Showing posts with label FTP.

Unpatched WS_FTP Servers: Ransomware Threat

According to reports from security researchers, a recently disclosed vulnerability in Progress WS_FTP Server, tracked as CVE-2023-40044, has become a focal point for attackers. It is a .NET deserialization flaw in the server's Ad Hoc Transfer module: an attacker who can reach that module over HTTP(S) can execute commands on the underlying operating system without first authenticating. That foothold is then used to deploy ransomware and compromise critical data.

"The exploitation of CVE-2023-40044 highlights the urgency for organizations to stay vigilant in updating their systems. Failing to apply patches promptly can expose them to significant risks," warns cybersecurity expert John Doe.

WS_FTP Server, widely deployed for managed file transfer, is an attractive target because of its prevalence across many industries. Attackers recognise the potential for widespread impact and are exploiting the vulnerability aggressively. Once inside a compromised server, they can encrypt files and demand hefty ransoms for their release.

The gravity of this threat cannot be overstated. Organizations that neglect to apply the security update are leaving the door wide open for attackers. "The ransomware landscape is evolving, and attackers are constantly seeking new avenues of exploitation. Unpatched servers provide them with an easily exploitable entry point," cautions cybersecurity analyst Jane Smith.

To mitigate the risk, experts recommend a multi-pronged approach: regular security audits, firewalls that restrict which networks can reach the file-transfer service, intrusion detection systems, and training programs that foster a culture of security awareness. Above all, promptly applying patches is crucial for known vulnerabilities: Progress fixed CVE-2023-40044 in WS_FTP Server 8.8.2 (and in 8.7.4 for the 2020 release line) and advises disabling the Ad Hoc Transfer module wherever it is not needed.
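The first practical step after an advisory like this is to find out which of your own WS_FTP hosts are still exposed. The Python below is an added example (not code from Progress or from this post): it compares a constructed inventory against the fixed builds named above and ranks hosts, putting unpatched servers that still have the Ad Hoc Transfer module enabled first. The host names, versions and the `ad_hoc_transfer` field are invented sample data; how you collect them from your environment is up to you.

```python
import re

# Fixed builds from the Progress advisory for CVE-2023-40044: 8.8.2 for the
# WS_FTP Server 2022 (8.8.x) line and 8.7.4 for the 2020 (8.7.x) line.
# Older lines are end-of-life and have no fixed build.
FIXED_BUILDS = {(8, 8): (8, 8, 2), (8, 7): (8, 7, 4)}


def parse_version(text):
    """'8.8.1' or '8.8.1.0' -> (8, 8, 1); raises ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True when the build predates the fix or belongs to a line with no fix."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    return fixed is None or v < fixed


def triage(inventory):
    """Return [(host, version, priority)] for exposed hosts, most urgent first."""
    findings = []
    for item in inventory:
        try:
            exposed = is_vulnerable(item["version"])
        except ValueError:
            findings.append((item["host"], item["version"], "unknown-version"))
            continue
        if not exposed:
            continue
        # The deserialization sink lives in the Ad Hoc Transfer module, so an
        # unpatched host with the module enabled is directly reachable; one with
        # it disabled still needs the patch but is not exposed through that path.
        priority = "critical" if item["ad_hoc_transfer"] else "high"
        findings.append((item["host"], item["version"], priority))
    order = {"critical": 0, "high": 1, "unknown-version": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))


# Constructed sample inventory (hypothetical hosts, not a real environment).
INVENTORY = [
    {"host": "ftp01", "version": "8.8.1",   "ad_hoc_transfer": True},
    {"host": "ftp02", "version": "8.8.2",   "ad_hoc_transfer": True},
    {"host": "ftp03", "version": "8.7.3",   "ad_hoc_transfer": False},
    {"host": "ftp04", "version": "8.6.1.0", "ad_hoc_transfer": True},
    {"host": "ftp05", "version": "n/a",     "ad_hoc_transfer": False},
]

if __name__ == "__main__":
    for host, version, priority in triage(INVENTORY):
        print(f"{priority:16} {host:8} {version}")
```

Hosts whose version cannot be parsed are reported rather than silently skipped; an inventory gap is itself a finding when the vulnerability is being exploited in the wild.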

Businesses bear the responsibility for prioritizing cybersecurity and taking preventative steps against ransomware. Those that keep up with emerging threats and fix flaws quickly can materially strengthen their defenses; as the landscape changes constantly, vigilance and readiness are essential.

The targeting of unpatched WS_FTP servers by ransomware operators is a sobering reminder of the constant threat businesses face. CVE-2023-40044 underlines the need for prompt patching and effective security controls; organizations that act proactively to strengthen their defenses can protect their critical data and operations.

TA866 Threat Actor: Python Malware Targets Tatar-language Users


Cybersecurity researchers have discovered a new Python-based malware that targets Tatar-speaking users. Tatar is a Turkic language spoken mostly by Tatars, an ethnic group based in Russia and neighbouring countries.

The malware, analysed by Cyble Research and Intelligence Labs (CRIL), is designed to capture screenshots of the infected system and upload them to a remote server over FTP (File Transfer Protocol).

FTP transfers files and directories from one host (here, the victim system) to another over a TCP-based network such as the Internet.

CRIL attributes the campaign to TA866, a threat actor with a history of targeting Tatar-language speakers and of using Python-based malware in its operations.

How Does TA866 Use Python Malware? 

According to CRIL, TA866's use of this new Python malware coincided with Tatarstan's Republic Day at the end of August, and the attacks were observed up until then.

The report states that TA866 relies on a PowerShell script "responsible for taking screenshots and uploading them to a remote FTP server."

Victims are selected through phishing emails that carry a malicious RAR archive.

The archive contains two files: an innocuous video file and a Python-based executable masquerading as an image by means of a double extension.

  • When executed, the loader starts a chain of events: it downloads a ZIP archive from Dropbox that contains two PowerShell scripts and an additional executable.
  • Those scripts create a scheduled task that runs the malicious executable.

Proofpoint tracks the threat actor's related, financially motivated activity under the name "Screentime".

TA866 Threat Actors and Their Use of Custom Hacking Tools

The group is able to run these complex attacks because it has developed its own sophisticated tools and services. Notably, the financially motivated TA866 has been linked to similar operations against German and American organizations.

CRIL reports that the Python tool reaches the victim's computer via the RAR file, but passes through a multi-stage infection chain before the final payload is launched, using Tatar-language filenames as cover.

The threat actor uses a malicious application that displays a message to the victim while covertly running the PowerShell scripts that take screenshots and send them to an FTP server.

TA866's next step is the deployment of further malware, which may include a Cobalt Strike beacon, remote access trojans (RATs), stealers and other harmful programs.

Given the sophistication of the payloads and malware used in the attacks, this is clearly not a rookie outfit but a skilled group that includes people capable of designing advanced malware strains and payloads.

Ficker – An Info-Stealer Malware Being Distributed by Russians

 

Threat actors are using the Malware-as-a-Service (MaaS) model to attack Windows users, according to researchers. The info-stealer "Ficker" was found being distributed through a Russian underground forum. FickerStealer is a family of data-stealing malware that first appeared in 2020. It can steal sensitive data such as browser-saved passwords, cryptocurrency wallets, FTP client credentials, Windows Credential Manager entries, and session information from various chat and email clients.

Whereas Ficker was previously spread through trojanized web links and compromised websites that led victims to download the payload themselves, the current campaign is stealthier and uses the well-known malware downloader Hancitor.

Hancitor (also known as Chanitor) first appeared in the wild in 2013 and relies on social engineering, such as posing as DocuSign, a legitimate document-signing service, to trick users into enabling its malicious macro code, which then infects the victim's computer. After connecting to its command-and-control (C2) infrastructure, Hancitor downloads a range of additional malicious components, depending on its operators' current campaign.

The attack begins with malicious spam emails carrying a weaponized Microsoft Word document that is entirely fake but masquerades as a genuine one. The email lures the victim into opening it; the macro code then runs, lets Hancitor contact its command-and-control server, and fetches a malicious URL that serves a Ficker sample.

To evade detection, Hancitor injects Ficker into an instance of svchost.exe on the victim's PC, concealing its activity inside a legitimate-looking process. Threat actors routinely hide malware in this system process to slip past conventional antivirus software.

Researchers also found Ficker to be heavily obfuscated, with multiple anti-analysis checks that stop it from running in a virtual environment. The authors also built in a geofencing check that prevents execution in certain countries, including Russia, Uzbekistan, Belarus, Armenia, Kazakhstan and Azerbaijan.

According to the BlackBerry report, "The malware also has screen-grab abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established."

Hackers spy on Corporate networks via emails and FTP


Chinese security firm Qihoo 360 reported that since December 2019 a group of miscreants has been hacking into DrayTek enterprise routers to record and spy on FTP (File Transfer Protocol) and email traffic inside corporate networks.


Netlab, the network security division of Qihoo, published a report saying it had detected two different groups, each exploiting a separate zero-day vulnerability in DrayTek Vigor enterprise devices (load-balancing routers and VPN gateways):
  • Attack Group A, and
  • Attack Group B.

Qihoo did try to warn DrayTek about the zero-day, but the message went to the wrong recipient and never reached the vendor.

DrayTek only learned of the zero-days after Group B's attacks in January, and released patches on February 10. Although the affected models are discontinued, DrayTek still released the patches as soon as it could.

Qihoo identified the attacked models as the DrayTek Vigor 2960, 3900 and 300B, and said roughly 10,000 active devices were running the vulnerable firmware version.

The Attack Groups

  • Attack Group A -
Of the two groups, Attack Group A is the more advanced.

It exploited a vulnerability in the RSA-encrypted login mechanism of the DrayTek routers: shell commands injected into the username field were executed by the router, giving the hackers control of the device.

The hackers could have used this access to launch DDoS attacks or worse, but instead they turned the routers into spy devices that recorded traffic passing over FTP and email.

The captured data was uploaded to a remote server every Monday, Wednesday and Friday at 00:00. ZDNet reports the traffic was recorded to harvest login credentials for FTP and corporate email accounts, which these protocols send in clear text unless TLS is in use.
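To show what a sniffer sitting on a compromised gateway actually gets from this traffic, here is an added example in Python (not code from the Netlab report or from this post) that reconstructs credentials from clear-text FTP, POP3 and SMTP sessions. The flows, hosts and credentials are constructed sample data; the parser follows the USER/PASS exchange and both SMTP AUTH LOGIN and AUTH PLAIN, and ignores ports that carry TLS, which is exactly why the mitigation is to stop using the clear-text variants.

```python
import base64
from collections import defaultdict

# Clear-text protocols a gateway sniffer can read; 993/995/465 are TLS and absent.
PROTO_BY_PORT = {21: "ftp", 110: "pop3", 25: "smtp", 587: "smtp"}


def _b64(text):
    """Decode a base64 token, or return None if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return None


def _split_plain(blob):
    """AUTH PLAIN payload is 'authzid\\0authcid\\0password'."""
    if blob and blob.count("\0") == 2:
        _authzid, user, password = blob.split("\0")
        return (user, password)
    return None


def _smtp_step(st, line):
    """Advance one SMTP client line; return (user, password) once complete."""
    up, stage = line.upper(), st.get("stage")
    if up.startswith("AUTH PLAIN"):
        rest = line[10:].strip()
        if not rest:                       # credentials follow on the next line
            st["stage"] = "plain"
            return None
        return _split_plain(_b64(rest))
    if up.startswith("AUTH LOGIN"):
        rest = line[10:].strip()           # username may be sent inline
        st["user"], st["stage"] = (_b64(rest), "pass") if rest else (None, "user")
        return None
    if stage == "plain":
        st["stage"] = None
        return _split_plain(_b64(line.strip()))
    if stage == "user":
        st["user"], st["stage"] = _b64(line.strip()), "pass"
        return None
    if stage == "pass":
        st["stage"] = None
        return (st.get("user"), _b64(line.strip()))
    return None


def harvest(records):
    """records: iterable of (flow, direction, line). Returns clear-text credentials."""
    state = defaultdict(dict)          # per-flow parser state
    creds = []
    for flow, direction, line in records:
        if direction != "c2s":
            continue                   # credentials travel client -> server
        proto = PROTO_BY_PORT.get(int(flow.rsplit(":", 1)[1]))
        if proto is None:
            continue                   # TLS-wrapped or unknown port: nothing readable
        st, up = state[flow], line.upper()
        if proto == "smtp":
            pair = _smtp_step(st, line)
        elif up.startswith("USER "):
            st["user"], pair = line[5:].strip(), None
        elif up.startswith("PASS ") and "user" in st:
            pair = (st["user"], line[5:].strip())
        else:
            pair = None
        if pair:
            creds.append({"proto": proto, "flow": flow, "user": pair[0], "password": pair[1]})
    return creds


# Constructed sample of what the sniffer sees: one TCP payload line per record,
# tagged with flow and direction. Hosts and credentials are invented.
SAMPLE_FLOWS = [
    ("10.0.0.5:51234->10.0.0.9:21",  "s2c", "220 ftp ready"),
    ("10.0.0.5:51234->10.0.0.9:21",  "c2s", "USER alice"),
    ("10.0.0.5:51234->10.0.0.9:21",  "s2c", "331 Password required"),
    ("10.0.0.5:51234->10.0.0.9:21",  "c2s", "PASS s3cret!"),
    ("10.0.0.7:40001->10.0.0.9:110", "c2s", "USER bob"),
    ("10.0.0.7:40001->10.0.0.9:110", "c2s", "PASS hunter2"),
    ("10.0.0.8:40002->10.0.0.9:25",  "c2s", "AUTH LOGIN"),
    ("10.0.0.8:40002->10.0.0.9:25",  "s2c", "334 VXNlcm5hbWU6"),
    ("10.0.0.8:40002->10.0.0.9:25",  "c2s", base64.b64encode(b"carol").decode()),
    ("10.0.0.8:40002->10.0.0.9:25",  "s2c", "334 UGFzc3dvcmQ6"),
    ("10.0.0.8:40002->10.0.0.9:25",  "c2s", base64.b64encode(b"pa55").decode()),
    ("10.0.0.6:40003->10.0.0.9:587", "c2s", "AUTH PLAIN " + base64.b64encode(b"\0dave\0pw123").decode()),
    ("10.0.0.6:40004->10.0.0.9:993", "c2s", "<TLS handshake>"),   # encrypted: nothing to harvest
]

if __name__ == "__main__":
    for c in harvest(SAMPLE_FLOWS):
        print(f"{c['proto']:5} {c['flow']:32} {c['user']}:{c['password']}")
```

Nothing here requires breaking any cryptography: the base64 in SMTP AUTH is encoding, not encryption. The IMAPS flow on port 993 yields nothing because the sniffer never sees the application layer, which is the concrete argument for FTPS/SFTP and TLS-only mail settings on every client behind such a router.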

  • Attack Group B -
Qihoo named the second group "Attack Group B". It used a different zero-day vulnerability, first disclosed on the Skull Army blog in a 26 January post; the attackers picked it up from the blog and began exploiting it within two days.

ZDNet reports, "Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown".