Network – INDIA NEWS (http://www.indiavpn.org)

Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection
http://www.indiavpn.org/2024/03/28/darcula-phishing-network-leveraging-rcs-and-imessage-to-evade-detection/
Thu, 28 Mar 2024 16:13:44 +0000

A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale.

“Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries,” Netcraft said.

Darcula has been employed in several high-profile phishing attacks over the last year, including smishing messages sent to both Android and iOS users in the U.K. and campaigns that use package delivery lures impersonating legitimate services like USPS.

A Chinese-language PhaaS, Darcula is advertised on Telegram and offers support for about 200 templates impersonating legitimate brands, which customers can use for a monthly fee to set up phishing sites and carry out their malicious activities.

A majority of the templates are designed to mimic postal services, but they also include public and private utilities, financial institutions, government bodies (e.g., tax departments), airlines, and telecommunication organizations.

The phishing sites are hosted on purpose-registered domains that spoof the respective brand names to add a veneer of legitimacy. These domains are backed by Cloudflare, Tencent, Quadranet, and Multacom.

In all, more than 20,000 Darcula-related domains across 11,000 IP addresses have been detected, with an average of 120 new domains identified per day since the start of 2024. Some aspects of the PhaaS service were revealed in July 2023 by Israeli security researcher Oshri Kalfon.

One of the interesting additions to Darcula is its capability to update phishing sites with new features and anti-detection measures without having to remove and reinstall the phishing kit.

“On the front page, Darcula sites display a fake domain for sale/holding page, likely as a form of cloaking to disrupt takedown efforts,” the U.K.-based company said. “In previous iterations, Darcula’s anti-monitoring mechanism would redirect visitors that are believed to be bots (rather than potential victims) to Google searches for various cat breeds.”

Darcula’s smishing tactics also warrant special attention as they primarily leverage Apple iMessage and the RCS (Rich Communication Services) protocol used in Google Messages instead of SMS, thereby evading some filters put in place by network operators to prevent scammy messages from being delivered to prospective victims.

“While end-to-end encryption in RCS and iMessage delivers valuable privacy for end users, it also allows criminals to evade filtering required by this legislation by making the content of messages impossible for network operators to examine, leaving Google and Apple’s on-device spam detection and third-party spam filter apps as the primary line of defense preventing these messages from reaching victims,” Netcraft added.

“Additionally, they do not incur any per-message charges, which are typical for SMS, reducing the cost of delivery.”

The departure from traditional SMS-based phishing aside, another noteworthy aspect of Darcula’s smishing messages is their sneaky attempt to get around a safety measure in iMessage that prevents links from being clickable unless the message is from a known sender.

This entails instructing the victim to reply with a “Y” or “1” message and then reopen the conversation to follow the link. One such message posted on the r/phishing subreddit shows that users are persuaded to click on the URL with the claim that they have provided an incomplete delivery address for the USPS package.

These iMessages are sent from email addresses such as pl4396@gongmiaq.com and mb6367587@gmail.com, indicating that the threat actors behind the operation are creating bogus email accounts and registering them with Apple to send the messages.

Google, for its part, recently said it’s blocking the ability to send messages using RCS on rooted Android devices to cut down on spam and abuse.

The end goal of these attacks is to trick the recipients into visiting bogus sites and handing over their personal and financial information to the fraudsters. There is evidence to suggest that Darcula is geared towards Chinese-speaking e-crime groups.

Phishing kits can have serious consequences, as they permit less-skilled criminals to automate many of the steps needed to conduct an attack, thus lowering barriers to entry.

The development comes amid a new wave of phishing attacks that take advantage of Apple’s password reset feature, bombarding users with what’s called a prompt bombing (aka MFA fatigue) attack in hopes of hijacking their accounts.

Assuming a user manages to deny all the requests, “the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to ‘verify’ a one-time code,” security journalist Brian Krebs said.

The voice phishers have been found to use information about victims obtained from people search websites to increase the likelihood of success, and ultimately “trigger an Apple ID reset code to be sent to the user’s device,” which, if supplied, allows the attackers to reset the password on the account and lock the user out.

It’s suspected that the perpetrators are abusing a shortcoming in the password reset page at iforgot.apple[.]com to send dozens of requests for a password change in a manner that bypasses rate limiting protections.

The findings also follow research from F.A.C.C.T. that SIM swappers are transferring a target user’s phone number to their own device with an embedded SIM (eSIM) in order to gain unauthorized access to the victim’s online services. The practice is said to have been employed in the wild for at least a year.

This is accomplished by initiating an application on the operator’s website or application to transfer the number from a physical SIM card to an eSIM by masquerading as the victim, causing the legitimate owner to lose access to the number as soon as the eSIM QR Code is generated and activated.

