<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/167/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>&#x2018;TeamTNT&#x2019; Has a New Credential Harvester Targeting Cloud Services on the Loose</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98teamtnt%E2%80%99-has-a-new-credential-harvester-targeting-cloud-services-on-the-loose-r23/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		‘TeamTNT’ is using a new harvester that targets a wide spectrum of cloud services and software apps.
	</li>
	<li>
		The actors are still targeting Monero wallets and configuration files and are still DDoSing some victims.
	</li>
	<li>
		The hacking group that started as an opportunistic actor is now evolving into a serious threat.
	</li>
</ul>

<p>
	 
</p>

<p>
	‘TeamTNT,’ the hacking group that was mostly occupied with <a href="https://www.technadu.com/teamtnt-unleash-new-cryptojacker-variant-black-t/216389/" rel="external nofollow">disseminating XMR cryptominers</a> on exposed Docker instances last year, is now targeting cloud service credentials. This change in activity was first noticed and reported by researchers at <a href="https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html" rel="external nofollow">TrendMicro</a> at the beginning of March, and now the same team has <a href="https://www.trendmicro.com/en_us/research/21/e/teamtnt-extended-credential-harvester-targets-cloud-services-other-software.html" rel="external nofollow">sampled and analyzed</a> a new credential harvester used by the threat actors.
</p>

<p>
	 
</p>

<p>
	The intruders use a rich repertoire to gain network access, including exploiting vulnerabilities, using stolen passwords, and taking advantage of misconfigurations. From there, they focus on a range of system types depending on what they find, perform network reconnaissance, and finally deploy their new credential harvester.
</p>

<p>
	 
</p>

<p>
	This malware helps TeamTNT steal user IDs and passwords from the following software and services:
</p>

<ul>
	<li>
		Google Cloud
	</li>
	<li>
		Cloudflare
	</li>
	<li>
		Amazon Web Services
	</li>
	<li>
		Shodan
	</li>
	<li>
		Docker
	</li>
	<li>
		SSH
	</li>
	<li>
		Git
	</li>
	<li>
		FileZilla
	</li>
	<li>
		Jupyter
	</li>
	<li>
		Monero wallet
	</li>
	<li>
		SMB clients
	</li>
	<li>
		WebDAV
	</li>
	<li>
		Ngrok2
	</li>
	<li>
		HexChat
	</li>
	<li>
		Pidgin
	</li>
	<li>
		PostgreSQL
	</li>
</ul>

<p>
	 
</p>

<p>
	<img alt="infection-chain-1024x630.png" class="ipsImage" data-ratio="75.10" height="442" width="720" src="https://cdn.technadu.com/wp-content/uploads/2021/05/infection-chain-1024x630.png" />
</p>

<p>
	<span>Source: TrendMicro</span>
</p>

<p>
	 
</p>

<p>
	So, why is TeamTNT interested in stealing cloud service and software app credentials? One very probable reason would be to engage in planting XMR cryptominers in places where they are unlikely to be found and uprooted before making significant amounts of money for the actors. Another would be to resell these credentials to ransomware groups on the dark web. And a third would be to exfiltrate data from cloud-hosted databases and then sell them to phishing actors and scammers.
</p>

<p>
	 
</p>

<p>
	<img alt="credential-targeting-1-1024x352.png" class="ipsImage" data-ratio="48.89" height="247" width="720" src="https://cdn.technadu.com/wp-content/uploads/2021/05/credential-targeting-1-1024x352.png" />
</p>

<p>
	<span>Source: TrendMicro</span>
</p>

<p>
	 
</p>

<p>
	TrendMicro points out that the malware actively looks for Monero configuration files and any accessible wallets, so the anonymous crypto remains a key motivation for the actors, or at least that’s <a href="https://www.technadu.com/state-supported-actors-use-coin-miners-stay-hidden/228389/" rel="external nofollow">what it looks like</a>. When the malware reaches the end of its routine, it attempts to delete itself from the infected system. Still, according to the analysts, this function isn’t implemented properly yet, so it fails.
</p>

<p>
	 
</p>

<p>
	One more thing to note is that TeamTNT also engages in <a href="https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" rel="external nofollow">DDoS attacks</a> once inside a network, as long as they have some form of remote code execution (RCE) to launch them. This is done through a special IRC bot called ‘TNTbotinger.’ DDoS attacks can help the actors draw the attention of response teams elsewhere, slow down malware detection and clean-up efforts, or even aid extortion efforts.
</p>

