by Richard Beck

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

APT Group targeting blockchain and crypto industry

The prolific Lazarus APT group is back in action to expand its attack scope against organisations in the blockchain technology and cryptocurrency industry. In addition to this, the group has also revived the well-known Operation Dream Job campaign that lures targeted employees with fake job offers.

In an alert, the FBI, CISA and the Treasury Department revealed that the North Korea-based Lazarus hacking group is sending a large number of spear-phishing messages to employees working in blockchain technology and cryptocurrency firms in an attempt to steal cryptocurrency. These emails often mimic a recruitment effort and offer high-paying jobs to entice the recipients into downloading malware-laced cryptocurrency applications, referred to as TraderTraitor.

The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. The federal agencies also noted that the attackers were leveraging the malicious applications to install macOS and Windows variants of Manuscrypt malware that is capable of stealing system information and performing other malicious activities.

The campaign targets cryptocurrency exchanges, DeFi platforms, play-to-earn cryptocurrency games, and crypto-coin trading companies. Also in the crosshairs are venture capital funds investing in cryptocurrencies and individuals holding large amounts of NFTs. Last week, the FBI made a major revelation about the massive heist at Axie Infinity last month: it attributed the theft to the Lazarus group, which compromised the Ronin Network bridge and stole around $600 million in ether and USDC.

The CISA advisory indicates that the crypto-focused activity of Lazarus is unlikely to abate anytime soon. Moreover, the group continues to expand its tactics and techniques to compromise computer networks of interest, steal cryptocurrency and intellectual property, and acquire financial assets. Organisations in this sector should therefore implement the advisory's mitigation measures to reduce the risk of such threats. Edited – Original source: CISA.

Ransomware targets ProxyShell weakness in MS Exchange Servers

A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to the ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacons. From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data and ultimately deploy the file-encrypting payload. The details come from security and analytics company Varonis, which was called in to investigate a ransomware attack on one of its customers.

ProxyShell is a set of three vulnerabilities in Microsoft Exchange Server that, chained together, allow remote code execution without authentication on vulnerable deployments. The flaws have been used by multiple threat actors, including ransomware operations such as Conti, BlackByte, Babuk, Cuba and LockFile, after exploits became available.

The flaws are tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, and their severity ratings range from 7.2 (high) to 9.8 (critical). The vulnerabilities have been fully patched since Microsoft's May 2021 security updates, but extensive technical details about them were only made public in August 2021, and malicious exploitation started soon after. The fact that Hive's affiliate was able to exploit ProxyShell in a recent attack shows that unpatched, internet-facing Exchange servers remain exposed almost a year after the fix.
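Because the ProxyShell chain runs through the Exchange front end, its steps leave a recognisable shape in the IIS W3C logs: an Autodiscover request whose query string begins with "@" (the path-confusion trick that steers the rewritten back-end URL), a back-end target of /mapi/nspi or /powershell, and an X-Rps-CAT token on the PowerShell remoting leg. The following Python script is an added example written for this roundup, not code from Varonis, Microsoft or any vendor tool. It parses the #Fields: header so it works on real Exchange logs, URL-decodes the query before matching, and reports which indicators each suspicious request triggered. The log lines in SAMPLE_LOG are constructed for the example (the host names, IP addresses and the X-Rps-CAT value are made up), and the indicator list reflects the publicly documented exploit chain rather than any single campaign.

```python
"""Hunt for ProxyShell-shaped requests in Exchange IIS (W3C) logs.

Added example, not from the original article or any vendor tool.  The
indicators encode the publicly documented shape of the ProxyShell chain;
the sample log lines are constructed, not captured from a real server.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample: two benign Autodiscover/MAPI requests from internal
# Outlook clients, and two requests from one external IP that match the
# chain (host names, IPs and the X-Rps-CAT value are invented).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-04-20 09:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 - 198.51.100.7 Mozilla/5.0 200
2022-04-20 09:15:42 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.25 200
2022-04-20 09:16:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.9 python-requests/2.25 200
2022-04-20 09:17:10 10.0.0.5 GET /autodiscover/autodiscover.json - 443 EXAMPLE\\alice 10.0.0.44 Outlook 200
2022-04-20 09:18:30 10.0.0.5 GET /mapi/nspi/ MailboxId=a1b2c3d4@example.test 443 EXAMPLE\\bob 10.0.0.45 Outlook 200
"""


@dataclass
class Finding:
    line_no: int
    when: str
    client_ip: str
    method: str
    stem: str
    query: str
    hits: list


def _is_autodiscover_json(stem: str) -> bool:
    return stem.lower().endswith("/autodiscover/autodiscover.json")


# Each indicator is a predicate over (cs-uri-stem, URL-decoded cs-uri-query).
INDICATORS = {
    # Step 1: Autodiscover path confusion; the leading '@' in the query is what
    # steers the rewritten back-end URL to an attacker-chosen path.
    "autodiscover_path_confusion": lambda stem, q: _is_autodiscover_json(stem) and q.startswith("@"),
    # Step 2: the NSPI endpoint is reached through the confused path.
    "backend_nspi_target": lambda stem, q: "@" in q and "/mapi/nspi" in q.lower(),
    # Step 3: the PowerShell remoting endpoint is reached the same way, carrying
    # a forged X-Rps-CAT token that impersonates a privileged user.
    "backend_powershell_target": lambda stem, q: "@" in q and "/powershell" in q.lower(),
    "rps_cat_token": lambda stem, q: "x-rps-cat=" in q.lower(),
    # The self-referencing Email= parameter is characteristic of the public PoC.
    "email_param_loop": lambda stem, q: "email=autodiscover/autodiscover.json" in q.lower(),
}


def hunt(log_text: str) -> list:
    """Return a Finding for every request that triggers at least one indicator."""
    fields = None
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #Fields: header before first log entry")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed entry: skip rather than guess
        row = dict(zip(fields, parts))
        stem = row.get("cs-uri-stem", "-")
        query = row.get("cs-uri-query", "-")
        query = "" if query == "-" else unquote(query)
        hits = [name for name, test in INDICATORS.items() if test(stem, query)]
        if hits:
            findings.append(Finding(
                line_no=line_no,
                when=f"{row.get('date', '-')} {row.get('time', '-')}",
                client_ip=row.get("c-ip", "-"),
                method=row.get("cs-method", "-"),
                stem=stem,
                query=query,
                hits=hits,
            ))
    return findings


def summarize_by_source(findings: list) -> dict:
    """Count suspicious requests per client IP, for triage and blocking."""
    counts = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no} {f.when} {f.client_ip} {f.method} {f.stem}?{f.query}")
        print("    indicators:", ", ".join(f.hits))
    print("per source:", summarize_by_source(SAMPLE_LOG and hunt(SAMPLE_LOG)))
```

On a real server, feed it the front-end logs under the W3SVC1 directory and treat any hit from an external address as a trigger to check for web shells in the Exchange virtual directories and for unexpected mailbox exports, which is the path the Hive affiliate took.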

Hive has come a long way since it was first observed in the wild in June 2021, with a successful start that prompted the FBI to release a dedicated report on its tactics and indicators of compromise. Last month, researchers at SentinelLabs reported on a new payload-hiding obfuscation method employed by Hive, which indicates active development.
Edited – Original Source: Bleeping.

Anonymous targets multiple Russian organisations

Anonymous and groups linked to the collective continue to target Russian organisations, breaching their systems and leaking stolen data online. Here are some of their recent targets:

Tendertech is a firm specialising in processing financial and banking documents on behalf of businesses and entrepreneurs. The list of the partner banks of the firm includes Transcapitalbank, Bank Uralsib, Bank Soyuz, RGS Bank, Bank ZENIT and Otkritie Bank. Anonymous claims to have stolen 426,000 emails and leaked an archive of 160 GB in size.

General Dept. of Troops and Civil Construction (GUOV i GS) is a construction company that works on projects in the interests of the Russian Ministry of Defense. GUOV i GS is wholly owned by the Russian Ministry of Defense through JSC Garnizon (formerly Oboronservis) and JSC GUOV / ГУОВ, the Main Directorate for the Arrangement of Troops with 49% and 51% shares, respectively. Anonymous claims to have stolen 15,600 emails and leaked an archive of 9.5 GB in size.

Synesis Surveillance System – Anonymous claims to have hacked the Synesis and Kipod surveillance systems. Synesis is under US sanctions due to Russia’s invasion of Ukraine. According to DDoSecrets, the data was gathered in August 2020 and has been released now in response to the Belarusian government taking control of the system. According to a statement on the company’s website, the transition of control of the system will result in the end of the Kipod software.

Neocom Geoservice is an engineering firm specialising in exploring oil and gas fields and providing drilling support. Their primary clients include Gazprom, Orenburgneft, Samotlorneftegaz, Tyumenneftegaz, and Rospan International. Anonymous claims to have stolen 87,500 emails and leaked an archive of 107 GB in size.

Gazregion is a construction company specialising in gas pipelines and facilities. Its clients include Gazprom, and it has built thousands of kilometres of pipeline under the Russian Federation’s programme to transport gas to the different regions. Three different hacktivist sources (Anonymous, NB65 and Porteur) submitted files from Gazregion at approximately the same time, with some overlap. The hacktivists leaked 222 GB of emails, files and decryption keys.

The Anonymous-linked group ‘GhostSec’ (@GS_M4F14) announced that it had gained access to the IT systems of Metrospetstekhnika, a supplier to every metro in Russia, and threatened to disrupt its operations.

One of the most active hacking crews, the Network Battalion 65, also claimed to have hacked another Russian bank, JSC Bank PSCB. The hackers said that they had access to credentials stored in the Chrome web browser.
Edited – Original source: CNBC.

Fake Windows 11 upgrade spreads malware

Cybercriminals are baiting unsuspecting users with a fake Windows 11 upgrade that delivers an infostealer called Inno Stealer, which targets browser data and cryptocurrency wallets. The campaign is currently active and relies on poisoning search results to advertise a website that mimics Microsoft's promotional pages for Windows 11 and infects visitors with the stealer.

The attackers are targeting users who are eager to install Windows 11 and willing to download it from third-party sites without checking the hardware requirements or verifying the source. They created a malicious website promoting the fake Windows 11 upgrade. This fake site uses official Microsoft logos and favicons, along with a Download Now button. The download is withheld from visitors arriving over Tor or VPN connections, which hampers analysis. If a visitor loads the malicious website through a direct connection, they receive an ISO file containing the infostealer executable.

The malware is named Inno Stealer because it is built with the Inno Setup Windows installer. It has no code similarities with any other known commodity stealer. It targets various web browsers and crypto wallets, including Chrome, Brave, Comodo, Opera, Vivaldi, Edge, 360 Browser, GeroWallet, BraveWallet and GuildWallet. The buzz around new OS versions is becoming a reliable opportunity for cybercriminals to spread infostealers.

To stay protected, never download ISO files from unknown sources, especially for major OS upgrades. Users should get upgrade information and installation media from Microsoft's official site.
Edited – Original source: Windows Central.

Ransomware actor REvil is active again

REvil ransomware’s servers in the Tor network are active again after months of inactivity. At present, these servers redirect visitors to a new operation that is believed to have started in mid-December 2021. Recently, two security researchers noticed the new REvil leak site being advertised on a forum called RuTOR. The new site is hosted on a different domain, but the original Tor sites used by REvil when it was active now redirect traffic to it.

One of the researchers observed the current REvil-related leak site active between 5 and 10 April with no content. After a week, the new site was populated, sporting a large set of victims from REvil attacks. The site is showing 26 pages of victims – most of them from older REvil attacks – with two new operations, one of them being Oil India.

Moreover, the new leak site provides details on the conditions for affiliates, who are claimed to receive an improved version of the ransomware and a split of 80/20 for affiliates collecting a ransom. Researchers observed that the blog and payment sites for the group are now up and running on different servers. The recent revival of Tor servers suggests a potential attempt from the REvil ransomware group to gain ground again in the cybercrime landscape and restore its lost reputation. It shows that ransomware gangs can live many lives through rebranding, forks, and revival of past threats.

Organisations should therefore keep their ransomware defences and response plans current rather than assuming a dismantled group is gone for good.
Edited – Original source: TechCrunch.

Android chipset vulnerable to remote spying

Three security vulnerabilities have been disclosed in the audio decoders of Qualcomm and MediaTek chips that, if left unresolved, could allow an adversary to remotely gain access to media and audio conversations from affected mobile devices. According to Israeli cybersecurity company Check Point, the issues could be used as a launchpad to carry out remote code execution (RCE) attacks simply by sending a specially crafted audio file.

The vulnerabilities, dubbed ALHACK, are rooted in an audio coding format originally developed and open-sourced by Apple in 2011. Called the Apple Lossless Audio Codec (ALAC) or Apple Lossless, the audio codec format is used for lossless data compression of digital music.

Since then, several third-party vendors, including Qualcomm and MediaTek, have incorporated the Apple-supplied reference audio codec implementation as the basis for their own audio decoders. And while Apple has consistently patched and remediated security flaws in its proprietary version of ALAC, the open-sourced variant of the codec has not received a single update since it was uploaded to GitHub 11 years ago on 27 October 2011.

The vulnerabilities discovered by Check Point relate to this ported ALAC code, two of which have been identified in MediaTek processors and one in Qualcomm chipsets:

CVE-2021-0674 (CVSS score: 5.5, MediaTek) – A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction.

CVE-2021-0675 (CVSS score: 7.8, MediaTek) – A local privilege escalation flaw in ALAC decoder stemming from out-of-bounds write.

CVE-2021-30351 (CVSS score: 9.8, Qualcomm) – An out-of-bounds memory access due to improper validation of the number of frames passed during music playback.

Following responsible disclosure, all three vulnerabilities were fixed by the respective chipset manufacturers in December 2021. Device owners should install the vendor security updates that carry those fixes.
Edited – Original source: Check Point.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.
