Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

Alert: 15-year-old Python tarfile Flaw Lurks in 'Over 350,000' Code Projects

LinuxSecurity.com - 23 September 2022 - 13:00
Oh cool, a 5,500-day security hole
Category: Hacking & Security

CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability

The Hacker News (Ravie Lakshmanan) - 23 September 2022 - 12:21
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency
Category: Hacking & Security

Firing Your Entire Cybersecurity Team? Are You Sure?

The Hacker News - 23 September 2022 - 12:20
What on earth were they thinking? That's what we – and other security experts – were wondering when content giant Patreon recently dismissed its entire internal cybersecurity team in exchange for outsourced services. Of course, we don't know the true motivations for this move. But, as outsiders looking in, we can guess the cybersecurity implications of the decision would be inescapable for any
Category: Hacking & Security

Void Balaur Hackers-for-Hire Targeting Russian Businesses and Politics Entities

The Hacker News (Ravie Lakshmanan) - 23 September 2022 - 11:56
A hack-for-hire group that was first exposed in 2019 has expanded its focus to set its sights on entities with business or political ties to Russia. Dubbed Void Balaur, the cyber mercenary collective has a history of launching cyberattacks against biotechnology and telecom companies since 2015. As many as 3,500 victims have been reported as of November 2021. "Void Balaur [...] primarily dabbles
Category: Hacking & Security

Mass email campaign with a pinch of targeted spam

Kaspersky Securelist - 23 September 2022 - 10:00

Most mass malicious mailing campaigns are very primitive and hardly diverse, with the content limited to a few sentences inviting the user to download archives that supposedly contain some urgent bills or unpaid fines. The email messages may contain no signatures or logos, and typos and other errors are fairly common. These mailings may target individual users or large corporations, with no significant differences in message content.

Example of a mass malicious mailing message

Things have started to change recently, though, as spammers began employing techniques that are typical of targeted attacks. In particular, they have been sending emails in the name of real companies, copying the senders’ writing style and signatures.

Customer email with an Easter egg inside

We discovered a noteworthy email message recently. In it, someone posing as a Malaysian prospect and using a fairly odd variety of English asks the recipient to review some customer requirements and get back with the requested documents. The general format complies with corporate correspondence standards: there is a logo that belongs to a real company and a signature that features sender details. Overall, the request looks legit, while the linguistic errors can easily be attributed to the sender being a non-native speaker.

The email from the “Malaysian prospect,” with a malicious attachment

The only thing about the email that smells fishy is the sender’s address (newsletter@trade***.com), as “newsletter” is typically used for news, not procurement. Besides, the sender’s domain name is different from the company name in the logo.

In another email, a purported Bulgarian customer inquires about the availability of some products and offers to discuss the details of a deal. The requested products list is said to be in the attachment, as in the previous specimen. The sender’s address, similarly suspicious, belongs to a Greek, not Bulgarian, domain, which apparently has no relation to the company whose name is used by the spammers.

The email from the “Bulgarian customer,” with a malicious attachment

What these two messages have in common is the mailing scenario and the fact that neither looks machine-generated. Looking closely at the message headers, we noticed that they shared a structure: the sequence of headers, the MSGID format and the email client were the same. Besides, the messages originated within a limited range of IP addresses. This suggested that they were part of one massive email campaign.

Comparing the message headers of two malicious emails

Unlike the IP addresses and headers, the content varies. The spammers have been sending malicious archives addressed from a large number of companies, with the "request" text changing as well. This suggests that the operators invested quite some effort into preparations, which is uncharacteristic of this kind of campaign.
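One way to turn the header comparison described above into a check, as an added example that is not code from the Kaspersky article: it fingerprints each message by header-name order, Message-ID shape and X-Mailer, keeps only groups that share a fingerprint and originate from one IP range, and applies the two sender-address tells the article names (a "newsletter" local part and a domain unrelated to the company in the logo). All messages, domains and IP addresses are constructed placeholders, and the function names and the generic-local-part list are my assumptions.

```python
# Added example (not the Securelist article's code): fingerprint raw e-mail headers the way the article
# describes and flag the sender-address tells it names. Every message, domain and IP here is constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
def _msg(*headers):  # build a raw message from header lines
    return "\n".join(headers) + "\n\nPlease find the requirements attached.\n"

SAMPLES = [  # constructed: 0 and 1 imitate one campaign, 2 is an unrelated legitimate reply
    _msg("Received: from mx.recipient.test by mail.recipient.test; Fri, 3 Jun 2022 09:12:01 +0000",
         "Received: from [198.51.100.17] (helo=trade-example.test) by mx.recipient.test",
         'From: "Procurement" <newsletter@trade-example.test>', "To: sales@recipient.test",
         "Subject: Customer requirements", "Date: Fri, 3 Jun 2022 09:10:00 +0000",
         "Message-ID: <20220603091000.A1B2C3@trade-example.test>",
         "X-Mailer: ExampleMailer 4.2", "MIME-Version: 1.0"),
    _msg("Received: from [198.51.100.40] (helo=other-example.test) by mx.recipient.test",
         'From: "Sales Dept" <newsletter@other-example.test>', "To: info@recipient.test",
         "Subject: Product availability", "Date: Sat, 4 Jun 2022 10:15:00 +0000",
         "Message-ID: <20220604101500.D4E5F6@other-example.test>",
         "X-Mailer: ExampleMailer 4.2", "MIME-Version: 1.0"),
    _msg("Received: from [203.0.113.5] (helo=mail.legit-trading.test) by mx.recipient.test",
         "Date: Mon, 6 Jun 2022 08:00:00 +0000", 'From: "Jana" <orders@legit-trading.test>',
         "To: sales@recipient.test", "Subject: Re: quote", "MIME-Version: 1.0",
         "Message-ID: <abc-123-def@mail.legit-trading.test>", "X-Mailer: OtherClient 1.0"),
]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
GENERIC_LOCAL_PARTS = {"newsletter", "noreply", "no-reply", "news"}  # assumed list of non-procurement senders
def msgid_shape(msgid):  # Message-ID local part reduced to segment types: N=digits, H=hex, A=anything else
    local = msgid.strip().strip("<>").split("@", 1)[0]
    kinds = ("N" if s.isdigit() else "H" if re.fullmatch(r"[0-9a-fA-F]+", s) else "A" for s in local.split("."))
    return ".".join(kinds)
def fingerprint(raw):  # header order (Received hops excluded, they are added in transit), MSGID shape, client
    msg = message_from_string(raw)
    names = tuple(n.lower() for n, _ in msg.items() if n.lower() != "received")
    return names, msgid_shape(msg.get("Message-ID", "")), (msg.get("X-Mailer") or "").strip()
def originating_ip(raw):  # the last Received header is the first hop; take its bracketed IP, if any
    for hop in reversed(message_from_string(raw).get_all("Received") or []):
        if m := IP_RE.search(hop):
            return ip_address(m.group(1))
    return None
def sender_flags(raw, claimed_company):  # the two tells the article names
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    local, _, domain = addr.lower().partition("@")
    flags = ["generic-local-part"] if local in GENERIC_LOCAL_PARTS else []
    tokens = [t for t in re.findall(r"[a-z]+", claimed_company.lower()) if len(t) > 3]
    if tokens and not any(t in domain for t in tokens):  # sender domain unrelated to the logo's company
        flags.append("domain-mismatch")
    return flags
def campaign_candidates(raws, net):  # groups of 2+ messages sharing a fingerprint, all sent from `net`
    groups = {}
    for i, raw in enumerate(raws):
        ip = originating_ip(raw)
        groups.setdefault(fingerprint(raw), []).append((i, ip is not None and ip in net))
    return [[i for i, _ in g] for g in groups.values() if len(g) > 1 and all(ok for _, ok in g)]
```

Run against a real mailbox export, the same fingerprint should be computed per message and the group sizes compared against the volumes the article reports, since a single shared X-Mailer alone is far too common to be a signal.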

Statistics

From April till August, our systems detected 739,749 messages attributed to the campaign. The email activity peaked in June, with 194,100 detected messages, dropping to 178,510 in July and to 104,991 in August.

Malicious email dynamics, April through August 2022

Payload: Agent Tesla malware

We studied the contents of the archives attached to the emails and found them to contain one of two unique files belonging to the same family: the widespread Agent Tesla malware, written in .NET and known since 2014. Its main objective is to fetch passwords stored in browsers and other applications and forward them to the operator. While Agent Tesla most frequently forwards data via email, there are versions that drop the stolen data into a Telegram secret chat, onto a website operated by the attackers or onto an FTP server. The Agent Tesla version being spread by the campaign at hand is one of the latest, capable of ripping passwords from the following applications.

  • Browsers: Chrome, Edge, Firefox, Opera, 360 Browser, 7Star, Amigo, Brave, CentBrowser, Chedot, Chromium, Citrio, Cốc Cốc, Comodo Dragon, CoolNovo, Coowon, Elements Browser, Epic Privacy, Iridium Browser, Kometa, Liebao Browser, Orbitum, QIP Surf, Sleipnir 6, Sputnik, Torch Browser, Uran, Vivaldi, Yandex.Browser, QQ Browser, Cyberfox, IceDragon, Pale Moon, SeaMonkey, Waterfox, IceCat, K-Meleon.
  • Email clients: Becky!, Opera Mail, Foxmail, Thunderbird, Claws, Outlook, The Bat!, eM Client, Mailbird, IncrediMail, Postbox, Pocomail
  • FTP/SCP clients: WinSCP, WS_FTP, FTPGetter, SmartFTP, FTP Navigator, Core FTP
  • Databases: MySQL Workbench
  • Virtual network computing clients: RealVNC, TightVNC, TigerVNC, UltraVNC, Windows RDP, cFTP
  • VPN clients: NordVPN, OpenVPN
  • Instant messaging programs: Psi/Psi+, Trillian

Agent Tesla is also capable of making screenshots, intercepting clipboard contents and logging keystrokes.

Agent Tesla attack geography

Agent Tesla targets users around the world. According to our observations, the malware’s activity from May till August 2022 was the highest in Europe, Asia and Latin America. The largest number of victims (20,941) was recorded in Mexico. It was followed by Spain, with 18,090 users’ devices registering infection attempts, and Germany, where 14,880 users were affected.

Ten most-attacked countries by number of affected users:

Country/territory    Users affected
Mexico               20,941
Spain                18,090
Germany              14,880
Turkey               13,326
Russian Federation   12,739
Italy                12,480
Malaysia             10,092
Vietnam               9,760
Brazil                8,851
Portugal              8,739

Conclusion

The spam campaign we discovered is clear proof that cybercriminals can invest significant effort even in mass attacks. The email messages we studied appear to be high-quality imitations of business inquiries by real companies, only given away by the inappropriate sender addresses. In all likelihood, these emails were composed and sent out manually. That said, our systems were detecting more than a hundred thousand of these emails each month, which targeted organizations all around the world.

The payload spread by the attackers is capable of stealing login data from an imposing number of applications. The data may be offered for sale on darkweb forums or used in targeted attacks against organizations. Agent Tesla is notably a long-known stealer, detected by most cybersecurity products. It is assigned the verdict Trojan-PSW.MSIL.Agensla by Kaspersky products.

Indicators of compromise

MD5 hashes of attached archives:


MD5 hashes of the executables and details of attackers’ email accounts used for sending and receiving data stolen by the sample:


Fake Indian Banking Rewards Apps Targeting Android Users with Info-stealing Malware

The Hacker News (Ravie Lakshmanan) - 23 September 2022 - 09:15
An SMS-based phishing campaign is targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application. The Microsoft 365 Defender Research Team said that the messages contain links that redirect users to a sketchy website that triggers the download of the fake banking rewards app for ICICI Bank. "The malware's RAT capabilities allow the attacker to
Category: Hacking & Security

Hackers Using Malicious OAuth Apps to Take Over Email Servers

The Hacker News (Ravie Lakshmanan) - 23 September 2022 - 07:14
Microsoft on Thursday warned of a consumer-facing attack that made use of rogue OAuth applications deployed on compromised cloud tenants to ultimately seize control of Exchange servers and spread spam. "The threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to
Category: Hacking & Security

S3 Ep101: Uber and LastPass breaches – is 2FA all it’s cracked up to be? [Audio + Text]

Sophos Naked Security - 22 September 2022 - 20:42
Latest episode - listen now! Learn why adopting 2FA isn't a reason to relax your other security precautions...

Researchers Uncover Years-Long Mobile Spyware Campaign Targeting Uyghurs

The Hacker News (Ravie Lakshmanan) - 22 September 2022 - 19:03
A new wave of a mobile surveillance campaign has been observed targeting the Uyghur community as part of a long-standing spyware operation active since at least 2015, cybersecurity researchers disclosed Thursday. The intrusions, originally attributed to a threat actor named Scarlet Mimic back in January 2016, are said to have encompassed 20 different variants of the Android malware, which were
Category: Hacking & Security

Malicious NPM Package Caught Mimicking Material Tailwind CSS Package

The Hacker News (Ravie Lakshmanan) - 22 September 2022 - 17:01
A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a CSS-based framework advertised by its maintainers as an "easy to use components library for Tailwind CSS and Material Design." "The
Category: Hacking & Security

The electric Volvo EX90 will monitor whether you are driving under the influence of alcohol. It can also take over control completely

Zive.cz - security - 22 September 2022 - 15:45
Car maker Volvo has announced that it will unveil its new flagship electric car on 9 November. The SUV designated EX90 is to replace the current petrol-engined flagship XC90 and so become another step in the brand's complete transition to electric drive, planned for 2030. The newcomer draws attention ...
Category: Hacking & Security

IT Security Takeaways from the Wiseasy Hack

The Hacker News - 22 September 2022 - 15:12
Last month Tech Crunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals. How Did the Wiseasy Hack Happen? Wiseasy employees use a cloud-based dashboard for remotely
Category: Hacking & Security

Business VPNs: Now More Important Than Ever

LinuxSecurity.com - 22 September 2022 - 13:00
Cybersecurity threats are on the rise. With the rapid shift of the business environment to digital work, and the growing trends of work-from-home and global workforces, hackers and cybercriminals can have a field day.
Category: Hacking & Security

Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure

The Hacker News (Ravie Lakshmanan) - 22 September 2022 - 12:40
Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. "Each virtual disk in Oracle's cloud has a unique identifier called OCID," Shir Tamari, head of research at Wiz, said in a series of tweets. "This identifier is not considered secret, and organizations do not treat it as
Category: Hacking & Security

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

The Hacker News (Ravie Lakshmanan) - 22 September 2022 - 11:17
As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management. The shortcoming,
Category: Hacking & Security

Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners

The Hacker News (Ravie Lakshmanan) - 22 September 2022 - 08:17
A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment
Category: Hacking & Security

Interested in cybersecurity? Join us for Security SOS Week 2022!

Sophos Naked Security - 21 September 2022 - 20:24
Four one-on-one interviews with experts who are passionate about sharing their expertise with the community.

Over 39,000 Unauthenticated Redis Instances Found Exposed on the Internet

The Hacker News (Ravie Lakshmanan) - 21 September 2022 - 15:38
An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet in an attempt to install a cryptocurrency miner. It's not immediately known if all of these hosts were successfully compromised. Nonetheless, it was made possible by means of a "lesser-known technique" designed to trick the servers into writing data to arbitrary files – a case of unauthorized
Category: Hacking & Security

Crypto Trading Firm Wintermute Loses $160 Million in Hacking Incident

The Hacker News (Ravie Lakshmanan) - 21 September 2022 - 14:21
In what's the latest crypto heist to target the decentralized finance (DeFi) space, hackers have stolen digital assets worth around $160 million from crypto trading firm Wintermute. The hack involved a series of unauthorized transactions that transferred USD Coin, Binance USD, Tether USD, Wrapped ETH, and 66 other cryptocurrencies to the attacker's wallet. The company said that its centralized
Category: Hacking & Security

Why Zero Trust Should be the Foundation of Your Cybersecurity Ecosystem

The Hacker News - 21 September 2022 - 14:00
For cybersecurity professionals, it is a huge challenge to separate the "good guys" from the "villains". In the past, most cyberattacks could simply be traced to external cybercriminals, cyberterrorists, or rogue nation-states. But not anymore. Threats from within organizations – also known as "insider threats" – are increasing and cybersecurity practitioners are feeling the pain. Traditional
Category: Hacking & Security