Tag Archive for: cyberattack

FBI Dismantles QakBot Malware, Frees 700,000 Computers, Seizes $8.6 Million

A coordinated law enforcement effort codenamed Operation Duck Hunt has felled QakBot, a notorious Windows malware family that’s estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware.

To that end, the U.S. Justice Department (DoJ) said the malware is “being deleted from victim computers, preventing it from doing any more harm,” adding it seized more than $8.6 million in cryptocurrency in illicit profits.

The cross-border exercise involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler.

The dismantling has been hailed as “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals.” No arrests were announced.

QakBot, also known as QBot and Pinkslipbot, started its life as a banking trojan in 2007 before morphing into a general-purpose Swiss Army knife that acts as a distribution center for malicious code on infected machines, including ransomware, unbeknownst to the victims.

Some of the major ransomware families propagated through QakBot include Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. QakBot administrators are said to have received fees corresponding to approximately $58 million in ransoms paid by victims between October 2021 and April 2023.

“QakBot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats,” Will Lyne, head of cyber intelligence at the U.K.’s National Crime Agency (NCA), said in a statement.

The counteroffensive against QakBot follows a similar takedown of Emotet in October 2020, which has since resurfaced following a major disruption to its backend infrastructure.

Typically distributed via phishing emails, the modular malware also comes fitted with command execution and information harvesting capabilities. It has seen constant updates during its lifetime, with the actors (codenamed Gold Lagoon or Mallard Spider) known to take extended breaks each summer before resuming their spamming campaigns.

“The victim computers infected with QakBot malware are part of a botnet (a network of compromised computers), meaning the perpetrators can remotely control all the infected computers in a coordinated manner,” the DoJ said.

The joint effort, according to court documents, enabled access to QakBot infrastructure, thereby making it possible to redirect the botnet traffic to and through servers controlled by the U.S. Federal Bureau of Investigation (FBI) with the ultimate goal of neutralizing the “far-reaching criminal supply chain.”

Specifically, the servers instructed the compromised endpoints to download an uninstaller file that’s designed to untether the machines from the QakBot botnet, effectively preventing additional payloads from being delivered.

[Image: QakBot Malware. Source: CISA]

Secureworks Counter Threat Unit (CTU) said it detected the botnet distributing shellcode to infected devices on August 25, 2023, which “unpacks a custom DLL (dynamic-link library) executable that contains code that can cleanly terminate the running QakBot process on the host” by means of a QPCMD_BOT_SHUTDOWN command.

“The victims [in the U.S.] ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,” FBI Director Christopher Wray said.

QakBot has demonstrated a higher level of complexity over time, rapidly shifting its tactics in response to new security guardrails. For instance, after Microsoft disabled macros by default in all Office applications, it began abusing OneNote files as an infection vector earlier this year.

The sophistication and adaptability are also evident in the operators’ ability to weaponize a wide range of file formats (e.g., PDF, HTML, and ZIP) in their attack chains. A majority of QakBot’s command-and-control (C2) servers are concentrated in the U.S., the U.K., India, Canada, and France. Its backend infrastructure is located in Russia.

QakBot, like Emotet and IcedID, employs a three-tiered system of servers to control and communicate with the malware installed on infected computers. The primary purpose of the Tier 1 and Tier 2 servers is to forward communications containing encrypted data between QakBot-infected computers and the Tier 3 server which controls the botnet.

As of mid-June 2023, 853 Tier 1 servers (aka supernodes) have been identified in 63 countries, with Tier 2 servers functioning as proxies to conceal the main C2 server. Data gathered by Abuse.ch shows that all QakBot servers are currently offline.

“QakBot is a highly sophisticated banking trojan malware, strategically targeting businesses across different countries,” Zscaler researchers noted in an exhaustive analysis published in late July 2023.

“This elusive threat employs multiple file formats and obfuscation methods within its attack chain, enabling it to evade detection from conventional antivirus engines. Through its experimentation with diverse attack chains, it becomes evident that the threat actor behind QakBot is continuously refining its strategies.”

QakBot has also been one of the most active malware families in the second quarter of 2023, per HP Wolf Security, leveraging as many as 18 unique attack chains and clocking 56 campaigns over the time period, underscoring the e-crime group’s penchant for “quickly permuting their tradecraft to exploit gaps in network defenses.”


(c) Thn

Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks

VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution.

The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation.

“A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI,” the company said in an advisory.

ProjectDiscovery researchers Harsh Jaiswal and Rahul Maini have been credited with discovering and reporting the issue.

The second weakness, CVE-2023-20890 (CVSS score: 7.2), is an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution.

Credited with reporting the bug is Sina Kheirkhah of Summoning Team, who previously uncovered multiple flaws in the same product, including CVE-2023-20887, which came under active exploitation in the wild in June 2023.

The vulnerabilities, which affect VMware Aria Operations for Networks versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10, have been addressed in a series of patches released by VMware for each of the versions.

The virtualization services provider said that version 6.11.0 comes with fixes for the two flaws.

Given that VMware security issues have been a lucrative target for threat actors in the past, it’s imperative that users move quickly to update to the latest version to safeguard against potential threats.


(c) Thn

Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports.

The Shadowserver Foundation said that it’s “seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint,” the same day a proof-of-concept (PoC) became available.

The issues, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-based attacker to execute arbitrary code on susceptible installations.

Patches for the flaws were released on August 17, 2023, a week after which watchTowr Labs published a proof-of-concept (PoC) that combines CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode.

Currently, there are more than 8,200 Juniper devices that have their J-Web interfaces exposed to the internet, most of them from South Korea, the U.S., Hong Kong, Indonesia, Turkey, and India.

Kinsing Exploits Openfire Vulnerability

Another vulnerability that has been weaponized by threat actors is CVE-2023-32315, a high-severity path traversal bug in Openfire’s administrative console that could be leveraged for remote code execution.

“This flaw allows an unauthorized user to exploit the unauthenticated Openfire Setup Environment within an established Openfire configuration,” cloud security firm Aqua said.

“As a result, a threat actor gains access to the admin setup files that are typically restricted within the Openfire Admin Console. Next, the threat actor can choose between either adding an admin user to the console or uploading a plugin which will eventually allow full control over the server.”

Threat actors associated with the Kinsing malware botnet have been observed utilizing the flaw to create a new admin user and upload a JAR file, which contains a file named cmd.jsp that acts as a web shell to drop and execute the malware and a cryptocurrency miner.

Aqua said it found 6,419 internet-connected servers with Openfire service running, with a majority of the instances located in China, the U.S., and Brazil.

Apache RocketMQ Vulnerability Targeted by DreamBus Botnet

In a sign that threat actors are always on the lookout for new flaws to exploit, an updated version of the DreamBus botnet malware has been observed taking advantage of a critical-severity remote code execution vulnerability in RocketMQ servers to compromise devices.

The issue, cataloged as CVE-2023-33246, is a remote code execution flaw impacting RocketMQ versions 5.1.0 and below that enables an unauthenticated attacker to run commands with the same access level as that of the system user process.

In the attacks detected by Juniper Threat Labs since June 19, 2023, successful exploitation of the flaw paves the way for the deployment of a bash script called “reketed,” which acts as the downloader for the DreamBus botnet from a TOR hidden service.

DreamBus is a Linux-based malware that’s a variant of SystemdMiner and is engineered to mine cryptocurrency on infected systems. Active since early 2019, it’s been known to be propagated by specifically exploiting remote code execution vulnerabilities.

“As part of the installation routine, the malware terminates processes, and eliminates files associated with outdated versions of itself,” security researcher Paul Kimayong said, adding it sets up persistence on the host by means of a cron job.

“However, the presence of a modular bot like the DreamBus malware equipped with the ability to execute bash scripts provides these cybercriminals the potential to diversify their attack repertoire, including the installation of various other forms of malware.”

Exploitation of Cisco ASA SSL VPNs to Deploy Akira Ransomware

The developments come amid cybersecurity firm Rapid7 warning of an uptick in threat activity dating back to March 2023 and targeting Cisco ASA SSL VPN appliances in order to deploy Akira and LockBit ransomware.

While some instances have entailed the use of credential stuffing, activity in others “appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users,” the company said.

Cisco has acknowledged the attacks, noting that the threat actors could also be purchasing stolen credentials from the dark web to infiltrate organizations.

This hypothesis is further bolstered by the fact that an initial access broker referred to as Bassterlord was observed selling a guide on breaking into corporate networks in underground forums earlier this February.

“Notably, the author claimed they had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test,” Rapid7 said.

“It’s possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.”

The disclosures also arrive as unpatched Citrix NetScaler ADC and Gateway appliances are at heightened risk of opportunistic attacks by ransomware actors who are making use of a critical flaw in the products to drop web shells and other payloads.


(c) Thn

Malicious npm Packages Aim to Target Developers for Source Code Theft

An unknown threat actor is leveraging malicious npm packages to target developers with an aim to steal source code and configuration files from victim machines, a sign of how threats lurk consistently in open-source repositories.

“The threat actor behind this campaign has been linked to malicious activity dating back to 2021,” software supply chain security firm Checkmarx said in a report shared with The Hacker News. “Since then, they have continuously published malicious packages.”

The latest report is a continuation of the same campaign that Phylum disclosed at the start of the month in which a number of npm modules were engineered to exfiltrate valuable information to a remote server.

The packages, by design, are configured to execute immediately post-installation by means of a postinstall hook defined in the package.json file. It triggers the launch of preinstall.js, which spawns index.js to capture the system metadata as well as harvest source code and secrets from specific directories.

The attack culminates with the script creating a ZIP archive of the data and transmitting it to a predefined FTP server.
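The install-time hook is the part of this chain a defender can check for before `npm install` ever runs it. The following audit script is an added example, not Checkmarx’s or Phylum’s tooling: it parses a package.json, reports every lifecycle script npm executes automatically at install time (the mechanism described above, where a postinstall hook launches preinstall.js), and flags the “lexi2” author string the article reports as the campaign’s common trait. The sample manifest and its package name are constructed for the demo; the severity heuristics are the example’s own.

```python
"""Install-hook audit for npm package manifests (added example, not the
article's or any vendor's code). Sample manifest below is constructed."""
import json
from dataclasses import dataclass
from typing import List

# Lifecycle scripts npm runs with no user action beyond `npm install`.
INSTALL_TIME_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Author strings reported as a common trait of the campaign (from the article).
WATCHED_AUTHORS = {"lexi2"}

# Tokens in a hook command that warrant a closer look: a launched script file,
# a shell, a downloader, or command chaining.
SUSPICIOUS_TOKENS = {"node", "sh", "bash", "curl", "wget", "&&", "|", "||", ";"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "info" | "warn" | "high"
    detail: str


def _author_name(author) -> str:
    """package.json allows `author` as a plain string or an object with `name`."""
    if isinstance(author, dict):
        return str(author.get("name", ""))
    return str(author or "")


def _looks_suspicious(cmd: str) -> bool:
    tokens = cmd.split()
    return any(t in SUSPICIOUS_TOKENS or t.endswith(".js") for t in tokens)


def audit_manifest(text: str) -> List[Finding]:
    """Return findings for one package.json document given as text."""
    findings: List[Finding] = []
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [Finding("warn", f"package.json is not valid JSON: {exc}")]

    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_TIME_SCRIPTS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        sev = "high" if _looks_suspicious(str(cmd)) else "warn"
        findings.append(Finding(sev, f"install-time hook {hook!r} runs: {cmd}"))

    name = _author_name(pkg.get("author"))
    if name.strip().lower() in WATCHED_AUTHORS:
        findings.append(Finding("high", f"author {name!r} matches a watched campaign trait"))

    if not findings:
        findings.append(Finding("info", "no install-time hooks and no watched author"))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    order = {"info": 0, "warn": 1, "high": 2}
    return max(findings, key=lambda f: order[f.severity]).severity


# Constructed manifest modelled on the article's description (placeholder name).
SAMPLE_MANIFEST = json.dumps({
    "name": "example-crm-client",
    "version": "1.0.0",
    "author": "lexi2",
    "scripts": {"postinstall": "node preinstall.js", "test": "echo ok"},
})

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{f.severity}] {f.detail}")
```

Run it over every package.json in a lockfile-resolved `node_modules` tree (or in a registry mirror before packages are admitted) and gate on `highest_severity`; `npm install --ignore-scripts` remains the blunt way to keep such hooks from running at all.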

A common trait that connects all the packages is the use of “lexi2” as the author in the package.json file, enabling Checkmarx to trace the origins of the activity as far back as 2021.

While the exact goals of the campaign are unclear, the use of package names such as binarium-client, binarium-crm, and rocketrefer suggests that the targeting is geared towards the cryptocurrency sector.

“The cryptocurrency sector remains a hot target, and it’s important to recognize that we’re not just grappling with malicious packages, but also persistent adversaries whose continuous and meticulously planned attacks date back months or even years,” security researcher Yehuda Gelb said.


(c) Thn

How to Prevent ChatGPT From Stealing Your Content & Traffic

ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools.

Now, the latest technology damaging businesses’ bottom line is ChatGPT.

Not only have ChatGPT, OpenAI, and other LLMs raised ethical issues by training their models on data scraped from across the internet; LLMs are also negatively impacting enterprises’ web traffic, which can be extremely damaging to business.

3 Risks Presented by LLMs, ChatGPT, & ChatGPT Plugins

Among the threats ChatGPT and ChatGPT plugins can pose against online businesses, there are three key risks we will focus on:

  1. Content theft (or republishing data without permission from the original source) can hurt the authority, SEO rankings, and perceived value of your original content.
  2. Reduced traffic to your website or app becomes problematic, as users getting answers directly through ChatGPT and its plugins no longer need to find or visit your pages.
  3. Data breaches, or even the accidental broad distribution of sensitive data, are becoming more likely by the second. Not all “public-facing” data is intended to be redistributed or shared outside of the original context, but scrapers do not know the difference. The results can include anything from a loss in competitive advantage to severe damages to your brand reputation.

Depending on your business model, your company should consider ways to opt out of having your data used to train LLMs.

3 Most Impacted Industries

The most at-risk industries for ChatGPT-driven damage are those in which data privacy is a top concern, unique content and intellectual property are key differentiators, and ads, eyes, and unique visitors are an important source of revenue. These industries include:

  1. E-Commerce: Product descriptions and pricing models can be key differentiators.
  2. Streaming, Media, & Publishing: All about providing the audience with unique, creative, and entertaining content.
  3. Classified Ads: Pay per click (PPC) advertising revenue can be severely impacted by a decrease in website traffic (as well as other bot issues like click fraud or skewed site analytics due to scrapers).

How ChatGPT Gets Training Data

According to a research paper published by OpenAI, ChatGPT3 was trained on several datasets:

  • Common Crawl
  • WebText2
  • Books1 and Books2
  • Wikipedia

The largest amount of training data comes from Common Crawl, which provides access to web information through an open repository of web crawl data. The Common Crawl crawler bot, also known as CCBot, leverages Apache Nutch to enable developers to build large-scale scrapers.

The most current version of CCBot crawls from Amazon AWS and identifies itself with a user agent of ‘CCBot/2.0’. But businesses that want to allow CCBot should not rely solely on the user agent to identify it, because many bad bots spoof their user agents to disguise themselves as good bots and avoid being blocked.

To allow CCBot on your website, use attributes such as IP ranges or reverse DNS. To block ChatGPT, your website should, at minimum, block traffic from CCBot.

3 Ways to Block CCBot

  1. Robots.txt: Since CCBot respects robots.txt files, you can block it with the following lines:

     User-agent: CCBot
     Disallow: /

  2. Blocking CCBot User Agent: You can safely block an unwanted bot through its user agent. (Note that, in contrast, allowing bot traffic through the user agent can be unsafe, as it is easily abused by attackers.)
  3. Bot Management Software: Whether it’s for ChatGPT or a dark web database, the best way to prevent bots from scraping your websites, apps, and APIs is with specialized bot protection that uses machine learning to keep up with evolving threat tactics in real time.


Scrapers Can Always Find Workarounds

LLMs use scraper bots to gather training data. While blocking CCBot might be effective for blocking ChatGPT scrapers today, there is no telling what the future holds for LLM scrapers. Moving forward, if too many websites block OpenAI (for example) from accessing their content, the developers could decide to stop respecting robots.txt and could stop declaring their crawler identity in the user agent.

Another possibility is OpenAI could use its partnership with Microsoft to access Microsoft Bing’s scraper data, making the situation more challenging for website owners. Bing’s bots identify as Bingbot, but blocking them could cause problems by preventing your site from being indexed on the Bing search engine, resulting in fewer human visitors.

You could face similar issues by blocking Google’s LLM Bard (competitor to ChatGPT). Google is vague about the origin and collection of the public data used to train Bard, but it is possible that Bard is, or will be, trained with data collected by Googlebot scrapers. Like with Bingbot, blocking Googlebot would likely be unwise, impacting how your website gets indexed and how the Google search engine drives traffic to your site. The result could mean a serious drop in visitors.

Using Plugins to Access Live Data

One of the main limits of models like ChatGPT is the lack of access to live data. Since it was trained on a dataset that stops in 2021, it is unable to provide the most relevant, up-to-date information. That’s where plugins come in.

Plugins are used to connect LLMs like ChatGPT to external tools and allow the LLMs to access external data available online, which can include private data and real-time news. Plugins also let users complete actions online (e.g. booking a flight or ordering groceries) through API calls.

Some businesses are developing their own plugins to provide a new way for users to interact with their content/services via ChatGPT. But, depending on your industry, letting users interact with your website through third-party ChatGPT plugins can mean fewer ads seen by your users, as well as lower traffic to your website.

You may also notice that users are less willing to pay for your premium features once your features can be replicated through third-party ChatGPT plugins. For example, an unofficial web client interacting with your site could offer premium features through their UI.

How to Identify ChatGPT Plugin Requests

OpenAI documentation states that requests with a specific user agent HTTP header (with token: “ChatGPT-User”) come from ChatGPT plugins. But the documentation does not state that the disclosed user agent is the only user agent that can be used by plugins when making HTTP requests.

Therefore, as ChatGPT plugins interact with third-party APIs, those APIs can make any kind of HTTP request from their own infrastructure. The diagram below shows what happens when a fictitious “Live Sport Plugin” is used with ChatGPT to get an update about a sporting event.

[Diagram: ChatGPT Plugins]
  1. ChatGPT triggers the Live Sport Plugin, making a request to the API endpoints based on parameters from the user prompt.
  2. The plugin makes an HTTP request to scrape a sports website to get the latest information about the event.
  3. The information is then passed back to the end user through ChatGPT.

A plugin can actually make a request to a sport API without having to scrape the sports website. In fact, when requests are made directly from the server hosting the plugin API, there is no constraint on the user agent.

How to Block ChatGPT Plugin Requests

In a process similar to blocking ChatGPT’s web scrapers, you can block requests from plugins that declare their presence with the “ChatGPT-User” substring by user agent. But blocking the user agent could also block ChatGPT users with the “browsing” mode activated. And, contrary to what OpenAI documentation might indicate, blocking requests from “ChatGPT-User” does not guarantee that ChatGPT and its plugins can’t reach your data under different user agent tokens.

In fact, ChatGPT plugins can make requests directly from the servers hosting their APIs using any user agent, and even using automated (headless) browsers. Detecting plugins that do not declare their identity in the user agent requires advanced bot detection techniques.
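The two rules the article gives, block on a user agent but never allow on one alone, and verify a crawler you do want with IP ranges or reverse DNS, fit in one request-policy function. The code below is an added example and is not DataDome’s, OpenAI’s or Common Crawl’s code. The blocked tokens (“CCBot”, “ChatGPT-User”) come from the article; the allow-list rules, their DNS suffixes and CIDR ranges, and every DNS record in the demo resolver are assumptions constructed for an offline run, to be replaced with each crawler operator’s published verification data. It generalizes the article’s CCBot case to any crawler: a User-Agent that claims an allowed crawler is trusted only after forward-confirmed reverse DNS (PTR, then A/AAAA back to the same address) or a match against a published IP range.

```python
"""Crawler request policy: block-by-UA, verify-before-allow (added example;
allow-list rules and demo DNS data are constructed assumptions)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Substrings the site chooses to deny outright. Denying on a UA is safe: a
# spoofed UA only gets the spoofer denied. Allowing on a UA is the unsafe case.
BLOCKED_UA_TOKENS = ("CCBot", "ChatGPT-User")


@dataclass(frozen=True)
class CrawlerRule:
    """A crawler the site wants to allow, and how its requests are verified."""
    ua_token: str                 # substring expected in the User-Agent
    dns_suffixes: tuple = ()      # PTR hostname suffixes for forward-confirmed rDNS
    ip_ranges: tuple = ()         # CIDR ranges published by the operator, if any


# Assumed verification data; confirm against each operator's own guidance.
DEFAULT_ALLOW_RULES = (
    CrawlerRule("Googlebot", dns_suffixes=(".googlebot.com", ".google.com")),
    CrawlerRule("bingbot", dns_suffixes=(".search.msn.com",)),
)


@dataclass(frozen=True)
class Decision:
    action: str    # "block" | "allow" | "verify-failed" | "pass"
    reason: str


ReverseLookup = Callable[[str], List[str]]   # ip -> PTR hostnames
ForwardLookup = Callable[[str], List[str]]   # hostname -> addresses


def forward_confirmed_rdns(ip: str, suffixes: Iterable[str],
                           reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """PTR(ip) must end in an expected suffix AND resolve forward to the same ip.
    The forward step defeats anyone who controls the PTR record of their own
    address space and points it at a trusted-looking name."""
    try:
        hosts = reverse(ip)
    except OSError:
        return False
    for host in hosts:
        name = host.rstrip(".").lower()
        if not any(name.endswith(s.lower()) for s in suffixes):
            continue
        try:
            if ip in forward(name):
                return True
        except OSError:
            continue
    return False


def in_ranges(ip: str, cidrs: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def classify_request(user_agent: str, client_ip: str,
                     reverse: ReverseLookup, forward: ForwardLookup,
                     blocked_tokens: Iterable[str] = BLOCKED_UA_TOKENS,
                     allow_rules: Iterable[CrawlerRule] = DEFAULT_ALLOW_RULES) -> Decision:
    ua = (user_agent or "").lower()
    for token in blocked_tokens:
        if token.lower() in ua:
            return Decision("block", f"User-Agent carries blocked token {token!r}")
    for rule in allow_rules:
        if rule.ua_token.lower() not in ua:
            continue
        if rule.ip_ranges and in_ranges(client_ip, rule.ip_ranges):
            return Decision("allow", f"{rule.ua_token}: source IP in published range")
        if rule.dns_suffixes and forward_confirmed_rdns(client_ip, rule.dns_suffixes, reverse, forward):
            return Decision("allow", f"{rule.ua_token}: forward-confirmed reverse DNS")
        return Decision("verify-failed", f"User-Agent claims {rule.ua_token} but {client_ip} did not verify")
    return Decision("pass", "no crawler token; hand off to behavioural bot detection")


# Resolvers backed by the system stack, for real use (need network access).
def system_reverse(ip: str) -> List[str]:
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name, *aliases]


def system_forward(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS records for the offline demo (not real records).
_DEMO_PTR = {
    "203.0.113.10": ["crawl-203-0-113-10.googlebot.com."],  # genuine-looking, confirms
    "203.0.113.20": ["host.example.net."],                 # PTR outside any suffix
    "203.0.113.30": ["fake.googlebot.com."],               # PTR spoofed, forward mismatch
}
_DEMO_A = {
    "crawl-203-0-113-10.googlebot.com": ["203.0.113.10"],
    "host.example.net": ["203.0.113.20"],
    "fake.googlebot.com": ["198.51.100.1"],
}


def demo_reverse(ip: str) -> List[str]:
    return _DEMO_PTR.get(ip, [])


def demo_forward(host: str) -> List[str]:
    return _DEMO_A.get(host, [])


if __name__ == "__main__":
    for ua, ip in [("CCBot/2.0 (https://commoncrawl.org/faq/)", "203.0.113.5"),
                   ("Mozilla/5.0 ChatGPT-User", "203.0.113.6"),
                   ("Mozilla/5.0 (compatible; Googlebot/2.1)", "203.0.113.10"),
                   ("Mozilla/5.0 (compatible; Googlebot/2.1)", "203.0.113.30"),
                   ("Mozilla/5.0 Firefox/117.0", "203.0.113.40")]:
        d = classify_request(ua, ip, demo_reverse, demo_forward)
        print(f"{ip:14} {d.action:14} {d.reason}")
```

The “pass” outcome is deliberate: a request with no crawler token is neither trusted nor denied here, because plugins and headless browsers that do not announce themselves (the case the paragraph above describes) can only be caught by the fingerprinting and behavioural checks the article points to next. Swapping the `CrawlerRule` table is how a site that wants CCBot, rather than blocking it, would express that choice.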

Determining Your Next Steps

Obtaining high-quality datasets of human-generated content will remain of critical importance to LLMs. In the long term, companies like OpenAI (funded partially by Microsoft) and Google may be tempted to use Bingbots and Googlebots to build datasets to train their LLMs. That would make it more difficult for websites to simply opt out of having their data collected, since most online businesses rely heavily on Bing and Google to index their content and drive traffic to their site.

Websites with valuable data will either want to look for ways to monetize the use of their data or opt out of AI model training to avoid losing web traffic and ad revenue to ChatGPT and its plugins. If you wish to opt out, you’ll need advanced bot detection techniques, such as fingerprinting, proxy detection, and behavioral analysis, to stop bots before they can access your data.

Advanced solutions for bot and fraud protection leverage AI and machine learning (ML) to detect and stop unfamiliar bots from the first request, keeping your content safe from LLM scrapers, unknown plugins, and other rapidly evolving AI technologies.

Note: This article is expertly written and contributed by Antoine Vastel, PhD, Head of Research at DataDome.


(c) Thn

China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users

Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices.

Slovakian company ESET attributed the campaign to a China-linked actor called GREF.

“Most likely active since July 2020 and since July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram,” security researcher Lukáš Štefanko said in a new report shared with The Hacker News.

Victims have been primarily detected in Germany, Poland, and the U.S., followed by Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.

BadBazaar was first documented by Lookout in November 2022 as targeting the Uyghur community in China with seemingly benign Android and iOS apps that, once installed, harvest a wide range of data, including call logs, SMS messages, locations, and others.

The earlier campaign, active since at least 2018, is also notable for the fact that the rogue Android apps were never published to the Play Store. The latest set of apps has since been taken down from Google’s app storefront, but they continue to be available on the Samsung Galaxy Store.

The details of the apps are as follows –

  • Signal Plus Messenger (org.thoughtcrime.securesmsplus) – 100+ downloads since July 2022, also available via signalplus[.]org
  • FlyGram (org.telegram.FlyGram) – 5,000+ downloads since June 2020, also available via flygram[.]org

Beyond these distribution mechanisms, it’s said that potential victims have also been likely tricked into installing the apps from a Uyghur Telegram group focused on sharing Android apps. The group has over 1,300 members.

Both Signal Plus Messenger and FlyGram are designed to collect and exfiltrate sensitive user data, with each app dedicated to also amassing information from the respective apps they mimic: Signal and Telegram.


This includes the ability to access Signal PIN and Telegram chat backups should the victim enable a Cloud Sync feature from the trojanized app.

In what’s a novel twist, Signal Plus Messenger represents the first documented case of surveillance of a victim’s Signal communications by covertly linking the compromised device to the attacker’s Signal account without requiring any user interaction.

“BadBazaar, the malware responsible for the spying, bypasses the usual QR code scan and user click process by receiving the necessary URI from its [command-and-control] server, and directly triggering the necessary action when the Link device button is clicked,” Štefanko explained.

“This enables the malware to secretly link the victim’s smartphone to the attacker’s device, allowing them to spy on Signal communications without the victim’s knowledge.”

FlyGram, for its part, also implements a feature called SSL pinning to evade analysis by embedding the certificate within the APK file such that only encrypted communication with the predefined certificate is allowed, thereby making it challenging to intercept and analyze the network traffic between the app and its server.

An examination of the app Cloud Sync feature has further revealed that every user who registers for the service is assigned a distinct ID that’s sequentially incremented. It’s estimated that 13,953 users (including ESET) installed FlyGram and activated the Cloud Sync feature.

ESET said it’s continuing to track GREF as a separate cluster despite prior open-source reporting connecting the group to APT15, citing a lack of definitive evidence.

“BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” Štefanko said.


(c) Thn

MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature

A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud.

“The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim’s device,” Trend Micro said.

What makes MMRat stand apart from others of its kind is the use of a customized command-and-control (C2) protocol based on protocol buffers (aka protobuf) to efficiently transfer large volumes of data from compromised handsets, demonstrating the growing sophistication of Android malware.

Possible targets based on the language used in the phishing pages include Indonesia, Vietnam, Singapore, and the Philippines.

The entry point of the attacks is a network of phishing sites that mimic official app stores, although how victims are directed to these links is presently unknown. MMRat typically masquerades as an official government or a dating app.

Once installed, the app leans heavily on the Android accessibility service and the MediaProjection API, both of which have been leveraged by another Android financial trojan called SpyNote, to carry out its activities. The malware is also capable of abusing its accessibility permissions to grant itself other permissions and modify settings.


It further sets up persistence to survive between reboots and initiates communications with a remote server to await instructions and exfiltrate the results of the execution of those commands back to it. The trojan employs different combinations of ports and protocols for functions such as data exfiltration, video streaming, and C2 control.

MMRat possesses the ability to collect a broad range of device data and personal information, including signal strength, screen status, battery stats, installed applications, and contact lists. It’s suspected that the threat actor uses the details to carry out some sort of victim profiling before moving to the next stage.

Some of the other features of MMRat encompass recording real-time screen content and capturing the lock screen pattern so as to allow the threat actor to remotely gain access to the victim’s device when it is locked and not actively in use.

“The MMRat malware abuses the Accessibility service to remotely control the victim’s device, performing actions such as gestures, unlocking screens, and inputting text, among others,” Trend Micro said.

“This can be used by threat actors — in conjunction with stolen credentials — to perform bank fraud.”

The attacks end with MMRat deleting itself upon receiving the C2 command UNINSTALL_APP, which typically takes place after a successful fraudulent transaction, effectively removing all traces of infection from the device.

To mitigate threats posed by such potent malware, it’s recommended that users only download apps from official sources, scrutinize app reviews, and check the permissions an app requests for access to before usage.


(c) Thn

Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security

New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework.

The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month.

Microsoft’s container architecture (and by extension, Windows Sandbox) uses what’s called a dynamically generated image to separate each container’s file system from the host’s while at the same time avoiding duplication of system files.

It’s nothing but an “operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host,” thereby bringing down the overall size for a full OS.

“The result is images that contain ‘ghost files,’ which store no actual data but point to a different volume on the system,” Avinoam said in a report shared with The Hacker News. “It was at this point that the idea struck me — what if we can use this redirection mechanism to obfuscate our file system operations and confuse security products?”

This is where the Windows Container Isolation FS (wcifs.sys) minifilter driver comes into play. The driver’s main purpose is to take care of the file system separation between Windows containers and their host.

The driver handles the ghost files redirection by parsing their attached reparse points and the associated reparse tags which uniquely identify the owner, i.e., the implementer of the file system filter driver that performs additional filter-defined processing on a file during I/O operations.

Two such reparse tag data structures used by the Windows Container Isolation filter, according to Microsoft, are IO_REPARSE_TAG_WCI_1 and IO_REPARSE_TAG_WCI_LINK_1.

The idea, in a nutshell, is to have the current process running inside a fabricated container and leverage the minifilter driver to handle I/O requests such that it can create, read, write, and delete files on the file system without alerting security software.

Windows Container Isolation Framework
Source: Microsoft

It’s worth pointing out at this stage that a minifilter attaches to the file system stack indirectly, by registering with the filter manager for the I/O operations that it chooses to filter. Each minifilter is allocated a Microsoft-assigned “integer” altitude value based on filter requirements and load order group.

The wcifs.sys driver occupies an altitude range of 180000-189999 (specifically 189900), while antivirus filters, including those from third parties, function at an altitude range of 320000-329999. Because a minifilter with a higher altitude sees an I/O request before one with a lower altitude, the antivirus filters have already processed a request by the time wcifs.sys redirects it. As a result, various file operations can be performed without getting their callbacks triggered.

“Because we can override files using the IO_REPARSE_TAG_WCI_1 reparse tag without the detection of antivirus drivers, their detection algorithm will not receive the whole picture and thus will not trigger,” Avinoam explained.

That said, pulling off the attack requires administrative permissions to communicate with the wcifs.sys driver, and it cannot be used to override files on the host system.
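As an added defender-side check (not code from the article or from Deep Instinct), the script below lists the minifilters loaded on a Windows host and reports which anti-virus-range filters sit above wcifs.sys in the stack, i.e. see a request before the redirection happens; it assumes an elevated prompt because fltmc.exe needs administrator rights, and it takes the altitude bounds from the article.

```powershell
# Added example, not part of the article or Deep Instinct's research.
# A higher altitude means the filter is closer to the I/O manager and sees
# a request earlier; a filter above 189900 therefore sees the path the
# caller opened, not the file wcifs.sys later redirects it to.

function Get-MinifilterAltitudes {
    # Parse the table printed by 'fltmc filters' into objects; the header and
    # dashed separator lines do not match the pattern and are skipped.
    fltmc filters | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = $Matches[4]
            }
        }
    }
}

function Test-WcifsBelowAntivirus {
    param(
        [double]$AvMin = 320000,   # FSFilter Anti-Virus altitude range (from the article)
        [double]$AvMax = 329999
    )
    $filters = Get-MinifilterAltitudes | Sort-Object Altitude -Descending
    $wcifs   = $filters | Where-Object Name -eq 'wcifs'
    if (-not $wcifs) { return 'wcifs.sys is not loaded on this host' }

    $av = $filters | Where-Object { $_.Altitude -ge $AvMin -and $_.Altitude -le $AvMax }
    if (-not $av) { return 'no minifilter loaded in the anti-virus altitude range' }

    foreach ($f in $av) {
        # 'ABOVE' means the AV filter processes the request before wcifs redirects it.
        $order = if ($f.Altitude -gt $wcifs.Altitude) { 'ABOVE' } else { 'below' }
        '{0,-20} altitude {1,-10} is {2} wcifs (altitude {3})' -f $f.Name, $f.Altitude, $order, $wcifs.Altitude
    }
}

Get-MinifilterAltitudes | Format-Table -AutoSize
Test-WcifsBelowAntivirus
```

On a host where containers or Windows Sandbox have never been used, wcifs may not be loaded at all, which is itself useful baseline information for monitoring.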

The disclosure comes as the cybersecurity company demonstrated a stealthy technique called NoFilter that abuses the Windows Filtering Platform (WFP) to elevate a user’s privileges to that of SYSTEM and potentially execute malicious code.

The attacks allow the use of WFP to duplicate access tokens for another process, trigger an IPSec connection and leverage the Print Spooler service to insert a SYSTEM token into the table, and make it possible to obtain the token of another user logged into the compromised system for lateral movement.


(c) Thn

Earth Estries’ Espionage Campaign Targets Governments and Tech Titans Across Continents

A hacking outfit nicknamed Earth Estries has been attributed to a new, ongoing cyber espionage campaign targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S.

“The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities,” Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison said.

Active since at least 2020, Earth Estries is said to share tactical overlaps with another nation-state group tracked as FamousSparrow, which was first exposed by ESET in 2021 as exploiting ProxyLogon flaws in Microsoft Exchange Server to penetrate hospitality, government, engineering, and legal sectors.

It’s worth pointing out that commonalities have also been unearthed between FamousSparrow and UNC4841, an uncategorized activity cluster held responsible for the weaponization of a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances.

Attack chains documented by Trend Micro show that the adversary is leveraging Cobalt Strike to conduct post-exploitation of compromised environments, following which it moves quickly to deploy additional malware and broaden the foothold.

Earth Estries

The adversary has been observed employing an arsenal of hacking tools, including backdoors, browser data stealers, and port scanners, to enhance data collection.

This encompasses Zingdoor, a Go-based implant to capture system information, enumerate and manage files, and run arbitrary commands; TrillClient, a custom stealer written in Go to siphon data from web browsers; and HemiGate, a backdoor that can log keystrokes, take screenshots, perform file operations, and monitor processes.

Further lending legitimacy to the adversary’s espionage motives is its proclivity towards regularly cleaning and redeploying its backdoors on the infected host in an attempt to reduce the risk of exposure and detection.

Earth Estries

“Earth Estries relies heavily on DLL side-loading to load various tools within its arsenal,” the researchers said. “To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism.”

Another significant aspect of the modus operandi is the abuse of public services such as GitHub, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data. A majority of the command-and-control (C2) servers are located in the U.S., India, Australia, Canada, China, Japan, Finland, South Africa, and the U.K.

“By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly,” the researchers said. “They also use techniques like PowerShell downgrade attacks and novel DLL side-loading combinations to evade detection.”
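As an added example (not code from the article or from Trend Micro), the two functions below are defender checks for the PowerShell downgrade technique described above: whether the legacy 2.0 engine is still installed on a host, and whether any process has recently started a 2.0 engine, which does not pass through AMSI; it assumes an elevated prompt and the classic "Windows PowerShell" event log.

```powershell
# Added example, not part of the article or Trend Micro's report.
# Run elevated on the host being checked.

function Get-PowerShellV2Feature {
    # Both optional features must be absent for a '-version 2' downgrade to fail.
    Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*' |
        Select-Object FeatureName, State
}

function Get-PowerShellV2EngineStarts {
    param([int]$Days = 7)
    # Event 400 ("Engine state is changed from None to Available") in the
    # classic 'Windows PowerShell' log carries EngineVersion=2.0 when a
    # downgraded engine starts, even though script block logging (4104)
    # and AMSI see nothing from that engine.
    $filter = @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            # HostApplication holds the command line that launched the engine.
            $app = if ($_.Message -match 'HostApplication=([^\r\n]+)') { $Matches[1] } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $app }
        }
}

Get-PowerShellV2Feature
Get-PowerShellV2EngineStarts | Format-Table -AutoSize
```

Any hit from the second function on a host where the v2 feature shows as Enabled is worth treating as a downgrade attempt until the launching process is explained.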


(c) Thn

LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants

The leak of the LockBit 3.0 ransomware builder last year has led to threat actors abusing the tool to spawn new variants.

Russian cybersecurity company Kaspersky said it detected a ransomware intrusion that deployed a version of LockBit but with a markedly different ransom demand procedure.

“The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY,” security researchers Eduardo Ovalle and Francesco Figurelli said.

The revamped ransom note directly specified the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the LockBit group, which doesn’t mention the amount and uses its own communication and negotiation platform.

NATIONAL HAZARD AGENCY is far from the only cybercrime gang to use the leaked LockBit 3.0 builder. Some of the other threat actors known to leverage it include Bl00dy and Buhti.

Kaspersky noted it detected a total of 396 distinct LockBit samples in its telemetry, of which 312 artifacts were created using the leaked builders. As many as 77 samples make no reference to “LockBit” in the ransom note.

“Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes,” the researchers said. “This indicates the samples were likely developed for urgent needs or possibly by lazy actors.”

The disclosure comes as Netenrich delved into a ransomware strain called ADHUBLLKA that has rebranded several times since 2019 (BIT, LOLKEK, OBZ, U2K, and TZW), while targeting individuals and small businesses in exchange for meager payouts in the range of $800 to $1,600 from each victim.

Although each of these iterations comes with slight modifications to encryption schemes, ransom notes, and communication methods, a closer inspection has tied them all back to ADHUBLLKA owing to source code and infrastructure similarities.

“When a ransomware is successful out in the wild, it is common to see cybercriminals use the same ransomware samples — slightly tweaking their codebase — to pilot other projects,” security researcher Rakesh Krishnan said.

“For example, they may change the encryption scheme, ransom notes, or command-and-control (C2) communication channels and then rebrand themselves as a ‘new’ ransomware.”

Ransomware remains an actively evolving ecosystem, witnessing frequent shifts in tactics and targeting to increasingly focus on Linux environments using families such as Trigona, Monti, and Akira, the latter of which shares links to Conti-affiliated threat actors.

LockBit 3.0 Ransomware Builder

Akira has also been linked to attacks weaponizing Cisco VPN products as an attack vector to gain unauthorized access to enterprise networks. Cisco has since acknowledged that the threat actors are targeting Cisco VPNs that are not configured for multi-factor authentication.

“The attackers often focus on the absence of or known vulnerabilities in multi-factor authentication (MFA) and known vulnerabilities in VPN software,” the networking equipment major said.

“Once the attackers have obtained a foothold into a target network, they try to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further movement within the network and elevate privileges if needed.”

The development also comes amid a record surge in ransomware attacks, with the Cl0p ransomware group having breached 1,000 known organizations by exploiting flaws in the MOVEit Transfer app to gain initial access and encrypt targeted networks.

U.S.-based entities account for 83.9% of the corporate victims, followed by Germany (3.6%), Canada (2.6%), and the U.K. (2.1%). More than 60 million individuals are said to have been impacted by the mass-exploitation campaign that began in May 2023.

However, the blast radius of the supply chain ransomware attack is likely to be much higher. Estimates show that the threat actors are expected to net illicit profits in the range of $75 million to $100 million from their endeavors.

“While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very very small percentage of victims bothered trying to negotiate, let alone contemplated paying,” Coveware said.

“Those that did pay, paid substantially more than prior CloP campaigns, and several times more than the global Average Ransom Amount of $740,144 (+126% from Q1 2023).”

What’s more, according to Sophos’ 2023 Active Adversary Report, the median dwell time for ransomware incidents dropped from nine days in 2022 to five days in the first half of 2023, indicating that “ransomware gangs are moving faster than ever.”

In contrast, the median dwell time for non-ransomware incidents increased from 11 to 13 days. The maximum dwell time observed during the time period was 112 days.

“In 81% of ransomware attacks, the final payload was launched outside of traditional working hours, and for those that were deployed during business hours, only five happened on a weekday,” the cybersecurity company said. “Nearly half (43%) of ransomware attacks were detected on either Friday or Saturday.”


(c) Thn