Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Researchers at security company Proofpoint and PricewaterhouseCoopers (PWC) said on Tuesday they had identified a cyber espionage campaign that delivers the ScanBox exploitation framework through a malicious fake Australian news site.

The campaign, active from April to June of this year, targeted Australian government agencies, Australian media companies and manufacturers who conduct maintenance on wind turbine fleets in the South China Sea. Proofpoint said the victim profile was similar to a June 2021 TA423 threat that delivered a downloader in DLL format via RTF template injection.

According to the researchers, victims were sent phishing emails that directed them to faked versions of Australian news outlets The Herald Sun and The Australian. Both outlets are part of Rupert Murdoch's media empire.

The faked versions of the outlets' sites included copied and pasted news stories, but lurking deeper in the code was malware. This tactic is similar to one used by TA423 during 2018 elections in Cambodia.

Each target received a slightly different URL that led to the same page, indicating the threat actors may have tracked their victims rather than using a spray-and-pray method.

Once lured to the site, users were infected with a malicious ScanBox JavaScript payload as a plugin-based modular architecture. The plugin modules included a keylogger, browser identification plugins, browser fingerprints to identify system tech capabilities, peer connection plugins and a check if Kaspersky security tools are installed on the machine.
Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims' computers – albeit in a roundabout way.

The malicious code, written in Go, is hidden in a .jpeg of the stunning first proper image taken by the recently deployed spacecraft.

More specifically, the obfuscated code is Base64-encoded and included in the .jpeg disguised as a certificate. The payload, dubbed GO#WEBBFUSCATOR, was not detected as malicious by antivirus engines in VirusTotal. This is all according to researchers at cybersecurity firm Securonix, who said they spotted and inspected the .jpeg's contents.

The malware "incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system," Securonix's D. Iuzvyk, T. Peck, and O. Kolesnikov wrote in a report this week.
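The report above describes a payload that is Base64-encoded and tucked into the JPEG disguised as a certificate. A triage check a defender can run on such a file is to look for data trailing the image's end marker and for PEM-style certificate blocks, decode their bodies, and see whether what comes out actually has the shape of a DER certificate or of an executable. The script below is an added illustration, not Securonix's code and not the real image or payload: it assumes the block sits after the JPEG end-of-image marker (the report does not say exactly where it was placed), and its sample JPEG and "payload" bytes are constructed.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A PEM block: header, base64 body (possibly wrapped across lines), matching footer.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
EXECUTABLE_MAGIC = {b"MZ": "PE (Windows executable)", b"\x7fELF": "ELF (Linux executable)"}


def bytes_after_eoi(jpeg: bytes) -> bytes:
    """Return everything after the last End-Of-Image marker; a clean JPEG ends there.
    An appended PEM block is ASCII and never contains 0xFF, so rfind is safe for it."""
    if not jpeg.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    idx = jpeg.rfind(JPEG_EOI)
    return b"" if idx == -1 else jpeg[idx + len(JPEG_EOI):]


def looks_like_der_certificate(blob: bytes) -> bool:
    """Crude DER shape check: an X.509 certificate is an outer SEQUENCE (tag 0x30) whose
    length is encoded in long form (0x81-0x83), since real certificates exceed 127 bytes."""
    return len(blob) >= 4 and blob[0] == 0x30 and blob[1] in (0x81, 0x82, 0x83)


def classify_payload(blob: bytes) -> str:
    if looks_like_der_certificate(blob):
        return "DER certificate"
    for magic, name in EXECUTABLE_MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown binary"


def analyse_pem_blocks(data: bytes) -> list:
    """Decode every PEM-looking block and report what its base64 body really contains."""
    findings = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error:
            findings.append({"label": label, "decoded": False, "size": 0, "kind": "not base64"})
            continue
        findings.append({"label": label, "decoded": True, "size": len(decoded),
                         "kind": classify_payload(decoded)})
    return findings


def scan_image(jpeg: bytes) -> dict:
    """What a triage script would log: bytes trailing the image, and what any embedded
    'certificate' decodes to."""
    return {"trailing_bytes": len(bytes_after_eoi(jpeg)), "pem_blocks": analyse_pem_blocks(jpeg)}


# --- constructed sample inputs (not the real Webb image, not the real payload) ---
def pem(label: bytes, blob: bytes) -> bytes:
    return (b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(blob)
            + b"-----END " + label + b"-----\n")

# Smallest JPEG skeleton: SOI, one JFIF APP0 segment, EOI. Enough for the marker logic.
MINIMAL_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
FAKE_PE_PAYLOAD = b"MZ" + b"\x90" * 46              # constructed stand-in for a Windows binary
FAKE_DER_CERT = b"\x30\x82\x01\x00" + b"\x00" * 44  # constructed DER-shaped stub
CLEAN_IMAGE = MINIMAL_JPEG
TROJANED_IMAGE = MINIMAL_JPEG + pem(b"CERTIFICATE", FAKE_PE_PAYLOAD)
BENIGN_CERT_IMAGE = MINIMAL_JPEG + pem(b"CERTIFICATE", FAKE_DER_CERT)

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_IMAGE), ("trojaned", TROJANED_IMAGE),
                      ("benign cert", BENIGN_CERT_IMAGE)]:
        print(name, scan_image(img))
```

The point of decoding rather than just grepping for "BEGIN CERTIFICATE" is that the header proves nothing: only the decoded bytes tell you whether the block is a certificate or a binary wearing a certificate's clothes. Against a real sample the `looks_like_der_certificate` check should be replaced by a proper X.509 parse (e.g. with the `cryptography` package), and the "unknown binary" bucket still deserves a look, since an obfuscated Go payload need not start with a recognisable magic.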
Three former US government cyber-spies who, among other things, illicitly compromised and snooped on Americans' devices for the United Arab Emirates government have been banned from participating in international arms exports under a deal reached with Uncle Sam.

Per the terms of the agreements, Ryan Adams [PDF], Marc Baier [PDF] and Daniel Gericke [PDF], all three former NSA operatives, will be "debarred," meaning they are prohibited from participating in any activities regulated under the International Traffic in Arms Regulations (ITAR) for three years. After three years, they can submit a request to the State Department to be reinstated if they choose to do so.

But considering the men were charged with providing hacking-for-hire services – getting paid to break into targets' devices and steal data, for instance – to UAE government agencies against US devices and users, it's probably safe to assume that any such request will be swiftly denied.

"Debarment, a fancy word for being prohibited from doing business, can actually be a significant sanction in that it can amount to a death penalty for the companies involved," attorney Bryan Cunningham, an advisory council member at data security firm Theon Technology, told The Register.
A Pakistani parliamentary committee has labelled its own cybersecurity agency "incompetent".

That damning assessment was offered by the nation's Standing Committee on Information Technology and Telecommunication at a Monday meeting convened to brief committee members on the workings of Pakistan's Ministry of Information Technology and Telecommunication.

The Committee's account of the meeting includes the following statement:

The Committee expressed its displeasure on the performance of some departments of the Ministry, especially the performance of the Cyber Security Cell. The Committee directed the Ministry of Information Technology and Telecommunication to address the incompetence of the Cyber Security Cell.

It is unclear if the Committee was referring to a specific failure, or just displeased that several government websites have recently experienced DDoS attacks or that Pakistan experiences high levels of cybercrime.

Pakistani news outlet Techjuice reports that Committee member Baz Baloch used the meeting to allege that the National Board of Revenue – which holds personal information on all citizens – has twice been attacked recently. The Register has been unable to find further evidence of that allegation, but if it is correct the Committee certainly has grounds for complaint.

The timing of the Committee's statement also seems notable, as it came the day before Pakistan Defence Day – an annual commemoration of the nation's armed forces.
Scientists from the National University of Singapore and Yonsei University in the Republic of Korea have developed a device for verifying whether your laptop microphone is secretly recording your conversations.

The researchers – Soundarya Ramesh, Ghozali Suhariyanto Hadi, Sihun Yang, Mun Choon Chan, and Jun Han – call the device TickTock. That may suit a lab project but would obviously invite a trademark lawsuit from a similarly named social media company were commercialization ever considered.

The mic-monitoring gadget is described in an ArXiv paper titled, "TickTock: Detecting Microphone Status in Laptops Leveraging Electromagnetic Leakage of Clock Signals."

Citing the increase in remote privacy attacks on laptop computers for surveillance, the five co-authors observe that while defenses have been developed for laptop webcams – e.g. a piece of tape, as favored by Mark Zuckerberg – there's no analogous sound-blocking barrier to prevent surreptitious listening. Their solution amounts to a side-channel defense.

Laptop makers, they point out, have taken steps to make malware-triggered mic activation more evident or impossible. Apple, for example, has a hardware disconnect for recent laptops that's designed to disable the mic when the lid is shut.

Dell in 2020 added drivers to Linux to provide mic and camera privacy. Both Windows 10 and macOS 12 show visible indicators of mic activation, and third-party privacy software did so previously. And Purism has a hardware kill switch for the mic and camera on its Librem 5 USA phone.

The researchers contend these approaches have shortcomings.

"First, these solutions require users to trust the implementation of the laptop manufacturers or the operating systems, both of which have been compromised by attackers several times in the past or that the manufacturers themselves could be malicious," they state in their paper. "Second, these solutions are incorporated in only a small fraction of devices, hence most current day laptops do not have a way to detect/prevent eavesdropping."
What is the current view of the security of home network devices from Huawei, HTC and other Chinese manufacturers? I remember reading that at least Huawei's routers had been found, or suspected, to have some wormholes that could be used for espionage. And even today the US apparently doesn't allow devices made by at least those two manufacturers to be used in any public-sector agencies.

At least I don't have any great secrets moving around on the net, and I also use a VPN all the time. But purely on principle I don't want to use suspicious devices. The annoying thing is that in my experience Huawei's 4G broadband modems work exceptionally well, and apparently the 5G modems do too. In 5G routers, for example, the selection is almost exclusively Huawei and HTC. I'd be interested in getting a 5G modem, but I'll probably wait for a wider range of devices.
What is the current view of the security of home network devices from Huawei, HTC and other Chinese manufacturers?
Well, it certainly hasn't improved lately. If you can configure it yourself and the updates aren't some kind of black boxes. By sniffing the outgoing data you can find out whether it routes stuff to China, but for a normal citizen that's all Greek.
Well, it certainly hasn't improved lately. If you can configure it yourself and the updates aren't some kind of black boxes. By sniffing the outgoing data you can find out whether it routes stuff to China, but for a normal citizen that's all Greek.
Although my understanding of these is perhaps somewhat above the average citizen's (i.e. still not very high), my own skills aren't enough for that. But it piqued my curiosity, and I might learn. I've just had to put the old Huawei back into temporary use, since the Asus broke prematurely (and worked poorly even before it broke).
Chinese scammers have reportedly stolen a whopping $529 million dollars from Indian residents using instant lending apps, lures of part-time jobs, and bogus cryptocurrency trading schemes, according to the cyber crime unit in the state of Uttar Pradesh.

As of last April, the coppers had busted a network of criminals worth around $378 million, but that total did not include the cryptocurrency-related frauds.

According to local media reports, the scammers promoted their fraud through bulk TXT messages that the police tracked to the Middle Kingdom, with some operators located in Nepal and working under direction by Chinese threat actors. Fake websites and crypto apps were set up to lure in investors.

"The instant loan apps, the part-time job offers and now the crypto trading fraud, all of them are being operated by the same hackers from China. The SMS aggregators are also involved in it," Uttar Pradesh Cyber Crime Superintendent of Police Triveni Singh said, according to Press Trust Of India (PTI).

The crims absconded with funds by first transferring money from the victims to local Indian bank accounts and digital wallets before transferring the cash to Indian crypto currency exchange platform Zebpay and similar international platform Binance.

In April, Singh told PTI the stolen money was ultimately withdrawn in China.
FishPig is a seller of Magento-WordPress integrations. Magento is an open source e-commerce platform used for developing online marketplaces.

Tideswell said the last software commit made to its servers that didn't include the malicious code was made on August 6, making that the earliest possible date the breach likely occurred. Sansec, the security firm that discovered the breach and first reported it, said the intrusion began on or before August 19. Tideswell said FishPig has already "sent emails to everyone who has downloaded anything from in the last 12 weeks alerting them to what's happened."

In a disclosure published after the Sansec advisory went live, FishPig said that the intruders used their access to inject malicious PHP code into a Helper/License.php file that's included in most FishPig extensions. After launching, Rekoobe removes all malware files from disk and runs solely in memory. For further stealth, it hides as a system process that tries to mimic one of the following:

/usr/sbin/cron -f
/sbin/udevd -d
dbus-daemon --system

The backdoor then waits for commands from a server located at Sansec said it hadn't detected follow-up abuse from the server yet. The security firm suspects that the threat actors may plan to sell access to the affected stores in bulk on hacking forums.
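Rekoobe's trick of deleting itself from disk and then parading under the name of cron, udevd or dbus-daemon leaves two contradictions a host check can look for: the kernel reports a memory-only process's backing file as "(deleted)" in /proc/<pid>/exe, and a genuine daemon's executable lives in a known system directory that matches what argv[0] claims. The script below is an added example, not Sansec's or FishPig's code: the list of expected directories per daemon is an assumption to tune for your distribution, and the process records it checks are constructed.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Daemon names the report says Rekoobe imitates, with the directories a genuine copy of
# each lives in on common distributions (an assumption; tune for your fleet).
MIMICKED = {
    "cron": ("/usr/sbin", "/usr/bin"),
    "udevd": ("/sbin", "/usr/sbin", "/usr/lib/systemd", "/lib/systemd"),
    "dbus-daemon": ("/usr/bin", "/bin"),
}


@dataclass
class Proc:
    pid: int
    cmdline: str  # argv joined with spaces, as read from /proc/<pid>/cmdline
    exe: str      # readlink("/proc/<pid>/exe"); " (deleted)" suffix means the file is gone


def masquerade_reason(p: Proc) -> Optional[str]:
    """Return why this process looks like a daemon impersonator, or None if it is consistent."""
    argv0 = p.cmdline.split(" ", 1)[0]
    name = os.path.basename(argv0)
    if name not in MIMICKED:
        return None
    # A process that removed its own binary and runs purely from memory shows up with a
    # "(deleted)" backing file; a real daemon keeps its executable on disk.
    if p.exe.endswith(" (deleted)"):
        return "backing executable unlinked from disk (memory-only process)"
    exe_dir, exe_name = os.path.split(p.exe)
    # Allow renamed-but-related binaries such as systemd-udevd for udevd.
    if exe_name != name and not exe_name.endswith(name):
        return f"argv[0] claims {name!r} but exe is {p.exe!r}"
    if exe_dir not in MIMICKED[name]:
        return f"{name!r} running from unexpected directory {exe_dir!r}"
    return None


def find_masqueraders(procs: List[Proc]) -> List[Tuple[int, str]]:
    return [(p.pid, reason) for p in procs if (reason := masquerade_reason(p))]


def live_scan() -> List[Tuple[int, str]]:
    """Walk /proc on the host (Linux only; reading other users' exe links needs root)."""
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; unreadable pids are skipped
        if cmdline:
            procs.append(Proc(int(pid), cmdline, exe))
    return find_masqueraders(procs)


# Constructed process records: three consistent daemons and four impersonators.
SAMPLE_PROCS = [
    Proc(412, "/usr/sbin/cron -f", "/usr/sbin/cron"),
    Proc(233, "dbus-daemon --system", "/usr/bin/dbus-daemon"),
    Proc(655, "/sbin/udevd -d", "/usr/lib/systemd/systemd-udevd"),
    Proc(981, "/usr/sbin/cron -f", "/tmp/.x (deleted)"),
    Proc(1207, "dbus-daemon --system", "/var/www/html/.cache/dbus-daemon"),
    Proc(1500, "/sbin/udevd -d", "/dev/shm/udevd"),
    Proc(1600, "/usr/sbin/cron -f", "/usr/sbin/php-fpm"),
]

if __name__ == "__main__":
    for pid, reason in find_masqueraders(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

Two caveats when running `live_scan()` for real: a daemon whose package was upgraded while it kept running also shows "(deleted)" until restarted, so the first finding is a lead rather than a verdict, and the cmdline is attacker-controlled, which is exactly why the check anchors on the exe link the kernel maintains rather than on the name the process gives itself.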
If there’s one thing we’ve learned over the years, it’s that if it’s got a silicon chip inside, it could be carrying a virus. Research by one group focused on hiding a trojan inside an AVR Arduino bootloader, proving even our little hobbyist microcontrollers aren’t safe.

The specific aim of the research was to hide a trojan inside the bootloader of an AVR chip itself. This would allow the trojan to remain present on something like a 3D printer even if the main firmware itself was reinstalled. The trojan would still be able to have an effect on the printer’s performance from its dastardly hiding place, but would be more difficult to notice and remove.

The target of the work was the ATmega328P, commonly used in 3D printers, in particular those using the Marlin firmware. For the full technical details, you can dive in and read the research paper for yourself. In basic terms, though, the modified bootloader was able to use the chip’s IVSEL register to allow bootloader execution after boot via interrupt. When an interrupt is called, execution passes to the trojan-infected bootloader’s special code, before then returning to the program’s own interrupt to avoid raising suspicion. The trojan can also execute after the program’s interrupt code too, increasing the flexibility of the attack.

Simply reflashing a program to an affected chip won't flush out the trojan. The chip instead must have its bootloader specifically rewritten with a clean version to remove the offending code.

It’s not a super dangerous hack, overall. Typically, flashing a malicious bootloader would require physical access to the chip. Furthermore, there’s not heaps to be gained by sneaking code onto the average 3D printer out there. However, it’s nonetheless a good example of what bootloaders can really do, and a reminder of what we should all be careful of when operating in security-conscious domains. Stay safe out there!

The record-vying distributed denial-of-service attacks keep coming, with two mitigation services reporting they encountered some of the biggest data bombardments ever by threat actors whose tactics and techniques are constantly evolving.

On Monday, Imperva said it defended a customer against an attack that lasted more than four hours and peaked at more than 3.9 million requests per second (RPS).

In all, the attackers directed 25.3 billion requests at the target with an average rate of 1.8 million RPS. While DDoSes exceeding 1 million RPS are growing increasingly common, they typically come in shorter bursts that measure in seconds or a few minutes at most.
An example of an ordinary hacker vs. a state actor. After a short stint in prison, this guy will find himself on the London infosec market as some kind of operator.

A Thursday night arrest of a 17-year-old in the UK may have led to the capture of one of the biggest video game-related leakers in recent history.

London police forces confirmed their apprehension of an Oxford suspect on a social media channel regularly used for police arrest updates, and it clarified the suspect's age, a vague charge of "suspicion of hacking," and that the investigation was coordinated with the UK's National Crime Agency (NCA) and specifically its National Cyber Crime Unit.

That charge was followed hours later by a report from American freelance journalist Matthew Keys alleging that the arrest revolved squarely around the recent theft and distribution of unreleased assets from British video game studio Rockstar North. This report cites "sources" to claim that the FBI was involved in this investigation and that the data seized also included portions of a massive Uber-related breach. Keys' report, as of press time, has not been corroborated by larger newsrooms in either the US or UK.
Researchers have revealed a never-before-seen piece of cross-platform malware that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers.

Black Lotus Labs, the research arm of security firm Lumen, is calling the malware Chaos, a word that repeatedly appears in function names, certificates, and file names it uses. Chaos emerged no later than April 16, when the first cluster of control servers went live in the wild. From June through mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have mushroomed in recent months, growing from 39 in May to 93 in August. As of Tuesday, the number reached 111.

Black Lotus has observed interactions with these staging servers from both embedded Linux devices as well as enterprise servers, including one in Europe that was hosting an instance of GitLab. There are more than 100 unique samples in the wild.

"The potency of the Chaos malware stems from a few factors," Black Lotus Labs researchers wrote in a Wednesday morning blog post. "First, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC—in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys."
CVEs refer to the mechanism used to track specific vulnerabilities. Wednesday's report referred to only a few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls, and network inspection gear sold by F5. SSH infections using password brute-forcing and stolen keys also allow Chaos to spread from machine to machine inside an infected network.

Chaos also has various capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect Chaos "is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining," company researchers said.

Black Lotus Labs believes Chaos is an offshoot of Kaiji, a piece of botnet software for Linux-based AMD and i386 servers for performing DDoS attacks. Since coming into its own, Chaos has gained a host of new features, including modules for new architectures, the ability to run on Windows, and the ability to spread through vulnerability exploitation and SSH key harvesting.

Infected IP addresses indicate that Chaos infections are most heavily concentrated in Europe, with smaller hotspots in North and South America, and Asia Pacific.

"The actors have successfully compromised numerous organizations since June 2022," members of the Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense teams wrote in a post. "Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions."

PuTTY is a popular terminal emulator, serial console, and network file transfer application that supports network protocols, including SSH, SCP, Telnet, rlogin, and raw socket connection. Two weeks ago, security firm Mandiant warned that hackers with ties to North Korea had Trojanized it in a campaign that successfully compromised a customer's network. Thursday's post said the same hackers have also weaponized KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software with code that installs the same espionage malware, which Microsoft has named ZetaNile.

Lazarus was once a ragtag band of hackers with only marginal resources and skills. Over the past decade, its prowess has grown considerably. Its attacks on cryptocurrency exchanges over the past five years have generated billions of dollars for the country's weapons of mass destruction programs. They regularly find and exploit zero-day vulnerabilities in heavily fortified apps and use many of the same malware techniques used by other state-sponsored groups.

The group relies primarily on spear phishing as the initial vector into its victims, but they also use other forms of social engineering and website compromises at times. A common theme is for members to target the employees of organizations they want to compromise, often by tricking or coercing them into installing Trojanized software.

The Trojanized PuTTY and KiTTY apps Microsoft observed use a clever mechanism to ensure that only intended targets get infected and that it doesn't inadvertently infect others. The app installers don't execute any malicious code. Instead, the ZetaNile malware gets installed only when the apps connect to a specific IP address and use login credentials the fake recruiters give to targets.
Once they've broken into an IT environment, most intruders need less than five hours to collect and steal sensitive data, according to a SANS Institute survey of more than 300 ethical hackers.

The respondents also proved the old adage that it's not "if" but "when." Even if their initial attack vector fails, almost 38 percent indicated they can break into an environment "more often than not" by repeated attacks.

Most SANS surveys focus on the defenders' perspective – for example asking incident responders how long it took them to detect and respond to a cyberattack. This report, commissioned by offensive security firm Bishop Fox, aimed to "get into the mindset of someone who attacks an organization, and look at those metrics instead," said author Matt Bromiley, digital forensics and incident response instructor at SANS.

"Now obviously, we can't call up all of our favorite hackers in the world – I don't think many countries' intelligence agencies would take that phone call," he told The Register.

So the research team went with the next-best option: the ethical hackers tasked with emulating the adversaries. They asked this group of bug hunters and penetration testers about their favorite attack vectors, the tools they use and their speed.

The bulk of the survey respondents (83.4%) work for companies headquartered in the US. And the largest segment (34.2%) said they worked in cybersecurity, with jobs ranging from security analyst to chief information security officer or VP of security or technology.

Of course, your humble vulture can't verify these respondents are who they claim to be. And the report acknowledges that the respondents, who are generally hired by organizations to "attack" their IT environments, have different motives than what it calls "unsanctioned adversaries" – i.e. the baddies.

There's value in knowing how long it takes an ethical hacker to breach an environment, how quickly they can shift gears, and what their favorite tactics are. Because that can help organizations focus their security investments in areas that will yield the greatest return on investment, Bromiley argued.

"If I have to assume a state of breach, it's going to be the hardest, most lengthy breach you've ever been involved in," he said. "I'm going to make it so tough for you to get in, that you might just stop. Fingers crossed."
The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.

"This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained.

The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.

"During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."

According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years.

"The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register.

"This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures."
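The red flag the security team caught above is a user's MAC address associating to the office Wi-Fi while that same user's remote session showed them miles away. That correlation is easy to automate once you have three feeds: an inventory tying Wi-Fi MAC addresses to users, the wireless controller's association log, and the VPN's login/logout log. The script below is an added example, not the company's or Linares's tooling: the log formats, MAC addresses, IPs and usernames are all constructed, and it treats any VPN session as "off-site".

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Simplified syslog-like lines (constructed format, not any vendor's real schema).
WIFI_RE = re.compile(r"^(\S+) wlc assoc ap=(\S+) mac=([0-9a-f:]{17}) result=(\S+)$")
VPN_RE = re.compile(r"^(\S+) vpn (login|logout) user=(\S+)(?: src=(\S+))?$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FORMAT)


def vpn_sessions(vpn_log: str) -> Dict[str, List[List[Optional[datetime]]]]:
    """Per user, a list of [start, end] remote sessions; end is None while still logged in."""
    events = sorted(
        (parse_ts(m.group(1)), m.group(2), m.group(3))
        for m in (VPN_RE.match(line) for line in vpn_log.splitlines()) if m
    )
    sessions: Dict[str, List[List[Optional[datetime]]]] = {}
    for when, action, user in events:
        if action == "login":
            sessions.setdefault(user, []).append([when, None])
        else:
            for s in sessions.get(user, []):
                if s[1] is None:
                    s[1] = when  # close the open session
    return sessions


def remote_at(sessions, user: str, when: datetime) -> bool:
    return any(start <= when and (end is None or when <= end)
               for start, end in sessions.get(user, []))


def find_conflicts(wifi_log: str, vpn_log: str, inventory: Dict[str, str]) -> List[dict]:
    """Wi-Fi associations by a MAC whose assigned user had an active VPN session at that moment."""
    sessions = vpn_sessions(vpn_log)
    hits = []
    for line in wifi_log.splitlines():
        m = WIFI_RE.match(line)
        if not m:
            continue
        when, ap, mac, result = parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        user = inventory.get(mac)
        if user and remote_at(sessions, user, when):
            hits.append({"user": user, "mac": mac, "ap": ap, "time": m.group(1),
                         "wifi_result": result})
    return hits


# --- constructed sample data ---
MAC_OWNER = {"3c:22:fb:12:34:56": "a.smith", "3c:22:fb:ab:cd:ef": "b.jones"}
WIFI_LOG = """\
2022-10-10T09:12:40Z wlc assoc ap=roof-east mac=3c:22:fb:12:34:56 result=partial
2022-10-10T09:13:05Z wlc assoc ap=floor2-w mac=3c:22:fb:ab:cd:ef result=ok
"""
VPN_LOG = """\
2022-10-10T08:55:10Z vpn login user=a.smith src=203.0.113.7
2022-10-10T08:50:00Z vpn logout user=b.jones
2022-10-10T07:40:00Z vpn login user=b.jones src=198.51.100.9
"""

if __name__ == "__main__":
    for hit in find_conflicts(WIFI_LOG, VPN_LOG, MAC_OWNER):
        print("impossible presence:", hit)
```

Here a.smith is flagged (VPN session open since 08:55, MAC seen on the roof-side access point at 09:12) while b.jones is not, because the remote session ended before the office association. In practice the access point name is worth keeping in the alert, as it was the physical location that led the team to the roof.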
Advanced, a managed software provider to the UK National Health Service, has confirmed that customer data was indeed lifted as part of the attack by cyber baddies that has disrupted operations for months.

The attack was first noted August 4 when Advanced promptly pulled a portion of its infrastructure offline to contain the spread of infection to other systems. As such, a range of sites hosted for clients were unavailable.

The incident disrupted healthcare customers, forcing NHS 111 medical services operators, for example, to revert back to pen and paper as digital services went AWOL, sources told us at the time.

In an incident update yesterday, Advanced confirmed that the “perpetrators of the attack, who were financially motivated in nature, were able to temporarily obtain a limited amount of information from our environment pertaining to 16 of our Staffplan and Caresys customers.”
Advanced has now informed those customers, as is its legal duty, of the “exfiltrated data.” The company’s incident update says no data was taken from the other products it hosts, and it has “recovered the limited amount of data” that the crooks swiped from the infected systems.

“[W]e believe the likelihood of harm to individuals is low,” it adds. “This is based on our expert threat intelligence vendor's considerable experience with cases of this nature and the fact that there is no evidence to suggest that the data in question exists elsewhere outside our control. We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position change

As for the entry point? Access was gained via Advanced’s network using legitimate third-party credentials to set up a Remote Desktop session to the Staffplan Citrix server.