Cyber-ketju: verkkovakoilu,kännyköiden ja wlanien seuranta, hakkerointi, virukset, DoS etc

ctg

Greatest Leader
Servers running the open source Asterisk communication software for Digium VoiP services are under attack by hackers who are managing to commandeer the machines to install web shell interfaces that give the attackers covert control, researchers have reported.

Researchers from security firm Palo Alto Networks said they suspect the hackers are gaining access to the on-premises servers by exploiting CVE-2021-45461. The critical remote code-execution flaw was discovered as a zero-day vulnerability late last year, when it was being exploited to execute malicious code on servers running fully updated versions of Rest Phone Apps, aka restapps, which is a VoiP package sold by a company called Sangoma.

The vulnerability resides in FreePBX, the world's most widely used open source software for Internet-based Private Branch Exchange systems, which enable internal and external communications in organizations' private internal telephone networks. CVE-2021-45461 carries a severity rating of 9.8 out of 10 and allows hackers to execute malicious code that takes complete control of servers.

Now, Palo Alto Networks said hackers are targeting the Elastix system used in Digium phones, which is also based on FreePBX. By sending servers specially crafted packets, the threat actors can install web shells, which give them an HTTP-based window for issuing commands that normally should be reserved for authorized admins.

"As of this writing, we have witnessed more than 500,000 unique malware samples of this family over the period spanning from late December 2021 till the end of March 2022," Palo Alto Networks researchers Lee Wei, Yang Ji, Muhammad Umer Khan, and Wenjun Hu wrote. "The malware installs multilayer obfuscated PHP backdoors to the web server's file system, downloads new payloads for execution and schedules recurring tasks to re-infect the host system. Moreover, the malware implants a random junk string to each malware download in an attempt to evade signature defenses based on indicators of compromise (IoCs)."
 

ctg

Greatest Leader
NSO Group's Pegasus spyware was used to target Thai pro-democracy protesters and leaders calling for reforms to the monarchy. "We forensically confirmed that at least 30 individuals were infected with NSO Group's Pegasus spyware," reports Citizen Lab. "The observed infections took place between October 2020 and November 2021." Here's an excerpt from the report: Introduction: Surveillance & Repression in Thailand: The Kingdom of Thailand is a constitutional monarchy with a parliamentary-style government divided into executive, legislative, and judiciary branches. The country has been beset by intense political conflict since 2005, during the government of former Prime Minister Thaksin Shinawatra. Corruption allegations against the regime culminated in a military coup on September 19, 2006 that ousted Thaksin. The military launched another coup on May 22, 2014 and seized power following mass protests against the civilian government led by Thaksin's sister, Yingluck Shinawatra. The junta claimed that the 2014 coup was needed to restore order and called itself the National Council for Peace and Order (NCPO).

Findings: Pegasus Infections in Thailand: On November 23, 2021, Apple began sending notifications to iPhone users targeted by state-backed attacks with mercenary spyware. The recipients included individuals that Apple believes were targeted with NSO Group's FORCEDENTRY exploit. Many Thai civil society members received this warning. Shortly thereafter, multiple recipients of the notification made contact with the Citizen Lab and regional groups. In collaboration with Thai organizations iLaw and DigitalReach, forensic evidence was obtained from notification recipients, and other suspected victims, who consented to participate in a research study with the Citizen Lab. We then performed a technical analysis of forensic artifacts to determine whether these individuals were infected with Pegasus or other spyware. Victims publicly named in this report consented to be identified as such, while others chose to remain anonymous, or have their cases described with limited detail.

