The post Researchers Find New Web Skimmer Campaign Targeted Over 100 Sites appeared first on CISO MAG | Cyber Security Magazine.
In formjacking attacks, hackers inject malicious JavaScript code into the victim's website to compromise it and steal sensitive information. The deployed code alters the behavior of the targeted website without the user's knowledge.
The researchers stated that the skimmer harvested victims' sensitive information, such as names, emails and phone numbers, and sent it to a collection server, https://cdn-imgcloud[.]com/img, which is also malicious.
“The skimmer itself is highly polymorphic, elusive, and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large. For these reasons, attacks like this raise the stakes for security researchers to untangle their sophisticated strategies and trace them to the root cause. We have to invent more sophisticated strategies to detect skimmer campaigns of this type since merely blocking domain names or URLs used by skimmers is ineffective,” the researchers said.
Unit 42 researchers stated that the attackers injected the skimmer code into the player of the cloud video platform. The code is downloaded automatically whenever a site imports a video embedded with it. Explaining how the skimmer was injected into the video player, the researchers added, “When the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content. We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.”
The post Process Ghosting: A New Executable Image Tampering Technique in the Wild appeared first on CISO MAG | Cyber Security Magazine.
Researchers say Process Ghosting is a new executable image tampering technique with similarities to endpoint evasion methods such as Doppelgänging and Herpaderping. Process Ghosting relies on concealed malicious code to escape anti-malware defenses and detection.
“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF),” Elastic Security said. “A gap between when a process is created and when security products are notified of its creation, giving malware developers a window to tamper with the executable before security products can scan it.”
In a proof-of-concept (PoC) demo video, the researchers showed how Windows Defender initially tried to open the payload executable to scan it but failed because the file was in the delete-pending state. Later attempts to open it also failed because the file had already been deleted. The payload (ghost.exe) executed without issue.
“We detected a variety of process image tampering techniques including Doppelgänging, Herpaderping, and Ghosting. It does this by checking the FILE_OBJECT for abnormalities during the process creation callback. These are reported in process creation events under process.Ext.defense_evasions,” Elastic Security added.
The post LogoKit Phishing Kit Found Running on 700 Unique Domains appeared first on CISO MAG | Cyber Security Magazine.
Security firm RiskIQ recently uncovered a new kind of phishing kit dubbed “LogoKit.” The kit is designed to be deployed easily and allows other attackers to reuse and adapt it.
“Unlike many other phishing kits that take advantage of complex layouts and multiple files, the LogoKit family is an embeddable set of JavaScript functions. These kits are designed to interact within the Document Object Model (DOM)–the site’s presentation layer. Interacting with the DOM allows for the script to dynamically alter the visible content and HTML form data within a page without user interaction,” RiskIQ said.
RiskIQ claimed that LogoKit dupes users with simple login forms embedded in more complex HTML documents that impersonate other services, fetching those services' logos from a third-party service such as Clearbit or Google's favicon database. RiskIQ found more than 700 unique domains running LogoKit, targeting services such as SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchanges.
According to RiskIQ, the following legitimate services have been used by LogoKit actors:
“LogoKit continues the trend of attacking with simplicity and small footprints. In executing only a few lines of customizable JavaScript and loading resources from trusted sources, such as Google Firebase, LogoKit increases its chances of success,” RiskIQ added.
The post SilentFade Social Media Malware Campaign Resurfaces; Indian Users Most Targeted appeared first on CISO MAG | Cyber Security Magazine.
According to a report, India stood first on the list of countries infected by this malware campaign, with 603 infections. Brazil was second with 255 infections, followed by Indonesia with 221.
Kaspersky researchers claimed to have recorded the Frank Rootkit and found multiple similarities to the SilentFade campaign from 2016. A rootkit is malicious software that gives an attacker illicit privileged access to the victim's computer, allowing them to infiltrate an operating system or a database, evade detection and perform malicious operations. A rootkit typically bundles several malicious tools, such as keyloggers, banking credential stealers, password stealers, antivirus disablers, and bots.
Facebook stated that the hacker group managed to defraud victims of more than $4 million, which it used to post malicious ads across social networking platforms. Reportedly, SilentFade is linked to Chinese threat actors that targeted Facebook's ad platform between late 2018 and February 2019.
The same group used a Trojan to compromise users' browsers and steal passwords and browser cookies, eventually obtaining authorized access to their Facebook accounts. They mainly targeted accounts that had a payment method linked to their profiles. The malware campaign ran ads from compromised Facebook accounts and used cloaking to escape detection.
