Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Researchers. Show all posts
threat analysis
2.5 million unique IPs Cybersecurity malware PlugX malware server Researchers sinkhole threat analysis

Researchers Successfully Sinkhole PlugX Malware Server, Recording 2.5 Million Unique IPs

 

Researchers successfully seized control of a command and control (C2) server linked to a variant of the PlugX malware, effectively halting its malicious operations. Over the span of six months, more than 2.5 million connections were logged from diverse IP addresses worldwide.

Beginning in September 2023, cybersecurity firm Sekoia took action upon identifying the unique IP address associated with the C2 server. Their efforts resulted in the logging of over 2.4 million unique IP addresses from 170 countries, allowing for comprehensive analysis of the malware's spread and the development of effective countermeasures.

The acquisition of the C2 server's IP address, at the cost of $7, was facilitated by Sekoia's researchers. Following this, they gained shell access to the server and set up a mimicry of the original C2 server's behavior. This enabled the capture of HTTP requests from infected hosts and provided insights into the malware's activities.

The sinkhole operation revealed a daily influx of between 90,000 to 100,000 requests from infected systems, originating from various locations worldwide. Notably, certain countries accounted for a significant portion of the infections, with Nigeria, India, China, and the United States among the most affected.

Despite the challenges posed by the malware's lack of unique identifiers and its ability to spread through various means, Sekoia's researchers identified potential strategic interests, particularly in regions associated with China's Belt and Road Initiative.

To address the widespread infection, Sekoia proposed two strategies for disinfection, urging national cybersecurity teams and law enforcement agencies to collaborate. One approach involves sending self-delete commands supported by PlugX, while the other entails the development and deployment of custom payloads to eradicate the malware from infected systems and USB drives.

While the sinkhole operation effectively neutralized the botnet controlled by PlugX, Sekoia warned of the possibility of its revival by malicious actors with access to the C2 server.

PlugX, initially linked to state-sponsored Chinese operations, has evolved into a widely used tool by various threat actors since its emergence in 2008. Its extensive capabilities and recent wormable features pose significant security risks, necessitating collaborative efforts to mitigate its impact.
Read more »
Researchers
Code Leak Cyber Security Cyberattacks CyberCrime Hotel Check-In Researchers

Room for Error: Hotel Check-In Terminal Flaw Leads to Access Code Leak

 


Ibis Budget hotels in Germany were found to leak hotel room key codes through self-service check-in terminals, and a researcher behind the discovery claims the problem could potentially affect hotels around the world. It would be very easy for anyone to abuse the terminal's security flaw without any technical knowledge or specialized tools, as it is a security flaw that can be exploited by anyone. 

In actuality, an attacker can aggregate a whole lot of room keycodes in just a few minutes as long as a regular customer uses the same machine to check into their room, as long as the attacker is persistent. In addition to speaking with staff at the front desk, hotel guests can also take advantage of self-service check-in terminals. Front desk staff can be unavailable at times for guests to interact with them. 

These terminals offer guests the ability to not only check into their rooms, but they can also search for information about existing bookings as well, which is what Ibis Budget is all about. Based on the company's website, 600 Ibis Budget hotels are operating in 20 different countries around the world. This is an Ibis Budget hotel chain owned by Accor. 

They believe the vulnerability likely affected other hotels as well, as they discovered in late 2023 a security flaw in the self-check-in terminal that was installed at an Ibis Budget hotel in Germany.  Ibis Budget hotel customers can use these kiosks to check in their rooms when there is no staff at the hotel. 

When Accor was notified, Pentagrid was informed that the company had issued patches to the affected devices within a month. Upon entering the booking ID, the terminal displays the associated room number as well as the keypad code that can be used to access the room when the customer is not present. 

The customer then has to enter the keypad code to access the room.    It was discovered by Pentagrid that a list of current bookings could be displayed on the terminal if he entered a series of dashes instead of the booking ID. Pentagrid believes that tapping on a booking will display the room number as well as the keypad access code of the hotel, which remains unchanged during the guest's stay at the hotel, according to Pentagrid. 

There was a chance that an attacker would have been able to gain access to rooms using the exposed access codes. Upon entering the dashes, the booking information displayed the amount of the booking, the room number and the valid room entry code, along with the cost of the booking. The researchers also found a timestamp in the data, which the researchers assumed was the check-in date, which could indicate the length of the guest's stay.

Schobert discovered the issue unintentionally after attending a cybersecurity convention in Hamburg, where he was using a terminal at the Altona Ibis Budget Hotel. The bug is not clear as to whether or not 87 bookings were valid at the time of the audit, as there are 180 rooms at the hotel. It is unclear if it was only 87 bookings that were valid at that time or if the bug was limited to returning less than the entire number of bookings. 

