Tag Archive for: infected

SonicWall devices infected with persistent malware by suspected Chinese hacking campaign: Report



Devices from SonicWall, an American cybersecurity company that sells internet appliances directed at content control and network security, were found to be infected by persistent malware.

Aimed at gaining privileged access within the appliance, the malware was found to be able to steal hashed credentials from logged-in users, which would later be retrieved to be cracked online.

Originating from a suspected Chinese hacking campaign, the attack involves maintaining long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance, a blog post from Mandiant said.

Attackers used an ELF binary, the TinyShell backdoor, and several bash scripts that point to a deep understanding of the targeted network devices.


The malware used on SonicWall devices was found to enter the devices through a bash script named firewalld, which is responsible for executing an SQL command to accomplish credential stealing and execution of other components, the post said.

Attackers also made efforts to ensure the malware would persist across firmware updates by running a startup script at boot time along with a secondary script that allowed the malware to persist in case of exit or crash.

While it is unclear what vulnerability was used to compromise devices, the malware or a predecessor of it was likely deployed in 2021 and is believed to have persisted through multiple firmware updates.

“In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of internet-facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term”, the company said in the post.


Over 155K Minecraft Players Get Infected With Malware / Digital Information World


The rapid growth of the gaming industry has spurred many cyber attackers to use games as a platform for launching malware campaigns, and Minecraft turns out to be one of their most popular choices. Over 131,000 Minecraft users on PC were infected with malware, and 26,000 mobile users were also infected, which brings the total number of Minecraft players attacked by malware past the 150,000 mark.

Malicious actors appear to be disproportionately targeting players who prefer Minecraft. The second highest number of malware infections belonged to Roblox with just under 39,000, so Minecraft users are over four times likelier to get infected by malware than Roblox players.

In mobile gaming this disparity is even more pronounced. Roblox came in second again, but with only 1,186 infections reported so far. That is only a small fraction of the 26,000 Minecraft players who had malware infiltrate their systems, which suggests that playing Minecraft could expose a user to far more cyber attacks than would otherwise be the case.

Around 90% of the total malware infections seen in mobile games went to Minecraft users, and 76% of all the malware was from the notorious RedLine Stealer malware family. It works by stealing browser data and skimming passwords, which could end up allowing malicious actors to lock users out of their own accounts.

It should be mentioned that the downloading of so-called cracked games might be contributing to this trend. These games are free because they are pirated, and the people offering these free downloads often include malware in the source code. This can allow malicious actors to spy on users without them realizing it; if users started using 2FA more frequently, such forms of malware might become less useful to cyber attackers and hackers in the future.

H/T: Securelist



Never-Before-Seen Malware Infected Hundreds Of Linux, Windows Devices


DETROIT – Researchers have revealed a never-before-seen piece of cross-platform malware that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers.

Black Lotus Labs, the research arm of security firm Lumen, is calling the malware Chaos, a word that repeatedly appears in function names, certificates, and file names it uses.

Chaos emerged no later than April 16, when the first cluster of control servers went live in the wild. From June through mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have mushroomed in recent months, growing from 39 in May to 93 in August. As of last week, the number reached 111.

Black Lotus has observed interactions with these staging servers from both embedded Linux devices and enterprise servers, including one in Europe that was hosting an instance of GitLab. There are more than 100 unique samples in the wild.


Hacking campaign uses infected James Webb Telescope image


A newly discovered hacking campaign is exploiting an image from the James Webb Telescope to infect targets with malware.

Detailed today by researchers at Securonix Inc. and dubbed “GO#WEBBFUSCATOR,” the campaign leverages a deep field image taken from the telescope and obfuscated Golang programming language payloads to infect a potential victim.

The infection vector starts with a phishing email carrying a Microsoft Office attachment; an external reference hidden inside the document’s metadata downloads a malicious template file. When the document is opened, the malicious template file is downloaded and saved on the system, initiating the first stage of code execution for the attack.

Eventually, the script downloads a JPEG image that shows the James Webb Telescope deep field image. The image contains malicious Base64 code disguised as an included certificate, which is then decrypted and saved into a built-in Windows executable called “msdllupdate.exe.”

The generated file is a Windows 64-bit executable about 1.7 megabytes in size and employs several obfuscation techniques to hide from antivirus software and to make analysis difficult. “At the time of publication, this particular file is undetected by all antivirus vendors,” the researchers note.

“It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-endpoint detection and response detection methodologies in mind,” the researchers added.

The researchers conclude that the methodology used in the attack chain is interesting. Although the use of Golang is not uncommon, its combination, in this case, with the Certutil command-line program is much less common.

“This campaign once again proposes the risk inherent in the concept of digital trust and its implications in the field of security,” Paolo Passeri, principal sales engineer at cybersecurity software company Netskope Inc., told SiliconANGLE.

Referencing the growth of remote work, Passeri noted that “users now place more reliance on digital interactions than on human ones, which lowers the level of guard against any content coming from the internet and are no…
