The malware is attributed with high confidence to the SparklingGoblin threat group, also tracked as Earth Baku, which is believed to be connected to the APT41 cyberespionage group.

Targeting academic sector

The SideWalk Linux backdoor has been observed in the past, initially being tracked as StageClient by security researchers at cybersecurity company ESET.

An early variant of the malware was spotted by researchers at 360 Netlab, the threat intelligence team at Chinese internet security company Qihoo 360, and detailed two years ago in a blog post about the Specter botnet hitting IP cameras.

After analyzing Specter and StageClient, ESET researchers determined that both malware pieces have the same root and are Linux variants of SideWalk.

In 2021, researchers at Trend Micro documented new tools from a cyberespionage campaign attributed to APT41/Earth Baku, including the SideWalk backdoor, which they track as ScrambleCross.

ESET notes in a report today that while SideWalk Linux has been used against multiple targets in the past, their telemetry data shows that the variant they discovered was deployed against only one victim in February 2021, a university in Hong Kong.

“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations” - ESET

SideWalk for Windows ready for Linux

Looking at the SideWalk variants for Linux and Windows, ESET noticed “striking” similarities in the way they function, the implementation of multiple components, and the payloads dropped on the compromised system.

The researchers say that both variants implemented the ChaCha20 encryption algorithm to “use a counter with an initial value of 0x0B,” something that is particular to SideWalk.

On both Windows and Linux, the malware uses the same five threads, executed simultaneously, for specific tasks:

•  [StageClient::ThreadNetworkReverse] - fetching proxy configurations for alternate connections to the command and control (C2) server

•  [StageClient::ThreadHeartDetect] - close connection to C2 server when commands are not received in the specified time

•  [StageClient::ThreadPollingDriven] - send heartbeat commands to C2 server if there is no info to deliver

•  [StageClient::ThreadBizMsgSend] - check for data to be sent in message queues for all other threads and process it

•  [StageClient::ThreadBizMsgHandler] - check for pending messages from the C2 server

ESET researchers also found that both Linux and Windows variants for SideWalk had the same payload delivered through the dead-drop resolver string hosted in a Google Docs file.

SparkGoblin focused on the same target in the past, compromising the same university in May 2020, during the students’ protests.

String hosted in Google Docs for SideWalk to fetch payload
source: ESET

Another piece of evidence connecting the two SideWalk variants to the same threat actor was that they both used the same encryption key to transport data from the infected machine to the C2 server.

SparklingGoblin has the capabilities to develop malware adapted to its needs, as evidenced by the SideWalk Linux variant. However, the group also has access to implants observed in operations attributed to other Chinese hacking groups.

ESET researchers say that SparklingGoblin has access to the ShadowPad backdoor and Winnti malware.

Source

Install creat a cmd file with:

@echo off
%windir%\system32\reg.exe query "HKU\S-1-5-19" >nul 2>&1 || (
echo /!\ Run as administrator /!\
echo.
echo Press any key to continue ...
pause >nul
exit
)
pushd %~dp0
FWUpdLcl64 -FORCERESET -ALLOWSV -F xxxx.bin
pause

Dubbed Shikitega by the AT&T Alien Labs researchers who discovered it, the malware is delivered through a multistage infection chain using polymorphic encoding. It also abuses legitimate cloud services to host command-and-control servers. These things make detection extremely difficult.

"Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection," AT&T Alien Labs researcher Ofer Caspi wrote. "Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers."

The ultimate objective of the malware isn't clear. It drops the XMRig software for mining the Monero cryptocurrency, so stealthy cryptojacking is one possibility. But Shikitega also downloads and executes a powerful Metasploit package known as Mettle, which bundles capabilities including webcam control, credential stealing, and multiple reverse shells into a package that runs on everything from "the smallest embedded Linux targets to big iron." Mettle's inclusion leaves open the potential that surreptitious Monero mining isn't the sole function.

The main dropper is tiny—an executable file of just 376 bytes.

The polymorphic encoding happens courtesy of the Shikata Ga Nai encoder, a Metasploit module that makes it easy to encode the shellcode delivered in Shikitega payloads. The encoding is combined with a multistage infection chain, in which each link responds to a part of the previous one to download and execute the next one.

"Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed," Caspi explained. "The encoder stud is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are selected dynamically."

A command server will respond with additional shell commands for the targeted machine to execute, as Caspi documented in the packet capture shown below. The bytes marked in blue are the shell commands that the Shikitega will execute.

The commands and additional files, such as the Mettle package, are automatically executed in memory without being saved to disk. This adds further stealth by making detection through antivirus protection difficult.

To maximize its control over the compromised device, Shikitega exploits two critical escalation of privileges vulnerabilities that give full root access. One bug, tracked as CVE-2021-4034 and colloquially known as PwnKit, lurked in the Linux kernel for 12 years until it was discovered early this year. The other vulnerability is tracked as CVE-2021-3493 and came to light in April 2021. While both vulnerabilities have received patches, the fixes may not be widely installed, particularly on IoT devices.

The post provides file hashes and domains associated with Shikitega that interested parties can use as indicators of a compromise. Given the work the unknown threat actors responsible devoted to the malware's stealth, it wouldn't be surprising if the malware is lurking undetected on some systems.

Source: Ars Technica

https://arstechnica.com/information-technology/2022/09/new-linux-malware-combines-unusual-stealth-with-a-full-suite-of-capabilities/

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryptor+key.

For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.

Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.

"What the cool kids use."

SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.

"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.

Agenda ransomware offers intermittent encryption as an optional and configurable setting. The three possible partial encryption modes are:

• skip-step [skip: N, step: Y] - Encrypt every Y MB of the file, skipping N MB.
• fast [f: N] - Encrypt the first N MB of the file.
• percent [n: N; p:P] - Encrypt every N MB of the file, skipping P MB, where P equals P% of the total file size.

BlackCat's implementation of intermittent encryption also gives operators configuration choices in the form of various byte-skipping patterns.

For example, the malware can encrypt only the first bytes of a file, follow a dot pattern, a percentage of file blocks, and also has an "auto" mode that combines multiple modes for a more tangled result.

The recent emergence of the PLAY ransomware via a high-profile attack against Argentina's Judiciary of Córdoba was also backed by the rapidness of intermittent encryption.

PLAY doesn't give configuration options, but instead, it just breaks the file into 2, 3, or 5 chunks, depending on the file size, and then encrypts every other chunk.

Finally, Black Basta, one of the biggest names in the space at the moment, also doesn't give operators the option to pick among modes, as its strain decides what to do based on the file size.

For small files below 704 bytes in size, it encrypts all content. For files between 704 bytes and 4 KB, it encrypts 64 bytes and skips 192 bytes in between.

If the file size exceeds 4 KB, Black Basta's ransomware reduces the space size of untouched intervals to 128 bytes, while the size of the encrypted portion remains 64 bytes.

Intermittent encryption outlook

Intermittent encryption seems to have significant advantages and virtually no downsides, so security analysts expect more ransomware gangs to adopt this approach shortly.

LockBit's strain is already the quickest out there in terms of encryption speeds, so if the gang adopted the partial encryption technique, the duration of its strikes would be reduced to a couple of minutes.

Of course, encryption is a complex matter, and the implementation of intermittent encryption must be done correctly to ensure that it won't result in easy data recoveries by the victims.

Right now, BlackCat's implementation is the most sophisticated, while that of Qyick remains unknown since malware analysts have not yet analyzed samples of the new RaaS.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

The new attack scenario, shared exclusively with BleepingComputer, illustrates how attackers can string together numerous Microsoft Teams vulnerabilities and flaws to abuse legitimate Microsoft infrastructure to deliver malicious files, commands,

and perform exfiltrating data via GIFs. 