“Having gained access to the victim’s mobile phone number, cybercriminals can obtain access codes and two-factor authentication to various services, including banks and messengers, opening up a mass of opportunities for criminals to implement fraudulent schemes,” security researcher Dmitry Dudkov said.

QEMU Emulator Exploited as Tunneling Tool to Breach Company Network
http://www.indiavpn.org/2024/03/08/qemu-emulator-exploited-as-tunneling-tool-to-breach-company-network/
Fri, 08 Mar 2024 10:05:48 +0000
Newsroom | Endpoint Security / Network Security

Threat actors have been observed leveraging the QEMU open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed “large company” to connect to their infrastructure.

While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first time QEMU has been used for this purpose.

“We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines,” Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin said.

“Each of the numerous network devices is defined by its type and supports extra options.”

In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server.

The Russian cybersecurity company said it was able to use QEMU to set up a network tunnel from an internal host within the enterprise network that didn’t have internet access to a pivot host with internet access, which connects to the attacker’s server on the cloud running the emulator.

The findings show that threat actors are continuously diversifying their attack strategies to blend their malicious traffic with actual activity and meet their operational goals.

“Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals,” the researchers said.

“This further supports the concept of multi-level protection, which covers both reliable endpoint protection, and specialized solutions for detecting and protecting against complex and targeted attacks including human-operated ones.”

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks
http://www.indiavpn.org/2024/02/22/cybercriminals-weaponizing-open-source-ssh-snake-tool-for-network-attacks/
Thu, 22 Feb 2024 12:34:54 +0000
Newsroom | Network Security / Penetration Testing

A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.

“SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network,” Sysdig researcher Miguel Hernández said.

“The worm automatically searches through known credential locations and shell history files to determine its next move.”

SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a “powerful tool” to carry out automatic network traversal using SSH private keys discovered on systems.

In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses.

“It’s completely self-replicating and self-propagating – and completely fileless,” according to the project’s description. “In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can.”

Sysdig said the shell script not only facilitates lateral movement, but also provides more stealth and flexibility than other typical SSH worms.

The cloud security company said it observed threat actors deploying SSH-Snake in real-world attacks to harvest credentials, the IP addresses of the targets, and the bash command history following the discovery of a command-and-control (C2) server hosting the data.

“The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread,” Hernández said. “It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold.”

When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to “discover the attack paths that exist – and fix them.”

“It seems to be commonly believed that cyber terrorism ‘just happens’ all of a sudden to systems, which solely requires a reactive approach to security,” Rogers said. “Instead, in my experience, systems should be designed and maintained with comprehensive security measures.”

“If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can’t be replicated across thousands of others.”

Rogers also called attention to the “negligent operations” by companies that design and implement insecure infrastructure, which can be easily taken over by a simple shell script.

“If systems were designed and maintained in a sane manner and system owners/companies actually cared about security, the fallout from such a script being executed would be minimized – as well as if the actions taken by SSH-Snake were manually performed by an attacker,” Rogers added.

“Instead of reading privacy policies and performing data entry, security teams of companies worried about this type of script taking over their entire infrastructure should be performing total re-architecture of their systems by trained security specialists – not those that created the architecture in the first place.”

The disclosure comes as Aqua uncovered a new botnet campaign named Lucifer that exploits misconfigurations and existing flaws in Apache Hadoop and Apache Druid to corral them into a network for mining cryptocurrency and staging distributed denial-of-service (DDoS) attacks.

The hybrid cryptojacking malware was first documented by Palo Alto Networks Unit 42 in June 2020, which called attention to its ability to exploit known security flaws to compromise Windows endpoints.

As many as 3,000 distinct attacks aimed at the Apache big data stack have been detected over the past month, the cloud security firm said. This also comprises those that single out susceptible Apache Flink instances to deploy miners and rootkits.

“The attacker implements the attack by exploiting existing misconfigurations and vulnerabilities in those services,” security researcher Nitzan Yaakov said.

“Apache open-source solutions are widely used by many users and contributors. Attackers may view this extensive use as an opportunity to have inexhaustible resources for implementing their attacks on them.”

U.S. State Government Network Breached via Former Employee’s Account
http://www.indiavpn.org/2024/02/16/u-s-state-government-network-breached-via-former-employees-account/
Fri, 16 Feb 2024 08:08:38 +0000
Newsroom | Cybersecurity / Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization’s network environment was compromised via an administrator account belonging to a former employee.

“This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point,” the agency said in a joint advisory published Thursday alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The threat actor connected to the [virtual machine] through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.”

It’s suspected that the threat actor obtained the credentials following a separate data breach owing to the fact that the credentials appeared in publicly available channels containing leaked account information.

