Tag Archive for: hackers

Vulnerability Researchers Hit by North Korean Hackers

Application Security, Containerization & Sandboxing, Cybercrime
Google Warns Social Engineering Attacks Have Been Backdooring Researchers’ Systems

Tweets used by attackers to demonstrate previous “exploits” they’d discovered (Source: Google)

North Korean hackers have been “targeting security researchers working on vulnerability research and development at different companies and organizations” to trick them into installing backdoored software.

So warns Google’s Threat Analysis Group in a Monday blog post detailing what it says is a months-long attack campaign that has already notched up multiple victims.


The campaign traces to “a government-backed entity based in North Korea,” which has used a variety of techniques to trick researchers, Google warns. “We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted…

Source…

Suspected Russian Hackers Targeted Cyber Firm Malwarebytes


(Bloomberg) — Suspected Russian hackers targeted the cybersecurity company Malwarebytes Inc. in the course of a sprawling cyber-attack that breached U.S. government agencies and companies.




© Bloomberg
A person uses a laptop computer with illuminated English and Russian Cyrillic character keys in this arranged photograph in Moscow, Russia, on Thursday, March 14, 2019. Russian internet trolls appear to be shifting strategy in their efforts to disrupt the 2020 U.S. elections, promoting politically divisive messages through phony social media accounts instead of creating propaganda themselves, cybersecurity experts say.

The attacker abused “applications with privileged access to Microsoft Office 365 and Azure environments,” according to a Tuesday blog post by Chief Executive Officer Marcin Kleczynski. He said the attack was part of the same hacking campaign that has utilized infected software from SolarWinds Corp. to target other organizations.


“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments,” Kleczynski wrote.

U.S. intelligence agencies and the FBI have said the recent hacking campaign — which was found and disclosed by the cybersecurity firm FireEye Inc. in December — was likely undertaken by Russia. In many instances, attackers broke into systems through a compromised version of widely used software from Texas-based SolarWinds Corp.

However, analysts have said that SolarWinds’s software wasn’t the only method the suspected Russian hackers used to breach networks. On Tuesday, the firm Symantec discovered a new form of malware used in the attack that wasn’t delivered through SolarWinds, suggesting the hack could be broader than previously understood. The firm CrowdStrike Inc. said the hackers had attempted to break into their networks by compromising a third-party vendor that resells Microsoft services. If a reseller is breached and has access to a client’s credentials, the attacker could then hack into the client’s networks.

On Dec. 15,…

Source…

SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader


The ongoing analysis of the SolarWinds supply-chain attack has uncovered a fourth malicious tool, which researchers call Raindrop, that was used to spread across computers on the victim network.

The hackers used Raindrop to deliver a Cobalt Strike beacon to select victims that were of interest and which had already been compromised through the trojanized SolarWinds Orion update.

There are currently four pieces of malware identified in the SolarWinds cyberattack, believed to be the work of a Russian threat actor:

  • Sunspot, the initial malware used to inject backdoors into the Orion platform builds
  • Sunburst (Solorigate), the malware planted in Orion updates distributed to thousands of SolarWinds customers
  • Teardrop, the post-exploitation tool delivered by Sunburst to select victims in order to deploy customized Cobalt Strike beacons
  • Raindrop, the newly uncovered malware that is similar to Teardrop

Disguised as 7-Zip file to load Cobalt Strike

Symantec researchers found the new Raindrop malware on machines compromised through the SolarWinds cyberattack. They noticed that it fulfills the same function as Teardrop but differs both in its deployment mechanism and at the code level.

To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file. The 7-Zip code acts only as a cover; it is never actually executed.

On one victim that installed the trojanized Orion platform in early July 2020, Symantec found that Teardrop arrived the very next day via Sunburst. Raindrop appeared 11 days later on another host in the organization where no malicious activity had previously been observed, the researchers say.

How Raindrop ended up on a victim network is a mystery for now. Symantec saw no evidence of Sunburst delivering Raindrop directly, yet it was present “elsewhere on networks where at least one computer has already been compromised by Sunburst.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware on other systems. Cybersecurity company Volexity investigating SolarWinds cyberattacks also reported that the hackers…

Source…

Hackers abusing this perfectly innocent Windows 10 feature to infect machines



The Windows finger command, used to display information about users on a remote computer, is being exploited by cyber attackers to infect Windows 10 devices with malware. It has been discovered that the command can be abused to download the MineBridge malware onto an unsuspecting victim’s device.

Bleeping Computer reports that security researcher Kirk Sayre has identified a new phishing campaign using the finger command. The campaign involves sending the job resume of an alleged candidate.

When a victim then clicks to edit the document, a macro is run that uses the finger command to download a Base64-encoded certificate that is essentially a malware executable. The downloader then uses DLL hijacking to sideload the MineBridge malware.
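The chain above turns the stock finger.exe client into a download channel, so process-creation telemetry is the natural place to catch it. What follows is an added example, not code from the article or from the researchers it cites: a small Python detector that runs over constructed Sysmon-style process-creation records (the hostnames, addresses and paths are hypothetical) and flags finger.exe when it is launched by an Office application or pointed at a remote host.

```python
"""Flag suspicious use of the Windows finger client in process-creation telemetry.

Added example: the event records below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office hosts whose macros have no legitimate need for the finger client.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Matches "finger [-l] user@host" regardless of how the binary path is written.
FINGER_ARG = re.compile(r'(?i)(?:^|[\s\\/"])finger(?:\.exe)?"?\s+(?:-l\s+)?(\S+)')


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def finger_target(command_line: str) -> Optional[str]:
    """Extract the user@host argument passed to finger, if any."""
    m = FINGER_ARG.search(command_line)
    return m.group(1) if m else None


def classify(event: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious; empty list means benign."""
    if basename(event.image) != "finger.exe":
        return []
    reasons: List[str] = []
    parent = basename(event.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append(f"finger.exe spawned by Office process {parent}")
    target = finger_target(event.command_line)
    if target and "@" in target:
        # A remote query is how the client is turned into a downloader.
        reasons.append(f"finger query to remote host {target.split('@', 1)[1]}")
    return reasons


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Run classify() over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (hypothetical hosts, TEST-NET address).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\finger.exe",
                 r'"C:\Windows\System32\finger.exe" user@203.0.113.10'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\finger.exe",
                 "finger -l admin@fileserver.corp.example"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 "notepad.exe resume.txt"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{basename(ev.parent_image)} -> {ev.command_line}")
        for r in reasons:
            print(f"    {r}")
```

The Office-parent rule is the high-confidence one; a finger query to a remote host from a shell is worth a lower-severity alert, since the client is rarely used in practice but an administrator might still run it by hand.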

The finger of blame

The MineBridge malware was first identified a year ago by FireEye security researchers, with the campaign initially targeting financial services companies in the US. At the time a phishing campaign with a …

Source…