Mar 12 2025

Chinese hackers implant backdoors in Juniper routers for covert access.

Category: Backdoor,Cyber War,Hardware Security,Information Warfaredisc7 @ 3:39 pm

Chinese state-sponsored hackers have been found exploiting Juniper networking devices, planting backdoors to gain persistent and stealthy access to targeted networks. Security researchers discovered that these attackers are leveraging zero-day vulnerabilities in Juniper routers to infiltrate organizations discreetly.

Once inside, the attackers deploy custom malware and backdoors, allowing them to maintain access even after security patches are applied. These tactics enable long-term espionage, data theft, and the ability to launch further attacks while avoiding detection.

The attack specifically targets government agencies, critical infrastructure, and enterprises, indicating a focus on intelligence gathering and cyber-espionage. By compromising network routers, the hackers can monitor and manipulate traffic without triggering security alerts.

Juniper has released security updates addressing these vulnerabilities, urging organizations to apply patches immediately and strengthen their network defenses. Companies are also advised to implement intrusion detection systems and conduct regular security audits to identify potential compromises.

This incident highlights the growing risks associated with router and network infrastructure attacks. As state-sponsored cyber threats evolve, organizations must prioritize proactive cybersecurity measures to safeguard their critical systems from persistent adversaries.

The compromise of Juniper routers by Chinese state-sponsored hackers has serious implications for cybersecurity, affecting national security, corporate operations, and individual privacy. These backdoor implants allow attackers to maintain persistent, stealthy access to networks, enabling espionage, data manipulation, and potential sabotage. Here are the key consequences of this attack:

1. National Security Risks

Since these attacks target government agencies and critical infrastructure, they pose a direct threat to national security. Foreign adversaries gaining access to sensitive communications and classified data can disrupt operations, manipulate intelligence, or even prepare for future cyber warfare.

2. Corporate Espionage and Financial Losses

Enterprises relying on Juniper routers risk intellectual property theft, financial fraud, and operational disruptions. Cybercriminals or state actors could steal trade secrets, research data, and confidential customer information, leading to financial losses and competitive disadvantages.

3. Network Manipulation and Supply Chain Attacks

By compromising core network infrastructure, attackers can intercept, alter, or reroute data traffic. This not only affects the integrity of communications but also opens the door for further exploitation, such as supply chain attacks, where hackers use compromised routers to infiltrate connected systems.

4. Persistent Threats and Long-Term Espionage

Even if organizations apply security patches, backdoors may remain undetected, allowing attackers to maintain long-term surveillance. This makes incident response and remediation challenging, as security teams may struggle to detect and remove all traces of the intrusion.

5. Erosion of Trust in Network Security

The breach highlights the vulnerabilities in networking hardware and raises concerns about the trustworthiness of network infrastructure providers. Organizations may need to rethink their vendor security policies, implement stricter monitoring, and diversify their network equipment suppliers to reduce reliance on potentially compromised hardware.

Mitigation Measures

To minimize risks, organizations should immediately apply Juniper’s security patches, conduct forensic investigations, and monitor network traffic for anomalies. Strengthening intrusion detection systems (IDS), implementing zero-trust security models, and segmenting networks can also help reduce the impact of such cyber threats.

This incident underscores the growing dangers of router and network infrastructure attacks, emphasizing the need for proactive cybersecurity measures to protect against state-sponsored cyber threats and advanced persistent threats (APTs).

Cyber Dragon: Inside China’s Information Warfare and Cyber Operations (The Changing Face of War)

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: covert access, Cyber Dragon, Juniper routers

Dec 17 2024

Criminals Exploit Windows Management Console to Deliver Backdoor Payloads

Category: Backdoor,Cybercrime,Windows Securitydisc7 @ 12:42 pm

Cybercriminals have launched a campaign known as FLUX#CONSOLE, exploiting Microsoft Common Console Document (.MSC) files to infiltrate systems with backdoor malware. This method allows attackers to bypass traditional antivirus defenses by leveraging lesser-known Windows features. The campaign represents a shift from the previously common use of LNK files in phishing attacks.

The attack begins with phishing emails that use tax-related themes to deceive users into opening seemingly legitimate documents. These emails contain attachments disguised as PDFs, such as “Income-Tax-Deduction-and-Rebates202441712.pdf,” which are actually .MSC files. The default setting in Windows hides file extensions, making it easier for these malicious files to masquerade as harmless documents.

When a user opens the .MSC file, it executes embedded malicious scripts under the legitimate mmc.exe process. The attackers employ advanced obfuscation techniques to conceal the malicious code, which is often written in JavaScript or VBScript. This method allows the malware to run unnoticed, as it appears to be part of a standard administrative tool.

The .MSC file serves as both a loader and dropper for the malware payload. It delivers a malicious DLL file named DismCore.dll, which is sideloaded through the legitimate Dism.exe process. To maintain persistence on the infected system, the malware creates scheduled tasks, such as “CoreEdgeUpdateServicesTelemetryFallBack,” ensuring it executes every five minutes, even after system reboots.

This campaign highlights the increasing sophistication of phishing techniques and the exploitation of trusted Windows features. By abusing .MSC files and legitimate system processes, attackers can evade detection and establish persistent access to compromised systems. Users and organizations should be cautious of unexpected emails with attachments and consider adjusting settings to display file extensions to better identify potentially malicious files.

