Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Supply Chain Attack. Show all posts

New Malware 'WordDrone' Targets Taiwan's Drone Industry

 



Reported by: Acronis (TRU) just published a comprehensive investigation that reveals a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware deploys a version of Microsoft Word from the 1990s to install a persistent backdoor-the kind of threat that puts the security of companies in Taiwan's growing drone industry in real jeopardy. At this stage, one suspects that strategic military and technological positions of Taiwan provide the rationale behind this breach designed to extract critical information. It is during times when investments by the government in drone technology are accelerating.


How WordDrone Operates

A new malware uses the side-loading technique by which it involves a vulnerable version of Microsoft Word 2010. Using a compromised version of Word, attackers loaded three files on the target system: a legitimate copy of the Microsoft Word application, known as winword, a malicious DLL file named wwlib.dll, and an encrypted additional file with a random name.

Then, an unconscious download of the malicious DLL by running the benign Microsoft Word file becomes a delivery method to decrypt and run the real payload of malware. This technique is the exploitation of the weakness within how older versions of Microsoft Word treat DLL files: the malicious DLL can actually masquerade as part of Microsoft Office. Such an approach will make WordDrone virtually impossible for any traditional security tool to detect and block since the files that are infected look legitimate to most detection systems.


Detection Evasion Advanced Tactics

Moreover, many of the malicious DLL files are digitally signed using highly recently expired certificates. This kind of approach, a disguise for legitimacy, many security systems employ to verify software, makes detection much more difficult. This strategy gives WordDrone an advantage bypassing defences based on trusting signed binaries, which makes it rather difficult to detect.

After running it, the threat performs a stage of well-crafted operations. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component creating persistence on the affected system. The install.dll file allows malware to be present even after reboots by various techniques: it can install malware as a background service, schedule it as a recurring task, or inject the next phase of malware execution, and does not need permanent installation.


Persistence and Defense Evasion Techniques

It applies advanced techniques in a way that it stays non-observable and keeps running. Its techniques begin with NTDLL unhooking, which disables the setting of security hooks by monitoring software and re-loads a fresh instance of the NTDLL library so that security tools cannot intervene with that. In addition to that, it keeps the EDR quiet. This scan for active security processes sets up blocking rules within Windows Firewall to dampen the functions of identified security tools, effectively disabling detection capabilities that may raise defences against its presence.


Command-and-Control (C2) Communication for Remote Control

Another advanced feature about WordDrone is the ability to communicate with a C2 server, meaning the attackers can control the malware even after it is installed. The communication schedule is hardcoded within the malware by implementing a bit array that states some active hours in a week. The malware requests from the C2 server additional details or more malicious files during active hours based on such a routine.

WordDrone can function over several communication protocols including TCP, TLS, HTTP, HTTPS, and WebSocket, which all make identification and analysis much more difficult of the malware's network activities. Its use of a custom binary format for its communication makes it even more challenging to intercept or to interpret its network traffic for cybersecurity teams.


Possible Supply Chain Attack and Initial Infection Vector

The entry point of the WordDrone malware is not clear. Initial analysis, however, showed malicious files under a well-known Taiwanese ERP software's folder. That makes it likely that the attackers have also compromised the ERP software as part of a supply chain attack, possibly exposing other organisations that make use of the software in different marketplaces.

The attack by WordDrone on the Taiwanese drone industry is an example of vulnerabilities that sectors of strategic importance have to face. Ongoing vigilance from cybersecurity experts gives caution, as defence and technology-related organisations try to win the technological battle with such persistent threats.


Hackers Slip Backdoor into WordPress Plugins in Latest Supply-Chain Attack

 


Security researchers announced on Monday that there had been a supply chain attack on up to 36,000 WordPress plugins running on a wide range of websites that had been backdoored by unknown hackers. Currently, researchers from security firm Wordfence report that the campaign has affected five plugins as of Monday morning. It has been active since last week. It has been reported that unknown threat actors have recently added malicious functionality to plugin updates on WordPress.org, which is the official site for the free open-source WordPress CMS. This update creates an attacker-controlled administrative account that can be used to control the compromised site, as well as add content designed to boost search results. 

The updates can be installed automatically when the updates are installed. There has been a significant amount of backdooring in WordPress plugins to allow malicious code to be injected which can lead to the creation of rogue administrator accounts which can be used for arbitrary purposes. As Wordfence security researcher Chloe Chamberland pointed out in an alert on Monday, the malware injects itself into the system, attempting to create an administrator user account and sending back that account's details to the attacker's server. 

Further, it appears that the threat actor may also have injected malicious JavaScript into the footers of websites, which appears to be causing SEO spam to be displayed throughout the website. According to Wordfence security researchers, a company that monitors the security of the biggest website builder platforms in the world, five plugins have been poisoned with a poisonous patching function so far. Whenever users patch these WordPress plugins, they are presented with a piece of code that creates a new admin account, which is then used by the attackers to establish the account login credentials. 

The perpetrators of this threat (whose identity has not been revealed yet) thus gain full and unrestricted access to the website in this way. The plugins that have been made available are called Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, and Contract Form 7 Multi-Step Add-on as well as Just Show Hooks. Combined, these five plugins have been installed 36,000 times. Of these, Social Warfare has the most number of installations at 30,000, far and away the most popular one. As of the time of publication, it was not yet clear how the attackers were able to compromise the patching process for these five plugins, and thus compromise their security.

It was reported that reporters at Ars Technica attempted to get in touch with the plugin developers (some did not even provide contact information on their plugin websites, meaning it was impossible to get in touch with them) but did not receive any response. There has been a sharp rise in the number of supply-chain attacks over the past decade, which has become one of the most effective ways to install malware within a supply chain. The threat actors have been able to achieve significant gains by poisoning the software source code so that by simply running a trusted update or installation file, they can infect large numbers of devices. 

