The kit uses multiple evasion detection techniques and incorporates several mechanisms to keep non-victims away from its phishing pages.

According to Akamai, whose security researchers discovered the campaign, one of the most interesting features of the kit is a token-based system that ensures each victim is redirected to a unique phishing page URL.

Campaign overview

The campaign spotted by Akamai started in September 2022 and continued throughout October, preying on online shoppers looking for "holiday specials."

The central theme of the phishing emails sent to prospective victims is a chance to win a prize from a reputable brand.

The links in the email don't raise any alarms as they lead to the phishing site after a series of redirections, while URL shorteners conceal most URLs.

Additionally, the attackers abuse legitimate cloud services like Google, AWS, and Azure, abusing their good reputation to bypass protection mechanisms.

Everyone visiting the phishing site wins the promised prize after completing a short survey. In addition, a five-minute timer ensures those taking the survey are infused with a feeling of urgency.

Some impersonated brands include sporting goods firm Dick's, high-end luggage maker Tumi, Delta Airlines, and the wholesale clubs, Sam's Club and Costco.

Phishing email and landing page examples - Source: ScamWatcher

 

To increase the campaign's effectiveness, the phishing actors include fake user testimonials showcasing the received prizes.

Fake user testimonials on the survey pages - Source: Akamai

 

After "winning" the prize, the victim is requested to cover the shipping costs for receiving the prize, for which they need to enter their payment card details.

Of course, there is no prize to be shipped, and the credit card details are stolen by the threat actors to be used for online purchases.

Akamai says roughly 89% of users landing on phishing domains are from the United States and Canada.

Depending on their exact location, the redirection takes them to a different phishing site impersonating locally available brands.

Each victim gets a unique URL

Each phishing email contains a link to a landing page with an anchor (#) usually used to direct a visitor to a specific part of the linked-to page.

In this phishing campaign, the anchor tag represents a token used by JavaScript on the phishing landing to reconstruct a URL to which the target will be redirected.

"The values being after the HTML anchor will not be considered as HTTP parameters and will not be sent to the server, yet this value will be accessible by JavaScript code running on the victim's browser," explains Akamai.

"In the context of a phishing scam, the value placed after the HTML anchor might be ignored or overlooked when scanned by security products that are verifying whether it is malicious or not."

"This value will also be missed if viewed by a traffic inspection tool."

Akamai shared the following image showing how the phishing link anchor is used to create a redirection link.

Redirecting based on anchor token - Source: Akamai

 

Security products and network traffic inspection tools overlook this token, so it doesn't introduce risks for the phishing actors.

Instead, it helps keep unwanted traffic, researchers, analysts, and random visitors away from the phishing landing pages.

Those without a valid token, and browser redirections that don't use JavaScript for their rendering, will fail to access the phishing site.

Apart from filtering non-victims, the tokens can also be used for victim-specific tracking, campaign performance measurement, and more.

In summary, the kit combines almost all known techniques for effectiveness and detection avoidance, making it a potent threat to North Americans.

With the Black Friday and Christmas shopping season approaching, consumers should be extra vigilant when they receive messages about promotions and special offers.

The SEO poisoning attack analyzed by BleepingComputer uses Google's datastudio.google.com subdomain to lend credibility to malicious domains.

Abusing Data Studio to boost warez sites' rankings

BleepingComputer has come across several pages of Google search results flooded with datastudio.google.com links after a concerned reader reported seeing the erratic behavior to us.

These links, rather than representing a legitimate Google Data Studio project, are minisites that host links to pirated content.

Google Data Studio abused to boost SEO rankings of pirate sites (BleepingComputer)

 

For example, one such search result we clicked on, directs users looking to "Download Terrifier 2 (2022)" to bit.ly links that further redirect multiple times to ultimately land on a spammy website.

As evident from the screenshot below, the SEO poisoning campaign uses the keyword stuffing technique which is often considered a form of webspam, to boost rankings of these illicit domains:

A sample Google Data studio website identified within the campaign (BleepingComputer)

 

"FIFA 23 Download Torrent" webpage hosted on Data Studio (BleepingComputer)

 

Clicking on one of these Bit.ly URLs further redirects the user several times before they arrive on a website promoting online surveys, streaming sites of dubious legality and authenticity, and spam:

Destination page the user ultimately lands on is a streaming site (BleepingComputer)

 

Another final destination page promotes an "online test" (BleepingComputer)

 

Introduced in 2016 by Google, Looker Studio (formerly, Google Data Studio) is a web-based business intelligence tool that enables users to transform data into customizable informative reports and dashboard for easy visualization and analysis.

Data Studio can be and has been used to, for example, track and visualize the download counts of open source packages for a given period.

While the legitimate business use cases of Looker Studio are plenty, much like any other web service, it isn't immune from being abused by threat actors looking to host questionable content or manipulating SEO for their illicit domains.

SEO poisoning campaigns spotted in the past have targeted U.S. midterm election keywords, and more recently been seen pushing malware-laced Zoom, TeamViewer, and Visual Studio installers. 

BleepingComputer has reached out to Google in advance of publishing to understand how Google plans on tackling the issue and we are awaiting their response.

The attacks have been observed between March and October 2022 and researchers attributed it to the cyber espionage group Mustang Panda (Bronze President, TA416).

According to Trend Micro researchers, the threat group targeted mostly organizations in Australia, Japan, Taiwan, Myanmar, and the Philippines.

Heatmap of targets in latest campaign (Trend Micro)

 

The Chinese hackers used Google accounts to send their targets email messages with lures that tricked them into downloading custom malware from Google Drive links.

Infection details

In a report today, Trend Micro researchers say that the hackers used messages with geopolitical subjects and that most of them (84%) targeted government/legal organizations.

To bypass security mechanisms, the embedded link points to a Google Drive or Dropbox folder, both legitimate platforms with good reputation that are typically less suspicious.

These links lead to downloading compressed files (RAR, ZIP, JAR) with custom malware strains such as ToneShell, ToneIns, and PubLoad.

Mustang Panda infection process (Trend Micro)

 

"The email's subject might be empty or might have the same name as the malicious archive," explains the report.

Although the hackers used various malware loading routines, the process typically involved DLL side-loading after the victim launched an executable present in the archives. A decoy document is displayed in the foreground to minimize suspicions.

Malware evolution

The three malware strains used in this campaign are PubLoad, ToneIns, and ToneShell.

From the three custom malware pieces used in the campaign, only PubLoad has been previously documented in a Cisco Talos report from May 2022 describing campaigns against European targets.

