Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybersecurity threat. Show all posts
Windows Vulnerability
corporate network breach CRON#TRAP cybersecurity threat Linux VM backdoor malware Phishing Attack QEMU ransomware tactics stealth malware virtual machine attacks Windows Vulnerability

New Phishing Attacks Use Backdoored Linux VMs to Infect Windows Systems

 

A recent phishing campaign, named 'CRON#TRAP,' is targeting Windows systems by deploying a Linux virtual machine with an embedded backdoor, allowing covert access to corporate networks.

While attackers have previously used virtual machines in malicious activities like ransomware and cryptomining, these installations were often done manually after gaining initial access. However, Securonix researchers identified that this new campaign automates the installation of a Linux VM through phishing emails, giving attackers a persistent foothold in corporate environments.

The phishing emails mimic a "OneAmerica survey," including a 285MB ZIP file that sets up a Linux virtual machine with a backdoor once opened. The ZIP archive contains a Windows shortcut labeled "OneAmerica Survey.lnk" and a folder named "data," which houses the QEMU application disguised as "fontdiag.exe."

When executed, the shortcut triggers a PowerShell command, extracting files to the "%UserProfile%\datax" directory and launching "start.bat" to set up a QEMU Linux VM. During installation, a fake server error message in a PNG format is displayed as a decoy, suggesting a broken survey link. This custom VM, called 'PivotBox,' includes a preconfigured backdoor for continuous command-and-control (C2) communication, enabling covert background operations.

The use of QEMU—a legitimate, digitally signed virtualization tool—means Windows security systems often fail to detect these malicious processes within the virtual environment.

The campaign’s backdoor mechanism uses a tool called Chisel for secure tunneling over HTTP and SSH, allowing attackers to maintain contact with the compromised system, even if firewalls are in place. To ensure persistence, the QEMU VM is set to restart on reboot, while SSH keys are uploaded to eliminate re-authentication requirements.

Securonix researchers noted two critical commands: 'get-host-shell,' which opens an interactive shell on the host for command execution, and 'get-host-user,' which checks user privileges. These commands facilitate activities like surveillance, network management, payload deployment, file control, and data exfiltration, enabling attackers to adapt and maximize their impact on target systems.

The CRON#TRAP campaign is not the first instance of QEMU misuse in stealthy attacks. In March 2024, Kaspersky observed a similar tactic, where a lightweight backdoor within a 1MB Kali Linux VM used QEMU to create hidden network interfaces and connect to a remote server.

To mitigate these types of attacks, experts recommend monitoring for processes like 'qemu.exe' in user-accessible folders, blocking QEMU and similar virtualization tools, and disabling virtualization in critical systems’ BIOS configurations.
Read more »
Vectra AI
cloud storage vulnerability Cyber Security cybersecurity threat Google Cloud Document AI malware injection Security flaw Sensitive Data Leak Vectra AI

Security Flaw in Google Cloud Document AI Could Expose Sensitive Data, Experts Warn

 

A critical vulnerability in Google Cloud's Document AI service could have allowed cybercriminals to steal sensitive information from users' cloud storage accounts and even inject malware, cybersecurity experts have warned. 

The flaw was first discovered by researchers at Vectra AI, who reported it to Google in April 2024. Document AI is a suite of machine learning tools that automates the extraction, analysis, and processing of documents, converting unstructured files like invoices and contracts into structured data to streamline workflows.

The issue arose during the batch processing of documents, a feature that automates large-scale document analysis. Instead of using the caller’s permissions, the system relied on broader permissions granted to a "service agent," a Google-managed entity responsible for processing tasks. This created a security gap, allowing a malicious actor with access to a project to potentially retrieve and modify any files stored in the associated Google Cloud Storage buckets.

Vectra AI researchers provided a proof of concept to demonstrate how an attacker could exfiltrate and alter a PDF file before reuploading it to its original location. Although Google released a patch and labelled the issue "fixed" soon after, the researchers criticized the initial fix as inadequate.

