Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

Swachh City Platform Suffers Data Breach Leaking 16 Million User Records

The Hacker News - 29 Září, 2022 - 12:12
A threat actor by the name of LeakBase has shared a database containing personal information allegedly affecting 16 million users of Swachh City, an Indian complaint redressal platform. Leaked details include usernames, email addresses, password hashes, mobile numbers, one-time passwords, last logged-in times, and IP addresses, among others, according to a report shared by security firm CloudSEKRavie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks

The Hacker News - 29 Září, 2022 - 11:56
Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody. "Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

The secrets of Schneider Electric’s UMAS protocol

Kaspersky Securelist - 29 Září, 2022 - 10:00

UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric (SE) protocol used to configure and monitor Schneider Electric PLCs. Schneider Electric controllers that use UMAS include Modicon M580 CPU (part numbers BMEP* and BMEH*) and Modicon M340 CPU (part numbers BMXP34*). Controllers are configured and programmed using engineering software – EcoStruxure™ Control Expert (Unity Pro), EcoStruxure™ Process Expert, etc.

In 2020, CVE-2020-28212, a vulnerability affecting this software, was reported, which could be exploited by a remote unauthorized attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

It was established that the UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on SE controllers.

By mid-August 2022, Schneider Electric had released an update for the EcoStruxure™ Control Expert software, as well as for Modicon M340 and Modicon M580 PLC firmware, that fixes the vulnerability.

This report describes:

  • the implementation of the UMAS protocol that does not use the Application Password security mechanism;
  • authentication bypass if Application Password is not enabled;
  • the principles on which the Application Password security mechanism is based;
  • mechanisms that can be used to exploit the CVE-2021-22779 vulnerability (authentication bypass where Application Password is configured);
  • operating principles of the updated device reservation mechanism.

A detailed report on the research, Schneider Electric measures designed to fix the authentication bypass vulnerability, and Kaspersky ICS CERT recommendations can be found in the full version of the article published on the Kaspersky ICS CERT website.

Object of research

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers.

UMAS is based on a client-server architecture. During the research process, we used the EcoStruxure™ Control Expert PLC configuration software as the client part and a Modicon M340 CPU controller as the server part.

UMAS protocol Network packet structure

UMAS is based on the Modbus/TCP protocol.

Structure of the UMAS protocol

Specifications of the Modbus/TCP protocol include reserved Function Code values that developers can use according to their needs. A complete list of reserved values can be found in the official documentation.

Schneider Electric uses Function Code 90 (0x5A) to define that the value in the Data field is UMAS compliant.

The network packet structure is shown below, using a request to read a memory block (pu_ReadMemoryBlock) on the PLC as an example:

  • Red: Function Code 90 (0x5A)
  • Blue: Session Key 0 (0x00)
  • Green: UMAS Function 20 (0x20)
  • Orange: Data

Network packet structure

Each function includes a certain set of information in the Data field, such as offset from the base memory address, size of the data sent, memory block number, etc. For more details on the functions and session key, see the full version of the article.

Network communication

UMAS also inherits the Modbus client-server architecture. A structural diagram of the communication between the client and the server is provided below.

Communication between the client (EcoStruxure™ Control Expert) and server (PLC)

In a UMAS network packet, Function Code 0x5A is immediately followed by the Session Key.

UMAS network packet structure

Let’s examine the communication between a client and a server (a PLC, also referred to as “device” below) by analyzing a real-world traffic fragment. The screenshot below shows a packet containing the function umas_QueryGetComInfo(0x01) sent from the client (EcoStruxure™ Control Expert) to the server (the PLC).

Structure of the function:
TCP DATA – Modbus Header – 0x5A – session – 01(UMAS function code) – 00(data).

