A person in the Ministry of Information and Broadcasting (MIB) has confirmed that a letter was sent to Google India last week, asking the company to immediately remove all advertising for these betting platforms, both direct and surrogate. This move is part of the government's crackdown on illegal online gambling in the country.

In a statement to Mint, a senior ministry official said:

“After our last advisory on 3 October, TV channels and OTT players stopped showing surrogate ads of online betting firms, but it was brought to our notice that many such ads are running on YouTube and Google. We have asked Google to stop this immediately."

The government is concerned that many of its citizens are becoming addicted to or losing money to online betting companies that are able to operate in India by not having servers or physical presence in the country. Online betting is banned in many Indian states, but these companies are able to take advantage of the technicality of not being physically present to continue their operations.

The MIB has concluded that these betting sites pose significant risks for consumers, particularly youth and children, in terms of both finances and socio-economic impacts. As such, the government is taking steps to crack down on these illegal betting operations.

According to an estimate by the All India Gaming Federation (AIGF), a total of ₹5,000 crore (approximately $675 million) is being deposited in the accounts of multiple agents of overseas betting companies operating in India every month. However, there is no clarity on where this money is going or how it is being used, according to the lobby group.

This lack of transparency and regulation is a cause for concern, as it raises questions about the legitimacy of these transactions and the potential for illegal activities.

Source: Mint

Indian government asks Google to stop showing ads for overseas betting apps

Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.

The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.

In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says. 

In some scams, multiple accounts or people appeared to work together, the research says. A user with a good reputation can introduce one person to another. This accomplice then directs the victim to a scam website. In one instance, Wixey says, a user wanted to buy a fake copy of the NFT-focused game Axie Infinity. “They wanted a fake copy of it with the intent of basically siphoning off legitimate user’s funds,” Wixey says. “They bought this fake copy from someone else, and the fake copy contained a backdoor which then stole the stolen cryptocurrency.” The scammer was essentially being scammed through their own scam.

While it shouldn’t be a surprise that criminals often try to con each other—there’s no honor among cybercriminals, after all—the research shows how prevalent it is. In 2017, security firm Digital Shadows pointed out a database that had been created to name and shame known rippers. Similarly, in 2021, the firm found that some administrators on cybercrime forums are scamming their own customers. In the past decade, there have been thousands of complaints about criminals scamming each other, according to threat intelligence firm Analyst1. Meanwhile, a previous analysis from TrendMicro concluded that while forums and marketplaces have rules, they don’t deter scammers. “The perpetrators are typically those who go for quick profits over reputation,” the firm’s 2019 research says.

Arguably, the most organized scam that Sophos’ Wixey spotted stemmed from an investigation into the Genesis marketplace, which has been online since 2017 and sells hotel login details, cookies, and access to data from compromised systems. When researching Genesis, Sophos discovered a faked version of the website appearing high in Google’s search results. “This is a really bizarre case,” Wixey says. “It was a really basic WordPress template and it asked for money, whereas the real Genesis is invitation only.”

As well as not looking like the official Genesis market, the faked version showed other weird behaviors: It linked out to another cybercrime website, the Bitcoin address people could make payments to changed when someone clicked the copy and paste button on the website, and it was also being advertised on Reddit. These signs, Wixey says, hinted the fake could be a “coordinated” effort. Armed with details from the fake Genesis website—including portions of the text and cryptocurrency addresses—the researchers discovered 20 websites that all appear to be connected and run by the same group or individual. The websites all look the same and were registered between August 2021 and June 2022—eight of them are still live. 

Almost all of these websites, Wixey says, imitate defunct criminal marketplaces and try to get people to pay to access them. The scam appears to work, too. The researcher says the Bitcoin addresses the scam sites pay into have collectively received $132,000, although he is cautious to say the money may all have come from the false websites. Sophos appeared to find one threat user who may be behind the sites—an actor going by the handle “waltcranston.” Among several pieces of information linking the handle to the sites, someone with the username claimed to have created the fake marketplaces on another forum.

Despite not being able to fully confirm that waltcranston is behind the network of fake sites, Wixey says that criminals complaining about being scammed and trying to resolve their disputes through arbitration can be a potential rich source of intelligence for investigators. 

Because those complaining about scams need to post evidence to back up their claims, they often share screenshots containing more personal information than they may have intended. Sophos says it saw a “treasure trove” of data, including cryptocurrency addresses, transaction IDs, email addresses, victims’ names, some malware source code, and other information. All these details may help to uncover more information about the people behind the usernames or provide clues about how they operate.

In one scamming complaint, a user shared a screenshot that showed someone’s Telegram usernames, email addresses, Jabber chat names, plus Skype and Discord usernames. In others, IP addresses and countries where users may be situated are displayed. Screenshots reveal the software people use, as well as the websites they visit and details about their computer setup. In some instances, Wixey saw details of victims that the cybercriminals had targeted.

Criminals, by the nature of what they’re doing, are usually very cautious about sharing anything that may identify them. Real names are not used; they often will use anonymization services such as Tor. “They typically employ pretty good operational security, but with scam reports, that’s not so much the case,” Wixey says. “So much of this stuff is just not available anywhere else on these marketplaces.” Going forward, the data could prove a useful tool for tracking down some of the criminals. “It’s certainly a starting point,” Wixey says.

Scammers Are Scamming Other Scammers Out of Millions of Dollars

(May require free registration to view)

Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name DEV-0139, and builds upon a recent report from Volexity that attributed the same set of attacks to North Korea's Lazarus Group.

"DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members," the tech giant said.

The adversary subsequently impersonated another cryptocurrency investment company and invited the victim to join a different Telegram chat group under the pretext of asking for feedback on the trading fee structure used by exchange platforms across VIP tiers.

It's worth pointing out that the VIP program is designed to reward high-volume traders with exclusive trading fee incentives and discounts based on the activity in the past 30 days.

This attack chain notably dovetails with Volexity's analysis of an October 2022 campaign, wherein the threat actor pivoted from using MSI installer files to a weaponized Microsoft Excel document displaying the supposed cryptocurrency coin rates.

Microsoft described the document as containing likely accurate data to increase the likelihood of success of the campaign, suggesting that DEV-0139 is well versed in the inner workings of the crypto industry.

The malware-laced Excel file, for its part, is tasked with executing a malicious macro that's used to stealthily drop and execute a second Excel worksheet, which, in turn, includes a macro that downloads a PNG image file hosted on OpenDrive.

This image file contains three executables, each of which is used to launch the next-stage payload, ultimately paving the way for a backdoor that lets the threat actor remotely access the infected system.

Furthermore, the fee structure spreadsheet is password-protected in a bid to convince the target into enabling macros, thereby initiating the malicious actions. A metadata analysis of the file shows that it was created on October 14, 2022 by a user named Wolf.

