The BazarLoader malware is leveraging worker trust in collaboration tools like Slack and BaseCamp, in email messages with links to malware payloads, researchers said. And in a secondary campaign aimed at consumers, the attackers have added a voice-call element to the attack chain.

The BazarLoader downloader, written in C++, has the primary function of downloading and executing additional modules. BazarLoader was first observed in the wild last April – and since then researchers have observed at least six variants, “signaling active and continued development.” It has recently been seen used as staging malware for ransomware, particularly Ryuk. “With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,” according to an advisory from Sophos, issued on Thursday.

Cyberattackers Abuse Slack and BaseCamp

According to researchers at Sophos, in the first campaign spotted, adversaries are targeting employees of large organizations with emails that purport to offer important information related to contracts, customer service, invoices or payroll. “One spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job,” according to Sophos. The links inside the emails are hosted on Slack…

Source

A kids’ game called “Jungle Run” that, until recently, was available in the Apple App store, was secretly a cryptocurrency-funded casino set up to scam people out of money.

Kosta Eleftheriou, who found the scam, is a tech entrepreneur and founder of the Apple Watch keyboard app FlickType who, it’s worth noting, is currently entangled in antitrust litigation he filed against Apple in March. He’s also developed a popular cybersecurity side hustle tracking down malicious apps lurking in the iOS store. His latest discovery was that Jungle Run, which was marketed in the App Store as a game for ages 4+, transformed into a crypto-funded casino when he set his VPN to Turkey. He later discovered that the Jungle Run casino also worked when VPNs were set to Italy and Kazakhstan. He mused on Twitter whether it was available everywhere but the U.S. The same developer also had “Magical Forest Puzzle” on the app store, which used the same VPN trick to unlock a different casino.

This @AppStore app pretends to be a silly platformer game for children 4+, but if I set my VPN to Turkey and relaunch it becomes an online casino that doesn’t even use Apple’s IAP. 🤯 pic.twitter.com/crnOOF0pNi — Kosta Eleftheriou (@keleftheriou) April 15, 2021

After Eleftheriou went to the press with the discovery and Gizmodo was…

Source

The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies. According to the U.S. National Security Agency (NSA), which issued an alert Thursday, the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes) is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.” The targets include U.S. and allied national-security and government networks, it added.

The five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned. “Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,” said researchers with Cisco Talos, in a related posting on Thursday. “Please note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption…to detect exploitation of these vulnerabilities.” The NSA has linked APT29 to Russia’s Foreign Intelligence Services (SVR)….

Source

Recently, the public learned of multiple vulnerabilities (“ProxyLogon”) that impacted Microsoft’s on-premises Exchange Server, a software application used worldwide to manage communications between employees. Since then, many in the security industry have come to realize that attackers knew of these vulnerabilities up to two months before the announcement, based on current reports. In fact, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is advising entities to look for compromise dating back to September 1.

Since the disclosure of these vulnerabilities, the severity of this situation has continued to worsen. It’s generally recognized that the number of potentially affected organizations is in the tens of thousands – and that’s only the U.S.-based organizations. Mandiant confirms that the scope of this attack extends beyond the United States and we expect the final tally to be higher than current estimates. It is rare that software as ubiquitous as Exchange Server suffers a quartet of severe, easy-to-exploit vulnerabilities. The gravity of this situation compounds when considering that most organizations using Exchange Server are likely small-to-medium businesses (SMBs) with no, or a very small, in-house IT security staff, making it difficult to adequately respond to this situation. It is in this very fog that attackers have created an illegitimate multibillion-dollar industry that takes advantage of unknowing, unsuspecting and oft-uninformed organizations….

Source

On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. An analysis of the malicious file and other submissions by the same VirusTotal user suggest the account that initially flagged the backdoor as suspicious belongs to IT personnel at the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department that handles telecommunications and Internet policy.

Both Microsoft and FireEye published blog posts on Mar. 4 concerning a new backdoor found on high-value targets that were compromised by the SolarWinds attackers. FireEye refers to the backdoor as "Sunshuttle," whereas Microsoft calls it "GoldMax." FireEye says the Sunshuttle backdoor was named "Lexicon.exe," and had the unique file signatures or "hashes" of "9466c865f7498a35e4e1a8f48ef1dffd" (MD5) and b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8 (SHA-1). "In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository," FireEye wrote.

[Figure: The "Sunshuttle" or "GoldMax" backdoor, as identified by FireEye and Microsoft, respectively. Image: VirusTotal.com.]

A search in VirusTotal's malware repository shows that on Aug. 13, 2020 someone…

Source

Google Project Zero will now give organizations a 30-day grace period to patch zero-day flaws it discovers, under a new disclosure policy revealed this week aimed at speeding up the time it takes for patches to be adopted. Known for discovering a number of high-profile zero days—in Google’s own products as well as those found in rival Apple’s software—Project Zero last year began revealing the technical details of flaws its researchers discovered 90 days after the initial vulnerability report.

