
New FakeUpdate Cyber Campaign Spreads Updated WarmCookie Backdoor in France

A new wave of cyberattacks is targeting users in France, exploiting fake browser and software update prompts to spread an updated version of the WarmCookie backdoor. The campaign, dubbed “FakeUpdate,” has been linked to the SocGholish threat group, known for using compromised or fake websites to display deceptive update messages for popular applications like Google Chrome, Mozilla Firefox, Microsoft Edge, and Java.

When users fall for these fake update alerts and click on them, malicious software is installed on their systems instead of a legitimate update. This payload includes tools like info-stealers, remote access trojans (RATs), cryptocurrency drainers, and ransomware. According to researchers from Gen Threat Labs, the WarmCookie backdoor being distributed in this campaign is more advanced than its previous versions. 

Initially discovered by cybersecurity firm eSentire in 2023, WarmCookie is designed to steal data, capture screenshots, run arbitrary commands, and drop additional malicious files. In this latest campaign, it has been updated with new features, such as the ability to run DLLs from a system’s temporary folder and execute PowerShell and EXE files. The infection chain begins when users click on fake update prompts that closely mimic legitimate update notifications. 

Once clicked, a JavaScript file triggers the download of the WarmCookie installer, which bypasses security checks and installs the backdoor. The malware can evade detection through anti-virtual machine (anti-VM) checks, ensuring it’s not being monitored by security analysts before sending system data to its command and control (C2) server. 

While the attackers are primarily using compromised websites to distribute these fake updates, researchers also identified malicious domains designed to look like official update sites, such as “edgeupdate[.]com” and “mozilaupgrade[.]com.” Experts warn that legitimate browsers, including Chrome, Edge, and Firefox, update automatically and do not require users to manually download update files. 

Any pop-up asking users to download an update manually should be viewed with suspicion and avoided.
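The post names two lookalike update domains and notes that real browsers update themselves. The following is an added defender-side example, not code from the article or from Gen Threat Labs: it scans constructed DNS/proxy log lines for registrable labels that combine an "update"-style word with a close resemblance to a browser brand. The `host=` log format, the 0.8 similarity threshold and the sample lines are assumptions; only the two lookalike domains come from the post.

```python
"""Flag lookalike browser-update domains in DNS/proxy logs."""
import re
from difflib import SequenceMatcher

# Brands whose update prompts the FakeUpdate campaign impersonates (from the post).
BRANDS = ("chrome", "google", "firefox", "mozilla", "edge", "microsoft", "java")
# Words a fake "update site" tends to put in its registrable label.
UPDATE_WORDS = ("update", "upgrade", "install", "download", "patch")
SIMILARITY_THRESHOLD = 0.8  # assumed value; tune on your own traffic

# Constructed sample log lines (not from the article); key=value format assumed.
SAMPLE_LOG = """\
2024-09-30T10:01:02Z client=10.0.0.5 host=edgeupdate[.]com
2024-09-30T10:01:05Z client=10.0.0.5 host=www.example.com
2024-09-30T10:02:11Z client=10.0.0.9 host=mozilaupgrade[.]com
2024-09-30T10:03:40Z client=10.0.0.9 host=update.googleapis.com
"""


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'edgeupdate[.]com' into a plain hostname."""
    return domain.replace("[.]", ".").strip().lower()


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'edgeupdate' from 'edgeupdate.com' (no PSL handling)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def brand_similarity(label: str):
    """Strip update words, then compare the remainder with each brand name."""
    core = label
    for word in UPDATE_WORDS:
        core = core.replace(word, "")
    return max((SequenceMatcher(None, core, b).ratio(), b) for b in BRANDS)


def score_host(host: str):
    """Return (is_lookalike, closest_brand, similarity) for one hostname."""
    label = registrable_label(refang(host))
    has_update_word = any(w in label for w in UPDATE_WORDS)
    ratio, brand = brand_similarity(label)
    # Flag only when the registrable label itself carries an update word and
    # closely resembles a brand; a host whose update word sits in a subdomain
    # (e.g. update.googleapis.com) is not matched by this rule.
    return (bool(has_update_word and ratio >= SIMILARITY_THRESHOLD), brand, round(ratio, 3))


def flag_lookalikes(log_text: str):
    """Scan key=value log lines; return [(host, brand, similarity)] for hits."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"\bhost=(\S+)", line)
        if not m:
            continue
        host = refang(m.group(1))
        flagged, brand, ratio = score_host(host)
        if flagged:
            hits.append((host, brand, ratio))
    return hits


if __name__ == "__main__":
    for host, brand, ratio in flag_lookalikes(SAMPLE_LOG):
        print(f"lookalike update domain: {host} (resembles {brand}, similarity {ratio})")
```

Because it only looks at the registrable label, the rule misses lookalikes hosted on free subdomain providers; pair it with the allowlist of your vendors' real update hosts.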

NoName Hackers Use RansomHub in Recent Cyber Campaigns

The NoName ransomware group, which has targeted small and medium-sized businesses worldwide for the past three years, has continued to grow by using custom malware and evolving its attack methods. A recently observed link has led to the conclusion that the group is no longer independent but is now affiliated with RansomHub. This development raises the risk worldwide, especially for small and medium-sized businesses.

NoName has now joined RansomHub, an up-and-coming online criminal extortion group, as a new affiliate. NoName's main claim to fame so far has been impersonating the LockBit ransomware-as-a-service, which is based out of the Netherlands. It has been well documented that NoName exploits vulnerabilities that date back many years.

Over the last three years, it has been well documented that the NoName ransomware gang, also known as CosmicBeetle, has been making waves worldwide by targeting small and medium-sized businesses. Recent observations show that the gang is now using the RansomHub ransomware to carry out its crimes. To gain access to networks, the gang uses a variety of custom tools, including those from the Spacecolon malware family, which it acquired from other cybercriminals.

To deploy these tools, the gang uses brute-force methods and exploits known vulnerabilities such as EternalBlue (CVE-2017-0144) and Zerologon (CVE-2020-1472). In recent attacks, the NoName gang has been using the ScRansom ransomware to encrypt documents and digital files, replacing the Scarab encryptor it had previously used. Additionally, the gang has begun experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data-leak site and issuing similar ransom notes based on the design of the released code.

The cybersecurity company ESET has been tracking the activities of the NoName gang since 2023, which is almost four years ago. Even though ScRansom is less sophisticated than other ransomware threats, it still poses a significant threat, and it has been observed to develop and become more sophisticated over time. Several aspects of ScRansom are complex, including its use of AES-CTR-128 encryption and RSA-1024 decryption, which sometimes causes problems when decrypting the files. Victims have reportedly received multiple decryption keys but are still unable to recover all the files they lost. ScRansom also offers attackers different speed modes for partial encryption, giving them flexibility.

An 'ERASE' mode can also be used to replace the contents of a file with a constant value, ensuring that the contents cannot be recovered. With ScRansom, file encryption is possible across all drives, and the operator can decide which file extensions and which folders to encrypt. ScRansom kills several processes and services on the Windows host before the encryptor fires. These include Windows Defender, the Volume Shadow Copy service, SVCHost, RDPclip, and LSASS, as well as processes related to VMware tools. ScRansom uses several encryption schemes to protect its keys, one of them being AES-CTR-128 combined with RSA-1024 to generate an extra AES key.

Because of this multi-step process, errors sometimes occur that cause decryption to fail. Executing the ransomware on the same device a second time, or in a network with multiple systems running different versions of the malware, generates new sets of unique keys for every victim, making the entire decryption process rather difficult. Furthermore, in addition to the brute-force attacks the NoName gang uses to gain access to networks, it exploits several other vulnerabilities that are common in SMB environments. These include CVE-2017-0144 (also known as EternalBlue), CVE-2023-27532 (a vulnerability in Veeam Backup & Replication), CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities exploited through noPac), CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and CVE-2020-1472 (also known as Zerologon).

ScRansom can encrypt files on all types of drives, including fixed, remote, removable, and cloud storage, and it allows the operator to customize the list of file extensions to encrypt. When ESET researchers were investigating a ransomware attack that began with a failed ScRansom deployment in early June, they discovered that the threat actor returned to the same machine less than a week later.

Shortly afterwards, the attackers deployed the EDR killer tool released by RansomHub, which provides privilege escalation and the ability to disable security agents by loading legitimate but vulnerable drivers on targeted computers. Two days later, on June 10, the compromised computer was encrypted with the RansomHub ransomware. The researchers described an interesting way of extracting the EDR killer, one that was characteristic of CosmicBeetle rather than of RansomHub's other affiliates.

It was noted that the RansomHub code and its builder have never leaked, so ESET researchers were "pretty confident" that CosmicBeetle had been enrolled as a new RansomHub affiliate. Even though ESET does not claim to have any affiliation with RansomHub, they do state that the Ransom Encrypter is being actively developed by their engineers.

STARK#MULE Cyber Attack Campaign Tricking Koreans with U.S. Military-Themed Documents

A relentless cyber attack campaign has been launched, specifically targeting Korean-speaking individuals. The attackers are employing deceptive tactics, using U.S. Military-themed document lures to deceive unsuspecting victims into executing malware on their compromised systems. 

Following the incident, Securonix – a cybersecurity firm – dubbed this sophisticated cyber attack campaign 'STARK#MULE.' The full extent of the attacks remains undisclosed, leaving uncertainty about the number of victims impacted. As of now, it remains unclear whether any of the attack attempts have resulted in successful compromises. The situation calls for continued monitoring and vigilance to safeguard potential targets from the ongoing campaign.

According to the report, “these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials”. APT37, also known as Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a nation-state actor affiliated with North Korea. Its primary focus lies exclusively on targeting entities within South Korea, particularly those involved in reporting on North Korea and supporting defectors.

The group has utilized social engineering techniques to initiate phishing attacks, thereby delivering malicious payloads like RokRat onto targeted networks. However, recent developments indicate that adversaries have broadened their offensive capabilities, incorporating various malware families into their tactics. Among the new additions is a Go-based backdoor named AblyGo. 

The campaign exhibits a distinctive strategy, leveraging compromised Korean e-commerce websites for both staging malicious payloads and establishing command-and-control (C2) operations. This clever maneuver aims to evade detection by security solutions installed on targeted systems. 

By utilizing legitimate platforms, the threat actors attempt to fly under the radar and maintain a cloak of stealth during their activities. This innovative approach poses a new challenge for cybersecurity experts in their efforts to protect against evolving threats and reinforces the need for enhanced security measures across digital landscapes. 

As per the information, APT37 has adopted a new tactic, utilizing CHM files in phishing emails to impersonate security communications from financial institutions and insurance companies. The objective is to deceive victims and prompt them to open these malicious files, thereby deploying information-stealing malware and other harmful binaries onto their systems. This observation was made by the AhnLab Security Emergency Response Center (ASEC), shedding light on the threat actor's evolving techniques. 

Using CHM files in disguise poses a significant concern for security teams as they strive to mitigate the risks of cyber-attacks and safeguard sensitive data from sophisticated threat actors. APT37 stands among several North Korean state-sponsored groups that have garnered attention for executing sophisticated cyber attacks aimed at achieving financial theft, as evident from the recent attacks on Alphapo and CoinsPaid. 

Moreover, the group's activities also revolve around gathering intelligence to further the regime's political and national security objectives. This dual focus on financial gains and intelligence acquisition underscores the significance of countering APT37's actions to protect the interests of targeted organizations and safeguard critical national security information from falling into the wrong hands.

Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant

A new hacking group has targeted the government, aviation, education, and telecom industries in South and Southeast Asia as part of a highly focused campaign that began in mid-2022 and extended into the first quarter of 2023. 

Broadcom Software's Symantec is tracking the activity under the insect-themed moniker Lancefly, with the attacks employing a "powerful" backdoor called Merdoor. So far, data suggests that the custom implant was used as early as 2018. Based on the tooling and the victimology pattern, the campaign's ultimate purpose is intelligence gathering.

"The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News.

"The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

While the precise initial intrusion vector is unknown, it is believed to have entailed the use of phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers. The attack chains eventually lead to the distribution of ZXShell and Merdoor, fully-featured malware capable of communicating with an actor-controlled server for more commands and logging keystrokes.

ZXShell, first discovered by Cisco in October 2014, is a rootkit with several functionalities for harvesting sensitive data from affected hosts. In the past, the use of ZXShell has been linked to several Chinese actors such as APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda).

"The source code of this rootkit is publicly available so it may be used by multiple different groups," Symantec said. "The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable."

Another Chinese connection is that the ZXShell rootkit is signed by the certificate "Wemade Entertainment Co. Ltd," which Mandiant previously identified as being related to APT41 (aka Winnti) in August 2019.

Lancefly incursions have also been linked to the use of PlugX and its successor ShadowPad, the latter of which has been used by several Chinese state-sponsored entities since 2015. However, certificate and tool sharing is known to be common among Chinese state-sponsored groups, making attribution to a specific known crew challenging.

"While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period," Symantec noted. "This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar."

RedZei Group Targets Chinese Students in U.K.

Chinese students studying in the UK have become one of the most common targets of scammers. The RedZei (aka RedThief) group, a Chinese-speaking scammer group that operates online and is becoming increasingly active, bypasses the precautions that users and service providers have taken to prevent scams.

This is how it works

Chinese students were fooled into paying millions of dollars to avoid deportation as part of a visa scam, according to a report in The Guardian. According to researchers, this incident is likely the result of the RedZei campaign that began in August of last year.

RedZei fraudsters carefully selected their victims by researching them, seeking out potential victims wealthy enough to be profitable targets. The fraudsters used new pay-as-you-go UK phone numbers for each wave of the attack to bypass phone number-based blocking. The attackers use several mobile carriers, including Telia, Three, EE, O2, and Tesco Mobile, rotating between SIM cards.


The Use of Voicemail and Other Tricks

As part of the operation, a UK phone number would be used to contact each targeted student once or twice every month. If these calls are not answered, an unusual automated voicemail is left.

These voicemails steer students into revealing their personal information by impersonating China Mobile, the Bank of China, and the Chinese embassy. There are also voicemail messages posed as coming from Chinese government officials.

These include the Chinese Ministry of Industry and Information Technology, the Chinese Embassy in the United Kingdom, and the Chinese Communications Administration. Courier services such as DHL and Royal Mail are also impersonated in such messages. Aside from these themes, RedZei has adopted others, such as abnormally high NHS number usage and DHL international parcel delivery.

Keep yourself as safe as possible

It appears that RedZei started this tremendously profitable campaign in August 2019. The scam attempted to deceive Chinese international students by duping them into transferring enormous amounts of money so that they could avoid deportation and save their lives.

Students who suspect a scam of this nature are advised to report it to their university as soon as possible, which helps everyone stay vigilant against such frauds. Universities can also share information about scams that target international students and keep them posted on new ones.

Microsoft Disrupts Bohrium Hackers’ Spear-Phishing Operation


The Microsoft Digital Crimes Unit (DCU) recently disrupted a spear-phishing operation conducted by Iranian malicious actors. Tracked as Bohrium, the operation was victimizing customers in the U.S., the Middle East, and India.

Amy Hogan-Burney, the General Manager of Microsoft DCU, said that Bohrium targeted organizations from a wide range of industries, including transportation, technology, government, and education.

The evidence that was reported by Microsoft in court filings, read, “the Iranian hackers have been intentionally accessing and sending malicious software, code, and instructions to the protected computers, operating systems, and computers networks of Microsoft and the customers of Microsoft, without authorization." 

Following the attack, Microsoft took down 41 domains that were used in this campaign to establish a command and control infrastructure, which allowed the hackers to execute malicious tools to gain access to targets' systems and exfiltrate stolen information from compromised systems. Some of the domains taken down had also been used in the past to host and push malware payloads.

However, Microsoft did not disclose the timeline of this spear-phishing operation. "Bohrium actors create fake social media profiles, often posing as recruiters. Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware..," 

“…This activity was uncovered by Microsoft's Threat Intelligence Center (MSTIC), which tracks the world's nation-state and cybercrime actors so we can better protect our customers,” Hogan-Burney said. 

Microsoft further explained that this action by the organization is part of a long series of lawsuits against malicious actors who target Microsoft customers worldwide.

"To date, in 24 lawsuits – five against nation-state actors – we've taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors," Microsoft's Corporate Vice President for Customer Security & Trust Tom Burt said.

Previously, Microsoft has taken down many malicious campaigns including APT28 domains controlled by the ZLoader cybercrime gang and the Iran-backed APT35 (aka Charming Kitten, Phosphorus, or Ajax Security Team) threat actor.

Lapsus$ Targeting SharePoint, VPNs and Virtual Machines

NCC Group on Thursday released a report in which it has described the techniques and tactics of the highly unpredictable Lapsus$ attacks, along with how Lapsus$ attacks are launched and what makes it such a unique group. 

The group suspended its operations following the arrests of alleged members in March. The attacks launched by the group remain confusing in both their motives and their methods. The group is known for targeting world-famous companies including Microsoft, Nvidia, Okta, and Samsung.

According to the report, Lapsus$ used stolen authentication cookies, specifically ones used for SSO applications, to gain initial access to targeted systems. The threat actors also scraped Microsoft SharePoint sites used by target organizations to find credentials within technical documentation.

"Credential harvesting and privileged escalation are key components of the LAPSUS$ breaches we have seen, with the rapid escalation in privileges the LAPSUS$ group has been seen to elevate from a standard user account to an administrative user within a couple of days," the report said. 

The report also shows that a major goal of the group is to exploit corporate VPNs, capitalizing on their increased use over the last few years.

"Access to corporate VPNs is a primary focus for this group as it allows the threat actor to directly access key infrastructure which they require to complete their objectives. In our incident response cases, we saw the threat actor leveraging compromised employee email accounts to email helpdesk systems requesting access credentials or support to get access to the corporate VPN," the report further read. 

In just a few months, the group has grown from launching a handful of attacks designed to steal and publish the source code of multiple top-tier technology companies. Reports sometimes refer to the group as a ransomware group; however, Lapsus$ is also known for not deploying ransomware in its extortion attempts.