As the data exfiltration is done through Microsoft's own servers, the traffic will be harder to detect by security software that sees it as legitimate Microsoft Team's traffic.

Overall, the attack technique utilizes a variety of Microsoft Teams flaws and vulnerabilities:

• Bypassing Microsoft Teams security controls allows external users to send attachments to Microsoft Teams users.
• Modify sent attachments to have users download files from an external URL rather than the generated SharePoint link.
• Spoof Microsoft teams attachments to appear as harmless files but download a malicious executable or document.
• Insecure URI schemes to allow SMB NTLM hash theft or NTLM Relay attacks.
• Microsoft supports sending HTML base64 encoded GIFs, but does not scan the byte content of those GIFs. This allows malicious commands to be delivered within a normal-looking GIF.
• Microsoft stores Teams messages in a parsable log file, located locally on the victim’s machine, and accessible by a low-privileged user.
• Microsoft servers retrieve GIFs from remote servers, allowing data exfiltration via GIF filenames.

GIFShell - a reverse shell via GIFs

The new attack chain was discovered by cybersecurity consultant and pentester Bobby Rauch, who found numerous vulnerabilities, or flaws, in Microsoft Teams that can be chained together for command execution, data exfiltration, security control bypasses, and phishing attacks.

The main component of this attack is called 'GIFShell,' which allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft's own infrastructure.

To create this reverse shell, the attacker must first convince a user to install a malicious stager that executes commands, and uploads command output via a GIF url to a Microsoft Teams web hook.  However, as we know, phishing attacks work well in infecting devices, Rauch came up with a novel phishing attack in Microsoft Teams to aid in this, which we describe in the next section.

GIFShell works by tricking a user into loading a malware executable called the "stager" on their device that will continuously scan the Microsoft Teams logs located at $HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log.

All received messages are saved to these logs and are readable by all Windows user groups, meaning any malware on the device can access them.

Once the stager is in place, a threat actor would create their own Microsoft Teams tenant and contact other Microsoft Teams users outside of their organization. Attackers can easily achieve this as Microsoft allows external communication by default in Microsoft Teams.

To initiate the attack, the threat actor can use Rauch's GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on a target's machine.

When the target receives the message, the message and the GIF will be stored in Microsoft Team’s logs, which the malicious stager monitors.

When the stager detects a message with a GIF, it will extract the base64 encoded commands and execute them on the device. The GIFShell PoC will then take the output of the executed command and convert it to base64 text.

This base64 text is used as the filename for a remote GIF embedded in a Microsoft Teams Survey Card that the stager submits to the attacker's public Microsoft Teams webhook.

As Microsoft Teams renders flash cards for the user, Microsoft's servers will connect back to the attacker's server URL to retrieve the GIF, which is named using the base64 encoded output of the executed command.

The GIFShell server running on the attacker's server will receive this request and automatically decode the filename allowing the attackers to see the output of the command run on the victim's device, as shown below.

For example, a retrieved GIF file named 'dGhlIHVzZXIgaXM6IA0KYm9iYnlyYXVjaDYyNzRcYm9iYnlyYXVJa0K.gif' would decode to the output from the 'whoami' command executed on the infected device:

the user is: 
bobbyrauch6274\bobbyrauIkBáë

The threat actors can continue using the GIFShell server to send more GIFs, with further embedded commands to execute, and continue to receive the output when Microsoft attempts to retrieve the GIFs.

As these requests are made by the Microsoft website, urlp.asm.skype.com, used for regular Microsoft Teams communication, the traffic will be seen as legitimate and not detected by security software.

This allows the GIFShell attack to covertly exfiltrate data by mixing the output of their commands with legitimate Microsoft Teams network communication.

Even worse, as Microsoft Teams runs as a background process, it does not even need to be opened by the user to receive the attacker's commands to execute.

The Microsoft Teams logs folder have also been found accessed by other programs, including business monitoring software, such as Veriato, and potentially malware.

Microsoft acknowledged the research but said it would not be fixed as no security boundaries were bypassed.

"For this case, 72412, while this is great research and the engineering team will endeavor to improve these areas over time, these all are post exploitation and rely on a target already being compromised," Microsoft told Rauch in an email shared with BleepingComputer.

"No security boundary appears to be bypassed.  The product team will review the issue for potential future design changes, but this would not be tracked by the security team."

Abusing Microsoft teams for phishing attacks

As we previously said, the GIFShell attack requires the installation of an executable that executes commands received within the GIFs.

To aid in this, Rauch discovered Microsoft Teams flaws that allowed him to send malicious files to Teams users but spoof them to look as harmless images in phishing attacks.

"This research demonstrates how it is possible to send highly convincing phishing attachments to victims through Microsoft Teams, without any way for a user to pre-screen whether the linked attachment is malicious or not," explains Rauch in his writeup on the phishing method.

As we previously said in our discussion about GIFShell, Microsoft Teams allows Microsoft Teams users to message users in other Tenants by default. 

However, to prevent attackers from using Microsoft Teams in malware phishing attacks, Microsoft does not allow external users to send attachments to members of another tenant.

While playing with attachments in Microsoft Teams, Rauch discovered that when someone sends a file to another user in the same tenant, Microsoft generates a Sharepoint link that is embedded in a JSON POST request to the Teams endpoint.

This JSON message, though, can then be modified to include any download link an attacker wants, even external links. Even worse, when the JSON is sent to a user via Teams' conversation endpoint, it can also be used to send attachments as an external user, bypassing Microsoft Teams' security restrictions.

For example, the JSON below has been modified to show a file name of Christmas_Party_Photo.jpeg but actually delivers a remote Christmas_Party_Photo.jpeg.............exe executable.

When the attachment is rendered in Teams, it is displayed as Christmas_Party_Photo.jpeg, and when highlighting it, it will continue to show that name, as shown below.

However, when the user clicks on the link, the attachment will download the executable from the attacker's server.

In addition to using this Microsoft Teams spoofing phishing attack to send malicious files to external users, attackers can also modify the JSON to use Windows URIs, such as ms-excel:, to automatically launch an application to retrieve a document.

Rauch says this would allow attackers to trick users into connecting to a remote network share, letting threat actors steal NTLM hashes, or local attackers perform an NTLM relay attack to elevate privileges.

"These allowed, potentially unsafe URI schemes, combined with the lack of permissions enforcement and attachment spoofing vulnerabilities, can allow for a One Click RCE via NTLM relay in Microsoft Teams," Rauch explains in his report on the spoofing attack.

Microsoft not immediately fixing bugs

Rauch told BleepingComputer that he disclosed the flaws to Microsoft in May and June of 2022, and despite Microsoft saying they were valid issues, they decided not to fix them immediately.

When BleepingComputer contacted Microsoft about why the bugs were not fixed, we were not surprised by their response regarding the GIFShell attack technique, as it requires the device to already be compromised with malware.

“This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.

We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.” – a Microsoft spokesperson. 

However, we were surprised that Microsoft did not consider the ability of external attackers to bypass security controls and send attachments to another tenant as not something that should be immediately fixed.

Furthermore, not immediately fixing the ability to modify JSON attachment cards so that Microsoft Teams recipients could be tricked to download files from remote URLs was also surprising.

However, Microsoft has left the door open to resolving these issues, telling BleepingComputer that they may be serviced in future versions.

"Some lower severity vulnerabilities that don’t pose an immediate risk to customers are not prioritized for an immediate security update, but will be considered for the next version or release of Windows," explained Microsoft in a statement to BleepingComputer.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reverse-shell-using-microsoft-teams-gifs/

On Saturday, the DeadBolt ransomware operation launched a new attack on QNAP devices using a zero-day vulnerability in Photo Station. That same day, QNAP released security updates to fix the vulnerability, urging customers to install the update and not expose their devices on the Internet.

