Malware attacks Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security
Mon, 17 Jan 2022 14:07:45 +0000

Microsoft Finds New Malware Targeting Organizations in Ukraine
https://staging-cisomagcom.kinsta.cloud/microsoft-finds-new-malware-targeting-organizations-in-ukraine/
Mon, 17 Jan 2022 14:07:45 +0000

Microsoft’s security experts have identified a novel malware campaign targeting several IT, non-profit, and government organizations in Ukraine. Tracked as WhisperGate, the destructive campaign was first spotted on January 13. According to a report from the Microsoft Threat Intelligence Center (MSTIC), the malware is designed to look like ransomware but lacks any ransom recovery mechanism, which indicates that the campaign is intended to damage the targeted systems rather than to obtain a ransom.

“Our investigation teams have identified the malware on dozens of impacted systems, and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting,” MSTIC said.

While the attackers behind this malware campaign are unknown, Microsoft stated it had notified the affected users and organizations about WhisperGate.

WhisperGate Campaign Infection 

The WhisperGate malware overwrites the Master Boot Record (MBR) on victim systems with a fake ransom note containing a Bitcoin wallet address and a Tox ID. The malicious code runs when the compromised device is powered down. On infected systems the malware has been found in working directories including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, often under the name stage1.exe.


“The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse, and the malware destructs MBR and the contents of the files it targets,” MSTIC added.

Mitigations

  • Review all authentication activity for remote access infrastructure, focusing on accounts configured with single-factor authentication, to confirm the authenticity and investigate any abnormal activity.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and enforce MFA for remote connectivity.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.

BADNEWS for Hackers! Patchwork Group Expose Themselves in Malware Campaign
https://staging-cisomagcom.kinsta.cloud/badnews-for-hackers-patchwork-group-expose-themselves-in-malware-campaign/
Tue, 11 Jan 2022 14:18:22 +0000

Cybercriminals, not only their victims, sometimes fall foul of their own mistakes. An India-based threat actor group dubbed Patchwork, which has targeted users and government organizations in Pakistan, inadvertently exposed its own hacking operation online. Active since 2015, Patchwork has hit various entities in Pakistan via spear-phishing attacks. According to a report from Malwarebytes, the attackers leaked all the information their own malware gathered from their systems, including details of the malware, captured keystrokes, and screenshots.

Hackers Spreading Ragnatela via BADNEWS

The researchers stated that in its recent campaign, running from late November to early December 2021, Patchwork used malicious RTF files to drop a new variant of the BADNEWS Trojan dubbed Ragnatela. The group distributed the Ragnatela RAT to targeted systems through spear-phishing emails.

Ragnatela’s capabilities include:

  • Executing commands via cmd
  • Capturing screenshots
  • Logging keystrokes
  • Collecting a list of all files on the victim’s machine
  • Collecting a list of the applications running on the victim’s machine at specific intervals
  • Downloading additional payloads
  • Uploading files


Patchwork operators lured victims with fake documents impersonating Pakistani authorities. The group used virtual machines and VPNs to develop and push updates and to track their victims.

The victims of the Ragnatela Trojan include:

  • Ministry of Defense, Government of Pakistan
  • National Defense University of Islamabad
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • International Center for Chemical and Biological Sciences
  • HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi
  • SHU University, Molecular Medicine

Indicators of Compromise (IoC)

Lure

  • karachidha[.]org/docs/EOIForm.rtf
    SHA-256: 5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6

RAT

  • DLL
    SHA-256: 3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3

C2

  • bgre[.]kozow[.]com

“While Patchwork uses the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers. Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding of who sits behind the keyboard,” the researchers said.

Redline Malware Campaign Reveals Risks of Saving Passwords in Browsers
https://staging-cisomagcom.kinsta.cloud/redline-malware-campaign-reveals-risks-of-saving-passwords-in-browsers/
Mon, 03 Jan 2022 10:22:41 +0000

Today’s browsers offer an auto-login feature that saves passwords for frequently used online services. While saving passwords in the browser is convenient, it is not a good idea. A new analysis uncovered an info-stealing malware dubbed Redline that targets web browsers such as Opera, Chrome, and Edge to harvest saved login credentials. According to a report from AhnLab ASEC, the Redline campaign targets users who have enabled the auto-login feature in their browsers. The analysts stated that Redline, also called Redline Stealer, compromised a company VPN account by infecting a remote employee’s device on which the VPN password had been saved in the browser. Threat actors reportedly used the leaked VPN account to break into the company’s internal network three months later.

“The targeted employee used the password management feature provided by the web browser to save and use the account and password for the VPN site on the web browser. While doing so, the PC was infected with malware targeting account credentials, leaking accounts and passwords of various sites, which also included the VPN account of the company,” the analysts said.


Redline Available on Darknet

Active since 2020, Redline Stealer first appeared on a Russian darknet forum. The malware is sold on the dark web for $150-$200, allowing any bad actor to use it. Beyond the malware itself, credentials harvested with Redline are also sold on the dark web.

The main features of Redline malware include:

  • Collecting and stealing information saved in browsers, such as login accounts and passwords, cookies, autofill data, and credit card information
  • Collecting basic system information such as the system’s IP address and OS details
  • Collecting hardware information such as the processor, memory size, and GPU
  • Collecting information on browsers and software installed on the system
  • Collecting running processes and installed anti-malware programs
  • Controlling the target system via SOAP protocol communication
  • Uploading and downloading files
  • Accessing arbitrary URLs and running files

Redline Exposes 6M Records

Recently, security researcher Bob Diachenko revealed that Redline Stealer had exposed more than 6 million records online, and that the Redline campaign is a key source of the stolen sensitive information traded on various cybercriminal and dark web forums.

Compromised credentials pose severe security threats to both organizations and users. Recently, the data breach search website Have I Been Pwned? reportedly added 441,657 unique email addresses stolen by RedLine operators. Data breach victims use Have I Been Pwned? to check whether their email address or phone number has appeared in a security breach. Users who find their email address exposed should update the passwords for all online accounts used on the affected device, including corporate VPNs, email accounts, and other personal accounts.

How to disable auto-login in browsers

Firefox

  1. Click on Menu > Settings
  2. In the Privacy & Security section, uncheck the option “Ask to save logins for passwords and websites”
  3. Also uncheck the option for Autofill logins and passwords
  4. Uncheck Allow Windows single sign-on…
  5. Near Logins & Passwords, click the Saved Logins button
  6. Delete any login credentials that you see.

If you do not use Firefox as your default browser, you will find similar settings in other browsers. Look in the Privacy & Security section under Settings or Advanced Settings.

Microsoft Disrupts Chinese Threat Actor Group Nickel
https://staging-cisomagcom.kinsta.cloud/microsoft-disrupts-chinese-threat-actor-group-nickel/
Tue, 07 Dec 2021 14:02:20 +0000

Microsoft announced that it had disrupted the operations of a Chinese cyberespionage group targeting organizations in the U.S. and 28 other countries. Tracked as Nickel, the advanced persistent threat (APT) group has been linked to various cyberattacks across the globe since 2012, under different names including APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda.

Nickel’s activities included stealing confidential information from government agencies, think tanks, and human rights organizations. By taking control of the malicious websites, Microsoft cut off the group’s access to its victims and stopped those sites from being used in attacks.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Microsoft said.

Nickel’s Cyberespionage

Microsoft researchers observed Nickel using a variety of advanced techniques to deploy custom, hard-to-detect malware that enables intrusion, surveillance, and data theft. The group also used compromised third-party virtual private network (VPN) suppliers or credentials stolen through spear-phishing campaigns to gain access to its targets. Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa.


“Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers, and inform the broader debate on acceptable norms in cyberspace. We will remain relentless in our efforts to improve the security of the ecosystem, and we will continue to share an activity we see, regardless of where it originates,” Microsoft added.

Cyberespionage on the Rise

A security research team from Palo Alto Networks’ Unit 42 uncovered an ongoing cyberespionage campaign by a Chinese group that has already targeted nine organizations belonging to critical global sectors, including education, defense, health care, energy, and technology. The campaign is reportedly focused on stealing critical information from U.S. defense contractors. It is believed the techniques used in the campaign are similar to those of the Chinese threat group Emissary Panda, also known as TG-3390 and APT27.

BotenaGo – A New Malware Targeting Millions of IoT Devices
https://staging-cisomagcom.kinsta.cloud/botenago-a-new-malware-targeting-millions-of-iot-devices/
Tue, 16 Nov 2021 14:32:08 +0000

Cybersecurity researchers at AT&T Labs uncovered a new malware variant targeting routers and IoT devices. Tracked as BotenaGo, the malware uses over 30 exploit methods to compromise targeted devices, exposing millions of IoT devices and routers to infection. The researchers stated that BotenaGo can deploy payloads that are difficult to detect and reverse engineer. While the threat actors behind the BotenaGo campaign are unknown, multiple antivirus products classify BotenaGo as a variant of the Mirai malware.

“The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine. It is yet unclear which threat actor is behind the malware and number of infected devices,” the researchers said.

Using Go Language

Researchers stated that the attackers wrote BotenaGo in the Go programming language. Go, also known as Golang, is an open-source programming language designed by Google. Go has become markedly more popular with malware creators, several of whom have used it to write malware.

“Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems,” the researchers added.

How the BotenaGo Exploit Works

BotenaGo first scans the internet for vulnerable devices and maps each potential victim to one of its attack functions. It then queries the target with a GET request and starts exploiting it. The attackers mainly exploit vulnerabilities in connected devices to execute remote shell commands.

BotenaGo incorporates 30 exploit techniques, chosen according to the target and vulnerability type. Some of the vulnerabilities BotenaGo has targeted include:

  • CVE-2020-9377, CVE-2015-2051, CVE-2016-11021 – D-Link routers
  • CVE-2016-1555, CVE-2016-6277, CVE-2017-6077, CVE-2017-6334 – Netgear devices
  • CVE-2020-8958 – Guangzhou 1GE ONU
  • CVE-2017-18368, CVE-2020-9054 – Zyxel routers and NAS devices
  • CVE-2020-10987 – Tenda products
  • CVE-2019-19824 – Realtek SDK based routers
  • CVE-2014-2321 – ZTE modems

Mitigation

Cybercriminals continue to create new malware and new deployment techniques to target unwitting users. Practicing robust cyber hygiene and following actionable security measures can help mitigate the risks from evolving malware threats.

Trickbot Remains the Most Prevalent Malware
https://staging-cisomagcom.kinsta.cloud/trickbot-remains-the-most-prevalent-malware/
Mon, 15 Nov 2021 14:02:07 +0000

New malware variants keep appearing across the cyberthreat landscape. Cybercriminals continue to write novel malicious code and botnets, or redesign old malware variants, to compromise targeted networks without getting caught. Cybersecurity solutions provider Check Point reported that modular botnets and banking Trojans have become widespread, targeting critical sectors across the globe. Its latest Global Threat Index report, covering October 2021, revealed that the infamous Trickbot Trojan remains the most prevalent malware variant, affecting 4% of organizations worldwide. The report also found that “Apache HTTP Server Directory Traversal” is the most exploited vulnerability in 2021.

Top Malware Families

1. Trickbot

Trickbot began as a banking Trojan and evolved into a prolific malware platform used in numerous cyberattacks against businesses and individuals worldwide. Its capabilities include lateral movement within the network to maximize damage, exfiltrating user credentials from browsers, stealing cookies and OpenSSH keys, theft of RDP, VNC, and PuTTY credentials, and installing additional payloads such as ransomware.

2. XMRig

XMRig is open-source CPU mining software for the Monero cryptocurrency, first seen in the wild in May 2017. Abused as malware, it has affected 3% of organizations globally.

3. Remcos

Remcos is a remote access trojan (RAT) that first appeared in the wild in 2016. It is distributed through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC and execute malware with high-level privileges. It has affected over 2% of organizations across the globe.


Most Targeted Sectors

While attackers distributed their malware variants globally, the most targeted industries are:

  • Education and Research sector
  • Communications
  • Government and Military

Top Exploited Vulnerabilities

Check Point stated that Web Servers Malicious URL Directory Traversal is the most commonly exploited vulnerability in October 2021, affecting over 60% of organizations globally, followed by Web Server Exposed Git Repository Information Disclosure, impacting 55% of organizations worldwide, and HTTP Headers Remote Code Execution with a global impact of 54%.

“The Apache vulnerability only came to light early in October and is already one of the top ten most exploited vulnerabilities worldwide, showing how fast attackers move. This vulnerability can lead threat actors to map URLs to files outside the expected document root by launching a path traversal attack. It’s imperative that Apache users have appropriate protection technologies in place. This month, Trickbot, which is often used to drop ransomware, is the most prevalent malware. Globally, one out of every 61 organizations is impacted by ransomware every week. That’s a shocking figure, and companies need to do more. Many attacks start with a simple email, so educating users on how to identify a potential threat is one of the most important defenses an organization can deploy,” said Maya Horowitz, VP of Research at Check Point Software.

Mitigation

Explaining how organizations can mitigate the significant risks from evolving malware threats, Prakash Bell, Customer Success Head and Security Engineer Team Lead, Check Point Software Technologies, India, said, “Several malware variants are very difficult for a ‘non-technical’ eye to recognize. Therefore, if you suspect you have been infected it would be wise to consult with a security professional or use third-party tools and protections designed to identify, block and even remove this threat from your computer.”

Prakash Bell also recommended the following checks for Mac users:

  1. Check your username in the OS
  2. Go to the /Users/[username]/Library/LaunchAgents directory
  3. Check for suspicious filenames in this directory (the example below is a random name): /Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist
  4. Remove the suspicious file
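Step 3 above asks the reader to spot a "random" filename by eye. The following added example (not from Check Point or the article) makes that check repeatable in Python: it splits each plist name into its reverse-DNS labels and flags labels with traits typical of machine-generated names (mixed case, digits, high character entropy). The sample directory listing is constructed for this example and includes the random name quoted above next to ordinary vendor names; the trait rules and the threshold are assumptions.

```python
import math
import os
from collections import Counter

# Constructed sample listing of a user's ~/Library/LaunchAgents; the
# random-looking entry is the example name quoted in the article.
SAMPLE_LAUNCH_AGENTS = [
    "com.google.keystone.agent.plist",
    "com.microsoft.update.agent.plist",
    "com.wznlVRt83Jsd.HPyT0b4Hwxh.plist",
    "org.mozilla.updater.plist",
    "com.apple.Safari.helper.plist",
]

FLAG_THRESHOLD = 2  # assumption: two or more traits marks a label as random-looking


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_label_traits(label: str) -> list:
    """Traits that make one reverse-DNS label look machine-generated."""
    traits = []
    if any(ch.isupper() for ch in label) and any(ch.islower() for ch in label):
        traits.append("mixed_case")
    if any(ch.isdigit() for ch in label):
        traits.append("contains_digit")
    if len(label) >= 8 and shannon_entropy(label) >= 3.3:
        traits.append("high_entropy")
    return traits


def analyse_plist_name(filename: str) -> dict:
    """Score every label of a LaunchAgent plist name (e.g. com.vendor.app.plist)."""
    stem = filename[:-len(".plist")] if filename.endswith(".plist") else filename
    labels = stem.split(".")[1:]  # drop the TLD-style first label (com, org, ...)
    findings = {lbl: random_label_traits(lbl) for lbl in labels}
    worst = max((len(t) for t in findings.values()), default=0)
    return {"file": filename, "labels": findings, "suspicious": worst >= FLAG_THRESHOLD}


def suspicious_launch_agents(filenames) -> list:
    """Return the plist names that look random, preserving input order."""
    return [f for f in filenames if analyse_plist_name(f)["suspicious"]]


def scan_directory(path: str = "~/Library/LaunchAgents") -> list:
    """Scan a real LaunchAgents directory; returns [] if it does not exist."""
    full = os.path.expanduser(path)
    if not os.path.isdir(full):
        return []
    return suspicious_launch_agents(sorted(os.listdir(full)))


if __name__ == "__main__":
    print("sample:", suspicious_launch_agents(SAMPLE_LAUNCH_AGENTS))
    print("local: ", scan_directory())
```

Treat the output as a review list, not a delete list: vendor agents that embed version numbers or product codes in their labels will also collect the mixed-case and digit traits, so confirm each flagged plist (its ProgramArguments and the signature of the binary it launches) before removing it.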

Some preventive measures for both Mac and Windows users:

  1. Do not open suspicious attachments
  2. Avoid visiting suspicious websites
  3. Use third-party protection software to help identify and prevent malicious behavior on your computer

HTML Smuggling – A Novel Malware Deploying Technique
https://staging-cisomagcom.kinsta.cloud/html-smuggling-a-novel-malware-deploying-technique/
Mon, 15 Nov 2021 09:33:33 +0000

Besides creating new malware variants, cybercriminals keep finding new techniques to deploy malware and evade security scans. According to a report from the Microsoft 365 Defender Threat Intelligence Team, adversaries increasingly rely on HTML smuggling in email phishing and malware campaigns to gain access and infect a network or system with an array of malware, including banking malware, ransomware, and remote access trojans (RATs).

The report stated that attackers also distributed the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the infamous TrickBot malware to gain initial control of compromised systems and deploy ransomware payloads.

What is HTML Smuggling?

HTML smuggling is a malicious technique used by hackers to hide malware payloads in an encoded script in a specially crafted HTML attachment or web page. The malicious script decodes and deploys the payload on the targeted device when the victim opens/clicks the HTML attachment/link. The HTML smuggling technique leverages legitimate HTML5 and JavaScript features to hide malicious payloads and evade security detections.

The HTML smuggling method is highly evasive. It could bypass standard perimeter security controls like web proxies and email gateways, which only check for suspicious attachments like EXE, ZIP, or DOCX.

NOBELIUM Group Used HTML Smuggling

Microsoft researchers stated this technique was observed in a spear-phishing campaign by the infamous NOBELIUM – a Russian state-sponsored group allegedly behind the SolarWinds hacks, the SUNBURST backdoor, GoldMax malware, and the TEARDROP malware campaigns. The researchers stated the malicious email campaign leveraged an HTML file attachment, which, when opened by the victim, uses HTML smuggling to download the primary payload on the targeted device.

Eventually, other cybercriminal groups appeared to have followed NOBELIUM’s suit and adopted the technique for their own campaigns. “The surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining specific components of their attacks by integrating highly evasive techniques. HTML smuggling uses legitimate features of HTML5 and JavaScript, which are both supported by all modern browsers, to generate malicious files behind the firewall. Specifically, HTML smuggling leverages the HTML5 “download” attribute for anchor tags, as well as the creation and use of a JavaScript Blob to put together the payload downloaded into an affected device,” Microsoft said. 

How to Detect HTML Smuggling?

Microsoft recommended security admins to use behavior rules to identify the common characteristics of HTML smuggling, which include:

  • An attached ZIP file contains JavaScript
  • An attachment is password-protected
  • An HTML file contains a suspicious script code
  • An HTML file decodes a Base64 code or obfuscates a JavaScript
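As an added defender-side example (not Microsoft's or the article's code), a heuristic scanner that checks an HTML attachment for the characteristics listed above and in Microsoft's description: the anchor `download` attribute, a JavaScript Blob, and runtime Base64 decoding. The indicator patterns, the score threshold, and the two constructed sample documents are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Added example (not Microsoft's or the article's code). Indicator patterns and the
# score threshold are assumptions chosen to illustrate the characteristics above.
INDICATORS = {
    # HTML5 download attribute on an anchor, or a download name set from script
    "download_attr": re.compile(r"<a\b[^>]*\bdownload\b|\.download\s*=", re.I),
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob", re.I),
    "atob_decode": re.compile(r"\batob\s*\("),
    # a single Base64-looking string literal of 200+ characters
    "b64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    # common obfuscation markers seen alongside smuggling scripts
    "obfuscation": re.compile(r"\bunescape\s*\(|String\.fromCharCode|\\x[0-9a-f]{2}", re.I),
}

@dataclass
class Verdict:
    hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def suspicious(self) -> bool:
        # a download link alone is benign; flag when several indicators co-occur
        return self.score >= 3

def scan_html(html: str) -> Verdict:
    """Return the smuggling indicators that fire in one HTML document."""
    return Verdict([name for name, pat in INDICATORS.items() if pat.search(html)])

# Constructed samples: a plain download link, and a page that rebuilds its payload
# from a Base64 literal into a Blob (the literal is filler, not a real payload).
BENIGN = '<html><body><a href="report.pdf" download>Download report</a></body></html>'
SMUGGLED = (
    '<html><body><script>var b64 = "' + "QUJD" * 60 + '";'
    "var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});"
    "var a = document.createElement('a'); a.href = URL.createObjectURL(blob);"
    "a.download = 'invoice.zip'; a.click();</script></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        v = scan_html(doc)
        print(f"{label}: hits={v.hits} suspicious={v.suspicious}")
```

A mail gateway rule would run `scan_html` over each HTML attachment (and over HTML found inside ZIP attachments) and quarantine or sandbox messages whose verdict is suspicious.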

For endpoints, security admins can prevent HTML smuggling activities by:

  • Blocking JavaScript or VBScript from launching downloaded executable content
  • Blocking execution of potentially obfuscated scripts
  • Blocking executable files from running unless they meet a prevalence, age, or trusted list criterion

Mitigation

Organizations and users can prevent JavaScript code from executing automatically by changing the file associations for .js and .jse files, which reduces the impact of threats that utilize HTML smuggling. Users and employees also need to be aware of common malware infection methods and preventive measures to help mitigate malware-based threats.

The post HTML Smuggling – A Novel Malware Deploying Technique appeared first on CISO MAG | Cyber Security Magazine.
Lone Wolf Campaign Targets India and Afghanistan with Commodity RATs (https://staging-cisomagcom.kinsta.cloud/lone-wolf-campaign-targets-india-and-afghanistan-with-commodity-rats/, Mon, 25 Oct 2021 16:02:54 +0000)

Cyberattacks and malware campaigns against India and its neighboring countries have increased exponentially. Recently, security experts Cisco Talos uncovered a new malware campaign targeting organizations in India and Afghanistan by exploiting a 20-year-old vulnerability in Microsoft Office. Tracked as Lone Wolf, the campaign reportedly deployed a series of commodity remote access trojans (RATs) to obtain full control over the compromised endpoints.

Lone Wolf Attack Phases

The researchers observed Lone Wolf targeting entities in India and Afghanistan by leveraging malicious RTF documents that deploy a variety of commodity malware to victims. Lone Wolf campaign attacks occur in two phases:

  • A reconnaissance phase that delivers a custom file enumerator and infector to the victims
  • An attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT, on the targeted devices

How Lone Wolf Attacks

The Lone Wolf operators were found using political and government-themed malicious domains to target the victims. They deployed the dcRAT and QuasarRAT Trojans on targeted Windows systems via malicious documents that exploit CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office. They also created a Lahore-based fake IT firm called Bunse Technologies as a front for their malicious activities.

The campaign also used malicious RTF documents, PowerShell scripts, and C# downloader binaries to distribute malware, while displaying decoy images to victims to appear legitimate.

“This campaign is a classic example of an individual threat actor employing political, humanitarian, and diplomatic themes in a campaign to deliver commodity malware to victims. Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These RATs are packed with multiple functionalities to achieve complete control over the victim’s endpoint — from preliminary reconnaissance capabilities to arbitrary command execution and data exfiltration. These families also act as excellent launch pads for deploying additional malware against their victims. Furthermore, these out-of-the-box features enable the attackers to make minimal configuration changes to the RATs, taking away the need for a full-fledged development cycle of custom malware by an actor,” the researchers said.

Increased Use of Commodity RATs

There has been a surge in the use of commodity RATs in recent times. Microsoft recently discovered a campaign targeting airline, cargo, and travel industries, which delivers RAT payloads via spear phishing emails.

The post Lone Wolf Campaign Targets India and Afghanistan with Commodity RATs appeared first on CISO MAG | Cyber Security Magazine.
Hackers Targeted Over 75,000 Mailboxes in a Credential Phishing Campaign (https://staging-cisomagcom.kinsta.cloud/hackers-targeted-over-75000-mailboxes-in-a-credential-phishing-campaign/, Tue, 28 Sep 2021 14:07:39 +0000)

Security researchers from Armorblox uncovered an ongoing credential phishing campaign exploiting the brand of email encryption provider Zix. The analysis claims that the campaign has targeted several organizations across different sectors, including education, financial services, energy, health care, and many state and local government agencies. Zix is a security technology company that provides global organizations with email encryption and email data loss prevention services.

What is a Credential Phishing Attack?

In credential phishing attacks, threat actors distribute malicious URLs via emails impersonating popular brands. Once a victim clicks on the URL, it either downloads malware onto the victim's device or redirects the user to an attacker-operated site that harvests their credentials.

Attackers Impersonated Zix Brand

The researchers stated that attackers sent malicious emails to the targets by spoofing an encrypted message notification from Zix. The malicious links in the email directed the victims to download an HTML file onto the system. Zix stated the campaign targeted more than 75,000 mailboxes by evading security detections across Office 365, Google Workspace, Exchange, and Cisco ESA.

Attackers reportedly sent emails titled “Secure Zix message,” claiming that the victim had received a secure message from Zix. The email urged the victim to click on the Message button to view the secure message. The spam emails were sent via the thefullgospelbaptist.com domain.

Selective Targets

Attackers distributed their malicious links across a select group of employees from various departments by leveraging different attack techniques, including:

  • Social engineering
  • Brand impersonation
  • Replicating existing workflows
  • Drive-by download
  • Exploiting a legitimate domain

“While the spread is seemingly randomized, attackers might also have deliberately chosen their victims to be across departments and to contain a good mix of senior leadership and individual contributors. These employees are unlikely to communicate often with each other when they receive an email that looks suspicious,” the researchers said.

Security Precautions

Security experts from Armorblox also recommended that users:

  • Augment native email security with additional controls
  • Train the workforce to identify social engineering and other phishing tactics
  • Follow password management best practices across all departments in the organization
  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts
  • Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.)

The post Hackers Targeted Over 75,000 Mailboxes in a Credential Phishing Campaign appeared first on CISO MAG | Cyber Security Magazine.

FIN8 Hackers Found Using Sardonic Malware to Attack Financial Institutions (https://staging-cisomagcom.kinsta.cloud/fin8-hackers-found-using-sardonic-malware-to-attack-financial-institutions/, Fri, 03 Sep 2021 11:16:11 +0000)

Information about companies and their staff published on the dark web makes financial companies and their employees a primary target of cybercriminals. Recently, cybersecurity experts from Bitdefender uncovered a new financially motivated malware campaign by the infamous threat actor group FIN8, circulating a new version of its BADHATCH malware, tracked as Sardonic. Active since January 2016, the FIN8 gang is known for launching attacks on finance companies.

Sardonic – A New Backdoor in the FIN8 Ecosystem

The researchers stated that Sardonic malware has several new components that were reportedly created shortly before the attack. The Sardonic backdoor has a wide range of capabilities that let attackers produce new malware variants quickly without updating its components.

“FIN8 is known for taking extended breaks to improve their tactics, techniques, and procedures (TTPs), which increases their success rate. With each new version of their toolkit, they start with small tests on a limited pool of victims before launching a full-scale attack,” Bitdefender said in a statement.

FIN8’s Living off the Land Attack (LotL)

FIN8 primarily targets companies that provide financial services and their POS (point of sale) terminals via living off the land (LotL) attacks. In LotL attacks, hackers leverage tools and interfaces that already exist in the target environment rather than dropping custom tooling. Bitdefender researchers found FIN8 actors using built-in tools and interfaces such as PowerShell or WMI and exploiting legitimate services like sslip.io to hide their malicious activities.

In addition, FIN8 actors leverage different hacking vectors, including:

  • Social Engineering
  • Malicious Payload Download
  • Lateral Movement
  • Trial and error to overcome defenses
  • Attempts to establish persistence

Remediation

The Bitdefender team also recommended security measures to minimize the impact of this malware. These include:

  • Separate the POS network from the ones used by employees or guests.
  • Introduce cybersecurity awareness training for employees to help them spot phishing emails.
  • Tune the email security solution to automatically discard malicious or suspicious attachments.
  • Integrate threat intelligence into existing SIEM or security controls for relevant indicators of compromise.
  • Small and medium organizations should consider outsourcing security operations to managed detection and response providers.

The post FIN8 Hackers Found Using Sardonic Malware to Attack Financial Institutions appeared first on CISO MAG | Cyber Security Magazine.