je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.


Microsoft Edge finally lands on Linux> - 58 min 56 sek zpět
Microsoft has announced the availability of its Microsoft Edge Dev Channel for Linux. While Linux users can begin testing out Microsoft Edge on their systems, security researchers can begin searching for and submitting vulnerabilities to the company's new Microsoft Edge Bounty Program .
Kategorie: Hacking & Security

On the trail of the XMRig miner

Kaspersky Securelist - 2 hodiny 49 min zpět

As protection methods improve, the developers of miners have had to enhance their own creations, often turning to non-trivial solutions. Several such solutions (previously unseen by us) were detected during our analysis of the open source miner XMRig.

How it all began: ransominer

Alongside well-known groups that make money from data theft and ransomware (for example, Maze, which is suspected of the recent attacks on SK Hynix and LG Electronics), many would-be attackers are attracted by the high-profile successes of cybercrime. In terms of technical capabilities, such amateurs lag far behind organized groups and therefore use publicly available ransomware, targeting ordinary users instead of the corporate sector.

The outlays on such attacks are often quite small, so the miscreants have to resort to various stratagems to maximize the payout from each infected machine. For example, in August of this year, we noticed a rather curious infection method: on the victim’s machine, a Trojan (a common one detected by our solutions as Trojan.Win32.Generic) was run, which installed administration programs, added a new user, and opened RDP access to the computer. Next, the ransomware Trojan-Ransom.Win32.Crusis started on the same machine, followed by the loader of the XMRig miner, which then set about mining Monero cryptocurrency.

As a result, the computer would already start earning money for the cybercriminals just as the user saw the ransom note. In addition, RDP access allowed the attackers to manually study the victim’s network and, if desired, spread the ransomware to other nodes.

Details about Trojan files:

  • Mssql — PC Hunter x64 (f6a3d38aa0ae08c3294d6ed26266693f)
  • mssql2 — PC Hunter x86 (f7d94750703f0c1ddd1edd36f6d0371d)
  • exe — nmap-like network scanner (597de376b1f80c06d501415dd973dcec)
  • bat — removes shadow copy
  • bat — creates a new user, adds it to the administrators group, opens the port for RDP access, and starts the Telnet server
  • exe — IOBIT Unlocker (5840aa36b70b7c03c25e5e1266c5835b)
  • EVER\SearchHost.exe — Everything software (8add121fa398ebf83e8b5db8f17b45e0)
  • EVER\1saas\1saas.exe — ransomware Trojan-Ransom.Win32.Crusis (0880430c257ce49d7490099d2a8dd01a)
  • EVER\1saas \LogDelete — miner loader (6ca170ece252721ed6cc3cfa3302d6f0, HEUR:Trojan-Downloader.Win32.Generic)

Batch script systembackup.bat adds a user and opens access via RDP

We decided to use KSN to examine how often XMRig and its modifications get bundled with malware. It emerged that in August 2020 there were more than 5,000 attempts to install it on users’ computers. The parties responsible for its distribution turned out to be the Prometei malware family and a new family called Cliptomaner.

Prometei backdoor

The Prometei family has been known since 2016, but spotted together with XMRig for the first time in February 2020. What’s more, the backdoor was distributed in an unusual way: whereas during ordinary attacks the cybercriminals gain server access through various exploits, this time they used brute-force attacks. Having thus obtained usernames and passwords for computers with MS SQL installed, the attackers used the T-SQL function xp_cmdshell to run several PowerShell scripts and elevated the privileges of the current user by exploiting the CVE-2016-0099 vulnerability. After that, Purple Fox Trojan and Prometei itself were installed on the victim’s machine. The whole attack, starting with the brute-forcing of credentials to connect to the SQL server and ending with the installation of Prometei, was carried out in fully automatic mode.

The installation process is of interest: the .NET executable file, packed into an ELF file using standard .NET Core tools (Apphost), sends information about the infected machine to the C&C server, and then downloads the cryptocurrency miner and its configuration. The versions of the loaders for Windows and Linux differ only slightly: the .NET build for different platforms saved the attackers from having to create a separate loader for Linux and allowed cryptocurrency mining on powerful Windows and Linux servers.

