Kategorie

Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comCyber Espionage / Malware37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution. The list of flaws, which were reported anonymously way back in June 2022, is as follows - CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comEmail Security / Hacking News37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. DoubleFinger was first THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comMalware / Cyber Threat37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Benešov, Brno, Ostrava, Olomouc, Praha, Kosmonosy, Česká Lípa, Janov. To jsou jen některá města, kde se nemocnice, kliniky nebo další zdravotnická zařízení staly v posledních letech terčem útoků hackerů. V některých případech se organizace zvládly ubránit. Jindy ale kybernetický útok způsobil ...

The North Korea-linked Lazarus Group has been linked to a cyber espionage attack targeting an unnamed aerospace company in Spain in which employees of the firm were approached by the threat actor posing as a recruiter for Meta. "Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comCyber Espionage / Malware37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Most people are barely thinking about basic cybersecurity, let alone post-quantum cryptography. But the impact of a post-quantum world is coming for them regardless of whether or not it's keeping them up tonight.  Today, many rely on encryption in their daily lives to protect their fundamental digital privacy and security, whether for messaging friends and family, storing files and photos, or The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.comQuantum Computing / Network Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Malicious ads served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools. The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Introduced by Microsoft in February 2023, Bing Chat is an THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comArtificial Intelligence / Malware37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface. Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw. "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comServer Security / Vulnerability37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Cisco is warning of attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit an authenticated remote attacker to achieve remote code execution on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109, and has a CVSS score of 6.6. It impacts all versions of the software that have the GDOI or G-IKEv2 protocol enabled. The THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comVulnerability / Network Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

A new deceptive campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers. "The malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modify any existing javascript files in the attacked project with a web-form password-stealer malware code THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comSupply Chain / Malware37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries. The attacks have been tied to a malicious cyber actor dubbed BlackTech by the U.S. National Security Agency (NSA), Federal Bureau of THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comCyber Espionage / Threat Intel37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

The landscape of browser security has undergone significant changes over the past decade. While Browser Isolation was once considered the gold standard for protecting against browser exploits and malware downloads, it has become increasingly inadequate and insecure in today's SaaS-centric world. The limitations of Browser Isolation, such as degraded browser performance and inability to tackle The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.comBrowser Security / Cybersecurity37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Government and telecom entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset. The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, with the adversary deploying an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team, THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comMalware / Cyber Threat37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Introduction

As long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making malware, we’ll keep analyzing it, publishing reports and providing protection. Last month we covered a wide range of cybercrime topics. For example, we published a private report on a new malware found on underground forums that we call ASMCrypt (related to the DoubleFinger loader). But there’s more going on in the cybercrime landscape, so we also published reports on new versions of the Lumma stealer and Zanubis Android banking trojan. This blog post contains excerpts from those reports.

If you want to learn more about our crimeware reporting service, please contact us at crimewareintel@kaspersky.com.

ASMCrypt

As mentioned in our previous blog post, we monitor many underground forums. On one of them we saw an ad, promoting a new cryptor/loader variant called ASMCrypt. The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc. This sounds a lot like the DoubleFinger loader we discussed here.

In fact, after careful analysis, we believe with a high degree of confidence that ASMCrypt is an evolved version of DoubleFinger. However, ASMCrypt works slightly differently and is more of a “front” for the actual service that runs on the TOR network.

So how does it work? First the buyer obtains the ASMCrypt binary, which connects to the malware’s backend service over the TOR network using hardcoded credentials. If everything is okay, the options menu is shown:

The buyer can choose from the following options:

• Stealth or invisible injection method;
• The process the payload should be injected into;
• Folder name for startup persistence;
• Stub type: either the malware itself masquerading as Apple QuickTime, or a legitimate application that sideloads the malicious DLL.

After selecting all the desired options and pressing the build button, the application creates an encrypted blob hidden inside a .png file. This image must be uploaded to an image hosting site. The malicious DLL (or binary) from the last bullet point above is also created and will be distributed by the cybercriminals.

When the malicious DLL is executed on a victim system, it downloads the .png file, decrypts it, loads it into memory and then executes it.

Lumma

The Arkei stealer, written in C++, first appeared in May 2018 and has been forked/rebranded several times over the last couple of years. It has been known as Vidar, Oski, Mars and now Lumma, which has a 46% overlap with Arkei. Over time, the main functionality of all the variants has remained the same: stealing cached files, configuration files and logs from crypto wallets. It can do this by acting as a browser plugin, but it also supports the standalone Binance application.

But first the infection vector. Lumma is distributed via a spoofed website that mimics a legitimate .docx to .pdf site. When a file is uploaded, it is returned with the double extension .pdf.exe.

