Thursday, February 2nd, 2023
Cybersecurity Week in Review (3/2/23)
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an elusive and severe threat dubbed HeadCrab since early September 2021.
The advanced threat actor utilises state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers. A significant concentration of infections has been recorded in China, Malaysia, India, Germany, the U.K., and the U.S. to date. The origins of the threat actor are presently unknown.
The attack is designed to target Redis servers that are exposed to the internet, followed by issuing a SLAVEOF command from another Redis server that’s already under the adversary’s control. In doing so, the rogue “master” server initiates a synchronisation of the newly hacked server to download the malicious payload, which contains the sophisticated HeadCrab malware onto the latter.
While the ultimate end goal of using the memory-resident malware is to hijack the system resources for cryptocurrency mining, it also boasts of numerous other options that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.
Users are recommended to refrain from exposing Redis servers directly to the internet, disable the “SLAVEOF” feature in their environments if not in use, and configure the servers to only accept connections from trusted hosts.
Source – https://thehackernews.com/2023/02/new-threat-stealthy-headcrab-malware.html
North Korean Hackers Exploit Unpatched Zimbra Devices in ‘No Pineapple’ Campaign
A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. The incident has been codenamed No Pineapple in reference to an error message that’s used in one of the backdoors.
Targets of the malicious operation included a healthcare research organisation in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain. Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.
The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August. The security flaws used for initial access are CVE-2022-27925 and CVE-2022-37042, both of which could be abused to gain remote code execution on the underlying server. This step was succeeded by the installation of web shells and the exploitation of local privilege escalation vulnerability in the Zimbra server (i.e., Pwnkit aka CVE-2021-4034), thereby enabling the threat actor to harvest sensitive mailbox data.
Subsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.
GREASE, which has been attributed to the handiwork of another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules. Dtrack, on the other hand, has been employed in cyber assaults aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of Maui ransomware.
North Korea-backed hacking groups have had a busy 2022, conducting a series of both espionage-driven and cryptocurrency heists that align with the regime’s strategic priorities. Most recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and TA444, was connected to wide-ranging credential harvesting attacks aimed at education, financial, government, and healthcare sectors.
Source – https://thehackernews.com/2023/02/north-korean-hackers-exploit-unpatched.html
New DDoS-as-a-Service platform used in recent attacks on hospitals
A new DDoS-as-a-Service (DDoSaaS) platform named ‘Passion’ was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe.
A DDoS (distributed denial of service) attack is when threat actors send many requests and garbage traffic to a target server to overwhelm the server and cause it to stop responding to legitimate requests. DDoSaaS platforms rent their available firepower to those looking to launch disruptive attacks on their targets, absolving them from the need to build their own large botnets or coordinate volunteer action.
Typically, these botnets are built by compromising vulnerable IoT devices such as routers and IP cameras, uniting them under a large swarm that generates malicious requests toward a particular target. Although ‘’Passion’s’’ origins are unknown, the operation has distinctive ties with Russian hacking groups, such as Killnet, MIRAI, Venom, and Anonymous Russia. The Botnet was leveraged during the attacks on January 27th, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the United Kingdom as retaliation for sending tanks in support of Ukraine.
The operators of the Passion DDoS platform first promoted their service at the beginning of January 2023, performing several defacements on Japanese and South African organisation sites. The service operates as a subscription, where customers can purchase desirable attack vectors, duration, and intensity. Passion offers the option of ten attack vectors, allowing subscribers to customise their attack as needed and even combine vectors to bypass mitigations implemented by the target.
The supported attack methods are:
- HTTP Raw
- UAM Browser
- HTTPS Mix
- DNS l4
- Mixamp l4
- OVH-TCP l4
- TCP-Kill l4
A seven-day subscription costs $30, a month costs $120, while a full year sets back threat actors $1,440. Accepted payment methods include Bitcoin, Tether, and the Russian payment service QIWI.