PubLoad is a stager responsible for creating persistence by adding registry keys and creating scheduled tasks, decrypting shellcode, and handling command and control (C2) communications.

Trend Micro says later versions of PubLoad feature more sophisticated anti-analysis mechanisms, implying that Mustang Panda is actively working on improving the tool.

ToneIns is an installer for ToneShell, the main backdoor used in the recent campaign. It uses obfuscation to evade detection and load ToneShell while also establishing persistence on the compromised system.

ToneShell is a standalone backdoor loaded directly in memory, featuring code flow obfuscation through implementation of custom exception handlers.

This also works as an anti-sandbox mechanism, as the backdoor won't execute in a debugging environment.

Data workflow of exception handling in C++ - source: Trend Micro

 

After connecting to the C2, ToneShell sends a package with victim ID data and then waits for new instructions.

These commands allow uploading, downloading, and executing files, creating shells for intranet data exchange, changing sleep configuration, and more.

Mustang Panda activity

Trend Micro says this recent campaign features the same Mustang Panda techniques, tactics, and procedures (TTPs) that Secureworks reported in September 2022.

The latest campaign shows signs of an improved toolset and capability to expand, which increases the Chinese hackers' ability to collect intelligence and breach targets.

Earlier this year, Proofpoint reported that Mustang Panda was focusing its operations in Europe, targeting high-ranking diplomats.

A Secureworks report from around the same time spotted a separate Mustang Panda campaign, this time targeting on Russian officials.

In March 2022, ESET explored Mustang Panda's operations in Southeast Asia, South Europe, and Africa, indicating that the Chinese espionage gang is a global threat despite having short-term bursts of focused activity.

Source

In total, the losses resulting from their attacks amount to more than $11,1 million, stolen by tricking the victims into redirecting bank transfers into the fraudsters' accounts.

To trick the targets into believing the payments were made to legitimate accounts, US DOJ says the attackers spoofed the email addresses of hospitals to request public and private health insurance programs to switch to new bank accounts (controlled by co-conspirators) to send payments for medical services.

"Unwittingly, five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers allegedly were deceived into making payments to the defendants and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals," DOJ said in a press release on Friday.

"The defendants and their co-conspirators allegedly laundered the proceeds fraudulently obtained from these health care benefit plans and from other victims by, among other things, withdrawing large amounts of cash, layering them through other accounts they or their co-conspirators opened in the names of false and stolen identities and shell companies, transferring them overseas, and purchasing luxury goods and exotic automobiles."

US DOJ unsealed charges also linked to money laundering and wire fraud schemes against the defendants in multiple states:

• six defendants in the Northern District of Georgia (Patrick Ndong-Bike, Desmond Nkwenya, Cory Smith, Chisom Okonkwo, Olugbenga Abu, Trion Thomas)
• one defendant in the District of South Carolina (Biliamin Fagbewesa)
• one defendant was previously charged in the Northern District of Georgia (Malachi Mullings)
• one previously charged in the Eastern District of Virginia (Sauveur Blanchard)
• a third defendant previously charged in the Northern District of Texas (Adewale Adesanya) has entered a guilty plea and has been sentenced to four years in prison

Their schemes allegedly caused more than $4.7 million in losses to Medicare, Medicaid, and U.S. private health insurers and over $6.4 million in losses to U.S. federal government agencies, private companies, and individuals.

"Millions of American citizens rely on Medicaid, Medicare, and other health care systems for their health care needs," Assistant Director Luis Quesada of the FBI's Criminal Investigative Division added today.

"These subjects utilized complex financial schemes, such as BECs and money laundering, to defraud and undermine health care systems across the United States."

Business email compromise is a $43 billion scam

In May, the FBI said losses due to business email compromise (BEC) scams continue to grow yearly, with a 65% increase in identified global exposed losses between July 2019 and December 2021.

Between June 2016 and July 2019, the FBI's Internet Crime Complaint Center received complaints regarding over 241,000 domestic and international incidents, with a total exposed dollar loss of more than $43.3 billion.

BEC scammers use many tactics—including phishing, social engineering, and hacking—to redirect targets' bank transfers to bank accounts under their control.

While such crooks commonly target businesses, they also attack individuals if they consider the payout worth it. 

Unfortunately, as the FBI revealed, their success rate is also very high because they generally impersonate someone the target trusts, like business partners or company executives.

Things are again looking up for Microsoft in AV-Comparatives' Real-world protection test. Unlike the previous Performance test, which measured the performance impact of an antivirus program, the Real-world test gauges the ability of an anti-malware solution to detect and block real threats. The test also measures the number of false positives, even those that are user-dependent. These are quantified by the FP Score and the higher the score, the worse. User-dependent false positives are assigned half points.

You can view the FP Scores of all the tested products, including Microsoft's which has seven false positives:

Up next, we have the Protection Rate, which measures how many malicious sample test cases were successfully blocked by each product. Out of the total 626 test cases, Defender was able to detect and block 623:

Finally, we have the AV-Comparatives certifications and expectedly, Microsoft received the ADVANCED+ rating. Overall, it looks like ESET did the worst in terms of detections, as it was compromised seven times out of 626. Malwarebytes however got the worst certification, ie, TESTED, due to the highest number of false positives on top of six compromises.

You can view the full report on AV-Comparatives' website.

Microsoft finally gets one past as Defender does great in AV-Comparatives' protection test

"Dtrack allows criminals to upload, download, start or delete files on the victim host," Kaspersky researchers Konstantin Zykov and Jornt van der Wiel said in a report.

The victimology patterns indicate an expansion to Europe and Latin America. Sectors targeted by the malware are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers, and telecommunication firms.

Dtrack, also called Valefor and Preft, is the handiwork of Andariel, a subgroup of the Lazarus nation-state threat actor that's publicly tracked by the broader cybersecurity community using the monikers Operation Troy, Silent Chollima, and Stonefly.

Discovered in September 2019, the malware has been previously deployed in a cyber attack aimed at a nuclear power plant in India, with more recent intrusions using Dtrack as part of Maui ransomware attacks.

Industrial cybersecurity company Dragos has since attributed the nuclear facility attack to a threat actor it calls WASSONITE, pointing out the use of Dtrack for remote access to the compromised network.

The latest changes observed by Kaspersky relate to how the implant conceals its presence within a seemingly legitimate program ("NvContainer.exe" or "XColorHexagonCtrlTest.exe") and the use of three layers of encryption and obfuscation designed to make analysis more difficult.