<p>
	 
</p>

<p>
	In general, TeamTNT has now evolved into a significant, wide-scope threat. Their new harvester is an indication that these malware authors are serious about their operation and intend to take things to the next level.
</p>

<p>
	 
</p>


<p>
	Source: <a href="https://www.technadu.com/teamtnt-new-credential-harvester-targeting-cloud-services-loose/276899/" rel="external nofollow">‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose</a>
</p>
]]></description><guid isPermaLink="false">23</guid><pubDate>Wed, 19 May 2021 19:43:55 +0000</pubDate></item><item><title>May Android security updates patch 4 zero-days exploited in the wild</title><link>https://nsaneforums.com/news/security-privacy-news/may-android-security-updates-patch-4-zero-days-exploited-in-the-wild-r18/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>May Android security updates patch 4 zero-days exploited in the wild</strong></span>
</p>

<p>
	 
</p>

<p>
	According to info provided by Google's Project Zero team, four Android security vulnerabilities were exploited in the wild as zero-day bugs before being patched earlier this month.
</p>

<p>
	 
</p>

<p>
	Based on information shared after this month's Android security updates were published, attacks attempting to exploit these flaws were targeted and impacted a limited number of users.
</p>

<p>
	"There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," a recently updated version of the May 2021 Android Security Bulletin <a href="https://source.android.com/security/bulletin/2021-05-01.html#mitigations" rel="external nofollow">reveals</a>.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	For 2021, we've surpassed the number of 0-days detected in-the-wild in all of 2020. That's great! <a href="https://t.co/o4F74b68Fh" rel="external nofollow">https://t.co/o4F74b68Fh</a>
</p>

<p style="margin-left:40px;">
	— Maddie Stone (@maddiestone) <a href="https://twitter.com/maddiestone/status/1395014620272893953?ref_src=twsrc%5Etfw" rel="external nofollow">May 19, 2021</a>
</p>

<p>
	 
</p>

<p>
	The four Android vulnerabilities impact Qualcomm GPU and Arm Mali GPU Driver components.
</p>

<p>
	 
</p>

<p>
	Qualcomm and Arm have published further details on each vulnerability via security advisories issued separately [<a href="https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin" rel="external nofollow">1</a>, <a href="https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver" rel="external nofollow">2</a>].
</p>

<p>
	 
</p>

<p>
	Android users are recommended to install this month's security updates as soon as possible if they are impacted by these issues.
</p>

<table>
	<tbody>
		<tr>
			<td>
				<strong>CVE-ID</strong>
			</td>
			<td>
				<strong>Impact</strong>
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin#_cve-2021-1905" rel="external nofollow">CVE-2021-1905</a>
			</td>
			<td>
				Qualcomm - Use After Free in Graphics. Possible use after free due to improper handling of memory mapping of multiple processes simultaneously.
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin#_cve-2021-1906" rel="external nofollow">CVE-2021-1906</a>
			</td>
			<td>
				Qualcomm - Detection of Error Condition Without Action in Graphics. Improper handling of address deregistration on failure can lead to new GPU address allocation failure.
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver" rel="external nofollow">CVE-2021-28663</a>
			</td>
			<td>
				ARM - Mali GPU Kernel Driver allows improper operations on GPU memory. A non-privileged user can make improper operations on GPU memory to enter into a use-after-free scenario and may be able to gain root privilege, and/or disclose information.
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver" rel="external nofollow">CVE-2021-28664</a>
			</td>
			<td>
				ARM - Mali GPU Kernel Driver elevates CPU RO pages to writable. A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege, corrupt memory and modify the memory of other processes.
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>


<p>
	This month's Android security updates also include patches for <a href="https://source.android.com/security/bulletin/2021-05-01.html#system" rel="external nofollow">critical vulnerabilities in the System component</a> that could be exploited by remote attackers using specially crafted files to execute arbitrary malicious code within the context of a privileged process.
</p>

<p>
	 
</p>

<p>
	Regrettably, users who haven't switched to newer devices that still receive monthly security updates might not be able to install these patches.
</p>

<p>
	 
</p>

<p>
	To put things into perspective, more than 9% of all Android devices are still running Android 8.1 Oreo (released in December 2017), and roughly 19% are still on Android Pie 9.0 (released in August 2018), according to <a href="https://gs.statcounter.com/os-version-market-share/android" rel="external nofollow">StatCounter data</a>.
</p>

