RedTail Cryptominer Exploits Critical Zero-Day in PAN-OS

A new wave of cyberattacks has been reported, leveraging a critical zero-day vulnerability in Palo Alto Networks’ firewall software, PAN-OS. The flaw, identified as CVE-2024-3400 and assigned a maximum CVSS score of 10.0, enables unauthenticated attackers to execute arbitrary code with root privileges, significantly compromising the security of affected systems. 

Researchers from Akamai have observed that the RedTail cryptomining malware is exploiting this vulnerability. The malware is notably sophisticated, exhibiting a deep understanding of cryptomining operations. Unlike typical cryptomining software that uses public mining pools, RedTail’s operators have established private mining pools or proxies. This approach allows for greater control over mining outcomes despite the higher operational and financial costs involved. 

Updated Tools and Techniques: The latest version of RedTail, active since late April, includes several updated tools:

Encrypted Mining Configuration: adds a layer of security and obfuscation to the malware's operations.

Self-Process Debugging: a tactic to evade analysis and hinder detection.

Cron Job Integration: ensures persistence by automatically restarting the malware after the system reboots.

Usage of RandomX Algorithm: boosts mining efficiency.

Alteration of System Configuration: employs hugepages to optimize memory usage and performance.
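Two of the items above, cron-based persistence and the hugepages change, leave host artifacts a defender can check for. The following Python is an added example written for this page, not code from Akamai or from the RedTail analysis: it parses crontab-format text, flags scheduled jobs whose program lives in a world-writable temporary directory or a hidden path, and compares the contents of /proc/sys/vm/nr_hugepages against an expected baseline. The crontab lines and the list of suspicious directories are constructed for the example; the paths and file names are hypothetical and are not RedTail indicators.

```python
import re
from typing import List, Tuple

# Constructed sample crontab for this example; the paths are hypothetical,
# not indicators taken from the page or from any RedTail sample.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/apt-get update -q
@reboot /usr/local/bin/backup.sh
@reboot /tmp/.x/rt >/dev/null 2>&1
*/5 * * * * /dev/shm/.s/loop.sh
@daily /home/ops/.cache/.m/run
"""

# Directories from which a legitimately scheduled job rarely runs.
# Hypothetical list chosen for this example; tune it to your fleet.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs from crontab-format text.

    Comment lines, blank lines and VAR=value environment assignments are
    skipped. '@reboot'-style schedules are one token; otherwise the first
    five whitespace-separated fields are the time specification.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # e.g. SHELL=/bin/sh
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append((parts[0], parts[1]))
        else:
            parts = line.split(None, 5)
            if len(parts) == 6:
                entries.append((" ".join(parts[:5]), parts[5]))
    return entries


def command_path(command: str) -> str:
    """First token of the command, i.e. the program cron will execute."""
    return command.split()[0]


def is_hidden_path(path: str) -> bool:
    """True if any path component starts with a dot (e.g. /tmp/.x/rt)."""
    return any(part.startswith(".") for part in path.split("/") if part)


def flag_persistence(text: str) -> List[dict]:
    """Return cron entries that carry a location-based indicator.

    A plain @reboot job from a normal system directory is common and is
    not reported on its own; boot-time scheduling is only recorded as an
    extra reason when the program path is itself suspicious.
    """
    findings = []
    for schedule, command in parse_crontab(text):
        path = command_path(command)
        reasons = []
        if schedule == "@reboot":
            reasons.append("runs at boot")
        if path.startswith(SUSPICIOUS_DIRS):
            reasons.append("world-writable temp location")
        if is_hidden_path(path):
            reasons.append("hidden path component")
        if reasons and reasons != ["runs at boot"]:
            findings.append({"schedule": schedule, "path": path, "reasons": reasons})
    return findings


def hugepages_changed(nr_hugepages_content: str, expected: int = 0) -> bool:
    """Compare the text of /proc/sys/vm/nr_hugepages with a known baseline.

    Most general-purpose hosts keep this at 0; a non-zero value that nobody
    provisioned is worth an explanation, since RandomX-style miners benefit
    from hugepages.
    """
    return int(nr_hugepages_content.strip()) != expected


if __name__ == "__main__":
    for finding in flag_persistence(SAMPLE_CRONTAB):
        print(finding)
    # On a live host you would read the file instead of using a literal:
    # with open("/proc/sys/vm/nr_hugepages") as fh: hugepages_changed(fh.read())
    print("hugepages altered:", hugepages_changed("1280\n"))
```

To use this on a real host, feed it the output of `crontab -l` for each user together with the files under /etc/cron.d, and read /proc/sys/vm/nr_hugepages directly; the baseline passed to `hugepages_changed` should come from your build standard rather than the default of 0 if you deliberately provision hugepages for databases or similar workloads.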

Akamai's security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik reported, "There are many glossy cryptominers out there, but seeing one with this level of polish is uncommon. The investments required to run a private cryptomining operation are significant, including staffing, infrastructure, and obfuscation. This sophistication may be indicative of a nation-state-sponsored attack group. For any business, there is ongoing testing and evolution to ensure that the product (in this case, malware) is successful, which is unlikely to be done without some type of substantial financial backing. The malware was likely quite profitable if it garnered this degree of attention from a sophisticated group."

It Is Not Done Yet 

The threat actors behind RedTail are not solely dependent on the PAN-OS vulnerability. They also exploit various other vulnerabilities across different platforms and devices, including SSL-VPNs, IoT devices, web applications, and security appliances like Ivanti Connect Secure. 

What Can You Do?

In response to this threat, Akamai advises using the Akamai App & API Protector for enhanced security measures. Organizations should identify and patch all vulnerable Palo Alto devices to mitigate the risk posed by the CVE-2024-3400 flaw. Hardening devices against various types of cyberattacks, including web platform attacks, command injections, and local file inclusion, is recommended.

Cryptocurrency Engineers Targeted by New macOS Malware 'KandyKorn'


A newly identified macOS malware called 'KandyKorn' has been discovered in a cyber campaign linked to the North Korean hacking group Lazarus. The targets of this attack are blockchain engineers associated with a cryptocurrency exchange platform.

The attackers are using Discord channels to pose as members of the cryptocurrency community and distribute Python-based modules. These modules initiate a complex KandyKorn infection process.

Elastic Security, the organization that uncovered the attack, has linked it to Lazarus based on similarities with their previous campaigns, including techniques used, network infrastructure, code-signing certificates, and custom detection methods for Lazarus activity. 

The attack starts with social engineering on Discord, where victims are tricked into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip.' This archive contains a Python script ('Main.py') that imports 13 modules, triggering the first payload, 'Watcher.py.' 

Watcher.py downloads and executes another Python script called 'testSpeed.py' and a file named 'FinderTools' from a Google Drive URL. FinderTools then fetches and runs an obfuscated binary named 'SugarLoader,' which appears as both .sld and .log Mach-O executables.

SugarLoader establishes a connection with a command and control server to load the final payload, KandyKorn, into memory.

In the final stage, a loader known as HLoader is used. It impersonates Discord and employs macOS binary code-signing techniques seen in previous Lazarus campaigns. HLoader ensures persistence for SugarLoader by manipulating the real Discord app on the compromised system.

KandyKorn serves as the advanced final-stage payload, allowing Lazarus to access and steal data from the infected computer. It operates discreetly in the background, awaiting commands from the command and control server, and takes steps to minimize its trace on the system.

KandyKorn supports a range of commands, including terminating processes, gathering system information, listing directory contents, uploading and exfiltrating files, securely deleting files, and executing system commands, among others.

The Lazarus group primarily targets the cryptocurrency sector for financial gain, rather than engaging in espionage. The presence of KandyKorn highlights that macOS systems are also vulnerable to Lazarus' attacks, showcasing the group's ability to create sophisticated and inconspicuous malware tailored for Apple computers.