DEV-0139 has also been linked to an alternative attack sequence in which an MSI package for a fake application named "CryptoDashboardV2" is delivered in place of a malicious Excel document to deploy the same implant.

The backdoor mainly enables remote access to the host by gathering information from the targeted system and connecting to a command-and-control (C2) server to receive additional commands.

"The cryptocurrency market remains a field of interest for threat actors," Microsoft said. "Targeted users are identified through trusted channels to increase the chance of success."

In recent years, Telegram has not only witnessed widespread adoption in the cryptocurrency industry, but also been co-opted by threat actors looking to discuss zero-day vulnerabilities, offer stolen data, and market their services through the popular messaging platform.

"With users losing confidence in the anonymity offered by forums, illicit marketplaces are increasingly turning to Telegram," Positive Technologies disclosed in a new study of 323 public Telegram channels and groups with over one million subscribers in total.

"The number of unique cyberattacks is constantly growing, and the market for cybercriminal services is expanding and moving into ordinary social media and messaging apps, thereby significantly lowering the entry threshold for cybercriminals."

Source

Recorded Future attributed the new infrastructure to a threat activity group it tracks under the name TAG-53, and is broadly known by the cybersecurity community as Blue Callisto, Callisto, COLDRIVER, SEABORGIUM, and TA446.

"Based on historical public reporting on overlapping TAG-53 campaigns, it is likely that this credential harvesting activity is enabled in part through phishing," Recorded Future's Insikt Group said in a report published this week.

The cybersecurity firm said it discovered 38 domains, nine of which contained references to companies like UMO Poland, Sangrail LTD, DTGruelle, Blue Sky Network, the Commission for International Justice and Accountability (CIJA), and the Russian Ministry of Internal Affairs.

It's suspected that the themed domains are likely an attempt on part of the adversary to masquerade as authentic parties in social engineering campaigns.

"Notably, a consistent trend has emerged regarding the use of specifically tailored infrastructure by TAG-53 highlighting the long-term use of similar techniques for their strategic campaigns," the researchers said.

The development comes nearly four months after Microsoft disclosed that it took steps to disrupt phishing and credential theft attacks mounted by the group with the goal of breaching defense and intelligence consulting companies as well as NGOs, think tanks, and higher education entities in the U.K. and the U.S.

Enterprise security company Proofpoint has further called out the group for its sophisticated impersonation tactics to deliver rogue phishing links.

Terms used in TAG-53 linked domains

Additionally, the threat actor has been attributed with low confidence to a spear-phishing operation targeting Ukraine's Ministry of Defence, which coincided with the onset of Russia's military invasion of the country earlier this March.

SEKOIA.IO, in a separate write-up, corroborated the findings, uncovering a total of 87 domains, with two of them alluding to private sector companies Emcompass and BotGuard. Also targeted were four NGOs involved in Ukraine crisis relief.

One of those attacks involved email communications between the NGO and the attacker using a spoofed email address mimicking a trusted source, followed by sending a malicious PDF containing a phishing link in an attempt to evade detection from email gateways.

"The email exchange shows that the attacker did not include the malicious payload in the first email, but waited to get an answer to build a relationship and avoid suspicion before sending the payload to the victim," the cybersecurity company explained.

The use of typosquatted Russian ministry domains further adds weight to Microsoft's assessment that SEABORGIUM targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

SEKOIA.IO also characterized the targeting of CIJA as an intelligence gathering mission designed to amass "war crime-related evidence and/or international justice procedures, likely to anticipate and build counter narrative on future accusations."

The disclosures arrive as threat intelligence firm Lupovis revealed that Russian threat actors have compromised the IT environments belonging to several companies in the U.K., the U.S., France, Brazil, South Africa, and are "rerouting through their networks" to launch attacks against Ukraine.

Microsoft, in the meanwhile, has warned of "potential Russian attack in the digital domain over the course of this winter," pointing out Moscow's "multi-pronged hybrid technology approach" of conducting cyber strikes against civilian infrastructure and influence operations seeking to fuel discord in Europe.

Source

New Musk followers are being added to a "Deal of the Year" list on Twitter that lures them into depositing small crypto amounts into the attackers' wallet with the false promise of receiving up to 5000 Bitcoin in return.

Fake Elon: '1000 new followers' get '5000 BTC'

Twitter accounts following Elon Musk, Tesla, SpaceX and related accounts are being targeted in a crypto giveaway scam dubbed 'Freedom Giveaway,' BleepingComputer has discovered.

I gave @elonmusk a follow today to keep up to date with Twitter news. Within a few hours of doing so, I received this mysterious notification:

Suspicious notification targeting new Elon Musk followers (BleepingComputer)

 

A pseudonymous account with Twitter logo set as its profile pic had added me to a Twitter list called 'Deal of the Year.'

For most Twitter accounts, including Musk's, the list of their followers is public and can be monitored by anyone including bots and threat actors for nefarious purposes. 

On mobile, this is how the 'Deal of the Year' list looks like:

Twitter 'Deal of the Year' list is a scam (BleepingComputer)

 

As of today, the list has 155 members added by its admin (the threat actor), and these accounts when reviewed by BleepingComputer were seen following Elon Musk, Tesla, SpaceX and related organizations on Twitter.

Notice the header image at the top.

The banner appears to be an actual tweet from Elon Musk's official account promising free crypto to "1000 new followers" chosen randomly.

That is until you notice the real user name behind the scam account i.e., '@CroweYoshiko' placed right beneath the list name, 'Deal of the Year' with its profile pic (Twitter logo) lending some credibility to it.

The advertised URL, freedomgiveaway.net is also convincing, given Mr. Musk is a self-described free speech absolutist, frequently tweets about 'freedom' of speech [1, 2], and has taken controversial steps to steer Twitter in that direction.

Bogus quiz asks you for BTC address

On the freedomgiveaway.net website, users are greeted with a prompt to confirm that they "are over the age of 18 years," and further presented with bogus quiz questions on Tesla, StarLink, and Musk. The answers to these are largely public knowledge.

Bogus quiz presented by 'Freedom Giveaway' website (BleepingComputer)

 

On answering the 3-4 questions, correctly or not, users are presented with a screen instructing them to key in their Bitcoin wallet address. Regardless of whether you select Ethereum, Bitcoin, Binance Coin, or "I don't use cryptocurrency," the website will still prompt you for a BTC address.

The website promises that your wallet will be credited with 5000 BTC, but first you must deposit a small amount—from 0.02 BTC to 1 BTC.

The false pretense is, the amount sent by the unsuspecting victim will be "multiplied" by 5-10 times with the large sum being credited back to the victim's wallet.

'Freedom Giveaway' asks you for your Bitcoin (BTC) wallet address (BleepingComputer)

 

The attacker's advertised Bitcoin address is:

As with any crypto giveaway scam, the victim ends up sending the funds to the attacker's wallet but never receives any amount back.

