What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
bleepingcomputer.webp 2022-09-19 12:07:36 VMware, Microsoft warn of widespread Chromeloader malware attacks (lien direct) The operators of the Chromeloader adware are evolving their attack methods and gradually transforming the low-risk tool into a dangerous malware loader, seen dropping ransomware in some cases. [...] Ransomware Malware Tool
Fortinet.webp 2022-09-19 11:32:00 Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I (lien direct) FortiGuard Labs discovered an Excel document with an embedded file name that is randomized, which exploits CVE-2017-11882 to deliver and execute malware on a victim's device. Read our blog to learn what malware families it can download and what malicious actions it can conduct. Malware
SecurityAffairs.webp 2022-09-19 05:09:43 TeamTNT is back and targets servers to run Bitcoin encryption solvers (lien direct) AquaSec researchers observed the cybercrime gang TeamTNT hijacking servers to run Bitcoin solvers since early September. In the first week of September, AquaSec researchers identified at least three different attacks targeting their honeypots; the experts associated them with the cybercrime gang TeamTNT. The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 […] Malware
SANS.webp 2022-09-18 22:58:27 Preventing ISO Malware, (Sun, Sep 18th) (lien direct) In the last few weeks, I've seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things. Malware ★★★★★
bleepingcomputer.webp 2022-09-17 11:17:23 Emotet botnet now pushes Quantum and BlackCat ransomware (lien direct) While monitoring the Emotet botnet's current activity, security researchers found that the malware is now being used by the Quantum and BlackCat ransomware gang to deploy their payloads. [...] Ransomware Malware
The_Hackers_News.webp 2022-09-16 19:47:00 Researchers Find Link b/w PrivateLoader and Ruzki Pay-Per-Install Services (lien direct) Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI service dubbed ruzki. "The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021," SEKOIA said. The Malware Threat
globalsecuritymag.webp 2022-09-16 12:29:16 August's Top Malware in France: FormBook keeps the top spot ahead of AgentTesla and GuLoader (lien direct) August's Top Malware in France: FormBook keeps the top spot ahead of AgentTesla and GuLoader. Check Point Research (CPR), the threat intelligence arm of Check Point® Software Technologies Ltd., publishes its Global Threat Index for August 2022. According to CPR, FormBook is the most widespread malware in France. - Malwares Malware
The_Hackers_News.webp 2022-09-15 20:00:00 Researchers Warn of Self-Spreading Malware Targeting Gamers via YouTube (lien direct) Gamers looking for cheats on YouTube are being targeted with links to malicious password-protected archive files designed to install the RedLine Stealer malware and crypto miners on compromised machines. "The videos advertise cheats and cracks and provide instructions on hacking popular games and software," Kaspersky security researcher Oleg Kupreev said in a new report published today. Malware
The_Hackers_News.webp 2022-09-15 17:55:00 Russian Gamaredon Hackers Target Ukrainian Government Using Info-Stealing Malware (lien direct) An ongoing espionage campaign operated by the Russia-linked Gamaredon group is targeting employees of Ukrainian government, defense, and law enforcement agencies with a piece of custom-made information stealing malware. "The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine," Cisco Talos researchers Asheer Malhotra and Guilherme Venere said in a Malware
SecurityAffairs.webp 2022-09-15 15:32:00 Experts warn of self-spreading malware targeting gamers looking for cheats on YouTube (lien direct) Threat actors target gamers looking for cheats on YouTube with the RedLine Stealer information-stealing malware and crypto miners. Researchers from Kaspersky have spotted a self-extracting archive, served to gamers looking for cheats on YouTube, that was employed to deliver the RedLine Stealer information-stealing malware and crypto miners. The RedLine malware allows operators to steal several […] Malware
bleepingcomputer.webp 2022-09-15 13:35:15 New malware bundle self-spreads through YouTube gaming videos (lien direct) A new malware bundle uses victims' YouTube channels to upload malicious video tutorials advertising fake cheats and cracks for popular video games to spread the malicious package further. [...] Malware
bleepingcomputer.webp 2022-09-15 10:38:02 Russian hackers use new info stealer malware against Ukrainian orgs (lien direct) Russian hackers have been targeting Ukrainian entities with previously unseen info-stealing malware during a new espionage campaign that is still active. [...] Malware
Checkpoint.webp 2022-09-15 10:35:26 The mobile malware landscape in 2022 – Of Spyware, Zero-Click attacks, Smishing and Store Security (lien direct) Cyberattacks are increasing in number all the time. Indeed, our 2022 Mid-Year Report revealed a 42% global year-on-year increase in attacks. And according to the World Economic Forum's 2022 Global Risk Report, 95% of cybersecurity issues are traced back to human error. This should be a red flag for all organizations, especially with the transition… Malware
MalwarebytesLabs.webp 2022-09-15 10:00:00 Cyber threat hunting for SMBs: How MDR can help (lien direct) Categories: Business. Threat hunting can weed out malware before anything bad like a data breach can happen, but cyber threat hunting is more difficult for SMBs to do than it is for large organizations due to resource constraints. That's where Managed Detection and Response (MDR) can help. Data Breach Malware Threat
2022-09-15 08:02:21 Gamaredon APT targets Ukrainian government agencies in new campaign (lien direct) By Asheer Malhotra and Guilherme Venere. Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase. We discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers. Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint. The adversary uses phishing emails to deliver Microsoft Office documents containing remote templates with malicious VBScript macros. These macros download and open RAR archives containing LNK files that subsequently download and activate the next-stage payload on the infected endpoint. We observed considerable overlap between the tactics, techniques and procedures (TTPs), malware artifacts and infrastructure used in this campaign and those used in a series of attacks the Ukraine Computer Emergency Response Team (CERT-UA) recently attributed to Gamaredon. We also observed intrusion attempts against several Ukrainian entities. Based on these observations and Gamaredon's operational history of almost exclusively targeting Ukraine, we assess that this latest campaign is almost certainly directly targeting entities based in Ukraine. Attack Chain: Initial Access. Gamaredon APT actors likely gained initial footholds into targeted networks through malicious Microsoft Office documents distributed via email. This is consistent with spear-phishing techniques common to this APT. Malicious VBS macros concealed within remote templates execute when the user opens the document. The macros download RAR archives containing LNK files. The naming convention of the RAR archives in this campaign follows a similar pattern: 31.07.2022.rar, 04.08.2022.rar Malware Threat
bleepingcomputer.webp 2022-09-15 06:00:00 Webworm hackers modify old malware in new attacks to evade attribution (lien direct) Chinese cyberespionage hackers of the 'Webworm' group are undergoing experimentation, using modified decade-old RATs (remote access trojans) in the wild. [...] Malware
mcafee.webp 2022-09-14 17:33:13 Fake Security App Found Abuses Japanese Payment System (lien direct) McAfee's Mobile Research team recently analyzed new malware targeting NTT DOCOMO users in Japan. The malware which was distributed on... Malware
TechRepublic.webp 2022-09-14 17:22:49 North Korean cyberespionage actor Lazarus targets energy providers with new malware (lien direct) Lazarus, a North Korean cyberespionage group, keeps hitting energy providers in the U.S., Canada and Japan with a new malware arsenal. Malware APT 38
The_Hackers_News.webp 2022-09-14 15:50:00 SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor (lien direct) A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant. Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed SparklingGoblin. The unnamed university is said to have been already targeted by the Malware
The_Hackers_News.webp 2022-09-14 15:40:00 How to Do Malware Analysis? (lien direct) According to the 2022 Malwarebytes Threat review, 40M Windows business computers' threats were detected in 2021. And malware analysis is necessary to combat and avoid this kind of attack. In this article, we will break down the goal of malicious programs' investigation and how to do malware analysis with a sandbox. What is malware analysis? Malware analysis is a process of studying a malicious Malware Threat
InfoSecurityMag.webp 2022-09-14 15:00:00 FormBook Knocks Off Emotet As Most Used Malware in August (lien direct) The report also suggested the Android spyware Joker took third place in the mobile index Malware
The_Hackers_News.webp 2022-09-14 14:21:00 Researchers Detail OriginLogger RAT - Successor to Agent Tesla Malware (lien direct) Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla. A .NET based keylogger and remote access, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted Malware Threat
no_ico.webp 2022-09-14 12:34:36 Hackers Are Using WeTransfer Links To Spread Malware (lien direct) According to Metro, hackers are adopting a new phishing scam by disguising malware as WeTransfer links. The scam involves hackers sending a 'Proof of Payment' document from WeTransfer, but instead sharing a link containing malware.WeTransfer is a free file-sharing site used by several workers and businesses. Hackers have figured out a way to use this […] Malware
SecurityWeek.webp 2022-09-14 11:45:00 Malware Infects Magento-Powered Stores via FishPig Distribution Server (lien direct) For the past several weeks, Magento stores have been injected with malware via a supply chain attack that targeted the FishPig distribution server. Specialized in Magento optimizations and Magento-WordPress integrations, FishPig offers various Magento extensions that have gathered over 200,000 downloads. Malware
ComputerWeekly.webp 2022-09-14 10:30:00 FormBook knocks Emotet off top of malware chart (lien direct) No details / No more details Malware
bleepingcomputer.webp 2022-09-14 08:07:28 Chinese hackers create Linux version of the SideWalk Windows malware (lien direct) State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector. [...] Malware
SANS.webp 2022-09-14 06:57:33 Easy Process Injection within Python, (Wed, Sep 14th) (lien direct) Process injection is a common technique used by malware to cover their tracks. What looks more legit than a process called "notepad.exe" or "explorer.exe"? There are multiple ways to perform process injection; one of them is called "Process Hollowing" (T1055/012/)[1]. When I'm teaching FOR610, students are often surprised that it's a feature of the operating system, so, by default, not malicious. Microsoft offers all the required API calls to perform this. Some legit applications use many process injection techniques like your best antivirus or EDR solution! Malware
Blog.webp 2022-09-14 00:40:00 Phishing Websites Disguised as Korean Groupware Login Website Being Distributed (lien direct) The ASEC analysis team has been building a honeypot to collect various malware strains that are being distributed both in Korea and overseas. The honeypot also collects phishing emails and recently caught one targeting Korean users, which was being distributed continuously to Korean email accounts only since August. The phishing website the email is redirected to is disguised as a login page for a Korean groupware site, and over 2,500 cases were confirmed to access the website. Thus users must... Malware
Blog.webp 2022-09-14 00:30:00 (Déjà vu) ASEC Weekly Malware Statistics (August 29th, 2022 – September 4th, 2022) (lien direct) The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from August 29th, 2022 (Monday) to September 4th, 2022 (Sunday). For the main category, info-stealer ranked top with 45.9%, followed by downloader with 28.1%, backdoor with 18.5%, ransomware with 6.2%, and CoinMiner and banking malware with 0.7% each. Top 1 – GuLoader GuLoader, which ranked first place with 22.6%, is a downloader malware that... Ransomware Malware
CVE.webp 2022-09-13 19:15:13 CVE-2022-39206 (lien direct) Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue. Malware
The_Hackers_News.webp 2022-09-13 16:04:00 (Déjà vu) Asian Governments and Organizations Targeted in Latest Cyber Espionage Attacks (lien direct) Government and state-owned organizations in a number of Asian countries have been targeted by a distinct group of espionage hackers as part of an intelligence gathering mission that has been underway since early 2021. "A notable feature of these attacks is that the attackers leveraged a wide range of legitimate software packages in order to load their malware payloads using a technique known as Malware
Anomali.webp 2022-09-13 15:00:00 Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran's Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona. BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by the China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as an unwarranted email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | Ransomware Malware Tool Vulnerability Threat Guideline APT 27 APT 34
bleepingcomputer.webp 2022-09-13 11:21:48 Hackers breach software vendor for Magento supply-chain attacks (lien direct) Hackers have injected malware in multiple extensions from FishPig, a vendor of Magento-WordPress integrations that count over 200,000 downloads. [...] Malware
SecurityWeek.webp 2022-09-13 10:15:39 Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices (lien direct) Spyware, ransomware and cryptojacking malware have been increasingly detected on industrial control system (ICS) computers, according to data collected in the first half of 2022 by cybersecurity firm Kaspersky. Ransomware Malware
InfoSecurityMag.webp 2022-09-13 08:45:00 Researchers Warn of 674% Surge in Deadbolt Ransomware (lien direct) Malware continues to infect QNAP devices Ransomware Malware
bleepingcomputer.webp 2022-09-13 06:00:00 Cyberspies drop new infostealer malware on govt networks in Asia (lien direct) Security researchers have identified new cyber-espionage activity focusing on government entities in Asia, as well as state-owned aerospace and defense firms, telecom companies, and IT organizations. [...] Malware
Chercheur.webp 2022-09-12 14:41:17 New Linux Cryptomining Malware (lien direct) It’s pretty nasty: The malware was dubbed “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that’s just 370 bytes. Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system... Malware
SANS.webp 2022-09-10 17:42:59 Phishing Word Documents with Suspicious URL, (Sat, Sep 10th) (lien direct) Got this word document this week that was quarantined as phishing by Defender (223341099.docx) with the Subject: Urgent Payment Issue. Using Didier malware analysis tools, I ran through the following checks to see what could be embedded in it that is likely suspicious. I first checked the file using oledump.py to see if there were any OLE files in this document. Malware
News.webp 2022-09-10 11:00:07 Shape-shifting cryptominer savaging Linux endpoints and IoT (lien direct) Also: Authorities seize WT1SHOP selling 5.8m sets of PII; The North Face users face tough security hike. In brief: AT&T cybersecurity researchers have discovered a sneaky piece of malware targeting Linux endpoints and IoT devices in the hopes of gaining persistent access and turning victims into crypto-mining drones.… Malware
TroyHunt.webp 2022-09-09 20:22:31 New Linux malware combines unusual stealth with a full suite of capabilities (lien direct) With polymorphic encoding and a multistage infection chain, Shikitega is hard to detect. Malware
TechRepublic.webp 2022-09-09 15:25:18 The rise of Linux malware: 9 tips for securing the OSS (lien direct) Jack Wallen ponders the rising tide of Linux malware and offers advice on how to help mitigate the issue. Malware
bleepingcomputer.webp 2022-09-09 10:00:00 Lampion malware returns in phishing attacks abusing WeTransfer (lien direct) The Lampion malware is being distributed in greater volumes lately, with threat actors abusing WeTransfer as part of their phishing campaigns. [...] Malware Threat
Fortinet.webp 2022-09-08 19:21:11 New Conti Ransomware Campaign Observed in the Wild (lien direct) FortiGuard Labs has observed a new wave of ransomware threats belonging to the Conti malware family, active in Mexico. These variants appear to target the latest Linux and ESX systems and enable the attacker to encrypt files on the victim's machine and guest virtual machines. The variants are all dynamically linked 64-bit ELF samples written in C. A similar sample to the ones in this campaign was documented previously by Trellix. Why is this Significant? This is significant because the newly observed campaign was launched by the Conti ransomware group, who are known for taking encrypted files and stolen information belonging to countless companies from varying sectors hostage for profit. The group announced it plans to retaliate against western targets after the Russian invasion of Ukraine, adding a political motivation on top of financial gain. This new campaign seems to be similar to the previous campaigns; however, some of the samples involved have much lower detection rates at the time of this writing. What Does the Malware Do? Conti ransomware variants used in the new campaign perform activities identical to the previous ones: they encrypt files on the compromised machine and add a ".conti" file extension to them after the threat actor exfiltrates information from the victim's network. They will then demand a ransom payment from the victim in order to recover the affected files and to prevent stolen information from being released to the public. It leaves a ransom note that reads: All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it". As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DONT'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publich it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these as a hostile intent and initiate the publication of whole compromised data immediatly. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://[Removed].onion/ - YOU SHOULD BE AWARE We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US Your decisions and action can result in serious harm to your company Inform your supervisors and stay calm. The malware can also be run on ESX environments and has the ability to shut down and encrypt the associated virtual machines. The malware has a detailed helper dialog. This provides another indication of the fact that the Conti group consists of many people. What is the Status of Coverage? FortiGuard Labs provides the following AV signatures for the Conti ransomware samples observed in the new campaign: Linux/Filecoder_Conti.083E!tr.ransom, Linux/Filecoder_Conti.0B97!tr.ransom, Linux/Filecoder_Conti.14E3!tr.ransom, Linux/Filecoder_Conti.3233!tr.ransom, Linux/Filecoder_Conti.3691!tr.ransom, Linux/Filecoder_Conti.3FA2!tr.ransom, Linux/Filecoder_Conti.5DE1!tr.ransom, Linux/Filecoder_Conti.638B!tr.ransom, Linux/Filecoder_Conti.65AB!tr.ransom, Linux/Filecoder_Conti.919D!tr.ransom, Linux/Filecoder_Conti.BDC5!tr.ransom, Linux/Filecoder_Conti.C2F5!tr.ransom, Linux/Filecoder_Conti.C3D1!tr.ransom, Linux/Filecoder_Babyk.H!tr, PossibleThreat. FortiEDR blocks the Conti samples pre-execution. Ransomware Malware Threat
Fortinet.webp 2022-09-08 19:12:07 New Shikitega Malware Targets Linux Machines (lien direct) FortiGuard Labs is aware of a new report of a new malware for Linux observed in the wild. Dubbed Shikitega, its attack flow involves multiple modules that are downloaded from a Command and Control (C2) server. Each module has its own purpose and is responsible for downloading and executing the next module. The goal of Shikitega is to deploy the XMRig cryptominer, taking control of the compromised Linux machine. Why is this Significant? This is significant because Shikitega is a new Linux malware that is designed to take full control of a compromised machine. It uses a variety of attack arsenals: the "Shikata Ga Nai" ("it cannot be helped" in Japanese) polymorphic shellcode encoder to evade detection from AV products, exploits for a couple of vulnerabilities for privilege escalation, a Metasploit meterpreter called "Mettle" that enables the attacker to perform a wide range of malicious activities on the infected machine, and the XMRig cryptominer for mining Monero. What is Shikitega Malware? Shikitega is a malware that is designed to run on Linux machines and consists of small modules. Shikitega's infection chain starts with a single dropper containing a payload obfuscated by the "Shikata Ga Nai" polymorphic encoder. Once the payload is decrypted and executed, it not only downloads the next module from its C2 server but also downloads another dropper module and runs them. One new module is a Metasploit meterpreter called "Mettle" that allows the attacker to perform malicious activities on the infected machine such as taking control of webcams and executing shell commands. The other module is also encoded using "Shikata Ga Nai" and is responsible for downloading another module and executing it with root privileges by exploiting two vulnerabilities (CVE-2021-4034 and CVE-2021-3493). The next module is XMRig, which is a legitimate but oft-abused cryptominer for the Monero cryptocurrency. What Vulnerabilities does Shikitega Exploit? Shikitega exploits CVE-2021-4034 and CVE-2021-3493 for privilege escalation. CVE-2021-4034 is a vulnerability in the polkit packages, which provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Successful exploitation of the vulnerability allows an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.8 and is included in CISA's Known Exploited Vulnerabilities Catalog. CVE-2021-3493 is a flaw in the Linux kernel in which the overlayfs stacking file system did not properly validate the application of file system capabilities with respect to user namespaces. Successful exploitation of the vulnerability allows an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.4. Are Patches Available for CVE-2021-4034 and CVE-2021-3493? Yes, both vulnerabilities have been fixed. What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against available samples: PossibleThreat, Linux/CVE_2021_3493.A!tr, Linux/CVE_2021_4034.G!tr. FortiGuard Labs is currently investigating additional coverage for CVE-2021-4034 and CVE-2021-3493. This Threat Signal will be updated when an update becomes available. Malware Vulnerability Threat
SecurityWeek.webp 2022-09-08 18:01:32 New 'Shikitega' Linux Malware Grabs Complete Control of Infected Systems (lien direct) Security researchers with AT&T Alien Labs are warning of a new piece of malware that can take full control of infected Linux systems, including Internet of Things (IoT) devices. Malware
bleepingcomputer.webp 2022-09-08 16:51:52 Bumblebee malware adds post-exploitation tool for stealthy infections (lien direct) A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. [...] Malware Tool
The_Hackers_News.webp 2022-09-08 16:32:00 Chinese Hackers Target Government Officials in Europe, South America and Middle East (lien direct) A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX. Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrating the adversary's continued focus on espionage against governments around the world. "PlugX is Malware
CSO.webp 2022-09-08 14:14:00 North Korean state-sponsored hacker group Lazarus adds new RAT to its malware toolset (lien direct) Security researchers have discovered a new remote access Trojan (RAT) being used in attack campaigns this year by Lazarus, a threat actor tied to the North Korean government. The new RAT has been used alongside other malware implants attributed to Lazarus and it's mainly used in the first stages of an attack.Dubbed MagicRAT, the new Lazarus malware program was developed using Qt, a framework commonly used to develop graphical user interfaces for cross-platform applications. Since the Trojan doesn't have a GUI, researchers from Cisco Talos believe the reason for using Qt was to make detection harder.To read this article in full, please click here Malware Threat APT 38
News.webp 2022-09-08 12:00:09 Lazarus Group unleashed a MagicRAT to spy on energy providers (lien direct) Cisco finds custom malware in North Korea's latest cyberespionage effort The North Korean state-sponsored crime ring Lazarus Group is behind a new cyberespionage campaign with the goal to steal data and trade secrets from energy providers across the US, Canada and Japan, according to Cisco Talos.… Malware Medical APT 38
AlienVault.webp 2022-09-08 10:00:00 Why does preparing for AI attacks need to be your next big agenda? (lien direct) This blog has been written by an independent guest blogger. Since its advent, the debate over the ethical and unethical use of AI has been ongoing. From movies to discussions and research, the likely adversarial impact AI could have on the world has been a constant cause of concern for every privacy- and security-conscious person out there. AI indeed plays a core role in the modern milestones the world has achieved. Nevertheless, despite graphic movies like I, Robot playing out the potential damage of integrating AI into the normal functions of life, AI has continued to grow rapidly. Its roots and impacts are evident in every sphere of life, be it the medical, technological, educational, or industrial sector. The flipside that everyone has long been dreading is rapidly starting to take form. The emergence of AI-based attacks AI-based attacks are still relatively rare, but according to a survey by Forrester, 88% of security experts believe that these AI-powered attacks will become more common in the coming years. For now, some of the most prevalent AI-based cyber-attacks that have surfaced are as follows: AI manipulation or data poisoning For a long time, AI manipulation or data poisoning has been the typical type of AI-based cyber-attack. It is an adversarial attack in which hackers poison the data of trained AI models, forcing them to behave maliciously. Nowadays, the use of AI is prevalent in almost every organization. AI tools play an essential part in data storage and analysis, along with protection from various cyber-attacks such as malware or phishing. Such tools are designed to automate tasks, but they also make threat protection itself a target for data poisoning.
Since the AI works by observing behavior patterns and pre-fed information, a hacker can tamper with the pre-fed information and feed the AI tool malicious data. Such an act can have an adversarial impact. For example, hackers can manipulate a phishing tool designed to detect and delete phishing emails into letting them through to its users' inboxes. One common example of data poisoning attacks is AI-manipulated deepfakes, which have taken social media by storm. AI-based social engineering attacks Since AI is designed to perform tasks typically associated with human cognition, cybercriminals can exploit it for several nefarious purposes, such as enhancing social engineering attacks. AI works by trying to identify and replicate patterns in human behavior, making it a convenient tool for persuading users into undermining systems and handing over confidential information. Apart from that, during the reconnaissance phase of an attack, AI can be used to study the target by scouring social media and various databases. AI can find out the behavioral patterns of the target, such as the language they use, their interests, and what topics they usually talk about. The information collected can be used to create a successful spear phishing or BEC attack. AI automation Another significant advantage cybercriminals gain from AI-based attacks is automation. AI tools can significantly endanger endpoint security by automating intrusion detection techniques and launching attacks at unprecedented speeds. Moreover, AI can also scour target networks, computers, and applications for possible vulnerabilities and loopholes that hackers can exploit. Apart from that, automation allows cybercriminals to launch significantly larger attack campaigns. With AI automating most of their work, such as vulnerability assessment and data analysis, cybercriminals now have the leve Malware Tool Vulnerability Threat
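The data-poisoning scenario the post describes (a phishing filter trained into letting phishing through) is concrete enough to show end to end. The following is an added example, not code from the AlienVault post or its author: a minimal multinomial naive Bayes spam classifier, a constructed training set, an attacker who submits phishing-style messages with the "legitimate" label (the kind of feedback a "not spam" button feeds back into training), and a simple defence that flags feedback which contradicts the current model. All emails, labels and thresholds are constructed for the example.

```python
"""Label-flipping data poisoning against a toy phishing-email classifier.

Added example, not code from the AlienVault post. Everything here is
constructed: the training emails, the attacker's poison message and the
classifier (a minimal multinomial naive Bayes with add-one smoothing).
"""
import math
from collections import Counter

# Constructed training data: (text, label). 1 = phishing, 0 = legitimate.
CLEAN_TRAINING = [
    ("urgent verify your account password now", 1),
    ("your account suspended click link verify", 1),
    ("password reset required click here now", 1),
    ("confirm your bank account credentials urgent", 1),
    ("meeting agenda for tomorrow attached", 0),
    ("lunch next week with the team", 0),
    ("quarterly report draft attached for review", 0),
    ("reminder team standup moved to tuesday", 0),
]

# The attacker's poison: a phishing-style message submitted with the
# legitimate label (e.g. through a "report as not spam" feedback loop).
POISON_TEXT = "urgent verify your account password click link"
POISON_LABEL = 0


def tokenize(text):
    return text.lower().split()


class NaiveBayes:
    """Multinomial naive Bayes, retrained from scratch on each fit()."""

    def fit(self, examples):
        self.docs = Counter()
        self.words = {0: Counter(), 1: Counter()}
        vocab = set()
        for text, label in examples:
            self.docs[label] += 1
            for tok in tokenize(text):
                self.words[label][tok] += 1
                vocab.add(tok)
        self.vocab_size = len(vocab)
        self.total = {c: sum(self.words[c].values()) for c in (0, 1)}
        self.n_docs = sum(self.docs.values())
        return self

    def log_posterior(self, text, label):
        # log P(label) + sum over tokens of log P(token | label), add-one smoothed
        score = math.log(self.docs[label] / self.n_docs)
        denom = self.total[label] + self.vocab_size
        for tok in tokenize(text):
            score += math.log((self.words[label][tok] + 1) / denom)
        return score

    def predict(self, text):
        return 1 if self.log_posterior(text, 1) > self.log_posterior(text, 0) else 0


def train_poisoned(n_poison):
    """Train on the clean set plus n_poison mislabelled copies of POISON_TEXT."""
    return NaiveBayes().fit(CLEAN_TRAINING + [(POISON_TEXT, POISON_LABEL)] * n_poison)


def min_poison_to_flip(target, max_poison=20):
    """Smallest number of poison records that makes `target` classify as legitimate."""
    for n in range(max_poison + 1):
        if train_poisoned(n).predict(target) == 0:
            return n
    return None


def suspicious_feedback(model, text, claimed_label, margin=2.0):
    """Defence: True when the current model's log-odds against `claimed_label`
    exceed `margin`, i.e. the feedback contradicts a confident verdict and
    should be held for review instead of going straight into retraining."""
    delta = model.log_posterior(text, 1) - model.log_posterior(text, 0)
    log_odds_against = -delta if claimed_label == 1 else delta
    return log_odds_against > margin


if __name__ == "__main__":
    target = "urgent verify your password click link"
    clean = train_poisoned(0)
    print("clean model verdict:", "phish" if clean.predict(target) else "legit")
    print("poison records needed to flip the verdict:", min_poison_to_flip(target))
    print("poison held for review:", suspicious_feedback(clean, POISON_TEXT, POISON_LABEL))
```

On this constructed set three mislabelled records out of eleven are enough to flip the verdict on an unseen phishing message, which is the point of the passage: the attacker never touches the model, only its training feed. The `suspicious_feedback` check is the cheapest mitigation, since a label that contradicts the model's confident prediction is exactly what label-flipping poison looks like.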
Last update at: 2024-07-21 02:08:45