Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Remote Access Tool. Show all posts

Attackers Employ TeamViewer to Gain Initial Access to Networks

 

Organisations have long utilised TeamViewer software to provide remote aid, collaboration, and access to endpoint devices. Like other authorised remote access technologies, it is often employed by attackers to gain initial access to target systems.

The most recent example is the pair of attempted ransomware deployment incidents that Huntress researchers recently came across. 

Unsuccessful ransomware deployment

The attacks that Huntress detected targeted two separate endpoint devices belonging to Huntress customers. Both incidents had failed attempts to install what seemed to be ransomware based on a leaked builder for LockBit 3.0 ransomware. 

Further investigation revealed that TeamViewer was the initial point of access for the attackers to both endpoints. The logs showed that the same threat actor was responsible for both occurrences, as the attacks originated from an endpoint with the same hostname.

After initially gaining access via TeamViewer, the threat actor used one of the computers for roughly seven minutes, and on the other, the attacker's session lasted for over ten minutes. 

How the attacker may have gained control of the TeamViewer instances in both incidents was not mentioned in Huntress' report. However, Huntress's senior threat intelligence analyst, Harlan Carvey, notes that a few of the TeamViewer logins seem to come from outdated systems. 

"The logs provide no indication of logins for several months or weeks before the threat actor's access," Carvery states. "In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor's login.” 

Carvey believes that the threat actor may have been able to purchase access from an initial access broker (IAB) and that the credentials and connection information might have been stolen from other endpoints using a keyboard logger, infostealers, or other techniques. 

There have been other past instances when attackers employed TeamViewer in a similar manner. One was a campaign launched last May by a threat actor who wanted to install the XMRig crypto mining software on systems after gaining initial access through the tool. 

Another instance featured a data exfiltration campaign, which Huntress investigated in December. According to the incident logs, the threat actor established an initial foothold in the victim environment using TeamViewer. Much earlier, in 2020, Kaspersky reported on attacks against industrial control system setups that used remote access tools like RMS and TeamViewer for first access.

Balancing Industrial Secure Remote Access: Essentiality and Risk Concerns

As industries continue to embrace digitalization and remote operations, industrial secure remote access has become an essential component of modern industrial automation systems. The ability to connect to and manage industrial assets remotely brings numerous benefits, such as increased operational efficiency and reduced downtime. However, alongside these advantages, there are growing concerns among firms regarding the associated risks and potential vulnerabilities.

A recent survey conducted by industry analysts sheds light on the concerns and perspectives of industrial organizations regarding secure remote access. According to the survey, 76% of respondents considered secure remote access to be critical for their operations. The ability to monitor, troubleshoot, and maintain industrial systems remotely enhances productivity and enables rapid response to operational issues.

Despite recognizing the importance of secure remote access, many firms express apprehension about the potential risks it poses. The survey reveals that 64% of respondents are concerned about unauthorized access and potential security breaches. Industries dealing with critical infrastructure, such as energy, manufacturing, and transportation, are particularly cautious due to the potential impact of a cyber attack on public safety, operational continuity, and financial stability.

To address these concerns, industrial organizations need to adopt comprehensive security measures and best practices for secure remote access. Firstly, implementing strong authentication protocols, such as multifactor authentication, can significantly reduce the risk of unauthorized access. Secondly, establishing secure virtual private network (VPN) connections and encrypted communication channels ensures data confidentiality and integrity during remote sessions.

Additionally, organizations must prioritize network segmentation to isolate critical industrial assets from the broader network. By implementing a defense-in-depth strategy, organizations can mitigate the impact of a security breach and prevent lateral movement within the network. Regular patching and updating of remote access software, firewalls, and security systems are also crucial to address emerging vulnerabilities and protecting against evolving threats.

Furthermore, employee education and awareness play a vital role in maintaining a secure remote access environment. Training programs can help employees recognize and report suspicious activities, understand the importance of strong passwords, and practice good cybersecurity hygiene. Organizations should also enforce strict access controls, granting remote access privileges only to authorized personnel with a legitimate need.

