Senator Ron Wyden wants the FTC and SEC to investigate the ransomware attack on UnitedHealth's Change subsidiary to see if there was criminal negligence by the CEO or board.

The post Senator Calls for FTC, SEC Probe Into UnitedHealth’s ‘Negligence’ in Breach appeared first on Security Boulevard.

Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.

The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.

Insight #1

Transparency isn't just about promising action, it's about proving it. It means sharing the data and results that show you're following through on your commitments.

The post Cybersecurity Insights with Contrast CISO David Lindner | 5/31/24 appeared first on Security Boulevard.

As per recent reports a new social engineering attack attributed to the North Korea-linked Kimsuky hacking group is targeting human rights activists using fake Facebook accounts. This tactic, involving fictitious identities, marks a significant shift from their typical email-based spear-phishing strategies. According to a report by South Korean cybersecurity firm Genians, the attackers pose as […]

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on TuxCare.

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on Security Boulevard.

Researchers discovered a new data theft campaign, active since at least 2021, attributed to an advanced persistent threat (APT) actor dubbed "LilacSquid." This campaign, observed by researchers at Cisco Talos, targets a diverse set of industries, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. This broad victimology suggests that LilacSquid is agnostic to industry verticals, aiming to steal data from various sectors.

Use of Open-Source Tools and Customized Malware

The campaign from LilacSquid employs MeshAgent, an open-source remote management tool and a customized version of QuasarRAT that researchers refer as "PurpleInk," as primary implants after compromising vulnerable application servers exposed to the internet. LilacSquid exploits public-facing application server vulnerabilities and compromised remote desktop protocol (RDP) credentials to deploy a range of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and loaders InkBox and InkLoader.

LilacSquid's Long-Term Access for Data Theft through Persistence

Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers. The campaign has successfully compromised entities in Asia, Europe, and the United States across various sectors such as pharmaceuticals, oil and gas, and technology. LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials. [caption id="attachment_73284" align="aligncenter" width="1024"] LilacSquid Initial Access and Activity. (Credit: Cisco Talos)[/caption] Once a system is compromised through exploiting vulnerabilities on internet facing devices, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk. [caption id="attachment_73286" align="aligncenter" width="1024"] LilacSquid's Lateral Movement via RDP. (Credit: Cisco Talos)[/caption] MeshAgent, downloaded using bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants. On the other hand InkLoader, a .NET-based malware loader, is used when RDP credentials are compromised. It persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.

PurpleInk Implant of LilacSquid

PurpleInk, derived from QuasarRAT, has been customized extensively since 2021.

"Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family."

It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionalities, with some stripped-down versions retaining core capabilities to evade detection. InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader. [caption id="attachment_73282" align="aligncenter" width="1024"] PurpleInk Activation Chain (Credit: Cisco Talos)[/caption] Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.

Parallels with North Korean APT Groups

The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKs proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to their remote servers. The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By leveraging a combination of open-source tools and customized malware, LilacSquid successfully infiltrates and maintains long-term access to diverse organizations worldwide. IoCs to detect LilacSquid's PurpleInk infection:

PurpleInk: 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

Network IOCs 

67[.]213[.]221[.]6 192[.]145[.]127[.]190 45[.]9[.]251[.]14 199[.]229[.]250[.]142

Read 9 remaining paragraphs | Comments

In one of the largest mass bricking events in history, at least 600,000 routers belonging to subscribers of the same ISP service were essentially destroyed last October. The incident has been dubbed "Pumpkin Eclipse," with researchers still unclear on how the routers became infected. The affected devices displayed a steady red light and were unresponsive to troubleshooting attempts, and had to be replaced. Now new research is shedding light on the attack, which involved unusually sophisticated and stealthy attack methods.

'Pumpkin Eclipse' Router Attack

The attack began on October 25, 2023, as the ISP's subscribers began reporting their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, a malware known as "Chalubo" had infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the ISP affected in the attack, the description of the attack matches frustrations expressed months ago by subscribers of the Windstream ISP, such as the router affected and its resulting behavior. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks. It removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that permanently overwrote the router's default device firmware, rendering them permanently inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling.

Researchers Unsure Over Initial Attack Vector but Theorize Possibilities

Although the researchers identified the malware's multi-chain attack process and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have possibly resulted from the exploit of an inherent vulnerability, exploit of weak credentials, or compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it represents a new precedent for malware capable of mass-bricking consumer networking devices. The researchers could only recall one prior similar event - the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe during the start of the Russian invasion. The researchers said the impact of "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services. "At this time, we do not assess this to be the work of a nation-state or state-sponsored entity," the Lumen researchers wrote. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard. Nonetheless, they speculated that usage of a commodity malware family may have been a deliberate move to obscure the perpetrator's potential identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Read 17 remaining paragraphs | Comments

The group behind the RedTail malware is exploiting a new vulnerability in Palo Alto Network's PAN-OS software to run a sophisticated cryptomining campaign that is likely backed by North Korea.

The post RedTail Malware Abuses Palo Alto Flaw in Latest Cryptomining Campaign appeared first on Security Boulevard.

The TrickBot botnet and other malware droppers have been targeted by international law enforcement in Operation Endgame.

The post TrickBot and Other Malware Droppers Disrupted by Law Enforcement appeared first on SecurityWeek.

Media reports claim that cybersecurity experts have recently unveiled new details about a remote access trojan (RAT) named Deuterbear, employed by the China-linked hacking group BlackTech. This sophisticated Deuterbear RAT malware is part of a broader cyber espionage operation targeting the Asia-Pacific region throughout the year.   Advancements Over Waterbear Deuterbear exhibits notable advancements over […]

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on TuxCare.

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on Security Boulevard.

Another day, another PyPI malware package. But this one has a new way to (try to) sneak into your computer.

The post Malicious PyPI Package ‘Pytoileur’ Targets Windows and Leverages Stack Overflow for Distribution appeared first on Security Boulevard.

