Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label zero Day vulnerability. Show all posts
zero Day vulnerability
APTs Citrine Sleet CyberCrime Cybersecurity CyberThreat FudModule Rootkit Googlex Chrome lazarus Microsoft ransomware attacks Vulnerabilites and Exploits zero Day vulnerability

Citrine Sleet APT Exploits Chrome Zero-Day Vulnerability for Rootkit Infiltration

 


It is believed that North Korean hackers have been able to use unpatched zero-day in Google Chrome (CVE-2024-7971) to install a rootkit called FudModule after gaining admin privileges by exploiting a kernel vulnerability in Microsoft Windows. An investigation by Microsoft has revealed that a North Korean threat actor exploited a zero-day vulnerability in the Chromium browser that has been tracked as CVE-2024-7971 to conduct a sophisticated cyber operation.  

According to the report, Citrine Sleet, the notorious group behind the attack that targets cryptography sectors in particular, is responsible for the attack. It has been reported that CVE-2024-7971 is a type of confusion vulnerability in the V8 JavaScript and WebAssembly engine that had been impacted in versions of Chrome before 128.0.6613.84. By exploiting this vulnerability, threat actors could gain remote code execution (RCE) access to the sandboxed Chromium renderer process and conduct a remote attack. 

There was a vulnerability that was fixed by Google on August 21, 2024, and users should ensure that they are running the most recent version of Chrome. It is clear from this development that the nation-state adversary is trying to increase its penetration of Windows zero-day exploits in recent months, indicating that they are persistent in their efforts to acquire and introduce oodles of zero-day exploits. 

A Microsoft security researcher found evidence that Citrine Sleet (formerly DEV-0139 and DEV-1222) was responsible for the activity. Citrine Sleet is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736, all of which are associated with Citrine Sleet. There is an assessment that this sub-cluster is part of the Lazarus Group (a.k.a. Diamond Sleet and Hidden Cobra) which is related to Lazarus. 

Several analysts have previously credited the use of AppleJeus malware to a Lazarus subgroup called BlueNoroff (also known as APT38, Nickel Gladstone, and Stardust Chollima), indicating the fact that the threat actors share both toolsets and infrastructure from one subgroup to another. Some cybersecurity vendors maintain track of this North Korean threat group under different names, such as AppleJeus, Labyrinth Chollima, and UNC4736, among others. 

Hidden Cobra is a term used by the U.S. government to describe malicious actors sponsored by the North Korean government collectively as being influenced by the state. It is mostly targeted at financial institutions, with a special focus on cryptocurrency organizations and individuals who are closely associated with the cryptocurrency industry. 

In the past, it has been linked to Bureau 121 of the Reconnaissance General Bureau of North Korea, where it practices intelligence gathering. Moreover, North Korean hackers are also known for using malicious websites that appear to be legitimate cryptocurrency trading platforms to infect prospective victims with fake job applications, weaponized cryptocurrency wallets, and cryptocurrency trading apps designed to steal sensitive information. 

This is the first time UNC4736 malware has been identified in a supply chain attack, for example in March 2023 it attacked the Electron-based desktop client of video conferencing software provider 3CX. Further, they were able to breach the website of Trading Technologies, an automation company for stock market trading, to sneakily push trojanized versions of the X_TRADER software into the system. In a March 2022 report, Google's Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies' website, highlighting AppleJeus as being behind the attack. 

For years, the U.S. government has repeatedly issued warnings about state-sponsored cyberattacks targeting cryptocurrency-related businesses and individuals with AppleJeus malware that is backed by the North Korean government. As a result of the security vulnerability CVE-2024-7971 that was discovered last week, Google patched Chrome's version 8 JavaScript engine and reported it as a type confusion vulnerability. 

In a recent cybersecurity incident report, it was revealed that victims were directed to a domain controlled by the threat group Citrine Sleet, identified as voyagorclub[.]space. The exact method by which victims were lured to this domain remains undetermined, though it is suspected that social engineering tactics were employed. This is consistent with Citrine Sleet’s established modus operandi, which frequently involves manipulating individuals through social engineering to initiate attacks. 