For further details, access the article here

 vCISO Guide for Small & Mid Sized Businesses

DISC LLC is listed on Cynomi vCISO Directory

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Deliver Backdoor Payloads, Windows Management Console

Apr 08 2024

XZ Utils backdoor: Detection tools, scripts, rules

Category: Backdoordisc7 @ 11:54 am
XZ Utils backdoor: Detection tools, scripts, rules

Malware Data Science: Attack Detection and Attribution

What happened?

The open-source XZ Utils compression utility has been backdoored by a skilled threat actor who tried to get the malicious packages included in mainstream Linux distributions, to allow them unfettered, covert SSH access to Linux systems around the world.

“The author intentionally obfuscated the backdoor in distribution tarballs, intended for Linux distributions to use for building their packages. When the xz build system is instructed to create an RPM or DEB for the x86-64 architecture using gcc and gnu linker, the backdoor is included in the liblzma as part of the build process. This backdoor is then shipped as part of the binary within the RPM or DEB,” the Open Source Security Foundation succinctly explained.

The backdoor was discovered by Andres Freund, a software engineer at Microsoft, and its existence was publicly revealed a little over a week ago. Stable versions of a few Linux distros have been affected but widespread compromise has been avoided.

Threat researchers are still working on analyzing the backdoor and are revealing their findings daily.

It has become clear that is the work of a sophisticated threat actor who used many tricks to:

How to detect the XZ Utils backdoor?

Triggering/using the backdoor requires authentication via a private SSH key owned by the attacker, so exploitation – if it ever happens – will be limited. The fact that the vulnerable library versions haven’t ended up in many production systems is a huge blessing.

That said, a number of scripts and tools have been released allowing users to check for the presence of the backdoor.

Freund’s post on the OSS mailing list includes a script to detect vulnerable SSH binaries on systems, which has then been repurposed and extended to also check whether a system uses a backdoored version of the liblzma library.

Binarly, a firmware security firm, has set up an online scanner that allows users to analyze any binary for the backdoor implant.

“Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation. It could already be deployed elsewhere or partially reused in other operations. That’s exactly why we started focusing on more generic detection for this complex backdoor,” they noted.

Late last week, Bitdefender released another scanner, that must be deployed on systems that need testing. (Since the scanner requires root privileges to be effective, the company has released the source code.)

It can search for all infected liblzma libraries, even if they are not used by the Secure Shell Daemon application (sshd), as well as for a unique byte sequence injected by the backdoor during library compilation.

Elastic Security Labs researchers have published their analysis of the backdoor, as well as YARA signatures, detection rules, and osquery queries that Linux admins can use to find vulnerable liblzma libraries and identify potentially suspicious sshd behavior.

Malware Data Science: Attack Detection and Attribution

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Detection tools

Apr 03 2024

HOW TO CHECK IF A LINUX DISTRIBUTION IS COMPROMISED BY THE XZ UTILS BACKDOOR IN 6 STEPS

Category: Backdoor,Linux Securitydisc7 @ 9:14 am
How to Check if a Linux Distribution is Compromised by the XZ Utils Backdoor in 6 Steps

In an unsettling development that emerged late last week, the open-source community was thrust into a state of high alert following the disclosure that XZ Utils, a fundamental compression utility widespread across Linux distributions, had been compromised. This startling revelation has left a significant mark on the open-source ecosystem, prompting a swift and coordinated response from maintainers and security professionals alike.

Discovery of the Backdoor

The initial discovery of the backdoor was made by Andres Freund, a Microsoft software engineer, during routine diagnostics on Debian sid (development) installations. Freund’s investigation, sparked by unusually high CPU usage during SSH logins and accompanying error alerts, led to the identification of the culprit: a malicious insertion within the liblzma library, a core component of the XZ package. This finding was subsequently designated with the vulnerability identifier CVE-2024-3094. Attribution for this calculated insertion has been directed at an individual known as “Jia Tan” (JiaT75 on GitHub), who, through an elaborate scheme of social engineering and the use of sock puppet accounts, gained the trust of the XZ Utils maintainer community. This long-term infiltration underscores the advanced nature of the threat actor involved, pointing towards a highly skilled and resourceful adversary.

Affected Distributions and Response

STATUSDISTRIBUTIONRESPONSE
AffectedFedora Rawhide and Fedora Linux 40 betaConfirmed by Red Hat
AffectedopenSUSE Tumbleweed and openSUSE MicroOSConfirmed by openSUSE maintainers
AffectedDebian testing, unstable, experimental distributionsConfirmed by Debian maintainers
AffectedKali Linux (updates between March 26th to March 29th)Confirmed by OffSec
AffectedSome Arch Linux virtual machine and container imagesConfirmed by Arch Linux maintainers
Not AffectedRed Hat Enterprise Linux (RHEL)Confirmed by Red Hat
Not AffectedUbuntuConfirmed by Ubuntu
Not AffectedLinux MintConfirmed by Linux Mint
Not AffectedGentoo LinuxConfirmed by Gentoo Linux
Not AffectedAmazon Linux and Alpine LinuxConfirmed by Amazon Linux and Alpine Linux maintainers

Guidance and Recommendations

In light of these disclosures, affected parties have been advised to approach the situation as a definitive security incident, necessitating a comprehensive review and mitigation process. This includes the diligent examination for any unauthorized access or misuse, the rotation of exposed credentials, and a thorough security audit of systems that might have been compromised during the exposure window.