Views: 2Source: www.bitdefender.com – Author: Graham Cluley The world-renowned auction house Christie’s has confirmed that it has fallen victim to a ransomware attack, seemingly orchestrated by a Russia-linked cybercriminal gang. Two weeks ago the CEO of the world’s wealthiest auction house posted on LinkedIn blamed a “technology security incident” after the Christie’s website went unexpectedly […]

La entrada Going going gone! Ransomware attack grabs Christie’s client data for a steal – Source: www.bitdefender.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Views: 3Source: www.cybertalk.org – Author: slandau By Zac Amos, Features Editor, Rehack.com. In recent years, ransomware has emerged as a critical threat to the healthcare industry, with attacks growing in frequency, sophistication and impact. These cyber assaults disrupt hospital operations, compromise patient safety and undermine data integrity. Understanding how ransomware tactics have evolved — from basic phishing […]

La entrada The evolution of healthcare ransomware attacks – Source: www.cybertalk.org se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Views: 2Source: www.infosecurity-magazine.com – Author: 1 Cybersecurity researchers have uncovered “pytoileur,” a malicious package on the Python Package Index (PyPI).  The package, posing as an “API Management tool written in Python,” concealed code that downloads and installs trojanized Windows binaries.  These binaries are capable of surveillance, achieving persistence and stealing cryptocurrency. The package was discovered […]

La entrada New PyPI Malware “Pytoileur” Steals Crypto and Evades Detection – Source: www.infosecurity-magazine.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Views: 0Source: securityaffairs.com – Author: Pierluigi Paganini Christie disclosed a data breach after a RansomHub attack Auction house Christie disclosed a data breach following a RansomHub cyber attack that occurred this month. Auction house Christie’s disclosed a data breach after the ransomware group RansomHub threatened to leak stolen data. The security breach occurred earlier this month. The website […]

La entrada Christie disclosed a data breach after a RansomHub attack – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Sonatype has discovered 'pytoileur', a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long "Cool package" campaign.

The post PyPI crypto-stealer targets Windows users, revives malware campaign appeared first on Security Boulevard.

Scammers impersonating Microsoft, Publishers Clearing House, Amazon and Apple are at the top of the FTC’s “who’s who” list. Based on consumer reports and complaints to the agency, hundreds of millions of dollars were stolen by bad actors pretending to be brands.

The post ‘Microsoft’ Scammers Steal the Most, the FTC Says appeared first on Security Boulevard.

Source: securityboulevard.com – Author: Wajahat Raja Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details […]

La entrada Black Basta Ransomware Attack: Microsoft Quick Assist Flaw – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details about how this financially motivated group […]

The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on TuxCare.

The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on Security Boulevard.

Russian hackers were found using legitimate remote monitoring and management software to spy on Ukraine and its allies. The malicious scripts required for downloading and running the RMM program on the victims’ computers are hidden among the legitimate Python code of the “Minesweeper” game from Microsoft. The Government Computer Emergency Response Team of Ukraine (CERT-UA), operating under the State Special Communications Service, warned that Russian cybercriminals are using the legitimate SuperOps RMM software program to gain unauthorized access to Ukrainian organizations’ information systems, particularly those in the financial sector. The Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and CERT-UA recorded and analyzed phishing emails sent to victims with a Dropbox link containing an executable file (.SCR) that was about 33 megabytes in size. The emails were sent from the address “support@patient-docs-mail.com,” which impersonated a medical center and had the subject line “Personal Web Archive of Medical Documents.” The .SCR file contained a Python clone of the Minesweeper game along with malicious Python code that downloads additional scripts from a remote source “anotepad.com.” The Minesweeper code contained a function named “create_license_ver” which is repurposed to decode and execute the hidden malicious code. The legitimate SuperOps RMM program is eventually downloaded and installed from a ZIP file, granting attackers remote access to the victim’s computer. The CERT-UA found five similar files, named after financial and insurance institutions in Europe and the USA, indicating that these cyberattacks, which took place between February and March 2024, have a wide geographic reach. CERT-UA tracked this threat activity to an actor it identified as UAC-0188. UAC-0118, also known as FRwL or FromRussiaWithLove, is a Russian state-aligned hacktivist threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily targeted critical infrastructure, media, energy and government entities. FRwL has been previously linked to the use of the Vidar stealer and Somnia ransomware, which they employ as a data wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.

Possible Defense Against Ongoing Remote Monitoring Campaign

CERT-UA recommends the following:

• Organizations not using SuperOps RMM should verify the absence of network activity associated with the domain names: [.]superops[.]com, [.]superops[.]ai.
• Improve employee cyber hygiene.
• Use and constantly update anti-virus software.
• Regularly update operating systems and software.
• Use strong passwords and change them regularly.
• Back up important data.

Ukrainian Financial Institutions Also on Smokeloader’s Radar

The financially motivated group UAC-0006 has actively launched phishing attacks targeting Ukraine through 2023. CERT-UA reported the resurfacing of UAC-0006 in spring 2024, with hackers attempting to distribute Smokeloader, a common malware in the group’s toolkit. This threat group’s goal has primarily been to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. SmokeLoader is a malicious bot application and trojan that can evade security measures to infect Windows devices. It can then install other malware, steal sensitive data and damage files, among other issues. Throughout 2023, UAC-0006 conducted several phishing campaigns against Ukraine, exploiting financial lures and using ZIP and RAR attachments to distribute Smokeloader CERT-UA last week issued another warning about a significant surge in UAC-0006 activity. Hackers have conducted at least two campaigns to distribute Smokeloader, displaying similar patterns to previous attacks. The latest operations involve emails with ZIP archives containing images that include executable files and Microsoft Access files with macros that execute PowerShell commands to download and run other executable files. After initial access, the attackers download additional malware, including TALESHOT and RMS. The botnet currently consists of several hundred infected computers. CERT-UA anticipates an increase in fraudulent operations involving remote banking systems and thus, strongly recommends enhancing the security of accountants’ automated workstations and ensuring the implementation of necessary policies and protection mechanisms to reduce infection risks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.cybertalk.org – Author: slandau EXECUTIVE SUMMARY: Email is the #1 means of communication globally. It’s simple, affordable and easily available. However, email systems weren’t designed with security in mind. In the absence of first-rate security measures, email can become a hacker’s paradise, offering unfettered access to a host of tantalizingly lucrative opportunities. Optimize your […]

La entrada 7 best practices for tackling dangerous emails – Source: www.cybertalk.org se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Threat actors compromised a popular audio-visual software package used in courtrooms, prisons, government, and lecture rooms around the world by injecting a loader malware that gives the hackers remote access to infected systems, collecting data about the host computer and downloading more malicious payloads along the way. The software supply chain attack targeted Justice AV..