Schobert said the booking references could still be found on discarded printouts even without the exploit by using a series of dashes, which necessitated that greater security controls be placed on the terminals to prevent this. If this issue falls into the wrong hands, the consequences could be quite serious.

Understandably, retrieving keycodes could lead to theft, but being able to target rooms by price may allow an attacker to target the wealthiest guests for the best possible rewards as they may be able to target rooms by price. Aside from theft, there is also the danger of stalking and other creeps abusing guests, which may put their safety at risk. As a result, researchers note that an attacker would have needed to be physically close to the targeted terminal to exploit the vulnerability, as the affected device would have had to be set up to allow self-service, which would be most likely during the nighttime, researchers stated. 
Read more »
Vulnerabilities and Exploits
China Exploit Hacker Groups Ivanti security flaws Researchers Security Vulnerabilities and Exploits

Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities

 

Several threat actors with connections to China have been identified as responsible for exploiting three security vulnerabilities affecting Ivanti appliances. These vulnerabilities are identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, a cybersecurity firm, has been monitoring these clusters of threat actors, identifying them under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Among them, UNC3886, a Chinese hacking group, has been previously known for exploiting zero-day bugs in Fortinet and VMware systems to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-218 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 might be the same group, highlighting the sophistication of their tools aimed at avoiding detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting academic, energy, defense, and health sectors, focusing on Citrix Netscaler ADC initially before shifting to Ivanti Connect Secure devices.

These findings emphasize the ongoing threat posed by edge appliances, with threat actors utilizing a combination of zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to networks for extended periods. access to target systems.
Read more »
system spread
AI Worms Cyber Security Data Safety Data Theft Private Data Researchers Security system spread

Researchers Develop AI "Worms" Capable of Inter-System Spread, Enabling Data Theft Along the Way

 

A team of researchers has developed a self-replicating computer worm designed to target AI-powered applications like Gemini Pro, ChatGPT 4.0, and LLaVA. The aim of this project was to showcase the vulnerabilities in AI-enabled systems, particularly how interconnections between generative-AI platforms can facilitate the spread of malware.

The researchers, consisting of Stav Cohen from the Israel Institute of Technology, Ben Nassi from Cornell Tech, and Ron Bitton from Intuit, dubbed their creation 'Morris II', drawing inspiration from the infamous 1988 internet worm.

Their worm was designed with three main objectives. Firstly, it was engineered to replicate itself using adversarial self-replicating prompts, which exploit the AI applications' tendency to output the original prompt, thereby perpetuating the worm. 

Secondly, it aimed to carry out various malicious activities, ranging from data theft to the creation of inflammatory emails for propagandistic purposes. Lastly, it needed the capability to traverse hosts and AI applications to proliferate within the AI ecosystem.

The worm utilizes two primary methods for propagation. The first method targets AI-assisted email applications employing retrieval-augmented generation (RAG), where a poisoned email triggers the generation of a reply containing the worm, subsequently spreading it to other hosts. The second method involves inputs to generative-AI models, prompting them to create outputs that further disseminate the worm to new hosts.

During testing, the worm successfully pilfered sensitive information such as social security numbers and credit card details.

To raise awareness about the potential risks posed by such worms, the researchers shared their findings with Google and OpenAI. While Google declined to comment, an OpenAI spokesperson acknowledged the potential exploitability of prompt-injection vulnerabilities resulting from unchecked or unfiltered user inputs.

Instances like these underscore the imperative for increased research, testing, and regulation in the deployment of generative-AI applications.
Read more »
wireless chargers
Academic attacks Cyber Security electromagnetic interference Researchers Security VoltSchemer Vulnerabilities wireless chargers

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, have uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.
Read more »
user identification
AirDrop Apple Cyber Security Privacy Concerns Researchers tracking risks user identification

Researchers Claim Apple Was Aware of AirDrop User Identification and Tracking Risks Since 2019

Security researchers had reportedly alerted Apple about vulnerabilities in its AirDrop wireless sharing feature back in 2019. According to these researchers, Chinese authorities recently exploited these vulnerabilities to track users of the AirDrop function. This case has raised concerns about global privacy implications.

The Chinese government allegedly used the compromised AirDrop feature to identify users on the Beijing subway accused of sharing "inappropriate information." The exploit has prompted internet freedom advocates to urge Apple to address the issue promptly and transparently. Pro-democracy activists in Hong Kong have previously used AirDrop, leading to Chinese authorities cracking down on the feature.

Beijing-based Wangshendongjian Technology claimed to have compromised AirDrop, collecting basic identifying information such as device names, email addresses, and phone numbers. Despite Chinese officials presenting this as an effective law enforcement technique, there are calls for Apple to take swift action.