Cliptomaner miner

Detected in September 2020, Cliptomaner is very similar to its fellows: like them, it not only mines cryptocurrency, but can also substitute cryptowallet addresses in the clipboard. The miner version is selected according to the computer configuration and downloaded from C&C. The malware is distributed under the guise of software for Realtek audio equipment. On the whole, we saw no new techniques, but interestingly Cliptomaner is written entirely in the AutoIT scripting language. Most of the time, families with similar behavior are written in compiled languages, such as C# or C, but in this case the authors opted for a more creative approach, and wrote a lengthy script that selects the required version of the miner and receives cryptowallet addresses from C&C for substitution.

Substituting cryptowallets in the clipboard

Kaspersky security solutions detect the above malicious programs with the following verdicts: HEUR:Trojan.MSIL.Prometei.gen, HEUR:Trojan.Script.Cliptomaner.gen, HEUR:Trojan-Downloader.Win32.Generic, Trojan-Ransom.Win32.Crusis, Trojan.Win64.Agentb, not-a-virus:RiskTool.Win64.XMRigMiner

Indicators of compromise (IoC) Domains


Cryptowallets used for substitution

ETH: 0x795957d9753e854b62C64cF880Ae22c8Ab14991b
ZEC: t1ZbJBqHQyytNYtCpDWFQzqPQ5xKftePPt8
DODGE: DEUjj7mi5N67b6LYZPApyoV8Ek8hdNL1Vy



Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks

Threatpost - 21 Říjen, 2020 - 22:31
The Feds have published a Top 25 exploits list, rife with big names like BlueKeep, Zerologon and other notorious security vulnerabilities.
Kategorie: Hacking & Security

Cisco Warns of Severe DoS Flaws in Network Security Software

Threatpost - 21 Říjen, 2020 - 20:57
The majority of the bugs in Cisco’s Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) software can enable denial of service (DoS) on affected devices.
Kategorie: Hacking & Security

Oracle Kills 402 Bugs in Massive October Patch Update

Threatpost - 21 Říjen, 2020 - 19:21
Over half of Oracle's flaws in its quarterly patch update can be remotely exploitable without authentication; two have CVSS scores of 10 out of 10.
Kategorie: Hacking & Security

New Chrome 0-day Under Active Attacks – Update Your Browser Now

The Hacker News - 21 Říjen, 2020 - 18:27
Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. Google released Chrome version 86.0.4240.111 today to patch several security high-severity issues, including a zero-day vulnerability that has been exploited in the wild by attackers to
Kategorie: Hacking & Security

Egregor Claims Responsibility for Barnes & Noble Attack, Leaks Data

Threatpost - 21 Říjen, 2020 - 17:30
The ransomware gang claims to have bought network access to the bookseller's systems before encrypting the networks and stealing "financial and audit data."
Kategorie: Hacking & Security

Chrome zero-day in the wild – patch now!

Sophos Naked Security - 21 Říjen, 2020 - 16:47
Exploitable bug in Chrome - patch now!

Cybercriminals Step Up Their Game Ahead of U.S. Elections

Threatpost - 21 Říjen, 2020 - 15:48
Ahead of the November U.S. elections, cybercriminals are stepping up their offensive in both attacks against security infrastructure and disinformation campaigns - but this time, social media giants, the government and citizens are more prepared.
Kategorie: Hacking & Security

Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser

Threatpost - 21 Říjen, 2020 - 14:23
The memory-corruption vulnerability exists in the browser’s FreeType font rendering library.
Kategorie: Hacking & Security

Life of Maze ransomware

Kaspersky Securelist - 21 Říjen, 2020 - 12:00

In the past year, Maze ransomware has become one of the most notorious malware families threatening businesses and large organizations. Dozens of organizations have fallen victim to this vile malware, including LG, Southwire, and the City of Pensacola.

The history of this ransomware began in the first half of 2019, and back then it didn’t have any distinct branding – the ransom note included the title “0010 System Failure 0010”, and it was referenced by researchers simply as ‘ChaCha ransomware’.

Ransom note of an early version of Maze/ChaCha ransomware

Shortly afterwards, new versions of this Trojan started calling themselves Maze and using a relevantly named website for the victims instead of the generic email address shown in the screenshot above.