To make itself appear more legitimate, the website is flooded with inauthentic comments praising Musk and the giveaway. Many of these are likely posted by bots or fake users: 

Fake reviews on FreedomGiveaway.net scam site (BleepingComputer)

 

A September report by cybersecurity firm Group-IB revealed the number of crypto giveaway scam domains had tripled this year.

In May, an investigation by McAfee and BleepingComputer found fake crypto giveaways had stolen millions from victims by reusing Elon Musk's Ark Invest YouTube videos to lure victims towards fake, scam domains.

At the time of writing, the wallet used by the 'Freedom Giveaway' scam shows a $0.00 balance indicating no one has fallen for the scam yet. But the scam might be too new, and given some of its convincing elements, BleepingComputer feels warning about the scam is in public interest.

Twitter accounts following famous personalities should be wary of suspicious messages and notifications heading their way.

Source

According to a report by the cyber-intelligence company Group-IB, 'CryptosLabs' is one of the most well-organized crime groups of its kind, featuring kingpins, sales agents, developers, and call-center operators.

The crime group uses its own scam kit to set up websites that impersonate over 40 well-known European companies engaged in fin-tech, cryptocurrency and NFT investments, asset management, and banking services.

Group-IB mapped the CryptosLabs network of malicious domains, reporting over 300 websites hosted on 70 servers.

These websites are used in "pig butchering" scams, tricking victims into believing they are making investment profits, prolonging the defrauding period, and the potential financial gains for the scammers.

Pigs get slaughtered

The CryptosLabs investment scam targets French-speaking internet users, luring them into the fake investment sites via malicious advertising on Google Ads and social media platforms and posts on social media and investment sites.

The posts and ads promote investment opportunities that guarantee high returns at virtually no risk of losing your money.

When victims click on the ads, they are taken to a landing page where they are prompted to enter their details. Call-center operators then use these details for follow-up contact.

One of the landing pages used in CryptosLabs campaigns (Group-IB)

 

At this stage, the call-center agent provides the victim with credentials to access the fraudulent investment platform.

The 300 sites used in this scam feature different templates but similar JavaScipt code and files, which indicates the same group is behind all of them.

When the victim first logs in, they deposit between €200 and €300 ($315) on a virtual balance. The victim then witnesses their investment grow exponentially and quickly, with the rise being reflected in falsified performance charts.

Fake investment platform (Group-IB)

 

The CryptosLabs scam kit, used to automate the deployment of these websites, also includes a CRM platform that allows operators to get an overview of their campaigns, view victim profiles, and communicate with them via IP telephony or chat.

The CRM leads panel (Group-IB)

 

With the victims seeing a quick rise in profits, the scammers utilize other social engineering tactics to trick the victim into investing even more money.

The victims (the "Pigs") continue to invest more until they realize they cannot withdraw any funds even when paying the "release fees," which is just a final money grab.

This is when the scam ends, with the victim losing significant amounts of money in the process, hence the name "Pig Butchering."

"The Group-IB team is aware of at least 20 victims from France who signed up with the same trading platforms and collectively handed over €280,000 to the scammers," comments Group-IB analyst Anthony Abihssira.

"Based on Group-IB's rough estimates, CryptosLabs's all-time earnings could be as high as €480 million."

Group-IB has informed the impersonated brands of the scam sites and shared its findings with the law enforcement authorities in France, but the CryptosLabs campaigns are still underway.

To minimize the chances of losing money to investment scams, treat promises about guaranteed returns as a red flag and verify the legitimacy of the investment platforms before depositing any money.

Source

Google TAG was made aware of this recent attack on October 31 when multiple VirusTotal submitters from South Korea uploaded a malicious Microsoft Office document named "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx."

Once opened on the victims' devices, the document would deliver an unknown payload after downloading a rich text file (RTF) remote template that would render remote HTML using Internet Explorer.

Loading the HTML content that delivered the exploit remotely allows the attackers to exploit the IE zero-day even if the targets weren't using it as their default web browser.

The vulnerability (tracked as CVE-2022-41128) is due to a weakness in the JavaScript engine of Internet Explorer, which allows threat actors who successfully exploit it to execute arbitrary code when rendering a maliciously crafted website.

Microsoft patched it during last month's Patch Tuesday, on November 8, five days after assigning it a CVE ID following a report from TAG received on October 31.

Malicious Office document used as lure by APT37 hackers (Google TAG)

No information on malware pushed to victims' devices

While Google TAG couldn't analyze the final malicious payload distributed by the North Korean hackers on their South Korean targets' computers, the threat actors are known for deploying a wide range of malware in their attacks.

"Although we did not recover a final payload for this campaign, we've previously observed the same group deliver a variety of implants like ROKRAT, BLUELIGHT, and DOLPHIN," Google TAG's Clement Lecigne and Benoit Stevens said.

"APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors."

APT37 has been active for roughly a decade, since at least 2012, and was previously linked to the North Korean government with high confidence by FireEye.

The threat group is known for focusing its attacks on individuals of interest to the North Korean regime, including dissidents, diplomats, journalists, human rights activists, and government employees.

The Microsoft Security Threat Intelligence team has published a new report outlining the details of a new threat to cryptocurrency investment companies that is targeting them via Telegram. Microsoft is referring to the new threat actor as DEV-0139. The says:

“DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms.”

This marks an escalation of the common phishing-type scams that see malicious actors trying to trick unsuspecting victims into clicking links to infected sites or downloading malicious files. In this instance, through exhibiting a broader knowledge of the crypto industry, DEV-0139 has been able to gain the trust of representatives from crypto investment companies and trick them into acting against their own interests.

Once contact has been established and trust gained, DEV-0139 pushes victims to download a “weaponized Excel file” called OKX Binance & Huobi VIP fee comparision.xls. Although this file does contain information and tables that look reputable, it also initiates a string of events that lead to the opening of backdoors that give DEV-0139 remote access to the machine.

Microsoft has not attributed this attack to any specific actor or group, instead focusing on the identifier DEV-0139. However, according to a report by BleepingComputer, threat intelligence firm Volexity has published similar findings to Microsoft and connects the threat actor to the North Korean Lazarus Threat Group. The report goes on to say that this group is also thought to be responsible for other big attacks such as the WannaCry ransomware attack of 2017.

This story highlights just how important it is to be careful when interacting online and when clicking links or downloading files. Phishing scams are becoming increasingly prevalent and dangerous, which is why we recommend familiarising yourselves with the tell-tale signs of phishing scams as shown in this infographic looking at scam emails and correspondences.

Source

The international human rights non-governmental organization (NGO) says it first detected the breach on October 5, when it spotted suspicious activity on its IT infrastructure. 

After detecting the attack, the NGO hired the services of cybersecurity firm Secureworks to investigate the attack and secure its systems.

