New ransomware, malware, etc.

CryptNet ransomware warning

In April 2023, a new ransomware group called CryptNet appeared for the first time, whose activities have now been analyzed by the security analysts of the Zscaler ThreatLabz team. The new group sells their ransomware-as-a-service in underground forums and recruits partners for their criminal activities there.

The analysts have now examined the modus operandi of the current campaign, in which, according to the threat actors, data is stolen from affected companies before encryption so that the ransom demands can be reinforced by publishing it on a data leak website.

CryptNet ransomware code is written in .NET and obfuscated with .NET Reactor. The malware uses 256-bit AES in CBC mode and 2048-bit RSA to encrypt files. After removing the obfuscation layer, CryptNet shares many similarities with the Chaos ransomware families and their latest variant called Yashma. Similarities in the code include encryption methods, disabling backup services, and shadow copy deletion. CryptNet appears to be based on Yashma’s code, but has improved file encryption performance.

One of the ransomware’s first actions is to generate an ID, which is added to the ransom note. It consists of two hard-coded characters followed by 28 pseudo-random numbers and hard-coded characters at the end. In this way, each encrypted system is given a unique decryption ID, and the attackers can identify the victim by the ID’s leading and trailing characters. After creating this ID, the actual encryption routine begins. During the encryption process, CryptNet creates a ransom note called RESTORE-FILES-[9 random chars].txt.

CryptNet is a simple but effective ransomware that has taken the popular Chaos and Yashma codebase and increased file encryption efficiency. The code isn’t particularly advanced, but the algorithms and implementation are cryptographically secure. The group claims to be conducting double extortion attacks, following the trend of advanced threat actors. Zscaler’s multi-layered cloud security platform detects indicators of CryptNet at different levels under the name Win32.Ransom.CryptNet.

(c) it-daily

Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics

The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals.

The new version, dubbed Sphynx and announced in February 2023, packs a “number of updated capabilities that strengthen the group’s efforts to evade detection,” IBM Security X-Force said in a new analysis.

The “product” update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that’s “focused primarily on its encryption routine.”

BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, victimizing more than 350 targets as of May 2023.

The group, like other ransomware-as-a-service (RaaS) offerings, is known to operate a double extortion scheme, deploying custom data exfiltration tools like ExMatter to siphon sensitive data prior to encryption.

Initial access to targeted networks is typically obtained through a network of actors called initial access brokers (IABs), who employ off-the-shelf information stealer malware to harvest legitimate credentials.

BlackCat has also been observed to share overlaps with the now-defunct BlackMatter ransomware family, according to Cisco Talos and Kaspersky.

The latest findings provide a window into the ever-evolving cybercrime ecosystem wherein threat actors enhance their tooling and tradecraft to increase the likelihood of a successful compromise, not to mention thwart detection and evade analysis.

Specifically, the Sphynx version of BlackCat incorporates junk code and encrypted strings, while also reworking the command line arguments passed to the binary.

Sphynx also incorporates a loader to decrypt the ransomware payload that, upon execution, performs network discovery activities to hunt for additional systems, deletes volume shadow copies, encrypts files, and finally drops the ransom note.

Despite law enforcement campaigns against cybercrime and ransomware groups, the continuous shift in tactics is proof that BlackCat remains an active threat to organizations and has “no signs of winding down.”

[Image: Ransomware. Source: WithSecure]

Finnish cybersecurity firm WithSecure, in recent research, described how the illicit financial proceeds associated with ransomware attacks have led to a “professionalization of cyber crime” and the advent of new supporting underground services.

“Many major ransomware groups are operating a service provider or RaaS model, where they supply tooling and expertise to affiliates, and in return take a cut of the profits,” the company said.

“These profits have driven the rapid development of a service industry, providing all the tools and services that an up and coming threat group could need, and thanks to cryptocurrency and dark web routing services the many different groups involved are able to anonymously buy and sell services, and access their profits.”

(c) Ravie Lakshmanan

Tesla cybersecurity measures fail, hackers win Model 3 at hacking event

Tesla has been hacked at the Pwn2Own hacking event, and the hacking group has taken home a Tesla Model 3 and $100,000.

As electric vehicles and their significant amount of integrated software have become more common in everyday life, the security around them has become significantly more critical. In the worst-case scenario, a hacker could not only gain access to a car but could leak user data or even take control of the vehicle. Now, at the Pwn2Own hacking competition, a group of hackers successfully hacked a Tesla Model 3 and won the vehicle along with a $100,000 prize.

The successful hack completed by the group Synacktiv was initially reported by the Zero Day Initiative Twitter account, revealing that the group had used a TOCTOU exploit to gain access to the vehicle.

Thanks to the nature of the hacking competition, the details of how the hack was performed have not been made entirely public to avoid a security risk for Tesla owners. Still, the method the hackers used was relatively straightforward.

The TOCTOU (Time-Of-Check Time-Of-Use) exploit involves altering internal files to gain system access. In essence, the hackers are altering the files that a system will check to ensure someone actually should have access. This could, for example, involve changing login credentials to allow yourself access. However, as the name suggests, this is highly time-dependent, as it involves using the discrepancy of time between the system checking the files and a person actually being logged in.
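
A generic file-based illustration of the gap between check and use described above, added here as an example; it is not from the original article and is not the Pwn2Own exploit, whose details were not published. The directory layout, file names and the `between` hook (which stands in for a concurrent change to the file) are constructed for the demonstration.

```python
import os
import stat
import tempfile

PUBLIC_DATA = b"constructed public report\n"
SECRET_DATA = b"constructed secret\n"


def read_racy(root, name, between=lambda: None):
    """Check the path, then open it by name again: two separate lookups."""
    full = os.path.join(root, name)
    base = os.path.realpath(root) + os.sep
    if not os.path.realpath(full).startswith(base):   # time of check
        raise PermissionError("outside allowed directory")
    between()                      # window in which the file can be replaced
    with open(full, "rb") as fh:   # time of use: the name is resolved again
        return fh.read()


def read_safe(root, name, between=lambda: None):
    """Open once, then make every decision on the descriptor that was opened."""
    if os.path.basename(name) != name:
        raise PermissionError("plain file names only")
    between()                      # a swap here can no longer redirect the read
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            # O_NOFOLLOW fails if the final path component is a symlink.
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError as exc:
            raise PermissionError("cannot open as a non-link file") from exc
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as fh:
        # The check runs on the object that will be read, not on its name.
        if not stat.S_ISREG(os.fstat(fh.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return fh.read()


def _layout(tmp):
    """Constructed layout: public/report.txt may be read, secret/key.txt may not."""
    pub, sec = os.path.join(tmp, "public"), os.path.join(tmp, "secret")
    os.mkdir(pub)
    os.mkdir(sec)
    target, secret = os.path.join(pub, "report.txt"), os.path.join(sec, "key.txt")
    with open(target, "wb") as fh:
        fh.write(PUBLIC_DATA)
    with open(secret, "wb") as fh:
        fh.write(SECRET_DATA)

    def swap():
        # Stand-in for another process replacing the file after the check.
        os.remove(target)
        os.symlink(secret, target)

    return pub, swap


def demo():
    results = {}
    for label, reader in (("racy", read_racy), ("safe", read_safe)):
        with tempfile.TemporaryDirectory() as tmp:
            pub, swap = _layout(tmp)
            try:
                results[label] = reader(pub, "report.txt", between=swap)
            except PermissionError:
                results[label] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```
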

Pwn2Own is one of the most famous hacking events in the world. It involves teams of hackers attempting to gain access to some of the most popular software available on the market. Each group of hackers and security researchers will be given a list of devices and software and a series of objectives to achieve. The first team to navigate through the list gains a cash prize. In this case, for completing this step of the competition quickest, the Synacktiv team won the Tesla Model 3 that they hacked.

With software becoming ever more interconnected with the vehicles we drive, focusing on keeping that software secure will only become more important as time passes. And with the increasing interconnectedness of these car systems, the consequences of not keeping these systems secure will only become more dire. Hopefully, automakers will take this threat seriously and continue to work to keep their items as safe and secure as possible.

(c) William Johnson

Clever Hack Uses YouTube to Back Up Your Data in Google’s Cloud for Free

Although the convenience of having your digital documents backed up to the cloud and available everywhere was once a pricey privilege, Google will now enable your digital hoarding for the price of a fancy cup of coffee: 2TB of storage for just $10/month, and even more, if you need. But there’s another way to take advantage of Google’s vast expanse of cloud storage, and it’s completely free.

YouTube’s not only a great way to share videos with the world, it’s also a useful archive tool—assuming you don’t mind your video content being subjected to some aggressive video compression. According to Google, basic YouTube accounts can upload videos that are up to 15 minutes in length. But verified accounts push that limit to videos that are either 12 hours long or 256 GB in size, while the number of videos that can be uploaded every day seems to vary from user to user.

That’s a lot of data being pushed to the cloud without the user being charged, but does it have to be strictly video content? The answer is both yes and no, as YouTuber HistidineDwarf discovered. They created a tool called ISG (AKA Infinite-Storage-Glitch, which you can find on GitHub) that takes a single zip file containing other assorted files and converts it into a video with the data stream completely visualized across frames—but to human eyes, it looks like nothing but monochromatic noise. You can see a sample file uploaded to YouTube below, but those sensitive to flashing lights might not want to hit the play button.

When the uploaded data needs to be retrieved, the video file can be downloaded from YouTube again and decoded. It sounds simple, but there were quite a few challenges to make this happen, including the lingering question of whether or not this violates YouTube’s terms of service. (We’re betting Google will find a way to say it does, so maybe don’t store your only copy of important files this way.)

The biggest challenge was finding a way to prevent the uploaded data stream videos from being corrupted by video compression: a process that strives to shrink file sizes by often discarding or altering fine details in a video—which is exactly what these videos happen to contain. The solution was to ensure the fine details never get too fine or too small to be affected by YouTube’s compression algorithms, and by never using anything smaller than 2×2 blocks of pixels, this technique has managed to avoid corruption so far, but that could easily change with an algorithm tweak.

The downside to the overly-cautious error-proofing is that the file sizes of the videos produced are often four times larger than the original zip file containing the data. So if you’ve got a 1 GB zip, you’ll have to upload as much as 4 GB to YouTube. That could take a sizeable bite out of your internet bandwidth if you’re not lucky enough to have an unlimited data cap. Is it an ideal way to back up your data? Absolutely not, YouTube could delete a video containing all your wedding photos hidden away inside without so much as a warning. But it is completely free, which might make the risk worth it for those always eager to beat the system.

(c) Andrew Liszewski

Tesla Hacked Twice at Pwn2Own Exploit Contest

Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing at the annual Pwn2Own contest.

Researchers at French offensive hacking shop Synacktiv have demonstrated a pair of successful exploit chains against Tesla’s newest electric car to take top billing at the annual Pwn2Own software exploitation contest.

Pwn2Own organizers confirmed the successful hacks exploited flaws in the Tesla-Gateway and Tesla-Infotainment sub-systems to “fully compromise” a new Tesla Model 3 vehicle.

The first Tesla hack, described as a TOCTOU (time-of-check to time-of-use) race condition, earned the hackers a $100,000 cash prize and ownership of the compromised car. Synacktiv said the Tesla Model 3 gateway was fully compromised from the ethernet network.

SecurityWeek sources say Tesla’s security response team was on site at the event and validated the findings. The company is expected to issue fixes via the vehicle’s self-updating system.

On the second day of the contest in Vancouver, Canada, Synacktiv’s researchers created an exploit chain that used a heap overflow and an out-of-bounds (OOB) write vulnerability to pop the Tesla-Infotainment system. The hack was described as “Unconfined Root” and scored the Synacktiv team a $250,000 cash prize.

[Image: Tesla exploits. Image credit: Zero Day Initiative]

Because of the complex exploit chains used in the hack, Trend Micro’s Zero Day Initiative (ZDI), the organizers of Pwn2Own, qualified it as the first-ever Tier 2 award in Pwn2Own. “CONFIRMED! @Synacktiv used a heap overflow & an OOB write to exploit the Infotainment system on the Tesla,” ZDI announced on Twitter. “When they gave us the details, we determined they actually qualified for a Tier 2 award! They win $250,000 and 25 Master of Pwn points. 1st ever Tier 2 award. Stellar work!”

In total, team Synacktiv won $530,000 and the Tesla Model 3 throughout the three-day hacking competition.

This isn’t the first time Tesla has sought to attract the attention of advanced exploit writers at Pwn2Own. Back in 2019, the company gave away a Tesla Model 3 to a pair of researchers demonstrating successful exploits and this year the organizers plan to raise the level of complexity of what constitutes a successful car-hacking exploit.

This year, the organizers were looking to attract exploits targeting Tesla’s Tuner, Wi-Fi, Bluetooth or Modem components.

(c) Ryan Naraine

Pro-Russia hackers are increasingly targeting hospitals, researchers warn

Cybersecurity researchers said this week that they have observed the pro-Russia hacking group known as Killnet increasingly launch distributed denial of service (DDoS) attacks targeting healthcare organizations since November.

Killnet was established following Russia’s invasion of Ukraine in February 2022, and spent most of the last year launching DDoS attacks against governments and companies around the world.

While the attacks are mostly a nuisance – knocking websites offline for about an hour in most cases – they have caused concern within the U.S. government, particularly when they are launched at critical infrastructure like airports and hospitals.

[Image: Killnet DDoS attacks. Image: Microsoft]

In recent months, the group has focused its attention on the websites of healthcare organizations, launching a campaign in February that targeted hospitals in more than 25 states.

The Cybersecurity and Infrastructure Security Agency (CISA) said less than half of these attacks – which involved routing a deluge of page requests at targeted websites — were successful in knocking sites offline.

On Friday, Microsoft Azure Network Security Team members Amir Dahan and Syed Pasha published an analysis of DDoS attacks on healthcare organizations using their security tools.

They tracked all of the attacks from November 18, 2022 to February 17, 2023, observing an increase from 10-20 daily attacks in November to 40-60 attacks each day in February.

“The types of healthcare organizations attacked included pharma and life sciences with 31% of all attacks, hospitals with 26%, healthcare insurance with 16%, and health services and care also with 16%,” they said.

[Image: Healthcare victims of Killnet DDoS attacks. Image: Microsoft]

Killnet typically tried two different methods – creating many different connections and trying to keep them alive for as long as possible to render a website useless, or establishing as many new connections as possible over a short amount of time to drain resources.

“KillNet and its affiliated adversaries utilize DDoS attacks as their most common tactic. By using DDoS scripts and stressors, recruiting botnets, and utilizing spoofed attack sources, KillNet could easily disrupt the online presence of websites and apps,” the researchers said.

DDoS protection services like Cloudflare have reported similar trends. Akamai — another firm that offers similar tools — published a report last month that found DDoS incidents in Europe increased significantly in 2022, with more campaigns now involving extortion tactics. The company also warned that DDoS attacks are now increasingly being used as cover for actual intrusions involving ransomware and data theft.

Cloudflare’s Omer Yoachimik told The Record that their research into the Killnet healthcare DDoS campaign indicates that the attacks were being crowdsourced – meaning Killnet operators are reaching out to other groups and individuals that are either using multiple botnets or different attack methods.

CISA also told The Record that DDoS incidents have become a priority issue for them as they seek to protect critical infrastructure.

“Our regional personnel are working closely with our partners on the ground and we encourage all organizations — including state and local governments — to stay vigilant and to take steps to protect themselves,” the spokesperson said, referencing a guide released with the FBI in October about how organizations can reduce the likelihood and impact of DDoS attacks.

The spokesperson added that for much of the past year, CISA has been helping organizations mitigate DDoS attacks, particularly those launched by Killnet. The agency also worked with several tech companies to provide free resources to under-funded organizations that can help them reduce the impact of DDoS attacks.

(c) Jonathan Greig

Bitcoin ATM customers hacked by video upload that was actually an app

There are plenty of military puns in operating system history.

Unix famously has a whole raft of personnel known as Major Number, who organise the battalions of devices such as disk drives, keyboards and webcams in your system.

Microsoft once struggled with the apparently incompetent General Failure, who was regularly spotted trying to read your DOS disks and failing.

Linux has intermittently had trouble with Colonel Panic, whose appearance is typically followed by lost data, potentially damaged file systems, and an urgent need to turn off the power and reboot your computer.

And a Czech cryptocurrency company doesn’t seem to be getting the sort of reliability you might reasonably expect from a personality called General Bytes.

Actually, General Bytes is the name of the company itself, a business that sadly is no stranger to unwanted intrusions and unauthorised access to cryptocurrency funds.

Once is misfortune

In August 2022, we wrote how General Bytes had fallen victim to a server-side bug in which remote attackers could trick a customer’s ATM server into giving them access to the “set up a brand new system” configuration pages.

If you’ve ever reflashed an iPhone or an Android device, you’ll know that the person who performs the original setup ends up with control over the device, notably because they get to configure the primary user and to choose a brand new lock code or passphrase during the process.

However, you’ll also know that modern mobile phones forcibly wipe the old contents of the device, including all of the old user’s data, before they reinstall and reconfigure the operating system, apps, and system settings.

In other words, you can start again, but you can’t take over where the last user left off, otherwise you could use a system reflash (or a DFU, short for device firmware upgrade, as Apple calls it) to get at the previous owner’s files.

In the General Bytes ATM server, however, the unauthorised access path that got the attackers into the “start from scratch” setup screens didn’t neutralise any data on the infiltrated device first…

…so the crooks could abuse the server’s “set up a new administrative account” process to create an additional admin user on an existing system.

Twice looks like carelessness

Last time, General Bytes suffered what you might call a malwareless attack, where the criminals didn’t implant any malicious code.

The 2022 attack was orchestrated simply through malevolent configuration changes, with the underlying operating system and server software left untouched.

This time, the attackers used a more conventional approach that relied on an implant: malicious software, or malware for short, that was uploaded via a security loophole and then used as what you might call an “alternative control panel”.

In plain English: the crooks found a bug that allowed them to install a backdoor so they could get in thereafter without permission.

As General Bytes put it:

The attacker was able to upload his own Java application remotely via the master service interface used by terminals to upload videos and run it using batm user privileges.

We’re not sure why an ATM needs a remote image-and-video upload option, as though it were some sort of community blogging site or social media service…

…but it seems that the Coin ATM Server system does include just such a feature, presumably so that ads and other special offers can be promoted directly to customers who visit the ATMs.

Uploads that aren’t what they seem

Unfortunately, any server that allows uploads, even if they come from a trusted (or at least an authenticated) source, needs to be careful of several things:

  • Uploads need to be written into a staging area where they can’t immediately be read back from outside. This helps to ensure that untrustworthy users can’t turn your server into a temporary delivery system for unauthorised or inappropriate content via a URL that looks legitimate because it has the imprimatur of your brand.
  • Uploads need to be vetted to ensure they match the file types allowed. This helps stop rogue users from booby-trapping your upload area by littering it with scripts or programs that might later end up getting executed on the server rather than simply served up to a subsequent visitor.
  • Uploads need to be saved with the most restrictive access permissions feasible, so that booby-trapped or corrupt files can’t inadvertently be executed or even accessed from more secure parts of the system.
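
The three precautions above, combined in one upload handler as an added example (this is not General Bytes code and not from the original article). The allowed media types, the size cap, the function names and the staging location are assumptions made for the illustration.

```python
import os
import secrets
import tempfile

MAX_BYTES = 50 * 1024 * 1024           # assumed size cap for promotional media
EXT_ALIASES = {"jpeg": "jpg"}


class UploadRejected(Exception):
    """Raised when an upload fails vetting; nothing is written in that case."""


def sniff(data):
    """Identify content from its leading bytes, not from the client's file name.

    A magic-byte match is necessary but not sufficient (polyglot files exist),
    which is why staging and permissions below still matter.
    """
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    return None                         # JAR/ZIP ("PK"), scripts, ELF, PE land here


def stage_upload(data, client_name, staging_dir):
    """Vet an upload and write it to a private staging area; return its path."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    kind = sniff(data)
    if kind is None:
        raise UploadRejected("content is not an allowed media type")
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    if EXT_ALIASES.get(ext, ext) != kind:
        raise UploadRejected("extension does not match content")

    # Staging area: assumed to live outside any directory the web server
    # serves, so the file has no URL until a separate review step publishes it.
    os.makedirs(staging_dir, mode=0o700, exist_ok=True)

    # The server picks the on-disk name; the client-supplied name (which may
    # contain "../") is never used to build a path.
    path = os.path.join(staging_dir, secrets.token_hex(16) + "." + kind)

    # O_EXCL refuses to overwrite; the file is created owner-only and ends up
    # read-only with no execute bit for anyone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        os.fchmod(fh.fileno(), 0o400)
    return path


def demo():
    """Run the handler on constructed inputs and report what happened."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32            # constructed image bytes
    jar_as_video = b"PK\x03\x04" + b"\x00" * 64          # archive named like a video
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "staging")
        outcome["image"] = os.path.basename(stage_upload(png, "banner.png", staging))
        try:
            stage_upload(jar_as_video, "promo.mp4", staging)
            outcome["archive"] = "stored"
        except UploadRejected as exc:
            outcome["archive"] = "rejected: " + str(exc)
    return outcome


if __name__ == "__main__":
    print(demo())
```
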

General Bytes, it seems, didn’t take these precautions, with the result that the attackers were able to perform a wide range of privacy-busting and cryptocurrency-ripping actions.

The malicious activity apparently included: reading and decrypting authentication codes used to access funds in hot wallets and exchanges; sending funds from hot wallets; downloading usernames and password hashes; retrieving customers’ cryptographic keys; turning off 2FA; and accessing event logs.

What to do?

  • If you run General Bytes Coin ATM systems, read the company’s breach report, which tells you how to look for so-called IoCs (indicators of compromise), and what to do while you wait for patches to be published.

Note that the company has confirmed that both standalone Coin ATM Servers and its own cloud-based systems (where you pay General Bytes a 0.5% levy on all transactions in return for them running your servers for you) were affected.

Intriguingly, General Bytes reports that it will be “shuttering its cloud service”, and insisting that “you’ll need to install your own standalone server”. (The report doesn’t give a deadline, but the company is already actively offering migration support.)

In an about-turn that will take the company in the opposite direction to most other contemporary service-oriented companies, General Bytes insists that “it is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors.”

  • If you have used a General Bytes ATM recently, contact your cryptocurrency exchange or exchanges for advice about what to do, and whether any of your funds are at risk.
  • If you are a programmer looking after an online service, whether it’s self-hosted or cloud-hosted, read and heed our advice above about uploads and upload directories.
  • If you’re a cryptocurrency enthusiast, keep as little of your cryptocoin stash as you can in so-called hot wallets.

Hot wallets are essentially funds that are ready to trade at a moment’s notice (perhaps automatically), and typically require either that you entrust your own cryptographic keys to someone else, or temporarily transfer funds into one or more of their wallets.

(c) Paul Ducklin

Hackers are abusing Adobe Acrobat Sign to distribute RedLine malware!

Hackers are abusing the Adobe Acrobat Sign online service to attempt to trick users into infecting their machine with RedLine malware.

Adobe Acrobat Sign cloud solution is an electronic signature service that allows users to send, track and manage the electronic signature of documents of various types. Since this service allows the user to send a signature request to anyone, hackers use it to try to trick users.

When a signature request is required, the Acrobat Sign service will generate an email and notify the targeted user via email. As a result, it is Adobe’s service that sends the email directly to the user, and therefore this email is considered legitimate. This will allow it to pass through detection systems since Adobe servers are legitimate, in principle.

According to an analysis published by Avast security researchers, cybercriminals are spreading signature requests via Acrobat Sign. When the user accesses the online document, he is prompted to click on a link that redirects him to another page where a hard-coded CAPTCHA is located. By validating this protection, the user will download a ZIP file that contains the RedLine malware. Inside this ZIP file there are other legitimate files that are not executables.

Another important detail concerns the size of the RedLine executable contained in this ZIP file. Here is what Avast says: “One of the characteristics of the two variants of Redline that these cybercriminals used in these attacks is that they artificially increased the size of the Trojan to more than 400 MB.” It is quite possible that this is a trick used by cybercriminals in hopes of circumventing some anti-virus engines: a large file could be treated differently than a light file that would be quick to scan.
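
A mail or download gateway can look for this trait without unpacking the whole archive. The check below is an added example, not Avast’s detection logic: it reads only the ZIP directory and the first two bytes of each member, and it assumes that the added bulk is highly compressible filler (the article does not say how the size was inflated). The thresholds and the sample archive are constructed.

```python
import io
import os
import zipfile

EXEC_EXTS = (".exe", ".scr", ".dll", ".com")


def inspect_zip(blob, size_limit=100 * 1024 * 1024, ratio_limit=50.0):
    """Return findings for executables that are very large or mostly padding.

    size_limit and ratio_limit are assumed thresholds; tune them to your traffic.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                # Streaming read of two bytes: never inflates the full member.
                with zf.open(info) as member:
                    head = member.read(2)
            except RuntimeError:          # encrypted member, content unreadable
                head = b""
            is_exec = head == b"MZ" or info.filename.lower().endswith(EXEC_EXTS)
            if not is_exec:
                continue
            # Sizes come from the archive directory, so this costs nothing.
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size >= size_limit:
                reasons.append("oversized")
            if ratio >= ratio_limit:
                reasons.append("highly-compressible")
            if reasons:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "ratio": round(ratio, 1),
                    "reasons": reasons,
                })
    return findings


def build_sample():
    """Constructed archive: a text file, a normal-looking binary, a padded one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample\n")
        # Random bytes stand in for real code: they barely compress.
        zf.writestr("tool.exe", b"MZ" + os.urandom(20000))
        # Small body followed by 8 MiB of zero padding.
        zf.writestr("invoice.exe", b"MZ" + os.urandom(4096) + bytes(8 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample(), size_limit=4 * 1024 * 1024):
        print(finding)
```

A file flagged this way should be routed to a scanner that does not skip large files, since the size-based exemption is what the padding is suspected to target.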

As a reminder, this malware is known to steal identifiers and the contents of cryptocurrency wallets on infected computers.

So far, Avast has detected a few use cases for this method and it doesn’t seem to be widely used, but beware as always: “This misuse of Adobe Acrobat Sign to distribute malware is a new technique used by attackers and targeting a specific victim. Our team has not yet detected any other attacks using this technique, but we are concerned that it will become a popular choice for cybercriminals in the near future.”

(c) Florian Burnel 

Hackers steal $197 million in crypto in Euler Finance attack

Lending protocol Euler Finance was hit by a cryptocurrency flash loan attack on Sunday, with the threat actor stealing $197 million in multiple digital assets.

The cryptocurrency theft involved multiple tokens, including $8.75 million worth of DAI, $18.5 million in WBTC, $33.85 million in USDC, and $135.8 million in stETH.

The attacker’s ETH wallet used to store the stolen funds is being tracked, so it will be challenging for the perpetrator to move the stolen funds around and convert them to a usable form.

However, Elliptic reports that the threat actors are already laundering the proceeds through the sanctioned cryptocurrency mixer Tornado Cash.

The startup behind Euler Finance, UK-based Euler Labs, shared a brief statement on Twitter, saying that they are currently engaging with security professionals and law enforcement agencies and will release more information when ready.

The attack caused the Euler (EUL) token value to drop by 44.2% overnight, going from $6.56 to $3.37 at the time of writing.

Flash loan attacks exploit a vulnerability in a lending protocol to borrow a large sum of money without having to return its value to the service.

The attackers use an exploit that allows them to manipulate the price of a token or asset on the platform during the few seconds that they hold the lent amount, so when the trade is complete, they are left with a massive profit.

A similar flash loan attack targeted the Beanstalk DeFi platform in April 2022, when threat actors stole $182 million in assets.

Blockchain security and analytics company PeckShield reported that the hack of Euler was made possible due to the flawed logic in its donation and liquidation system.

More specifically, the function “donateToReserves” did not verify that the attacker was donating an over-collateralized sum, and the liquidation system did not correctly verify the conversion rate from the borrowed to the collateral asset.

[Image: Euler code flaw]

These flaws allowed the attackers to manipulate the conversion rate to profit from the liquidation process.

PeckShield says the attack involved two hackers, a borrower and a liquidator, working in coordination to perform the required actions illustrated in the below diagram.

[Image: Attack steps performed by the hackers]

DeFi hacks have been rising in the past couple of years, with hackers abandoning their efforts to attack exchanges and shifting their focus to the rapid exploitation of logic flaws in crypto lending platforms’ smart contracts.

These attacks are so devastating that they can derail overnight a healthy and prosperous company that has already undergone multiple security audits.

(c) Bill Toulas

Attack on Acronis – Hacker released 12 gigabytes of data

Acronis has been the victim of a cyber attack. A hacker published 12 gigabytes of data in the so-called Breached Forum. The company launched an investigation.

The Swiss cybersecurity and storage company Acronis has been the victim of a cyber attack. As “The Register” reports, a hacker named Kernelware stole 12 gigabytes of data and published them on the Breached forum.

The leaked data includes certificate data, various logs, scripts, configurations and screenshots. Kernelware is also said to be responsible for the Acer leak, in which over 150 gigabytes of data were stolen.

Kernelware’s motivation was to exploit Acronis’ “weak security” and expose the company, as stated in a separate statement in the Breached Forum. 

Meanwhile, Acronis CISO Kevin Reed published a statement on LinkedIn about the incident. A single customer was affected by the attack, whose credentials for uploading diagnostic data to Acronis were stolen. Account access has now been blocked and an investigation is underway. According to Reed, no other Acronis systems or credentials are affected.

(c) Calvin Lampert and lha