cybersecurity Archives - TuxCare

U.S. Seizes $30 Million Worth of Crypto from North Korean Hackers

Chainalysis, a U.S. company, said it had worked with the FBI to recover more than $30 million in cryptocurrency stolen from online video game maker Axie Infinity by North Korea-linked Lazarus Group, marking the first time digital assets seized by the malicious attacker have been recovered.

The amount recovered is just a fraction of the estimated $600 million that the FBI alleges North Korean hackers stole from the makers of a popular video game that allows users to earn digital currency.

“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” Erin Plante, senior director of investigations at Chainalysis said.

Plante, Chainalysis’ lead investigator, said the seizure, which will not be the last, is a significant development for law enforcement, and that investigators are working hard to seize the remaining loot.

According to Plante, Chainalysis was involved in the seizures, using “advanced tracking techniques to track stolen funds to withdraw ATMs, and working with law enforcement and industry stakeholders to quickly freeze funds.”

The Lazarus Group had access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge. With those keys, the group made two withdrawal transactions: one for 173,600 Ether (ETH) and the other for $25.5 million in USDC. Chainalysis noted that the Lazarus Group has moved these funds using “over 12,000 different crypto addresses to date,” and that the stolen ETH was mixed in batches through the popular Tornado Cash mixing service.

The sources for this piece include an article in TheHackerNews.

Bumblebee Malware Offers a new Infection Chain

A new version of the Bumblebee malware loader has been discovered by researchers. The new strain uses a new infection chain, including the PowerSploit framework for stealthy reflective injection of a DLL payload into memory.

Unlike earlier campaigns, which reached victims via e-mails containing password-protected zipped ISO files, the new variant uses a VHD (Virtual Hard Disk) file instead of the ISO file. The VHD file contains an LNK shortcut file.

Instead of running the Bumblebee DLL directly, the LNK now executes “imageda.ps1,” which starts a PowerShell window and hides it from the user by abusing the ‘ShowWindow’ function. The PS1 script is obfuscated with Base64 encoding and string concatenation to evade AV detection while loading the second stage of the PowerShell loader.

The second stage of the infection uses the same disguise tactic as the first. It includes the PowerSploit PowerShell module that loads the 64-bit malware into the memory of the PowerShell process through reflective injection.

“PowerSploit is an open source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system,” Cyble explains in the report.

The new infection chain allows Bumblebee to load from memory and never touch the computer’s hard drive, minimizing the chances of being detected and stopped by antivirus tools. The added stealth also makes the loader a stronger initial-access threat and increases its appeal to ransomware and malware operators.
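As an added, illustrative example (not code from the original article or from Cyble’s report): a Python triage function that scores a PowerShell script for the traits described above, namely hidden-window calls to ShowWindow, long Base64 blobs, string-concatenation obfuscation and PowerSploit’s Invoke-ReflectivePEInjection. It first folds runs of short quoted fragments ('Inv'+'oke'+…) back into one literal, so a cmdlet name hidden by concatenation still matches. The weights, regexes, threshold and the two sample scripts are constructed assumptions for this example.

```python
"""Heuristic triage of PowerShell script text for the loader traits described
in the article: hidden window via ShowWindow, Base64 blobs, string-concatenation
obfuscation and reflective PE injection via PowerSploit's
Invoke-ReflectivePEInjection. Weights and regexes are assumed heuristics; the
sample scripts are constructed, not real Bumblebee samples."""
import re
from dataclasses import dataclass, field

# Three or more short single-quoted fragments joined with '+', e.g. 'Inv'+'oke'+'-'
CONCAT_RE = re.compile(r"(?:'[^']{1,8}'\s*\+\s*){3,}'[^']{1,8}'")
FRAG_RE = re.compile(r"'([^']*)'")

# Indicator patterns scanned after concatenation folding (assumed heuristics).
CHECKS = [
    # name, compiled pattern, weight
    ("showwindow", re.compile(r"\bShowWindow\b", re.IGNORECASE), 2),
    ("reflective_pe_injection", re.compile(r"Invoke-ReflectivePEInjection", re.IGNORECASE), 4),
    ("base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
    ("frombase64string", re.compile(r"FromBase64String", re.IGNORECASE), 1),
    ("hidden_window_arg", re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE), 1),
]


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)


def fold_concatenations(script_text: str) -> str:
    """Rejoin runs of short quoted fragments ('Inv'+'oke') into one literal so
    names hidden by string concatenation become visible to the indicator scan."""
    return CONCAT_RE.sub(
        lambda m: "'" + "".join(FRAG_RE.findall(m.group(0))) + "'", script_text
    )


def triage(script_text: str) -> Verdict:
    """Score a script: each indicator that matches adds its weight and its name."""
    verdict = Verdict()
    if CONCAT_RE.search(script_text):  # the obfuscation itself is an indicator
        verdict.indicators.append("string_concat_obfuscation")
        verdict.score += 2
    folded = fold_concatenations(script_text)
    for name, pattern, weight in CHECKS:
        if pattern.search(folded):
            verdict.indicators.append(name)
            verdict.score += weight
    return verdict


def is_suspicious(script_text: str, threshold: int = 5) -> bool:
    """The threshold is an assumption; tune it against your own script baseline."""
    return triage(script_text).score >= threshold


# Constructed benign admin script: no indicators expected.
BENIGN_SCRIPT = (
    "Get-ChildItem C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB } |\n"
    "    Export-Csv -Path big-logs.csv -NoTypeInformation\n"
)

# Constructed stand-in for an obfuscated loader (not a real Bumblebee sample).
SUSPICIOUS_SCRIPT = (
    "Start-Process powershell -ArgumentList '-WindowStyle Hidden -File stage2.ps1'\n"
    "$sig = '[DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr h, int n);'\n"
    "$u = Add-Type -MemberDefinition $sig -Name W -Namespace N -PassThru\n"
    "$u::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0)\n"
    "$fn = 'Inv'+'oke'+'-Refl'+'ective'+'PEInj'+'ection'\n"
    "$blob = '" + "QUJD" * 60 + "'\n"  # 240-char Base64-looking filler
    "& $fn -PEBytes ([Convert]::FromBase64String($blob))\n"
)

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        v = triage(text)
        print(f"{label}: score={v.score} indicators={v.indicators}")
```

Run over script blocks recovered from PowerShell script-block logging, the folding step is what makes the difference: the constructed sample never spells out Invoke-ReflectivePEInjection, yet the indicator still fires once the fragments are rejoined.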

The sources for this piece include an article in BleepingComputer.

Hackers Actively Exploit WordPress Zero-day Flaw

Wordfence, a WordPress security company, has warned of a zero-day WordPress vulnerability that is now being exploited by attackers.

The bug is in a WordPress plugin called BackupBuddy. BackupBuddy is a plugin that allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files.

According to Wordfence, the vulnerability is rooted in the Local Directory copy function, which is designed to store a local copy of the backups. The vulnerability is the product of an insecure implementation that allows attackers to download arbitrary files from the server.

“This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information,” Wordfence said.

The bug affecting BackupBuddy is tracked as CVE-2022-31474 and has a severity score of 7.5. The bug affects versions 8.5.8.0 to 8.7.4.1 and was fixed in version 8.7.5, released on September 2, 2022.

Wordfence stated that the active exploitation of CVE-2022-31474 began on August 26, 2022. Since then, the platform has been able to block nearly five million attacks, with the majority of intrusions attempting to read files such as /etc/passwd, /wp-config.php, .my.cnf, and .accesshash.

Details of the vulnerability have been withheld to prevent further exploitation by attackers.

“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd,” said the plugin’s developer, iThemes.

BackupBuddy users are advised to upgrade to the latest version to fix the bug and prevent their sites from being compromised. Those already compromised should reset the database password, change the WordPress salts, and rotate any API keys stored in wp-config.php.
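As an added illustration (not BackupBuddy’s code, which is PHP, and making no claim about the plugin’s internals): the control that an arbitrary-file-download bug lacks is a check that the requested file resolves to a regular file inside the intended backup directory, after ‘..’ components and symlinks are resolved. The Python below implements that check and exercises it against a throwaway directory tree; the directory and file names, the `PathRejected` class and the request list are constructed for this example, mirroring the files named above.

```python
"""Confine a download handler to one backup directory. Generic Python
illustration of the missing control behind an arbitrary-file-download bug;
not BackupBuddy's code and no claim about the plugin's internals."""
import os
import shutil
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a requested file is not a regular file inside the base directory."""


def resolve_within(base_dir: str, requested: str) -> Path:
    """Return the real path of `requested` only if it stays inside `base_dir`.
    Rejects absolute paths, '..' escapes and symlinks that point outside."""
    base = Path(base_dir).resolve(strict=True)
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PathRejected("absolute paths are not allowed")
    # resolve() collapses '..' and follows symlinks, so the containment
    # check below sees where the file really lives.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathRejected(f"{requested!r} escapes {base}") from None
    if not candidate.is_file():
        raise PathRejected(f"{requested!r} is not a regular file")
    return candidate


def safe_read(base_dir: str, requested: str) -> bytes:
    """Read a backup file, or raise PathRejected."""
    return resolve_within(base_dir, requested).read_bytes()


def demo() -> dict:
    """Build a constructed directory tree and run a set of constructed requests
    through the check. Returns the outcome per request."""
    root = Path(tempfile.mkdtemp())
    try:
        backups = root / "backups"
        backups.mkdir()
        (backups / "site-2022-09-02.zip").write_bytes(b"PK\x03\x04 constructed backup")
        (root / "wp-config.php").write_text("<?php /* constructed secret */")
        try:  # symlink creation may be disallowed on some hosts
            (backups / "link").symlink_to(root / "wp-config.php")
        except OSError:
            pass
        results = {}
        for req in ["site-2022-09-02.zip", "../wp-config.php", "/etc/passwd", "link", "nope.zip"]:
            try:
                results[req] = "ok:%d" % len(safe_read(str(backups), req))
            except PathRejected:
                results[req] = "rejected"
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:22} -> {outcome}")
```

The symlink case is the one most hand-rolled checks miss: a name that looks local but points at wp-config.php passes a plain string-prefix test, so the containment check has to run on the resolved path, not on the string the client sent.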

The sources for this piece include an article in TheHackerNews.

Attackers use Watering Hole Attacks to Install ScanBox Keylogger

A China-based threat actor tracked as APT group TA423 is carrying out watering hole attacks on domestic Australian organizations and offshore energy companies in the South China Sea to deliver the ScanBox reconnaissance tool to victims.

A watering hole attack is a cyberattack on a specific organization in which malware is planted on a website regularly visited by members of that organization, in order to infect the computers used within the organization itself.

To carry out their malicious activities, the attackers use the ScanBox framework. ScanBox is a customizable, multifunctional JavaScript-based framework that adversaries use to conduct reconnaissance operations.

ScanBox keylogger data gathered from these “waterholes” is part of a multi-stage attack that gives the attackers knowledge of potential targets, helping them launch future attacks against the organizations.

To execute an attack, the attackers upload the malicious JavaScript to a compromised website, where ScanBox acts as a keylogger, capturing all user-entered activity on the infected site.

TA423 launches its attacks with phishing emails pretending to be from an employee of the “Australian Morning News,” a fictitious organization.

Targets are then invited to visit the sender’s “humble news website,” australianmorningnews[.]com. As soon as the target clicks the link, they are redirected to a website whose contents are copied from real news sites, and the malware framework is delivered to them.

The primary initial script of a ScanBox keylogger provides a list of information about the target computer, including the operating system, language, and installed version of Adobe Flash. ScanBox also performs an audit for browser extensions, plugins, and components such as WebRTC.

The sources for this piece include an article in ThreatPost.

Prynt Stealer’s Backdoor Steals Data Stolen from Cyberattacks

Prynt Stealer, an information-stealing malware, contains a backdoor that is used to steal the data its own customers exfiltrate from their victims, according to Zscaler ThreatLabz researchers.

The malware sells for $100 for a one-month license and $900 for a lifetime subscription, offering attackers considerable capabilities. These include logging keystrokes, stealing credentials from web browsers, and siphoning data from Discord and Telegram.

Prynt Stealer’s code comes from two other open source malware families, AsyncRAT and StormKitty. New additions include a Telegram channel that collects, through a backdoor, the information stolen by other threat actors.

To perform the data exfiltration, Prynt Stealer uses code copied from StormKitty with minor changes. The malware also includes an anti-analysis feature that continuously monitors the victim’s process list for processes such as taskmgr, netstat and wireshark.

As soon as one of these processes is detected, the malware blocks the Telegram command and control channels.

The researchers also identified two other variants written by the Prynt Stealer author: WorldWind and DarkEye.

DarkEye is an implant bundled with a free Prynt Stealer builder. The builder is designed to drop and execute a remote access trojan called Loda RAT, an AutoIT-based malware that can access and exfiltrate both system and user information. DarkEye also acts as a keylogger, takes screenshots, starts and terminates processes, and downloads additional malware payloads over a connection to a C2 server.

“While this untrustworthy behavior is nothing new in the world of cybercrime, the victims’ data end up in the hands of multiple threat actors, increasing the risks of one or more large-scale attacks to follow. Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation,” write Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross.

The sources for this piece include an article in TheHackerNews.

Cyberattacks Targeting Linux Users Skyrocket

Cybersecurity researchers at Trend Micro have identified a 75% year-over-year increase in the number of ransomware attacks targeting Linux users.

Apart from ransomware groups, there is also a 145% increase in Linux-based cryptocurrency-mining malware attacks, in which the attackers secretly use the computing power of infected computers and servers to mine cryptocurrency for themselves.

Hackers are generally motivated to target industries where they know there is a high possibility of making money. Judging by how fast attacks on Linux servers are increasing, encrypting Linux systems has become lucrative.

One of the identified strategies attackers use to compromise Linux systems is exploiting unpatched vulnerabilities. The report singles out one such flaw, known as Dirty Pipe.

Dirty Pipe is tracked as CVE-2022-0847 and affects the Linux kernel from version 5.8 onward; attackers can use it to escalate their privileges and run code.

To protect systems from cyberattacks, researchers recommend that all security patches be applied as soon as possible. This will prevent attackers from taking advantage of publicly available exploits.

It is also important that organizations apply multi-factor authentication across the ecosystem. MFA will provide an additional layer of defense and prevent ransomware hackers from conducting lateral movement across the network.

“New and emerging threat groups continue to evolve their business model, focusing their attacks with even greater precision. That’s why it’s essential that organizations get better at mapping, understanding, and protecting their expanding digital attack surface,” said Jon Clay, VP of threat intelligence for Trend Micro.

The sources for this piece include an article in ZDNet.

Samsung Breach Leaks U.S. Customer Data

Samsung has confirmed a cyberattack on the company in which attackers accessed some sensitive information belonging to customers.

The company stated in its data breach notice that the hackers “in some cases” took customer names, contact and demographic information, dates of birth, and product registration information. The notice indicates that not every Samsung customer is affected, but it remains unknown how much data was stolen in the breach.

“In late July 2022, an unauthorized third-party acquired information from some of Samsung’s U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected,” the company said in a notice.

The breach did not affect users’ Social Security numbers or credit and debit card numbers, and the extent of the information leaked varies from customer to customer.

The tech giant urges customers to be on guard against potential social engineering attempts and to avoid clicking on links or opening attachments from unknown senders. Customers are also advised to review their accounts for potentially suspicious activity.

While alerting customers to the breach, Samsung has also taken steps to secure the affected systems and has engaged an outside cybersecurity firm to lead the response efforts.

Samsung’s actions since the breach was disclosed have raised several questions from experts. Following the disclosure, Samsung published a new privacy policy that many judged to be controversial.

According to the new policy, Samsung can use a customer’s “precise geolocation” for marketing and advertising with the user’s consent. The new policy also states how long Samsung stores data that users share from the Quick Share feature. Samsung says it may “collect the contents you share, which will remain available for 3 days.” The reason behind the controversial policy remains unknown.

The sources for this piece include an article in TheHackerNews.

Winter is Coming for CentOS 8

The server environment is complex and if you’re managing thousands of Linux servers, the last thing you want is for an operating system vendor to do something completely unexpected.

That is exactly what Red Hat, the parent company of the CentOS Project, did when it suddenly announced a curtailment of support for CentOS 8 – sending thousands of organizations scrambling for an alternative.


What does the critical CISA directive mean and how should you respond?

Let’s face it – everyone’s had just about enough. Exploits are everywhere, and it’s almost impossible to deal with the problem to a watertight degree.

Some organizations make a solid effort, deploying cutting-edge vulnerability management solutions and live patching to minimize the impact of vulnerabilities, but many others struggle, and some make no effort at all.

This lack of action creates opportunities for malevolent actors, and the Cybersecurity and Infrastructure Security Agency (CISA) had seen so many successful exploits that it felt it needed to draw a line – forcing the agencies it has authority over to act.

That’s why, on November 3, CISA issued a new directive that compels civilian federal agencies to address 306 critical vulnerabilities that CISA found commonly lead to successful exploits.