Industrial operations in the present era unquestionably require secure remote access. But businesses' worries about such risks and vulnerabilities must not be discounted. Organizations can strike a balance between the advantages and risks of remote access, ensuring the safety and integrity of their industrial systems in a world that is becoming more interconnected, by implementing strong security measures, adopting best practices, and fostering a culture of cybersecurity awareness.

Hackers Exploit Action1 RMM in Ransomware Attacks

 

Remote Monitoring and Management (RMM) tools are an essential part of IT management, allowing businesses to remotely monitor and manage their IT systems. However, recent reports indicate that hackers increasingly target RMM tools to launch ransomware attacks against businesses.

One RMM tool specifically targeted is Action1, a cloud-based endpoint management platform. Hackers have been exploiting vulnerabilities in the platform to gain unauthorized access to systems and launch ransomware attacks.

According to a tweet by Kostas Tsartsaris, an information security researcher, attackers have been abusing Action1 RMM to deploy Cobalt Strike and other malicious payloads. Cobalt Strike is a powerful penetration testing tool that has been repurposed by hackers for use in ransomware attacks.

Businesses can turn to Digital Forensics and Incident Response (DFIR) services to prevent and respond to such attacks. These services allow businesses to quickly identify and respond to cybersecurity incidents, including ransomware attacks.

In response to the rising threat of ransomware, Action1 has unveiled an AI-based threat-hunting solution. This solution uses machine learning algorithms to detect and respond to potential security threats in real-time.

While RMM tools are essential for IT management, businesses must be aware of the potential security risks associated with them. By implementing robust security measures, such as DFIR services and AI-based threat hunting solutions, businesses can help to protect their systems and data from ransomware attacks and other cyber security threats.

It is important for businesses to remain vigilant and proactive in their approach to cyber security. By staying up-to-date with the latest security trends and implementing best practices, businesses can help to mitigate the risks of cyber-attacks and protect their valuable data.

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese-sponsored APT41 cyberespionage group, also known as Blackfly, Barium Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider has emerged as one of the most active threat groups since at least 2007. 

The cyber-threat group has recently been targeting two subsidiaries of a major Asian conglomerate, which apparently specializes in materials and composites. The attack follows right after another distinct campaign against the Asian material sector. 

The APT attack was seen utilizing the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration. 

In one of the instances, Symantec discovered a material research organization in Asia that was being targeted by a previously unidentified threat group named ‘Clasiopa,’ which does not seem to be linked to the APTs. 

It is believed that Clasiopa acquired access to the targeted organization by brute forcing public facing servers and using a variety of post-exploitation tools like Atharvan remote access trojan (RAT), which is a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. The threat actor, according to Symantec, utilized the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and verified the IP addresses of the compromised machines in an effort to disable endpoint protections. 

Moreover, it appears that Clasiopa used authorised software from Agile and Domino throughout the attack, but it is still unclear whether the attackers actually deployed the tools or simply abused the existing installations. Apparently Atharvan backdoor is able to download arbitrary files from the server, execute files, and configure communications through the C&C server, all based on the commands received from its operators. 

Adding to this, the Atharvan RAT can terminate or restart programs, send remote commands and PowerShell scripts, as well as terminate and uninstall itself. Further analysis on Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says that these could be some of the false flags planted by the threat group to muddle with the investigation.  

Australian Hacker Charged for Spyware Creation Used by Pedophiles

An Australian citizen, Wayne Jacob John Keen, age 24, has been accused of allegedly participating in the development and distribution of malware used by pedophiles and domestic violence offenders.

A type of malware, Remote Access Trojan gives hackers complete remote control over an infected device, enabling them to run programs, log keystrokes, exploit files and data, install other programs, take screenshots, and even record video from the webcam. 

The offender is alleged to have developed the remote access trojan (RAT) when he was 15 years old and served as the tool's administrator from 2013 until the government shut it down in 2019.

