Tag Archive for: linux

Akira Ransomware Mutates to Target Linux Systems, Adds TTPs


Akira ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs).

An in-depth report on Akira from LogPoint breaks down the “highly sophisticated” ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery. 

The infection chain actively targets Cisco ASA VPNs lacking multifactor authentication to exploit the CVE-2023-20269 vulnerability as an entry point.

As of early September, the group had successfully hit 110 victims, focusing on targets in the US and the UK.

British quality-assurance company Intertek was a recent high-profile victim; the group has also targeted manufacturing, professional services, and automotive organizations. 

According to a recent GuidePoint Security GRI report, educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims.

The ransomware campaign involves multiple malware samples that carry out various steps, including shadow copy deletion, file search, enumeration, and encryption, when executed.

Akira uses a double-extortion method by stealing personal data, encrypting it, and then extorting money from the victims. If they refuse to pay, the group then threatens to release the data on the Dark Web.

Upon gaining access, the group uses tools including remote desktop apps AnyDesk and RustDesk and encryption and archiving tool WinRAR.

Advanced system information tool and task manager PC Hunter aids the group in moving laterally through the breached systems, along with wmiexec, according to the report.

The group can also disable real-time monitoring to evade detection by Windows Defender, and shadow copies are deleted through PowerShell.  

Ransom note files, which contain payment instructions and decryption assistance, are dropped into multiple locations across the victim’s system.

Anish Bogati, security research engineer at Logpoint, says Akira’s use of Windows internal binaries (also known as LOLBAS) for execution, retrieving credentials, evading defense, facilitating lateral…

Source…

Supply chain attack spread Linux malware via free download manager site


Linux users have been targeted by a supply chain attack that exploited a download manager website to facilitate Bash stealer deployment from 2020 to 2022, The Hacker News reports.

Threat actors compromised the “freedownloadmanager[.]org” website in January 2020 to redirect to another domain with a malicious Debian package that eventually resulted in the delivery of the crond backdoor and the Bash information-stealing malware, which sought to exfiltrate cloud service credentials, system information, cryptocurrency wallet files, and saved passwords, according to a Kaspersky report.

Detection of the now inactive campaign has been hampered by the absence of the Debian package in some of the targets that downloaded the software.

“While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye. Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions,” said researchers.

Source…

AtlasVPN Linux Zero-Day Disconnects Users, Reveals IP Addresses


A security researcher has published exploit code for AtlasVPN for Linux, which could enable anybody to disconnect a user and reveal their IP address simply by luring them to a website.

AtlasVPN is a “freemium” virtual private network (VPN) service owned by NordVPN. Despite being just 4 years old, according to its website, it’s used by more than 6 million people worldwide.

On Sept. 1, after receiving no response from the vendor, an unidentified researcher (referred to by their Full Disclosure mailing list username, “icudar”) posted exploit code for AtlasVPN Linux to the Full Disclosure mailing list and Reddit. By simply copying and pasting this code to their own site, any odd hacker could disconnect any AtlasVPN user from their private network, and reveal their IP address in the process.

“Since the entire purpose of the VPN is to mask this information, this is a pretty significant problem for users,” says Shawn Surber, senior director of technical account management at Tanium.

How the AtlasVPN Exploit Works

The issue with AtlasVPN’s Linux client boils down to a lack of proper authentication.

“The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication,” icudar wrote in his online posts. “This port can be accessed by ANY program running on the computer, including the browser.”

Surber guesses that “this vulnerability appears to be caused by the assumption that Cross-Origin Resource Sharing (CORS) protection would prevent it.” CORS is a mechanism by which one domain can request resources from another.

As other researchers have pointed out, though, the exploit easily slips past CORS by sending a type of request it does not flag. “CORS is designed to prevent data theft and loading of outside resources. In this scenario, the attack uses a simple command, which slips through the CORS gauntlet and, in this case, turns off the VPN, immediately exposing the user’s IP and therefore general location,” Surber explains.

What This Means for VPN Users

To test the extent of the vulnerability, icudar wrote malicious JavaScript that would request port 8076 and successfully disconnect the VPN, then request…

Source…

In Other News: Hacking Encrypted Linux Computers, Android Fuzzing, Skype Leaking IPs


SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

Here are this week’s stories:

Quickly hitting Enter key to hack an encrypted Linux computer 

Researchers at Pulse Security discovered that an attacker who has physical access to an encrypted Linux system can gain local root access to the computer — bypassing full-disk encryption — by quickly hitting Enter on the keyboard or using a special device to simulate the process. These types of attacks are not new. 

High-severity vulnerability patched in Chrome 


A new Chrome 116 update patches a high-severity use-after-free vulnerability. These types of flaws can typically be combined with other bugs for sandbox escapes and remote code execution. The bug bounty for the vulnerability has yet to be determined by Google. 

Google details Android fuzzing efforts

Google has published a blog post detailing its Android fuzzing efforts, including how it finds vulnerabilities, why it continues to invest in fuzzing, challenges, and how others can contribute. 

Top-level domains and DNS issues

Cisco Talos has conducted research into top-level domains (TLDs) and DNS issues, highlighting potential risks related to the .kids TLD, ‘zombified’ DNS name issues related to various country TLDs, as well as problems with second-level TLDs. 

Skype mobile app is leaking IP addresses

The Skype mobile application is leaking IP addresses, according to a report from 404 Media. A hacker can obtain a targeted user’s IP by sending them a link over Skype — the victim does not have to interact with the link. Microsoft has been notified, but the company is not rushing to patch it. 

Rackspace says cost of ransomware attack…

Source…