On Monday, both InterContinental Hotels Group (IHG) and Los Angeles Unified (LAUSD) school district were hit by ransomware attacks that disrupted the organizations' technical operations.

For IHG, the attack disrupted their online reservation systems; for LAUSD, it impacted the school district's IT systems.

However, even though the cyberattack impacted LAUSD's technology infrastructure, the schools opened as usual for Los Angeles students.

Yesterday, the Vice Society ransomware told BleepingComputer that they were behind the attack on LAUSD and claimed to have stolen 500GB of data.

The responsible ransomware gang came as no surprise, as the FBI, CISA, and MS-ISAC released an advisory on Monday warning of the Vice Society targeting school districts.

We also saw some new ransomware research released this week:

• Ransomware gangs DDoS Cobalt Strike servers with Anti-Putin/Anti-Russia messages.
• A Play ransomware analysis.
• Analysis of a new version of BlackCat.
• A Google report on how ex-Conti members are targeting Ukraine.
• Info on a new Monti ransomware operation.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @LawrenceAbrams, @FourOctets, @Ionut_Ilascu, @serghei, @billtoulas, @fwosar, @VK_Intel, @struppigel, @BleepinComputer, @malwrhunterteam, @Seifreed, @DanielGallagher, @demonslay335, @jorntvdw, @PolarToffee, @MsftSecIntel, @CISAgov, @FBI, @pmbureau, @AdvIntel, @pcrisk, @PogoWasRight, @cPeterr, @security_score, and @Intel471Inc.

September 3rd 2022

PLAY Ransomware analysis

This is my analysis for PLAY Ransomware. I’ll be solely focusing on its anti-analysis and encryption features. There are a few other features such as DLL injection and networking that will not be covered in this analysis.

September 5th 2022

QNAP patches zero-day used in new Deadbolt ransomware attacks

QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.

New STOP Ransomware variants

PCrisk discovered new STOP ransomware variants that append the .oopu, .oodt, and .oovb extensions.

September 6th 2022

InterContinental Hotels Group cyberattack disrupts booking systems

Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached.

Second largest U.S. school district LAUSD hit by ransomware

Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend.

FBI warns of Vice Society ransomware attacks on school districts

FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.

TTPs Associated With a New Version of the BlackCat Ransomware

Our Digital Forensics and Incident Response (DFIR) team was engaged in investigating a ransomware infection. We were able to determine that the ransomware involved is a new version of the BlackCat ransomware, based on the fact that the malware added new command line parameters that were not documented before.

September 7th 2022

Google says former Conti ransomware members now attack Ukraine

Google says some former Conti cybercrime gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs).

Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages

Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.

New STOP Ransomware variants

PCrisk discovered new STOP ransomware variants that append the .mmpu, .mmvb, and .mmdt extensions.

Bl00dy ransomware sample found

PCrisk found a sample for the new 'Bl00dy Ransomware' based on the Babuk ransomware family that appends the .bl00dy and drops the How To Restore Your Files.txt ransom note.

Bl00dy ransomware was first reported on by DataBreaches.net after the threat actors targeted New York medical practices.

Conti vs. Monti: A Reinvention or Just a Simple Rebranding?

Though there is no iron-clad evidence of Conti rebranding as Monti, Conti source was leaked publicly in March 2022. Consequently, it is possible that anybody could use the publicly available source code to create their own ransomware based on Conti. This could be the case with Monti from our analysis of the disassembled code. Monti's entry point is very similar to Conti's, as seen below. As such, Monti could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code mentioned above.

September 8th 2022

Microsoft: Iranian hackers encrypt Windows systems using BitLocker

Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 (aka Nemesis Kitten) has been abusing the BitLocker Windows feature in attacks to encrypt victims' systems.

New Ballacks Ransomware

PCrisk found a new VoidCrypt variant calling itself 'Ballacks Ransomware' that appends the .ballacks extension and drops a ransom note named ReadthisforDecode.txt.

New DoyUk ransomware

PCrisk found the DoyUk Ransomware that appends the .doyuk extension and drops a ransom note named Restore Your Files.txt.

September 9th 2022

Vice Society claims LAUSD ransomware attack, theft of 500GB of data

The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the United States, over the weekend.

New MLF ransomware

PCrisk found the new MLF ransomware that appends the .MLF extension.

The Week in Ransomware - September 9th 2022 - Schools under fire

Redmond's threat intelligence teams found that the group is quick to exploit newly disclosed security vulnerabilities and extensively uses living-off-the-land binaries (LOLBINs) in attacks.

This aligns with Microsoft's findings that DEV-0270 uses BitLocker, a data protection feature that provides full volume encryption on devices running Windows 10, Windows 11, or Windows Server 2016 and above.

"DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leads to the hosts becoming inoperable," the Microsoft Security Threat Intelligence explained.

"For workstations, the group uses DiskCryptor, an open-source full disk encryption system for Windows that allows for the encryption of a device's entire hard drive."

The time to ransom (TTR) between the initial access and the ransom note being deployed on locked systems was around two days, and DEV-0270 has been observed demanding victims to pay $8,000 for decryption keys following successful attacks.

Moonlighting for personal gain

Redmond says this is a sub-group of the Iranian-backed Phosphorus cyber-espionage group (aka Charming Kitten and APT35) known for targeting and collecting intelligence from high-profile victims linked to governments, NGOs, and defense organizations worldwide.

DEV-0270 appears to be moonlighting "for personal or company-specific revenue generation," according to a low confidence assessment from Microsoft.

Based on "numerous infrastructure overlaps," Microsoft says the group is being operated by an Iranian company known under two aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]it).

"These organizations are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), located in Karaj, Iran," Redmond added.

"The group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks."

Since many of DEV-0270's attacks have exploited known vulnerabilities in Exchange (ProxyLogon) or Fortinet (CVE-2018-13379), companies are advised to patch their Internet-facing servers to block exploitation attempts and subsequent ransomware attacks.

Similar malicious activity linked to a threat group Secureworks tracks as COBALT MIRAGE (with elements overlapping the Phosphorus APT group) was reported by SecureWorks' Counter Threat Unit (CTU) in May.

The news about the retrieval was announced during the AxieCon event today, where the hosts highlighted it as a community achievement and the result of a large-scale collaboration between multiple law enforcement authorities and private entities.

This is the first time stolen cryptocurrency has been seized from a North Korean hacking group, and according to a Chainalysis report, which had active involvement in the retrieval, it won't be the last.

"Chainalysis Crypto Incident Response team played a role in these seizures, utilizing advanced tracing techniques to follow stolen funds to cash out points and liaising with law enforcement and industry players to quickly freeze funds," the company reports.

The seized money will gradually move into Axie Infinity's treasury and back to the players' community, but the game's publishers explained this process might take several years.

Lazarus laundering effort

As Chainalysis explains, the Korean hackers followed a typical five-stage laundering process laid down below:

• Send stolen Ether to intermediary wallets
• Mix Ether in batches using Tornado Cash
• Swap Ether for Bitcoin
• Mix Bitcoin with batches

The recent sanctions imposed by the U.S. Department of the Treasury on Tornado Cash forced Lazarus to use alternatives for the remaining one-third of the stolen funds, using bridges between blockchains to obscure movements.

Chainalysis was able to track this "chain-hopping" and trace all of the attempted crypto swaps, helping law enforcement authorities freeze and retrieve part of the funds.

Lazarus in law enforcement's crosshairs 

The total financial damage caused by Lazarus' Axie Infinity hack is estimated to be $620 million, so the recovered amount represents only about 5% of that value and 10% of the cryptocurrency amount.

However, the blow for Lazarus is still significant, as it signifies that stolen digital assets aren't easy to move around, launder, and eventually cash out into fiat money.

