Kategorie

Enlarge (credit: Valentina Palladino)

Huawei MateBook systems that are running the company's PCManager software included a driver that would let unprivileged users create processes with superuser privileges. The insecure driver was discovered by Microsoft using some of the new monitoring features added to Windows version 1809 that are monitored by the company's Microsoft Defender Advanced Threat Protection (ATP) service.

First things first: Huawei fixed the driver and published the safe version in early January, so if you're using a Huawei system and have either updated everything or removed the built-in applications entirely, you should be good to go.

The interesting part of the story is how Microsoft found the bad driver in the first place.

Read 10 remaining paragraphs | Comments

Norský konglomerát Norsk Hydro, který před týdnem napadli hackeři, může kvůli útoku přijít o více než 40 milionů dolarů (913 milionů Kč). Útok paralyzoval část aktivit společnosti a podle jejích odhadů uvedení IT systémů do původního stavu potrvá minimálně týdny.

If users have an impacted devices, they need to immediately run a backup of their files and restore their operating system to factory settings, said ASUS

Apple's update for iOS and macOS patches 51 holes, the more serious of which include bugs in Safari, Keychain and FaceTime.

Facebook has introduced a new feature in its platform that has been designed to make it easier for bug bounty hunters to find security flaws in Facebook, Messenger, and Instagram Android applications. Since almost all Facebook-owned apps by default use security mechanisms such as Certificate Pinning to ensure integrity and confidentiality of the traffic, it makes it harder for white hat

It’s hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection.

In the middle of 2018, we published our Operation Applejeus research, which highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target macOS. Since then Lazarus has been busy expanding its operations for the platform.

Further tracking of their activities targeting the financial sector enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and macOS malware for Apple users.

Infection procedure

Lazarus is a well-organized group, something that can be seen from their malware population: not only have we seen them build redundancy to reserve some malware in case of in-operation hot spare replacement of ‘burnt’ (detected) samples but they also conform to specific internal standards and protocols when developing backdoors. This case is no different. They have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects. After establishing the malware control session with the server, the functionality provided by the malware includes:

• Set sleep time (delay between C2 interactions)
• Exit malware
• Collect basic host information
• Check malware status
• Show current malware configuration
• Update malware configuration
• Execute system shell command
• Download & Upload files

Lazarus uses different tactics to run its C2 servers: from purchasing servers to using hacked ones. We have seen some legitimate-looking servers that are most likely compromised and used in malicious campaigns. According to server response headers, they are most likely running an old vulnerable instance of Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003. Another C2 server was probably purchased by Lazarus from a hosting company and used to host macOS and Windows payloads. The geography of the servers varies, from China to the European Union. But why use two different types of servers? The group seems to have a rule (at least in this campaign) to only host malware on rented servers, while hosting C2 scripts for malware communication on compromised servers.

Infrastructure segregation by purpose

The malware was distributed via documents carefully prepared to attract the attention of cryptocurrency professionals. Seeing as how some of the documents were prepared in Korean, we believe that South Korean businesses are a high priority for Lazarus. One document entitled ‘Sample document for business plan evaluation of venture company’ (translated from Korean) looks like this:

Content of weaponized document from Lazarus (4cbd45fe6d65f513447beb4509a9ae3d)

Another macro-weaponized document (e9a6a945803722be1556fd120ee81199) contains a business overview of what seems to be a Chinese technology consulting group named LAFIZ. We couldn’t confirm if it’s a legitimate business or another fake company made up by Lazarus. Their website lafiz[.]link has been parked since 2017.

