Proofpoint riferisce che una nuova campagna malware sfrutta Fogli Google per gestire la backdoor Voldemort, progettata per raccogliere informazioni e fornire payload aggiuntivi.

Gli aggressori si spacciano per autorità fiscali in Europa, Asia e Stati Uniti e hanno già attaccato più di 70 organizzazioni in tutto il mondo. Gli hacker compongono le e-mail di phishing in modo tale che corrispondano alla posizione di una determinata organizzazione (per questo gli aggressori si affidano a fonti aperte). Tali messaggi presumibilmente contengono informazioni fiscali aggiornate e collegamenti a documenti pertinenti.

Secondo il rapporto dei ricercatori, la campagna è iniziata il 5 agosto 2024 e gli hacker hanno già inviato più di 20.000 e-mail (fino a 6.000 al giorno). Gli aggressori prendono di mira settori quali assicurazioni, aerospaziale, trasporti, università, finanza, tecnologia, produzione, sanità, automobilistico, ospitalità, energia, governo, media, telecomunicazioni e così via.

Non è chiaro chi si nasconda dietro questa campagna, ma gli esperti di Proofpoint ritengono che l’obiettivo più probabile degli aggressori sia lo spionaggio informatico.

Facendo clic sul collegamento nell’e-mail, i destinatari vengono indirizzati a una pagina di destinazione ospitata da InfinityFree, che utilizza gli URL della cache AMP di Google per reindirizzare le vittime a una pagina con un pulsante “Fai clic per visualizzare il documento”.

Quando si fa clic sul pulsante, la pagina controlla l’User Agent del browser e, se associato a Windows, reindirizza la vittima all’URI search-ms (Windows Search Protocol), che punta all’URI tunneled di TryCloudflare. Gli utenti non Windows vengono reindirizzati a un URL di Google Drive vuoto che non contiene contenuti dannosi.

Se la vittima interagisce con il file search-ms, Esplora risorse visualizza un file LNK o ZIP mascherato da PDF. L’uso dell’URI search-ms è recentemente diventato popolare nelle campagne di phishing perché un file di questo tipo, ospitato su una condivisione WebDAV/SMB esterna, fa apparire come se fosse nella cartella Download locale, invogliando la vittima ad aprirlo.

Di conseguenza, sul computer della vittima viene eseguito uno script Python da un’altra risorsa WebDAV, che raccoglie informazioni di sistema per compilare un profilo. Allo stesso tempo, viene visualizzato un file PDF progettato per mascherare attività dannose.

Lo script carica anche l’eseguibile Cisco WebEx (CiscoCollabHost.exe) e una DLL dannosa (CiscoSparkLauncher.dll) per caricare Voldemort utilizzando il sideloading DLL.

Voldemort stesso è una backdoor scritta in linguaggio C che supporta un’ampia gamma di comandi e azioni sui file, inclusi il furto, l’inserimento di nuovi payload nel sistema e l’eliminazione dei file.

Una caratteristica distintiva di Voldemort è che il malware utilizza Google Sheet come server di controllo, ricevendo nuovi comandi tramite “Sheets” da eseguire sul dispositivo infetto e utilizzandoli anche come archivio per i dati rubati.

Pertanto, ogni macchina infetta registra i propri dati in specifiche celle di Fogli Google, che possono essere identificate da identificatori univoci come l’UUID, che garantisce l’isolamento e la gestione trasparente dei sistemi compromessi.

Per interagire con Fogli Google, Voldemort utilizza l’API di Google con un ID client integrato, un token di aggiornamento, che vengono archiviati nelle sue impostazioni crittografate.

Come notano gli esperti, questo approccio fornisce al malware un canale di controllo affidabile e altamente disponibile e riduce anche la probabilità che questa attività di rete venga notata dalle soluzioni di sicurezza. Poiché Fogli Google è ampiamente utilizzato nelle aziende, anche il blocco del servizio sembra poco pratico.

L'articolo Il Malware Voldemort sfrutta i Fogli di calcolo Google per Attacchi Globali proviene da il blog della sicurezza informatica.

The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

In Q2 2024:

• Kaspersky solutions blocked over 664 million attacks from various internet sources.
• The web antivirus reacted to 113.5 million unique URLs.
• The file antivirus blocked over 27 million malicious and unwanted objects.
• Almost 86,000 users encountered ransomware attacks.
• Nearly 12% of all ransomware victims whose data was published on DLSs (data leak sites) were affected by the Play ransomware group.
• Nearly 340,000 users faced miner attacks.

Ransomware

Quarterly trends and highlights

Law enforcement successes

In April 2024, a criminal who developed a packer that was allegedly used by the Conti and Lockbit groups to evade antivirus detection was arrested in Kyiv. According to Dutch police, the arrested individual was directly involved in at least one attack using the Conti ransomware in 2021. The criminal has already been charged.

In May, a member of the REvil group, arrested back in October 2021, was sentenced to 13 years in prison and ordered to pay $16 million. The cybercriminal was involved in over 2,500 REvil attacks, resulting in more than $700 million in total damages.

In June, the FBI announced that it had obtained over 7,000 decryption keys for files encrypted by Lockbit ransomware attacks. The Bureau encourages victims to contact the Internet Crime Complaint Center (IC3) at ic3.gov.

According to the UK’s National Crime Agency (NCA) and the US Department of Justice, the Lockbit group amassed up to $1 billion in its attacks from June 2022 to February 2024.

Attacks exploiting vulnerabilities

The CVE-2024-26169 privilege escalation vulnerability, patched by Microsoft in March 2024, was likely exploited in attacks by the Black Basta group. Some evidence suggests that at the time of the exploitation, this vulnerability was still unpatched, making it a zero-day vulnerability.

In June 2024, a massive TellYouThePass ransomware attack was launched, exploiting the CVE-2024-4577 vulnerability in PHP. This attack targeted Windows servers with certain PHP configurations, including those with the default XAMPP stack. The attackers scanned public IP address ranges and automatically infected vulnerable servers, demanding 0.1 BTC as ransom. Although this is a relatively small amount, the scale of the attacks could have yielded substantial profits. In recent years, this method has not been used as frequently due to its cost for attackers, who prefer instead targeted attacks with the hands-on involvement of operators. However, in this case, the attackers employed the time-tested approach.

Most active groups

Here are the most active ransomware groups based on the number of victims added to their DLSs (data leak sites). In Q2 2024, the Play group was the most active, publishing data on 12% of all new ransomware victims. Cactus came in second (7.74%), followed by Ransom Hub (7.50%).

The percentage of victims of a particular group (according to its DLS) among victims of all groups published on all DLSs examined during the reporting period (download)

Number of new modifications

In Q2 2024, we discovered five new ransomware families and 4,456 new ransomware variants.

Number of new ransomware modifications, Q2 2023 – Q2 2024 (download)

Number of users attacked by ransomware Trojans

In Q2 2024, Kaspersky solutions protected 85,819 unique users from ransomware Trojans.

Number of unique users attacked by ransomware Trojans, Q2 2024 (download)

Geography of attacked users

Top 10 countries and territories targeted by ransomware Trojans

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by ransomware Trojans out of all unique Kaspersky product users in that country or territory.

Top 10 most common families of ransomware Trojans

*Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
**Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.

Miners

Number of new modifications

In Q2 2024, Kaspersky products detected 36,380 new miner variants.

Number of new miner modifications, Q2 2024 (download)

Number of users attacked by miners

In Q2 2024, we detected attacks using miners on 339,850 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q2 2024 (download)

Geography of attacked users

Top 10 countries and territories targeted by miners

*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users whose computers were attacked by miners out of all unique Kaspersky product users in that country or territory.

Attacks on macOS

In Q2 2024, numerous samples of the spyware Trojan-PSW.OSX.Amos (also known as Cuckoo) were found. This spyware is notable for requesting an administrator password through osascript, displaying a phishing window. Attackers regularly update and repackage this Trojan to avoid detection.

New versions of the LightRiver/LightSpy spyware were also discovered. This Trojan downloads modules from the server with spy and backdoor functionalities. For example, they record the screen or audio, steal browser history, and execute arbitrary console commands.

Top 20 threats to macOS

The percentage of users who encountered a certain malware out of all attacked users of Kaspersky solutions for macOS (download)

The leading active threat continues to be a Trojan capable of downloading adware or other malicious applications. Other common threats include adware and fake “system optimizers” that demand money to “fix” nonexistent issues.