The final payload, upon decryption, is subsequently injected into the Windows File Explorer process ("explorer.exe") using a technique called process hollowing. Chief among the modules downloaded through Dtrack is a keylogger as well as tools to capture screenshots and gather system information.

"The Dtrack backdoor continues to be used actively by the Lazarus group," the researchers concluded. "Modifications in the way the malware is packed show that Lazarus still sees Dtrack as an important asset."

Source

The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022.

"Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," CISA noted.

LogShell, aka CVE-2021-44228, is a critical remote code execution flaw in the widely-used Apache Log4j Java-based logging library. It was addressed by the open source project maintainers in December 2021.

The latest development marks the continued abuse of the Log4j vulnerabilities in VMware Horizon servers by Iranian state-sponsored groups since the start of the year. CISA did not attribute the event to a particular hacking group.

However, a joint advisory released by Australia, Canada, the U.K., and the U.S. in September 2022 pointed fingers at Iran's Islamic Revolutionary Guard Corps (IRGC) for leveraging the shortcoming to carry out post-exploitation activities.

The affected organization, per CISA, is believed to have been breached as early as February 2022 by weaponizing the vulnerability to add a new exclusion rule to Windows Defender that allowlisted the entire C:\ drive.

Doing so made it possible for the adversary to download a PowerShell script without triggering any antivirus scans, which, in turn, retrieved the XMRig cryptocurrency mining software hosted on a remote server in the form of a ZIP archive file.

The initial access further afforded the actors to fetch more payloads such as PsExec, Mimikatz, and Ngrok, in addition to using RDP for lateral movement and disabling Windows Defender on the endpoints.

"The threat actors also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated," CISA noted.

Also detected was an unsuccessful attempt at dumping the Local Security Authority Subsystem Service (LSASS) process using the Windows Task Manager, which was blocked by the antivirus solution deployed in the IT environment.

Microsoft, in a report last month, revealed that cybercriminals are targeting credentials in the LSASS process owing to the fact that it "can store not only a current user's OS credentials but also a domain admin's."

"Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, then use legitimate tools such as PsExec or Windows Management Instrumentation (WMI) to move laterally across the network," the tech giant said.

Source

The threat actor, dubbed Fangxiao by Cyjax, is said to have registered over 42,000 imposter domains, with initial activity observed in 2017.

"It targets businesses in multiple verticals including retail, banking, travel, and energy," researchers Emily Dennison and Alana Witten said. "Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp."

Users clicking on a link sent through the messaging app are directed to an actor-controlled site, which, in turn, sends them to a landing domain impersonating a well-known brand, from where the victims are once again taken to sites distributing fraudulent apps and bogus rewards.

These sites prompt the visitors to complete a survey to claim cash prizes, in exchange for which they are asked to forward the message to five groups or 20 friends. The final redirect, however, hinges on the IP address of the victim and the browser's User-Agent string.

More than 400 organizations, including Emirates, Shopee, Unilever, Indomie, Coca-Cola, McDonald's, and Knorr, are being imitated as part of the criminal scheme, the researchers said.

Alternatively, attacks wherein scammy mobile ads are clicked from an Android device have been observed to culminate in the deployment of a mobile trojan called Triada, which was recently spotted propagating via fake WhatsApp apps.

It's not just Triada, as another destination of the campaign is the Google Play Store listing of an app called "App Booster Lite - RAM Booster" (com.app.booster.lite.phonecleaner.batterysaver.cleanmaster), which has over 10 million downloads.

The app, made by a Czechia-based developer known as LocoMind, is described as a "Powerful Phone Booster," "Smart Junk Cleaner," and an "Effective Battery Saver."

Reviews for the app have called out the publisher for showing too many ads, and even point out that they "Arrived here [the Play Store page] from one of those 'your android is damaged x%' ads."

"Our app can't spread viruses," LocoMind responded to the review on October 31, 2022. "Each of our updates is checked by Google Play – they would have removed our app long ago for this reason."

Should the same action be performed from a device running iOS, the victim is redirected to Amazon via an affiliate link, netting the actor a commission for every purchase on the e-commerce platform made during the next 24 hours.

The threat actor's China connections stem from the presence of Mandarin text in a web service associated with aaPanel, a Python-based open source control panel for hosting multiple websites.

Further analysis of the TLS certificates issued to the survey domains in 2021 and 2022 reveals that a bulk of the registrations overlap with the UTC+08:00 time zone, which corresponds to China Standard Time from 9:00 a.m. to 11:00 p.m.

"The operators are experienced in running these kinds of imposter campaigns, willing to be dynamic to achieve their objectives, and technically and logistically capable of scaling to expand their business," the researchers said.

"The Fangxiao campaigns are effective lead generation methods which have been redirected to various domains, from malware, to referral links, to ads and adware."

Source

DLL hijacking is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are loaded in Windows.

When a Windows executable is launched, it will search for any DLL dependencies in the Windows search path. However, if a threat actor creates a malicious DLL using the same name as one of the program's required DLLs and stores it in the same folder as the executable, the program would load that malicious DLL instead and infect the computer.

QBot, also known as Qakbot, is a Windows malware that started as a banking trojan but evolved into a full-featured malware dropper. Ransomware gangs, including Black Basta, Egregor, and Prolock, also use the malware to gain initial access to corporate networks.

In July, security researcher ProxyLife discovered that threat actors were exploiting a DLL hijacking vulnerability in the Windows 7 Calculator to install the QBot malware.

This week, ProxyLife told BleepingComputer that attackers have switched to using a DLL hijacking flaw in the Windows 10 Control Panel executable, control.exe.

In a phishing campaign seen by ProxyLife, the threat actors use stolen reply-chain emails to distribute an HTML file attachment that downloads a password-protected ZIP archive with an ISO file inside.

QBot phishing email in new campaign - Source: BleepingComputer

 

The HTML file, named similar to 'RNP_[number]_[number].html, displays an image pretending to be Google Drive and a password for a ZIP archive that is downloaded automatically, as shown below.

HTML attachment on QBot spam emails - Source: BleepingComputer

 

This ZIP archive contains an ISO disk image that, when double-clicked, will automatically open in a new drive letter in Windows 10 and later.

This ISO file contains a Windows Shortcut (.LNK) file, a ‘control.exe’ (Windows 10 Control Panel) executable, and two DLL files named edputil.dll (used for DLL hijack) and msoffice32.dll (QBot malware).

Contents of the ISO image - Source: BleepingComputer

 

The Windows shortcut (.LNK) included in the ISO uses an icon that tries to make it look like a folder.

However, when a user attempts to open this fake folder, the shortcut launches the Windows 10 Control Panel executable, control.exe, which is stored in the ISO file, as shown below.

