For about the price of a Starbucks latte, a hacker is renting out a remote access trojan designed to backdoor targeted networks. Dubbed Dark Crystal RAT (or DCRat), the malware is being peddled online, in Russian, by a lone rookie malware writer with a penchant for cut-rate pricing. “DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at ($6) for a two-month subscription, and occasionally dips even lower during special promotions,” according to BlackBerry researchers who published their findings on Monday. The RAT’s components include a “stealer/client executable”, a single PHP page that serves as the command-and-control endpoint, and an administrator tool.

A Breakdown of DCRat

DCRat is, in some ways, amateurish, researchers assert. “There are certainly programming choices in this threat that point to this being a novice malware author,” they wrote. “The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine,” BlackBerry wrote. JPHP, they noted, is an easy-to-use language aimed at novice developers of desktop games. “The malware author may have chosen this format because it’s not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.” Another odd quirk, researchers note, is that the malware author “implemented a function that displays a randomly…

The FBI warned that the global cost of business email compromise (BEC) attacks reached $43 billion between June 2016 and December 2021. According to the FBI report, 241,206 complaints were lodged with the agency’s Internet Crime Complaint Center (IC3). BEC, or email account compromise (EAC), is an advanced scamming technique that targets both employees and the businesses they work for. Scams use social engineering to compromise a legitimate business or personal email account or to perform an unauthorized transfer of funds. The FBI is also warning that other popular variations of the scam include collecting Personally Identifiable Information (PII) in order to perpetrate additional fraud such as tax-related scams and breaching cryptocurrency wallets.

Statistics of BEC/EAC Scams

According to IC3, BEC scam victims have been reported in all 50 US states and 177 countries. Additionally, 140 countries received fraudulent transfers. The IC3 revealed that banks located in Thailand and Hong Kong were the primary destinations for fraudulent funds, followed by China, Mexico, and Singapore. In the public service announcement by IC3, the losses recorded in the US are much larger than those of non-US victims. Between October 2013 and December 2021, a total of 116,401 US victims reported a total loss of $14.8 billion, whereas in the same period 5,260 non-US citizens reported losses of $1.27 billion. The FBI believes that a 65 percent spike in BEC scams between…

Can I tell you a secret? Will you keep it between us? You’ve probably said this or heard this when it comes to friends and family. However, do you also know that secret keeping, or the lack thereof, is one of the biggest issues that businesses face? The recent report _The State of the Secret Sprawl_ from GitGuardian defines the breadth of business secrets: “A secret can be any sensitive data that we want to keep private. When discussing secrets in the context of software development, secrets generally refer to digital authentication credentials that grant access to services, systems and data. These are most commonly API keys, usernames and passwords, or security certificates. Secrets are what tie together different building blocks of a single application by creating a secure connection between each component. Secrets grant access to the most sensitive systems.” In this podcast with Mackenzie Jackson, developer advocate at GitGuardian, we dive into the report and the issues that corporations face with public leaks from groups like Lapsus$ and more, as well as ways that developers can keep their code safe. For the full report, click…

Apple, Google and Microsoft announced this week that they will soon support an approach to authentication that avoids passwords altogether and instead requires users merely to unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites. The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches. Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO ("Fast Identity Online") Alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems. According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices, including a device PIN or a biometric such as a fingerprint or face scan. "This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes…

Wormable malware dubbed Raspberry Robin has been active since last September and is wriggling its way through USB drives onto Windows machines, where it uses Microsoft Standard Installer and other legitimate processes to install malicious files, researchers have found. Researchers at Red Canary Intelligence first began tracking the malicious activity in the fall, when it began as a handful of detections with similar characteristics first observed in multiple customers’ environments by Jason Killam from Red Canary’s Detection Engineering team. Once the worm spreads via a USB drive to someone’s machine, the activity relies on msiexec.exe to call out to its infrastructure, which often consists of QNAP devices, using HTTP requests that contain a victim’s user and device names, Red Canary’s Lauren Podber and Stef Rand wrote in a blog post published Thursday. Researchers also observed Raspberry Robin using TOR exit nodes as additional command and control (C&C) infrastructure, they wrote. Eventually the worm installs malicious dynamic link library (DLL) files found on the infected USB. While researchers first noticed Raspberry Robin as early as September 2021, most of the activity observed by Red Canary occurred during January of this year, researchers said.

Unanswered Questions

The team has not yet figured out how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this infection occurs offline or “otherwise outside of our…

In an article I wrote over a year ago called “Securing the New Normal of Network Access,” I presented four access scenarios that modern organizations needed to enable so that users could stay securely connected and protected in the new normal of a work-from-anywhere world. Of course, “new” is a relative term, as is “normal.” When that article was published, in late 2020, Covid was relatively new, vaccines had not yet been introduced, and many organizations were still working out work-from-home kinks. Today, two years into the pandemic and into the whirlwind digital transformation it helped accelerate, networking advancements may soon leapfrog over the access grid that illustrated my earlier networking model. In this grid, I showed the need to be able to connect users – from within or outside of traditional office environments – to applications and resources – located within traditional datacenters or, increasingly, in the cloud. For my out-to-in scenario, with remote workers accessing on-site networks, for instance, Zero Trust Network Access (ZTNA) represented a vast improvement over the traditional tool many organizations were opting for, vulnerable VPNs. Too many VPNs are still in use, but more organizations are moving to secure remote access to their networks by implementing ZTNA – a positive development.

