Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

New 'HrServ.dll' Web Shell Detected in APT Attack Targeting Afghan Government

The Hacker News - 4 hours 49 min ago
An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what’s suspected to be an advanced persistent threat (APT) attack. The web shell, a dynamic-link library (DLL) named “hrserv.dll,” exhibits “sophisticated features such as custom encoding methods for client communication and in-memory execution,” Kaspersky security researcher Mert
Category: Hacking & Security

Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

The Hacker News - 5 hours 57 min ago
The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files. A brief description of the vulnerabilities is as follows - Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0. (CVSS score: 10.0)
Category: Hacking & Security

Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale

The Hacker News - 24 November 2023 - 16:32
More details have emerged about a malicious Telegram bot called Telekopye that's used by threat actors to pull off large-scale phishing scams. "Telekopye can craft phishing websites, emails, SMS messages, and more," ESET security researcher Radek Jizba said in a new analysis. The threat actors behind the operation – codenamed Neanderthals – are known to run the criminal enterprise as a
Category: Hacking & Security

Tell Me Your Secrets Without Telling Me Your Secrets

The Hacker News - 24 November 2023 - 11:53
The title of this article probably sounds like the caption to a meme. Instead, this is an actual problem GitGuardian's engineers had to solve in implementing the mechanisms for their new HasMySecretLeaked service. They wanted to help developers find out if their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) had found their way into public GitHub repositories. How
Category: Hacking & Security

Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel

The Hacker News - 24 November 2023 - 11:31
Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region. “Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar
Category: Hacking & Security

Kubernetes Secrets of Fortune 500 Companies Exposed in Public Repositories

The Hacker News - 24 November 2023 - 07:44
Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. “These encoded Kubernetes configuration secrets were uploaded to public repositories,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in new research published earlier this week. Some of those impacted include two top blockchain
Category: Hacking & Security

Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

The Hacker News - 23 November 2023 - 15:46
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan
Category: Hacking & Security

Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails

The Hacker News - 23 November 2023 - 13:54
Delivery- and shipping-themed email messages are being used to deliver a sophisticated malware loader known as WailingCrab. "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat
Category: Hacking & Security

6 Steps to Accelerate Cybersecurity Incident Response

The Hacker News - 23 November 2023 - 11:48
Modern security tools continue to improve in their ability to defend organizations’ networks and endpoints against cybercriminals. But the bad actors still occasionally find a way in. Security teams must be able to stop threats and restore normal operations as quickly as possible. That’s why it’s essential that these teams not only have the right tools but also understand how to effectively
Category: Hacking & Security

Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

The Hacker News - 23 November 2023 - 11:47
An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. “The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” Akamai said in an advisory
Category: Hacking & Security

Consumer cyberthreats: predictions for 2024

Kaspersky Securelist - 23 November 2023 - 11:00

In our previous summary of consumer predictions, we delved into tactics that we expected scammers and cybercriminals to use in 2023. As anticipated, they capitalized on major events and cultural crazes, using tricks that ranged from fake Barbie doll deals to exploiting the buzz around long-awaited video game releases, for example, by disguising malware as a cracked Hogwarts Legacy version, a classic move we have seen for years.

Cybercriminals continued targeting gamers’ accounts filled with valuable in-game items or giving access to games on several devices, and often used in-game currency to lure victims to participate in their scams. However, our prediction of continued console shortage spurred by the release of the PS5 VR set by Sony was not fulfilled, as the company announced in January the shortage was over.

Although we anticipated the arrival of a new social network to shake up the scene, none materialized. Instead, ChatGPT turned out to be the major tech revelation. Recognizing the heightened interest in new tech, cybercriminals cleverly targeted a broader potential audience with a stealer disguised as a ChatGPT desktop app. As ChatGPT went viral, other chatbots powered by generative AI appeared, and these technologies were quickly adopted as assistants in diverse areas including education. Teachers now use tools based on large language models (LLMs) to create lesson plans, math word problems, and emails to communicate with parents. Students use these tools in their hobbies and homework, and entrust their mental health to ChatGPT-like bots.

Speaking of education, although 2023 saw ransomware attacks against schools, university data breaches (such as those occurring through third-party platforms) and traditional back-to-school scams, we have not seen a significant surge in attacks on educational platforms or learning management systems (LMS) so far in 2023, so that prediction was only partially fulfilled. Nor have we seen any significant evolution of gamification in education, which makes that prediction false for now, although it may still come true in the long term.

As the initial Metaverse excitement took a backseat to AI, the threat landscape was milder than expected. Yet a metaverse company breach that led to malicious emails being sent to its users hinted at ongoing risks. Although our predictions regarding the Metaverse did not fully materialize in 2023, we reiterate what we said earlier, as we consider this a long-term trend. Mark Zuckerberg’s recent interview in the Metaverse revived consumer interest in this topic, potentially luring cyber-troublemakers. We foresee this trend continuing, which will emphasize the need for a decision-making policy on emerging metaverses.

Although we have not seen any cases of cybercriminals targeting mental health apps in 2023, their security was discussed from a variety of perspectives. In March, a mental health startup disclosed that it inadvertently had been exposing personally identifiable information about more than 3 million people to third-party entities. In May, Mozilla published an extensive study on mental health app privacy, demonstrating that there was considerable room for improvement.

As we look to 2024, we believe that the consumer threat landscape will be heavily influenced by political, cultural, and technological events and trends. Below, we share our insights into potential consumer threats in the upcoming year.

Consumer threat predictions for 2024

More charity scams coming

Climate disasters, the pandemic, and numerous military conflicts worldwide are thrusting people into challenging life situations. Charitable foundations and activists step in to provide financial and humanitarian aid. The noble desire to assist those in need becomes a breeding ground for scammers who exploit the generosity of some and the problems of others. According to the United Nations, 2023 marked the year with the highest number of violent conflicts since World War II, and the prospects for resolving many of these remain unclear. Unfortunately, this ambiguity sets the stage for an anticipated increase in charity-related scams in 2024.

Not just threats: collaboration of online stores and charities

Just a few years ago, donations required separate transactions to distinct organizations on different websites. However, the current trend showcases a growing popularity of collaborations between online services and charitable foundations. For instance, when making an online store purchase, rounding up the amount automatically channels the additional funds to a charity. This streamlined donation process both makes donating more accessible and generates higher amounts in aid. It is highly likely that the near future will see an uptick in collaboration between online stores and charitable foundations.

Internet segmentation

Amid growing geopolitical tensions, some web resources have blocked users from certain countries and regions. There are two main reasons for that: political pressure and DDoS attacks. In the first case, website owners residing in certain countries involved in a geopolitical conflict are forced to lock their political opponents out of their content. In the other case, organizations use geofencing to protect their resources from DDoS attacks. Whichever the reason, this leads to the segmentation of the internet, which damages the availability of information. Unfortunately, we expect this trend to continue in 2024, with more websites to be geofenced, which will make searching for information more complicated.

VPN services on the rise

A VPN creates an encrypted tunnel that effectively conceals user traffic from internet service providers and potential snoopers, thus reducing the number of parties that can access user data even on public Wi-Fi. Just a few years ago, the term was mostly understood by tech specialists and enthusiasts. However, with an increase in cyberliteracy, more individuals are now actively seeking ways to protect their personally identifiable information.

Additionally, current international conflicts have heightened national security concerns, which led to growing interest from government organizations and law enforcement agencies in detecting suspicious user data. Cognizant of these measures, individuals may perceive a potential impact on their data privacy and thus turn to robust privacy solutions like VPN.

Besides enhancing user privacy, VPN also addresses issues like internet segmentation and website geofencing, which are often consequences of geopolitical changes. These practices restrict access to information by location, but certain VPN clients can break through these barriers, allowing broader access to information.

As a result, demand for VPN solutions is expected to see a significant rise globally in the upcoming year.

Security over user comfort to spawn new security issues

In recent years, security concerns have prompted certain countries and territories to ban popular apps. For instance, in May 2023, the Montana governor signed a bill prohibiting all TikTok usage in the state starting in January 2024. This social media app is also banned from government devices in a number of countries worldwide. In Canada, a similar ban on the WeChat messenger was introduced in October.

While the stated goal of this policy is to protect sensitive data, banning popular apps may prove counterproductive. In the absence of TikTok and WeChat, demand for custom mods and unofficial alternatives may increase, likely to be exploited by cybercriminals. Malicious clones of the banned apps may rise to fill the void in 2024. We expect such attacks to become a trend in the near future.

P2E in cybercriminals’ sights

The play-to-earn (P2E) gaming sector, which draws millions of players, involves earning real-world value, such as cryptocurrency, through active participation in games. Given the substantial investment and the appeal of making money in P2E games, cybercriminals are poised to escalate their focus on exploiting this sector. The theft of $620 million worth of crypto from Axie Infinity is indicative, and we anticipate further incidents in the future.

The recent surge in Bitcoin’s rate, coupled with the allure of easy money-making through gaming, might draw increased attention from cybercriminals, positioning P2E players as a prime target. Heightened security measures and player education are imperative to shield the expanding P2E ecosystem from the escalating cyberthreats it faces.

Universal deepfake check tool

The evolution of deepfake technology, once a cause for widespread concern, has progressed significantly. Despite initial attempts to combat this phenomenon, the increasing quality of deepfakes has compelled society to reluctantly acknowledge its existence as a significant cyberthreat, which underscores an urgent need for a quick and reliable means of checking the authenticity of visual content.

This trajectory is anticipated to continue, and in the near future the potential for a more high-profile incident, linked to a major deepfake campaign involving political figures or celebrities, could stimulate the creation of a universal, user-friendly tool that would empower individuals to verify the authenticity of any image, video or audio content.

Voice deepfakes on the rise

In addition to already-familiar image deepfakes, voice cloning represents a major development pathway. Highly disruptive attacks, such as the 2020 incident at a UAE bank, have underscored the potential of voice deepfakes as a cybercrime tool.

As demonstrated by OpenAI’s latest presentation on voice assistants, the company’s advances in artificial voice content could contribute to progress. However, the technology could be exploited by fraudsters. Potential exploitation could lead to even more accessible deceptive content being created. A surge in the development of voice fakes is anticipated, and this evolution of deepfake technology is expected to continue.

Scammers go after premieres

As blockbuster movies like Dune: Part Two, Deadpool 3, Joker 2, Gladiator 2, and Avatar 3 move closer to hitting the screens, expect a surge in scams. Hollywood actors’ recent strike may have the pirating of “hot new films” as one of its side-effects, creating an ideal environment for a multitude of phishing sites. These deceptive platforms will claim to offer exclusive access, taking advantage of viewers’ eagerness to watch the highly anticipated releases.

The trend is not limited to film premieres. GTA VI, slated for release in 2024, is poised to be next year’s biggest gaming highlight. Just like GTA V before it, this will be an online game that uses in-game currency, and it will likely attract scammers. Classic schemes that involve pre-order keys and seemingly enticing prices will resurface as the gaming community welcomes the release of this highly awaited title.

N. Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack

The Hacker News - 23 November 2023 - 06:46
A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads,
Category: Hacking & Security

New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login

The Hacker News - 22 November 2023 - 16:23
New research has uncovered multiple vulnerabilities that could be exploited to bypass Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix,
Category: Hacking & Security

North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns

The Hacker News - 22 November 2023 - 13:14
North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world. The activity clusters have been codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42. While the first set of attacks
Category: Hacking & Security

AI Solutions Are the New Shadow IT

The Hacker News - 22 November 2023 - 12:08
Ambitious Employees Tout New AI Tools, Ignore Serious SaaS Security Risks. Like the SaaS shadow IT of the past, AI is placing CISOs and cybersecurity teams in a tough but familiar spot. Employees are covertly using AI with little regard for established IT and cybersecurity review procedures. Considering ChatGPT’s meteoric rise to 100 million users within 60 days of launch, especially with little
Category: Hacking & Security

HrServ – Previously unknown web shell used in APT attack

Kaspersky Securelist - 22 November 2023 - 11:00

Introduction

In the course of our routine investigation, we discovered a DLL file, identified as hrserv.dll, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Our analysis of the sample led to the discovery of related variants compiled in 2021, indicating a potential correlation between these separate occurrences of malicious activity.

Initial infection

According to our telemetry data, the PAExec.exe process initiates the creation of a scheduled task on the system named MicrosoftsUpdate (sic), which in turn is designed to execute a .BAT file.

"schtasks" /create /sc DAILY /tn MicrosoftsUpdate /tr "$system32\cmd.exe /c $public\JKNLA.bat $public\hrserv.dll" /ru system /f

The .BAT file accepts the path of a DLL file as an argument. In this instance, the script is provided with the file $public\hrserv.dll, which is then copied to the System32 directory. After this operation, the script configures a service via the system registry and the sc utility. It then activates the newly created service.

HrServ web shell
  • MD5: 418657bf50ee32acc633b95bac4943c6
  • SHA1: cb257e00a1082fc79debf9d1cb469bd250d8e026
  • SHA256: 8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5
  • Link time: 2023-Aug-30 08:28:15
  • File type: PE32+ executable (DLL) (console) x86-64, for MS Windows
  • Compiler: Microsoft Visual C/C++ (2015 v.14.0)

The sequence of operations starts with the registration of a service handler. HrServ then initiates an HTTP server utilizing the HTTP server API for its functionality. It calls the HttpAddUrlToGroup function to register the following URL so that matching requests are routed to the request queue.

http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/

Client-server communication uses custom encoding techniques that include Base64 encoding and FNV1A64 hashing algorithms.

Based on the type and information within an HTTP request, specific functions are activated. These functions are distinguished by the GET parameter named cp. In addition, the DLL file utilizes the value of the NID cookie for various purposes. The use of the GET parameter pattern and the cookie value is consistent with practices employed by Google. We suspect that this intentional similarity in naming conventions is intended to disguise these requests in network traffic, making it more challenging to detect such malicious activity.

An example of such a request would be:

&cp=1&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW&authuser=0&pq=

Request type, cp value and resulting action:

  • GET, cp=0: Call VirtualAlloc and copy a custom-decoded NID cookie value, then create a new thread.
  • POST, cp=1: Create a file using the custom-decoded NID cookie value and write the custom-decoded POST data to that file.
  • GET, cp=2: Read a file using the custom-decoded NID cookie value and return it as a response by appending it to the end of the “data:image/png;base64” string. If an error occurs while reading the file, HrServ responds with the string data:image/png;base64,c3Dlc+DheRzlKBV2Yh92KS//;
  • GET, cp=4: Return Outlook Web App HTML data.
  • POST, cp=6: Call VirtualAlloc and copy the custom-decoded POST data, then create a new thread.
  • GET, cp=7: Return Outlook Web App HTML data [duplicate of cp=4].

Code execution

If the cp value in the request is 6, this indicates a code execution process.

  • Initially, it extracts the value of the NID cookie and applies its custom decoding technique
  • It writes this decoded value to the specified registry path, denoted as “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\RemoteFile”
  • The custom-decoded POST data is then copied to the memory, after which a new thread is created and the process enters a sleep state.

In a particular observed scenario, the cp value is unknown. A multifunctional implant is activated in the system memory. The implant creates a file in the directory “%temp%”, retrieves information from the registry, performs some actions based on this information, and records the output of these actions in the created file. As a result, the registry and the temporary file are used as a communication channel between the implant and HrServ.

Available commands of the memory implant

Based on our telemetry data, after successfully establishing a foothold and placing the memory implant in the system memory, the next actions are to erase the previously existing traces by deleting the scheduled “MicrosoftsUpdate” job and both the initial DLL and batch files:

schtasks /delete /tn MicrosoftsUpdate /f
cmd /c "del /f/s/q $public\hrserv.dll & del /f/s/q $public\JKNLA.bat"

Older variants

We have also discovered earlier, differently named variants of HrServ. These DLL files date back to early 2021. They also use the custom encoding algorithm and behave the same way after a file read error. However, there are subtle differences.

  • The web shell URL of these older variants differs from the current one:
    https://+:443/owa/MSExchangeService.svc
  • These samples exhibit a distinct behavior by creating a process and retrieving its output through a pipe, as opposed to allocating a memory section and creating a thread from it.
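
The deployment chain, the cleanup commands and the request pattern above translate directly into host and web-log detection logic. The following is an added example written for this page; it is not Kaspersky's code. The indicators (the MicrosoftsUpdate task name, the hrserv.dll and JKNLA.bat file names, both web shell URL paths, the cp table and the fixed failed-read reply) are taken from the write-up; the log line format, the benign sample task and all sample lines are constructed for illustration and are not real telemetry.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the write-up above; everything is compared lower-cased.
SCHEDULED_TASK_NAME = "microsoftsupdate"
DROPPED_FILES = ("hrserv.dll", "jknla.bat")
WEBSHELL_PATHS = (
    "/fc4b97eb-2965-4a3b-8bad-b8172de25520",  # 2023 sample, registered on http://+:80/
    "/owa/msexchangeservice.svc",             # early-2021 variants, https://+:443/
)
FAILED_READ_MARKER = "data:image/png;base64,c3Dlc+DheRzlKBV2Yh92KS//"

# (method, cp) -> what the web shell does with that request, per the cp table.
CP_ACTIONS = {
    ("GET", "0"): "execute decoded NID cookie in memory (new thread)",
    ("POST", "1"): "write decoded POST body to the file named by the NID cookie",
    ("GET", "2"): "read the file named by the NID cookie, return it as a fake PNG data URI",
    ("GET", "4"): "return decoy Outlook Web App HTML",
    ("POST", "6"): "execute decoded POST body in memory (code execution)",
    ("GET", "7"): "return decoy Outlook Web App HTML",
}


def check_process_cmdline(cmdline: str) -> list:
    """Reasons a process command line matches the HrServ deployment or cleanup chain."""
    low = cmdline.lower()
    reasons = []
    if "schtasks" in low and SCHEDULED_TASK_NAME in low:
        if "/create" in low:
            reasons.append("schtasks creates task MicrosoftsUpdate")
        if "/delete" in low:
            reasons.append("schtasks deletes task MicrosoftsUpdate (trace removal)")
    for name in DROPPED_FILES:
        if name in low:
            reasons.append(f"references dropped file {name}")
    return reasons


def check_http_request(method: str, url: str, cookies: dict) -> list:
    """Reasons an HTTP request looks like HrServ client traffic.

    The Google-style query string (cp=, client=, hl=en-TW, ...) is a decoy and
    those parameter names are common in legitimate traffic, so a cp value is
    only reported together with the NID cookie the shell consumes; a match on
    the registered URL path stands on its own.
    """
    parts = urlsplit(url)
    reasons = []
    if parts.path.lower().rstrip("/") in WEBSHELL_PATHS:
        reasons.append(f"request path matches HrServ URL {parts.path}")
    cp = parse_qs(parts.query).get("cp", [None])[0]
    action = CP_ACTIONS.get((method.upper(), cp))
    if action and "NID" in cookies:
        reasons.append(f"cp={cp} with NID cookie: {action}")
    return reasons


def check_http_response_body(body: str) -> list:
    """Reason a response body matches HrServ's fixed reply on a failed file read."""
    return ["response carries HrServ failed-read marker"] if FAILED_READ_MARKER in body else []


# Constructed log line format for this example: METHOD URL cookies="k=v; k=v"
LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) cookies="(?P<cookies>[^"]*)"$')


def parse_line(line: str):
    """Split a constructed log line into (method, url, cookie dict), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cookies = dict(kv.strip().split("=", 1) for kv in m.group("cookies").split(";") if "=" in kv)
    return m.group("method"), m.group("url"), cookies


def scan_http_log(lines) -> list:
    """Return (line, reasons) for every log line that matches the web shell."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            reasons = check_http_request(*parsed)
            if reasons:
                hits.append((line, reasons))
    return hits


# Constructed samples; the MicrosoftsUpdate and del command lines are the ones quoted in the write-up.
SAMPLE_PROCESS_EVENTS = [
    r'"schtasks" /create /sc DAILY /tn MicrosoftsUpdate /tr "$system32\cmd.exe /c $public\JKNLA.bat $public\hrserv.dll" /ru system /f',
    r'schtasks /create /sc DAILY /tn BenignBackupTask /tr "$system32\backup.exe" /f',  # benign, constructed
    r'schtasks /delete /tn MicrosoftsUpdate /f',
    r'cmd /c "del /f/s/q $public\hrserv.dll & del /f/s/q $public\JKNLA.bat"',
]
SAMPLE_HTTP_LOG = [
    'GET /FC4B97EB-2965-4A3B-8BAD-B8172DE25520/?cp=2&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW&authuser=0&pq= cookies="NID=QUJDRA"',
    'GET /search?q=kubernetes&hl=en cookies="NID=511"',
    'POST /owa/MSExchangeService.svc?cp=6&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW cookies="NID=AAAA"',
    'GET /index.html cookies=""',
]

if __name__ == "__main__":
    for event in SAMPLE_PROCESS_EVENTS:
        print(event[:60], "->", check_process_cmdline(event))
    for line, reasons in scan_http_log(SAMPLE_HTTP_LOG):
        print(line[:60], "->", reasons)
```

The URL path is the strongest signal because it is what the DLL registers with the HTTP server API and does not change between requests; the cp/NID pair alone would also match ordinary Google-bound traffic, which is exactly why the authors chose those names. On a real deployment the request-line and cookie fields would come from the web server's own access-log format rather than the constructed one parsed here.
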

Victims

The only known victim according to our telemetry is a government entity in Afghanistan.

Attribution

The TTPs analyzed in this investigation are not associated with any known threat actors we are tracking, but there are a few things that we observed:

  • the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include “hl”. This specifies the host language of the user interface. Although this parameter has no functionality within the attack vector, the assigned value “en-TW” specifies that the Google search interface should be displayed in English, but the search results should be displayed in Traditional Chinese:
    &cp=1&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW&authuser=0&pq=
  • the samples include help strings for specific conditions, in English. We saw multiple typos that suggest the actor behind the samples is not a native English speaker.

An error message with a typo

Conclusion

The analyzed sample represents a capable web shell. Based on the compile timestamps, its origins date back to at least 2021. This sophisticated malware variant exhibits the ability to initiate in-memory executions. In the observed scenario, communication is established through registry manipulations and temporary files.

Notably, the web shell and memory implant use different strings for specific conditions. In addition, the memory implant features a meticulously crafted help message. Considering these factors, the malware’s characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior. Despite the malware’s prolonged activity over several years, multiple instances involving these samples have not been documented. Our efforts are ongoing as we continue to monitor related activity, with the goal of unraveling the mystery in future investigations.

Indicators of compromise

File hashes

b9b7f16ed28140c5fcfab026078f4e2e
418657bf50ee32acc633b95bac4943c6
d0fe27865ab271963e27973e81b77bae
890fe3f9c7009c23329f9a284ec2a61b

ClearFake Campaign Expands to Target Mac Systems with Atomic Stealer

The Hacker News - 22 November 2023 - 08:15
The macOS information stealer known as Atomic is now being delivered to targets via a bogus web browser update chain tracked as ClearFake. "This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes' Jérôme Segura said in a Tuesday analysis. Atomic
Category: Hacking & Security

LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

The Hacker News - 22 November 2023 - 05:49
Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments. The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI),
Category: Hacking & Security

Play Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals

The Hacker News - 21 November 2023 - 14:56
The ransomware strain known as Play is now being offered to other threat actors "as a service," new evidence unearthed by Adlumin has revealed. "The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it," the
Category: Hacking & Security

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

The Hacker News - 21 November 2023 - 12:57
A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.
Category: Hacking & Security
Syndicate content