<p>
	In December, Qualcomm also <a href="https://www.bleepingcomputer.com/news/security/qualcomm-vulnerability-impacts-nearly-40-percent-of-all-mobile-phones/" rel="external nofollow">addressed a high severity security vulnerability</a> in Mobile Station Modem (MSM) chips (including the latest 5G-capable versions) that could allow attackers to access smartphone users' text messages, call history, and listen in on their conversations.
</p>

<p>
	 
</p>

<p>
	Last year, <a href="https://www.bleepingcomputer.com/news/security/nearly-50-percent-of-all-smartphones-affected-by-qualcomm-snapdragon-bugs/" rel="external nofollow">Qualcomm fixed more vulnerabilities</a> impacting the Digital Signal Processor (DSP) in Snapdragon chips, which enabled attackers to take control of smartphones without user interaction and create unremovable malware that can evade detection.
</p>

<p>
	 
</p>

<p>
	Other bugs that could allow <a href="https://www.bleepingcomputer.com/news/security/kr-k-attack-variants-impact-qualcomm-mediatek-wi-fi-chips/" rel="external nofollow">decrypting some WPA2-encrypted wireless network packets</a> and <a href="https://www.bleepingcomputer.com/news/security/qualcomm-bug-exposes-critical-data-on-samsung-lg-phones/" rel="external nofollow">accessing critical data</a>, as well as two flaws in the Snapdragon SoC WLAN firmware allowing <a href="https://www.bleepingcomputer.com/news/security/qualpwn-bugs-in-snapdragon-soc-can-attack-android-over-the-air/" rel="external nofollow">over-the-air compromise of the modem and the Android kernel</a>, were also patched during the last two years.
</p>

<p>
	 
</p>


<p>
	Source: <a href="https://www.bleepingcomputer.com/news/security/may-android-security-updates-patch-4-zero-days-exploited-in-the-wild/" rel="external nofollow">May Android security updates patch 4 zero-days exploited in the wild</a>
</p>
]]></description><guid isPermaLink="false">18</guid><pubDate>Wed, 19 May 2021 17:04:09 +0000</pubDate></item><item><title>Critics say there are no legitimate uses of encryption&#x2014;they're wrong</title><link>https://nsaneforums.com/news/security-privacy-news/critics-say-there-are-no-legitimate-uses-of-encryption%E2%80%94theyre-wrong-r10/</link><description><![CDATA[<p>
	Australia's parliament is considering legislation to give new powers to the Australian Criminal Intelligence Commission (ACIC) and the Australian Federal Police. These powers will allow them to modify online data, monitor network activity, and take over online accounts in some circumstances.
</p>

<p>
	 
</p>

<p>
	Last week, in a submission to parliament regarding the proposed powers, ACIC made an inaccurate and concerning claim about privacy and information security. ACIC claimed "there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communication platform."
</p>

<p>
	 
</p>

<p>
	Encrypted communication platforms, including WhatsApp, Signal, FaceTime and iMessage, are in common use, allowing users to send messages that can only be read by the intended recipients. There are many legitimate reasons law-abiding people may use them. And surveillance systems, no matter how well-intentioned, may have negative effects and be used for different purposes or by different people than those they were designed for.
</p>

<p>
	 
</p>

<p>
	<strong>How surveillance can go wrong</strong>
</p>

<p>
	 
</p>

<p>
	Surveillance systems often produce unintended effects.
</p>

<p>
	 
</p>

<p>
	In 1849, the authorities at Tasmania's Port Arthur penal colony built the Separate Prison, intended as a humane and enlightened method of imprisonment. Based on the ideas of Jeremy Bentham's Panopticon, the design emphasized constant surveillance and psychological control rather than corporal punishment. However, many inmates suffered serious psychological problems resulting from the lack of normal communication with others.
</p>

<p>
	 
</p>

<p>
	From 2006 onwards, Facebook developed a privacy-invading apparatus intended to facilitate making money through targeted advertising. Facebook's system has since been abused by Cambridge Analytica and others for political manipulation, with disastrous consequences for some democracies.
</p>

<p>
	 
</p>

<p>
	In 2018, Australia's parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, with the ostensible purpose of helping police to catch terrorists, pedophiles and other serious criminals. The act gave the Australian Federal Police powers to "add, copy, delete or alter" material on computers. These powers were used the following year to raid the Australian Broadcasting Corporation in connection with a story on alleged war crimes in Afghanistan.
</p>

<p>
	 
</p>

<p>
	These examples demonstrate two facts about security and surveillance. First, surveillance may be used by people of any moral character. Second, a surveillance mechanism may be used by different people, or may achieve a completely different effect, from its original design.
</p>

