Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Watering Hole attack. Show all posts

SolarMarker Using Watering Hole Attacks and Fake Chrome Browser Updates, Infects Business Professionals

 

Researchers have uncovered the cyberattack group behind the SolarMarker malware, which is targeting a global tax consulting firm with offices in the United States, Canada, the United Kingdom, and Europe. It is using fake Chrome browser updates as part of watering hole attacks. This is a fresh approach for the group, replacing its previous method of SEO poisoning, also known as spamdexing. 

SolarMarker is a multistage malware that can steal autofill data, saved passwords, and credit card information from victims' browsers. According to an advisory issued on Friday by eSentire's Threat Response Unit (TRU), the threat group was observed exploiting vulnerabilities in a medical equipment manufacturer's website, which was built with the popular open-source content management system WordPress. The victim worked for a tax consulting firm and used Google to look up the manufacturer's name.

"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.

"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."

Considering that the TRU team has only witnessed a single infection of this vector type, it is unclear whether the SolarMarker group is testing new tactics or preparing for a larger campaign. Previous SolarMarker attacks used SEO poisoning to target people who searched online for free templates of popular business documents and business forms.

Increase Employee Awareness by Monitoring Endpoints

The TRU advisory outlines four key steps organisations can take to mitigate the impact of these types of attacks, including increasing employee awareness of automatic browser updates and avoiding downloading files from unknown sites.
 
"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."

TRU also recommends more vigilant endpoint monitoring, which will necessitate more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to strengthen the organization's overall defence posture.

SolarMarker Campaigns Relaunched Following a Dormant Period

The.NET malware was discovered in 2020 and is typically distributed via a PowerShell installer, with data-gathering capabilities and a backdoor.

Sophos Labs discovered a number of active SolarMarker campaigns in October 2021 that followed a common pattern: cybercriminals used SEO techniques to place links to websites with Trojanized content in the search results of several search engines.

Menlo Security previously reported a SolarMarker campaign in October 2021 that used over 2,000 unique search terms to lure users to sites that then dropped malicious PDFs rigged with backdoors.

Hackers Infect macOS with a New Backdoor Known as DazzleSpy

 

A previously unknown cyber-espionage malware targeting Apple's macOS operating system used a Safari web browser exploit as part of a watering hole attack targeting politically engaged, pro-democracy Hong Kong residents. ESET, a Slovak cybersecurity firm, ascribed the infiltration to an actor with "high technical capabilities," noting similarities between the campaign and a similar digital offensive published by Google Threat Analysis Group (TAG) in November 2021. 

Between September 30 and November 4, 2021, the attack chain entailed compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, in order to inject malicious inline frames (aka iframes). Separately, a bogus website called "fightforhk[.]com" was registered to entice liberation activists. The altered code then served as a conduit to load a Mach-O file by exploiting a remote code execution bug in WebKit, which Apple rectified in February 2021. (CVE-2021-1789). 

"The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely," ESET researchers said. It's worth noting that some of the code shows that the vulnerability might have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices like the iPhone XS and newer. 

The exploit uses two primitives to gain memory read and write access: one to leak an object's address (addrof) and the other to generate a bogus JavaScript object from a specified memory address (fakeobj). Using these two functions, the attack constructs two arrays of different kinds that overlap in memory, allowing it to set a value in one that is considered as a pointer when accessed with the other. 

The exploit makes use of a side effect generated by altering an object property to make it accessible via a "getter" function while enumerating the object's properties in JIT-compiled code. The JavaScript engine incorrectly assumes that the property value is cached in an array and is not the result of calling the getter function.

The successful execution of the WebKit remote code execution triggers the execution of the intermediate Mach-O binary, which in turn leverages a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next stage malware as the root user. 

While Google TAG's infection sequence resulted in the installation of an implant known as MACMA, the malware transmitted to D100 Radio site visitors was a new macOS backdoor known as DazzleSpy, according to ESET. DazzleSpy is a full-featured backdoor that gives attackers a wide range of capabilities for controlling and exfiltrating files from a compromised computer.

Israeli Spyware Firm Attributed to Watering Hole Attacks on Middle East & UK websites

 

ESET researchers have discovered a new cyber campaign that used Candiru's malware, which is located in Tel Aviv, to target websites and services in various Middle Eastern nations, including Saudi Arabia and Iran. 

Candiru, like NSO Group, distributes malware to government agencies, and the US placed it on trade backlists earlier this month, along with a Russian corporation and a Singapore-based company. The latest offensive utilizes 'watering hole' attacks, in which attackers install malicious code on legitimate websites that the targets are likely to visit. When a user visits the page, the malware infects their computer, allowing attackers to eavesdrop on them or harm them in other ways. 