Passion is added to an already flourishing DDoS ecosystem, increasing the problem for organisations worldwide that are the recipients of these attacks.
Source – https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platform-used-in-recent-attacks-on-hospitals/
Hackers use new IceBreaker malware to breach gaming companies
Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker.
The compromise method relies on tricking customer service agents into opening malicious screenshots the threat actor sends under the guise of a user-facing a problem. Such attacks have been happening since at least September 2022. The group behind them remains unknown, with indistinct clues pointing to their origin. Dialogs examined between the threat actor and the support agents indicate that IceBreaker aren’t native English speakers and purposefully ask to speak with Spanish-speaking agents. However, they were seen speaking other languages too.
To deliver the backdoor, the threat actor contacts the customer support of the target company pretending to be a user having problems logging in or registering for the online service. The hackers convince the support agent to download an image that describes the problem better than they can explain. The researchers say that the image is typically hosted on a fake website that impersonates a legitimate service, although they also saw it delivered from a Dropbox storage.
The links delivered this way lead to a ZIP archive containing malicious a LNK file that fetches the IceBreaker backdoor, or a Visual Basic Script that downloads the Houdini RAT that’s been active since at least 2013. The shortcut contains a command to download an MSI payload from the attacker’s server, install it with no user interaction, and run it with no user interface.
The malicious LNK is the main first-stage payload delivering the IceBreaker malware, while the VBS file is used as a backup, in case the customer support operator is unable to run the shortcut. The malicious shortcut file poses as JPG image and has its extension modified accordingly. The MSI payload it downloads has a very low detection rate on Virus Total, returning only 4 positives out of 60 scans. The MSI package features a large set of decoy files to evade signature-based detection tools and analysis engines. The final layer is a CAB archive extracted onto the victim’s temporary folder, dropping the “Port.exe” payload. This is a C++ 64-bit executable with an unusual overlay, keeping a portion of the data appended to the end of the file. It is believed that this is a way to hide additional resources from security products.
If the targeted entity has not outsourced customer support services to an external provider, the threat actors can use the backdoor to steal account credentials, move laterally in the network, and extend their intrusion.
It’s recommended that companies suspecting a breach with IceBreaker to look for shortcut files created in the startup folder and check for unauthorised execution of the open-source tool tsocks.exe. Monitoring the creation of msiexec.exe processes that receive URLs as parameters could also be an indication of compromise just as the execution of VBS scripts and LNK files from the temporary folder.
Source – https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-malware-to-breach-gaming-companies/
Prilex PoS Malware Evolves to Block Contactless Payments to Steal from NFC Cards
The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as Prilex have reared their head once again with new updates that allow it to block contactless payment transactions. Three versions of Prilex (06.03.8080, 06.03.8072, and 06.03.8070) have been detected that are capable of targeting NFC-enabled credit cards, taking its criminal scheme a notch higher.
Having evolved out of ATM-focused malware into PoS malware over the years since going operational in 2014, the threat actor steadily incorporated new features that are designed to facilitate credit card fraud, including a technique called GHOST transactions. While contactless payments have taken off in a big way, in part due to the COVID-19 pandemic, the underlying motive behind the new functionality is to disable the feature so as to force the user to insert the card into the PIN pad. To that end, the latest version of Prilex, discovered in November 2022, has been found to implement a rule-based logic to determine whether or not to capture credit card information alongside an option to block NFC-based transactions.
Should such an NFC-based transaction be detected and blocked by the malware installed on the infected PoS terminal, the PIN pad reader displays a fake error message: “Contactless error, insert your card.” This leads the victim to use their physical card by inserting it into the PIN pad reader, effectively permitting the threat actors to commit fraud. Another new feature added to the artifacts is the ability to filter credit cards by segments and craft rules tailored to those tiers.