This year, an almost disastrous event occurred when a backdoor was discovered, largely through chance, in the widespread open-source XZ Utils code library a week or so ahead of its general release date, narrowly averting disaster. In addition, there have been many other recent supply-chain attacks that can be found in the media. Researchers are currently working on investigating how and why the malware was uploaded to the plugin channel for downloading on the WordPress site to increase their knowledge about it. Several emailed questions were sent to representatives of WordPress, BLAZE, and Social Warfare, none of whom responded. 

Because there is no contact information on the websites of the developers of the remaining three plugins, it was impossible to connect with the representatives of those developers. As mentioned by the Wordfence researchers, they were first made aware of the attack on Saturday when they received an email from a member of the WordPress plugin review team that mentioned the attack. Based on their analysis of the malicious file, the researchers were able to identify four other plugins that had similar codes that were exposed to the same threat. 

There is generally a perception that WordPress is a secure platform for designing and building websites. However, it is a platform with a vast number of third-party themes and plugins, many of which suffer from poor protection, and/or don't enjoy the same level of maintenance as the platform itself. Consequently, they are considered to be a great entry point for threat actors, due to their unique nature. Moreover, the themes and plugins available for WordPress can be both free-to-use and commercially produced, but the latter are often abandoned or maintained by a single developer or hobbyist. 

There is therefore a strong need for WordPress administrators to use extreme caution when installing third-party additions to their websites. They need to ensure that only the files they intend to use are installed. It is imperative for users to ensure their WordPress plugins are always updated and to remain vigilant for any news regarding vulnerabilities. Individuals who have installed any of the compromised plugins should uninstall them immediately and thoroughly inspect their sites for any newly created admin accounts or unauthorized content. Users who utilize the Wordfence Vulnerability Scanner will be alerted if their site is running any of the affected plugins. 

Furthermore, the Wordfence post advises users to monitor their sites for connections originating from the IP address 94.156.79.8, as well as to check for admin accounts with the usernames "Options" or "PluginAuth."

TeamCity Software Vulnerability Exploited Globally

 


Over the past few days a security breach has transpired, hackers are taking advantage of a significant flaw in TeamCity On-Premises software, allowing them to create unauthorised admin accounts. This flaw, known as CVE-2024-27198, has prompted urgent action from software developer JetBrains, who released an update on March 4 to address the issue.

The gravity of this situation is evident as hackers exploit the vulnerability on an extensive scale, creating hundreds of unauthorised users on instances of TeamCity that have not yet received the essential update. According to LeakIX, a platform specialising in identifying exposed device vulnerabilities, over 1,700 TeamCity servers remain unprotected. Most notably, vulnerable hosts are predominantly found in Germany, the United States, and Russia, with an alarming 1,440 instances already compromised.

On March 5, GreyNoise, a company analysing internet scanning traffic, detected a notable surge in attempts to exploit CVE-2024-27198. The majority of these attempts originated from systems in the United States, particularly those utilising the DigitalOcean hosting infrastructure.

These compromised TeamCity servers are not mere inconveniences; they serve as vital production machines used for building and deploying software. This presents a significant risk of supply-chain attacks, as the compromised servers may contain sensitive information, including crucial credentials for environments where code is deployed, published, or stored.

Rapid7, a prominent cybersecurity company, brought attention to the severity of the situation. The vulnerability, with a critical severity score of 9.8 out of 10, affects all releases up to TeamCity version 2023.11.4. Its nature allows remote, unauthenticated attackers to gain control of a vulnerable server with administrative privileges.

JetBrains responded swiftly to the report by releasing TeamCity version 2023.11.4 on March 4, featuring a fix for CVE-2024-27198. They are urging all TeamCity users to update their instances to the latest version immediately to mitigate the risks associated with this critical vulnerability.

Considering the observed widespread exploitation, administrators of on-premise TeamCity instances are strongly advised to take immediate action in installing the newest release. Failing to do so could leave systems vulnerable to unauthorised access and potential supply-chain attacks, amplifying the urgency of this situation.

The recent discovery of a critical flaw in TeamCity software has far-reaching implications for the global security landscape. Users are urged to act promptly by updating their TeamCity instances to ensure protection against unauthorised access and the looming threat of potential supply-chain attacks. The urgency of this matter cannot be overstated, accentuating the imperative need for immediate action.



Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect

 

Shortly after reports emerged regarding a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.

Kyle Hanslovan, CEO of Huntress, expressed concerns about the exploitation of these vulnerabilities, warning that hackers could potentially infiltrate thousands of servers controlling numerous endpoints. He cautioned that this could lead to what might become the most significant cybersecurity incident of 2024. ScreenConnect's functionality, often used by tech support and others for remote authentication, poses a risk of unauthorized access to critical endpoints.

Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect with customer environments. This mirrors previous incidents like the Kaseya attacks in 2021, where MSPs were exploited for broader access to downstream systems.

ConnectWise addressed the vulnerabilities without assigning CVEs initially, but subsequent proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active cyberattacks exploiting these bugs, and by Wednesday, multiple researchers reported increasing cyber activity.

The vulnerabilities now have designated CVEs, including a severe authentication bypass flaw (CVE-2024-1709) and a path traversal issue (CVE-2024-1708) enabling unauthorized file access.

The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.

According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to various endpoints, intending to sell this access to ransomware groups. There have been instances of ransomware attacks targeting local governments, including endpoints potentially linked to critical systems like 911 services.

Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.

The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

Mitigation measures include applying patches released with ScreenConnect version 23.9.8 and monitoring for indicators of compromise (IoCs) as advised by ConnectWise. Additionally, organizations should vigilantly observe their systems for suspicious files and activities.

