Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label URLs. Show all posts

Hackers Attack HFS Servers to Install Malware and Mine Monero


 

Cybersecurity researchers have identified a wave of attacks targeting outdated versions of the HTTP File Server (HFS) software from Rejetto, aiming to distribute malware and cryptocurrency mining tools. These attacks exploit a critical security flaw known as CVE-2024-23692, which allows hackers to execute arbitrary commands without needing authentication.

CVE-2024-23692 is a high-severity vulnerability discovered by security researcher Arseniy Sharoglazov. It was publicly disclosed in May this year, following a detailed technical report. The flaw is a template injection vulnerability that enables remote attackers to send specially crafted HTTP requests to execute commands on the affected systems. The vulnerability affects HFS versions up to and including 2.3m. In response, Rejetto has issued a warning to users, advising against the use of these versions due to their susceptibility to control by attackers.

Researchers at AhnLab Security Intelligence Center (ASEC) have observed multiple attacks on version 2.3m of HFS. This version remains popular among individuals, small teams, educational institutions, and developers for network file sharing. The attacks likely began after the release of Metasploit modules and proof-of-concept exploits soon after the vulnerability's disclosure.

During these attacks, hackers gather information about the compromised system, install backdoors, and deploy various types of malware. Commands such as "whoami" and "arp" are executed to collect system and user information and identify connected devices. Hackers also add new users to the administrators' group and terminate the HFS process to prevent other threat actors from exploiting the same vulnerability.

In several cases, the XMRig tool, used for mining Monero cryptocurrency, was installed. ASEC researchers attribute one of these attacks to the LemonDuck threat group. Other malware payloads deployed include:

1. XenoRAT: A tool for remote access and control, often used alongside XMRig.

2. Gh0stRAT: Used for remote control and data exfiltration.

3. PlugX: A backdoor associated with Chinese-speaking threat actors, providing persistent access.

4. GoThief: An information stealer that uses Amazon AWS for data exfiltration, capturing screenshots, collecting desktop file information, and sending data to an external command and control server.

AhnLab continues to detect attacks on HFS version 2.3m. Given that the server must be online for file sharing, it remains a lucrative target for hackers. Rejetto recommends users switch to version 0.52.x, which is the latest release despite its lower version number. This version is web-based, requires minimal configuration, and supports HTTPS, dynamic DNS, and administrative panel authentication.

The company has also provided indicators of compromise, including malware hashes, IP addresses of command and control servers, and download URLs for the malware used in these attacks. Users are urged to update their software to the latest version and follow cybersecurity best practices to protect their systems from such vulnerabilities.

By assimilating and addressing these vulnerabilities, users can better secure their systems against these sophisticated attacks.


X's URL Blunder Sparks Security Concerns

 



X, the social media platform formerly known as Twitter, recently grappled with a significant security flaw within its iOS app. The issue involved an automatic alteration of Twitter.com links to X.com links within Xeets, causing widespread concern among users. While the intention behind this change was to maintain brand consistency, the execution resulted in potential security vulnerabilities.

The flaw originated from a feature that indiscriminately replaced any instance of "Twitter" in a URL with "X," regardless of its context. This meant that legitimate URLs containing the word "Twitter" were also affected, leading to situations where users unknowingly promoted malicious websites. For example, a seemingly harmless link like netflitwitter[.]com would be displayed as Netflix.com but actually redirect users to a potentially harmful site.

The implications of this flaw were significant, as it could have facilitated phishing campaigns or distributed malware under the guise of reputable brands such as Netflix or Roblox. Despite the severity of the issue, X chose not to address it publicly, likely in an attempt to mitigate negative attention.

The glitch persisted for at least nine hours, possibly longer, before it was eventually rectified. Subsequent tests confirmed that URLs are now displaying correctly, indicating that the issue has been resolved. However, it's important to note that the auto-change policy does not apply when the domain is written in all caps.

This incident underscores the importance of thorough testing and quality assurance in software development, particularly for platforms with large user bases. It serves as a reminder for users to exercise caution when clicking on links, even if they appear to be from trusted sources.

To better understand how platforms like X operate and maintain user trust, it's essential to consider the broader context of content personalization. Profiles on X are utilised to tailor content presentation, potentially reordering material to better match individual interests. This customization considers users' activity across various platforms, reflecting their interests and characteristics. While content personalization enhances user experience, incidents like the recent security flaw highlight the importance of balancing personalization with user privacy and security concerns.


FTC Warns: QR Codes May Result in Identity Theft


One might want to reconsider before scanning QR codes.

The codes, which are a digital jumble of white and black squares that are frequently used to record URLs, are apparently commonplace; they may as well be seen, for example, on menus at restaurants and retail establishments. The Federal Trade Commission cautioned on Thursday that they could be dangerous for those who aren't cautious.

According to a report by eMarketer, around 94 million US consumers have used QR scanner this year. The number is only increasing, with around 102.6 million anticipated by 2026. 

As per Alvaro Puig, a consumer education specialist with the FTC, QRs are quite popular since there are endless ways to use them.