Since Lazarus is one of the world's most sophisticated and skillful threat actors, the message sent by law enforcement has also rippled across the entire DeFi hacking community.

Chainalysis comments that most of the stolen funds from Axie Infinity remain unspent in cryptocurrency wallets, and the threat actor is running out of reliable options for cashing out.

Hence, the New York-based blockchain analysis firm is confident that more seizures and retrievals will follow in the upcoming years.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/us-recovers-30-million-stolen-from-axie-infinity-by-lazarus-hackers/

Bumblebee was discovered in April, involved in phishing campaigns believed to be orchestrated by the same actors behind BazarLoader and TrickBot, i.e., the Conti syndicate.

As Bumblebee is an evolved loader with advanced anti-analysis and anti-detection features, it was assumed that it would replace other loaders, such as BazarLoader, in initial compromise attacks followed by ransomware deployment.

Bumblebee's distribution rate reached notable levels in the ensuing months, yet the new loader never became dominant in the field.

According to a report by Cyble, based on a finding by threat researcher Max Malyutin, the authors of Bumblebee are preparing a comeback from the summer hiatus of spam operations, using a new execution flow.

Execution from memory

Previously, Bumblebee reached victims via emails carrying password-protected zipped ISO files that contained an LNK (for executing the payload) and a DLL file (the payload).

In the recent attack, Bumblebee replaced the ISO with a VHD (Virtual Hard Disk) file, which, again, contains an LNK shortcut file (Quote).

Instead of executing Bumblebee (DLL) directly, the LNK now executes "imagedata.ps1," which launches a PowerShell window and hides it from the user by abusing the 'ShowWindow' command.

The SP1 script is obfuscated using Base64 and string concatenation to evade AV detection while loading the second stage of the PowerShell loader.

The second stage features the same obfuscation as the first and contains the PowerSploit module to load the 64-bit malware (LdrAddx64.dll) into the memory of the PowerShell process using reflective injection.

"PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process," explains Cyble in the report.

"This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system."

With the new loading flow, Bumblebee loads from memory and never touches the host's disk, thus minimizing the chances of being detected and stopped by anti-virus tools.

By increasing its stealthiness, Bumblebee becomes a more potent initial access threat and increases its chances of enticing ransomware and malware operators looking for ways to deploy their payloads.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/

WeTransfer is a legitimate file-sharing service that can be used free of charge, so it's a no-cost way to bypass security software that may not raise alerts about the URLs used in emails.

In a new campaign observed by email security firm Cofense, Lampion operators are sending phishing emails from compromised company accounts urging users to download a "Proof of Payment" document from WeTransfer.

The file the targets receive is a ZIP archive containing a VBS (Virtual Basic script) file the victim needs to launch for the attack to begin.

Upon execution, the script initiates a WScript process that creates four VBS files with random naming. The first one is empty, the second has minimal functionality, and the third's only purpose is to launch the fourth script.

Cofense analysts comment that this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps.

The fourth script launches a new WScript process that connects to two hardcoded URLs to fetch two DLL files hiding inside password-protected ZIPs. The URLs point to Amazon AWS instances.

The password for the ZIP files is hardcoded in the script, so the archives are extracted without requiring user interaction. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems.

From there, Lampion begins stealing data from the computer, targeting bank accounts by fetching injections from the C2 and overlaying its own login forms on login pages. When users enter their credentials, these fake login forms will be stolen and sent to the attacker.

Lampion revitalized

The Lampion trojan has been around since at least 2019, focusing mainly on Spanish-speaking targets and using compromised servers to host its malicious ZIPs.

In 2021, Lampion was seen abusing cloud services for hosting the malware for the first time, including Google Drive and pCloud.

More recently, in March 2022, Cyware reported an uptick in the trojan's distribution, identifying a hostname link to Bazaar and LockBit operations.

Cyware also reported that Lampion's authors were actively trying to make their malware harder to analyze by adding more obfuscation layers and junk code.

Cofense's latest report indicates that Lampion is an active and stealthy threat, and users should be cautious with unsolicited emails asking them to download files, even from legitimate cloud services.

MOIS is the Iranian government's leading intelligence agency, tasked with coordinating intelligence and counterintelligence efforts, as well as covert actions supporting the Islamic regime's goals beyond the country's borders.

"Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors," the Treasury Dept's Office of Foreign Assets Control (OFAC) said.

"In July 2022, cyber threat actors assessed to be sponsored by the Government of Iran and MOIS disrupted Albanian government computer systems, forcing the government to suspend online public services for its citizens."

After linking the July cyberattack that targeted Albanian government infrastructure to Iranian threat actors, Albanian Prime Minister Edi Rama announced on Wednesday that the country severed diplomatic ties with Iran and asked all embassy staff to leave within 24 hours.

The U.S. government, NATO, and the U.K. also formally blamed Iran for its reckless cyberattacks against Albania, saying the country would be held accountable for threatening the security of a NATO ally.

"Iran's cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public," said Brian E. Nelson, the Treasury's Under Secretary for Terrorism and Financial Intelligence today.

"We will not tolerate Iran's increasingly aggressive cyber activities targeting the United States or our allies and partners."

MOIS-controlled threat groups

Earlier this year, U.S. Cyber Command (USCYBERCOM) officially linked the Iranian-backed MuddyWatter threat group to Iran's Ministry of Intelligence and Security (MOIS).

This cyber-espionage group (also known as SeedWorm and TEMP.Zagros) was first spotted in 2017 and is known for focusing its espionage attacks on Middle Eastern entities targeting dissidents and government organizations.

MuddyWater was also linked to attacks against government and defense entities in Central and Southwest Asia and numerous privately-held and public orgs from North America, Europe, and Asia [1, 2, 3].

MOIS is also known for controlling APT39, another cyber espionage group engaging in surveillance operations aligned with Iranian interests since November 2014.

"MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC," John Hultquist, Mandiant's Vice President of Intelligence Analysis, told BleepingComputer.

"These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain. Those operations were a template for the Albania attack."

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/us-sanctions-iran-s-ministry-of-intelligence-over-albania-cyberattack/

The American cryptocurrency exchange feels that the U.S. is exceeding its authority by sanctioning an open source privacy technology rather than bad actors.

"In the Tornado Cash action, OFAC did not target the bad actors or the property controlled by those actors; instead, it took the unprecedented step of sanctioning open source technology — a tool legitimately used by many innocent people even if also by some bad actors," reads the Coinbase announcement.

A cryptocurrency mixer is a privacy platform that allows users to deposit funds and withdraw them from a different crypto address after multiple obscuring bounces between the service's nodes, making tracing back to the source more difficult.

Tornado Cash is an open-source and fully decentralized mixer developed and maintained by many volunteers worldwide.

The U.S. Office of Foreign Assets Control (OFAC) sanctioned the Tornado Cash platform on August 8, after a long period of abuse of the project as a money laundering platform, with hackers using it to mix funds snatched from cryptocurrency exchanges, music services, and blockchain platforms.

Most notably, North Korean hacking group 'Lazarus' used Tornado Cash to launder approximately $455 million stolen from Axie Infinity earlier this year.

However, the sanctions imposed on the platform weren't received positively in the blockchain community, as many people were using Tornado to enhance the anonymity of their Ethereum transactions.

As Coinbase's CEO and co-founder Brian Armstrong writes in a blog post, individuals use Tornado to make anonymous donations, protect their security while transacting, and keep their private affairs away from the public.

The transparent nature of blockchains that empowers auditability and verification makes them intrinsically bad for privacy, Armstrong explains, and Tornado served as a critical complement to preserve users' desire for privacy.