Source – https://thehackernews.com/2023/02/prilex-pos-malware-evolves-to-block.html
Circle K US spills partial credit card details, among other sensitive data
A popular chain of convenience stores and gas stations exposed a treasure trove of employee and customer information to the public. Circle K owner Couche-Tard operates around 14,000 stores worldwide, having sold 12 billion litres of gas this past quarter. In the US, it has around 7,000 branded Circle K stations.
On January 12, 2023, an open Circle K US dataset was discovered with tons of sensitive information: partial payment card numbers, full customer loyalty card numbers, purchase data, employee email addresses, phone numbers, and zip codes, among other data. If exploited, the dataset could lead to identity theft, financial fraud, and targeted phishing campaigns, among other criminal activities.
The company’s internal Azure blob storage was found to be exposed to the public. Azure blob storage is typically used to create data lakes for analysis and when building cloud-native and mobile apps. The Circle K Azure blob was found to have been used to store internal information, such as point of sale (POS) terminal transaction logs and tax, employee, and inventory data. Circle K logged detailed information about purchases, including items, their price, date, and timestamps, full loyalty card numbers, partial credit card numbers, and other transactional data.
Although the size of the leak couldn’t be estimated without an intrusive scanning of the whole storage blob it was noted that the dataset held all the transactions from the beginning of 2021, with 5000-6000 transaction files logged daily.
According to an FBI report, over 14,500 convenience stores and nearly 8,000 gas stations were robbed in 2021 alone, making them one of the top targets for crooks.
Source – https://cybernews.com/security/circlek-leak-credit-card-exposed/?
Poser Hackers Impersonate LockBit in SMB Cyberattacks
A recent spate of cyberattacks against small to midsize businesses (SMBs) across Northern Europe was initially believed to be the handiwork of LockBit, but following further investigation, it turns out that a copycat group is using leaked LockBit malware for campaigns of its own.
While not as sophisticated as the LockBit operators themselves, the group were able to encrypt the files of at least one organisation. The LockBit impersonators were able to exploit an unpatched FortiGate firewall, however, the company was able to restore its network from backups and no client workstations were affected during the intrusions.
“Despite not being the true LockBit locker group, these micro-criminals were still able to cause significant damage by encrypting a large number of internal files,” researcher Pierluigi Paganini of Belgium’s Computerland publication added.
Source – https://www.darkreading.com/application-security/poser-hackers-impersonate-lockbit-smb-cyberattacks
Critical VMware RCE Vulnerabilities Targeted by Public Exploit Code
Three security vulnerabilities affecting VMware’s vRealize Log Insight platform now have public exploit code circulating, offering a map for cybercriminals to follow to weaponise them. These include two critical unauthenticated remote code execution (RCE) bugs.
The vRealize Log Insight platform (which is transitioning its name to Aria Operations) provides intelligent log management “for infrastructure and applications in any environment,” according to VMware, offering IT departments access to dashboards and analytics that have visibility across physical, virtual, and cloud environments, including third-party extensibility. Usually loaded onto an appliance, the platform can have highly privileged access to the most sensitive areas of an organisation’s IT footprint.
Gaining access to the Log Insight host provides different possibilities to an attacker, depending on the type of applications that are integrated with it. Often, logs ingested may contain sensitive data from other services and may allow an attack to gather session tokens, API keys, and personally identifiable information. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment.
The two critical issues carry severity scores of 9.8 out of 10 on the CVSS scale and could allow an unauthenticated, malicious actor to inject files into the operating system of an impacted appliance which can result in remote code execution. One (CVE-2022-31706) is a directory traversal vulnerability; the other (CVE-2022-31704) is a broken access control vulnerability. The third flaw is a high-severity deserialisation vulnerability (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to remotely trigger the deserialisation of untrusted data, which could result in a denial of service.
The three bugs were first disclosed last week by the virtualisation giant as part of a cache that also included one other, a medium-severity information-disclosure bug (CVE-2022-31711, CVSS 5.3) that could allow data harvesting without authentication. The latter doesn’t yet have public exploit code, though that could quickly change, particularly given how popular of a target VMware offerings are for cybercriminals.