Network packet containing the function umas_QueryGetComInfo(0x01)

The device should send a response to each request received. The screenshot below shows the device’s response to the client’s request:

Server response

The status code is the status of the device’s execution of the function sent to it by the client in the previous request. The value “fe” corresponds to successful execution of the function; “fd” indicates an error. The status code is present in each response sent by the device to thecontaining a function. It is always located immediately after the session key.

Reservation procedure

A “reservation” procedure is required to make changes to a PLC. The procedure acts as authentication. Only one client (e.g., an engineering workstation) can reserve a device at any specific time for configuration or status monitoring. This is required to prevent changes from being made to a device in parallel without coordination.

The screenshot below shows a request from the engineering software to the PLC to perform the device reservation procedure in its basic variant that does not use the Application Password security mechanism.

Device reservation

The umas_QueryTakePLCReservation(0x10) function is used to reserve a device. The request containing this function includes the name of the client reserving the device and a value equal to the length of that name.

CVE-2020-28212: authentication bypass without Application Password

The main issue with the basic reservation mechanism that does not use Application Password is that an attacker can use the session key to send requests and change the device’s configuration.

In firmware versions prior to 2.7 for Modicon M340 devices, the session key has the same value each time the device is reserved, and is equal to “0x01”. This means that attackers can make changes on the device by calling the relevant functions after the device has been reserved by a legitimate user.

The attack workflow is shown in the diagram below:

Remote threat actor attack workflow. Modicon M340 firmware prior to version 2.7, device reserved by an engineer

If the device has not been reserved at the time of an attack, the attacker can use the umas_QueryTakePLCReservation(0x10) function to reserve the device in order to make changes to it.

With Modicon M340 firmware version 2.7 or later, the session key takes a random value after device reservation. However, the session key is one byte in length, which means there are only 256 possible session ID values. This enables a remote unauthorized attacker to brute-force an existing ID of a session between a legitimate user and the PLC.

To carry out this type of attack, a remote attacker needs to send a series of network requests on port 502/TCP of the PLC with different session ID values and look at responses returned by the PLC. If the correct session ID was sent, the attacker will get the status code 0xfe, which means the request was fulfilled successfully. Otherwise, the attacker will get the status code 0xfd.

The operations described above can be implemented using any programming language – an attacker does not have to use EcoStruxure™ Control Expert or any other dedicated software to communicate with the device.

Application Password

To mitigate the CVE-2020-28212 vulnerability, exploitation of which could allow a remote unauthorized attacker to gain control of the PLC with the privileges of an operator already authenticated on the PLC, Schneider Electric developed a new security mechanism that used cryptographic algorithms to compute the session ID and increased the session ID length. Schneider Electric believed implementing this security mechanism would prevent brute-force attacks that could be used to crack single-byte session IDs.

The new mechanism was introduced starting with firmware version 3.01 for Modicon M340 devices. To implement authentication between the client and the device, Application Password needs to be enabled in project settings (“Project & Controller Protection”). The mechanism is designed to provide protection against unauthorized access, unwanted changes, as well as unauthorized downloading or uploading of PLC strategies.

After activating the mechanism using EcoStruxure™ Control Expert, the client needs to enter the password when connecting to a device as part of the reservation procedure. Application Password also makes changes to the reservation mechanism itself.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism was, unfortunately, also flawed. Its main shortcoming is that during the authentication process, all computations are performed on the client side, i.e., on the side of EcoStruxure™ Control Expert engineering software. The vulnerability identified during research, CVE-2021-22779, could allow a remote attacker to bypass authentication and use functions that require reservation to make changes to the PLC.

For more details on the implementation of Application Password and on the security flaws identified by Kaspersky ICS CERT researchers, read the full version of the article published on the Kaspersky ICS CERT website. For more information, you can also contact us at ics-cert@kaspersky.com.

Optus breach – Aussie telco told it will have to pay to replace IDs

Sophos Naked Security - 28 Září, 2022 - 20:55
Licence compromised? Passport number burned? Need a new one? Who's going to pay?

Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems

The Hacker News - 28 Září, 2022 - 16:00
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware

The Hacker News - 28 Září, 2022 - 14:36
A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for €Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Improve your security posture with Wazuh, a free and open source XDR

The Hacker News - 28 Září, 2022 - 14:15
Organizations struggle to find ways to keep a good security posture. This is because it is difficult to create secure system policies and find the right tools that help achieve a good posture. In many cases, organizations work with tools that do not integrate with each other and are expensive to purchase and maintain. Security posture management is a term used to describe the process of The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.com
Kategorie: Hacking & Security

LibreWolf 105.0.1-1

LinuxSecurity.com - 28 Září, 2022 - 13:00
LibreWolf is an independent ''fork'' of Firefox, with the primary goals of privacy security and user freedom. It is the community run successor to LibreFox.
Kategorie: Hacking & Security

Rust Is Eating into our Systems, and It's a Good Thing

LinuxSecurity.com - 28 Září, 2022 - 13:00
Rust is eating into our systems. The first Rusted drivers are being welded into Linux, while Microsoft's Azure CTO Mark Russinovich said C/C++ '' until now, the systems languages of choice '' should be dropped in favor of Rust henceforth.
Kategorie: Hacking & Security

Hackers Using PowerPoint Mouseover Trick to Infect Systems with Malware

The Hacker News - 28 Září, 2022 - 12:09
The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Facebook Shuts Down Covert Political 'Influence Operations' from Russia and China

The Hacker News - 28 Září, 2022 - 10:45
Meta Platforms on Tuesday disclosed it took steps to dismantle two covert influence operations originating from China and Russia for engaging in coordinated inauthentic behavior (CIB) so as to manipulate public debate. While the Chinese operation sets its sights on the U.S. and the Czech Republic, the Russian network primarily targeted Germany, France, Italy, Ukraine and the U.K. with themes Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Prilex: the pricey prickle credit card complex

Kaspersky Securelist - 28 Září, 2022 - 10:00

Prilex is a Brazilian threat actor that has evolved out of ATM-focused malware into modular point-of-sale malware. The group was behind one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines, while also cloning in excess of 28,000 credit cards that were used in these ATMs before the big heist. But the criminals’ greed had no limits: they wanted more, and so they achieved it.

Active since 2014, in 2016, the group decided to give up ATM malware and focus all of their attacks on PoS systems, targeting the core of the payment industry. These are criminals with extensive knowledge of the payment market, and EFT software and protocols. They quickly adopted the malware-as-a-service model and expanded their reach abroad, creating a toolset that included backdoors, uploaders and stealers in a modular fashion. Since then, we have been tracking the threat actor’s every move, witnessing the damages and great financial losses they brought upon the payments industry.

The Prilex PoS malware evolved out of a simple memory scraper into very advanced and complex malware, dealing directly with the PIN pad hardware protocol instead of using higher level APIs, doing real-time patching in target software, hooking operating system libraries, messing with replies, communications and ports, and switching from a replay-based attack to generate cryptograms for its GHOST transactions even from credit cards protected with CHIP and PIN technology.

It all started with ATMs during a carnival celebration

During the carnival of 2016, a Brazilian bank realized that their ATMs had been hacked, with all the cash contained in those machines stolen. According to reports from law enforcement agencies, the criminals behind the attack were able to infect more than 1,000 machines belonging to one bank in the same incident, which allowed them to clone 28,000 unique credit cards across Brazil.

The attackers did not have physical access to the machines, but they were able to access the bank’s network by using a DIY device containing a 4G router and a Raspberry PI. By opening a backdoor, they were able to hijack the institution’s wireless connection and target ATMs at will. After obtaining initial network access, the attacker would run a network recognition process to find the IP address of each of the ATMs. With that information in hand, the attackers would launch a lateral movement phase, using default Windows credentials and then installing custom-crafted malware in the desired systems. The backdoor would allow the attacker to empty the ATM socket by launching the malware interface and typing a code supplied by the mastermind, the code being specific to each ATM being hacked.