Contents of another weaponized document (e9a6a945803722be1556fd120ee81199)

Based on our telemetry, we found a cryptocurrency exchange company attacked with a malicious document containing the same macro. The document’s content provided information for coin listings with a translation in Korean:

Content of another weaponized document (6a0f3abd05bc75edbfb862739865a4cc)

The payloads show that Lazarus keeps exploring more ways to evade detection to stay under the radar longer. The group builds malware for 32-bit and 64-bit Windows separately to support both platforms and have more variety in terms of compiled code. The Windows payloads distributed from the server (nzssdm[.]com) hosting the Mac malware have a CheckSelf export function, and one of them (668d5b5761755c9d061da74cb21a8b75) has the internal name ‘battle64.dll’. From that point we managed to find additional Windows malware samples containing the CheckSelf export function and an internal name containing the word ‘battle’.

These Windows malware samples were delivered using malicious HWP (Korean Hangul Word Processor format) documents exploiting a known PostScript vulnerability. It should be noted that HWP documents are only popular among Korean users (Hangul Word Processor was developed in South Korea) and we have witnessed several attacks using the same method.

Connection with previous HWP attacks

It’s no secret that Apple products are now very popular among successful internet startups and fintech companies, and this is why the malicious actor built and used macOS malware. While investigating earlier Lazarus incidents, we anticipated this actor would eventually expand its attacks to macOS.

It appears that Lazarus is using the same developers to expand to other platforms, because some of the features have remained consistent as its malware evolves.

Overlap of current campaign and previous hwp-based attack cases

We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It’s best to check new software with an antivirus or at least use popular free virus-scanning services such as VirusTotal. And never ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources. Avoid being infected by fake or backdoored software from Lazarus – if you need to try out new applications, it’s better do so offline or on an isolated network virtual machine which you can erase with a few clicks. We’ll continue posting on Lazarus’s latest tactics and tricks in our blog. In the meantime, stay safe!

For more details on this and other research, please contact intelreports@kaspersky.com.

File Hashes:

Malicious office document used in real attack
4cbd45fe6d65f513447beb4509a9ae3d 샘플_기술사업계획서(벤처기업평가용).doc
6a0f3abd05bc75edbfb862739865a4cc 문의_Evaluation Table.xls

Testing office document
29a37c6d9fae5664946c6607f351a8dc list.doc
e9a6a945803722be1556fd120ee81199 list.doc
a18bc8bc82bca8245838274907e64631 list.doc

macOS malware
4345798b2a09fc782901e176bd0c69b6

PowerShell script
cb713385655e9af0a2fc10da5c0256f5 test.ps1
e6d5363091e63e35490ad2d76b72e851 test.ps1 – It does not contain URLs.
Da4981df65cc8b5263594bb71a0720a1

Windows executable payload
171b9135540f89bf727b690b9e587a4e wwtm.dat
668d5b5761755c9d061da74cb21a8b75 wwtm.dat
ad3f966d48f18b5e7b23a579a926c7e8

Manuscrypt payload
35e38d023b253c0cd9bd3e16afc362a7
72fe869aa394ef0a62bb8324857770dd
86d3c1b354ce696e454c42d8dc6df1b7
5182e7a2037717f2f9bbf6ba298c48fb

Malicious hwp file
F392492ef5ea1b399b4c0af38810b0d6 일일동향보고_180913.hwp
0316f6067bc02c23c1975d83c659da21 국가핵심인력등록관리제등검토요청(10.16)(김경환변호사).hwp

Domains and IPs

Compromised first stage C2 server
http://bluecreekrobotics[.]com/wp-includes/common.php
http://dev.microcravate[.]com/wp-includes/common.php
http://dev.whatsyourcrunch[.]com/wp-includes/common.php
http://enterpriseheroes.com[.]ng/wp-includes/common.php
http://hrgp.asselsolutions[.]com/wp-includes/common.php
https://baseballcharlemagnelegardeur[.]com/wp-content/languages/common.php
https://bogorcenter[.]com/wp-content/themes/index2.php
https://eventum.cwsdev3.bi[.]com/wp-includes/common.php
https://streamf[.]ru/wp-content/index2.php
https://towingoperations[.]com/chat/chat.php
https://vinhsake[.]com//wp-content/uploads/index2.php
https://www.tangowithcolette[.]com/pages/common.php

Second stage C2 server
http://115.28.160[.]20:443 – Compromised server

Malware hosting server
http://nzssdm[.]com/assets/wwtm.dat – Windows payload distribution URL
http://nzssdm[.]com/assets/mt.dat – Mac payload distribution URL

Apple patched more than 50 flaws in iOS 12.2, including an array of bugs in Webkit and a vulnerability that allows apps to secretly listen to users.