Insight into the Backdoor Mechanism

The intricacy of the backdoor, embedded within the xz-utils’ liblzma library and manifesting under precise conditions, notably through remote, unprivileged connections to public SSH ports, speaks volumes about the sophistication of the threat actors behind this maneuver. This backdoor not only raises concerns over performance degradation but also poses a significant risk to the integrity and security of the affected systems.

HOW TO DETECT IF YOU ARE A VICTIM

In light of the recent discovery of the CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1, the cybersecurity community has been on high alert. Binarly has introduced a free scanner to identify the presence of this backdoor in affected systems. Below is a detailed tutorial, including examples, on how to use the Binarly Free Scanner to detect the CVE-2024-3094 backdoor in your systems.

STEP 1: UNDERSTANDING THE THREAT

The CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1 poses a significant security risk, potentially allowing unauthorized remote access. It’s crucial to grasp the severity of this issue before proceeding.

Example: Imagine a scenario where an organization’s critical systems are running on a compromised version of XZ Utils, leaving the network vulnerable to attackers who could gain unauthorized access through the backdoor.

STEP 2: ACCESSING THE BINARLY FREE SCANNER

Navigate to XZ.fail, the dedicated website Binarly set up for the scanner.

Example: Open your web browser and type “https://xz.fail” in the address bar to access the Binarly Free Scanner’s homepage.

STEP 3: UTILIZING THE SCANNER

The Binarly Free Scanner uses advanced static analysis to detect the backdoor by examining ifunc transition behaviors in the binaries.

Example: After accessing XZ.fail, you’ll be prompted to upload or specify the path to the binary files you wish to scan. Suppose you want to check a file named example.xz; you would select this file for scanning through the web interface or command line, depending on the tool’s usage options provided.

STEP 4: INTERPRETING THE RESULTS

Once the scan completes, the scanner will report back on whether the CVE-2024-3094 backdoor was detected in the scanned files.

Example: If the scanner finds the backdoor in example.xz, it might display a message such as “Backdoor Detected: CVE-2024-3094 present in example.xz”. If no backdoor is found, a message like “No Backdoor Detected: Your files are clean” would appear.

STEP 5: TAKING ACTION

If the scanner detects the backdoor, immediate action is required to remove the compromised binaries and replace them with secure versions.

Example: For a system administrator who finds the backdoor in example.xz, the next steps would involve removing this file, downloading a secure version of XZ Utils from a trusted source, and replacing the compromised file with this clean version.

STEP 6: CONTINUOUS VIGILANCE

Regularly scan your systems with the Binarly Free Scanner and other security tools to ensure no new threats have compromised your binaries.

Example: Set a monthly reminder to use the Binarly Free Scanner on all critical systems, especially after installing updates or adding new software packages, to catch any instances of the CVE-2024-3094 backdoor or other vulnerabilities.

The Binarly Free Scanner is a powerful tool in the fight against the CVE-2024-3094 backdoor, offering a reliable method for detecting and addressing this significant threat. By following these steps and incorporating the examples provided, users can effectively safeguard their systems from potential compromise.

The accidental discovery of this backdoor by Freund represents a crucial turning point, underscoring the importance of vigilant and proactive security practices within the open-source domain. This incident serves as a stark reminder of the vulnerabilities that can arise in even the most trusted components of the digital infrastructure. It has sparked a renewed debate on the necessity for enhanced security protocols and collaborative efforts to safeguard crucial open-source projects against increasingly sophisticated threats.

In the aftermath, the open-source community and its stewards are called upon to reassess their security posture, emphasizing the need for comprehensive auditing, transparent communication, and the adoption of robust security measures to prevent future compromises. This incident not only highlights the vulnerabilities inherent in the digital landscape but also the resilience and collaborative spirit of the open-source community in responding to and mitigating such threats.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: LINUX DISTRIBUTION

Jan 23 2024

North Korean Weaponize Fake Research

Category: Backdoor,Hackingdisc7 @ 8:26 am

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).

Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.

While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.

Both LNK files have been observed deploying the same decoy document, a legitimate threat intelligence report about the Kimsuky threat group published by South Korean cybersecurity company Genians in late October 2023, in a move that implies an attempt to expand its target list.

This has raised the possibility that the adversary could be looking to gather information that could help it refine its operational playbook and also target or mimic cybersecurity professionals to infiltrate specific targets via brand impersonation techniques.

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi in an apparent effort to circumvent detection in response to public disclosure about its tactics and techniques.

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”

source: https://thehackernews.com/2024/01/north-korean-hackers-weaponize-fake.html

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: RokRAT Backdoor, The Hacker and the State

Sep 26 2023

HOW THIS ISRAELI BACKDOOR WRITTEN IN C#/.NET CAN BE USED TO HACK INTO ANY COMPANY

Category: Backdoordisc7 @ 9:04 am
How this Israeli Backdoor written in C#/.NET can be used to hack into any company

As part of an ongoing cyber espionage effort, the Iranian nation-state hacking group known as OilRig has continued to target government entities in the Middle East. This cyber espionage campaign makes use of a newly discovered backdoor in order to exfiltrate data. OilRig (APT34) is an Iranian cyberespionage gang that has been active since 2014 and has been targeting different sectors and governments in the Middle East, including Chemical, Energy,Finance and Telecom.