ATM infected with Prilex ready to dispense money

The malware used in the attack was named Prilex and had been developed from scratch by using privileged information and advanced knowledge of the ATM network. To control the ATMs, Prilex did patch in legitimate software for jackpotting purposes. Besides its capability to perform a jackpot, the malware was also capable of capturing information from magnetic strips on credit and debit cards inserted into the infected ATMs. Afterwards, this valuable information could be used to clone cards and steal further funds from the bank’s clients.

Evolving into PoS malware

Prilex has evolved out of ATM-focused malware into modular point-of-sale malware targeting payment systems developed by Brazilian vendors, the so-called EFT/TEF software. As we noted in 2018, there are many similarities between their ATM and PoS versions. Their first PoS malware was spotted in the wild in October 2016. The first two samples had 2010/2011 as the compilation date, as shown on the graph below. However, we believe that invalid compilation dates were set due to incorrect system date and time settings. In later versions, the timestamps corresponded to the times when the samples were discovered. We also noticed that in the 2022 branch, the developers started using Subversion as the version control system.

Versions of the Prilex PoS malware: 3 new versions in 2022 (download)

As we see on the graph, Prilex was highly active in 2020, but suddenly disappeared in 2021, resurfacing in 2022 with a release of three new variants.

The PoS version of Prilex is coded in Visual Basic, but the stealer module, described in this article, is in p-code. In a nutshell, this is an intermediate step between high-level instructions in a Visual Basic program and the low-level native code executed by a CPU. Visual Basic translates p-code statements into native code at runtime.

A link to the past

Prilex is not the only type of PoS malware to originate in Brazil. We saw a weak link with the old Trojan-Spy.Win32.SPSniffer, which we described in 2010: both families are able to intercept signals from PIN pads, but use different approaches in doing so.

PIN pads are equipped with hardware and security features to ensure that security keys are erased if someone tries to tamper with the device. In fact, the PIN is encrypted in the device upon entry using a variety of encryption schemes and symmetric keys. Most often, this is a triple DES encoder, making it hard to crack the PIN.

There is a problem, though: these devices are always connected to a computer via a USB or serial port, which communicates with the EFT software. Older and outdated PIN pad devices use obsolete and weak cryptography schemes, making it easy for malware to install a USB or serial port sniffer to capture and decrypt the traffic between the PIN pad and the infected system. This is how SPSniffer gets credit card data. Sometimes the traffic is not even encrypted.

SPSniffer: serial port sniffer allowing capture of not-encrypted traffic

The main approach used by Prilex for capturing credit card data is to use a patch in the PoS system libraries, allowing the malware to collect data transmitted by the software. The malware will look for the location of a particular set of executables and libraries in order to apply the patch, thus overwriting the original code. With the patch in place, the malware collects the data from TRACK2, such as the account number and expiration date, in addition to other cardholder information needed to perform fraudulent transactions.

Initial infection vector

Prilex is not a widespread type of malware, as it is not distributed through email spam campaigns. It is highly targeted and is usually delivered through social engineering, e.g., a target business may receive a call from a “technician” who insists that the company needs to update its PoS software. The fake technician may visit the target in person or request the victims to install AnyDesk and provide remote access for the “technician” to install the malware.

Warning from a PoS vendor about Prilex social engineering attacks

Messing with the EMV standard

Brazil began migrating to EMV in 1999, and today, nearly all cards issued in the country are chip enabled. A small Java-based application lives inside the chip and can be easily manipulated in order to create a “golden ticket” card that will be valid in most—if not all—point-of-sale systems. This knowledge has enabled the criminals to upgrade their toolset, allowing them to create their own cards featuring this new technology and keeping them “in the business.”

The initial versions of Prilex were capable of performing the “replay attack,” where, rather than breaking the EMV protocol, they instead took advantage of poor implementations. Since payment operators fail to perform some of the validations required by the EMV standard, criminals can exploit this vulnerability within the process to their benefit.