Civil Society Pegasus Infections: We have identified at least 30 Pegasus victims among key civil society groups in Thailand, including activists, academics, lawyers, and NGO workers. The infections occurred from October 2020 to November 2021, coinciding with a period of widespread pro-democracy protests, and predominantly targeted key figures in the pro-democracy movement. In numerous cases, multiple members of movements or organizations were infected. Many of the victims included in this report have been repeatedly detained, arrested, and imprisoned for their political activities or criticism of the government. Many of the victims have also been the subject of lese-majeste prosecutions by the Thai government. While many of the infections were detected on the devices of prominent figures, hacking was also observed against individuals who are not publicly involved in the protests. Speculatively, this may reflect the attackers' intent to uncover details about how opposition movements were organized, and may have been prompted by specific financial transactions that would have been known to Thai financial institutions and the government, but not the public.
 

ctg

Greatest Leader
injected-code.png

Despite the efforts to keep CVE-2022-2294 secret, Avast managed to recover the attack code, which exploited a heap overflow in WebRTC to execute malicious shellcode inside a renderer process. The recovery allowed Avast to identify the vulnerability and report it to developers so it could be fixed. The security firm was unable to obtain a separate zero-day exploit that was required so the first exploit could escape Chrome's security sandbox. That means this second zero-day will live to fight another day.

Once DevilsTongue got installed, it attempted to elevate its system privileges by installing a Windows driver containing yet another unpatched vulnerability, bringing the number of zero-days exploited in this campaign to at least three. Once the unidentified driver was installed, DevilsTongue would exploit the security flaw to gain access to the kernel, the most sensitive part of any operating system. Security researchers call the technique BYOVD, short for "bring your own vulnerable driver." It allows malware to defeat OS defenses since most drivers automatically have access to an OS kernel.

Avast has reported the flaw to the driver maker, but there's no indication that a patch has been released. As of publication time, only Avast and one other antivirus engine detected the driver exploit.

Since both Google and Microsoft patched CVE-2022-2294 in early July, chances are good that most Chrome and Edge users are already protected. Apple, however, fixed the vulnerability on Wednesday, meaning Safari users should make sure their browsers are up to date.
 

ctg

Greatest Leader
lightning-framework-diagram.png

The software framework has become essential to developing almost all complex software these days. The Django Web framework, for instance, bundles all the libraries, image files, and other components needed to quickly build and deploy web apps, making it a mainstay at companies like Google, Spotify, and Pinterest. Frameworks provide a platform that performs common functions like logging and authentication shared across an app ecosystem.

Last week, researchers from security firm Intezer revealed the Lightning Framework, a modular malware framework for Linux that has gone undocumented until now. Lightning Framework is post-exploit malware, meaning it gets installed after an attacker has already gained access to a targeted machine. Once installed, it can provide some of the same efficiencies and speed to Linux compromises that Django provides for web development.

“It is rare to see such an intricate framework developed for targeting Linux systems,” Ryan Robinson, a security researcher at Intezer, wrote in a post. “Lightning is a modular framework we discovered that has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins.”
 

ctg

Greatest Leader
The Infrastructure Investment and Jobs Act, as passed by Congress last November, authorizes $7.5 billion to help meet US President Joe Biden's goal of installing 500,000 stations by 2030. Biden aims to have EVs represent half of all new vehicles being sold in the US by 2030. But as the number of stations increases, the number of vulnerabilities does as well.

For the past several years, hackers have been busy aiming their attacks at electrical system vulnerabilities. In the case of charging stations, some of these soft spots are located inside the stations; some are located inside the equipment that controls connections between the grid and the station; and still, others are inside assets that sit on the grid side of the relationship, and these are mostly owned by utilities. Europe-based wind power companies (Deutsche Windtechnik AG, Enercon GmbH, and Nordex SE) have suffered attacks focused on stopping the flow of electrons, identity theft attacks, and stolen payments. In most cases, the results can be service disruptions affecting customers and revenue reductions for the providers of electrons and/or asset owners.

Hackers perpetually seek out ways to use any and all system vulnerabilities to their maximum advantage. This is a problem for the consumer, just as it is for commercial enterprises. Added to the stresses created by several types of hacker disruptions—physical destruction; electronic jamming; creating a "Denial of Service"—are concerns about weak control systems. From his perch at PlugInAmerica.org, Ron Freund worries that the existing supervisory control and data acquisition hardware is primate.