Following the commencement of the DNSpionage operation in 2018-2019 targeting Lebanon and the UAE, OilRig began the HardPass operation in 2019-2020 utilizing LinkedIn to target individuals in the energy and government sectors.

In recent weeks, the experts in charge of cybersecurity at trendmicro have discovered and assessed two campaigns run by the OilRig APT group:

Outer Space (2021)

Juicy Mix (2022)

Due to the operations’ concentration on the Middle East, Israeli organizations were the only ones targeted by these cyberespionage efforts. They gained access to the network by posing as genuine businesses using VBS droppers to plant C# and.NET backdoors and post-compromise data mining tools.

An Overview of the Campaign

Outer Space: It was an OilRig campaign from the year 2021 that employed an Israeli HR website as a command and control server for the Solar backdoor. . Here, with just the most fundamental functionalities, the Solar linked to the SC5k downloader, while the MKG was utilized for data exfiltration from browsers.

OilRig started a new campaign in 2022 called “Juicy Mix.” It targeted Israeli organizations with improved tools, compromised a job site for command and control, and then attacked an Israeli healthcare organization with a Mango backdoor, two hidden browser-data dumpers, and a Credential Manager stealer. Juicy Mix was a hit.

In order to get access to the target system, both attacks used VBS droppers, which were most likely distributed using spear phishing emails.

Iranian hackers broke into Israeli security agency to steal surveillance footage of twin bombings in Jerusalem

These droppers distributed Mango, made sure the infection would remain, and linked to the command and control server. Concealing the base64 encoding and basic string deobfuscation that the embedded backdoor employed at the same time was accomplished using these methods.

After inserting the backdoor, the dropper transmits the compromised computer’s name to the command and control server in the form of a base64-encoded POST request. This is done after it has scheduled Mango (or Solar) to run every 14 minutes.

During the Outer Space campaign, OilRig launches Solar, a backdoor that is both simple and flexible. It is able to download and run files, as well as independently exfiltrate prepared data.

Mango, which had previously been known as Solar, has been replaced in Juicy Mix by OilRig’s Mango, which, although having similar features and a workflow, has substantial differences.

In the same way as Solar did, Mango starts an in-memory job that runs every 32 seconds, talks with the C&C server, and carries out orders. Mango, on the other hand, is distinct in that it replaces Solar’s Venus assignment with a whole new exfiltration command.

Post-compromise tools

The following post-compromise tools are included below for your convenience:

Downloader for SampleCheck5000, often known as SC5k

Data scrapers for browsers

Windows Credential Manager stealer

OilRig makes its way from Solar to Mango via implants that function similarly to backdoors. While they do make use of specialized technology for data collecting, they nevertheless rely on more traditional methods to get user information.

The parallels between the first-stage dropper and Saitama, the victimology patterns, and the usage of internet-facing exchange servers as a communication technique were identified in the case of Karkoff, which is how the campaign is connected to APT34.

If anything, the rising number of malicious tools connected with OilRig illustrates the threat actor’s “flexibility” to come up with new malware depending on the targeted environments and the privileges held at a particular stage of the assault. This “flexibility” may be inferred from the fact that the threat actor has created a growing number of harmful tools linked with OilRig.

Backdoor – Bypassing the gatekeepers in CyberSecurity

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ISRAELI BACKDOOR

Jun 01 2023

IF YOUR LAPTOP OR PC HAS GIGABYTE MOTHERBOARD THEN IT HAS BACKDOOR FOR HACKERS

Category: BackdoorDISC @ 11:09 am
If your Laptop or PC has Gigabyte motherboard then it has backdoor for hackers

Researchers at the cybersecurity firm Eclypsium, which focuses on firmware, reported today that they have found a secret backdoor  in the firmware of motherboards manufactured by the Taiwanese manufacturer Gigabyte. Gigabyte’s components are often used in gaming PCs and other high-performance systems. Eclypsium discovered that whenever a computer with the affected Gigabyte motherboard restarts, code inside the motherboard’s firmware silently triggers the launch of an updater application, which then downloads and runs another piece of software on the machine. Researchers discovered that the hidden code was built in an unsafe manner, making it possible for the mechanism to be hijacked and used to install malware rather than Gigabyte’s intended software.

Despite the fact that Eclypsium claims the hidden code is intended to be a harmless utility to keep the motherboard’s firmware updated, researchers determined that the implementation was vulnerable. And since the updater application is activated from the computer’s firmware rather than the operating system, it is difficult for users to either delete it or even detect it on their own. In the blog post, the company details the 271 different versions of Gigabyte motherboards that the researchers think are vulnerable. According to experts, individuals who are interested in discovering the motherboard that is used by their computer may do so by selecting “Start” in Windows and then selecting “System Information.”