Windows shortcut that triggers the QBot infection - Source: BleepingComputer

 

When control.exe is launched, it will automatically attempt to load the legitimate edputil.dll DLL, which is located in the C:\Windows\System32 folder. However, it does not check for the DLL in specific folders and will load any DLL with the same name if placed in the same folder as the control.exe executable.

As the threat actors are bundling a malicious edputil.dll DLL in the same folder as control.exe, that malicious DLL will be loaded instead.

Once loaded, the malicious edputil.dll DLL infects the device with the QBot malware (msoffice32.dll) using the regsvr32.exe msoffice32.dll command.

By installing QBot through a trusted program like the Windows 10 Control Panel, security software may not flag the malware as malicious, allowing it to evade detection.

QBot will now quietly run in the background, stealing emails for use in phishing attacks and downloading additional payloads such as Brute Ratel or Cobalt Strike.

Brute Ratel and Cobalt Strike are post-exploitation toolkits that threat actors use to gain remote access to corporate networks.

This remote access commonly leads to corporate data theft and ransomware attacks.

Source

The malware was discovered by Fortinet researchers last August when it used SSH brute-forcing to spread on Linux servers.

By tracing its activities, the researchers found that RapperBot has been operational since May 2021, but its exact goals were hard to decipher.

RapperBot campaigns timeline (Fortinet)

 

The recent variant uses a Telnet self-propagation mechanism instead, which is closer to the approach of the original Mirai malware.

Also, the motivation of the current campaign is more apparent, as the DoS commands in the latest variant are tailored for attacks against servers hosting online games.

Lifting the lid on RapperBot

Fortinet analysts could sample the new variant using C2 communication artifacts collected in the previous campaigns, indicating that this aspect of the botnet's operation has not changed.

The analysts noticed the new variant featured several differences, including support for Telnet brute-forcing, using the following commands:

• Register (used by the client)
• Keep-Alive/Do nothing
• Stop all DoS attacks and terminate the client
• Perform a DoS attack
• Stop all DoS attacks
• Restart Telnet brute forcing
• Stop Telnet brute forcing

The malware tries to brute force devices using common weak credentials from a hardcoded list, whereas previously, it fetched a list from the C2.

"To optimize brute forcing efforts, the malware compares the server prompt upon connection to a hardcoded list of strings to identify the possible device and then only tries the known credentials for that device," explains Fortinet.

"Unlike less sophisticated IoT malware, this allows the malware to avoid trying to test a full list of credentials."

After successfully finding credentials, it reports it to the C2 via port 5123 and then attempts to fetch and install the correct version of the primary payload binary for the detected device architecture.

Currently supported architectures are ARM, MIPS, PowerPC, SH4, and SPARC.

Downloading the ARM payload using wget (Fortinet)

 

The DoS capabilities in RapperBot's older variant were so limited and generic that the researchers hypothesized its operators might be more interested in the initial access business.

However, in the latest variant, the true nature of the malware has become apparent with the addition of an extensive set of DoS attack commands like:

• Generic UDP flood
• TCP SYN flood
• TCP ACK flood
• TCP STOMP flood
• UDP SA:MP flood targeting game servers running GTA San Andreas: Multi Player (SA:MP)
• GRE Ethernet flood
• GRE IP flood
• Generic TCP flood

Based on the HTTP DoS methods, the malware appears to be specialized in launching attacks against game servers.

"This campaign adds DoS attacks against the GRE protocol and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod," reads Fortinet's report.

Likely the same operators

Fortinet believes all detected RapperBot campaigns are orchestrated by the same operators, as newer variants indicate access to the malware's source code.

Moreover, the C2 communication protocol remains unchanged, the list of credentials used for brute forcing attempts has been the same since August 2021, and there have been no signs of campaign overlaps at this time.

To protect your IoT devices from botnet infections, keep the firmware up to date, change default credentials with a strong and unique password, and place them behind a firewall if possible.

The defendants were arrested on November 3, 2022, in Argentina by the country's authorities at the request of U.S. law enforcement.

A day later, Z-Library's clearnet domains (z-lib.org, b-ok.org, and 3lib.net) were seized by the Department of Justice and the FBI, although the fate of the operators was unknown to the public at that time.

Z-Library was one of the world's largest public and free-to-access written content repositories, containing 11 million books and 84 million articles in a massive 220 TB database.

Of the two defendants, Napolsky is burdened by evidence, based on records obtained from Google and Amazon, that he was in control of Z-Library.

"The defendants are alleged to have operated a website for over a decade whose central purpose was providing stolen intellectual property, in violation of copyright laws," said FBI Assistant Director-in-Charge Driscoll.

Z-Library started as a volunteer-run project with no commercial direction. However, at some point, it started offering paid memberships in exchange for premium features.

This means that the platform had financial income from its operation, generated at the expense of work authors and publishers.

Moreover, according to the unsealed court documents, Napolsky used the online advertising platform 'Google Ads' to promote Z-Library to internet users, actively trying to draw more audience for the pirate platform.

The defendants profited illegally off work they stole, often uploading works within mere hours of publication, and in the process victimized authors, publishers, and booksellers. — U.S. Attorney Breon Peace

Z-Library was on the receiving end of multiple geo-blocking orders because of disregarding copyright ownership, distribution, and intellectual property rights.

However, those regional blocks could be bypassed by using specific tools like VPNs or accessing the platform via one of the multiple alternative domains it operated.

As the U.S. DOJ announcement explains, investigators found that Z-Library operated a complex network of 249 interrelated domains, all of which are now seized by the authorities.

Interestingly, Z-Library's Tor site remains available at the time of writing, indicating how challenging it is to track hosting providers and servers keeping onion sites online.

Currently, the two defendants are presumed innocent until the trial, a date for which has not been determined in the U.S. DoJ announcement.

The company warned customers on the Windows message center to upgrade to .NET 6 (LTS) or .NET 7 "as soon as possible" before .NET Core 3.1 (LTS) reaches EOS on December 13, 2022.

As Dominique Whittaker, the Senior Program Manager responsible for .NET Core and .NET Native releases, warned this July, Microsoft will stop providing technical support or servicing updates after EOS.

"We recommend moving to .NET 6 as soon as possible. If you are still using .NET Core 3.1 after the end of support date, you’ll need to update your app to .NET 6 or .NET 7 to remain supported and continue to receive .NET updates," Whittaker said.

While .NET Core 3.1 apps will still run after the EOS is reached in less than a month, they will be exposed to attacks targeting any of the security vulnerabilities patched in .NET Core 6 since its initial release in November 2021.

