Tag Archive for: backdoor

Why BYOD Is the Favored Ransomware Backdoor

/in


eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

When remote workers connect bring-your-own-device (BYOD) laptops, desktops, tablets, and phones to corporate assets, risk dramatically increases. These devices exist outside of direct corporate management and provide a ransomware gang with unchecked platforms for encrypting data.

Ransomware remains just one of many different threats and as security teams eliminate key vectors of attack, adversaries will shift tactics. Of course, to cause that shift in tactics, first make sure to eliminate the easy access that these ransomware gangs currently enjoy.

Most Compromises Exploit Unmanaged Devices 

Microsoft’s fourth annual Digital Defense Report for 2023 reveals that 80% of all ransomware compromises come from unmanaged devices and that 60% of those attacks use remote encryption. Naturally, this leads to three important questions: What are unmanaged devices? How does remote encryption work? Which unmanaged devices do attackers use?

What Are Unmanaged Devices? 

Unmanaged devices consist of any device that connects to the network, cloud resources, or other assets without corporate-controlled security. Greg Fitzerald, co-founder of Sevco Security, disclosed to eSecurity Planet that their recent State of the Cybersecurity Attack Surface research found “11% of all IT assets are missing endpoint protection.”

Some of this 11% includes the common and recurring problem of overlooked legacy endpoints such as laptops, desktops, and mobile devices. This category also includes routers, switches, and Internet of Things (IoT) devices that can’t install traditional endpoint protection such as antivirus (AV) or endpoint detection and response (EDR) solutions.

BYOD devices deliver another significant source of unmanaged devices unique to our post-pandemic working environment as many remote workers connect to corporate resources using their own devices. According to the National Bureau of Economic Research, 42.8% of American employees work from home part- or full-time, which places an enormous burden on security teams to…

Source…

This new macOS backdoor lets hackers take over your Mac remotely — how to stay safe

/in


Hackers are beefing up their efforts to go after the best MacBooks as security researchers have discovered a brand new macOS backdoor which appears to have ties to another recently identified Mac malware strain.

As reported by SecurityWeek, this new Mac malware has been dubbed SpectralBlur and although it was uploaded to VirusTotal back in August of last year, it remained undetected by the best antivirus software until it recently caught the attention of Proofpoint’s Greg Lesnewich.

In a blog post, Lesnewich explained that SpectralBlur has similar capabilities to other backdoors as it can upload and download files, delete files and hibernate or sleep when given commands from a hacker-controlled command-and-control (C2) server. What is surprising about this new Mac malware strain though is that it shares similarities to the KandyKorn macOS backdoor which was created by the infamous North Korean hacking group Lazarus.

Just like SpectralBlur, KandyKorn is designed to evade detection while providing the hackers behind it with the ability to monitor and control infected Macs. Although different, these two Mac malware strains appear to be built based on the same requirements.

Once installed on a vulnerable Mac, SpectralBlur executes a function that allows it to decrypt and encrypt network traffic to help it avoid being detected. However, it can also erase files after opening them and then overwrite the data they contain with zeros.

Mac malware is on the rise

If you thought your Mac was safe from hackers and malware, I’ve got bad news for you. Cybercriminals may have preferred Windows machines in the past but now that Apple’s computers have seen a surge in popularity over the past few years, they’ve become a much more valuable target.

According to a blog post from the non-profit Objective-See (via The Hacker News), 21 new malware strains designed to target macOS were discovered in 2023 alone. This is a significant increase compared to the previous year when only 13 Mac malware strains were identified.

As such, expect to see even more Mac malware this year as hackers and other cybercriminals have seen firsthand just how valuable it can be targeting Apple’s computers over the best…

Source…

Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea

/in


Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea

Pierluigi Paganini
January 06, 2024

Researchers discovered a macOS backdoor, called SpectralBlur, which shows similarities with a North Korean APT’s malware family.

Security researcher Greg Lesnewich discovered a backdoor, called SpectralBlur, that targets Apple macOS. The backdoor shows similarities with the malware family KANDYKORN (aka SockRacket), which was attributed to the North Korea-linked Lazarus sub-group known as BlueNoroff (aka TA444).

KandyKorn is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections,” notes Elastic Security, which identified and analyzed the threat.” reads the report published by Elastic.

SpectralBlur is not a sophisticated malware, it supports ordinary backdoor capabilities, including uploading/downloading files, running a shell, updating its configuration, deleting files, hibernating or sleeping, based on commands issued from the C2.

“TA444 keeps running fast and furious with these new MacOS malware families. Looking for similar strings lead us to link SpectralBlur and KandyKorn (which were further linked to TA444 after more samples turned up, and eventually, a phishing campaign hit our visibility that pulled down KandyKorn).” concludes Lesnewich. “So knowing your Macho stuff will help track emerging DPRK capability if that is your interest!”

The latest discovery confirms the great interest of North Korea-linked threat actors in developing macOS malware to employ in targeted attacks.

In November 2023, researchers from Jamf Threat Labs discovered a new macOS malware strain dubbed ObjCShellz and attributed it to North Korea-linked APT BlueNoroff.

The experts noticed that the ObjCShellz malware shares similarities with the RustBucket malware campaign associated with the BlueNoroff APT group.

In July 2023, researchers from the Elastic Security Labs spotted a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using a…

Source…

Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices

/in


Oct 21, 2023NewsroomZero-Day / Vulnerability

Cisco Zero-Day

Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices.

Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 (CVSS score: 10.0) as part of an exploit chain.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination,” Cisco said in an updated advisory published Friday. “This allowed the user to log in with normal user access.”

Cybersecurity

“The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system,” a shortcoming that has been assigned the identifier CVE-2023-20273.

A Cisco spokesperson told The Hacker News that a fix that covers both vulnerabilities has been identified and will be made available to customers starting October 22, 2023. In the interim, it’s recommended to disable the HTTP server feature.

While Cisco had previously mentioned that a now-patched security flaw in the same software (CVE-2021-1435) had been exploited to install the backdoor, the company assessed the vulnerability to be no longer associated with the activity in light of the discovery of the new zero-day.

“An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.”

Cybersecurity

Successful exploitation of the bugs could allow attackers to gain unfettered remote access to routers and switches, monitor network traffic, inject and redirect network traffic, and use it as a persistent beachhead to the network due to the lack of protection solutions for these devices.

The development comes as more 41,000 Cisco devices running the vulnerable IOS XE software are estimated to have been compromised by threat…

Source…