"The investigation's preliminary results indicate that a digital security breach was perpetrated using tools and techniques associated with specific advanced persistent threat groups (APTs)," Amnesty International Canada said.

"Forensic experts with leading international cyber-security firm Secureworks later established that 'a threat group sponsored or tasked by the Chinese state' was likely behind the attack."

The attack was linked to a suspected Chinese threat group based on the attackers' tactics, techniques, and procedures (TTPs) and the information they targeted, all consistent with Chinese state hackers' known behavior and tools.

No evidence of data exfiltration

Secureworks' investigation is yet to unearth evidence showing whether the attackers exfiltrated donor or membership data.

The NGO reported the security breach to relevant law enforcement authorities and notified staff, donors, and other stakeholders about the incident.

"This case of cyberespionage speaks to the increasingly dangerous context which activists, journalists, and civil society alike must navigate today," Secretary General of Amnesty International Canada Ketty Nivyabandi said.

"Our work to investigate and denounce these acts has never been more critical and relevant. We will continue to shine a light on human rights violations wherever they occur and to denounce the use of digital surveillance by governments to stifle human rights."

The attack comes as no surprise, given Amnesty International's reports and commentary on the Chinese government's ongoing abuse of human rights.

The STAR Labs team was the first to successfully exploit a zero-day on Samsung's flagship device by executing their improper input validation attack on their third attempt, earning $50,000 and 5 Master of Pwn points.

Another contestant, Chim, also demoed a successful exploit targeting the Samsung Galaxy S22 and was able to execute an improper input validation attack earning $25,000 (50% of the prize for the second round of targeting the same device) and 5 Master of Pwn points.

"The first winner on each target will receive the full cash award and the devices under test," the competition's organizers explain.

"For the second and subsequent rounds on each target, all other winners will receive 50% of the prize package, however, they will still earn the full Master of Pwn points."

According to the contest's rules, in both cases, the Galaxy S22 devices ran the latest version of the Android operating system with all available updates installed.

During this first day of the competition, contestants have also successfully demoed exploits targeting zero-day bugs in printers and routers from multiple vendors, including Canon, Mikrotik, NETGEAR, TP-Link, Lexmark, Synology, and HP.

Contest extended to four days

At Pwn2Own Toronto, security researchers can target mobile phones, home automation hubs, printers, wireless routers, network-attached storage, smart speakers, and other devices, all of them up to date and in their default configuration.

They can win the highest rewards in the mobile phone category, with cash prizes of up to $200,000 for hacking Google Pixel 6 and Apple iPhone 13 smartphones.

Hacking Google and Apple devices also can provide $50,000 bonuses if the exploits execute with kernel-level privilege, bringing the maximum award for a single challenge to a total of $250,000 for a full exploit chain with kernel-level access.

Pwn2Own Toronto's consumer-focused event has been extended to four days (between December 6th and December 8th) after 26 teams and contestants have registered to exploit 66 targets across all categories.

You can find the complete schedule of the competition contest here. The full schedule for Pwn2Own Toronto 2022's first day and the results for each challenge are listed here.

On the second day of the competition, the Samsung Galaxy S22 will once again be put to the test by hackers at vulnerability research firm Interrupt Labs.

Meta needs explicit user consent to run personalized ads, EU watchdog rules

Amazon ad verification program buys access to your phone’s soul for $2 a month

The flaws were discovered by Eclypsium in August 2022 and could enable attackers, under certain conditions, to execute code, bypass authentication, and perform user enumeration.

The researchers discovered the flaws after examining leaked proprietary code of American Megatrends, specifically, the MegaRAC BMC firmware.

MegaRAC BMC is a solution for complete “out-of-band” and “lights-out” remote system management, allowing admins to troubleshoot servers remotely as if standing in front of the device.

MegaRAC BMC firmware is used by at least 15 server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

Vulnerability details

The three vulnerabilities discovered by Eclypsium and reported to American Megatrends and impacted vendors are the following:

• CVE-2022-40259: Arbitrary code execution flaw via Redfish API due to improper exposure of commands to the user. (CVSS v3.1 score: 9.9 “critical”)
• CVE-2022-40242: Default credentials for sysadmin user, allowing attackers to establish administrative shell. (CVSS v3.1 score: 8.3 “high”)
• CVE-2022-2827: Request manipulation flaw allowing an attacker to enumerate usernames and determine if an account exists. (CVSS v3.1 score: 7.5 “high”)

The most severe of the three flaws, CVE-2022-40259, requires prior access to at least a low-privileged account to perform the API callback.

“The only complication is the attack sits in the path parameter, but it is not URLdecoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command,” says Eclypisum.

For the exploitation of CVE-2022-40242, the only prerequisite for the attacker is to have remote access to the device.

Impact

The first two flaws are very severe due to giving attackers access to an administrative shell without requiring further escalation.

The vulnerabilities could cause data manipulation, data breaches, service outage, business interruption, and more if successfully leveraged.

The third flaw doesn’t have a significant direct security impact, as knowing what accounts exist on the target isn’t enough to cause any damage.

However, it would open the way to brute-forcing passwords or performing credential-stuffing attacks.

“As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers,” comments Eclypsium in the report.

System admins are recommended to disable remote administration options and add remote authentication steps where possible.

Additionally, admins should minimize the external exposure of server management interfaces like Redfish and ensure that the latest available firmware updates are installed on all systems.

"Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies," the company's Security Threat Intelligence team revealed.

"DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members."

On October 19, attackers with broad knowledge of the crypto investment industry invited at least one target (posing as representatives of other crypto asset management firms) to another Telegram group, where they asked for feedback on cryptocurrency exchange platforms' fee structure.

After gaining their targets' trust, the threat actors sent them malicious Excel spreadsheets named "OKX Binance & Huobi VIP fee comparision.xls" with a data comparison (likely accurate to increase credibility) between the VIP fee structures of crypto exchange companies.

Malicious Excel sheet (BleepingComputer)

 

Once the victim opens the document and enables macros, a second worksheet embedded in the file will download and parse a PNG file to extract a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable later used to sideload the DLL.

This DLL will decrypt and load the backdoor, providing the attackers with remote access to the victim's compromised system.

"The main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros," Microsoft explained. 

"The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion."

DEV-0139 has also delivered a second payload as part of this campaign, an MSI package for a CryptoDashboardV2 app, suggesting that they're also behind other attacks using the same technique to push custom payloads.

Attack overview (Microsoft)

 

While Microsoft has not attributed this attack to a specific group and instead chose to link it to the DEV-0139 cluster of threat activity, threat intelligence firm Volexity has also published its own findings on this attack over the weekend, connecting it to the North Korean Lazarus threat group.

According to Volexity, the North Korean hackers used the malicious crypto-exchange fee comparison spreadsheet to drop the AppleJeus malware Lazarus has previously used in cryptocurrency hijacking and digital asset theft operations.