In this kind of attack, fraudsters push regular magnetic stripe transactions through the card network as EMV purchases, as they are in control of a payment terminal and have the ability to manipulate data fields for transactions put through that terminal. Later they switched to capturing traffic from real EMV-based chip card transactions. The thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Brazilian cybercriminals have successfully launched replay attacks since at least 2014. As pointed out by Brian Krebs, a small financial institution in New England battled some $120,000 in fraudulent charges from Brazilian stores within less than two days. The bank managed to block $80,000, but the bank’s processor, which approves incoming transactions when the core systems are offline, let through the other $40,000. All of the fraudulent transactions were debit charges. All of them came across MasterCard’s network and appeared to be chip transactions without a PIN to MasterCard’s systems.

Also worth mentioning is the attack against a German bank in 2019, which registered €1.5 million in losses and used the same technique. The Prilex gang claimed responsibility. Judging by the name fields and the functionality of the tool, they probably used the software they are selling in the black market.

To automate attacks using cloned credit cards, Prilex criminals used tools like Xiello, discovered by our telemetry in 2020. This tool allows the cybercriminals to use credit cards in a batch when making fraudulent purchases. It sends the purchase data to credit card acquirers, who then approve or deny the transactions.

Xiello tool used by Prilex to automate transactions

As the payment industry and credit card issuers fixed EMV implementation errors, replay attacks became obsolete and ineffective, pushing the Prilex gang to innovate and adopt other ways of credit card fraud.

From “Replay” to “Ghost”

The latest versions of Prilex show certain differences to previous ones in the way the attack occurs: the group has switched from the replay attacks to fraudulent transactions using cryptograms generated by the victim card during the in-store payment process, referred to by the malware authors as “GHOST transactions.”

In these attacks, the Prilex samples were installed in the system as RAR SFX executables that extracted all required files to the malware directory and executed the installation scripts (VBS files). From the installed files, we can highlight three modules used in the campaign: a backdoor, which is unchanged in this version except for the C2 servers used for communication; a stealer module; and an uploader module.

Prilex methods of maintaining persistence

The stealer module is responsible for intercepting all communications between the point-of-sale software and the PIN pad used for reading the card during the transaction. Once it identifies a running transaction, the malware will intercept and modify the content of the transaction in order to be able to capture the card information and to request new EMV cryptograms to the victim’s card. These cryptograms are then used in the GHOST transactions.

Method used to parse the PIN pad messages sent/received

In order to target a specific process, the criminals will perform an initial screening of the machine—to check if it is an interesting target with enough credit card transactions and to identify the process they will target.

After the process is identified, the malware will move forward to install the hooks needed to intercept the transaction information. As the communication between the PoS software and the card reader happens through the COM port, the malware will install a hook to many Windows APIs inside the targeted process, aiming to monitor and change data as needed. Interestingly enough, instead of allocating memory to the hook procedure, Prilex finds free space within the modules memory, a technique called code cave, making it hard for some security solutions to detect the threat in an infected system.

Hook code added into CloseHandle process

All captured information from the transaction is saved to an encrypted file placed in a directory previously set by the malware configuration. Those files will later be sent to the malware C2 server, allowing the cybercriminals to make transactions through a fraudulent PoS device registered in the name of a fake company.

Captured credit card data that will be later sent to the operator server

The previous version monitored the transaction in order to get the cryptogram, generated by the card for the original transaction, and then to perform a replay attack using the collected cryptogram. In this case, the cryptogram has the same ATC (Application Transaction Counter), allowing the fraudulent transaction to be identified by the reuse of the ATC as well as the fact that the date inside the cryptogram did not match the date when it was submitted, as the fraudulent transactions were submitted at a later point in time.

