Tag Archive for: Exploiting

A sneaky new steganography malware is exploiting Microsoft Word — hundreds of firms around the world hit by attack


Hackers have been observed using steganography to target hundreds of organizations in Latin America with infostealers, remote access trojans (RAT), and more. 

The campaign, dubbed SteganoArmor, was discovered by researchers from Positive Technologies.


TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy


Mar 29, 2024 | Newsroom | Network Security / IoT Security

A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

“TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen Technologies said.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that’s offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.


In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.

The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.

That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S.

Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices and deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless.


The attacks entail dropping a loader that’s responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called “.sox” that’s used to proxy traffic from the bot to the internet on behalf of a user.

In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and to allow traffic from three different IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers, likely to determine whether the infected device has internet connectivity and is not being run in a sandbox.
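A defender-side hunting check for the firewall change described above, added here as an example and not taken from the article or from Lumen's research: it parses `iptables-save` output and flags an INPUT chain that drops TCP 80 and 8080 while whitelisting several source ranges. The rule text is constructed, and the source ranges are documentation addresses, not indicators from the report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `iptables-save` output resembling the described pattern.
SAMPLE_RULES = """
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*?) -j (?P<target>\S+)\s*$")
DPORT_RE = re.compile(r"--dport (\d+)")
SRC_RE = re.compile(r"-s (\S+)")


def parse_rules(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn `-A` lines of iptables-save output into simple rule records."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # table headers, chain policies, COMMIT
        body = m.group("body")
        dport = DPORT_RE.search(body)
        src = SRC_RE.search(body)
        rules.append({
            "chain": m.group("chain"),
            "target": m.group("target"),
            "proto": "tcp" if "-p tcp" in body else None,
            "dport": dport.group(1) if dport else None,
            "src": src.group(1) if src else None,
        })
    return rules


def find_blocked_web_ports(text: str, ports=("80", "8080"), min_sources=3) -> dict:
    """Flag INPUT rules dropping TCP on the given ports plus source whitelists."""
    rules = [r for r in parse_rules(text) if r["chain"] == "INPUT"]
    dropped = sorted({r["dport"] for r in rules
                      if r["target"] == "DROP" and r["proto"] == "tcp" and r["dport"] in ports})
    allowed = [r["src"] for r in rules
               if r["target"] == "ACCEPT" and r["src"] and r["dport"] is None]
    suspicious = len(dropped) == len(ports) and len(allowed) >= min_sources
    return {"dropped_ports": dropped, "allowed_sources": allowed, "suspicious": suspicious}
```

Run it against `iptables-save` output collected from SOHO devices during an investigation; a hit is a lead to examine the device, not proof of infection on its own.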


The targeting of EoL appliances to fabricate the botnet is no…


Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability


Feb 16, 2024 | Newsroom | Ransomware / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it is likely being exploited in Akira ransomware attacks.

The vulnerability in question is CVE-2020-3259 (CVSS score: 7.5), a high-severity information disclosure issue that could allow an attacker to retrieve memory contents on an affected device. It was patched by Cisco as part of updates released in May 2020.

Late last month, cybersecurity firm Truesec said it found evidence suggesting that the flaw has been weaponized by Akira ransomware actors to compromise multiple susceptible Cisco AnyConnect SSL VPN appliances over the past year.


“There is no publicly available exploit code for […] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to buy or produce exploit code themselves, which requires deep insights into the vulnerability,” security researcher Heresh Zaremand said.

According to Palo Alto Networks Unit 42, Akira is one of the 25 groups with newly established data leak sites in 2023, with the ransomware group publicly claiming nearly 200 victims. First observed in March 2023, the group is believed to share connections with the notorious Conti syndicate based on the fact that the ransom proceeds have been routed to Conti-affiliated wallet addresses.

In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal, putting it behind LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75), and Black Basta (72).

Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by March 7, 2024, to secure their networks against potential threats.

CVE-2020-3259 is far from the only flaw to be exploited for delivering ransomware. Earlier this month, Arctic Wolf Labs revealed the abuse of CVE-2023-22527 – a recently uncovered shortcoming in Atlassian Confluence Data Center and Confluence Server – to deploy C3RB3R…


FritzFrog Botnet Strikes Back Exploiting Log4Shell Vulnerability


A new variant of the sophisticated botnet “FritzFrog” has emerged, leveraging the Log4Shell vulnerability for propagation. Despite more than two years passing since the Log4j flaw was discovered, attackers continue to exploit it effectively due to many organizations neglecting to patch their systems. Notably, the botnet appears to target seemingly secure sections of internal networks where patches may be lacking.


Understanding FritzFrog Botnet


Initially identified by Guardicore (now part of Akamai) in August 2020, FritzFrog operates as a peer-to-peer (P2P) botnet, primarily targeting internet-facing servers with weak SSH credentials. The Log4Shell vulnerability (CVE-2021-44228), which gained widespread attention due to its critical nature, is now being exploited by FritzFrog as a secondary infection vector. Unlike its previous strategies that focused on targeting internet-facing servers, this variant takes aim at internal hosts within compromised networks. This shift underscores the importance of comprehensive patch management practices, as even seemingly less vulnerable internal systems can become prime targets for exploitation.

One of the noteworthy enhancements of this variant is that it identifies potential targets with vulnerabilities within the network by analyzing system logs on compromised hosts. This implies that despite patching internet-facing applications, any breach of other endpoints can still leave unpatched internal systems vulnerable to exploitation, facilitating the spread of the malware. Additionally, the malware now exploits the PwnKit vulnerability (CVE-2021-4034) for local privilege escalation, further enhancing its persistence and reach.

Moreover, the FritzFrog botnet employs evasion tactics, including minimizing its footprint by avoiding file drops to disk whenever possible. By using shared memory locations and executing memory-resident payloads, it maintains a stealthy presence that complicates detection and mitigation efforts.


Conclusion


Akamai, a leading web infrastructure and security company, has dubbed this latest activity as Frog4Shell, highlighting the convergence of FritzFrog’s capabilities with the…
