Tag Archive for: threat

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28’s MooBot Threat


Feb 28, 2024 | Newsroom | Firmware Security / Vulnerability


In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.

The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia’s Main Directorate of the General Staff (GRU), is known to be active since at least 2007.

APT28 actors have “used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” the authorities said [PDF].

The adversary’s use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.


MooBot attacks target routers that still use default or weak credentials and deploy OpenSSH trojans on them. APT28 then acquired that access and used it to deliver bash scripts and other ELF binaries for collecting credentials, proxying network traffic, hosting phishing pages, and running other tooling.
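The advisory's first remedies are mundane: remove the factory account, set strong credentials, and keep management services off the WAN side. The script below, an added example that is not code from the advisory or from Ubiquiti, audits an EdgeOS-style config.boot for exactly those conditions. The brace-delimited format mirrors what EdgeOS writes; the sample config, its hostname, the user names and the password hashes are all constructed for the example. Note that a trojanized sshd does not show up in the config at all, which is why the advisory's real remedy is a factory reset followed by a firmware upgrade.

```python
"""Audit an EdgeOS-style config.boot for the weak-default conditions the
advisory warns about: the factory 'ubnt' account still present, a user
with a plaintext password, and SSH listening on every interface.

Added example, not code from the advisory or from Ubiquiti. The brace
format mirrors EdgeOS config.boot; the sample below is constructed and
the hashes in it are not real.
"""
import shlex

SAMPLE_CONFIG = """\
service {
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name edgerouter
    login {
        user ubnt {
            authentication {
                encrypted-password $6$constructed$notarealhash
            }
            level admin
        }
        user netops {
            authentication {
                plaintext-password hunter2
            }
            level admin
        }
    }
}
"""


def parse_config(text):
    """Turn 'key value' / 'key {' / '}' lines into nested dicts.

    'user ubnt {' becomes config['system']['login']['user']['ubnt'],
    so repeated nodes such as several users do not overwrite each other.
    """
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # skip blanks and comments
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            for token in shlex.split(line[:-1]):
                node = node.setdefault(token, {})
        else:
            tokens = shlex.split(line)
            node[tokens[0]] = " ".join(tokens[1:])
    return root


def audit(config):
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    users = config.get("system", {}).get("login", {}).get("user", {})
    if "ubnt" in users:
        findings.append(("default-account",
                         "factory account 'ubnt' still exists; delete it and "
                         "use a uniquely named admin with a strong password"))
    for name, spec in users.items():
        auth = spec.get("authentication", {})
        # EdgeOS normally rewrites plaintext-password to "" on commit; a
        # surviving value means the config was edited by hand or never committed.
        if auth.get("plaintext-password"):
            findings.append(("plaintext-password",
                             f"user '{name}' has a plaintext password in the config"))
    ssh = config.get("service", {}).get("ssh")
    if ssh is not None and "listen-address" not in ssh:
        findings.append(("ssh-all-interfaces",
                         "SSH has no listen-address, so it binds every interface; "
                         "confirm a WAN-side firewall rule drops inbound 22/tcp"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{code}] {msg}")
```

Run it against a copy of /config/config.boot pulled from the device; the parser is deliberately forgiving so that it also works on the config printed by `show configuration`.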

This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.

APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that lets an attacker steal NT LAN Manager (NTLM) hashes and mount a relay attack without any user interaction.
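An NTLM leak of this kind only works if the victim can reach the attacker's share, so the durable control is to block and log outbound SMB at the perimeter. The script below, an added example that is not from Microsoft or from the advisory, runs that detection over firewall log lines: it flags SMB flows from RFC 1918 addresses to anything outside them, keeping denied flows too, because a workstation that tried to reach an external share is still worth a look. The key=value log format and the sample entries are constructed for the example; adjust the regular expression to your own firewall's fields.

```python
"""Flag outbound SMB from internal hosts to non-RFC1918 destinations in
firewall logs, the egress path an NTLM-leak bug such as CVE-2023-23397
needs: the client authenticates to an attacker-controlled share, so the
hash leaves over 445/tcp (or 139/tcp).

Added example, not from any vendor. The key=value log format is
constructed for the example; map the regex to your own firewall's fields.
"""
import ipaddress
import re

# Assumption: internal address space is the three RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

LOG_RE = re.compile(
    r"(?P<ts>\S+) fw (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample: one internal-to-internal SMB flow (benign), one
# allowed external SMB flow, one HTTPS flow, one denied external NetBIOS flow.
SAMPLE_LOG = """\
2024-02-28T10:01:02Z fw allow src=10.0.4.17 dst=10.0.1.5 proto=tcp dport=445
2024-02-28T10:01:09Z fw allow src=10.0.4.17 dst=203.0.113.9 proto=tcp dport=445
2024-02-28T10:01:11Z fw allow src=10.0.4.17 dst=198.51.100.23 proto=tcp dport=443
2024-02-28T10:02:40Z fw deny src=192.168.7.8 dst=198.51.100.44 proto=tcp dport=139
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_egress(log_text):
    """Return (timestamp, action, src, dst, dport) for SMB flows that leave
    the internal ranges. Denied flows are kept on purpose: the host that
    attempted the connection is the one to examine."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        dport = int(m["dport"])
        if (m["proto"] == "tcp" and dport in SMB_PORTS
                and is_internal(m["src"]) and not is_internal(m["dst"])):
            hits.append((m["ts"], m["action"], m["src"], m["dst"], dport))
    return hits


if __name__ == "__main__":
    for hit in smb_egress(SAMPLE_LOG):
        print("SMB egress:", *hit)
```

On the sample this reports the two external SMB flows and ignores the internal file-server traffic and the HTTPS session. If any allowed hits appear in real logs, the egress rule is missing, not merely unmonitored.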

Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines utilizing compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

“With…

Source…

New Malware Poses Serious Threat to Android Users, All Details Here


The primary method of spreading this malware is through SMS texts containing shortened URLs.

Recently, cybersecurity experts uncovered an updated version of the Android XLoader malware, which has been attributed to a threat actor known as ‘Roaming Mantis.’ This new variant is particularly concerning because it launches itself automatically once installed, without any further interaction from the user. The primary method of spreading this malware is through SMS texts containing shortened URLs. When a user clicks on the link, they are directed to a webpage urging them to download an Android installation file (APK) for a supposed mobile app.

According to a report by BleepingComputer, researchers at McAfee have provided detailed insights into this new iteration of the XLoader malware. One notable feature of this variant is its ability to automatically initiate itself after installation. To deceive users, the malware disguises itself as ‘Chrome’ with an italicized ‘r.’ Upon installation, the app prompts users to grant it continuous background operation and requests permission to be designated as the default SMS app. Notably, prompts are presented in multiple languages including English, French, Japanese, Hindi, and German.

The concerning aspect of this malware lies in its autonomous behaviour, which allows it to engage in malicious activities without the need for user interaction. Among its capabilities is the pilfering of sensitive information such as passwords, text messages, photos, contacts, and hardware details like the device’s IMEI, SIM, and serial number.

Source…

Beware of a new Android threat targeting your photos and texts without even opening them


Another day, another malware threat is after your data. Brace yourself: a strain that has been around for a while has just gotten worse. It’s called XLoader, and it’s after the photos and texts on your Android device. Yes, you heard that right. Your precious memories and messages are in danger of being snatched by this malicious software.


What is malware?

Malware is technically any software that’s designed to disrupt the system of its intended target. With malware, the person or entity behind the attack can gain access to your data, leak sensitive information, block you out, and take control of other aspects of your privacy and security.



What is the XLoader malware strain?

According to McAfee, the XLoader malware — also known as MoqHao — has been around since 2015, targeting Android users in the U.S., Europe, and Asia. Once it’s on your device (which it’s gotten much better at doing), it’s able to run in the background, taking your sensitive data, whether it be photos, text messages, contact lists, hardware details, and more.



How does XLoader get onto your device?

One reason XLoader is such a major threat is that, unlike its earlier strains and other malware, it gets onto your device far more easily than before. Malware generally arrives through a phishing scam. People have become more skeptical about opening suspicious files or clicking suspicious links, and built-in apps now warn you about them, so traditional phishing scams are harder to pull off. XLoader, however, has gotten clever.


First, you receive a text from an unknown sender

Like ordinary malware, XLoader often spreads through malicious links sent via text messages. This is a unique type of phishing scam known as “smishing.” But, scammers are aware that most people don’t click on texts from people they don’t know. So, another way they attempt to be successful at this is by first gaining access to a phone…

Source…

LockBit Ransomware Threat Persists | MSSP Alert


MSSPs, MSPs and various cybersecurity providers continue to offer analysis and advice in the aftermath of the stunning LockBit ransomware group takedown this week, while urging caution against other ransomware operations seeking the next opportunity to attack.

It’s possible that the threat may not be over yet. Late this week Sophos X-Ops reported through its social media handle that despite the recent law enforcement activity, Sophos X-Ops had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool. Sophos posted this news in an update to its blog post about the ConnectWise ScreenConnect vulnerabilities.

LockBit Law Enforcement Action

On February 20, the U.S. Justice Department announced that the U.K. National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Federal Bureau of Investigation (FBI) and other international law enforcement partners, seized numerous public-facing websites and servers used by LockBit administrators. The effort dealt a major blow to LockBit threat actors’ ability to attack and encrypt networks and extort victims by threatening to publish stolen data.

The LockBit ransomware variant first appeared around January 2020 and had grown into one of the most active and destructive variants in the world, the Justice Department said. Moreover, LockBit members have executed attacks against more than 2,000 victims in the U.S. and around the world, making at least hundreds of millions of U.S. dollars in ransom demands and receiving over $120 million in ransom payments. 

According to Sophos X-Ops’ analysis, LockBit has been among the top 10 most reported ransomware infections in every year since 2020. Sophos’ Incident Response team found that LockBit accounted for one in five of all ransomware infections it handled in 2023.

Chester Wisniewski, field chief technology officer for Sophos, an MSSP Alert MDR Top 40 company, was cautiously optimistic LockBit had been dealt a death blow.

“Much of LockBit’s infrastructure is still online, but I don’t expect them to make a triumphant return,” Wisniewski said. “These groups continually rebrand and…

Source…