Geography of threats for macOS

Top 10 countries and territories by share of attacked users

*Percentage of unique users encountering macOS threats out of all unique Kaspersky product users in that country or territory.

There has been a slight increase of 0.1–0.2 p.p. in the share of attacked users in Mexico, Hong Kong, the United Kingdom, and India. Conversely, we see a slight decline in Spain, Italy, and Germany.

IoT threat statistics

In the second quarter of 2024, the distribution of attack protocols on devices targeting Kaspersky honeypots was as follows:

Distribution of attacked services by the number of unique IP addresses of the devices carrying out the attacks, Q1–Q2 2024 (download)

The share of attacks using the Telnet protocol continued to grow, reaching 98%.

Distribution of cybercriminal sessions with Kaspersky honeypots, Q1–Q2 2024 (download)

Top 10 threats delivered to IoT devices

Share of a specific threat downloaded to an infected device as a result of a successful attack, out of the total number of downloaded threats (download)

Attacks on IoT honeypots

For SSH protocol attacks, the share of attacks from China and India increased, while activity from South Korea slightly declined.

Telnet attacks from China returned to 2023 levels, while the share from India grew.

Attacks via web resources

The statistics in this section are based on the work of the web antivirus, which protects users at the moment malicious objects are downloaded from a malicious or infected webpage. Cybercriminals intentionally create malicious pages. Web resources with user-created content (such as forums), as well as compromised legitimate sites, can also be infected.

Countries and territories that serve as sources of web-based attacks: Top 10

The following statistics show the distribution of countries and territories that were the sources of internet attacks on users’ computers blocked by Kaspersky products (webpages with redirects to exploits, sites with exploits and other malware, botnet control centers, and so on). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2024, Kaspersky solutions blocked 664,046,455 attacks launched from online resources across the globe. A total of 113,535,455 unique URLs that triggered the web antivirus were recorded.

Distribution of web attack sources by country and territory (Q2 2024) (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection through the internet faced by user’s computers in different countries and territories, we calculated the share of Kaspersky product users who encountered web antivirus detections during the reporting period for each country and territory. This data indicates the aggressiveness of the environment in which computers operate.

The following statistics are based on the detection verdicts of the web antivirus module, provided by Kaspersky product users who consented to share statistical data.

It’s important to note that only attacks involving malicious objects of the Malware class are included in this ranking. Web antivirus detections for potentially dangerous and unwanted programs, such as RiskTool and adware, were not counted.

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users subjected to web attacks by malicious objects of the Malware class out of all unique Kaspersky product users in that country or territory.

On average during the quarter, 7.38% of the internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The following statistics are based on detection verdicts from the OAS (on-access scan, scanning when accessing a file) and ODS (on-demand scan, scanning launched by a user) antivirus modules, provided by Kaspersky product users who agreed to share statistical data. These statistics take into account malware found directly on users’ computers or on removable media connected to computers, such as flash drives, camera memory cards, phones, and external hard drives.

In the second quarter of 2024, our file antivirus detected 27,394,168 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers file antivirus was triggered during the reporting period. This data reflects the level of infection of personal computers across different countries and territories worldwide.

Note that only attacks involving malicious objects of the Malware class are included in this ranking. Detections of potentially dangerous or unwanted programs such as RiskTool and adware were not counted.

*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.
**Percentage of unique users on whose computers local Malware-class threats were blocked, out of all unique Kaspersky product users in that country or territory.

On average, 14.2% of users’ computers worldwide encountered at least one local Malware-class threat during the second quarter.

The figure for Russia was 15.68%.

securelist.com/it-threat-evolu…

Quarterly figures

According to Kaspersky Security Network, in Q2 2024:

• 7 million attacks using malware, adware or unwanted mobile software were blocked.
• The most common threat to mobile devices was RiskTool software – 41% of all detected threats.
• A total of 367,418 malicious installation packages were detected, of which:
  
  • 13,013 packages were for mobile banking Trojans;
  • 1,392 packages were for mobile ransomware Trojans.

  
  

Quarterly highlights

The number of malware, adware or unwanted software attacks on mobile devices climbed relative to the same period last year, but dropped against Q1 2024, with 7,697,975 attacks detected.

Number of attacks on users of Kaspersky mobile solutions, Q4 2022 – Q2 2024 (download)

The decrease is due to a sharp drop in the activity of adware apps, mostly from the covert applications of the AdWare.AndroidOS.HiddenAd family, which opens ads on the targeted device.

In April of this year, new versions of Mandrake spyware were discovered. Distributed via Google Play, these apps used sophisticated techniques to hide their malicious functionality: concealing dangerous code in an obfuscated native library; using certificate pinning to detect attempts to track app network traffic; and multiple methods to check for emulated runtime environments, such as sandboxes.

A Mandrake app on Google Play

Also in Q2, the IOBot banking Trojan was found targeting users in Korea. To install an additional malware component with VNC backdoor functionality, the Trojan’s authors use a technique to bypass Android protection against granting extended permissions to apps downloaded from unofficial sources.

Mobile threat statistics

The number of Android malware samples fell against the previous quarter to the Q2 2023 level, totaling 367,418 installation packages.

Number of detected malicious installation packages, Q2 2023 – Q2 2024 (download)

New trends emerged in the distribution of detected Adware and RiskTool packages: the former significantly decreased in number, while the latter increased. Otherwise, the number of detections remains largely the same.

Distribution of detected mobile apps by type, Q1*–Q2 2024 (download)

*Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

Among adware, the number of HiddenAd, BrowserAd and Adlo apps dropped sharply, while the number of RiskTool.AndroidOS.Fakapp apps distributed under the guise of pornographic material rose. These apps collect and forward device information to a server, then open arbitrary URLs sent back in response.

Users attacked by the malware or unwanted software as a percentage* of all targeted users of Kaspersky mobile products, Q1*–Q2 2024 (download)

*The sum may be greater than 100% if the same users encountered more than one type of attack.

Despite the prevalence of RiskTool.AndroidOS.Fakapp installation packages, the number of real users who encountered this family showed no noticeable growth. In other words, attackers released many unique samples, but their distribution was limited.

The main changes in the distribution of the share of attacked users were driven by a fall in the activity of HiddenAd adware and a rise in the activity of two RiskTool apps: Revpn and SpyLoan.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

The generalized cloud verdict DangerousObject.Multi.Generic returned to the top spot, and the cloud AI-delivered verdict DangerousObject.AndroidOS.GenericML also moved up. Also placing highly again were the Fakemoney Trojan, which scams users out of personal data with a promise of easy cash, the pre-installed Dwphon Trojan and modified versions of WhatsApp with built-in Triada modules. The latter include Trojan-Downloader.AndroidOS.Agent.ms.

The Mamont banking Trojan, which steals money by scanning text messages, saw quite a jump in its popularity.

Region-specific malware

This section describes malware whose activity is concentrated in specific countries.

*Country where the malware was most active.
**Unique users who encountered this Trojan modification in the given country as a percentage of all users of Kaspersky mobile solutions targeted by this modification.

Users in Turkey continue to face banking Trojan attacks. At the same time, the list of malware active in the country remains unchanged: the VNC backdoor Tambir, the text message-stealing Trojan BrowBot and Hqwar banking Trojan packers were already mentioned in a past report.

Indonesia still has the largest concentration of UdangaSteal Trojans for stealing text messages. These are often sent to victims under the guise of wedding invitations. Similar to the last quarter, the payment-simulating app FakePay was widespread in Brazil, while users in Thailand ran into the EvilInst Trojan, which sends paid text messages.

A large number of families centered in India made it to the top. Rewardsteal snatches banking data under the pretense of a money giveaway; SmsThief.wk and Agent.ox steal text messages.

Mobile banking Trojans

The number of new unique installation packages for banking Trojans remains at the same level for the third quarter straight.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2023 – Q2 2024 (download)

The total number of Trojan-Banker attacks is still on the rise, meaning that each new banking Trojan released by threat actors is increasingly used in attacks.