Users who don’t trust Gigabyte to silently install code on their machine with a nearly invisible tool may have been concerned by Gigabyte’s updater alone. Other users may have been concerned that Gigabyte’s mechanism could be exploited by hackers who compromise the motherboard manufacturer to exploit its hidden access in a software supply chain attack. The update process was designed and built with obvious flaws that left it susceptible to being exploited in the following ways: It downloads code to the user’s workstation without properly authenticating it, and in certain cases, it even does it through an unsecured HTTP connection rather than an HTTPS one. This would make it possible for a man-in-the-middle attack to be carried out by anybody who is able to intercept the user’s internet connection, such as a malicious Wi-Fi network. The attack would enable the installation source to be faked.

New Acer UEFI firmware vulnerability (CVE-2022-4020) makes Antivirus or EDR useless in Acer laptops

Even if Gigabyte does release a fix for its firmware issue—after all, the problem stems from a Gigabyte tool that was intended to automate firmware updates—experts points out that firmware updates frequently fail silently on users’ machines, in many cases due to the complexity of the updates themselves and the difficulty of matching the firmware with the hardware.

In other instances, the updater that is installed by the mechanism in Gigabyte’s firmware is configured to be downloaded from a local network-attached storage device (NAS). This is a feature that appears to be designed for business networks to administer updates without all of their machines reaching out to the internet.  Under such circumstances, a malicious actor on the same network might potentially fake the location of the NAS in order to covertly install their own malware in its place.

The company has said that it has been collaborating with Gigabyte in order to report its results to the motherboard maker, and that Gigabyte has indicated that it intends to solve the concerns.

Meantime you can block the following URLs:

  • http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://software-nas/Swhttp/LiveUpdate4

A list of affected models is available here.

Microsoft Defender for Endpoint in Depth: Take any organization’s endpoint security to the next level

InfoSec tools | InfoSec services | InfoSec books

Tags: BACKDOOR FOR HACKERS, GIGABYTE

Nov 15 2022

Avast details Worok espionage group’s compromise chain

Category: Backdoor,Cyber EspionageDISC @ 12:10 pm
Avast details Worok espionage group’s compromise chain

Cyber espionage group Worok abuses Dropbox API to exfiltrate data via using a backdoor hidden in apparently innocuous image files.

Researchers from cybersecurity firm Avast observed the recently discovered espionage group Worok abusing Dropbox API to exfiltrate data via using a backdoor hidden in apparently innocuous image files.

The experts started their investigation from the analysis published by ESET on attacks against organizations and local governments in Asia and Africa. Avast experts were able to capture several PNG files embedding a data-stealing payload. They pointed out that data collection from victims’ machines using DropBox repository, and attackers use DropBox API for communication with the final stage.

Avast experts shed the light on the compromise chain detailing how attackers initially deployed the first-stage malware., tracked as CLRLoader, which loads the next-state payload PNGLoader.

“PNGLoader is a loader that extracts bytes from PNGs files and reconstructs them into an executable code. PNGLoader is a .NET DLL file obfuscated utilizing .NET Reactor; the file description provides information that mimics legitimate software such as Jscript Profiler or Transfer Service Proxy.” reads the report published by Avast. “The deobfuscated PNGLoader code includes the entry point (Setfilter) invoked by CLRLoader.”

The malicious code is supposedly deployed by threat actors by exploiting Proxyshell vulnerabilities. Then attackers used publicly available exploit tools to deploy their custom malicious tools.

Worok compromise-chains-3

The experts found two variants of PNGLoad, both used to decode the malicious code hidden in the image and run a PowerShell script or a .NET C#-based payload.

The PowerShell script has continued to be elusive, although the cybersecurity company noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.

“At first glance, the PNG pictures look innocent, like a fluffy cloud,” Avast said.

Avast extends the compromise chain detailed by ESET with the discovery of a .NET C# payload that they tracked as DropBoxControl, which represents a third stage.

Worok

DropboxControl is an information-stealing backdoor that communicates abuses the DropBox service for C2 communication.

“Noteworthy, the C&C server is a DropBox account, and whole communications, such as commands, uploads, and downloads, are performed using regular files in specific folders. Therefore, the backdoor commands are represented as files with a defined extension. DropBoxControl periodically checks the DropBox folder and executes commands based on the request files.” continues the report. “The response for each command is also uploaded to the DropBox folder as the result file.”

The backdoor can run arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate metadata.

According to Avast, DropboxControl was not developed by the author of CLRLoad and PNGLoad due to important differences into the source code and its quality.

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails.” concludes AVAST. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”

Tags: Cyber espionage group Worok

Sep 06 2022

Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor

Category: BackdoorDISC @ 8:18 am
Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor

Researchers discovered a previously undocumented software control panel, named TeslaGun, used by a cybercrime gang known as TA505.

Researchers from cybersecurity firm PRODAFT have discovered a previously undocumented software control panel, tracked as TeslaGun, used by a cybercrime group known as TA505.

Russian TA505 hacking group, aka Evil Corp, has been active since 2014 focusing on Retail and banking sectors. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.

The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with LockyBitPaymerPhiladelphiaGlobeImposter, and Jaff ransomware families.

Now PRODAFT experts state that the group has carried out mass phishing campaigns against at
least 8160 targets. Most of the victims are in the finance sector or individuals. TeslaGun victim data revealed that 3667 targets are in the US.