<p>
	 
</p>

<p>
	We therefore need to consider what avoiding, undermining or even outlawing the use of encrypted platforms would mean for law-abiding members of the community.
</p>

<p>
	 
</p>

<p>
	<strong>Encryption limits the power of security agencies</strong>
</p>

<p>
	 
</p>

<p>
	There are already laws that decide who is allowed to listen to communications taking place over a telecommunications network. While such communications are generally protected, law enforcement and national security agencies can be authorized to intercept them.
</p>

<p>
	 
</p>

<p>
	However, where communications are encrypted, agencies will not automatically be able to retrieve the content of the conversations they intercept. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was passed to enable agencies to get assistance to try to maintain their ability to get access to the (unencrypted) content of communications. For example, they can ask that one or more forms of electronic protection be removed.
</p>

<p>
	 
</p>

<p>
	There are also federal, state and territory laws that can require people to assist law enforcement and national security agencies in accessing (unencrypted) data. There are also numerous proposals to clarify these laws, extend state powers and even to prevent the use of encryption in certain circumstances.
</p>

<p>
	 
</p>

<p>
	<strong>More surveillance power is not always better</strong>
</p>

<p>
	 
</p>

<p>
	While people may hold different views on particular proposals about state powers and encryption, there are some things on which we should all be able to agree.
</p>

<p>
	 
</p>

<p>
	First, facts matter. If the ACIC is wrong about lawful uses of encryption, its assertion should be withdrawn or discounted.
</p>

<p>
	 
</p>

<p>
	Second, people need both security and privacy. In fact, privacy can facilitate security (the more people know about you, the easier it is to trick you, track you and/or harm you).
</p>

<p>
	 
</p>

<p>
	Third, law enforcement and national security agencies need some surveillance powers to do their jobs. Most of the time, this contributes to the social good of public safety.
</p>

<p>
	 
</p>

<p>
	Fourth, more is not necessarily better when it comes to surveillance powers. We must ask what purpose the powers serve, whether they are reasonably necessary for achieving that purpose, whether they are likely to achieve the purpose, what negative consequences might result, and whether the powers are proportionate.
</p>

<p>
	 
</p>

<p>
	<strong>Lawful use of encrypted communication is common</strong>
</p>

<p>
	 
</p>

<p>
	We can only develop good policy in this area if we have the facts on lawful uses of encryption.
</p>

<p>
	 
</p>

<p>
	There are many good reasons for law-abiding citizens to use end-to-end encrypted communication platforms. Parents may send photos or videos of their children to trusted friends or relatives, but prefer not to share them with third parties. The explosion of telehealth during the COVID-19 pandemic has led many patients to clarify that they do not want their consultation with their doctor to be shared with an intermediary such as Facebook or Google (or Huawei or WeChat).
</p>

<p>
	 
</p>

<p>
	Even the New South Wales iVote online voting system—hardly a standout example of excessive security given that it contained a defect that potentially allowed vote manipulation to take place—advertises the use of end-to-end encryption to protect the privacy of votes in transit. The necessity of privacy to protect a citizen's right to vote without coercion is one of the oldest examples of legal privacy requirements.
</p>

<p>
	 
</p>

<p>
	<strong>Undermining encryption will hurt legitimate users</strong>
</p>

<p>
	 
</p>

<p>
	As law-abiding citizens do have legitimate reasons to rely on end-to-end encryption, we should develop laws and policies around government surveillance accordingly. Any legislation that undermines information security across the board will have an impact on lawful users as well as criminals.
</p>

<p>
	 
</p>

<p>
	There will likely be significant disagreement in the community about where to go from there. But we have to get the facts right first.
</p>

<p>
	 
</p>

<p>
	We should not consider legislation to deliberately undermine the communications security of all individuals without acknowledging the potential harm this could cause to law-abiding citizens.
</p>

<p>
	 
</p>

<p>
	<a href="https://techxplore.com/news/2021-05-critics-legitimate-encryptiontheyre-wrong.html" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">10</guid><pubDate>Wed, 19 May 2021 14:37:22 +0000</pubDate></item><item><title>Hackers scan for vulnerable devices minutes after bug disclosure</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-scan-for-vulnerable-devices-minutes-after-bug-disclosure-r7/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Hackers scan for vulnerable devices minutes after bug disclosure</strong></span>
</p>

<p>
	 
</p>

<p>
	Every hour, a threat actor starts a new scan on the public web for vulnerable systems, moving at a quicker pace than global enterprises when trying to identify serious vulnerabilities on their networks.
</p>

