Supply Chain Attacks on The Rise As PHP Infiltrated With Backdoor Malware

Malware has plagued the supply chain during the pandemic, providing an easy route for hackers to infiltrate systems that rely on third-party applications and services. A new attack was reported this week: on Sunday, the PHP project announced that hackers had gained access to its primary Git server. They proceeded to upload two malicious commits, including a backdoor. Luckily, the commits were discovered before they reached production.

PHP is a general-purpose scripting language especially suited to web development. It is extremely popular and a powerful tool for making dynamic and interactive Web pages. PHP can be embedded into HTML, which can make a PHP-driven attack particularly dangerous.

The commits were pushed to the php-src (source) repository, meaning the hackers could have pulled off a supply chain attack if developers had picked up the code believing it to be legitimate.

Both pushes, which can be viewed here, claimed to be ‘fixing a typo’ within the code. The pushes were made using the accounts of PHP’s founders, Rasmus Lerdorf and Nikita Popov. This gave the pushes an air of credibility, as they appeared to come from trusted sources.

In a statement, Popov explained, “We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).”

Popov went on to explain that PHP would be moving its repositories to GitHub in the hope of added security.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.”

Popov also explained that they would review the entire repository, searching for any corruption or traces of malware.

Craig Young, principal security researcher at Tripwire, said regarding the attack, “Had it not been detected, the code could have ultimately poisoned the binary package repositories which countless organizations rely upon and trust. Open-source projects which are self-hosting their code repositories may be at increased risk of this type of supply chain attack and must have robust processes in place to detect and reject suspicious commits.”
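One shape such a “detect and reject suspicious commits” process can take is a policy gate over the commits in a push. This is an added example, not code from the PHP project or Tripwire; the maintainer allow-list and the commit lines are constructed, and the input format assumed is that of `git log --format='%H|%an|%ae|%G?|%s'`.

```python
# Added example: a policy gate over pushed commits, in the spirit of
# "detect and reject suspicious commits". Input lines use the format of
#   git log --format='%H|%an|%ae|%G?|%s' <old>..<new>
# where %G? is git's signature status: G = good signature from a trusted key,
# N = no signature, B = bad signature, U/X/Y/R/E = untrusted, expired,
# revoked or missing key. All sample data below is constructed.

from dataclasses import dataclass

# Hypothetical allow-list of maintainer addresses for a project.
TRUSTED_AUTHORS = {"maintainer1@example.org", "maintainer2@example.org"}


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    subject: str


def parse_log_line(line):
    # maxsplit=4 keeps any '|' that appears inside the subject line intact
    sha, name, email, sig, subject = line.split("|", 4)
    return Commit(sha, name, email, sig, subject)


def check_commit(commit, trusted=TRUSTED_AUTHORS):
    """Return the reasons this commit should be rejected (empty list = accept)."""
    reasons = []
    if commit.sig_status == "N":
        reasons.append("commit is not signed")
    elif commit.sig_status != "G":
        reasons.append(f"signature status {commit.sig_status} is not a trusted good signature")
    if commit.author_email.lower() not in trusted:
        reasons.append(f"author {commit.author_email} is not an approved maintainer")
    return reasons


def gate_push(log_lines, trusted=TRUSTED_AUTHORS):
    """Split pushed commits into accepted SHAs and a {sha: reasons} map of rejections."""
    accepted, rejected = [], {}
    for line in log_lines:
        c = parse_log_line(line)
        reasons = check_commit(c, trusted)
        if reasons:
            rejected[c.sha] = reasons
        else:
            accepted.append(c.sha)
    return accepted, rejected


# Constructed sample push: one properly signed maintainer commit, one unsigned
# commit that borrows a maintainer's identity under a "Fix typo" subject, and
# one signed commit from an address outside the allow-list.
SAMPLE_PUSH = [
    "1111111|Maintainer One|maintainer1@example.org|G|Fix parser edge case",
    "2222222|Maintainer One|maintainer1@example.org|N|Fix typo",
    "3333333|Someone Else|someone@example.net|G|Fix typo",
]

if __name__ == "__main__":
    ok, bad = gate_push(SAMPLE_PUSH)
    print("accepted:", ok)
    for sha, why in bad.items():
        print("rejected", sha, "->", "; ".join(why))
```

Because signing keys stay with the developers rather than on the hosting server, a check like this still holds when the server itself is the thing compromised, which is what Popov’s statement suspects happened here.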

Malware Attacks On The Supply Chain

As businesses rely more on third-party services, the digital supply chain has become a prime target for hackers armed with malware. While a business or industry may employ tight cybersecurity practices, a supply chain malware attack targets the weakest link to gain a foothold in an otherwise secured business. These sorts of attacks have been rife in the last 12 months, most notably the SolarWinds attack, which SaferNet covered previously.

Weaponizing code dependencies, like with PHP, is a relatively new attack vector. Last year, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

In December, RubyGems, an open-source package repository and manager for the Ruby web programming language, took two of its software packages offline after they were found to be laced with malware.

And in January, three malicious software packages were published to npm, masquerading as legitimate by using brandjacking. Any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.

Before the pandemic, one of the most infamous malware supply chain attacks occurred in 2017 and was attributed to Russia. The NotPetya malware compromised Ukrainian accounting software as part of an attack designed to target the country’s infrastructure, but the malware spread quickly to other countries. NotPetya wound up doing more than $10 billion in damage and disrupted operations for multinational corporations such as Maersk, FedEx, and Merck.

Supply chain attacks are attractive to hackers because when commonly used software is compromised, the attackers could potentially gain access to all the enterprises that use that software.

Protection

As cyberattacks evolve and become more frequent, it’s important that homes and businesses have the right tools to combat the threats they’re facing. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

Latest Mirai Botnet Update Targets Routers and New IoT Devices

The Mirai botnet is back in the headlines after a barrage of new attacks using updated modules against D-Link, Netgear, and SonicWall devices and routers. The updates bring with them the ability to target flaws never seen before in Internet-of-Things (IoT) devices. Since late February, groups using Mirai have been targeting six known vulnerabilities and three previously unknown ones. These exploits include:

  • VisualDoor – a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
  • CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
  • CVE-2021-27561 and CVE-2021-27562 – two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
  • CVE-2021-22502 – an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
  • CVE-2019-19356 – a Netis WF2419 wireless router RCE exploit, and
  • CVE-2020-26919 – a Netgear ProSAFE Plus RCE vulnerability

The three previously undisclosed command injection vulnerabilities were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with a separate botnet by the name of MooBot.

Mirai’s longevity in the cybercrime community owes to the fact that its source code was publicly released in 2016, leading to a slew of variants and updates since then. Its shifting nature has made it difficult to keep tabs on.

All of the known vulnerabilities Mirai targeted have been patched; the only devices it is currently known to affect are those without the latest updates. The unknown vulnerabilities are believed to be tied to IoT devices, a target group that Mirai has gone after throughout its lifetime.

“We cannot say with certainty what the targeted devices are for the unidentified exploits,” Zhibin Zhang, principal researcher for Unit 42 stated, “However, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.”

[Image: Mirai port scanning in February, observed by Unit 42]

The exploits themselves include two RCE attacks: one targeting a command-injection vulnerability in certain components, and another targeting the Common Gateway Interface (CGI) login script, where a key parameter is not properly sanitized. The third exploit targets the op_type parameter, which is likewise not properly sanitized, leading to command injection, said researchers.

The latter has “been observed in the past being used by the Moobot botnet, however, the exact target is unknown,” researchers noted.

Mirai: A Storied Botnet

The Mirai Botnet has been around for several years. While other malware may go into periods of slow activity, Mirai has remained at the forefront of botnet headlines since its inception.

Perhaps Mirai’s most infamous attack came on October 12, 2016. On that date, a massive distributed denial of service (DDoS) attack left much of the internet inaccessible on the U.S. east coast. The attack, which authorities initially feared was the work of a hostile nation-state, was in fact the work of the Mirai botnet.

This attack, which initially had much less grand ambitions, grew more powerful than its creators ever dreamed possible. The origins of the botnet were the subject of speculation for some time, with many believing it to be the work of high-profile cybercriminals. Instead, Mirai was created by a group of three friends who were using the botnet to run an extortion ring on servers for Minecraft, a video game they played together.

It incorporated some clever techniques, including its list of hardcoded passwords. But, in the words of an FBI agent who investigated the attacks, “These kids are super smart, but they didn’t do anything high level—they just had a good idea.”

Much more damaging than simply developing the botnet, the creators released the source code publicly in 2016. This has led to a wildfire of Mirai-related attacks, and researchers estimate there are currently more than 60 variants of the botnet.

Mirai has a few key characteristics seen across all variations of it:

  • Mirai can launch both HTTP flood and network-level attacks
  • There are certain IP address ranges that Mirai is hard-wired to avoid, including those owned by GE, Hewlett-Packard, and the U.S. Department of Defense
  • Upon infecting a device, Mirai looks for other malware on that device and wipes it out, in order to claim the gadget as its own
  • Mirai’s code contains a few Russian-language strings. This was intended as a red herring about its origin, but the strings still remain in variants

Protection

With evolving botnet tools like Mirai posing new threats every day, it’s important that you use the tools required to protect your devices. One of these tools is SaferNet.

Opportunistic Hackers Swoop In On American Rescue Act To Deploy Banking Malware

Malware often makes its nest in crisis areas. Individuals looking for aid, financial or otherwise, are key targets for phishing lures put out by hackers. These crisis-focused campaigns can be lucrative but are often looked down upon even in the most radical black-hat hacking circles. Regardless of the ethics behind the behavior, the American Rescue Act has proved to be an opportunity too tempting to pass up for a group of hackers targeting individuals seeking financial aid via stimulus checks.

The act itself was recently signed into law and aims to give financial aid to Americans, especially those hit particularly hard by the economic downturn caused by the pandemic. The act sends Americans who earn under a certain threshold a stimulus amount of $1,400 each.

Hackers see a payday for themselves here, and since early March, one group has been involved in an email phishing campaign, purporting to be the IRS. The group uses the IRS logo and even spoofs the sender domain in a reasonably convincing manner. The email says, “It is possible to get aid from the federal government of your choice” and then offers “quotes” for too-good-to-be-true things – such as a $4,000 check, the ability to “skip the queue for vaccination” and free food.

[Image: Phishing email used in the campaign]

If the target clicks “Get apply form,” they are taken to an Excel sheet which states, “Fill this form below to accept Federal State Aid.” The catch is that the user is told they must enable content (macros) to see the document in full. Doing so enables macros that set off a chain deploying the Dridex banking trojan on their machine. Dridex is a veteran of the banking malware scene and will siphon any and all banking credentials off an infected machine without the user’s knowledge.

Phishing defense researchers at Cofense have been investigating the campaign. “While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script,” researchers explained, in a posting on Tuesday. “The macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information.”

WMI is a subsystem of PowerShell that gives admins access to system monitoring tools, including the ability to ask for information about anything that exists on a given computer, such as which files and applications are present. It can also request that responses to these queries be returned in a certain format.

“The WMI query employed in this case…demands that the dropped .XSL file be used to format the response to the query,” researchers wrote. “This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.”
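One way a defender can catch the macro-to-WMI-to-.XSL pattern above in endpoint telemetry is to look at process creation events. This is an added example, not code from Cofense or the original post; it assumes (the article does not say) that the query is issued through wmic.exe with its /format: switch naming the dropped .XSL file, which is the usual way a stylesheet is attached to a WMI query, and the events it scans are constructed.

```python
# Added example: endpoint detection logic for the macro -> WMI -> .XSL pattern
# described above. Assumption (not stated in the article): the query runs via
# wmic.exe with a /format: switch pointing at the dropped .XSL file. The events
# below are constructed to resemble process-creation telemetry.

import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# wmic's built-in stylesheets live here; an .xsl loaded from anywhere else is unexpected.
TRUSTED_XSL_DIRS = ("c:\\windows\\system32\\wbem\\", "c:\\windows\\syswow64\\wbem\\")
FORMAT_RE = re.compile(r'/format\s*[:=]\s*"?([^"\s]+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def format_target(command_line):
    """Return the value of wmic's /format: switch, or None if there is none."""
    m = FORMAT_RE.search(command_line)
    return m.group(1) if m else None


def classify(event):
    """Reasons this process-creation event is suspicious (empty list = benign)."""
    reasons = []
    if basename(event.image) != "wmic.exe":
        return reasons
    parent = basename(event.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append(f"wmic.exe spawned by Office process {parent}")
    target = format_target(event.command_line)
    if target:
        t = target.lower()
        if t.endswith(".xsl") and not t.startswith(TRUSTED_XSL_DIRS):
            reasons.append(f"wmic /format loads a stylesheet outside the wbem directory: {target}")
    return reasons


def scan(events):
    """Return [(command_line, reasons)] for every event that raised at least one reason."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.command_line, reasons))
    return hits


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Macro-driven query formatted with a dropped stylesheet: the pattern in the article.
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic process get brief /format:"C:\Users\user\AppData\Local\Temp\form.xsl"'),
    # Admin inventory query using a built-in format keyword: benign.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption,version /format:list"),
    # Unrelated child of Excel: not wmic, so this rule ignores it.
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),
]

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(why))
```

Either reason on its own is worth an alert; the two together (an Office parent and a stylesheet from a user-writable directory) are the signature of the chain Cofense describes.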

Dridex Malware Origins

Dridex is an older strain of malware, first reported a decade ago in 2011. It also goes by the names Bugat and Cridex. Dridex is most commonly deployed via phishing emails, and it generally targets banking credentials.

Dridex’s rise in popularity was comparatively slow, but by 2015 it had become the world’s foremost financial trojan. Most often, Dridex campaigns targeted corporate email. This led to later versions of the malware being updated to include ransomware-deployment capabilities. Furthermore, Dridex developed stronger obfuscation techniques as corporate anti-virus grew more sophisticated.

The original developers of Dridex are believed to be a Russian cybercrime group named ‘Evil Corp.’ (No points for originality!). In December 2019, authorities cracked down on the group with sanctions and charges against its leader, Maksim Yakubets, known for his lavish lifestyle. U.S. authorities are still offering up to $5 million for information leading to his arrest; they allege that Yakubets and Evil Corp. have stolen millions of dollars from victims using the Dridex banking trojan and Zeus malware.

Prevention

As with all phishing campaigns, the key to prevention is education. When reading emails, look for errors and keep a suspicious eye. Be wary of “too good to be true” claims, and keep up to date on government plans for distributing aid, such as the American Rescue Act.

Beyond education, there are tools that can protect your home and business against malware attacks like Dridex. One of these tools is SaferNet.

Hacking On A Budget: WSH RAT Leads Way For Malware-As-A-Service

Malware has been a threat for nearly as long as computers have existed. Typically, the developers and spreaders of malware were skilled programmers who decided to use their talent for nefarious purposes. This high entry threshold made life easier for cybersecurity companies: talented hackers were fairly rare, and so the number of major threats was once much lower than it is today.

The late ’90s and ’00s saw the genesis of Malware-as-a-Service (MaaS) with the appearance of script kiddies. A script kiddie was an individual, usually a juvenile, who would download hacking or malware scripts from websites and run them to carry out various attacks. These attacks were usually on the lower end of what malware is capable of.

The term is considered derogatory; script kiddies usually only acted to impress others, and they themselves were devoid of any meaningful skill with a computer.

However, this idea of being able to carry out a cyberattack without any skill took root in the community, and some business-savvy hackers saw an opportunity. In 2010, Chinese hackers released the IMDDOS service. At the time, IMDDOS was one of the largest botnets in the world. The hackers would charge customers a monthly service fee. After paying, a customer could sign in and choose to use parts of the botnet to carry out a DDoS attack on any target they wanted.

IMDDOS was extremely popular in the hacking community, and the service opened the floodgates. What Netflix did for streaming, IMDDOS did for MaaS. Like any other industry, different groups vied for control – price wars occurred, monopolies were gained, disruptive new players entered the scene – everything you’d expect from any new, popular industry.

One of the biggest to hold a monopoly was the H-Worm, also known as Houdini. Houdini appeared in 2013 as a Remote Access Trojan (RAT). A RAT allows the hacker to control nearly every aspect of a target machine through shell command execution, keyloggers, and spyware. The author of the malware, also known as Houdini, is based in Algeria. He is believed to be connected to another hacker, njq8, who developed njw0rm and njRAT/LV; the two share a common codebase, effectively sharing notes.

The Houdini RAT was popular in the MaaS scene for many years, with many customers using it to carry out attacks globally. 2019 saw its successor, WSH RAT. WSH RAT uses mostly the same codebase as Houdini, though it executes via JavaScript, a change that has made it spread far more widely.

MaaS is usually distributed on the Dark Web. Getting to distribution sites is one hurdle potential customers have to overcome, but it is not a particularly large one. This is another area where WSH RAT does better than its competitors – it’s available on the front page of Google. This makes WSH RAT the most easily accessible piece of malware on the internet.

[Image: Phishing email carrying WSH RAT]

WSH RAT’s first appearance in 2019 was a series of attack campaigns on banking customers. Victims would receive an email purporting to be from a bank, with a zip attached. The zip contained an .EXE which, when run, would let WSH RAT take hold of the system. The 2019 banking campaign stole thousands of credentials from victims, which were sold on the Dark Web by the various groups that had bought WSH RAT.

WSH RAT offers many out-of-the-box features attractive to cybercriminals, including:

  • Password siphoning from the major browsers and email applications
  • Full Remote Control
  • File Download and Execution
  • Script Execution
  • CMD Execution
  • Keylogging

The service is helpful for criminals on a budget, starting at $25 a month.

[Image: Feature and price list from the WSH RAT website]

WSH RAT has remained the go-to choice for hackers interested in remote-access attacks since 2019. Intrusion kits like WSH RAT are continuously customized and wrapped in additional layers of multi-language code, most of the time unknown to the community, which creates problems for detection.

MaaS is the part of the cybercriminal underground that enables a wide range of attackers to leverage advanced capabilities for intrusion operations and fraud, lowering the entry bar for cybercrime and hacking. Though it has been around for little more than a decade, MaaS may well be the future of cyberthreats.

WSH RAT – Malware Analysis

Researchers at cybersecurity company Yoroi have carried out extensive research on WSH RAT.

The initial infection vector is a malicious RTF document which uses the CVE-2017-11882 (Equation Editor) exploit.

[Image: Exploit for CVE-2017-11882]

The Equation Editor shellcode downloads the second component of the infection chain from a previously compromised WordPress website. The file is a packed wrapper whose only purpose is to deploy the next stage, the full Visual Basic Script of WSH RAT. The packer is highly obfuscated to hinder reverse engineering.

The core of WSH RAT begins with its configuration block, which allows threat actors to re-code parts of WSH RAT for their own purposes.

[Image: Config settings]

Deeper into the core is the Command and Control (C&C) mechanism, allowing WSH RAT to communicate with the hacker and listen for commands.

[Image: Retrieving the C&C info]

After that, the bot retrieves the commands to execute from the C&C and saves them in the variable “cmd”. The command list is where WSH RAT does most of its work.

Within the core of WSH RAT is also a payload launcher, allowing it to act as a carrier for other malware.

Protection

Malware-as-a-Service is here to stay, and the future of cybersecurity means being able to protect against new threats on the horizon. Protecting your home or business means having the right tools for the job. One of these tools is SaferNet.

REvil Ransomware Group Makes Moves Globally in 2021

Ransomware struck industries hard in 2020, and 2021 is shaping up to be no different. The REvil ransomware group, which targeted several hospitals last year, carried out a series of attacks last month. In the last two weeks alone, the group has hit 9 large organizations across Africa, Europe, Mexico, and the United States. Within the US, the companies hit include law firms, an insurance firm, an architectural company, and an agricultural co-op. The ransomware group is being tracked by cybersecurity researchers at eSentire.

REvil, also known as Sodinokibi or Sodin, was quiet for some years before resurfacing in 2019. The group behind the malware has hit several high-profile targets such as Grubman Shire Meiselas & Sacks, Travelex and Brown-Forman Corp. REvil has also been reported in many hospital systems. Because it is sold as Ransomware-as-a-Service (RaaS), it turns up frequently in infections.

The cybercriminals have already posted much of the stolen data to the Dark Web. This includes company computer file directories, partial customer lists, customer quotes, and copies of contracts. Researchers said they also posted what appear to be several official IDs, belonging either to employees or to customers of the victim companies.

It is speculated that part of the gang’s success is due to its use of the Gootloader malware loader, which is designed to seed the ransomware. The loader has previously been seen deploying REvil as well as the Gootkit malware family. Beyond REvil, Gootloader has been reported launching the Kronos trojan and Cobalt Strike. SaferNet reported on Gootloader and Gootkit in an article last week.

Researchers said they have seen REvil expanding its extortion tactics, techniques and procedures (TTPs) to now contact victims’ business associates and the media, in order to put maximum pressure on the victim to pay. They noted that in the last couple of days, the threat group also appears to have been updating its website to make its victim list easier to browse.

REvil SSN And Personal Records Breach

One of the larger attacks the REvil hackers took part in last month was a devastating attack on IT infrastructure and managed services firm Standley Systems. During the attack, the group managed to steal troves of personal information, including SSNs, service contracts, medical documents, personal data from Standley’s clients, and passports and licenses of Standley’s employees.

“Your customers have entrusted you with the most valuable thing – their backups and data for storage, but you have not coped with your task,” REvil wrote on its leak site. “Even after we provided you with the lost data, we did not hear a single word in response. Accordingly, you don’t give a damn about your customers … You are disrupting both your reputation and the reputation of people who have trusted you with their safety.”

The Standley Systems data was first posted to the REvil site on Feb. 15 and was then taken down from the site for some time before reappearing more recently. The information might have been taken down due to the start of negotiations between REvil and Standley and then reposted once talks between the two sides fell through.

The six Standley customers mentioned on REvil’s dark web site are natural gas producer Chaparral Energy, oil company Crawley Petroleum, injury evaluator Ellis Clinic, gas exploration company Everquest Energy Corporation, the Oklahoma Medical Board, and structural steel fabricator W&W Steel.

Generally, the ransomware gang will first post a snippet of stolen data to a website; this is a tactic to frighten the company into compliance. If the company is unmoved, the gang will auction the data.

REvil likes to go after data that can be used for identity theft or data that creates liability issues for clients of the victim organization. More than 1,300 companies lost intellectual property and other sensitive information last year after ransomware operators published their data to a leak site.

REvil Ransomware Analysis

REvil deployments were first observed a few years ago, when attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725. It is highly configurable and can be customized to behave differently depending on the host, which makes it a highly attractive RaaS client. Some of its features include:

  • Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
  • Whitelists files, folders and extensions from encryption.
  • Kills specific processes and services prior to encryption.
  • Encrypts files on local and network storage.
  • Customizes the name and body of the ransom note, and the contents of the background image.
  • Exfiltrates encrypted information on the infected host to remote controllers.
  • Uses Hypertext Transfer Protocol Secure (HTTPS) to communicate with its controllers.

REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN. The RaaS is operated as an affiliate service, where affiliates spread the malware by acquiring victims and the REvil operators maintain the malware and payment infrastructure. Affiliates receive 60% to 70% of the ransom payment.

Unknown has acknowledged that his ransomware is based on the now-retired GandCrab ransomware, saying, “We used to be affiliates of the GandCrab affiliate program. We bought the source code and started our own business. We developed custom features for our purposes.”

REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.

Protection Against Ransomware

REvil and other Ransomware clients are some of the most common and deadly cybersecurity threats out there today. Families and businesses should be aware of these threats, and equip the right tools to tackle them. One of these tools is SaferNet.

Obscure Programming Language Used to Deliver New Malware Loader Through Spear-Phishing Campaign

Malware developers use a variety of methods to avoid detection. An ongoing campaign highlights one of them: writing the malware in an uncommon programming language so that it slips past signatures and analysis tooling built around more familiar ones. Since February 3rd, threat actor TA800 has run a spear-phishing campaign delivering a new malware loader, NimzaLoader. NimzaLoader is written in Nim, an imperative, general-purpose compiled language with syntax reminiscent of Python. Because Nim is rarely seen in malware, analysts have fewer reference samples and tools to lean on, and reverse engineering a Nim binary is correspondingly slower.

TA800 has a long cybercrime history, and NimzaLoader appears to be a less-detectable successor to its earlier loader, BazaLoader. The campaign so far has relied on highly targeted spear-phishing and has targeted roughly 100 organizations across 40 industries.

The full extent of NimzaLoader's capabilities is not yet clear, but it has been observed delivering Cobalt Strike. Cobalt Strike is a commercial adversary-simulation framework whose Beacon payload provides keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz integration, port scanning, and lateral movement. It is sold to legitimate red teams, but cracked copies are widely abused by criminal groups as a ready-made post-exploitation toolkit.

Consistent with previous campaigns, TA800 personalizes the email lure with details such as the recipient's name and company name.


The message contains a link, often shortened or otherwise obscured, claiming to lead to important business PDF documents. Following it brings the target to a landing page hosted on Slack, dressed up with Adobe branding, which in turn links to the supposed PDF.

Opening the downloaded file deploys NimzaLoader on the user's machine, though the user is unlikely to notice any immediate change. Because the loader is written in Nim, it is less likely to match the signatures that file-scanning products have built up around more common toolchains. Once on the machine, NimzaLoader drops Cobalt Strike, and the real damage begins.

NimzaLoader Malware Analysis


Much of this analysis has been carried out by cybersecurity researchers at Proofpoint.

NimzaLoader was developed using the Nim programming language, which can be seen from the various 'Nim'-related strings the compiler leaves in the executable.

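The string evidence above can be turned into a quick triage check. The following is an added example, not Proofpoint's or TA800's code: it extracts printable strings from a binary the way the `strings` utility does and counts markers that the Nim compiler's C backend is known to emit (NimMain, NimMainInner, nimFrame and similar). The marker list and the two sample buffers are assumptions constructed for the example; a stripped or packed binary can hide these names, so a hit is a signal for further analysis, not proof.

```python
"""Heuristic triage check for Nim-compiled executables."""
import re
from typing import Dict, List

# Assumed marker list: names the Nim compiler's C backend emits for its
# runtime entry points and helpers. A stripped or packed binary can hide
# them, so a hit is a triage signal, not proof.
NIM_MARKERS = [
    b"NimMain",
    b"NimMainInner",
    b"NimMainModule",
    b"nimFrame",
    b"nimErrorFlag",
    b"@nim",
    b"nim-",   # e.g. a leftover path such as ...\nim-1.4.2\lib\system.nim
]


def extract_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, data)]


def nim_markers_in(data: bytes) -> Dict[str, int]:
    """Count how many extracted strings contain each Nim marker."""
    hits: Dict[str, int] = {}
    for s in extract_strings(data):
        for marker in NIM_MARKERS:
            if marker in s:
                key = marker.decode()
                hits[key] = hits.get(key, 0) + 1
    return hits


def looks_like_nim(data: bytes, min_distinct_markers: int = 2) -> bool:
    """Flag the sample when several different markers appear. Requiring more
    than one cuts false positives from a lone substring such as "nim-"."""
    return len(nim_markers_in(data)) >= min_distinct_markers


def scan_file(path: str) -> Dict[str, int]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return nim_markers_in(fh.read())


# Constructed buffers standing in for two executables; not real samples.
NIM_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"NimMainInner\x00NimMainModule\x00nimFrame\x00"
    + b"C:\\nim-1.4.2\\lib\\system.nim\x00"
    + b"\x00" * 32
)
PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"kernel32.dll\x00GetProcAddress\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    print("nim sample   :", looks_like_nim(NIM_SAMPLE), nim_markers_in(NIM_SAMPLE))
    print("plain sample :", looks_like_nim(PLAIN_SAMPLE), nim_markers_in(PLAIN_SAMPLE))
```

Run it against a real file with `scan_file(path)`; anything returning two or more distinct markers deserves a closer look with a disassembler that understands Nim's calling conventions and string layout.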

TA800 has been active in the cybercrime scene for a few years and is mostly known as an affiliate distributor. Affiliate distributors rarely write their own malware and usually rely on MaaS tooling in their attacks, which makes an in-house loader like NimzaLoader notable.

TA800 has mostly been active in North America and has targeted a wide range of industries. The group is usually known for distributing banking trojans and malware loaders, and for running spear-phishing campaigns. Its lures always carry a sense of urgency to push the recipient into acting: subject lines and message bodies have referenced payments, meetings, terminations, bonuses, and complaints.

The group made headlines in late 2020 with a series of attacks on the healthcare sector using the BazaLoader malware loader. When hospital systems were infected with BazaLoader, it dropped Ryuk as its payload. Ryuk is a notorious ransomware family we have covered in previous articles.

Protection

In many forms of cyberattack, and especially phishing, education and intuition are key to protection. Being able to tell a legitimate email from a phishing email is the first line of defense. In small businesses, employees should receive regular cybersecurity training to learn the signs.

Beyond training, there are tools out there that can prevent attacks like phishing. One of these tools is SaferNet.


Google Removes 9 Malware-Laden Apps From the Play Store

Malware's primary obstacle on mobile devices has always been the infection vector, the act of getting itself onto a device in the first place. Hackers have come up with novel, clever, and complex ideas in the past, but none have been as successful as the dropper. An attack using droppers can go unnoticed for quite some time, as was the case recently when Google removed 9 apps from the Play Store. Each app carried a dropper dubbed Clast82, which in turn fetched the real malware.

Droppers are nothing new; they have been active on PCs for many years, though lately have made the mobile market their new home. A dropper will first appear as a normal app with everyday use. This could be a calculator app, a fitness tracker, a media player, or just about anything. The hacker will develop a completely legitimate app to build trust with the community and with Google Play.

Google Play has several strict policies to ensure that apps are legitimate, so building trust is critical for a dropper to succeed.

Once this trust is built, the dropper goes active. On instruction from its operator it downloads a second-stage package from a remote location and installs it, turning a seemingly innocent utility into fully fledged malware. This bait-and-switch has sometimes been called a quasi-trojan: like a trojan, it masks a more serious payload; unlike a trojan, that payload is not present in the app at all until the operator decides to activate it.

The 9 apps removed from the Play Store had some devastating functionality when activated, capable of gaining intrusive access to the financial accounts of victims and full control of their devices.

Clast82 deployed the AlienBot banker and the Rogue MRAT onto devices running any of the apps. AlienBot is malware that focuses on harvesting banking credentials from a mobile device. It does this by overlaying fake login screens on legitimate banking apps found on the device, capturing what the victim types and letting the operator take over the account.

Rogue is an MRAT (Mobile-Remote-Access-Trojan). Rogue generally allows the hacker to control all aspects of the phone and spy on users’ inputs.

The removed apps included Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder.

Methodology

 


Clast82 used two primary techniques to bypass Google Play's detection and deliver malware to the user's device.

Firstly, it used Firebase as its command-and-control (C&C) platform.

Secondly, it used GitHub as a third-party hosting platform from which to download the payload.

During Google Play's evaluation of the apps, the configuration served by the Firebase C&C contains an 'enable' parameter. Based on that value, the app decides whether to trigger its malicious behavior. During evaluation the parameter is set to false, so reviewers see only the benign app. Once the review is finished and Google publishes the app, the operator flips the parameter to true. Server-side gating of this kind defeats any review that relies solely on observing the app's behavior, because the reviewer cannot make the C&C answer true.

 

“Disabled” configuration sent from the Firebase C&C

Cybersecurity researchers investigating the hacker's GitHub found that a separate developer account had been created for each app, each with its own payload, so the operator could deploy a different payload to each of the 9 apps as desired.

 

Hacker's Git repo

With this system in place, an attack followed 5 steps:

  1. The hacker uploads the app to Google Play.
  2. Google's evaluation is met with a false parameter from the Firebase C&C, so no malicious behavior is present.
  3. Google approves the app.
  4. Victims install the app, which contacts the Firebase C&C. The parameter has been changed from false to true.
  5. The device contacts the hacker's GitHub and downloads the malware, unbeknownst to the user.

It is believed that the apps passed review partly because the hacker built them from open-source libraries, effectively putting a custom paint job on publicly available app source code.
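Because the payload is absent until the flag flips, the most reliable place to catch this pattern is network behaviour rather than static review. The following is an added example, not Check Point's or Google's code: it scans a per-app request log for the ordered pair the five steps describe, a configuration fetch from Firebase followed shortly by a download of an installable package from GitHub. The log format, the host lists and the sample capture are assumptions constructed for the example; real input would come from a proxy, VPN or emulator capture.

```python
"""Detect Clast82-style dropper behaviour in per-app network logs."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple
from urllib.parse import urlparse


class Request(NamedTuple):
    ts: float       # seconds since capture start
    package: str    # Android package that issued the request
    url: str


# Assumed host lists: where a Firebase-backed config lives and where
# Clast82 staged its payloads. Extend to taste for other code hosts.
CONFIG_HOSTS = ("firebaseio.com", "firebaseremoteconfig.googleapis.com")
PAYLOAD_HOSTS = ("github.com", "raw.githubusercontent.com", "objects.githubusercontent.com")
PAYLOAD_SUFFIXES = (".apk", ".dex", ".jar")


def _host_matches(url: str, suffixes: Iterable[str]) -> bool:
    """True when the URL's host is one of `suffixes` or a subdomain of it.
    Exact/dot-suffix matching avoids 'firebaseio.com.evil.example'."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_config_fetch(url: str) -> bool:
    return _host_matches(url, CONFIG_HOSTS)


def is_payload_fetch(url: str) -> bool:
    path = urlparse(url).path.lower()
    return _host_matches(url, PAYLOAD_HOSTS) and path.endswith(PAYLOAD_SUFFIXES)


def find_droppers(log: List[Request], window: float = 300.0) -> Dict[str, List[str]]:
    """Return {package: [payload urls]} for apps that fetched a config and
    then, within `window` seconds, pulled an installable package from a
    code-hosting site. A config fetch alone is normal (many legitimate apps
    use Firebase); the ordered pair is what stands out."""
    by_pkg: Dict[str, List[Request]] = defaultdict(list)
    for r in sorted(log, key=lambda r: r.ts):
        by_pkg[r.package].append(r)

    flagged: Dict[str, List[str]] = {}
    for pkg, reqs in by_pkg.items():
        config_times = [r.ts for r in reqs if is_config_fetch(r.url)]
        if not config_times:
            continue
        payloads = [
            r.url for r in reqs
            if is_payload_fetch(r.url)
            and any(0 <= r.ts - t <= window for t in config_times)
        ]
        if payloads:
            flagged[pkg] = payloads
    return flagged


# Constructed capture: a benign app that only uses Firebase, a dropper-like
# app that fetches its config and then an APK, and an app that downloads an
# APK with no preceding config fetch.
SAMPLE_LOG = [
    Request(1.0, "com.example.notes", "https://example-notes.firebaseio.com/config.json"),
    Request(2.5, "com.example.notes", "https://fonts.gstatic.com/s/roboto.woff2"),
    Request(3.0, "com.example.scanner", "https://scanner-cfg.firebaseio.com/settings.json"),
    Request(4.2, "com.example.scanner", "https://raw.githubusercontent.com/someuser/repo/main/update.apk"),
    Request(900.0, "com.example.player", "https://github.com/someuser/repo/releases/download/v1/plugin.apk"),
]

if __name__ == "__main__":
    for pkg, urls in find_droppers(SAMPLE_LOG).items():
        print(f"{pkg}: config fetch followed by payload download {urls}")
```

The window is deliberately short: Clast82 checked its flag at launch and fetched the payload right away. An app that downloads an APK with no config fetch at all (the third package in the sample) is still worth a look, but it is a different signal and is left out of this detector so that the two are not conflated.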

The Play Store as the Primary Attack Vector For Malware

 


A study in 2019 shed light on the Play Store as an attack vector for malware. It found that the Play Store was in fact the largest distribution channel for unwanted and malicious apps on Android, accounting for 67% of the malicious app installs observed. That number undercuts the belief that third-party stores such as Aptoide and APKMirror are the main source of malicious apps; alternative markets accounted for just 10% of malicious installs. The caveat is that the Play Store also accounts for the overwhelming majority of all installs, so a large absolute share does not make it the riskiest source per download.

The same study analyzed 34 Million app installations for 7.9 Million unique apps. It found that between 10% and 24% of the apps analyzed contained some form of unwanted Malware.

These attacks are making the headlines more frequently it seems.

In February 2020, Google removed 56 apps from the Play Store that had infected 1.7 million devices with malware. July 2020 saw a resurgence of the Joker malware on the Play Store, a billing-fraud family that silently subscribes victims to premium services. PhantomLance, a notorious mobile spyware platform, ran a five-year campaign through the Play Store that was only discovered a few months ago.

What You Can do For Protection

Protection against droppers like Clast82 is tricky because in most cases the user is unwittingly inviting the malware onto their device by installing an app that looked legitimate at the time. As with most forms of cybersecurity defense, knowledge is your key weapon.

When downloading an app from the Play Store, don’t hit ‘Install’ without taking some precautionary steps:

  • Research the developer. Do they seem legitimate?
  • Read the reviews. Remember that sometimes hackers will leave fake reviews – Be aware of this, and use your intuition.
  • Read the permissions before you download. If you feel uncomfortable giving an app as much access as it requests, don’t download!

Along with these steps, users should use the proper security tools to ensure their device is safe. One of these tools is SaferNet.


Hackers Strike Millions of Flyers in Attack That Affects 90% of the Global Aviation Industry

 

Hackers have carried out a large data breach at SITA, an IT provider whose software serves around 90% of the global aviation industry. SITA confirmed that in late February its US-based database holding frequent-flyer information was compromised. Airlines share frequent-flyer data through SITA software, so the personal information of millions of customers was exposed.

The breached servers were part of the SITA Passenger Service System (SITA PSS).

SITA has stated that each of the affected airlines have been briefed on the breach. Some of the companies who have made public statements about the attack are United, British Airways, Singapore Airlines, and Finnair.

SITA have not revealed details of the attack vector taken by hackers, nor has it disclosed the exact type of data exposed in the attack. Many airlines have issued public statements confirming what types of data have been affected in relation to their passengers.

Company spokesperson Edna Ayme-Yahil stated “SITA PSS was holding the data of airlines that are not its direct customers, but are alliance members, because other airlines that are SITA PSS customers have an obligation to recognize the frequent flyer status of individual passengers and ensure that such passengers receive the appropriate privileges when they fly with them. That obligation arises from the contractual commitments that the other airline has agreed in its contractual arrangements with an alliance organization. It is common practice for alliance members to recognize the frequent-flyer scheme tiers of the passengers they carry. This mandates the sharing of frequent-flyer data amongst alliance members and, consequently, the service providers to those alliance members (such as SITA).”

Hackers See Airlines As Tempting Targets



Airlines have long been tempting targets for hackers. The aviation and aerospace industry is frequently involved in cyberattacks because of the personal information it holds and the low priority many companies give to cybersecurity.

In particular, privilege escalation and SQL injection vulnerabilities are weak points for the industry, accounting for 57% of the vulnerabilities reported to companies by ethical hackers.

The last 12 months have been devastating for airlines globally as they shift focus to simply surviving the pandemic and staying in business. Hackers are aware of this shift and have turned more of their attention toward airlines to exploit vulnerable systems.

Airlines depend heavily on digital systems, many of them legacy. If maintaining these is not a priority, they fall out of date and become rife with exploitable flaws.

Vulnerabilities in the Software Supply Chain



The SITA attack is just another in a long list of attacks on the third-party software supply chain. Notably, in 2020 SaferNet reported on the SolarWinds breach, and in 2021 we have seen the Accellion File Transfer Appliance breach.

Third-party software supply chains are often the weakest link in an organization and so are targeted by hackers. While a company may have tight security control, a third-party vendor may not. This can act as a doorway for hackers to breach internal systems.

Ran Nahmias, co-founder of Cyberpion, explains, “The proliferated effect of the attack on SITA is yet another example of how vulnerable organizations can be solely on the basis of their connections to third-party vendors. If these kinds of seemingly legitimate connections are not properly monitored and protected, they can result in damaging breaches that unleash highly confidential data, as evidenced in this situation.”

The responsibility is on IT teams to correctly vet third-party vendors. Going forward, software supply chain breaches will become more common, and company leaders must become more vigilant in scrutinizing their security.

Securing Enterprise Systems

Small businesses can use a number of tools to tighten their cybersecurity. One of these tools is SaferNet.


Point Of Sale Malware: The Silent Virus Gripping Retail

Malware can affect any device, and point-of-sale (POS) devices seen in retail are no exception. POS devices are used to finalize a retail transaction, with a customer either swiping or tapping a card and now oftentimes using Apple Pay or Google Pay with their phone. POS devices are used globally, though the trend of customers opting to pay this way is most widespread in the United States.

For the most part, POS devices are not stand-alone units; rather, they are peripherals connected to a computer within the retail unit. Most commonly these computers are Windows or UNIX systems connected to the Internet. This arrangement is the most common in the POS world, though modern developments have led to dongle POS readers, wireless transmitters, and more.

The goal of POS Malware is to intercept the card details and wire them back to a hacker. There are several methods used to accomplish this. As card security has advanced, hackers have developed more sophisticated methods to capture details.

The security standards used by the payment industry globally (PCI DSS) require card data to be protected in storage and in transit, which shuts down the most rudimentary attacks such as sniffing the network or reading a database. The weak point is processing: unless the merchant uses point-to-point encryption (P2PE) that encrypts the track data inside the card reader itself, the card details are decrypted and handled in clear in the POS application's random-access memory (RAM).

One of the most common methods malware uses here is RAM scraping. The POS computer is infected, often by way of a silent Remote Access Trojan (RAT), with a scraper that reads the track data while it is being processed in RAM and uploads it to the hacker's server.

RAM Scraping leaves little to no footprints on a system and allows hackers to build a database of potentially millions of credit card credentials without being detected. These credentials can have many uses to a hacker; Most often, they are all sold in blocks on the Dark Web for financial fraud and identity theft.
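What a scraper actually looks for is magnetic-stripe track data sitting in process memory. The following is an added example, not code from any of the malware families on this page: it is the scanner a defender would run over a process dump or a test buffer, and it implements the two techniques the later entries describe, track 1 and track 2 regular expressions of the kind Rdasrv uses and fixed-size chunked scanning with overlap, reading 0x20000 bytes per pass as BlackPOS does. Each candidate PAN is Luhn-checked to cut false positives. The sample buffer and the 4111 1111 1111 1111 test number are constructed data.

```python
"""Track-data memory scanner, as a defender would run over a process dump."""
import re
from typing import Iterator, List, NamedTuple, Tuple

CHUNK = 0x20000   # bytes read per pass, the size BlackPOS uses
OVERLAP = 128     # carry between passes; must exceed the longest track record (79 bytes)

# ISO/IEC 7813 layouts:
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.-]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,30}\?")


class TrackHit(NamedTuple):
    track: int
    pan: str
    expiry_yymm: str
    offset: int


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that match the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes, base: int = 0) -> List[TrackHit]:
    """Regex scan of one buffer; offsets are reported relative to `base`."""
    hits: List[TrackHit] = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, pan, (m.group(3) + m.group(4)).decode(), base + m.start()))
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, pan, (m.group(2) + m.group(3)).decode(), base + m.start()))
    return hits


def chunks(data: bytes, size: int, overlap: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, slice) pairs that cover `data` with `overlap` bytes of carry,
    so a record straddling a pass boundary is seen whole in the next pass."""
    assert size > overlap, "step must be positive"
    pos = 0
    while pos < len(data):
        yield pos, data[pos:pos + size]
        pos += size - overlap


def scan_memory(data: bytes, size: int = CHUNK, overlap: int = OVERLAP) -> List[TrackHit]:
    """Scan the way a RAM scraper does, pass by pass, de-duplicating records
    that the overlap makes visible twice."""
    seen = set()
    out: List[TrackHit] = []
    for off, chunk in chunks(data, size, overlap):
        for hit in scan_buffer(chunk, off):
            if hit.offset not in seen:
                seen.add(hit.offset)
                out.append(hit)
    return out


# Constructed buffer: padding, one swipe with both tracks, a decoy whose PAN
# fails Luhn, more padding. 4111 1111 1111 1111 is a standard test number.
SAMPLE_MEMORY = (
    b"\x00" * 200
    + b"%B4111111111111111^DOE/JANE^25121011234567890?"
    + b"\x00" * 50
    + b";4111111111111111=25121011234567890?"
    + b"\x00" * 20
    + b";4111111111111112=25121011234567890?"   # Luhn failure: must be ignored
    + b"\x00" * 100
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(f"track {hit.track} at 0x{hit.offset:x}: PAN {hit.pan[:6]}...{hit.pan[-4:]} exp {hit.expiry_yymm}")
```

The overlap is the detail that separates a correct scanner from a lucky one: without it, a record that happens to straddle a pass boundary is silently missed, and with too small an overlap the same thing happens for long track 1 records. Run as a defensive control, the same scanner over a POS process dump tells you whether cleartext track data is present in memory at all, which is exactly what P2PE is supposed to prevent.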

When card credentials are stolen in this way, it can be difficult to trace it back to the source, or even the location they were stolen from. Like many forms of data harvesting in the cybercrime world, the victim may not be impacted until months, or years have passed. POS Malware is a silent virus in the world of retail, and its future is promising for cybercriminals. There have been many different strains of Malware affecting POS devices, today we look at some of the most destructive ones.

Dexter Malware

 


Primary Victims: Restaurants, Convenience Stores

Dexter was one of the first major POS Malware strains found in a campaign that affected POS devices globally in 2012, though the attacks were centered on the US.

Dexter was reported in 40 countries in total and affected POS devices connected to Windows systems. Researchers found that card details were sent to the hackers’ command-and-control center (C&C) in Seychelles.

The Dexter malware sends a list of processes running on infected systems to the C&C server. The attackers then check whether any of those processes correspond to specific PoS software and if they do, they instruct the malware to dump their memory and upload the data back to the server.

The memory dumps are then parsed with an online tool that runs on the server and can extract payment card data from them. This is the information written on the magnetic stripes of payment cards and can be used to clone them.

Dexter's main victims were restaurants and convenience stores, and at one point it had siphoned the details of 20,000 credit cards. In 2013 Dexter was reworked into a variant known as StarDust, which has been reported as still circulating.

MalumPOS Malware

 


Primary Victims: Hotels, Restaurants

MalumPOS Malware was first discovered in 2015, though it took until late 2016 for VISA to issue a warning about the virus. While not as active as it once was, MalumPOS is still found today globally.

MalumPOS targets the Oracle MICROS payment system, a popular POS system used in the hospitality and food industry. The Malware is written in the Delphi programming language.

MICROS is deployed at roughly 333,000 sites worldwide, giving MalumPOS a potential footprint of that size, and it scraped millions of cards. Oracle has since put out several patches, though during the initial outbreak the company pleaded with vendors to change default administrator credentials to halt the infection.

MalumPOS infects a POS device through a driver update; it usually disguises itself as ‘Nvidia Display Driver’ or a similar display driver and can appear legitimate. It can go relatively undetected on a device for years.

BackOff Malware

 


Primary Victims: Dairy Queen, UPS Store, and many smaller US retailers

BackOff was an aggressive strain of POS malware that made headlines in 2014 and 2015, prompting the Department of Homeland Security's US-CERT to issue an alert.

BackOff targeted Windows POS systems. The malware injects a malicious stub into explorer.exe (the Windows shell process) to persist on the POS machine, then scrapes the memory of running processes. It searches that memory for card data left over after a payment card has been swiped.

It had a wide reach, infecting many chains across the US, including Dairy Queen and UPS Store franchises. At one point roughly 10% of all Dairy Queen stores in the US had BackOff installed and were actively leaking customer card information. (The Target and Home Depot breaches of the same era are generally attributed to BlackPOS-family malware, covered below.)

Its spread was unprecedented at that point in the world of POS malware; in August 2014 the infection rate increased by 57%. The final number of compromised cards is unknown, though researchers put it close to 4 million.

BackOff is rarely present in the major franchise stores but can still be found in POS systems belonging to small businesses. It is actively being developed to contain more features; later editions include advanced Spyware techniques like keylogging.

BlackPOS Malware

 


Primary Victims: Target, Neiman Marcus, Home Depot, Wendy's, UPS

BlackPOS is perhaps the most infamous POS Malware created to date and was the catalyst behind the Target Thanksgiving Data Breach of 2013.

BlackPOS infects Windows systems. It is notably more sophisticated in its code and anti-detection efforts than other POS Malware strains. Its source code was also publicly available, meaning the virus has been updated and enhanced many times.

BlackPOS uses faster searching techniques than its peers and forgoes regular-expression searches. It reads 0x20000 bytes (128 KiB) of the target process in each pass and keeps going until it has covered the whole memory region of the process being inspected. When the desired data has been located, it is quietly exfiltrated to the hackers' C&C.

While BlackPOS infected many POS devices, its most well-known attack campaigns were against Neiman Marcus and Target.

Systems at Neiman Marcus were infected from July 2013 until January 2014. Over the course of several months, 1.1 Million customers’ credit card details were stolen.

The Target breach remains, to date, the most successful POS malware attack in history and one of the most destructive data breaches across all forms of cybercrime.

Over the Thanksgiving period of November 2013, Target's POS systems were infected with BlackPOS. It was not until mid-December that the retailer became aware of the breach. The attackers got into Target's network using credentials stolen from a third-party HVAC contractor, then pivoted from the vendor-facing systems to the POS estate and pushed BlackPOS onto the registers. As a result, the card data of more than 40 million customers, and the addresses, phone numbers, names, and other personal information of more than 70 million, were stolen.

Other Notable POS Malware Strains

There is a great diversity in the field of POS Malware, and the last decade has seen many new faces in the scene.

Rdasrv – Discovered in 2011, it installs itself on the Windows computer as a service called rdasrv.exe. It scans memory for track 1 and track 2 card data using Perl-compatible regular expressions; that data includes the cardholder's name, account number, expiry date, service code, and the discretionary data that carries the stripe's card verification value. Once scraped, the data is stored in data.txt or currentblock.txt and sent to the hacker.

Alina – Discovered in October 2012, it installs itself automatically; it is embedded in an AutoIt script that loads the malware into memory, after which it scrapes card data from the POS software's processes.

VSkimmer – VSkimmer scrapes information from Windows systems by detecting the card readers attached to the machine, then sends the captured data to the hacker's control server.

FastPOS – FastPOS was discovered by Trend Micro researchers. It strikes the POS system very quickly, grabs the credit and debit card information, and sends it to the hacker immediately rather than batching it. It can exfiltrate track data using two techniques, a keylogger and a memory scraper.

PunkeyPOS – PandaLabs discovered this malware, which infects point-of-sale systems to steal credit and debit card details. PunkeyPOS uses two components, a keylogger and a RAM scraper, to capture data at the terminal. Once stolen, the data is encrypted and sent to the hackers' C&C.

The Future of POS Malware

 


POS malware has two upcoming catalysts that could ensure its proliferation globally: the post-COVID retail reopening and the mass adoption of mobile payments.

During the pandemic, cybercrime has been on the increase, with a rise of nearly 40% from 2019 to 2020, though POS malware contributed little to that statistic because lockdowns kept stores closed. As states and countries gradually ease lockdown regulations, brick-and-mortar stores are welcoming waves of returning customers.

With this comes an increase in POS malware. POS cybercrime has always struck hardest around busy retail periods such as Thanksgiving, and the reopening of businesses will be no different. Businesses must have sufficient cybersecurity in place for this threat.

The other, longer-term catalyst is the rise of mobile payments. Apple Pay and Google Pay are becoming increasingly common and may eventually overtake physical cards. This presents a challenge for security and an opportunity for hackers, with one important caveat: these wallets tokenize the card, so the terminal receives a device-specific account number and a one-time cryptogram rather than the real PAN. A RAM scraper on the terminal therefore captures far less reusable data from a wallet payment than from a swiped magnetic stripe.

The fear of compromise is no longer limited to POS devices but extends to the mobile devices themselves. Mobile malware is undergoing rapid development and has begun to target card details stored on our phones. With potential infections on both the phone and the POS device, a hacker has two opportunities to strike.

Protection

Protection against POS malware must be considered both by businesses using POS systems and by customers paying with their phones. Malware protection on both ends is needed to transact safely. No method of malware protection is 100% effective, but there are tools that can ensure you or your business operate as safely as possible.

SaferNet is one of these tools.


Cloud Cybersecurity Firm Suffer Data Breach at Hands of Extortion Gang

 

Data breaches in the news are usually linked with a particular brand of malware: ransomware. That was not the case with the breach at cloud security firm Qualys. It came at the hands of an extortion gang previously linked with the CLOP ransomware, but no ransomware was used in this data heist.

The breach was made possible by the gang exploiting a zero-day vulnerability in the Accellion File Transfer Appliance (FTA). Security researchers at FireEye had already made public that the Accellion FTA had been attacked through zero-day vulnerabilities.

The gang used the vulnerability to access files hosted in a segregated environment and, as proof, posted screenshots of the files on its dark web leak site. The files contain information about customers of Qualys's cloud security services. The gang has used the same site before to publish data stolen in CLOP ransomware intrusions.

Qualys have not publicly stated if they have received an extortion message from the gang yet, though an investigation is on-going.

Accellion Vulnerabilities Leading To The Data Breach



Last month, FireEye's researchers disclosed the details of four vulnerabilities in Accellion's FTA. These vulnerabilities have been used in a wide range of data heists against several companies, followed by extortion attempts.

The four vulnerabilities are CVE-2021-27101, CVE-2021-27104, CVE-2021-27102, and CVE-2021-27103.

CVE-2021-27101: SQL injection via a crafted Host header
CVE-2021-27102: OS command execution via a local web service call
CVE-2021-27103: SSRF via a crafted POST request
CVE-2021-27104: OS command execution via a crafted POST request
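The first entry in that list, SQL injection through a crafted Host header, is a vulnerability class worth seeing in code. The block below is an added illustration written for this article; it is not Accellion's code and does not model the FTA's internals. It assumes a hypothetical per-tenant configuration table keyed by hostname, shows the unsafe pattern (header pasted into SQL text) beside the hardened one (grammar check, allow-list, bound parameter), and adds a small detection helper that flags access-log lines, in a constructed log format, whose Host value could not be a legitimate hostname.

```python
import re
import sqlite3


# Constructed stand-in for an application's per-tenant configuration table
# (hypothetical schema; nothing here is Accellion's code).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE site_config (hostname TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO site_config VALUES (?, ?)",
        [("files.example.com", "tenant-a-secret"),
         ("files2.example.com", "tenant-b-secret")],
    )
    conn.commit()
    return conn


def lookup_secret_vulnerable(conn, host_header):
    """Vulnerable pattern: the attacker-controlled Host header is pasted into
    the SQL text, so a quote character in the header rewrites the WHERE clause
    and the query can return rows for every tenant."""
    sql = "SELECT secret FROM site_config WHERE hostname = '" + host_header + "'"
    return [row[0] for row in conn.execute(sql)]


# Hostname grammar with an optional port. Anything outside this alphabet
# (quotes, spaces, comment sequences) is rejected before it reaches SQL.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})(?::\d{1,5})?$")
# Names this server actually serves; the Host header is untrusted input and
# should never be used as a database key without this check.
ALLOWED_HOSTS = {"files.example.com", "files2.example.com"}


def lookup_secret_hardened(conn, host_header):
    """Hardened pattern: validate the header against a strict grammar and an
    allow-list, then bind it as a query parameter so the database engine never
    interprets it as SQL."""
    if not HOSTNAME_RE.match(host_header):
        raise ValueError("malformed Host header")
    hostname = host_header.split(":", 1)[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError("Host header not served here")
    rows = conn.execute(
        "SELECT secret FROM site_config WHERE hostname = ?", (hostname,)
    )
    return [row[0] for row in rows]


def flag_suspicious_hosts(log_lines):
    """Detection side: given access-log lines in the constructed format
    '<client_ip> host="<Host header>" <method> <path>', return the lines whose
    Host value violates the hostname grammar. A web server fronting any
    application can log the Host header, so this check is application-agnostic."""
    flagged = []
    for line in log_lines:
        m = re.search(r'host="([^"]*)"', line)
        if m is None or not HOSTNAME_RE.match(m.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    db = make_db()
    print(lookup_secret_hardened(db, "files.example.com:443"))
    sample_logs = [  # constructed sample lines
        '198.51.100.7 host="files.example.com" GET /',
        '198.51.100.9 host="x\' OR 1=1--" POST /api',
    ]
    print(flag_suspicious_hosts(sample_logs))
```

The design point is that the allow-list, not the grammar check, is what prevents a Host header from steering a multi-tenant lookup; the grammar check exists so that malformed headers are refused early and can be counted as a detection signal. Parameter binding then makes the SQL meaning fixed regardless of the value.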

While these were patched by Accellion, two further vulnerabilities were disclosed on March 1st: CVE-2021-27730 and CVE-2021-27731.

CVE-2021-27730: An argument injection vulnerability accessible only to authenticated users with administrative privileges, and
CVE-2021-27731: A stored cross-site scripting flaw accessible only to regular authenticated users

Hackers Behind The Data Breach


The group behind the breach has been dubbed 'UNC2546' by FireEye researchers. The company has been tracking the group since December 2020. UNC2546 has been involved in several data breaches using the zero-day vulnerabilities found in Accellion's FTA.

UNC2546 deploys a web shell named DEWMODE to exfiltrate the data. DEWMODE sits on the FTA and siphons data back to the group's control center.

UNC2546 takes data and posts it on the "CL0P^_- LEAKS" Dark Web website. Another cybercrime group, FIN11, runs the website. The connection between the two has led to speculation that UNC2546 is, in fact, a cell of FIN11.

FIN11 has been active since at least 2016 and has been involved in several ransomware attacks. Notably, they created the infamous CLOP ransomware. Until 2018, the group targeted the financial, retail, and hospitality sectors. They have always shown interest in financial gain through Ransomware and extortion, hence the 'FIN' in their name.

From 2019 onward, FIN11 shifted attention to Point-Of-Sales (POS) attacks. POS malware is a relatively new branch of cybercrime that targets POS card terminals in retail outlets to exfiltrate card information. If a strain of POS malware propagates enough, it can be lucrative to the hackers.

Protection Against Data Breaches

Data breaches brought on by zero-day vulnerabilities are common, though in most cases Ransomware, Phishing, and Spyware are the culprits.

It’s important to have the right tools to protect your business and family against Malware attacks like these. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet's VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