Upon successful redirection to the malicious domain, attackers leveraged a zero-day remote code execution (RCE) vulnerability, identified as CVE-2024-7971. This vulnerability is linked to a type of confusion flaw in Chrome’s V8 JavaScript engine. Google addressed this security issue in a recent patch, highlighting that it allowed attackers to achieve RCE within the sandboxed Chromium renderer process of the victim's browser. Once inside this sandboxed environment, the attackers further escalated their access by exploiting a secondary vulnerability in the Windows kernel. 

The additional vulnerability, CVE-2024-38106, was exploited to escape the browser’s sandbox environment. This kernel vulnerability, which Microsoft had patched in their latest Patch Tuesday release, allowed attackers to gain SYSTEM-level privileges on the compromised system. Following this, the attackers downloaded and activated a highly sophisticated rootkit known as FudModule. This malware, when loaded into memory, enabled direct kernel object manipulation (DKOM), providing attackers with the capability to bypass critical kernel security measures.

The FudModule rootkit is particularly concerning, as it is designed to manipulate kernel-level processes, enabling attackers to establish persistent backdoor access to the compromised system. Through DKOM, the rootkit effectively tampers with core system functions, allowing attackers to evade detection, steal sensitive information, and potentially deploy additional malicious software. Interestingly, the FudModule rootkit has been linked to another North Korean state-sponsored group known as Diamond Sleet, which has utilized this malware since its discovery in October 2022. 

This suggests a potential collaboration between Citrine Sleet and Diamond Sleet or, at the very least, shared access to malicious tools and infrastructure. Furthermore, the rootkit bears similarities to tools used by another notorious hacking group, the Lazarus Group, indicating that FudModule may be part of a broader North Korean cyber-espionage toolkit. Citrine Sleet's attack demonstrates a highly coordinated and multi-faceted approach, beginning with social engineering techniques to lure victims to a compromised domain and culminating in the exploitation of critical vulnerabilities to gain deep control over target systems. 

By leveraging both CVE-2024-7971 and CVE-2024-38106, the attackers were able to bypass multiple layers of security, from browser sandboxing to Windows kernel defences. Microsoft has issued a series of recommendations to help organizations mitigate the risk of such attacks. They stress the importance of maintaining up-to-date software and operating systems, as timely patching is critical to closing vulnerabilities before they can be exploited. 

Additionally, Microsoft advocates for the deployment of security solutions that provide unified visibility across the entire cyberattack chain. Such tools can detect and block attacker tools and post-compromise malicious activity. Lastly, strengthening the configuration of the operating environment is recommended to minimize the likelihood of successful exploitation and post-compromise activity. This incident underscores the evolving nature of cyber threats and highlights the importance of proactive cybersecurity measures to detect, block, and mitigate advanced persistent threats (APTs).
Read more »
zero Day vulnerability
Computer Virus Avast Cyberattack CyberCrime Lazarus Virus Microsoft s Cybersecurity Vulnerabilities and Exploits zero Day vulnerability

Lazarus Group Exploits Microsoft Zero-Day in a Covert Rootkit Assault

 


The North Korean government-backed hackers were able to gain a major victory when Microsoft left a zero-day vulnerability unpatched for six months after learning it was actively exploited for six months. As a result of this, attackers were able to take advantage of existing vulnerabilities, thereby gaining access to sensitive information. Although Microsoft has since patched this vulnerability, the damage had already been done. 

Researchers from the Czech cybersecurity firm Avast discovered a zero-day vulnerability in AppLocker earlier this month, and Microsoft patched the flaw at the beginning of this month. AppLocker is a service that allows administrators to control which applications are allowed to run on their systems. 

APT38, the Lazarus group, is a state-run hacking team operated by the North Korean government. It's tasked with cyberespionage, sabotage, and sometimes even cybercrime to raise money for the regime. Although Lazarus has operated for many years, some researchers believe it is essentially a group of subgroups operating their campaigns and developing specific types of malware for specific targets that they use to accomplish their objectives. 

In addition to Lazarus's toolset tools, FudModule has been analyzed by other cybersecurity firms in the past in 2022 and is not new to Lazarus. Essentially, it is an in-user data-only rootkit that is active within the user space, utilizing kernel read/write privileges through the drivers to alter Windows security mechanisms and hinder the detection of other malicious components by security products. 