Finally, GitHub's removal of Tornado Cash code from its repositories has spread fear among the open-source project developers and threatens to have "a chilling effect on innovation," warns Armstrong.

The lawsuit was filed in the U.S. District Court of the Western District of Texas by six individuals who had their funds trapped in Tornado Cash due to the sanctions.

The litigation requests the court to reverse the sanctions, allowing users to regain access to their funds and giving the community back a tool that will help to preserve their privacy.

Lazarus is a state-backed threat actor known for conducting espionage, data theft, and cryptocurrency stealing campaigns over the past decade. The threat actors are responsible for hundreds of sophisticated attacks internationally.

According to researchers at Cisco Talos, who uncovered the latest operation, Lazarus targeted the energy organizations between February and July 2022, leveraging public VMWare Horizon exploits for initial access.

From there, they used custom malware families like 'VSingle' and 'YamaBot' and a previously unknown remote access trojan (RAT) named 'MagicRAT' that is used to search for and steal data from infected devices.

Symantec's threat hunters analyzed the same campaign in April and ASEC researchers in May. However, Cisco's report goes deeper to unveil many more details about the threat actor's activity.

Multiple attack strategies

Cisco Talos presents several attack strategies that illustrate Lazarus' latest techniques, tactics, and procedures (TTPs) and highlight the versatility of the sophisticated hacking group.

In the first case, the threat actors exploit VMWare servers vulnerable to Log4Shell flaws to run shellcode that establishes a reverse shell for running arbitrary commands on the compromised endpoint.

Since VMWare Horizon runs with high privileges, Lazarus can deactivate Windows Defender via registry key modifications, WMIC, and PowerShell commands before deploying VSingle.

The VSingle backdoor supports advanced network reconnaissance commands, prepares the ground for stealing credentials, creates new admin users on the host, and finally establishes a reverse shell connection with the C2 to fetch plugins that enrich its functionality.

In the second case presented in the report, which concerns a different victim, the initial access and reconnaissance follow similar patterns, but this time, the hackers dropped MagicRAT along with VSingle.

Talos published a separate post on MagicRAT yesterday, detailing all the functions of this previously unseen trojan.

MagicRAT can establish persistence on its own by executing hardcoded commands that create the required scheduled tasks, help in system reconnaissance, and fetch additional malware from C2, like the TigerRAT.

In the third intrusion case, Lazarus deploys YamaBot, a custom malware written in Go, featuring standard RAT capabilities such as:

• List files and directories.
• Send process information to C2.
• Download files from remote locations.
• Execute arbitrary commands on the endpoints.
• Uninstall itself

The Japanese CERT linked YamaBot with Lazarus in July 2022, highlighting its encrypted C2 communication capabilities.

Lazarus attack chain diversification isn’t limited to the final malware payloads but extends to the proxy or reverse tunneling tools and credential harvesting techniques.

In some cases, the hackers employed the Mimikatz and Procdump tools, while in others, they exfiltrated copies of registry hives containing AD credentials.

“In one instance, the attackers tried to obtain Active Directory information on one endpoint via PowerShell cmdlets. However, a day later, the attackers used adfind.exe to extract similar information on the same endpoint,” explains Cisco Talos in the report.

The idea behind these variations is to mix up TTPs and make attribution, detection, and defense more challenging for incident responders.

As highlighted in this report, Lazarus is closely monitored by cybersecurity firms, so they can't afford to become lazy in diversifying their attack chains.

This diversification in attacks is illustrated in the Lazarus hacker's wide range of attacks, including their targeting of IT job seekers, the creation of fake cryptocurrency trading apps, the creation of trojanized development tools, the use of ransomware as decoys, and the massive $620 million theft of cryptocurrency theft from the Ronin bridge.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/

EMGFA is the government agency responsible for the control, planning, and operations of the armed forces of Portugal.

The agency only realized they suffered a cyberattack after hackers posted samples of the stolen material on the dark web, offering to sell the files to interested individuals.

American cyber-intelligence agents noticed the sale of stolen documents and alerted the U.S. embassy in Lisbon, which in turn warned the Portuguese government about the data breach.

Immediately, a team of experts from the National Security Office (GNS) and Portugal’s national cybersecurity center was dispatched to EMGFA to carry out a complete screening of the body’s entire network.

The story came to light by local news organization Diario de Noticias, which claims it has confirmed the validity of the information via unnamed sources close to the ongoing investigations.

These sources told the news outlet that the leaked documents are of “extreme gravity,” so their dissemination might cause a crisis with the country’s credibility in the military alliance.

“It was a cyberattack prolonged in time and undetectable, through bots programmed to detect this type of documents, which were later removed in several stages,” stated one of DN’s sources.

The computers used by EMGFA are air-gapped, but the exfiltration used standard non-secure lines. Hence, the first conclusion of the investigation is that the top military body has broken its operational security rules at some point.

As of today, no official statement has been issued by the Portuguese state on the topic, but the pressure for a briefing by the political opposition is rising following DN’s revelations.

Many members of the parliament expressed their surprise today with the news about classified military documents being sold on the internet and the country’s intelligence services failing to detect such a highly critical breach.

Hence, they requested the chairman of the parliamentary defense committee, Marcos Perestrello, to intercede so that hearings regarding the incident were scheduled as soon as possible.

BleepingComputer has reached out to Portugal’s PM office, the Ministry of Defense, and EMGFA, and we will update this post as soon as we receive a response.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/classified-nato-documents-stolen-from-portugal-now-sold-on-darkweb/

The Google Chrome zero-day (CVE-2022-3075) was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.

On Monday, QNAP network-attached storage (NAS) appliance maker warned its customers that it patched a zero-day bug in the widely used Photo Station software, tracked as CVE-2022-27593, and actively exploited in widespread DeadBolt ransomware attacks.

Last but not least, the two critical D-Link security flaws (CVE-2022-28958 and CVE-2022-26258) are being targeted by the Mirai-based Moobot botnet to gain remote code execution and take over unpatched devices.

After being added to CISA's to its Known Exploited Vulnerabilities (KEV) catalog, all Federal Civilian Executive Branch Agencies (FCEB) agencies now must patch their systems against these security bugs exploited in the wild according to a binding operational directive (BOD 22-01) published in November.

The federal agencies were given three weeks, until September 29th, to ensure that exploitation attempts would be blocked.

All U.S. organizations urged to prioritize these security updates

Although DHS' BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urges U.S. organizations in the private and public sectors to prioritize patching these bugs.

Taking this advice to heart and applying patches as soon as possible will likely significantly decrease the attack surface attackers could use in attempts to breach their networks.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise," the US cybersecurity agency explained Thursday.

Since this binding directive was issued in November, CISA has added more than 800 security flaws to its catalog of bugs exploited in attacks, requiring federal agencies to patch them on a tighter schedule to block security breaches.

It is strongly recommended that all security professionals and admins review CISA's KEV catalog and patch listed bugs within their environment.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-chrome-d-link-flaws-used-in-attacks/

The experimental extension is based on Google's Manifest V3 for extensions, which changes things significantly for extensions such as uBlock Origin.

From January 2023 on, Google will block extensions that rely on Manifest V2 in Chrome. There is an Enterprise-policy that extends the cut-off date to June 2023. From June 2023 onward, Manifest V2 extensions are no longer supported. Installed extensions will not run anymore and new extensions can't be installed at all in Chrome anymore.

Google claims that Manifest V3 improves privacy by removing capabilities from extensions. Rogue extensions may use the capabilities to spy on users. A side-effect, or so it seems, is that privacy and content blocking extensions may run with limited functionality only. Google, earning most of its revenue from advertising, may benefit from this.

The experimental extension uBOMinus is compatible with Manifest V3. The minus indicates that it is not as powerful as uBlock Origin. Hill reveals that uBO Minus uses the declarativeNetRequest API exclusively, which Google introduced in Manifest V3 to replace more powerful APIs of Manifest V3.