The admin account, which had access to a virtualized SharePoint server, also enabled the attackers to access another set of credentials stored in the server, which had administrative privileges to both the on-premises network and the Azure Active Directory (now called Microsoft Entra ID).

This further made it possible to explore the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller. The attackers behind the malicious activity are presently unknown.

A deeper investigation into the incident has revealed no evidence that the adversary moved laterally from the on-premises environment to the Azure cloud infrastructure.

The attackers ultimately accessed host and user information and posted the information on the dark web for likely financial gain, the bulletin noted, prompting the organization to reset passwords for all users, disable the administrator account as well as remove the elevated privileges for the second account.

It’s worth pointing out that neither of the two accounts had multi-factor authentication (MFA) enabled, underscoring the need for securing privileged accounts that grant access to critical systems. It’s also recommended to implement the principle of least privilege and create separate administrator accounts to segment access to on-premises and cloud environments.

The development is a sign that threat actors leverage valid accounts, including those belonging to former employees that have not been properly removed from the Active Directory (AD), to gain unauthorized access to organizations.

“Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise,” the agencies said.

“By default, in Azure AD all users can register and manage all aspects of applications they create. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions.”

Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network
http://www.indiavpn.org/2024/02/07/chinese-hackers-exploited-fortigate-flaw-to-breach-dutch-military-network/
Wed, 07 Feb 2024 07:52:03 +0000
Newsroom | Cyber Espionage / Network Security

Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had fewer than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that’s designed to grant persistent remote access to the compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.

It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and NetGear routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network
http://www.indiavpn.org/2024/02/01/fritzfrog-returns-with-log4shell-and-pwnkit-spreading-malware-inside-your-network/
Thu, 01 Feb 2024 16:43:43 +0000
Newsroom | Cyber Attack / Botnet

The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.

“The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible,” web infrastructure and security company Akamai said in a report shared with The Hacker News.

FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It’s known to be active since January 2020.

It has since evolved to strike the healthcare, education, and government sectors, and has improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts.

What’s novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically single out internal hosts rather than targeting vulnerable publicly-accessible assets.

“When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise,” security researcher Ori David said.

“Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of.”

This means that even if the internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware.

The SSH brute-force component of FritzFrog has also received a facelift of its own to identify specific SSH targets by enumerating several system logs on each of its victims.

Another notable change in the malware is the use of the PwnKit flaw, tracked as CVE-2021-4034, to achieve local privilege escalation.

“FritzFrog continues to employ tactics to remain hidden and avoid detection,” David said. “In particular, it takes special care to avoid dropping files to disk when possible.”

This is accomplished by means of the shared memory location /dev/shm, which has also been put to use by other Linux-based malware such as BPFDoor and Commando Cat, and memfd_create to execute memory-resident payloads.

The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.

Reimagining Network Pentesting With Automation
http://www.indiavpn.org/2023/12/26/reimagining-network-pentesting-with-automation/
Tue, 26 Dec 2023 17:06:30 +0000

Network penetration testing plays a crucial role in protecting businesses in the ever-evolving world of cybersecurity. Yet, business leaders and IT pros have misconceptions about this process, which impacts their security posture and decision-making.

This blog acts as a quick guide on network penetration testing, explaining what it is, debunking common myths and reimagining its role in today’s security landscape.

What is network penetration testing?

Network penetration testing is a proactive approach to cybersecurity in which security experts simulate cyberattacks to identify gaps in an organization’s cyberdefense. The key objective of this process is to identify and rectify weaknesses before hackers can exploit them. This process is sometimes called “pentesting” or “ethical hacking.”

Network pentesting checks for chinks in an organization’s armor to help mitigate cyber-risks and protect against data, financial and reputational losses.

Differences between internal and external network penetration tests

Internal and external network penetration tests focus on different parts of an organization’s defense posture and are important for different reasons.

Internal network penetration tests assess the security of an organization’s internal network components like servers, databases and applications. Their objective is to identify vulnerabilities that can be exploited by an insider — a malicious employee, someone who could accidentally cause damage, or an outsider who’s already gained unauthorized access.

On the other hand, external network penetration tests look for threats from outside an organization caused by cybercriminals. They assess external-facing parts of an organization’s network, like websites and web applications, to simulate attacks that cybercriminals perform to gain unauthorized access.

It’s not a question of choosing one over the other. Internal and external network penetration tests are complementary layers of a comprehensive cybersecurity approach.

How network penetration testing works

The process of network penetration testing can broadly be divided into seven stages.