TOP 10 mobile bankers

Mobile ransomware Trojans

The number of ransomware installation packages decreased compared to Q1 2024 to roughly the same level as a year ago.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2023 – Q2 2024 (download)

In the distribution of attacks, Rasket and Rkor ransomware dropped out of the top, and Pigetrl also fell. Other top-ranking families became markedly more active, not only percentage-wise, but in terms of absolute numbers.

securelist.com/it-threat-evolu…

Targeted attacks

XZ backdoor: a supply chain attack in the making

On March 29, a message on the Openwall oss-security mailing list announced the discovery of a backdoor in XZ, a compression utility included in many popular Linux distributions. The backdoored library is used by the OpenSSH server process sshd. On a number of systemd-based distributions, including Ubuntu, Debian and RedHat/Fedora Linux, OpenSSH is patched to use systemd features and is therefore dependent on the library (Arch Linux and Gentoo are not affected). The code was inserted in February and March 2024, mostly by Jia Cheong Tan – probably a fictitious identity. We suspect that the goal of the attack was to introduce exclusive remote code execution capabilities into the sshd process by targeting the XZ build process; and then to push the backdoored code out to major Linux distributions as a part of a large-scale supply chain attack.

Timeline of events

2024.01.19 XZ website moved to GitHub pages by new maintainer (jiaT75)
2024.02.15 “build-to-host.m4” is added to .gitignore
2024.02.23 two “test files” containing the stages of the malicious script are introduced
2024.02.24 XZ 5.6.0 is released
2024.02.26 commit in CMakeLists.txt that sabotages the Landlock security feature
2024.03.04 the backdoor leads to issues with Valgrind
2024.03.09 two “test files” are updated, CRC functions are modified, Valgrind issue is “fixed”
2024.03.09 XZ 5.6.1 is released
2024.03.28 bug is discovered, Debian and RedHat notified
2024.03.28 Debian rolls back XZ 5.6.1 to version 5.4.5-0.2
2024.03.29 an email is published on the oss-security mailing list
2024.03.29 RedHat confirms backdoored XZ was shipped in Fedora Rawhide and Fedora Linux 40 beta
2024.03.30 Debian shuts down builds and starts process to rebuild them
2024.04.02 XZ main developer acknowledges backdoor incident

While earlier supply chain attacks we have seen in Node.js, PyPI, FDroid, and the Linux kernel consisted mostly of atomic malicious patches, fake packages and typo-squatted package names, this incident was a multi-stage operation that came close to compromising SSH servers on a global scale.

The backdoor in the liblzma library was introduced at two levels. The source code of the build infrastructure that generated the final packages was modified slightly (by introducing an additional file build-to-host.m4) to extract the next stage script hidden in a test-case file (bad-3-corrupt_lzma2.xz). This script, in turn, extracted a malicious binary component from another test-case file (good-large_compressed.lzma) that was linked to the legitimate library during the compilation process to be shipped to Linux repositories. Major vendors in turn shipped the malicious component in beta and experimental builds. The XZ compromise was assigned the identifier CVE-2024-3094 and the maximum severity level of 10.

The attackers’ initial goal was to hook one of the functions related to RSA key manipulation. In our analysis of the hook process, we focused on the behavior of the backdoor inside OpenSSH, specifically OpenSSH portable version 9.7p1 (the latest version). Our analysis revealed a number of interesting details about the backdoor’s functionality.

• The attacker set an anti-replay feature to prevent possible capture or hijacking of the backdoor communications.
• The author used a custom steganography technique in the x86 code to hide the public key.
• The backdoor hooks the logging function to hide its logs of unauthorized connections to the SSH server.
• The backdoor hooks the password authentication function to allow the attacker to use any username/password to log in to the infected server without any further verification. It does the same with public key authentication.
• The backdoor has remote code execution capabilities that allow the attacker to execute any system command on the infected server.

It’s clear that this is a highly sophisticated threat. The attackers used social engineering to gain long-term access to the development environment and extended it with fake human interactions in plain sight. They have extensive knowledge of the internals of open-source projects such as SSH and libc, as well as expertise in code/script obfuscation used to initiate the infection process. A number of things make this threat unique, including the way the public key information is embedded in the binary code itself, complicating the recovery process, and the meticulous preparation of the operation.

Kaspersky products detect malicious objects associated with the attack as HEUR:Trojan.Script.XZ and Trojan.Shell.XZ. In addition, Kaspersky Endpoint Security for Linux detects malicious code in sshd process memory as MEM:Trojan.Linux.XZ (as part of the Critical Areas Scan task).

For more information, read our initial analysis, incident assessment and in-depth hook analysis.

DuneQuixote campaign targeting the Middle East

In February, we discovered a new malware campaign targeting government entities in the Middle East that we dubbed DuneQuixote. Our investigation uncovered more than 30 DuneQuixote dropper samples being actively used in this campaign. Some were regular droppers, while others were manipulated installer files for a legitimate tool called Total Commander. The droppers carried malicious code to download a backdoor that we dubbed CR4T. While we have only identified two of these implants, we strongly believe that there may be more in the form of completely different malware. The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion techniques in both network communications and the malware code.

The initial dropper is a Windows x64 executable file, written in C/C++, although there are DLL versions of the malware that provide the same functionality. Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls are primarily string comparison functions that are executed without any conditional jumps based on the comparison results. The strings specified in these functions are snippets of Spanish poetry. These vary from one sample to the next, changing the signature of each sample to evade traditional detection methods.

The primary goal of the CR4T implant is to give attackers access to a console for command line execution on the infected computer. It also facilitates the download, upload and modification of files.

We also discovered a Golang version of the CR4T implant that has similar capabilities to the C version. A notable difference of this version is the ability to create scheduled tasks using the Golang Go-ole library, which uses Windows Component Object Model (COM) object interfaces to interact with the Task Scheduler service.

Through the use of memory-only implants and droppers masquerading as legitimate software that mimics the Total Commander installer, the attackers demonstrate above-average evasion capabilities and techniques. The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and ingenuity of the threat actor behind this campaign.

ToddyCat: punching holes in your infrastructure

The threat actor ToddyCat predominantly targets government organizations in the Asia-Pacific region, primarily to steal sensitive data. In our previous article, we described the tools the attackers use to collect and exfiltrate files (LoFiSe and PcExter). More recently, we examined how this threat actor maintains constant access to compromised infrastructure, the information they are interested in and the tools they use to extract it.

Our investigation revealed that ToddyCat was stealing data on an industrial scale. To steal large volumes of data, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor the systems they attack.

ToddyCat used several methods to accomplish this. One was to create a reverse SSH tunnel. They launched this using the SSH client from the OpenSSH for Windows toolkit, along with the library required to run it, an OPENSSH private key file, and a script, a.bat, to hide the private key file. The attackers transferred files to the target host via SMB using shared folders.

The threat actor also made use of the server utility (VPN Server) from the SoftEther VPN package for tunneling. This package is an open-source solution developed as part of academic research at the University of Tsukuba, which allows the creation of VPN connections using a variety of popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.

Another way ToddyCat accessed remote infrastructure was by tunneling to a legitimate cloud provider: an application running on the user’s host with access to the local infrastructure can connect to the cloud through a legitimate agent and redirect traffic or execute specific commands.

Ngrok is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed Ngrok on target hosts and used it to redirect command and control (C2) traffic from the cloud infrastructure to a specific port on those hosts.

They also used Krong, a proxy that uses XOR to encrypt the data passing through it, thereby concealing the content of the traffic to avoid detection.

After creating tunnels on the target hosts using OpenSSH or SoftEther VPN, the threat actor also installed the FRP client, a fast reverse proxy written in Go that allows access from the internet to a local server behind a NAT or firewall.

ToddyCat used various tools to collect data. They used one of the tools, which we named “cuthead” (the name came from the file description field of the sample we found), to search for documents. They used “WAExp”, a WhatsApp data stealer, to search for and collect browser local storage files containing data from the web version of WhatsApp. The attackers also used a tool called “TomBerBil” to steal passwords from browsers.

To protect against such attacks, we recommend that organizations add the resources and IP addresses of cloud services that provide traffic tunneling to the corporate firewall denylist. We also recommend limiting the range of tools administrators can use to remotely access hosts: other tools should either be prohibited or closely monitored as possible indicators of suspicious activity. In addition, employees should avoid storing passwords in browsers, as this helps attackers gain access to sensitive information. Moreover, reusing passwords across services increases the amount of data available to attackers.