The extension does not require any extra permissions, including the "read and change all your data on all websites" permission. The consequence of this is that certain features are not supported by it. Hill lists cosmetic filtering, scriplet injections, CSP, redirect and removeparam filters specifically.

The Chrome extension uBO Minus uses the same default filter set as uBlock Origin, but in optimized form to take into account the limitations of Manifest V3.

Chrome users who want to give uBO Minus a try may download and install it from the Chrome Web Store. New versions of uBO Minus will be released alongside the regular uBlock Origin extension for Chromium-based browsers and Firefox.

The extension has a simple interface, which highlights the number of blocked items only.

Closing Words

Chrome users who rely on content blockers may encounter major issues from January 2023 on. Some may want to check out other browsers, either those with built-in content blockers, such as Brave, Vivaldi or Opera, or Firefox, which will continue to support uBlock Origin fully.

Browsers based on Chromium face additional problems once the change lands. While it is in theory possible to alter the code to continue support for Manifest V2, or at least some of the available APIs, browser makers would have to launch their own extension repositories as the Chrome Web Store won't host any Manifest V2 extensions anymore after January 2023.

UBO Minus is the second extension for Chromium-based browsers that relies on Manifest V3 exclusively. AdGuard released AdGuard AdBlocker MV3 recently, which does as well.

Content blocking will be different when Manifest V2 support is dropped. Some users may not notice a difference, if they rely on basic filtering only. Those who subscribe to more filter lists or use multiple privacy extensions that do filter requests, may run into the artificial limitation.

Many Chrome users are probably unaware of the announced changes at this point. Those who know about it, may want to check out other browsers that won't be affected by the change.

Now You: what is your take on this?

uBlock Origin Minus: an experimental Manifest v3 compatible extension

A stealthy new form of malware is targeting Linux systems in attacks that can take full control of infected devices – and it is using this access to install crypto-mining malware.

Dubbed Shikitega, the malware targets endpoints and Internet of Things devices that run on Linux operating systems and has been detailed by cybersecurity researchers at AT&T Alien Labs.

The malware is delivered in a multi-stage infection chain, where each module responds to commands from the previous part of the payload and downloads and executes the next one.

By downloading the payload bit by bit – starting with a module that is just a few hundred bytes – Shikitega can avoid being uncovered by anti-virus software. It also uses a polymorphic encoder to make it more difficult to detect.

Researchers also note that those behind Shikitega appear to abuse legitimate cloud services to host some of their command-and-control servers.

The initial method of infection is still unknown, but the malware gradually downloads more and more modules to provide full functionality, starting with the initial dropper, then going through several stages – including downloading Mettle, a Metasploit offensive security tool, which allows the attacker to deploy a wide range of attacks.

These include taking control of webcams, taking control of processes, executing shell commands, and more. The ability to run shell commands provides the attackers with the ability to further exploit the system – and it appears that this is what they're focused on for now.

The malware downloads and executes further modules that exploit vulnerabilities in Linux, which can be used to achieve persistence and control of the compromised system.

The vulnerabilities are CVE-2021-3493, a validation issue in the Linux kernel that allows attackers to gain elevated privileges, and CVE-2021-4034, a high-severity memory corruption vulnerability in polkit, which is installed by default in Linux distributions.

By exploiting these vulnerabilities, the malware is able to download and execute the final stage of the payload with root privileges, providing the ability to fully control the system.

This final stage of the attack downloads crypto-mining malware, which allows the attackers to exploit the power of infected machines to secretly mine for cryptocurrency – at no cost to themselves. While this appears to be the focus of the attacks for now, the amount of control Shikitega gains over systems means it could be used for more damaging attacks in the future.

And Linux is a useful target for cyber criminals, because it can often be overlooked when businesses think about cybersecurity.

"Threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads," said Ofer Caspi, malware researcher at Alien Labs.

"Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload," he added.

A key part of Shikitega's attack process is leveraging known vulnerabilities to help gain full access to Linux systems; this can be prevented by ensuring the appropriate security patches for CVE-2021-3493 and CVE-2021-4034 have been applied, as well as swiftly applying any other updates that are released.

Source

The problem is precisely present in its Performance Tune-up diagnostic tool. In its security bulletin, HP explains the issue:

Privilege escalation in HP Support Assistant

HP Support Assistant uses HP Performance Tune-up as a diagnostic tool. HP Support Assistant uses Fusion to launch HP Performance Tune-up. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.

HP has also listed the vulnerable software versions that are to be avoided:

• HP Support Assistant versions earlier than 9.11

   

• Fusion versions earlier than 1.38.2601.0

   

Hence, HP PC owners are advised to download and install the HP Support Assistant version 9.11 from the company's official website here.

Beware: HP Support Assistant found vulnerable to DLL hijacking privilege escalation

For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura sometime soon, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs.

Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now.

Apple’s rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech’s biggest companies. Apple’s passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon’s systems.

What Is a Passkey?

Using a passkey is similar to using a password. On Apple’s devices, it’s built into the traditional password boxes that websites and apps use to get you to log in. Passkeys act as a unique digital key and can be created for each app or website you use. (The word “passkey” is also being used by Google and Microsoft, with FIDO calling them “multi-device FIDO credentials.”)

If you are new to an app or a website, there’s the potential that you can create a passkey instead of a password from the start. But for services where you already have an account, it’s likely you will need to log in to that existing account using your password and then create a passkey.

Apple’s demonstrations of the technology show a prompt appearing on your devices during the sign-in or account-creation phase. This box will ask whether you would like to “save a passkey” for the account you are using. At this stage, your device will prompt you to use Face ID, Touch ID, or another authentication method to create the passkey.

Once created, the passkey can be stored in iCloud’s Keychain and synced across multiple devices—meaning your passkeys will be available on your iPad and MacBook without any extra work. Passkeys work in Apple’s Safari web browser as well as on its devices. They can also be shared with nearby Apple devices using AirDrop.

As Apple’s passkeys are based on the wider passwordless standards created by the FIDO Alliance, there’s the potential that they can be stored elsewhere, too. For instance, password manager Dashlane has already announced its support for passkeys, claiming it is an “independent and universal solution agnostic of the device or platform.”

While Apple is launching passkeys with iOS 16 and macOS Ventura, there are several caveats to its rollout. First, you need to update your devices to the new operating system. Second is that apps and websites need to support the use of passkeys—they can do this by using the FIDO standards. Ahead of Apple’s updates, it isn’t clear which apps or websites are already supporting passkeys, although Apple first previewed the technology to developers at its developer conference in 2021.

How Do Apple’s Passkeys Work?

Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (WC3). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed.

When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,” Garrett Davidson, an engineer on Apple’s authentication experience team, said in a video about passkeys. One of these keys is public and stored on Apple’s servers, while the other key is a secret key and stays on your device at all times. “The server never learns what your private key is, and your devices keep it safe,” Davidson said.

When you try to sign in to one of your accounts using a passkey, the website or app’s server sends your device a “challenge,” essentially asking your device to prove that it’s you logging in. The private key, which is stored on your device, is able to answer this challenge and send its response back. This answer is then validated by the public key, which then allows you to log in. “This means the server can be sure that you have the right private key, without knowing what the private key actually is,” Davidson said.

What if I Don’t Use Only Apple Devices?

Because Apple developed its passkeys based on the FIDO Alliance standards, the passkeys can work across devices and on the web. If you try to log in to one of your accounts on a Windows machine, you’ll have to use a slightly different method since your passkeys won’t be stored on that machine. (If they are saved in an external password manager, you would need to log in to that first).