In August 2023, the security company Avast developed a proof-of-concept exploit for this vulnerability after observing the Lazarus attack and sending it to Microsoft. The vulnerability has been tracked as CVE-2024-21338 and was identified in the Lazarus attack last year. In an updated version of its FudModule rootkit, which ESET first documented in late 2022, Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive, which Avast reports. 

As part of the rootkit, previously, BYOVD attacks were performed using a Dell driver. Avast reported that threat actors had previously established the administrative-to-kernel primitive through BYOVD (Bring Your Own Vulnerable Driver) techniques, which are noisy. However, there seems to be no doubt that this new zero-day exploit has made it easier for kernel-level read/write primitives to be established. 

The issue was discovered in further detail due to a thin line in Microsoft Windows Security that has been left for a very long time, which was the cause of this issue. Since "administrator-to-kernel vulnerabilities are not a security boundary", Microsoft still retains the right to patch them. Furthermore, it is also important to remember that threat actors with administrative privileges have access to the Windows kernel. 

Since this is an open space that attackers can play around with, they take advantage of any vulnerabilities they find to gain access to the kernel.  The threat actors will gain kernel-level access to the OS once they have managed to disrupt the software, conceal infection indicators, and disable kernel-mode telemetry, among other malicious activities once they have gained kernel-level access to the OS. 

In an announcement made by Avast, a cybersecurity vendor that discovered an admin-to-kernel exploit for the bug, the company noted that by weaponizing the kernel flaw, the Lazarus Group could manipulate kernel objects directly in an updated version of their data-only rootkit FudModule by performing direct kernel object manipulation.." 

A rootkit named FudModule has been detected by ESET and AhnLab since October 2022 as capable of disabling the monitoring of all security solutions on infected hosts. As a result of the Bring Your Own Vulnerable Driver (BYOVD) attack, in which an attacker implants a driver with known or unknown flaws to escalate privileges, the security solution is unable to monitor the network. 

There is something important about the latest attack because it goes "beyond BYOVD by exploiting a zero-day vulnerability in a driver that is already installed on the target machine, which is known to be a zero-day vulnerability." It is an appid.sys driver, which plays a crucial role in the functioning of an application control feature in Windows called AppLocker. 

In a study published earlier this week, researchers discovered that Lazarus was spreading malicious open-source software packages to a repository where Python software is hosted, aimed directly at software developers. The researchers report that the malicious packages have been downloaded hundreds of times, according to their findings. 

The South Korean judicial system was also targeted by Lazarus as part of his endeavours. There was a large hack at the Supreme Court of South Korea last year, which was allegedly carried out by the criminal Lazarus group of hackers. Police confiscated servers from the court in February. It is still being investigated whether or not the servers are compromised. 

North Korean hackers, including Lazarus, are said to have hacked more crypto platforms for the first time last year, according to a report by crypto analytics firm Chainalysis. The number of stolen assets reached $1 billion, more than any other year.
Read more »
zero Day vulnerability
CLOP Clop Ransomware Data Evade Detection Extortion MOVEit Ransom Ransomware Safety Security zero Day vulnerability

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

 

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to being dismantled by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen data from the MOVEit breach.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.
Read more »
zero Day vulnerability
Mobile Security Security flaw Security Patch Spyware User Security zero Day vulnerability

Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS

 

Apple announced a series of patches this week for several of iOS zero-day flaws that have already been used by malicious parties to sneakily install malware and steal user data. Therefore, it is important that you update your phone as soon as you can. 

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that corrupt and provide access to their targets' iPhones. The latest iOS patch from Apple also addresses a vulnerability in WebKit, the foundation that allows developers to display webpages on Apple devices. Again, it allowed hackers to obtain personal data from users by executing arbitrary code on their target's phone. 

The tech giant stated on the support page for the upgrade that the attacks have only been observed on devices running iOS 15.7 or earlier. Even while this indicates that the company is not aware of any vulnerabilities on iOS devices running newer versions, those systems may still be exposed. Because of this, Apple urges all users to download iOS 16.5.1 even if their iPhone is already shielded from the aforementioned vulnerabilities. 

This security concern is being taken seriously even by American authorities. Federal agencies were asked to download the most recent version by July 13 after the Cybersecurity and Infrastructure Security Agency added the two exploits to its list of known exploited vulnerabilities.