ConnectWise's actions to revoke licenses for unpatched servers offer some hope, although the severity of the situation remains a concern for anyone running vulnerable versions or failing to patch promptly.

Comcast-Owned Telcom Business 'Xfinity' Suffers Data Breach


Comcast-owned Xfinity has suffered a major data breach, affecting more than 25 million of its customers. 

This intrusion not only demonstrates a risky and expanding practice among hackers, but it has also greatly increased the vulnerability of millions of US-based individuals. In certain cases, the situation is actually a lot worse than one may believe.

According to editor of Scamicide.com, Attorney Steven Weisman, this data breach is significantly dreadful for customers since threat actors were able to access the last four digits of social security numbers of the affected individuals. The first five numbers could easily be figured out by the hackers, as they are based on the owner’s residential address and the location where the card was issued.

“So if a criminal has the last four digits, the first three they can figure out easily, the second set they can get relatively easily, so it puts a lot of people in danger of identity theft,” explained Weisman.

Due to this particular issue of rather uncomplicated identification of social security numbers, the government had started randomizing the numbers in 2011.

Furthermore, these hackers are rather harmful. They introduced their malware in the software that Xfinity bought, rather than really hacking into Xfinity. According to Weisman, they are known as "supply chain" hacks, and their prevalence is significantly on the rise. 

“They put their malware into the legitimate software. A company like Comcast gets some accounting software that they have no reason to think is anyway tainted and bam – the malware is in there and the personal information is stolen,” said Weisman.

In the recent times, these types of data breach are becoming more common. Customers are being asked by Xfinity to check their credit, change their passwords, and sign up for a multi-step verification process after the company announced the incident on its website. Additionally, people ought to routinely check their credit scores and freeze their credit.

About Xfinity

Xfinity is a US-based telecommunications business segment, owned by Comcast Corporation, used in marketing consumer cable television, internet, telephone, and wireless services provided by the company. Xfinty, before being established in 2010 was operating under the common-label of Comcast, where the aforementioned services were marketed.  

Microsoft's Cybersecurity Report 2023

Microsoft recently issued its Digital Defense Report 2023, which offers important insights into the state of cyber threats today and suggests ways to improve defenses against digital attacks. These five key insights illuminate the opportunities and difficulties in the field of cybersecurity and are drawn from the report.

  • Ransomware Emerges as a Pervasive Threat: The report highlights the escalating menace of ransomware attacks, which have become more sophisticated and targeted. The prevalence of these attacks underscores the importance of robust cybersecurity measures. As Microsoft notes, "Defending against ransomware requires a multi-layered approach that includes advanced threat protection, regular data backups, and user education."
  • Supply Chain Vulnerabilities Demand Attention: The digital defense landscape is interconnected, and supply chain vulnerabilities pose a significant risk. The report emphasizes the need for organizations to scrutinize their supply chains for potential weaknesses. Microsoft advises, "Organizations should conduct thorough risk assessments of their supply chains and implement measures such as secure coding practices and software integrity verification."
  • Zero Trust Architecture Gains Prominence: Zero Trust, a security framework that assumes no trust, even within an organization's network, is gaining momentum. The report encourages the adoption of Zero Trust Architecture to bolster defenses against evolving cyber threats. "Implementing Zero Trust principles helps organizations build a more resilient security posture by continuously verifying the identity and security posture of devices, users, and applications," Microsoft suggests
  • AI and Machine Learning Enhance Threat Detection: Leveraging artificial intelligence (AI) and machine learning (ML) is crucial in the fight against cyber threats. The report underscores the effectiveness of these technologies in identifying and mitigating potential risks. Microsoft recommends organizations "leverage AI and ML capabilities to enhance threat detection, response, and recovery efforts."
  • Employee Training as a Cybersecurity Imperative: Human error remains a significant factor in cyber incidents. The report stresses the importance of continuous employee training to bolster the human element of cybersecurity. Microsoft asserts, "Investing in comprehensive cybersecurity awareness programs can empower employees to recognize and respond effectively to potential threats."

Microsoft says, "A resilient cybersecurity strategy is not a destination but a journey that requires continuous adaptation and improvement."An ideal place to start for a firm looking to improve its cybersecurity posture is the Microsoft Digital Defense Report 2023. It is necessary to stay up to date on the current threats to digital assets and take precautionary measures to secure them.






Hugging Face's AI Supply Chain Escapes Near Breach by Hackers

 

A recent report from VentureBeat reveals that HuggingFace, a prominent AI leader specializing in pre-trained models and datasets, narrowly escaped a potential devastating cyberattack on its supply chain. The incident underscores existing vulnerabilities in the rapidly expanding field of generative AI.

Lasso Security researchers conducted a security audit on GitHub and HuggingFace repositories, uncovering more than 1,600 compromised API tokens. These tokens, if exploited, could have granted threat actors the ability to launch an attack with full access, allowing them to manipulate widely-used AI models utilized by millions of downstream applications.

The seriousness of the situation was emphasized by the Lasso research team, stating, "With control over an organization boasting millions of downloads, we now possess the capability to manipulate existing models, potentially turning them into malicious entities."

HuggingFace, known for its open-source Transformers library hosting over 500,000 models, has become a high-value target due to its widespread use in natural language processing, computer vision, and other AI tasks. The potential impact of compromising HuggingFace's data and models could extend across various industries implementing AI.

The focus of Lasso's audit centered on API tokens, acting as keys for accessing proprietary models and sensitive data. The researchers identified numerous exposed tokens, some providing write access or full admin privileges over private assets. With control over these tokens, attackers could have compromised or stolen AI models and supporting data.

This discovery aligns with three emerging risk areas outlined in OWASP's new Top 10 list for AI security: supply chain attacks, data poisoning, and model theft. As AI continues to integrate into business and government functions, ensuring security throughout the entire supply chain—from data to models to applications—becomes crucial.