The post Courtroom Recording Software Compromised in Supply Chain Attack appeared first on Security Boulevard.

Source: www.exponential-e.com – Author: Graham Cluley What’s happened?  Recorded Future has reports that the British Government is proposing sweeping change in its approach to ransomware attacks. The key proposed changes are: Mandatory reporting. All organisations and individuals hit by ransomware would be required to report the attack to the government. Licensing for extortion payments. All […]

La entrada UK Government ponders major changes to ransomware response – what you need to know – Source: www.exponential-e.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Inglorious Basta(rds): 16 days on, huge hospital system continues to be paralyzed by ransomware—and patient safety is at risk.

The post Black Basta Ascension Attack Redux — can Patients Die of Ransomware? appeared first on Security Boulevard.

Source: securityboulevard.com – Author: Nathan Eddy Human error is responsible for most cybersecurity risks, with nearly three-quarters (74%) of chief information security officers (CISOs) identifying it as their most significant vulnerability. In response, 87% of CISOs are adopting AI-powered technology to protect against human error and to block advanced human-centric cyber threats. These were among […]

La entrada CISO Cite Human Error as Top IT Security Risk – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

It’s the wetware. It’s always the wetware.

But that’s not the only takeaway from this year’s Voice of the CISO report.

The post CISO Cite Human Error as Top IT Security Risk appeared first on Security Boulevard.

Source: www.techrepublic.com – Author: Cedric Pernet A new report from IBM X-Force exposes changes in the Grandoreiro malware landscape. The banking trojan is now capable of targeting more than 1,500 global banks in more than 60 countries, and it has been updated with new features. Also, Grandoreiro’s targeting has become wider, as it initially only […]

La entrada IBM X-Force Report: Grandoreiro Malware Targets More Than 1,500 Banks in 60 Countries – Source: www.techrepublic.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Views: 0Source: securelist.com – Author: Cristian Souza, Eduardo Ovalle, Ashley Muñoz, Christopher Zachor Introduction Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the […]

La entrada ShrinkLocker: Turning BitLocker into ransomware – Source: securelist.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityaffairs.com – Author: Pierluigi Paganini An ongoing malware campaign exploits Microsoft Exchange Server flaws A threat actor is targeting organizations in Africa and the Middle East by exploiting Microsoft Exchange Server flaws to deliver malware. Positive Technologies researchers observed while responding to a customer’s incident spotted an unknown keylogger embedded in the main Microsoft Exchange Server […]

La entrada An ongoing malware campaign exploits Microsoft Exchange Server flaws – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityaffairs.com – Author: Pierluigi Paganini OmniVision disclosed a data breach after the 2023 Cactus ransomware attack The digital imaging products manufacturer OmniVision disclosed a data breach after the 2023 ransomware attack. OmniVision Technologies is a company that specializes in developing advanced digital imaging solutions. In 2023, OmniVision employed 2,200 people and had an annual revenue […]

La entrada OmniVision disclosed a data breach after the 2023 Cactus ransomware attack – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

In episode 330 Tom, Scott, and Kevin discuss the new features for iPhones and Android phones designed to warn users about secret trackers, possibly aiding in identifying stalkers. The hosts discuss Apple and Google’s collaboration on a technology called DOLT (Detecting Unwanted Location Trackers), aiming to improve user privacy by detecting Bluetooth trackers like Tiles […]

The post New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report appeared first on Shared Security Podcast.

The post New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report appeared first on Security Boulevard.

💾

WTH? DPRK IT WFH: Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans.

The post North Korea IT Worker Scam Brings Malware and Funds Nukes appeared first on Security Boulevard.

The Antidot Android banking trojan snoops on users and steals their credentials, contacts, and SMS messages.

The post New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data appeared first on SecurityWeek.

The operators behind the Ebury server-side malware botnet have been doing business since at least 2009 and, according to the threat researchers who have been tracking it for the last decade, are stronger and more active than ever. The malware has compromised at least 400,000 Linux servers over the past 15 years, with about 100,000..

The post 15-Year-Old Ebury Botnet Compromised 400,000 Linux Servers appeared first on Security Boulevard.

The Ebury Linux botnet has ensnared over 400,000 Linux systems in 15 years, with roughly 100,000 still infected.

The post 400,000 Linux Servers Hit by Ebury Botnet  appeared first on SecurityWeek.

Microsoft patched a zero-day vulnerability exploited by attackers to distribute QakBot and other malware payloads on susceptible Windows systems. Identified as CVE-2024-30051, this vulnerability is a privilege escalation flaw resulting from a heap-based buffer overflow in the Desktop Window Manager (DWM) core library. Successful exploitation grants attackers “SYSTEM privileges,” Microsoft said.

“These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware (actors),” said Dustin Childs of the Zero Day Initiative.

Introduced in Windows Vista, the Desktop Window Manager (dwm.exe) is a compositing window manager that renders all GUI effects in Windows like transparent windows, live taskbar thumbnails, Flip3D, and even high-resolution monitor support. Applications do not draw directly on the screen. Instead, they write their window images to a specific spot in memory. Windows then combines and creates a “composite” of all these windows into one view before sending it to the monitor. This allows Windows to add effects like transparency and animations while displaying the windows. Kaspersky researchers uncovered this vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033, also exploited as a zero-day in attacks. While analyzing data related to recent exploits and associated attacks, Kaspersky researchers discovered an intriguing file uploaded to VirusTotal on April 1. The file's name hinted that it contained details on a Windows vulnerability. The file had information regarding a Windows DWM vulnerability – written in broken English - that could be exploited to escalate privileges to SYSTEM level, with the exploitation process nearly mirroring the one used in CVE-2023-36033 attacks, “but the vulnerability was different,” researchers said. Initially skeptical due to the document's quality and lack of crucial details on exploiting the vulnerability, further investigation confirmed the legitimacy of another zero-day vulnerability capable of privilege escalation. Kaspersky promptly reported it to Microsoft, leading to its designation as CVE-2024-30051 and subsequent patching in this month’s Patch Tuesday.

Zero-Day Exploited by QakBot

Following the reporting to Microsoft, Kaspersky continued monitoring for exploits and attacks leveraging this flaw.

“In mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware and believe that multiple threat actors have access to it,” Kaspersky said.

Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google-owned Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks, Childs said.

“Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer,” said Childs.

The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2024-30051 to its Known Exploited Vulnerabilities catalog and directed all federal agencies to complete the patching process by June 4. Kaspersky plans to disclose technical specifics of CVE-2024-30051 once users have had adequate time to update their Windows systems.

QakBot’s Journey from Banking Trojan to Initial Access Broker

QakBot, also known as Qbot, emerged as a banking trojan in 2008 and was used to steal credentials, website cookies, and credit cards to commit financial fraud. QakBot operators evolved over the years into initial access brokers, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, and data theft. QakBot’s infrastructure was taken down in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as “Operation Duck Hunt.” But Microsoft identified the resurgence of QakBot in phishing campaigns targeting the hospitality industry in December. Law enforcement linked QakBot infections to 700,000 victim computers which included ransomware attacks targeting businesses, healthcare providers, and government agencies worldwide, which according to conservative estimates caused hundreds of millions of dollars in damage. Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently Black Basta.

Another Zero-Day Fix

Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, with one rated “critical,” 57 rated as “important” and one rated as “moderate.” The patch also contains a fix for another zero-day flaw other that the one exploited by QakBot. The other bug, tracked as CVE-2024-30040, is rated "important" on the CVSS scale and is a Windows MSHTML platform security feature bypass vulnerability. MSHTML is a proprietary browser engine for the Microsoft Windows version of Internet Explorer.

“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said.

A hacker who socially-engineers a victim into opening a malicious document would be able to execute arbitrary code by passing OLE mitigations in the Microsoft suite of office applications. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Biden Administration is moving to cybersecurity standards for hospitals, but the AHA is pushing back, saying voluntary models are enough.

The post UnitedHealth, Ascension Attacks Feed Debate Over Health Care Security appeared first on Security Boulevard.

Threat actors are using DNS tunneling to track victims’ interaction with spam and to scan network infrastructures.

The post Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks appeared first on SecurityWeek.

Executive Summary

Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines, where clicking on the ad leads to typo squatted domains. In at least one observed case, the infection has led to the attempted deployment of ransomware. The analysis conducted by Rapid7 features updates to past research, including a variety of new indicators of compromise, a YARA rule to help identify malicious DLLs, and some observed changes to the malware’s functionality.  Rapid7 has observed the campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions. Successful execution of the malware then provides the threat actor with an elevated foothold and impedes analysis by blurring the intentions of subsequent administrative actions.

Overview

Beginning in early March 2024, Rapid7 observed the distribution of trojanized installers for the open source utilities WinSCP and PuTTy. WinSCP is a file transfer client, PuTTY a secure shell (SSH) client. The infection chain typically begins after a user searches for a phrase such as download winscp or download putty, on a search engine like Microsoft's Bing. The search results include an ad for the software the user clicks on, which ultimately redirects them to either a clone of the legitimate website, in the case of WinSCP, or a simple download page in the case of PuTTY. In both cases, a link to download a zip archive containing the trojan from a secondary domain was embedded on the web page.

The infection begins after the user has downloaded and extracted the contents of the zip archive and executed setup.exe, which is a renamed copy of pythonw.exe, the legitimate Python hidden console window executable.

Upon execution, setup.exe loads the malicious DLL python311.dll. As seen in Figure 2, the copy of the legitimate python311 DLL which setup.exe is intended to load has actually been renamed to python311x.dll. This technique is known as DLL side-loading, where a malicious DLL can be loaded into a legitimate, signed, executable by mimicking partial functionality and the name of the original library. The process of side-loading the DLL is also facilitated by hijacking the DLL search order, where attempts are made to load DLLs contained within the same directory first, before checking other directories on the system where a legitimate copy might be present. Rapid7 has also observed the Python 3.11 library being targeted in prior malware campaigns, such as the novel IDAT loader, discovered by Rapid7 during August of 2023.

The primary payload contained within python311.dll is a compressed archive encrypted and included within the DLL's resource section. During execution, this archive is unpacked to execute two child processes.

First, the malware executes the unpacked copy of the legitimate WinSCP installer, seen in Figure 3 as WinSCP-6.1.1-Setup.exe. Then, the malicious Python script systemd.py is executed via pythonw.exe after being unpacked into the staging directory %LOCALAPPDATA%\Oracle\ along with numerous Python dependencies. Following the successful execution of both processes, setup.exe then terminates.

The script systemd.py, executed via pythonw.exe, decrypts and executes a second Python script then performs decryption and reflective DLL injection of a Sliver beacon. Reflective DLL injection is the process of loading a library into a process directly from memory instead of from disk. In several cases, Rapid7 observed the threat actor take quick action upon successful contact with the Sliver beacon, downloading additional payloads, including Cobalt Strike beacons. The access is then used to establish persistence via scheduled tasks and newly created services after pivoting via SMB. In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution.

The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year. This campaign, referred to as Nitrogen by Malwarebytes, and eSentire, has previously been reported to use similar methods.

Technical Analysis

To take a more in depth look at the malware delivery and functionality, we analyzed a malware sample recently observed being delivered to users looking for a PuTTY installer.

Initial Access

The source of the infection was a malicious ad served to the user after their search for download putty. When the user clicked on the ad, which are typically pushed to the top of the search results for visibility, they were redirected to a typo-squatted domain at the URL hxxps://puttty[.]org/osn.php. The landing page includes a download button for PuTTY, as well as two legitimate links to download a Bitvise SSH server/client. However, when the download link is clicked by the user it calls the embedded function loadlink(), which redirects the user to hxxps://puttty[.]org/dwnl.php, which then finally redirects the user to the most recent host of the malicious zip archive to serve the download. At the time of writing, puttty[.]org and the relevant URLs were still active, serving the zip archive putty-0.80-installer.zip from the likely compromised WordPress domain areauni[.]com.

Rapid7 observed the base domain, puttty[.]org was also serving a cloned version of a PuTTY help article available at BlueHost, where the download link provided is actually for the official distributor of the software. This relatively benign page is most likely conditionally served as a way to reduce suspicion as noted by Malwarebytes.

In comparison, the typo-squatted WinSCP domains conditionally redirected visits to Rick Astley's Never Gonna Give You Up. Classic.

Execution

Upon extracting the zip archive putty-0.80-installer.zip, the user is once again presented with setup.exe, a renamed copy of pythonw.exe, to entice the user to initiate the infection by launching the executable.