To protect their organisations, admins are urged to apply VMware’s patches, or apply a published workaround as soon as possible.
Source – https://www.darkreading.com/application-security/critical-vmware-rce-vulnerabilities-targeted-public-exploit-code
10M JD Sports Customers’ Info Exposed in Data Breach
UK sportswear retailer JD Sports is warning some 10 million of its customers that their personal data — including name, billing address, delivery address, email address, phone number, order details, and last four payment card digits — might have been exposed in a recent cyberattack.
Affected customers placed online orders with JD Sports between November 2018 and October 2020 for items branded JD Sports, Size?, Millets, Blacks, Scotts, and MilletSport, the company said in a statement. JD Sports said while it cannot definitively say whether the data was accessed, the system holding the data was, so as a precaution, JD Sports is notifying and advising impacted customers to remain on the lookout for social engineering scams. JD Sports does not store full payment card details, the retailer said, and there is no evidence that account passwords were compromised.
While disclosure is the right thing to do for the retailer, letting the public as well as potential threat actors know about the breach without first resetting account credentials might in itself attract the wrong kind of attention. Retailers should approach a breach of customer data similar to an internal breach of employees — requiring every customer to reset their account credentials. The official announcement from JD Sports and the news coverage sets the stage for the hackers to start sending out password reset phishing emails to the 10 million customers to harvest their credentials.
In fact, companies like JD Sports should avoid downplaying the significance of a compromise of customer data.
Source – https://www.darkreading.com/attacks-breaches/10m-jd-sports-customers-info-exposed-in-data-breach
Ukraine Hit with New Golang-based ‘SwiftSlicer’ Wiper Malware in Latest Cyber Attack
Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer. The attack has been attributed to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer. The overwrites are achieved by using randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was discovered on January 25, 2023. Attackers deploy the SwiftSlicer wiper using Group Policy of Active Directory. Once SwiftSlicer malware is executed, it corrupts users files and makes the computer unbootable.
Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organisations worldwide since at least 2007. The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink. In 2022 alone, coinciding with Russia’s military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.
The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine. It’s further illustrative of the growing adoption of Golang by threat actors, given its native multi-platform support and relative ease of development. The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent largely unsuccessful cyber-attack on the national news agency Ukrinform.
The intrusion, which is suspected of having been carried out no later than December 7, 2022, entailed the use of five different pieces of data wiping programs, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe targeting Windows, Linux, and FreeBSD systems.
Sandworm is not the only group that has its eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER, and Gamaredon have actively targeted a range of Ukrainian organizations since the onset of the war.
Source – https://thehackernews.com/2023/01/ukraine-hit-with-new-golang-based.html
Smarttech247 Experts warn of big increase in cyberattacks
Businesses are being warned that they need to be prepared for major cyberattacks in 2023. At Smarttech247 we have seen a doubling of nation state-related attacks in the past 12 months. This dramatic increase in incidents is mainly due to the Russian invasion of Ukraine.
“Geopolitical events over the past year have had a profound impact on cybersecurity operations for both private and public organisations across the world,” said Raluca Saceanu, CEO of Smarttech247.
Cyber criminals will continue to find new, innovative ways of breaking into networks and hackers who offer their services for a fee are continually developing their offering.
“We have seen the continuous expansion of cybercrime-for-hire in the form of both ransomware and phishing as a service,” she said.
“The reality is that social engineers constantly advance their tactics and techniques to gain access to systems,” Ms Saceanu added.
She was speaking at the launch of our major cyber security conference which will take place in Dublin in March.
“Zero Day Con” will see leading technology firms, industry experts and government officials gather to share insights on cybersecurity. Speakers will include international experts from the FBI and the US Naval Criminal Investigative Service (NCIS).
Source – https://www.rte.ie/news/business/2023/0123/1350354-experts-warn-of-big-increase-in-cyberattacks/