Mar 20, 2024NewsroomDoS Attack / Network Security

A novel denial-of-service (DoS) attack vector has been found to target application-layer protocols based on User Datagram Protocol (UDP), putting hundreds of thousands of hosts likely at risk.

Called Loop DoS attacks, the approach pairs “servers of these protocols in such a way that they communicate with each other indefinitely,” researchers from the CISPA Helmholtz-Center for Information Security said.

UDP, by design, is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.

Thus, when attackers forge several UDP packets to include a victim IP address, the destination server responds to the victim (as opposed to the threat actor), creating a reflected denial-of-service (DoS) attack.

The latest study found that certain implementations of the UDP protocol, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create a self-perpetuating attack loop.

“It pairs two network services in such a way that they keep responding to one another’s messages indefinitely,” the researchers said. “In doing so, they create large volumes of traffic that result in a denial-of-service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack.”

Put simply, given two application servers running a vulnerable version of the protocol, a threat actor can initiate communication with the first server by spoofing the address of the second server, causing the first server to respond to the victim (i.e., the second server) with an error message.

The victim, in turn, will also exhibit similar behavior, sending back another error message to the first server, effectively exhausting each other’s resources and making either of the services unresponsive.

“If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth indefinitely,” Yepeng Pan and Christian Rossow explained.

CISPA said an estimated 300,000 hosts and their networks can be abused to carry out Loop DoS attacks.

While there is currently no evidence that the attack has been weaponized in the wild, the researchers warned that exploitation is trivial and that multiple products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected.

“Attackers need a single spoofing-capable host to trigger loops,” the researchers noted. “As such, it is important to keep up initiatives to filter spoofed traffic, such as BCP38.”

Jan 23, 2024NewsroomSoftware Security / Supply Chain

Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed.

The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024.

Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k.

Both the modules are designed to run a postinstall script after installation, which is designed to retrieve and execute two different JavaScript files.

While warbeast2000 attempts to access the private SSH key, kodiak2k is designed to look for a key named “meow,” raising the possibility that the threat actor likely used a placeholder name during the early stages of the development.

“This second stage malicious script reads the private SSH key stored in the id_rsa file located in the <homedir>/.ssh directory,” security researcher Lucija Valentić said. “It then uploaded the Base64-encoded key to an attacker-controlled GitHub repository.”

Subsequent versions of kodiak2k were found to execute a script found in an archived GitHub project hosting the Empire post-exploitation framework. The script is capable of launching the Mimikatz hacking tool to dump credentials from process memory.

“The campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations,” Valentić said.

Dec 28, 2023NewsroomMalware / Cyber Threat

A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.

Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.

“This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk,” the company said in its Threat Report H2 2023.

Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single digit daily numbers to hundreds per day.

Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives the customers access to the source code and the right to sell it.

There is evidence to suggest that the codebase associated with Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.

Besides continuously adapting its tactics to evade detection, the off-the-shelf tool is distributed through a variety of methods ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.

Another technique concerns the use of Discord’s content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.

This entails leveraging a combination of random and compromised Discord accounts to send direct messages to prospective targets, offering them $10 or a Discord Nitro subscription in exchange for their assistance on a project.

Users who agree to the offer are then urged to download an executable file hosted on Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.

“Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware available even to potentially less technically skilled threat actors,” ESET said.

“Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product.”

The disclosures come as McAfee Labs disclosed a new variant of NetSupport RAT, which emerged from its legitimate progenitor NetSupport Manager and has since been put to use by initial access brokers to gather information and perform additional actions on victims of interest.

“The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware,” McAfee said, adding it highlights the “evolving tactics employed by cybercriminals.”

The execution of the JavaScript file advances the attack chain by running PowerShell commands to retrieve the remote control and stealer malware from an actor-controlled server. The campaign’s primary targets include the U.S. and Canada.