Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Manufacturing. Show all posts
Windows
Amaday Bot Lumma Stealer malware Malware Campaign Manufacturing Windows

New Malware Campaign Attacks Manufacturing Industry


Lumma Stealer and Amaday Bot Resurface

In a recent multi-stage cyberattack, Cyble Research and Intelligence (CRIL) found an attack campaign hitting the manufacturing industry. The campaign depends upon process injection techniques aimed at delivering malicious payloads like Amaday Bot and Lumma Stealer.

Using a chain of evasive actions, the threat actor (TA) exploits diverse Windows tools and processes to escape standard security checks, which leads to persistent system control and potential data theft. 

About the campaign

CRIL found an advanced multi-level attack campaign that starts with a spear-phishing mail. The email has a link that directs to an LNK file, hidden as a PDF file. When the fake PDF is clicked, it launches a series of commands. The LNK file is hosted on a WebDAV server, making it challenging for security software to trace.

“For instance, one of the malicious links observed in the campaign was hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop. The attack’s effectiveness stems from its ability to exploit the name of a legitimate cloud-based document management system (LogicalDOC), commonly used in manufacturing and engineering industries, to convince targets into opening the file,” reports the Cyber Express.

How the campaign works

After executing the LNK file, it opens ssh.exe, a genuine system utility that can escape security software checks. Via ssh.exe, a PowerShell command is activated to retrieve an extra payload via a remote server from mshta.exe. 

Threat actors use this process to avoid detection via Google’s Accelerated Mobile Pages (AMP) framework merged with a compressed URL. The retrieved payload is a malicious script containing extra hacked commands that gradually deliver the last malicious payload to the target system.

Once the LNK file is executed, it launches ssh.exe, a legitimate system utility that can bypass security software’s detection. Through ssh.exe, a PowerShell command is triggered, which fetches an additional payload from a remote server using mshta.exe. This process is designed to evade detection by using Google’s Accelerated Mobile Pages (AMP) framework combined with a shortened URL. 

The payload fetched is a script that contains additional obfuscated commands that eventually deliver the final malicious payload to the victim’s system. 

CYBLE blog says, “The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems. Yara and Sigma rules to detect this campaign, are available for download from the linked GitHub repository.”    

Read more »
Manufacturing
Botnet Camera DDOS Attacks Device Vulnerability malware Manufacturing

The Corona Mirai Botnet: Exploiting End-of-Life IP Cameras

The Corona Mirai Botnet: Exploiting End-of-Life IP Cameras

A recent report by Akami experts highlights a troubling trend: the exploitation of a five-year-old zero-day vulnerability in end-of-life IP cameras by the Corona Mirai-based malware botnet. This blog delves into the details of this issue, its implications, and the broader lessons it offers for cybersecurity.

The Vulnerability in AVTECH IP Cameras

The specific target of this malware campaign is AVTECH IP cameras, which have been out of support since 2019. These cameras are no longer receiving security patches, making them prime targets for cybercriminals. The vulnerability in question is a remote code execution (RCE) zero-day, which allows attackers to inject malicious commands into the camera’s firmware via the network. This particular exploit leverages the ‘brightness’ function in the camera’s firmware, a seemingly harmless feature that has become a gateway for malicious activity.

The Corona Mirai-Based Malware Botnet

The Corona Mirai-based malware botnet is a variant of the infamous Mirai botnet, which has been responsible for some of the most significant distributed denial of service (DDoS) attacks in recent history. By exploiting the RCE vulnerability in AVTECH IP cameras, the malware can gain control over these devices, adding them to its botnet. Once compromised, these cameras can be used to launch DDoS attacks, overwhelm networks, and disrupt services.

The Implications of Exploiting End-of-Life Devices

The exploitation of end-of-life devices like AVTECH IP cameras underscores a critical issue in cybersecurity: the risks associated with using outdated and unsupported technology. When manufacturers cease support for a device, it no longer receives security updates, leaving it vulnerable to new threats. In the case of AVTECH IP cameras, the lack of patches for the RCE vulnerability has made them easy targets for cybercriminals.

This situation highlights the importance of regular updates and patches in maintaining the security of devices. It also raises questions about the responsibility of manufacturers to provide long-term support for their products and the need for users to replace outdated technology with more secure alternatives.

Experts Suggest These Steps

  • Ensuring that all devices receive regular updates and patches is crucial in protecting against new vulnerabilities. Users should prioritize devices that are actively supported by manufacturers.
  • Manufacturers should clearly communicate end-of-life policies and provide guidance on replacing outdated devices. Users should be aware of these policies and plan for timely replacements.
  • Implementing network segmentation can help contain the impact of compromised devices. By isolating vulnerable devices from critical systems, organizations can reduce the risk of widespread damage.

Read more »
Subscribe to: Posts (Atom)