Volexity also observed Lazarus using a website clone for the HaasOnline automated cryptocurrency trading platform to distribute a trojanized BloxHolder app which would instead deploy AppleJeus malware bundled within the QTBitcoinTrader app.

Microsoft says it notified customers who have been compromised or targeted in these attacks and shared the information needed to secure their accounts.

The Lazarus Group is a hacking group operating out of North Korea that has been active for over a decade, since at least 2009.

Its operatives are known for attacks on high-profile targets worldwide, including banks, media organizations, and government agencies.

The group is thought to be responsible for high-profile cyber attacks, including the 2014 Sony Pictures hack and the WannaCry ransomware attack of 2017. 

Source

"As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident," the company said in an update to the initial incident report.

"We have since determined this suspicious activity was the result of a ransomware incident."

Rackspace says that the investigation, led by a cyber defense firm and its own internal security team, is in its early stages with no info on "what, if any, data was affected."

The cloud service provider says it will notify customers if it finds evidence that the attackers gained access to their sensitive information.

"Based on the investigation to date, Rackspace Technology believes that this incident was isolated to its Hosted Exchange business," the company added in a press release.

"Rackspace Technology's other products and services are fully operational, and the company has not experienced an impact to its Email product line and platform."

The company also revealed in today's press release and in an 8-K SEC filing that it expects a loss of revenue due to the ransomware attack's impact on its $30 million Hosted Exchange business.

"Although Rackspace Technology is in the early stages of assessing this incident, the incident has caused and may continue to cause an interruption in its Hosted Exchange business and may result in a loss of revenue for the Hosted Exchange business, which generates approximately $30 million of annual revenue in the Apps & Cross Platform segment," the company said.

"In addition, Rackspace Technology may have incremental costs associated with its response to the incident."

Rackspace's outage still affects all services in its Hosted Exchange environment, including MAPI/RPC, POP, IMAP, SMTP, and ActiveSync, as well as the Outlook Web Access (OWA) interface that provides access to online email management.

Today's announcement comes four days after the company initially acknowledged the outage on its status page, on Friday night, at 02:49 AM EST.

Rackspace revealed the actual cause of the outage twenty-four hours later, describing it as a security incident "isolated to a portion of our Hosted Exchange platform" that forced it to shut down and disconnect the Hosted Exchange environment.

The company confirmed today some of its customer's concerns, who suspected, due to the limited information, that the outage might be the result of a malware or ransomware attack.

Starting Friday evening, Rackspace has been providing affected customers with Microsoft Exchange Plan 1 licenses and detailed instructions on how to migrate their email to Microsoft 365 until the outage is addressed (info on activating the free licenses and migrating users' mailboxes to Microsoft 365 is available in Rackspace's incident report). 

The company also provides a temporary solution for customers during the migration to Microsoft 365: a forwarding option that will automatically route all mail sent to a Hosted Exchange user to an external email address.

"At this time, we are unable to provide a timeline for restoration of the Hosted Exchange environment. We are working to provide customers with archives of inboxes where available, to eventually import over to Microsoft 365," Rackspace added in today's update.

"The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity," CrowdStrike researcher Tim Parisi said in an analysis published last week.

The financially motivated attacks have been attributed by the cybersecurity company to an actor tracked as Scattered Spider.

Initial access to the target environment is said to be undertaken through a variety of methods ranging from social engineering using phone calls and messages sent via Telegram to impersonate IT personnel.

This technique is leveraged to direct victims to a credential harvesting site or trick them into installing commercial remote monitoring and management (RMM) tools like Zoho Assist and Getscreen.me.

Should the target accounts be secured by two-factor authentication (2FA), the threat actor either convinced the victim into sharing the one-time password or employed a technique called prompt bombing, which was put to use in the recent breaches of Cisco and Uber.

In an alternative infection chain observed by CrowdStrike, a user's stolen credentials previously obtained through unknown means were used by the adversary to authenticate to the organization's Azure tenant.

Another instance involved the exploitation of a critical remote code execution bug in ForgeRock OpenAM access management solution (CVE-2021-35464) that came under active exploitation last year.

Many of the attacks also involved Scattered Spider gaining access to the compromised entity's multi-factor authentication (MFA) console to enroll their own devices for persistent remote access through legitimate remote access tools to avoid raising red flags.

Initial access and persistence steps are followed by reconnaissance of Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS environments as well as conducting lateral movement, while also downloading additional tools to exfiltrate VPN and MFA enrollment data in select cases.

"These campaigns are extremely persistent and brazen," Parisi noted. "Once the adversary is contained or operations are disrupted, they immediately move to target other organizations within the telecom and BPO sectors."

Source

"At present, the VTB technological infrastructure is under unprecedented cyberattack from abroad," stated a VTB spokesperson to TASS (translated).

"It is not only the largest cyberattack recorded this year, but in the entire history of the bank."

The bank says its internal analysis indicates the DDoS attack was planned and orchestrated with the specific purpose of causing inconvenience to its customers by disrupting its banking services.

At this time, VTB's online portals are offline, but the institute says all core banking services operate normally. 

Moreover, VTB says customer data are protected as it's stored in the internal perimeter of its infrastructure, which the attackers have not breached.

The bank says it has identified that most malicious DDoS requests originate from outside the country. However, there are several Russian IP addresses involved in the attack too.

This means that foreign actors either use local proxies for the attacks or have managed to recruit local dissidents in their DDoS campaign.

Information about these IP addresses has been relayed to the Russian law enforcement authorities for criminal investigation.

VTB is 61% state-owned, with the Ministry of Finance and Ministry of Economic Development having a share in the group, so these attacks have a political hue, being an indirect blow to the Russian government.

'IT Army of Ukraine' claims attack

The pro-Ukraine hacktivist group, 'IT Army of Ukraine,' has claimed responsibility for the DDoS attacks against VTB, announcing the campaign on Telegram at the end of November.

Hacktivists announcing VTB as the target
(BleepingComputer)

 

The particular group of hacktivists was formed with the official blessing of the Ukrainian government in February 2022, attempting to strengthen the country’s cyber front.

Notable service disruptions caused by the ‘IT Army of Ukraine’ include an outage in the portal used by vodka producers and distributors and the downing of the sites of Rostec, a leading Russian aerospace and defense conglomerate.

The pro-Ukraine hacktivists have been very active in November, targeting over 900 Russian entities, including stores selling military equipment and drones, the Central Bank of Russia, the National Center for the Development of Artificial Intelligence, and Alfa Bank.

The first signs of disruption on VTB came on December 1, 2022, when the hacktivists posted complaints about VTB customers on social media that the bank tried to play down.

Follow-up to showcase disruption in VTB
(BleepingComputer)

 

With the bank's service disruption more evident now, as the websites and mobile apps are no longer available, VTB had to publicly admit it is fighting a DDoS attack.

