Tag Archive for: Uncover

Researchers Uncover New Data Theft Capabilities

Security researchers have detailed the inner workings of the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox).

Predator was first documented by Google’s Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.

The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram.

Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset.

“A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims,” Cisco Talos said in a technical report.

Spyware like Predator and NSO Group’s Pegasus is carefully delivered as part of highly targeted attacks by weaponizing what are called zero-click exploit chains, which typically require no interaction from the victims and allow for code execution and privilege escalation.

“Predator is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous,” Talos explained.

Both Predator and Alien are designed to get around security guardrails in Android, with the latter loaded into a core Android process called Zygote to download and launch other spyware modules, including Predator, from an external server.

It’s currently not clear how Alien is activated on an infected device in the first place. However, it’s suspected to be loaded from shellcode that’s executed by taking advantage of initial-stage exploits.

“Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features,” the company…

Source…

Researchers Uncover New “RA Group” Ransomware


Threat researchers have discovered another new ransomware actor, this time leveraging Babuk source code in attacks on US and South Korean organizations.

RA Group emerged in April this year, with a dedicated leak site appearing at the end of the month listing exfiltrated data, victim URLs and other information, according to Cisco Talos. The group is also selling exfiltrated data, which is hosted on a Tor site.

Cisco warned that the group is ramping up activity fast, with three US victims and one in South Korea across the manufacturing, wealth management, insurance and pharmaceuticals sectors.

As is usual for such groups, ransom notes are built into the code and personalized for each victim organization. However, RA Group is unusual in also naming the victim in the executable, the report noted.

Both the debug path and the fact that the ransomware contains the same mutex as Babuk support Cisco’s assessment that the group is using the Babuk source code, which was leaked back in September 2021.

The executable itself uses the curve25519 and eSTREAM HC-128 cipher algorithms, but only partially encrypts each file in order to accelerate the process, Cisco said. Once completed, a “.Gagup” extension is applied, and the Recycle Bin contents and volume shadow copies are deleted.

However, RA Group doesn’t encrypt all files and folders, leaving some untouched so that victim organizations can “download the qTox application and contact RA Group operators using the qTox ID provided on the ransom note.”

After analyzing previous ransom notes, Cisco asserted that victims get three days to contact their extortionists, after which time RA Group begins to leak their files.

“The victims can confirm the exfiltration of their information by downloading a file using the gofile[.]io link in the ransom note,” it explained.

There is no information thus far on how the group gains initial access or conducts post-intrusion activity.

Source…

Researchers uncover a hardware security vulnerability on Android phones

Could your smartphone be spying on you?

Hopefully not, and if so, not for long, thanks to a team of researchers at the University of Pittsburgh Swanson School of Engineering.

Their recent study found that the Graphics Processing Unit (GPU) in some Android smartphones could be used to eavesdrop on a user’s credentials while the user types them on the smartphone’s on-screen keyboard, making it an effective target for hacking. This hardware security vulnerability exposes a much more serious threat to users’ sensitive personal data than previous attacks, which could only infer coarse-grained activities such as the website being visited or the length of the password being typed.

“Our experiments show that our attack can correctly infer a user’s credential inputs, such as their username and password, without requiring any system privilege or causing any noticeable shift in the device’s operations or performance. Users wouldn’t be able to tell when it’s happening,” said Wei Gao, associate professor of electrical and computer engineering, whose lab led the study. “It was important to let manufacturers know that the phone is vulnerable to eavesdropping so that they can make changes to the hardware.”

A phone’s GPU processes all of the images that appear on the screen, including the pop-up animations when a letter of the on-screen keyboard is pressed. The researchers were able to correctly infer which letters or numbers were pressed more than 80 percent of the time, based only on how the GPU produces the displayed keyboard animations.

“If someone were to take advantage of this weakness, they could build a benign application—like a game or other app—and embed malicious code into it that would run silently in the background after it’s installed,” said Gao. “Our experimental version of this attack could successfully target usernames and passwords being entered in online banking, investment, and credit reporting apps and websites, and we…

Source…

Chinese Experts Uncover Details of Equation Group’s Bvp47 Covert Hacking Tool

Researchers from China’s Pangu Lab have disclosed details of a “top-tier” backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA).

Dubbed “Bvp47” owing to numerous references to the string “Bvp” and the numerical value “0x47” used in the encryption algorithm, the backdoor was extracted from Linux systems “during an in-depth forensic investigation of a host in a key domestic department” in 2013.

Pangu Lab codenamed the attacks involving the deployment of Bvp47 “Operation Telescreen,” with the implant featuring an “advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design.”

The Shadow Brokers leaks

Equation Group, dubbed the “crown creator of cyber espionage” by Russian security firm Kaspersky, is the name assigned to a sophisticated adversary that’s been active since at least 2001 and has used previously undisclosed zero-day exploits to “infect victims, retrieve data and hide activity in an outstandingly professional way,” some of which were later incorporated into Stuxnet.
The attacks have targeted a variety of sectors in no fewer than 42 countries, including governments, telecom, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, media, transportation, financial institutions, and companies developing encryption technologies.

The group is believed to be linked to the NSA’s Tailored Access Operations (TAO) unit, while intrusion activities pertaining to a second collective dubbed Longhorn (aka The Lamberts) have been attributed to the U.S. Central Intelligence Agency (CIA).

Equation Group’s malware toolset became public knowledge in 2016 when a group calling itself the Shadow Brokers leaked the entire tranche of exploits used by the elite hacking team, with Kaspersky uncovering code-level similarities between the stolen files and samples identified as used by the threat actor.

Bvp47 as a covert backdoor

The incident analyzed by Pangu Lab comprises two internally compromised servers, an email and an enterprise server named V1…

Source…