Whittaker also shared detailed steps on how software vendors and developers can upgrade to .NET 6 (LTS) and how to update their development environment.

"If you’re migrating an app to .NET 6, some breaking changes might affect you. We recommend you to go through the compatibility check," the Microsoft PM added.

.NET release schedule (Microsoft)

 

Those who want to migrate to the latest available release can upgrade to .NET 7, which was released earlier this month on November 8th and will be supported for 18 months.

".NET 7 brings your apps increased performance and new features for C# 11/F# 7, .NET MAUI, ASP.NET Core/Blazor, Web APIs, WinForms, WPF and more," the .NET team said.

"With .NET 7, you can also easily containerize your .NET 7 projects, set up CI/CD workflows in GitHub actions, and achieve cloud-native observability."

In April, Microsoft also warned developers to migrate their apps away from .NET Framework 4.5.2, 4.6, and 4.6.1 to at least .NET Framework 4.6.2 or later before they reached their EOS on April 26, to continue receiving security updates and technical support.

These three .NET Framework versions were retired after the switch to SHA-2 signing because they were digitally signed with certificates using the legacy and insecure SHA-1 cryptographic hashing algorithm.

However, anti-malware assessment firm AV-TEST found that the performance of Microsoft Defender was pretty mediocre in its latest August 2022 report. This was the first such test conducted on Windows 11 and Defender came in last place as it scored just 16 points. Thankfully for Microsoft, it was not alone here, as PC Matic also got the same score.

You can view the full breakdown of the scores as well as the product certification they received in the images below:

The results are certainly a little surprising since Defender generally did really well on Windows 10. In fact, it often came in first place with the full 18 points. Over on Windows 11 however, it received 5.5 out of 6 in "protection" and 4.5 in "performance". Only in the "usability" category did it manage to get the full 6 out of 6 points. As such, it got the AV-TEST Certified rating whereas previously on Windows 10, it generally received Top Product certification.

According to AV-TEST, Defender saw the biggest impact when copying files, both locally and in a network environment. This is why it scored so low in the performance section of the test, and it is not the first time for Microsoft Defender either, as AV-Comparatives too had discovered similar issues before.

Source: AV-TEST

After all the Windows 11 security touting, Microsoft Defender comes last in AV-TEST's result

The Swiss Federal Office of Justice (FOJ) said Penchukov was arrested last month and is waiting to be extradited to the United States, although he can still appeal FOJ's decision.

"By order of the Federal Office of Justice (FOJ) and based on an extradition request from the USA, a Ukrainian national was arrested in the Canton of Geneva on 23 October 2022 and detained pending extradition," Swiss prosecutors told BleepingComputer.

"The US authorities accuse the prosecuted person of extortion, bank fraud, and identity theft, among other things. During the hearing on 24 October 2022, the person did not consent to his extradition to the USA via a simplified proceeding.

"After completion of the formal extradition procedure, the FOJ has decided to grant his extradition to the USA on 15 November 2022. The decision of the FOJ may be appealed at the Swiss Criminal Federal Court, respectively at the Swiss Supreme Court."

Cybersecurity journalist Brian Krebs first reported that Penchukov was arrested while traveling to Geneva to meet with his wife.

From stealing bank accounts to ransomware

The U.S. Department of Justice first charged Penchukov in 2012, accusing him of being involved in a conspiracy to steal millions of dollars using bank account numbers, passwords, personal identification numbers, and other sensitive info stolen using the notorious Zeus malware.

Multiple sources previously told BleepingComputer that Penchukov was also one of the managers of the Maze and Egregor ransomware operations.

Maze ransomware popularized double-extortion attacks, where the threat actors also stole data and used it as further leverage to pressure victims into paying a ransom. Maze later rebranded to the Egregor and Sekhmet operations to evade law enforcement. 

BleepingComputer was also told that he was among the suspects arrested in January 2021 by Ukrainian police following an international law enforcement operation targeting Egregor ransomware gang members.

However, according to Krebs' report, he was able to evade prosecution with the help of his political connections, including the late son of former Ukrainian President Viktor Yanukovych.

As one of JabberZeus cybercrime ring's leaders, Penchukov managed the stolen banking credentials and the money mules who wired money from the victims' accounts into those controlled by the cybercriminals.

Together with eight other suspects, he was charged with conspiring to participate in "racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud."

Two of his co-conspirators, Ukrainian nationals Yevhen Kulibaba and Yuriy Konovalenko, pleaded guilty in November 2014 after being extradited from the UK and were sentenced to two years and ten months of incarceration in May 2015.

Source

"In fact, it turns out that this campaign is less like RapperBot than an older campaign that appeared in February and then mysteriously disappeared in the middle of April," Fortinet FortiGuard Labs researchers Joie Salvio and Roy Tay said in a Tuesday report.

RapperBot, which was first documented by the network security firm in August 2022, is known to exclusively brute-force SSH servers configured to accept password authentication.

The nascent malware is heavily inspired by the Mirai botnet, whose source code leaked in October 2016, leading to the rise of several variants.

What's notable about the updated version of RapperBot is its ability to perform Telnet brute-force, in addition to supporting DoS attacks using the Generic Routing Encapsulation (GRE) tunneling protocol as well as UDP floods targeting game servers running Grand Theft Auto: San Andreas.

"The Telnet brute-forcing code is designed primarily for self-propagation and resembles the old Mirai Satori botnet," the researchers said.

This list of hard-coded plaintext credentials, which are default credentials associated with IoT devices, are embedded into the binary as opposed to retrieving it from a command-and-control (C2) server, a behavior that was observed in artifacts detected after July 2022.

A successful break-in is followed by reporting the credentials used back to the C2 server and installing the RapperBot payload on the hacked device.

Fortinet said the malware is designed to only target appliances that run on ARM, MIPS, PowerPC, SH4, and SPARC architectures, and halt its self-propagation mechanism should they be running on Intel chipsets.

What's more, the October 2022 campaign has been found to share overlaps with other operations involving the malware as far back as May 2021, with the Telnet spreader module making its first appearance in August 2021, only to be removed in later samples and reintroduced last month.

"Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with access to a privately-shared base source code," the researchers concluded.

Source

"Leaking PII in this manner provides a potential treasure trove for threat actors – either during the reconnaissance phase of the cyber kill chain or extortionware/ransomware campaigns," researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik said in a report shared with The Hacker News.

This includes names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company logins.

Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server.

The root cause of the leaks stems from a feature called public RDS snapshots, which allows for creating a backup of the entire database environment running in the cloud and can be accessed by all AWS accounts.

"Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot," Amazon cautions in its documentation. "When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it."

The Israeli company, which carried out the research from September 21, 2022, to October 20, 2022, said it found 810 snapshots that were publicly shared for varying duration, starting from a few hours to weeks, making them ripe for abuse by malicious actors.

Of the 810 snapshots, over 250 of the backups were exposed for 30 days, suggesting that they were likely forgotten.

Based on the nature of the information exposed, adversaries could either steal the data for financial gain or leverage it to get a better grasp of a company's IT environment, which could then act as a stepping stone for covert intelligence gathering efforts.

It's highly recommended that RDS snapshots are not publicly accessible in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. It's also advised to encrypt snapshots where applicable.

Source

DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more.

Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device.

The new malware version doesn't feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.

A wider distribution

As Kaspersky explains in a report published today, their telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.

The targeted sectors include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education.

In the new campaign, Kaspersky has seen DTrack distributed using filenames commonly associated with legitimate executables.

For example, one sample they shared is distributed under the 'NvContainer.exe' file name, which is the same name as a legitimate NVIDIA file.

Kaspersky told BleepingComputer that DTrack continues to be installed by breaching networks using stolen credentials or exploiting Internet-exposed servers, as seen in previous campaigns.

When launched, the malware goes through multiple decryption steps before its final payload is loaded via process hollowing into an "explorer.exe" process, running directly from memory.

Chunk decryption routine (Kaspersky)

 

The only differences to past DTrack variants are it now uses API hashing to load libraries and functions instead of obfuscated strings, and that the number of C2 servers has been cut by half to just three.

Some of the C2 servers uncovered by Kaspersky are “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com”, and “salmonrabbit[.]com.”

DTrack attribution

Kaspersky attributes this activity to the North Korean Lazarus hacking group and claims the threat actors use DTrack whenever they see the potential for financial gains.

In August 2022, the same researchers linked the backdoor to the North Korean hacking group tracked as 'Andariel,' which deployed Maui ransomware in corporate networks in the U.S. and South Korea.

In February 2020, Dragos linked DTrack to a North Korean threat group, 'Wassonite,' which attacked nuclear energy and oil and gas facilities.

Source

The DuckDuckGo for Android app is a privacy-focused web browser, search engine, and data protection utility, downloaded over 10 million times from Google Play. It includes numerous privacy features, including search term anonymity, hidden tracker blocking, email tracker protection, auto-HTTPS, and one-tap browsing history clearing.

The 'App Tracking Protection' aims to increase privacy throughout the entire operating system by blocking third-party tracking scripts in other Android apps installed on the device.

"It's a free feature in the DuckDuckGo Android app that helps block 3rd-party trackers in the apps on your phone (like Google snooping in your weather app) – meaning more comprehensive privacy and less creepy targeting," announced DuckDuckGo today.

Compared to the previous close beta version of the feature, the new version of App Tracking Protection lets Android users see exactly what trackers are blocked and what type of data they are targeting.

The feature is somewhat similar to Apple's 'App Tracking Transparency,' but unlike the Apple feature, DuckDuckGo's system does not depend on the app developers' compliance with user choice.

Blocking all known trackers

DuckDuckGo says Android users have an average of 35 apps installed on their devices, generating between a thousand and 2,000 tracking attempts daily for over 70 tracking companies.

The App Tracking Protection promises to block all these attempts in the background while the users regularly browse the web, play games, or check the weather on their devices.

This blocking also happens without causing a noticeable impact on device performance, something that was improved on the latest version of the app (v5.143.1).

The blocking is based on a constantly updated and growing list of known trackers and is independent of the user's choice in the associated tracking request dialogs usually served within apps.

To activate the new feature, the user has to open the DuckDuckGo app on Android, navigate to Settings → More from DuckDuckGo, and then enable App Tracking Protection, as shown below.

Activating App Tracking Protection - Source: DuckDuckGo

 

The feature works by configuring the DuckDuckGo for Android app as a VPN on the device, which allows the app to filter traffic from other apps and block trackers.

However, unlike a traditional VPN, this does not provide anonymity while browsing the web or connecting to remote devices and is only used locally.

“App Tracking Protection uses a local “VPN connection,” which means that it works its magic right on your smartphone and without sending app data to DuckDuckGo or other remote servers,” explains DuckDuckGo.

Therefore, to enable the feature, DuckDuckGo will request the user allow the VPN connection to be created, which is required for the blocker to function as expected.

From then on, the app will regularly update the user with automatically generated summaries of blocked app trackers to give them an idea of what is happening behind the scenes.

Summary of blocked trackers (DuckDuckGo)

 

Those who want to evaluate how threatening each app is to their privacy can use App Tracking Protection’s real-time view to see what trackers are loaded and blocked.

Blocked trackers on specific apps - (DuckDuckGo)

 

App Tracking Protection is a powerful tool, but users should keep in mind that the feature is still in the beta stage of development.

Therefore, it may cause sites or apps not to function correctly, for some trackers to remain undetected, or lead to performance issues. If you run into any of these issues, you can disable the feature.

Website security firm Sansec warned that almost 40% of Magento 2 websites are being targeted by the attacks, with hacking groups fighting each other over control of an infected site.

These attacks are being used to inject malicious JavaScript code into an online store's website that can cause significant business disruption and massive customer credit card theft during a busy Black Friday and Cyber Monday period.

The trend is expected to continue as we head towards Christmas when online shops are at their most critical and simultaneously most vulnerable time.

Diagram of detected 'TrojanOrders' attacks - Source: Sansec

 

The TrojanOrders attack

 

TrojanOrders is the name of an attack that exploits the critical Magento 2 CVE-2022-24086 vulnerability, allowing unauthenticated attackers to execute code and inject RATs (remote access trojans) on unpatched websites.

Adobe fixed CVE-2022-24086 in February 2022, but Sansec says many Magento sites still need to be patched.

"Sansec estimates that at least a third of all Magento and Adobe Commerce stores have not been patched so far," explains a new report by eCommerce cybersecurity firm SanSec.

When conducting TrojanOrders attacks, hackers typically create an account on the target website and place an order that contains malicious template code in the name, VAT, or other fields.

The appearance of a malicious order on the backend - Source: Sansec

 

For example, the above attack will inject a copy of the 'health_check.php' file on the site, containing a PHP backdoor that can run commands sent via POST requests.

After gaining a foothold on the website, the attackers install a remote access trojan to establish permanent access and the ability to perform more intricate actions.