Instead, when you log in to a website in Google Chrome, for example, you will have to use a QR code and your iPhone to help you sign in. The QR code contains a URL that includes single-use encryption keys. Once scanned, your phone and the computer are able to communicate using an end-to-end encrypted network via Bluetooth and share information.

“That means a QR code sent in an email or generated on a fake website won’t work, because a remote attacker won’t be able to receive the Bluetooth advertisement and complete the local exchange,” Davidson said. This process happens between your phone and the web browser—the website you are logging in to isn’t involved.

Aside from Apple, other tech firms are in various stages of rolling out their own passkey technology. Google’s developer pages say it aims to have passkey support available for Android developers “towards the end of 2022.” Microsoft has been using some passwordless login systems for a few years now and says that “in the near future,” people will be able to sign in to a Microsoft account with a passkey from an Apple or Google device.

Are Passkeys Better Than Passwords?

No system is infallible, but the passwords people currently use are one of the biggest security problems with the web. Every year, the most popular passwords people use—according to analysis of data breaches—are topped by “123456789” and “password.” Using weak and repeated passwords is one of the most significant risks to your online life.

There’s wide support for abandoning passwords—the FIDO Alliance involves pretty much every big technology company, and they’re all working on eliminating the password. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, welcomed the adoption of passwordless technologies in May this year.

“Every passkey is strong. They’re never guessable, reused, or weak,” Apple says in its documentation of passkeys. “To really address password problems, we need to move beyond passwords,” Google says in its own description of passkeys. It claims passkeys will help reduce phishing attacks—people can’t be tricked into sharing their passkeys—and that passkeys are less of a target for hackers as their details aren’t stored on servers.

Despite the enthusiasm for passkeys, passwords are going to be around for a long time yet. Transitioning people from using passwords to a new sign-in method requires them to trust and understand the new system; apps and websites also need to support passkeys. And there are some unanswered questions, such as whether cloud backups from iOS to Android will be compatible. The password isn’t quite dead yet, but it’s getting there.

Apple’s Killing the Password. Here’s Everything You Need to Know

(May require free registration to view)

WT1SHOP was one of the largest criminal marketplaces of PII data commonly used by threat actors to buy credentials for account takeovers, credit cards used for online purchases, and government I.D. cards for identity theft.

"The WT1shop was one of the turnkey account shop selling compromised accounts and personally identifiable information since the Slilpp takedown," AdvIntel CEO Vitali Kremez told BleepingComputer.

"It catered primarily to the carders and fraudsters focused on account takeover activity and offering its service on many underground crime communities."

The representatives of WT1SHOP commonly promoted the marketplace on Russian hacking forums and Reddits that catered to online criminal activity.

Servers and domains seized by law enforcement

Today, the Department of Justice announced that Portuguese authorities seized the WT1SHOP website, and the U.S. seized four Internet domains used to access the criminal marketplace, including wt1shop.net, wt1store.cc, wt1store.com, and wt1store.net.

Other domains used by the website are wt1store.biz, wt1store.me, wt1store.xyz, and wt1store.org, which do not appear to be seized now. However, as the website is seized, visiting any of these domains no longer allows access to the store.

The operation was conducted by the U.S. Attorney's Office of the District of Maryland and the FBI, who said the site sold the personal information of millions of users, including stolen login credentials, bank accounts, credit cards, and scanned government identification, such as passports and driver's licenses.

"Law enforcement's review of WT1SHOP in December 2021 showed that the number of users and sellers on the website had increased to approximately 106,273 users and 94 sellers with a total of approximately 5.85 million credentials available for sale," reads the DOJ announcement.

The Dutch police estimated in June 2020 that the site had $4 million in sales paid in bitcoin.

The DOJ announcement says law enforcement traced the bitcoin payments, email addresses, and admin accounts for WT1SHOP back to Nicolai Colesnicov, age 36, of the Republic of Moldova. Colesnicov is suspected to be the administrator and operator of the criminal marketplace.

Colesnicov is charged with conspiracy and trafficking in unauthorized access devices and faces a maximum sentence of 10 years in federal prison if found guilty.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/us-seizes-wt1shop-market-selling-credit-cards-credentials-and-ids/

UAC-0098 is an initial access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems within enterprise networks.

The company's Threat Analysis Group (TAG), a dedicated team of security experts acting as a defense force for Google users from state-sponsored attacks, started tracking this threat group in April after detecting a phishing campaign that pushed the Conti-linked AnchorMail backdoor.

"In the initial encounter with UAC-0098, 'lackeyBuilder' was observed for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups," Google TAG said.

"Since then, the actor consistently used tools and services traditionally employed by cybercrime actors for the purpose of acquiring initial access: IcedID trojan, EtterSilent malicious document builder, and the 'Stolen Image Evidence' social engineering malware distribution service."

This group's attacks were observed between mid-April to mid-June, with frequent changes in its tactics, techniques, and procedures (TTPs), tooling, and lures, while targeting Ukrainian orgs (such as hotel chains) and impersonating the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.

In subsequent campaigns, UAC-0098 was seen delivering IcedID and Cobalt Strike malicious payloads in phishing attacks targeting Ukrainian organizations and European NGOs.

Links to the Conti cybercrime group

Google TAG says its attribution is based on multiple overlaps between UAC-0098, Trickbot, and the Conti cybercrime group.

"Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine," Google TAG added.

"TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.

"UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests."

The threat group's activities detected and revealed today by Google also align with previous reports from IBM Security X-Force and CERT-UA, who also linked attacks on Ukrainian organizations and government entities to the TrickBot and Conti cybercrime gangs.

Conti is still around

The Russian-based Conti gang launched a ransomware operation in 2020, taking the place of the Ryuk ransomware group.

Over time, the gang grew into a cybercrime syndicate, taking over the development of multiple malware operations, including TrickBot and BazarBackdoor.

A Ukrainian security researcher leaked over 170,000 internal chat conversations belonging to the gang, together with the source code for the Conti ransomware encryptor, after Conti sided with Russia following its invasion of Ukraine.

While the group has since shut down the 'Conti' brand, the cybercrime syndicate continues to operate after splitting into smaller cells and infiltrating or taking over other ransomware or cybercrime operations.

Some ransomware gangs infiltrated by Conti members include BlackCat, Hive, AvosLocker, Hello Kitty, and the recently revived Quantum operation.

Other Conti members are now running their own data extortion operations that do not encrypt data, such as BlackByte, Karakurt, and the Bazarcall collective.

The operators of Conti ransomware completed turning off their internal infrastructure in May this year but its members have dispersed to other ransomware gangs, such as Quantum, Hive, and BlackCat.

However, former Conti members continue to use the same Cobalt Strike infrastructure to conduct new attacks under other ransomware operations.

Server flood

Someone is now tracking the TeamServers (C2) used by ransomware actors to control the Cobalt Strike (CS) Beacon payloads on compromised hosts (clients), which allow lateral movement on the network.

When flooding the CS servers, these people are using the username “Stop Putin!” on multiple computers and changing their computer name to various messages, such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!”

Vitali Kremez, the CEO of cyber intelligence company Advanced Intelligence (AdvIntel), told BleepingComputer that whoever is running these attacks initially targeted at least four Cobalt Strike servers allegedly controlled by ex-Conti members.

The researcher says that the messages are flooding the servers at a high rate of about two every second.

As an effect of this large number of pings, TeamServer’s Java application is overloaded and activity is disrupted in a similar way a denial-of-service (DoS) condition would.

Running Cobalt Strike TeamServer from a Java application was possible in versions of the toolkit up to 4.6, released this year in April. In more recent releases, the component runs from an executable image (TeamServerImage).

Kremez says whoever is behind this activity is constantly targeting Cobalt Strike servers believed to be operated by previous Conti ransomware members, resuming the flood whenever a new server is discovered.

