Tag Archive for: backdoor

Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems


Two vulnerabilities discovered earlier this year in Atos Unify products could allow malicious actors to cause disruption and even backdoor the targeted system.

The flaws were found in the unified communications and collaboration solution by researchers at SEC Consult, an Austria-based cybersecurity consulting firm that is part of the Atos Group’s Eviden business.

The vulnerabilities affect the Atos Unify Session Border Controller (SBC), which provides security for unified communications, the Unify OpenScape Branch product for remote offices, and Border Control Function (BCF), which is designed for emergency services.

SEC Consult researchers discovered that the web interface of these products is affected by CVE-2023-36618, which can be exploited by an authenticated attacker with low privileges to execute arbitrary PHP functions and, subsequently, operating system commands with root privileges.

The second security hole, CVE-2023-36619, can be exploited by an unauthenticated attacker to access and execute certain scripts. An attacker could leverage these scripts to cause a denial-of-service (DoS) condition or change the system’s configuration.

SEC Consult says the vulnerabilities have critical impact, but the vendor has assigned the flaws a ‘high severity’ rating based on their CVSS score.

“Attackers can gain full control (root access) over the appliance, if any low-privileged user credentials are known, and could reconfigure or backdoor the system (e.g. change SIP upstream configuration, etc),” Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek.


Greil pointed out that the affected web interface is typically not exposed to the internet and a brief Shodan analysis shows there are no systems that are reachable from the web.

The cybersecurity firm this week published an advisory containing technical information, but proof-of-concept (PoC) exploit code has not been made public. 

Atos has released updates that should patch both Unify vulnerabilities. The vendor has also suggested a series of workarounds that can prevent or reduce the risk of exploitation. 


Gigabyte Firmware Exposes Millions Of Motherboards To Backdoor Hacking Threat



It’s really irritating when you set up a new system and it begins downloading and installing the motherboard vendor’s software without your permission or prompting. This can happen with a lot of different motherboard vendors, but there are secure ways and insecure ways to go about it, and Gigabyte seems to have chosen poorly.

We say that because security platform Eclypsium announced that it had detected “backdoor-like behavior” in Gigabyte systems. The specific behavior is that affected motherboards run internet-connected Windows software dropped from the system firmware to then update said firmware from the internet. The software in question is all completely legitimate in theory, but of course that’s where all kinds of trouble starts.

Because the application runs in the background, invisibly, there’s no way for the user to be aware if the tool has been hijacked by a threat actor. Don’t be confused; there’s not necessarily any problem with your system if you have a Gigabyte motherboard. It’s just that the update tool—which can be disabled from the UEFI setup but is enabled by default—performs very little in the way of security or safety checking.

That means that this innocuous update tool could be downloading a compromised firmware update from anywhere. This kind of “man in the middle” attack is particularly problematic because it’s very sneaky and not obvious to the user. It’s also a huge problem once it’s happened, because it’s very difficult to root out such an exploit as it can simply redownload itself, and prevent the user from flashing a “clean” firmware. This exploit affects nearly all Gigabyte motherboards made in the last few years. You can check this list [PDF] from Eclypsium to see if your board is affected.

For its part, Gigabyte has already released beta BIOS updates for all of its Intel LGA 1700 and AMD Socket AM4 motherboards that are vulnerable to this exploit. The company says that it has “implemented stricter security checks” on the tools, including signature verification and privilege access limitations, both of which should help keep bad guys from getting into your firmware. Updates for other systems, including Intel 400/500-series and AMD’s Socket AM5…


Domino Backdoor is Led by FIN7 and Conti Actors – Blogs


A new Domino Backdoor appeared at the beginning of 2023. Since February, a new malware family dubbed Domino has been used in attacks on corporations, with the Project Nemesis stealer as the final payload. Analysts say that the new backdoor is controlled and developed by ex-TrickBot/Conti actors and hackers related to the FIN7 group.

Who are Conti and FIN7?

First of all, let’s explain why the presence of actors from FIN7 and the defunct Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known under the names Carbanak (after the backdoor they use), ITG14 and ALPHV/BlackCat. They are most notorious for collaborations with widely-known threat actors, like the Ryuk and REvil ransomware operations, and for the release of their own ransomware, called ALPHV. It is still running and carried out a couple of noteworthy attacks in the past year.

Image: the ALPHV onion site, which the gang uses to publish data leaked from victims that refused to pay the ransom.

Conti is a similar and yet different story. They built their image around an eponymous ransomware sample. Like FIN7, this group of cybercriminals consists of actors from ex-USSR countries. However, the start of the war in February 2022 led to a quarrel among the group’s top management and the subsequent publication of its source code. That, eventually, led to the group’s dissolution. Before these events, Conti was a prolific ransomware gang with a major share of the market.

Their collaboration is unsurprising. Nature abhors a vacuum, so after the gang’s breakup its members promptly joined other groups or started new ones. However, collaborating with other gangs on the creation of brand-new malware is a rather unusual case. It may mark the arrival of a new character on the scene, a new threat actor, or simply a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor that is capable of malware delivery. It has been observed spreading a separate malware dropper, dubbed Domino Loader. The backdoor provides only remote access to the targeted system, while the loader handles malware deployment. This duo has been spotted being used in a pretty unique…


Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor


This blog was made possible through contributions from Christopher Caridi. 

IBM Security X-Force recently discovered a new malware family we have called “Domino,” which we assess was created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7. Former members of the Trickbot/Conti syndicate which X-Force tracks as ITG23 have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike.

Background

This discovery highlights the intricate nature of cooperation among cybercriminal groups and their members:

  • Since late February 2023, Domino Backdoor campaigns have been observed using the Dave Loader, which we have linked to the Trickbot/Conti syndicate and its former members.
  • Domino’s code shows overlap with the Lizar (aka Tirion, Diceloader) malware family, leading us to suspect that it was created by current or former ITG14 developers.
  • One of Domino’s final payloads is the Project Nemesis infostealer. Project Nemesis was first advertised on the dark web in December 2021, though has been rarely used since then.

Analysis

Ex-Conti Members Deploy Domino in Recent Campaigns

Former members of ITG23 (aka the Trickbot/Conti syndicate) are likely behind recent campaigns using the Dave Loader to load Domino Backdoor and probably collaborated with current or former ITG14 developers to purchase or use the new malware family. X-Force previously assessed that Dave is one of several loaders or crypters developed by members of the Trickbot/Conti group. Although the group has fractured, many of its loaders/crypters — including Dave — have been maintained and continue to be used by factions composed of former Trickbot/Conti members, including Quantum, Royal, BlackBasta, and Zeon.

  • The Dave Loader has been used recently with several Cobalt Strike samples with the watermark “206546002,” which X-Force and other security researchers — here and here — have associated with groups composed of former members of the Trickbot/Conti syndicate, including Quantum and Royal. X-Force observed Dave-loaded Cobalt Strike samples using this watermark in…