In many cases observed by Sansec, the attackers scanned for the presence of 'health_check.php' upon compromise to determine if another hacker had already infected the site, and if so, replace the file with their own backdoor.

The attackers ultimately modify the site to include malicious JavaScript that steals customers' information and credit card numbers when purchasing products in the store.

Why is there a surge after so long?

Sansec's analysts believe that there are multiple reasons we are seeing a surge in attacks targeting this vulnerability.

First, a large number of Magento 2 sites remain vulnerable to these attacks, even ten months after the patches became available.

Second, PoC (proof of concept) exploits have been available for a long time, allowing exploit kit authors to incorporate them into their tools and profit by selling them to low-skilled hackers.

These Magento exploits are so abundant they are sold for as low as $2,500, whereas in early 2022, they cost between $20,000 and $30,000.

Magento 2 exploit sale from September 2022 - Source: Sansec

 

Finally, the timing is ideal for these attacks, as websites are seeing increased traffic due to the holiday season, meaning malicious orders and code injections may be more likely to be overlooked.

How to protect your site (and customers)

If you have not applied the security update that addresses CVE-2022-24086, you should do so as soon as possible.

Additionally, scrutinize orders to find signs of a TrojanOrder attack, like template code in order forms or orders submitted by anonymous email accounts using Protonmail, Tutanota, etc.

Finally, use a backend malware scanner to discover potential past infections that have resulted in RAT injections on your site.

Sansec says Magento's official tool, Security Scan, only scrapes the front end, so it can't catch TrojanOrders.

For this reason, the security firm offers one month of free access to its scanner to help administrators clean their sites.

Remember, detecting and removing malware and PHP backdoors will only stop future infections if the Magento 2 patches are applied, so this is still the most crucial step to take.

Source

The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability.

After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency's network.

"In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," the joint advisory reads.

The two U.S. federal agencies added that all organizations who haven't yet patched their VMware systems against Log4Shell should assume that they've already been breached and advise them to start hunting for malicious activity within their networks.

CISA warned in June that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits.

Log4Shell can be exploited remotely to target vulnerable servers exposed to local or Internet access to move laterally across breached networks to access internal systems that store sensitive data.

Ongoing Log4Shell exploitation by state hackers

After its disclosure in December 2021, multiple threat actors almost immediately began scanning for and exploiting systems left unpatched.

The list of attackers includes state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as access brokers known for their close ties with some ransomware gangs.

CISA also advised organizations with vulnerable VMware servers to assume they were breached and initiate threat-hunting activities.

VMware also urged customers in January to secure their VMware Horizon servers against Log4Shell attack attempts as soon as possible.

Since January, Internet-exposed VMware Horizon servers have been hacked by Chinese-speaking threat actors to deploy Night Sky ransomware, the Lazarus North Korean APT to deploy information stealers, and the Iranian-aligned TunnelVision hacking group to deploy backdoors.

In today's advisory, CISA and the FBI strongly advised organizations to apply recommended mitigations and defensive measures, including:

• Updating affected VMware Horizon and unified access gateway (UAG) systems to the latest version.
• Minimizing your organization's internet-facing attack surface.
• Exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the CSA.
• Testing your organization's existing security controls against the ATT&CK techniques described in the advisory.

This is a sought-after and massively requested feature that will help protect private communications from anyone sitting between the conversation parties or even legal requests.

Twitter had attempted to prototype an E2EE system back in 2018, naming it "Secret Conversation," but it never materialized as a finished product and was later abandoned.

Recent work on bringing E2EE on Twitter DMs was spotted by mobile researcher Jane Manchun Wong, who found new additions to the source code of Twitter for Android, mentioning "encryption keys" on the platform.

"This number was generated from your encryption keys from this conversation. If it matches the number in the recipient's phone, end-to-end encryption is guaranteed," reads one of the strings in the source code.

Twitter's current owner, Elon Musk, responded to Wong's Tweets with a winking emoji, hinting the feature is indeed under development.

Why Twitter needs E2EE

End-to-end encryption ensures that messages leave the sender in encrypted form and are decrypted on the recipient end to allow reading them.

For this to work, the two parties have to use a cryptographic key pair to encrypt and decrypt the contents of their messages.

In most E2EE implementations, the sender uses the recipient’s digitally signed public key to encrypt their message, and the recipient uses their private key to decrypt it.

In Twitter's case, Wong mentions a "conversation key," so the implemented E2EE method might be "symmetric," meaning that both people in a chat use the same key for encryption and decryption.

The sender’s message is transformed into unreadable ciphertext and remains in this state while in transit, so any intermediaries, like internet service providers, network snoopers, or even Twitter itself, will not be able to read the message contents.

If Twitter introduces E2EE on DMs, users will feel more comfortable about the security and privacy of their communications under even unfortunate circumstances like platform-impacting hacks.

For example, in July 2020, Twitter admitted that hackers who breached employee accounts and accessed administration panels could read the DM inbox of 36 high-profile users, downloading the contents of seven of them.

If Twitter had E2EE at the time, all the hackers would have gotten access to would be unreadable ciphertext, lessening the impact on the compromised users.

Other messaging platforms/apps using E2EE include Signal, Threema, WhatsApp, iMessage, Viber, Element/Matrix, Tox, Keybase, XMPP, Skype, and Wire.

Source

The advice, according to a report by Digiday, was shared in a document that warns marketers of the risks of advertising on the social networking platform recently acquired by business magnate Elon Musk. The document says that the label was given due to the high volume of Twitter executives leaving or being fired, blue checkmark abuse on corporate accounts, and the potential inability for Twitter to comply with their federal consent decree.

If Twitter wants to lose the high-risk label, Twitter needs to meet the following requirements:

• A return to baseline levels of NSFW / toxic conversation on the platform
• Re-population of IT Security, Privacy, Trust & Safety senior staff
• Establishment of internal checks & balances

• Complete transparency on future development plans of community guidelines / content moderation / anything affecting user security or brand safety

• Demonstrated commitment of effective content moderation, enforcing current Twitter Rules (e.g. account impersonation, violative content removal timing, intolerance of hate speech and misinformation)

   

When Elon Musk acquired Twitter, one of the things he immediately did was revamp the Twitter Blue subscription model. According to Musk, Twitter "needs to pay the bills somehow," and they cannot rely entirely on advertisers, so he gave users the power to have a verified checkmark for $8 a month.

Later on, Twitter launched an "Official" tag to help distinguish accounts that have been verified via Twitter Blue and accounts that are verified as official. The tag was killed not even 24 hours since it launched, but was then reinstated after people exploited their verified checkmarks to pretend to be companies and politicians and post inappropriate content. Twitter then paused Twitter Blue to control the impersonations on the platform.