Even if you don't think you're a target for malware, now is a good time to upgrade your device if you have one of the best iPhones. To install iOS 16.5.1 on your device right now, go to Settings, General, and then Software Update.
Read more »
zero Day vulnerability
File Transfer Tool Security Advisory SQL Unpatched Flaws Vulnerabilities and Exploits zero Day vulnerability

Progress Software Advises MOVEit Customers to Patch Third Severe Vulnerability

 

Customers of MOVEit are being urged by Progress Software to update their software in less than a month to address a third severe vulnerability. 

According to the most recent vulnerability, identified as CVE-2023-35708, an unauthenticated attacker may be able acquire escalated privileges and gain entry to the MOVEit Transfer database through a SQL injection bug.

In a warning, Progress states that, “an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

Versions of MOVEit Transfer prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) are affected by the vulnerability.

On June 15, proof-of-concept (PoC) code aimed at exploiting the flaw was made available. Progress quickly responded, noting that the flaw was made public "in a way that did not follow normal industry standards." 

After a zero-day vulnerability was discovered on May 31 and a second severe bug was patched a week later, Progress has now fixed three critical SQL injection flaws in its MOVEit products in around three weeks. CVE-2023-35708 is the most recent of these. 

Security experts discovered evidence indicating that exploitation may have begun two years prior to the initial flaw, CVE-2023-34362, which only began to be widely exploited in late May.

Attacks on the MOVEit zero-day have affected more than 100 organisations. The Cl0p ransomware gang is responsible for the most recent campaign, and it has begun naming some of the victims in public.

The British Broadcasting Corporation, British Airways, Aer Lingus, the Nova Scotia government, the U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE) are just a few of the organisations that have been identified as victims to date. 

Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the United Kingdom, and the United States all have victims. Malwarebytes adds that the majority of the victims are in the US. 

On June 9, CVE-2023-35036, the second vulnerability, was made public; however, it does not seem to have been used in the wild. Even though Progress claims to be unaware of any exploits for CVE-2023-35708, it advises users to install the most recent updates as soon as feasible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company added. 

Customers should stop HTTP and HTTPS traffic, limiting access to localhost only, apply the updates that are available (the June 15th patch also fixes the prior vulnerabilities), and then re-enable HTTP and HTTPS traffic to prevent unauthorised access to the MOVEit Transfer environment. 

To fix the issues, Progress has published both DLL drop-in fixes and entire MOVEit Transfer installers. The company's advisory provides more details on how to apply the updates.
Read more »
zero Day vulnerability
Cyber Security GoAnywhere MFT Phishing Attacks Ransomware Attacks. Unauthorized access zero Day vulnerability

Ransomware Attacks Surge in March 2023

According to recent reports, March 2023 saw a record-breaking number of ransomware attacks globally, with a staggering 459 incidents reported. This highlights the increasing prevalence and sophistication of cyber-attacks and the need for robust cybersecurity measures.

Ransomware attacks involve hackers encrypting a victim's data and demanding a ransom payment in exchange for the decryption key. Cybercriminals typically gain access to systems through phishing emails or exploiting vulnerabilities in software.

One such attack in March involved a zero-day vulnerability in the GoAnywhere MFT software used for secure file transfer. Cybersecurity firm Fortra completed an investigation into the incident and confirmed that the vulnerability had been exploited by attackers.

The incident emphasizes the importance of promptly identifying and patching vulnerabilities to prevent cyber attacks. With the increasing use of software and internet-connected devices, cybercriminals have more opportunities to exploit weaknesses.

Cybersecurity experts recommend implementing best practices such as regular security assessments, employee training, and security controls to minimize the risk of cyber attacks. In addition, having an incident response plan in place can help organizations quickly respond to and contain any attacks.

The prevalence of ransomware attacks underscores the importance of investing in robust cybersecurity measures to protect sensitive data and prevent business disruption. Cybersecurity threats are constantly evolving, and organizations must remain vigilant and proactive in their approach to cybersecurity to stay ahead of cybercriminals.

A recent surge in ransomware attacks and the GoAnywhere MFT incident serve as reminders of the vulnerabilities that exist in software and the need for proactive cybersecurity measures. Organizations must prioritize cybersecurity to protect themselves against these evolving threats and prevent potentially catastrophic consequences.

