Tag Archive for: Researchers

Black Basta: Security Researchers Develop Decryptor for Black Basta Ransomware



In a recent breakthrough, security researchers have created a decryptor that exploits a vulnerability in the Black Basta ransomware, enabling victims to recover their files without paying the ransom. The decryptor, named ‘Black Basta Buster,’ was developed by Security Research Labs (SRLabs) and takes advantage of a flaw in the encryption algorithm used by the Black Basta ransomware gang.

According to a report by BleepingComputer, the vulnerability in Black Basta’s encryption routine allowed victims encrypted between November 2022 and the present month to potentially recover their files for free. However, the Black Basta developers have reportedly fixed the bug in their encryption mechanism, so the decryption technique does not work against newer attacks.

Understanding the Black Basta Flaw

SRLabs discovered a weakness in the encryption algorithm employed by Black Basta, which enabled the creation of the ‘Black Basta Buster’ decryptor. The flaw is associated with how the ransomware handles the ChaCha keystream used in XOR encryption.

The decryption process relies on knowing the plaintext of 64 encrypted bytes. Whether a file can be recovered depends on its size: files below 5000 bytes are deemed irrecoverable, files between 5000 bytes and 1GB can be recovered completely, and files larger than 1GB lose their first 5000 bytes while the remainder can be recovered.

Black Basta typically XORs the content of a file with a 64-byte keystream generated by the XChaCha20 algorithm. The flaw lies in reusing that same keystream for every chunk during encryption: XORing a 64-byte chunk of zeros with the keystream leaves the keystream itself in the output, so every all-zero 64-byte chunk of the original file is converted to the 64-byte symmetric key. This key can then be extracted from the encrypted file and used to decrypt the whole file.
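The following is an added, simplified model of the flaw described above, not SRLabs’ Black Basta Buster code and not the actual ransomware routine. It assumes the behaviour the article describes (a single 64-byte keystream XORed over the file in aligned chunks) and uses a constructed sample image and a constructed keystream; it recovers the key by picking the 64-byte ciphertext chunk that repeats most often, since zero-filled regions all encrypt to the keystream, then checks the candidate before decrypting.

```python
from collections import Counter
from typing import Optional

CHUNK = 64  # keystream length reported for Black Basta


def flawed_xor_encrypt(data: bytes, keystream: bytes) -> bytes:
    """Toy model of the flaw: one 64-byte keystream reused for every chunk.

    This is NOT Black Basta's implementation, only the reuse pattern the
    article describes. XOR is its own inverse, so the same function decrypts.
    """
    if len(keystream) != CHUNK:
        raise ValueError("keystream must be exactly 64 bytes")
    return bytes(b ^ keystream[i % CHUNK] for i, b in enumerate(data))


def aligned_chunks(data: bytes):
    """Yield the full 64-byte chunks at offsets that are multiples of 64."""
    for off in range(0, len(data) - CHUNK + 1, CHUNK):
        yield data[off:off + CHUNK]


def recover_keystream(ciphertext: bytes, min_hits: int = 2) -> Optional[bytes]:
    """Return the most frequent aligned chunk if it repeats at least min_hits times.

    A zero-filled plaintext chunk XORed with the keystream yields the keystream
    itself, so in files with many zero regions (e.g. VM disks) the keystream is
    the dominant ciphertext chunk. Files too small to contain repeated zero
    chunks give no candidate, matching the article's 'irrecoverable' case.
    """
    counts = Counter(aligned_chunks(ciphertext))
    if not counts:
        return None
    candidate, hits = counts.most_common(1)[0]
    return candidate if hits >= min_hits else None


def decrypt_with_recovered_key(ciphertext: bytes) -> Optional[bytes]:
    """Recover the keystream from the ciphertext alone and decrypt, or None."""
    keystream = recover_keystream(ciphertext)
    if keystream is None:
        return None
    plaintext = flawed_xor_encrypt(ciphertext, keystream)
    # Sanity check: the chunks we relied on must now decrypt to all zeros.
    if bytes(CHUNK) not in set(aligned_chunks(plaintext)):
        return None
    return plaintext


# Constructed sample data (not a real key or file) so the example runs offline.
SAMPLE_KEYSTREAM = bytes((i * 73 + 11) % 256 for i in range(CHUNK))


def build_sample_disk_image() -> bytes:
    """Constructed 'disk image': 64-byte header, 512 zero bytes, 200 bytes of data."""
    header = b"TOYDISKIMG" + bytes(range(54))        # exactly 64 bytes
    zero_region = bytes(CHUNK * 8)                  # eight all-zero chunks
    tail = bytes((i * 37) % 256 for i in range(200))  # deterministic filler
    return header + zero_region + tail


def demo() -> bool:
    """Encrypt the sample with the flawed scheme, then recover it key-free."""
    image = build_sample_disk_image()
    encrypted = flawed_xor_encrypt(image, SAMPLE_KEYSTREAM)
    recovered = decrypt_with_recovered_key(encrypted)
    return recovered == image


if __name__ == "__main__":
    print("recovered sample image:", demo())
    print("tiny file recoverable:", decrypt_with_recovered_key(b"short data") is not None)
```

The frequency heuristic is only a stand-in for the article’s stated requirement of 64 known plaintext bytes: any repeated 64-byte pattern in the original file (0xFF padding, for instance) would also repeat in the ciphertext, which is why the decrypt step verifies that the chosen candidate really maps the relied-upon chunks back to zeros before trusting it.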

The decryption process works best on larger files, such as virtual machine disks, which usually contain many ‘zero-byte’ sections. Even if the ransomware damages the Master Boot Record (MBR) or GUID Partition Table (GPT), tools like “testdisk” can often recover or regenerate these structures.

It’s important to note that while decrypting smaller files may not be feasible, SRLabs suggests that for files lacking large…

Source…

Researchers Reveal “Most Sophisticated” iMessage Exploit Targeting iPhones


Recently, the 37th Chaos Communication Congress took place in Hamburg, Germany. A team of cybersecurity experts including Boris Larin from Moscow-based security firm Kaspersky, Leonid Bezvershenko, and Georgy Kucherin presented at the congress. They uncovered a series of zero-day vulnerabilities in iPhones, exploited through iMessage. Their “Operation Triangulation” presentation marked the first public revelation of these vulnerabilities and how they were exploited.

Beware! Researchers Found iMessage Exploit

Reports claim that the attack, refined in its execution, starts with a seemingly harmless iMessage attachment. The attachment exploits CVE-2023-41990, a vulnerability in an undocumented TrueType font instruction, and triggers a chain of events without any observable signs to the user. The exploit uses advanced techniques, including return/jump-oriented programming and a multi-staged JavaScript exploit, to achieve deep access to the device’s system.

For those unaware, a “zero-day exploit” is similar to finding a secret way into a computer program or system that nobody else knows about. In Apple’s case, even the people who made the software did not know about it, so no protection against it existed yet. The name “zero-day” means the software makers have had zero days to fix the problem because they have only just found out about it.

The researchers also disclosed how the attack exploits the JavaScriptCore debugging feature and an integer overflow vulnerability (CVE-2023-32434) to get read/write access to the entire physical memory of the device at the user level. This allows the attackers to bypass the Page Protection Layer (PPL).

These exploits were patched by Apple in iOS and iPadOS 15.7.8 for older devices and in 16.6. The presentation also highlighted the exploit’s support for both older and newer iPhone models, including a Pointer Authentication Code (PAC) bypass for the latest models. The exploit’s sophistication is further evidenced by its use of hardware memory-mapped I/O (MMIO) registers.

PTA…

Source…

Researchers Unveil GuLoader Malware’s Latest Anti-Analysis Techniques


Dec 09, 2023 | Newsroom | Malware / Cyberattack

Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging.

“While GuLoader’s core functionality hasn’t changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process,” Elastic Security Labs researcher Daniel Stepanic said in a report published this week.

First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that’s used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions.

A steady stream of open-source reporting on the malware in recent months has shown that the threat actors behind it keep improving its ability to bypass existing and new security features, alongside other added features.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails bearing ZIP archives or links containing a Visual Basic Script (VBScript) file.


Israeli cybersecurity company Check Point, in September 2023, revealed that “GuLoader is now sold under a new name on the same platform as Remcos and is implicitly promoted as a crypter that makes its payload fully undetectable by antiviruses.”

One of the recent changes to the malware is an improvement of an anti-analysis technique first disclosed by CrowdStrike in December 2022, centered around its Vectored Exception Handling (VEH) capability.

It’s worth pointing out that the mechanism was previously detailed by both McAfee Labs and Check Point in May 2023, with the former stating that “GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis.”

The method “consists of breaking the…

Source…

Researchers Uncover Latest P2PINFECT Botnet Threat


A team of experts from Cado Security Labs recently discovered a stronger version of a troubling cyber threat known as the P2Pinfect botnet. This sneaky software goes after routers, smart devices and other tech gadgets, especially those using the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture.

What makes this botnet scarier is its ability to dodge detection. It is like a cyber ninja that can slip past Virtual Machines (VM) and avoid debuggers. Plus, it is good at hiding its tracks on Linux computers.

The P2Pinfect story started in July 2023 when another group found malware, written in the Rust programming language, that attacked Redis servers on both Linux and Windows systems. Like a ninja with a perfect score of 10.0, it could sneak into Redis servers on different operating systems.

Fast forward to September, and Cado Security Labs noticed a massive 600-times increase in P2Pinfect activity. It is like the cyber bad guys hit the turbo button, causing a 12.3% spike in just one week.

But here is the twist. The experts found a new version of P2Pinfect that specifically goes after smaller gadgets with 32-bit MIPS processors, the mini-brains in routers and smart devices. The malware tries to break into them by guessing passwords.

The strange part is that it also likes to mess with something called Redis servers on these gadgets. The experts are scratching their heads because they are not sure why anyone would do this. But if they succeed, these mini-brains could become launching pads for more attacks.

To make matters trickier, the malware tries to cover its tracks by disabling certain features on the compromised devices. It is like the cyber bad guys are playing hide and seek.

Source…