Malware – Information Security Newspaper | Hacking News
https://www.securitynewspaper.com
Feed last updated Mon, 11 Dec 2023 23:52:42 +0000

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks
https://www.securitynewspaper.com/2023/12/11/undetectable-forever-how-to-bypass-edrs-av-with-ease-using-8-new-process-injection-attacks/
Mon, 11 Dec 2023 23:49:54 +0000

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

Understanding Process Injection:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

The Role of Windows Thread Pools:

Central to this new technique is the exploitation of Windows thread pools. Thread pools are a system feature for managing worker threads that perform tasks in the background: they schedule the execution of multiple threads and reuse those threads, which reduces the overhead associated with thread creation and destruction and optimizes the use of system resources. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications, and they are used by many applications to perform asynchronous tasks.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following are the types of thread pool work items that can be scheduled in Windows, with a note on how each one could be abused:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.

Implications for Endpoint Detection and Response (EDR) Solutions

The research by SafeBreach Labs tested the newly discovered Pool Party variants against five leading EDR solutions: Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender For Endpoint, and Cybereason EDR. The result was startling, as none of the tested EDR solutions were able to detect or prevent the Pool Party attack techniques. This underscores the need for ongoing innovation in cybersecurity defense mechanisms to keep pace with evolving threats. The exploitation of Windows thread pools for process injection, as highlighted in the SafeBreach article, has significant implications for Endpoint Detection and Response (EDR) solutions. These implications necessitate a reevaluation and enhancement of current EDR strategies:

  1. Challenge to Traditional Detection Methods:
    • Traditional EDR solutions often rely on signature-based detection and known behavioral patterns to identify threats. However, the manipulation of Windows thread pools represents a more sophisticated attack vector that may not be easily detected through these conventional methods. This calls for an advancement in detection technologies.
  2. Need for Deeper System Monitoring:
    • EDR solutions must now consider deeper system monitoring, particularly focusing on the internals of operating systems like thread pool activities, thread creation, and execution patterns. This level of monitoring can help in identifying anomalies that are indicative of thread pool exploitation.
  3. Enhancing Behavioral Analysis Capabilities:
    • EDR systems need to enhance their behavioral analysis capabilities to detect unusual activities that could signify a threat. This includes monitoring for irregularities in thread pool usage, unexpected execution of code within thread pools, and other anomalies that deviate from normal system behavior.
  4. Integration of Advanced Heuristics:
    • Integrating advanced heuristics and machine learning algorithms can help EDR solutions become more proactive in detecting new and sophisticated attack methods. These technologies can learn from evolving attack patterns and adapt their detection mechanisms accordingly.
  5. Improving Response Strategies:
    • In addition to detection, EDR solutions must improve their response strategies to such threats. This includes automated containment measures, quick eradication of threats, and efficient recovery processes to minimize the impact of an attack.
  6. Collaboration and Threat Intelligence Sharing:
    • EDR vendors and cybersecurity experts need to collaborate and share threat intelligence actively. By understanding the latest attack trends and techniques, such as those involving thread pool exploitation, EDR solutions can be better equipped to protect against them.
  7. Educating Users and Administrators:
    • EDR solutions should also focus on educating users and system administrators about these new threats. Awareness can play a crucial role in early detection and response to sophisticated attacks.
  8. Regular Updates and Patch Management:
    • Continuous updating and patch management are crucial. EDR solutions must ensure that they are updated with the latest threat definitions and that they can identify vulnerabilities in systems that need patching or updates.
  9. Zero Trust Approach:
    • Implementing a zero trust approach can be beneficial. EDR solutions should treat every process and thread as a potential threat until verified, ensuring strict access controls and monitoring at all levels.
  10. Forensic Capabilities:
    • Enhancing forensic capabilities is essential for post-incident analysis. Understanding how an attack was carried out, including thread pool exploitation, can provide valuable insights for strengthening EDR strategies.

In summary, the exploitation of Windows thread pools for process injection presents a complex challenge for EDR solutions, necessitating a shift towards more advanced, intelligent, and comprehensive cybersecurity strategies.

Mitigation

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks
https://www.securitynewspaper.com/2023/11/23/how-hrserver-dll-stealthy-webshell-can-mimic-googles-web-traffic-to-hide-and-compromise-networks/
Fri, 24 Nov 2023 00:00:40 +0000

In a striking revelation shaking the cybersecurity world, researchers have unearthed a sophisticated web shell, dubbed ‘HrServ,’ hidden within a seemingly innocuous DLL file, ‘hrserv.dll.’ This discovery, emerging from routine cybersecurity investigations, uncovers a new depth in the sophistication of cyber attacks, challenging existing defense mechanisms.

The Alarming Emergence of Web Shells in Cyber Warfare

Web shells, a relatively obscure term outside cybersecurity circles, represent a formidable threat in the digital age. They are malicious scripts or programs that hackers deploy on compromised web servers, enabling remote access and control. The discovery of HrServ marks a significant escalation in this digital arms race. Typically, web shells are rudimentary in nature, but HrServ breaks this mold with its advanced capabilities and stealthy operations, setting a new benchmark for cyber threats.

Stumbling Upon ‘HrServ’

The journey to unearthing HrServ began with the routine analysis of suspicious files. Researchers stumbled upon ‘hrserv.dll,’ initially not appearing to deviate from the norm. However, closer inspection revealed its true nature. The web shell exhibited unprecedented features, including custom encoding methods for client communications and the ability to execute commands directly in the system’s memory, a tactic that significantly complicates detection.

Decoding HrServ’s Sophisticated Mechanics

HrServ’s infection chain starts with the creation of a scheduled task named ‘MicrosoftsUpdate,’ which further executes a batch file. This file then facilitates the copying of ‘hrserv.dll’ into the crucial System32 directory, effectively embedding the malware deep within the system. From here, HrServ springs to life, initiating an HTTP server and managing client-server communication with intricate custom encoding, involving Base64 and FNV1A64 hashing algorithms.

The Ingenious GET Parameter Technique

One of the most striking aspects of HrServ is its use of a GET parameter technique in its HTTP requests, specifically a parameter named ‘cp.’ The value of this parameter selects which function the web shell performs, so different values of “cp” lead to different actions being executed. For example:

  • GET with cp=0: Calls VirtualAlloc, copies a custom decoded NID cookie value, and creates a new thread.
  • POST with cp=1: Creates a file and writes the custom decoded POST data to it.
  • GET with cp=2: Reads a file using the custom decoded NID cookie value and returns it in the response.
  • GET with cp=4 and 7: Returns Outlook Web App HTML data.
  • POST with cp=6: Indicates a code execution process, copying decoded POST data to memory and creating a new thread.

This technique allows the malware to perform various actions based on the HTTP request it receives, making it a versatile and dangerous tool for attackers. The use of common parameters like those found in Google services could also help mask the malicious traffic, blending it with legitimate web traffic and making detection more challenging.
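The method/value pairs listed above can be turned into a log-based detection heuristic. The following is an added example, not code from the original article or from the researchers' analysis; the combined-style access-log format with a trailing Cookie field, the severity scoring, and the sample log lines are assumptions constructed for illustration.

```python
"""Heuristic detection of HrServ-style 'cp' parameter traffic in web server logs.

Added example, not code from the original article or from the researchers' report.
Assumptions: a combined-style access log with a trailing quoted Cookie field; the
cp values, HTTP methods and the NID cookie usage are taken from the article; the
sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = r'''
203.0.113.7 - - [23/Nov/2023:10:01:02 +0000] "GET /owa/?cp=4 HTTP/1.1" 200 1834 "-" "Mozilla/5.0" "NID=511=AbCdEf"
203.0.113.7 - - [23/Nov/2023:10:01:09 +0000] "GET /owa/?cp=0 HTTP/1.1" 200 12 "-" "Mozilla/5.0" "NID=511=ZmFrZXBheWxvYWQ"
203.0.113.7 - - [23/Nov/2023:10:01:15 +0000] "POST /owa/?cp=6 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "NID=511=AbCdEf"
198.51.100.4 - - [23/Nov/2023:10:02:00 +0000] "GET /search?q=report&cp=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "session=abc123"
198.51.100.4 - - [23/Nov/2023:10:02:20 +0000] "GET /owa/?cp=2 HTTP/1.1" 200 640 "-" "Mozilla/5.0" "session=abc123"
198.51.100.9 - - [23/Nov/2023:10:02:30 +0000] "GET /owa/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "NID=511=AbCdEf"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# (method, cp value) pairs the article attributes to the HrServ request handler.
HRSERV_ACTIONS = {
    ("GET", "0"): "VirtualAlloc + thread from decoded NID cookie",
    ("POST", "1"): "write decoded POST body to a file",
    ("GET", "2"): "read file named by decoded NID cookie",
    ("GET", "4"): "return Outlook Web App HTML (decoy)",
    ("POST", "6"): "copy decoded POST body to memory + thread",
    ("GET", "7"): "return Outlook Web App HTML (decoy)",
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    # Cookie header: "name=value; name2=value2". NID values themselves contain '='.
    rec["cookies"] = dict(
        c.strip().split("=", 1) for c in rec["cookie"].split(";") if "=" in c
    )
    return rec


def classify(rec):
    """Return a finding for an HrServ-like request, or None for benign-looking traffic."""
    cp_values = rec["query"].get("cp")
    if not cp_values:
        return None
    cp = cp_values[0]
    action = HRSERV_ACTIONS.get((rec["method"], cp))
    if action is None:
        # A 'cp' parameter on its own is common in ordinary web apps; only the
        # method/value pairs the web shell answers to are treated as signals.
        return None
    # A Google NID cookie presented to a non-Google host is the second signal the
    # article describes (the shell abuses it as a data channel), so raise severity.
    severity = "high" if "NID" in rec["cookies"] else "medium"
    return {"ip": rec["ip"], "time": rec["time"], "method": rec["method"],
            "path": rec["path"], "cp": cp, "action": action, "severity": severity}


def scan(log_text):
    """Run classify() over every parseable line and return the findings in order."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is not None:
            f = classify(rec)
            if f is not None:
                findings.append(f)
    return findings


def clients_touching_multiple_handlers(findings):
    """Map client IP -> set of cp values used; one client exercising several
    handlers (decoy page, allocate, execute) is a stronger sign than a single hit."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["cp"])
    return {ip: cps for ip, cps in by_ip.items() if len(cps) > 1}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:6} {f['ip']} {f['method']} {f['path']} cp={f['cp']}: {f['action']}")
    print("multi-handler clients:", clients_touching_multiple_handlers(hits))
```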

Mimicking Google’s Web Traffic Patterns

In a cunning move to evade detection, HrServ’s communication pattern is modeled to mimic Google’s web services. This resemblance is not accidental but a deliberate attempt to blend malicious traffic with legitimate web services, making it a needle in a digital haystack for network monitoring systems.

The Afghan Government Entity: A Sole Victim with Global Implications

Remarkably, the only known victim of HrServ, as per the available data, was a government entity in Afghanistan. This targeted approach hints at the possibility of state-sponsored cyber espionage, although the attribution remains unclear. The implications of such a sophisticated attack extend far beyond a single entity, posing a stark reminder of the vulnerabilities inherent in digital infrastructures worldwide.

Unraveling the Mystery: Who is Behind HrServ?

The origins and affiliations of the HrServ creators remain shrouded in mystery. However, certain clues point towards a non-native English-speaking group, deduced from language patterns and technical intricacies observed in the malware. Moreover, the use of specific parameters akin to those in Google services suggests a high level of sophistication and understanding of global web traffic patterns.

Looking Ahead: A Cybersecurity Challenge for the Future

The discovery of HrServ represents a watershed moment in the ongoing battle between cybercriminals and defenders. Its sophisticated design, evasive techniques, and targeted application signify a new era in cyber threats, one where traditional defense mechanisms may no longer suffice. As cybersecurity experts continue to dissect and understand HrServ, the digital world braces for future challenges, emphasizing the ever-evolving nature of cyber threats and the perpetual need for innovative defense strategies.

This new technique allows you to install ransomware and avoid EDR on any system
https://www.securitynewspaper.com/2023/10/20/new-virtual-machine-technique-allows-installing-ransomware-and-bypassing-edr/
Fri, 20 Oct 2023 21:15:53 +0000

BlackCat’s ransomware operators have recently introduced a new tool called “Munchkin,” enabling the propagation of BlackCat payloads to remote machines and shares within a victim’s network. This new tactic involves the use of a customized Alpine Virtual Machine (VM) to deploy the malware, a trend gaining traction amongst ransomware actors to bypass security solutions during malware deployments.

Here’s a detailed breakdown of the new VM Ransomware tactic adopted by BlackCat, based on discoveries made by Unit 42:

  1. Munchkin Utility Introduction:
    • The BlackCat operators announced updates to their toolkit, including a utility named Munchkin.
    • Munchkin facilitates the propagation of BlackCat payloads to remote machines and shares within a victim organization’s network.
    • The use of Munchkin marks a significant evolution in BlackCat’s ransomware-as-a-service (RaaS) business model, making it more potent and elusive to security measures.
  2. Customized Alpine VM Usage:
    • Munchkin is unique in its deployment, as it leverages a customized Alpine VM.
    • This VM tactic allows ransomware actors to bypass security solutions, as most security controls on host OS do not have introspection within the embedded virtualized OS.
    • Once the malware is deployed using the VM, it can execute without being interrupted by the security solutions on the host machine.
  3. Technical Execution:
    • Munchkin utility is delivered as an ISO file, loaded in a newly installed instance of the VirtualBox virtualization product representing a customized implementation of the Alpine OS.
    • Upon running the operating system, specific commands are executed to change the root password of the VM to one chosen by threat actors, generating a new terminal session via the built-in tmux utility to execute the malware binary named controller. Post execution, it powers the VM off.
    • Within the VM OS, notable files are hosted that play crucial roles in the malware’s operation, such as the Munchkin malware utility, serialized configuration file used by Munchkin, and a template BlackCat malware sample customized by Munchkin at runtime.
  4. Escalating Threat:
    • The use of VMs for malware deployment is an escalating trend in the ransomware community.
    • Other ransomware organizations have also been reported to leverage this new tactic, indicating a paradigm shift in how ransomware is deployed and managed across networks.
  5. Cybercrime Syndicate ALPHV/BlackCat:
    • The cybercrime syndicate ALPHV, also known as BlackCat, initiated this novel tool deployment.
    • This development underscores the continual evolution of tactics employed by the BlackCat syndicate, marking a significant step in its operational sophistication.
  6. Security Implications:
    • The evolvement of BlackCat’s tactics, including the use of VMs, underscores a growing need for enhanced security measures to mitigate such advanced threats.
    • The Unit 42 researchers hope that shedding light on these tactics will motivate further efforts within the information security industry to better defend against this evolving threat.
  7. BlackCat’s Evolution:
    • Over time, BlackCat has evolved from using unobfuscated configurations to employing obfuscation mechanisms and command-line parameters for added security, illustrating its dynamic threat landscape.

The detailed elucidation of the Munchkin utility and its VM Ransomware tactic provides crucial insights into the advancing methodologies of BlackCat and similar ransomware operators. By understanding these evolving tactics, stakeholders in the cybersecurity domain can better prepare and defend against such sophisticated threats.

The FBI and other agencies have released Indicators of Compromise (IOCs) associated with the BlackCat/ALPHV ransomware, a Ransomware-as-a-Service (RaaS) entity that has reportedly compromised at least 60 entities worldwide. The specific IOCs were published in an FBI Flash report.

Indicators of Compromise (IOCs):

The Federal Bureau of Investigation (FBI) has outlined specific indicators of compromise (IOCs) pertaining to the BlackCat/ALPHV ransomware activities. Although the exact details were contained in an FBI Flash report, the overarching concern is the worldwide compromise of at least 60 entities through this Ransomware-as-a-Service (RaaS) model. These IOCs are critical for organizations to identify potential threats and take necessary mitigation steps to prevent or respond to ransomware attacks orchestrated by BlackCat/ALPHV. By understanding and monitoring for these IOCs, organizations can significantly enhance their cybersecurity posture against this evolving threat vector.

It’s advisable for organizations and cybersecurity professionals to review official advisories and reports from the FBI and other cybersecurity agencies to stay updated on the latest IOCs and mitigation strategies concerning BlackCat/ALPHV Ransomware and its new VM Ransomware tactic involving the Munchkin utility.

The IOCs released by authoritative bodies like the FBI provide a crucial roadmap for organizations to assess their networks for potential compromises and to bolster their defenses against the evolving tactics of BlackCat/ALPHV Ransomware, particularly with the introduction of the Munchkin utility and the new VM Ransomware tactic.

Guardians of the Hackers Galaxy: Unlock the tool of ToddyCat’s Group
https://www.securitynewspaper.com/2023/10/13/guardians-of-the-hackers-galaxy-unlock-the-tool-of-toddycats-group/
Fri, 13 Oct 2023 20:34:56 +0000

Comprehensive Analysis: ToddyCat’s Advanced Toolset and Stealthy Cyber Espionage Tactics

ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the source research and other reports, aims to provide a detailed overview of ToddyCat’s toolset and operational tactics.

Stealth and Sophistication: ToddyCat’s Modus Operandi

ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.

Exploitation Techniques and Malware Utilization

  • Disposable Malware: Utilized to enhance stealth and evasion capabilities.
  • Data Exfiltration: Malware designed to access and extract sensitive information.
  • Lateral Movement: Techniques employed to expand reach and access within compromised environments.

Toolset Summary

  1. Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
  2. LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
  3. Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
  4. Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.

Detailed Insights into the Toolset

1. Loaders

  • Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, differing in which library loads them, where the malicious code resides, which file is loaded, and what the next stage is.
  • Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).

2. Ninja Trojan

The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:

  • Managing running processes
  • File system management
  • Managing multiple reverse shell sessions
  • Injecting code into arbitrary processes
  • Loading additional modules during runtime
  • Proxy functionality to forward TCP packets between the C2 and a remote host

3. LoFiSe

LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.

4. DropBox Uploader

This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to DropBox, accepting a DropBox user access token as an argument and uploading files with specific extensions.

5. Pcexter

Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.

Potential Impact and Threat Landscape

The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.

Mitigation and Defense Strategies

  • Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
  • User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
  • Regular Patching: Keeping all systems regularly patched and updated.
  • Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.

ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.

The post Guardians of the Hackers Galaxy: Unlock the tool of ToddyCat’s Group appeared first on Information Security Newspaper | Hacking News.

Silent Predator Unveiled: Decoding WebWyrm Stealthy Malware affecting 50 countries
https://www.securitynewspaper.com/2023/10/09/silent-predator-unveiled-decoding-webwyrm-stealthy-malware-affecting-50-countries/
Tue, 10 Oct 2023 00:18:49 +0000

Deciphering Webwyrm: An In-Depth Analysis of the Pervasive Malware Threatening Global Cybersecurity

In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.

The Evolutionary Trajectory of Webwyrm

In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’

Refined Modus Operandi

WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”

Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.

Campaign Enablers: Technical Insights

WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.

Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.

Industries in the Crosshairs

Webwyrm has indiscriminately targeted a plethora of industries, including:

  • IT Services
  • Software Development
  • Mobile App Development
  • User Experience Design
  • Digital Marketing
  • Web Development
  • SEO
  • E-Commerce

Defensive Countermeasures

Effective defense against Webwyrm necessitates the adoption of several countermeasures:

  • Origin Tracing of Malefactors via Employment Portals
  • Collaborative Defensive Initiatives
  • Deployment of Rapid Response Teams
  • Implementation of Domain Blacklisting Protocols
  • Asset Seizure
  • Launch of Educational Awareness Campaigns

With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.

Sony Corporation hacked by ransomware, PS5 lovers worried
https://www.securitynewspaper.com/2023/09/26/sony-corporation-hacked-by-ransomware-ps5-lovers-worried/
Tue, 26 Sep 2023 19:27:58 +0000

The notorious ransomware group known as RANSOMEDVC has brazenly claimed to have succeeded in breaching the defenses of the Japanese multinational conglomerate Sony Corporation. The claim was made through listings on both its clearnet and dark web platforms, where the group declared its complete infiltration of all Sony systems.

The gang responsible for the ransomware stated that it had “successfully compromised all of Sony’s systems.” RANSOMEDVC has adopted a strategy distinct from the traditional ransomware approach of locking the victim’s systems, disrupting IT operations, and demanding payment in exchange for the decryption key. Citing Sony’s apparent unwillingness to cooperate with its demands, the group has announced that, rather than demanding a ransom, it intends to monetize the stolen material directly. An examination of the sample data made available on the websites maintained by RANSOMEDVC provides very limited insight. Among the materials said to be compromised are a PowerPoint presentation that purportedly originated from Sony’s Quality Assurance Division, internal screenshots that appear to show a Sony workstation, Java files, and other data. For background, the RANSOMEDVC ransomware gang has been active at least since 2023 and has become notorious for its aggressive methods, which include threatening victims with the disclosure of sensitive data if ransom demands are not met.

Notably, the RANSOMEDVC gang has been tied to a number of high-profile cyberattacks, one of which occurred in September 2023 and targeted the website of the Hawaiian government. Their objectives extend across a wide range of industries, including the medical field, the business world, and the technological sphere. The assertions made by the ransomware gang known as RANSOMEDVC have been made only a few days after the FBI and CISA issued a joint alert about the dangers presented by another ransomware group known as Snatch Ransomware. The severity and breadth of the ransomware threat are both brought into sharper focus by this development.

Sony, for its part, has proven to be a valuable target for hackers because of its worldwide popularity and global user base. Sony was previously the victim of a large and extensive data breach in which hackers disclosed the personal data and income information of Sony Group executives and staff.

In February of 2021, the authorities in the United States of America filed charges against three North Korean hackers in connection with a series of cyberattacks, one of which was their participation in the hacking of Sony Pictures.

Despite this, the recent appearance of the RANSOMEDVC gang highlights the widespread danger that ransomware poses to businesses of all sizes. As a result of this, it is very necessary for companies to have all-encompassing cybersecurity policies in order to protect themselves against attacks of this kind.

How this Israeli Backdoor written in C#/.NET can be used to hack into any company
https://www.securitynewspaper.com/2023/09/25/how-this-israeli-backdoor-written-in-c-net-can-be-used-to-hack-into-any-company/
Mon, 25 Sep 2023 18:56:40 +0000

As part of an ongoing cyber espionage effort, the Iranian nation-state hacking group known as OilRig has continued to target government entities in the Middle East. This cyber espionage campaign makes use of a newly discovered backdoor in order to exfiltrate data. OilRig (APT34) is an Iranian cyberespionage gang that has been active since 2014 and has been targeting different sectors and governments in the Middle East, including Chemical, Energy, Finance and Telecom.

Following the commencement of the DNSpionage operation in 2018-2019 targeting Lebanon and the UAE, OilRig began the HardPass operation in 2019-2020 utilizing LinkedIn to target individuals in the energy and government sectors.

In recent weeks, cybersecurity experts at Trend Micro have discovered and assessed two campaigns run by the OilRig APT group:

  • Outer Space (2021)
  • Juicy Mix (2022)

Due to the operations’ concentration on the Middle East, Israeli organizations were the only ones targeted by these cyberespionage efforts. The attackers gained access to the network by posing as genuine businesses, using VBS droppers to plant C#/.NET backdoors and post-compromise data-mining tools.

An Overview of the Campaign

Outer Space: An OilRig campaign from 2021 that employed an Israeli HR website as a command and control server for the Solar backdoor. Solar, which had only the most fundamental functionalities, was linked to the SC5k downloader, while MKG was utilized for data exfiltration from browsers.

In 2022 OilRig started a new campaign called “Juicy Mix.” It targeted Israeli organizations with improved tools, compromised a job site for command and control, and then attacked an Israeli healthcare organization with the Mango backdoor, two hidden browser-data dumpers, and a Credential Manager stealer. Juicy Mix was a hit.

In order to get access to the target system, both attacks used VBS droppers, which were most likely distributed using spear phishing emails.

These droppers deployed Mango, established persistence, and connected to the command and control server. At the same time, the embedded backdoor was concealed using base64 encoding and basic string obfuscation.

After inserting the backdoor and scheduling Mango (or Solar) to run every 14 minutes, the dropper transmits the compromised computer’s name to the command and control server in a base64-encoded POST request.

During the Outer Space campaign, OilRig launches Solar, a backdoor that is both simple and flexible. It is able to download and run files, as well as independently exfiltrate prepared data.

In Juicy Mix, Solar has been replaced by OilRig’s Mango, which, although it has similar features and a similar workflow, differs substantially.

In the same way as Solar did, Mango starts an in-memory job that runs every 32 seconds, talks with the C&C server, and carries out orders. Mango, on the other hand, is distinct in that it replaces Solar’s Venus assignment with a whole new exfiltration command.

Post-compromise tools

The following post-compromise tools were observed:

  • SampleCheck5000 (SC5k) downloader
  • Browser data scrapers
  • Windows Credential Manager stealer

OilRig’s progression from Solar to Mango runs through implants that function as backdoors. While they make use of specialized tooling for data collection, they nevertheless rely on more traditional methods to obtain user information.

The parallels between the first-stage dropper and Saitama, the victimology patterns, and the usage of internet-facing exchange servers as a communication technique were identified in the case of Karkoff, which is how the campaign is connected to APT34.

If anything, the growing number of malicious tools connected with OilRig illustrates the threat actor’s “flexibility” to come up with new malware depending on the targeted environments and the privileges held at a particular stage of the assault.

How FBI remotely deleted QBot malware from 700K computers worldwide
https://www.securitynewspaper.com/2023/08/30/how-fbi-remotely-deleted-qbot-malware-from-700k-computers-worldwide/
Wed, 30 Aug 2023 15:26:00 +0000

The United States government said today that a multinational law enforcement operation has destroyed Qakbot, also known as QBot, an infamous botnet and malware loader that was responsible for losses that amounted to hundreds of millions of dollars all over the globe, and that they have confiscated more than $8.6 million in illegal cryptocurrencies.

During a news conference held on Tuesday to announce the takedown of the botnet, United States Attorney Martin Estrada referred to the investigation as “the most significant technological and financial operation ever led by the Department of Justice against a botnet.” The operation, codenamed Duck Hunt, was headed by the FBI. Among other things, the federal government developed software that, when delivered to computers infected with Qakbot, renders the malware useless.

Law enforcement agencies in the United States and other countries have worked together over the last three days to confiscate 52 servers that were being used to sustain the QBot network. With assistance from France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, these agencies were successful in “preventing Qakbot from resurrecting to cause further additional harm,” as stated in the report.

The malware known as Qakbot is a classic example of a Windows-based botnet. Its operators trick people – typically through email attachments or malicious Microsoft Office documents – into downloading and running the software. Once installed, the software has the ability to retrieve and run additional payloads from remote servers. Additionally, the software communicates with remote servers to receive its orders to carry out. It may be used to backdoor affected machines, steal their passwords and record their keystrokes, drain payments from online bank accounts, and more. It is a Swiss Army knife of malicious programs.

According to an application for a seizure request that was made public by the Department of Justice, the FBI was able to acquire access to the Qakbot admin computers. This access assisted law enforcement in mapping out the server architecture that was employed in the operation of the botnet.

Based on its investigation, the FBI concluded that the Qakbot botnet made use of Tier-1, Tier-2, and Tier-3 command and control servers. These servers are employed to send orders for infected devices to carry out, install malware upgrades, and download additional payloads from the botnet’s partners.

The Tier-1 servers are infected devices that have a “supernode” module loaded on them. These servers are a component of the command and control infrastructure of the botnet, and some of the victims are situated in the United States of America. Tier-2 servers are likewise command and control servers, but they are operated by the Qakbot operators, often from leased servers located outside of the United States of America.

According to the FBI, the Tier-1 and Tier-2 servers are both used to relay encrypted communications with the Tier-3 servers.

These Tier-3 servers serve as the main command and control servers for the botnet, which allows them to provide new orders for infected computers to carry out, new malicious modules for infected computers to download, and malware from the botnet’s partners, such as ransomware gangs, for infected computers to install.

Infected devices carrying the Qakbot malware would, on average, interact with a built-in list of Tier-1 servers once every one to four minutes in order to establish encrypted contact with a Tier-3 server and receive encrypted orders to carry out or new payloads to download and install.

In spite of this, the FBI was able to get the encryption keys that were used to interact with these servers when they compromised the infrastructure of the Qakbot and the devices used by its administrators.

Using these keys, the FBI contacted each Tier-1 server from an infected device under its control and instructed it to replace the “supernode” module previously installed by Qakbot with one developed by law enforcement.

The new FBI-controlled supernode module employed new encryption keys that the Qakbot operators did not have access to. As a result, the Qakbot operators were essentially locked out of their own command and control infrastructure since they were unable to interact in any manner with the Tier-1 servers.

After this, the FBI developed a bespoke Windows DLL that served as a removal tool and was sent to affected devices through the compromised Tier-1 servers.

This custom DLL file, according to an analysis of the FBI module conducted by SecureWorks, delivered the QPCMD_BOT_SHUTDOWN command to the Qakbot malware that was executing on compromised devices. This causes the malware process to cease functioning.

According to the Federal Bureau of Investigation (FBI), a court gave permission for this Qakbot removal program to be developed with the express purpose of only uninstalling the virus from machines that were already infected. In addition, since the virus can only function when it is loaded into memory, the anti-malware application did not read or write anything to the hard drive throughout its operation.

The FBI is currently unaware of the overall number of devices that have been cleaned in this fashion; however, given that the process began over the weekend, they anticipate that more devices will be cleansed when they reconnect to the hijacked Qakbot infrastructure.

New attack technique to hack Apache Tomcat Servers
https://www.securitynewspaper.com/2023/07/28/new-attack-technique-to-hack-apache-tomcat-servers/
Fri, 28 Jul 2023 18:29:18 +0000

Apache Tomcat is a free and open-source server that provides a “pure Java” HTTP web server environment. It supports technologies such as Jakarta Servlet, Expression Language, and WebSocket. Nearly half of all developers use Apache Tomcat, making it the clear leader. A new campaign aimed at delivering Mirai botnet malware and bitcoin miners is focusing on Apache Tomcat servers that have been improperly configured and do not have enough security measures in place.

The research was conducted by Aqua, which found that over the course of two years its Tomcat server honeypots were subjected to more than 800 attacks, 96% of which were connected to the Mirai botnet. 20% of these attack attempts, or 152, included the usage of a web shell script termed “neww” that came from 24 different IP addresses, with 68% of them coming from a single IP address (104.248.157[.]218). These attacks were unsuccessful.

The threat actor carried out a brute-force attack against the scanned Tomcat servers in order to gain access to the web application manager, trying a variety of credential combinations.

After successfully gaining entry, the threat actor installs a WAR file containing a web shell called ‘cmd.jsp’ on the compromised Tomcat server. This allows remote command execution.

Downloading and running the “neww” shell script is an integral part of the attack chain. Once it has been executed, the script removes itself with “rm -rf”. It retrieves 12 binary files customized to the architecture of the targeted system.

All of these components work together to deploy the malicious web app on compromised Tomcat servers quickly and effectively.

The last step of the malware is a variation of the Mirai botnet that uses infected systems for the purpose of coordinating distributed denial-of-service (DDoS) assaults.

In summary, the threat actor gets into the web app manager using legitimate credentials, uploads a disguised web shell in a WAR file, remotely executes commands, and starts the attack.

The statistics shed light on the profitable expansion of cryptocurrency mining, which is projected to have a 399% increase and 332 million cryptojacking assaults worldwide in H1 2023.
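As an added defensive illustration (not code from Aqua or from this article), the following Python script looks for the chain just described in Tomcat access logs: a burst of 401 responses on the manager application from one address, then a WAR accepted through the manager's deploy or upload endpoint, then a JSP served from a context other than the ones shipped with Tomcat. It assumes Tomcat's default “common” access-log pattern and the default /manager mount point; the thresholds and the log lines it processes are constructed for illustration.

```python
"""Spot the brute-force -> WAR upload -> web shell chain in Tomcat access logs.

Added example (not code from Aqua or from the article). Assumes Tomcat's default
"common" access-log pattern (%h %l %u %t "%r" %s %b) and the default /manager mount.
The thresholds and the sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Manager endpoints through which a WAR can be deployed (text and HTML interfaces).
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/html/upload")
# Contexts shipped with Tomcat whose JSPs are expected to be requested.
BUILTIN_CONTEXTS = ("/manager", "/host-manager", "/docs", "/examples")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": path,
        "query": query,
        "status": int(m["status"]),
    }


def assess_ip(events, fail_threshold, window):
    """Score one client's events for the three stages of the chain."""
    events = sorted(events, key=lambda e: e["ts"])

    # Stage 1: credential guessing against the manager app, i.e. at least
    # fail_threshold 401 responses inside one sliding time window.
    fails = [e["ts"] for e in events
             if e["path"].startswith("/manager") and e["status"] == 401]
    brute_force = any(
        fails[i + fail_threshold - 1] - fails[i] <= window
        for i in range(len(fails) - fail_threshold + 1)
    )

    # Stage 2: a WAR accepted by the manager's deploy/upload endpoint.
    deploys = [e for e in events
               if e["method"] in ("PUT", "POST") and e["status"] == 200
               and e["path"].startswith(DEPLOY_PREFIXES)]
    first_deploy = deploys[0]["ts"] if deploys else None

    # Stage 3: a JSP served from a non-builtin context after that deployment,
    # which is how an uploaded cmd.jsp-style shell would be reached.
    jsp_after_deploy = first_deploy is not None and any(
        e["path"].lower().endswith(".jsp") and e["status"] == 200
        and not e["path"].startswith(BUILTIN_CONTEXTS)
        and e["ts"] >= first_deploy
        for e in events
    )
    return {"brute_force": brute_force,
            "war_deploy": bool(deploys),
            "jsp_after_deploy": jsp_after_deploy}


def analyze(lines, fail_threshold=10, window=timedelta(minutes=5)):
    """Return {client_ip: stage flags} for every client seen in the log."""
    per_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            per_ip[event["ip"]].append(event)
    return {ip: assess_ip(evs, fail_threshold, window) for ip, evs in per_ip.items()}


def chain_hits(lines, **kwargs):
    """IPs for which all three stages were observed, i.e. the full chain."""
    return sorted(ip for ip, flags in analyze(lines, **kwargs).items()
                  if all(flags.values()))


# Constructed sample log: one attacker-style session and one ordinary client.
SAMPLE_LOG = [
    f'10.0.0.5 - - [28/Jul/2023:10:00:{i:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for i in range(12)
] + [
    '10.0.0.5 - tomcat [28/Jul/2023:10:00:15 +0000] "GET /manager/html HTTP/1.1" 200 13456',
    '10.0.0.5 - tomcat [28/Jul/2023:10:00:20 +0000] "PUT /manager/text/deploy?path=/updates&update=true HTTP/1.1" 200 68',
    '10.0.0.5 - - [28/Jul/2023:10:00:25 +0000] "GET /updates/cmd.jsp HTTP/1.1" 200 312',
    '10.0.0.9 - - [28/Jul/2023:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 4096',
    '10.0.0.9 - - [28/Jul/2023:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
]

if __name__ == "__main__":
    for ip, flags in analyze(SAMPLE_LOG).items():
        print(ip, flags)
    print("full chain from:", chain_hits(SAMPLE_LOG))
```

Each stage on its own is noisy (a single 401, a legitimate deployment, a normal JSP page), so the script only reports an address when all three are seen in order. Tune `fail_threshold` and `window` to the site's real login failure rate, and feed it the rotated access logs rather than the constructed sample.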

Recommendation

In order to protect against attacks of this kind, specialists in the field of cybersecurity suggested the following measures:

  • Make sure that each of your environments has the appropriate configuration.
  • Scan your servers regularly for threats.
  • Make cloud-native tools that scan for vulnerabilities and misconfigurations available to your development, DevOps, and security teams so that they can do their jobs better.
  • Use runtime detection and response technologies.

This free UEFI malware code can hack Windows machine forever, even if hard disk is removed
https://www.securitynewspaper.com/2023/07/13/this-free-uefi-malware-code-can-hack-windows-machine-forever-even-if-hard-disk-is-removed/
Thu, 13 Jul 2023 22:20:24 +0000

The BlackLotus bootkit was developed expressly for Windows, and it first appeared on hacker forums in October of the previous year. It was described as having APT-level capabilities, including the ability to circumvent Secure Boot and User Account Control (UAC), as well as the capacity to deactivate security software and defensive mechanisms on victim computers. Threat actors of various skill levels were able to purchase BlackLotus when it was first offered for sale on hacker forums for as little as $5,000, giving them access to malware that is often associated with state-sponsored hacking operations. However, the threat actor concealed the source code and charged clients $200 for rebuilds if they wished to modify the bootkit in any way.

Microsoft published a set of resources in April that are intended to assist threat hunters in recognizing BlackLotus infections. The National Security Agency (NSA) released some guidelines in June to assist firms in strengthening their defenses against the threat.

The source code of the BlackLotus UEFI bootkit has been made available to the public on GitHub, albeit with a number of alterations compared with the malware’s original form.

The ‘Baton Drop’ exploit that targets CVE-2022-21894 has been removed from the BlackLotus source code that was released on GitHub on Wednesday. Additionally, the BlackLotus source code now employs the bootlicker UEFI firmware rootkit, although it still retains the majority of the original code.

The fact that the bootkit’s source code is available to the public poses a considerable danger, primarily because it may be paired with newly discovered vulnerabilities to open up previously unknown entry points for attacks. BlackLotus was able to utilize the attack despite the fact that CVE-2022-21894 had been fixed the previous year. This was possible because the vulnerable binaries had not been added to the UEFI revocation list. This demonstrates how even vulnerabilities that have been patched may still present long-term, industry-wide supply chain impact.

However, since the source code was leaked, it is now very easy for threat actors to combine the bootkit with new bootloader vulnerabilities, whether they are known or undiscovered. The methods used by the bootkit are no longer cutting edge.

Be careful to adhere to the extensive mitigation guidance that the NSA issued a month ago in order to protect your computers against the BlackLotus UEFI bootkit attack.

Because the source code of the bootkit is now freely accessible, it is feasible that skilled malware writers may design more powerful variations that are able to circumvent both currently available countermeasures and those that will be developed in the future.

How cyber criminals are hacking into AWS Fargate, EKS & evading cloudtrail logs detection
https://www.securitynewspaper.com/2023/07/11/how-cyber-criminals-are-hacking-into-aws-fargate-eks-evading-cloudtrail-logs-detection/
Tue, 11 Jul 2023 18:26:35 +0000

Sysdig, a company that specializes in cybersecurity intelligence, uncovered a sophisticated hacking operation known as Scarleteel in February. Since then, Scarleteel has refined both its infection and exfiltration techniques and moved into phase two. Recent operations by Scarleteel have targeted environments such as AWS Fargate and Kubernetes, which indicates a clear shift from crypto mining alone to additional exploitation such as the theft of intellectual property. During the most recent attack, Scarleteel was seen taking advantage of a small flaw in an AWS policy in order to escalate its privileges to administrator access and seize control of the Fargate account. From there, Kubernetes appeared to be the subject of further attacks. This gave the attacker the ability to exploit several Jupyter Notebook containers deployed in a Kubernetes cluster, which in turn allowed them to continue with numerous sorts of attacks, the primary one being the theft of AWS credentials in order to further exploit the victim’s AWS environment.

The goal of Scarleteel is to gain persistence in a vulnerable Kubernetes workload in order to elevate cloud privileges and ultimately cause financial damage through crypto-jacking as well as theft of intellectual property. A single vulnerable web application, or in the case of Scarleteel, a Jupyter Notebook, can lead to the complete compromise of an Amazon Web Services account.

The scripts that were utilized in the attacks to steal information seemed to be aware that they were running in a container that was hosted by Fargate, since they carried out the appropriate instructions to gather credentials.

Their scripts communicate with a variety of services in order to collect information about the environment. After that, they proceed with their attack by using tools that are tailored to certain services (for example, peirates in Kubernetes pods or pacu after gaining AWS credentials). Popular open-source attack tools such as Pacu and Peirates are frequently used by penetration testers and red teams in order to evaluate the level of security provided by current cloud and Kubernetes architecture. As a post-exploitation enumeration tool, Pacu was used in the Scarleteel attack. This allowed the attacker to quickly analyze the victim’s AWS account for more than 20 existing privilege escalation avenues. Peirates, on the other hand, provides attackers with an all-in-one command line interface that enables them to carry out Kubernetes attacks such as acquiring persistence via a reverse shell, performing lateral movement, or stealing cloud IAM credentials.

To avoid being discovered, Scarleteel used a cutting-edge method of exfiltration as well. It decided to use shell built-ins instead of the more popular command-line tools such as “curl” or “wget,” which is a stealthier approach to evade CloudTrail logs. Because Scarleteel employs shell built-ins to make external network calls to IP addresses controlled by the attacker, the attack will look “normal” to most simple security monitoring solutions that rely on pre-built signatures. The malicious actor also utilized the compromised AWS Command Line Interface (CLI) to download and run Pandora, a piece of malware that is part of the Mirai botnet and that mainly targets internet-connected IoT devices in order to carry out large-scale DDoS operations. Before you can make your environment more resistant to an entity such as Scarleteel, you will first need to take certain precautions to stop potential attackers from getting inside. However, if they still manage to get in despite your best efforts, you will need to have reliable runtime security in place, because the attackers are becoming more sophisticated.

The post How cyber criminals are hacking into AWS Fargate, EKS & evading cloudtrail logs detection appeared first on Information Security Newspaper | Hacking News.

Cyber security company Norton Lifelock, becomes victim of ransomware, who will protect the customers? https://www.securitynewspaper.com/2023/06/20/cyber-security-company-norton-lifelock-becomes-victim-of-ransomware-who-will-protect-the-customers/ Tue, 20 Jun 2023 21:43:29 +0000

The post Cyber security company Norton Lifelock, becomes victim of ransomware, who will protect the customers? appeared first on Information Security Newspaper | Hacking News.

The hacker organization known as Cl0p has said that it is responsible for breaking into a number of educational and government organizations, including the University of Georgia. Now, the hacker organization has claimed responsibility for breaking into Norton Lifelock, a service that is used to safeguard people’s credit after their identity has been stolen. The attack exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) software that Progress Software reported on May 31. Gen Digital, the company responsible for well-known cybersecurity brands such as Avast, Avira, AVG, Norton, and LifeLock, has acknowledged the effect of the ransomware attack and disclosed that the attackers compromised the personal information of workers. This information includes names, residences, birth dates, and business email addresses.

The company confirmed that it has remedied all of the identified vulnerabilities in the system; it uses MOVEit for its file transfer needs. As soon as it became aware of the situation, it took prompt action to safeguard its ecosystem and assess the implications of any possible fallout. It has verified that there was no effect on its essential information technology systems or services, and that no data pertaining to either customers or partners was made public. Unfortunately, certain employees and contingent workers of Gen had some of their personal information compromised, including names, corporate email addresses, employee ID numbers, and, in a few isolated instances, home addresses and birth dates. The company immediately began an investigation into the breadth of the problem and has consequently informed the appropriate data protection agencies as well as the workers whose personal information may have been compromised.

Independently, we were able to confirm that the dark website operated by Cl0p included a listing of Norton Life Lock as one of the group’s more recent victims. On the website, Cl0p writes the following about Norton: “The company doesn’t care about its customers, it ignored their security!!!”

The MOVEit zero-day revelation led to the discovery of two other critical-severity SQL injection flaws in the MFT program, designated CVE-2023-35036 and CVE-2023-35708 respectively.

Progress Software has recommended that users deploy updates for them as soon as possible, even though none of them has been exploited in attacks so far, in order to prevent unauthorized access to the MOVEit Transfer environment.