The financially-motivated group is known to have used multiple malware in its attacks, including FlawedAmmyy, the ServHelper backdoor and FlawedGrace malware.

The ServHelper backdoor is written in Delphi and according to the experts, the development team continues to update it by implementing new features since 2019. Researchers pointed out that almost every new campaign used a new variant of the malware.

Once downloaded the ServHelper backdoor set up reverse SSH tunnels that allow attackers to access to the infected system via Remote Desktop Protocol (RDP) on port 3389. In 2019, Proofpoint experts also discovered another ServHelper variant that does not include the tunneling and hijacking capabilities, in this case, the backdoor was used only as a downloader for the FlawedGrace RAT.

The TeslaGun control panel was used by the threat actors to manage the ServHelper backdoor, it acts as a C2 infrastructure allowing operators to issue commands.

“The actors regularly migrate their proxy servers to new servers in the same datacenter to attain a low detection rate. During our investigation, we observed several TeslaGun management panels predominantly residing in MivoCloud SRL, Moldova” reads the report published by the experts. “The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records.”

TeslaGun panel shows a table containing victims’ data, including SYSID/ID/IP, Country/State/City, First Time Connected/Last Time Connected, Command, Answer Operations/Tun Port/Operations, and Comments.

TeslaGun

TeslaGun also allows operators to send one command to all victim devices at the same time, or to configure a default command that runs when a new victim device is added to the panel.

During this investigation, the PTI researchers also discovered TA505 users executing RDP connections using tunnels.

The tool used by the gang to execute RDP connections allows to launch multiple hidden RDP instances. Once infected a victim, TA505 operators can connect to the victim via RDP to use remote connections simultaneously.

“ServHelper is an example of backdoor malware runs by a financially motivated and highly sophisticated threat group. TA505 appears to be well-embedded in the international cybercrime community, as demonstrated by its ability to collect and sell RDP connections to victim devices. The PTI team was able to gain valuable insight into how TA505 organizes its activities and achieves its goals. This will help cybersecurity policies to protect against backdoor attacks like ServHelper.” concludes the report. “From how TA505 commented their victims on TeslaGun panels perspective, it is obviously seen that TA505 is actively searching for online banking and shopping accounts, particularly from victims in the United States, but also from Russia, Romania, Brazil, and the UK.”

Bypassing the gatekeepers in CyberSecurity

Tags: TA505, TeslaGun Panel

Aug 04 2022

Thousands of hackers flock to ‘Dark Utilities’ C2-as-a-Service

Category: Backdoor,Command and controlDISC @ 1:51 pm
server

Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations.

The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.

A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems.

The Dark Utilities operation is a ‘C2-as-a-service’ (C2aaS) that advertises reliable, anonymous C2 infrastructure and all the required additional functions for a starting price of just EUR 9,99.

report from Cisco Talos says that the service has around 3,000 active subscribers, which would bring the operators a revenue of about EUR 30,000.

Dark Utilities login portal
Dark Utilities login portal (Cisco)

Dark Utilities emerged in early 2022 and offers full-blown C2 capabilities both on the Tor network and on the clear web. It hosts payloads in the Interplanetary File System (IPFS) – a decentralized network system for storing and sharing data.

Multiple architectures are supported and it appears that the operators are planning on expanding the list to provide a larger set of options of devices that could be targeted.

Platform selection on payload screen
Platform selection on payload screen (Cisco)

Cisco Talos researchers say that selecting an operating system generates a command string that “threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.”

The selected payload also establishes persistence on the target system by creating a Registry key on Windows, or a Crontab entry or a Systemd service on Linux.

According to the researchers, the administrative panel comes with multiple modules for various types of attack, including distributed denial-of-service (DDoS) and cryptojacking.

With tens of thousands of threat actors already subscribed and the low price, Dark Utilities is likely to attract an even larger crowd of less-skilled adversaries.

Source: Thousands of hackers flock to ‘Dark Utilities’ C2-as-a-Service

Tags: C2, C2 as a service, command and control

Jun 06 2022

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

Category: App Security,Backdoor,Cyber Attack,Cyber Threats,CyberweaponDISC @ 8:33 am
Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.

It’s been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8.  This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server. 

Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.

RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.

Please note that patches for these specific vulnerabilities have been released by Resi.

Resi

What GEMINI-NET from Resi is

GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.

It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.

Resi

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 – RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NIST
    https://nvd.nist.gov/vuln/detail/CVE-2022-29539

    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 – RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NISThttps://nvd.nist.gov/vuln/detail/CVE-2022-29539
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.

In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.

Secure Application Development


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: command injection, Secure Application Development

May 15 2022

Undetectable Backdoors in Machine-Learning Models

Category: Backdoor,Information SecurityDISC @ 12:11 pm
Machine-learning models vulnerable to undetectable backdoors • The Register

https://www.schneier.com/crypto-gram/archives/2022/0515.html#cg1

New paper: “Planting Undetectable Backdoors in Machine Learning Models“:

Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate “backdoor key”, the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees.

First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is “clean” or contains a backdoor.

Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an “adversarially robust” classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness.

Feb 26 2022

Fileless SockDetour backdoor targets U.S.-based defense contractors

Category: BackdoorDISC @ 12:35 pm
Fileless SockDetour backdoor targets U.S.-based defense contractors

Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.