Other malware

QakBot attacks with Windows zero-day

In early April we investigated the Windows DWM (Desktop Window Manager) Core Library Elevation of Privilege Vulnerability (CVE-2023-36033), which was previously discovered as a zero-day being exploited in the wild. While searching for samples related to this exploit and attacks using it, we found a curious document uploaded to VirusTotal on April 1. This document caught our attention because it had a descriptive file name indicating that it contained information about a Windows vulnerability.

Inside we found a brief description of a Windows DWM vulnerability and how it could be exploited to gain system privileges – all written in very poor English. The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033 – but the vulnerability was different.

The poor quality of the writing, and the fact the document was missing some important details about how to actually trigger the vulnerability, suggested that the vulnerability described was completely made up or was present in code that could not be accessed or controlled by attackers.

However, a quick check revealed that this was a real zero-day vulnerability that could be used to escalate privileges, so we immediately reported our findings to Microsoft. The vulnerability was assigned CVE-2024-30051 and a patch was released as part of Patch Tuesday on May 14.

We also began closely monitoring our statistics for exploits and attacks using this zero-day, and in mid-April we discovered an exploit. We have seen this zero-day used in conjunction with QakBot and other malware, and believe that multiple threat actors have access to it.

Kaspersky products detect the exploitation of CVE-2024-30051 and related malware with the following verdicts:

• PDM:Exploit.Win32.Generic;
• PDM:Trojan.Win32.Generic;
• UDS:DangerousObject.Multi.Generic;
• Win32.Agent.gen;
• Win32.CobaltStrike.gen.

Using the LockBit builder to generate targeted ransomware

Last year, we published our research on the LockBit 3.0 builder. Leaked in 2022, this builder greatly simplified the creation of custom ransomware.

The keygen.exe file generates public and private keys used for encryption and decryption. The builder.exe file generates the variant according to the options set in the config.json file. The whole process is automated by the build.bat script.

The builder also allows attackers to choose exactly what they want to encrypt. If they know enough about the target’s infrastructure, they can create malware tailored to the specific configuration of the target’s network architecture, such as important files, administrative accounts and critical systems.

This has allowed attackers to generate customized versions of this threat to suit their needs, making their attacks more effective.

In February, the international law enforcement task force Operation Cronos gained insight into LockBit’s operations after taking down the group. The operation involved law enforcement agencies from 10 countries. They were able to seize the group’s infrastructure, obtain private decryption keys and create a decryption toolset based on a list of known victim IDs obtained by the authorities. However, just a few days later, the ransomware group announced that it was back in action.

In a recent incident response engagement, we were faced with a ransomware attack that involved a ransomware sample created with the same leaked builder. The attackers were able to find the admin credentials in plain text. They created a custom version of the ransomware that used the account credentials to spread across the network and perform malicious activities, such as killing Windows Defender and deleting Windows Event Logs to encrypt data and cover its tracks. In one of our latest articles, we revisited the LockBit 3.0 builder files and analyzed the steps the attackers took to compromise the network.

Stealers, stealers and more stealers

Stealers are a prominent feature of the threat landscape. They are designed to harvest passwords and other sensitive data from infected computers that can then be used in other attacks, resulting in financial loss to the target. Over the past year we have published a number of public and private reports on newly discovered stealers. We recently wrote reports on Acrid, ScarletStealer and Sys01: the first two are new, the latter has been updated.

Acrid, a new stealer discovered in December 2023, is written in C++ for the 32-bit system, despite the fact that most systems are now 64-bit. Upon closer inspection, it became apparent that the authors had compiled it for a 32-bit environment in order to use the “Heaven’s Gate” technique, which allows 32-bit applications to access the 64-bit space to bypass certain security controls. This malware is designed to steal browser data, local cryptocurrency wallets, files with specific names (wallet.dat, password.docx, etc.) and credentials from installed applications (FTP managers, messengers, etc.). The collected data are zipped and sent to the C2.

Last January, we analyzed a downloader we dubbed “Penguish”. One of the payloads it downloaded was a previously unknown stealer called “ScarletStealer” – an odd stealer, since most of its functionality is contained in other binaries (applications and Chrome extensions) that it downloads. When ScarletStealer is executed, it checks for the presence of cryptocurrencies and crypto wallets by looking for certain folder paths (e.g., %APPDATA%\Roaming\Exodus). If anything is detected, it starts downloading the additional executables using PowerShell. Most ScarletStealer executables are digitally signed. This stealer is very underdeveloped in terms of functionality and contains many bugs, errors, and redundant code. Considering the effort it takes to install the malware through a long chain of downloaders, the last of which is Penguish, it’s strange that it’s not more advanced.

SYS01 (aka Album Stealer and S1deload Stealer), a relatively unknown malware that has been around since at least 2022, has evolved from a C# stealer to a PHP stealer. What hasn’t changed is the infection vector. Users are tricked into downloading a malicious ZIP archive disguised as an adult video via a Facebook page.

The archive contains a legitimate binary that sideloads a malicious DLL. This DLL opens an adult video and executes the next payload, which is a malicious PHP file encoded with ionCube. The executed PHP file calls a script, install.bat, which ultimately executes the next stage by running a PowerShell command. This layer is conveniently named “runalayer” and runs what appears to be the final payload called “Newb”. However, we found a difference between the latest version and the previous publicly disclosed versions of the stealer. The current stealer (Newb) includes functionality to steal Facebook-related data and send stolen browser data to the C2. It also contains backdoor functionality. However, we found that the code that actually collects the browser data sent by Newb is in a different sample named “imageclass”. It is not 100% clear how imageclass was pushed to the system; but looking at the backdoor code of Newb, we concluded with a high degree of certainty that imageclass was later pushed through Newb to the infected machine. The initial ZIP archive also contains another malicious PHP file, include.php: this has similar backdoor functionality to Newb and accepts many of the same commands in the same format.

ShrinkLocker: turning BitLocker into a ransomware utility

During a recent incident response engagement, we discovered ransomware called “ShrinkLocker” that uses BitLocker to encrypt compromised computers. BitLocker is the full-disk encryption utility built into Windows that is designed to prevent data exposure on lost or stolen computers.

ShrinkLocker is implemented as a sophisticated VBScript. If the script detects that it’s running on Windows 2000, XP, 2003 or Vista, it shuts down. However, for later versions of Windows, it runs the appropriate portion of its code for the specific operating system. ShrinkLocker shrinks the computer’s drive partitions by 100MB and uses this slack space to create a boot partition for itself. The malware modifies the registry to configure BitLocker to run with the attacker’s settings. It then disables and removes all default BitLocker protections to prevent key recovery and enables the numeric password protection option. The script then generates this password and initiates encryption of all local drives before sending the password and system information to the attacker’s C2 server. Finally, the malware deletes itself and reboots the system.

If the user tries to use the recovery option while the computer is booting, they will see a message stating that no BitLocker recovery options are available.

ShrinkLocker changes the labels of all system drives to the attacker’s email address instead of leaving a ransom note.

You can read our full analysis of ShrinkLocker here.

securelist.com/it-threat-evolu…

Hans-Christoph Steiner

2024-04-01 07:40:23

Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now

gitlab.com/fdroid/fdroidclient…

Search improvements: Sort based on keyword matching and removed alphabetic sort (!889) · Merge requests · F-Droid / Client · GitLab

The search results are pretty unusable currently. So I've changed it to show apps in this order: App name matches keyword, summary matches keyword, description matches keyword. Also,...

^GitLab

Have you ever looked out the window at traffic and seen a giant crane driving alone the road? Have you ever wanted a little 3D printed version you could drive for yourself without the risk of demolishing your neighbors house? Well, [ProfessorBoots] has just the build for you.

The build, inspired by the Liebherr LTM 1300, isn’t just a little RC car that looks like a crane. It’s a real working crane, too! So you can drive this thing around, and you can park it up. Then you can deploy the fully working stabilizer booms like you’re some big construction site hot shot. From there, you can relish in the subtle joy of extending the massive three-foot boom while the necessary counterweight automatically locks itself in place. You can then use the crane to lift and move small objects to your heart’s content.

The video describes how the build works in intimate detail, from the gears and linkages all the way up to the grander assembly. It’s no simple beast either, with ten gearmotors, four servos, and two ESP32s used for control. If you really need to build one for yourself, [ProfessorBoots] sells his plans on his website.