In response to further pressure, Google implemented a more comprehensive downgrade in September 2024, addressing the vulnerability by limiting access to impacted projects.
Read more »
Windows zero-day exploit
cybersecurity threat Fudmodule malware Hacking Group Microsoft vulnerability North Korea Vulnerabilities and Exploits Windows zero-day exploit

North Korea Exploited Windows Zero-Day Vulnerability to Install Fudmodule

 

North Korea's Lazarus hacking group has once again exploited a zero-day vulnerability in Microsoft Windows to deploy malware on targeted devices. On August 13, Microsoft addressed this issue with its monthly Patch Tuesday updates, fixing a flaw in the Windows Ancillary Function Driver (Afd.sys) for WinSock, identified as CVE-2024-38193. Security experts strongly recommend applying this update promptly, as Microsoft has confirmed that the vulnerability is actively being exploited.

The flaw allows attackers to escalate system privileges through a use-after-free memory management issue, potentially granting them elevated system access, according to Rapid7. The advisory underscores the urgency of this patch, highlighting the low complexity of attacks, lack of required user interaction, and minimal privileges needed for exploitation.

The warning proved accurate, as Avast researchers Luigino Camastra and Martin Milanek, who initially discovered and reported the flaw to Microsoft in June, revealed that Lazarus had been exploiting this vulnerability before the fix was issued. Their primary aim was to install a rootkit named Fudmodule on the affected systems, utilizing the zero-day vulnerability to remain undetected by security software.

Details on the specific organizations targeted and their industries have not been disclosed. However, Lazarus is known for its focus on stealing cryptocurrency to support North Korea’s financially strained regime. The regime also uses its hacking teams to gather intelligence on Western nuclear facilities and defense systems.

This incident is part of a broader pattern of North Korean hacking activities targeting Windows drivers. In February, Microsoft patched another vulnerability, CVE-2024-21338, which Lazarus had used to gain system-level access. This flaw was in the appid.sys AppLocker driver, crucial for controlling application execution on Windows systems. Avast had previously reported this vulnerability, which was actively being exploited by Lazarus to install Fudmodule. The updated version of Fudmodule included enhancements, such as disabling antivirus protections like Microsoft Defender and CrowdStrike Falcon.

The rise of "Bring Your Own Vulnerable Driver" (BYOVD) attacks, where attackers use legitimate but vulnerable drivers to bypass security measures, has been noted. Lazarus has employed this tactic since at least October 2021, using it to infiltrate systems by loading drivers with known vulnerabilities. Other groups have also utilized similar methods, such as Sophos reporting on RansomHub's use of outdated drivers to disable endpoint detection and response tools, and deploying ransomware.

Overall, as Lazarus and similar groups continue to adapt their strategies, the need for vigilance and timely updates is crucial to protect systems from these sophisticated attacks.
Read more »
targeting VMware ESXi systems
Cyber Security cybersecurity threat ESXi environments Linux Security New Linux ransomware Play ransomware variant ransomware attacks ransomware protection targeting VMware ESXi systems

New Linux Play Ransomware Variant Targets VMware ESXi Systems

 

Attacks with a new Play ransomware variant for Linux have been deployed against VMware ESXi systems, most of which have been aimed at the U.S. and at organizations in the manufacturing, professional services, and construction sectors, according to The Hacker News.

Such a novel Play ransomware version was hosted on an IP address that also contained the WinSCP, PsExec, WinRAR, and NetScan tools, as well as the Coroxy backdoor previously leveraged by the ransomware operation, indicating similar functionality, an analysis from Trend Micro revealed. However, additional examination of the payload showed its utilization of a registered domain generation algorithm to bypass detection, a tactic similarly used by the Prolific Puma threat operation. 

"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals," said researchers. Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.

Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."

The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.

Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware. Specifically, it employs what's called a registered domain generation algorithm (RDGA)
Read more »
STR RAT
Credential Theft cybersecurity threat Java Malware keylogging Malicious Payloads malware Phishing Campaigns Remote Access Trojan STR RAT

STR RAT: A Persistent Remote Access Trojan

 

The STR RAT is a remote access trojan (RAT) written in Java, first detected in 2020. Like other RATs, it allows threat actors full control of an infected machine. STR RAT is capable of keylogging, credential theft, and deploying additional malicious payloads. 