Once executed, setup.exe will side-load the malicious DLL python311.dll. The DLL python311.dll then loads a renamed copy of the legitimate DLL, python3.dll, from the same directory after dynamically resolving the necessary functions from kernel32.dll by string match. Future requests for exported functions made by setup.exe can then be forwarded to python3.dll by python311.dll. This technique is commonly used when side-loading malware, so legitimate requests are proxied, which avoids unexpected behavior and improves stability of the payload delivery.

Following the successful sideloading procedure, the malware then performs pre-unpacking setup by dynamically resolving additional functions from ntdll.dll. The malware still uses functionality similar to the publicly available AntiHook and KrakenMask libraries to facilitate setup and execution, as previously noted by eSentire, which provides additional evasion capabilities. AntiHook contains functionality to enumerate the loaded modules of a process, searching each one for hooks, and remaps a clean, unhooked version of the module’s text section, if hooks are found. KrakenMask contains functionality to spoof the return address of function calls, to evade stack traces, and functionality to encrypt the processes virtual memory at rest to evade memory scanners.

The library ntdll.dll contains functions which make up the Windows Native API (NTAPI), which is generally the closest a process executed in user mode can get to utilizing functionality from the operating system’s kernel. By resolving NTAPI functions for use, malware can bypass detection applied to more commonly used user mode functions (WINAPI) and access lower level functionality that is otherwise unavailable. Several of the NTAPI function pointers resolved by the malware can be used for evasion techniques such as Event Tracing for Windows (ETW) tampering and bypass of the Anti-Malware Scan Interface (AMSI) as has been observed in prior Nitrogen campaign samples. Some of the functions are dynamically resolved from ntdll.dll are found using concatenation of stack strings to form the full name of the target API just before resolution is attempted, likely to help evade detection.

Resolved ntdll.dll functions
EtwEventWrite
EtwEventWriteFull
EtwNotificationRegister
EtwEventRegister

Table 1. Functions the malware dynamically resolves from ntdll.dll.

Other observed function strings
WldpQueryDynamicCodeTrust (wldp.dll)
AmsiScanBuffer (amsi.dll)

Table 2. Other evasion related WINAPI function strings observed in the malware

With setup complete, an encrypted resource stored within the resource section of python311.dll is retrieved using common resource WINAPI calls, including FindResourceA, LoadResource, SizeOfResource, and FreeResource.

The resource is then decrypted in memory using an AES-256 hex key and initialization vector (IV) that are stored in the data section in plain text. The resulting file is a zip archive which contains three compressed files, including a legitimate MSI installation package for PuTTY and another compressed archive named installer_data.zip.

To execute the PuTTY installer, the malware first creates a copy of the MSI file in the hard-coded directory C:\Users\Public\Downloads\ via a call to fopen and then decompresses and writes the retrieved MSI package content with multiple successive calls to fwrite and other CRT library file io functions, followed by fclose. The full output path is assembled by concatenating the target directory with the desired file name, which is retrieved from original_installer.txt. The contents of original_installer.txt are identical to the name of the MSI package observed in the resource, for this sample: putty-64bit-0.78-installer.msi.

The MSI package is then executed by a call to CreateProcessW with the command line msiexec.exe ALLUSERS=1 /i C:\Users\Public\Downloads\putty-64bit-0.78-installer.msi. So, before the execution of the next malware payload the user is provided with the software they were originally looking for. This functionality is commonly seen with trojans to avoid suspicion by the end user, as the user only sees the legitimate installation window pop up after initial execution. However, the version numbers between the executed MSI package, putty-64bit-0.78-installer.msi, and the initially downloaded zip archive, putty-64bit-0.80-installer.zip, don't match — a potential indicator.

The same procedure is then repeated to copy the decompressed contents of the folder Oracle contained within the zip archive installer_data.zip to the staging directory created at %LOCALAPPDATA%\Oracle\. After the unpacking process is complete, another call by the malware to CreateProcessW executes the next payload with the command line %LOCALAPPDATA%\Oracle\pythonw.exe %LOCALAPPDATA%\Oracle\systemd.py. With its purpose completed, the loader then clears memory and passes back control to setup.exe, which promptly terminates, leaving the pythonw.exe process running in the background.

The Python script systemd.py contains multiple junk classes, which in turn contain numerous junk function definitions to pad out the core script. Ultimately, the script decrypts the file %LOCALAPPDATA%\Oracle\data.aes, which is a Sliver beacon DLL (original name: BALANCED_NAPKIN.dll), performs local injection of the Sliver DLL, and then calls the export StartW. The contents of main and other included functionality within the script appears to have been mostly copied from the publicly available Github repo for PythonMemoryModule.

Rapid7 has replicated the unpacking process of the beacon DLL in a python extraction script that is now publicly available along with a yara rule to detect the malicious DLL.

Mitigations

Rapid7 recommends verifying the download source of freely available software. Check that the hash of the downloaded file(s) match those provided by the official distributor and that they contain a valid and relevant signature. The DLLs that are side-loaded by malware are often unsigned, and are often present in the same location as the legitimately signed and renamed original, to which requests are forwarded. Bookmark the official distribution domains for the download of future updates.

DNS requests for permutations of known domains can also be proactively blocked or the requests can be redirected to a DNS sinkhole. For example, by using the publicly available tool DNSTwist we can identify several additional suspicious domains that match the observed ASNs and country codes observed for many of the C2 IPv4 addresses observed to be contacted by the malware as well as known malware hosts/facilitators.

Domain	IPv4	ASN
wnscp[.]net	91.92.253[.]80	AS394711:LIMENET
puttyy[.]org	82.221.136[.]24	AS50613:Advania Island ehf
puutty[.]org	82.221.129[.]39	AS50613:Advania Island ehf
putyy[.]org	82.221.136[.]1	AS50613:Advania Island ehf

Table 3. More suspicious domains found via DNSTwist.

Rapid7 observed impacted users are disproportionately members of information technology (IT) teams who are more likely to download installers for utilities like PuTTY and WinSCP for updates or setup. When the account of an IT member is compromised, the threat actor gains a foothold with elevated privileges which impedes analysis by blending in their actions with that of the administrator(s), stressing the importance of verifying the source of files before download, and their contents before execution.