Source: Digiday

Buying ads on Twitter "high-risk," says world's biggest ad company

"These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin said in a report published last week, calling it a "clever black hat SEO trick."

The search engine poisoning technique is designed to promote a "handful of fake low quality Q&A sites" that share similar website-building templates and are operated by the same threat actor.

A notable aspect of the campaign is the ability of the hackers to modify over 100 files per website on average, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection.

Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.

This extensive compromise allows the malware to execute the redirects to websites of the attacker's choice. It's worth pointing out that the redirects don't occur if the wordpress_logged_in cookie is present or if the current page is wp-login.php (i.e., the login page) so as to avoid raising suspicion.

The ultimate goal of the campaign is to "drive more traffic to their fake sites" and "boost the sites' authority using fake search result clicks to make Google rank them better so that they get more real organic search traffic."

The injected code achieves this by initiating a redirect to a PNG image hosted on a domain named "ois[.]is" that, instead of loading an image, takes the website visitor to a Google search result URL of a spam Q&A domain.

It's not immediately clear how the WordPress sites are breached, and Sucuri said it did not notice any obvious plugin flaws being exploited to carry out the campaign.

That said, it's suspected to be a case of brute-forcing the WordPress administrator accounts, making it essential that users enable two-factor authentication and ensure that all software is up-to-date.

Source

Dubbed PCspooF by a group of academics and researchers from the University of Michigan, the University of Pennsylvania, and the NASA Johnson Space Center, the technique is designed to break TTE's security guarantees and induce TTE devices to lose synchronization for up to a second, a behavior that can even lead to uncontrolled maneuvers in spaceflight missions and threaten crew safety.

TTE is one among the networking technologies that's part of what's called a mixed-criticality network wherein traffic with different timing and faults tolerance requirements coexist in the same physical network. This means that both critical devices, which, say, enable vehicle control, and non-critical devices, which are used for monitoring and data collection, share the same network.

An obvious advantage to this approach is the fact that there are lesser weight and power requirements as well as lower development and time costs stemming as a result of relying on just one technology. But this also comes with drawbacks of its own.

"This mixed-criticality approach puts a lot more pressure on the design of the network to provide isolation," Andrew Loveless, the lead author of the study, told The Hacker News. "Now that critical and non-critical items may connect to the same switch, the network protocol and hardware need to do extra work to make sure the critical traffic is always guaranteed to get through successfully and on time."

Credit: European Space Agency

On top of that, while critical devices in the network are subjected to thorough vetting, the non-critical counterparts are not only commercial-off-the-shelf (COTS) devices but also lack the same rigorous process, leading to possible avenues for supply chain compromises that could be weaponized to activate the attack by integrating a rogue third-party component into the system.

This is where a mixed-criticality network helps ensure that even if the COTS device is malicious, it cannot interfere with critical traffic.

"In PCspooF, we uncovered a way for a malicious non-critical device to break this isolation guarantee in a TTE network," Baris Kasikci, an assistant professor in the electrical engineering and computer science department at the University of Michigan, told the publication.

This, in turn, is achieved by using the nefarious device to inject electromagnetic interference (EMI) into a TTE switch over an Ethernet cable, effectively tricking the switch into sending authentic-looking synchronization messages (i.e., protocol control frames or PCFs) and get them accepted by other TTE devices.

Such an "electrical noise" generation circuit can take up as little as 2.5cm × 2.5cm on a single-layer printed circuit board, requiring only minimal power and which can be concealed in a best-effort device and integrated into a TTE system without raising any red flags.

As mitigations, the study recommends using optocouplers or surge protectors to block electromagnetic interference, checking the source MAC addresses to ensure they're authentic, hiding key PCF fields, using a link-layer authentication protocol like IEEE 802.1AE, increasing the number of sync masters, and disabling dangerous state transitions.

The findings show that the use of common hardware in a system engineered to provide strict isolation assurances can sometimes defeat those very protections, the researchers pointed out, adding mixed-criticality software systems should be examined meticulously in a similar manner to ensure the isolation mechanisms are foolproof.

"The TTE protocols are very mature and well-vetted, and many of the most important parts are formally proven," Kasikci said.

"In a way that is what makes our attack interesting – that we were able to figure out how to violate some guarantees of the protocol despite its maturity. But to do that, we had to think outside the box and figure out how to make the hardware behave in a way the protocol does not expect."

Source

The successful compromise of the unnamed certificate authority is potentially serious, because these entities are trusted by browsers and operating systems to certify the identities responsible for a particular server or app. In the event the hackers obtained control of the organization’s infrastructure, they could use it to digitally sign their malware to make it more easily slip past endpoint protections. They might also be able to cryptographically impersonate trusted websites or intercept encrypted data.

While the researchers who discovered the breach found no evidence the certificate infrastructure had been compromised, they said that this campaign was only the latest by a group they call Billbug, which has a documented history of noteworthy hacks dating back to at least 2009.

“The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec researchers wrote. “Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past.”

Symantec first documented Billbug in 2018, when company researchers tracked the group under the name Thrip. The group hacked multiple targets, including a satellite communications operator, a geospatial imaging and mapping company, three different telecom operators, and a defense contractor. Of particular concern was the hack on the satellite operator because the attackers “seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites.” The researchers speculated that the hackers’ motivation may have gone beyond spying to also include disruption.

The researchers eventually traced the hacking activity to computers physically located in China. Besides Southeast Asia, targets were also located in the US.

A little more than a year later, Symantec gathered new information that allowed researchers to determine that Thrip was effectively the same as a longer-existing group known as Billbug or Lotus Blossom. In the 15 months since the first write-up, Billbug had successfully hacked 12 organizations in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. The victims included military targets, maritime communications, and media and education sectors.

Billbug used a combination of legitimate software and custom malware to burrow into its victims’ networks. Using legitimate software such as PsExec, PowerShell, Mimikatz, WinSCP, and LogMeIn allowed the hacking activities to blend in with normal operations in the compromised environments. The hackers also used the custom-built Catchamas info stealer and backdoors dubbed Hannotog and Sagerunex.

In the more recent campaign targeting the certificate authority and the other organizations, Billbug was back with Hannotog and Sagerunex, but it also used a host of new, legitimate software, including AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, and Port Scanner.

Tuesday’s post includes a host of technical details people can use to determine if they’ve been targeted by Billbug. Symantec is the security arm of Broadcom Software.

Source