Lumma itself first appeared on our radar in August 2022, when we detected new samples. Around the same time, cybersecurity enthusiast Fumik0_ tweeted that Lumma was a “fork/refactor” of Mars. Since then, Lumma has undergone a number of changes, some of which we will highlight below:

• We found only one sample (MD5 6b4c224c16e852bdc7ed2001597cde9d) that had the functionality to collect the system process list. The same sample also used a different URL to communicate with the C2 (/winsock instead of /socket.php);
• We also found one sample (MD5 844ab1b8a2db0242a20a6f3bbceedf6b) that appears to be a debugging version. When certain code fragments are reached, a notification is sent to the C2. Again, it uses a different URL (/windbg).
• In a more recent sample (MD5 a09daf5791d8fd4b5843cd38ae37cf97), the attackers changed the User-Agent field to “HTTP/1.1”. It is unclear why this was done;
• While all previous samples, including the three mentioned above, downloaded additional libraries from the C2 for 32-bit systems so that specific browser-related files (e.g. passwords and the like) could be parsed, MD5 5aac51312dfd99bf4e88be482f734c79 simply uploads the entire database to the C2;
• MD5 d1f506b59908e3389c83a3a8e8da3276 has a string encryption algorithm. They are now hex encoded and encrypted with an XOR key (first 4 bytes of the string).
• One of the biggest changes we saw involved MD5 c2a9151e0e9f4175e555cf90300b45c9. This sample supports dynamic configuration files retrieved from the C2. The configuration is Base64 encoded and XORed with the first 32 bytes of the configuration file.

Code snippet of the “debugging” sample

Zanubis

Zanubis, an Android banking trojan, first appeared around August 2022, targeting financial institution and cryptocurrency exchange users in Peru. Zanubis’s main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device.

We spotted more recent samples of Zanubis  in the wild around April 2023. The malware was disguised as the official Android application for the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria). We explored the new design and features of the malware, which seemed to have undergone several phases of evolution to reach a new level of sophistication.

Zanubis is obfuscated with the help of Obfuscapk, a popular obfuscator for Android APK files. After the victim grants Accessibility permissions to the malicious app, thus allowing it to run in the background, the malware uses WebView to load a legitimate SUNAT website used for looking up debts. The intention here is to lead the unsuspecting user to believe that the app is part of the SUNAT ecosystem of services.

Communication with the C2 relies on WebSockets and the library called Socket.IO. The latter allows the malware to establish a persistent connection to the C2, which provides failover options (from WebSockets to HTTP and vice versa). Another advantage is that it provides the C2 with a scalable environment where all new infections by Zanubis can receive commands (also called events) on a massive scale from the C2 if required. Once the malware starts, the implant calls a function to check the connection to the C2. It establishes two connections to the same C2 server, but they perform different types of actions, and the second connection is established only if requested by the C2.

Intentionally, Zanubis doesn’t count with a pre-populated and hardcoded list of applications to target. In recent years, malware developers have tended to add or remove the names of applications from the target list. To set the targeted applications on the implant, the C2 sends the event config_packages. The JSON object sent with the event contains an array specifying the applications that the malware should monitor. The malware parses the list of targeted applications each time an event occurs on the screen, such as an app opening, which the malware detects using the onAccessibilityEvent function. Once an application on the list is found running on the device, Zanubis takes one of two actions, depending on its configuration, to steal the victim’s information: logging events/keys, or recording the screen.

Previously, we mentioned initializing the second connection from the infected device, which provides further options for the C2. After Zanubis establishes this new connection, it sends a VncInit event to the server to inform it that initialization of the second feature set is complete, and it will send information about screen rendering, such as the display size, every second. We can assume that this is a way for the operators to take control of, or backdoor, the infected phone.

An interesting feature in the second set is the bloqueoUpdate event. This is one of the most invasive – and persuasive – actions taken by the malware: it pretends to be an Android update, thus blocking the phone from being used. As the “update” runs, the phone remains unusable to the point that it can’t be locked or unlocked, as the malware monitors those attempts and blocks them.

Fake update locking the user out of the phone

According to our analysis, the targeted applications are banks and financial entities in Peru. This fact, in conjunction with our telemetry data, leads us to determine that Zanubis targets users in that country specifically. The list of targeted applications contains more than 40 package names. The samples of Zanubis collected to date are capable of infecting any Android phone, but they were all written with Spanish as the system language in mind.

Conclusion

Malware is constantly evolving, as is illustrated by the Lumma stealer, which has multiple variations with varying functionality. Zanubis also aspires to become a fully armed banking trojan that could inflict financial losses and steal the personal data of mobile users. This constant change in malicious code and cybercriminal TTPs is a challenge for defense teams. To protect itself, an organization must learn about new threats as soon as they emerge. Intelligence reports can help you stay on top of the latest malicious tools and attacker TTPs. If you’d like to stay up to date on the latest TTPs being used by criminals, or have questions about our private reports, please contact us at crimewareintel@kaspersky.com.

Indicators of compromise (MD5s)

Lumma
6b4c224c16e852bdc7ed2001597cde9d
844ab1b8a2db0242a20a6f3bbceedf6b
a09daf5791d8fd4b5843cd38ae37cf97
5aac51312dfd99bf4e88be482f734c79
d1f506b59908e3389c83a3a8e8da3276
c2a9151e0e9f4175e555cf90300b45c9

Zanubis

054061a4f0c37b0b353580f644eac554
a518eff78ae5a529dc044ed4bbd3c360
41d72de9df70205289c9ae8f3b4f0bcb
9b00a65f117756134fdb9f6ba4cef61d
8d99c2b7cf55cac1ba0035ae265c1ac5
248b2b76b5fb6e35c2d0a8657e080759
a2c115d38b500c5dfd80d6208368ff55

Letos do nabídky bezpečnostních kamer Reolink přibyly novinky s vyšší kvalitou záznamu a několika vychytávkami. Protože jsme už před lety testovali podobnou kameru Reolink s nižším rozlišením, byly jsme zvědaví, jak se technologie posunuly. Původně jsem na test chtěl jen 4K kameru Argus PT ...

Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser. Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia). Exploitation of such buffer overflow flaws can THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comZero Day / Vulnerability37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Posted by Eugene Liderman and Roger Piqueras Jover

SMS texting is frozen in time.

People still use and rely on trillions of SMS texts each year to exchange messages with friends, share family photos, and copy two-factor authentication codes to access sensitive data in their bank accounts. It’s hard to believe that at a time where technologies like AI are transforming our world, a forty-year old mobile messaging standard is still so prevalent.

Like any forty-year-old technology, SMS is antiquated compared to its modern counterparts. That’s especially concerning when it comes to security.

The World Has Changed, But SMS Hasn’t Changed With It

According to a recent whitepaper from Dekra, a safety certifications and testing lab, the security shortcomings of SMS can notably lead to:

• SMS Interception: Attackers can intercept SMS messages by exploiting vulnerabilities in mobile carrier networks. This can allow them to read the contents of SMS messages, including sensitive information such as two-factor authentication codes, passwords, and credit card numbers due to the lack of encryption offered by SMS.
• SMS Spoofing: Attackers can spoof SMS messages to launch phishing attacks to make it appear as if they are from a legitimate sender. This can be used to trick users into clicking on malicious links or revealing sensitive information. And because carrier networks have independently developed their approaches to deploying SMS texts over the years, the inability for carriers to exchange reputation signals to help identify fraudulent messages has made it tough to detect spoofed senders distributing potentially malicious messages.

These findings add to the well-established facts about SMS’ weaknesses, lack of encryption chief among them.

Dekra also compared SMS against a modern secure messaging protocol and found it lacked any built-in security functionality.

According to Dekra, SMS users can’t answer ‘yes’ to any of the following basic security questions:

• Confidentiality: Can I trust that no one else can read my SMSs?
• Integrity: Can I trust that the content of the SMS that I receive is not modified?
• Authentication: Can I trust the identity of the sender of the SMS that I receive?

But this isn’t just theoretical: cybercriminals have also caught on to the lack of security protections SMS provides and have repeatedly exploited its weakness. Both novice hackers and advanced threat actor groups (such as UNC3944 / Scattered Spider and APT41 investigated by Mandiant, part of Google Cloud) leverage the security deficiencies in SMS to launch different types of attacks against users and corporations alike.

Malicious cyber attacks that exploit the insecurity of SMS have resulted in identity theft, personal or corporate financial losses, unauthorized access to accounts and services, and worse.

Users Care About Messaging Security and Privacy Now More Than Ever

Both iOS and Android users understand the importance of security and privacy when sending and receiving messages, and now, they want more protection than what SMS can provide.

A new YouGov study examined how device users across platforms think and feel about SMS texting as well as their desire for more security to protect their text messages.

It’s Time to Move on From SMS

The security landscape as it relates to SMS is simple:

• SMS is widely used
• SMS is easily abused because it has so few protections
• Smartphone users across mobile platforms care more about security than ever before

The continued evolution of the mobile ecosystem will depend on users' ability to trust and feel safe, regardless of the phone they may be using. The security of the mobile ecosystem is only as strong as its weakest link and, unfortunately, SMS texting is both a large and weak link in the chain largely because texts between iPhones and Androids revert to SMS.

As a mobile ecosystem, we collectively owe it to all users, across platforms, to enable them to be as safe as possible. It’s a shame that a problem like texting security remains as prominent as it is, particularly when new protocols like RCS are well-established and would drastically improve security for everyone.

Today, most global carriers and over 500 Android device manufacturers already support RCS and RCS is enabled by default on Messages by Google. However, whether the solution is RCS or something else, it’s important that our industry moves towards a solution to a problem that should have been fixed before the smartphone era ever began.

A new threat actor known as AtlasCross has been observed leveraging Red Cross-themed phishing lures to deliver two previously undocumented backdoors named DangerAds and AtlasAgent. NSFOCUS Security Labs described the adversary as having a "high technical level and cautious attack attitude," adding that "the phishing attack activity captured this time is part of the attacker's targeted strike on THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comMalware / Cyber Attack37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage. "This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression," a group of academics from the University of Texas at Austin, Carnegie Mellon University, University of THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comVulnerability / Endpoint Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Data security is in the headlines often, and it’s almost never for a positive reason. Major breaches, new ways to hack into an organization’s supposedly secure data, and other threats make the news because well, it’s scary — and expensive.  Data breaches, ransomware and malware attacks, and other cybercrime might be pricey to prevent, but they are even more costly when they occur, with the The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.comData Security / Cyber Attack37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641