MITRE ATT&CK Techniques

Tactic	Technique	Procedure
Resource Development	T1583.008: Acquire Infrastructure: Malvertising	The threat actor uses ads to promote malware delivery via popular search engines.
Initial Access	T1189: Drive-by Compromise	The user clicks on a malicious ad populated from a typical search engine query for a software utility and is ultimately redirected to a page hosting malware.
Execution	T1106: Native API	The malware dynamically resolves and executes functions from ntdll.dll at runtime.
Execution	T1204.002: User Execution: Malicious File	The user downloads and executes setup.exe (renamed pythonw.exe), which side-loads and executes the malicious DLL python311.dll.
Execution	T1059.006: Command and Scripting Interpreter: Python	The malware executes a python script to load and execute a Sliver beacon.
Persistence	T1543.003: Create or Modify System Process: Windows Service	The threat actor creates a service to execute a C2 beacon. The threat actor loads a vulnerable driver to facilitate disabling antivirus software and other defenses present.
Persistence	T1053.005: Scheduled Task/Job: Scheduled Task	The threat actor creates a scheduled task to execute a C2 beacon.
Defense Evasion	T1140: Deobfuscate/Decode Files or Information	The malware uses various string manipulation and obfuscation techniques.
Defense Evasion	T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification	The malware calls chmod to change file permissions prior to execution.
Defense Evasion	T1574.001: Hijack Execution Flow: DLL Search Order Hijacking	The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe from the same directory.
Defense Evasion	T1574.002: Hijack Execution Flow: DLL Side-Loading	The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe and proxies requests to a renamed copy of the legitimate DLL.
Defense Evasion	T1027.002: Obfuscated Files or Information: Software Packing	The final payload executed by the malware is unpacked through several layers of compression, encryption, and file formats.
Defense Evasion	T1027.013: Obfuscated Files or Information: Encrypted/Encoded File	The malware also stores other file dependencies with several layers of obfuscation
Defense Evasion	T1055.001: Process Injection: Dynamic-link Library Injection	The malware loads a Sliver beacon DLL via python script.
Lateral Movement	T1570: Lateral Tool Transfer	The threat actor uses SMB via Cobalt Strike to pivot post compromise
Exfiltration	T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage	The threat actor attempts to exfiltrate data to a backup using Restic.
Impact	T1486: Data Encrypted for Impact	The threat actor attempts the deployment of ransomware after exfiltrating data.

Rapid7 Detections

For Rapid7 MDR and InsightIDR customers, the following detection rules are currently deployed and alerting against malware campaigns like the one described in this blog:

Detections
Suspicious Process - Sliver C2 Interactive Shell Execution via PowerShell
Suspicious Process - Python Start Processes in Staging Directories
Attacker Technique - Renamed PythonW.exe Executed From Non-Standard Folder
Suspicious Service: Service Installed With Command Line using Python
Network Discovery - Nltest Enumerate Domain Controllers
Attacker Technique - Potential Process Hollowing To DLLHost
Suspicious Process - Gpupdate.exe Execution With No Arguments
Suspicious Process Access - LSASS Memory Dump Using MiniDumpWriteDump Function

Indicators of Compromise

Network Based Indicators (NBIs)

Domain/IPv4 Address	Notes
wnscp[.]net	Typo-squatted domain, found via DNSTwist
puttyy[.]org	Typo-squatted domain, found via DNSTwist
puutty[.]org	Typo-squatted domain, found via DNSTwist
putyy[.]org	Typo-squatted domain, found via DNSTwist
vvinscp[.]net	Typo-squatted domain
winnscp[.]net	Typo-squatted domain
puttty[.]org	Typo-squatted domain
areauni[.]com	Malicious zip archive host, likely compromised domain
mkt[.]geostrategy-ec[.]com	Malicious zip archive host, likely compromised domain
fkm-system[.]com	Malicious zip archive host, likely compromised domain
185.82.219[.]92	C2 address
91.92.242[.]183	C2 address
91.92.244[.]41	C2 address
91.92.249[.]106	C2 address
91.92.249[.]155	C2 address
91.92.252[.]238	C2 address
91.92.255[.]71	C2 address
91.92.255[.]77	C2 address
94.156.65[.]115	C2 address
94.156.65[.]98	C2 address
94.156.67[.]185	C2 address
94.156.67[.]188	C2 address
94.156.67[.]83	C2 address
94.158.244[.]32	C2 address

Host Based Indicators (HBIs)