According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.

Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (aka DEV-0322), threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability (

CVE-2021-40539
) and ServiceDesk Plus vulnerability (
CVE-2021-44077
). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.

SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by TiltedTemple operators revealed the presence of other miscellaneous tools, including memory dumping tool and several webshells.

“SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” reads the analsysi published by Palo Alto Networks. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”

Once SockDetour is injected into the process’s memory, it hijacks legitimate processes’ network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.

SockDetour backdoor

According to Microsoft DEV-0322 is an APT group based in China, which employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.

At least four defense contractors were targeted by the threat actor, and one of them was compromised.

SockDetour was delivered from an external FTP server, a compromised QNAP to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021. The researchers speculate the QNAP NAS server was previously infected with QLocker ransomware.

“While it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time.” concludes the report.

Learning Malware Analysis

Tags: SockDetour backdoor, U.S.-based defense contractors

Jan 25 2022

Sophisticated attackers used DazzleSpy macOS backdoor in watering hole attacks

Category: BackdoorDISC @ 9:59 am
Sophisticated attackers used DazzleSpy macOS backdoor in watering hole attacks

The investigation started in November after Google TAG published a blogpost about watering-hole attacks targeting macOS users in Hong Kong.

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited a XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina

The watering hole campaign targeted websites of a media outlet and important pro-democracy labor and political group. The researchers discovered that attackers deployed on the sites hosted two iframes that were used to serve iOS and macOS exploits to the visitors.

The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.

ESET also attributed the attacks to an actor with strong technical capabilities. According to Felix Aimé from SEKOIA.IO, one of the sites used by threat actors in the attacks was a fake website targeting Hong Kong activists. 

Researchers also found the legitimate website of Hong Kong, pro-democracy radio station D100 that was compromised to distribute the same exploit before the Google TAG report.

DazzleSpy backdoor watering hole

“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It’s interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out” reads the analysis published by ESET.

Case study: Watering hole attacks

Tags: watering hole attacks

Dec 20 2021

Pegasus: Google reveals how the sophisticated spyware hacked into iPhones without user’s knowledge

Category: Backdoor,Cyber crime,Cyber Espionage,Cyber Spy,Cyber surveillance,Cyberweapons,Hacking,Malware,SpywareDISC @ 11:33 am
  • Pegasus spyware was allegedly used by governments to spy upon prominent journalists, politicians and activists.
  • A Google blog has revealed how the sophisticated software was used to attack iPhone users.
  • The software used a vulnerability in iMessages to hack into iPhones without the user’s knowledge.

The Pegasus spyware, developed by Israel’s NSO group, made headlines for being used by governments and regimes across the world including India to spy on journalists, activists, opposition leaders, ministers, lawyers and others. The spyware is accused of hacking into the phones of at least 180 journalists around the world, of which 40 are notable Indian personalities.

Now, a Google blog from the Project Zero team called the attacks technically sophisticated exploits and assessed the software to have capabilities rivalling spywares previously thought to be accessible to only a handful of nations.

The company has also faced multiple lawsuits including one in India where the Supreme Court (SC) set up a three-member panel headed by former SC judge RV Raveendran to probe whether the software was used by the government to spy on journalists and other dissidents.

Apart from India, Apple has also sued the Israeli firm after having patched its security exploit. The company was also banned in the United States after the details of the spyware were revealed. Let’s take a look at how this advanced snooping technology discretely worked on iPhones.

How Pegasus hacked iPhones

According to the Project Zero blog, a sample of the ForcedEntry exploit was worked upon by the team and Apple’s Security Engineering and Architecture (SEAR) group. Pegasus attacks on iPhones were possible due to the ForcedEntry exploit.

Best iPhone in 2021: Which model is right for you? | ZDNet

Pegasus is a spyware (Trojan/Script) that can be installed remotely on devices running on Apple ‘ s iOS & Google ‘ s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to ” vetted governments ” for ” lawful interception ” , which is understood to mean combating terrorism and organized crime, as the firm claims, but suspicions exist that it is availed for other purposes. Pegasus is a modular malware that can initiate total surveillance on the targeted device, as per a report by digital security company Kaspersky. It installs the necessary modules to read the user’s messages and mail, listen to calls, send back the browser history and more, which basically means taking control of nearly all aspects of your digital life. It can even listen in to encrypted audio and text files on your device that makes all the data on your device up for grabs.

Tags: A Privacy Killer, hacked iphone, NSO Group, Pegasus spyware

Sep 14 2021

The Pegasus project: key takeaways for the corporate world

Category: Backdoor,Cyber surveillance,Cyberweapons,Information Security,MalwareDISC @ 10:02 pm
https://www.itsecurityguru.org/2021/09/09/the-pegasus-project-key-takeaways-for-the-corporate-world/

Forbidden Stories, a Paris-based non-profit organisation that seeks to ensure the freedom of speech of journalists, recently announced that the Pegasus Project surveillance solution by the Israeli NSO Group selected 50,000 phone numbers for surveillance by its customers following a data leak. 

The NSO Group has always maintained that the purpose of the Pegasus Project was for governments to monitor terrorist activity. However, this recent story, if true, could suggest that the solution has been abused for a long period of time and used for other nefarious purposes.