The malware is updated annually, aligning with its renewed use by threat actors. Cofense's analysis from January 2023 to April 2024 reveals that 60% of STR RAT samples are delivered directly via email rather than embedded links.

History of STR RAT

STR RAT resembles a seasonal flu, with yearly updates making it more prominent for short periods. Initially discovered on an antivirus forum in 2020, version 1.2 already featured keylogging, password theft, and backdoor access, along with a fake “.crimson” ransomware module that only renamed files. In 2021, Microsoft Threat Intelligence highlighted STR RAT in phishing campaigns. By 2022, it spoofed the Maersk shipping brand and employed a polyglot file technique, allowing execution as an MSI or Java file. In 2023, version 1.6 used Zelix KlassMaster and Allatori for code obfuscation. In 2024, STR RAT was uploaded to legitimate services like GitHub and AWS, making it harder to detect.

STR RAT steals passwords from Chrome, Firefox, Internet Explorer, and email clients like Outlook, Thunderbird, and Foxmail. Key commands include o-keylogger for logging keystrokes, down-n-exec for file execution, remote-screen for commandeering the computer, and power-shell for PowerShell access.

Current Usage and Impact

Though not as prevalent as other RATs like Remcos, STR RAT showed sustained activity from March to August 2023, likely due to the new version and polyglot file technique. In March 2024, significant activity was noted again, attributed to the use of legitimate services like GitHub and AWS for hosting and delivering the malware. STR RAT is typically delivered via email as an archive containing a .jar file, requiring a Java Runtime Environment (JRE) to execute. These archives may also contain necessary JRE binaries or download them from Maven and GitHub repositories.

Delivery Mechanisms

STR RAT's second most common delivery mechanism is loaders, which reach out to a payload location to download and run the malware. Jar Downloaders, CVE-2017-11882 exploits in Microsoft Office, and Windows Registry File downloaders are commonly used loaders. Additionally, embedded URLs in emails or attached PDFs often lead to the malware hosted on legitimate services like AWS, GitHub, and Discord’s CDN.

Unlike loaders, droppers contain the malware to be deployed. STR RAT's most common dropper is the JavaScript Dropper (JS Dropper), a .js file that executes natively on Windows. JS Droppers are usually attached to emails and contain both the dropper and STR RAT.

Behavior and Capabilities

Upon execution, STR RAT places files, creates persistence, and installs dependencies. It uses geolocator services to geo-fingerprint infected computers and sends system information to its command-and-control (C2) server. The malware also uses legitimate Java libraries for keylogging and database connectivity.

Detection and Hunting

Different versions of STR RAT leave various indicators of compromise (IOCs). After execution, STR RAT copies itself to multiple locations, creates a \lib\ folder with legitimate files, and generates a XXXXlock.file in the user's local home profile. The configuration can be observed through memory analysis, revealing the C2 server, port, and domain.

Persistence

STR RAT can create persistence through Registry Run Keys, Startup Folder entries, or Scheduled Tasks, ensuring the malware runs every time the user logs in. Endpoint detection and response software can monitor specific locations for signs of STR RAT persistence.

Network Traffic

STR RAT communicates with C2 servers using subdomains of free dynamic DNS services and legitimate services like GitHub and Maven. HTTP is used for C2 communications, though the port is not the standard tcp/80.

Legitimate Services

STR RAT reaches out to legitimate services for hosting tools and malware. Indicators of suspicious activity include access to GitHub and Maven repositories in conjunction with other malicious behaviors.

By understanding STR RAT's history, capabilities, and delivery mechanisms, cybersecurity professionals can better detect and defend against this persistent threat.
Read more »
zero-day exploit
cryptomining malware cybersecurity threat edge devices malware PAN-OS vulnerability RedTail malware zero-day exploit

RedTail Cryptomining Malware Exploits Zero-Day Vulnerability in PAN-OS

 

Cryptomining malware, potentially of North Korean origin, is targeting edge devices, including a zero-day vulnerability in Palo Alto Networks' custom operating system that the company quickly patched in April. Researchers from Akamai identified the malware, dubbed RedTail due to its hidden "redtail" file name, indicating a sophisticated understanding of cryptomining.

