New Saint Bot Malware Downloader Proliferates Via Phishing Emails

A new malware has surfaced in the wild, dubbed Saint Bot. The Saint Bot malware is deployed via phishing emails and aims to deploy credential stealers and download other malware strains onto target devices. Saint Bot was first spotted in January 2021; however, a surge of reported infections, along with the strain showing new features, suggests that Saint Bot is under active development and may well prove to be a major threat in the coming months.

According to cybersecurity researchers at Malwarebytes, Saint Bot has been slowly gaining momentum in the cybercrime world. Researchers observed the malware dropping stealers such as Taurus Stealer as well as other loaders. It has been designed to be a suitable launching point for just about any malware strain.

“Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance,” researchers said.

The infection chain analyzed by Malwarebytes begins with a phishing email containing an embedded ZIP file (“bitcoin.zip”) that claims to be a bitcoin wallet when, in fact, it is a PowerShell script disguised as a .LNK shortcut file. This PowerShell script then downloads the next-stage malware, a WindowsUpdate.exe executable, which in turn drops a second executable (InstallUtil.exe) that takes care of downloading two more executables named def.exe and putty.exe.

The payloads for Saint Bot, interestingly, are hosted on Discord. This tactic is becoming popular with hackers, who abuse the functionality of legitimate services for Command-and-Control (C&C) communications, security evasion, and malware deployment.

“When files are uploaded and stored within the Discord CDN, they can be accessed using the hardcoded CDN URL by any system, regardless of whether Discord has been installed, simply by browsing to the CDN URL where the content is hosted,” researchers from Cisco Talos disclosed in an analysis earlier this week, thus turning software like Discord and Slack into lucrative targets for hosting malicious content.

“Saint Bot is yet another tiny downloader,” researchers said. “It is not as mature as SmokeLoader, but it is quite new and currently actively developed. The author seems to have some knowledge of malware design, which is visible by the wide range of techniques used. Yet, all the deployed techniques are well-known and pretty standard, [and] not showing much creativity so far.”

Saint Bot Malware Analysis

The bulk of this analysis was carried out by researchers at Malwarebytes, notably by Aleksandra “Hasherezade” Doniec.

As mentioned previously in this article, the first step of the attack is a phishing email purporting to deliver a bitcoin wallet. The wallet is a decoy; the attachment is in fact an obfuscated PowerShell script that infects the host with Saint Bot. While the majority of cases have used the bitcoin wallet set-up, Hasherezade noted that the same attack recently targeted government institutions in Georgia as a COVID-themed campaign.

Saint Bot Delivery Roadmap, by Malwarebytes

Once the script is run, the main sample drops another executable in the %TEMP% directory. This then downloads two executables named def.exe and putty.exe. It saves them in %TEMP% and tries to execute them with elevated privileges. If run, the first sample (def.exe) deploys a batch script that disables Windows Defender. The second sample (named putty.exe) is the main malicious component.

The scripts from “AppData/Local/z_[user]” are used to deploy the main sample. During the first run, the executable injects itself into “EhStorAuthn.exe”. Below we can see the injected implant detected and dumped by HollowsHunter.

Injected implant, from Malwarebytes

Once the implant is injected, it connects to its Command-and-Control (C&C) server and proceeds with its main actions. Observing the network traffic, we can see the URL of the malware’s C&C being queried repeatedly:

http[:]//update-0019992[.]ru/testcp1/gate.php

Following this URL we can see the related C&C panel, which looks typical for Saint Bot:

Saint Bot C&C panel, from Malwarebytes

From here, the hackers are able to trigger commands from the C&C, including downloading further malware strains.

Researchers noted the evolution of the code between the current sample and a sample from January. While January’s sample contacts the same C&C, the code has been rewritten. It used the mutex “saint2021_NewGeneration”, suggesting that this bot has gone through some major changes since the beginning of this year.
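The delivery chain above (PowerShell launched from the .LNK, stage binaries dropped into %TEMP%, and the repeated gate.php beacon) is something a defender can hunt for in endpoint telemetry. The following script is an added example, not Malwarebytes' or SaferNet's code: it runs over a constructed list of Sysmon-style process and network events, and the event field names and the user profile path are assumptions made for this illustration. The stage names and the C&C URL are the values reported in the article.

```python
"""Hunting the Saint Bot delivery chain in constructed endpoint telemetry."""
import ntpath
import re

# Stage binaries named in the Malwarebytes write-up.
STAGE_IMAGES = {"windowsupdate.exe", "installutil.exe", "def.exe", "putty.exe"}
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
C2_URL = re.compile(r"update-0019992\.ru/testcp1/gate\.php", re.IGNORECASE)

# Constructed telemetry (field names are assumptions): one infected host
# plus a benign PuTTY launch from Program Files that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100,  # PowerShell started from the .LNK
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Users\bob\AppData\Local\Temp\WindowsUpdate.exe"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\Users\bob\AppData\Local\Temp\InstallUtil.exe"},
    {"type": "process", "pid": 500, "ppid": 400,
     "image": r"C:\Users\bob\AppData\Local\Temp\def.exe"},
    {"type": "process", "pid": 600, "ppid": 400,
     "image": r"C:\Users\bob\AppData\Local\Temp\putty.exe"},
    {"type": "network", "pid": 600,
     "url": "http://update-0019992.ru/testcp1/gate.php"},
    {"type": "process", "pid": 700, "ppid": 100,  # legitimate PuTTY, not in %TEMP%
     "image": r"C:\Program Files\PuTTY\putty.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def descends_from_powershell(procs, pid):
    """Walk the parent chain starting at pid; True if powershell.exe is an ancestor."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if image_name(cur["image"]) == "powershell.exe":
            return True
        cur = procs.get(cur["ppid"])
    return False


def analyze(events):
    """Return (rule, pid, detail) findings that match the Saint Bot chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            name = image_name(e["image"])
            # A known stage name, executing from %TEMP%, under a PowerShell ancestor.
            if (name in STAGE_IMAGES and TEMP_PATH.search(e["image"])
                    and descends_from_powershell(procs, e["ppid"])):
                findings.append(("temp-stage", e["pid"], name))
        elif e["type"] == "network" and C2_URL.search(e.get("url", "")):
            findings.append(("c2-beacon", e["pid"], e["url"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:<11} pid={pid} {detail}")
```

The name match alone is deliberately weak (putty.exe is a legitimate tool); it is the combination of the %TEMP% location and the PowerShell ancestry that makes the finding worth an alert, and the beacon to the known gate.php URL confirms it.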

Protection

The Saint Bot malware is just another example of new malware strains infecting machines globally. Furthermore, it highlights the issue with phishing: the phishing attack vector is still key to a hacker’s success, and the weakest link in business cybersecurity.

It is important that business leaders use proactive phishing protection tools to ensure their businesses aren’t affected by malware attacks. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

SolarMarker RAT Pushed On 100,000 Google Sites

The SolarMarker RAT is making its way around many websites due to some clever manipulation of Google’s SEO rankings. The attack starts with the potential victim performing a search for business forms such as invoices, questionnaires, and receipts. The campaign lays traps for potential victims using Google search redirection and drive-by download. When a person visits one of the sites they are directed to and clicks on a purported “form,” the infected site delivers a binary disguised as a PDF. Running it installs the SolarMarker RAT on their device.

Once the RAT is on the victim’s computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply use the RAT as a foothold into the victim’s network.

Initial reports and analysis of SolarMarker’s activity came from eSentire earlier this week.

“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers wrote. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.”

Given how difficult it is to master Google’s SEO for many businesses, it is clear that the hackers behind the SolarMarker RAT attacks are using high levels of sophistication in their campaign.

The hackers use common business words as keywords, which dupes Google’s web crawler into believing that the intended content meets conditions for a high page-rank score, which means the malicious sites will appear at the top of user searches, according to the report. This increases the likelihood that victims will be lured to infected sites.

eSentire’s Threat Response Unit (TRU) discovered over 100,000 unique web pages that contain popular business terms as keywords: template, invoice, receipt, questionnaire, and resume. In a preliminary search, 70,000 unique web pages mentioned either template or invoice.

“Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a lot of effort to compromise business professionals, spreading a wide net and using many tactics to successfully disguise their traps,” said Spence Hutchinson, manager of threat intelligence for eSentire.

“Once a RAT has been installed on a victim’s computer, the threat actors can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the organization,” researchers said. Threat actors also could install a credential-stealer in this way, to harvest the employee’s email credentials and launch a business email compromise (BEC) scheme.

“Unfortunately, once a RAT is comfortably installed, the potential fraud activities are numerous,” they noted.

SolarMarker RAT Analysis

This analysis has been provided by eSentire, who have been researching the SolarMarker RAT attacks.

The emerging RAT is written with the .NET software framework and has been tracked as Jupyter, Yellow Cockatoo and SolarMarker, and is now being tracked as Polazert on Twitter. SolarMarker was first observed in early October 2020. Throughout October and November 2020, SolarMarker used docx2rtf.exe as a decoy to distract users while the .NET payload silently installed itself in the background. Red Canary reports SolarMarker changing this decoy application over the following months, using photodesigner7_x86-64.exe in September 2020 and Expert_PDF.exe in November 2020, while eSentire continued to see docx2rtf.exe. Researchers have now discovered that the SolarMarker group is using Slim PDF Reader.

The attack chain starts with a Google search and ends in the installation of the SolarMarker RAT and a lesser-known PDF viewer.
Process tree outlining the installation of SolarMarker. Note the Adobe icon on the installer file. The RAT, labeled (unknown), then goes on to install the decoy document and make malicious PowerShell calls.

SolarMarker RAT captures victims via Google Search redirect. Often, clients are looking for a free version or template of a document. In the latest incident observed by researchers, the victim, who works in the financial industry, was redirected to a Google Sites page controlled by the threat actor with an embedded download button. The download button, hosted at passiondiamond[.]site, is easy to customize. Researchers were able to generate a document named “this is a test” for download.

The Download button that is embedded in the Google Site

The decoy program, Slim PDF, serves as an important visual cue for potential victims of SolarMarker but also helps to lower suspicion of malicious intent.

Screenshot from the Slim PDF reader website

The redirection infrastructure passes through a series of .tk TLDs before landing on the final .ml TLD domain. Upon visiting the infrastructure with a VM, no such redirects are experienced. Upon inspecting the source code of the embedded download button at passiondiamond.site, researchers found an entirely different .tk domain, indicating a possibility that these redirect pathways are dynamic and can be changed for either operational security or delivery efficacy. It’s possible that any number of checks are being performed on the visiting browser and operating system to ensure they are being operated by victims, not security researchers.

SolarMarker’s redirect path from the search result to the final payload site
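Two of the points above lend themselves to an offline check a defender can automate: the downloaded "form" is a Windows executable wearing a document name, and the path to it runs through several throwaway .tk/.ml hops. The script below is an added example, not eSentire's or SaferNet's code. Its inputs are constructed: the file headers are hand-made byte strings, and the redirect chain uses placeholder hostnames (only passiondiamond.site and the .tk/.ml pattern come from the article; the path on that host is invented). The free-TLD list and the "two or more free-TLD hops" threshold are assumptions about the kind of chain the report describes.

```python
"""Offline checks for the SolarMarker lure: disguised binaries and redirect chains."""
from urllib.parse import urlsplit

PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}          # assumption: throwaway free TLDs
EXECUTABLE_EXTS = {"exe", "scr", "msi", "bat", "ps1"}


def classify_download(filename, head):
    """Compare the claimed extension with the real file type read from its header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if head.startswith(PE_MAGIC):
        actual = "pe"
    elif head.startswith(PDF_MAGIC):
        actual = "pdf"
    else:
        actual = "unknown"
    # The lure is a document name on a PE file; that mismatch is the signal.
    return {"claimed": ext, "actual": actual,
            "suspicious": actual == "pe" and ext not in EXECUTABLE_EXTS}


def tld(host):
    """Last DNS label of a hostname, lower-cased ('' for an empty host)."""
    return host.rsplit(".", 1)[-1].lower() if host else ""


def analyze_redirect_chain(hops):
    """Summarize a recorded redirect chain given as a list of URLs, first to last."""
    hosts = [urlsplit(u).hostname or "" for u in hops]
    free_tld_hosts = [h for h in hosts if tld(h) in FREE_TLDS]
    final_path = urlsplit(hops[-1]).path.lower() if hops else ""
    final_ext = final_path.rsplit(".", 1)[-1] if "." in final_path else ""
    ends_in_executable = final_ext in EXECUTABLE_EXTS
    # Several free-TLD hops, or one free-TLD hop that ends in a binary, matches
    # the pattern in the report; either alone is weak, together they are not.
    suspicious = len(free_tld_hosts) >= 2 or (bool(free_tld_hosts) and ends_in_executable)
    return {"hops": len(hops), "free_tld_hosts": free_tld_hosts,
            "ends_in_executable": ends_in_executable, "suspicious": suspicious}


# Constructed chain with placeholder hop names; only the second hop's
# hostname is taken from the article, its path is made up.
SAMPLE_CHAIN = [
    "https://sites.google.com/view/placeholder-free-invoice-template",
    "https://passiondiamond.site/download",
    "https://example-hop-1.tk/go",
    "https://example-hop-2.tk/go",
    "https://example-final.ml/Invoice-Template.exe",
]

if __name__ == "__main__":
    print(classify_download("Invoice_Template.pdf", b"MZ\x90\x00\x03\x00"))
    print(analyze_redirect_chain(SAMPLE_CHAIN))
```

A proxy or sandbox that records the hop list and the first bytes of the final download has everything this needs; a browser-side block on executables whose name ends in a document extension would have stopped the "form" before the user ever saw the decoy reader.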

Protection



Millions of IoT Devices at Risk From NAME:WRECK Exploits

Over 100 million IoT devices are under threat from 9 newly discovered DNS vulnerabilities, found by Forescout Research Labs and JSOF and collectively dubbed NAME:WRECK. The NAME:WRECK vulnerabilities affect four well-known TCP/IP stacks, each present in popular IT software and IoT firmware. They impact organizations in multiple sectors, from government to healthcare, manufacturing, and retail, and if successfully exploited by malicious actors in a denial of service (DoS) or remote code execution (RCE) attack, could be used to disrupt or take control of victim networks.

The exploits affect the following four stacks:

FreeBSD: Commonly used in computers, printers, and networking devices found on Device Cloud. It is used on other well-known open source projects such as firewalls and some commercial network appliances.

IPNet: Integrator solution offered by IPNet Solutions, geared for enterprise and telecom markets.

NetX: Common product categories include mobile phones, consumer electronics, and business automation, in devices such as printers, smart clocks, systems-on-a-chip, and energy & power equipment in Industrial Control Systems (ICS).

Nucleus NET: Part of Nucleus RTOS, and deployed in over 3 billion devices. Commonly used in building automation, operational technology, and VoIP, as well as ultrasound machines, storage systems, and critical systems for avionics.

The combination of widespread use of these stacks, together with external exposure of the vulnerable DNS clients, results in a dramatically increased attack surface. Even the most conservative estimates conclude that millions of devices are impacted by NAME:WRECK.

“NAME:WRECK is a significant and widespread set of exploits with the potential for large-scale disruption,” said Daniel dos Santos, research manager at Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP stacks.

“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”

Although FreeBSD, Nucleus NET and NetX have all been patched recently, as with many other exploits affecting deployed IoT devices, NAME:WRECK will inevitably be hard to patch in some instances because nowadays, IoT technology is often deeply embedded in organisational systems, can be hard to manage, and often essentially impossible to patch.

Due to the severity of the exploits, Forescout and JSOF are recommending a series of mitigations:

  • Users should try to discover and inventory devices running the vulnerable stacks – Forescout has pushed out an open source script that uses active fingerprinting to do this, which is being updated as new developments occur.
  • Users should enforce segmentation controls and increase network hygiene, restricting external communication paths and isolating vulnerable devices if they cannot be patched.
  • Users should monitor for patches being dropped by affected device suppliers and devise a remediation plan for affected inventory.
  • Users should configure affected devices to run on internal DNS servers, and monitor external DNS traffic (successful exploitation would need a malicious DNS server to reply with malicious packets).
  • Users should monitor all their network traffic for malicious packets trying to exploit known vulnerabilities or zero-days affecting DNS, mDNS and DHCP clients.

NAME:WRECK is the second major set of TCP/IP exploits uncovered by Forescout’s team in the past year as part of a research programme called Project Memoria.

In December 2020, the firm issued a warning over 33 different vulnerabilities, referred to as Amnesia33, affecting devices made by over 150 different tech manufacturers. Such was the scale of the Amnesia33 disclosure that it prompted an emergency alert from the US Cybersecurity and Infrastructure Security Agency (CISA).

NAME:WRECK Exploits Analysis

Much of this analysis has been carried out by Forescout, JSOF, and BleepingComputer.

The researchers analyzing the DNS implementations in the above-mentioned TCP/IP stacks looked at the message compression feature of the protocol. It is not uncommon for DNS response packets to include the same domain name, or part of it, more than once, so a compression mechanism exists to reduce the size of DNS messages. DNS resolvers are not the only code that handles this encoding: it is also present in multicast DNS (mDNS), DHCP clients, and IPv6 router advertisements.

Forescout explains in the report that the feature is also present in many implementations, although some protocols do not officially support compression. This occurs “because of code reuse or a specific understanding of the specifications.”

The researchers note that implementing the compression mechanism has been a tall order, as highlighted by more than a dozen exploits discovered since the year 2000.

Below is a list of the 9 exploits across the four TCP/IP stacks:

CVE-2020-7461 – Boundary error when parsing option 119 data in DHCP packets in dhclient(8). An attacker on the network can send crafted data to the DHCP client.

CVE-2016-20009 – Stack-based overflow on the message decompression function.

CVE-2020-15795 – DNS domain name label parsing functionality does not properly validate the names in DNS responses. Parsing malformed responses could result in a write past the end of an allocated structure.

CVE-2020-27009 – DNS domain name record decompression functionality does not properly validate the pointer offset values. Parsing malformed responses could result in a write past the end of an allocated structure.

CVE-2020-27736 – DNS domain name label parsing functionality does not properly validate the name in DNS responses. Parsing malformed responses could result in a write past the end of an allocated structure.

CVE-2020-27737 – DNS response parsing functionality does not properly validate various lengths and counts of the records. Parsing malformed responses could result in a read past the end of an allocated structure.

CVE-2020-27738 – DNS domain name record decompression functionality does not properly validate the pointer offset values. Parsing malformed responses could result in a read access past the end of an allocated structure.

CVE-2021-25677 – DNS client does not properly randomize the DNS transaction ID (TXID) and UDP port numbers.

Unnamed NetX vulnerability – two functions in the DNS resolver do not check that the compression pointer does not equal the offset currently being parsed, potentially leading to an infinite loop.
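Nearly every entry in that list is a missing check in the same few dozen lines of code: the routine that expands a compressed DNS name. As an added example, not Forescout's or any affected stack's code, here is that routine written with the checks whose absence the advisory describes: labels must stay inside the message, compression pointers must stay inside the message and must point strictly before the segment currently being parsed (which rules out self-referencing and cyclic pointers, the NetX infinite-loop case), and the assembled name must fit the 255-byte limit. The sample messages are constructed.

```python
"""Hardened DNS name decompression (RFC 1035 section 4.1.4 encoding)."""


class DnsParseError(ValueError):
    """Raised for any malformed name; the caller must drop the packet."""


MAX_NAME_LEN = 255


def read_name(msg, offset):
    """Return (dotted_name, offset_after_name) for the name starting at offset."""
    labels = []
    name_len = 0
    pos = offset
    resume = None      # where the record continues after the first pointer
    lowest = offset    # every pointer must land strictly before this offset
    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= len(msg):
                raise DnsParseError("pointer offset outside message")
            if target >= lowest:
                # Rejects a pointer to itself and any forward or cyclic
                # reference. A plain 'target < pos' test is not enough: a
                # label followed by a pointer back to that label loops forever.
                raise DnsParseError("pointer does not reference a prior name")
            if resume is None:
                resume = pos + 2
            lowest = target
            pos = target
            continue
        if length & 0xC0:
            raise DnsParseError("reserved label type")
        if length == 0:                                  # root label: done
            return ".".join(labels), (resume if resume is not None else pos + 1)
        if pos + 1 + length > len(msg):
            raise DnsParseError("label overruns message")
        name_len += length + 1
        if name_len > MAX_NAME_LEN:
            raise DnsParseError("name longer than 255 bytes")
        try:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        except UnicodeDecodeError:
            raise DnsParseError("non-ASCII label") from None
        pos += 1 + length


def is_malformed(msg, offset):
    """True when read_name rejects the name at offset."""
    try:
        read_name(msg, offset)
        return False
    except DnsParseError:
        return True


# Constructed response: 12-byte header, question "example.com" at offset 12,
# QTYPE/QCLASS, then an answer name "www" + pointer to offset 12.
HEADER = b"\x00\x01\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
GOOD_MSG = HEADER + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01" + b"\x03www\xc0\x0c"
# Constructed malformed names, each starting at offset 12:
SELF_POINTER = HEADER + b"\xc0\x0c"        # pointer to itself (infinite loop class)
OUT_OF_RANGE = HEADER + b"\xc3\xff"        # pointer past the end of the message
LABEL_OVERRUN = HEADER + b"\x3fabc"        # label claims 63 bytes, supplies 3
LABEL_LOOP = HEADER + b"\x03abc\xc0\x0c"   # label, then pointer back to that label

if __name__ == "__main__":
    print(read_name(GOOD_MSG, 29))
    for name, m in [("self", SELF_POINTER), ("range", OUT_OF_RANGE),
                    ("overrun", LABEL_OVERRUN), ("loop", LABEL_LOOP)]:
        print(name, "rejected" if is_malformed(m, 12) else "accepted")
```

The `lowest` bookkeeping is the part most implementations get wrong: because a pointer must reference a prior occurrence of a name, each jump can only move to an earlier offset than the previous jump did, which bounds the loop without a separate jump counter.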

Protection

Against nearly all exploits, the first step is to patch all systems. Following this, users should follow the mitigation steps outlined by Forescout.

Once IoT devices are protected, it’s important that individuals, families, and business owners take steps to protect their other devices. These steps include using the right tools to ensure they’re protected. One of these tools is SaferNet.



W-2 Phishing Scam Targets 2021 Tax Season

Phishing scams are always prevalent, but tax season tends to step things up a few gears. Threat actors are carrying out a new attack campaign, using phishing emails and a TypeForm exploit to try to steal victims’ login credentials. TypeForm is a website that allows users to conduct surveys and create quizzes; it has a legitimate use. Hackers are using exploits within TypeForm’s framework to create fraudulent login pages as part of the phishing scam.

A new report by Armorblox details the attack, in which the phishing scam takes advantage of the 2021 tax season by pretending to be a W-2 tax document shared via Microsoft OneDrive.

The phishing scam starts with victims receiving an email purporting to be from OneDrive, where a file named ‘2020_TaxReturn&W2.pdf’ is shared with the user.

W-2 Phishing Email

Previously, companies sent tax-related correspondence via mail, but in recent times many have switched to email for various documents, such as 1099 and W-2.

It is important to note that the above email does not stand up to any kind of examination by someone trained or educated to keep an eye out for phishing emails. Regardless, this phishing scam has been successful.

If the victim clicks on the link, they are brought to a TypeForm form that includes a blurred-out 2020 W-2 tax document pretending to be secured by the Adobe Secure Document service.

The form will request that the visitor enter their email address and password to log in and retrieve the W-2 document.

When details are entered, the form consistently states that they are incorrect, before eventually displaying a message which reads, “Unable to verify your identity”.

Armorblox noted this is the heart of the scam: the hackers are trying to make the user enter every username and password combination they can think of, harvesting them unbeknownst to the victim.

“It’s likely that the error messages could be a smokescreen for the attackers to gather as many account ID and password combinations as unsuspecting victims are willing to enter in an attempt to brute-force their way to gain access to the W2. In reality, there is no W2 pot of gold at the end of this malicious rainbow,” ArmorBlox explains in their report.

In their own research of this scam, BleepingComputer noted, “TypeForm is not the only legitimate form creation service to be abused by threat actors. Other phishing campaigns have used Google Forms and Canva to steal login credentials. Microsoft Forms is also heavily abused, which has led Microsoft to proactively warn IT admins when they detect phishing campaigns abusing Microsoft Forms in their Active Directory tenants.”
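The lure has two tells a mail filter can check without any threat-intelligence feed: the sender's display name claims OneDrive while the address is not on a Microsoft domain, and the "open file" link lands on a form-builder service rather than on the file-sharing service the email names. The script below is an added example, not Armorblox's or SaferNet's code. It parses one constructed message with the Python standard library; the brand-domain and form-builder host lists are assumptions for this illustration (only the services they name, OneDrive, TypeForm, Google Forms, Canva and Microsoft Forms, come from the article), as is the sender address.

```python
"""Flagging a 'file shared with you' lure whose link lands on a form builder."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: domains a genuine OneDrive share notification would be sent from.
BRAND_DOMAINS = {"onedrive": {"microsoft.com", "onedrive.com", "live.com", "sharepoint.com"}}
# Assumed: hosts of the form-builder services the article names as abused.
FORM_BUILDER_HOSTS = {"typeform.com", "forms.gle", "docs.google.com",
                      "canva.site", "forms.office.com"}

# Constructed message; the file name is the one from the campaign.
RAW_EMAIL = """\
From: "OneDrive" <share@notify-example.invalid>
To: bob@example.com
Subject: 2020_TaxReturn&W2.pdf has been shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A file has been shared with you via OneDrive.</p>
<a href="https://example-tenant.typeform.com/to/placeholder">Open 2020_TaxReturn&amp;W2.pdf</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def host_matches(host, domains):
    """True when host equals one of domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_email(raw):
    """Return (finding, detail) pairs for the two lure tells."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. A brand in the display name, but the address is not on that brand's domains.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not host_matches(sender_domain, domains):
            findings.append(("brand-sender-mismatch", f"{display} <{addr}>"))
    # 2. Links that land on a form builder instead of the file-sharing service.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for link in collector.links:
        host = urlsplit(link).hostname or ""
        if host_matches(host, FORM_BUILDER_HOSTS):
            findings.append(("form-builder-link", host))
    return findings


if __name__ == "__main__":
    for finding, detail in analyze_email(RAW_EMAIL):
        print(f"{finding}: {detail}")
```

Neither rule is proof of phishing on its own, since organizations do send legitimate forms from these services, but a document-share notification whose only link is a form builder is exactly the shape of this campaign and deserves a quarantine rather than a warning banner.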

Rise in Phishing Scams During the 2021 Tax Season

More than any other, the 2021 tax season has been rife with cybercrime and scams. The delayed start and the COVID pandemic have created fertile ground for hackers trying to make a quick buck from phishing campaigns against unaware users.

“It’s like the perfect storm we’re dealing with right now,” said Howard Silverstone, a forensic accountant and a member of the American Institute of Certified Public Accountants’ fraud task force.

Much of the fraud typically involves identity theft, according to tax experts. In such cases, a criminal might steal personal information to file a fake tax return and collect your refund.

Taxpayers may also unwittingly supply personal data to criminals who falsely claim they can help collect stimulus checks, according to the IRS. Congress is aiming to pass a $1.9 trillion Covid relief bill that includes $1,400 stimulus checks by mid-March.

“Thousands of people have lost millions of dollars and their personal information to tax scams,” according to the IRS.

More than 89,000 Americans filed a complaint with the Federal Trade Commission last year reporting tax fraud linked to identity theft, according to the consumer agency. Identity theft was the most reported type of fraud in 2020, the FTC said.

Criminals often reach out via telephone and e-mail to try ripping off unsuspecting victims.

In IRS imposter scams, for example, a con artist may pose as an IRS agent and try to intimidate callers into divulging sensitive information. Phishing scams aim to get data like account information and passwords through bogus websites, texts and emails.

However, the IRS won’t initiate contact with taxpayers by email, text message or social media channels to request personal or financial information. The agency also won’t call to demand immediate payment; officials will generally first mail a bill to any taxpayer who owes taxes.

Protection against Phishing Attacks

The key in defending against phishing is always education. Business leaders should ensure employees receive regular cybersecurity training to be able to spot fraudulent emails. There are always occasions when phishing scams are so high-fidelity that they can rarely be spotted by the naked eye, and in this case a number of cybersecurity tools should be available to discern the legitimacy of possible scams. One of these tools is SaferNet.



North Korean-backed Lazarus Group Attacks Freighters With New Vyveva Malware

The North Korean-backed Lazarus Group has been using a new malware with backdoor capabilities in an ongoing campaign against South African freighters and logistics companies. The malware, dubbed Vyveva, was first reported on by researchers at ESET last year. While Vyveva was only found on a handful of freighters by ESET, it is understood that the malware has infected several ships that have yet to be reported.

The Vyveva malware comes with an extensive toolkit, allowing Lazarus Group operators to harvest and exfiltrate files from infected systems to servers under their control using the Tor anonymous network as a secure communication channel.

Lazarus Group can also use the malware to deliver and execute malicious code on any compromised system on the target network, making propagation a big threat in the campaign.

According to BleepingComputer, Vyveva boasts many other features, including support for timestomping commands, which allows its operators to manipulate any file’s date using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files.

“While the backdoor will connect to its command-and-control (C2) server once every three minutes, it also uses watchdogs designed to keep track of newly connected drives or the active user sessions to trigger new C2 connections on a new session or drive events,” BleepingComputer reported.

ESET noted several similarities between Vyveva and other malware strains developed by Lazarus Group. The use of a fake TLS protocol in network communication, command-line execution chains, and the methods of using encryption and Tor services are all evidence of a Lazarus Group attack.

On the geographic scale of the attack, security researcher Filip Jurčacko said, “Vyveva constitutes yet another addition to Lazarus Group’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.”

Vyveva Malware Analysis

Much of this analysis was carried out by ESET, and reported through WeLiveSecurity.

As mentioned, there are a number of similarities between Vyveva and other Lazarus Group malware strains. This is most notable when compared with the NukeSped remote access trojan.

Comparison of Vyveva and NukeSped, courtesy of WeLiveSecurity

ESET has found three of the multiple components comprising Vyveva: its installer, loader and backdoor. The installer is the earliest stage found chronologically, and since it expects other components to be already present on the machine, it suggests the existence of an earlier, unknown stage, a dropper. The loader serves to decrypt the backdoor using a simple XOR decryption algorithm.

Vyveva Components

The installer creates a service that ensures the persistence of the backdoor, as well as storing the backdoor configuration in the registry. The malware aims to create legitimate-looking services by randomly combining words taken from existing services.

The installer will first set the configuration infection ID, which is unique for each victim. This is also stored in the registry, along with a configuration for the encrypted C&C servers.

The backdoor is Vyveva’s main component. It connects to the C&C and executes commands from Lazarus Group, featuring 23 different commands. Most of them are ordinary commands for file and process operations or information gathering, but there is also a less common command for file timestomping.

The configuration of the backdoor, which is initially set by the installer, is read from the registry value. When the configuration is modified by a C&C command, the value stored in the registry is updated.

Config file, from WeLiveSecurity
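The timestomping command described above leaves a pattern that can be searched for during a forensic triage. The script below is an added example, not ESET's or SaferNet's code. It takes a constructed list of file records (path, creation time, modification time) and flags files whose modification time falls in the 2000 to 2004 window the article reports while the file was created years later; as a weaker signal it also flags files modified before they were created, which installers that preserve source timestamps produce too, so that alone is low severity. The year thresholds are assumptions.

```python
"""Timestomping triage heuristic over constructed file metadata records."""
from datetime import datetime

# The random-date window the article reports for Vyveva's timestomping command.
STOMP_WINDOW = (datetime(2000, 1, 1), datetime(2004, 12, 31, 23, 59, 59))
# Assumption: nothing on this fleet was genuinely created before this date.
MIN_PLAUSIBLE_CREATED = datetime(2010, 1, 1)

# Constructed records (paths and times invented for the illustration).
SAMPLE_FILES = [
    {"path": r"C:\Windows\System32\svchelper_example.dll",
     "created": datetime(2021, 3, 2, 9, 14), "modified": datetime(2002, 7, 14, 3, 41)},
    {"path": r"C:\Program Files\ExampleApp\app.exe",          # installer kept source mtime
     "created": datetime(2019, 5, 1, 12, 0), "modified": datetime(2019, 4, 20, 8, 30)},
    {"path": r"C:\Users\bob\Documents\notes.txt",
     "created": datetime(2020, 11, 5, 10, 0), "modified": datetime(2021, 1, 8, 16, 22)},
]


def scan_timestamps(files):
    """Return (path, reason, severity) for records matching the heuristics."""
    findings = []
    lo, hi = STOMP_WINDOW
    for f in files:
        created, modified = f["created"], f["modified"]
        if lo <= modified <= hi and created >= MIN_PLAUSIBLE_CREATED:
            # A 2000-2004 modification time on a file born after 2010 has no
            # innocent explanation on a fleet this young.
            findings.append((f["path"], "backdated-2000-2004", "high"))
        elif modified < created:
            # Common for installed files whose source mtime was preserved;
            # worth listing, not worth paging anyone for.
            findings.append((f["path"], "modified-before-created", "low"))
    return findings


def high_severity_paths(files):
    """Just the paths that warrant immediate follow-up."""
    return [path for path, _, sev in scan_timestamps(files) if sev == "high"]


if __name__ == "__main__":
    for path, reason, severity in scan_timestamps(SAMPLE_FILES):
        print(f"[{severity}] {reason}: {path}")
```

On NTFS the stronger version of this check compares the $STANDARD_INFORMATION times (which user-mode timestomping tools rewrite) against the $FILE_NAME times in the MFT, which they usually do not touch; the records here model only the first set, which is what a plain directory listing exposes.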

Lazarus Group; Veteran Threat Actors

Lazarus Group first came into the public spotlight when they carried out Operation Troy, which ran between 2009 and 2012.

Operation Troy was a series of distributed denial-of-service (DDoS) attacks targeting government establishments in Seoul, South Korea.

Lazarus Group made the news again, identifying themselves as 'Guardians of Peace', in November 2014 for carrying out the Sony Pictures hack. During the attack, confidential data on many Sony Pictures employees was released, initially circulating on Reddit. The attack is notable in the history of Lazarus Group: it was carried out in a sophisticated and complex manner, showing that the group was now developing its skills rapidly.

Lazarus Group has also been blamed for a number of digital bank heists; the amount stolen is believed to be at least $97 million.

The WannaCry ransomware attack of 2017, which brought a number of healthcare systems, including the NHS in the UK, to a halt, has been attributed to Lazarus Group by several security firms and, in December 2017, publicly by the US and UK governments.

More recently, Lazarus Group has been involved in a number of additional attacks, notably the late-2020 attacks on pharmaceutical companies. Using spear-phishing, members of Lazarus Group posed as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, they sent the companies a number of malicious links. The goal of the attack is unconfirmed, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 research.

Protection

Groups like Lazarus show that few industries are beyond the reach of malware. Business owners should be vigilant about their cybersecurity suite and use proactive tools in the fight against malware. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices; including activity, time spent online, and threats blocked.

REvil Ransomware New Update Allows it to Encrypt in Safe Mode

REvil ransomware, already a major threat, has received a new update that gives it extra fangs. In March, the ransomware was extended with the ability to encrypt in Safe Mode. The mode is enabled with the -smode command-line argument, which reboots the device into Safe Mode, where the encryption of files is performed. However, that version required someone to log in to Windows Safe Mode manually before the encryption would start, which could raise red flags. This week another update arrived: the ransomware now changes the logon settings so that the machine logs back in automatically after the restart, fully automating the process.

These features are believed to have been added to evade detection by the host's security software. Safe Mode also helps the encryption itself: most third-party services, including backup agents, database servers and mail servers, do not start in Safe Mode, so the files they would normally hold open or protect can be encrypted with greater success.

The updates were reported on and analysed by security researcher R3MRUM.

Upon infection, REvil edits several values under the Winlogon key of the Windows Registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). Specifically, it sets AutoAdminLogon to “1”, DefaultUserName to the current account name, and DefaultPassword to “DTrump4ever”.

Screenshot: R3MRUM’s analysis of the registry changes

It is unknown if all samples of REvil Ransomware will use this password, however at least two uploaded to VirusTotal have it enabled.
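The registry change above is one of the few REvil behaviours that is both cheap to check and hard to explain away: Windows configures automatic logon through the AutoAdminLogon, DefaultUserName and DefaultPassword values under the Winlogon key, and a cleartext DefaultPassword on an ordinary workstation is abnormal whoever wrote it. The following is an added example, not R3MRUM's analysis or REvil's code: it parses the output of `reg query` for that key and grades what it finds. The sample output is constructed, and treating the page's "DTrump4ever" string as a standalone indicator assumes future samples keep using it, which the text itself says is not certain.

```python
import re
from typing import Dict, List, Tuple

# Winlogon key holding Windows' automatic-logon settings.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Password seen in the REvil samples described above; a hard indicator while it lasts.
REVIL_AUTOLOGON_PASSWORD = "DTrump4ever"

# One value line of `reg query` output: <indent><name><spaces><REG_type><spaces><data>
_REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Parse the text printed by `reg query <key>` into {value name: data}."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def audit_winlogon(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a host's Winlogon values."""
    findings: List[Tuple[str, str]] = []
    auto = values.get("AutoAdminLogon", "0").strip()
    user = values.get("DefaultUserName", "")
    password = values.get("DefaultPassword", "")
    if auto == "1" and password:
        findings.append(("high", f"automatic logon enabled for '{user}' with a cleartext DefaultPassword"))
    elif auto == "1":
        # Kiosks use this legitimately; the password may instead sit in the LSA secret 'DefaultPassword'.
        findings.append(("medium", f"automatic logon enabled for '{user}' without a cleartext password"))
    if password == REVIL_AUTOLOGON_PASSWORD:
        findings.append(("critical", "DefaultPassword matches the REvil safe-mode autologon indicator"))
    return findings


# Constructed `reg query` output shaped like the real command's output (not from a real host).
SUSPECT_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    jdoe
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    DTrump4ever
"""

CLEAN_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    DefaultUserName    REG_SZ    jdoe
    AutoAdminLogon    REG_SZ    0
"""

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_OUTPUT), ("clean", CLEAN_OUTPUT)):
        print(label, audit_winlogon(parse_reg_query(text)) or "no findings")
```

Feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` collected from the host or through your EDR. Because REvil writes these values immediately before rebooting, a registry value-set event (Sysmon event ID 13) on DefaultPassword is worth alerting on in real time rather than only on a periodic sweep.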

REvil has been at the forefront of ransomware attacks for a long time, and this update will ensure it remains there. The gang has grown more aggressive in recent attacks: when victims refused to pay, they called journalists to report the company's breach. There have also been several reports since the start of 2021 of the gang threatening victims with DDoS attacks if they don't pay up.

REvil Ransomware: A Storied History


REvil is Ransomware-as-a-Service (RaaS): it is sold on a subscription basis and usable by just about anybody. In the last 12 months it has extorted large sums from corporations and individuals, and according to researchers it is the most widespread ransomware strain. Groups using it have a knack for shaking down businesses that don't meet their demands, often through threats or by leaking data.

REvil, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in an interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.

The group behind REvil Ransomware and other groups selling RaaS often do so on a commission basis. Usually, this means a cut of between 20% and 30% of the money earned through infecting victims with ransomware.

In 2020, the IBM Security X-Force Incident Response reported that 1 in 3 Ransomware infections were caused by REvil.

In February, the REvil ransomware operation posted a job notice where they were looking to recruit people to perform DDoS attacks and use VOIP calls to contact victims and their partners.

In March, a security researcher known as 3xp0rt discovered that REvil has announced that they were introducing new tactics that affiliates can use to exert even more pressure on victims.

These new tactics include a free service in which the threat actors, or their affiliates, place voice-scrambled VOIP calls to the media and to the victim’s business partners with information about the attack. The gang is presumably betting that warning businesses that their data may have been exposed in an attack on one of their partners will create further pressure on the victim to pay.

REvil is also providing a paid service that allows affiliates to perform Layer 3 and Layer 7 DDoS attacks against a company for maximum pressure. A Layer 3 attack is commonly used to take down the company’s Internet connection. In contrast, threat actors would use a Layer 7 attack to take down a publicly accessible application, such as a web server.

Protection

For threats like REvil, it is important to take a proactive rather than a reactive approach. Reacting after the fact is of little use when the ransomware can reboot the device into Safe Mode and encrypt it before anyone intervenes. It is critical that business leaders use proactive tools like SaferNet to ensure their businesses are protected.


SAP Exploits Used in Active Cyberattack Causing Widespread Infections

Threat actors are exploiting known vulnerabilities in SAP applications in an ongoing, coordinated campaign, according to a joint report by SAP and security researchers at Onapsis. Successful attacks can lead to theft of sensitive data, financial fraud, disruption of mission-critical infrastructure, and the deployment of malware such as ransomware.

SAP is a German multinational corporation based in Baden-Württemberg that develops enterprise software to manage business operations and customer relations. The company is especially known for its enterprise resource planning (ERP) software, customer relationship management (CRM) software, and supply-chain management. SAP is the largest non-American software company by revenue as well as the world’s third-largest publicly-traded software company by revenue.

In their report, SAP noted that the attacks using the exploits could have far-reaching consequences.

“These are the applications that 92 percent of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy,” the alert noted. “With more than 400,000 organizations using SAP, 77 percent of the world’s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.”

Government agencies should be especially wary of the exploits.

“SAP systems are a prominent attack vector for bad actors,” Kevin Dunne, president at Pathlock stated. “Most federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers.”

Exploits Used in the SAP Cyberattack

The hackers are brute-forcing high-privilege SAP user accounts, as well as exploiting known bugs, including CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976, and CVE-2010-5326.

Though their identity is not known, Onapsis has described the hackers as “advanced threat actors”, given how quickly they have been able to develop attacks based on the vulnerabilities.

There is “conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,” the alert reads. “The window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.”

Timeline from Onapsis

The most notable issues are as follows:

CVE-2020-6287 (RECON) – This vulnerability is critical. It is remotely exploitable over HTTP(S) and requires no authentication (pre-auth). Successful exploitation allows the creation of high-privileged application-level SAP users. Because of these characteristics, CISA released an alert on the same day the patch was released. Since the public release of the patch and exploits, Onapsis has recorded consistent active scanning as well as exploitation (333 instances, from 74 distinct IP addresses) for RECON. That activity has increased over time and continues. Of all the vulnerabilities listed, this is the most serious.

CVE-2020-6207 – This vulnerability affects SAP Solution Manager (SolMan), a central component of every SAP installation. Solution Manager is the SAP equivalent of Microsoft Active Directory on Windows platforms: if an organization’s Solution Manager is compromised, an attacker has complete administrative control over every SAP application connected to it.

CVE-2018-2380 – On an unpatched SAP application, this vulnerability can be used to escalate privileges and execute OS commands, eventually reaching the underlying database and moving laterally to other servers. Onapsis identified 34 exploitation attempts from 10 distinct IPs intended to execute OS commands on the underlying operating system.

CVE-2016-9563 – This vulnerability affects the BC-BMT-BPM-DSK component of SAP NetWeaver AS Java 7.5 and is exploitable by remote, low-privileged authenticated attackers. Successful exploitation can cause denial of service (DoS) through XML entity expansion or a similar technique, resulting in loss of availability, and can also give the attacker unauthorized access, resulting in loss of confidentiality.

CVE-2016-3976 – This vulnerability allows remote attackers to read arbitrary files via directory traversal sequences, disclosing information without authorization. It may also allow arbitrary access to OS resources, potentially leading to privilege escalation.

CVE-2010-5326 – This critical vulnerability affects many unsecured SAP applications. By leveraging it, threat actors can execute OS commands without authentication and access the application and its database, effectively gaining full and unaudited control of the SAP business information and processes.

After initial access, Onapsis observed threat actors using the exploits to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.

“Additionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications,” according to the analysis.

The exploits in their assigned groups

According to the report, on a number of occasions, threat actors were observed combining exploits from Group 1 and Group 2 to achieve access to the SAP application and to gain access to the operating system. Additionally, exploits in Group 4 were seen in combination with an initial access that could be obtained through exploits in Group 1 (Application Level access) or Group 3 (OS Level access).

Exploit Chaining Analysis from Onapsis

Interestingly, the cyberattackers in some cases are patching the exploited vulnerabilities after they’ve gained access to a victim’s environment, Onapsis said.

“This action illustrates the threat actors’ advanced domain knowledge of SAP applications, access to the manufacturer’s patches and their ability to reconfigure these systems,” according to the firm. “This technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.”
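Two of the behaviours described in this section leave traces in ordinary web-server or proxy logs in front of an SAP system: requests to the endpoints tied to the unauthenticated bugs above, and the password guessing against high-privilege accounts, which shows up as a run of 401 responses from one client. The following is an added example, not Onapsis's or SAP's code: a small triage pass over log lines. The request paths for CVE-2020-6287 and CVE-2020-6207 are taken from the public advisories for those bugs and, like the log format and the sample lines, are assumptions of this example; the page itself names the CVEs but not their URLs.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Request-path indicators for three of the CVEs above. The paths come from the public
# advisories for these bugs and are an assumption of this example; confirm them against
# your own landscape before alerting on them.
WATCHLIST = [
    ("CVE-2020-6287", re.compile(r"/CTCWebService/CTCWebServiceBean", re.I)),  # RECON, LM Configuration Wizard
    ("CVE-2020-6207", re.compile(r"/EemAdminService/EemAdmin", re.I)),         # Solution Manager EEM admin service
    ("CVE-2016-3976", re.compile(r"(\.\./|%2e%2e(%2f|/))", re.I)),             # directory traversal sequences
]
# NCSA common-log layout (client ident user [time] "method path proto" status size).
# Assumed format; adapt the expression to your reverse proxy or SAP ICM log layout.
_LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def triage(lines, bruteforce_threshold: int = 5) -> Dict[str, object]:
    """Return watchlist hits (client, CVE, request) and clients whose count of
    401 responses reaches the threshold, the signature of password guessing."""
    hits: List[Tuple[str, str, str]] = []
    failures: Counter = Counter()
    unparsed = 0
    for line in lines:
        m = _LOG.match(line)
        if m is None:
            unparsed += 1          # never silently drop lines the regex does not fit
            continue
        client, method, path, status = m.groups()
        for cve, pattern in WATCHLIST:
            if pattern.search(path):
                hits.append((client, cve, f"{method} {path}"))
        if status == "401":
            failures[client] += 1
    bruteforce = {c: n for c, n in failures.items() if n >= bruteforce_threshold}
    return {"hits": hits, "bruteforce": bruteforce, "unparsed": unparsed}


# Constructed sample lines (reserved documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2021:10:01:12 +0000] "GET /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Apr/2021:10:01:15 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 4096',
    '198.51.100.9 - - [07/Apr/2021:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 1234',
    '198.51.100.9 - - [07/Apr/2021:10:03:01 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 77',
] + [
    f'192.0.2.77 - - [07/Apr/2021:10:04:{s:02d} +0000] "POST /irj/portal HTTP/1.1" 401 0' for s in range(5)
] + [
    '192.0.2.77 - - [07/Apr/2021:10:05:09 +0000] "GET /download?fileName=../../../../etc/passwd HTTP/1.1" 200 2048',
    'garbage line that is not a log record',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, cve, request in result["hits"]:
        print(f"{client}: {cve} via {request}")
    print("possible brute force:", result["bruteforce"], "| unparsed:", result["unparsed"])
```

A hit is evidence of an attempt, not of success: a 200 on an unauthenticated POST to the RECON endpoint deserves immediate follow-up, a 404 from a system that has the component disabled much less so. And given the report's observation that the attackers patch the holes behind them, a host that is not vulnerable today but shows hits in the weeks before it was patched should be treated as possibly compromised.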

Protection

Against vulnerabilities like these, the first step in securing systems is always to patch them. Unpatched systems are the root cause of many cyberattacks, especially against businesses. Two caveats follow directly from the Onapsis findings. First, patches must be applied within days, not months: exploitation was seen within 72 hours of a patch release, and newly provisioned cloud instances were found and compromised within three hours. Second, a system that shows as patched today is not necessarily clean, because the attackers were observed patching the vulnerabilities themselves after gaining access. Systems that were exposed before the patch was applied should be checked for unexpected high-privileged users, unexpected services, and patches applied outside the normal change process.

Beyond patching, business owners should take a proactive attitude to cybersecurity, which includes using the best tools for the job. One of these tools is SaferNet.


More_Eggs Trojan Spreads Among LinkedIn Job Seekers

A backdoor trojan is infecting hopeful job-seekers on LinkedIn through a spear-phishing campaign, according to a new report by eSentire. The phishing email attempts to get the job-seeker to open a malicious .zip file, which is the first step in deploying the More_Eggs trojan onto their device. The malicious files are tailored to the target and carry “position” at the end of the file name, which helps them appear legitimate.

“For example, if the LinkedIn member’s job is listed as ‘Senior Account Executive—International Freight,’ the malicious .ZIP file would be titled ‘Senior Account Executive—International Freight position’ (note the ‘position’ added to the end),” according to the eSentire report. “Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.”

As a backdoor trojan, More_Eggs allows hackers to access a user’s system from a remote location. This includes sending and receiving files, so it can also function as a loader for other malware strains.

While many groups have been found to use More_Eggs, it is developed by the Golden Chickens threat group, which sells the trojan under a Malware-as-a-Service (MaaS) subscription.

Researchers at eSentire have noted 3 aspects of More_Eggs that make it a “formidable threat to business and business professionals.”

Firstly, the trojan bypasses most antivirus defenses by abusing Windows processes. Secondly, it uses personalized spear-phishing to increase its chance of success. Lastly, more_eggs has been deployed at a time when job hunters are desperate to find work in the midst of a global pandemic.

The motivation behind the attacks is not yet known. There is little to gain from the devices of unemployed individuals, since they are not connected to any corporate network. Some researchers have pointed out that the implant may lie dormant and be activated later, once the victim has access to business systems from the infected device.

In the report, eSentire follows the More_Eggs LinkedIn attack on someone in the health care technology sector. Chris Hazelton of mobile security provider Lookout stated that the victim was likely chosen so that cybercriminals could gain “access to an organization’s cloud infrastructure, with a potential goal of exfiltrating sensitive data related to intellectual property or even infrastructure-controlling medical devices.” He added, “Connected devices, particularly medical devices, could be a treasure trove for cybercriminals.”

Morales added that to avoid compromise, all users on LinkedIn should be on the lookout for spear-phishing scams.

“Targeting LinkedIn is not rocket science,” he added. “It is social media for the corporate world with a description of the key players in every industry. I assume that I am a target too and always look for that.”

Potential Threat Actors Deploying More_Eggs Trojan

It is currently unknown which group is behind this campaign. It is unlikely to be The Golden Chickens themselves, as in the past, they have mostly been responsible for developing and selling the trojan. In their report, eSentire outlined 3 likely threat actor groups behind the campaign. These groups have used More_Eggs in the past, using the same methods as found in the current LinkedIn campaign.

FIN6 – FIN6 is a financial cybercrime group that primarily steals payment card data and sells it on underground marketplaces. The FIN6 group first gained notoriety in 2014 for their attacks against point-of-sale (POS) machines in retail outlets and hospitality companies. Continuing their quest for credit and debit card data, they later moved on to targeting e-Commerce companies and stole their credit card data via online skimming. The FIN6 threat group has also been known to infect some of their victims with ransomware.

Researchers reported in Feb. 2019 that FIN6 was specifically targeting numerous e-Commerce companies and using malicious documents to infect their targets with the more_eggs trojan as the initial phase of their attack.

Later that year, in August 2019, security researchers found that the FIN6 group began another malicious campaign. The researchers believe the FIN6 threat actors were actively going after multinational organizations. Similar to the current incident, FIN6 spearphished specific employees with fake job offers. If the targets fell for the lure, they too were infected with the more_eggs backdoor trojan.

Evilnum – The Evilnum cybercrime group is best known for compromising financial technology companies, companies that provide stock trading platforms and tools. Their target is financial information about the targeted FINTECH companies and their customers. They target items such as spreadsheets and documents with customer lists, investments, trading operations, and credentials for trading software/platforms and software.

The Evilnum group is also known to spearphish employees of the companies they are targeting and enclose malicious zip files. If executed, the employees get hit with the more_eggs backdoor trojan, along with other malware.

Cobalt Group – The Cobalt Group is also known to go after financial companies, and it has repeatedly used the more_eggs backdoor trojan in their attacks.

More_Eggs Trojan Analysis

The More_Eggs trojan has been analysed in depth by IBM X-Force Incident Response and Intelligence Services (IRIS).

As mentioned, to gain access to victim environments, the threat actor began by targeting handpicked employees using LinkedIn messaging and email, advertising fake jobs to lure recipients into checking into the supposed offers. 

Once the attacker has established communication with a victim via email, they convince them to click on a Google Drive URL purporting to contain an attractive job advert. Once clicked, the URL displays the message, “Online preview is not available,” then presents a second URL leading to a compromised or rogue domain, where the victim can download the payload under the guise of a job description.

Link provided in spear phishing email to an employee

That URL, in turn, downloads a ZIP file containing a malicious Windows Script File (WSF) that initiates the infection routine of the More_Eggs backdoor trojan.

Final landing page that downloads a malicious file

The ZIP file and WSF files are deleted upon a successful malware infection, likely in an attempt to prevent researchers from recovering the original files from the filesystem. The filesystem, however, contains evidence of a non-malicious decoy document dropped to the disk drive during the spear phishing attacks.

The spear phishing attacks led to initial compromise and the installation of the More_eggs JScript backdoor, which established a reverse shell connection to the attacker’s command-and-control (C&C) infrastructure. Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd[.][exe].

X-Force IRIS determined that the More_eggs backdoor later downloaded additional files, including a signed binary shellcode loader and a signed Dynamic Link Library (DLL), as described below, to create a reverse shell and connect to a remote host. The shellcode loader was observed on one infected device as updater.exe with the Metasploit-style service name APTYnDS1ABEuUHEA, indicating that it was installed as a service.

Once the attackers established a foothold on the network, they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment. This type of method, called ‘living off the land’, can often blend with legitimate system administration activities, which can make it challenging for security controls to detect.

To cement their foothold and add persistence throughout the compromised environment, X-Force IRIS uncovered evidence that the attacker had selected several additional devices on which to install the More_eggs backdoor, creating redundancy in ways to get back into the network. Hackers remotely connected to these devices using PowerShell and WMI and downloaded and executed a DLL file, subsequently installing More_eggs on the device without dropping the nonmalicious decoy document.

After a successful phishing attack in which users have opened emails and browsed to malicious links, hackers install the More_eggs JScript backdoor on user devices alongside several other malware components.

The process begins with the execution of a malicious DLL via the legitimate regsvr32[.][exe] Windows utility. Once executed, the DLL is deleted from the system and its components are dropped to disk.
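The chain described above (a .wsf inside a ZIP run by the Windows script host, a DLL registered through regsvr32, a service installed under a machine-generated name, and PowerShell driven through WMI for lateral movement) is unusually easy to express as behavioural detections, because every step uses a legitimate Windows binary in a way that ordinary software rarely does. The following is an added example, not eSentire's or X-Force's code: it encodes those behaviours as rules over constructed event records shaped like Sysmon process-creation and System-log service-install events. The field names, the sample events, the list of user-writable paths and the 16-character service-name pattern (generalized from the single name on the page) are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Assumed paths an ordinary user can write to; loaders are staged there, OS binaries are not.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Shape of the Metasploit-style service name on the page (APTYnDS1ABEuUHEA):
# exactly 16 alphanumerics with mixed case and at least one digit. Assumed generalization.
RANDOM_SVC_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{16}$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Apply the behavioural rules to one event. Event dicts mimic the fields of a
    Sysmon process-create record (Image, ParentImage, CommandLine) or a System-log
    service-install record (ServiceName, ImagePath)."""
    findings: List[str] = []
    if ev["type"] == "process":
        image = _basename(ev["Image"])
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # A DLL registered from a user-writable path: the regsvr32 step of the chain.
        if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
            findings.append("regsvr32 loading a DLL from a user-writable path")
        # The script host running a .wsf; the job-offer lure names it '... position'.
        if image in SCRIPT_HOSTS and re.search(r"\.wsf\b", cmd, re.I):
            findings.append("script host executing a .wsf file")
            if re.search(r"\bposition\b", cmd, re.I):
                findings.append("script name carries the 'position' job-offer lure")
        # A shell whose parent is the WMI provider host: remote execution via WMI.
        if parent == "wmiprvse.exe" and image in ("powershell.exe", "cmd.exe"):
            findings.append("shell spawned by WmiPrvSE.exe (remote WMI execution)")
    elif ev["type"] == "service":
        if RANDOM_SVC_NAME.match(ev["ServiceName"]):
            findings.append("service name looks machine-generated (16 random alphanumerics)")
        if USER_WRITABLE.search(ev["ImagePath"]):
            findings.append("service binary lives in a user-writable path")
    return findings


def scan(events) -> List[Tuple[str, str]]:
    """Run every event through the rules; return (host, finding) pairs."""
    return [(ev["host"], f) for ev in events for f in check_event(ev)]


# Constructed sample telemetry for one workstation and one server (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Senior Account Executive position.wsf"'},
    {"type": "process", "host": "WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Roaming\x.dll"'},
    {"type": "process", "host": "WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\shell32.dll"},     # benign
    {"type": "process", "host": "SRV02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -nop -w hidden -c whoami"},
    {"type": "service", "host": "SRV02", "ServiceName": "APTYnDS1ABEuUHEA",
     "ImagePath": r"C:\Users\Public\updater.exe"},
    {"type": "service", "host": "SRV02", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},                          # benign
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

None of these rules is a conviction on its own: regsvr32 from a user profile fires on some installers, and WMI-spawned shells are common in managed environments. Their value is in the sequence, a script-host .wsf followed within minutes by regsvr32 on a freshly written DLL on the same host, and then a random-named service on a second host, which is the order the X-Force write-up describes.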

Protection

The more_eggs trojan is yet another attack vector being used by hackers to exploit people in need. As hackers step up their game, individuals and business owners need the right tools to defend themselves against ever-advancing threats. One of these tools is SaferNet.


What Is A VPN?

Virtual Private Networks, or VPNs, are an essential tool to online life, and they don’t need to be a mystery. At SaferNet we specialize in making the complex simple; learn more at www.safernet.com

Why is a VPN necessary?

A Virtual Private Network is required in today’s connected society because the tools and methods used to intercept data have grown more sophisticated. Hackers on the same network, governments, and even your own Internet Service Provider can observe the sites you connect to and any traffic that is not otherwise encrypted, which can include sensitive passwords and identity details. Having this type of data in the wrong hands can lead to breached social media accounts, your employer’s corporate system becoming exposed, compromised online bank accounts, and even identity theft.

IRS Warns of Phishing Campaign Targeting Colleges and Universities

A new phishing campaign has appeared which targets colleges and universities. The IRS has warned of scammers impersonating the service and targeting traditional educational institutions. The phishing attacks are carried out via email and attempt to lure victims with several methods, mostly a promised tax refund. The campaign focuses on staff and students who use a .edu email address. “The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions,” the revenue service said.

The attacks were first noted by Abnormal Security in late March. Researchers found that the campaign was sent to as many as 50,000 inboxes. The subject line usually reads “Tax Refund Payment” or “Recalculation of your tax refund payment” to attract the target’s attention, and the email states that the victim is due to receive $1,400.

Screenshot: the phishing email being sent by the scammers

The email contains a link with the text “Claim your refund now.” Clicking it sends the victim to a fraudulent IRS page that prompts them to enter their information. Though many phishing pages look suspicious, the fake IRS page in this case is high-fidelity.

The information the victim is asked for includes:

  • Social Security number
  • First Name
  • Last Name
  • Date of Birth
  • Prior Year Annual Gross Income (AGI)
  • Driver’s License Number
  • Current Address
  • City
  • State/U.S. Territory
  • ZIP Code/Postal Code
  • Electronic Filing PIN

This impersonation is especially convincing as the attacker’s landing page is identical to the IRS website, including the popup alert that states, “THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY,” a statement that also appears on the legitimate IRS website.

Screenshot: the fraudulent webpage

The attacker also conceals the real URL so the recipient does not notice that the link leads to a form hosted on an Amazon domain, lending the landing page an appearance of legitimacy.

One reason the campaign succeeds is that it bypasses Outlook’s built-in security features. It likely slipped past email gateways because those gateways are trained on samples from ongoing, high-volume attacks. Socially engineered phishing is much lower in volume, targets specific people, and is hosted on domains that can be taken down quickly after use, so little of it ever makes it into gateway reputation data. Attackers routinely exploit this gap to reach inboxes.
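Since the gateway let these messages through, the check has to happen on what the message itself contains: the subject lure, the sender domain, and, above all, where each link really points, which is the detail the attacker worked to hide. The following is an added example, not Abnormal Security's or the IRS's code: it parses a raw message with Python's standard library, extracts every anchor, and compares the sender and link hosts against the domain the brand in the mail legitimately uses (irs.gov). The two messages are constructed with reserved example domains, and the brand table and lure phrases are assumptions of this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Brand keyword -> domains that brand legitimately uses (assumed table; extend per brand).
BRAND_DOMAINS = {"irs": ("irs.gov",)}
LURE_SUBJECTS = ("tax refund", "recalculation of your tax")


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_brand_host(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_email(raw: str) -> List[str]:
    """Return human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    subject = str(msg["subject"] or "")
    if any(lure in subject.lower() for lure in LURE_SUBJECTS):
        findings.append(f"lure subject: {subject!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    anchors = _Anchors()
    anchors.feed(html)
    sender = msg["from"]
    sender_host = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    for brand, domains in BRAND_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", subject + " " + html, re.I):
            continue   # the mail does not claim this brand; nothing to compare against
        if sender_host and not _is_brand_host(sender_host, domains):
            findings.append(f"claims to be {brand.upper()} but is sent from {sender_host}")
        for href, text in anchors.links:
            host = _host_of(href)
            if host and not _is_brand_host(host, domains):
                findings.append(f"link {text!r} leads to {host}, outside {', '.join(domains)}")
            shown = _host_of(text)
            if shown and shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed messages (not the real campaign's mail); domains are reserved example names.
PHISH = """\
From: "Internal Revenue Service" <refunds@irs-notice.example.net>
To: student@university.example.edu
Subject: Tax Refund Payment
Content-Type: text/html; charset="utf-8"

<html><body><p>The IRS has recalculated your refund of $1,400.</p>
<p><a href="https://forms-cdn.example.net/irs/claim">Claim your refund now</a></p>
<p>Status: <a href="https://track.example.net/r?u=1">https://www.irs.gov/refunds</a></p>
</body></html>
"""

LEGIT = """\
From: "Bursar Office" <bursar@university.example.edu>
To: student@university.example.edu
Subject: Spring tuition statement
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is in the <a href="https://bursar.university.example.edu/">portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in triage_email(PHISH):
        print("PHISH:", finding)
    print("LEGIT:", triage_email(LEGIT) or "no findings")
```

The host comparison is what catches the trick described above: a form on an Amazon-hosted domain is outside irs.gov however convincing the page behind it looks. The check sees only the first hop, so a link that passes through a tracking redirector should be expanded (in a sandbox, never from the recipient's browser) before the destination is judged.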

The IRS advises university staff and students who receive one of these phishing emails not to click any of the embedded links and to forward the emails (as file attachments) to phishing@irs.gov. They should also obtain an Identity Protection PIN as soon as possible, to block identity thieves from filing fraudulent tax returns in their names using stolen personal information.

Phishing and Identity Theft

The IRS has long been impersonated by scammers and hackers in phishing campaigns. The goal of these campaigns is to sell victims’ data online, where it goes on to be used for identity theft.

As recently as November, there was another IRS phishing campaign. Hackers sent phishing emails that tried to trick potential victims by stating that they had outstanding charges related to missed or late payments.

The attack targeted Outlook users and was sent to over 70,000 inboxes.

To intimidate their victims and send them into panic mode, the scammers resorted to legal threats and even added the possibility of an eventual arrest from the very start of the emails, whose subject lines include a “warrant for your arrest” warning.

For added effect, the recipients were also told that the emails would be forwarded to their employer so that the made-up outstanding amounts could be legally withheld from their wages.

“We have sent you this warning notification about legal proceedings in May 2019. But you failed to respond on time,” the messages said. “This time, if you fail to respond then we will register this case in court. Consider this as a Final Warning.”

Protection Against Phishing Attacks

When phishing attacks can bypass Outlook security, it is important to have additional tools to combat fraudulent emails. One of these tools is SaferNet. Even if an email makes it through inbox security, SaferNet will kick in when a victim clicks a link, preventing the target from viewing and interacting with the page.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware, and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at an economical price point that caters to businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.