However, the research group is now changing this tactic slightly, saying it will delay disclosure of the technical details of the vulnerability until 30 days after a patch is issued if that patch is created within the 90-day period, according to a blog post by Project Zero’s Tim Willis posted Thursday. “Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption,” he wrote. Moving to this so-called “90+30 model” will allow researchers and the industry as a whole to “decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” Willis explained. However, technical details of vulnerabilities that remain unpatched during the 90-day period after Project Zero discovers them will still be disclosed immediately after that grace period is up, according to the post. Project Zero…

Source

President Biden is putting the final details on a plan to encourage American electric utilities to strengthen their cybersecurity protections against hackers in the next 100 days, amid increasing cyberattacks. The White House push to boost electrical grid security comes in the wake of a report that a full quarter of the 1,500 utilities across North America were infected with the SolarWinds malware, now formally attributed to Russian state actors. There was no evidence the so-called “back door” was used by the threat actors to breach any electrical grids, according to The Intercept, which added that it’s impossible to know how deep these attacks went into the industrial control systems (ICS). Meanwhile, recent publicized attacks on the Kansas and Florida water utilities have raised alarm bells.

Against this backdrop, a six-page draft of the plan was created by the National Security Council and described to Bloomberg News, which reported that the government will offer incentives to utilities to install monitoring software to spot hackers and then report any suspicious activity to the federal government to coordinate a response. The plan also asks utilities to identify sites that are particularly sensitive to attack and would have the most catastrophic impact, Bloomberg reported. It will also give the Energy Department the ability to expand its current classified program to flag power-grid vulnerabilities that could be exploited by attackers.

Power-Grid Cybersecurity…

Source

Several variants of the Gafgyt Linux-based botnet malware family have incorporated code from the infamous Mirai botnet, researchers have discovered. Gafgyt (a.k.a. Bashlite) is a botnet that was first uncovered in 2014. It targets vulnerable internet of things (IoT) devices like Huawei routers, Realtek routers and ASUS devices, which it then uses to launch large-scale distributed denial-of-service (DDoS) attacks. It also often uses known vulnerabilities such as CVE-2017-17215 and CVE-2018-10561 to download next-stage payloads to infected devices.

The latest variants have now incorporated several Mirai-based modules, according to research from Uptycs released Thursday, along with new exploits. Mirai variants and reuse of its code have become more widespread since the source code for the IoT botnet was released in October 2016. The capabilities nicked from Mirai include various methods to carry out DDoS attacks, according to the research:

- HTTP flooding, in which the botnet sends a large number of HTTP requests to a targeted server to overwhelm it;
- UDP flooding, where the botnet sends several UDP packets to a victim server as a means of exhausting it;
- Various TCP flood attacks, which abuse the normal three-way TCP handshake so that the victim server receives a heavy number of requests, resulting in the server becoming unresponsive;
- And an STD module, which sends a random string (from a hardcoded array of strings) to a particular IP address.

Code comparison for the HTTP DDoS module…

Source

Cryptojacking can be added to the list of threats that face any unpatched Exchange servers that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found. Researchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain—which suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to webshells—to host Monero cryptomining malware, according to a report posted online this week by SophosLabs. “An unknown attacker has been attempting to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,” Sophos principal researcher Andrew Brandt wrote in the report.

Researchers were inspecting telemetry when they discovered what they deemed an “unusual attack” targeting the customer’s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged. Researchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of indicators of compromise on the SophosLabs GitHub page to help organizations recognize if they’ve been attacked in this way.

How It Works

The attack as observed by researchers began with a PowerShell command to retrieve…

Source

A vulnerability in one of the Go libraries that Kubernetes is based on could lead to denial of service (DoS) for the CRI-O and Podman container engines. The bug (CVE-2021-20291) affects the Go library called “containers/storage.” According to Aviv Sasson, the security researcher at Palo Alto’s Unit 42 team who found the flaw, it can be triggered by placing a malicious image inside a registry; the DoS condition is created when that image is pulled from the registry by an unsuspecting user. “Through this vulnerability, malicious actors could jeopardize any containerized infrastructure that relies on these vulnerable container engines, including Kubernetes and OpenShift,” Sasson said in a Wednesday posting.

CRI-O and Podman are container images, similar to Docker, that are used to perform actions and manage containers in the cloud. The containers/storage library is used by CRI-O and Podman to handle storage and download of container images. When the vulnerability is triggered, CRI-O fails to pull new images, start any new containers (even if they are already pulled), retrieve local images lists or kill containers, according to the researcher. Podman meanwhile will fail to pull new images, retrieve running pods, start new containers (even if they are already pulled), exec into containers, retrieve existing images or kill existing containers, he said.

The impact could be fairly wide: “As of Kubernetes v1.20, Docker is deprecated and the only container engines supported are CRI-O…

Source