Malware Execution

In 2019, authorities were able to identify the creator of an IM RAT who goes by the online handle 'Shockwave' as per a cybersecurity firm. Palo Alto Networks reported that it had seen more than 115,000 IM RAT attacks targeted solely at its clients. More than 65,000 samples of the infection were gathered by the security firm.

Advertised as a reliable tool for remote administration, IM RAT has a lifetime license price range of $25 to $100. Its touted features were remote control of Windows servers, remote support, staff monitoring, and remote connections to personal or business computers.

According to the AFP, "The hacker illegally sold the malware to more than 14,500 people in 128 different countries.PayPal users from Australia who purchased IM RAT are identified as respondents on domestic violence orders in a statistically large portion (14.2%) of cases. Additionally, one of these buyers is listed on the Child Sex Offender Register ." 

The federal authorities added that the developer has earned between $300,000 and $400,000 since the business began operating in 2013. These funds mainly were used to pay for food deliveries and buy 'other consumable and disposable products.'

A 42-year-old woman who lives in the same home as the accused is identified by The Guardian as the perpetrator's mother and has also been charged with 'dealing with the proceeds of crime.'

In coordination with more than a dozen European law enforcement agencies, 85 search warrants were issued globally as part of the operation, which resulted in the seizure of 434 devices and the detention of 13 people for utilizing the malware for evil.


 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.

Threat Advert is a New Service Strategy Invented by AsyncRAT

 

AsyncRAT is a Remote Access Tool (RAT) that uses a secure encrypted connection to monitor and control other machines remotely. It is an open platform distributed processing tool but it has the potential to be used intentionally because it includes features like keylogging, remote desktop command, and other functionalities that could destroy the victim's PC. Furthermore, AsyncRAT can be distributed using a variety of methods, including spear-phishing, malvertising, exploit kits, and other means. 

Morphisec has detected a new, advanced campaign distribution that has been successfully eluding the radar of several security providers, thanks to the breach prevention using Moving Target Defense technology.

Potential hackers are spreading AsyncRAT to targeted machines with a simple email phishing method with an Html attachment. AsyncRAT is meant to remotely monitor and manipulate attacked systems through a protected, encrypted connection. This campaign ran for 4 to 5 months, with the lowest detection rates according to VirusTotal. 

Victims received the email notification with an HTML attachment in the manner of a receipt: Receipt-digits>.html in many cases. When the victim opens the receipt, users are sent to a webpage where a user must store a downloaded ISO file. The user believes it is a routine file download that will pass via all port and network security scanning channels. Surprisingly, this is not true. 

The ISO download, in fact, is created within the user's browser by the JavaScript code hidden within the HTML receipt file, rather than being downloaded from a remote server. 

To reduce the possibility of infection by AsyncRAT, users must follow the following steps:
  • Updating antivirus fingerprints and engines is a must. 
  • Enable automatic updates to ensure that the operating system is up to date with the most recent security fixes. 
  • Email addresses should not be made public on the internet. 
  • Don't click email attachments with strange-looking extensions. When opening any email attachment, especially the one from unknown senders, proceed with caution.
  • Exercise caution while opening emails with generic subject lines. 

Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers

 

Researchers have provided a detailed look at a system called DoubleFeature, which is dedicated to logging the various stages of post-exploitation resulting from the Equation Group's deployment of DanderSpritz, a full-featured malware architecture. 

DanderSpritz was discovered on April 14, 2017, when a hacker group known as the Shadow Brokers published a report titled "Lost in Translation" that included the exploit tool and others. EternalBlue, a cyberattack exploit created by the US National Security Agency (NSA) that allowed threat actors to carry out the NotPetya ransomware attack on unpatched Windows PCs, was also included in the leaks. 

The tool is a modular, covert, and fully functioning framework for post-exploitation activities on Windows and Linux that depends on dozens of plugins. One of them is DoubleFeature, which serves as a "diagnostic tool for victim machines carrying DanderSpritz," according to Check Point researchers in a new paper released Monday. 

The Israeli cybersecurity firm added, "DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. It's an incident response team's pipe dream." 

