Tag Archive for: Deliver

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell – Threatpost


Attackers Are Using Log4Shell Vulnerability to Deliver Backdoors to Virtual Servers



Internet security firm Sophos has released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks.

A new technical paper, “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four cryptominers.

The backdoors are possibly delivered by Initial Access Brokers.

Log4Shell is a remote code execution vulnerability in the Java logging component Apache Log4j, which is embedded in hundreds of software products. It was reported and patched in December 2021.

“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information.

Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators.”

The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:

  • Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
  • The malicious Sliver backdoor 
  • The cryptominers z0Miner, JavaX miner, Jin and Mimu
  • Several PowerShell-based reverse shells that collect device and backup information

Sophos’ analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts, and is used to deliver the Jin and Mimu variants of the XMRig Monero miner botnet.

According to Sophos, the attackers are using several different approaches to infect targets. While some of…

Attackers bypass Microsoft patch to deliver Formbook malware


SophosLabs researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability (CVE-2021-40444) affecting the Microsoft Office file format.

The attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware. The attackers then distributed it through spam emails for approximately 36 hours before it disappeared.

From CAB to “CAB-less” exploit to bypass the patch for CVE-2021-40444

The CVE-2021-40444 vulnerability is a critical remote code execution (RCE) vulnerability that attackers can exploit to execute any code or commands on a target machine without the owner’s knowledge. Microsoft released an urgent mitigation followed by a patch in September. A few days later, the company shared how attackers have been exploiting the flaw to deliver custom Cobalt Strike payloads.

Sophos researchers found the 36-hour campaign featuring the new exploit in late October. They discovered that the attackers had reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive. The newer, “CAB-less” form of the exploit successfully evades the original patch.

CVE-2021-40444 patch bypass

Sophos data shows that the amended exploit was used in the wild for around 36 hours. According to the researchers, the limited lifespan of the updated attack could mean it was a “dry run” experiment that might return in future incidents.

“In theory, this attack approach shouldn’t have worked, but it did,” said Andrew Brandt, principal threat researcher at Sophos.

“The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for…

Deliver Amazing: Top 10 Questions Every App Security RFP Should Answer


Cybercriminals are hot on the money trail—and the path is leading straight to unprotected mobile applications in the fintech and banking industries. According to Verizon’s Mobile Security Index 2020 Report, 39 percent of organizations surveyed experienced a security compromise involving a mobile security device in 2020, up from 33 percent in 2019 and 27 percent the previous year.

And it’s not just financial services at risk. Nearly all market sectors are witnessing a rise in cyber attacks, from ecommerce and telehealth to manufacturing and automotive. And applications are increasingly becoming the preferred threat gateway for hackers. Why the global surge? Nearly every organization today is an app company, whether they identify as one or not, because so many of today’s leading businesses are powered by apps. Combine that with the rising value of pilfered app data and we have a recipe for a crisis. Several cybersecurity researchers are quoted as saying that a single PHI record is 10 times more valuable on the dark web than a stolen credit card credential.

With traditional perimeter security ineffective in keeping mobile apps used outside the firewall safe, organizations are turning to solutions that protect the app, rather than the network. These app security solutions can be added to mobile apps to safeguard the data stored in mobile devices and to comply with consumer data privacy regulations, such as GDPR, NY Shield, or CCPA. They also prevent breached applications from becoming a vector to attack resources within the broader corporate infrastructure.

Why App Security Solutions Work

App security solutions work by precluding attackers from reverse engineering mobile apps to find vulnerabilities in the code and exploit them to steal data or access the wider corporate network. They provide protection at three levels:

  • Code obfuscation prevents static analysis of how the code is structured.
  • Environmental checks ensure code is running within a secure and trustworthy environment, blocking attempts to dynamically analyze the way the code operates.
  • Anti-tamper technology prevents attackers from modifying code within the app to perform malicious activities.

While app security…