The “Everyone/thing-to-Everyone/thing, Securely” Solution

So-called SASE – Secure Access Service Edge – capabilities, such as ZTNA and isolation-powered Secure Web Gateways…

Application service provider F5 is warning that a critical vulnerability allows unauthenticated hackers with network access to execute arbitrary commands on its BIG-IP systems. F5 BIG-IP is a combination of software and hardware built around access control, application availability and security solutions. According to F5, the flaw resides in the representational state transfer (REST) interface of the iControl framework, which is used for communication between F5 devices and users. Threat actors can send undisclosed requests that leverage the flaw to bypass iControl REST authentication and access the F5 BIG-IP system; from there, an attacker can execute arbitrary commands, create or delete files, or disable services. “This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” said F5 in an advisory. “There is no data plane exposure; this is a control plane issue only,” they added. A self IP address is an IP address on a BIG-IP system that a customer associates with a VLAN. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert and advised users to apply the required updates.

Affected Versions

The BIG-IP product versions affected by the vulnerability are:

1.0 to 16.1.2
1.0 to 15.1.5
1.0 to 14.1.4
1.0 to 13.1.4
1.0 to 12.1.6
6.1 to 11.6.5

F5 will not introduce…

Cryptocurrency thief Lazarus Group appears to be widening its scope by using ransomware as a way to rip off financial institutions and other targets in the Asia-Pacific (APAC) region, researchers have found. Financial transactions and similarities to previous malware in its source code link a recently emerged ransomware strain called VHD to the North Korean threat actors, also known as Unit 180 or APT35.

Financial Attacks Raise Suspicion

A significant precursor to linking Lazarus to VHD was an attempt by threat actors in February 2016 to transfer nearly US$1 billion through the SWIFT system to recipients at other banks, according to a post by Trellix researcher Christian Beek. “The investigation, performed by several U.S. agencies, led to a North Korean actor, dubbed ‘Hidden Cobra,’” he wrote. “Ever since then, the group has been active, compromising numerous victims.” Hidden Cobra, active since 2014, is believed to be the work of Lazarus Group. In 2017, the FBI warned that the group was targeting U.S. businesses with malware- and botnet-related attacks. “Over time we have observed several methods North Korea has used to gain money,” Beek wrote. “Although not as frequently observed as other groups, there have also been attempts made to step into the world of ransomware.” Trellix has followed North Korean-linked actors’ attacks on financial institutions (such as global banks, blockchain providers and users from South Korea) over the last few years. Tactics used…

Researchers from Cybereason’s Nocturnus Team have uncovered a massive, highly successful, three-year-long campaign of intellectual property theft. The perpetrators were likely able to siphon hundreds of gigabytes worth of “sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America,” according to the report released Wednesday. The theft remained completely under the radar of law enforcement. They pulled it off by combining an “arsenal” of malware – including a brand new strain called DEPLOYLOG – into a complex infection chain.

A Highly Successful Heist

Researchers believe the campaign has been ongoing since 2019. They said Winnti began their attacks by exploiting a popular enterprise resource planning (ERP) platform used by their targets. With this foothold they installed web shells – to establish persistence – then began their reconnaissance and credential theft. With a map of the network and privileged credentials, they could move laterally to access sensitive stores of data. All of these are common strategies used by APTs around the world every day. What distinguished Winnti’s attacks lay in the details. For one thing, they leveraged multiple vulnerabilities in that undisclosed ERP platform. Some of the vulnerabilities were publicly known, but some were zero-days. The infection chain they crafted from there is of particular note. The researchers called it a “house of cards” – “a…

Researchers have discovered a malicious campaign utilizing a never-before-seen technique for quietly planting fileless malware on target machines. The technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as a cover for malicious late-stage trojans, according to a Kaspersky research report released Wednesday. Researchers uncovered the campaign in February and believe the unidentified adversaries have been active for the past month. “We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign,” wrote Denis Legezo, senior security researcher with Kaspersky’s Global Research and Analysis Team. The attackers behind the campaign use a series of injection tools and anti-detection techniques to deliver the malware payload. “With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable,” Legezo wrote.

Fileless Malware Hides in Plain Sight (Event Logs)

The first stage of the attack involves the adversary driving targets to a legitimate website and enticing the target to download a compressed .RAR file booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. Both tools are popular among hackers, who use them as a vehicle for delivering shellcode to target machines. Cobalt Strike and SilentBreak utilizing separate anti-detection AES…