Lasso Security recommends that companies like HuggingFace implement automatic scans for exposed API tokens, enforce access controls, and discourage the use of hardcoded tokens in public repositories. Treating individual tokens as identities and securing them through multifactor authentication and zero-trust principles is also advised.

The incident highlights the necessity for continual monitoring to validate security measures for all users of generative AI. Simply being vigilant may not be sufficient to thwart determined efforts by attackers. Robust authentication and implementing least privilege controls, even at the API token level, are essential precautions for maintaining security in the evolving landscape of AI technology.

Increasing Data Security in the Digital Era

Protecting our online profile has become crucial in the current digital era. Keeping up with the most recent technologies and techniques is essential to safeguarding personal data and privacy in light of the constantly changing technological landscape. To assist you in navigating the complicated world of digital security, this article offers a succinct summary of key tools and procedures.

1. Password Managers: Your First Line of Defense

One of the fundamental aspects of online security is having strong, unique passwords for each of your accounts. However, remembering complex passwords for multiple platforms can be a daunting task. This is where password managers step in. They generate and store strong passwords, alleviating the burden of memorization while keeping your accounts secure. CNET's comprehensive guide on the best password managers provides valuable insights into choosing the right one for your needs.

2. The SolarWinds Saga: A Wake-Up Call for Supply Chain Security

The SolarWinds breach of 2020 revealed the audacity and sophistication of supply chain attacks. Wired's in-depth analysis sheds light on the unprecedented scale and intricacy of this cyber intrusion. It serves as a stark reminder that even industry giants are not impervious to such attacks. The incident underscores the critical need for comprehensive security measures, including rigorous vendor assessments and continuous monitoring of software supply chains.

3. Slack: Revolutionizing Communication with Enhanced Security Measures

Communication platforms like Slack have become indispensable in the modern workplace. TechCrunch's coverage of Slack's exit from beta in 2014 highlights the platform's rapid ascent to prominence. As businesses increasingly rely on such tools for collaboration, it's crucial to ensure that they employ robust security features. Encryption, multi-factor authentication, and regular security audits are some of the key measures that platforms like Slack should implement to safeguard sensitive communications.

4. Prioritizing Data Privacy with Cutting-Edge Technologies

In an era where data breaches are almost commonplace, prioritizing data privacy is non-negotiable. IEEE Spectrum's dedicated section on data privacy provides a wealth of resources and insights into the latest technologies and best practices. From 

Unprecedented opportunities and problems come with living in the digital age. In a world where information is becoming more interconnected by the day, people and organizations may protect sensitive data by utilizing the strategies and technologies described in these resources. As you may recall, readiness and alertness are crucial in the field of cybersecurity.

Discovering the Threat from Android TV Backdoors

Android TV streaming boxes are already commonplace in homes all over the world because they provide an easy method to access a wealth of content. A pernicious backdoor that poses a serious risk to user security and privacy, however, is concealed within some of these devices.

Recent investigations have revealed the worrying ubiquity of this backdoor, which permits unauthorized access to critical data. Reputable reports emphasize the severity of this problem, shocking the tech industry.

The backdoor, dubbed 'BADBOX,' has been found in thousands of Android TV boxes, turning them into potential ticking time bombs. It allows cybercriminals to gain unrestricted access to personal data, opening the door to identity theft, financial fraud, and other malicious activities. What's even more alarming is that this backdoor is notoriously difficult to detect and eliminate, as it's deeply embedded in the device's firmware.

Experts warn that these compromised devices are not limited to a specific brand or model. In fact, they are spread across various manufacturers, making it a widespread issue that affects a broad spectrum of users. This has raised concerns about the supply chain integrity of these devices, prompting calls for stricter quality control measures.

The implications of this security breach are far-reaching. Families, individuals, and businesses alike are at risk of falling victim to cyberattacks, putting their sensitive information in the wrong hands. As we increasingly rely on smart technology for convenience and entertainment, the need for robust cybersecurity measures has never been more pressing.

To combat this threat, manufacturers, government agencies, and cybersecurity specialists are working nonstop. Users are being urged to exercise caution and maintain their devices patched with the most recent security updates. Customers are also encouraged to buy equipment from reliable vendors and to exercise caution when contemplating unofficial or off-brand retailers.

The discovery of the Android TV backdoor is a sobering reminder of how rapidly cybersecurity dangers are changing. Our attempts to protect our digital lives must grow at the same rate as technology. We can all work together to create a better and more secure digital future by remaining informed, implementing best practices, and supporting industry-wide initiatives.

VMConnect Supply Chain Attack Persists

 

During the initial weeks of August, the ReversingLabs research team uncovered a malicious supply chain operation, code-named "VMConnect." This nefarious campaign involved the distribution of approximately twenty-four malevolent Python packages through the Python Package Index (PyPI), a widely used open-source repository for Python software. 

These deceptive packages were cleverly designed to mimic well-known open-source Python utilities, including vConnector (a wrapper module for pyVmomi VMware vSphere bindings), eth-tester (a toolkit for testing Ethereum-based applications), and databases (a tool offering asynchronous support for various database systems). In their investigation, the researchers noticed that the perpetrators of this campaign have gone to great lengths to create an aura of authenticity around their actions. 

They take the time to establish GitHub repositories, complete with descriptions that appear entirely legitimate, and even incorporate authentic source code. In their latest findings, the team has identified several new packages, each with its own download statistics. Notably, these include 'tablediter,' which has garnered 736 downloads, 'request-plus' with 43 downloads, and 'requestspro' boasting 341 downloads. 