We’ve seen great stuff from [ProfessorBoots] before—he’s come a long way from his skid steer design last year. Video after the break.

youtube.com/embed/faC3Yzz9IqI?…

Thanks to [Hudson Bazemore] for the tip!

hackaday.com/2024/09/03/3d-pri…

Il gruppo hacker di Red Hot Cyber, HackerHood ha scoperto un nuovo 0day sui dispositivi di sicurezza della Zyxel. Questa vulnerabilità di sicurezza è stata scoperta dai ricercatori di sicurezza Alessandro Sgreccia e Manuel Roccon, membri del team di HackerHood, durante le attività di ricerca che svolgono costantemente sugli apparati di Zyxel.

All’interno delle attività di ricerca svolte dal team sugli apparati di Zyxel, è stato individuato ub bug di sicurezza (alcuni sono ancora in gestione dal fornitore) che è stato immediatamente comunicato a Zyxel seguendo le best-practices internazionali della Coordinate Vulnerability Disclosure (CVD).

Le nuove vulnerabilità rilevate su Zyxel

CVE-2024-7203 è una vulnerabilità di iniezione di comandi che colpisce le versioni del firmware (V4.60 – V5.38) dei dispositivi delle serie Zyxel ATP e USG FLEX. Questa falla permette a un attaccante autenticato con privilegi amministrativi di eseguire comandi arbitrari del sistema operativo, sfruttando comandi CLI appositamente costruiti. La vulnerabilità è classificata come ad alta gravità, con un punteggio CVSS di 7.2, indicando un rischio significativo per l’integrità e la riservatezza del sistema.

Puoi trovare maggiori dettagli nell’avviso ufficiale di Zyxel.

Il gruppo hacker di HackerHood

Il gruppo HackerHood, è un gruppo della community di Red Hot Cyber che si è specializzato nelle attività tecnico specialistiche finalizzate all’incentivazione verso la collaborazione attraverso le attività di ethical hacking (penetration test e ricerca 0day), programmazione e malware Analysis.

Uno tra i programmi del gruppo di HackerHood è appunto l’identificazione di bug non documentati (c.d. 0day), dove i membri del team una volta rilevate le vulnerabilità 0day su prodotti di largo consumo, collaborano con i vendor di prodotto per migliorare la sicurezza informatica.

Le attività si svolgono attraverso il processo di Coordinate Vulnerability Disclosure e solo a valle della pubblicazione della fix da parte dei vendor si procede alla disclosure pubblica e alla diffusione di eventuali Proof of Concept (PoC).

Un altro programma di HackerHood è lo svolgimento di attività di penetration test su infrastrutture ICT di aziende italiane che abbracciano politiche di “Responsible disclosure”. Tutto questo consente di dare un contributo al comparto Italia e quindi aiutare le aziende a migliorare la propria sicurezza informatica oltre che incentivare altre persone a fare lo stesso.

Quindi, se sei un analista di sicurezza con skill di ethical hacking o un ricercatore di bug che sposi il Manifesto di HackerHood, potresti essere anche tu un membro di HackerHood. Scrivici quindi alla casella di posta del team: info@hackerhood.it

“Tieni Il Mento Alto. Un Giorno Ci Sarà Di Nuovo La Felicità A Nottingham, Vedrai.” (Robin Hood)

L'articolo HackerHood di RHC scopre un nuovo 0day sui prodotti Zyxel proviene da il blog della sicurezza informatica.

Civil society organisations demand for comprehensive legislation banning spyware throughout the EU, citing widespread misuse and insufficient regulation, in a joint statement.

euractiv.com/section/data-priv…

Gli hacker nordcoreani stanno sfruttando una vulnerabilità zero-day in Google Chrome per ottenere il controllo dei sistemi e prendere il controllo delle risorse crittografiche delle vittime.

Microsoft ha confermato che il gruppo Citrine Sleet (precedentemente DEV-0139) ha utilizzato il CVE-2024-7971 zero-day per iniettare il rootkit FudModule dopo aver ottenuto i privilegi di SYSTEM utilizzando un exploit nel kernel di Windows.

L’obiettivo principale degli attacchi è il settore delle criptovalute, dove gli hacker cercano guadagni finanziari. Il gruppo Citrine Sleet è noto da tempo per i suoi attacchi contro le istituzioni finanziarie, ma soprattutto contro le organizzazioni che operano nel settore delle criptovalute e i loro dipendenti. In precedenza, gli hacker erano associati all’intelligence nordcoreana.

Citrine Sleet (AppleJeus, Labyrinth Chollima, UNC4736) ha ripetutamente utilizzato siti Web falsi mascherati da piattaforme di scambio di criptovalute legittime. Gli hacker hanno infettato i sistemi delle vittime attraverso false domande di lavoro o tramite falsi portafogli e applicazioni commerciali. Ad esempio, nel marzo 2023, UNC4736 ha compromesso la catena di fornitura del software di videoconferenza 3CX, provocando l’hacking del software X_TRADER, progettato per automatizzare il commercio di azioni.

Anche il Google Threat Analysis Group (TAG) ha confermato il collegamento del gruppo AppleJeus con la compromissione del sito web di Trading Technologies. Il governo degli Stati Uniti mette in guardia da anni sui rischi posti dagli hacker nordcoreani che prendono di mira le società di criptovaluta e i loro dipendenti utilizzando il malware AppleJeus.

Una settimana fa, Google ha corretto la vulnerabilità zero-day CVE-2024-7971, nel motore JavaScript V8 utilizzato in Chrome. Il bug consentiva agli aggressori di eseguire codice remoto nella sandbox del browser Chromium, dopodiché gli aggressori potevano utilizzare il browser per scaricare l’exploit CVE-2024-38106 nel kernel di Windows. L’attacco consente agli hacker di ottenere i diritti di SYSTEM e di iniettare in memoria ilrootkit FudModule, che viene utilizzato per manipolare gli oggetti del kernel e aggirare i meccanismi di sicurezza.

Dalla sua scoperta nell’ottobre 2022, il rootkit FudModule è stato utilizzato anche da un altro gruppo di hacker nordcoreano, Diamond Sleet, che utilizza strumenti di attacco e infrastrutture simili. Nell’agosto 2024, Microsoft ha rilasciato un aggiornamento di sicurezza che risolve la vulnerabilità CVE-2024-38193 nel driver AFD.sys, utilizzato anche negli attacchi Diamond Sleet .

L'articolo Lo 0-day di Google Chrome viene sfruttato dagli Hacker Nord-Coreani per Svuotare i Wallett di Criptovaluta proviene da il blog della sicurezza informatica.

È emersa una notizia allarmante nel mondo della sicurezza informatica: un attore malevolo, che si fa chiamare “Satanic”, ha pubblicato su BreachForums un presunto database sottratto all’azienda Galdieri Rent, specializzata nel noleggio di automobili.

La fuga di dati, avvenuta il 2 settembre 2024, ha suscitato preoccupazione sia per la portata delle informazioni esposte che per le potenziali conseguenze per i clienti dell’azienda.

Al momento, non possiamo confermare la veridicità della notizia, poiché l’organizzazione non ha ancora rilasciato alcun comunicato stampa ufficiale sul proprio sito web riguardo l’incidente. Pertanto, questo articolo deve essere considerato come ‘fonte di intelligence’.

Il gruppo Satanic Cloud

The Satanic Cloud è un gruppo di hacker relativamente nuovo ma già noto nel mondo della sicurezza informatica per la sua attività di diffusione di dati sensibili rubati. Questo gruppo ha guadagnato notorietà per aver pubblicato su BreachForums database sottratti da diverse organizzazioni, inclusi enti scolastici di grandi dimensioni come il Los Angeles Unified School District (LAUSD).

Una delle loro azioni più eclatanti è stata la divulgazione di un vasto set di dati che includeva informazioni personali di oltre 24 milioni di studenti e migliaia di insegnanti e personale scolastico. Questo attacco è stato facilitato da una vulnerabilità nel servizio Amazon Relational Database Service (RDS), dimostrando come il gruppo sia in grado di sfruttare falle in piattaforme cloud per ottenere accesso a dati sensibili. Il leader del gruppo, noto come “Satanic”, ha usato piattaforme come Telegram e BreachForums per diffondere e vendere queste informazioni.

