<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/77/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Chinese hackers use new Linux malware variants for espionage</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-use-new-linux-malware-variants-for-espionage-r14901/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Hackers are deploying new Linux malware variants in cyberespionage attacks, such as a new PingPull variant and a previously undocumented backdoor tracked as 'Sword2033.' </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">PingPull is a RAT (remote access trojan) first documented by Unit 42 <a href="https://www.bleepingcomputer.com/news/security/gallium-hackers-backdoor-finance-govt-orgs-using-new-pingpull-malware/" rel="external nofollow">last summer</a> in espionage attacks conducted by the Chinese state-sponsored group Gallium, also known as Alloy Taurus. The attacks targeted government and financial organizations in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 continued to monitor these espionage campaigns and <a href="https://unit42.paloaltonetworks.com/alloy-taurus" rel="external nofollow">today reports</a> that the Chinese threat actor uses new malware variants against targets in South Africa and Nepal.</span>
</p>

<h2>
	<span style="font-size:14px;">PingPull on Linux</span>
</h2>

<p>
	<span style="font-size:14px;">The Linux variant of PingPull is an ELF file that only 3 out of 62 anti-virus vendors currently flag as malicious.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 was able to determine it's a port of the known Windows malware by noticing similarities in the HTTP communication structure, POST parameters, AES key, and the commands it receives from the threat actor's C2 server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The commands the C2 sends to the malware are indicated by a single uppercase character in the HTTP parameter, and the payload returns the results to the server via a base64-encoded request.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The parameters and corresponding commands are:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">A – Get the current directory</span>
	</li>
	<li>
		<span style="font-size:14px;">B – List folder</span>
	</li>
	<li>
		<span style="font-size:14px;">C – Read text file</span>
	</li>
	<li>
		<span style="font-size:14px;">D – Write a text file</span>
	</li>
	<li>
		<span style="font-size:14px;">E – Delete file or folder</span>
	</li>
	<li>
		<span style="font-size:14px;">F – Read binary file, convert to hex</span>
	</li>
	<li>
		<span style="font-size:14px;">G – Write binary file, convert to hex</span>
	</li>
	<li>
		<span style="font-size:14px;">H – Copy file or folder</span>
	</li>
	<li>
		<span style="font-size:14px;">I – Rename a file</span>
	</li>
	<li>
		<span style="font-size:14px;">J – Create a Directory</span>
	</li>
	<li>
		<span style="font-size:14px;">K – Timestamp file with a specified timestamp in "%04d-%d-%d %d:%d:%d" format</span>
	</li>
	<li>
		<span style="font-size:14px;">M – Run command</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 comments that the command handlers used in PingPull match those observed in another malware named '<a href="https://www.bleepingcomputer.com/news/security/us-govt-china-sponsored-hackers-targeting-exchange-citrix-f5-flaws/" rel="external nofollow">China Chopper</a>,' a web shell seen heavily used in <a href="https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/" rel="external nofollow">attacks against Microsoft Exchange servers</a>.</span>
</p>
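<p>
	<span style="font-size:14px;">The two traits above (a single uppercase command letter in an HTTP parameter, and results sent back as base64) are enough to build a first-pass hunt over captured web traffic. The following Python routine is an added example, not code from this article or from Unit 42: it scans (method, URL, body) records for a POST whose query string carries a one-letter parameter from the command table and whose body is strictly valid base64. The parameter name "t", the request layout and the sample records are constructed for illustration; the real field names come from Unit 42's report, not from this snippet.</span>
</p>

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Command letters of the PingPull Linux variant, as listed in the article.
PINGPULL_COMMANDS = {
    "A": "get current directory",
    "B": "list folder",
    "C": "read text file",
    "D": "write text file",
    "E": "delete file or folder",
    "F": "read binary file (hex)",
    "G": "write binary file (hex)",
    "H": "copy file or folder",
    "I": "rename file",
    "J": "create directory",
    "K": "timestomp file",
    "M": "run command",
}


def is_strict_base64(data: str) -> bool:
    """True if data is non-empty base64 with a valid alphabet and padding."""
    data = data.strip()
    if not data or len(data) % 4 != 0:
        return False
    try:
        base64.b64decode(data, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def single_letter_params(url: str) -> Dict[str, str]:
    """Return query parameters whose value is exactly one uppercase ASCII letter."""
    out: Dict[str, str] = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for v in values:
            if len(v) == 1 and "A" <= v <= "Z":
                out[name] = v
    return out


def score_request(method: str, url: str, body: str) -> Optional[Dict]:
    """
    Flag a request shaped like PingPull C2 traffic: POST, a one-letter query
    parameter in the known command set, and a strictly base64 body.
    Returns a description of the match, or None.
    """
    if method.upper() != "POST":
        return None
    for name, letter in single_letter_params(url).items():
        if letter in PINGPULL_COMMANDS and is_strict_base64(body):
            return {
                "param": name,
                "command": letter,
                "handler": PINGPULL_COMMANDS[letter],
                "body_len": len(body),
            }
    return None


def hunt(records: List[Tuple[str, str, str]]) -> List[Dict]:
    """Run score_request over (method, url, body) tuples and return the hits."""
    hits = []
    for method, url, body in records:
        match = score_request(method, url, body)
        if match:
            hits.append({"url": url, **match})
    return hits


# Constructed sample traffic. The parameter name "t" is an assumption made
# for this example; it is not taken from the Unit 42 report.
SAMPLE_RECORDS = [
    # Looks like a 'run command' result: one-letter param plus base64 body.
    ("POST", "http://203.0.113.10/api?t=M", base64.b64encode(b"uid=0(root)\n").decode()),
    # One-letter param but the body is not base64: not flagged.
    ("POST", "http://203.0.113.10/api?t=B", "not base64!!"),
    # Ordinary form post: no one-letter uppercase parameter.
    ("POST", "http://203.0.113.10/login?next=home", "user=alice&pw=x"),
    # GET with a one-letter param: ignored, results travel in a POST.
    ("GET", "http://203.0.113.10/api?t=A", ""),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit)
```

<p>
	<span style="font-size:14px;">Treat a hit as a lead rather than a verdict: plenty of legitimate APIs use short parameters and base64 bodies, so the value is in correlating the hit with the source process and the destination, and in the fact that the same structure is shared with the Windows build.</span>
</p>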

<h2>
	<span style="font-size:14px;">Sword2033 details</span>
</h2>

<p>
	<span style="font-size:14px;">Unit 42 also found a new ELF backdoor that communicated with the same command and control server (C2) as PingPull.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is a simpler tool with more basic functions like uploading files on the breached system, exfiltrating files, and executing a command with "; echo &lt;random number&gt;\n" appended to it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The appended echo writes a random number into the command's output (and so into any execution log), possibly to make analysis more challenging or to obfuscate the backdoor's activity.</span>
</p>
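<p>
	<span style="font-size:14px;">That fixed suffix is also a hunting handle: a process that keeps running shell commands ending in "; echo &lt;number&gt;" with a fresh number each time looks nothing like a human at a terminal. The Python below is an added example, not code from this article or from Unit 42. It strips the marker from logged command lines to recover what the operator actually ran, then groups hits by process and keeps only processes that emit the marker repeatedly with differing numbers. The log format and the process name "cachemgr" are constructed for the example.</span>
</p>

```python
import re
from typing import Dict, List, Optional, Tuple

# Sword2033 appends "; echo <random number>\n" to each command it executes
# (per Unit 42, as summarised in the article). Match that trailing marker.
ECHO_MARKER = re.compile(r";\s*echo\s+(\d+)\s*$")


def split_echo_marker(cmdline: str) -> Optional[Tuple[str, int]]:
    """
    If cmdline ends with the "; echo <number>" marker, return
    (operator_command, number); otherwise None.
    """
    m = ECHO_MARKER.search(cmdline.rstrip("\n"))
    if not m:
        return None
    return cmdline[: m.start()].rstrip(), int(m.group(1))


def hunt_command_log(lines: List[str], min_hits: int = 2) -> Dict[str, List[Tuple[str, int]]]:
    """
    Walk a log of executed commands (constructed format: process name, a tab,
    then the command line) and group marker hits by process. A process that
    emits the marker repeatedly with *different* numbers is the signal; a
    single hit could be a human typing something odd.
    Returns {process: [(command, number), ...]} for qualifying processes.
    """
    by_proc: Dict[str, List[Tuple[str, int]]] = {}
    for line in lines:
        proc, _, cmd = line.partition("\t")
        parsed = split_echo_marker(cmd)
        if parsed:
            by_proc.setdefault(proc, []).append(parsed)
    return {
        proc: hits
        for proc, hits in by_proc.items()
        if len(hits) >= min_hits and len({n for _, n in hits}) > 1
    }


# Constructed sample log; not real telemetry.
SAMPLE_LOG = [
    "sshd\tls -la /root",
    "cachemgr\tcat /etc/passwd; echo 48213\n",
    "cachemgr\tuname -a; echo 90117\n",
    "bash\techo 1; echo 2",
    "cachemgr\tid; echo 5",
    "cron\trun-parts /etc/cron.hourly",
]

if __name__ == "__main__":
    for proc, hits in hunt_command_log(SAMPLE_LOG).items():
        for command, number in hits:
            print(f"{proc}: {command!r} (marker {number})")
```

<p>
	<span style="font-size:14px;">Feed it whatever records your host telemetry gives you for exec events (auditd EXECVE records, eBPF exec traces, shell history shipped from servers); the tab-separated layout here is only a stand-in for that source.</span>
</p>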

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 discovered a second Sword2033 sample associated with a different C2 address, one that impersonates the South African military.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The same sample was also linked to a SoftEther VPN address; SoftEther VPN is a product that Gallium is known to use in its operations.</span>
</p>

<p>
	 
</p>

<div>
	
		<span style="font-size:14px;"><img alt="Gallium's C2 map based on malware comms" data-ratio="73.89" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/c2-infra.jpg" /></span>

		
			<p>
				<span style="font-size:14px;">Gallium's C2 map based on malware communication (Unit 42)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The cybersecurity firm comments that this isn't a random choice, as in February 2023, South Africa took part in joint military exercises with Russia and China.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In conclusion, Gallium continues to refine its arsenal and broaden its target range using the new Linux variants of PingPull and the newly discovered Sword2033 backdoor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">With only a handful of anti-virus engines flagging these samples, organizations cannot rely on static, signature-based detection alone; countering this threat calls for a broader strategy that also watches host and network behaviour.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-linux-malware-variants-for-espionage/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14901</guid><pubDate>Thu, 27 Apr 2023 20:03:33 +0000</pubDate></item><item><title>New Atomic macOS info-stealing malware targets 50 crypto wallets</title><link>https://nsaneforums.com/news/security-privacy-news/new-atomic-macos-info-stealing-malware-targets-50-crypto-wallets-r14900/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new macOS information-stealing malware named 'Atomic' (aka 'AMOS') is being sold to cybercriminals via private Telegram channels for a subscription of $1,000 per month.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For this hefty price, buyers get a DMG file containing a 64-bit Go-based malware designed to target macOS systems and steal keychain passwords, files from the local filesystem, passwords, cookies, and credit cards stored in browsers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware also attempts to steal data from over 50 cryptocurrency extensions, which have become a popular target for information-stealing malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For the price, cybercriminals also get a ready-to-use web panel for easy victim management, a MetaMask brute-forcer, a cryptocurrency checker, a dmg installer, and the ability to receive stolen logs on Telegram.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="panel.png" class="ipsImage" data-ratio="76.81" height="540" width="671" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/panel.png" />
		
			<p>
				<span style="font-size:14px;">Atomic's web panel (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The malware was recently spotted by a <a href="https://twitter.com/phd_phuc/status/1651001139750420480" rel="external nofollow">Trellix researcher</a> and researchers at <a href="https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/" rel="external nofollow">Cyble labs</a>, who analyzed a sample of 'Atomic' and reported that the author released a new version on April 25, 2023, so this is an actively developed project.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="telegram.png" class="ipsImage" data-ratio="75.10" height="540" width="523" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/telegram.png" />
		
			<p>
				<span style="font-size:14px;">Latest version of the malware promoted on Telegram (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">At the time of writing, the malicious dmg file goes <a href="https://www.virustotal.com/gui/file/15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709/detection" rel="external nofollow">largely undetected on VirusTotal</a>, where only one out of 59 AV engines flag it as malicious.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As for its distribution, buyers are responsible for setting up their own channels, which may include phishing emails, malvertising, social media posts, instant messages, black SEO, laced torrents, and more.</span>
</p>

<h2>
	<span style="font-size:14px;">Atomic features</span>
</h2>

<p>
	<span style="font-size:14px;">The Atomic Stealer bundles a broad set of data-theft functions, giving its operators plenty to work with once the malware is running on a target system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon executing the malicious dmg file, the malware displays a fake password prompt to obtain the system password, allowing the attacker to gain elevated privileges on the victim's machine.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="system-pass.png" class="ipsImage" data-ratio="41.81" height="286" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/system-pass.png" />
		
			<p>
				<span style="font-size:14px;">Stealing the system password (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">This is a requirement for accessing sensitive information, but a future update might also leverage it for changing system settings or installing additional payloads.</span>
</p>
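<p>
	<span style="font-size:14px;">The article does not say how Atomic draws that prompt. A common way for macOS malware to produce a convincing password box is an AppleScript "display dialog ... with hidden answer" run through osascript, and this added example (not code from the article, Cyble or Trellix) assumes that technique and hunts for it in process-execution records: an osascript invocation whose script text asks for hidden input, spawned by a parent that has no business asking for a password. The event layout, the parent allow-list and the process names are constructed for the example.</span>
</p>

```python
import shlex
from typing import Dict, List

# AppleScript keywords that together produce a password-style dialog:
# "display dialog" draws the box, "hidden answer" masks the text field.
DIALOG_KEYWORDS = ("display dialog", "hidden answer")

# Parents from which a credential dialog is plausible. Constructed allow-list
# for this example; tune it to what your fleet actually runs.
EXPECTED_PARENTS = {"loginwindow", "SecurityAgent", "System Settings"}


def is_password_dialog(argv: List[str]) -> bool:
    """True if argv is an osascript run whose script text asks for hidden input."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return False
    # The script may be split across several -e arguments; join them all.
    script = " ".join(argv[1:]).lower()
    return all(keyword in script for keyword in DIALOG_KEYWORDS)


def hunt_process_events(events: List[Dict]) -> List[Dict]:
    """
    Flag osascript password dialogs spawned by an unexpected parent.
    Each event is {"pid": int, "parent": str, "argv": [str, ...]}.
    """
    hits = []
    for ev in events:
        if is_password_dialog(ev["argv"]) and ev["parent"] not in EXPECTED_PARENTS:
            hits.append({"pid": ev["pid"], "parent": ev["parent"],
                         "cmd": shlex.join(ev["argv"])})
    return hits


# Constructed process-execution events; the names are invented.
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "Installer Helper",
     "argv": ["/usr/bin/osascript", "-e",
              'display dialog "macOS needs your password to continue" '
              'default answer "" with hidden answer with icon caution']},
    {"pid": 502, "parent": "Script Editor",
     "argv": ["osascript", "-e", 'display notification "Build finished"']},
    {"pid": 503, "parent": "Terminal",
     "argv": ["python3", "report.py"]},
    {"pid": 504, "parent": "loginwindow",
     "argv": ["osascript", "-e", 'display dialog "x" with hidden answer']},
]

if __name__ == "__main__":
    for hit in hunt_process_events(SAMPLE_EVENTS):
        print(hit)
```

<p>
	<span style="font-size:14px;">A real deployment would read these events from an endpoint security extension or from the unified log rather than a list, and would add the dialog's icon and window title to the alert, since a lure that borrows system wording and the caution icon is exactly what a victim is most likely to type into.</span>
</p>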

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After this first compromise, the malware attempts to extract the Keychain password. The Keychain is macOS' built-in password manager, which holds WiFi passwords, website logins, credit card data, and other encrypted information.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="keychain.png" class="ipsImage" data-ratio="52.92" height="379" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/keychain.png" />
		
			<p>
				<span style="font-size:14px;">Extracting the Keychain password (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Having done the above, Atomic proceeds to extract information from software that runs on the breached macOS machine, including the following:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Desktop cryptocurrency wallets: Electrum, Binance, Exodus, Atomic</span>
	</li>
	<li>
		<span style="font-size:14px;">Cryptocurrency wallet extensions: 50 extensions are targeted in total, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, Metamask, Yoroi, and BinanceChain.</span>
	</li>
	<li>
		<span style="font-size:14px;">Web browser data: auto-fills, passwords, cookies, and credit cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi.</span>
	</li>
	<li>
		<span style="font-size:14px;">System information: Model name, hardware UUID, RAM size, core count, serial number, and others.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Atomic also gives operators the capability to steal files directly from the victim's 'Desktop' and 'Documents' directories.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the malware must request permission to access these files, which creates an opportunity for victims to realize the malicious activity.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="permission.png" class="ipsImage" data-ratio="52.17" height="372" width="713" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/permission.png" />
		
			<p>
				<span style="font-size:14px;">Atomic requests permission to access files (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">When stealing data, the malware will pack it all into a ZIP file and then send it to the threat actor's command and control server, which Cyble says is located at "amos-malware[.]ru/sendlog."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Of particular interest, the Trellix security researcher noted that the IP address associated with the Atomic command and control server and its build name are also used by the Raccoon Stealer, potentially linking the two operations.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="exfil.png" class="ipsImage" data-ratio="75.10" height="540" width="712" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/exfil.png" />
		
			<p>
				<span style="font-size:14px;">Exfiltrating the stolen data (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">From there, selected information and the ZIP archive are also sent to the operator's private Telegram channel.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although macOS isn't at the epicenter of <a href="https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/" rel="external nofollow">malicious info-stealer activity</a> the way Windows is, it is increasingly being targeted by threat actors of all skill levels.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A North Korean APT group recently deployed a novel macOS info-stealer in the <a href="https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/" rel="external nofollow">3CX supply chain attack</a>, illustrating that Macs are now a target for even state-sponsored hacking groups.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-atomic-macos-info-stealing-malware-targets-50-crypto-wallets/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14900</guid><pubDate>Thu, 27 Apr 2023 20:01:01 +0000</pubDate></item><item><title>Android Minecraft clones with 35M downloads infect users with adware</title><link>https://nsaneforums.com/news/security-privacy-news/android-minecraft-clones-with-35m-downloads-infect-users-with-adware-r14899/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A set of 38 Minecraft copycat games on Google Play infected devices with the Android adware 'HiddenAds' to stealthily load ads in the background to generate revenue for its operators.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Minecraft is a popular sandbox game with 140 million monthly active players, which numerous game publishers have attempted to recreate.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Minecraft-like games hiding adware were downloaded by roughly 35 million Android users worldwide, mainly from the United States, Canada, South Korea, and Brazil.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="map.jpg" class="ipsImage" data-ratio="66.81" height="378" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/4/map.jpg" />
		
			<p>
				<span style="font-size:14px;">HiddenAds victim map (McAfee)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Those users didn't notice the malicious adware activity conducted in the background, as they could play the games as promised. Furthermore, any possible overheating, increased network data, or battery consumption caused by loading many ads may be perceived as caused by the game.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The adware set was discovered by <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hiddenads-spread-via-android-gaming-apps-on-google-play/" rel="external nofollow">McAfee's Mobile Research Team</a>, a member of the App Defense Alliance created to protect Google Play from all types of threats.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">McAfee reported all of the apps to Google, and they have since been removed from the store. The most downloaded apps from this malicious set are listed below:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Block Box Master Diamond – 10 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Craft Sword Mini Fun – 5 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Block Box Skyland Sword – 5 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Craft Monster Crazy Sword – 5 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Block Pro Forrest Diamond – 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Block Game Skyland Forrest – 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Block Rainbow Sword Dragon – 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Craft Rainbow Mini Builder – 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Block Forrest Tree Crazy – 1 million downloads</span>
	</li>
</ul>

<p>
	 
</p>

<div>
	
		<img alt="pop-app.jpg" class="ipsImage" data-ratio="72.78" height="365" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/4/pop-app.jpg" />
		
			<p>
				<span style="font-size:14px;">The most popular of the adware-ridden games (McAfee)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The advertisements are loaded in the background once the user launches the game, but nothing is displayed on the game screen.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Network traffic analysis, though, shows the exchange of several questionable packets generated by ad libraries of Google, AppLovin, Unity, and Supersonic, among others.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="susp-packs.jpg" class="ipsImage" data-ratio="42.22" height="142" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/4/susp-packs.jpg" />
		
			<p>
				<span style="font-size:14px;">Suspicious network packets exchanged in the background (McAfee)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">McAfee reports that the initial network packets on several of the apps share similar structures, using "3.txt" as the path in the form of "https://(random).netlify.app/3.txt," although the domains in each app are different.</span>
</p>
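<p>
	<span style="font-size:14px;">That shared shape (a random netlify.app subdomain, always fetching /3.txt, always as the app's first request) is a usable network signature even though every app beacons to a different host. The following Python is an added example, not code from the article or from McAfee: it parses a constructed proxy log that records the requesting app, flags only requests whose host is a real subdomain of netlify.app and whose path is exactly /3.txt, groups the beacon hosts per app, and checks whether the beacon was that app's initial request. The log format, package names and hostnames are all invented for the example.</span>
</p>

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Beacon shape from McAfee's write-up as summarised in the article:
# https://<random>.netlify.app/3.txt, with a different host in each app.
BEACON_PATH = "/3.txt"
BEACON_HOST_SUFFIX = ".netlify.app"

# Constructed log layout: timestamp client-ip app-package METHOD url
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<app>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def is_hiddenads_beacon(url: str) -> bool:
    """True for <something>.netlify.app/3.txt: a real subdomain and the exact path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.endswith(BEACON_HOST_SUFFIX) and parts.path == BEACON_PATH


def hunt_proxy_log(lines: List[str]) -> Dict[str, List[str]]:
    """
    Return {app_package: [beacon_host, ...]} for every app whose traffic
    contains the 3.txt beacon. Lines that do not parse are skipped.
    """
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_hiddenads_beacon(m["url"]):
            continue
        hits.setdefault(m["app"], []).append(urlsplit(m["url"]).hostname)
    return hits


def first_request_is_beacon(lines: List[str], app: str) -> bool:
    """The article notes the beacon is the app's *initial* packet; check that ordering."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["app"] == app:
            return is_hiddenads_beacon(m["url"])
    return False


# Constructed proxy log; package names and hosts are invented.
SAMPLE_LOG = [
    "2023-04-20T10:01:02Z 10.0.0.5 com.example.blockbox GET https://quiet-haze-1a2b.netlify.app/3.txt",
    "2023-04-20T10:01:03Z 10.0.0.5 com.example.blockbox GET https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js",
    "2023-04-20T10:02:10Z 10.0.0.7 com.example.craftsword GET https://sunny-river-9c8d.netlify.app/3.txt",
    "2023-04-20T10:03:00Z 10.0.0.9 com.example.notes GET https://docs.example.com/3.txt",
    "2023-04-20T10:03:30Z 10.0.0.9 com.example.notes GET https://my-site.netlify.app/index.html",
]

if __name__ == "__main__":
    for app, hosts in hunt_proxy_log(SAMPLE_LOG).items():
        print(app, hosts, "initial request:", first_request_is_beacon(SAMPLE_LOG, app))
```

<p>
	<span style="font-size:14px;">Note the two negative cases: netlify.app hosts plenty of legitimate sites, so the suffix alone proves nothing, and /3.txt on any other host is just a file. It is the combination, plus the fact that the beacon precedes every ad-library request, that makes the pattern worth an alert.</span>
</p>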

<p>
	 
</p>

<div>
	
		<img alt="packets.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/4/packets.jpg" />
		
			<p>
				<span style="font-size:14px;">Initial packets from three of the set's apps (McAfee)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">This, in combination with the similar names of the games, suggests a possible connection between them, making it likely that the same author created the apps. However, McAfee does not explicitly mention any definitive links.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While <a href="https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/" rel="external nofollow">adware apps</a> aren't considered particularly dangerous for users, they can reduce the performance of a mobile device, raise privacy concerns, and even potentially create security loopholes that might expose users to nastier infections.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Android users should check <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hiddenads-spread-via-android-gaming-apps-on-google-play/#:~:text=Indicators%20of%20Compromise%C2%A0" rel="external nofollow">McAfee's report</a> for a complete list of affected apps and manually remove them if they have not been removed already.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/android-minecraft-clones-with-35m-downloads-infect-users-with-adware/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14899</guid><pubDate>Thu, 27 Apr 2023 19:57:33 +0000</pubDate></item><item><title><![CDATA[Hackers are breaking into AT&T email accounts to steal cryptocurrency]]></title><link>https://nsaneforums.com/news/security-privacy-news/hackers-are-breaking-into-att-email-accounts-to-steal-cryptocurrency-r14864/</link><description><![CDATA[<p>
	<span style="font-size:22px;">AT&amp;T says cybercriminals exploited an API issue to take control of victims' email addresses</span>
</p>

<p>
	 
</p>

<p>
	Unknown hackers are breaking into the accounts of people who have AT&amp;T email addresses, and using that access to then hack into the victims’ cryptocurrency exchange accounts and steal their crypto, TechCrunch has learned.
</p>

<p>
	 
</p>

<p>
	At the beginning of the month, an anonymous source told TechCrunch that a gang of cybercriminals has found a way to hack into the email accounts of anyone with an att.net, sbcglobal.net, bellsouth.net or other AT&amp;T email address.
</p>

<p>
	 
</p>

<p>
	According to the tipster, the hackers are able to do that because they have access to a part of AT&amp;T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&amp;T email users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.
</p>

<p>
	 
</p>

<p>
	With a target’s mail key, the hackers can use an email app to log into the target’s account and start resetting passwords for more lucrative services, such as cryptocurrency exchanges. At that point it’s game over for the victim, as the hackers can then reset the victim’s Coinbase or Gemini account password via email.
</p>

<p>
	 
</p>

<p>
	The tipster provided a list of alleged victims. Two of the victims replied, confirming they have been hacked.
</p>

<p>
	 
</p>

<p>
	AT&amp;T spokesperson Jim Kimberly said that the company “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”
</p>

<p>
	 
</p>

<p>
	“We have updated our security controls to prevent this activity. As a precaution, we also proactively required a password reset on some email accounts,” the spokesperson said.
</p>

<p>
	 
</p>

<p>
	AT&amp;T declined to say how many people have been hit in this wave of hacks. But the company, “as a precaution,” has locked some email accounts, forcing their owners to reset their passwords.
</p>

<p>
	 
</p>

<p>
	“This process wiped out any secure mail keys that had been created,” the spokesperson added.
</p>

<p>
	 
</p>

<p>
	One victim told TechCrunch that hackers stole $134,000 from his Coinbase account. The second victim said that “it has been happening repeatedly since November 2022 — probably 10 times at this point. I notice it has been done when my Outlook client fails to ‘connect’ and I quickly login to my [AT&amp;T] site and delete their key and create a new one.”
</p>

<p>
	 
</p>

<p>
	“Very frustrating because it is obvious that the ‘hackers’ have direct access to the database or files containing these customer Outlook keys, and the hackers don’t need to know the user’s AT&amp;T website login to access and change these outlook login keys,” the victim added.
</p>

<p>
	 
</p>

<p>
	Also, several people with AT&amp;T and other related email addresses said on Reddit that they have been hacked.
</p>

<p>
	 
</p>

<p>
	“Hello, my email was compromised back in March of this year and I have done everything I can to reset password, security questions, etc but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one user wrote. “They would even delete the email notification so I don’t see it but I recently changed to another email for profile updates so they don’t have access. This sounds like someone still has access to my account but how?”
</p>

<p>
	 
</p>

<p>
	Another person wrote: “I’ve had the same issue for months and just started again, password wasn’t changed but account locked out and a Mail Key keeps being created somehow.”
</p>

<p>
	 
</p>

<p>
	The tipster claims that the hackers can “reset any” AT&amp;T email account, and that they have made between $15 and $20 million in stolen crypto. (TechCrunch could not independently verify the tipster’s claim.)
</p>

<p>
	 
</p>

<p>
	TechCrunch has seen a screenshot apparently coming from a Telegram group chat, where one of the hackers claims that the gang “have the entire AT&amp;T employee database,” which allows them to access an internal AT&amp;T portal for employees called OPUS.
</p>

<p>
	 
</p>

<p>
	“Only thing we are missing is a certificate, which is the last key to accessing the [AT&amp;T] VPN servers,” the hacker wrote in the Telegram channel, according to the screenshot.
</p>

<p>
	 
</p>

<p>
	The tipster said that the gang now has access to AT&amp;T’s internal VPN.
</p>

<p>
	 
</p>

<p>
	Kimberly, AT&amp;T’s spokesperson, denied that the hackers had any access to internal company systems. “There was no intrusion into any system for this exploit. The bad actors used an API access.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2023/04/26/hackers-are-breaking-into-att-email-accounts-to-steal-cryptocurrency/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14864</guid><pubDate>Wed, 26 Apr 2023 20:59:41 +0000</pubDate></item><item><title>Has Multi-Factor Authentication Failed Us?</title><link>https://nsaneforums.com/news/security-privacy-news/has-multi-factor-authentication-failed-us-r14863/</link><description><![CDATA[<p>
	<span style="font-size:22px;">More and more companies are requiring multi-factor authentication internally, yet data breaches are on the rise. Is MFA still the best way to protect our online accounts?</span>
</p>

<p>
	 
</p>

<p>
	We at PCMag frequently exhort our readers to enable multi-factor authentication (MFA) whenever it’s available. Without MFA, any schmoe who steals, hacks, or guesses your password can access the related account. When MFA is engaged, the password isn’t enough. Getting into the account also requires another factor, like a fingerprint, or a security key.
</p>

<p>
	 
</p>

<p>
	For your personal accounts, MFA is usually optional, but businesses can require it for access to their internal systems. More companies than ever support MFA, yet 2022 was a terrible year for data breaches. Did MFA fail us?
</p>

<p>
	 
</p>

<p>
	A presentation at the RSA Conference in San Francisco explored this topic in detail, using prominent examples of data breaches involving MFA. The presenter, Dave Taku, is the Senior Director for Product Management and User Interface at RSA Security, a company whose business includes providing MFA to businesses. (Note that RSA Security is not directly connected with the RSA Conference.)
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>A Terrible Year for Breaches</strong></span>
</p>

<p>
	 
</p>

<p>
	Taku led by noting that according to one survey, 78% of organizations were using MFA in 2022, up from 28% in 2017. So why are successful attacks on the rise? He presented a quote from author and philosopher Aldous Huxley for the audience’s consideration: “There is a law of Reversed Effort. The harder we try with the conscious will to do something, the less we shall succeed.”
</p>

<p>
	 
</p>

<p>
	“Is that what we’re facing? The harder we try with MFA, the less successful we’re becoming at it?” said Taku. “I would argue that in this particular case, maybe that law doesn’t apply. It’s not because MFA is becoming less effective, it’s because the attack surface is increasing.”
</p>

<p>
	 
</p>

<p>
	Taku discussed three specific attacks involving three different vectors: MFA configuration, the MFA provider, and the MFA user. None attacked the authentication technology directly; rather they circumvented it. “MFA is still your best defense,” said Taku.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Attack on MFA Configuration</strong></span>
</p>

<p>
	 
</p>

<p>
	In March 2022, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) reported on a state-sponsored attack against an unspecified non-governmental organization. The attackers identified an orphaned account within the organization, one not associated with any individual. With nobody using the account, there was nobody to notice as the attackers brute-forced the account password.
</p>

<p>
	 
</p>

<p>
	Having acquired the password, the attackers used it to enroll in MFA. With the now-verified account, they gained access to the VPN, and leveraged that into cracking the Domain Controller. The Domain Controller itself required MFA, but the attackers managed to block the MFA response, and because the integration was configured to fail open, the controller simply skipped MFA when it got no answer. Now at the pinnacle of control, the attacking group retained access to the NGO’s network for 10 months.
</p>

<p>
	 
</p>

<p>
	“Multi-factor authentication needs multi-factor enrollment,” noted Taku. It shouldn’t have been possible to enroll just using a stolen password. He listed numerous possibilities, among them credentials handed out in person, a one-time password, or a PIN sent to the employee’s registered email or mobile.
</p>
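<p>
	Both weaknesses in that intrusion are policy decisions that can be written down and checked. The Python below is an added example, not from the presentation or from PCMag: it models a tiny directory with one live user and one orphaned service account, shows password-only enrollment beside enrollment that also demands a one-time code delivered to the registered owner (an orphaned account has no owner, so it cannot enroll at all), and puts a fail-open MFA gate beside a fail-closed one when the MFA response never arrives. The account names, passwords and enrollment code are constructed for the example, and passwords are held in plaintext only to keep the simulation short.
</p>

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    name: str
    password: str                   # plaintext only for the simulation; real stores keep hashes
    owner: Optional[str]            # None marks an orphaned account with no human behind it
    enrolled_factor: Optional[str] = None


@dataclass
class Directory:
    accounts: Dict[str, Account]
    # One-time enrollment codes already delivered out of band to the account owner.
    pending_codes: Dict[str, str] = field(default_factory=dict)


def build_directory() -> Directory:
    """Constructed directory: one live user, one orphaned service account with a weak password."""
    return Directory(
        accounts={
            "alice": Account("alice", "correct horse battery staple", owner="alice"),
            "svc-backup": Account("svc-backup", "Summer2021!", owner=None),
        },
        pending_codes={"alice": "482913"},   # simulates a code sent to alice's registered phone
    )


def password_ok(directory: Directory, name: str, password: str) -> bool:
    acct = directory.accounts.get(name)
    return acct is not None and hmac.compare_digest(acct.password, password)


def enroll_factor_weak(directory: Directory, name: str, password: str, factor: str) -> bool:
    """Password-only enrollment: whoever holds the password registers *their* device."""
    if not password_ok(directory, name, password):
        return False
    directory.accounts[name].enrolled_factor = factor
    return True


def enroll_factor_hardened(directory: Directory, name: str, password: str,
                           factor: str, code: str) -> bool:
    """
    Multi-factor enrollment: password plus a one-time code delivered to the
    registered owner. An orphaned account has no owner, so it cannot enroll.
    """
    acct = directory.accounts.get(name)
    if acct is None or acct.owner is None or not password_ok(directory, name, password):
        return False
    expected = directory.pending_codes.get(name)
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    del directory.pending_codes[name]      # single use
    acct.enrolled_factor = factor
    return True


def authorize(first_factor_ok: bool, mfa_response: str, fail_mode: str) -> bool:
    """
    MFA gate. mfa_response is 'approve', 'deny' or 'unreachable'; fail_mode is
    'open' or 'closed'. 'unreachable' is what the attackers produced by breaking
    the MFA response path; only a fail-closed gate treats that as a denial.
    """
    if not first_factor_ok:
        return False
    if mfa_response == "approve":
        return True
    if mfa_response == "deny":
        return False
    return fail_mode == "open"


def simulate(hardened_enrollment: bool, fail_mode: str) -> Dict[str, bool]:
    """Replay the NGO intrusion against a chosen enrollment policy and fail mode."""
    directory = build_directory()
    guessed = "Summer2021!"             # the brute-forced orphaned-account password
    if hardened_enrollment:
        enrolled = enroll_factor_hardened(directory, "svc-backup", guessed, "totp:attacker", "000000")
    else:
        enrolled = enroll_factor_weak(directory, "svc-backup", guessed, "totp:attacker")
    # VPN: the attacker holds the factor they enrolled, so MFA approves.
    vpn = enrolled and authorize(True, "approve", fail_mode)
    # Domain controller: the attacker silences the MFA response.
    dc = vpn and authorize(True, "unreachable", fail_mode)
    return {"enrolled": enrolled, "vpn": vpn, "domain_controller": dc}


if __name__ == "__main__":
    for hardened in (False, True):
        for mode in ("open", "closed"):
            print(f"hardened_enrollment={hardened} fail_mode={mode}:", simulate(hardened, mode))
```

<p>
	Run the four combinations and the story falls out of the table: weak enrollment plus fail-open reproduces the breach end to end, fail-closed alone still leaves the VPN exposed, and hardened enrollment stops the chain at the first step regardless of fail mode. Disabling or deleting orphaned accounts removes the starting point altogether.
</p>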

<p>
	<br />
	<span style="font-size:22px;"><strong>Attack on the MFA Provider</strong></span>
</p>

<p>
	 
</p>

<p>
	Also in March 2022, a group dubbed LAPSUS$ hacked multiple companies, among them Microsoft, Nvidia, and authentication provider Okta. The attackers wisely avoided directly challenging Okta, instead working to compromise a subcontractor, Sitel. That attack gained the attackers administrator powers, in part due to modifying a file called DomainAdmins-LastPass. This gave them the ability to reset passwords for Okta customers at over 360 companies.
</p>

<p>
	 
</p>

<p>
	“I work for RSA, a competitor of Okta,” said Taku, “but I’m not here to bash Okta. Okta did a good job of containment but got a black eye for lack of transparency.”
</p>

<p>
	 
</p>

<p>
	Taku then delved into a somewhat technical area called risk-based identity intelligence, explaining that “when a user authenticates, it’s more than just presenting a credential.” He noted that it’s important to dynamically validate that the access makes sense and check all available factors to verify the user’s identity.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Attack on the MFA User</strong></span>
</p>

<p>
	 
</p>

<p>
	The third example breach involved Uber, in September 2022. The hacker obtained an Uber employee’s Active Directory password. “Was it brute force? Social engineering? We don’t know,” said Taku, “but they’ve got the first factor of authentication already.”
</p>

<p>
	 
</p>

<p>
	“Access was protected by two-factor authentication using mobile push,” continued Taku. “A push notification comes to your phone and says, is this you? Approve or deny.” The hacker triggered the push notification over and over, hoping the user would, through fatigue or error, approve the connection. Taku noted his approval of the term “Prompt Bombing” for this attack.
</p>

<p>
	 
</p>

<p>
	When that doesn’t work, the attacker calls the victim claiming to be the Uber help desk. “We’re running a test. Can you please approve this time?” said Taku. “It’s just an old-school social engineering attack.” In the end, the attacker gained access to Uber’s cache of reported (but not fixed) bugs, setting up for further attacks.
</p>

<p>
	 
</p>

<p>
	Taku pointed out that this sort of attack can be foiled by a system that locks the account after so many failed login attempts. He also noted that there are push authentication techniques that force user engagement, such as asking users to tap a particular code in the mobile app. The forced engagement negates the MFA fatigue induced by prompt bombing.
</p>

<p>
	 
</p>

<p>
	Taku went on to note that FIDO authentication using passkeys can also serve as a form of MFA that’s tough to crack, but he came down on current efforts to make passkeys portable. “Now all I need is your iCloud password and I can download your FIDO keys,” he noted. “It’s great for convenience, terrible for security.”
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>MFA Is Still the Way</strong></span>
</p>

<p>
	 
</p>

<p>
	Taku wrapped up with three takeaways for the audience.
</p>

<p>
	 
</p>

<ul>
	<li>
		82% of attacks involve the human element. “We should use invisible authentication enhancements, so we’re not vulnerable to human error,” said Taku.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		“MFA is still your best first line of defense,” he said. “Three high-profile attacks involving MFA, but none of them was a fundamental breach of the underlying MFA technology.”
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Security involves more than just MFA. Taku floated enhancements such as Zero Trust principles, Identity Governance, and securing MFA enrollment.
	</li>
</ul>

<p>
	 
</p>

<p>
	So, there you have it. Multi-Factor Authentication is still the best way to authenticate, far better than passwords. Breaches that seem to involve MFA all turn out to be techniques for circumventing it.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/has-multi-factor-authentication-failed-us" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14863</guid><pubDate>Wed, 26 Apr 2023 20:46:57 +0000</pubDate></item><item><title>This dangerous new malware also has ransomware capabilities</title><link>https://nsaneforums.com/news/security-privacy-news/this-dangerous-new-malware-also-has-ransomware-capabilities-r14862/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Daam malware found targeting Android devices</span>
</p>

<p>
	 
</p>

<p>
	A new Android malware variant has been found that’s capable of hiding from antivirus programs, stealing sensitive data, and even deploying ransomware on the infected endpoints.
</p>

<p>
	 
</p>

<p>
	Cybersecurity experts from CloudSEK’s Threat Intelligence Research Team discovered the malware, which they dubbed “Daam”.
</p>

<p>
	 
</p>

<p>
	The malware was communicating with “various Android APK files”, the researchers said, suggesting that this was a “likely source of infection”.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Recording calls</strong></span>
</p>

<p>
	 
</p>

<p>
	Once deployed on a device, the malware will first try to circumvent security checks on a range of mobile brands. If it successfully manages to hide from antivirus programs, it will try to get highly sensitive permissions, such as the ability to record audio, read history bookmarks, kill background processes, and read call logs.
</p>

<p>
	 
</p>

<p>
	The malware is also able to record all ongoing calls, both cellular and VoIP ones, and later transmit them to the command &amp; control (C2) server.
</p>

<p>
	 
</p>

<p>
	Daam is also capable of stealing contacts from the victim's device, including newly added contacts.
</p>

<p>
	 
</p>

<p>
	In other words, even your WhatsApp calls wouldn’t be safe from eavesdropping, and the files you store on your mobile device could be stolen.
</p>

<p>
	 
</p>

<p>
	To make matters worse, the malware was also observed to have ransomware capabilities. The researchers say Daam is able to encrypt the files present in the root directory and on the SD card using the AES algorithm. It also drops a “readme_now.txt” file - most likely a ransom note.
</p>

<p>
	 
</p>

<p>
	After the encryption, all other files are deleted from local storage, leaving only the encrypted files with a .enc extension on the device.
</p>

<p>
	 
</p>

<p>
	The malware is being distributed through third-party websites, the researchers said, finding a total of three apps being circulated: Psiphon Client for Android and Windows - circumvention software for Windows and Android that bypasses paywalls and other censored content; Boulders - a mobile game; and Currency Pro - a currency converter.
</p>

<p>
	 
</p>

<p>
	As usual, to stay safe, make sure to download apps only from legitimate sources, and to check reviews and user comments before downloading anything.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/this-dangerous-new-malware-also-has-ransomware-capabilities" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14862</guid><pubDate>Wed, 26 Apr 2023 20:41:17 +0000</pubDate></item><item><title>Intel CPUs vulnerable to new transient execution side-channel attack</title><link>https://nsaneforums.com/news/security-privacy-news/intel-cpus-vulnerable-to-new-transient-execution-side-channel-attack-r14813/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new attack was discovered by researchers at Tsinghua University, the University of Maryland, and a computer lab (BUPT) run by the Chinese Ministry of Education, and it differs from most other side-channel attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Instead of relying on the cache system like many other side-channel attacks, this new attack leverages a flaw in transient execution that makes it possible to extract secret data from user memory space through timing analysis.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attack works as a side channel to Meltdown, a critical security flaw discovered in 2018, <a href="https://www.bleepingcomputer.com/news/security/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws/" rel="external nofollow">impacting many x86-based microprocessors</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Meltdown exploits a performance optimization feature called “speculative execution” to enable attackers to bypass memory isolation mechanisms to access secrets stored in kernel memory like passwords, encryption keys, and other private data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Meltdown has been <a href="https://www.bleepingcomputer.com/news/security/heres-the-status-of-meltdown-and-spectre-mitigations-in-windows/" rel="external nofollow">largely mitigated</a> through software patches, microcode updates, and hardware redesigns; however, no solution has addressed the problem 100%, and the latest attack method might work even in fully patched systems depending on hardware, software, and patch configurations.</span>
</p>

<h2>
	<span style="font-size:14px;">Transient execution timing attack</span>
</h2>

<p>
	<span style="font-size:14px;">The new side-channel attack presented in a <a href="https://arxiv.org/pdf/2304.10877.pdf" rel="external nofollow">technical paper published on Arxiv.org</a> describes a flaw in the change of the EFLAGS register in transient execution, affecting the timing of JCC (jump on condition code) instructions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The EFLAGS register is a CPU register that holds various flags related to the processor’s state, while the JCC instruction is a CPU instruction that allows conditional branching based on the content of the EFLAGS register.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attack is carried out in two phases: the first triggers transient execution and encodes secret data through the EFLAGS register, and the second measures the execution time of the JCC instruction to decode the data.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="attack-overview.jpg" class="ipsImage" data-ratio="63.75" height="388" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/3/attack-overview.jpg" />
		
			<p>
				<span style="font-size:14px;">Attack overview (arxiv.org)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The experimental data showed that the attack achieved 100% data retrieval (leak) for the Intel i7-6700 and Intel i7-7700 and had some success against the newer Intel i9-10980XE CPU. The experiment was conducted on Ubuntu 22.04 jammy with Linux kernel version 5.15.0.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="pseudocode.jpg" class="ipsImage" data-ratio="112.29" height="539" width="480" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/3/pseudocode.jpg" />
		
			<p>
				<span style="font-size:14px;">Pseudocode for timing the transient execution attack (arxiv.org)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">However, the researchers note that this timing attack isn’t as reliable as cache-state side-channel methods, and to get better results in recent chips, the attack would have to be repeated thousands of times.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“In our experiment, we found that the influence of the EFLAGS register on the execution time of Jcc instruction is not as persistent as the cache state,” reads the part about the evaluation of the experimental data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“For about 6-9 cycles after the transient execute, the Jcc execute time will not be about to construct a side-channel. Empirically, the attack needs to repeat thousands of times for higher accuracy.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers admit that the root causes of the attack remain elusive and hypothesize that there’s a buffer in the execution unit of the Intel CPU, which needs time to revert if the execution should be withdrawn, a process that causes a stall if the ensuing instruction depends on the target of the buffer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, they still propose some non-trivial mitigations, such as changing the implementation of the JCC instruction to make adversarial execution measuring impossible under any condition, or rewriting the EFLAGS after transient execution to reduce its influence over the JCC instruction.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new-transient-execution-side-channel-attack/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">14813</guid><pubDate>Mon, 24 Apr 2023 20:40:15 +0000</pubDate></item><item><title>Microsoft pushes for more women in cybersecurity</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-pushes-for-more-women-in-cybersecurity-r14787/</link><description><![CDATA[<p>
	<span style="font-size:14px;"><strong>Redmond tops industry average, still got a way to go</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft has partnered with organizations around the globe to bring more women into infosec roles, though the devil is in the details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The move aims to help close the <a href="https://www.theregister.com/2022/11/20/google_cisco_diversity_inclusion/" rel="external nofollow">security skills gap</a>, as the demand for people to defend against cyberattacks continues to outpace the supply of trained professionals. And it also addresses the industry's lack of inclusion, especially when it comes to hiring women, according to Microsoft Corporate VP Kate Behncken. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We must create more inclusive and supportive learning environments, and we see greater success in building confidence and soft skills among women with cohorts that are majority women," Behncken <a href="https://blogs.microsoft.com/on-the-issues/2023/04/19/cybersecurity-skills-initiative-expansion-nonprofits/" rel="external nofollow">said</a> in a blog post announcing the new partnerships.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Specifically, the new Redmond partners include:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;"><a href="https://womcy.org/" rel="external nofollow">WOMCY</a>, a nonprofit focused on growing infosec opportunities for women in the US, Latin America and the Caribbean.</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://women4cyber.eu/" rel="external nofollow">Women4Cyber</a>, a nonprofit working to increase women in cybersecurity jobs in Europe.</span>
	</li>
	<li>
		<span style="font-size:14px;">The UN's International Telecommunications Union, supporting its <a href="https://www.itu.int/en/ITU-D/Cybersecurity/Pages/Women-in-Cyber/Women-in-Cyber-Mentorship-Programme.aspx" rel="external nofollow">Women in Cyber Mentorship Program</a> with an emphasis on the Middle East, Africa, and Asia.</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://www.wicys.org/" rel="external nofollow">WiCyS</a>, a global organization that seeks to facilitate recruitment, retention and advancement for women in the field.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, Microsoft says it's partnering at the country and local level with organizations like the Kosciuszko Institute in Poland, which offers a skills and internship program for women, including Ukrainian refugees. The tech giant counts this, and "more than 20" other similarly focused nonprofit organizations among its partners, according to Behncken.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Whether these efforts will work to put a dent in the gender inequality that, as <a href="https://www.theregister.com/2023/03/13/cisa_joins_forces_with_women/" rel="external nofollow">we've pointed out before</a>, has long plagued the industry remains to be seen. We sincerely hope it's more than slick marketing efforts coming out of Redmond, but only time will tell. </span>
</p>

<div>
	<div>
		 
	</div>
</div>

<p>
	<span style="font-size:14px;">"When I <a href="https://www.theregister.com/2015/09/17/microsoft_hit_with_gender_discrimination_lawsuit/" rel="external nofollow">sued Microsoft</a> for gender discrimination in pay and promotions, it was because women are historically hired at lower levels and salaries than men and are promoted at a much slower rate," Luta Security founder and CEO Katie Moussouris told The Register. "Our careers languish despite better education, experience, and performance compared to our male peers. This is still true across every industry."</span>
</p>

<h3>
	<span style="font-size:14px;">That said</span>
</h3>

<p>
	<span style="font-size:14px;">Historically women were at the forefront of software development, but since the 1980s at least participation has <a href="https://www.theregister.com/2016/03/09/womens_day/" rel="external nofollow">declined</a> sharply.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The industry remains largely an <a href="https://www.theregister.com/2022/10/15/infosec_boys_club/" rel="external nofollow">all-boys club</a>, with women making up just a quarter of the cybersecurity workforce as of 2021, and those who are in the 25 percent get paid and promoted less, and leave the workforce faster than their male counterparts. </span>
</p>

<p>
	<span style="font-size:14px;">(ISC)2's 2022 cybersecurity workforce research found these numbers are slightly better among the under-30 crowd, where women account for 30 percent of the workforce [<a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" rel="external nofollow">PDF</a>]. </span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">But sadly that number drops to 24 percent between the ages of 30 and 38, then down to 13 percent among 39 to 49-year-olds, 12 percent for 50 to 59-year-olds, and 14 percent for the over-60s.  </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Simply hiring more women in infosec roles — or into any given industry — isn't sufficient, Moussouris said. "That won't solve the problems of economic injustice. Until we pledge pay transparency and active correction of pay and promotion inequity, all the women joining the workforce will only continue to stagnate and suffer and struggle."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Moussouris called on organizations to take the <a href="https://www.payequitynowfoundation.org/post/put-your-pay-equity-where-your-dei-mouth-is" rel="external nofollow">Pay Equity Now Pledge</a>, and commit to audit for and correct pay and promotion inequity. Additionally, companies can support Penn State Law School's <a href="https://www.manglonalab.org/abou" rel="external nofollow">Manglona Lab</a>, named after Moussouris' late mother, which, among other things, does gender equality legal work, she added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The gender pay gap isn't projected to close in our lifetimes, with women of color projected to reach pay parity with white men in over 200 years," Moussouris said. "We cannot afford to wait. Little girls born today will not see economic justice until we decide as a society to enforce it."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At Microsoft — one of the largest security vendors globally — women comprised 30.7 percent [<a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5aCrh" rel="external nofollow">PDF</a>] of its core workforce worldwide at the end of 2022. Redmond's annual Diversity and Inclusion report didn't specify how that breaks down specific to Microsoft's security biz. We've requested that info, and will update this article when and if we hear back.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">We'll also be keeping an eye on how <a href="https://www.theregister.com/2023/01/18/microsoft_job_cuts/" rel="external nofollow">this year's layoffs</a> affect its D&amp;I breakdown.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Admittedly, Microsoft is beating the industry average when it comes to hiring and retaining women. But as a tech leader, we'd expect it to lead by example, and it's still got a ways to go before its employee base — and infosec team — looks like the larger population it serves.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.theregister.com/2023/04/21/microsoft_women_cybersecurity/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14787</guid><pubDate>Sun, 23 Apr 2023 19:29:19 +0000</pubDate></item><item><title>Google ads push BumbleBee malware used by ransomware gangs</title><link>https://nsaneforums.com/news/security-privacy-news/google-ads-push-bumblebee-malware-used-by-ransomware-gangs-r14783/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Bumblebee is a malware loader <a href="https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/" rel="external nofollow">discovered</a> in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In September 2022, a new version of the malware loader was observed in the wild, featuring a <a href="https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/" rel="external nofollow">stealthier attack chain</a> that used the PowerSploit framework for reflective DLL injection into memory.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Researchers at <a href="https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads" rel="external nofollow">Secureworks</a> have recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver the malware loader to unsuspecting victims.</span>
</p>

<h2>
	<span style="font-size:14px;">Hiding in popular apps</span>
</h2>

<p>
	<span style="font-size:14px;">One of the campaigns seen by Secureworks started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023, and hosted on an "appcisco[.]com" domain.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site," explains Secureworks' report.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="page.jpg" class="ipsImage" data-ratio="75.10" height="440" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/27/page.jpg" />
		
			<p>
				<span style="font-size:14px;">Fake Cisco software download portal (Secureworks)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">This fake landing page promoted a trojanized MSI installer named "cisco-anyconnect-4_9_0195.msi" that installs the BumbleBee malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon execution, a copy of the legitimate program installer and a deceptively named (cisco2.ps1) PowerShell script is copied to the user's computer.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="files.png" class="ipsImage" data-ratio="33.19" height="122" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/27/files.png" />
		
			<p>
				<span style="font-size:14px;">Files dropped by the malicious MSI (Secureworks)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The CiscoSetup.exe is the legitimate installer for AnyConnect, installing the application on the device to avoid suspicion.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the PowerShell script installs the BumbleBee malware and conducts malicious activity on the compromised device.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script," explains Secureworks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"It also contains an encoded Bumblebee malware payload that it reflectively loads into memory."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This means that Bumblebee still uses the same post-exploitation framework module to load the malware into memory without raising any alarms from existing antivirus products.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Secureworks found other software packages with similarly named file pairs, such as ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1, and CitrixWorkspaceApp.exe and citrix.ps1.</span>
</p>

<h2>
	<span style="font-size:14px;">A path to ransomware</span>
</h2>

<p>
	<span style="font-size:14px;">Considering that the trojanized software targets corporate users, infected devices are likely starting points for ransomware attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Secureworks examined one of the recent Bumblebee attacks closely. They found that the threat actor leveraged their access to the compromised system to move laterally in the network approximately three hours after the initial infection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The tools the attackers deployed on the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This arsenal creates an attack profile that makes it very likely that the malware operators are interested in identifying accessible network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/google-ads-push-bumblebee-malware-used-by-ransomware-gangs/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14783</guid><pubDate>Sun, 23 Apr 2023 19:07:44 +0000</pubDate></item><item><title>Microsoft issues PowerShell scripts for multiple Windows 11, Windows 10 security flaws</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-powershell-scripts-for-multiple-windows-11-windows-10-security-flaws-r14782/</link><description><![CDATA[<p>
	Last month Microsoft <a href="https://www.neowin.net/news/microsoft-issues-powershell-scripts-to-fix-winre-bitlocker-bypass-on-windows-11-windows-10/" rel="external nofollow">issued PowerShell scripts</a> for automating WinRE updates to address a BitLocker bypass security vulnerability. Now the company has released PowerShell scripts again, though this time they are for multiple speculative execution side-channel CPU vulnerabilities on Windows 11 and Windows 10. For example, one of these is the memory mapped IO (MMIO) flaw, which recently received updated patches <a href="https://www.neowin.net/news/microsoft-intel-release-security-update-for-mmio-vulnerability-on-windows-10-server-2016/" rel="external nofollow">on Windows 10 and Server</a>. The scripts are meant to help verify the status of the mitigations for these vulnerabilities.
</p>

<p>
	 
</p>

<p>
	The official Microsoft document explains:
</p>

<p>
	 
</p>

<p>
	To help you verify the status of speculative execution side-channel mitigations, we published a PowerShell script (SpeculationControl) that can run on your devices. This article explains how to run the SpeculationControl script and what the output means.
</p>

<p>
	 
</p>

<p>
	Security advisories <a class="ocpExternalLink" href="https://msrc.microsoft.com/update-guide/vulnerability/adv180002" target="_blank" rel="external nofollow">ADV180002</a>, <a class="ocpExternalLink" href="https://msrc.microsoft.com/update-guide/vulnerability/ADV180012" target="_blank" rel="external nofollow">ADV180012</a>, <a class="ocpExternalLink" href="https://msrc.microsoft.com/update-guide/vulnerability/ADV180018" target="_blank" rel="external nofollow">ADV180018</a>, and <a class="ocpExternalLink" href="https://msrc.microsoft.com/update-guide/vulnerability/ADV190013" target="_blank" rel="external nofollow">ADV190013</a> cover the following nine vulnerabilities:
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			CVE-2017-5715 (branch target injection)
		</p>
	</li>
	<li>
		<p>
			CVE-2017-5753 (bounds check bypass)<br />
			<strong>Note</strong> Protection for CVE-2017-5753 (bounds check) does not require additional registry settings or firmware updates.
		</p>
	</li>
	<li>
		<p>
			CVE-2017-5754 (rogue data cache load)
		</p>
	</li>
	<li>
		<p>
			CVE-2018-3639 (speculative store bypass)
		</p>
	</li>
	<li>
		<p>
			CVE-2018-3620 (L1 terminal fault – OS)
		</p>
	</li>
	<li>
		<p>
			CVE-2018-11091 (Microarchitectural Data Sampling Uncacheable Memory (MDSUM))
		</p>
	</li>
	<li>
		<p>
			CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling (MSBDS))
		</p>
	</li>
	<li>
		<p>
			CVE-2018-12127 (Microarchitectural Load Port Data Sampling (MLPDS))
		</p>
	</li>
	<li>
		<p>
			CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling (MFBDS))
		</p>

		<p>
			 
		</p>
	</li>
</ul>

<p>
	Advisory <a class="ocpExternalLink" href="https://msrc.microsoft.com/update-guide/vulnerability/ADV220002" target="_blank" rel="external nofollow">ADV220002</a> covers additional <a href="https://www.neowin.net/news/microsoft-intel-release-security-update-for-mmio-vulnerability-on-windows-10-server-2016/" rel="external nofollow">Memory-Mapped I/O (MMIO) related vulnerabilities</a>:
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			CVE-2022-21123 - Shared Buffer Data Read (SBDR)
		</p>
	</li>
	<li>
		<p>
			CVE-2022-21125 - Shared Buffer Data Sampling (SBDS)
		</p>
	</li>
	<li>
		<p>
			CVE-2022-21127 - Special Register Buffer Data Sampling Update (SRBDS Update)
		</p>
	</li>
	<li>
		<p>
			CVE-2022-21166 - Device Register Partial Write (DRPW)
		</p>

		<p>
			 
		</p>
	</li>
</ul>

<p>
	You can find the PowerShell scripts and more details on the official Microsoft support document here (<a href="https://support.microsoft.com/en-us/help/4074629" rel="external nofollow">KB4074629</a>).
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-issues-powershell-scripts-for-multiple-windows-11-windows-10-security-flaws/" rel="external nofollow">Microsoft issues PowerShell scripts for multiple Windows 11, Windows 10 security flaws</a>
</p>
]]></description><guid isPermaLink="false">14782</guid><pubDate>Sun, 23 Apr 2023 19:05:05 +0000</pubDate></item><item><title>Decoy Dog malware toolkit found after analyzing 70 billion DNS queries</title><link>https://nsaneforums.com/news/security-privacy-news/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries-r14780/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinct from regular internet activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Researchers from Infoblox discovered the toolkit in early April 2023 as part of the company's daily analysis of over 70 billion DNS records, looking for signs of abnormal or suspicious activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Infoblox reports that Decoy Dog’s DNS fingerprint is extremely rare and unique among the 370 million active domains on the internet, making it easier to identify and track.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Hence, the investigation into Decoy Dog’s infrastructure quickly led to the discovery of several C2 (command and control) domains that were linked to the same operation, with most communications from these servers originating from hosts in Russia.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Further investigation revealed that the DNS tunnels on these domains had characteristics that pointed to Pupy RAT, a remote access trojan deployed by the Decoy Dog toolkit.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Pupy RAT is a modular open-source post-exploitation toolkit popular among state-sponsored threat actors for being stealthy (fileless), supporting encrypted C2 communications, and helping them blend their activities with other users of the tool.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The <a href="https://github.com/n1nj4sec/pupy" rel="external nofollow">Pupy RAT project</a> supports payloads in all major operating systems, including Windows, macOS, Linux, and Android. Like other RATs, it allows threat actors to execute commands remotely, elevate privileges, steal credentials, and spread laterally through a network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Less skilled actors do not use Pupy RAT, as deploying the tool with the correct DNS server configuration for C2 communications requires knowledge and expertise.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“This multiple-part (DNS) signature gave us strong confidence that the (correlated) domains were not only using Pupy, but they were all part of Decoy Dog – a large, single toolkit that deployed Pupy in a very specific manner on enterprise or large organizational, non-consumer, devices,” Infoblox revealed in <a href="http://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/" rel="external nofollow">its report</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, the analysts discovered a distinct DNS beaconing behavior on all Decoy Dog domains that are configured to follow a particular pattern of periodic but infrequent DNS request generation.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="pattern.png" class="ipsImage" data-ratio="86.96" height="540" width="539" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/28/pattern.png" />
		
			<p>
				<span style="font-size:14px;">Repeating pattern of Decoy Dog IPv4 resolution (Infoblox)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Investigations of the hosting and domain registration details revealed that the Decoy Dog operation had been underway since early April 2022, so it has stayed under the radar for over a year despite the toolkit’s domains showing extreme outliers in analytics.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="timeline(1).png" class="ipsImage" data-ratio="75.10" height="280" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/28/timeline(1).png" />
		
			<p>
				<span style="font-size:14px;">Timeline of Decoy Dog domain registrations (Infoblox)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The discovery of Decoy Dog demonstrates the power of using large-scale data analytics to detect anomalous activity in the vastness of the internet.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Infoblox has listed Decoy Dog’s domains in its report and added them to its “Suspicious Domains” list to help defenders, security analysts, and targeted organizations protect against this sophisticated threat," explain the Infoblox researchers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The discovery of Decoy Dog, and most importantly, the fact that several seemingly unrelated domains were using the same rare toolkit was a result of this combination of automatic and human processes." </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Because the situation is complex and we have been focused on the DNS aspects of the discovery, we expect more details to come from the industry, in addition to ourselves, in the future."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company has also shared indicators of compromise on its public <a href="https://github.com/infobloxopen/threat-intelligence/tree/main/cta_indicators" rel="external nofollow">GitHub repository</a>, which can be used for manual addition into blocklists.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">14780</guid><pubDate>Sun, 23 Apr 2023 19:04:08 +0000</pubDate></item><item><title>Hacker Group Names Are Now Absurdly Out of Control</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-group-names-are-now-absurdly-out-of-control-r14776/</link><description><![CDATA[<h3>
	Pumpkin Sandstorm. Spandex Tempest. Charming Kitten. Is this really how we want to name the hackers wreaking havoc worldwide?
</h3>

<p>
	 
</p>

<p>
	Hackers—particularly state-sponsored ones focused on espionage and cyberwar, and organized cybercriminals exploiting networks worldwide for profit—are not pets. They wreck businesses, sow chaos, disrupt critical infrastructure, support some of the world's most harmful militaries and dictatorships, and help those governments spy on and oppress innocent people worldwide.
</p>

<p>
	 
</p>

<p>
	So why, when I write about these organized hacker groups as a cybersecurity reporter, do I find myself referring to them with cute pet names like Fancy Bear, Refined Kitten, and Sea Turtle?
</p>

<p>
	 
</p>

<p>
	Why, when I interview different cybersecurity firms about a particular unit of Russian military intelligence hackers, do I have to internally translate that this company refers to Fancy Bear as Pawn Storm, while this one calls them Iron Twilight? Why, when I wrote a <a href="https://www.wired.com/story/3cx-supply-chain-attack-times-two/" rel="external nofollow">news piece earlier this week</a> about a North Korea–linked hacking team that has spied on their South Korean neighbors, stolen millions in cryptocurrency to fund the totalitarian regime of Kim Jong-un, and corrupted the software distributed by multiple companies to spread malicious code worldwide, did I find myself referring to them as "the hacker group known as Kimsuky, Emerald Sleet, or Velvet Chollima"? It is all, frankly, a little embarrassing—and to the average reader, lends reporting about cyber conflict about as much gravity as the play-by-play of a Pokémon card game.
</p>

<p>
	 
</p>

<p>
	A few days ago, Microsoft's cybersecurity division announced it was <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}' data-offer-url="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" rel="external nofollow" target="_blank">changing the entire taxonomy of names</a> it uses for the hundreds of hacker groups that it tracks. Instead of its previous system, which gave those organizations the names of elements—a fairly neutral, scientific-sounding system as these things go—it will now give hacker groups two-word names, including in their description a weather-based term indicating what country the hackers are believed to work on behalf of, as well as whether they're state-sponsored or criminal.
</p>

<p>
	 
</p>

<p>
	That means Phosphorous, an Iranian group that Microsoft <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/"}' data-offer-url="https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/" href="https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/" rel="external nofollow" target="_blank">reported this week has been targeting US critical infrastructure</a> like seaports, energy companies, and transit systems, now has the less-than-fearsome name Mint Sandstorm. Iridium, Russia's most aggressive and dangerous <a href="https://www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/" rel="external nofollow">cyberwar-focused military hacker unit more commonly known as Sandworm</a>—responsible for <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/" rel="external nofollow">multiple blackouts in Ukraine</a> and the <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/" rel="external nofollow">most destructive malware in history</a>—now has the whimsical title of Seashell Blizzard. Barium, a team of Chinese hackers that's <a href="https://www.wired.com/story/barium-supply-chain-hackers/" rel="external nofollow">carried out more software-supply-chain attacks than perhaps any group worldwide</a>, is now Brass Typhoon—a phrase that, I confess, I have a hard time separating from flatulence.
</p>

<p>
	 
</p>

<p>
	Many of the new names sounded so absurd that I actually double-checked Microsoft hadn't published the new labeling system on April 1. Periwinkle Tempest. Pumpkin Sandstorm. Spandex Tempest. Gingham Typhoon. “These names are just really silly,” says Rob Lee, the founder and CEO of industrial-control-system cybersecurity firm Dragos. “I mean, talk about not being taken seriously as a profession.”
</p>

<p>
	 
</p>

<p>
	Goofiness aside, the new system is counterproductive for actual cybersecurity analysis, Lee argues. Given that Microsoft's threat intelligence is some of the best in the world, analysts and customers across the industry will have to actually revise their databases—and even some of their products—to match Microsoft's new naming scheme, he says. And the revised system now locks in educated guesses about the national loyalties of hackers with no indication of the analysts' degree of confidence in those assessments, Lee adds.
</p>

<p>
	 
</p>

<p>
	What if a hacker group thought to be part of a nation’s intelligence agency turns out to be a hacker-for-hire contractor? Or cybercriminals temporarily conscripted to work on behalf of a government? “Assessments change over time,” Lee says. “Like, ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you’re like, what the fuck?” (Lee’s own firm, Dragos, admittedly gives hacker groups mineral names that are often confusingly similar to Microsoft’s old system. But at least Dragos has never called anyone Gingham Typhoon.)
</p>

<p>
	 
</p>

<p>
	When I reached out to Microsoft about its new naming scheme, the head of its Threat Intelligence Center, John Lambert, explained the rationale behind the change: Microsoft's new names are more distinct, memorable, and searchable. In contrast to Lee's point about choosing neutral names, the Microsoft team wanted to give customers more context about hackers in the names, Lambert says, immediately identifying their nationality and motive. (Instances that are not yet fully attributed to a known group are given a temporary classifier, he notes.)
</p>

<p>
	 
</p>

<p>
	Microsoft's team was also just running out of elements—there are, after all, only 118 of them. “We liked weather because it's a pervasive force, it's disruptive, and there's a kindred spirit because the study of weather over time involves improvement in sensors, data, and analysis,” says Lambert. “That's cybersecurity defenders' world, too.” As for the adjectives preceding those meteorological terms—often the real source of the names' inadvertent comedy—they're chosen by analysts from a long list of words. Sometimes they have a semantic or phonetic connection to the hacker group, and sometimes they're random. “There’s some origin story to each one,” Lambert says, “or it could just be a name out of a hat.”
</p>

<p>
	 
</p>

<p>
	There's a certain, stubborn logic behind the cybersecurity industry's ever-growing sprawl of hacker group handles. When a threat intelligence firm finds evidence of a new team of network intruders, they can't be sure they're seeing the same group that another company has already spotted and labeled, even if they do see familiar malware, victims, and command-and-control infrastructure between the two groups. If your competitor isn't sharing everything they see, it's better to make no assumptions and track the new hackers under your own name. So Sandworm becomes Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and—sigh—Seashell Blizzard, as every company's analysts get a different glimpse of the group's anatomy.
</p>

<p>
	 
</p>

<p>
	But, sprawl aside, did these names have to be quite so on-their-face ridiculous? To some degree, it may be wise to give names to hacker gangs that rob them of their malevolent glamour. Members of the Russian ransomware group EvilCorp, for instance, are not likely to be happy with Microsoft's rebranding them as Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers that seeks to penetrate crucial elements of US civilian infrastructure Mint Sandstorm, as if they're an exotic flavor of air freshener? (The older name given to them by Crowdstrike, Charming Kitten, is certainly not any better.) Did the Israeli hacker-for-hire mercenaries known as Candiru, who have sold their services to <a href="https://www.washingtonpost.com/nation/2021/07/15/private-israeli-firm-has-helped-governments-hack-journalists-human-rights-advocates/" rel="external nofollow">governments targeting journalists and human rights activists</a>, really need to be renamed Caramel Tsunami, a brand befitting a Dunkin’ beverage, and one that's already taken by a <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.allbud.com/products/krafted-strains-2/flower/6101407/caramel-tsunami-tsunami-seeds-co"}' data-offer-url="https://www.allbud.com/products/krafted-strains-2/flower/6101407/caramel-tsunami-tsunami-seeds-co" href="https://www.allbud.com/products/krafted-strains-2/flower/6101407/caramel-tsunami-tsunami-seeds-co" rel="external nofollow" target="_blank">strain of cannabis</a>?
</p>

<p>
	 
</p>

<p>
	Kevin Mandia, one of the original hacker hunters and the founder and CEO of the cybersecurity firm Mandiant, captured this problem in a <a href="https://www.c-span.org/video/?446332-2/cybersecurity-intelligence-forum-part-1&amp;event=446332&amp;playEvent" rel="external nofollow">speech at the Cybersecurity Threat Intelligence Summit in 2018</a>. “I’ve always wondered, how do you get into a boardroom and say, ‘Sir, I know you’re breached. You’re in the headlines. And you were hacked by Fluffy Snuggle Duck,’” Mandia said. “It just doesn’t work.”
</p>

<p>
	 
</p>

<p>
	Mandia concedes today that in the five years since his Fluffy Snuggle Duck comment, he's become more inured to the silly hacker group names. “I don't care what they're called, I just want to make sure we have the catalog right. Do we have the fingerprints for them, do we have defenses for them?” he says.
</p>

<p>
	 
</p>

<p>
	In our interview, though, he still seemed to be genuinely tripped up by the labeling scheme of his competitor Crowdstrike, which names hackers after different animals based on their nationality. “Bear is Russia … or is it?” Mandia pondered out loud. “Panda is China. But that’s a bear. I’m confused already.”
</p>

<p>
	 
</p>

<p>
	Mandia and Lee both dream of a day when a government body—say, the US National Institute of Standards and Technology—comes up with a hacker group naming convention that can be adopted across the industry. But they both also say that companies would never stick to it. Marketing aside, the fog of war in cybersecurity research means analysts at different companies will never be sure they're looking at the same entities—unless they all agree to openly share every scrap of their closely guarded intelligence.
</p>

<p>
	 
</p>

<p>
	Until then, well, just watch out for Periwinkle Tempest. Last year, Periwinkle Tempest launched <a href="https://www.wired.com/story/costa-rica-ransomware-conti/" rel="external nofollow">crippling ransomware attacks across the entire nation of Costa Rica</a>, leading the country's government to declare a national emergency. Periwinkle Tempest are <a href="https://www.wired.com/story/most-dangerous-people-on-the-internet-2022/" rel="external nofollow">some of the most dangerous hackers in the world</a>. Periwinkle Tempest. Seriously.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/hacker-naming-schemes-spandex-tempest/" rel="external nofollow">Hacker Group Names Are Now Absurdly Out of Control</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">14776</guid><pubDate>Sun, 23 Apr 2023 18:55:46 +0000</pubDate></item><item><title>How to turn off SafeSearch on Google?</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-turn-off-safesearch-on-google-r14775/</link><description><![CDATA[<p>
	Do you wonder about how to turn off SafeSearch on Google? You came to the right place!
</p>

<p>
	 
</p>

<p>
	SafeSearch is a feature that filters out explicit content from your search results on Google. It is designed to protect users from unwanted or inappropriate content, such as pornography, violence, or hate speech. However, some users may prefer to turn off SafeSearch for various reasons, such as research, personal preference, or curiosity.
</p>

<p>
	 
</p>


<p>
	In this blog post, we will show you how to turn off SafeSearch on different devices and browsers.
</p>

<p>
	 
</p>

<figure aria-describedby="caption-attachment-192651" id="attachment_192651">
	<img alt="How-to-turn-off-SafeSearch-on-Google-2.j" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://www.ghacks.net/wp-content/uploads/2023/04/How-to-turn-off-SafeSearch-on-Google-2.jpg"><noscript><img class="wp-image-192651 size-full" alt="How to turn off SafeSearch on Google" width="1200" height="1200" srcset="https://www.ghacks.net/wp-content/uploads/2023/04/How-to-turn-off-SafeSearch-on-Google-2.jpg 1200w, https://www.ghacks.net/wp-content/uploads/2023/04/How-to-turn-off-SafeSearch-on-Google-2-300x300.jpg 300w" sizes="(max-width: 1200px) 100vw, 1200px" src="https://www.ghacks.net/wp-content/uploads/2023/04/How-to-turn-off-SafeSearch-on-Google-2.jpg"></noscript>
	<figcaption id="caption-attachment-192651">
		<em>Google</em>
	</figcaption>
</figure>

<h2>
	How to turn off SafeSearch on Google?
</h2>

<p>
	Before we proceed, we want to remind you that turning off SafeSearch may expose you to content that you may find offensive, disturbing, or illegal. We do not endorse or recommend turning off SafeSearch, and we are not responsible for any consequences that may arise from doing so. Please use your own discretion and judgment when browsing the web without SafeSearch.
</p>

<p>
	 
</p>

<p>
	To turn off SafeSearch on your <strong>computer</strong>, follow these steps:
</p>

<p>
	 
</p>

<ul>
	<li>
		Go to www.google.com and click on the Settings icon at the bottom right corner of the page.
	</li>
	<li>
		Select Search settings from the menu.
	</li>
	<li>
		Under the SafeSearch filters section, uncheck the box that says Turn on SafeSearch.
	</li>
	<li>
		Click Save at the bottom of the page.
	</li>
</ul>

<p>
	 
</p>

<p>
	To turn off SafeSearch on your <strong>mobile device</strong>, follow these steps:
</p>

<p>
	 
</p>

<ul>
	<li>
		Open the Google app on your device and tap on the More icon at the bottom right corner of the screen.
	</li>
	<li>
		Tap on Settings and then General.
	</li>
	<li>
		Under the Search settings section, tap on SafeSearch filter.
	</li>
	<li>
		Select "Show explicit results."
	</li>
	<li>
		Tap "Save."
	</li>
</ul>

<p>
	 
</p>

<p>
	To turn off SafeSearch on your <strong>browser</strong>, follow these steps:
</p>

<p>
	 
</p>

<ul>
	<li>
		Chrome: Go to chrome://settings/searchEngines and click on the three dots next to Google. Select Edit from the menu and delete &amp;safe=active from the URL. Click Save.
	</li>
	<li>
		Firefox: Go to about:preferences#search and click on the magnifying glass icon next to Google. Click on Edit Keyword and delete &amp;safe=active from the URL. Click Save.
	</li>
	<li>
		Safari: Go to Preferences &gt; Search and uncheck the box that says Enable SafeSearch.
	</li>
	<li>
		Edge: Go to Settings &gt; Privacy, search, and services &gt; Address bar and search &gt; Manage search engines and click on the three dots next to Google. Select Edit from the menu and delete &amp;safe=active from the URL. Click Save.
	</li>
</ul>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/04/23/how-to-turn-off-safesearch-on-google/" rel="external nofollow">How to turn off SafeSearch on Google?</a>
</p>
]]></description><guid isPermaLink="false">14775</guid><pubDate>Sun, 23 Apr 2023 18:53:46 +0000</pubDate></item><item><title>The Week in Ransomware - April 21st 2023 - Macs in the Crosshairs</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-april-21st-2023-macs-in-the-crosshairs-r14769/</link><description><![CDATA[<p>
	A lot of news broke this week related to ransomware, ranging from the discovery of LockBit testing macOS encryptors to an outage at NCR that caused massive headaches for restaurants.
</p>

<p>
	 
</p>

<p>
	By far, the biggest news was the discovery of a <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/" target="_blank" rel="external nofollow">LockBit Apple Silicon encryptor</a> by MalwareHunterTeam. While the encryptor is quite buggy and <a href="https://objective-see.org/blog/blog_0x75.html" rel="external nofollow" target="_blank">needs a lot of development to work correctly</a>, LockBit confirmed to BleepingComputer that it is being actively developed.
</p>

<p>
	 
</p>

<p>
	Some interesting research on ransomware was also released this week, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/" target="_blank" rel="external nofollow">Ransomware gangs now abusing the Action1 RMM</a>.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/ex-conti-members-and-fin7-devs-team-up-to-push-new-domino-malware/" target="_blank" rel="external nofollow">Ex-Conti members and FIN7 are pushing a Domino malware</a>.
	</li>
	<li>
		<a href="https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html" rel="external nofollow" target="_blank">A technical write-up about Rorschach</a>.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/" target="_blank" rel="external nofollow">Play ransomware uses custom data theft and info-stealing malware.</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-to-deploy-trigona-ransomware/" target="_blank" rel="external nofollow">Trigona is targeting Microsoft SQL servers.</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/" target="_blank" rel="external nofollow">Process Explorer driver is abused in ransomware attacks.</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	Finally, we learned about some ransomware attacks, with <a href="https://www.bleepingcomputer.com/news/security/ncr-suffers-aloha-pos-outage-after-blackcat-ransomware-attack/" target="_blank" rel="external nofollow">an NCR outage confirmed to be ransomware</a> and <a href="https://www.bleepingcomputer.com/news/security/capita-confirms-hackers-stole-data-in-recent-cyberattack/" target="_blank" rel="external nofollow">Capita confirming that data was stolen</a> in a cyberattack.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" target="_blank">@AShukuhi</a>, <a href="https://twitter.com/patrickwardle" rel="external nofollow" role="link" tabindex="-1" target="_blank">@patrickwardle</a>, <a href="https://twitter.com/Kostastsale" rel="external nofollow" target="_blank">@Kostastsale</a>, <a href="https://twitter.com/blackberry" rel="external nofollow" target="_blank">@BlackBerry</a>, <a href="https://twitter.com/trendmicro" rel="external nofollow" target="_blank">@TrendMicro</a>, <a href="https://twitter.com/WhichbufferArda" rel="external nofollow" target="_blank">@WhichbufferArda</a>, <a href="https://twitter.com/NCCGroupplc" rel="external nofollow" target="_blank">@NCCGroupplc</a>, <a href="https://twitter.com/BroadcomSW" rel="external nofollow" target="_blank">@BroadcomSW</a>, <a href="https://twitter.com/ibmsecurity" rel="external nofollow" 
target="_blank">@IBMSecurity</a>, <a href="https://twitter.com/AhnLab_man" rel="external nofollow" target="_blank">@AhnLab_man</a>, <a href="https://twitter.com/SophosXOps" rel="external nofollow" target="_blank">@SophosXOps</a>, <a href="https://twitter.com/SentinelOne" rel="external nofollow" target="_blank">@SentinelOne</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, and <a href="https://twitter.com/siri_urz" rel="external nofollow" target="_blank">@siri_urz</a>.
</p>

<h2>
	April 15th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/" target="_blank" rel="external nofollow">Hackers start abusing Action1 RMM in ransomware attacks</a>
</h3>

<p>
	Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ncr-suffers-aloha-pos-outage-after-blackcat-ransomware-attack/" target="_blank" rel="external nofollow">NCR suffers Aloha POS outage after BlackCat ransomware attack</a>
</h3>

<p>
	NCR is suffering an outage on its Aloha point of sale platform after being hit by a ransomware attack claimed by the BlackCat/ALPHV gang.
</p>

<h2>
	April 16th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/" target="_blank" rel="external nofollow">LockBit ransomware encryptors found targeting Mac devices</a>
</h3>

<p>
	The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS.
</p>

<h3>
	<a href="https://objective-see.org/blog/blog_0x75.html" rel="external nofollow" target="_blank">The LockBit ransomware (kinda) comes for macOS</a>
</h3>

<p>
	In this blog post we’ll tear apart the sample, showing that ultimately, while yes it can indeed run on Apple Silicon, that is basically the extent of its impact. Thus macOS users have nothing to worry about …for now!
</p>

<h3>
	<a href="https://twitter.com/WhichbufferArda/status/1647633472339562497" rel="external nofollow" target="_blank">A technical analysis of the LockBit macOS encryptor</a>
</h3>

<p>
	"Brief analysis of <a dir="ltr" href="https://twitter.com/hashtag/Lockbit?src=hashtag_click" rel="external nofollow" role="link">#Lockbit</a> 3.0 for macOS ARM M1/M2. It's using a simple XOR routine to decrypt all config data. The XOR key is the static value '57'."
</p>

<h2>
	April 17th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ex-conti-members-and-fin7-devs-team-up-to-push-new-domino-malware/" target="_blank" rel="external nofollow">Ex-Conti members and FIN7 devs team up to push new Domino malware</a>
</h3>

<p>
	Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named 'Domino' in attacks on corporate networks.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1647832461471014912" rel="external nofollow" target="_blank">New Phobos variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">PCrisk</a> found a new Phobos ransomware variant that appends the .sdk extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1647857206430244864" rel="external nofollow" target="_blank">New VoidCrypt ransomware variant</a>
</h3>

<p>
	PCrisk found a new VoidCrypt ransomware variant that appends the .Recov extension and drops a ransom note named Dectryption-guide.txt.
</p>

<h3>
	<a href="https://twitter.com/siri_urz/status/1647892158739873793" rel="external nofollow" target="_blank">New CrossLock ransomware found</a>
</h3>

<p>
	<a href="https://twitter.com/siri_urz" rel="external nofollow" target="_blank">S!Ri</a> found a new CrossLock ransomware that appends the .crlk extension and drops the ---CrossLock_readme_To_Decrypt---.txt ransom note.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1647937203396288512" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .coty extension.
</p>

<h2>
	April 18th 2023
</h2>

<h3>
	<a href="https://www.sentinelone.com/blog/lockbit-for-mac-how-real-is-the-risk-of-macos-ransomware/" rel="external nofollow" target="_blank">LockBit for Mac | How Real is the Risk of macOS Ransomware?</a>
</h3>

<p>
	On April 16th, Twitter user @malwrhunterteam tweeted details of a sample of the LockBit ransomware compiled for Apple’s macOS arm64 architecture. LockBit claims to be “the oldest ransomware affiliate program on the planet”, and news that one of the major cybercrime outfits in the ransomware landscape was now targeting macOS devices has predictably raised concerns about the ransomware threat on Mac devices.
</p>

<h3>
	<a href="https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html" rel="external nofollow" target="_blank">An Analysis of the BabLock (aka Rorschach) Ransomware</a>
</h3>

<p>
	A ransomware called BabLock (aka Rorschach) has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques. Although primarily based on LockBit, the ransomware is a hodgepodge of other different ransomware parts pieced together into what we now call BabLock (detected as Ransom.Win64.LOCKBIT.THGOGBB.enc). Note, however, that we do not believe that this ransomware originates from the threat actors behind LockBit, which is now in its third iteration.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1648202485520121858" rel="external nofollow" target="_blank">New MedusaLocker ransomware variants</a>
</h3>

<p>
	PCrisk found new MedusaLocker ransomware variants that append the .skynetlock and .tangem extensions.
</p>

<h2>
	April 19th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/" target="_blank" rel="external nofollow">March 2023 broke ransomware attack records with 459 incidents</a>
</h3>

<p>
	March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/" target="_blank" rel="external nofollow">Play ransomware gang uses custom Shadow Volume Copy data-theft tool</a>
</h3>

<p>
	The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-to-deploy-trigona-ransomware/" rel="external nofollow">Microsoft SQL servers hacked to deploy Trigona ransomware</a>
</h3>

<p>
	Attackers are hacking into poorly secured and Internet-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fortra-shares-findings-on-goanywhere-mft-zero-day-attacks/" target="_blank" rel="external nofollow">Fortra shares findings on GoAnywhere MFT zero-day attacks</a>
</h3>

<p>
	Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal data from over a hundred companies.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/" rel="external nofollow">Ransomware gangs abuse Process Explorer driver to kill security software</a>
</h3>

<p>
	Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection &amp; Response (EDR) Software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.
</p>

<h2>
	April 20th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/capita-confirms-hackers-stole-data-in-recent-cyberattack/" rel="external nofollow">Capita confirms hackers stole data in recent cyberattack</a>
</h3>

<p>
	London-based professional outsourcing giant Capita has published an update on the cyber-incident that impacted it at the start of the month, now admitting that hackers exfiltrated data from its systems.
</p>

<h3>
	<a href="https://asec.ahnlab.com/en/51497/" rel="external nofollow" target="_blank">BlackBit Ransomware Being Distributed in Korea</a>
</h3>

<p>
	AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1648922341487804416" rel="external nofollow" target="_blank">New MedusaLocker ransomware variant</a>
</h3>

<p>
	PCrisk found a new MedusaLocker ransomware variant that appends the .attackuk extension.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-21st-2023-macs-in-the-crosshairs/" rel="external nofollow">The Week in Ransomware - April 21st 2023 - Macs in the Crosshairs</a>
</p>
]]></description><guid isPermaLink="false">14769</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>GhostToken GCP flaw let attackers backdoor Google accounts</title><link>https://nsaneforums.com/news/security-privacy-news/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts-r14758/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Google has addressed a Google Cloud Platform (GCP) security vulnerability impacting all users and allowing attackers to backdoor their accounts using malicious OAuth applications installed from the Google Marketplace or third-party providers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Named <a href="https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/" rel="external nofollow">GhostToken</a> by Astrix Security, the Israeli cybersecurity startup that found and reported it to Google in June 2022, this security flaw was addressed via a global patch that rolled out in early April 2023.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Once a malicious app had been authorized by the victim and issued an OAuth token granting it access to the Google account, attackers could exploit this vulnerability to make the app invisible.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This would hide the app from <a href="https://myaccount.google.com/permissions" rel="external nofollow">Google's application management</a> page, the only place where Google users can manage apps connected to their accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," Astrix Security <a href="https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The attacker on the other hand, as they please, can unhide their application and use the token to access the victim's account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a 'ghost' token to the victim's account."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To hide malicious apps authorized by the victims, attackers only had to make them enter a '<a href="https://console.cloud.google.com/cloud-resource-manager?pendingDeletion=true" rel="external nofollow">pending deletion'</a> state by deleting the linked GCP project.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, after restoring the project, they would be provided with a refresh token that made it possible to retrieve a new access token that could be used to gain access to the victims' data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These steps could be repeated in a loop, allowing the attackers to delete and restore the GCP project to hide the malicious app each time they needed access to the victim's data.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="GhostToken%20attack%20flow.png" class="ipsImage" data-ratio="75.10" height="540" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/GhostToken%20attack%20flow.png" />
		
			<p>
				<span style="font-size:14px;">GhostToken attack flow (Astrix Security)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The attack's impact depends on the permissions granted to the malicious apps installed by the victims.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The vulnerability "allows attackers to gain permanent and unremovable access to a victim's Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim's personal data exposed forever," Astrix Security Research Group <a href="https://www.prnewswire.com/news-releases/astrix-security-discovers-0-day-vulnerability-in-google-cloud-platform-301802094.html" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This may include data stored on victim's Google apps, such as Gmail, Drive, Docs, Photos, and Calendar, or Google Cloud Platform's services (BigQuery, Google Compute, etc.)."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google's patch allows GCP OAuth applications in 'pending deletion' states to appear on the 'Apps with access to your account' page, allowing users to remove them and protect their accounts from hijack attempts.</span>
</p>
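<p>
	<span style="font-size:14px;">The bug class behind GhostToken is the user-facing grant list and the token endpoint disagreeing about which grants exist. The following toy model, added here as an illustration and not Google's or Astrix's code, shows the vulnerable behaviour (grants whose project is pending deletion are hidden from the "Apps with access to your account" page) beside the patched behaviour (they stay listed and revocable). The project states, function names and the assumption that the token endpoint only honours refresh tokens while the project is active are all illustrative choices, not a description of Google's internals.</span>
</p>

```javascript
// Added example: toy model of the OAuth-grant lifecycle behind GhostToken.
// Not Google's code; states, names and token-endpoint behaviour are assumptions.
const ACTIVE = "ACTIVE", PENDING_DELETION = "PENDING_DELETION";

function makeAccountService({ showPendingDeletion }) {
  const projects = new Map(); // projectId -> state (the attacker controls their own GCP project)
  const grants = new Map();   // refreshToken -> { user, projectId, revoked }
  let counter = 0;
  return {
    // The victim authorizes the attacker's app, which belongs to a GCP project.
    authorize(user, projectId) {
      projects.set(projectId, projects.get(projectId) ?? ACTIVE);
      const refreshToken = `rt-${++counter}`;
      grants.set(refreshToken, { user, projectId, revoked: false });
      return refreshToken;
    },
    deleteProject(projectId) { projects.set(projectId, PENDING_DELETION); },
    restoreProject(projectId) { projects.set(projectId, ACTIVE); },
    // The "Apps with access to your account" page. Vulnerable behaviour: grants whose
    // project is pending deletion are filtered out, so the user can neither see nor
    // revoke them. Patched behaviour: they are listed like any other grant.
    listGrants(user) {
      return [...grants.entries()]
        .filter(([, g]) => g.user === user && !g.revoked)
        .filter(([, g]) => showPendingDeletion || projects.get(g.projectId) === ACTIVE)
        .map(([token, g]) => ({ token, projectId: g.projectId, state: projects.get(g.projectId) }));
    },
    // A user can only revoke what the page shows them.
    revoke(user, token) {
      if (!this.listGrants(user).some((g) => g.token === token)) return false;
      grants.get(token).revoked = true;
      return true;
    },
    // Token endpoint (assumption): a refresh token mints an access token only while
    // the project is active and the grant has not been revoked.
    refresh(token) {
      const g = grants.get(token);
      if (!g || g.revoked || projects.get(g.projectId) !== ACTIVE) return null;
      return `at-${token}-${++counter}`;
    },
  };
}

// The attacker's loop from the write-up: hide the app, unhide it only long enough
// to use the token, then hide it again. Returns what the victim could see while the
// app was hidden and whether the attacker still gets an access token afterwards.
function runScenario(showPendingDeletion) {
  const svc = makeAccountService({ showPendingDeletion });
  const rt = svc.authorize("victim", "attacker-project");
  svc.deleteProject("attacker-project");            // app enters "pending deletion"
  const visibleWhileHidden = svc.listGrants("victim").length;
  for (const g of svc.listGrants("victim")) svc.revoke("victim", g.token); // victim revokes all they can see
  svc.restoreProject("attacker-project");           // attacker unhides the app
  const accessToken = svc.refresh(rt);              // ...uses the refresh token
  svc.deleteProject("attacker-project");            // ...and hides it again
  return { visibleWhileHidden, attackerStillHasAccess: accessToken !== null };
}
```

<p>
	<span style="font-size:14px;">With showPendingDeletion set to false the victim sees nothing to revoke and the attacker keeps access; with it set to true the grant stays visible, the victim revokes it, and the later restore-and-refresh fails. The invariant worth carrying over to any OAuth-style system is that every grant that can ever mint an access token must appear in the view the user revokes from.</span>
</p>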

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Astrix advises all Google users to visit <a href="http://myaccount.google.com/permissions" rel="external nofollow">their account's app management page</a> and check all authorized third-party apps, ensuring that each of them has only the permissions they require to function.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14758</guid><pubDate>Sat, 22 Apr 2023 09:11:16 +0000</pubDate></item><item><title>Critical infrastructure also hit by supply chain attack behind 3CX breach</title><link>https://nsaneforums.com/news/security-privacy-news/critical-infrastructure-also-hit-by-supply-chain-attack-behind-3cx-breach-r14757/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The X_Trader software supply chain attack that led to last month's 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec's Threat Hunter Team.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The North Korean-backed threat group linked to the Trading Technologies and 3CX attacks used a trojanized installer for X_Trader software to deploy the VEILEDSIGNAL multi-stage modular backdoor onto victims' systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Once installed, the malware could execute malicious shellcode or inject a communication module into Chrome, Firefox, or Edge processes running on compromised systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Initial investigation by Symantec's Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe," the company <a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain" rel="external nofollow">said in a report</a> published today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In addition to this, two other organizations involved in financial trading were also breached."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the Trading Technologies supply chain compromise is the result of a financially motivated campaign, the breach of multiple critical infrastructure organizations is worrisome, seeing that North Korean-backed hacking groups are also known for cyber espionage.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It's very likely that strategic organizations compromised as part of this supply chain attack will also be singled out for subsequent exploitation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While Symantec didn't name the two energy sector organizations, Symantec Threat Hunter Team Director of Security Response Eric Chien told BleepingComputer that they are "power suppliers generating and supplying energy to the grid."</span>
</p>

<h2>
	<span style="font-size:14px;">Wide-ranging supply chain attack</span>
</h2>

<p>
	<span style="font-size:14px;">Having breached at least four more entities besides 3CX with the help of the trojanized X_Trader software, it's also highly likely that the North Korean hacking campaign already impacted additional victims yet to be discovered.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed," Symantec added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On Thursday, Mandiant linked a North Korean threat group it tracks as UNC4736 to the <a href="https://www.bleepingcomputer.com/news/security/3cx-hack-caused-by-trading-software-supply-chain-attack/" rel="external nofollow">cascading supply chain attack that hit VoIP company 3CX</a> in March.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">UNC4736 is related to the financially motivated North Korean-sponsored Lazarus Group behind <a href="https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/" rel="external nofollow">Operation AppleJeus</a> [<a href="https://www.bleepingcomputer.com/news/security/new-macos-threat-served-from-cryptocurrency-trading-platform/" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/attackers-create-elaborate-crypto-trading-scheme-to-install-malware/" rel="external nofollow">2</a>, <a href="https://www.bleepingcomputer.com/news/security/us-shares-info-on-north-korean-malware-used-to-steal-cryptocurrency/" rel="external nofollow">3</a>], previously <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-weeks-before-patch/" rel="external nofollow">linked</a> by Google's Threat Analysis Group (TAG) to the compromise of Trading Technologies' website.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Based on attack infrastructure overlap, Mandiant also connected UNC4736 with two APT43 malicious activity clusters tracked as UNC3782 and UNC4469.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/critical-infrastructure-also-hit-by-supply-chain-attack-behind-3cx-breach/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14757</guid><pubDate>Sat, 22 Apr 2023 09:09:08 +0000</pubDate></item><item><title>The War on Passwords Enters a Chaotic New Phase</title><link>https://nsaneforums.com/news/security-privacy-news/the-war-on-passwords-enters-a-chaotic-new-phase-r14733/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.</strong></span>
</p>

<p>
	 
</p>

<p>
	There was never a question that it would take years to transition the world away from passwords. The digital authentication technology, though deeply flawed, is pervasive and inveterate. Over the last five years, though, the secure-authentication industry association known as the FIDO Alliance has been making real progress promoting “passkeys,” a password-less alternative for signing into applications and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any accounts protected by a passkey at all, despite broad adoption from Microsoft, Google, Apple, and many more.  
</p>

<p>
	 
</p>

<p>
	At the RSA security conference in San Francisco next week, Christiaan Brand, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, will present a talk on new features and growth in passkey adoption. He also plans to examine the current challenges that passkeys face in countering the inertia passwords have built up over decades—and the long game of slowly grinding down the password's dominance.
</p>

<p>
	 
</p>

<p>
	“What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure."
</p>

<p>
	 
</p>

<p>
	Over the past year, Brand says, FIDO has made significant progress rolling out features to support its password-less vision. The infrastructure is now in place to back up passkeys so they can sync between devices, get services to prompt users about passkeys rather than always defaulting to username and password, and use Bluetooth-based proximity sensing to share passkey authentication between devices. All three of these points address major usability issues that FIDO publicly set out to improve a year ago.
</p>

<p>
	 
</p>

<p>
	In practice, though, there are still hurdles, and developing these solutions has taken time. For example, Brand says the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid the security issues that often plague Bluetooth implementations. The idea was to strip away most of Bluetooth's functionality and exclusively use the protocol for proximity checks rather than any data transfers. This approach has allowed passkeys to bypass many of Bluetooth's quirks and reliability issues when attempting to pair devices.
</p>

<p>
	 
</p>

<p>
	Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac using a traditional password, your credentials still get checked against what Google has on file for your account on one of the company's servers. But the security and phishing-resistance benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the private key never leaves the device: macOS unlocks it locally and uses it to sign a challenge, and Google verifies that signature against the public key it stored when the passkey was created. Apple's servers are never directly involved, but everything the user sees during the interaction is drawn by macOS, not Google.
</p>

<p>
	 
</p>

<p>
	“If I'm Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”
</p>

<p>
	 
</p>

<p>
	Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login systems fade from prominence and are neglected, they could produce new types of security exposures in their disrepair.
</p>

<p>
	 
</p>

<p>
	For now, though, the tech industry is still in the early stages of this long haul transition.
</p>

<p>
	 
</p>

<p>
	“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/passwords-passkey-transition-time/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14733</guid><pubDate>Fri, 21 Apr 2023 11:21:29 +0000</pubDate></item><item><title>This painful malware targets new victims through Google Ads</title><link>https://nsaneforums.com/news/security-privacy-news/this-painful-malware-targets-new-victims-through-google-ads-r14730/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Look out for these dodgy Google Ads experts warn</span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity firm Secureworks has discovered a new malware strain disguising itself as Google Ads, and it’s spreading quickly.
</p>

<p>
	 
</p>

<p>
	Known as Bumblebee, the malware was initially discovered over a year ago and would typically spread itself via phishing attacks, but Secureworks has warned the actor behind the malicious download is now getting more creative and jumping on a new trend.
</p>

<p>
	 
</p>

<p>
	In Secureworks’ recent 2022 State of the Threat report, it discovered an increase in attacks involving trojanized software distributed via Google Ads or SEO poisoning, and Bumblebee is just one of many experimenting with this increasingly popular method.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Bumblebee malware via Google Ads</strong></span>
</p>

<p>
	 
</p>

<p>
	The malware’s reach extends far beyond the search engine, with lures found impersonating many popular business apps like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Victims installing what they think is legitimate software from the fake download pages then get infected with the malware.
</p>

<p>
	 
</p>

<p>
	The firm’s Director of Intelligence, Mike McLellan, explained that as many as 1% of online ads contain malicious content. McLellan described the typical scenario during which a victim is attacked: rather than downloading software via a company’s IT team, many remote workers are taking control and heading online themselves, unaware of the potential risks.
</p>

<p>
	 
</p>

<p>
	The report details the download of a legitimate Cisco AnyConnect VPN installer “which had been modified to contain the Bumblebee malware.” As a result, the threat actor not only got access to the victim’s system, but also deployed additional tools like Cobalt Strike.
</p>

<p>
	 
</p>

<p>
	McLellan explains that the new findings only go to demonstrate how important it is that companies have strict policies in place for restricting access to web ads and managing privileges on software downloads.
</p>

<p>
	 
</p>

<p>
	Beyond this, workers are advised to create their own path direct to the legitimate website rather than follow a stream of links or ads - or to entirely remove themselves from the process and request that their company’s IT team takes over.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/this-painful-malware-targets-new-victims-through-google-ads" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14730</guid><pubDate>Fri, 21 Apr 2023 10:33:43 +0000</pubDate></item><item><title>Mullvad VPN was subject to a search warrant. Customer data not compromised</title><link>https://nsaneforums.com/news/security-privacy-news/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised-r14694/</link><description><![CDATA[<p>
	 
</p>

<p>
	On April 18 at least six police officers from the National Operations Department (NOA) of the Swedish Police visited the Mullvad VPN office in Gothenburg with a search warrant.
</p>

<p>
	<br />
	They intended to seize computers with customer data.
</p>

<p>
	 
</p>

<p>
	In line with our policies such customer data did not exist. We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law. After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information.
</p>

<p>
	 
</p>

<p>
	If they had taken something that would not have given them access to any customer information.
</p>

<p>
	 
</p>

<p>
	Mullvad has been operating our VPN service for over 14 years. This is the first time our offices have been visited with a search warrant.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14694</guid><pubDate>Thu, 20 Apr 2023 14:55:07 +0000</pubDate></item><item><title>Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job</title><link>https://nsaneforums.com/news/security-privacy-news/lazarus-group-adds-linux-malware-to-arsenal-in-operation-dream-job-r14693/</link><description><![CDATA[<p>
	The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users.
</p>

<p>
	 
</p>

<p>
	The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.
</p>

<p>
	 
</p>

<p>
	The findings are crucial, not least because they mark the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme.
</p>

<p>
	 
</p>

<p>
	Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
</p>

<p>
	 
</p>

<p>
	The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that's then used to launch a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="code.png" class="ipsImage" data-ratio="63.06" height="449" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhSAIPoUsDau4iZajq1dkiN-X9CC5Dg0rpcVkHfbKk2zCPx9l5uHRLp-zj8Ehuu05bcIvKf44NdXRge_9mzDuOvRlFfJDQ6zKcp7xNvd-64r4WiztQY71EST1ad03t_G0RjfzaBGDqBNL9tzYyK6Tk4zUntD1k0voYOJ_25_aOSAP0Lr08DaNuZvnzy/s728-e3650/code.png" />
</p>

<p>
	While the exact method used to distribute the ZIP file is not known, it's suspected to be either spear-phishing or direct messages on LinkedIn. The backdoor, written in C++, bears similarities to BADCALL, a Windows trojan previously attributed to the group.
</p>

<p>
	 
</p>

<p>
	Furthermore, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.
</p>

<p>
	 
</p>

<p>
	This also includes the command-and-control (C2) domain "journalide[.]org," which was listed as one of the four C2 servers used by malware families detected within the 3CX environment.
</p>

<p>
	 
</p>

<p>
	Indications are that preparations for the supply chain attack had been underway since December 2022, when some of the components were committed to the GitHub code-hosting platform.
</p>

<p>
	 
</p>

<p>
	The findings not only strengthen the existing link between Lazarus Group and the 3CX compromise, but also demonstrate the threat actor's continued success with staging supply chain attacks since 2020.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/04/lazarus-group-adds-linux-malware-to.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14693</guid><pubDate>Thu, 20 Apr 2023 14:50:37 +0000</pubDate></item><item><title>1Password ending support for classic browser extensions</title><link>https://nsaneforums.com/news/security-privacy-news/1password-ending-support-for-classic-browser-extensions-r14687/</link><description><![CDATA[<p>
	1Password is a popular commercial password management solution. Agile Bits, the company behind the product, announced a change <a data-wpel-link="external" href="https://support.1password.com/kb/202303/" rel="external nofollow" target="_blank">recently</a> that affects all users who still use classic extensions. Broken down to its core, 1Password will end support for classic browser extensions, stating that they are built on extension Manifest V2, which Google plans to stop supporting in Chrome.
</p>

<p>
	 
</p>

<p>
	The decision may have far reaching consequences for some 1Password customers, as an upgrade to 1Password 8 is required to continue using 1Password directly in the web browser.
</p>

<p>
	 
</p>


<p>
	1Password 8, released in 2022, introduced a controversial, hotly debated change that enforced cloud storage for user vaults.
</p>

<p>
	 
</p>

<p>
	The 1Password support page provides the following information on the decision to end support for classic extensions: "In the future, Google will stop supporting Manifest V2 in Chrome. Because of this change, in 2023, the 1Password classic extension for Chrome, Firefox, Edge, and Brave will no longer be supported."
</p>

<p>
	 
</p>

<p>
	<img alt="1password.png" class="ipsImage" data-ratio="75.10" height="540" width="622" src="https://www.ghacks.net/wp-content/uploads/2023/04/1password.png"></p>


<p>
	 
</p>

<p>
	1Password recommends that customers upgrade to 1Password 8, install the new browser extension in the browsers, and uninstall the classic extensions.
</p>

<p>
	 
</p>

<p>
	The company provides no timeline for the end of support. <a data-wpel-link="internal" href="https://www.ghacks.net/2023/04/06/google-is-postponing-the-end-of-manifest-v2-extensions-in-chrome-again/" rel="external nofollow">Google postponed the end of Manifest V2</a> support in Chromium, and thus in all browsers that use it as their core, again in April 2023. Google's initial plan was to start the process in January 2023, but it announced in December 2022 that it would postpone this.
</p>

<p>
	 
</p>

<p>
	Now, Google has confirmed that it will give extension developers six months of "heads-up" before it starts the process. In other words, the end of Manifest V2 extensions in Chrome and Chromium does not happen before October 2023.
</p>

<p>
	 
</p>

<p>
	Some 1Password customers use version 7 of the password manager on their devices. It is the last version that supports Windows versions prior to Windows 10 and 11, and also the last version that does not enforce cloud storage of password vaults.
</p>

<p>
	 
</p>

<p>
	It is interesting to note that Agile Bits includes the classic extension for Firefox in its end of support message. Mozilla's Firefox web browser will continue to support Manifest V2 next to Manifest V3, which means that the given reason does not apply to the open source browser.
</p>

<p>
	 
</p>

<p>
	There is one exception. Mac users who run 1Password for Mac may continue to run the extension for Safari, at least for the time being.
</p>

<p>
	 
</p>

<p>
	The support page offers no solution to customers who do not want their vaults to be pushed to the cloud.
</p>

<p>
	 
</p>

<p>
	Migration from 1Password to other password management solutions is possible. Other password management solutions include import options for 1Password passwords. <a data-wpel-link="external" href="https://bitwarden.com/help/import-from-1password/" rel="external nofollow" target="_blank">Bitwarden</a> and <a data-wpel-link="external" href="https://keepass.info/help/base/importexport.html" rel="external nofollow" target="_blank">KeePass</a> support it, and 1Password has a <a data-wpel-link="external" href="https://support.1password.com/export/" rel="external nofollow" target="_blank">support page</a> that explains how password data can be exported.
</p>

<p>
	 
</p>

<p>
	<strong>Now You: </strong>which password management solution do you use?
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/04/20/1password-ending-support-for-classic-browser-extensions/" rel="external nofollow">1Password ending support for classic browser extensions</a>
</p>
]]></description><guid isPermaLink="false">14687</guid><pubDate>Thu, 20 Apr 2023 05:25:14 +0000</pubDate></item><item><title>How ChatGPT&#x2014;and Bots Like It&#x2014;Can Spread Malware</title><link>https://nsaneforums.com/news/security-privacy-news/how-chatgpt%E2%80%94and-bots-like-it%E2%80%94can-spread-malware-r14679/</link><description><![CDATA[<h3>
	Generative AI is a tool, which means it can be used by cybercriminals, too. Here’s how to protect yourself.
</h3>

<p>
	 
</p>

<p>
	The AI landscape has started to move very, very fast: consumer-facing tools such as <a href="https://www.wired.com/gallery/where-the-ai-art-boom-came-from-and-where-its-going/" rel="external nofollow">Midjourney</a> and <a href="https://www.wired.com/story/11-tips-better-chatgpt-prompts/" rel="external nofollow">ChatGPT</a> are now able to produce incredible image and text results in seconds based on natural language prompts, and we're seeing them get deployed everywhere from web search to <a href="https://time.com/6240569/ai-childrens-book-alice-and-sparkle-artists-unhappy/" rel="external nofollow">children's books</a>.
</p>

<p>
	 
</p>

<p>
	However, these AI applications are being turned to more nefarious uses, including <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.techradar.com/news/chatgpt-is-being-used-to-lure-victims-into-downloading-malware"}' data-offer-url="https://www.techradar.com/news/chatgpt-is-being-used-to-lure-victims-into-downloading-malware" href="https://www.techradar.com/news/chatgpt-is-being-used-to-lure-victims-into-downloading-malware" rel="external nofollow" target="_blank">spreading malware</a>. Take the traditional scam email, for example: It's usually littered with obvious mistakes in its grammar and spelling—mistakes that the latest group of AI models don't make, as noted in <a href="https://www.europol.europa.eu/media-press/newsroom/news/criminal-use-of-chatgpt-cautionary-tale-about-large-language-models" rel="external nofollow">a recent advisory report from Europol</a>.
</p>

<p>
	 
</p>

<p>
	Think about it: A lot of phishing attacks and other security threats rely on social engineering, duping users into revealing passwords, financial information, or other sensitive data. The persuasive, authentic-sounding text required for these scams can now be pumped out quite easily, with no human effort required, and endlessly tweaked and refined for specific audiences.
</p>

<p>
	 
</p>

<p>
	In the case of ChatGPT, it's important to note first that developer OpenAI has built safeguards into it. Ask it to "write malware" or a "phishing email" and  it will tell you that it's "programmed to follow strict ethical guidelines that prohibit me from engaging in any malicious activities, including writing or assisting with the creation of malware."
</p>

<p>
	 
</p>

<figure>
	<div>
		<img alt="ChatGPT-Malware-Security-01-chatgpt.jpg" class="ipsImage" data-ratio="75.10" height="411" width="720" src="https://media.wired.com/photos/643f0b1eccab20835732aed1/master/w_1600,c_limit/ChatGPT-Malware-Security-01-chatgpt.jpg">
	</div>

	<div data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true">
		<p>
			<em>ChatGPT won't code malware for you, but it's polite about it.</em>
		</p>

		<p>
			<em> OpenAI via David Nield</em>
		</p>
	</div>
</figure>

<p>
	However, these protections aren't too difficult to get around: ChatGPT can certainly code, and it can certainly compose emails. Even if it doesn't know it's writing malware, it can be prompted into <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.malwarebytes.com/blog/news/2023/03/chatgpt-happy-to-write-ransomware-just-really-bad-at-it"}' data-offer-url="https://www.malwarebytes.com/blog/news/2023/03/chatgpt-happy-to-write-ransomware-just-really-bad-at-it" href="https://www.malwarebytes.com/blog/news/2023/03/chatgpt-happy-to-write-ransomware-just-really-bad-at-it" rel="external nofollow" target="_blank">producing something like it</a>. There are <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/"}' data-offer-url="https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/" href="https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/" rel="external nofollow" target="_blank">already signs</a> that cybercriminals are working to get around the safety measures that have been put in place.
</p>

<p>
	 
</p>

<p>
	We're not particularly picking on ChatGPT here, but pointing out what's possible once large language models (LLMs) like it are used for more sinister purposes. Indeed, it's not too difficult to imagine criminal organizations developing their own LLMs and similar tools in order to <a href="https://www.wired.com/story/large-language-model-phishing-scams/" rel="external nofollow">make their scams sound more convincing</a>. And it's not just text either: Audio and video are more difficult to fake, but it's happening as well.
</p>

<p>
	 
</p>

<p>
	When it comes to your boss asking for a report urgently, or company tech support telling you to install a security patch, or your bank informing you there's a problem you need to respond to—all these potential scams rely on building up trust and sounding genuine, and that's something AI bots are <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.information-age.com/darktrace-warns-of-phishing-scam-powered-by-chatgpt-123502038/"}' data-offer-url="https://www.information-age.com/darktrace-warns-of-phishing-scam-powered-by-chatgpt-123502038/" href="https://www.information-age.com/darktrace-warns-of-phishing-scam-powered-by-chatgpt-123502038/" rel="external nofollow" target="_blank">doing very well at</a>. They can produce text, audio, and video that sounds natural and tailored to specific audiences, and they can do it quickly and constantly on demand.
</p>

<p>
	 
</p>

<p>
	So is there any hope for us mere humans in the wave of these AI-powered threats? Is the only option to give up and accept our fate? Not quite. There are still ways you can minimize your chances of getting scammed by the latest technology, and they aren't so different from the precautions you should already be thinking about.
</p>

<h2 aria-level="3" role="heading">
	How to Guard Against AI-powered Scams
</h2>

<p>
	There are two types of AI-related security threats to think about. The first involves tools such as ChatGPT or Midjourney being used to get you to install something you shouldn't, like a browser plugin. You could be tricked into paying for a service when you don't need to, perhaps, or using a tool that looks official but isn't.
</p>

<p>
	 
</p>

<p>
	To avoid falling into these traps, make sure you're up to date with what's happening with AI services like the ones we've mentioned, and always go to the original source first. In the case of ChatGPT for example, there's no officially approved mobile app, and the tool is web-only. The standard rules apply when working with these apps and their spinoffs: Check their history, the reviews associated with them, and the companies behind them, just as you would when installing any new piece of software.
</p>

<p>
	 
</p>

<p>
	The second type of threat is potentially more dangerous: AI that’s used to create text, audio, or video that sounds convincingly real. The output might even be used to mimic someone you know—like the case of the voice recording <a href="https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402" rel="external nofollow">purportedly from a chief executive</a> asking for an urgent release of funds, which duped a company employee.
</p>

<p>
	 
</p>

<p>
	While the technology may have evolved, the same techniques are still being used to try and get you to do something urgently that feels slightly (or very) unusual. Take your time, double-check wherever possible using different methods (a phone call to check an email or vice versa), and watch out for red flags—a time limit on what you're being asked to do, or a task that's out of the ordinary.
</p>

<p>
	 
</p>

<figure>

	<div data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true">
		<p>
			<img alt="ChatGPT-Malware-Security-02-windows.jpg" class="ipsImage" data-ratio="75.10" height="411" width="720" src="https://media.wired.com/photos/643f0b1eefb7c021c4e00dd7/master/w_1600,c_limit/ChatGPT-Malware-Security-02-windows.jpg">
		</p>

		<p>
			<em>As always, keep your software and systems up to date.</em>
		</p>

		<p>
			<em> Microsoft via David Nield</em>
		</p>
	</div>
</figure>

<p>
	Following links you're not expecting from texts and emails is usually not a good idea, especially when you're being asked to log in somewhere. If your bank has apparently got in touch with a message, for example, go to the bank website directly in your browser to log in, rather than following any embedded link.
</p>

<p>
	 
</p>

<p>
	Keeping your operating systems, apps, and browsers up to date is a must (and this mostly happens automatically now, so there's no excuse). The most recent browsers will protect you against a whole host of phishing and scam attacks, whether the prompt designed to dupe you has been generated by AI or not.
</p>

<p>
	 
</p>

<p>
	There's no foolproof tool for detecting the presence of AI text, audio, or video at the moment, but there are certain signs to look out for: Think blurring and inconsistencies in pictures, or text that sounds generic and vague. While scammers may have scraped details about your life or your workplace from somewhere, it's unlikely that they know all the ins and outs of your operations.
</p>

<p>
	 
</p>

<p>
	In short, be cautious and question everything—that was true before the dawn of these new AI services, and it's true now. Like the face-morphing masks of the Mission: Impossible film series (which remain science fiction for now), you need to be absolutely sure that you're dealing with who you think you're dealing with before revealing anything.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/chatgpt-ai-bots-spread-malware/" rel="external nofollow">How ChatGPT—and Bots Like It—Can Spread Malware</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">14679</guid><pubDate>Wed, 19 Apr 2023 20:35:18 +0000</pubDate></item><item><title>Dangerous Chrome zero-day exploit discovered &#x2014; update your browser now</title><link>https://nsaneforums.com/news/security-privacy-news/dangerous-chrome-zero-day-exploit-discovered-%E2%80%94-update-your-browser-now-r14672/</link><description><![CDATA[<p>
	<span style="font-size:14px;"><strong>This is the second Chrome zero-day exploit patched in the past week</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It seems like it was just yesterday that we told you to <a href="https://www.tomsguide.com/how-to/how-to-update-chrome" rel="external nofollow">update Google Chrome</a> because of a <a href="https://www.tomsguide.com/news/hackers-are-using-this-chrome-zero-day-in-their-attacks-update-your-browser-right-now" rel="external nofollow">zero-day flaw</a> being exploited. But we promise it wasn’t — it was five days ago.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to <a href="https://www.bleepingcomputer.com/news/security/google-patches-another-actively-exploited-chrome-zero-day/" rel="external nofollow">Bleeping Computer</a>, Google has now patched a second zero-day vulnerability. This is based on an update from <a href="https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html" rel="external nofollow">Google</a> yesterday (April 18) that fixes CVE-2023-2136, a “high-severity integer overflow” vulnerability.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">An integer overflow occurs when a program performs a calculation whose result is larger than the space available to store it. The stored value is then incorrect, which can cause the program to behave erratically. That erratic behavior is what attackers are able to exploit.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This particular vulnerability occurs in Skia, which is an open-source 2D graphics library owned by Google and used in Chrome. Practically, it is used to give Chrome the ability to render “graphics, text, shapes, images, and animations.” So it is a key component of how the web browser operates.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, we don’t know much beyond that in terms of how the exploit works. Google’s standard operating procedure for these bugs is to identify them and fix them. They typically don’t divulge much information about the bug if it is being actively exploited.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The good news is that there is an easy way to keep yourself safe — install the latest update. The Stable Channel Update for Desktop, version 112.0.5615.137, fixes CVE-2023-2136 along with seven other bugs and is currently available for Windows and macOS users.</span>
</p>

<p>
	<span style="font-size:14px;">A Linux update is expected to come soon according to Google.</span>
</p>

<h2>
	<span style="font-size:14px;">Google’s second zero-day fix in a week</span>
</h2>

<p>
	<span style="font-size:14px;">Of course, this isn’t the first time we’ve reported a <a href="https://www.tomsguide.com/news/hackers-are-using-this-chrome-zero-day-in-their-attacks-update-your-browser-right-now" rel="external nofollow">zero-day flaw in Chrome</a> recently. Last week we reported on CVE-2023-2033, for which Google has since released a fix. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Again, because this is an actively exploited bug, Google didn’t release many details on the exploit. All we know is that it is a type confusion bug in the Chrome V8 JavaScript engine. Such bugs can allow memory access outside the bounds the program intended.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While it’s certainly scary to see these exploits found in quick succession, the good news is this is only the second such exploit this year. So hopefully, it is just a weird coincidence that they were found so close together rather than a sign that Chrome is more vulnerable than usual. </span>
</p>

<h2>
	<span style="font-size:14px;">How to keep your browser protected from hackers</span>
</h2>

<p>
	<span style="font-size:14px;">The most important thing you can do when these flaws are discovered is to update your browser. Regularly updating your browser won’t necessarily keep you safe from everything, but it will keep you as safe as possible.</span>
</p>


<p>
	<span style="font-size:14px;"><img alt="8U4pLyXXLQDffsXNuLx49f-970-80.png" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/8U4pLyXXLQDffsXNuLx49f-970-80.png" /></span>
</p>

<p>
	<span style="font-size:14px;"> (Image credit: Google) </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you haven’t installed the latest update yet, you should see a bubble next to your profile picture in Chrome. This bubble is color-coded based on how long it has been since the update became available: green means the update is two days old, orange means it is four days old, and red means it is at least a week old. Don’t let it get to red.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To download the latest version of Chrome, all you need to do is click on the bubble. If you do that, Chrome will install the update the next time you relaunch your browser. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">You can also manually update Chrome. To do this, just click on the three dots next to your profile picture, then click Help and then click About Google Chrome. This takes you to Chrome’s settings page where you can check to see if you’re running the latest version of Chrome.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Keeping your browser up to date is essential to protecting your computer from malware and other viruses. But you also want to install the <a href="https://www.tomsguide.com/us/best-antivirus,review-2588.html" rel="external nofollow">best antivirus software</a> on your PC or the best <a href="https://www.tomsguide.com/best-picks/best-mac-antivirus" rel="external nofollow">Mac antivirus software</a> on your Apple computer to make sure all your bases are covered.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.tomsguide.com/news/dangerous-chrome-zero-day-exploit-discovered-update-your-browser-now" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14672</guid><pubDate>Wed, 19 Apr 2023 20:13:46 +0000</pubDate></item><item><title>March 2023 broke ransomware attack records with 459 incidents</title><link>https://nsaneforums.com/news/security-privacy-news/march-2023-broke-ransomware-attack-records-with-459-incidents-r14670/</link><description><![CDATA[<p>
	<span style="font-size:14px;">March 2023 was the most prolific ransomware month recorded by cybersecurity analysts in recent years, with 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to NCC Group, which compiled a report based on statistics derived from its observations, the reason last month broke all ransomware attack records was CVE-2023-0669.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is a vulnerability in Fortra's GoAnywhere MFT secure file transfer tool that the Clop ransomware gang <a href="https://www.bleepingcomputer.com/news/security/goanywhere-mft-zero-day-vulnerability-lets-hackers-breach-servers/" rel="external nofollow">exploited as a zero-day</a> to steal data from <a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/" rel="external nofollow">130 companies</a> within ten days.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">March 2023 activity continues the upward trend observed by NCC Group since the start of the year (January and February), with the highest number of hack and data leak incidents recorded in the past three years.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="graph.jpg" class="ipsImage" data-ratio="64.31" height="425" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/22/graph.jpg" />
</div>

<div>
	<span style="font-size:14px;">Monthly ransomware attack graph, dark blue: 2022, light blue: 2023 (NCC Group)</span>
</div>

<h2>
	<span style="font-size:14px;">Activity spikes</span>
</h2>

<p>
	<span style="font-size:14px;">Clop performed 129 recorded attacks last month, topping NCC Group's chart of the most active ransomware gangs for the first time in its operational history.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Clop's CVE-2023-0669 exploitation spree displaced LockBit 3.0, which had 97 recorded attacks, to second place for the second time since September 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Other ransomware groups that had relatively significant activity during March 2023 are Royal ransomware, BlackCat (ALPHV), Bianlian, Play, Blackbasta, Stormous, Medusa, and Ransomhouse.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="actors.jpg" class="ipsImage" data-ratio="62.78" height="423" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/22/actors.jpg" />
	<p>
		<span style="font-size:14px;">Threat actors with the most attacks last month (NCC Group)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">This is not the first time Clop has performed a mass hack that propelled it to the top, as in early 2021, the ransomware group quickly <a href="https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/" rel="external nofollow">amassed over 100 victims</a> leveraging a zero-day vulnerability in Accellion's legacy File Transfer Appliance (FTA).</span>
</p>

<p>
	 
</p>

<div>
	<img alt="clop-spike.jpg" class="ipsImage" data-ratio="55.83" height="376" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/22/clop-spike.jpg" />
</div>

<div>
	<span style="font-size:14px;">Clop ransomware activity spike (NCC Group)</span>
</div>

<h2>
	<span style="font-size:14px;">Targeted sectors</span>
</h2>

<p>
	<span style="font-size:14px;">The most targeted sector in March 2023 was "Industrials," receiving 147 ransomware attacks, accounting for 32% of the recorded attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This sector includes professional and commercial services, machinery, tools, construction, engineering, aerospace &amp; defense, logistics, transport services, and more.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="sectors.jpg" class="ipsImage" data-ratio="63.19" height="428" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/22/sectors.jpg" />
	<p>
		<span style="font-size:14px;">Most targeted sectors by ransomware actors (NCC Group)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">In second place are "Consumer Cyclicals," encompassing construction supplies, specialty retailers, hotels, automobiles, media &amp; publishing, household goods, etc.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Other sectors that received significant attention from ransomware gangs are "Technology," "Healthcare," "Basic Materials," "Financials," and "Educational Services."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This month's three most active ransomware groups, namely Clop, LockBit, and Royal, primarily targeted companies within the "Industrials" sector. Clop and LockBit also directed a considerable amount of their efforts toward the "Technology" sector.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While these may be the most targeted sectors, it is important to note that ransomware attacks are usually not targeted but rather opportunistic.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Regarding the location of last month's victims, almost half of all attacks (221) breached entities in North America, Europe followed with 126 episodes, and Asia came third with 59 ransomware attacks.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="location.jpg" class="ipsImage" data-ratio="62.50" height="419" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/22/location.jpg" />
	<p>
		<span style="font-size:14px;">Location of ransomware victims (NCC Group)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The recorded activity spike in March 2023 highlights the importance of applying security updates as soon as possible, mitigating potentially unknown security gaps such as zero-days with additional defensive measures, and monitoring network traffic and logs for suspicious activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14670</guid><pubDate>Wed, 19 Apr 2023 19:05:09 +0000</pubDate></item><item><title>Ransomware gangs abuse Process Explorer driver to kill security software</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software-r14669/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection &amp; Response (EDR) software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In such attacks, malicious actors drop legitimate drivers signed with a valid certificate and capable of running with kernel privileges on the victims' devices to disable security solutions and take over the system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This technique is popular among various threat actors, from <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/" rel="external nofollow">state-backed hacking groups</a> to financially-motivated <a href="https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/" rel="external nofollow">ransomware gangs</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The AuKill malware, first spotted by Sophos X-Ops security researchers, drops a vulnerable Windows driver (procexp.sys) next to the one used by Microsoft's Process Explorer v16.32. This is a very popular and legitimate utility that helps collect information on active Windows processes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To escalate privileges, it first checks if it's already running with SYSTEM privileges, and if not, it impersonates the TrustedInstaller Windows Modules Installer service to escalate to SYSTEM.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To disable security software, AuKill starts several threads to continuously probe and disable security processes and services (and ensure they remain disabled by preventing them from restarting).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">So far, multiple AuKill versions have been observed in the wild, some deployed in at least three separate incidents that have led to Medusa Locker and LockBit ransomware infections since the start of the year.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target's protection and deploy the ransomware," Sophos X-Ops <a href="https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware."</span>
</p>

<p>
	 
</p>

<div>
	<img alt="AuKill%20timeline.png" class="ipsImage" data-ratio="75.10" height="417" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/AuKill%20timeline.png" />
	<p>
		<span style="font-size:14px;">AuKill timeline (Sophos X-Ops)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">AuKill is similar to an open-source tool called <a href="https://github.com/Yaxser/Backstab" rel="external nofollow">Backstab</a>, which also uses a Process Explorer driver to disable security solutions running on compromised devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Backstab was previously <a href="https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/" rel="external nofollow">deployed by the LockBit gang</a> in at least one attack observed by Sophos X-Ops while analyzing the cybercrime group's latest malware version, LockBit 3.0 or LockBit Black.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We have found multiple similarities between the open-source tool Backstab and AuKill," the researchers said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Some of these similarities include similar, characteristic debug strings, and nearly identical code flow logic to interact with the driver."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The oldest AuKill sample has a November 2022 compilation timestamp, while the newest was compiled in mid-February when it was also used as part of an attack linked to the LockBit ransomware group.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">14669</guid><pubDate>Wed, 19 Apr 2023 19:00:04 +0000</pubDate></item></channel></rss>