Among these recently uncovered packages, the first one appears to camouflage itself as a tool for table editing. Meanwhile, the other two pose as legitimate versions of the widely-used 'requests' Python library, typically utilized for making HTTP requests. ReversingLabs could not definitively identify the source of the campaign, but some analysts were more confident, attributing the malware to Labyrinth Chollima, a subgroup within the notorious Lazarus Group, a North Korean state-sponsored threat entity. 

Additionally, JPCERT/CC, a respected cybersecurity organization, connected the attack to another Lazarus Group subsidiary known as DangerousPassword. Considering these attributions and the striking code similarities observed between the packages discovered in the VMConnect campaign and those described in JPCERT/CC's research, it strongly implies that the same threat actor is responsible for both attacks. 

What is A supply chain attack? 

A supply chain attack is a cyber assault strategy that depends on an organization's vulnerabilities within its supply chain. The supply chain represents the intricate network of individuals, companies, resources, processes, and technologies involved in creating and distributing a product. This chain encompasses everything from raw material shipment from suppliers to manufacturers, right up to the product's delivery to end-users. 

In targeting a weak link within this supply chain, cyber attackers increase their chances of success, capitalizing on the trust organizations often place in their third-party vendors. These attacks are a subset of island hopping attacks, where threat actors leverage trusted connections to infiltrate their primary targets.

Ransomware's Alarming Surge and Active Adversaries


Ransomware attacks have increased dramatically recently, worrying the cybersecurity community and heralding a new era of cyber threats. The convergence of sophisticated tactics used by hostile actors, as described in numerous reports, highlights the necessity of increased attention and proactive protection tactics.

According to reports, ransomware attacks have increased to previously unheard-of levels, and threat actors are continually modifying their strategies to find weak points. Targets increasingly include crucial infrastructure, the healthcare industry, and even political entities, going beyond traditional industries. Additionally, the demands of the attackers have grown exponentially, with multi-million dollar ransoms becoming distressingly regular.

The Sophos research on an active adversary targeting IT executives provides a window into the daring methods used by cybercriminals. The intricacy of contemporary cyber threats is being demonstrated by this adversary's capacity to influence supply chains and sneak inside businesses. These threats are now part of a larger, well-planned campaign rather than separate instances.

The cyber threat intelligence reports by NCC Group offer priceless insights into the changing strategies used by ransomware operators. These papers emphasize the evolving nature of cyber threats and the necessity for enterprises to stay on top of the situation. Organizations may efficiently enhance their defenses thanks to the comprehensive studies of threat vectors, malware families, and mitigation techniques.

The effects of a successful ransomware assault go beyond monetary losses because of how linked the digital world is becoming. The loss of vital services, the compromising of private information, and the deterioration of public confidence are just a few of the serious repercussions. Organizations need to take a multifaceted strategy for cybersecurity to combat this.

Organizations must first make significant investments in solid security measures, such as frequent software updates, vulnerability analyses, and personnel training. Systems for proactive monitoring and threat detection are essential given the constantly changing strategies used by hackers. Additionally, by keeping offline backups, you may prevent giving in to ransom demands and ensure that data recovery is still possible even during an attack.

Collaboration within the cybersecurity community is equally vital. Sharing threat intelligence and best practices helps fortify collective defenses and pre-empt emerging threats. Government bodies, private enterprises, and security researchers must collaborate to create a united front against cyber threats.

BBC, British Airways Among High Profile Victims in Global Supply-Chain Hack

 

A rising number of organisations, including the BBC, British Airways, Boots, and Aer Lingus, are being impacted by a widespread attack.

Staff members have received warnings that personal information, including social security numbers and, in some circumstances, bank information, may have been stolen.

The hackers used a well-known piece of software as a gateway to access numerous businesses simultaneously. There are no reports of money being taken or requests for ransom.

One of the impacted businesses in the UK is the payroll services provider Zellis, which reported that data from eight of its customer organisations had been stolen. 

Organisations are notifying employees on their own, though it wouldn't give names. The BBC informed the staff via email that the stolen data contained staff ID numbers, dates of birth, residential addresses, and national insurance numbers. 

British Airways employees have been told that some of their bank information may have been stolen. The National Cyber Security Centre of the UK stated that it was keeping an eye on the situation and recommended businesses using the affected software to apply security updates.

The attack was initially made public last week when US business Progress Software said that hackers had discovered a way to access its MOVEit Transfer application. The majority of MOVEit's users are in the US, although the programme is well-known throughout the world for safely moving sensitive files.

When the exploit was found, according to Progress Software, it immediately informed its clients and made a security update available for download. 

A company spokeswoman stated that the company is collaborating with the police to "combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products".

Businesses using MOVEit were advised to download a security patch on Thursday by the US Cybersecurity and Infrastructure Security Agency to prevent further breaches. 

However, security researcher Kevin Beaumont claimed that because many impacted companies had not yet installed the remedy, internet scans revealed that thousands of company datasets may still be exposed.

Experts predicted that instead of extorting money from individuals, cybercriminals would try to do so from businesses. Although no public ransom demands have been made as of yet, it is anticipated that cybercriminals will start emailing impacted firms to demand payment. They'll probably threaten to release the info online for other hackers to browse. 

Victim organisations caution personnel to be alert for any dubious communications that could result in additional cyberattacks. Microsoft stated that it felt the perpetrators were connected to the infamous Cl0p ransomware organisation, which is thought to have its base of operations in Russia, despite the fact that no official attribution had been established.

The US tech giant claimed in a blog post that it was attributing assaults to Lace Tempest, a ransomware operator and owner of the Cl0p extortion website where victim data is exposed. According to the business, the hackers who were behind the attack have previously used similar methods to extort victims and steal data. 

"This latest round of attacks is another reminder of the importance of supply chain security," stated John Shier, from cyber security company Sophos. "While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well."

