Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed generated Mon, 13 Jun 2022 18:21:18 +0000

The new version of Hello XD ransomware, developed by Russian hackers, becomes undetectable by using a backdoor
https://www.securitynewspaper.com/2022/06/13/the-new-version-of-hello-xd-ransomware-developed-by-russian-hackers-becomes-undetectable-by-using-a-backdoor/
Mon, 13 Jun 2022 18:20:57 +0000

Information security specialists reported a notable increase in activity related to the Hello XD ransomware, which has been updated to add much stronger encryption than in its previous versions. This malware variant was first identified in late 2021, apparently developed from the leaked code of the Babuk ransomware and linked to multiple double extortion campaigns.

Experts at Palo Alto Networks report that the creator of this malware variant developed a new encryptor focused on bypassing detection and changed the encryption algorithm, which has put Hello XD well ahead of Babuk and other similar strains and significantly increased its effectiveness.

As mentioned by Palo Alto experts, Hello XD was developed by a presumably Russian threat actor identified as X4KME, known for publishing various online tutorials for the implementation of Cobalt Strike for malicious purposes.

Attack process

Unlike other ransomware operations, Hello XD does not use a site on the Tor network to publish victims’ leaked information, but instead carries out the negotiation through the TOX chat service. In addition, the latest version of the malware adds a still-in-development onion website to the ransom note shown to victims, so its intended purpose is not yet known.

In addition to the new encryptor, the developer of Hello XD included MicroBackdoor, an open-source backdoor that allows hackers to browse the infected system, execute arbitrary commands and remove any trace of malicious activity. The backdoor executable, like the ransomware payload, is encrypted with the WinCrypt API.

The payload packer, for its part, has two layers of obfuscation. The malware developer derived this packer by modifying UPX, an open-source packer widely used by other malware developers.

Decrypting the embedded blobs requires a custom algorithm that uses unconventional instructions such as XLAT, while the API calls in the packer are not obfuscated. Hello XD also changed its encryption scheme from HC-128 with Curve25519-Donna to the Rabbit cipher with Curve25519-Donna.

Experts believe that the features added to the new version of Hello XD could make it one of the dominant ransomware variants over the next few months, so it is important for the cybersecurity industry to track this malware’s development closely.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.  

Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013
https://www.securitynewspaper.com/2022/06/09/education-and-telecommunication-organizations-based-in-singapore-hong-kong-vietnam-cambodia-and-australia-were-being-spied-on-since-2013/
Thu, 09 Jun 2022 22:34:54 +0000

Researchers at security firm SentinelLabs report the detection of a new Chinese-speaking hacking group, identified as Aoqin Dragon, that has been active since 2013. According to the experts, this group focuses on cyber espionage against government, educational, and telecommunications organizations in Australia, Hong Kong, Singapore, and Vietnam.

The main attack method, employed by this group between 2012 and 2015, involves Microsoft Office documents specially crafted for the exploitation of known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333. This tactic was first detected in 2014, in a phishing campaign associated with the Advanced Persistent Threat (APT) operation known as Naikon.

SentinelLabs identified a second hacking method associated with Aoqin Dragon, based on hiding malicious executables in icons of fake antivirus products. After execution, a malware sample was delivered to the affected systems.

Starting in 2018, hackers left these tactics behind to resort to using a removable disk shortcut file; clicking this icon triggers a DLL hijack and loads an encrypted payload to deliver a backdoor. This malware runs under the name “Evernote Tray Application” and is executed at system startup; if any removable drives are detected, a copy of the payload will be created to expand the infection.

SOURCE: SentinelLabs

At least two backdoor variants used by this group have been identified. The first, known as Mongall, is a DLL injected into memory, protected with encryption and under continuous maintenance since its launch in 2013. This backdoor profiles the host and sends the details to the C&C server over an encrypted channel.

The second, Heyoka, is an open-source exfiltration tool that uses spoofed DNS requests to create a two-way communication tunnel. The hackers use Heyoka to copy files off compromised devices while preventing the affected administrators from detecting the malicious activity in its early stages.

Aoqin Dragon is an unusual case, as it managed to go unnoticed for almost ten years. This has been possible due to the continuous evolution of its strategies and the periodic change of tactics, so it is highly likely that this cybercriminal group will change its behavior again in the near future.

New rootkit malware for Linux is undetectable and is quickly spreading throughout Latin America. Protect your servers before it’s too late
https://www.securitynewspaper.com/2022/06/09/new-rootkit-malware-for-linux-is-undetectable-and-is-quickly-spreading-throughout-latin-america-protect-your-servers-before-its-too-late/
Thu, 09 Jun 2022 16:54:23 +0000

BlackBerry ThreatVector researchers detailed the detection of a new malware strain for Linux systems capable of living at the expense of compromised system resources. Dubbed Symbiote, experts say that this strain is highly sophisticated and has a parasitic behavior never seen before, advancing by leaps and bounds throughout Latin America.

The main feature of Symbiote is that it must infect other running processes in order to operate. Instead of a standalone executable, as with conventional malware, it is a shared object (.so) library that is loaded into running processes through LD_PRELOAD, thereby infecting vulnerable systems.

After infecting running processes on the system, Symbiote provides its operators with rootkit functionalities, in addition to remote access and credential collection capabilities.

Origins

Researchers first detected the malware in November 2021, attributing it to hacking groups targeting the financial sector in Latin America. Once it has infected a system, Symbiote hides every hint of malicious activity, making infections virtually undetectable, even with forensic analysis techniques.

In addition to its rootkit tactics, the malware also implants a backdoor in the system so that operators can log in like any user, using an encrypted password, and execute commands with high privileges.

Another interesting feature of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Other malware variants have used BPF to conceal their C&C communications; Symbiote instead uses it to hide malicious network traffic on infected systems.

When an administrator launches a packet capture tool on the affected Linux system, the tool injects BPF bytecode into the kernel that defines which packets should be captured. Symbiote adds its own bytecode to that filter first, so the traffic it wants to hide is filtered out before the capture tool ever sees it.

Evasion tactics

This malware is highly stealthy. According to the experts, Symbiote is designed to be loaded through the LD_PRELOAD directive, which causes it to be loaded before any other shared object. Because it loads first, it can hijack the imports of the other libraries loaded by the application.

Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions. The following screenshot shows the malware’s various evasion tactics:

SOURCE: BlackBerry ThreatVector

Because Symbiote works as a user-mode rootkit, an infection can be difficult to detect. Network telemetry can be used to spot anomalous DNS requests, and security tools such as antivirus should be statically linked to ensure that they are not themselves “infected” by user-mode rootkits. The infection vectors are still unknown, so Linux system administrators should remain vigilant for any hint of infection.

8 critical vulnerabilities in GitLab would allow hackers to install backdoors in your code
https://www.securitynewspaper.com/2022/06/06/8-critical-vulnerabilities-in-gitlab-would-allow-hackers-to-install-backdoors-in-your-code/
Mon, 06 Jun 2022 17:12:14 +0000

In its most recent security release, GitLab announced GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) versions 15.0.1, 14.9.4, and 14.9.5. These updates contain important security fixes, so users of earlier versions are encouraged to apply them as soon as possible to prevent malicious activity.

According to the report, GitLab fixed a total of eight vulnerabilities of varying severity, whose exploitation would have allowed threat actors to carry out multiple attack scenarios, including cross-site scripting (XSS), privilege escalation, and even the installation of backdoors in GitLab projects. The detected and addressed flaws are described below, along with their tracking key and the score assigned under the Common Vulnerability Scoring System (CVSS).

Account takeover via SCIM email change: When group SAML SSO is configured, the SCIM feature would allow any owner of a Premium group to invite arbitrary users by username and email address, then change those users’ email addresses through SCIM to an attacker-controlled address and take over the affected accounts, provided those accounts had no multi-factor authentication. The flaw received a CVSS score of 9.9/10 and was tracked as CVE-2022-1680.

Stored XSS in the Jira integration: A stored cross-site scripting (XSS) flaw in the Jira integration would allow threat actors to execute arbitrary JavaScript code in GitLab through specially crafted Jira issues. The flaw was tracked as CVE-2022-1940 and received a CVSS score of 7.7/10.

XSS attack in quick actions: The absence of input validation in quick actions would allow threat actors to exploit an XSS bug by injecting HTML into contact details. The flaw received a CVSS score of 8.7/10 and received the tracking key CVE-2022-1948.

IP allowlist bypassing when using Activation Tokens: Incorrect authorization in GitLab EE would allow threat actors to misuse an activation token from any location, even evading IP address restrictions. The flaw received a CVSS score of 6.5/10 and was tracked as CVE-2022-1935.

IP allowlist bypassing when using Project Deployment Tokens: Improper authorization in GitLab would have allowed malicious hackers using project deployment tokens to access from any location, even with IP address restrictions enabled. The flaw was tracked as CVE-2022-1936 and received a CVSS score of 6.5/10.

Incorrect authorization in Interactive Web Terminal: When the Interactive Web Terminal feature is configured, incorrect authorization would allow users with the Developer role to open terminals in running jobs of other developers, potentially exposing these jobs to hacking scenarios. The vulnerability was tracked as CVE-2022-1944 and received a CVSS score of 5.4/10.

Subgroup members can list members of the parent group: An issue in all versions of GitLab CE/EE would allow a member of a subgroup to access the list of members of its parent group. The vulnerability received a CVSS score of 4.3/10 and was tracked as CVE-2022-1821.

Group member lock bypass: Malicious group maintainers could add new members to a project within their group via REST APIs, even after group owners enable settings to prevent members from being added to projects within the group. The flaw was tracked as CVE-2022-1783 and received a CVSS score of 2.7/10.

GitLab adds that these fixes are part of its effort to maintain the highest security standards and improve the user experience. For more information, users can visit the FAQ section of GitLab, where more detailed descriptions of every single flaw and its corresponding security patches are found.

The code hosting and development service also lets users receive security notifications directly in their inbox by signing up through its contact page. To receive notifications of new releases via RSS, GitLab users can subscribe to the GitLab Security Release RSS feed.

Popular Python package ctx Python and PHP library were compromised and injected with a backdoor
https://www.securitynewspaper.com/2022/05/24/popular-python-package-ctx-python-and-php-library-were-compromised-and-injected-with-a-backdoor/
Tue, 24 May 2022 16:25:02 +0000

Researchers report that ctx Python, one of the most popular packages in the Python ecosystem, was compromised by threat actors who injected a backdoor that users could not easily detect.

As reported just a few hours ago, the package received an update version identified as v0.2.6, which attracted attention because ctx Python had not received updates in 8 years.

After the update was reflected in the GitHub repository, some researchers began analyzing the code and found a suspicious addition:

The added code runs when a dictionary object is created: it sends all of the process’s environment variables to the URL of a Heroku application under the attackers’ control.

Experts consider this a clear sign that the current version of the package has been manipulated for malicious purposes and should not be used.

Other versions of a ‘phpass’ fork, published in the Packagist repository, were also manipulated to add this malicious code. PHPass has reportedly been downloaded about 2.5 million times.

According to security researcher Somdev Sangwan, the insertion of this backdoor could be aimed at extracting access credentials for Amazon Web Services (AWS).

The malicious version was released on May 14, so users who installed the package before that date are employing the original version (v0.1.2) and will not be affected by this issue. On the other hand, any installation of ctx Python after May 14 could include malicious code.

As for the attack method, specialists mention that the domain name of the original ctx Python maintainers had expired, which would have allowed the attackers to register it again, take control of the package, and add the malicious payload for distribution.

The official page of the ctx Python project in PyPI has been removed, showing the error ‘Not Found’ to visitors.

2 critical vulnerabilities in the Linux operating system allow backdoors to be installed with root privileges
https://www.securitynewspaper.com/2022/04/27/2-critical-vulnerabilities-in-the-linux-operating-system-allow-backdoors-to-be-installed-with-root-privileges/
Wed, 27 Apr 2022 17:01:38 +0000

A Microsoft security report details the finding of a set of vulnerabilities that would allow threat actors to escalate privileges on Linux systems in order to inject ransomware, backdoors, and other severe threats. The flaws were identified as Nimbuspwn and their exploitation would trigger access to root privileges on compromised systems.

Nimbuspwn refers to the CVE-2022-29799 and CVE-2022-29800 flaws, which reside in networkd-dispatcher, a component that dispatches network connection state changes on Linux machines. The flaws were discovered during an analysis of messages on the system bus, which led to a review of the networkd-dispatcher code flow.

Microsoft researcher Jonathan Bar Or mentions that this set of flaws involves issues such as path traversal errors, symbolic link races, and time-of-check to time-of-use (TOCTOU) race conditions. Additionally, during the analysis it was observed that the networkd-dispatcher daemon was running with root privileges from system boot.

Microsoft discovered that the daemon used a method called “_run_hooks_for_state” to discover and run scripts based on the detected network state.

The logic of this method returns the executable scripts owned by the root user and root group found in the directory for the given state, then executes each of those scripts with subprocess.Popen, passing custom environment variables.

According to Microsoft, the execution of “_run_hooks_for_state” is what gives rise to these security problems. Exploiting Nimbuspwn would allow a threat actor with low privileges on the affected Linux system to escalate to root by sending arbitrary signals over the system bus.

A description of the steps for a successful exploitation is shown in the following diagram, divided into three attack steps:

Microsoft specifies that successful exploitation requires planting various files on the affected system.

The report concludes by noting that there are many environments where the attack is feasible, including Linux Mint, where the systemd-networkd service, which normally owns the bus name “org.freedesktop.Network1”, is not started at boot by default.

Advanced NSA backdoor detected in 245 organizations in 45 countries including China, India and Mexico
https://www.securitynewspaper.com/2022/02/24/advance-nsa-backdoor-detected-in-245-organizations-in-45-countries-including-china-india-and-mexico/
Thu, 24 Feb 2022 17:51:04 +0000

A recent report points to the detection of Bvp47, a backdoor for Linux systems developed by Equation Group, a group of threat actors allegedly linked to the U.S. National Security Agency (NSA). Although it was included in the VirusTotal database in 2013, this backdoor is still active and has remained hidden in countless deployments.

Initial reports indicated that only one antivirus engine was able to detect a Bvp47 sample, although more indicators of compromise have since been published, which should considerably improve detection of this threat.

The backdoor was first identified by Chinese security firm Pangu Lab, which describes it as an advanced Linux implant with remote access capabilities protected by RSA asymmetric cryptography, so that a private key is required to activate it. The malware is said to have impacted almost 300 organizations in 45 countries, going unnoticed for almost 10 years.

This private key was found in the leaks published by the Shadow Brokers, alongside other hacking tools and zero-day exploits used by Equation Group. The backdoor could also operate on other major Unix-like systems, including JunOS, FreeBSD, and Solaris.

A subsequent automated analysis appears to confirm the authorship of Bvp47, as it shares multiple features with another backdoor developed by Equation Group. According to Kaspersky experts, this backdoor shares 30% of its code strings with other malware identified in 2018 and available in the VirusTotal database.

Regarding the Bvp47 attack, the researchers point out that the threat actors control three servers: one external machine responsible for the attacks and two internal machines, an email server and a business server.

The attackers establish a connection between the external server and the email server via a TCP SYN packet carrying a 264-byte payload. The email server then connects to the business server’s SMB service to perform sensitive operations, including running PowerShell scripts.

The business server then connects to the email server to download additional files, including the PowerShell script and the encrypted second-stage data. The connection between the internal machines carries encrypted data over a specialized protocol.

Squirrelwaffle malware takes control of vulnerable Microsoft Exchange servers to spread banking scam
https://www.securitynewspaper.com/2022/02/15/squirrelwaffle-malware-takes-control-of-vulnerable-microsoft-exchange-servers-to-spread-banking-scam/
Wed, 16 Feb 2022 00:06:24 +0000

Researchers at security firm Sophos recently reported a hacking campaign in which the ProxyLogon and ProxyShell exploits were used against an unpatched Microsoft Exchange server. The compromised server was then used for the mass distribution of Squirrelwaffle, a malware loader delivered by hijacking existing email threads to deceive employees of the affected organizations and commit financial fraud.

About Squirrelwaffle, the researchers mention that this is a malware loader distributed as a malicious Microsoft Office document in spam campaigns. This tool allows threat actors to gain access to the victim’s system and facilitates the delivery of malware variants for later attack stages, including phishing and banking fraud.

If a targeted user opens an email with an infected attachment and enables macros, a Visual Basic script runs and downloads Cobalt Strike Beacons, giving the hackers full control of the vulnerable system.

Although this is a well-known attack pattern, Squirrelwaffle’s latest operation stands out on its own merits. While conventional attacks are cut short by applying security updates, the use of hijacked email threads in this incident let the hackers keep the attack going even after security patches were applied.

Using the information contained in these emails, the hackers registered a web domain deceptively similar to a legitimate platform, using a small misspelling to avoid detection. Taking the conversation out of the victim’s email infrastructure allowed the attackers to calmly carry out the rest of the process.

The next step only involved sending malicious emails to the conversation, trying to trick finance employees into making transfers to bank accounts controlled by the hackers. The use of other methods, such as creating more deceptive domains, made this deception almost undetectable, as seen below:

In a supposed follow-up email added to the thread, reference is made to the new bank details and an attempt is made to create a sense of urgency in the minds of the targeted employees. In the operation detected by Sophos, the threat actors kept pressing for the bank transfer by sending fake urgent messages.

After days of exerting pressure, the hackers were finally informed that the payment was being processed.

According to Sophos, the theft was about to take place, although one of the financial institutions involved detected signs of electronic fraud and the transfer was interrupted.

This is an even more complex variant of a known attack, so it is necessary to take action on it. To begin with, it is best to apply all the updates available for your system, in addition to applying email security policies that help prevent members of an organization from interacting with malicious content.

APT group TA2541 has been targeting thousands of organizations across aviation, aerospace, transportation, manufacturing, and defense industries worldwide
https://www.securitynewspaper.com/2022/02/15/apt-group-ta2541-has-been-targeting-thousands-of-organizations-across-aviation-aerospace-transportation-manufacturing-and-defense-industries-worldwide/
Tue, 15 Feb 2022 19:39:30 +0000

A report by security firm Proofpoint details the finding of a hacking campaign that employs phishing and social engineering tactics to distribute a dangerous remote access Trojan (RAT) on compromised systems. According to the report, the operation is run by TA2541, a hacking group first detected in 2017 that threatens critical infrastructure in all parts of the world.

Unlike other similar groups, TA2541 does not usually use current events, topics of general interest or false promotions to attract potential victims. Instead, this group draws on topics related to transportation, aviation, commercial flights, tourism, and the airline industry in general. This campaign has been detected in countries in North America, Europe, Asia and the Middle East.

Below we can see an example of the emails sent by these hackers:

Proofpoint researchers found that the emails used by this group contained a Google Drive URL that redirected affected users to an obfuscated Visual Basic Script (VBS) file; when executed, it retrieves an executable stored as text on platforms such as Pastetext or GitHub.

Hackers run PowerShell on various Windows processes and query Windows Management Instrumentation (WMI) to search for security products on the affected system and try to disable them. Finally, hackers will collect information from the affected system before installing the RAT.

In addition to Google Drive, the threat actors also use Discord links that redirect users to compressed files containing AgentTesla or Imminent Monitor. TA2541 has also delivered email attachments with embedded executables that contain the malicious URL.

VBS files are also used to maintain persistence for an AsyncRAT payload: a VBS file pointing to a PowerShell script is added to the home directory.

Experts also report that TA2541 has used more than a dozen different malware payloads since it appeared on the cybercriminal scene, always relying on commodity malware sold on criminal forums or published in code repositories. While the group currently relies mainly on AsyncRAT, it has also used other variants such as NetWire, Parallax and WSH RAT.

Given the characteristics of the malware variants used by this group, the researchers believe that these campaigns have as their main purpose the collection of information and remote access to infected systems. However, the researchers have not been able to confirm what the real goals of this group are.

This group has been a constant threat for the past few years and is highly likely to remain one in the medium term, so system administrators will need to stay alert to any attack attempts related to TA2541.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Clients using Magento 1 e-commerce platform are getting hacked https://www.securitynewspaper.com/2022/02/10/clients-using-magento-1-e-commerce-platform-are-getting-hacked/ Fri, 11 Feb 2022 00:17:34 +0000

In its latest security alert, Adobe asked users of the Magento 1 e-commerce platform to update to the latest available version of Adobe Commerce; this comes after the company was notified of an attack against more than 500 online stores running this software.

This wave of attacks was reported this week by security firm Sansec, which released a report revealing that hundreds of stores were compromised by a skimming tool loaded from the domain naturalfreshmall.com.

The company asked victims to contact its support team so that a common entry point can be identified and other merchants protected against a potential new attack. Adobe also mentions that the first stage of the investigation has already been completed, so it is known that the attackers used a combination of SQL injection and PHP object injection (POI) to take control of the vulnerable software.

It is important to remember that Adobe has stopped supporting Magento software, although this has not been an impediment for thousands of e-commerce websites to continue using it.

By analyzing one of the intrusions in detail, the researchers found that the attackers left 19 backdoors on the target system, so they recommended victims use a malware scanning solution to identify all instances of malicious files or compromised Magento code.

Since its launch, Magento has created constant problems for Adobe and its thousands of users. At the end of 2021, cybersecurity specialists reported that more than 4,000 online stores had reportedly been compromised by hacking groups exploiting known vulnerabilities in Magento, representing losses of hundreds of thousands of dollars.

In addition, in 2020 Sansec also reported hundreds of attacks against Magento online stores, while by then Adobe already foresaw massive attacks against Magento 1.x implementations, although they were confident that versions 2.x could be considered safe.

Hackers are mailing ransomware-infected USB devices to employees of hundreds of companies to take control of their networks https://www.securitynewspaper.com/2022/01/10/hackers-are-mailing-ransomware-infected-usb-devices-to-employees-of-hundreds-of-companies-to-take-control-of-their-networks/ Mon, 10 Jan 2022 18:52:28 +0000

In its latest alert, the Federal Bureau of Investigation (FBI) mentions that the financially motivated cybercriminal group known as FIN7 has been attacking the U.S. defense industry, sending malicious USB devices with the LilyGO logo to some employees; these devices are loaded with a powerful ransomware variant.

The cybercriminals reportedly used the U.S. Postal Service (USPS) and the United Parcel Service (UPS) network to ship BadUSB or Bad Beetle USB devices, used to obtain an entry point to potentially affected organizations.

The agency details how the attackers posed as members of Amazon and the U.S. Department of Health and Human Services (HHS), tricking affected users into opening the packages and connecting the devices to their work computers.

To get users to connect the USB device, the hackers claim it contains government files on COVID-19 measures, or fake gift cards for online services.

SOURCE: Trustwave

When a victim connects one of these devices to a computer, it registers itself as a Human Interface Device (HID) keyboard, which allows it to keep working even on systems where USB storage devices are blocked. Once registered, it injects keystrokes to install malware payloads.

As mentioned above, the main goal of this campaign is to deploy various ransomware variants on the affected systems. To do this, the hackers use tools such as Metasploit, Cobalt Strike, the Griffon backdoor and some PowerShell scripts, in addition to ransomware variants such as BlackMatter and REvil. The real scope of the attack is currently unknown, although it is not ruled out that hundreds of organizations are affected.

This report comes after the FBI detailed an operation in which FIN7 posed as Best Buy to send similar packages with malicious flash drives through USPS to hotels, restaurants and retailers. Reports of such attacks began to emerge in February 2020 and have continued for nearly two years.

How to perform digital forensics of malicious PDF files? Easily checking if a PDF document has malware or backdoors https://www.securitynewspaper.com/2021/12/04/how-to-perform-digital-forensics-of-malicious-pdf-files-easily-checking-if-a-pdf-document-has-malware-or-backdoors/ Sat, 04 Dec 2021 17:20:00 +0000

The PDF format has become one of the most popular ways to view files, as this format is compatible with all kinds of technological devices, including desktop computers, laptops, electronic tablets and smartphones. Because of this universal presence, threat actors began using these documents to deliver malware and easily deploy other attack variants.

This time, specialists from the International Institute of Cyber Security (IICS) will show you how to apply digital forensics to analyze PDF documents and determine if they are compromised with any variant of malicious content.

Before going on, it is worth recalling that an attack chain via PDF usually begins with malicious documents sent by email. When these documents are opened on the affected system, in most cases JavaScript code runs in the background that can exploit vulnerabilities in tools such as Adobe PDF Reader or drop executable files for later attack stages.

PDF documents, whether legitimate or malicious, have four main elements, according to digital forensics experts:

  • Header: contains the document's version and other general data
  • Body: the document's objects; this element contains the streams used to store data
  • Cross-reference table: points to each object
  • Trailer: points to the cross-reference table

Now that we know the essential information about an attack via PDF documents, we will be able to review each way to analyze these elements.

PDF scanning using PDFiD

PDFiD is a component of Didier Stevens Suite capable of scanning PDF documents using a string list to detect JavaScript elements, embedded files, actions when opening files, and counting specific lines in a document.

In this example, we can see that PDFiD detected various objects, streams, JavaScript code, and OpenAction elements in the Report.pdf file. According to digital forensics experts, the presence of these elements suggests that the analyzed file contains JavaScript or Flash content. The /EmbeddedFile element indicates that other file formats are present inside the PDF, while the /OpenAction, /AA and /AcroForm elements trigger automatic actions when the file is opened.

View the contents of PDF objects

We already know that the analyzed PDF file contains JavaScript code. This is the starting point of the investigation: to find the indirect JavaScript object, run the pdf-parser.py tool.

Based on the result of these scans, the hidden JavaScript code will execute the malware every time the file is opened, so the next step is to extract the malicious payload.

Extracting embedded files using Peepdf

This is a Python tool that contains all the components needed to validate and analyze PDF files, according to digital forensics experts. To take full advantage of its capabilities, enter the command peepdf -i file_name.pdf; the -i option enables the script's interactive mode:

To see the remaining features, enter the --help command:

The scan result indicates that there is a file embedded in object 14. A closer inspection of this object shows that it points to object 15, which in turn points to object 16. Finally, object 17 shows indications of a malicious file.

According to the PDF's contents there is only one stream in the file, and it also corresponds to object 17. Therefore, object 17 is the stream that holds the embedded file.

Stream 17 contains a file signature that begins with MZ (hexadecimal 4d 5a). According to digital forensics experts, this is the signature of an executable file.

Next, we will save the stream as an executable named virus.exe.
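As an added example (not code from the original article, nor from the PDFiD, pdf-parser or peepdf tools), the following Python script reproduces the static steps above on a constructed sample: PDFiD-style keyword counts, chasing the indirect-object chain 14 -> 15 -> 16 -> 17, and checking whether a stream starts with the MZ signature. The sample PDF, its object numbers and the placeholder MZ bytes are constructed here and are not taken from Report.pdf; stream filters (e.g. /FlateDecode) are not decoded, which is one thing the real tools handle.

```python
import re
# Constructed sample, not a real document: it has the features the tools above flag
# (/OpenAction, /JavaScript, an MZ-prefixed /EmbeddedFile stream) and the 14->15->16->17 chain.
FAKE_EXE = b"MZ" + b"\x90" * 30  # placeholder bytes, not a runnable executable
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names 14 0 R >> endobj\n",
    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n",
    b"14 0 obj << /EmbeddedFiles 15 0 R >> endobj\n",
    b"15 0 obj << /Names [(payload) 16 0 R] >> endobj\n",
    b"16 0 obj << /Type /Filespec /EF << /F 17 0 R >> >> endobj\n",
    b"17 0 obj << /Type /EmbeddedFile /Length " + str(len(FAKE_EXE)).encode()
    + b" >>\nstream\n" + FAKE_EXE + b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# Names PDFiD counts; the article treats their presence as a warning sign.
KEYWORDS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/AcroForm",
            b"/EmbeddedFile", b"/Launch"]
OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)

def count_keywords(pdf: bytes) -> dict:
    """PDFiD-style whole-name counts; #xx hex escapes inside names are decoded first."""
    pdf = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), pdf)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf))
            for k in KEYWORDS}

def parse_objects(pdf: bytes) -> dict:  # object number -> raw body (dict + stream)
    return {int(n): body for n, body in OBJ_RE.findall(pdf)}

def follow_refs(objs: dict, start: int, seen=None) -> list:
    """Chase indirect references (n 0 R) from `start`; returns objects in visit order."""
    seen = [] if seen is None else seen
    if start in seen or start not in objs:
        return seen
    seen.append(start)
    for ref in re.findall(rb"(\d+) 0 R", objs[start]):
        follow_refs(objs, int(ref), seen)
    return seen

def stream_data(body: bytes) -> bytes:
    """Raw bytes between stream/endstream (filters are not decoded), or b"" if none."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    return m.group(1) if m else b""

def find_mz_streams(pdf: bytes) -> list:
    """Object numbers whose stream starts with the MZ (4d 5a) executable signature."""
    return [n for n, body in parse_objects(pdf).items()
            if stream_data(body)[:2] == b"MZ"]
```

On the sample, count_keywords reports one each of /JS, /JavaScript, /OpenAction and /EmbeddedFile, follow_refs walks 14, 15, 16, 17, and find_mz_streams returns object 17, matching the manual steps above.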

Behavioral analysis

Run the file in a virtualized environment, in this case a 32-bit Windows 7 virtual machine.

As you can see from the Process Explorer window, virus.exe created two suspicious processes (zedeogm.exe, cmd.exe) that were interrupted after starting.

According to Process Monitor, the zedeogm.exe file was written to disk and started as a running process. It then changed the rules configured in Windows Firewall. The next step was to run the WinMail.exe file; after that, the program launched cmd.exe to run the tmpd849fc4d.bat file and stop the process.

Conclusion

The use of digital forensics techniques for the analysis of PDF documents can be essential to avoid interacting with malicious content. Together with other preventive measures, this practice can close one of the main vectors of threats today.

Other recommended measures to prevent this threat include:

  • Verify the sender of any unexpected email
  • Ignore links or attachments in unsolicited emails
  • Keep your antivirus tools up to date at all times
  • Check for typos, which are very common in malicious emails

As usual, we remind you that this material was prepared for informational purposes only and should not be taken as a call to action. IICS is not responsible for the misuse that may occur to the information contained herein.