According to ESET, the websites targeted were Middle East Eye, a London-based news organisation, and Almasirah, a Yemeni news agency linked to the Houthi rebels battling the Saudis. Websites belonging to the Iranian foreign ministry, Yemen's finance and interior ministries, and Syria's energy ministry, as well as internet service providers in Syria and Yemen, were also targeted by the attackers. 

Sites run by the Italian corporation Piaggio Aerospace, the pro-Iranian militant group Hezbollah, and The Saudi Reality, a Saudi Arabian dissident media website, were among the other targets. The cybercriminals also established a website that appeared like a medical trade show in Germany, as per researchers. ESET estimates that certain visitors to these sites were targeted via a browser exploit, although they were unable to get the vulnerability or the payload. 

ESET researcher Matthieu Faou who uncovered the cyber campaign, stated, "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code. Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted." 

The researchers have detected no activity from this operation since the end of July 2021, when Google, Citizen Lab, and Microsoft released blog articles outlining Candiru's actions - and about the same time that NSO Group became global news.

"The operators appear to be taking a pause, probably in order to retool and make their campaign stealthier," Faou continued. 

Candiru, which has gone by numerous names since its debut in 2014, has a limited amount of information available. Saito Tech Ltd. is the company's current name, and it has several investors in common with NSO Group.  

In July, Citizen Lab and Microsoft researchers stated that more than 100 journalists, politicians, human rights activists, and dissidents in several countries were targeted in a spyware operation that deployed sophisticated 'cyberweapons' created by Candiru, 

Candiru, according to Citizen Lab, offers spyware to governments and authoritarian leaders only, who then use the tools to hijack PCs, Macs, phones, and cloud accounts. Candiru's clients can attempt to breach an infinite number of devices for €16 million (£13.4 million), but they can only actively track 10 devices at a time, according to the Citizen Lab. Buyers may pay an extra €1.5 million (about £1.25 million) to have Candiru monitor an additional 15 victims.

Apple Fixes Critical iOS Flaws; One Under Attack

 

Researchers discovered one significant flaw that could be exploited from the browser, allowing watering-hole assaults. 

On October 25 and 26, Apple released iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1, and tvOS 15.1, fixing 24 CVEs overall. The CVEs are detailed on Apple's security website, and they include various problems in iOS components that, if abused, may result in arbitrary code execution, sometimes with kernel privileges that would allow an intruder to reach the core of the operating system.

In one incident of a memory-corruption issue in IOMobileFrameBuffer for Apple TV, Apple stated that it is "aware of a report that this problem may have been actively exploited ", a "maybe" that researchers substantiated. 

This one is especially concerning because researchers have previously discovered that the issue is exploitable via the browser, making it "ideal for one-click & waterholing mobile attacks," as per the mobile security firm ZecOps earlier this month. 

A watering-hole attack occurs when a threat actor places malware on websites that may attract a target in the hopes that someone may ultimately drop in and become infected. Justifiably, Apple keeps information confidential that may aid further attackers to create damage and attack. This flaw might allow an application to run arbitrary code with kernel privileges. 

Apple stated earlier this year that it would give users a choice: they could either update to iOS 15 as soon as it was available, or they could stay on iOS 14 and get essential security updates until they were ready to upgrade. 

In context with the reason behind the prompt decision, there have been speculations that it had something to do with an "urban mythology" about Apple deliberately slowing down older phones to entice consumers to upgrade. 

Maybe it's simply a popular conspiracy idea, but it's based on legal comeuppance, at least in terms of battery life: In 2017, Apple admitted to slowing down phones in order to prevent outdated batteries from abruptly shutting down devices. In November of last year, the corporation was fined $113 million to resolve an investigation into what was known as iPhone “batterygate.”

New IE8 Zero-day was used in the DOL Watering Hole attack



A Few days ago Alienvault Labs reported U.S Department of Labor website was hacked and redirects to malware page.  In their report, they mentioned the exploit used in the attack was CVE-2012-4792.

After further analysis security researchers have discovered the vulnerability exploited in the cyber attack wasn't CVE-2012-4792 but a new zero-day affecting the Internet Explorer 8.

CVE identifier CVE-2013-1347 has been assigned for this new IE vulnerability. Microsoft noted that Internet Explorer 6, IE7, IE9, and IE10 are not affected by the vulnerability.

"U.S Department of Labor website wasn’t the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time" AlienVault reports.

According to their report, the cyber attack targets the websites belong to several non-profit groups and institutes as well as a big european company that plays on the aerospace, defence and security markets.

Invincea's founder Anup Ghosh told NextGov that the "target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another".