Source

The flaw (tracked as CVE-2022-4262) was patched as an actively exploited zero-day bug in the Google Chrome web browser on Friday for Windows, Mac, and Linux users.

In a security advisory published right before the weekend, Google said it "is aware of reports that an exploit for CVE-2022-4262 exists in the wild."

This is the ninth Chrome zero-day exploited in the wild that Google has patched since the start of the year.

The bug is caused by a high-severity type confusion weakness in the Chromium V8 JavaScript engine reported by Clement Lecigne of Google's Threat Analysis Group.

Although type confusion flaws would generally lead to browser crashes following successful exploitation by reading or writing memory out of buffer bounds, attackers can also exploit them for arbitrary code execution.

While the company said it detected attacks exploiting this zero-day, it is yet to share technical details or information regarding these incidents likely to allow the security update to roll out to all impacted systems and provide users with enough time to upgrade their browsers before more attackers develop their own CVE-2022-4262 exploits.

Federal agencies ordered to patch within the next three weeks

According to a November 2021 binding operational directive (BOD 22-01), all Federal Civilian Executive Branch Agencies (FCEB) agencies now must patch their systems against this bug according to the timeline provided by CISA.

They were given three weeks, until December 26th, to patch all vulnerable Chrome installations on their systems to ensure that ongoing exploitation attempts would be blocked.

Even though the BOD 22-01 directive only applies to US FCEB agencies, the DHS cybersecurity agency also strongly urged all U.S. organizations from both private and public sectors to prioritize patching this actively exploited bug.

Taking this advice to heart would help decrease the attack surface threat actors can exploit in attempts to breach the agencies' networks.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," the U.S. cybersecurity agency explained.

Since the binding directive was issued, CISA has added hundreds of security bugs to its catalog of known exploited vulnerabilities, ordering U.S. federal agencies to patch them as soon as possible to block potential security breaches.

Redmond said in a report published over the weekend that it observed a pattern of targeted attacks on infrastructure in Ukraine by the Russian military intelligence threat group Sandworm in association with missile strikes.

The attacks have been accompanied by a propaganda campaign to undermine Western support (from the U.S., EU, and NATO) for Ukraine.

Russian propaganda has also sought to undermine European support for Ukraine and sow discord, with the end goal of disrupting the supply of aid and weaponry to Ukraine.

These attacks are expected to continue and could extend beyond Ukraine's borders to target countries and companies providing the country with vital supplies.

Microsoft says that Europe should be prepared for "several lines of potential Russian attack in the digital domain over the course of this winter."

"We believe these recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter," the company said.

"Russia will seek to exploit cracks in popular support for Ukraine to undermine coalitions essential to Ukraine's resilience, hoping to impair the humanitarian and military aid flowing to the region.

"We should also be prepared for cyber-enabled influence operations that target Europe to be conducted in parallel with cyberthreat activity."

Sandworm is a group of elite Russian hackers that have been active for at least two decades, previously linked to malicious campaigns leading to the Ukrainian blackouts of 2015 and 2016 [1, 2, 3], the KillDisk wiper attacks targeting Ukrainian banks,

and the NotPetya ransomware.

Russian threat actors target Ukraine and NATO allies

This report comes after Microsoft warned in June that Russian intelligence agencies (including the GRU, SVR, and FSB) have stepped up cyberattacks against governments of countries that have been helping Ukraine after Russia's invasion, attempting to breach entities in dozens of countries worldwide.

The vast majority of the attacks were primarily focused on obtaining sensitive info from governments of countries playing crucial roles in NATO's and the West's response to Russia's war.

Recent ransomware attacks targeting Ukraine in late November have also been linked to the Sandworm Russian military hackers.

Slovak software company ESET who first spotted the wave of attacks, said at the time the ransomware they named RansomBoggs had been found on the networks of multiple Ukrainian organizations.

Microsoft also said Sandworm was behind Prestige ransomware attacks targeting the supply chain by attacking transportation and logistics companies in Ukraine and Poland starting in October.

In late March, the Google Threat Analysis Group (TAG) observed phishing attacks on NATO and European military entities coordinated by the COLDRIVER Russian-based threat group.

Another Google TAG report from March with even more details on malicious activity linked to Russia's war in Ukraine exposed Russian, Chinese, and Belarus state hackers' efforts to compromise Ukrainian and European orgs and officials.

Source

The campaign was spotted by Crowdstrike, who says the attacks started in June 2022 and are still ongoing, with the security researchers able to identify five distinct intrusions.

The attacks have been attributed with low confidence to hackers tracked as 'Scattered Spider,' who demonstrate persistence in maintaining access, reversing mitigations, evading detection, and pivoting to other valid targets if thwarted.

The campaign's ultimate goal is to breach telecom network systems, access subscriber information, and conduct operations such as SIM swapping.

Five intrusion events attributed to Scattered Spider (Crowdstrike)

Campaign details

The threat actors gain initial access to corporate networks using a variety of social engineering tactics.

These tactics include calling employees and impersonating IT staff to harvest credentials or using Telegram and SMS messages to redirect targets to custom-crafted phishing sites that feature the company's logo.

If MFA protected the target accounts, the attackers either employed push-notification MFA fatigue tactics or engaged in social engineering to get the codes from the victims.

In one case, the adversaries exploited CVE-2021-35464, a flaw in the ForgeRock AM server, to run code and elevate their privileges on an AWS instance.

"Leveraging AWS Instance Roles to assume or elevate privileges from the Apache Tomcat user, the adversary would request and assume permissions of an instance role using a compromised AWS token," explains Crowdstrike.

Curl command for privilege escalation in AWS using the LinPEAS tool (Crowdstrike)

 

Once the hackers gain access to a system, they attempt to add their own devices to the list of trusted MFA (multi-factor authentication) devices using the compromised user account.

Crowdstrike noticed the hackers using the following utilities and remote monitoring and management (RMM) tools in their campaigns:

• AnyDesk
• BeAnywhere
• Domotz
• DWservice
• Fixme.it
• Fleetdeck.io
• Itarian Endpoint Manager
• Level.io
• Logmein
• ManageEngine
• N-Able
• Pulseway
• Rport
• Rsocx
• ScreenConnect
• SSH RevShell and RDP Tunnelling via SSH
• Teamviewer
• TrendMicro Basecamp
• Sorillus
• ZeroTier

Many of the above are legitimate software commonly found in corporate networks and hence unlikely to generate alerts on security tools.

In intrusions observed by Crowdstrike, the adversaries were relentless in their attempts to maintain access to a breached network, even after being detected.

"In multiple investigations, CrowdStrike observed the adversary become even more active, setting up additional persistence mechanisms, i.e. VPN access and/or multiple RMM tools, if mitigation measures are slowly implemented," warned CrowdStrike.