As reported by Forbidden Stories, the leaked data suggests the wide misuse of Pegasus Project and a range of surveillance targets that include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states. The NSO Group continues to contend these assertions are based on wrong assumptions and uncorroborated theories. Whether these statements are true or false, they raise interesting considerations for enterprises and government organisations that have a requirement to protect the smartphones of employees who have access to sensitive information.

Pegasus Project is reported to provide NSO Group customers full control of target devices, which makes it a threat of interest. However, it is not the first mobile threat that organisations should be concerned about. In another contested case, SNYK suggested that the Sour Mint threat, a Software Development Kit (SDK) developed by the Chinese mobile ad platform provider Mintegral and used by more than 1,200 apps in the Apple App Store, was responsible for spying on users by activity logging URL-based requests through the app. It was reported that user activity is logged to a third-party server that could potentially include personally identifiable information (PII).

Where things get interesting with Sour Mint is its ability to evade defences by slipping through the Quality Assurance (QA) process of the Apple App Store, which goes to show that even the thoroughness of Apple’s processes were not sufficient to detect malicious code in the case of this threat.

So, with the rise of mobile threats such as Pegasus Project and Sour Mint, how should organisations defend against such threats?

The Pegasus Project - YouTube

Ban on Use of Whatsapp / Likewise Means for Sharing of Official Letters /
Information (Advisory No. 2).

Mobile security solution review in light of the
WhatsApp Pegasus hack

Tags: Pegasus malware, The Pegasus project

Aug 20 2021

Apple’s iPhone Backdoor

Category: Backdoor,Information Security,Smart PhoneDISC @ 11:43 am
More on Apple’s iPhone Backdoor

More on Apple’s iPhone Backdoor

In this post, I’ll collect links on Apple’s iPhone backdoor for scanning CSAM images. Previous links are here and here.

Apple says that hash collisions in its CSAM detection system were expected, and not a concern. I’m not convinced that this secondary system was originally part of the design, since it wasn’t discussed in the original specification.

Good op-ed from a group of Princeton researchers who developed a similar system:

Our system could be easily repurposed for surveillance and censorship. The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.

Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices

Tags: iPhone Backdoor, Mobile Forensics

Aug 10 2021

Apple Adds a Backdoor to iMesssage and iCloud Storage

Category: BackdoorDISC @ 10:24 am
Apple Adds a Backdoor to iMesssage and iCloud Storage

This is pretty shocking coming from Apple, which is generally really good about privacy. It opens the door for all sorts of other surveillance, since now that the system is build it can be used for all sorts of other messages. And it breaks end-to-end encryption, despite Apple’s denials:

Does this break end-to-end encryption in Messages?

No. This doesn’t change the privacy assurances of Messages, and Apple never gains access to communications as a result of this feature. Any user of Messages, including those with with communication safety enabled, retains control over what is sent and to whom. If the feature is enabled for the child account, the device will evaluate images in Messages and present an intervention if the image is determined to be sexually explicit. For accounts of children age 12 and under, parents can set up parental notifications which will be sent if the child confirms and sends or views an image that has been determined to be sexually explicit. None of the communications, image evaluation, interventions, or notifications are available to Apple.

Detecting Backdoor Using Stepping Stone Detection Approach

Detecting Backdoor Using Stepping Stone Detection Approach by Khalid Alminshid and Mohd Omar

Tags: backdoors

Jun 13 2021

FBI/AFP-Run Encrypted Phone

Category: Backdoor,Crypto,CryptograghyDISC @ 9:33 am
FBI/AFP-Run Encrypted Phone

If there is any moral to this, it’s one that all of my blog readers should already know: trust is essential to security. And the number of people you need to trust is larger than you might originally think. For an app to be secure, you need to trust the hardware, the operating system, the software, the update mechanism, the login mechanism, and on and on and on. If one of those is untrustworthy, the whole system is insecure.

It’s the same reason blockchain-based currencies are so insecure, even if the cryptography is sound.

Tags: Australia, backdoors, cryptocurrency, encryption, FBI, law enforcement, trust

Jun 07 2021

Siloscape, first known malware that drops a backdoor into Kubernetes clusters

Category: Backdoor,MalwareDISC @ 10:32 pm
Siloscape, first known malware that drops a backdoor into Kubernetes clusters

Siloscape is a new strain of malware that targets Windows Server containers to execute code on the underlying node and spread in the Kubernetes cluster.

Researchers from Palo Alto Networks have spotted a piece of malware that targets Windows Server containers to execute code on the underlying node and then drop a backdoor into Kubernetes clusters.

Siloscape is a heavily obfuscated malware that was designed to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers and carry out malicious activities.

Compromising an entire cluster could allow an attacker to steal sensitive information, including credentials, confidential files, or even entire databases hosted in the cluster. 

“Siloscape uses the Tor proxy and an .onion domain to anonymously connect to its command and control (C2) server. I managed to gain access to this server. We identified 23 active Siloscape victims and discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign. I also discovered that this campaign has been taking place for more than a year.” reads the analysis published by Palo Alto Network researcher Daniel Prizmant.

Siloscape

Siloscape, first known malware that drops a backdoor into Kubernetes clusters

Tags: Kubernetes clusters

Next Page »