Preinstalled ‘Guerrilla’ Malware Infects Millions of Smartphones Worldwide

 

Security experts have made the alarming discovery that preloaded 'Guerrilla' malware has been disseminated on millions of smartphones globally. Once embedded in the device, this sneaky type of malware grants attackers unrestricted access to private user data, potentially resulting in privacy violations and financial loss.

The Guerrilla malware, also known as the Triada trojan, is one of the most advanced and persistent mobile threats to date. It was first identified by Kaspersky researchers, who found it embedded in the firmware of various Android devices. This preinfection tactic makes it extremely difficult for users to detect and remove the malware, as it resides deep within the device's system files.

The Lemon Group, a notorious cybercriminal organization, is believed to be behind the distribution of these infected smartphones. They capitalize on unsuspecting users who unknowingly purchase devices already compromised with the Guerrilla malware. Once activated, the malware acts as a backdoor, allowing the cybercriminals to remotely control the device, intercept communications, and steal sensitive information such as login credentials, banking details, and personal data.

The implications of this preinfection tactic are profound. Users are left vulnerable, unaware that their devices have been compromised from the moment they start using them. Even performing a factory reset or flashing the firmware does not guarantee the complete removal of the malware, as it can persist in the device's system files.

To make matters worse, many of these infected devices are sold in regions with limited cybersecurity awareness and infrastructure, making it even more challenging to address the issue effectively. The impact extends beyond individual users to businesses and organizations that may unwittingly integrate these compromised devices into their networks, potentially exposing sensitive corporate data to cybercriminals.

The discovery of millions of smartphones distributed with preinstalled Guerrilla malware underscores the urgent need for stronger security measures throughout the supply chain. Smartphone manufacturers must implement rigorous security checks to ensure that their devices are free from malware before they reach the market. Additionally, users should exercise caution when purchasing devices, opting for reputable sellers and performing regular security scans on their devices.

The battle against preinstalled malware requires collaboration between smartphone manufacturers, cybersecurity researchers, and law enforcement agencies. By sharing intelligence and implementing proactive measures, it is possible to mitigate the impact of this growing threat and protect users from the dangers of preinstalled malware.

Guerrilla spyware that comes preinstalled on millions of cellphones poses a serious threat to consumer security and privacy. Users, manufacturers, and the cybersecurity community must all exercise vigilance and be proactive in addressing this sneaky danger due to the clandestine nature of this malware. We can only protect our digital life and maintain the integrity of our cellphones by working together.

Lazarus Group's Deathnote Cluster: A Threat to the Defense Sector


The Lazarus Group, a well-known cybercriminal organization, has pivoted to the defense sector with its Deathnote cluster. The group has previously been linked to cryptocurrency attacks and other malicious activities. However, its latest move into the defense industry marks a significant shift in its operations.

According to reports, the Deathnote campaign began in 2020 and has been active ever since. The group has been using advanced tactics to infiltrate defense companies, particularly those involved in developing military technology. Once inside, the hackers have been stealing sensitive data and intellectual property.

The Lazarus Group's tactics have evolved significantly over the years. In the past, it has relied on spear-phishing attacks and other traditional methods of cyber espionage. However, it has now adopted more sophisticated techniques, such as the use of supply chain attacks and zero-day exploits.

The Deathnote cluster is particularly concerning because of its ability to evade detection. The group has been using a range of techniques to remain hidden, including the use of fake social media profiles and encrypted communication channels. This makes it extremely difficult for companies to identify and mitigate the threat.

One of the key vulnerabilities that the Lazarus Group has been exploiting is the lack of awareness among employees. Many of the attacks have been successful because of simple human error, such as the failure to follow basic security protocols. This highlights the importance of ongoing employee training and education in the fight against cybercrime.

The Lazarus Group's move into the defense sector is a worrying development that highlights the need for greater vigilance when it comes to cybersecurity. Companies must take a proactive approach to protect their systems and data, including using advanced security solutions and regular vulnerability assessments.

In conclusion, the Lazarus Group's Deathnote cluster represents a significant threat to the defense industry and beyond. Its evolving tactics and ability to remain hidden make it a formidable opponent in the fight against cybercrime. It is crucial that companies take the necessary steps to protect themselves and their customers from these types of attacks.

3CX Supply Chain Attack Compromised Cryptocurrency Companies

 

Some of the victims of the 3CX supply chain attack had their systems backdoored with Gopuram malware, with threat actors targeting cryptocurrency companies, particularly with this additional malicious payload. 

In a large-scale supply chain attack, North Korean threat actors known as Lazarus Group compromised VoIP communications company 3CX and infected the company's customers with trojanized versions of its Windows and macOS desktop apps. In this attack, the attackers substituted two DLLs used by the Windows desktop app with malicious versions that would download additional malware, such as an information-stealing trojan, to computers.

Since then, Kaspersky has encountered that the Gopuram backdoor, which has been used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload into the systems of a small number of impacted 3CX customers in the same incident.

Gopuram is a modular backdoor that enables its operators to modify the Windows registry and services, perform file timestomping to avoid detection, inject payloads into already running processes, load unsigned Windows drivers using the open-source Kernel Driver Utility, and perform partial user management on infected devices via the net command.

"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.

In March 2023, the attackers dropped a malevolent library (wlbsctrl.dll) and an encrypted shellcode payload (.TxR.0.regtrans-ms) on the systems of cryptocurrency companies impacted by the 3CX supply chain attack, raising the global number of Gopuram infections.
Kaspersky researchers discovered that the attackers used Gopuram with precision, implementing it on fewer than ten infected machines, implying that the attackers' motivation may be financial and focused on such businesses.

"As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France," Kaspersky experts added.

"As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies."