  1. Defining the scope: The organization decides which systems to test using which methods and what is off-limits in collaboration with experts or penetration testers.
  2. Gathering information: Testers collect information on the network, like IP addresses and domain names.
  3. Detecting vulnerabilities: Testers identify vulnerabilities in the network using various manual and automated tools and techniques.
  4. Exploiting the vulnerabilities: Testers exploit the exposed security flaws to try and gain unauthorized access to systems and sensitive data.
  5. Post exploitation: Testers use the information gathered in the previous stages to escalate access into systems and sensitive data to test and demonstrate the impact of a potential attack.
  6. Reporting on the vulnerabilities: Testers report on identified vulnerabilities and recommend security fixes.
  7. Fixing the vulnerabilities: Based on the report, the organization mitigates risks and improves its security posture.

Network penetration tests help organizations get a clear view of the effectiveness of their cyberdefense, helping them make informed and strategic security decisions.

Common misconceptions about network penetration testing

Now that we know what network penetration testing is and how it works, let’s dispel common myths.

Myth 1: Network penetration tests are a form of hacking.

While testers’ methods may be similar to those deployed by hackers, network penetration testing is an ethical process aiming to protect organizations. The same cannot be said of hacking because the intent is malicious.

Myth 2: You only need to run a network penetration test once.

Several factors determine an organization’s security, including the ever-evolving and advancing abilities of threat actors or cybercriminals and changing components in an organization’s IT infrastructure.

New threat avenues open frequently due to changes to these factors. Hence, you need to perform network penetration tests often, not just once, to keep up with the changes and identify potential vulnerabilities to mitigate risks and stay ahead of threats.

Myth 3: Network penetration tests are only for large corporations.

Small and medium businesses are prime targets for hackers because these organizations often lack the means to protect themselves efficiently. Roughly 40% of small businesses lose data due to cyberattacks, and about 60% go out of business within six months of a cyberattack. Network penetration testing can help these organizations improve their defense by identifying vulnerabilities that cybercriminals could exploit in advance.

Myth 4: Network penetration testing disrupts business operations.

The fear around network penetration testing is understandable. However, you can perform network penetration testing with minimal disruptions using advanced tools and technologies. In addition, you can request to conduct the pentest outside of business hours and on weekends.

Myth 5: Manual network penetration tests are the only way to be compliant.

Compliance requirements vary according to industries and geographies. The scope, frequency and testing requirement for network penetration testing differs for various standards. No one size fits all, and manual network penetration testing is certainly not the only way to be compliant.

Manual vs. automated network penetration testing

Network penetration testing, whether done manually or automatically, offers the clear advantage of identifying and rectifying vulnerabilities before hackers can exploit them.

With that said, both methods have their pros and cons.

Manual penetration testing is more hands-on and guided by human intuition, allowing you to explore security threats and vulnerabilities through the lens of security experts.

However, it’s also prone to human errors and inconsistencies. The methods testers use may fail to keep up with the evolution of threats. More importantly, manual network penetration testing is notoriously time-consuming and costly.

As far as automated network penetration testing is concerned, its efficacy depends on you choosing the right solution. However, if you can manage that, then automated network penetration testing can help you overcome the limitations of manual penetration testing.

Automated network penetration testing enables you to identify vulnerabilities that a malicious actor could exploit faster and more consistently. It’s also less prone to human errors and more scalable and cost-effective.

An advanced automated network penetration testing solution like vPenTest from Vonahi Security lets you continuously stay ahead of issues by running tests more frequently and enabling you to monitor your organization’s risk profile in near real-time. Improve your network and cybersecurity defenses – explore the benefits of vPenTest today at www.vonahi.io!

Protecting your business with automated network penetration testing

Given the complexity of modern IT infrastructures and the innovation of new attack methods, network penetration testing is a must-have in your cyber defense because it allows you to proactively check for vulnerabilities and fix them to prevent cyber catastrophes.

While manual penetration testing can be tedious and expensive, automated network penetration testing offers an efficient, cost-effective, and reliable alternative, allowing you to test more frequently with on-demand scheduling and monitor your network in near real-time.

In the battle for greater cybersecurity, automated penetration testing is an effective shield, helping organizations protect against downtime, reputation and financial damages and data loss incidents.

Empower your organization’s cybersecurity with Vonahi Security’s vPenTest – the industry-leading automated network penetration testing solution. Safeguard your business against cyber threats efficiently, cost-effectively, and in real-time. Join over 8,000 organizations benefiting from vPenTest. Visit Vonahi Security to secure your network and stay ahead of evolving cyber risks.

About Vonahi Security

Vonahi Security, a Kaseya Company, is a pioneer in building the future of offensive cybersecurity consulting services through automation. vPenTest from Vonahi is a SaaS platform that fully replicates manual internal and external network penetration testing, making it easy and affordable for organizations to continuously evaluate cybersecurity risks in real time. vPenTest is used by managed service providers, managed security service providers, and internal IT teams. Vonahi Security is headquartered in Atlanta, GA.