"It doesn't handle the simple faults gracefully, and is not reliable, much less scalable. But it also is not yet on the Internet, so is inaccessible (for the most part). In fact, it's scary how primitive some of these systems still are," Freund told me.
 

ctg

Greatest Leader
Referring to DSIRF using the work KNOTWEED, Microsoft researchers wrote:

In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.

Wednesday’s post also provides detailed indicators of compromise that readers can use to determine if they have been targeted by DSIRF.
 

ctg

Greatest Leader
The advent of public key encryption in the 1970s was a major breakthrough because it allowed parties who had never met to securely trade encrypted material that couldn’t be broken by an adversary. Public key encryption relies on asymmetric keys, with one private key used to decrypt messages and a separate public key for encrypting. Users make their public key widely available. As long as their private key remains secret, the scheme remains secure.

In practice, public key cryptography can often be unwieldy, so many systems rely on key encapsulation mechanisms, which allow parties who have never met before to jointly agree on a symmetric key over a public medium such as the Internet. In contrast to symmetric-key algorithms, key encapsulation mechanisms in use today are easily broken by quantum computers. SIKE, before the new attack, was thought to avoid such vulnerabilities by using a complex mathematical construction known as a supersingular isogeny graph.

The cornerstone of SIKE is a protocol called SIDH, short for Supersingular Isogeny Diffie-Hellman. The research paper published over the weekend shows how SIDH is vulnerable to a theorem known as “glue-and-split” developed by mathematician Ernst Kani in 1997, as well as tools devised by fellow mathematicians Everett W. Howe, Franck Leprévost, and Bjorn Poonen in 2000. The new technique builds on what’s known as the “GPST adaptive attack,” described in a 2016 paper. The math behind the latest attack is guaranteed to be impenetrable to most non-mathematicians. Here’s about as close as you’re going to get:

“The attack exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known,” Steven Galbraith, a University of Auckland mathematics professor and the “G” in the GPST adaptive attack, explained in a short writeup on the new attack. “The auxiliary points in SIDH have always been an annoyance and a potential weakness, and they have been exploited for fault attacks, the GPST adaptive attack, torsion point attacks, etc.
jUvpZxX.jpg
 

ctg

Greatest Leader
An anonymous reader quotes a report from Forbes:

According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware's internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U. S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U. S. and Europe. The common denominator between them is that the victims often " work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system.


The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or are not available from the Chrome Web Store.
 

ctg

Greatest Leader
In mid-July, a cyberattack on the Albanian government knocked out state websites and public services for hours. With Russia’s war raging in Ukraine, the Kremlin might seem like the likeliest suspect. But research published on Thursday by the threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran’s espionage operations and digital meddling have shown up all over the world, Mandiant researchers say that a disruptive attack from Iran on a NATO member is a noteworthy escalation.

The digital attacks targeting Albania on July 17 came ahead of the “World Summit of Free Iran,” a conference scheduled to convene in the town of Manëz in western Albania on July 23 and 24. The summit was affiliated with the Iranian opposition group Mujahadeen-e-Khalq, or the People’s Mojahedin Organization of Iran (often abbreviated MEK, PMOI, or MKO). The conference was postponed the day before it was set to begin because of reported, unspecified “terrorist” threats.

Mandiant researchers say that attackers deployed ransomware from the Roadsweep family and may have also utilized a previously unknown backdoor, dubbed Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues from the Roadsweep ransomware note, and activity from actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.
 

ctg

Greatest Leader
Beijing-backed cyberspies used specially crafted phishing emails and six different backdoors to break into and then steal confidential data from military and industrial groups, government agencies and other public institutions, according to Kaspersky researchers.

We're told the security shop's industrial control systems (ICS) response team initially detected a series of targeted attacks back in January that compromised more than a dozen of organizations in several Eastern European countries, including Belarus, Russia, and Ukraine, and Afghanistan.

"The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions," the team wrote in a report published on Monday.

