations.
Read more »
Teamviewer
APT actors C&C DNS Hacking ESET Illegal spying Iranian hackers malware Teamviewer

Iranian Hackers Employed a New Marlin Backdoor in a Surveillance Operation 

 

Iranian hackers are using the New Marlin backdoor as part of a long-running surveillance operation that began in April 2018. ESET, a Slovak cybersecurity firm, linked the attacks, entitled "Out to Sea," to a threat actor known as OilRig (aka APT34), firmly linking its actions to another Iranian group known as Lyceum as well (Hexane aka SiameseKitten).

Since 2014, the hacking organization has attacked Middle Eastern governments as well as a range of industry verticals, including chemical, oil, finance, and telecommunications. In April 2021, the threat actors used an implant dubbed SideTwist to assault a Lebanese company. 

"Victims of the campaign include diplomatic institutions, technological businesses, and medical organizations in Israel, Tunisia, and the United Arab Emirates," according to a report by ESET.

Lyceum has previously conducted campaigns in Israel, Morocco, Tunisia, and Saudi Arabia to single out IT companies. Since the campaign's discovery in 2018, the Lyceum infecting chains have developed to drop many backdoors, starting with DanBot and progressing to Shark and Milan in 2021. Later attacks, utilizing a new data harvesting virus dubbed Marlin, were detected in August 2021. 

The hacking organization discarded the old OilRig TTPs, which comprised command-and-control (C&C) connections over DNS and HTTPS. For its C2 activities, Marlin relies on Microsoft's OneDrive API. ESET identified parallels in tools and tactics between OilRig's backdoors and those of Lyceum as "too numerous and specific," stating the initial access to the network was gained through spear-phishing and management applications like ITbrain and TeamViewer. 

"The ToneDeaf backdoor connected with its C&C primarily over HTTP/S, but featured a secondary route, DNS tunneling, which did not work effectively," the researcher indicated. "Shark has similar problems, with DNS as its primary communication channel and an HTTP/S secondary one which isn't working." 

Marlin randomly selects the executable code's internal structure, denying the attacker a comprehensive assessment of instruction addresses needed to build the intended exploit payload. The findings also revealed the usage of several folders in a backdoor's file menu for sending and receiving data from the C&C server, the concurrent use of DNS as a C&C communication route while also utilizing HTTP/S as a backup communication mechanism.
Read more »
Subscribe to: Posts (Atom)