Thursday, February 29th, 2024

Cybersecurity Week in Review (01/03/24)

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks adjacent to GPRS roaming exchanges (GRX).

The malware is novel in the fact that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.

GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN).

Security researchers, who discovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as LightBasin (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata.

“When run, the first thing GTPDOOR does is process-name stomp itself – changing its process name to ‘[syslog]’ – disguised as syslog invoked from the kernel,” the researchers said. “It suppresses child signals and then opens a raw socket [that] will allow the implant to receive UDP messages that hit the network interfaces.”

Put differently, GTPDOOR allows a threat actor that already has established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.

This magic GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the infected machine and return the results back to the remote host.
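To make the channel described above concrete, here is an added example of how a GRX-facing host or sensor can pick out Echo Requests that carry a body. It is not the GTPDOOR wire format (the write-up does not spell that out) and not code from the researchers. In 3GPP TS 29.060 a GTPv1-C Echo Request has a zero TEID and no information elements apart from an optional Private Extension, so a body on one is rare enough to alert on. The packets are constructed for the example.

```python
import struct

GTP_C_PORT = 2123        # GTPv1-C control plane; GTPv1-U user plane is 2152
ECHO_REQUEST = 1
ECHO_RESPONSE = 2


def parse_gtpv1(data: bytes) -> dict:
    """Parse a GTPv1 header (3GPP TS 29.060, section 6) and return its fields
    plus the body that follows the header. Raises ValueError on malformed input."""
    if len(data) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version {version})")
    ext_flag, seq_flag, npdu_flag = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    end = 8 + length                 # 'length' counts everything after the first 8 bytes
    if end > len(data):
        raise ValueError("length field exceeds packet")
    offset, seq, next_ext = 8, None, 0
    if ext_flag or seq_flag or npdu_flag:
        # if any of E, S, PN is set, all three optional fields are present
        if end < 12:
            raise ValueError("optional header fields missing")
        seq, _npdu, next_ext = struct.unpack("!HBB", data[8:12])
        offset = 12
    while ext_flag and next_ext != 0:
        # extension headers chain: length in 4-octet units, content, next-type byte
        ext_len = data[offset] * 4
        if ext_len == 0 or offset + ext_len > end:
            raise ValueError("bad extension header")
        next_ext = data[offset + ext_len - 1]
        offset += ext_len
    return {"msg_type": msg_type, "teid": teid,
            "seq": seq if seq_flag else None, "body": data[offset:end]}


def echo_request_anomalies(udp_payload: bytes) -> list:
    """Reasons a GTP-C Echo Request looks like a carrier for something else."""
    hdr = parse_gtpv1(udp_payload)
    if hdr["msg_type"] != ECHO_REQUEST:
        return []
    reasons = []
    if hdr["teid"] != 0:
        reasons.append(f"non-zero TEID 0x{hdr['teid']:08x} on an Echo Request")
    if hdr["body"]:
        # only a Private Extension IE (type 255) is legitimate here; anything
        # else, or an unusually large one, deserves a look
        reasons.append(f"{len(hdr['body'])} bytes of body on an Echo Request")
    return reasons


# Constructed packets, not captures. flags 0x32 = version 1, PT=1, S flag set.
BENIGN_ECHO_REQ = bytes.fromhex("32 01 0004 00000000 0001 00 00")
SUSPICIOUS_ECHO_REQ = bytes.fromhex("32 01 0014 00000000 0001 00 00") + b"A" * 16
BENIGN_ECHO_RESP = bytes.fromhex("32 02 0006 00000000 0001 00 00 0e 01")  # Recovery IE

if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN_ECHO_REQ), ("suspicious", SUSPICIOUS_ECHO_REQ)]:
        print(label, echo_request_anomalies(pkt) or "ok")
```

In practice the function is fed the UDP payload of every packet to or from port 2123 seen on the GRX-facing interface; the same parser also lets you notice Echo Requests arriving from peers your roaming agreements do not cover.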

GTPDOOR “can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number,” the researchers noted. “If the implant is active a crafted empty TCP packet is returned along with information if the destination port was open/responding on the host.”

“This implant looks like it is designed to sit on compromised hosts that directly touch the GRX network – these are the systems that communicate to other telecommunication operator networks via the GRX.”
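The process-name stomping described earlier in this item suggests a cheap hunting check for those GRX-facing hosts. The following Python snippet is an added example, not code from the GTPDOOR analysis or from the malware: it flags processes that present themselves as kernel threads (a bracketed name such as “[syslog]”) but have properties no real kernel thread has. On Linux a kernel thread has an empty /proc/<pid>/cmdline, no /proc/<pid>/exe link, is parented by kthreadd (PID 2), and its comm never contains brackets (ps adds them for display). The sample process table and the executable path in it are constructed for the example.

```python
import os

KTHREADD_PID = 2  # parent of every kernel thread on Linux


def looks_like_kernel_thread(name: str) -> bool:
    """ps prints kernel threads as '[name]'; a userland process can fake that."""
    return len(name) > 2 and name.startswith("[") and name.endswith("]")


def suspicious_processes(procs):
    """Return (pid, name, reasons) for processes posing as kernel threads.

    Each record: {"pid", "ppid", "comm", "cmdline" (list), "exe" (str or None), "name"}
    where "name" is what ps would show (argv[0], or '[comm]' when argv is empty).
    """
    hits = []
    for p in procs:
        if not looks_like_kernel_thread(p["name"]):
            continue
        reasons = []
        if p["pid"] != KTHREADD_PID and p["ppid"] != KTHREADD_PID:
            reasons.append(f"parent pid {p['ppid']} is not kthreadd")
        if p["exe"]:
            reasons.append(f"backed by an executable: {p['exe']}")
        if p["cmdline"]:
            reasons.append("non-empty cmdline (kernel threads have none)")
        if looks_like_kernel_thread(p["comm"]):
            reasons.append("comm contains brackets (ps adds them; the kernel never does)")
        if reasons:
            hits.append((p["pid"], p["name"], reasons))
    return hits


def snapshot_from_proc():
    """Build the same records from a live Linux /proc (best effort; run as root
    to read other users' exe links). Not used by the constructed sample below."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited while we were reading
        # comm sits in parentheses and may itself contain spaces; ppid is the
        # second field after the closing parenthesis (state is the first)
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel threads and zombies have no exe link
        name = argv[0] if argv else f"[{comm}]"
        procs.append({"pid": pid, "ppid": ppid, "comm": comm,
                      "cmdline": argv, "exe": exe, "name": name})
    return procs


# Constructed sample process table (not real output): two genuine kernel
# threads, a real syslog daemon and one userland process stomped to '[syslog]'.
SAMPLE_PROCS = [
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "cmdline": [], "exe": None, "name": "[kthreadd]"},
    {"pid": 15, "ppid": 2, "comm": "kworker/0:1", "cmdline": [], "exe": None, "name": "[kworker/0:1]"},
    {"pid": 900, "ppid": 1, "comm": "rsyslogd", "cmdline": ["/usr/sbin/rsyslogd", "-n"],
     "exe": "/usr/sbin/rsyslogd", "name": "/usr/sbin/rsyslogd"},
    {"pid": 4242, "ppid": 1, "comm": "[syslog]", "cmdline": ["[syslog]"],
     "exe": "/tmp/.cache/implant", "name": "[syslog]"},  # hypothetical path
]

if __name__ == "__main__":
    for pid, name, reasons in suspicious_processes(SAMPLE_PROCS):
        print(f"pid {pid} {name}: " + "; ".join(reasons))
```

Run `suspicious_processes(snapshot_from_proc())` on a host to apply the check for real; pairing it with a look at /proc/net/raw (a raw socket held by a process that is not a packet-capture or routing daemon) covers the second behaviour the researchers describe.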

Source –

Iranian Hackers Target Aviation and Defense Sectors in Middle East

Iranian hackers have been using Microsoft Azure cloud infrastructure in attacks targeting aerospace, aviation, and defense organizations in the Middle East.

As part of a campaign ongoing since at least June 2022, the hacking group, tracked as UNC1549, has been deploying two unique backdoors dubbed MiniBike and MiniBus, to spy on organizations in Israel and the United Arab Emirates (UAE), as well as Albania, India, and Turkey.

The group’s activities overlap with Tortoiseshell (tracked by Microsoft as Smoke Sandstorm), a threat actor linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that previously targeted defense contractors and IT providers.

The potential link between this activity and the Iranian IRGC is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war.

In November 2023, the MiniBus backdoor was found hosted on a fake recruiting website that used the same template as another fake job website employed by UNC1549 in 2022. As in other UNC1549 campaigns, a .NET application was used to deliver the malware.

Throughout the campaign, spear-phishing emails and social media messages were used to distribute links to staged websites containing fake job offers or Israel-Hamas related content.

The websites hosted the MiniBike and MiniBus backdoors, which were designed to establish communication with command-and-control (C&C) infrastructure hosted on Microsoft Azure.

UNC1549 was also seen deploying several evasion techniques to remain under the radar, including the use of domain naming schemes resembling legitimate sites, the use of job-themed lures, and the use of Azure and servers located in the targeted geographies to hide malicious traffic.

In addition to the MiniBike and MiniBus backdoors, the threat actor has employed LightRail, a tunneling tool based on an open source Socks4a proxy.

Written in C++ and used since at least June 2022, the MiniBike backdoor is usually bundled with a launcher and a legitimate executable (SharePoint, OneDrive, or a fake Hamas-related .NET application).

The MiniBus backdoor is more advanced but shares functionality and code base with MiniBike. The main differences are that MiniBus also supports payload execution and has a process enumeration feature.

LightRail shows code similarities with the backdoors, uses the same Azure C&C infrastructure, and has been deployed against the same targets.

Source –

New Backdoor Targeting European Officials Linked to Indian Diplomatic Events

A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries that host Indian diplomatic missions, using a new backdoor called WINELOADER.

The adversary used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.

The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of another similar PDF file uploaded from the same country.

The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure.

Central to the novel attack is the PDF file, which embeds a malicious link that masquerades as a questionnaire, urging recipients to fill it out in order to participate. Clicking on the link delivers an HTML application (“wine.hta”) containing obfuscated JavaScript code that retrieves an encoded ZIP archive bearing WINELOADER from the same domain.
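The first hop in that chain, a link inside the PDF that points at an HTA, is something mail gateways and analysts can check for without opening the document. The following Python is an added example (not Zscaler’s tooling and not part of the report): it pulls every /URI action out of a PDF, including ones inside FlateDecode-compressed streams, and flags links whose path ends in a script-host or disk-image extension. The sample PDF is constructed and deliberately minimal; “example.invalid” is a reserved placeholder domain, and only the file name “wine.hta” comes from the report.

```python
import re
import zlib
from urllib.parse import urlsplit

# file types that hand the browser off to a script host or a mountable image
RISKY_EXTENSIONS = (".hta", ".lnk", ".iso", ".img", ".vbs", ".js", ".wsf", ".exe", ".scr")

_LITERAL_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /URI (...)
_HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                # /URI <...>
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_ESCAPES = {ord("n"): b"\n", ord("r"): b"\r", ord("t"): b"\t", ord("b"): b"\b",
            ord("f"): b"\f", ord("("): b"(", ord(")"): b")", ord("\\"): b"\\"}


def unescape_pdf_literal(raw: bytes) -> bytes:
    """Decode the escape sequences of a PDF literal string (ISO 32000-1, 7.3.4.2)."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:                      # not a backslash: copy through
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break
        c = raw[i]
        if c in _ESCAPES:
            out += _ESCAPES[c]
            i += 1
        elif 0x30 <= c <= 0x37:            # \ddd octal, up to three digits
            j = i
            while j < len(raw) and j < i + 3 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
        elif c in (0x0A, 0x0D):            # backslash-newline is a line continuation
            i += 1
            if c == 0x0D and i < len(raw) and raw[i] == 0x0A:
                i += 1
        else:                              # unknown escape: drop the backslash
            out.append(c)
            i += 1
    return bytes(out)


def _uris_in(blob: bytes) -> list:
    found = [unescape_pdf_literal(m.group(1)) for m in _LITERAL_URI.finditer(blob)]
    for m in _HEX_URI.finditer(blob):
        h = re.sub(rb"\s", b"", m.group(1)).decode()
        found.append(bytes.fromhex(h + "0" if len(h) % 2 else h))  # odd length pads with 0
    return [u.decode("latin-1") for u in found]


def extract_uris(pdf: bytes) -> list:
    """URIs from /URI actions in the raw file and inside FlateDecode streams.
    Encrypted PDFs and streams using other filters are not handled."""
    uris = _uris_in(pdf)
    for m in _STREAM.finditer(pdf):
        try:
            uris += _uris_in(zlib.decompress(m.group(1)))
        except zlib.error:
            continue                       # not Flate data (image, font, ...)
    return uris


def risky_uris(pdf: bytes) -> list:
    return [u for u in extract_uris(pdf)
            if urlsplit(u).path.lower().endswith(RISKY_EXTENSIONS)]


# Constructed sample, not the SPIKEDWINE lure: one literal link (with escaped
# parentheses), one hex-string link, and one link hidden in a compressed stream.
_INNER = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/rsvp/inner.hta) >> >>"
_COMPRESSED = zlib.compress(_INNER)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://example.invalid/questionnaire\\(2024\\)/wine.hta) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
    + b"https://example.invalid/contact".hex().encode() + b"> >> >> endobj\n"
    b"6 0 obj << /Length " + str(len(_COMPRESSED)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _COMPRESSED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print("all links:", extract_uris(SAMPLE_PDF))
    print("risky:", risky_uris(SAMPLE_PDF))
```

The extension check is a weak signal on its own, since a redirector can hide the .hta behind a clean-looking URL; the stronger control is to stop mshta.exe from running HTAs fetched from the browser at all, and to treat any PDF whose link target resolves to an HTA as malicious regardless of the sender.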

The malware includes a core module that’s designed to execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.

A notable aspect of the cyber incursions is the use of compromised websites for C2 and hosting intermediate payloads. It’s suspected that the “C2 server only responds to specific types of requests at certain times,” thereby making the attacks more evasive.

Source –

Hackers Steal Personal Information From Pharma Giant Cencora

Global pharmaceutical solutions provider Cencora on Tuesday disclosed a cyberattack that resulted in personal information being stolen from its systems.

The data breach was identified on February 21, Cencora said in a filing with the Securities and Exchange Commission (SEC). It’s unclear exactly what type of data has been exfiltrated and who it belongs to, whether it’s employees or customers. 

The company said it has taken steps to contain the incident and an investigation has been launched with the assistance of law enforcement and external cybersecurity experts, but provided no further details. 

Organizations in the healthcare sector, particularly ones that don’t directly provide medical services, are often targeted in ransomware attacks, but no known ransomware group appears to have taken credit for the Cencora breach at the time of writing.

“As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational,” the company said. “The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

This part of the company’s statement likely responds to the SEC’s recently adopted rules, which require public companies to disclose a cybersecurity incident within four business days of determining that it is material.

Cencora, until recently known as AmerisourceBergen, is a pharmaceutical distribution and healthcare solutions company whose services are used by manufacturers, providers and pharmacies to improve product access and supply chain efficiency.

The company has more than 46,000 employees and is ranked #11 on the Fortune 500 and #24 on the Global Fortune 500, with over $230 billion in annual revenue. This likely makes it a tempting target for profit-driven cybercriminals.

Source –

Malicious AI Models on Hugging Face Backdoor Users’ Machines

At least 100 malicious AI/ML models were found on the Hugging Face platform, some of which can execute code on the victim’s machine, giving attackers a persistent backdoor. Hugging Face is a tech firm engaged in artificial intelligence (AI), natural language processing (NLP), and machine learning (ML), providing a platform where communities can collaborate and share models, datasets, and complete applications.

A security team found that roughly a hundred models hosted on the platform carry malicious functionality, posing a significant risk of data breaches and espionage. This is despite Hugging Face’s security measures, which include malware, pickle and secrets scanning, and scrutiny of the models’ functionality to discover behaviors like unsafe deserialization.

The team developed and deployed a scanning system to examine PyTorch and TensorFlow/Keras models hosted on Hugging Face, finding one hundred with some form of malicious functionality.

One highlighted case, a PyTorch model uploaded recently by a user named “baller423” and since removed from Hugging Face, contained a payload that gave it the capability to establish a reverse shell to a specified host (

The malicious payload used the “__reduce__” method of Python’s pickle module to execute arbitrary code when the PyTorch model file is loaded, evading detection by embedding the malicious code within the trusted serialization process.
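The mechanism is worth seeing end to end. The following Python is an added example, not the payload from the model in question and not Hugging Face’s scanner: it builds a pickle whose __reduce__ hands the loader a callable to run (here eval("2+2"), so that the demonstration stays harmless; a real payload substitutes os.system or a socket connect), shows that a plain pickle.loads executes it, then shows two defences: listing the globals a pickle would import without executing it, and an Unpickler whose find_class only admits an allowlist. The allowlist contents are this example’s choice.

```python
import io
import pickle
import pickletools


class Exploit:
    """Shape of a poisoned model object: pickle stores the tuple returned by
    __reduce__ and the loader calls it, so loading runs eval("2+2")."""
    def __reduce__(self):
        return (eval, ("2+2",))


def build_payload(protocol: int = pickle.DEFAULT_PROTOCOL) -> bytes:
    return pickle.dumps(Exploit(), protocol=protocol)


def benign_blob() -> bytes:
    """A checkpoint-like structure with no callables at all."""
    return pickle.dumps({"weights": [1.0, 2.0], "names": ("a", "b")})


def naive_load(data: bytes):
    """What torch.load does by default: untrusted bytes reach pickle.loads."""
    return pickle.loads(data)


_STRING_OPS = ("STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8")


def imported_globals(data: bytes) -> list:
    """(module, name) pairs the pickle would import, found by walking opcodes
    without executing them. Handles GLOBAL (protocol <= 3) and STACK_GLOBAL
    (protocol >= 4), including module/name strings fetched back from the memo."""
    found, recent, memo, memo_next, last = [], [], {}, 0, None
    for op, arg, _pos in pickletools.genops(data):
        n = op.name
        if n == "GLOBAL":                      # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            last = None
        elif n == "STACK_GLOBAL":              # module and name were pushed as strings
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL without module/name strings")
            found.append((recent[-2], recent[-1]))
            last = None
        elif n in _STRING_OPS:
            recent.append(arg)
            last = arg
        elif n == "MEMOIZE":                   # memoizes the stack top under the next index
            memo[memo_next] = last
            memo_next += 1
        elif n in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif n in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                recent.append(last)
        elif n not in ("PROTO", "FRAME", "STOP"):
            last = None                        # anything else pushes a non-string
    return found


# Allowlist used by both the scanner and the restricted loader (example choice).
SAFE_GLOBALS = {
    "builtins": {"set", "frozenset", "list", "dict", "tuple", "bytearray", "range", "slice"},
    "collections": {"OrderedDict"},
}


def scan(data: bytes) -> list:
    """Globals outside the allowlist; an empty list means no foreign callables."""
    return [(m, n) for m, n in imported_globals(data) if n not in SAFE_GLOBALS.get(m, ())]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global not on the allowlist; the fallback when pickle is unavoidable."""
    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    payload = build_payload()
    print("scan:", scan(payload))                   # [('builtins', 'eval')]
    print("naive_load ->", naive_load(payload))     # 4: code inside the file ran
    try:
        safe_load(payload)
    except pickle.UnpicklingError as exc:
        print("safe_load refused:", exc)
```

Scanning before loading is the right order, because find_class is only consulted once the loader is already interpreting the stream; for PyTorch checkpoints, `torch.load(path, weights_only=True)` applies a comparable allowlist, and the safetensors format avoids pickle entirely.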

The researchers found the same payload connecting to other IP addresses in separate instances, with the evidence suggesting that its operators may be AI researchers rather than hackers. Their experimentation was nonetheless risky and inappropriate.

The analysts deployed a honeypot to attract and analyze the activity and determine the operators’ real intentions, but were unable to capture any commands during the period of established connectivity (one day).

Some of the malicious uploads could be part of security research aimed at bypassing security measures on Hugging Face and collecting bug bounties, but since the dangerous models become publicly available, the risk is real and shouldn’t be underestimated.

AI/ML models can pose significant security risks, and those risks have not been appreciated or discussed with proper diligence by stakeholders and technology developers.

These findings highlight this problem and call for elevated vigilance and proactive measures to safeguard the ecosystem from malicious actors.

Source –

European Retailer Pepco hit by Costly Phishing Attack

Pepco Group, a European retailer operating in 21 countries, has reported a phishing attack in its Hungary branch. It resulted in €15.5 million in losses before any potential recovery.

According to the company’s statement, it has been the target of a “sophisticated fraudulent phishing attack.”

“The attack resulted in a loss of approximately €15.5 million in cash before any potential recovery. It is unclear at this stage whether the funds can be recovered, although Pepco is pursuing various efforts through its banking partners and the police,” Pepco said.

The company says that the incident doesn’t appear to involve any customer, supplier, or colleague information or data at this stage.

Pepco is taking “necessary immediate steps to investigate and respond to the incident, to ensure the integrity of its group-wide IT and financial control environment.”

According to Pepco’s website, the group serves over 57 million shoppers monthly from 4,800 stores in 21 countries, offering apparel, household goods, and toys. Its company-owned retail brands include Pepco, Poundland, and Dealz.

Pepco assured investors that its financial position is strong.

“The Group maintains a strong balance sheet with access today to over €400 million in available liquidity (from cash and credit facilities) and continues to generate strong cash flow from its operations,” the statement reads.

Irene Coyle, chief operating officer at OSP Cyber Academy, suspects that the incident may have involved business email compromise, in which staff were deceived into transferring the money to fraudsters.

Pepco is currently conducting a group-wide review of all systems and processes to secure its business more robustly and plans to provide further updates “when appropriate.”

Source –

FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks

The U.S. government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the government said in an updated advisory.

“This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The alert comes courtesy of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year when a coordinated law enforcement operation seized its dark web leak sites. The takedown proved short-lived, however, after the group regained control of the sites and switched to a new Tor data leak portal that remains active to date.

It has also ramped up assaults against critical infrastructure organizations in recent weeks, having claimed responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum.

The development has prompted the U.S. government to announce financial rewards of up to $15 million for information leading to the identification of key members as well as affiliates of the e-crime group.

BlackCat’s ransomware spree coincides with the return of LockBit after similar disruption efforts led by the U.K. National Crime Agency (NCA) last week. Zscaler ThreatLabz said the ransomware gang has updated its encryptor’s ransom notes with Tor URLs pointing to the new infrastructure.

According to a report from SC Magazine, the threat actors breached Optum’s network by leveraging the recently disclosed critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software.

BlackCat, however, has denied using the ConnectWise flaws in its attack against Optum. “For all those cyber intelligence so called expert dumbasses we did not use ConnectWise exploit as our initial access so you should base your reports you tell people on actual facts not kiddi speculations,” it claimed.

The flaws, which allow for remote code execution on susceptible systems, have been weaponized by the Black Basta and Bl00dy ransomware gangs as well as by other threat actors to deliver Cobalt Strike Beacons, XWorm, and remote management tools like Atera, Syncro, and even another ScreenConnect client.

The mass exploitation of the two vulnerabilities has also been complemented by adversaries exploiting ScreenConnect and deploying a new Windows variant of KrustyLoader, which was previously spotted as part of a campaign targeting critical vulnerabilities in Ivanti Connect Secure appliances.

No fewer than 3,400 potentially vulnerable ScreenConnect hosts are exposed online, the majority of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.

The findings come as ransomware groups like RansomHouse, Rhysida, and a Phobos variant called Backmydata have continued to compromise various organizations in the U.S., U.K., Europe, and the Middle East.

In a sign that these cybercrime groups are shifting to more nuanced and sophisticated tactics, RansomHouse has been found utilizing a custom tool dubbed MrAgent to deploy the file-encrypting malware at scale.

Another significant tactic adopted by some ransomware groups is the sale of direct network access as a new monetization method via their own blogs, on Telegram channels, or data leak websites, KELA said.

It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which surfaced in December 2023 on underground forums and has since been made available for free on BreachForums by its creator.

Source –

Rhysida Ransomware Wants $3.6 Million for Children’s Stolen Data

The Rhysida ransomware gang has claimed the cyberattack on Lurie Children’s Hospital in Chicago at the start of the month. Lurie is a leading pediatric acute care institution in the U.S. that provides care to over 200,000 children annually.

The cyberattack forced the healthcare provider to take its IT systems offline and postpone medical care in some cases. Email, phone, access to MyChart, and on-premises internet were all impacted. Ultrasound and CT scan results were rendered unavailable, patient service prioritization systems were taken down, and doctors were forced to switch to pen and paper for prescriptions.

The Rhysida ransomware gang has now listed Lurie Children’s on its dark web extortion portal, claiming to have stolen 600 GB of data from the hospital, and is offering the data to a single buyer for 60 BTC (about $3.7 million).

The deadline was set to seven days, after which the data will either be sold to multiple threat actors at a lower price or leaked for free on Rhysida’s platform.

As per the latest status update from Lurie Children’s on February 22, 2024, effort to restore the IT system is ongoing, and service disruptions still impact some operational segments.

Parents are advised to bring a print of their insurance card to their appointments along with their children’s medication bottles, as the health records system that logs this data is apparently still offline.

MyChart remains unavailable, and wait times are longer than usual as prescription preparation is still done by hand. Some procedures and appointments may be canceled and rescheduled as things are moved around to accommodate urgent care cases.

As the payment systems are also impacted, the timeframe for paying medical bills has been extended for as long as the outage lasts, and the hospital is currently not charging no-show fees for appointments.

The Rhysida ransomware gang suffered a setback recently when Korean researchers published full details of a flaw in its encryptor that could be leveraged to decrypt files without paying a ransom.

Judging from the lengthy disruption at Lurie Children’s, the decryptor that law enforcement used for many months privately may not work in the threat group’s most recent attacks.

Furthermore, should Rhysida’s claims of data exfiltration prove accurate, it means that the sensitive medical information of a large number of children has been irreversibly compromised by cybercriminals.

Source –

Cybercriminals Obtain Data of 2M Customers Leaked by Delivery Company

Indonesian delivery company Paxel has leaked information about deliveries and the home addresses of millions of its customers.

On January 15th, researchers discovered a publicly accessible Google Cloud Storage bucket belonging to Paxel. The company provides local and intercity delivery services, smart lockers, bulk delivery, snack stores, and waste treatment services.

The open bucket contained multiple MySQL and MongoDB database backups from 2023. The databases contained a tremendous amount of personal data related to the deliveries of 2 million people, including highly sensitive information such as home addresses and signatures.

The databases also contained Paxel account balances, pictures of delivered parcels, and private messages between the company’s staff and the parcels’ receivers.
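A bucket full of database backups becomes public through one of three things: an IAM binding to allUsers or allAuthenticatedUsers, a legacy ACL entry for those principals, or the absence of the guard rail (public access prevention) that would have blocked either. The following Python is an added example, not Paxel’s configuration and not the researchers’ tooling: it reads the three artefacts an auditor would export (`gsutil iam get gs://NAME`, `gsutil acl get gs://NAME`, and the bucket resource from the JSON API, which carries iamConfiguration) and gives a verdict. The bucket name, group and bindings in the sample are constructed.

```python
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_iam_bindings(policy: dict) -> list:
    """(role, principal, conditional) for IAM bindings that grant to everyone.
    allAuthenticatedUsers means anyone with a Google account, i.e. effectively public."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append((binding["role"], member, "condition" in binding))
    return hits


def public_acl_entries(acl) -> list:
    """Legacy ACL entries, which still matter when uniform bucket-level access is off."""
    return [(e.get("role"), e.get("entity")) for e in acl
            if e.get("entity") in PUBLIC_PRINCIPALS]


def assess_bucket(metadata: dict, policy: dict, acl=()) -> dict:
    """metadata: bucket resource (JSON API) with iamConfiguration;
    policy: output of `gsutil iam get` / `gcloud storage buckets get-iam-policy --format=json`;
    acl: output of `gsutil acl get` (empty once uniform access is enforced)."""
    findings = []
    iam_cfg = metadata.get("iamConfiguration", {})
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("publicAccessPrevention is not 'enforced'; one bad binding exposes the bucket")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("uniform bucket-level access is off; per-object ACLs can still be public")
    iam_hits = public_iam_bindings(policy)
    acl_hits = public_acl_entries(acl)
    for role, who, conditional in iam_hits:
        findings.append(f"IAM: {role} granted to {who}" + (" (conditional)" if conditional else ""))
    for role, who in acl_hits:
        findings.append(f"ACL: {role} for {who}")
    return {"bucket": metadata.get("name"),
            "public": bool(iam_hits or acl_hits),
            "findings": findings}


# Constructed sample: a backup bucket left world-readable, and the corrected form.
SAMPLE_METADATA = {
    "name": "db-backups-example",                  # hypothetical bucket name
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "inherited",     # the default; 'enforced' is the guard rail
    },
}
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/storage.admin", "members": ["group:dba@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},  # the leak
    ],
}
FIXED_METADATA = {
    "name": "db-backups-example",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "enforced",
    },
}
FIXED_POLICY = {
    "version": 1,
    "bindings": [{"role": "roles/storage.admin", "members": ["group:dba@example.com"]}],
}

if __name__ == "__main__":
    for md, pol in [(SAMPLE_METADATA, SAMPLE_POLICY), (FIXED_METADATA, FIXED_POLICY)]:
        print(assess_bucket(md, pol))
```

The fix for the sample is to remove the allUsers binding and then run `gsutil pap set enforced gs://db-backups-example` (or the organisation policy `storage.publicAccessPrevention`), so that a future binding to allUsers is rejected rather than silently honoured; backups additionally belong in a bucket no application identity can read, with a retention policy rather than a six-month-old copy nobody was watching.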

Full list of leaked data:

  • Customers’ names
  • Phone numbers
  • Email addresses
  • Home addresses
  • Dates of birth
  • Signatures
  • Usernames
  • Passwords hashed with bcrypt hashing algorithm
  • Customers’ phone models
  • MAC address information
  • Amount of on-platform credit
  • List of orders
  • Names of ordered products
  • Amounts spent on orders
  • Chat messages between Paxel’s staff and the customers
  • Pictures of delivered packages
  • Codes used for retrieving orders in pick-up point lockers

The leaked data has already been exploited by threat actors: researchers found the backups being shared on a hacker forum in July 2023, which shows that the company failed to identify the exposure for more than six months after malicious actors got hold of the data.

Malicious actors could use the immense amount of leaked data for spam, phishing attacks, doxxing, fraud, or identity theft, especially as customer signatures were leaked.

It’s not the first time that the Jakarta-based company has leaked customers’ data. In 2020, over 800,000 of Paxel’s users were affected by a data leak. The company has not publicly disclosed the data leak.

The leak has not put customer deliveries at risk, as the leaked data was from 2023 and not real-time. Nonetheless, the databases did include accounts of Paxel’s administrators and employees, which could potentially enable attackers to target the company’s internal systems.

The takeover of internal systems could result in exfiltrating more up-to-date or sensitive information, launching malicious payloads, or injecting malicious code into the company’s systems and putting its users at risk.

The leaked databases also contained hashed passwords, which could be used for account takeovers or credential-stuffing attacks. Although bcrypt is a robust algorithm, many threat actors adopt a ‘save now, crack later’ strategy: hashes that are not economical to crack today still represent a threat as hardware improves, and weak or reused passwords fall to dictionary attacks regardless of the algorithm.

Source –

Steel Giant ThyssenKrupp Confirms Cyberattack on Automotive Division

Steel giant ThyssenKrupp confirms that hackers breached systems in its Automotive division last week, forcing it to shut down IT systems as part of its response and containment effort.

ThyssenKrupp AG is one of the world’s largest steel producers, employing over 100,000 personnel and having an annual revenue of over $44.4 billion (2022).

The firm is a crucial component of the global supply chain of products that use steel as a material across various sectors, including machinery, automotive, elevators and escalators, industrial engineering, renewable energy, and construction.

In a statement, ThyssenKrupp says it suffered a cyberattack last week, impacting its automotive body production division.

“Our ThyssenKrupp Automotive Body Solutions business unit recorded unauthorized access to its IT infrastructure last week,” stated a ThyssenKrupp spokesperson.

“The IT security team at Automotive Body Solutions recognized the incident at an early stage and has since worked with the ThyssenKrupp Group’s IT security team to contain the threat.”

“To this end, various security measures were taken and certain applications and systems were temporarily taken offline.”

ThyssenKrupp has clarified that no other business units or segments have been impacted by the cyberattack, which was contained in the automotive division.

The firm also said that the situation is under control, and they are working on gradually returning to normal operations.

German news outlet Saarbruecker Zeitung, which first disclosed the attack last Friday, reports that ThyssenKrupp’s Saarland-based plant, employing over a thousand specialists, was directly impacted by the attack.

The facility is involved in steel production and processing, as well as research and development, including collaborations with industry partners, research institutions, and universities.

Holding such a prominent role in the global economy, ThyssenKrupp has found itself in hackers’ crosshairs multiple times, including in 2022, 2020, 2016, and 2013, with most cases aimed at espionage and operational disruption.

At the time of writing, no major ransomware groups or other threat actors had assumed responsibility for the attack at ThyssenKrupp, so the type of breach remains unknown.

Source –



    Copyright Smarttech247 - 2021