3CX has confirmed that its 3CXDesktopApp Electron-based desktop client was compromised and infected with malware one day after news of the attack broke on March 29 and more than a week after multiple customers reported alerts that the software was being flagged as malicious by security software.

Customers are now advised to uninstall the Electron desktop app from all Windows and macOS systems (a script for mass uninstalling the app across networks is available here) and to use the progressive web application (PWA) Web Client App instead. A group of security researchers has created and released a web-based tool to determine whether a specific IP address has been impacted by the March 2023 supply chain attack against 3CX.

"Identification of potentially impacted parties is based on lists of IP addresses that were interacting with malicious infrastructure," the development team explains.

According to BleepingComputer, the threat actors behind the incident (now tracked as CVE-2023-29059) exploited a 10-year-old Windows vulnerability (CVE-2013-3900) to make it appear that the malicious DLLs used to drop additional payloads were legitimately signed.

The same flaw has been used to infect Windows computers with Zloader banking malware, which is capable of stealing user credentials and personal data. According to 3CX, its 3CX Phone System is used by over 600,000 businesses worldwide and has over 12 million daily users.

Customers include American Express, Coca-Cola, McDonald's, Air France, IKEA, the United Kingdom's National Health Service, and several automakers, including BMW, Honda, Toyota, and Mercedes-Benz.

Supply Chain Attack Targets 3CX App: What You Need to Know

A recently discovered supply chain attack has targeted the 3CX desktop app, compromising the security of thousands of users. According to reports, the attackers exploited a 10-year-old Windows bug that had an opt-in fix to gain access to the 3CX software.

The attack was first reported by Bleeping Computer, which noted that the malware had been distributed through an update to the 3CX app. The malware allowed the attackers to steal sensitive data and execute arbitrary code on the affected systems.

As The Hacker News reported, the attack was highly targeted, with the attackers seeking to compromise specific organizations. The attack has been linked to the APT27 group, which is believed to have links to the Chinese government.

The 3CX app is widely used by businesses and organizations for VoIP communication, and the attack has raised concerns about the security of supply chains. As a TechTarget article pointed out, "Supply chain attacks have become a go-to tactic for cybercriminals seeking to gain access to highly secured environments."

The attack on the 3CX app serves as a reminder of the importance of supply chain security. As a cybersecurity expert, Dr. Kevin Curran noted, "Organizations must vet their suppliers and ensure that they are following secure coding practices."

The incident also highlights the importance of patch management, as the 10-year-old Windows bug exploited by the attackers had an opt-in fix. In this regard, Dr. Curran emphasized, "Organizations must ensure that all software and systems are regularly updated and patched to prevent known vulnerabilities from being exploited."

The supply chain attack on the 3CX app, in conclusion, serves as a clear reminder of the importance of strong supply chain security and efficient patch management. Organizations must be cautious and take preventive action to safeguard their systems and data as the possibility of supply chain assaults increases.

Netherlands Restricts Key Tech Exports in US-China Chip Battle

According to sources, the Netherlands government would impose export limits on the nation's most cutting-edge microprocessor technology in order to safeguard national security.

Products manufactured by ASML, a significant company in the worldwide semiconductor supply chain, will be subject to the embargo. China has filed a formal complaint about the action in response.

The administration of US President Joe Biden has put restrictions on semiconductor exports to its chief superpower rival in an effort to halt the development of cutting-edge technology that might be employed in military modernization and human rights abuses as geopolitical tensions between the US and China increase. The US has also pressed its international allies to follow suit.

The Dutch trade minister, Ms. Schreinemacher, said that the Dutch government had taken into account the technological changes and geopolitical environment, but did not specifically mention China or ASML. To export technology, including the most modern Deep Ultra Violet (DUV) immersion lithography and deposition, enterprises would now need to apply for licenses.

The firm stated that it "does not expect these steps to have a major impact on our financial projection that we have released for 2023 or for our longer-term scenarios as indicated during our Investor Day in November last year."

No matter where in the globe the chips were produced, Washington stated in October that it would want licenses from businesses exporting them to China using US equipment or software.

The US position on semiconductors has drawn criticism from South Korea's trade ministry this week. The South Korean government shall make it abundantly clear that the terms of the Chips Act may increase economic uncertainty, undermine companies' management and intellectual property rights, and lessen the allure of investing in the United States. 


Data Breached on Toyota Supplier Portal

Eaton Zveare, a US-based researcher proactively informed Toyota of the breach found in the Global Supplier Preparation Information Management System (GSPIMS) of the corporation.

According to Zveare, the problem stemmed from installing JWT, or JSON Web Token, authentication that could have given anyone with a working email address access to any account.

JWT is a session token that is created when a user logs onto a website and is used to verify the user's access to secure APIs or portions of the website. The automaker's web platform, known as GSPIMS, enables remote login and management of the company's global supply chain for employees and suppliers.

The researcher could predict an email address by scanning the internet for Toyota personnel who might be involved in the incident. Corporate Toyota email addresses are simple to guess because they use the format firstname.lastname@toyota.com.

Then, Zveare created a legitimate JWT using that email address and utilized it to access the GSPIMS. He used the same way to access a system administrator account he found after performing some portal reconnaissance.

The company avoided a potentially disastrous leak thanks to Zveare's effective disclosure practices, yet the reward for disclosing this vital issue was $0.Despite following the rules of disclosure and rescuing the company from a potentially disastrous leak, It acts as a strong deterrent to investing more time and energy in investigating the infrastructure security of Toyota, he adds. Due to this, similar, exploitable application weaknesses can go unnoticed—at least by 'white hat' researchers like Zveare.

An administrator of the GSPIMS system has access to private data such as secret documents, project schedules, vendor rankings, and customer data for 14,000 users. To allow this option, it appears that the code that creates the JWT based on email address was developed; nevertheless, this backdoor into the network was also created.