"And in multiple instances, the adversary reverted some of the mitigation measures by re-enabling accounts previously disabled by the victim organization."

In all intrusions observed by Crowdstrike, the adversaries used various VPNs and ISPs to access the victimized organization's Google Workspace environment.

To move laterally, the threat actors extracted various types of reconnaissance information, downloaded user lists from breached tenants, abused WMI, and performed SSH tunneling and domain replication.

Crowdstrike has shared an extensive list of indicators of compromise (IoCs) for this activity at the bottom of the report, which is vital for defenders to note as the threat actor uses the same tools and IP addresses across different intrusions.

Source

According to Richard Delepierre, the co-chairman of the hospital's supervisory board, the attackers behind this ransomware incident have already demanded a ransom.

"A ransom, the amount of which I do not know, has been requested but we do not intend to pay it," Delepierre said per an RFI report.

Currently, the hospital only accepts walk-ins and consultations as it had to partially cancel operations. It was also forced to transfer six patients from its neonatal and intensive care units to other healthcare facilities, according to France's Minister of Health and Prevention François Braun.

"Taking the health of the French hostage is inadmissible. I was this evening with @jnbarrot with the teams of the André-Mignot hospital, victim of a cyberattack," Braun said on Sunday.

"All our means are deployed alongside the professionals mobilized to ensure the care of patients."

The Ile-de-France Regional Health Agency (ARS) advised patients with already scheduled consultations or planned interventions (e.g., surgery, chemotherapy, radiotherapy) to reach out to their doctor or the department they were assigned, who will redirect them to an available treatment unit.

The cyberattack is now being investigated by ANSSI and the Paris prosecutor's office, which has also opened a preliminary investigation into hacking state data and attempted extortion after the André-Mignot hospital filed a formal complaint on Sunday.

"To date, no other health facility in the region has been impacted by this cyberattack on which investigations are continuing by the National Authority for Security and Defense of Information Systems (ANSSI)," ARS added.

While the ransomware operation behind the attack on the André-Mignot hospital remains unknown, multiple gangs are known for targeting healthcare organizations.

U.S. federal authorities have previously warned of threat actors deploying Maui and Zeppelin ransomware payloads in attacks against Healthcare and Public Health (HPH) organizations.

Another joint advisory warned in October that a cybercrime group known as Daixin Team was targeting the HPH sector in ongoing ransomware attacks.

In November, the U.S. Department of Health and Human Services (HHS) also alerted the country's healthcare organizations that they're being targeted in Venus ransomware attacks known to have made dozens of victims worldwide since mid-August 2022.

The FBI said the notorious Hive ransomware gang also attacks healthcare entities and estimated the group collected roughly $100 million from its victims since June 2021.

A Bring Your Own Filesystem attack is when threat actors create a malicious filesystem on their own devices that contain a standard set of tools used to conduct attacks. 

This file system is then downloaded and mounted on compromised machines, providing a preconfigured toolkit that can be used to compromise a Linux system further.

"First, threat actors build a malicious filesystem which will be deployed. This malicious filesystem includes everything that the operation needs to succeed," explains a new report by Sysdig.

"Doing this preparation at this early stage allows all of the tools to be downloaded, configured, or installed on the attacker's own system far from the prying eyes of detection tools."

Sysdig says the attacks typically lead to cryptocurrency mining, although more harmful scenarios are possible.

The researchers also warn about how easy this novel technique could make scaling malicious operations against Linux endpoints of all kinds.

Abusing the Linux PRoot utility

PRoot is an open-source utility that combines the 'chroot', 'mount --bind', and 'binfmt_misc' commands, allowing users to set up an isolated root filesystem within Linux.

By default, the PRoot processes are confined within the guest filesystem; however, QEMU emulation can be used to mix host and guest programs execution.

Additionally, programs from within the guest filesystem can use the built-in mount/bind mechanism to access files and directories from the host system.

The attacks seen by Sysdig use PRoot to deploy a malicious filesystem on already compromised systems that include network scanning tools like "masscan" and "nmap," the XMRig cryptominer, and their configuration files.

The filesystem contains everything required for the attack, neatly packaged in a Gzip-compressed tar file with all the necessary dependencies, dropped directly from trusted cloud hosting services like DropBox.

The malicious guest filesystem (Sysdig)

 

As PRoot is statically compiled and doesn't require any dependencies, threat actors simply download the precompiled binary from GitLab, and execute it against the attacker's downloaded and extracted filesystem to mount it.

In most cases seen by Sysdig, the attackers unpacked the filesystem on '/tmp/Proot/' and then activated the XMRig cryptominer.

"Any dependencies or configurations are also included in the filesystem, so the attacker does not need to run any additional setup commands," explains Sysdig

"The attacker launches PRoot, points it at the unpacked malicious filesystem, and specifies the XMRig binary to execute."

Launching XMRig on the guest filesystem to mine using host's GPU (Sysdig)

 

As Sysdig highlights in the report, the threat actors could easily use PRoot to download other payloads besides XMRig, potentially causing more severe damage to the breached system.

The presence of "mascan" on the malicious filesystem implies an aggressive stance by the attackers, likely indicating they plan on breaching other systems from the compromised machine.

Streamlining attacks

The abuse of PRoot by hackers makes these post-exploitation attacks platform and distribution-agnostic, increasing the chances of success and the threat actors' stealthiness.

Moreover, pre-configured PRoot filesystems allow attackers to use a toolkit across many OS configurations without having to port their malware to the targeted architecture or include dependencies and build tools.

"Using PRoot, there is little regard or concern for the target’s architecture or distribution since the tool smoothes out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution,"

explains Sysdig.

"It allows attackers to get closer to the philosophy of “write once, run everywhere,” which is a long sought-after goal."

Attacks backed by PRoot make the environment setup irrelevant for the hackers, enabling them to scale up their malicious operations quickly.

Source

The flaws were discovered by Eclypsium in August 2022 and could enable attackers, under certain conditions, to execute code, bypass authentication, and perform user enumeration.

The researchers discovered the flaws after examining leaked proprietary code of American Megatrends, specifically, the MegaRAC BMC firmware.

MegaRAC BMC is a solution for complete “out-of-band” and “lights-out” remote system management, allowing admins to troubleshoot servers remotely as if standing in front of the device.

MegaRAC BMC firmware is used by at least 15 server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

Vulnerability details

The three vulnerabilities discovered by Eclypsium and reported to American Megatrends and impacted vendors are the following:

• CVE-2022-40259: Arbitrary code execution flaw via Redfish API due to improper exposure of commands to the user. (CVSS v3.1 score: 9.9 “critical”)
• CVE-2022-40242: Default credentials for sysadmin user, allowing attackers to establish administrative shell. (CVSS v3.1 score: 8.3 “high”)
• CVE-2022-2827: Request manipulation flaw allowing an attacker to enumerate usernames and determine if an account exists. (CVSS v3.1 score: 7.5 “high”)

The most severe of the three flaws, CVE-2022-40259, requires prior access to at least a low-privileged account to perform the API callback.