Turning the tables on cybercriminals

It is unclear who is behind these messages (it could be anyone from a security researcher, to law enforcement agencies, to a cybercriminal with a grudge for siding with Russia) but it looks like they’re keeping the threat actor busy.

Disrupting ransomware gangs’ activity with denial-of-service has happened before, the LockBit operation being a recent target, allegedly for encrypting systems belonging to digital security company Entrust.

The attack was serious enough for LockBit to shut down its leak sites and start reorganizing its infrastructure. In the meantime, none of the data the gang published was available.

The hackers blamed the DDoS on Entrust since the HTTPS requests came with the message to delete the company’s data.

However, the disruption was temporary and the ransomware actor came online with stronger infrastructure allowing them to keep the stolen data available even when facing distributed denial-of-service (DDoS) attacks.

The cybersecurity firm has collected enough evidence to determine that APT42 is a state-sponsored threat actor who engages in cyberespionage against individuals and organizations of particular interest to the Iranian government.

APT42's first signs of activity date back to seven years ago and revolve around lengthy spear-phishing campaigns that targeted government officials, policymakers, journalists, academics across the globe, and Iranian dissidents.

The hackers' goal is to steal account credentials. However, in many cases, they also deploy a custom Android malware strain capable of tracking victims, accessing the device's storage, and extracting communication data.

Campaigns and targets

According to Mandiant, who discovered the activities of the new hacking group, APT42 has conducted at least 30 operations in 14 countries since 2015. However, this is likely only a small part that surfaced due to operation security mistakes that allowed them to be tracked.

The group switched targets multiple times to match changing intelligence-collection interests. For example, in 2020, APT42 used phishing emails impersonating an Oxford university vaccinologist to target foreign pharmaceuticals.

In 2021, APT42 used compromised email addresses from U.S. media organizations to target victims with fake interview requests, engaging with them for 37 days before striking with a credential harvesting page.

More recently, in February 2022, the hackers impersonated a British news agency to target political science professors in Belgium and the United Arab Emirates.

In most cases, the hackers aimed at credential harvesting by directing their victims to phishing pages made to appear as legitimate login portals.

They either do this by sending shortened links or a PDF attachment containing buttons leading to credential harvesting pages also capable of intercepting MFA codes.

Android malware

The mobile malware strain used in APT42 campaigns helps the threat actor track its most high-interest targets closely, exfiltrating phone calls, SMS inboxes, and room audio recordings daily.

Mandiant says the Android spyware is primarily spread to Iranian targets via SMS texts containing links to a messaging or VPN app that can help bypass government-imposed restrictions.

"The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information," comments Mandiant in the technical report.

"The group's proven ability to record phone calls, activate the microphone and record the audio, exfiltrate images and take pictures on command, read SMS messages, and track the victim's GPS location in real-time poses a real-world risk to individual victims of this campaign."

However, Mandiant also reports discovering landing pages for downloading IM apps in Arabic, so threat actors might have deployed the Android malware outside Iran too.

APT42 uses a rich set of lightweight custom malware on Windows systems to establish a foothold and steal credentials that will enable them to escalate privileges and perform reconnaissance on the network.

For lateral movement, the hackers send phishing emails to colleagues of the compromised user. At the same time, presence in newly breached systems is secured by adding scheduled tasks and new Windows registry keys.

Links to ransomware

Mandiant highlights a link between APT42's TTPs and ransomware activity using BitLocker, reported in November 2021 by Microsoft.

"In one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks," described the Microsoft report.

While Microsoft named the threat cluster 'Phosphorus' in its report, Mandiant now says there's enough technical and OSINT evidence to link the attacks to APT42, together with APT35.

Finally, Mandiant has assessed with moderate confidence that APT42 and APT35 are both handles of the IRGC (Islamic Revolutionary Guard Corps), which the U.S. designates as a terrorist organization.

A credential stuffing attack is when threat actors use email addresses/usernames and password combinations obtained from data breaches to attempt to hack into user accounts on other websites.

The success of these attacks relies on the practice of password recycling, where a person uses the same credentials across multiple online platforms.

The credential stuffing attack on The North Face website began on July 26, 2022, but the website's administrators detected the unusual activity on August 11, 2022, and were able to stop it on August 19, 2022.

After investigating the attack, North Face determined that the attackers managed to breach close to 200,000 accounts using valid credentials, potentially accessing the following customer information:

• Full name
• Purchase history
• Billing address
• Shipping address
• Telephone number
• Account creation date
• Gender
• XPLR Pass reward records

Payment details like credit card data are not stored on the website, so the attackers could not access sensitive financial information.

"We do not keep a copy of payment card details on thenorthface.com. We only retain a "token" linked to your payment card, and only our third-party payment card processor keeps payment card details," explains the firm in the breach notification.

"The token cannot be used to initiate a purchase anywhere other than on thenorthface.com."

In response to the security incident, the brand's parent firm, VF Corporation (formerly Vanity Fair Mills), is sending notices of data breach to impacted customers.

Additionally, all user passwords have been reset, and all payment card tokens on accounts accessed by unauthorized intruders were wiped.

Hence, impacted customers with an account on the website will have to enter a new password and re-enter their payment card details to make a purchase.

Of course, affected users are expected to pick a unique, strong (long) password and avoid the comfort of recycling credentials.

Also, if the customers use the same passwords on other online platforms, those should be changed immediately to avoid additional compromises.

Notably, this is the second time The North Face reset passwords following a successful credential stuffing attack, with the previous one dating back to November 2020.

VF Corporation owns several successful brands besides The North Face, like Vans, Timberland, Eastpak, Kipling, Dickies, and Napapijri. However, those don't appear to have been impacted by this or similar attacks.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/200-000-north-face-accounts-hacked-in-credential-stuffing-attack/

As the SSU discovered, this bot army "of almost 7,000 accounts" was used to push content discrediting the Defence Forces of Ukraine, justify Russia's armed aggression, and destabilize Ukraine's social and political situation.

The first one, operated by a 24-year-old native living in the Kyiv region, was used by "representatives of the PR departments of political parties and Russian citizens promoting destructive and provocative material in Ukrainian information space."

To hide his identity, he used forged Ukrainian documents, Russian e-mail services, and virtual phone numbers of Russian and Belarusian mobile operators for verification.

"The organizer rented out or sold 'ready-made' bots to interested parties, accepting payment to a bank card," the SSU said.

The second, from Odessa, spread panic in the region by pushing disinformation and fake news from the front, selling its services to Russian "clients."

During searches at the suspects' homes, in collaboration with the National Police and the Odesa and Kyiv Region Prosecutor's Offices, the SSU seized payment cards linked to bank accounts used to collect client payments and hundreds of mobile SIM cards and USB modems.

The SSU also found and seized computer equipment and mobile phones with evidence of the bot farm operators' unlawful activity.

Russian disinformation efforts

Since the start of the war in Ukraine, Russian threat actors have been involved in disinformation campaigns targeting Ukraine and have invested in Ukraine-based bot farms.

For instance, in March 2022, the SSU also announced it shut down five disinformation bot farms behind more than 100,000 fake social media accounts spreading fake news.

These disinformation networks, operating from Kharkiv, Cherkasy, Ternopil, and Zakarpattia, aimed to discourage Ukrainians and instill panic by pushing false information about the Russian invasion.

Last month, the Ukrainian cyber police took down another massive bot farm of more than 1,000,000 bots that spread disinformation on social networks.

Ukraine's President Volodymyr Zelenskyy has also been targeted in several misinformation campaigns.

Two of them pushed video deepfakes on Facebook and hacked Ukrainian radio stations to spread fake news that Zelenskyy was in critical condition—Russian actors are believed to be behind both.