Posts with label Command and Control (C2)

Rising Threat: Hackers Exploit Microsoft Graph for Command-and-Control Operations

 


Recently, nation-state espionage groups have begun tapping into native Microsoft services for their command-and-control (C2) operations. Surprisingly, several groups, unrelated to each other, have reached the same conclusion: it is smarter to leverage Microsoft's services than to create and manage their own infrastructure. This approach saves them money and hassle, and it also lets their malicious activity blend in more seamlessly with regular network traffic. Microsoft Graph plays a major role in this.
 
Microsoft Graph is a toolbox for developers, offering an interface to data such as emails, calendars, and files stored in Microsoft's cloud services. While it is harmless in its intended use, it has also become a tool for hackers to set up their command-and-control (C2) infrastructure on those same cloud services. Recently, Symantec found a new piece of malware called "BirdyClient" being used against an organization in Ukraine. This malware uses the Graph API to upload and download files through OneDrive. However, we are still waiting to hear from Microsoft about this.
 
O'Brien emphasizes that organizations must be vigilant regarding unauthorized cloud account usage. Many individuals access personal accounts, such as personal OneDrive, from work networks, which poses a risk because it makes malicious activity harder to detect. To mitigate this risk, organizations should ensure that connections are limited to their enterprise accounts and implement strict access controls.

In response to the concerning trend of hackers exploiting Microsoft Graph for command-and-control operations, organizations must prioritize proactive measures to fortify their cybersecurity posture. Firstly, staying vigilant with updates and patches for all Microsoft applications, particularly those related to Microsoft Graph, is imperative. Regularly monitoring network traffic for any anomalies or unauthorized access attempts can also help in the early detection of suspicious activities. Implementing robust access controls and multi-factor authentication protocols can significantly mitigate the risk of unauthorized access to sensitive data through Microsoft Graph. 
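One concrete way to enforce the "enterprise accounts only" recommendation above is to inspect Graph API calls at a TLS-inspecting web proxy and flag any bearer token that was not issued by the organization's own tenant. The following Python is an added example written for this page (it is not Symantec's detection logic and not part of any Microsoft tooling). It assumes the proxy logs the `Authorization` header, which many proxies do not by default; the tenant IDs, client addresses and tokens are constructed placeholders, and the tokens are deliberately unsigned because only the `tid` claim is inspected here.

```python
import base64
import json
from typing import Dict, List, Optional

# Placeholders: replace with the organisation's own Entra ID tenant ID(s).
ENTERPRISE_TENANTS = {"11111111-1111-1111-1111-111111111111"}
GRAPH_HOSTS = {"graph.microsoft.com"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> Optional[Dict]:
    """Read a JWT's claims without verifying it; the proxy only needs the issuing tenant."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def flag_foreign_tenant_graph_calls(records: List[Dict]) -> List[Dict]:
    """Return Graph requests whose bearer token was not issued by an allow-listed tenant.

    A missing or malformed token is reported too: Graph calls from the corporate
    network should always carry a token from a known tenant.
    """
    findings = []
    for rec in records:
        if rec["host"] not in GRAPH_HOSTS:
            continue
        auth = rec.get("authorization", "")
        claims = jwt_claims(auth[7:]) if auth.lower().startswith("bearer ") else None
        tid = claims.get("tid") if claims else None
        if tid not in ENTERPRISE_TENANTS:
            findings.append({"src": rec["src"], "method": rec["method"],
                             "path": rec["path"], "tid": tid})
    return findings


# --- Constructed sample data (placeholder tenants, unsigned tokens) -----------------
def make_unsigned_token(claims: Dict) -> str:
    """Build a JWT-shaped string with a dummy signature, purely for the sample log."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"


OTHER_TENANT = "22222222-2222-2222-2222-222222222222"

SAMPLE_LOG = [
    # Mail access with a token from the enterprise tenant: expected, not flagged.
    {"src": "10.0.0.5", "host": "graph.microsoft.com", "method": "GET",
     "path": "/v1.0/me/messages",
     "authorization": "Bearer " + make_unsigned_token({"tid": next(iter(ENTERPRISE_TENANTS))})},
    # OneDrive upload with a token from a foreign tenant: the pattern described above.
    {"src": "10.0.0.9", "host": "graph.microsoft.com", "method": "PUT",
     "path": "/v1.0/me/drive/root:/sync/report.bin:/content",
     "authorization": "Bearer " + make_unsigned_token({"tid": OTHER_TENANT})},
    # Graph call with a malformed token: flagged with tid=None.
    {"src": "10.0.0.11", "host": "graph.microsoft.com", "method": "GET",
     "path": "/v1.0/me/drive/root/children", "authorization": "Bearer not-a-jwt"},
    # Unrelated host: ignored.
    {"src": "10.0.0.7", "host": "www.example.invalid", "method": "GET", "path": "/",
     "authorization": ""},
]

if __name__ == "__main__":
    for hit in flag_foreign_tenant_graph_calls(SAMPLE_LOG):
        print(hit)
```

The check does not validate signatures, which is fine for a monitoring use case but means a forged `tid` would pass; a proxy that can verify the token against the tenant's signing keys should do so before trusting the claim.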

Additionally, conducting thorough employee training programs to raise awareness about the potential threats posed by such exploits and promoting a culture of cybersecurity consciousness throughout the organization are indispensable steps in bolstering defenses against cyber threats. By adopting these preventive measures, organizations can effectively safeguard their systems and data from the nefarious intentions of cyber adversaries.

Hackers Drain Wallets via Cracked macOS Apps using Scripts Accessed From DNS Records


Hackers have found another clever way to transfer information-stealing malware to macOS users, apparently through DNS records that could hide malicious scripts.

The attack targets macOS Ventura and later, and relies on cracked applications repackaged as PKG files that include a trojan.

Attack details

The attack was discovered by researchers at Kaspersky, following which they analyzed the stages of the infection chain. 

When downloading an application or folder, victims follow the installation instructions, unaware that they are actually executing the malware. They then open the bogus Activator window, which asks for the administrator password.

After acquiring permission, the malware uses the 'AuthorizationExecuteWithPrivileges' method to execute a 'tool' executable (Mach-O). If Python 3 is not already installed on the system, it installs it under the guise of "app patching."

The malware then contacts its C2 server, at a site named 'apple-health[.]org,' in order to obtain a base64-encoded Python script that is designed to run arbitrary commands on the targeted device.

Researchers discovered that the attacker employed a clever technique to reach the C2 server at the right URL: a third-level domain name consisting of a random string of five letters and words from two hardcoded lists.

In this way, the attacker was able to conceal the activity in ordinary-looking traffic: the Python script payload was downloaded disguised as TXT records from the DNS server, and such requests look routine.

Three TXT entries, each a base64-encoded portion of an AES-encrypted message containing the Python script, were included in the DNS server's response.
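The delivery trick described above has a recognisable shape from the defender's side: a TXT answer set made of several records that are each nothing but base64, and that decode to one large high-entropy blob (ciphertext), unlike SPF, DKIM or verification records, which carry prefixes and separators. The following Python scores DNS TXT responses on exactly that shape. It is an added example written for this page, not Kaspersky's tooling and not anything from the campaign; the domain names, the fake "ciphertext" (deterministic pseudo-random bytes) and the thresholds are constructed assumptions, and benign policy records are included to show they are not flagged.

```python
import base64
import binascii
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# A TXT string that is *only* base64 (no "v=spf1", "k=rsa;" or "name=value" prefixes).
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_if_base64(txt: str) -> Optional[bytes]:
    """Return the decoded bytes when the whole record is a clean base64 blob, else None."""
    if len(txt) < 16 or len(txt) % 4 or not _B64_RE.match(txt):
        return None
    try:
        return base64.b64decode(txt, validate=True)
    except binascii.Error:
        return None


def score_txt_response(qname: str, txt_records: Sequence[str],
                       min_bytes: int = 256, min_entropy: float = 6.0) -> Optional[Dict]:
    """Flag an answer set whose records all decode to one large, high-entropy blob.

    Policy records (SPF, DKIM, verification tokens) contain prefixes or separators
    that are not base64, so a single such record clears the whole response.
    """
    chunks = [decode_if_base64(r) for r in txt_records]
    if not chunks or any(c is None for c in chunks):
        return None
    blob = b"".join(c for c in chunks if c is not None)
    entropy = shannon_entropy(blob)
    if len(blob) < min_bytes or entropy < min_entropy:
        return None
    return {"qname": qname, "chunks": len(chunks), "bytes": len(blob),
            "entropy": round(entropy, 2)}


def scan(responses: Sequence[Tuple[str, Sequence[str]]]) -> List[Dict]:
    """Run the heuristic over (qname, txt_records) pairs and return the findings."""
    return [f for f in (score_txt_response(q, r) for q, r in responses) if f]


# --- Constructed sample data (not real campaign artifacts) -------------------------
# Stand-in for an AES-encrypted script: 640 deterministic pseudo-random bytes.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))


def chunk_b64(data: bytes, parts: int) -> List[str]:
    """Split data into `parts` pieces and base64-encode each piece separately."""
    size = -(-len(data) // parts)  # ceiling division
    return [base64.b64encode(data[i:i + size]).decode() for i in range(0, len(data), size)]


SAMPLE_RESPONSES = [
    # Constructed C2-style lookup: random-looking third-level label, three base64 chunks.
    ("qzvke-alpha-bravo.example.invalid", chunk_b64(FAKE_CIPHERTEXT, 3)),
    # Ordinary policy records that must not be flagged.
    ("example.invalid", ["v=spf1 include:_spf.example.invalid -all"]),
    ("sel._domainkey.example.invalid",
     ["v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 96).decode()]),
    ("example.invalid", ["site-verification=" + "A" * 43]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding)
```

Run it against passive-DNS or resolver logs after joining multi-string TXT records into one string per record. The entropy and size thresholds are the tuning knobs: a lone base64 public key in a TXT record can trip the entropy test, which is why the example also requires a minimum decoded size, and a small number of hits per day is usually cheap to triage by querying name.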

This first Python script served as a downloader for a second Python script that captures and sends information about the compromised system, including the CPU type, installed apps, directory listings, operating system version, and external IP address.

Kaspersky notes that during their analysis, the C2 provided upgraded copies of the backdoor script, indicating continuing development, but they did not observe command execution, so this capability might not have been deployed yet.

Additionally, two functions in the downloaded script search the compromised system for Bitcoin Core and Exodus wallets; if they are detected, they replace the original wallets with backdoored versions obtained from 'apple-analyzer[.]com.'

The code in the compromised wallets transmits to the attacker's C2 server the seed phrase, password, name, and balance.

Users usually do not get suspicious when their wallet app suddenly asks them to re-enter their wallet details, making them vulnerable to getting their wallets emptied. 

The Kaspersky study lists the cracked software used in this campaign as indicators of compromise. According to the researchers, these applications "are one of the easiest ways for malicious actors to get to users' computers."

While using cracked programs to trick users into downloading malware is a popular attack vector, the campaign that Kaspersky examined demonstrates that threat actors are sufficiently crafty to devise novel ways of delivering the payload, such as concealing it in a DNS server's domain TXT record.  

XWorm Malware Exploits Critical Follina Vulnerability in New Attacks

Security researchers have identified a new wave of attacks using the XWorm malware that exploits the Follina vulnerability. XWorm is a remote access trojan (RAT) that has been previously linked to state-sponsored Chinese hacking groups. The Follina vulnerability is a critical vulnerability in Microsoft Windows systems that was first disclosed in 2022.

The XWorm malware uses Follina to spread across networks and exfiltrate sensitive information. The malware can also open a backdoor to allow attackers to gain remote access to compromised systems. The attacks have been observed targeting a range of organizations in different sectors, including finance, healthcare, and government.

According to security experts, the XWorm malware is particularly dangerous because it can bypass traditional security measures. The malware can evade detection by anti-virus software and firewalls, making it difficult to detect and remove. Moreover, the Follina vulnerability is easily exploitable, and attackers can use it to gain access to vulnerable systems with minimal effort.

The XWorm malware is usually delivered through phishing emails or through exploit kits. Once a user clicks on a malicious link or opens a malicious attachment, the malware is installed on the victim's system. The malware then establishes communication with a command and control (C&C) server, allowing attackers to remotely control the infected machine.

To protect against the XWorm malware, security experts recommend that organizations apply the latest security patches and updates to their operating systems. They also advise users to be cautious when opening emails and attachments from unknown sources. Additionally, organizations should implement multi-factor authentication, network segmentation, and strong password policies to reduce the risk of unauthorized access.

The XWorm malware is a potent threat that exploits the Follina vulnerability to spread across networks and steal sensitive data. Organizations need to remain vigilant and take appropriate measures to protect their systems and data from such attacks.

WordPress Sites Hit by New Linux Malware

According to an analysis by cybersecurity company Dr. Web, WordPress-based websites are being targeted by an unidentified Linux malware variant.

Identified as Linux.BackDoor.WordPressExploit.1, the Trojan targets 32-bit Linux versions, although it can also run on 64-bit versions. The malware exploits 30 vulnerabilities in numerous outdated WordPress plugins and themes.

Its primary purpose is to inject malicious JavaScript into the pages of websites running the WordPress content management system (CMS). Based on Doctor Web's study of the unearthed trojan, the malware may be the tool that attackers have used for more than three years to carry out targeted attacks and to earn money from reselling traffic (arbitrage).

Malicious actors operate the Trojan remotely by sending its command and control (C&C) server the URL of the site they want to infect. Threat actors can also remotely disable the malware, shut it down, and stop it from logging its activity.

The researchers described how the process works: if a plugin or theme vulnerability is present, the injection is performed so that, irrespective of the original contents of the page, the JavaScript runs first when the infected page loads. When users click any part of the compromised website, they are redirected to the attackers' preferred website.

Additionally, it can take advantage of many plugins' flaws, including the Brizy WordPress Plugin, the FV Flowplayer Video Player, and the WordPress Coming Soon Page.

According to Dr. Web, both Trojan variants include unreleased, not yet active functionality for brute-forcing the administrator access of selected websites by applying well-known logins and passwords together with specialized vocabulary.

The researchers warned that the attackers may enable this feature in future iterations of the malware. If so, cybercriminals would be able to successfully attack even some websites that run current plugin versions with patched vulnerabilities.

WordPress is reportedly used by 43% of websites, making it a CMS that cybercriminals aggressively target. Dr. Web recommends that WordPress website owners update all parts of their platforms, including any third-party add-ons and themes, and use secure passwords for their accounts.

WordPress: New Linux Malware Exploits Over Two Dozen CMS Vulnerabilities


Recently, WordPress websites have been attacked by a previously unidentified Linux malware strain that compromises vulnerable systems by exploiting flaws in over twenty plugins and themes.

In the attacks, a list of 19 plugins and themes with known security flaws is weaponized to deploy an implant that can target a specific website in order to extend the network's reach.

"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts […] As a result, when users click on any area of an attacked page, they are redirected to other sites," says Russian security vendor Doctor Web, in a report published last week. 

Additionally, Doctor Web says it has identified a new version of the backdoor that apparently uses a new command-and-control (C2) domain and an updated list of vulnerabilities covering 11 additional plugins, bringing the total to 30.

While it is still unclear whether the second version is a remnant of the earlier version or functionality that is yet to be enabled, both variants include an unimplemented method for brute-forcing WordPress administrator accounts.

"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said. 

Moreover, WordPress users are advised to keep all components of the platform updated, including third-party add-ons and themes, and to use robust, unique logins and passwords to protect their accounts.

5 Methods Hackers Use to Overcome Cloud Security

Nearly every major company has used cloud computing to varying degrees in its operations. To protect against the biggest threats to cloud security, the organization's cloud security policy must be able to handle the integration of the cloud.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is the primary focus of each of these hacking operations at present, some of their methods may be applied to more malicious aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, disabled data encryption, and various other issues are the usual vulnerabilities. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

The Denonia malware targets cloud serverless systems that use AWS Lambda. Denonia uses DNS over HTTPS (DoH), sending its DNS requests to DoH-based resolvers over HTTPS. The encrypted channel hides the attackers' fraudulent DNS lookups from AWS, so the malware's resolution activity never triggers AWS alerting.

The attackers also seem to have added hundreds of lines of user-agent HTTPS query strings as distractions to divert or confuse security investigators. Analysts also claim that the malware found a way to buffer the binary in order to evade man-in-the-middle (MITM) inspection and endpoint detection and response (EDR) systems.

3. CoinStomp malware 

CoinStomp is cloud-native malware that targets cloud security providers in Asia for cryptojacking. To integrate into the Unix environments of cloud systems, it uses a C2 channel based on a /dev/tcp reverse shell. The script then uses root privileges to install and run additional payloads as system-wide services.

4. WatchDog Cryptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero cryptocurrency coins. WatchDog mining malware consists of a multi-part Go Language binary set. One binary emulates the Linux WatchDog daemon mechanism. 

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with the malware known as Mirai, a system of remotely operated bots is created. DDoS attacks are frequently carried out via botnets.

The Mirai malware is designed to attack weaknesses in smart devices and connect them into an infected device network called a botnet, exploiting the Linux OS that many Internet of Things (IoT) devices run on.

The WAF did not recognize the new SQL injection payload that Claroty researchers created, yet it was acceptable for the database engine to analyze. They did this by using a JSON syntax. All of the affected vendors responded to the research by including JSON syntax support in their products, but Claroty thinks additional WAFs may also be affected.


Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, threat actors have continued to target Raspberry Robin victims, indicating that the worm's creators have sold access to the infected devices to ransomware gangs.

Raspberry Robin is malware that infects Windows systems via infected USB devices. It is also known as QNAP Worm due to the usage of compromised QNAP storage servers for command and control.

Raspberry Robin has been used to distribute the Bumblebee malware loader, the Truebot trojan, and the IcedID banking trojan, also known as BokBot. Microsoft analysts say that hackers have also used it to launch the LockBit and Clop ransomware on compromised computers.

The FakeUpdates malware, which resulted in DEV-0243 activity, was installed on Raspberry Robin-infected devices in July 2022, according to a report from Microsoft. DEV-0243 is a ransomware-focused threat actor with ties to EvilCorp that is also thought to have used the LockBit ransomware in some campaigns.

A malicious payload associated with Raspberry Robin has reportedly been the subject of at least one alert on almost 3,000 devices across 1,000 companies, according to data gathered by Microsoft's Defender for Endpoint product over the past 30 days.

When Raspberry Robin-infected devices were updated with the FakeUpdates backdoor earlier in July, Microsoft analysts discovered Evil Corp's pre-ransomware behavior on those networks. The activity was linked to the access broker monitored as DEV-0206, and it was seen during that time period.

In September, IBM's Security X-Force discovered additional linkages between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further speculated that the operators of the malware campaigns linked to Raspberry Robin are paying the worm's operators for payload distribution, which lets them avoid phishing as a method of acquiring new victims. According to Microsoft, the malware is expected to develop into a severe threat.

Evolution of LilithBot Malware and Eternity Threat Group

A variant of the versatile malware LilithBot was recently uncovered by ThreatLabz in its database. This was connected to the Eternity group, also known as the Eternity Project, a threat entity affiliated with the Russian Jester Group, which has been operating since at least January 2022, according to further investigation.

In the darknet, Eternity disseminates many malware modules bearing the Eternity name, such as a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.

LilithBot Malware

The LilithBot samples found were distributed through a dedicated Telegram group and a Tor link that offered one-stop shopping for these multiple payloads. In addition to its primary botnet activity, it included built-in stealer, clipper, and miner capabilities.

The LilithBot multipurpose malware bot was discovered by Zscaler's ThreatLabz threat research team in July 2022 and was being offered as a subscription by the Eternity organization. In this campaign, the threat actor adds the user to its botnet and then steals files and user data by sending it via the Tor network to a command-and-control (C2) server. The malware in this campaign performs the functions of a stealer, miner, clipper, and botnet while using false certificates to avoid detection.

This malware-as-a-service (MaaS) is unusual because, in addition to using a Telegram channel to share updates on the latest features, it also uses a Telegram Bot to let customers create the binary. Common cryptocurrencies accepted by Eternity for payments include BTC, ETH, XMR, USDT, LTC, DASH, ZEC, and DOGE. Eternity often conducts business via Telegram.

On request, the group builds malware with add-on functionality and offers customized variants. The malware costs between $90 and $470 (USD). The Eternity Telegram channel shows the frequent upgrades and improvements the team makes to its services.

The Eternity gang frequently refers users to a dedicated Tor link where a detailed description of their various malware and features can be found. The Tor link leads to the homepage, which describes the different products and modules for sale. The targeted user's files and documents are encrypted by the ransomware, and a video explaining how to build the ransomware payload is available on the Tor page. Ransomware is the most expensive item on sale. Pricing as listed:
  • Eternity Stealer ($260 per year)
  • Eternity Miner ($90 per year)
  • Eternity Clipper ($110)
  • Eternity Ransomware ($490)
  • Eternity Worm ($390)
  • Eternity DDoS Bot (N/A)

It is adaptable to the unique needs of clients and can constantly be updated at no further cost. They also provide their clients with numerous additional discounts and perks.

It is possible that the group still performs these tasks as LilithBot has evolved, but in more complex ways, for example by performing them dynamically, encrypting the tasks like other parts of the code, or employing other advanced techniques.

A genuine Microsoft-signed file carries a certificate issued by the 'Microsoft Code Signing PCA' certificate authority and also shows a countersignature from Verisign. LilithBot's bogus certificates, by contrast, lack a countersignature and appear to have been issued by an unverified 'Microsoft Code Signing PCA 2011'.