Oltre ai dati scolastici, The Satanic Cloud è stato coinvolto anche in altre operazioni di diffusione di dati rubati, mostrando un interesse crescente per la monetizzazione dei dati attraverso il dark web e altre piattaforme di scambio di dati illeciti​(HackRead, Auth Lab, The 74 Million).

Dettagli della possibile violazione

Secondo il post pubblicato dall’hacker, il database compromesso conterrebbe una quantità significativa di dati sensibili.

In particolare, il database includerebbe informazioni su:

• 100.000 utenti registrati: Con dati personali come ID, nome, cognome, email, numero di telefono, password e indirizzo di residenza.
• 130.000 leads: Potenziali clienti con dati di contatto che potrebbero essere utilizzati per attività di marketing o, peggio, per scopi malevoli.
• 8.000 automobili: Dati dettagliati sui veicoli, che potrebbero comprendere modelli, numeri di targa e altre informazioni specifiche.

Il post dell’hacker, che includeva anche un invito a scaricare il database tramite un link fornito, evidenzia la gravità della situazione. Questi dati, se finissero nelle mani sbagliate, potrebbero essere utilizzati per una vasta gamma di attività illecite, dal furto di identità a truffe mirate.

Conclusione

La presunta violazione del database di Galdieri Rent è un chiaro segnale dell’importanza di adottare misure di sicurezza avanzate per proteggere i dati personali. In un contesto in cui le minacce informatiche sono in costante aumento, le aziende devono essere pronte a difendersi da attacchi sempre più sofisticati. I clienti, d’altra parte, devono essere consapevoli dei rischi e pronti a prendere le precauzioni necessarie per proteggere i propri dati.

Come nostra consuetudine, lasciamo sempre spazio ad una dichiarazione da parte dell’azienda qualora voglia darci degli aggiornamenti sulla vicenda. Saremo lieti di pubblicare tali informazioni con uno specifico articolo dando risalto alla questione.

RHC monitorerà l’evoluzione della vicenda in modo da pubblicare ulteriori news sul blog, qualora ci fossero novità sostanziali. Qualora ci siano persone informate sui fatti che volessero fornire informazioni in modo anonimo possono utilizzare la mail crittografata del whistleblower.

L'articolo Presunta Violazione del Database di Galdieri Rent pubblicato su BreachForums proviene da il blog della sicurezza informatica.

[Scott Yu-Jan] is a big fan of the iPhone’s standby mode. Put the phone on charge horizontally, and it looks all stylish, with sleek widgets and clocks and stuff showing you information you presumably care about. [Scott] enjoyed this so much, in fact, he whipped up a custom charging dock to make the most of it.

The design was a collaboration with artist [Overwork], who mentioned the DN 40 alarm clock created by legendary designer [Dieter Rams]. [Overwork] sent [Scott] a draft inspired by that product, and he printed one up. It featured an integrated MagSafe charger to juice up the iPhone, and pressing into one side of the phone would pop it free. It was cool, but a little clumsy to use.

[Scott] liked the basic concept, but shows us how he iterated upon it to make it even nicer. He added in a wireless charger for AirPods in the back, gave the device adhesive feet, and a big chunky eject button to release the phone when desired.

You can also grab the files to print your own if you so desire! We’ve seen [Scott’s] work before, too, like his neat 3D scanner build. Video after the break.

youtube.com/embed/L3nWw8qSYgk?…

hackaday.com/2024/09/02/buildi…

Benchy is that cute little boat that everyone uses to calibrate their 3D printer. [Emily The Engineer] asked the obvious question—why isn’t it a real working boat? Then she followed through on the execution. Bravo, [Emily]. Bravo.

The full concept is straightforward, but that doesn’t make it any less fun. [Emily] starts by trying to get small Benchys to float, and then steadily steps up the size, solving problems along the way. By the end of it, the big Benchy is printed out of lots of smaller sections that were then assembled into a larger whole. This was achieved with glue and simply using a soldering iron to melt parts together. It’s a common technique used to build giant parts on smaller 3D printers, and it works pretty well.

The basic hull did okay at first, save for some stability problems. Amazingly, though, it was remarkably well sealed against water ingress. It then got a trolling motor, survived a capsizing, and eventually took to the open water with the aid of some additional floatation.

We’ve seen big Benchys before, and we’ve seen fully functional 3D-printed boats before, too. It was about time the two concepts met in reality. Video after the break.

youtube.com/embed/ilIubT7ands?…

hackaday.com/2024/09/02/big-be…

As the name of the channel implies, [BuyItFixIt] likes to pick up cheap gadgets that are listed as broken and try to repair them. It’s a pastime we imagine many Hackaday readers can appreciate, because even if you can’t get a particular device working, you’re sure to at least learn something useful along the way.

But after recently tackling a VTech video baby monitor from eBay, [BuyItFixIt] manages to do both. He starts by opening up the device and going through some general electronics troubleshooting steps. The basics are very much worth following along with if you’ve ever wondered how to approach a repair when you don’t know what the problem is. He checks voltages, makes sure various components are in spec, determines if the chips are talking to each other with the oscilloscope, and even pulls out the thermal camera to see if anything is heating up. But nothing seems out of the ordinary.
The scope uncovers some serial data.
While poking around with the oscilloscope, however, he did notice what looked like the output of a serial debug port. Sure enough, when connected to a USB serial adapter, the camera’s embedded Linux operating system started dumping status messages into the terminal. But before it got too far along in the boot process, it crashed with a file I/O error — which explains why the hardware all seemed to check out fine.

Now that [BuyItFixIt] knew it was a software issue, he started using the tools built into the camera’s bootloader to explore the contents of the device’s flash chip. He uncovered the usual embedded Linux directories, but when he peeked into one of the partitions labeled Vtech_data2, he got a bit of a shock: the device seemed to be holding dozens of videos. This is particularly surprising considering the camera is designed to stream video to the parent unit, and the fact that it could record video internally was never mentioned in the documentation.

While copying the chip’s contents over serial would have been possible, [BuyItFixIt] instead pulled it out and physically dumped the whole thing with a reader. With a bit of Linux-fu, he’s able to mount the chip dump and confirm that the videos in question are of the previous owner’s infant. Yikes. Of course, he promptly deleted the files once he realized what the camera had stored, but it makes us wonder how many cameras like these are holding private video files waiting for a bad actor to uncover them. This is an important reminder of the inherent dangers of tossing away “broken” smart devices.
Dozens of videos featuring the parent and child were still stored on the device.
As for the repair itself, [BuyItFixIt] reasoned that some file — maybe the database of videos — must have been corrupted on the chip, so he took the nuclear option and wiped it all out. He had to use the bootloader commands to recreate the partition table, but once that was done, the firmware seemed to understand that it had been returned to a factory state and was finally able to boot up normally. He’s documented the commands he used to get it back up and running in the hopes he can help out somebody else with a similarly ailing camera.

We can never get enough of this sort of firmware hacking, and the fact that this particular bout opened up with a great real-world example of hardware diagnosis makes it all the better. This is a long video, but one that’s well worth your time to check out. If you’d like to see more repairs from [BuyItFixIt], we’ve got you covered.

youtube.com/embed/eQ9uW95OJ3s?…

hackaday.com/2024/09/02/video-…

Il 25 agosto 2024, il fondatore di Telegram Pavel Durov è stato arrestato in Francia. Le autorità francesi sospettano che Telegram sia stato utilizzato per sostenere varie attività criminali come il traffico di droga, il terrorismo e la criminalità informatica. In particolare, le funzionalità del messenger come “Persone nelle vicinanze” hanno attirato l’attenzione delle forze dell’ordine.

La funzione Persone nelle vicinanze di Telegram consente agli utenti di trovare altre persone e gruppi locali nelle vicinanze utilizzando i dati di geolocalizzazione. Nel corso della sua esistenza, acquisì una reputazione controversa, poiché veniva spesso utilizzato dai criminali per perseguitare e rintracciare le persone.

Inoltre, è stato utilizzato attivamente in strumenti come CCTV (Close-Circuit Telegram Vision), sviluppato da Ivan Glinkin. Questo strumento permetteva di inserire le coordinate e ottenere un elenco di utenti in un raggio massimo di 500 metri, il che lo rendeva conveniente per l’uso per scopi criminali.