The threat actors behind RedTail are likely operating their own mining pools or pool proxies instead of using public ones, aiming for greater control over mining outcomes despite the increased operational and financial costs of maintaining a private server. Akamai researchers noted that the hackers are using the newer RandomX algorithm for better efficiency and modifying the operating system configuration to use larger memory blocks, known as hugepages, to boost performance.

The use of private mining pools is a tactic reminiscent of North Korea's Lazarus Group, although Akamai has not directly attributed RedTail to any specific group. North Korea is known for its for-profit hacking operations, which include extensive cryptocurrency theft and other methods to evade sanctions (see: US FBI Busts North Korean IT Worker Employment Scams).

Initially spotted earlier this year, the RedTail malware has evolved to incorporate anti-research techniques, making it more difficult for security researchers to analyze and mitigate the threat. Akamai reports that the malware's operators quickly exploited the PAN-OS vulnerability, tracked as CVE-2024-3400, which allows attackers to create an arbitrary file enabling command execution with root user privileges (see: Likely State Hackers Exploiting Palo Alto Firewall Zero-Day).

Other notable targets include TP-Link routers, the China-origin content management system ThinkPHP, and Ivanti Connect Secure. Security researchers warn that advanced hackers, including state-sponsored threat actors, are increasingly focusing on edge devices due to their inconsistent endpoint detection and the proprietary software that complicates forensic analysis.
Read more »
Software Developers
bogus npm packages cybersecurity threat malware malware installation Safety social engineering campaign Software Developers

Fraudulent npm Packages Deceive Software Developers into Malware Installation

 

A new cyber threat dubbed DEV#POPPER is currently underway, targeting software developers with deceitful npm packages disguised as job interview opportunities, aiming to dupe them into downloading a Python backdoor. Securonix, a cybersecurity firm, has been monitoring this activity and has associated it with North Korean threat actors.

In this scheme, developers are approached for fake job interviews where they are instructed to execute tasks that involve downloading and running software from seemingly legitimate sources like GitHub. However, the software actually contains a malicious payload in the form of a Node JS script, which compromises the developer's system upon execution. The individuals involved in tracking this activity, namely Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, have shed light on this fraudulent practice.

This campaign came to light in late November 2023 when Palo Alto Networks Unit 42 revealed an operation known as Contagious Interview. Here, threat actors pose as potential employers to entice software developers into installing malware such as BeaverTail and InvisibleFerret during the interview process. Moreover, in February of the following year, Phylum, a software supply chain security firm, uncovered similar malicious packages on the npm registry delivering the same malware families to extract sensitive information from compromised developer systems.

It's important to distinguish Contagious Interview from Operation Dream Job, associated with the Lazarus Group from North Korea. While the former targets developers primarily through fake identities on freelance job portals and utilizes developer tools and npm packages leading to malware distribution, the latter involves sending malicious files disguised as job offers to unsuspecting professionals across various sectors.

Securonix outlined the attack chain, which begins with a ZIP archive hosted on GitHub sent to the target as part of the interview process. Within this archive lies a seemingly harmless npm module containing a malicious JavaScript file, BeaverTail, which acts as an information stealer and a loader for a Python backdoor named InvisibleFerret retrieved from a remote server. This backdoor is capable of various malicious activities, including command execution, file enumeration, exfiltration, clipboard monitoring, and keystroke logging.

This development underscores the ongoing efforts of North Korean threat actors to refine their cyber attack techniques, continuously updating their methods to evade detection and maximize their gains. Maintaining a security-focused mindset, especially during high-pressure situations like job interviews, is crucial in mitigating such social engineering attacks, as highlighted by Securonix researchers. The attackers exploit the vulnerability and distraction of individuals during these situations, emphasizing the need for vigilance and caution.
Read more »
session cookie vulnerability
Cybercriminal Tactics cybersecurity threat data security risks Google cookie restoration LummaC2 malware exploit online account hijack session cookie vulnerability

Malware Developer Claims Ability to Reactivate Expired Google Authentication Cookies

 

The Lumma information-stealer malware, known as 'LummaC2,' is reportedly touting a novel functionality that claims to enable cybercriminals to revive expired Google cookies, potentially allowing them to take control of Google accounts. Session cookies, specialized web cookies facilitating automatic login during a browsing session, typically have a limited lifespan for security reasons. This measure prevents misuse in case the cookies are stolen, as possessing them grants access to the account.