Kaspersky attributed the attacks "with a high degree of confidence" to Chinese cybercrime gang TA428, which has a history of targeting East Asian and Russian military and research institutes.

The ICS research team identified malware and command-and-control servers based in China, and added that this more recent series of attacks is "highly likely" to be an extension of an ongoing cyberespionage campaign, previously spotted by other research teams.

They also sound very similar to another campaign, dubbed Twisted Panda, carried out by Chinese cyberspies and targeting Russian defense institutes, uncovered by Check Point Research in May.

According to Kaspersky, the miscreants gained access to the enterprise networks via phishing emails, some of which included organization-specific information that wasn't publicly available.

"This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees, or on other organizations or individuals associated with the victim organization)," the researchers explained.

Presumably, because these specially-crafted attacks included confidential information about the victim org, it was easier for the attackers to trick some employees into opening the email — and a Microsoft Word document attached to it. The Word doc contained malicious code, which exploited the CVE-2017-11882 vulnerability to deploy PortDoor malware on the infected machine without any additional user activity. For example, the user didn't need to enable macros, as is typical in these types of attacks.

PortDoor malware is a relatively new backdoor believed to be developed by Chinese state-sponsored groups that was also used in a 2021 phishing attack against a Russian-based defense contractor that designs nuclear submarines for the Russian Federation's Navy.

Kaspersky says its team IDed a new version of PortDoor that establishes persistence, then collects information on the infected computer, and can be used to control the system remotely while installing additional malware.

In addition to PortDoor, attackers used six other backdoors to control the infected systems and steal confidential data. Some of these (nccTrojan, Logtu, Cotx, and DNSep) have been previously attributed to TA428. However, a sixth backdoor, dubbed CotScam, is new, according to Kaspersky.
 

ctg

Greatest Leader
cloudflare-phishing-attack-640x223.png

At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to data in an undisclosed number of customer accounts.

Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
When the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the messaging service Telegram. This real-time relay was important because the phishing page would also prompt for a Time-based One Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real-time, enter them in a victim company’s actual login page, and, for many organizations that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.

We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.
 

ctg

Greatest Leader
Cloudflare says it was subject to a similar attack to one made on comms company Twilio last week, but in this case it was thwarted by hardware security keys that are required to access applications and services.

Twilio reported a breach after employees received phishing text messages claiming to be from the company's IT department. These fooled them into logging into a fake web page designed to look like Twilio's own sign-in page, using pretexts such as claiming they needed to change their passwords. The attackers were then able to use credentials supplied by the victims to log into the real site.

According to Cloudflare, it recorded a very similar incident late last month, which could suggest the two attacks may have originated from the same attacker or group.

Detailing the incident on its blog, the content delivery network claimed that no Cloudflare systems were compromised, but said it was "a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached."

In Cloudflare's case, its security team first started receiving reports on July 20 that employees got text messages containing a link to what appeared to be a Cloudflare Okta login page (Cloudflare uses Okta's identity and access management services internally).

Although the incident started late in the evening, Cloudflare said it operates a 24x7 Security Incident Response Team (SIRT), and has trained its employees to report anything that looks suspicious to the SIRT to investigate. The vast majority of reports turn out to be false alarms, but in this case it appears at least 76 company employees received the phishing messages within the space of a single minute.

The sophistication of the attack can be gauged by the fact that the URL in the text messages linked to a domain (cloudflare-okta.com) appeared to be legitimate, and had not been picked up by the company's monitoring systems. Cloudflare has systems to watch for domains being registered with its name and get them shut down, but in this case the domain had been registered less than 40 minutes before the phishing messages were sent, and so it had not yet been detected.

As with the Twilio incident, the fake Cloudflare Okta login page prompted any employee who visited it for their username and password. Alerted by their employees contacting SIRT, Cloudflare was able to analyze the payload of the phishing attack based on the message employees received, as well as what was posted to services like VirusTotal by other companies that had been victims of similar attacks.
 
Top