Devices – INDIA NEWS
https://www.indiavpn.org
News Blog, Tue, 09 Apr 2024 06:15:29 +0000

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks
https://www.indiavpn.org/2024/04/09/critical-flaws-leave-92000-d-link-nas-devices-vulnerable-to-malware-attacks/
Tue, 09 Apr 2024 06:15:29 +0000

Apr 09, 2024 | Newsroom | Botnet / Vulnerability

Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.

Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace the devices.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter,” a security researcher who goes by the name netsecfish said in late March 2024.

Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.

The issues affect the following models –

  • DNS-320L
  • DNS-325
  • DNS-327L, and
  • DNS-340L

Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.

In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.
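As an added example (not code from the article, from D-Link, or from the researcher), the Python script below shows a defender-side check that pairs with the firewalling advice above: it scans constructed web-access-log lines for requests to the nas_sharing.cgi endpoint and flags those carrying the `system` parameter the article identifies as the command-injection vector. The CGI path, the combined log format and all parameter values are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" style access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The article names the vulnerable endpoint (nas_sharing.cgi) and the
# injection parameter ("system"). The /cgi-bin/ prefix is an assumption.
ENDPOINT = "nas_sharing.cgi"
INJECTION_PARAM = "system"

# Constructed sample log lines; IPs are documentation ranges, values are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2024:10:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi?system=CONSTRUCTED_VALUE HTTP/1.1" 200 512
198.51.100.9 - - [08/Apr/2024:10:02:40 +0000] "GET /web/login.html HTTP/1.1" 200 2048
203.0.113.7 - - [08/Apr/2024:10:02:55 +0000] "GET /cgi-bin/nas_sharing.cgi?system=CONSTRUCTED_VALUE HTTP/1.1" 200 512
192.0.2.33 - - [08/Apr/2024:10:05:03 +0000] "GET /cgi-bin/nas_sharing.cgi?dbg=1 HTTP/1.1" 404 0
this line is not a valid access-log record
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    parts = urlsplit(event["target"])
    event["path"] = parts.path
    # keep_blank_values so an empty "system=" still counts as present
    event["params"] = parse_qs(parts.query, keep_blank_values=True)
    return event


def classify(event):
    """Severity of a parsed event: 'high' when the injection parameter is sent
    to the vulnerable endpoint, 'medium' for any other hit on it, else None."""
    if not event["path"].lower().endswith(ENDPOINT):
        return None
    if INJECTION_PARAM in {k.lower() for k in event["params"]}:
        return "high"
    return "medium"


def scan_log(text):
    """Scan raw log text; return the findings plus hit counts per source IP."""
    findings, per_ip = [], Counter()
    for raw in text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue  # unparseable line: skip, never crash the scan
        sev = classify(event)
        if sev is None:
            continue
        findings.append({
            "severity": sev, "ip": event["ip"], "ts": event["ts"],
            "status": event["status"], "params": sorted(event["params"]),
        })
        per_ip[event["ip"]] += 1
    return {"findings": findings, "per_ip": dict(per_ip)}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"[{f['severity']:6}] {f['ip']:>14} {f['ts']} "
              f"status={f['status']} params={f['params']}")
    print("hits per source:", report["per_ip"])
```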

The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.

With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.

“Some scanning attacks originate from benign networks likely driven by malware on infected machines,” the company said.

“By launching scanning attacks from compromised hosts, attackers can accomplish the following: Covering their traces, bypassing geofencing, expanding botnets, [and] leveraging the resources of these compromised devices to generate a higher volume of scanning requests compared to what they could achieve using only their own devices.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy
https://www.indiavpn.org/2024/03/29/themoon-botnet-resurfaces-exploiting-eol-devices-to-power-criminal-proxy/
Fri, 29 Mar 2024 13:32:52 +0000

Mar 29, 2024 | Newsroom | Network Security / IoT Security

A botnet previously considered to have been rendered inert has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

“TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen Technologies said.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that’s offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.

In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.

The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.

That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S.

Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices, deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless.

The attacks entail dropping a loader that’s responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called “.sox” that’s used to proxy traffic from the bot to the internet on behalf of a user.

In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and allow traffic from three different IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers in a likely effort to determine if the infected device has internet connectivity and it is not being run in a sandbox.

The targeting of EoL appliances to build the botnet is no coincidence, as they are no longer supported by the manufacturer and become increasingly susceptible to security vulnerabilities over time. It’s also possible that the devices are infiltrated by means of brute-force attacks.

Additional analysis of the proxy network has revealed that more than 30% of the infections lasted for over 50 days, while about 15% of the devices were part of the network for 48 hours or less.

“Faceless has become a formidable proxy service that rose from the ashes of the ‘iSocks’ anonymity service and has become an integral tool for cyber criminals in obfuscating their activity,” the company said. “TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service.”

Suspected Russian Data-Wiping ‘AcidPour’ Malware Targeting Linux x86 Devices
https://www.indiavpn.org/2024/03/19/suspected-russian-data-wiping-acidpour-malware-targeting-linux-x86-devices/
Tue, 19 Mar 2024 13:45:23 +0000

Mar 19, 2024 | Newsroom | Linux / Cyber Espionage

A new variant of a data-wiping malware called AcidRain has been detected in the wild that’s specifically designed to target Linux x86 devices.

The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne’s Juan Andres Guerrero-Saade said in a series of posts on X.

“The new variant […] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it’s a largely different codebase,” Guerrero-Saade noted.

AcidRain first came to light in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat.

AcidRain, an ELF binary compiled for MIPS architectures, is capable of wiping the filesystem and various known storage device files by recursively iterating over directories common to most Linux distributions.

The cyber attack was subsequently attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union.

AcidPour, as the new variant is called, is designed to erase content from RAID arrays and Unsorted Block Image (UBI) file systems through the addition of file paths like “/dev/dm-XX” and “/dev/ubiXX,” respectively.

It’s currently not clear who the intended victims are, although SentinelOne said it notified Ukrainian agencies. The exact scale of the attacks is presently unknown.

The discovery once again underscores the use of wiper malware to cripple targets, even as threat actors are diversifying their attack methods for maximum impact.

New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers
https://www.indiavpn.org/2024/02/21/new-wi-fi-vulnerabilities-expose-android-and-linux-devices-to-hackers/
Wed, 21 Feb 2024 17:36:35 +0000

Feb 21, 2024 | Newsroom | Network Security / Vulnerability

Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.

The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a security evaluation of wpa_supplicant and Intel’s iNet Wireless Daemon (IWD), respectively.

The flaws “allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password,” Top10VPN said in new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like KRACK, DragonBlood, and TunnelCrack.

CVE-2023-52161, in particular, permits an adversary to gain unauthorized access to a protected Wi-Fi network, exposing existing users and devices to potential attacks such as malware infections, data theft, and business email compromise (BEC). It impacts IWD versions 2.12 and lower.

On the other hand, CVE-2023-52160 affects wpa_supplicant versions 2.10 and prior. It’s also the more pressing of the two flaws owing to the fact that it’s the default software used in Android devices to handle login requests to wireless networks.

That said, it only impacts Wi-Fi clients that aren’t properly configured to verify the certificate of the authentication server. CVE-2023-52161, however, affects any network that uses a Linux device as a wireless access point (WAP).

Successful exploitation of CVE-2023-52160 banks on the prerequisite that the attacker is in possession of the SSID of a Wi-Fi network to which the victim has previously connected. It also requires the threat actor to be in physical proximity to the victim.

“One possible such scenario might be where an attacker walks around a company’s building scanning for networks before targeting an employee leaving the office,” the researchers said.

Major Linux distributions such as Debian, Red Hat, SUSE, and Ubuntu have released advisories for the two flaws. The wpa_supplicant issue has also been addressed in ChromeOS versions 118 and later, but fixes for Android are yet to be made available.

“In the meantime, it’s critical, therefore, that Android users manually configure the CA certificate of any saved enterprise networks to prevent the attack,” Top10VPN said.
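As an added example that is neither from the article nor from Top10VPN’s research, the Python script below audits a constructed wpa_supplicant.conf for the client-side misconfiguration the article describes: enterprise (WPA-EAP) networks saved without a `ca_cert`, so the authentication server’s certificate is never verified. It goes one step beyond the text by also warning when no `domain_match`/`domain_suffix_match` pins the expected server name, a standard hardening step. The option names are real wpa_supplicant.conf keys; the SSIDs, paths and credentials in the sample are constructed.

```python
import re

# Constructed sample configuration (not from any real device).
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

# Enterprise network saved without any server certificate check.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="constructed-secret"
    phase2="auth=MSCHAPV2"
}

# Same network, configured so the client verifies the RADIUS server.
network={
    ssid="corp-wifi-fixed"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="constructed-secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}

# Personal (PSK) network: no authentication server, so not in scope.
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
"""

# One network={ ... } block; bodies never contain a closing brace themselves.
BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_networks(text):
    """Return one dict (key -> value, quotes stripped) per network block."""
    networks = []
    for body in BLOCK_RE.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def uses_eap(net):
    """True when the network authenticates against a RADIUS/EAP server."""
    return any(k.startswith("WPA-EAP") or k == "IEEE8021X"
               for k in net.get("key_mgmt", "").split())


def audit_network(net):
    """Findings for one network; an empty list means it looks correctly pinned."""
    findings = []
    if not uses_eap(net):
        return findings
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: server certificate is not verified")
    if not (net.get("domain_match") or net.get("domain_suffix_match")):
        findings.append("no domain_match/domain_suffix_match: any cert the CA issued is accepted")
    return findings


def audit_config(text):
    """Map each enterprise network's SSID to its list of findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text) if uses_eap(net)}


if __name__ == "__main__":
    for ssid, issues in audit_config(SAMPLE_CONF).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{ssid}: {status}")
```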

Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices
https://www.indiavpn.org/2024/02/19/meta-warns-of-8-spyware-firms-targeting-ios-android-and-windows-devices/
Mon, 19 Feb 2024 14:11:17 +0000

Meta Platforms said it took a series of steps to curtail malicious activity from eight different firms based in Italy, Spain, and the United Arab Emirates (U.A.E.) operating in the surveillance-for-hire industry.

The findings are part of its Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices.

“Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media, and messaging apps, and enable microphone, camera, and screenshot functionality,” the company said.

The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.

Specifically, a network of fictitious personas linked to RCS Labs, which is owned by Cy4Gate, is said to have tricked users into providing their phone numbers and email addresses, in addition to clicking on bogus links for conducting reconnaissance.

Another set of now-removed Facebook and Instagram accounts associated with Spanish spyware vendor Variston IT was employed for exploit development and testing, including sharing of malicious links. Last week, reports emerged that the company is shutting down its operations.

Meta also said it identified accounts used by Negg Group to test the delivery of its spyware, as well as by Mollitiam Industries, a Spanish firm that advertises a data collection service and spyware targeting Windows, macOS, and Android, to scrape public information.

Elsewhere, the social media giant took action against networks from China, Myanmar, and Ukraine exhibiting coordinated inauthentic behavior (CIB), removing over 2,000 accounts, Pages, and Groups from Facebook and Instagram.

While the Chinese cluster targeted U.S. audiences with content related to criticism of U.S. foreign policy towards Taiwan and Israel and its support of Ukraine, the network originating from Myanmar targeted its own residents with original articles that praised the Burmese army and disparaged the ethnic armed organizations and minority groups.

The third cluster is notable for its use of fake Pages and Groups to post content that supported Ukrainian politician Viktor Razvadovskyi, while also sharing “supportive commentary about the current government and critical commentary about the opposition” in Kazakhstan.

The development comes as a coalition of governments and tech companies, including Meta, has signed an agreement to curb the abuse of commercial spyware to commit human rights abuses.

As countermeasures, the company has introduced new features, such as enabling Control Flow Integrity (CFI) on Messenger for Android and VoIP memory isolation for WhatsApp, in an effort to make exploitation harder and reduce the overall attack surface.

That said, the surveillance industry continues to thrive in myriad, unexpected forms. Last month, 404 Media — building off prior research from the Irish Council for Civil Liberties (ICCL) in November 2023 — unmasked a surveillance tool called Patternz that leverages real-time bidding (RTB) advertising data gathered from popular apps like 9gag, Truecaller, and Kik to track mobile devices.

“Patternz allows national security agencies [to] utilize real-time and historical user advertising generated data to detect, monitor and predict users actions, security threats and anomalies based on users’ behavior, location patterns and mobile usage characteristics,” ISA, the Israeli company behind the product, claimed on its website.

Then last week, Enea took the wraps off a previously unknown mobile network attack known as MMS Fingerprint that’s alleged to have been utilized by Pegasus-maker NSO Group. This information was included in a 2015 contract between the company and the telecom regulator of Ghana.

While the exact method used remains something of a mystery, the Swedish telecom security firm suspects it likely involves the use of MM1_notification.REQ, a special type of SMS message called a binary SMS that notifies the recipient device of an MMS that’s waiting for retrieval from the Multimedia Messaging Service Center (MMSC).

The MMS is then fetched by means of MM1_retrieve.REQ and MM1_retrieve.RES, with the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.

What’s notable about this approach is that user device information such as User-Agent (different from a web browser User-Agent string) and x-wap-profile is embedded in the GET request, thereby acting as a fingerprint of sorts.

“The (MMS) User-Agent is a string that typically identifies the OS and device,” Enea said. “x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset.”

A threat actor looking to deploy spyware could use this information to exploit specific vulnerabilities, tailor their malicious payloads to the target device, or even craft more effective phishing campaigns. That said, there is no evidence that this security hole has been exploited in the wild in recent months.

New Stealthy “RustDoor” Backdoor Targeting Apple macOS Devices
https://www.indiavpn.org/2024/02/10/new-stealthy-rustdoor-backdoor-targeting-apple-macos-devices/
Sat, 10 Feb 2024 08:16:40 +0000

Feb 10, 2024 | Newsroom | macOS Malware / Cyber Threat

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.

The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.

The exact initial access pathway used to propagate the implant is currently not known, although it’s said to be distributed as FAT binaries that contain Mach-O files.

Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023.

It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint.

Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude.

The captured information is then exfiltrated to a command-and-control (C2) server.

The Romanian cybersecurity firm said the malware is likely linked to prominent ransomware families like Black Basta and BlackCat owing to overlaps in C2 infrastructure.

“ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model,” security researcher Andrei Lapusneau said.

In December 2023, the U.S. government announced that it took down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware
https://www.indiavpn.org/2024/02/05/patchwork-using-romance-scam-lures-to-infect-android-devices-with-vajraspy-malware/
Mon, 05 Feb 2024 15:35:54 +0000

Feb 05, 2024 | Newsroom | Cyber Espionage / Cyber Extortion

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.

Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.

“VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code,” security researcher Lukáš Štefanko said. “It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera.”

As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.

  • Privee Talk (com.priv.talk)
  • MeetMe (com.meeete.org)
  • Let’s Chat (com.letsm.chat)
  • Quick Chat (com.qqc.chat)
  • Rafaqat رفاق (com.rafaqat.news)
  • Chit Chat (com.chit.chat)
  • YohooTalk (com.yoho.talk)
  • TikTalk (com.tik.talk)
  • Hello Chat (com.hello.chat)
  • Nidus (com.nidus.no or com.nionio.org)
  • GlowChat (com.glow.glow)
  • Wave Chat (com.wave.chat)

Rafaqat رفاق is notable for the fact that it’s the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.

The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.

This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

It’s also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.

Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).

Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another group that has been flagged as operating with Indian interests in mind.

The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or “com.moneyfine.fine”) as part of an extortion scam that manipulates the selfie uploaded during a know your customer (KYC) process to create a nude image and threatens victims into making a payment or risk having the doctored photos distributed to their contacts.

“These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money,” Cyfirma said in an analysis late last month.

It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.

According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by a Nigeria-based cybercriminal group known as the Yahoo Boys.

“Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz,” NCRI said.

Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it’s “not aware of any successful extortion attempts that occurred while communicating on the Wizz app.”

New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices
https://www.indiavpn.org/2023/12/27/new-sneaky-xamalicious-android-malware-hits-over-327000-devices/
Wed, 27 Dec 2023 10:44:09 +0000

Dec 27, 2023 | Newsroom | Privacy / App Security

A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices.

Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it’s developed using an open-source mobile app framework called Xamarin and abuses the operating system’s accessibility permissions to fulfill its objectives.

It’s also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill.

The second stage is “dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent,” security researcher Fernando Ruiz said.

The cybersecurity firm said it identified 25 apps that come with this active threat, some of which were distributed on the official Google Play Store since mid-2020. The apps are estimated to have been installed at least 327,000 times.

A majority of the infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and other parts of Europe and the Americas. Some of the apps are listed below –

  • Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)
  • 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
  • Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
  • Auto Click Repeater (com.autoclickrepeater.free)
  • Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
  • Sound Volume Extender (com.muranogames.easyworkoutsathome)
  • LetterLink (com.regaliusgames.llinkgame)
  • NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS (com.Ushak.NPHOROSCOPENUMBER)
  • Step Keeper: Easy Pedometer (com.browgames.stepkeepereasymeter)
  • Track Your Sleep (com.shvetsStudio.trackYourSleep)
  • Sound Volume Booster (com.devapps.soundvolumebooster)
  • Astrological Navigator: Daily Horoscope & Tarot (com.Osinko.HoroscopeTaro)
  • Universal Calculator (com.Potap64.universalcalculator)

Xamalicious, which typically masquerades as health, games, horoscope, and productivity apps, is the latest in a long list of malware families that abuse Android’s accessibility services, asking users to grant it access to them upon installation so it can carry out its tasks.

“To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it’s encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm,” Ruiz noted.

Even more troublingly, the first-stage dropper contains functions to self-update the main Android package (APK) file, meaning it can be weaponized to act as spyware or a banking trojan without any user interaction.

McAfee said it identified a link between Xamalicious and an ad-fraud app named Cash Magnet, which facilitates app download and automated clicker activity to illicitly earn revenue by clicking on ads.

“Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets,” Ruiz said.

Android Phishing Campaign Targets India With Banker Malware

The disclosure comes as the cybersecurity company detailed a phishing campaign that employs social messaging apps like WhatsApp to distribute rogue APK files that impersonate legitimate banks such as the State Bank of India (SBI) and prompt the user to install them to complete a mandatory Know Your Customer (KYC) procedure.

Once installed, the app asks the user to grant it SMS-related permissions and redirects to a fake page that captures not only the victim’s credentials but also their account, credit/debit card, and national identity information.

The harvested data, alongside the intercepted SMS messages, are forwarded to an actor-controlled server, thereby allowing the adversary to complete unauthorized transactions.

It’s worth noting that Microsoft last month warned of a similar campaign that utilizes WhatsApp and Telegram as distribution vectors to target Indian online banking users.

“India underscores the acute threat posed by this banking malware within the country’s digital landscape, with a few hits found elsewhere in the world, possibly from Indian SBI users living in other countries,” researchers Neil Tyagi and Ruiz said.

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks
https://www.indiavpn.org/2023/12/25/new-kv-botnet-targeting-cisco-draytek-and-fortinet-devices-for-stealthy-attacks/
Mon, 25 Dec 2023 23:36:16 +0000

Dec 15, 2023 | Newsroom | Botnet / Advanced Persistent Threat

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” the company said.

The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots that are part of JDY engage in broader scanning using less sophisticated techniques, the KV component, consisting largely of outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.

It’s suspected that Volt Typhoon is at least one user of the KV-botnet and that the botnet encompasses a subset of the group’s operational infrastructure, as evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor’s tactics, said it “tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism used to breach the devices is currently unknown. It’s followed by the first-stage malware taking steps to remove security programs and other malware strains so as to ensure that it’s the “only presence” on these machines.

It’s also designed to retrieve the main payload from a remote server, which, in addition to beaconing back to the same server, is also capable of uploading and downloading files, running commands, and executing additional modules.

Over the past month, the botnet’s infrastructure has received a facelift, targeting Axis IP cameras, indicating that the operators could be gearing up for a new wave of attacks.

“One of the rather interesting aspects of this campaign is that all the tooling appears to reside completely in-memory,” the researchers said. “This makes detection extremely difficult, at the cost of long-term persistence.”

“As the malware resides completely in-memory, by simply power-cycling the device the end user can cease the infection. While that removes the imminent threat, re-infection is occurring regularly.”

The findings arrive as The Washington Post reported that two dozen critical entities in the U.S. have been infiltrated by Volt Typhoon over the past year, including power and water utilities as well as communications and transportation systems.

“The hackers often sought to mask their tracks by threading their attacks through innocuous devices such as home or office routers before reaching their victims,” the report added.