Website used by a recent version of Maze ransomware

Infection scenarios Mass campaigns

The distribution tactic of the Maze ransomware initially involved infections via exploit kits (namely, Fallout EK and Spelevo EK), as well as via spam with malicious attachments. Below is an example of one of these malicious spam messages containing an MS Word document with a macro that’s intended to download the Maze ransomware payload.

If the recipient opens the attached document, they will be prompted to enable editing mode and then enable the content. If they fall for it, the malicious macro contained inside the document will execute, which in turn will result in the victim’s PC being infected with Maze ransomware.

Tailored approach

In addition to these typical infection vectors, the threat actors behind Maze ransomware started targeting corporations and municipal organizations in order to maximize the amount of money extorted.

The initial compromise mechanism and subsequent tactics vary. Some incidents involved spear-phishing campaigns that installed Cobalt Strike RAT, while in other cases the network breach was the result of exploiting a vulnerable internet-facing service (e.g. Citrix ADC/Netscaler or Pulse Secure VPN). Weak RDP credentials on machines accessible from the internet also pose a threat as the operators of Maze may use this flaw as well.

Privilege escalation, reconnaissance and lateral movement tactics also tend to differ from case to case. During these stages, the use of the following tools has been observed: mimikatz, procdump, Cobalt Strike, Advanced IP Scanner, Bloodhound, PowerSploit, and others.

During these intermediate stages, the threat actors attempt to identify valuable data stored on the servers and workstations in the compromised network. They will then exfiltrate the victim’s confidential files in order to leverage them when negotiating the size of the ransom.

At the final stage of the intrusion, the malicious operators will install the Maze ransomware executable onto all the machines they can access. This results in the encryption of the victim’s valuable data and finalizes the attack.

Data leaks/doxing

Maze ransomware was one of the first ransomware families that threatened to leak the victims’ confidential data if they refused to cooperate.

In fact, this made Maze something of a trendsetter because this approach turned out to be so lucrative for the criminals that it’s now become standard for several notorious ransomware gangs, including REvil/Sodinokibi, DoppelPaymer, JSWorm/Nemty/Nefilim, RagnarLocker, and Snatch.

The authors of the Maze ransomware maintain a website where they list their recent victims and publish a partial or a full dump of the documents they have managed to exfiltrate following a network compromise.

Website with leaked data published by Maze operators

Ransomware cartel

In June 2020, the criminals behind Maze teamed up with two other threat actor groups, LockBit and RagnarLocker, essentially forming a ‘ransomware cartel’. The data stolen by these groups now gets published on the blog maintained by the Maze operators.

It wasn’t just the hosting of exfiltrated documents where the criminals pooled their efforts – apparently they are also sharing their expertise. Maze now uses execution techniques that were previously only used by RagnarLocker.

Brief technical overview

The Maze ransomware is typically distributed as a PE binary (EXE or DLL depending on the specific scenario) which is developed in C/C++ and obfuscated by a custom protector. It employs various tricks to hinder static analysis, including dynamic API function imports, control flow obfuscation using conditional jumps, replacing RET with JMP dword ptr [esp-4], replacing CALL with PUSH + JMP, and several other techniques.

To counter dynamic analysis, this Trojan will also terminate processes typically used by researchers, e.g. procmon, procexp, ida, x32dbg, etc.

The cryptographic scheme used by Maze consists of several levels:

  • To encrypt the content of the victim’s files, the Trojan securely generates unique keys and nonce values to use with the ChaCha stream cipher;
  • The ChaCha keys and nonce values are encrypted by a session public RSA-2048 key which is generated when the malware is launched;
  • The session private RSA-2048 key is encrypted by the master public RSA-2048 key hardcoded in the Trojan’s body.

This scheme is a variation of a more or less typical approach used by developers of modern ransomware. It allows the operators to keep their master private RSA key secret when selling decryptors for each individual victim, and it also ensures that a decryptor purchased by one victim won’t help others.

When executing on a machine, Maze ransomware will also attempt to determine what kind of PC it has infected. It tries to distinguish between different types of system (‘backup server’, ‘domain controller’, ‘standalone server’, etc.). Using this information in the ransom note, the Trojan aims to further scare the victims into thinking that the criminals know everything about the affected network.