“The only complication is the attack sits in the path parameter, but it is not URLdecoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command,” says Eclypisum.

For the exploitation of CVE-2022-40242, the only prerequisite for the attacker is to have remote access to the device.

Impact

The first two flaws are very severe due to giving attackers access to an administrative shell without requiring further escalation.

The vulnerabilities could cause data manipulation, data breaches, service outage, business interruption, and more if successfully leveraged.

The third flaw doesn’t have a significant direct security impact, as knowing what accounts exist on the target isn’t enough to cause any damage.

However, it would open the way to brute-forcing passwords or performing credential-stuffing attacks.

“As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers,” comments Eclypsium in the report.

System admins are recommended to disable remote administration options and add remote authentication steps where possible.

Additionally, admins should minimize the external exposure of server management interfaces like Redfish and ensure that the latest available firmware updates are installed on all systems.

According to a joint FBI and CISA report from February 2021, AppleJeus has been in circulation since at least 2018, used by Lazarus in cryptocurrency hijacking and digital asset theft operations.

A new report by Volexity has identified new, fake crypto programs and AppleJeus activity, with signs of evolution in the malware's infection chain and abilities.

New BloxHolder campaign

The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.

In this campaign, the threat actors used the "bloxholder[.]com" domain, a clone of the HaasOnline automated cryptocurrency trading platform.

Legitimate (left) and clone website (right) (Volexity)

 

This website distributed a 12.7MB Windows MSI installer that pretended to be the BloxHolder app. However, in reality, it was the AppleJeus malware bundled with the QTBitcoinTrader app.

In October 2022, the hacking group evolved their campaign to use Microsoft Office documents instead of the MSI installer to distribute the malware.

The 214KB document was named 'OKX Binance & Huobi VIP fee comparision.xls' and contained a macro that creates three files on a target's computer.

Volexity couldn't retrieve the final payload from this later infection chain, but they noticed similarities in the DLL sideloading mechanism found in the previously used MSI installer attacks, so they're confident it's the same campaign.

Upon installation through the MSI infection chain, AppleJeus will create a scheduled task and drop additional files in the folder "%APPDATA%\Roaming\Bloxholder\".

Next, the malware will collect the MAC address, computer name, and OS version and send it to the C2 via a POST request, likely to identify if it's running on a virtual machine or sandbox.

One novel element in recent campaigns is chained DLL sideloading to load the malware from within a trusted process, evading AV detection.

"Specifically, "CameraSettingsUIHost.exe" loads the "dui70.dll" file from the "System32" directory, which then causes the loading of the malicious "DUser.dll" file from the application's directory into the "CameraSettingsUIHost.exe" process," explains Volexity.

"The "dui70.dll" file is the "Windows DirectUI Engine" and is normally installed as part of the operating system."

Chained DLL sideloading (Volexity)

 

Volexity says the reason Lazarus opted for chained DLL sideloading is unclear but might be to impede malware analysis.

Another new characteristic in recent AppleJeus samples is that all its strings and API calls are now obfuscated using a custom algorithm, making them stealthier against security products.

Although Lazarus' focus on cryptocurrency assets is well documented, the North Korean hackers remain fixed on their goal to steal digital money, constantly refreshing themes and improving tools to stay as stealthy as possible.

Who is the Lazarus Group

The Lazarus Group (also tracked as ZINC) is a North Korean hacking group that has been active since at least 2009.

The group gained notoriety after hacking Sony Films in Operation Blockbuster and the 2017 global WannaCry ransomware campaign that encrypted businesses worldwide.

Google discovered in January 2021 that Lazarus was creating fake online personas to target security researchers in social engineering attacks that installed backdoors on their devices. A second attack using this tactic was discovered in March 2021.

The U.S. government sanctioned the Lazarus hacking group in September 2019 and now offers a reward of up to $5 million for information that can disrupt their activities.

More recent attacks have turned to the spreading of trojanized cryptocurrency wallets and trading apps that steal people's private keys and drain their crypto assets.

In April, the U.S. government linked the Lazarus group to a cyberattack on Axie Infinity that allowed them to steal over $617 million worth of Ethereum and USDC tokens.

It was later revealed that the Axie Infinity hack was made possible due to a phishing attack containing a malicious PDF file pretending to be a job offer sent to one of the company's engineers.

The funds were stolen following a January 2018 SIM swap attack that allowed Truglia's co-conspirators to hijack Terpin's phone number and fraudulently transfer roughly $23.8 million in cryptocurrency from his crypto wallet to an online account under Truglia's control.

According to the indictment, the defendant "agreed to convert the stolen cryptocurrency into Bitcoin, another form of cryptocurrency, and then transfer the Bitcoin to other Scheme Participants, while keeping a portion as payment for his services."

In all, Truglia kept at least approximately $673,000 of the stolen funds to assist the other fraudsters in collecting and dividing the illegally obtained funds among them.

The 25-year-old was ordered to pay a total of $20,379,007 to Terpin within the next 60 days, until January 30, 2023.

The restitution order says $12.1 million is due to be paid before December 31, and $8,279 million is payable on or before January 30.

"Nicholas Truglia and his associates stole a staggering amount of cryptocurrency from the victim through a complex SIM swap scheme," U.S. Attorney Damian Williams said.

"Nevertheless, today's sentencing goes to show that no matter how sophisticated the crime is, this Office will continue to successfully prosecute those who choose to defraud others."

In addition to the prison term, Truglia was sentenced to three years of supervised release and was ordered to forfeit $983,010.72.

Ellis Pinsky, the SIM swap gang's suspected 15-year-old leader (at the time), reached a deal with Terpin in November and was ordered to pay the investor $22 million.

Increasing number of SIM swapping attacks

SIM swapping (aka SIM hijacking, SIM jacking, or SIM splitting) enables criminals to take control of a target's phone number with the help of bribed employees or by convincing their mobile carriers to swap the number to an attacker-controlled SIM card using social engineering.

In early February, the FBI warned that criminals had escalated SIM swap attacks to steal millions from unsuspecting victims by hijacking their phone numbers.

The warning followed an FCC announcement that it started working on new legislation that would pull the brake on SIM-swapping attacks.

FCC's move is the result of an increasing wave of consumer complaints regarding significant distress and financial harm from SIM hijacking attacks and port-out fraud.

"From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million," the FBI said,

"In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million."

The FTC provides guidance on protecting against SIM-swapping. The three major U.S. mobile carriers also advise customers to set up a PIN code on their accounts (Verizon, T-Mobile, AT&T) to block social engineering attacks targeting customer service.

Source