DoubleFeature is a Python-based dashboard that doubles as a reporting utility to exfiltrate logging information from an infected system to an attacker-controlled server. It's designed to keep track of the types of tools that could be deployed on a target machine. A specific executable named "DoubleFeatureReader.exe" is used to interpret the output. 

Data Breach Prevention 

Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network access driver called FlewAvenue, and a validator implant named MistyVeal that verifies if the compromised system is indeed an authentic victim machine and not a research environment. 

The researchers stated, "Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes." 

"Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."

HP Enterprise Suffers Critical Bug, Requests Users To Update

 

Experts had already alarmed that HPE's (Hewlett Packard Enterprise) unpatched Edgeline Infrastructure Manager versions were vulnerable to remote authentication bypass breach. HP is requesting its customers to patch one of the company's top-class application management software that lets hackers launch a remote authentication bypass attack and gain access to customer's cloud infrastructure. The bug with a CVSS score of 9.8, is rated critical. It impacts all variants of HPE's EIM (Edgeline Infrastructure Manager) ahead of variant 1.21. 

The edge computing management suite of HPE, EIM is two years old. Users are advised to immediately install HPE EIM AV1.22 or later updates for bug fixes. In a security bulletin posted recently, HPE Product Security Response Team wrote, “a security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to the execution of arbitrary commands, gaining privileged access, causing a denial of service, and changing the configuration." 

About the bug 

Remote authentication-bypass vulnerability is related to a problem linked to how HPE manages reset passwords for admin accounts. If a user logs in for the first time with a default password for an active administrator account, he is asked to change the password for the account. It is carried out by sending a request to URL redfish/v1/SessionService/ResetPassword/1. But, when the password is changed, a malicious remote hacker can exploit the same URL to change the password for an administrator account. Next, the hacker has to simply log in with the updated admin account password by sending a request to a URL. 

After that, hackers can change the password of the OS root account by sending a request to URL /redfish/v1/AccountService/Accounts/1. "It allows the attacker to SSH to the EIM host as root. SSH stands for Secure Shell or Secure Socket Shell and is a network protocol that is most often used by system administrators for remote command-line requests, system logins, and also for remote command execution," reports threat post. Cybersecurity firm Tenable has also uploaded proof of the attack.

Email Phishing Scam: Scammers Impersonate LogMeIn to Mine Users' Account Credentials


A Boston, Massachusetts based company, LogMeIn that provides software as a service and cloud-based remote connectivity services for collaboration, IT management and customer engagement has fallen prey to the scammers targeting companies' work from home schemes set up due to the ongoing pandemic, the campaign impersonates the remote access tool (RAT) LogMeIn and mines the unsuspecting users' account credentials.

As the number of people working from home increased rapidly, scammers saw it as a golden opportunity to carry out impersonations of remote tools such as Zoom and LogMeIn more blatantly than ever; the first incident being spotted in the month of May confirms the attributions made by the researchers in regard to COVID-19.

In this particular attack, the phishing email appears to be coming from LogMeIn, cautioning the user at the receiving end, of a zero-day exploit present in the LogMeIn Central and LogMeIn Pro- two of the company's products. It goes unsaid that in reality there exists no such vulnerability and victims' are made to follow a link that claims to be LogMein URL but takes the user to a phishing page where they would enter the credentials that would be obtained by the scammers behind the attack. Additionally, the threat actors are also exploiting the security issues that already existed in remote access platforms as a part of this phishing campaign.

While giving further insights, Abnormal Security said “Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic,”

“Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.”

In order to avoid being scammed by such phishing campaigns, Ken Liao, vice president of Cybersecurity Strategy at Abnormal, alerted users, "Many of the recent attacks have masqueraded as updates--even more specifically--security updates,"

"As always, users should default to updating applications via the application itself and not via links in emails to prevent not only credential loss but the potential introduction of malware onto their machines."

Company Behind Orcus Malware Fined by Canadian Broadcasting Agency


Orcus Technologies, an organization that sold a remote access trojan (RAT) Orcus has been fined with 115,000 Canadian dollars (Approximately 87,000 US dollars). The fine was imposed by one of Canada's broadcasting agency, Canadian Radio-Television and Telecommunications Commission (CRTC).