Strings that Maze uses to generate the ransom note

Fragment of the procedure that generates the ransom note

How to avoid and prevent

Ransomware is evolving day by day, meaning a reactive approach to avoid and prevent infection is not profitable. The best defense against ransomware is proactive prevention because often it is too late to recover data once they have been encrypted.

There are a number of recommendations that may help prevent attacks like these:

  1. Keep your OS and applications patched and up to date.
  2. Train all employees on cybersecurity best practices.
  3. Only use secure technology for remote connection in a company local network.
  4. Use endpoint security with behavior detection and automatic file rollback, such asKaspersky Endpoint Security for Business.
  5. Use the latest threat intelligence information to detect an attack quickly, understand what countermeasures are useful, and prevent it from spreading.

Kaspersky products protect against this ransomware, detecting it as Trojan-Ransom.Win32.Maze; it is blocked by Behavior-based Protection as PDM:Trojan.Win32.Generic.

We safeguard our customers with the best Ransomware Protection technologies.

TIP Cloud Sandbox report summary and execution map with mapping on MITRE ATT&CK Framework



Popular Mobile Browsers Found Vulnerable To Address Bar Spoofing Attacks

The Hacker News - 21 Říjen, 2020 - 09:12
Graphic for illustration Cybersecurity researchers on Tuesday disclosed details about an address bar spoofing vulnerability affecting multiple mobile browsers, such as Apple Safari and Opera Touch, leaving the door open for spear-phishing attacks and delivering malware. Other impacted browsers include UCWeb, Yandex Browser, Bolt Browser, and RITS Browser. The flaws were discovered by Pakistani
Kategorie: Hacking & Security

Ransomware Group Makes Splashy $20K Donation to Charities

Threatpost - 20 Říjen, 2020 - 22:36
Cybercriminal gang Darkside sent $20K in donations to charities in a ‘Robin Hood’ effort that’s likely intended to draw attention to future data dumps, according to experts.
Kategorie: Hacking & Security

Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio

Threatpost - 20 Říjen, 2020 - 20:31
The out-of-band patches follow a lighter-than-usual Patch Tuesday update earlier this month.
Kategorie: Hacking & Security

Rusko odmítá obvinění z hackerských útoků vojenské rozvědky - bezpečnost - 20 Říjen, 2020 - 20:30
Moskva skrze velvyslanectví ve Washingtonu odmítla obvinění z přípravy hackerských útoků na různé cíle po celém světě. Informovala o tom agentura Ria Novosti. USA v pondělí obvinily šestici agentů ruské vojenské rozvědky z kybernetických útoků z minulých let a Británie varovala před kybernetickým napadením olympiády v Tokiu.
Kategorie: Hacking & Security

Russian “government hackers” charged with cybercrimes by the US

Sophos Naked Security - 20 Říjen, 2020 - 19:59
What can we learn from the US DOJ indictments against the "Sandworm Team"?

Facebook: A Top Launching Pad For Phishing Attacks

Threatpost - 20 Říjen, 2020 - 18:54
Amazon, Apple, Netflix, Facebook and WhatsApp are top brands leveraged by cybercriminals in phishing and fraud attacks - including a recent strike on a half-million Facebook users.
Kategorie: Hacking & Security

Pharma Giant Pfizer Leaks Customer Prescription Info, Call Transcripts

Threatpost - 20 Říjen, 2020 - 18:20
Hundreds of medical patients taking cancer drugs, Premarin, Lyrica and more are now vulnerable to phishing, malware and identity fraud.
Kategorie: Hacking & Security

Office 365 OAuth Attack Targets Coinbase Users

Threatpost - 20 Říjen, 2020 - 16:33
Attackers are targeting Microsoft Office 365 users with a Coinbase-themed attack, aiming to take control of their inboxes via OAuth.
Kategorie: Hacking & Security

Windows GravityRAT Malware Now Also Targets macOS and Android Devices

The Hacker News - 20 Říjen, 2020 - 16:02
A Windows-based remote access Trojan believed to be designed by Pakistani hacker groups to infiltrate computers and steal users' data has resurfaced after a two-year span with retooled capabilities to target Android and macOS devices. According to cybersecurity firm Kaspersky, the malware — dubbed "GravityRAT" — now masquerades as legitimate Android and macOS apps to capture device data, contact
Kategorie: Hacking & Security
Syndikovat obsah