Read more »
zero Day vulnerability
Android Cyber Security NSO Group Pegasus zero Day vulnerability

A spyware Rival Intellexa Challenges NSO Group

The Pegasus creator NSO Group is now facing competition from a little-known spyware company called Intellexa, which is charging $8 million for its services to hack into Android and iOS devices. 

Vx-underground, a distributor of malware source code, discovered documents that represented a proposal from Intellexa, a company that provides services like Android and iOS device exploits. On Wednesday, it shared several screenshots of documents that appeared to be part of an Intellexa business proposal on Twitter.

Europe is the base of Intellexa, which has six locations and R&D facilities there. According to a statement on the company's website, "We help law enforcement and intelligence organizations across the world reduce the digital gap with many and diverse solutions, all integrated with our unique and best-in-class Nebula platform."

A Greek politician was the target of Intellexa, a Cytrox iPhone predator spyware program, according to a Citizen Lab study from last year.

The Intellexa Alliance, which Citizen Lab defined as "a marketing term for a range of mercenary surveillance companies that emerged in 2019," included Cytrox, according to Citizen Lab.

Spyware threat 

The product specifically focuses on remote, one-click browser-based exploits that let users inject a payload into iOS or Android mobile devices. According to the brief explanation, in order for the exploit to be used, the victim must click on a link.

The docs, "classified as proprietary and confidential," according to Security Week, confirmed that the exploits should function on iOS 15.4.1 and the most recent Android 12 upgrade." The fact that Apple released iOS 15.4.1 in March indicates that the offer is current.

The deal gives a "magazine of 100 active infections" in addition to 10 concurrent infections for iOS and Android devices. A sample list of Android devices that an attack would allegedly be effective against is also displayed in the stolen documents.

Last year, Apple sued NSO Group to prevent the business from using its products and services. It implies that the offer is relatively new. Since then, three security patches for the mobile operating system have been released.

This indicates that Apple might have addressed one or more of the zero-day vulnerabilities utilized by the Intellexa iOS attack, but it's also feasible that the exploits provided by these kinds of businesses could stay unpatched for a considerable amount of time.

The buyer would actually receive considerably more for the $8 million, despite the fact that some have claimed that this is the cost of an iOS hack. The offer is for a whole platform with a 12-month guarantee and the ability to evaluate the data obtained by the exploits.

The documents are undated, but according to vx-underground, the screenshots were published on the hacker forum XSS in Russian on July 14. While there is a wealth of technical knowledge available about the exploits provided by spyware companies, nothing is known regarding the prices they charge clients.

According to a 2019 estimate from India's Economic Times, a Pegasus license costs about $7-8 million each year. Additionally, it is well-known that brokers of exploits are willing to pay up to $2 million for fully automated iOS and Android flaws.



Read more »
zero Day vulnerability
Cyber Attacks data vulnerabilities social media vulnerabilities Twitter zero Day vulnerability

Twitter 5.4 Million Users Data is Up For Sale For $30,000

 

A Vulnerability in Twitter’s databases that allowed hackers group access to the personal data of 5.4 million Twitter users, has been patched. The report analysis said that the stolen data is up for sale at a $30,000 price. 

On Friday Twitter reported that a team of researchers has found that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. 

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter reported.

In January 2020, various cyber security news platforms published a story on Twitter’s vulnerability that allowed hackers and other malicious actors to access sensitive data including phone numbers and email addresses of millions of users, leaving it susceptible to being accessed by anyone. 

What's even more threatening is that the data details could be accessed even if a user had enabled privacy settings to hide these details publicly. 

"As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in an advisory. 

When vulnerabilities in the system are not discovered by the software or hardware manufacturer remain, they remain a potentially hazardous threat. In most incidents, zero-day vulnerabilities are noticed by security experts like white-hat hackers, and security analysts inside tech companies. The essential thing to be noted about a zero-day is that there is no patch or update yet created for it, so long as it remains zero-day. 

Twitter said that the company has started notifying users affected by the attack and urging its users to turn on two-factor authentication to protect data against unauthorized logins. 
Read more »
Subscribe to: Posts (Atom)