The discovery of this feature came to light when Alon Gal from Hudson Rock identified a forum post by the malware's developers on November 14. The post announced an update boasting the "ability to restore dead cookies using a key from restore files (applies only to Google cookies)." Intriguingly, this capability was restricted to subscribers of Lumma's highest-tier "Corporate" plan, priced at $1,000 per month.

The forum post specified that each key could be utilized twice, allowing for a single instance of cookie restoration. While seemingly limiting, this still poses a significant threat, particularly for organizations adhering to robust security practices.

The introduction of this purported feature in recent Lumma releases is awaiting validation by security experts and Google. The uncertainty surrounds whether the functionality performs as claimed. It's noteworthy that another malware, Rhadamanthys, announced a similar capability in a recent update, hinting at a potential security vulnerability exploited by these malicious actors.

Efforts to obtain a comment from Google regarding the possibility of a session cookie vulnerability have been met with silence. Lumma's developers released an update shortly after being contacted by BleepingComputer, positioning it as an additional fix to circumvent new restrictions imposed by Google to hinder cookie restoration.

Despite attempts to glean insights directly from Lumma's operators, they remained tight-lipped about the workings of the feature. When confronted with Rhadamanthys' similar functionality, Lumma's representative asserted that their competitors had imitated the feature without understanding its intricacies.

If the claims about information-stealers restoring expired Google cookies are accurate, users may be powerless to safeguard their accounts until Google issues a fix. Precautions advised include steering clear of torrent files and executables from dubious sources, as well as being cautious with Google Search results.
Read more »
XLoader
Apple Apple MacOS Apps cybersecurity threat Data Data Safety data security iOS MacOS Malware malware OfficeNote productivity app Productivity Apps Safety Security XLoader

XLoader macOS Malware Variant Disguised as 'OfficeNote' Productivity App

 

A fresh variant of the Apple macOS malware known as XLoader has emerged, disguising its malicious intent through an office productivity app named "OfficeNote," according to cybersecurity experts from SentinelOne. 

In an analysis released on Monday, researchers Dinesh Devadoss and Phil Stokes revealed that the new form of XLoader is packaged within a regular Apple disk image, named OfficeNote.dmg. The application it contains bears the developer signature "MAIT JAKHU (54YDV8NU9C)."

XLoader, initially spotted in 2020, is categorized as an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. 

It follows in the footsteps of Formbook. While a macOS variant of XLoader emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file, its execution was limited by the absence of the Java Runtime Environment in modern macOS installs.

To circumvent this constraint, the latest version of XLoader employs programming languages like C and Objective C. The disk image file carrying the malware was signed on July 17, 2023, a signature that has since been revoked by Apple.

SentinelOne reported discovering multiple instances of the malicious artifact on VirusTotal throughout July 2023, indicating a wide-reaching campaign. The researchers noted that the malware is advertised for rent on criminal forums, with the macOS version priced at $199 per month or $299 for three months.

Interestingly, this pricing is steeper than that of the Windows versions of XLoader, which are available for $59 per month or $129 for three months.

Once initiated, the seemingly harmless OfficeNote app displays an error message claiming it cannot be opened due to a missing original item. In reality, it surreptitiously installs a Launch Agent in the background to ensure its persistence.

XLoader's functionality centers around the collection of clipboard data and information stored within directories associated with web browsers like Google Chrome and Mozilla Firefox. However, Safari appears to be exempt from its targeting. 

Additionally, the malware is engineered to introduce sleep commands, delaying its execution and evading detection by both manual and automated security measures.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."
Read more »
Subscribe to: Posts (Atom)