US lawmakers, including Florida Sen. Marco Rubio, have expressed concern about the security of Apple's AirDrop function, calling on the tech giant to act promptly. However, Apple has not responded to requests for comments on the matter.

Researchers from Germany's Technical University of Darmstadt, who identified the flaws in 2019, stated that Apple received their report but did not act on the findings. The researchers proposed a fix in 2021, which Apple has allegedly not implemented.

The Chinese claim has raised alarms among US lawmakers, emphasizing the need for Apple to address security issues promptly. Critics argue that Apple's inaction may be exploited by authoritarian regimes, highlighting the broader implications of tech companies' relationships with such governments.

The Chinese tech firm's exploitation of AirDrop apparently utilized techniques identified by the German researchers in 2019. Experts point out that Apple's failure to add an extra layer of security, known as "salting," allowed the unauthorized access of device-identifying information.

Security experts emphasize that while AirDrop's device-to-device communication is generally secure, users may be vulnerable if they connect with a stranger or accept unsolicited connection requests. The lack of salting in the encryption process makes it easier for unauthorized parties to decipher the exchanged data.

Following the Chinese claim, Senator Ron Wyden criticized Apple for a "blatant failure" to protect users, emphasizing the four-year delay in addressing the security hole in AirDrop. The tech firm behind the AirDrop exploit has a history of collaboration with Chinese law enforcement and security authorities.

The intentional disclosure of the exploit by Chinese officials may serve various motives, including discouraging dissidents from using AirDrop. Experts suggest that Apple may now face challenges in fixing the issue due to potential retaliation from Chinese authorities, given the company's significant presence in the Chinese market. The hack revelation could also provide China with leverage to compel Apple's cooperation with security or intelligence demands.
Read more »
Researchers
Analysis Cyber Attacks Cyber Data Cyber Safety Cyber Security Data Researchers

A Few Cybercriminals Account for All Email Extortion Attacks, New Research Reveals

 

New research conducted by Barracuda Networks, in collaboration with Columbia University, has revealed that a surprisingly small group of cybercriminals is responsible for the majority of email extortion attempts worldwide. The study examined over 300,000 flagged emails, identified as extortion attacks by the company's AI detectors, over a one-year period.

To estimate the findings, the researchers traced the bitcoin wallet addresses provided in the emails, as cybercriminals often prefer this method of payment due to the anonymity and ease of transactions in the cryptocurrency realm.

However, the number of bitcoin addresses doesn't necessarily indicate the exact number of attackers. According to Columbia Master's student Zixi (Claire) Wang, who authored the report, the actual number of attackers is likely even fewer than 100, as attackers often use multiple bitcoin addresses.

The monetary demands in these email attacks were relatively low, with approximately a quarter of the emails requesting less than $1,000 and over 90% asking for less than $2,000. Wang speculates that cybercriminals opt for smaller amounts to avoid raising suspicion with victims' banks or tax authorities, and victims are more likely to comply with lower demands without investigating the legitimacy of the threat.

The researchers also observed that Bitcoin was the sole cryptocurrency used by the attackers in their dataset. Wang suggests this is because Bitcoin offers a high level of anonymity, allowing anyone to generate numerous wallet addresses.

The common scams employed by the attackers involved claims of possessing compromising photos or videos obtained by hacking the target's device camera. These threats aimed to extort money from victims under the threat of releasing the alleged content. However, the research revealed that the majority of attackers were bluffing and had no such incriminating material or infected the target systems with malware.

The silver lining in this research is that the small number of perpetrators worldwide could be advantageous for law enforcement efforts. Wang believes that tracking down even a few of these attackers could significantly disrupt this cyber threat.

Furthermore, given the similarity in tactics and templates used by extortion attackers, Wang suggests that email security vendors could block a substantial portion of these attacks using relatively simple detectors. This could provide an additional layer of protection against such cyber threats.
Read more »
Security
Cyber Spy Data Government Hackers malware Network Researchers Safety Security

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia

 

Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this action is a different cluster earlier associated with the "ShadowPad" RAT (remote access trojan) (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an example of an April 2022 attack to demonstrate how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application in order to load a.dat file.

The legitimate application abused by the hackers, in this case, was an 11-year-old Bitdefender Crash Handler executable. The initial.dat payload contains encrypted shellcode that can be used to directly execute commands or additional payloads from memory.

The threat actors installed ProcDump three days after gaining backdoor access to steal user credentials from the Local Security Authority Server Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler and the DLL order hijacking trick. A month after the intrusion, the threat actors gained access to the active directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (Proxylogon) exploitation against Exchange Servers in the compromised network.
Read more »
Subscribe to: Posts (Atom)