File	SHA256	Notes
DellAPC.exe	8b1946e3e88cff3bee6b8a2ef761513fb82a1c81f97a27f959c08d08e4c75324	Dropped by the threat actor post compromise
DellCTSW2.exe	N/A	Dropped by the threat actor post compromise
DellCTSWin.exe	2ee435033d0e2027598fc6b35d8d6cbca32380eb4c059ba0806b9cfb1b4275cc	Dropped by the threat actor post compromise
DellPPem.exe	4b618892c9a397b2b831917264aaf0511ac1b7e4d5e56f177217902daab74a36	Dropped by the threat actor post compromise
DellPRT.exe	725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa	Dropped by the threat actor post compromise
KeePassDR.exe	c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a	Dropped by the threat actor post compromise
NVDisplay.Contain64.exe	35161a508dfaf8e04bb6de6bc793a3840a05f2c04bbbbf8c2237abebe8e670aa	Dropped by the threat actor post compromise
NVDisplay.Container64.exe	8bc39017b1ea59386f74d7c7822063b3b00315dd317f55ddc6634bde897c45c1	Dropped by the threat actor post compromise
NVDisplay.exe	bbdf350c6ae2438bf14fc6dc82bb54030abf9da0c948c485e297330e08850575	Dropped by the threat actor post compromise
OktaServiceAgent.exe	28e5ee69447cea77eee2942c04009735a199771ba64f6bce4965d674515d7322	Dropped by the threat actor post compromise
OktaServiceAgent.exe	f36e9dec2e7c574c07f3c01bbbb2e8a6294e85863f4d6552cccb71d9b73688ad	Dropped by the threat actor post compromise
PDMVault.exe	242b2c948181f8c2543163c961775393220d128ecb38a82fa62b80893f209cab	Dropped by the threat actor post compromise
PDMVault.exe	9be715df88024582eeabdb0a621477e04e2cf5f57895fa6420334609138463b9	Dropped by the threat actor post compromise
PDMVaultConf.exe	8b0d04f65a6a5a3c8fb111e72a1a176b7415903664bc37f0a9015b85d3fc0aa7	Dropped by the threat actor post compromise
PDMVaultL.exe	169ef0e828c3cd35128b0e8d8ca91fbf54120d9a2facf9eb8b57ea88542bc427	Dropped by the threat actor post compromise
PDMVaultLP.exe	N/A	Dropped by the threat actor post compromise
PDMVaultSec.exe	61214a7b14d6ffb4d27e53e507374aabcbea21b4dc574936b39bec951220e7ea	Dropped by the threat actor post compromise
PDMVaultSecs.exe	51af3d778b5a408b725fcf11d762b0f141a9c1404a8097675668f64e10d44d64	Dropped by the threat actor post compromise
PDMVaultTest.exe	96ea33a5f305015fdd84bea48a9e266c0516379ae33321a1db16bc6fabad5679	Dropped by the threat actor post compromise
ServerController.exe	02330e168d4478a4cd2006dd3a856979f125fd30f5ed24ee70a41e03e4c0d2f8	Dropped by the threat actor post compromise
SgrmBroker.exe	8834ec9b0778a08750156632b8e74b9b31134675a95332d1d38f982510c79acb	Dropped by the threat actor post compromise
VMImportHost.exe	c8a982e2be4324800f69141b5be814701bcc4167b39b3e47ed8908623a13eb10	Dropped by the threat actor post compromise
VMImportHost2.exe	47ec3a1ece8b30e66afd6bb510835bb072bbccc8ea19a557c59ccdf46fe83032	Dropped by the threat actor post compromise
VMImportHost3.exe	9bd3c7eff51c5746c21cef536971cc65d25e3646533631344728e8061a0624cb	Dropped by the threat actor post compromise
VMSAdmin.exe	f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861	Dropped by the threat actor post compromise
VMSAdminUtil.exe	ca05485a1ec408e2f429e2e377cc5af2bee37587a2eb91dc86e8e48211ffc49e	Dropped by the threat actor post compromise
VMSAdminUtilityUp.exe	972ca168f7a8cddd77157e7163b196d1267fe2b338b93dabacc4a681e3d46b57	Dropped by the threat actor post compromise
VMSBackupConfig.exe	1576f71ac41c4fc93c8717338fbc2ba48374894345c33bdf831b16d0d06df23d	Dropped by the threat actor post compromise
VMSBackupUpdate.exe	a5dfc9c326b1303cc1323c286ecd9751684fb1cd509527e2f959fb79e5a792c2	Dropped by the threat actor post compromise
dp_agent.exe	13B2E749EB1E45CE999427A12BB78CBEBC87C415685315C77CDFB7F64CB9AAB0	Dropped by the threat actor post compromise
local.exe	bd4abc70de30e036a188fc9df7b499a19a0b49d5baefc99844dfdec6e70faf75	Dropped by the threat actor post compromise
lr_agent.exe	d95f6dec32b4ebed2c45ecc05215e76bf2f520f86ad6b5c5da1326083ba72e89	Dropped by the threat actor post compromise
ntfrss.exe	f36089675a652d7447f45c604e062c2a58771ec54778f6e06b2332d1f60b1999	Dropped by the threat actor post compromise
op_agent.exe	17e0005fd046e524c1681304493f0c51695ba3f24362a61b58bd2968aa1bd01a	Dropped by the threat actor post compromise
pp.txt	N/A	Notable naming scheme
pr_agent.exe	d27f9c0d761e5e1de1a741569e743d6747734d3cdaf964a9e8ca01ce662fac90	Dropped by the threat actor post compromise
python311.dll	CD7D59105B0D0B947923DD9ED371B9CFC2C2AA98F29B2AFBDCD3392AD26BDE94	Malicious DLL sideloaded by setup.exe. Compiled 2024-03-05. Original name: python311_WinSCP.dll.
python311.dll	02D8E4E5F74D38C8E1C9AD893E0CEC1CC19AA08A43ECC87AC043FA825382A583	Malicious DLL sideloaded by setup.exe. Compiled 2024-04-03. Original name: python311_WinSCP.dll.
python311.dll	500574522DBCDE5E6C89803C3DCA7F857F73E0868FD7F8D2F437F3CC31CE9E8D	Malicious DLL sideloaded by setup.exe. Compiled 2024-04-10. Original name: python311_Putty.dll.
-redacted-.exe	a1cb8761dd8e624d6872960e1443c85664e9fbf24d3e208c3584df49bbdb2d9c	Ransomware, named after the impacted domain.
readme.txt	N/A	Ransom note
resticORIG.exe	33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04	Exfil tool dropped by the threat actor
rr__agent.exe	d94ed93042d240e4eaac8b1b397abe60c6c50a5ff11e62180a85be8aa0b0cc4a	Dropped by the threat actor post compromise
truesight.sys	bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c	AV/EDR killer, used to facilitate the execution of ransomware.
veeam.backups.shell.exe	7d53122d6b7cff81e1c5fcdb3523ccef1dbd46c93020a0de65bc475760faff7d	Dropped by the threat actor post compromise
vmtools.exe	ED501E49B9418FCFAF56A2EFF7ADCF85A648BDEE2C42BB09DB8C11F024667BFA	Dropped by the threat actor post compromise
vmtoolsda.exe	12AFBEC79948007E87FDF9E311736160797F245857A45C040966E8E029CA97B3	Dropped by the threat actor post compromise
vmtoolsdr.exe	989A8E6A01AA20E298B1FFAE83B50CEF3E08F6B64A8F022288DC8D5729301674	Dropped by the threat actor post compromise
vmtoolsds.exe	0AA248300A9F6C498F5305AE3CB871E9EC78AE62E6D51C05C4D6DD069622F442	Dropped by the threat actor post compromise
vmtoolsdt.exe	DF0213E4B784A7E7E3B4C799862DB6EA60E34D8E22EB5E72A980A8C2E9B36177	Dropped by the threat actor post compromise
DellPP.exe	51D898DE0C300CAE7A57C806D652809D19BEB3E52422A7D8E4CB1539A1E2485D	Dropped by the threat actor post compromise
DellPP2.exe	8827B6FA639AFE037BB2C3F092CCB12D49B642CE5CEC496706651EBCB23D5B9E	Dropped by threat actor post compromise
data.aes	F18367D88F19C555F19E3A40B17DE66D4A6F761684A5EF4CDD3D9931A6655490	Encrypted Sliver beacon
data.aes	C33975AA4AB4CDF015422608962BD04C893F27BD270CF3F30958981541CDFEAD
Encrypted Sliver beacon
data.aes	868CD4974E1F3AC7EF843DA8040536CB04F96A2C5779265A69DF58E87DC03029	Encrypted Sliver beacon
systemd.py	69583C4A9BF96E0EDAFCF1AC4362C51D6FF71BBA0F568625AE65A1E378F15C65	Sliver beacon loader
systemd.py	03D18441C04F12270AAB3E55F68284DCD84721D1E56B32F8D8B732A52A654D2D	Sliver beacon loader
systemd.py	CF82366E319B6736A7EE94CCA827790E9FDEDFACE98601F0499ABEE61F613D5D	Sliver beacon loader

