Tag Archive for: Affairs

RansomExx Ransomware upgrades to Rust programming language (Security Affairs)


RansomExx is the latest ransomware, in order of time, to have a version written entirely in the Rust programming language.

The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware, tracked as RansomExx2, that was ported into the Rust programming language.

The move follows the decision of other ransomware gangs, such as Hive, BlackCat, and Luna, to rewrite their ransomware in the Rust programming language.

The main reason to rewrite malware in Rust is to achieve lower AV detection rates than malware written in more common languages.

RansomExx2 was developed to target the Linux operating system, but experts believe the ransomware operators are already working on a Windows version.

The RansomExx operation has been active since 2018; its victims include government agencies, the computer manufacturer and distributor GIGABYTE, and the Italian luxury brand Zegna. RansomExx is operated by the DefrayX threat actor group (Hive0091), which also developed the PyXie RAT, the Vatet loader, and the Defray ransomware strains.

The functionality implemented in RansomExx2 is very similar to previous RansomExx Linux variants.

“RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys.” reads the analysis published by IBM Security X-Force.

The ransomware iterates through the specified directories, enumerating and encrypting files. The malware encrypts any file of 40 bytes or more and appends a new file extension to each encrypted file.

RansomExx2 encrypts files using the AES-256 algorithm and drops a ransom note in each encrypted directory.


“RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and Blackcat).” concludes the report. “While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch…

Source…

WIP19, a new Chinese APT targets IT Service Providers and Telcos (Security Affairs)


A Chinese-speaking threat actor, tracked as WIP19, is targeting telecommunications and IT service providers in the Middle East and Asia.

SentinelOne researchers uncovered a new threat cluster, tracked as WIP19, which has been targeting telecommunications and IT service providers in the Middle East and Asia.

The experts believe the group is Chinese-speaking and operates for cyber espionage purposes.

The researchers pointed out that the cluster has some overlap with Operation Shadow Force, but uses new malware and different techniques.

The activity of the group is characterized by the use of a legitimate, stolen digital certificate issued by a company called DEEPSoft, which was used to sign malicious code in an attempt to evade detection.

“Almost all operations performed by the threat actor were completed in a “hands-on keyboard” fashion, during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth.” reads the report published by SentinelOne.

“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggests portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014.”

The researchers noticed that portions of the malicious components used by WIP19 were developed by WinEggDrop, a Chinese-speaking malware author who has been active since 2014.

WIP19 also seems to be linked to the Operation Shadow Force group, due to similarities in the use of malicious artifacts developed by WinEggDrop and to tactical overlaps.

“As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation “Shadow Force” or simply a different actor utilizing similar TTPs.” continues the report. “The activity we observed, however, represents a more mature actor, utilizing new malware and techniques.”

The researchers linked an implant dubbed “SQLMaggie”, recently described by DCSO CyTec, to this activity.

Source…

Current Affairs 14 October 2022


Current Affairs 14 October 2022 (English)

We are here to provide the important recent and latest Current Affairs for 14 October 2022, with unique updates on Latest Current Affairs 2022 events from newspapers such as The Hindu, The Economic Times, PIB, Times of India, PTI, Indian Express and Business Standard, and from all Government official websites.

Our Current Affairs September 2022 events will help you get more marks in Banking, Insurance, SSC, Railways, UPSC, CLAT and all State Government Exams. Also try our Latest Current Affairs Quiz and the Monthly Current Affairs 2022 PDF, which will help you crack your exams.



NATIONAL AFFAIRS

Cabinet Approval on October 12 2022

On October 12, 2022, the Union Cabinet, chaired by the Prime Minister (PM) of India Narendra Modi, approved the following proposals, which were detailed by Union Minister Anurag Singh Thakur, Ministry of Information and Broadcasting (MIB), during a media briefing in New Delhi, Delhi:
i. The Union Cabinet approved the proposal of the Ministry of Petroleum & Natural Gas (MoP&NG) to give a one-time grant of Rs 2200 crore to three Public Sector Undertaking Oil Marketing Companies (PSU OMCs), viz. Indian Oil Corporation Limited (IOCL), Bharat Petroleum Corporation Limited (BPCL) and Hindustan Petroleum Corporation Limited (HPCL).
ii. The Cabinet also gave its nod to the disbursement of a productivity-linked bonus (PLB) of Rs 1,832.09 crores among 11,27,000 railway employees. This PLB is equivalent to 78 days, and its maximum limit is capped at Rs 17,951.
iii.The Cabinet also approved the central sector scheme, Prime Minister Development Initiative for North-eastern Region (PM-DevINE), which was announced in the Budget 2022. It was approved for the remaining four years of the 15th Finance Commission from FY23 to FY26 with an allocation of Rs 6,600 crore.
iv.The Cabinet Committee on Economic Affairs (CCEA) chaired by the PM has approved…

Source…

A 15-Year-Old Unpatched Python bug potentially impacts +350K projects (Security Affairs)


More than 350,000 open source projects can potentially be affected by a 15-year-old unpatched Python vulnerability.

More than 350,000 open source projects can be potentially affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), that was discovered 15 years ago.

The issue is a directory traversal vulnerability that resides in the ‘extract’ and ‘extractall’ functions of the tarfile module in Python. A user-assisted remote attacker can trigger the issue to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive; the issue is related to CVE-2001-1267.

“While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.” reads the post published by security firm Trellix. ”The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.”

The experts pointed out that the issue was underestimated: it initially received a CVSS score of 6.8, but in most cases an attacker can exploit the arbitrary file write to gain code execution. Trellix shared a video PoC that shows how to get code execution by exploiting Universal Radio Hacker:

An attacker can exploit the flaw by uploading a specially crafted tarfile whose member names escape the directory the files are intended to be extracted to, and so achieve code execution.

“For an attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to. Python’s tarfile module lets us do exactly this:” continues the post.

[Image: Crafting a Malicious Archive (Source Trellix)]

“The tarfile module lets users add a filter that can be used to…

Source…