
Kaspersky tracks Windows zero days to ‘Moses’ exploit author


New research by Kaspersky Lab shows a rise in APT groups leveraging exploits to gain initial foothold in a target network, including recent, high-profile zero-day vulnerabilities in Microsoft Exchange Server as well as Windows.

The security vendor released its APT Trends Report Q2 Thursday, which documented an uptick in certain activity over the last few months. Researchers found that advanced persistent threat (APT) groups committed several supply chain attacks in recent months. For example, Kaspersky found the Chinese-speaking APT group it tracks as “BountyGlad” compromised a digital certificate authority in February. According to the report, the group demonstrated an increase in “strategic sophistication with this supply-chain attack.”

However, one of the most significant trends was a shift in tactics. Kaspersky researchers found that while APT groups mainly use social engineering to gain an initial foothold, Q2 saw an increase in using zero days and exploits. Several of the zero-days, including two Windows vulnerabilities that were patched earlier this year, were traced to an exploit developer Kaspersky has dubbed “Moses.”

“Various marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as ‘Moses’,” the report said.

Both are Microsoft Windows zero days that received a CVSS score of 7.8 and were designated as elevation of privilege vulnerabilities.

Kaspersky had previously identified Moses in its APT Trends Report for Q1. According to the Q2 report, “Moses” appears to make exploits available to several APTs, but so far researchers have only confirmed two groups that have utilized exploits developed by Moses: Bitter APT and Dark Hotel.

Kaspersky researchers David Emm and Ariel Jungheit told SearchSecurity that they are two distinct groups, and it is unclear why Moses presumably worked with them. However, one of the groups’ targets appears to be known.

“In the case of Bitter APT, our telemetry indicates that the exploits have been used against targets inside Pakistan, though they could have been used against targets inside China also,” Emm and Jungheit…


City of Trenton Stops Sophisticated Vendor Phishing Scam in Its Tracks


Trenton to Launch Updated Cyber Security Training for Employees

Trenton, N.J. – Mayor W. Reed Gusciora announced today that the City of Trenton will launch updated cybersecurity employee training over the next few weeks after the City successfully stopped a sophisticated phishing scheme that used fake email addresses and URLs to closely mimic official city accounts.

“We’ve heard of an uptick in fraudulent calls and emails against our residents throughout the pandemic,” said Mayor Gusciora. “Looks like City Hall is also a target, and this is just one of several cyber-attacks we’ve had to fend off over the last year. As such, we’re launching updated training modules for City employees to ensure those attacks continue to be unsuccessful in the future.”

The scam, which started targeting Trenton’s Request for Quote (RFQ) process in February, was uncovered by the City’s IT Department, under the direction of CTO Joseph Rivera.

Cyber criminals posing as the City Business Administrator – complete with phony emails and phone numbers – sent fraudulent RFQs to vendors for potentially millions in stolen goods. The CTO was able to track down that a spoofed website called “tren0nNJ.org” had been created, with an email address [email protected], registered on NameCheap.com.

After notifying vendors of the situation, the City reached out to the U.S. Secret Service Trenton Office, which worked with the City of Trenton IT and Law departments to convince NameCheap.com that fraud had occurred. After a cease-and-desist letter was issued from the City, NameCheap took the appropriate steps to shut down the URL and all affiliated emails. To date, efforts to prevent damage from the scam have been successful, and no losses have been incurred by the City.

Following the scam, the City of Trenton updated its training protocols regarding cybersecurity and will launch an online training module for all employees in the coming weeks.

This event follows another attempted cyberattack in the Spring of 2020, in which a hacker diverted upwards of $982,000 in funds from the City of Trenton in relation to Brit Global Insurance Company. Trenton’s IT Department worked with the company as part of an extensive…


Malware and ransomware gangs have found this new way to cover their tracks


There’s been a huge uptick in the proportion of malware using TLS (Transport Layer Security) to communicate without being spotted, cybersecurity firm Sophos reports.

While HTTPS helps prevent eavesdropping, man-in-the-middle attacks, and hijackers who try to impersonate a trusted website, the protocol has also offered cover for cybercriminals to privately share information between a website and a command and control server, hidden from the view of malware hunters.

“It should come as no surprise, then, that malware operators have also been adopting TLS … to prevent defenders from detecting and stopping deployment of malware and theft of data,” Sophos said.

Malware communications fall into three main categories: downloading more malware, exfiltration of stolen data, or command and control. All these types of communications can take advantage of TLS encryption to evade detection by defenders, the security company said.

According to Sophos, a year ago 24% of malware was using TLS to communicate but today that proportion has risen to 46%. 

Sophos said a large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS as unwitting storage for malware components, as destinations for stolen data, or even to send commands to botnets and other malware.

It also said it has seen an increase in the use of TLS in ransomware attacks over the past year, especially in manually deployed ransomware, in part because of attackers’ use of modular offensive tools that leverage HTTPS.

“But the vast majority of what we detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages,” it said.

“We found that while TLS still makes up an average of just over two percent of the overall traffic Sophos classifies as ‘malware callhome’ over a three-month period, 56 percent of the unique C2 servers (identified by DNS host names) that communicated with malware used HTTPS and TLS.”

One dropper it highlights is the…


Taiwan blames Chinese APTs for hacking campaign. GoldenSpy’s operators are trying to cover their tracks. Vishing attacks spike following Twitter hack. – The CyberWire