Будет! Russian ransomware rascals riled a Roman Catholic healthcare organization.

The post FBI/CISA Warning: ‘Black Basta’ Ransomware Gang vs. Ascension Health appeared first on Security Boulevard.

Bad actors are always ready to exploit political strife to their own ends. Right now, they’re doing so with the conflict in the Middle East. A holistic defense against influence networks requires collaboration between government, technology companies and security research organizations.

The post Emerald Divide Uses GenAI to Exploit Social, Political Divisions in Israel Using Disinformation appeared first on Security Boulevard.

Recently, a wave of malware attacks has surfaced, exploiting vulnerabilities in the update mechanism of the eScan antivirus software. This eScan antivirus backdoor exploit distributes backdoors and cryptocurrency miners, such as XMRig, posing a significant threat to large corporate networks. In this blog, we’ll look into the details of this eScan antivirus backdoor exploit and […]

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on TuxCare.

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on Security Boulevard.

In the ever-evolving world of ransomware, it’s getting easier for threat groups to launch attacks – as evidence by the growing number of incidents – but more difficult to make a profit. Organizations’ cyber-defenses are getting more resilient, decryptors that enable victims to regain control of their data, and law enforcement crackdowns on high-profile cybercrime..

The post Ransomware Attacks are Up, but Profits are Down: Chainalysis appeared first on Security Boulevard.

The new Google Threat Intelligence cloud service draws from Mandiant, VirusTotal, and its own insights and combines them with generative AI.

The post Google Continues Mixing Generative AI into Cybersecurity appeared first on Security Boulevard.

Google is encouraging the adoption of multi-factor authentication to protect against phishing and other cyberattacks. It hopes 2-Step Verification (2SV) can help.

The post Google Makes Implementing 2FA Simpler appeared first on Security Boulevard.

War of the words: Fancy Bear actions are “intolerable and unacceptable,” complains German foreign minister Annalena Baerbock.

The post Germany Warns Russia: Hacking Will Have Consequences appeared first on Security Boulevard.

Finland has warned of an ongoing Android malware campaign that targets banking details of its victims by enticing them to download a malicious counterfeit McAfee app. Finland's Transport and Communications Agency – Traficom - issued a warning last week about an ongoing Android malware campaign that aims to withdraw money from the victim's online bank accounts. Traficom said this campaign exclusively targets Android devices, with no separate infection chain identified for Apple iPhone users. The agency has identified multiple cases of SMS messages written in Finnish language, instructing recipients to call a specified number. These messages often impersonate banks or payment service providers like MobilePay and utilize spoofing technology to appear as if they originate from domestic telecom operators or local networks. [caption id="attachment_66875" align="aligncenter" width="1024"] Finnish language smishing message (Credit: Traficom)[/caption] The scammers answering these calls direct victims to install a McAfee app under the guise of providing protection. However, the McAfee app being promoted is, in fact, malware designed to compromise victims' bank accounts. According to reports received by the Cyber Security Center, targets are prompted to download a McAfee application via a link provided in the message. This link leads to the download of an .apk application hosted outside the app store for Android devices. Contrary to expectations, this is not antivirus software but malware intended for installation on the phone. The OP Financial Group, a prominent financial service provider in Finland, also issued an alert on its website regarding these deceptive messages impersonating banks or national authorities. The police have similarly emphasized the threat posed by this malware, warning that it enables operators to access victims' banking accounts and initiate unauthorized money transfers. In one reported case, a victim lost 95,000 euros (approximately $102,000) due to the scam.

Vultur Android Malware Campaign Trademarks

While Finnish authorities have not definitively identified the type of malware involved or shared specific hashes or IDs for the APK files, the attacks bear a striking resemblance to those reported by Fox-IT analysts in connection with a new version of the Vultur trojan. [caption id="attachment_66873" align="alignnone" width="1024"] Vultur Trojan infection chain (Credit: Fox-IT)[/caption] The new iteration of the Vultur trojan employs hybrid smishing and phone call attacks to persuade targets into downloading a fake McAfee Security app. This app introduces the final payload in three separate parts for evasion purposes. Notable features of this latest version include extensive file management operations, abuse of Accessibility Services, app blocking, disabling Keyguard, and serving custom notifications in the status bar.

Things to Do If You Suspect Being Victim

If you suspect that your device has been infected with the malware, it is advisable to contact your bank immediately to enable protection measures. Additionally, restoring "factory settings" on the infected Android device to wipe all data and apps is recommended. OP Financial Group emphasizes that they do not request customers to share sensitive data over the phone or install any apps to receive or cancel payments. “We will never send you messages with a link to the online bank login page. The bank also never asks you for your ID or card information via messages. Such messages are scams and you should not click on the links in them,” the OP Financial Group said. “Even in order to receive or cancel a payment, you do not need to log in from a link, confirm with codes or provide your information. If you are asked to do this, contact the bank's customer service.” Any similar requests should also be promptly reported to the police. The news of the online banking fraud comes days after a multi-national police operation crack opened a massive fraudulent call center network run across Europe that targeted especially senior citizens with an intent to dupe them of thousands of dollars. The crack down, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement of a customer aged 76-years attempting to withdraw a large sum of money. Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Interesting social-engineering attack vector:

McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.

As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.

For example, a threat actor could upload a malware executable in NVIDIA’s driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it’s a new test version of the web browser.

These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.