“Unfortunately, scammers hide harmful links in QR codes to steal personal information,” Puig said.

Why is Stolen Personal Data a Threat? 

The stolen data can be misused by threat actors in a number of ways: According to a separate report by FTC, the identity thieves can use victim’s personal data to illicitly file tax returns in their names and obtain tax refunds, drain their bank accounts, charge their credit cards, open new utility accounts, get medical treatment on their health insurance, and open new utility accounts.

In some cases, criminals cover the legitimate QR codes with their own, in places like parking meters, or even send codes via text messages or emails, luring victims into scanning their codes. 

One of the infamous tactic used by scammers is by creating a sense of urgency in their victims. For example, they might suggest that a product could not  be delivered and you need to reschedule or that you need to change your account password because of suspicious activity.

“A scammer’s QR code could take you to a spoofed site that looks real but isn’t,” Puig wrote. “And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it.”

How can User Protect Themselves?

According to FTC, some of the measures one can follow to protect themselves from scams are:

  • Inspect URLs before clicking: Even if a URL looks familiar, it is advisable to check for any misspelling or switched letters in order to ensure it is legit. 
  • Do not scan a QR code in a suspicious/unexpected message: This is particularly valid when the text or email demands a quick response. If a user believe this to be a genuine message, it is advisable to get in touch with the business using a reliable channel, such as a working phone number or website. 
  • Protect devices and online accounts: Users are advised to use strong passwords and multifactor authentication and keep their phones’ OS in their latest versions.  

Alert! Large-Scale AiTM Attacks Targeting Enterprise Users

 

A new large-scale phishing effort has been reported that use adversary-in-the-middle (AitM) tactics to circumvent security safeguards and attack business email accounts. 

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report, "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services." 

Fintech, lending, insurance, energy, manufacturing, and federal credit union verticals are major objectives in the United States, United Kingdom, New Zealand, and Australia. This is not the first time a phishing attack has been identified. Microsoft revealed this month that over 10,000 businesses had been targeted by AitM tactics to compromise accounts protected by multi-factor authentication since September 2021 (MFA). 

The ongoing campaign, which began in June 2022, starts with an invoice-themed email addressed to targets that include an HTML file with a phishing URL placed within it. Opening the attachment in a web browser takes the email recipient to a phishing website posing as a Microsoft Office login page, but not before fingerprinting the infected system to assess whether the victim is the targeted target. 

AitM phishing attacks go beyond standard phishing tactics aimed to steal credentials from unsuspecting users, primarily when MFA is implemented - a security barrier that prohibits the attacker from login into the account using just the stolen credentials. To get around this, the rogue landing page created using a phishing kit acts as a proxy, capturing and relaying all traffic between the client (i.e., victim) and the email server. 

"The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works," the researchers stated. 

This also includes replacing any links to Microsoft domains with identical connections to the phishing domain to guarantee that the back-and-forth with the phoney website continues throughout the session. According to Zscaler, the attacker manually logged into the account eight minutes after the credential theft, reading emails and verifying the user's personal information. 

Furthermore, compromised email inboxes are often used to send further phishing emails as part of the same campaign to conduct business email compromise (BEC) frauds. The researchers noted, "Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions."

Hackers are Using LNK Files to Deploy Malicious Payload

 

Earlier this month, researchers at McAfee Labs spotted a sophisticated technique where hackers employed email spam and malicious URLs to deliver LNK files to victims. The files command authentic applications like PowerShell, CMD, and MSHTA to download malicious files. 

LNK files are shortcut files that link to an application or file commonly found on a victim’s desktop or throughout a system and end with an .LNK extension. LNK files can be created by the user or automatically by the Windows operating system. 

To identify the true nature of these files we will go through recently identified Emotet malware. In this particular campaign, the hacker targets the victims’ by manually accessing the attached LNK file. Threat actor replaces the original shortcut icon with that of a .pdf file, so that the unsuspecting victim, once they receive the email attachment, can’t spot the difference with a basic visual inspection. 

But the threat is real. Windows shortcut files can be employed to deploy pretty much any malware onto the target endpoint, and in this case, the Emotet payload is downloaded into the victim’s %TEMP% directory. If successful, the malware will be loaded into memory using “regsvr32.exe”, while the original dropper gets deleted from the %TEMP% directory. 

Precautionary tips 

Emotet is a sophisticated and long-lasting malware that has impacted users globally. Threat Actors are constantly adapting their techniques to stay one step ahead of cybersecurity researchers. McAfee Labs is continuously monitoring the activity of Emotet and has published the guidelines to protect users from malware infection. 

• It is important to note that Emotet is an endpoint threat spread via email, therefore endpoint detection and response (EDR) and antivirus tooling are imperative to disrupting this threat. 

• Don’t keep important files in common locations such as the Desktop, My Documents, etc. 

• Use strong passwords and enforce multi-factor authentication wherever possible. 

• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 

• Use a trusted anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

• Avoid clicking on untrusted links and email attachments without verifying their authenticity. 

• Conduct regular backup practices and keep those backups offline or in a separate network.