Gli utenti di Telegram hanno recentemente notato che la funzione Persone nelle vicinanze ha smesso di funzionare. Non è noto se ciò sia dovuto a un problema tecnico o a un’interruzione intenzionale. Vale anche la pena notare che il giorno prima la funzione di visualizzazione del contatore degli utenti attivi per i bot ha smesso di funzionare, il che potrebbe indicare possibili modifiche tecniche o aggiornamenti nel messenger.

Questi sviluppi avvengono in un contesto di crescente pressione su Telegram da parte delle autorità di regolamentazione europee, soprattutto dopo l’approvazione del Digital Services Act (DSA) nel 2023, che ha aumentato il controllo sulle piattaforme digitali e le ha obbligate ad adottare misure più attive per moderare i contenuti.

La disabilitazione della funzione Persone nelle vicinanze potrebbe essere dovuta sia a questa pressione che al recente abuso di questa funzione.

L'articolo La funzione “Persone Vicine” di Telegram è scomparsa in alcune regioni dopo l’arresto di Durov proviene da il blog della sicurezza informatica.

Magic Eye tubes were popular as tuning guides on old-school radio gear. However, the tubes, the 6U5 model in particular, have become rare and remarkably hard to come by of late. When the supply dried up, [Bjørner Sandom] decided to build a digital alternative instead.

The build relies on a small round IPS display, measuring an inch in diameter and with a resolution of 128×115 pixels. One can only presume it’s round but not perfectly so. It was then fitted with a 25mm glass lens in order to give it a richer, deeper look more akin to a real Magic Eye tube. In any case, a STM32F103CBT was selected to drive the display, with the 32-bit ARM processor running at a lovely 72 MHz for fast and smooth updates of the screen.

The screen, controller, and supporting circuitry are all built onto a pair of PCBs and installed in a 3D-printed housing that lives atop a tube base. The idea is that the build is a direct replacement for a real 6U5 tube. The STM32 controller receives the automatic gain control voltage from the radio set it’s installed in, and then drives the screen to behave as a real 6U5 tube would under those conditions.

By virtue of the smart design, smooth updates, and that nifty glass lens, the final product is quite a thing to behold. It really does look quite similar to the genuine article. If you’ve got a beloved old set with a beleagured magic eye, you might find this a project worth replicating. Video after the break.

youtube.com/embed/ghJo8rc5Zvc?…

youtube.com/embed/Q379PuWvB2U?…

hackaday.com/2024/09/02/a-digi…

Do you know Morse code already? Or are you maybe trying to learn so you can be an old school ham? Either way, you could have a lot of fun with [felix]’s great little entry into the 2024 Tiny Games Contest — Morse Quest.

This minimalist text-based adventure game is played entirely in Morse code. That is, the story line, all the clues, and the challenges along the way are presented by a blinking LED. In turn, commands like LOOK, TAKE, and INVENTORY are entered with the slim key on the lower right side. A wee potentiometer allows the player to adjust the blink rate of the LED, so it’s fun for all experience levels. Of course, one could always keep a Morse chart handy.

The brains of this operation is an Arduino Nano, and there’s really not much more to the BOM than that. It runs on a 9 V, so theoretically it could be taken anywhere you want to escape reality for a while. Be sure to check out the demo video after the break.

youtube.com/embed/rrmVYNtu1S4?…

hackaday.com/2024/09/02/2024-t…

Gli specialisti della sicurezza informatica hanno scoperto una vulnerabilità in uno dei principali sistemi di sicurezza del trasporto aereo, che consentiva alle persone non autorizzate di aggirare i controlli di sicurezza dell’aeroporto e ottenere l’accesso alle cabine degli aerei.

I ricercatori Ian Carroll e Sam Curry hanno scoperto una vulnerabilità in FlyCASS, un servizio web di terze parti che alcune compagnie aeree utilizzano per gestire il loro programma Known Crewmember (KCM) e Cockpit Access Security System (CASS). KCM è un progetto TSA che consente ai piloti e agli assistenti di volo di aggirare i controlli di sicurezza, mentre CASS consente ai piloti autorizzati di sedersi nelle cabine degli aerei durante il viaggio.

Il sistema KCM, gestito da ARINC (una filiale di Collins Aerospace), verifica le credenziali dei dipendenti delle compagnie aeree attraverso una piattaforma online dedicata. Per aggirare lo screening, è necessario seguire un processo di verifica, che include la scansione di un codice a barre KCM o l’inserimento di un numero identificativo del dipendente, quindi il controllo incrociato nel database della compagnia aerea.

I ricercatori hanno scoperto che il sistema di registrazione FlyCASS era suscettibile a un problema di SQL injection. Utilizzando questo bug, gli esperti sono riusciti ad accedere al sistema con diritti di amministratore per una determinata compagnia aerea (Air Transport International) e sono stati in grado di modificare i dati dei dipendenti. Così, durante i test, i ricercatori hanno aggiunto al sistema un dipendente fittizio con il nome e cognome “Test TestOnly”, e poi hanno dato a questo account l’accesso a KCM e CASS.

“Chiunque abbia una conoscenza di base delle SQL injection potrebbe andare su questo sito e aggiungere chiunque a KCM e CASS, il che gli ha permesso di aggirare i controlli di sicurezza e ottenere l’accesso alle cabine di pilotaggio degli aerei di linea commerciali”, afferma Carroll.

Rendendosi conto della gravità della situazione, i ricercatori hanno immediatamente segnalato la vulnerabilità alle autorità contattando il Dipartimento per la Sicurezza Nazionale degli Stati Uniti (DHS) il 23 aprile 2024.

Di conseguenza, il DHS ha riconosciuto la gravità della vulnerabilità e ha confermato che FlyCASS era stato disconnesso dal sistema KCM/CASS il 7 maggio 2024 come misura precauzionale. Poco dopo la vulnerabilità in FyCASS è stata risolta. Tuttavia,

Carroll sottolinea inoltre che la vulnerabilità potrebbe portare a violazioni della sicurezza su larga scala, come l’alterazione dei profili dei membri KCM esistenti per aggirare eventuali controlli richiesti per i nuovi membri.

L'articolo Una SQL Injection Espone le Cabine di Pilotaggio! I Ricercatori Scoprono una Minaccia nei Sistemi Aerei proviene da il blog della sicurezza informatica.

Gli hacker stanno abusando di GitHub per distribuire il malware Lumma Stealer, che ruba informazioni. Gli aggressori mascherano il malware sotto false correzioni, che pubblicano nei commenti ai progetti.

Questa campagna è stata scoperta per la prima volta da uno degli autori della libreria teloxide , che ha avvertito su Reddit di aver ricevuto cinque diversi commenti sui suoi problemi su GitHub. Erano tutti mascherati da correzioni, ma in realtà promuovevano malware.

Bleeping Computer riferisce di aver identificato migliaia di commenti simili su una varietà di progetti su GitHub che contenevano correzioni false. Pertanto, gli aggressori invitano le persone a scaricare un archivio protetto da password da mediafire.com o tramite un breve URL su bit.ly, per poi eseguire il file eseguibile in esso contenuto.

Facendo clic su questo collegamento si accede a una pagina di download per il file fix.zip, che contiene diverse DLL e un file eseguibile chiamato x86_64-w64-ranlib.exe. La password per prire l’archivio trovato in tutti i commenti era la stessa: “changeme“.

L’esecuzione del file eseguibile tramite Any.Run ha dimostrato che si tratta di un malware per rubare informazioni: Lumma Stealer.

Lo specialista in sicurezza informatica Nicholas Sherlock riferisce che in soli tre giorni, aggressori sconosciuti hanno pubblicato più di 29.000 commenti su GitHub che distribuisce Lumma.

Ricordiamo che sul sistema della vittima questo malware tenta di rubare cookie, credenziali, password, dati di carte bancarie e cronologia di navigazione da Google Chrome, Microsoft Edge, Mozilla Firefox e altri browser Chromium.

Lumma può anche rubare dati del portafoglio di criptovaluta, chiavi private e file di testo con i nomi seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, parole, wallet.txt, *.txt e * .pdf perché probabilmente contengono chiavi private e password.

Sebbene lo staff di GitHub rimuova i commenti dannosi non appena vengono scoperti, molte persone hanno riferito di essere state colpite da questo attacco.

