
Clop Ransomware Gang Threatens 66 Companies with Data Leak After Cleo Breach

 

The Clop ransomware gang has intensified its extortion tactics following a data theft attack targeting Cleo software. On its dark web portal, the group revealed that 66 companies have been given 48 hours to meet their ransom demands.

According to Clop, the affected companies are being contacted directly with links to secure chat channels for negotiating ransom payments. Additionally, the hackers have provided email addresses for victims to initiate communication.

A notice on Clop’s data leak site lists partial names of 66 companies that have yet to engage in negotiations. The gang has threatened to reveal the full names of these companies if they continue to ignore the demands, implying that the actual number of affected organizations might be higher.

Clop exploited a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products to access data from compromised networks. This attack marks another significant breach for the ransomware group, known for targeting zero-day flaws in platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer in previous campaigns.

The vulnerability exploited in the Cleo software, tracked as CVE-2024-50623, allows remote attackers to upload and download files without restriction, enabling remote code execution. A fix is available in Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21, but a private advisory warned that hackers have been leveraging the flaw to open reverse shells on affected networks.

Earlier this month, Huntress publicly disclosed the active exploitation of the vulnerability and warned that the vendor’s fix could be bypassed. The researchers also released a proof-of-concept (PoC) to demonstrate their findings. Days later, Clop confirmed to BleepingComputer that it was behind the exploitation of CVE-2024-50623.

The ransomware group announced it would delete data from previous attacks as it shifts focus to the current wave of extortion.

Macnica researcher Yutaka Sejiyama told BleepingComputer: "Even with the incomplete company names that Clop published on its data leak site, it is possible to identify some of the victims by simply cross-checking the hacker's hints with owners of Cleo servers exposed on the public web."

While the total number of companies affected remains unclear, Cleo states that its software serves over 4,000 organizations worldwide.

Cyber Threat Alert for South Korea from North Korean Hackers

 


In a recent cyber-espionage campaign targeted at the United States, the North Korean state-linked group ScarCruft exploited a zero-day vulnerability in Internet Explorer to distribute RokRAT malware to targets nationwide. APT37, also called RedEyes, is one of the most notorious North Korean state-sponsored hacking groups, and its activities are thought to be aimed at cyber espionage.

The group typically focuses on human rights activists and defectors in South Korea, as well as political entities in Europe. An unknown threat actor with ties to North Korea has also been observed delivering a previously undocumented backdoor and remote access Trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and potentially other Southeast Asian countries, including Indonesia, Malaysia, and Thailand.

Known to Securonix as SHROUDED#SLEEP, that activity is believed to have been carried out by APT37, which is also tracked as InkySquid, Nickel Foxcroft, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft, among other names. It is a state-sponsored cyber-espionage group that almost entirely targets South Korean individuals and organizations.

It delivers customized tools via spear phishing, watering holes, and zero-days in Internet Explorer. AhnLab reported that APT37 compromised a server belonging to a domestic advertising agency in order to push specially crafted 'Toast ads' through an unnamed free software product that is widely used by South Koreans. The advertisements were rendered by Internet Explorer's Chakra engine (jscript9.dll); a JavaScript file named 'ad_toast' exploited CVE-2024-38178 in that DLL to trigger remote code execution.

The malware dropped in this attack correlates closely with RokRAT, which ScarCruft has used in attacks for years. RokRAT's primary function is to exfiltrate, every 30 minutes, files matching 20 extension types (including .doc, .mdb, .xls, .ppt, .txt, and .amr) to Yandex cloud instances. It also logs keystrokes, monitors the clipboard for changes, and captures screenshots every three minutes.

In July 2022, ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT, just a couple of months after Microsoft began blocking macros by default in Office documents. Check Point's technical analysis of RokRAT concludes that the malware itself has not changed significantly over the years, but the deployment method has evolved: RokRAT now arrives in archives containing LNK files, producing multi-stage infection chains.

This round of activity is another indication of a major trend in the threat landscape: both APTs and cybercriminals are trying to work around the restriction on macros from untrusted sources. A new campaign with the intriguing name "Code on Toast" has made the news in recent days and raised serious concerns about the vulnerability of software still embedded in widely used systems, even after the retirement of Internet Explorer. According to a joint report by South Korea's National Cyber Security Center (NCSC) and AhnLab (ASEC), the incident occurred earlier this year.

The campaign's distinctive feature is its delivery mechanism: toast pop-up ads, the small notifications that appear while antivirus software or free utilities are running. After ScarCruft compromised the server of a domestic ad agency in South Korea, a malicious "toast ad" it crafted was served to many South Korean users through a popular, but unnamed, free piece of software.

ScarCruft's attack relied on clever exploitation of a zero-day Internet Explorer vulnerability, CVE-2024-38178, which carries a severity rating of 7.5. It is a memory corruption bug in the Scripting Engine that allows remote code execution against Edge users running Internet Explorer mode. Microsoft patched the vulnerability in its August 2024 Patch Tuesday update.

By using toast notifications, typically harmless pop-up ads from anti-virus software or utility programs, the group silently delivered malware through a zero-click infection method. In the general case, successfully exploiting the vulnerability requires an attacker to convince a user to click a specially crafted URL that initiates execution of malicious code; the toast-ad delivery route removed that step.

ScarCruft's use of such advanced techniques underscores the need for South Korea's digital landscape to remain protected from such threats in the future. Unfortunately, however much effort goes into phasing out outdated systems, security vulnerabilities in legacy components like Internet Explorer continue to cause problems. Although Microsoft retired Internet Explorer at the end of 2022, many of the browser's components remain in Windows or are used by third-party products, allowing threat actors to find and exploit new vulnerabilities in them. This campaign is a reminder for organizations to prioritize security updates and maintain robust defences against increasingly sophisticated state-backed cyber threats.

The Lazarus Hacking Group's Covert Strategy: Utilizing MagicLine4NX Software in a Global Supply-Chain Assault

 

In a joint effort, the National Cyber Security Centre (NCSC) and South Korea's National Intelligence Service (NIS) have issued a serious warning about the activities of the Lazarus hacking group, associated with North Korea. The group is exploiting a zero-day vulnerability found in the widely-used MagicLine4NX software, leading to a series of sophisticated supply-chain attacks affecting various entities globally.

The MagicLine4NX software, developed by Dream Security in South Korea, is a crucial joint certificate program for secure logins and digital transactions. Exploiting a vulnerability in this software, cyber actors gained unauthorized access to the intranets of targeted organizations, breaching security authentication systems in the process.

The joint advisory revealed, "Cyber actors utilized the software vulnerabilities to gain unauthorized access to the intranet of a target organization. They exploited the MagicLine4NX security authentication program for initial intrusion and a zero-day vulnerability in network-linked systems to move laterally, accessing sensitive information."

The intricate attack chain began with a watering hole attack, a tactic where hackers compromise websites frequented by specific users. In this case, state-sponsored hackers infiltrated a media outlet's website, embedding malicious scripts into an article. The attack specifically targeted visitors using certain IP ranges. When visitors employed the MagicLine4NX authentication software and accessed the compromised website, the embedded code executed, providing hackers with complete control over the system.

Subsequently, the attackers accessed an internet-side server from a network-connected PC, exploiting system vulnerabilities. They then spread the malicious code to a business-side server via a network-linked system's data synchronization function.

Despite security measures, the threat actors persisted in attempting to infiltrate business PCs with the aim of extracting sensitive information. The malware established a connection to two C2 servers—one serving as a gateway within the network-linked system and the other located externally on the internet. The report noted, "The malicious code attempted to move data from the internal server to the external server but was thwarted by the security policy. Had it succeeded, substantial internal network information might have been compromised."

The warning emphasized the severity of such attacks, citing previous supply chain intrusions by North Korea-linked APT groups. Notably, the Labyrinth Chollima APT targeted VoIP software maker 3CX, leading cybersecurity vendors to detect the popular software as malware. In a separate incident, Microsoft Threat Intelligence researchers exposed a supply chain attack by APT Diamond Sleet (ZINC), affecting over 100 devices across Japan, Taiwan, Canada, and the United States.

As cybersecurity agencies work to contain these threats, the increasing sophistication of these attacks underscores the urgent need for heightened vigilance and robust security measures against supply-chain vulnerabilities.

"Ransomware Alert: Clop Gang Targets Microsoft with Exploits on SysAid Zero-Day Vulnerability"

 


SysAid says a newly discovered vulnerability in its widely used IT service automation software is being exploited by a notorious ransomware gang. In a blog post published Wednesday, Sasha Shapirov, CEO of SysAid, reported that attackers are exploiting a zero-day vulnerability affecting its software when hosted on-premises.

Zero-day vulnerabilities are flaws that the vendor, in this case SysAid, has had no time to fix before attackers exploit them in the wild. In recent weeks, a limited number of attacks have exploited a zero-day vulnerability in Microsoft's SysAid IT support software, tracked as CVE-2023-47246.

The IT giant reported that the attacks have been linked to the Clop ransomware group (also known as Lace Tempest). The flaw was reported to the software provider, which repaired it immediately.

SysAid reported that its security team discovered a potential vulnerability in its on-premises software on November 2nd. The company engaged the cybersecurity firm Profero to investigate the issue, and Profero determined that a zero-day vulnerability in the software had been used to compromise it.

SysAid offers a comprehensive range of tools for the management of a large range of IT services within an organization, such as IT service monitoring, IT service management, and IT service management performance analysis. 

Among the most notorious aspects of the Clop ransomware operation is its exploitation of zero-day vulnerabilities in widely used software; recent examples include the file transfer products MOVEit Transfer, GoAnywhere MFT, and Accellion File Transfer Appliance (FTA). According to a report published on Wednesday by SysAid, CVE-2023-47246 is a path traversal vulnerability that can be exploited for unauthenticated code execution.

SysAid engaged Profero, a rapid incident response company, to investigate the attacks and provide technical details of what it uncovered. An attacker exploited the zero-day vulnerability to upload a WAR (Web Application Resource) archive containing a webshell into the webroot of SysAid Tomcat, the web service that hosts SysAid's web applications.

The threat actors were then able to run further PowerShell scripts and launch the GraceWire malware, injecting it into a legitimate process that was already running (e.g. spoolsv.exe, msiexec.exe, svchost.exe). A report by Sophos states that the malware loader ('user.exe') first checks that no Sophos security products are running on the compromised system.
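The traversal-then-WAR-drop chain described above, as an added example that is not SysAid's, Profero's or Microsoft's code: a naive upload path join beside a hardened one, plus a defender-side check for WAR archives that should not be in a Tomcat webapps directory. The directory names, the traversal string and the archive names are constructed for the demo.

```python
"""
Added example (not SysAid's, Profero's, or Microsoft's code): the
path-traversal upload pattern described in the post, side by side with a
hardened resolver, plus a small check that flags unexpected WAR archives
in a Tomcat webapps directory. All paths and filenames are constructed.
"""
import os
from urllib.parse import unquote

# Constructed, hypothetical Tomcat layout: an upload directory and the
# deployable webapps directory next to it. Not SysAid's real on-disk layout.
UPLOAD_ROOT = "/srv/sysaid-tomcat/uploads"
WEBAPPS_DIR = "/srv/sysaid-tomcat/webapps"

# Tomcat auto-deploys .war and executes .jsp/.jspx; .jar is blocked too
# as a precaution against sideloading.
DEPLOYABLE_EXT = (".war", ".jar", ".jsp", ".jspx")


def vulnerable_target(upload_root: str, client_filename: str) -> str:
    """Naive join: a client-supplied name containing '../' escapes the
    upload directory. This mirrors the traversal class of CVE-2023-47246
    as the post describes it, not SysAid's actual code."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


def escapes_root(upload_root: str, target: str) -> bool:
    """True when `target` lies outside `upload_root` (lexical check)."""
    root = os.path.normpath(os.path.abspath(upload_root))
    path = os.path.normpath(os.path.abspath(target))
    return os.path.commonpath([root, path]) != root


def hardened_target(upload_root: str, client_filename: str) -> str:
    """Hardened resolver: decode, strip directories, reject deployable
    types, then re-check containment. Raises ValueError on rejection."""
    # Decode once so '..%2F' is not smuggled past the basename step.
    decoded = unquote(client_filename).replace("\\", "/")
    name = os.path.basename(decoded)
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    if name.lower().endswith(DEPLOYABLE_EXT):
        raise ValueError(f"disallowed upload type: {name}")
    root = os.path.normpath(os.path.abspath(upload_root))
    candidate = os.path.normpath(os.path.join(root, name))
    # Belt and braces: basename() already removed any directory part, but
    # never rely on a single control. On a live system also apply
    # os.path.realpath() so a symlink inside the upload root cannot
    # redirect writes into the webroot.
    if escapes_root(root, candidate):
        raise ValueError("path escapes upload root")
    return candidate


def upload_is_rejected(upload_root: str, client_filename: str) -> bool:
    """Wrapper so callers can test rejection without try/except."""
    try:
        hardened_target(upload_root, client_filename)
    except ValueError:
        return True
    return False


def unexpected_wars(webapps_listing, expected):
    """Detection side: WAR files in the webapps directory that are not on
    the expected list. Feed it os.listdir(WEBAPPS_DIR) on a real host."""
    return sorted(
        f for f in webapps_listing
        if f.lower().endswith(".war") and f not in expected
    )


if __name__ == "__main__":
    hostile = "../webapps/shell.war"  # constructed traversal filename
    naive = vulnerable_target(UPLOAD_ROOT, hostile)
    print("naive join   ->", naive)
    print("escapes root :", escapes_root(UPLOAD_ROOT, naive))
    print("hardened     ->", hardened_target(UPLOAD_ROOT, "report.pdf"))
    print("rejected     :", upload_is_rejected(UPLOAD_ROOT, hostile))
    # Constructed listing: 'sysaid.war' stands in for the expected app.
    print("unexpected   :", unexpected_wars(
        ["ROOT.war", "sysaid.war", "a1b2.war", "manager"],
        {"ROOT.war", "sysaid.war"}))
```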

In a series of posts on X (formerly Twitter), Microsoft's Threat Intelligence team explained how its researchers traced exploitation of the SysAid vulnerability to the hacking group Lace Tempest, better known as the Clop ransomware gang.

The notorious Russia-linked ransomware gang has also been linked to mass hacks that exploited a zero-day flaw in the file transfer service MOVEit Transfer, which is used by thousands of organizations across the globe. Emsisoft says more than 2,500 organizations have so far been affected.

On its official website, the company claims a customer base of more than 5,000 across 140 countries, spanning industries including education, government, and healthcare. While the exact number of affected customers remains undisclosed, SysAid has taken a proactive approach to addressing the situation.

The company has also analyzed the incident to provide indicators of compromise for detecting and preventing future intrusions: filenames and their hashes, IP addresses involved in the attack, file paths used by the threat actor, and the specific commands used to download malware or erase traces of initial access. By equipping its customers with these details, SysAid aims to strengthen their security posture and protect their data from further attacks.

Clop Attacks: Ransomware Group Reveals Names of the MOVEit Zero-Day Attack Victims


The Clop ransomware group has revealed the names of more than two dozen organizations apparently attacked in its campaign exploiting a zero-day vulnerability in the MOVEit managed file transfer (MFT) software.

The ransomware group used the MOVEit Transfer vulnerability, CVE-2023-34362, to steal data from firms that had been using the product. Despite some evidence indicating that the hackers tested the vulnerability as early as 2021, broad exploitation appears to have begun in late May 2023.

The attacks were soon attributed to the Clop group, which had earlier exploited a zero-day in the GoAnywhere MFT product to steal data from several firms. The perpetrators of the MOVEit zero-day campaign have acknowledged their involvement and have given victims until June 14 to contact them in order to stop the release of data taken from their systems. They say they have struck hundreds of targets.

The victims include energy giant Shell, as well as firms from the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A large share of the victims are US-based banks and other financial institutions, followed by healthcare organizations. The hackers declared after the breach was discovered that they would not target pediatric healthcare facilities.

The first known victims included UK-based payroll and HR company Zellis (and its clients British Airways, Aer Lingus, the BBC, and Boots), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Following the ransomware attacks, the group has not yet leaked any data stolen from these organizations.

The number of businesses that have reported being impacted keeps expanding. In recent days, statements about the incident have been released by Johns Hopkins University and Johns Hopkins Health System, UK media authority Ofcom, and a Missouri state agency.

Moreover, in a report published on Thursday, CNN noted that a number of US federal government agencies were also impacted by the attacks, according to Eric Goldstein, executive director at CISA. These agencies include the Department of Energy, which is now working to contain the impact of the attack.

However, the ransomware gang claims that its prime motive is to extract ransoms from businesses, and it says that any government-related data it acquired in the attacks has been deleted.

Atlassian Patches Confluence Zero-day Vulnerabilities

Atlassian has issued security updates for a critical zero-day vulnerability in Confluence Server and Data Center that was exploited in the wild to backdoor web-exposed servers. The zero-day (CVE-2022-26134) affects all supported versions of Confluence Server and Data Center and allows threat actors to achieve remote code execution on unpatched servers. Because the bug was reported as actively exploited, the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities Catalog.

This means federal agencies can block all web traffic to Confluence servers on their networks. Atlassian has released patches and asked customers to update to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which are fixed for this vulnerability. "We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence," it says.

Users who can't upgrade their Confluence installations yet can apply a temporary workaround that mitigates CVE-2022-26134 by updating a few JAR files on their Confluence servers. The flaw was discovered by cybersecurity firm Volexity. During its investigation, the firm found that the zero-day was used to deploy a BEHINDER JSP web shell, which allowed the hackers to perform remote code execution on the servers. Threat actors also used a China Chopper web shell and a file upload tool as backups to keep access to the hacked servers.

Volexity researchers believe that various hackers from China are using the CVE-2022-26134 flaw to gain access to web-exposed, unpatched Confluence servers. "The targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated. It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far," said Volexity.


Zoom Zero-Day Allowed Remote Code Execution, Patch Issued


Video and audio conferencing company Zoom has patched a zero-day vulnerability affecting users running old versions of Windows: Windows 7, Windows Server 2008 R2 and earlier. The flaw was detected on Thursday and later published in a blog post by security research organization ACROS Security.

The previously unknown vulnerability allowed a remote attacker to execute arbitrary code on a targeted user's system on which one of the supported versions of Zoom Client for Windows is installed. To set the attack in motion, the attacker manipulates the victim into carrying out some typical action (such as opening a received document file); reportedly, no security warning is displayed to the user as the attack takes place.


After disclosing the zero-day vulnerability to Zoom, ACROS released a micropatch for its 0patch client to safeguard its own customers until Zoom issued an official patch. In the wake of various security flaws, Zoom had halted development of new features for a while so that the major privacy-related concerns threatening user security could receive much-needed attention. That 'feature freeze' ended very recently, on July 1, and the zero-day was detected a few days later.


In conversation with Threatpost, 0patch's co-founder, Mitja Kolsek, said: "Exploitation requires some social engineering – which is practically always the case with user-side remote code execution vulnerabilities."


“While a massive attack is extremely unlikely, a targeted one is conceivable." “Zoom Client features a fairly persistent auto-update functionality that is likely to keep home users updated unless they really don’t want to be,” he wrote.


“However, enterprise admins often like to keep control of updates and may stay a couple of versions behind, especially if no security bugs were fixed in the latest versions.”


“Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it,” said Zoom, while addressing the issue initially.


A few days later, on July 10, a fix was released by the company and the officials said, "Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”

LeetHozer and Moobot Have The Same Attack Maneuvers?


Sharing has become a thing among cyber-criminals and their malware. Reportedly, the LeetHozer botnet was found to use attack tactics similar to those of the Moobot malware family. Researchers have reason to think that the party that created Moobot could also be the one that created LeetHozer.

Per researchers, the LeetHozer botnet has been borrowing from other kinds of malware here and there. Per sources, it has in the past used the loader and reporter system that Mirai uses.

Apparently, despite using the same mechanisms as Mirai, the LeetHozer threat was a little different. According to researchers, other Mirai components were altered as well, including the encryption procedure, the bot program, and the command and control protocol. The unique "string and downloader" were also revealed to be of the same kind as Mirai's.

Per reports, the botnet was noticed when it was found to be exploiting a vulnerability in the telnet service of a device, using the default password to gain access. Once a device was infected, LeetHozer sent the device's information to its reporter mechanism, which passed it to the command and control server, from which the instructions for the Denial-of-Service attack were finally received.

Moobot has been part of quite a lot of attacks since it first surfaced last year. According to researchers, several threat actors have used it to exploit zero-day vulnerabilities, and it was discovered while it was exploiting a zero-day vulnerability in fiber routers, reports mention. It is therefore needless to say that one of Moobot's major attack tactics is exploiting any zero-day flaw it can get its claws into.

There are numerous ways in which an organization can create a barricade against such attacks. Security personnel could design a response plan and a contingency plan, especially against DDoS attacks; systems should be backed up at all times, and configured so that the backup kicks in as soon as the network is attacked. Researchers also suggest that Artificial Intelligence could prove to be a very lucrative solution for such problems.

Three Botnets Abuse Zero-Day Vulnerabilities in LILIN's DVRs!


Not long ago, LILIN recorders were found to be vulnerable. Reportedly, botnet operators were behind the exploitation of zero-day vulnerabilities in the Digital Video Recorders (DVRs) for which the vendor is well known.

Sources mention that the exploitation of the zero-day vulnerabilities had been a continuous thing for almost half a year and the vendor was unaware. Nevertheless, they rolled out a patch in February 2020.

Digital Video Recorders are electronic devices that collect video feeds from local CCTV/IP cameras systems and store them on different mass storage devices like SD cards, USB flash drives, disk drives, etc.

DVRs are a huge deal today given they are a major element for the security cameras that are used almost everywhere in these times.

With CCTV cameras raging, attacks especially designed for them have also risen equally. Malware botnets and other hacker operations have been targeting these widely used DVRs for quite some time now.

Per sources, unrevised and out-of-date firmware is the reason these devices are being hacked. In particular, DVRs with default credentials are exploited to kick off DDoS and other IoT attacks.

Sources mention that security researchers found LILIN's DVRs too were being exploited for almost half a year, since August last year, by three botnets.


The vulnerability in "NTPUpdate", sources mention, allows attackers to inject and control system commands. Via one of the hardcoded credentials (root/icatch99 & report/8Jg0SR8K50) the attacker stands a chance to retrieve and alter a DVR's config file, and later control commands on the device after the File Transfer Protocol (FTP) server configuration is regularly matched.

Per sources, the first botnet behind the zero-day vulnerability was the "Chalubo botnet", whose aim was exploiting the NTPUpdate of the LILIN DVRs. The other two were used by the "FBot botnet".

Reportedly, a couple of weeks after FBot's attacks, the Moobot botnet also tried its luck and succeeded with the second zero-day vulnerability.

There is no knowing as to what the exact motive was behind hacking the LILIN DVRs. Nevertheless, there has been a history of DDoS attacks, re-routing traffic, and proxy networks.

As it happens, per sources, there are over 5,000 LILIN DVRs in use today, which makes updating all of them immediately a hefty task. But it's a relief to know that the first step has been taken: LILIN has released a firmware update along with mitigation guidance, so there's not much to worry about now.