Tag Archive for: attackers

Attackers set up rogue GitHub repos with malware posing as zero-day exploits


Credit: BrownMantis

In an unusual attack campaign, a hacker has been setting up rogue GitHub repositories that claim to host zero-day exploits for popular applications but which instead deliver malware.

The attacker also created fake GitHub and Twitter accounts posing as security researchers and even used real photos of researchers from well-known cybersecurity firms.

“The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware,” researchers from security firm VulnCheck, who found the rogue repositories, said in a report.

“It’s unclear if they have been successful but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”

While attacks that target security researchers are not a new development, they are relatively rare and more likely to be the work of advanced persistent threat (APT) groups looking to gain access to sensitive information that researchers have access to.

This was the case with a campaign reported by Google’s Threat Analysis Group in 2021 where a government-backed North Korean entity created a web of fake accounts posing as security researchers on Twitter, Telegram, LinkedIn, and other social media platforms and used them to promote proof-of-concept exploits for existing vulnerabilities that were posted on a blog and in YouTube videos.

How the GitHub fake account campaign works

The fake accounts were used to contact other real researchers and invite them to collaborate. As part of the communication, a Visual Studio project with proof-of-concept exploit code was shared, but this project also included a malicious DLL that deployed malware on the victim’s computer.

Separately, some researchers who visited the blog had their fully patched systems exploited, suggesting the attackers had access to zero-day exploits.


Kaspersky says attackers hacked staff iPhones with unknown malware


Image Credits: Wong Yu Liang / Getty Images

The Russian cybersecurity company Kaspersky said that hackers working for a government targeted its employees’ iPhones with unknown malware.

On Monday, Kaspersky announced the alleged cyberattack and published a technical report analyzing it, in which the company admitted its analysis is not yet complete. The company said that the hackers, who at this point are unknown, delivered the malware with a zero-click exploit via an iMessage attachment, and that all the events happened within a one-to-three-minute timeframe. At this point, it’s unclear if the hackers exploited new vulnerabilities that were unpatched at the time, meaning they were so-called zero-days.

Kaspersky researchers said that they discovered the attack when they noticed “suspicious activity that originated from several iOS-based phones,” while monitoring their own corporate Wi-Fi network.

The company called this alleged hack against its own employees “Operation Triangulation,” and created a logo for it. Neither Kaspersky nor Apple immediately responded to requests for comment.

Kaspersky researchers said they created offline backups of the targeted iPhones and inspected them with a tool developed by Amnesty International called the Mobile Verification Toolkit, or MVT, which allowed them to discover “traces of compromise.” The researchers did not say when they discovered the attack, and said that they found traces of it going as far back as 2019, and that “attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.”

While the malware was designed to clean up the infected devices and remove traces of itself, “it is possible to reliably identify if the device was compromised,” the researchers wrote.

In the report, the researchers explained step by step how they analyzed the compromised devices, outlining how others can do the same. They did not, however, include many details of what they found using this process.

The researchers said that the presence of “data usage lines mentioning the process named ‘BackupAgent’,” was the most reliable sign that an iPhone was hacked, and that another one of…


5 Hacks by Dallas Ransomware Attackers


Federal intelligence agencies say that Royal, a Russia-based hacking group, has pulled off more than a dozen ransomware attacks since February. During these attacks, the hackers will infiltrate computer systems of schools, hospitals or municipalities, and lock up all the data until a ransom is paid.

Royal is behind the recent ransomware attack against the city of Dallas. The hack has disrupted services across the board. But the group was busy before this most recent attack, both in and out of Dallas, targeting governments and organizations.

Simon Taylor, founder and CEO of the data backup company HYCU, told the Observer that it’s not a matter of if a ransomware attack will happen, but when, and that local governments should be prepared. “We’re seeing this more and more often. These cities and municipalities are being targeted by ransomware terrorists,” Taylor said. “The severity of an attack like this can be really really extreme.”

Silverstone Circuit
One of the higher-profile attacks was launched last November. When Royal pulls off a hack, the group posts about it on its blog. On Nov. 8, 2022, the group announced that it hacked Silverstone Circuit, one of the most popular racing circuits in the United Kingdom, according to techcrunch.com.

“The end of the Second World War had left Britain with no major racetrack but plenty of airfields,” the group wrote in its post about the Silverstone Circuit hack. “On Oct. 2, 1948, the Royal Automobile Club hosted the first British Grand Prix at Silverstone, a former RAF base. An estimated 100,000 people flocked to see Luigi Villoresi beat 22 others in his Maserati [on a track] marked by bales, ropes and canvas barriers. Silverstone racing history has begun.”

The group also posted the number of employees at the circuit, 89, and its revenue, $57 million. Another attack, this time in Dallas, would come the same month.

Dallas Central Appraisal District
A Nov. 8, 2022, attack took down the systems, servers, email and website of the Dallas Central Appraisal District (DCAD). The agency is responsible for appraising Dallas County properties for tax purposes. It said at the time that staff was working around the clock to restore…


Attackers Continue to Leverage Signed Microsoft Drivers


In December of last year, Microsoft worked with SentinelOne, Mandiant, and Sophos to respond to an issue in which drivers certified by Microsoft’s Windows Hardware Developer Program were being used to validate malware.

Unfortunately, the problem hasn’t gone away.

In a recent Mastodon post, security expert Kevin Beaumont observed, “Microsoft are still digitally signing malware kernel drivers, as they can’t identify malware (this comes up over and over again).”

Beaumont provided three examples of remote access trojans that had been verified by Microsoft as legitimate software, adding, “If you have Google’s VirusTotal (Microsoft do) you can run something like this to find them: signature:"Microsoft Windows Hardware Compatibility Publisher" p:5+ tag:signed name:.sys”

In response to an email inquiry from eSecurity Planet, a Microsoft spokesperson acknowledged the ongoing issue, stating, “We have suspended the partners’ seller accounts. In addition, Microsoft Defender Antivirus provides blocking detection for these files.”

The essential challenge remains – and Microsoft has only been able to suspend individual offenders.

Microsoft’s Initial Response

In guidance first published on December 13, 2022, the company stated, “Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.”

Microsoft was notified of the issue by SentinelOne, Mandiant, and Sophos in October 2022, and began an investigation. “This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,” the company added. “A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October.”

Matching the Microsoft spokesperson’s more recent explanation above, the company stated at the time that Windows Security Updates were released revoking the…