<p>
	The adversaries’ efforts increase significantly when critical vulnerabilities emerge, with new internet-wide scans happening within minutes from the disclosure.
</p>

<h3>
	Mind the gap
</h3>

<p>
	Attackers are tireless in their quest for new victims and strive to reach vulnerable systems before they are patched. While companies strive to identify issues on their networks before it’s too late, they move at a much slower pace.
</p>

<p>
	 
</p>

<p>
	The data comes from the Palo Alto Networks Cortex Xpanse research team, who between January and March this year monitored scans from 50 million IP addresses of 50 global enterprises, some of them in the Fortune 500.
</p>

<p>
	 
</p>

<p>
	The researchers found that companies take an average of 12 hours to find a new, serious vulnerability. Almost a third of all identified issues related to the Remote Desktop Protocol, a common target for ransomware actors as they can use it to gain admin access to servers.
</p>

<p>
	 
</p>

<p>
	Misconfigured database servers, zero-day vulnerabilities in critical products from vendors like Microsoft and F5, and insecure remote access (Telnet, SNMP, VNC) complete the list of high-priority flaws.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://www.paloaltonetworks.com/blog/2021/05/rsac-attack-surface-management/" rel="external nofollow">Palo Alto Networks</a>, companies identified one such issue every 12 hours, in stark contrast with the threat actors’ mean time to inventory of just one hour.
</p>

<p>
	 
</p>

<p>
	In some cases, though, adversaries increased the scan frequency to once every 15 minutes when news emerged about a remotely exploitable, critical bug in a networking device, and the interval dropped to five minutes after the disclosure of the <a href="https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/" rel="external nofollow">ProxyLogon</a> bugs in Microsoft Exchange Server and the Outlook Web Access (OWA) issues.
</p>

<p>
	 
</p>

<p>
	Palo Alto Networks recommends security teams look at the following list of services and systems to limit the attack surface.
</p>

<p>
	 
</p>

<p>
	The researchers note that they compiled the list based on two principles: certain things should not be exposed to the public web (bad protocols, admin portals, VPNs) and secure assets may become vulnerable over time.
</p>

<ol>
	<li>
		Remote access services (e.g., RDP, VNC, TeamViewer)
	</li>
	<li>
		Insecure file sharing/exchange services (e.g., SMB, NetBIOS)
	</li>
	<li>
		Unpatched systems vulnerable to public exploit and end-of-life (EOL) systems
	</li>
	<li>
		IT admin system portals
	</li>
	<li>
		Sensitive business operation applications (e.g., Jenkins, Grafana, Tableau)
	</li>
	<li>
		Unencrypted logins and text protocols (e.g., Telnet, SMTP, FTP)
	</li>
	<li>
		Directly exposed Internet of Things (IoT) devices
	</li>
	<li>
		Weak and insecure/deprecated crypto
	</li>
	<li>
		Exposed development infrastructure
	</li>
	<li>
		Insecure or abandoned marketing portals (which tend to run on Adobe Flash)
	</li>
</ol>

<h3>
	Why companies fall behind
</h3>

<p>
	One explanation for this lag in identifying the risks on the network is a faulty vulnerability management process relying on a database of known vulnerabilities.
</p>

<p>
	 
</p>

<p>
	The scanners using this database won’t find new issues until the database receives an update, which may come with a delay of hours, or even days. Furthermore, scanners don’t see all devices on the network.
</p>

<div>
	<p style="margin-left:40px;">
		“Typically, discovery of assets happens just once per quarter and uses a patchwork of scripts and programs the pen-testers have put together to find some of the infrastructure that is potentially vulnerable. Their methods are rarely comprehensive, however, and regularly fail to find all vulnerable infrastructure of a given organization” - Palo Alto Networks
	</p>
</div>

<p>
	 
</p>

<p>
	At the other end, attackers take advantage of the cheap cloud computing power that enables them to run internet-wide scans.
</p>

<p>
	 
</p>

<p>
	Currently, scanning the internet is no longer restricted to well-funded actors. Cloud technology made it possible to set up infrastructure that can “talk” over one port-protocol pair with every device on the public face of the web in just 45 minutes.
</p>

<p>
	 
</p>


<p>
	Source: <a href="https://www.bleepingcomputer.com/news/security/hackers-scan-for-vulnerable-devices-minutes-after-bug-disclosure/" rel="external nofollow">Hackers scan for vulnerable devices minutes after bug disclosure</a>
</p>
]]></description><guid isPermaLink="false">7</guid><pubDate>Wed, 19 May 2021 14:00:17 +0000</pubDate></item></channel></rss>
