Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Windows Defender. Show all posts

Conti Source Code & Everything API Employed by Mimic Ransomware

A new ransomware variant known as Mimic was found by security researchers, and it uses the Windows 'Everything' file search tool's APIs to scan for files that should be encrypted.

The virus has been "deleting shadow copies, terminating several apps and services, and abusing Everything32.dll methods to query target files that are to be encrypted," according to the first observation of it in June 2022.

What is Mimic ransomware?

The ransomware payload for Mimic is contained in a password-protected package that is presented as Everything64.dll and dropped by the executable Mimic along with other components. Additionally, it contains tools for disabling valid sdel binaries and Windows Defender.

Mimic is a flexible strain of ransomware that may use command-line options to target specific files and multi-processor threads to encrypt data more quickly. The victim of a mimic ransomware attack first receives an executable, most likely via email. This executable loads four files onto the target machine, including the primary payload, auxiliary files, and tools to turn off Windows Defender.

The popular Windows filename search engine 'Everything' was created by Voidtools. The tool supports real-time updates and is lightweight and speedy, using few system resources. According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enables it to operate with little resource consumption, resulting in a more effective assault and execution.

Although Mimic is a new strain with unknown activity, the developers' use of the Conti builder with the Everything API demonstrates their skill as software engineers and their awareness of how to accomplish their objectives.



Python Libraries Hacked AWS Data and Keys  

 

Sonatype researchers have found malicious Python packages that post your AWS credentials and user characteristics to a publicly accessible endpoint rather than just exploiting sensitive data. Some malicious packages with the Sonatypes are as follows:
  • loglib-modules — seems targeted at coders who are familiar with the authentic "loglib library."
  • pyg-modules — seems aimed at coders who are familiar with the basic "pyg" library.
  • Pygrata:Unknown target, pygrata-utils contains identically noxious code to that found in "loglib-modules." 
  • hkg-sol-utils: Unknown goal 

The anti-ransomware detection technology provided by Sonatype as part of Nexus platform products, such as Nexus Firewall, found these packages. Researchers found these packages to be harmful after further analysis, thus, out of precaution, they reported this to the PyPI security team, so these packages were withdrawn. "This kind of package either has code that reads and phishes your secrets or employs a dependency that does it”, according to an analysis by   Sonatype security researchers Jorge Cardona and Carlos Fernández. 

For instance, the malicious software in the packages "loglib-modules" and "pygrata-utils" enables the programs to gather AWS credentials, network interface data, and environment variables and ship them to a remote location. IAM role details for an EC2 cloud instance are reported to be returned using the URL 'hxxp:/169.254.169[.]254/latest/meta-data/iam/security-credentials/'. 

Unsettlingly, there are hundreds of endpoints holding this data. Since TXT files were not encrypted by any security measures, anyone with access to the internet could essentially access these credentials. It's vital to know that packages like "pygrata" depend on one of the two aforementioned modules rather than containing the code themselves. It is still unknown who the malicious actors are and what propels them. 
 
Users of Nexus Firewall are shielded 

If the stolen credentials posted online on purpose or as a result of bad opsec procedures? There isn't enough information available right now to rule out the possibility that this action is suspect, even if it is valid security testing as per researchers. This finding comes after the report last week of several malicious vendors, including the npm package "flame-vali," which repeatedly tried to disable Windows Defender before releasing a trojan.

The software supply chain will be safeguarded from the start thanks to Nexus Firewall instances that immediately quarantine any suspect components found by automated malware detection systems while a subjective evaluation by a researcher is being prepared.

Microsoft Discreetly Upgrades Defender Antivirus to Patch a Major Flaw

 

Microsoft Defender, a protection software, has recently been updated to fix a severe security concern. The issue, which was traced back to 2014 and impacts Windows 10, lets users exclude some locations from antivirus scanning, in turn allowing malware to be installed. 

Due to a misconfigured registry key, this weakness, which has been present since 2014, allows users to access antivirus security safeguards. As a result, the key HKLM\Software\Microsoft\Windows Defender\Exclusions contains all spaces which aren't scanned by antivirus software. The issue is that the key is quite easy to obtain, as long as the 'Everyone' group has access to it. To change the contents of Windows, users are required to use a command prompt or a small click in the Settings menu. 

On Twitter, security researcher Antonio Cocomazzi says, Microsoft has patched the problem on Windows 10 20H2 PCs after deploying the February 2022 Patch Windows updates. Another researcher, Will Dormann of CERT/CC, validated this information, stating they acquired the privileges to change without installing any updates, implying the change might have been applied by both Windows updates and Microsoft Defender’s cybersecurity updates. 

After determining which directories were assigned to the antivirus block list, attackers might transmit and operate malware from a prohibited folder on an exploited Windows PC without danger of detection and neutralization. The permissions for Windows advanced security setups for Defender restrictions have been modified, with the 'Everyone' group deleted from the Register key's permission. 

  • The Exclusions Register key now has new permissions.
  • Access to Defender exclusions is now blocked.
  • Users with admin credentials are now required to access the database of exclusions through the command prompt or when creating exclusions using the Windows Security setup screen on Windows 10 systems in which this change has already been carried out. 
Microsoft is yet to comment on this problem, which was found as of late and has existed since the introduction of Windows 10. However, it is clear that Redmond's publisher has taken the appropriate steps. Furthermore, administrator rights are now required to view the list of locations blocked by the antivirus.