Orcus Technologies was established in March 2016 by founders John Paul Revesz (also known by the names, Ciriis McGraw, Armada Angelis, among other aliases) and a Germany-based man, Vincent Leo Griebel (also known as Sorzus). Griebel was responsible for developing the malware while Revesz looked after the marketing, sales and support section for the software. The idea behind the operations was to deliver a remote management tool just like widely used TeamViewer and various other remote management applications, as per the investigation carried out by the CRTC in association with the cybercrime division of the Royal Canadian Mounted Police (RCMP).

"Proof got for the duration of the investigation allowed the Leader Compliance and Enforcement Officer (CEO) to conclude that the Orcus RAT was once now not the everyday management instrument Griebel and Revesz claimed, however, was once, if truth be told, a Far-flung Get right of entry to Trojan (RAT), an identified form of malware," as per the CRTC's findings.

The findings further claimed that the duo not only sold and promoted the malware but also assisted malicious actors in getting Orcus RAT installed on users' computers without their consent or knowledge.

In a similar context, last month, Revesz faced criminal charges against him, filed by the RCMP. Earlier in March, this year, the RCMP came up with an arrest warrant at Revesz apartment, meanwhile, there were separate arrest warrants aimed at Orcus RAT customers by Australian Police.

It was around 2016's summer, Orcus RAT starting making headlines in the cybersecurity ecosystem, the RCMP revealed that it started investigating the company behind the malware since July 2016 and have kept a continuous track of the activities revolving around Orcus Technologies since then. Before finally distributing the malware via malspam campaigns, the team behind Orcus announced the malware in a piracy forum in 2016 itself. Then same year also witnessed the publication of an article on the subject reporting the malicious intent of the authors in the month of July. In the wake of the publication which presented enough evidence against the malware, Revesz took to Twitter to defend the Orcus RAT, wherein he claimed that his tool amounts to nothing more than a remote administration application.

As an aftermath of Revenz's weak arguments and the disputes that followed on Twitter, various cybersecurity professionals and organizations filed complaints against the authors of Orcus RAT with corresponding Canadian authorities.

Although the duo is responsible for the creation of the malware and initiating its distribution, the buyers who extended the malicious operations by infecting the victims are equally responsible as the two.

Houdini Worm’s WSH Remote Access Tool (RAT) for Phishing Tactic




A fresh modified version of Houdini Worm is out in the market which goes by the name of WSH Remote Access Tool (RAT) and has commercial banking customers on its radar.


The authors who created the malware released it earlier this June and the HWorm has things tremendously in common with the njRAT and njWorm. (existed in 2013)

WSH RAT uses the legitimate applications that are used to execute scripts on the Windows one of which is Legitimate Windows Script Host.

The malware is being distributed via phishing email campaigns per usual.

The malicious attachment is stuck with the MHT file which is used by the threat operators the very way they use HTML files.

The MTH files contain an “href” link which guides the user to download the malicious .zip archive which releases the original version of WSH RAT.


Researchers report that when WSH RAT’s executed on an endpoint it behaves like an HWorm to the very use of mangled Base64 encoded data.

The WSH RAT uses the very same configuration structure for the above process as HWorm.

It also seeds an exact copy of the HWorm’s configuration including the default variable and WSH RAT command and control server URL structure in similar to that of HWorm.


Firstly WSH Rat communicates with C2 server and then calls out the new URL that releases the three payloads with the .tar.gz extension.
But, it’s actually PE32 executable files and the three payloads act as follows:
·       A Key logger
·       A mail credential viewer
·       A browser credential viewer

These components are extracted from a third party and do not originate from the WSH RAT itself.

The underground price of the WSH RAT was around $50 USD a month with a plethora of features including many automatic startup tactics and remote access, evasion and stealing capabilities.

It’s becoming evident by the hour that by way of simple investment in cheap commands really threatening malware services could be developed and could put any company under jeopardy.