Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network. Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15. In order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encrypts sensitive strings in the samples. The use of Tor by malware families is nothing new; however, researchers said they haven’t seen Gafgyt leveraging the anonymity network until now. “Compared with other Gafgyt variants, the biggest change of Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking,” said researchers with NetLab 360 on Thursday. “The Tor-based C2 communication mechanism has been seen in other families we have analyzed before… but this is the first time we encountered it in the Gafgyt family.” Gafgyt_tor Botnet: Propagation and New Functionalities The botnet is mainly propagated through weak Telnet passwords – a common issue on internet of things devices – and through exploiting three vulnerabilities. These vulnerabilities include a remote code execution flaw (CVE-2019-16920) in D-Link devices; a remote code execution vulnerability in Liferay enterprise portal software (for which no CVE is available); and a flaw…

Source

Researchers have uncovered more custom malware that is being used by the threat group behind the SolarWinds attack. Researchers with Microsoft and FireEye identified three new pieces of malware that the companies said are being used in late-stage activity by the threat actor (previously called Solorigate by Microsoft and now renamed Nobelium; and called UNC2452 by FireEye). The malware families include: A backdoor that’s called GoldMax by Microsoft and called Sunshuttle by FireEye; a dual-purpose malware called Sibot discovered by Microsoft; and a malware called GoldFinder also found by Microsoft. Adversaries were able to use SolarWinds’ Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate, in a sprawling cyberespionage campaign that has hit the U.S. government, tech companies and others hard. Microsoft said that it discovered these latest custom attacker tools lurking in some networks of customers compromised by the SolarWinds attackers. It observed them in use from August to September – however, researchers said further analysis revealed these may have been on compromised systems as early as last June. “These tools are new pieces of malware that are unique to this actor,” said Ramin…

Source

Maza, a place online for fraudsters and extortionists to connect to pull off their operations, has been breached by an unknown attacker, in just the latest in a series of attacks targeting elite Russian-language cybercrime forums. Members are worried that their data is being used by researchers and law enforcement to track down their true identities, a new report from Flashpoint said. These forums are where threat actors can go to access ransomware-as-a-service tools, launder stolen money and even get advice on how to improve their crimes, Flashpoint vice president Thomas Hofmann explained to Threatpost. “Maza is a place where one can connect to trustworthy threat actors, who have been active in the Russian-language underground anywhere between 10 to 20 years,” Hofmann said. “Ultimately, the forum serves the role of a board where one can establish initial contact with respected and trustworthy service providers.” Membership in Maza is by invitation only and comes with a fee, he added. Another Russian-language cybercrime forum called Verified was abruptly resurrected after sitting dormant for some time, with unknown administrators and new domains, Flashpoint said. By Feb. 18, the new forum’s new leadership had started deanonymizing Verified’s former operators, raising suspicions among its user base. Another forum, Exploit, reportedly suffered a compromise this week, and a member of the forum warned other users to “be careful with registered emails across multiple forums,” Flashpoint…

Source

While controversy over the potential overreach of neighborhood and law-enforcement video surveillance has focused mainly on Ring, an Atlanta-based startup has quietly rolled out its own network of smart surveillance cameras across the country that is again raising privacy questions and the ire of some privacy advocates, according to a published report. Flock Safety promises to protect neighborhoods with smart cameras with automated license plate recognition (ALPR) technology that are sold to homeowners associations, businesses or law enforcement and are designed to automatically read vehicle license plates “up to 75 MPH, day & night, up to 75 ft. away,” according to the company’s website. Ostensibly, ALPR – which has been around for years but is gaining new momentum thanks to its integration with smart cameras – is aimed at protecting citizens. However, a published report suggests that Flock may be overstretching its wings and has expanded to do much more than merely provide a virtual neighborhood watch. Vice Motherboard reported Wednesday that Flock has quietly built up an extensive nationwide network of its cameras called TALON that is maintained by law enforcement and offers up to 500 million scans of vehicles a month, according to one of a series of Flock emails obtained by the publication. Motherboard said its reporters viewed hundreds of pages of internal police emails from nearly 20 police departments around the country obtained using public records requests…

Source

Hot on the heels of Microsoft’s announcement about active cyber-espionage campaigns that are exploiting four serious security vulnerabilities in Microsoft Exchange Server, the U.S. government is mandating patching for the issues. The news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have “persistent system access and control of an enterprise network.” “CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” reads the March 3 alert. “This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.” Rapidly Spreading Exchange Server Attacks Earlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release…

Source

As Moderna, Pfizer and Johnson & Johnson roll out COVID-19 vaccines, cybercriminals are preying on those hungry to get in line for immunization. Between October and January the average number of COVID-19 vaccine-related spear-phishing attacks grew 26 percent, said Barracuda Networks researchers. At the same time, researchers with Check Point say they have found at least 294 potentially dangerous vaccine-related domains over the last four months. The types of cybercriminal activity vary, from sending malicious emails that purport to be from the Centers for Disease Control and Prevention (CDC), to posting advertisements on underground forums touting vaccine doses for sale. But with the vaccines being rolled out on a widespread basis, these new reports show attackers ramping up their activity on all fronts. The intense emotions spurred by the pandemic – including mass hysteria and anxiety – create a perfect environment for cybercriminals to thrive, said researchers with Barracuda Networks on Thursday: “Capitalizing on fear and uncertainty, the attacks use urgency, social engineering, and other common tactics to lure victims,” they said. Email-Based Attacks: CDC Scam Hunting Microsoft Credentials Researchers pointed to brand impersonation tactics – including many attackers pretending to be the CDC in an attempt to convince email recipients to either click on a malicious attachment or hand over their credentials. “Vaccine-related phishing…

Source

Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums' user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. References to the leaked Mazafaka crime forum database were posted online in the past 48 hours. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. "Maza," "MFclub"), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves. At the top of a 35-page PDF leaked online is a private encryption key allegedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as "I seek you," was an instant message platform trusted by countless early denizens of these older crime forums before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram. This is notable because ICQ numbers tied to specific accounts often are a reliable data point that security researchers can use to connect multiple accounts to the same user across many forums and different…
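The passage above explains why a stable identifier such as an ICQ number (or a reused registration e-mail) lets analysts tie accounts on different forums back to one person. The following is an added example of that linkage step, not code from the article or from any of the researchers it cites. The two forum "dumps" are constructed sample rows with assumed column names; no real leaked data is used. Accounts are joined on any shared normalised identifier, and a union-find pass merges transitive matches (A shares an ICQ with B, B shares an e-mail with C) into one cluster.

```python
"""Cross-forum account linkage on stable identifiers (ICQ UIN, e-mail).

Added example for illustration only; the rows below are constructed, not
real forum data, and the column names are assumptions about what such a
dump might contain.
"""
from collections import defaultdict

# Constructed sample dumps (not real data). Column names differ per forum,
# as they would in practice, so each is mapped onto a common schema below.
FORUM_A = [
    {"user": "alpha", "email": "Alpha@Example.com", "icq": "123-456-789"},
    {"user": "bravo", "email": "bravo@example.net", "icq": "987654321"},
    {"user": "charlie", "email": "c@example.org", "icq": ""},
]
FORUM_B = [
    {"nick": "alpha_2", "mail": "other@example.com", "icq_uin": "123456789"},
    {"nick": "delta", "mail": "c@example.org", "icq_uin": "555"},
    {"nick": "echo", "mail": "echo@example.com", "icq_uin": ""},
]


def norm_icq(value):
    """Keep digits only: '123-456-789' and '123456789' are the same UIN."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits or None


def norm_email(value):
    """Case-fold and strip so 'Alpha@Example.com' matches 'alpha@example.com'."""
    v = (value or "").strip().lower()
    return v or None


def normalise(forum, rows, user_key, email_key, icq_key):
    """Map one forum's rows onto the common schema (forum, user, email, icq)."""
    return [
        {
            "forum": forum,
            "user": r[user_key],
            "email": norm_email(r.get(email_key)),
            "icq": norm_icq(r.get(icq_key)),
        }
        for r in rows
    ]


class UnionFind:
    """Minimal disjoint-set structure for merging transitively linked accounts."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(records):
    """Cluster 'forum:user' accounts that share an ICQ UIN or e-mail address.

    Returns a sorted list of clusters (each a sorted list of 'forum:user');
    accounts sharing nothing with anyone form singleton clusters.
    """
    uf = UnionFind()
    by_key = defaultdict(list)
    for rec in records:
        acct = f"{rec['forum']}:{rec['user']}"
        uf.find(acct)  # register the account even if it links to nothing
        for field in ("icq", "email"):
            if rec[field]:
                by_key[(field, rec[field])].append(acct)
    for accts in by_key.values():
        for other in accts[1:]:
            uf.union(accts[0], other)
    clusters = defaultdict(list)
    for acct in uf.parent:
        clusters[uf.find(acct)].append(acct)
    return sorted(sorted(c) for c in clusters.values())


def multi_forum_clusters(clusters):
    """Only clusters that span more than one forum are worth an analyst's time."""
    return [c for c in clusters if len({a.split(":")[0] for a in c}) > 1]


if __name__ == "__main__":
    records = normalise("A", FORUM_A, "user", "email", "icq") + normalise(
        "B", FORUM_B, "nick", "mail", "icq_uin"
    )
    for cluster in multi_forum_clusters(link_accounts(records)):
        print(cluster)
```

Normalisation is what makes the join useful: the same UIN appears with and without separators, and e-mail addresses differ only in case, so the raw strings would not match. In practice an analyst would add further identifiers (Jabber IDs, wallet addresses, PGP key fingerprints) as extra `field` entries and treat single-identifier matches as leads to be corroborated, not as proof of identity.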

Source

The mobile application called WiFi Mouse, which allows users to control mouse movements on a PC or Mac with a smartphone or tablet, has an unpatched bug allowing adversaries to hijack desktop computers, according to researcher Christopher Le Roux, who found the flaw. Impacted is the Android app’s accompanying WiFi Mouse “server software”, which must be installed on a Windows system and allows the mobile app to control the desktop’s mouse movements. The flaw allows an adversary on the same Wi-Fi network to gain full access to the Windows PC via a communications port opened by the software. WiFi Mouse, published by Necta, is available on Google Play and via Apple’s App Store under the publisher name Shimeng Wang. The only version tested by Le Roux was version 1.7.8.5 of the WiFi Mouse server software running on a Windows (Enterprise Build 17763) system. Despite multiple attempts to contact the app developer Necta, the company has not responded to either the researcher’s inquiries or Threatpost’s request for comment. It is unclear whether other versions of the WiFi Mouse desktop software, compatible with Mac, Debian and RPM, are also impacted. Bug’s Impact: Limited to Desktops According to Le Roux’s research, the unpatched bug does not impact Android phones running the WiFi Mouse application. According to the developer’s Google Play description of WiFi Mouse, the application has been downloaded over 100,000 times. The vulnerability,…

Source

Google has fixed a high-severity vulnerability in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the flaw. The vulnerability is one of 47 security fixes that the tech giant rolled out on Tuesday in Chrome 89.0.4389.72, including patches for eight high-severity flaws. “The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux,” according to Google on Tuesday. “This will roll out over the coming days/weeks.” Google Chrome: Actively-Exploited Security Flaw The actively-exploited vulnerability in question (CVE-2021-21166) stems from the audio component of the browser (which has had various security issues in the past). According to Google, the flaw is an object lifecycle issue. The object lifecycle is the period during which a programming-language object is valid for use – between the time it is created and the time it is destroyed. Beyond Google noting that it “is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” further information about the glitch is unavailable. That’s because “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google. The flaw was reported by Alison Huffman, with the Microsoft Browser Vulnerability Research team, on Feb. 11. Huffman reported another high-severity flaw that Google fixed in Chrome, which also stemmed from an object lifecycle issue in the…

Source

Malaysia Airlines sent out an email to frequent flyer program members assuring them that there’s “no evidence” their personal data has been misused in the wake of a supply-chain attack via a third-party vendor. However, experts think that’s unlikely. And, they say, the repercussions could be significant. Malaysia Airlines’ frequent flyer program, Enrich, was breached sometime around March 2010 — and remained exposed until June 2019, leaving thousands of members’ personal data, including name, date of birth, gender, contact information, ID number, status and tier level unprotected, an email sent out to members from the company said. Malaysia Airlines hasn’t released a formal statement, but its official Twitter account @MAS offered some explanation in a Mar. 1 response to a user, linking to news of the breach. “…The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems,” the airline’s account responded. “However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.” A subsequent tweet from the airline added, “Kindly note that Malaysia Airlines has no evidence that the incident affected any account passwords. We nevertheless encourage members to change their passwords as a precautionary measure.” Threatpost’s requests for comment from Malaysia…

Source