As threat actors often leverage social media platforms to target their victims and perform malicious operations online, users must secure their social media accounts and be vigilant on what they open or download online. Users must:
The post Data Security Alert! American Payroll Association Suffers Web Skimming Attack appeared first on CISO MAG | Cyber Security Magazine.
The attackers gained access to users' login information (usernames and passwords), payment card information (credit card numbers), and personal information (names, dates of birth, email addresses, job titles and roles, primary job function, addresses, employee industry, and type of payroll software used). They also obtained profile photos and social media usernames associated with some accounts.
APA notified the users affected by the incident and offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.
“Since discovering the cyberattack, APA has installed the latest security patches from our content management system to prevent any further exploitation of their website. APA technicians also reviewed all code changes made to the APA website since January; installed additional antivirus software on our servers; and increased the frequency of security patch implementation,” the Association said.
The attack that APA suffered is known as a Magecart attack (also called web skimming or e-skimming), in which attackers inject malicious JavaScript code into e-commerce websites after exploiting a CMS vulnerability. Multiple security incidents involving Magecart hackers have been reported earlier. Recently, researchers from threat intelligence firm RiskIQ uncovered a new Magecart campaign dubbed “Magecart Group 7” that compromised over 19 e-commerce websites to steal customers' payment card data. The researchers discovered a software skimmer, “MakeFrame,” which injects HTML iframes into targeted websites to capture payment information.
The post Notarization Fail! Apple Inadvertently Approves Malware on Macs appeared first on CISO MAG | Cyber Security Magazine.
Apple introduced the notarization process to ensure that apps are malware-free. In notarization, app developers are required to submit their apps to a scanning process that checks for malicious code or other security issues. If an app does not pass notarization, it is blocked by the built-in security function.
Mac security researcher Patrick Wardle discovered samples of the Shlayer adware that had been notarized by Apple. The Flash installer adware campaign, which carried malicious code, was not blocked by the built-in security function. If a user clicked on it, the installer would run and download its payload to the device.
It is stated that the code could have been modified to pass or break the detection that Apple might have had for this adware. Wardle's discovery led Apple to revoke the notarized payload and disable the developer account, preventing the malware from running on Mac computers.
Avast, a maker of digital security and privacy products, recently discovered and reported to Apple's App Store three fleeceware apps, which overcharge users and do not provide the services they promote. The apps are available on the Apple App Store as Beetle VPN, Buckler VPN, and Hat VPN Pro, and according to data from Sensor Tower, a mobile apps marketing intelligence and insights company, they were downloaded over 420K, 271K, and 96K times, respectively, between April 2019 and May 2020. Fleeceware is characterized by overcharging users for functionality that is widely available in free or low-cost apps.
The post Researchers Find Vulnerabilities in Autodesk, Trend Micro, Kaspersky Software appeared first on CISO MAG | Cyber Security Magazine.
According to SafeBreach Labs, the vulnerability, tracked as CVE-2019-15628, affects Trend Micro Maximum Security version 16.0.1221 and below.
The researchers stated that the lack of safe DLL loading means attackers can exploit the bug to load unsigned DLLs.
Once exploited, the vulnerability can lead to application whitelisting bypass, evasion of security protections, and potentially privilege escalation, the researchers stated.
“The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted,” SafeBreach Labs said in a statement.
The other security bug, tracked as CVE-2019-15689 and discovered at the same time, affects Kaspersky Secure Connection. This vulnerability can reportedly only be exploited if an attacker already has administrator privileges.
According to the researchers, attackers can abuse this vulnerability during a post-exploitation phase to achieve signed code execution, persistence, and defense evasion.
“The vulnerability gives an attacker the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL, the service will load the malicious code each time it is restarted,” SafeBreach Labs stated.
The final vulnerability, CVE-2019-7365, was discovered in the Autodesk desktop application (AdAppMgrSvc.exe).
“After an attacker gains access to a computer, he might have limited privileges which can limit access to certain files and data,” the researchers said. “The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer.”
SafeBreach Labs reported the vulnerabilities to Trend Micro, Kaspersky, and Autodesk. Kaspersky stated that it has fixed the security issue in Kaspersky Secure Connection. Trend Micro also issued a patch for the vulnerability.
Autodesk likewise released a patch for CVE-2019-7365 for Autodesk Desktop Application (ADA) users. “We highly recommend that customers apply the latest update for ADA by clicking the update button on the application. A security advisory with more information is available on the Autodesk Trust Center,” Autodesk wrote to CISO MAG.