Si consiglia a chiunque abbia lanciato il malware di cambiare le password di tutti i propri account il prima possibile, impostando una password univoca per ogni sito e di trasferire la criptovaluta su un nuovo portafoglio.

L'articolo Lumma Stealer viene distribuito tramite 29.000 commenti su GitHub proviene da il blog della sicurezza informatica.

“Ogni mio nuovo lavoro rappresenta la summa e la sintesi di tutti quelli realizzati prima, evolvendone nuovamente il significato e la portata artistica. Credo che “Strategia Esoterica” abbia comunque una forza molto superiore perché frutto di una trasmutazione molto potente”- Deca @Musica Agorà

iyezine.com/deca-strategia-eso…

Deca - Strategia esoterica

Deca - Strategia esoterica - “Ogni mio nuovo lavoro rappresenta la summa e la sintesi di tutti quelli realizzati prima, evolvendone nuovamente il significato e la portata artistica.

^{Massimo Argo (In Your Eyes ezine)}

What happens when an unfortunate bug ends up in a spider’s web? It gets bitten and wrapped in silk, and becomes a meal. But if the web belongs to an orb-weaver and the bug is a male firefly, it seems the trapped firefly — once bitten — ends up imitating a female’s flash pattern and luring other males to their doom.

Fireflies communicate with flash patterns (something you can experiment with yourself using nothing more than a green LED) and males looking to mate will fly around flashing a multi-pulse pattern with their two light-emitting lanterns. Females will tend to remain in one place and flash single-pulse patterns on their one lantern.

When a male spots a female, they swoop in to mate. Spiders have somehow figured out a way to actively take advantage of this, not just inserting themselves into the process but actively and masterfully manipulating male fireflies, causing them to behave in a way they would normally never do. All with the purpose of subverting firefly behavior for their own benefit.

It all started with an observation that almost all fireflies in webs were male, and careful investigation revealed it’s not just some odd coincidence. When spiders are not present, the male fireflies don’t act any differently. When a spider is present and detects a male firefly, the spider wraps and bites the firefly differently than other insects. It’s unknown exactly what happens, but this somehow results in the male firefly imitating a female’s flash patterns. Males see this and swoop in to mate, but with a rather different outcome than expected.

The research paper contains added details but it’s clear that there is more going on in this process than meets the eye. Spiders are already fascinating creatures (we’ve seen an amazing eye-tracking experiment on jumping spiders) and it’s remarkable to see this sort of bio-hacking going on under our very noses.

hackaday.com/2024/09/02/spider…

Negli ultimi anni, la sicurezza informatica ha subito un’evoluzione rapida per contrastare le minacce sempre più sofisticate. Tuttavia, i cybercriminali continuano a trovare nuove modalità per aggirare le difese implementate dalle organizzazioni.

Un esempio recente è rappresentato dall’utilizzo di driver vulnerabili in attacchi mirati, una tecnica conosciuta come Bring Your Own Vulnerable Driver (BYOVD). In questo contesto, il gruppo di ransomware noto come RansomHub ha sfruttato un driver vulnerabile per disabilitare i sistemi di rilevamento e risposta degli endpoint (EDR) utilizzando uno strumento chiamato EDRKillShifter del quale avevamo parlato recentemente.

Descrizione del Driver Vulnerabile

Il driver utilizzato da RansomHub è TFSysMon (come riportato da Sophos), sviluppato da ThreatFire System Monitor, come dalle analisi svolte dal ricercatore di sicurezza Alex Necula di ACS Data System S.p.A che ha fornito a Red Hot Cyber una anteprima del suo rapporto di analisi.

Questo driver presenta una vulnerabilità critica dovuta alla mancanza di controlli di accesso adeguati in una chiamata IOCTL (0xB4A00404).

L’hash SHA256 del driver è 1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856.

Il problema principale risiede in una subroutine chiamata dalla funzione IOCTL, che utilizza l’API ZwTerminateProcess senza verificare i permessi dell’utente che effettua la chiamata.

Funzionamento di EDRKillShifter

EDRKillShifter è lo strumento impiegato da RansomHub per sfruttare questa vulnerabilità. Esso sfrutta la mancanza di controllo nell’accesso alla funzione sub_1837C del driver, la quale accetta un argomento a1[3] senza verificare se chi invoca la funzione possieda i permessi necessari per terminare un processo. In altre parole, un attore malevolo può invocare il codice IOCTL per terminare in modo improprio un processo EDR, bypassando così le misure di sicurezza.

L’uso di EDRKillShifter da parte di RansomHub rappresenta una minaccia significativa per la sicurezza informatica. La capacità di disabilitare i sistemi EDR consente agli attaccanti di eludere la rilevazione e di eseguire le proprie operazioni malevole senza essere scoperti. In un attacco documentato, RansomHub ha sfruttato questa vulnerabilità per compromettere diversi sistemi, disabilitando con successo 5 su 7 software EDR testati.

POC (Proof of Concept)

In seguito alla scoperta della vulnerabilità nel driver TFSysMon, è stato sviluppato un Proof of Concept (POC) per dimostrare la fattibilità e l’impatto dell’exploit. Questo POC è stato realizzato per testare l’efficacia dell’attacco su diversi software EDR. Durante i test condotti nel mese di maggio, tre mesi prima che RansomHub iniziasse a utilizzare il driver vulnerabile, il POC ha dimostrato la capacità di terminare con successo cinque su sette software EDR testati.

Il POC sfrutta la chiamata IOCTL (0xB4A00404) che, come descritto, invoca la funzione sub_1837C senza eseguire controlli sui permessi. La mancanza di controllo di accesso permette al POC di terminare impropriamente i processi EDR, mostrando chiaramente come un attore malevolo potrebbe sfruttare questa vulnerabilità per disabilitare le difese di sicurezza di un sistema.

Per motivi di sicurezza, il codice del Proof of Concept non è stato pubblicato. Tuttavia, l’esperimento ha fornito prove concrete che questa vulnerabilità rappresenta una seria minaccia per i sistemi di sicurezza aziendali. L’esistenza di strumenti come EDRKillShifter, capaci di sfruttare tali debolezze, richiede che le organizzazioni adottino misure preventive efficaci, come l’aggiornamento regolare dei driver e la verifica della sicurezza delle proprie infrastrutture.

L’esperimento POC sottolinea inoltre l’importanza di una collaborazione continua tra ricercatori di sicurezza e fornitori di software, per identificare e correggere prontamente le vulnerabilità prima che possano essere sfruttate in attacchi reali.

Il POC sviluppato ha dimostrato non solo l’esistenza della vulnerabilità nel driver TFSysMon, ma anche la sua pericolosità se utilizzata da attori malevoli. Questo esperimento ha rafforzato l’importanza di adottare un approccio proattivo nella gestione delle vulnerabilità, includendo test regolari e aggiornamenti tempestivi. La condivisione delle scoperte tra la comunità della sicurezza è cruciale per prevenire attacchi futuri e proteggere le infrastrutture critiche da minacce sempre più sofisticate.

Conclusioni

Il caso di EDRKillShifter utilizzato da RansomHub è un promemoria inquietante della creatività e della persistenza dei cybercriminali. La mancanza di controlli di accesso nei driver al momento può avere conseguenze devastanti, permettendo agli attori malevoli di compromettere i sistemi di sicurezza più avanzati. È fondamentale che le organizzazioni mantengano un approccio proattivo alla sicurezza, includendo la valutazione continua delle vulnerabilità e la pronta applicazione di patch e aggiornamenti per mitigare tali rischi.

Un ringraziamento speciale va ad Alex Necula di ACS Data System S.p.A per aver condotto il Proof of Concept che ha permesso di evidenziare la vulnerabilità critica del driver TFSysMon. Il suo lavoro ha fornito un contributo fondamentale alla comprensione e alla mitigazione di questa minaccia. Senza la sua dedizione e competenza, sarebbe stato più difficile per la comunità della sicurezza riconoscere e affrontare efficacemente questo potenziale vettore d’attacco.

La sua collaborazione e il suo impegno per la sicurezza informatica sono altamente apprezzati e rappresentano un esempio di come il lavoro di un singolo ricercatore possa avere un impatto significativo sulla protezione collettiva contro le minacce informatiche.

L'articolo L’Arma Segreta di RansomHub per disabilitare gli EDR. Il PoC del BYOVD usato da EDRKillShifter proviene da il blog della sicurezza informatica.