
Interlock Ransomware: New Threat Targeting FreeBSD Servers and Critical Infrastructure Worldwide

The Interlock ransomware operation, launched in late September 2024, is increasingly targeting organizations around the globe. Notably, this new threat employs an encryptor built specifically to attack FreeBSD servers, a tactic that is rare among ransomware groups.

Interlock has already affected six organizations and publicly leaked stolen data after ransoms went unpaid. One prominent victim, Wayne County in Michigan, experienced a cyberattack early in October, adding to the list of affected entities.

Details about Interlock remain limited, with early reports emerging from cybersecurity responder Simo in October. Simo's analysis noted a new backdoor associated with the ransomware, discovered during an investigation on VirusTotal.

Shortly after, MalwareHunterTeam identified a Linux ELF encryptor related to Interlock. Upon further examination, BleepingComputer confirmed that this executable was built specifically for FreeBSD 10.4, though attempts to execute it in a FreeBSD environment failed.

Although ransomware targeting Linux-based VMware ESXi servers is common, an encryptor for FreeBSD is rare. The now-defunct Hive ransomware, disrupted by the FBI in 2023, was the only other known operation with a FreeBSD encryptor.

Trend Micro researchers shared additional samples of the Interlock FreeBSD ELF encryptor and a Windows variant, noting that FreeBSD is often used in critical infrastructure. This likely makes it a strategic target for Interlock, as attacks on these systems can lead to significant service disruptions.

Trend Micro emphasizes that Interlock’s focus on FreeBSD infrastructure allows attackers to disrupt essential services and demand high ransoms, as these systems are integral to many organizations’ operations.

It is important to note that Interlock ransomware is unrelated to any cryptocurrency token of the same name.

While BleepingComputer encountered issues with running the FreeBSD encryptor, they successfully tested the Windows version, which performed actions like clearing event logs and deleting the main binary using rundll32.exe if self-deletion is enabled.

When encrypting files, Interlock appends the .interlock extension and generates a ransom note titled "!README!.txt" in each affected folder. The note explains the encryption, threats, and includes links to a Tor-based negotiation site where victims can communicate with the attackers. Each victim receives a unique ID and email for registration on this negotiation platform.
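As an added example that is not part of the original post, the Python below sweeps a directory tree for the two artifacts just described, the .interlock extension and the !README!.txt note, and reports per-folder counts plus folders where a note was dropped but nothing was renamed; the sample tree it builds in a temporary directory is constructed for this example.

```python
"""Sweep a directory tree for Interlock ransomware file-system artifacts.

Added example, not code from the original post. It looks only for the two
artifacts the article names: files renamed with the .interlock extension and
the !README!.txt ransom note dropped into each affected folder.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".interlock"
RANSOM_NOTE = "!README!.txt"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)


def scan_tree(root):
    """Walk root and collect paths of encrypted files and ransom notes."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
    return result


def summarize(result, root):
    """Per-folder view a responder wants: what was encrypted where, and
    folders holding a note but no encrypted files (encryption interrupted,
    or a stale leftover note)."""
    per_dir = {}
    for path in result.encrypted_files:
        rel = os.path.relpath(os.path.dirname(path), root)
        per_dir[rel] = per_dir.get(rel, 0) + 1
    note_dirs = {os.path.relpath(os.path.dirname(p), root) for p in result.ransom_notes}
    return {
        "encrypted_per_dir": per_dir,
        "dirs_with_note": sorted(note_dirs),
        "note_without_encrypted": sorted(note_dirs - set(per_dir)),
    }


def build_sample_tree(root):
    """Constructed sample: two encrypted folders, one note-only folder, one clean."""
    layout = {
        "finance/q3.xlsx.interlock": "",
        "finance/!README!.txt": "constructed ransom note text",
        "hr/contracts.docx.interlock": "",
        "hr/!README!.txt": "constructed ransom note text",
        "legal/!README!.txt": "constructed ransom note text",
        "public/readme.txt": "clean file",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarize(scan_tree(root), root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```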

During attacks, Interlock breaches networks, steals sensitive data, and then deploys the encryptor to lock down files. The data theft supports a double-extortion scheme, with threats to leak data if ransoms—ranging from hundreds of thousands to millions of dollars—are not paid.

Rise in Ransomware Attacks in Southeast Asia Driven by Rapid Digitalization and Security Gaps

A wave of ransomware attacks across Southeast Asia during the first half of this year marks just the beginning of a larger trend. Companies and government agencies, particularly in countries like Thailand, Japan, South Korea, Singapore, Taiwan, and Indonesia, have experienced a dramatic rise in cyberattacks, outpacing the rate of ransomware growth in Europe, as shown by data from Trend Micro.

With incidents like the June attack by the ransomware group Brain Cipher, which disrupted more than 160 Indonesian government agencies, the frequency of such attacks is expected to increase as the region’s economies expand. Many organizations in Southeast Asia are rapidly digitizing their infrastructure, often prioritizing speed over security. Ryan Flores, a senior manager at Trend Micro, points out that the rush to launch digital services often sidelines security measures. 

This rush, combined with a lack of stringent cybersecurity practices, makes organizations in Asia prime targets for cybercriminals. Recent incidents, such as the ransomware attack on a major Vietnamese brokerage in March and malicious code injections in Japan, indicate that cyber attackers are increasingly focusing on this region. Although North America and Europe remain the primary targets for ransomware, the Asia-Pacific region is experiencing a significant surge in attacks. In 2023, ransomware incidents in Asia grew by 85%, according to cybersecurity firm Comparitech. 

Countries like India and Singapore have become major targets, ranking among the top six countries affected by ransomware, based on Sophos’ “State of Ransomware 2024” report. Ransomware groups are especially targeting critical sectors in the Asia-Pacific region. Manufacturing saw the highest number of attacks, followed by government and healthcare sectors. Rebecca Moody of Comparitech suggests that the absence of strict breach notification laws in many Asian countries contributes to underreporting, which in turn reduces the focus on cybersecurity. While ransomware attacks in Asia are increasing, experts like Trend Micro’s Flores believe this rise is not due to targeted efforts but rather the sheer number of potential victims as companies in the region adopt digital tools without adequately upgrading their security. 

Cybercriminals are opportunistic, targeting any vulnerable infrastructure, regardless of its location. National governments in Asia are beginning to take steps to enhance their cybersecurity regulations. For instance, Singapore updated its Cybersecurity Act in May, and Malaysia introduced new legislation requiring cybersecurity service providers to be licensed. However, experts stress that organizations must prioritize basic security practices, such as regular software patching, strong password policies, and multifactor authentication, to mitigate risks effectively.

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tactics, techniques, and procedures (TTPs) in more recent campaigns. The group uses public-facing applications such as IIS servers as entry points, subsequently deploying sophisticated malware toolsets in the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has assigned them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.

LockBit Ransomware: Covertly Evolving Towards Next-Gen Threats Amid Takedown Efforts

In a significant development, law enforcement dismantled the infrastructure of LockBit ransomware earlier this week, uncovering the clandestine work on a next-generation file encryption malware. Referred to as LockBit-NG-Dev, this emerging threat, likely the precursor to LockBit 4.0, was revealed through a collaborative effort between the UK's National Crime Agency and cybersecurity firm Trend Micro.

In a departure from its predecessors built in C/C++, LockBit-NG-Dev is a work-in-progress developed in .NET, compiled with CoreRT, and packed with MPRESS. This strategic shift was brought to light as Trend Micro analyzed a sample of the latest LockBit variant capable of operating across multiple systems, indicating a more sophisticated approach to infection.

Despite lacking some features present in previous versions, such as self-propagation on compromised networks and printing ransom notes on victims' printers, LockBit-NG-Dev appears to be in its final development stages and already provides most of the expected functionality. Trend Micro's technical analysis reveals the encryptor's support for three encryption modes (using AES+RSA): "fast," "intermittent," and "full." It includes custom file and directory exclusions and the ability to randomize file names to complicate restoration efforts.

Notably, the malware features a self-delete mechanism that overwrites LockBit's own file contents with null bytes. The discovery of LockBit-NG-Dev is a significant setback for LockBit operators, following law enforcement's Operation Cronos. Even if the gang still controls backup servers, the exposure of the new encryptor's source code poses a formidable challenge for the cybercriminal business. Restoring operations becomes a daunting task when security researchers have knowledge of the encrypting malware's source code.

This revelation emphasizes the ongoing battle between law enforcement and cybercriminals, underscoring the need for continued vigilance and collaboration to address evolving threats in the ransomware landscape. 

In conclusion, the revelation of LockBit ransomware secretly building a next-gen encryptor serves as a stark reminder of the persistent and adaptive nature of cyber threats. As organizations and cybersecurity professionals work to stay ahead of evolving ransomware tactics, the need for proactive defenses, continuous threat intelligence sharing, and a collective, global response has never been more critical. LockBit's covert evolution reinforces the urgency of fortifying cybersecurity measures to protect against the ever-changing landscape of sophisticated cyber threats.

Compromised Skype Accounts Facilitate DarkGate Malware Spread

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments.

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and MalwareBytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns utilized malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The use of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August by an international law enforcement effort.

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

The Complex Landscape of Cybersecurity Threats in South Africa


Trend Micro has recently revealed that, in the course of 2023, it has detected over 86 million email threats, nearly four million malicious URLs, and more than 4,000 malicious mobile apps targeted at South African businesses and consumers’ systems.

The revelation comes at a time when South Africa is witnessing consistent complexities in its cybersecurity threat landscape. 

The revelations were made in Trend Micro’s 2023 Midyear Cybersecurity Threat Report, which presents findings gleaned from in-depth telemetry involving millions of business and consumer clients. The research sheds light on both threat actor actions and new trends in criminal tactics, providing security defenders working to outwit crafty cybercriminals with useful advice.

The Developments Made in Ransomware

In the first half of 2023, Trend Micro was able to block around 15 million malware families, with ransomware posing a significant threat to regional organizations. In June alone, around 2,500 ransomware detections were reported. The Midyear Report digs deeply into the evolving strategies used by ransomware groups, including how they have modified tools and methods for more effective data extraction and how their revenue models have changed.

One of the risks arises from the newly discovered 'Mimic' ransomware, which cleverly deploys legitimate search engine tools to locate files for encryption. Apparently, Mimic has certain links with the notorious Conti ransomware group, further indicating the cooperation between these criminal organizations for the sake of lowering costs, expanding their market reach, and engaging in ongoing criminal activity. The report also highlights a change in ransomware groups' priorities, with a specific focus on data exfiltration involving bitcoin theft and business email compromise (BEC).

AI’s Influence on Cybercrime Activities 

Another trend that came to light in 2023 is the growing use of AI by threat actors in conducting cybercrimes. On one hand, South African companies are adopting AI technologies to improve their operations; on the other, threat actors are also embracing high-end technologies to design more complex cyber scams. These scams may include virtual kidnapping, where attackers may use AI-generated deepfake voices to coerce victims into paying ransom amounts.

Additionally, AI tools like ChatGPT have given cybercriminals the ability to automate data collection, create target groups, and recognize weak behaviours, making it simpler to launch harpoon-whaling attacks. These attacks entail the deceptive targeting of executives via emails that are highly tailored, urgently written, and contain details specific to the target. The effort needed to target CEOs has been greatly decreased thanks to the usage of AI, making it simpler to shoot for a big target.

Innovations Expanding Threat Risk

Threat actors are continually looking for new ways to attack people as technology advances. With the rise of connected cars, attackers want to gain access to user account data to enable crimes. After hijacking accounts or acquiring credentials through phishing or malware, cybercriminals may identify and break into vehicles for theft or other illegal acts; they may even target the owner's home location for a break-in while they are away.

The reason behind threat actors’ interest in South Africa is the increased uptake of smart home networks (SHN). Trend Micro found more than 1.5 million inbound SHN attacks in the nation during the first half of 2023. Smaller platforms, such as file transfer services like MOVEit, business communications software like 3CX, and print management software options like PaperCut, have become more vulnerable as a result of these attacks.

Zaheer Ebrahim, Solutions Architect for the Middle East and Africa at Trend Micro, further highlights that the unending complexities now seen in hacker tactics pose a severe threat to local businesses. Given the constantly changing world of digital security, he emphasizes the significance of identifying potential risks and threats in order to make wise decisions and proactively build cybersecurity defences.

Mimic Attacks: Ransomware Hijacking Windows ‘Everything’ Search Tool


Trend Micro has recently revealed details of a new type of ransomware that abuses the APIs of the 'Everything' search tool to attack English- and Russian-speaking Windows users.

The malware was discovered by the security firm researchers in June 2022 and was named ‘Mimic.’ According to the researchers, the malware has been “deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.” 

The researchers also found that some of the code in Mimic shared similarities with the infamous Conti ransomware, which was leaked in early 2022 following a number of high-profile incidents. 

Mimic Attacks 

A Mimic ransomware attack begins with the targeted victim receiving an executable, most likely via email, that drops four files on the target system, including the main payload, ancillary files, and tools to disable Windows Defender.

The researchers' findings reveal that the ransomware package consisted largely of legitimate files, one of which contained the malicious payload. Mimic is a sophisticated strain of ransomware that may use command-line options to target specific files and multiple processor threads to encrypt data more rapidly.

According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enables it to operate with minimal resource consumption, leading to more effective execution and attack.

What Could be the Solution? 

One of the best measures advised to companies is implementing a multilayered approach, which provides the most effective security, including data protection and backup and recovery measures.

Utilizing a range of software that is designed to prevent, mitigate and combat attacks on personal and business computers adds another layer of protection to the systems.

Moreover, conducting regular vulnerability assessments and patching those vulnerabilities as soon as security updates become available will further help in combating potential ransomware attacks.

FBI: To Install Malware, Hackers are Buying Ad Services

The FBI has recommended that citizens install an ad blocker in order to safeguard themselves from internet security dangers, as cybercriminals use ads to spread ransomware and steal information.

Trend Micro claims that Royal is the beta version of the Zeon ransomware that first appeared this year and was linked in August to Conti Team One, one of the organizations responsible for the propagation of the Conti ransomware.

There were three groups of cybercriminals operating behind Conti: one switched to Quantum ransomware, another operates the Black Basta, Karakurt, and Blackbyte ransomware families as well as Royal, and the third was shut down in early 2022, as per a chart that security expert Vitali Kremez shared in August.

Royal ransomware has been employed in assaults mostly aimed at targets in the US and Brazil, according to Trend Micro. It is typically delivered via callback phishing, tricking victims into downloading remote access software.

The FBI highlighted that these adverts were also used to spoof financial websites, notably exchange platforms for cryptocurrencies.

Businesses employ search engine advertising services to make sure their ads show up at the top of search results with the smallest possible difference between an advertisement and a real internet search result. However, the warning noted that online criminals are also using domains that are similar to legitimate businesses or services to purchase these services for illicit reasons.

How to spot fake advertisements:
  • Prior to clicking an advertisement, check the URL. Look for typos or unusual suffixes on the link, since the displayed text can differ from the true URL.
  • If you want to look up a business, enter its address in the browser's address bar rather than using a search engine like Google.
  • Try using an ad blocker. These block all advertisements, so you avoid being targeted by fraudulent ads but also fail to see any legitimate ones.
Ad blockers can help consumers avoid misleading adverts, but they can also severely degrade the online experience. Many websites depend on advertising, so some won't let you visit if you are using an ad blocker. When using an ad blocker, add your preferred websites to the program's allow list. This lets you see advertising on those sites while blocking it elsewhere.

To ensure strong, safe passwords and avoid risky practices, the FBI also advises using a password manager. Another effective strategy for protecting against online attacks is antivirus software.



This Linux-Targeting Malware is Becoming Even More Potent


A trojan has been added to the capabilities of a cryptomining malware campaign that targets Linux-based devices and cloud computing instances, potentially making attacks more severe.

This cryptomining campaign, as described by cybersecurity experts at Trend Micro, covertly compromises Linux servers and uses their processing power to mine Monero.

Cryptomining attacks are frequently distributed by utilizing common cybersecurity flaws or by being concealed inside cracked software downloads. 

One compromised system is unlikely to generate much profit from cryptomining malware, but attackers infect a vast network of compromised servers and computers to produce as much cryptocurrency as possible, with the related energy bill being unknowingly carried by the victim. 

Because the affected user is unlikely to notice the decrease in system performance unless the machine is pushed to its limit, the attacks usually go unnoticed. Large networks of infected systems can thus generate a consistent income for threat actors, which is why this method has become a prevalent form of malware. 

Remote Access Trojan (RAT) 

The cryptojacking campaign includes a remote access trojan (RAT) in its attacks, which is what sets it apart from other cyberthreat campaigns. Chaos RAT, a free and open-source trojan, allows threat actors to remotely control hosts running any of the operating systems it supports.

The RAT is downloaded together with the XMRig miner, which the threat actors use to mine cryptocurrency, and a shell script that kills competing miners that may already have been set up on the system.

Chaos RAT has a variety of potent functions, like the ability to download, upload and delete files, take screenshots, access file explorer, as well as open URLs. 

In a blog post, Trend Micro researchers David Fisher and Oliveira stated: "On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor […] However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security."

In order to secure networks and cloud services against cryptomining malware and numerous other cyberattacks, organizations are advised to employ generic best cybersecurity measures, such as timely patching and updating of software and applications, in order to mitigate the risks of vulnerability being exploited in the outdated versions.  

Mustang Panda: Chinese Threat Actor Targets Governments Worldwide

The advanced persistent threat actor Mustang Panda has allegedly been linked to a spear-phishing campaign targeting governments and academic and research sectors across the globe.

According to Trend Micro's report, the primary targets of the phishing attacks between May and October 2022 included entities in Asia-Pacific countries such as Myanmar, Australia, the Philippines, Japan, and Taiwan.

Mustang Panda, also known as Bronze President, Earth Preta, HoneyMyte, or Red Lich, is an espionage threat actor based in China. The group is said to be active since July 2018 and is known for utilizing malware like China Chopper and PlugX in order to obtain data illegally. 

Attributes of the Phishing Attack 

The attacks involve spear-phishing emails and messages distributed via Google accounts. The fraudulent emails enticed target users, deceiving them into downloading custom malware through Google Drive links.

During the investigation, researchers found that Mustang Panda used messages on geopolitical subjects, with around 84% of the attacks being targeted at governmental and legal organizations.

The attached link apparently directed the target users to a Google Drive or Dropbox folder in order to evade suspicion. From there, the link led users to download RAR, ZIP, and JAR archives that may include malware variants like ToneShell, ToneIns, and Pubload.

"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," say researchers Nick Dai, Vickie Su, and Sunny Lu.

Although the hackers utilized a variety of malware-loading methods, the process mainly required DLL side-loading once the target ran the executable contained in the archives. 

“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” explained Trend Micro researchers.  "Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved."    

Hackers are Actively Targeting Linux-Based Devices

Ransomware attacks against Linux have accelerated as cybercriminals try to increase their options and take advantage of an operating system that is sometimes neglected when organizations think about security. 

According to Trend Micro, hackers prefer using ransomware-as-a-service (RaaS) techniques because they enable quicker deployment and higher rewards. Additionally, they increasingly focused their attacks on Linux-based computers and employed relatively new ransomware families in high-profile strikes. Operators of ransomware also used both cutting-edge and time-tested strategies to attack cloud environments.

Linux powers significant enterprise IT infrastructure, including servers, making it a target for ransomware gangs. This is especially true when cybersecurity teams decide to concentrate on protecting Windows networks due to a perceived lack of threat to Linux systems compared to Windows.

For instance, LockBit, one of the most widespread and effective ransomware operations in recent memory, now provides the choice of a Linux-based variant that is made to target Linux systems and has been used to carry out assaults in the field.

Hackers are regularly extending the scope of their exploits by focusing on Linux, one of the most potent operating systems utilized in cloud platforms and servers around the world, in addition to upping the ante by utilizing MaaS methods in their attacks.

The RaaS architecture makes it simpler and quicker for cyber criminals to deploy ransomware attacks than traditional ransomware models, even those with limited technical knowledge. According to SPN data, three ransomware families—the infamous LockBit, Conti, and BlackCat families—dominated the RaaS space in terms of detections. BlackCat is a family of ransomware that was developed in the Rust programming language at the end of 2021.

Attackers using ransomware are motivated by money and would jump at new possibilities if they believe they can increase their earnings; it would seem that encrypting Linux systems and demanding payment for the key to open servers and files are becoming more and more common.

According to researchers, as ransomware perpetrators strive to maximize their profits, this strategy will only grow in popularity.

It's not only ransomware entities that are focusing more on Linux, according to Trend Micro, but there has also been a 145% increase in Linux-based cryptocurrency-mining malware attacks, wherein online criminals covertly use the processing power of infected computers and servers to mine for cryptocurrency for their own gain.

AWS and Alibaba Cloud Were Attacked by Crypto Miners


An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime group's malicious shell scripts, an earlier version of which was documented by Trend Micro. The malware author modified these tools after learning that security researchers had disclosed the prior version of the scripts. The scripts are aimed primarily at Amazon Web Services (AWS), but they could also be used on-premises, in containers, or in other Linux instances.

In addition to the primary credential-stealer scripts, there are multiple TeamTNT payloads focused on bitcoin mining, persistence, and lateral movement, employing tactics such as identifying and installing on all Kubernetes pods in a local network. A script containing user credentials for the distribution server and another containing an API key that may allow remote access to a tmate shared login session are also included. Some TeamTNT scripts include defense evasion functions aimed at defeating Alibaba Cloud security technologies.

When it comes to obtaining credentials, the script looks in the following places and APIs:

  • It attempts to find the string 'AWS' in /proc/*/environ, the environment variables of running Linux processes.
  • It attempts to find the string 'AWS' in Docker container environment variables using the command docker inspect $(docker ps -q).
  • It reads /home/.aws/credentials and /root/.aws/credentials, the default AWS CLI credential file locations.
While the query itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the malware saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt", uses cURL to upload it to the URL http://chimaera[.]cc/in/AWS.php, and then deletes the file.

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance, because all network traffic was restricted by the VPC Security Group, so the script could not reach TeamTNT's servers.
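The follow-on activity that the "AWS Temporary Token Persistence" alert above is built to catch can also be hunted directly in CloudTrail. The query below is an added example, not part of the original article or of Cisco's or Trend Micro's tooling: an Amazon Athena (Presto SQL) query that lists STS token-minting calls authenticated with a long-term IAM user key. It assumes a CloudTrail table named cloudtrail_logs created with the schema from the AWS Athena documentation; the table name and the 203.0.113.0/24 egress range are assumptions to replace with your own.

```sql
-- Added example (not from the article): hunt in CloudTrail, via Athena,
-- for temporary credentials minted from a long-term access key.
-- A harvested AKIA... key used from an unfamiliar host to call
-- GetSessionToken / GetFederationToken / AssumeRole is the pattern the
-- "AWS Temporary Token Persistence" alert in the text is looking for.
-- Assumptions: table cloudtrail_logs follows the AWS-documented Athena
-- schema for CloudTrail; 203.0.113.0/24 is a constructed placeholder for
-- the organization's own egress range.
SELECT
    eventtime,
    eventname,
    useridentity.arn         AS caller_arn,
    useridentity.accesskeyid AS access_key_id,
    sourceipaddress,
    useragent,
    errorcode                -- non-NULL rows are failed attempts, still worth seeing
FROM cloudtrail_logs
WHERE eventsource = 'sts.amazonaws.com'
  AND eventname IN ('GetSessionToken', 'GetFederationToken', 'AssumeRole')
  -- long-term IAM user keys start with AKIA; temporary keys start with ASIA
  AND useridentity.accesskeyid LIKE 'AKIA%'
  -- exclude calls from the expected egress range (placeholder prefix)
  AND NOT regexp_like(sourceipaddress, '^203\.0\.113\.')
  -- restrict to the last week; narrow further with partition columns if set up
  AND from_iso8601_timestamp(eventtime) > current_timestamp - interval '7' day
ORDER BY eventtime DESC;
```

A GetSessionToken or GetFederationToken call authenticated with an AKIA key from an address outside the expected range is a strong signal that a stolen key is being laundered into fresh temporary credentials; the response is to deactivate and rotate the key, then review every session it created.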

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, although they also target Tencent Cloud Monitor and third-party BMC Helix Cloud Security agents. While the bulk of the malicious scripts target AWS Elastic Compute Cloud (EC2) virtual machines, these agents are most typically found running inside Alibaba Cloud Elastic Compute Service (ECS) or Tencent Cloud VMs. They could in theory be installed on a VM running on AWS or any other service, but that would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other cloud security tools popular in the United States.

The Alibaba defense impairment routines have been extracted from the script Kubernetes root payload 2.sh and saved separately. Since static analysis of the defense impairment functions is hampered by the presence of multiple Base64-encoded strings, those functions have been decoded and placed back into the file ali-defense-impairment-base64-decoded.sh.txt.

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution vulnerability in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly fold newly disclosed flaws into existing attacks. The exploitation attempts use a custom web shell to deploy the miners, but first switch off the firewall and kill competing cryptocurrency miner processes.

Trend Micro Report on Purple Fox’s Server Infrastructure, Briefed


Purple Fox primarily targets SQL servers, rather than conventional computers, for its cryptocurrency-mining operations. This is largely attributable to the more capable hardware, in both CPU and memory, that servers typically possess. To minimize performance problems, the combination of CPU, memory and disk on SQL servers must scale with the database-related workload.

These machines typically have significantly more computational power than standard desktop computers and are typically outfitted with hardware such as the Intel Xeon line of CPUs, which produces a considerably higher rate of hash calculations (hash rate), making a server more attractive for coin mining than a typical desktop computer.

Because SQL databases provide many routes for executing operating system commands, Purple Fox has used one of the stealthier ones: storing a binary inside the SQL Server database that can then be executed through T-SQL commands.

Purple Fox used CLR Assemblies, a collection of DLLs that can be imported into SQL Server, in its infection chain rather than the more common xp_cmdshell, which is monitored closely by security teams. After the DLLs are imported, they can be bound to stored procedures that can be executed from a T-SQL script. The editions affected by this vector begin with SQL Server 2008.

This approach, which by default requires the sysadmin role, runs as the SQL Server service account. An intruder can use this mechanism to build a .NET assembly DLL and then import it into the SQL Server instance.

The attacker can also store an assembly in a SQL Server table, create a procedure that maps to a CLR method, and then run the procedure. Other groups besides Purple Fox have reportedly used the CLR Assemblies technique in the past, such as MrbMiner and Lemon Duck.

The C&C servers used throughout the communication were compromised servers that form part of the botnet hosting Purple Fox's numerous payloads.

Both initial DNS queries are CNAMEs to subdomains within kozow[.]com, a free dynamic domain service supplied by dynu[.]com. Such records can be modified via an API to point to different IP addresses, a strategy the attacker uses to change the IP address frequently.

Researchers recommend the following procedures for anyone who detects suspicious behavior connected to the Purple Fox botnet on a SQL server, in order to eliminate any malicious remnants of the infection.

Examine all SQL Server stored procedures and assemblies for any questionable assemblies that the DBAs do not recognize. If any such assemblies are found, they must be removed.

Run the following T-SQL script to remove the malicious CLR assembly remnants that were placed in the database:

USE [master]
GO
DROP ASSEMBLY [fscbd]
GO

Remove all unfamiliar accounts and change all passwords on the database server.

As a precaution, do not expose TCP port 1433 publicly or to untrusted zones. Furthermore, protect the SQL Server hosts with strong access controls behind a perimeter firewall in a DMZ.

Establish proper network micro-segmentation and zoning, and enforce a zero-trust policy through your network security controls.

Limit traffic to and from SQL servers. Because these servers serve a specialized purpose, they should only be allowed to communicate with other trusted hosts. Internet access, both inbound and outbound, should be restricted.
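The first recommendation above, reviewing stored procedures and assemblies for anything the DBAs did not create, can be done from the catalog views rather than by eye. The T-SQL below is an added example and is not from the article or from Trend Micro's Purple Fox indicators; it assumes only the standard SQL Server catalog views (sys.configurations, sys.assemblies, sys.assembly_files, sys.assembly_modules), which exist from SQL Server 2008 onward.

```sql
-- Added example (not from the article): inventory the CLR surface the
-- text describes, so a DBA can see which user-defined assemblies exist,
-- which T-SQL procedures map into them, and which server switches make
-- the technique possible. Read-only: it touches catalog views only.

-- 1. Server-wide switches. 'clr enabled' must be 1 for any CLR code to
--    run; on SQL Server 2017+ 'clr strict security' = 0 lets unsigned
--    UNSAFE assemblies load. xp_cmdshell is listed for comparison, since
--    the text notes attackers avoid it because it is closely monitored.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell');

-- 2. User-defined assemblies in the current database: permission set,
--    timestamps, and the first two bytes of the stored binary (a .NET
--    assembly is a PE file, so a genuine one starts with 'MZ' = 0x4D5A).
--    Run this in each database, not only in master.
SELECT a.name                 AS assembly_name,
       a.permission_set_desc,                  -- UNSAFE / EXTERNAL_ACCESS deserve a look
       a.create_date,
       a.modify_date,
       f.name                 AS file_name,
       DATALENGTH(f.content)  AS size_bytes,
       CONVERT(varchar(4), SUBSTRING(f.content, 1, 2), 2) AS first_bytes_hex  -- expect '4D5A'
FROM sys.assemblies AS a
JOIN sys.assembly_files AS f ON f.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Procedures and functions whose body lives in a CLR assembly. Each
--    row ties a callable T-SQL name to the .NET class and method that
--    actually executes under the SQL Server service account.
SELECT SCHEMA_NAME(o.schema_id) + '.' + o.name AS module_name,
       o.type_desc,
       a.name            AS assembly_name,
       m.assembly_class,
       m.assembly_method,
       o.create_date
FROM sys.assembly_modules AS m
JOIN sys.objects    AS o ON o.object_id   = m.object_id
JOIN sys.assemblies AS a ON a.assembly_id = m.assembly_id
WHERE a.is_user_defined = 1
ORDER BY o.create_date DESC;
```

Anything returned by queries 2 and 3 that is not in the DBA's change records is a candidate for the DROP ASSEMBLY cleanup above; dropping the assembly-backed procedures first avoids the dependency error DROP ASSEMBLY raises when modules still reference it.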

Google Play is Infested with Fake Crypto Mining Apps


Google has deleted eight bogus mobile apps from the Play Store that pretend to be bitcoin cloud-mining apps but are actually designed to trick users into paying for pricey subscription services and engaging in other unlawful acts. Although they may have been removed, Trend Micro researchers discovered that when searching Google Play for the keywords "cloud mining," several problematic applications of the same sort remain. 

“Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto mining service that is really a scam,” said Ioannis Gasparis, a mobile application security researcher at Lookout, in a report released in July. 

These phony Android apps target people who want to make money online by persuading them to invest in a cloud-mining business. All eight recently removed apps were found to carry one of two malware families: FakeMinerPay and FakeMinerAd.

“These apps were able to fly under the radar because they don’t actually do anything malicious,” said Ioannis Gasparis. “They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.”

According to Cifer Fang, a researcher at Trend Micro, these malicious apps merely fool victims into watching adverts, make them pay for subscription services with an average monthly charge of $15, and also encourage them to pay for greater mining capabilities without getting anything in return. 

According to Trend Micro's findings, the apps don't actually mine anything; instead, "fake mining activity on the apps' user interface (UI) is carried out via a local mining simulation module that comprises a counter and certain random operations."

“The app called Daily Bitcoin Rewards – Cloud Based Mining System prompts its users to upgrade their crypto-mining capacity by ‘buying’ their favorite mining machines to earn more coins at a faster rate,” Fang noted. 

Two of the phony crypto mining apps (Bitcoin [BTC] – Pool Mining Cloud Wallet and Bitcoin 2021), according to Trend Micro's analysis, bombarded their users with adverts whose primary purpose was to entice victims to click.

Industrial Facilities are at Risk of Data Theft and Ransomware Attacks


Recently, multinational cybersecurity software company ‘Trend Micro’ has published a new report on cybersecurity in which it has highlighted the growing threats of downtime and sensitive credential theft from ransomware attacks targeting industrial facilities. 

“Industrial Control Systems are incredibly challenging to secure, leaving plenty of gaps in protection that threat actors are exploiting with growing determination,” said Ryan Flores, senior manager of forward-looking threat research for Trend Micro...” 

“…Given the US government is now treating ransomware attacks with the same gravity as terrorism, we hope our latest research will help industrial plant owners to prioritize and refocus their security efforts."

What happens when a threat actor targets your facility? 

Industrial Control Systems (ICS) are the crucial elements of factories, utility plants and other facilities that monitor and control industrial processes across IT-OT networks. When ransomware gets into these systems, it can halt all operations for several days and heighten the risk posed by existing vulnerabilities.

According to the published report, several ransomware variants accounted for more than half of the ICS ransomware attacks in 2020, including Ryuk (20%), Nefilim (14.6%), Sodinokibi (13.5%), and LockBit (10.4%).

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly published a report titled 'The Guide', which aims at informing and enhancing network defense and reducing exposure to ransomware attacks. The two measures offered are Ransomware Prevention Best Practices and a Ransomware Response Checklist. Moreover, CISA provides various scanning and testing services, at no cost, to help organizations assess, identify and mitigate their exposure to threats, including ransomware.

The National Institute of Standards and Technology (NIST) also provides guidance against ransomware attacks, covering both detection and response. It is worth noting that several cybersecurity agencies have lately stepped forward to help industry detect and mitigate future ransomware attacks, and numerous guidance reports on ransomware threats are being published.

Extortion Emails by Bogus DarkSide Gang Target Energy and Food Industry


In bogus extortion emails sent to firms in the energy and food industries, threat actors are impersonating the now-defunct DarkSide ransomware operation. DarkSide ransomware first hit business networks in August 2020, demanding millions of dollars in exchange for a decryptor and a pledge not to reveal stolen data.

Following the ransomware gang's attack on the Colonial Pipeline, the country's largest petroleum pipeline, the ransomware gang was thrown into the spotlight, with the US government and law enforcement focusing their attention on the group. Because of the heightened scrutiny from law officials, DarkSide abruptly shut down its operations in May for fear of being arrested. 

Trend Micro researchers reveal in a new analysis that a new extortion campaign began in June, with threat actors imitating the DarkSide ransomware group. "Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet. "In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid." 

The email campaign began on June 4 and has hit a few targets every day since then. Threatening emails were sent to the generic email accounts of a few firms. The Bitcoin wallet at the bottom of the email is the same for every target. None of these wallets have received or sent any Bitcoin payments. No actual attack has been linked to the emails, and no new targets have been discovered.

The researchers discovered that the same attacker had filled contact forms on many companies' websites in addition to sending targeted emails to them. The content of the web forms was identical to the text of the emails. They were able to obtain the sender's IP address, 205[.]185[.]127[.]35, which is a Tor network exit node. 

The threat actor appears to be exclusively interested in the energy (oil, gas, and/or petroleum) and food businesses, based on the telemetry data; in fact, all of their targets are in these industries. The campaign had the most impact on Japan, followed by Australia, the United States, Argentina, Canada, and India. China, Colombia, Mexico, the Netherlands, Thailand, and the United Kingdom are among the other countries affected.

Trend Micro Flaw Being Actively Exploited


The cybersecurity firm Trend Micro disclosed that the threat actors are once again using security solutions as attack vectors and this time attackers are deliberately leveraging a vulnerability in its antivirus solutions, identified as CVE-2020-24557, to gain admin rights on Windows systems. 

The Apex One and OfficeScan XG enterprise security products are affected by CVE-2020-24557. The issue resides in the logic that controls access to the Misc folder, which an attacker could manipulate to escalate privileges and execute code in the context of SYSTEM. According to experts, an attacker may use the bug to manipulate a specific product folder to temporarily disable protection, abuse a specific Windows feature, and gain elevated privileges.

According to the advisory published by Tenable, “A vulnerability in Trend Micro Apex One on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” 

Microsoft researcher Christopher Vella reported the flaw to Trend Micro via the Zero-Day Initiative programme in 2020, and the security firm addressed it in August 2020. Now, the security company has updated its security warning, acknowledging that the bug is being actively exploited in the wild by attackers and urging customers to install security updates. 

“Known vulnerabilities in Apex One, Apex One SaaS and OfficeScan agents could elevate privileges, allow an attacker to manipulate certain product folders to temporarily disable security features or to temporarily disable certain Windows features. It may be abused.” states the update published. 

JPCert also issued a warning about the above vulnerability, which has affected the following items and versions: 
– Trend Micro Apex One 2019 before Build 8422 
– Trend Micro Apex One as a Service prior to Build 202008 
– OfficeScan prior to XG SP1 Build 5702

In the advisory published by the JPCert, it stated “Since the vulnerability is already being exploited in the wild, the users of the affected products are recommended to update the affected system to the latest version as soon as possible. Please refer to the information provided by Trend Micro.” 

“We have confirmed attacks that exploit known vulnerabilities in the following products. Each patch that has already been released supports it, so if you have not applied it, please apply it as soon as possible.” stated the cybersecurity firm. 

Other vulnerabilities in the Apex One and OfficeScan XG security products, such as CVE-2019-18187, CVE-2020-8467, and CVE-2020-8468 have previously been revealed and some of them have been exploited by nation-state actors in real-world attacks.

Trend Micro Detects Vulnerabilities in The SHAREit Program


Trend Micro has found several vulnerabilities in the SHAREit program. The bugs may be exploited to extract sensitive data from users and to use malicious code or programs to run arbitrary code with SHAREit's permissions. They can also lead to remote code execution (RCE). In the past, the software has been associated with bugs that allowed users' files to be downloaded and abused. Since the app allows file types such as the Android Package (APK) to be uploaded and updated, it is very likely that unconsidered bugs were introduced along with these functions.

SHAREit is one of the best-known applications in the Google Play Store. Users can download and distribute files and share them with others using this app. SHAREit was also one of 60 Chinese apps barred late last year in India. Notably, the Android application has been downloaded more than one billion times.

The vulnerabilities can be used to execute malicious code in the SHAREit program on smartphones. The key cause of the security deficiencies is the lack of appropriate controls on who can access the program's code.

Echo Duan, a mobile threats analyst at security firm Trend Micro, reported that malicious applications installed on a device, or attackers carrying out a network attack, could send malicious commands to the SHAREit app and hijack its legitimate code-execution functionality, overwrite the app's local files, or install third-party applications without the user's knowledge.

The app is also susceptible to so-called Man-in-the-Disk attacks, a class of vulnerability first identified by Check Point in 2018 that stems from the insecure storage of app assets in the phone's external storage shared with other applications, where attackers can erase, edit, or substitute them.

"We reported these vulnerabilities to the vendor, who has not responded yet," Duan said today. "We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," he added. It will also be impossible to track such attacks from a defender's viewpoint.

On their website, the SHAREit developers say that 1.8 billion people in over 200 countries use their software. The SHAREit iOS app is not affected, as it runs on a separate codebase. Although the software was last updated in its Play Store listing on February 9, 2021, a fix for the disclosed vulnerabilities is not listed in the update's changelog. At the time of publication, the software is still available for download.

For software makers, businesses, and consumers alike, security should be a top priority. Trend Micro advises that operating systems and the applications themselves should be updated frequently for secure mobile app use.