In GHOST attacks performed by the newer versions of Prilex, it requests new EMV cryptograms after capturing the transaction. These cryptograms will then be used in a fraudulent transaction through one of the cybercrime tools whose output log can be seen below.

[START GHOST] _ 80CA9F17 | 9F1701039000 | 002000800826435643FFFFFFFF | Check PIN 9000 _| 80AE80001D00000000010000000000000000760000008000098620060600B4E5C6EB -> Generate AC 80128000AA5EA486052A8886DE06050A03A4B8009000 -> Generated ARQC [END GHOST]

The table above shows the data collected from the malware. It contains the Authorization Request Cryptogram (ARQC) that was generated by the card and should now be approved by the card issuer. After dissecting the response (80128000AA5EA486052A8886DE06050A03A4B8009000), we have the following information.

Data Field details 80 12 Size of the response: 18 bytes 80 Cryptogram Information Data: ARQC (Authorization Request Cryptogram): go and ask the issuer 00AA ATC: Application Transaction Counter 5EA486052A8886DE Application Cryptogram 06050A03A4B800 Issuer Application Data 9000 Response OK

Multiple application cryptograms are applied to the card, where the amount of the transaction (blue), ATC (green) and the generated cryptogram (red) change for each transaction.

[START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D00000000010000000000000000760000008000098620060600B4E5C6EB80128000AA5EA486052A8886DE06050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D00000000100000000000000000760000008000098620060600E22CB55580128000AB8E988F00ACEE5D4806050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D0000000020000000000000000076000000800009862006060007EBA76480128000AC5E1E75557CC57E1206050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D000000003000000000000000007600000080000986200606002598491680128000ADCF54C11A58083ADB06050A03A4B8009000
[END GHOST]

In a nutshell, this is the entire Prilex scheme:

Prilex: from infection to cashout

Backdoor module

The backdoor has many commands, and aside from memory scanning common to memory scrappers, older (ATM) Prilex versions also featured a command to debug a process and peek into its memory. It is highly likely that this was used to understand target software behavior and perform adjustments on the malware or environment to perform fraudulent transactions. Older versions of Prilex performed patching on specific software libraries, whereas newer samples do not rely on specific software anymore and will instead hook Windows APIs to perform its job.

The Prilex debugger

Here’s a list of commands used in the ATM version of Prilex, which include debugging:

Reboot, SendKeys, ShowForm, Inject, UnInject, HideForm, Recursos, GetZip, SetStartup, PausaProcesso, LiberaProcesso, Debug, SendSnapShot, GetStartup, CapRegion, CapFerro, KillProcess, Shell, Process, GetModules, GetConfig, StartSendScreen, StopSendScreen, ReLogin, StartScan, GetKey, SetConfig, RefreshScreen, Download, TakeRegions, Enviar Arquivo, ScanProcessStart, ScanProcessStop, StartRegiao, StopRegiao, StartDownload, StopDownload.

Even though a new set of commands has been added to the PoS version, we could find some of those from the ATM attack still being used. Numerous available commands are for general use, allowing the criminals to collect information about the infected machine.

Command Description Download Download a file from the remote server Shell Execute a specified command via CMD GetConfig Get the configuration file KillProcess Terminate a process SetStartup Add the process to a startup registry key StartSendScreen Start screen capture StopSendScreen Stop screen capture Uploader Module

This module is responsible for checking the directory specified in the CABPATH parameter in the config file and sending all cab files generated from the stolen transactions to the server; the files are sent through an HTTP POST request. The endpoint used by the module is also mentioned in the uploader configuration file.

[SNDCAB] CABHOST=C2 CABPORT=80 CABPAGE=/upload.php CABPATH=c:\cab

The use of this module indicates a change in the group’s operation structure, since in the previous version, the collected information was sent to a server whose address was hardcoded into the stealer code, and the module used the same protocol as the backdoor. This uploader allows the operator to set the endpoint for the collected information as indicated in the configuration file; judging from the samples analyzed, it is possible to see a different infrastructure involved in the process.