The operating system: the fundamental part of our computing environment. It is the mothership that controls the software and hardware applications that provide the tools of computing. But the operating system is also a security weak point. Just like other software, operating systems have vulnerabilities, and updates like Patch Tuesday are legendary. Operating systems have […]

The post Provably Secure Operating Systems appeared first on Infosec Resources.

Provably Secure Operating Systems was first posted on March 26, 2019 at 8:02 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction When it comes to starting a career in the cybersecurity field, you have many options to choose from, but only one will be the right fit. CyberSeek’s Career Pathway tool is here to help you find it. Regardless of which position you ultimately choose, you can feel confident that cybersecurity is an excellent field […]

The post CyberSeek Career Pathway: Cybersecurity Specialist/Technician (Entry-Level) appeared first on Infosec Resources.

CyberSeek Career Pathway: Cybersecurity Specialist/Technician (Entry-Level) was first posted on March 26, 2019 at 8:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

To determine the behavior of a piece of malware, we will develop a script (based on LibVMI functions) that will allow us to trace the Kernel APIs executed by a malware and their arguments. 1. Preparation After choosing the domain name of the machine, create the file containing the dictionary and determine the malware file […]

The post Virtual Machine Introspection in Malware Analysis – Use Case appeared first on Infosec Resources.

Virtual Machine Introspection in Malware Analysis – Use Case was first posted on March 26, 2019 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

At Infosec, we believe knowledge is the most powerful tool in the fight against cybercrime. We help IT and security professionals advance their careers with a full regimen of certifications and skills development training. We also empower all employees with security awareness and training to stay cybersecure at work and home. Founded by smart people […]

The post About Infosec appeared first on Infosec Resources.

About Infosec was first posted on March 26, 2019 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Beware! If you are using UC Browser on your smartphones, you should consider uninstalling it immediately. Why? Because the China-made UC Browser contains a "questionable" ability that could be exploited by remote attackers to automatically download and execute code on your Android devices. Developed by Alibaba-owned UCWeb, UC Browser is one of the most popular mobile browsers, specifically

The agency said it exposed 2.3m people's details in a “major privacy incident” involving a contractor that set up temporary housing.

Dvojice bezpečnostních expertů zabodovala během letošního ročníku hackerské soutěže Pwn2Own. Za úspěšné odhalení zranitelnosti informačního systému automobilu Tesla si odnesla nejen finanční odměnu ve výši 375 tisíc dolarů (v přepočtu asi 8,5 milionů korun), ale též zbrusu nový automobil Model ...

The main disagreement: if consumers will be able to delete their data or whether the law would give companies ways to wiggle out.

A journalist/researcher team got a sensitive database taken down after the vendor responsible failed to acknowledge a problem.

An academic study that analyzed 82,501 apps that were pre-installed on 1,742 Android smartphones sold by 214 vendors concluded that users are woefully unaware of the huge security and privacy-related threats that come from pre-installed applications.

Apple released yesterday iOS version 12.2 that, like never before, includes fixes for a considerable number of security-related issues, including some that are downright disturbing.

Apple on Monday released iOS 12.2 to patch a total of 51 security vulnerabilities in its mobile operating system that affects iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. A majority of vulnerabilities Apple patched this month reside in its web rendering engine WebKit, which is used by many apps and web browsers running on the Apple's operating system. According to

More than one-third of surveyed organizations (36 percent) said they have experienced a security incident because of a remote worker's actions.