Supply Chain Attacks Induced More Data Breaches than Malware

 

As reported by the Identity Theft Resource Center, the first half of 2022 saw fewer compromises reported, owing in part to Russian-based cybercriminals being distracted by the war in Ukraine and volatility in cryptocurrency markets. 

However, data compromises rose substantially in the second half of 2022. The number of victims (422.1 million) has increased by 41.5% since 2021. For the sixth year in a row, the estimated number of data compromise victims fell in 11 of the 12 months of 2022. This trend was reversed when it was revealed that the personal information of 221 million Twitter users was available in illegal identity marketplaces. 

Other discoveries

Data breach alerts suddenly lacked details, putting individuals and businesses at risk and creating uncertainty about the number of data breaches and victims. In 2022, the most common type of cyberattack leading to a data breach was "not specified," followed by phishing and ransomware. 34% of data breach notices included information about the victim and the attack vector.

Cyberattacks continue to be the leading cause of data breaches. In 2022, the number of data breaches caused by supply chain attacks surpassed compromises caused by malware. Malware is frequently regarded as the heart of most cyberattacks. However, supply chain attacks outnumbered malware-based attacks by 40% in 2022.

According to the report, supply chain attacks targeting 1,743 entities affected more than 10 million people. In comparison, 4.3 million people were affected by 70 malware-based cyberattacks.
The good news about data compromises in 2022

The statistics for 2022 comprise some encouraging news. When compared to the previous high point in 2020, the number of data breaches and exposures linked to unprotected cloud databases decreased by 75% in 2022. Physical attacks also continued their multi-year decline, dropping to 46 out of 1,802 compromises.

“While we did not set a record for the number of data compromises in the U.S. last year, we came close,” said Eva Velasquez, CEO of the Identity Theft Resource Center.

Velasquez added, “These compromises impacted at least 422 million people. These numbers are only estimates because data breach notices are increasingly issued with less information. This has resulted in less reliable data that impairs consumers, businesses and government entities from making informed decisions about the risk of a data compromise and the actions to take if impacted by one. People are largely unable to protect themselves from the harmful effects of data compromises, fueling an epidemic – a “scamdemic” of identity fraud committed with compromised or stolen information.” 

SOCs Face Stern Test in 2023 as Hackers Target Governments and the Media

 

The number of incidents in the government and mass media segments will increase this year, according to Kaspersky research experts' predictions for challenges in Security Operation Centers (SOCs) in 2023. SOCs in these and other industries, as well as supply chain attacks via telecommunications providers, are likely to face more recurring targeted attacks. More initial compromises through public-facing applications will be another threat to SOCs. Data destruction may occur in organisations that are threatened by ransomware attacks. 

Repeated targeted attacks by state-sponsored hackers 

The average number of incidents in the mass media sector doubled from 263 in 2021 to 561 in 2022, according to Kaspersky experts. Numerous high-profile incidents occurred over the course of the past year, one of which was when Iranian state TV broadcasting was halted due to hacker activity while the nation was in the midst of protests. Similar DDoS attacks to those that occurred in the Czech Republic also targeted media outlets. Among the 13 other analysed segments, such as industrial, food, development, financial, and others, mass media emerged as the top target for cybercriminals, following the government sector, where the average number of incidents increased by 36% in 2022. 

2023 will see a continuation of this growth along with routine targeted attacks by state-sponsored actors. While this is typically relevant for governmental organisations, the mass media sector has come under increased attack during global conflicts that are frequently accompanied by information warfare and in which the media invariably play a significant role. 

“Large businesses and government agencies have always been targets of cybercriminals and state-sponsored actors, but geopolitical turbulence increased attackers’ motivations and enlivened hacktivism, which cybersecurity specialists have not regularly encountered until 2022,” stated Sergey Soldatov, head of security operation center (SOC) at Kaspersky. “The new wave of politically-motivated attacks is especially relevant for the government and mass media sectors. To effectively protect a company, it’s necessary to implement a comprehensive threat detection and remediation provided through Managed Detection and Response services.” 

Supply chain assault 

Attacks on telecommunications firms by perpetrators could lead to an increase in supply chain strikes in 2023. The telecom sector experienced a disproportionate number of high severity incidents in 2021 for the first time. Although the average proportion of high severity incidents decreased in 2022 (from 79 per 10,000 systems monitored in 2021 to about 12 in 2022), these businesses continue to be prime targets for cybercriminals. 

Ransomware destroyers 

In 2022, Kasperksy noticed a new ransomware trend that will persist in 2023: ransomware actors will both encrypt and destroy corporate data. This is pertinent to organisations that experience politically motivated attacks. More initial compromises through applications with a public facing pose a threat to SOCs. Compared to phishing, penetration from the perimeter requires less preparation, and outdated vulnerabilities are still available. 

Mitigation tips

Kaspersky researchers advise taking the following precautions to guard against the pertinent threats: 

  • Keep all of your devices' software updated to stop hackers from breaking into your network by taking advantage of flaws. Patches for fresh vulnerabilities should be applied as soon as possible. Threat actors are no longer able to exploit the vulnerability once it has been downloaded. 
  • High-profile attacks can be defended against with dedicated services. Before the intruders succeed in their objectives, the Kaspersky Managed Detection and Response service can assist in locating and stopping intrusions in their early stages. If an incident occurs, Kaspersky Incident Response service will assist you in responding and reducing the effects. In particular, locate the compromised nodes and safeguard the infrastructure from future intrusions. 
  • Utilize the most recent Threat Intelligence data to keep abreast of the TTPs that threat actors are actually employing. 
  • Select a trustworthy endpoint security product with behavior-based detection and anomaly control features, like Kaspersky Endpoint Security for Business, for efficient defence against known and unknowable threats.