Captured data stored in the uploader C2

Malware-as-a-service

In 2019, a website claiming to be affiliated with Prilex started offering what it said was a malware package created by the group. We have little confidence in these claims: the site could be operated by copycats trying to impersonate the group and catch some money using the reputation Prilex has earned over the years.

This website was still up and running at the time of writing this.

The asking price for what is supposedly a Prilex PoS kit is $3,500.

The website says its owners have worked with Russian cybercriminals in the past, another claim we cannot confirm. Worth mentioning, too, is that our Digital Footprint Intelligence service found citations of a Prilex malware package sold through Telegram chats, in an underground channel, priced between €10,000 and $13,000. We have no way of confirming that what is being offered is the real Prilex malware.

At the same time, Prilex now using Subversion is a clear sign they are working with more than one developer.

Conclusions

The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works. This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks.

Over years of activity, the group has changed its attack techniques a lot. However, it has always abused processes relating to PoS software to intercept and modify communications with the PIN pad. Considering that, we strongly suggest that PoS software developers implement self-protection techniques in their modules, such as the protection available through our Kaspersky SDK, aiming to prevent malicious code from tampering with the transactions managed by those modules. To credit card acquirers and issuers, we recommend avoiding “security by obscurity”: do not underestimate the fraudster. All EMV validations must be implemented!

Prilex’s success is the greatest motivator for new families to emerge as fast-evolving and more complex malware with a major impact on the payment chain.

To financial institutions who fell victims to this kind of fraud, we recommend our Kaspersky Threat Attribution Engine to help IR teams with finding and detecting Prilex files in attacked environments.

The Prilex family is detected by all Kaspersky products as HEUR:Trojan.Win32.Prilex and HEUR:Trojan.Win64.Prilex. More details about the threat and a full analysis is available to customers of our Threat Intelligence Reports. With any requests about our private reports, please contact crimewareintel@kaspersky.com.

Critical WhatsApp Bugs Could Have Let Attackers Hack Devices Remotely

The Hacker News - 28 Září, 2022 - 07:03
WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices. One of them concerns CVE-2022-36934 (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call. The issue impacts the WhatsApp and Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

WhatsApp “zero-day exploit” news scare – what you need to know

Sophos Naked Security - 27 Září, 2022 - 20:51
Is WhatsApp currently under active attack by cybercriminals? Is this a clear and current danger? How worried should WhatsApp users be?

Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures

The Hacker News - 27 Září, 2022 - 15:54
The Ukrainian government on Monday warned of "massive cyberattacks" by Russia targeting critical infrastructure facilities located in the country and that of its allies. The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said. "By the cyberattacks, the enemy will try to increase the effect of missile strikes onRavie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials

The Hacker News - 27 Září, 2022 - 15:19
Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems. "When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide varietyRavie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Experts Uncover 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme

The Hacker News - 27 Září, 2022 - 14:04
As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019. The latest iteration, dubbed Scylla by Online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codename Poseidon and Charybdis, respectively. Prior to their removal from the app Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Why Continuous Security Testing is a Must for Organizations Today

The Hacker News - 27 Září, 2022 - 13:39
The global cybersecurity market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.  One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.com
Kategorie: Hacking & Security

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

The Hacker News - 27 Září, 2022 - 11:46
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Heslo do Poznámkového bloku neukládejte. Windows 11 lépe chrání firmy před phishingem

Zive.cz - bezpečnost - 27 Září, 2022 - 08:45
Jak se ukázalo, nedávno vydané Windows 11 22H2 oproti předchozím vydáním operačního systému poskytují lepší ochranu proti phishingu, se kterou cílí na podniky. Jedná se o tři bezpečnostní prvky: pochybné spojení, použití jednoho hesla pro více účtů, ukládání hesla do nezabezpečené ...
Kategorie: Hacking & Security
Syndikovat obsah