Dec 05 2023

Hackers Use Weaponized Documents To Attack U.S. Aerospace Industry

Category: Cyberweapon,Cyberweapons,Hackingdisc7 @ 12:33 pm

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed AeroBlade, which appears to be aimed at carrying out both competitive and commercial cyberespionage.

The threat actor employed spear-phishing as the means of distribution mechanism.

A weaponized document that was delivered as an email attachment reportedly has a malicious VBA macro code embedded in it as well as a remote template injection mechanism to provide the next stage of the payload execution, according to the BlackBerry Threat Research and Intelligence team.

AeroBlade Execution Chain

The network infrastructure and weaponization of the attacker appear to have gone active around September 2022, based on the evidence. 

Researchers estimate that the attack’s offensive phase took place in July 2023 with medium to high confidence. The network infrastructure stayed the same during that period, but the attacker’s toolset increased, making it stealthier.

There were two campaigns found, and there were a few similarities between them, such as:

  • Both lure documents were named “[redacted].docx.”
  • The final payload is a reverse shell.
  • The command-and-control (C2) server IP address is the same.

There were a few differences between the two campaigns, such as:

  • The final payload of the attack is stealthier and uses more obfuscation and anti-analysis techniques.
  • The campaign’s final payload includes an option to list directories from infected victims.
https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig01.png
AeroBlade execution chain

A targeted email containing a malicious document attachment with the filename [redacted].docx is the first sign of an infection.

When the document is opened, it shows text in a purposefully jumbled font and a “lure” message requesting that the potential victim click on it to activate the content in Microsoft Office.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig02.png
Malicious document displays text in a scrambled font

The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file. A.dotm file is a Microsoft Word document template that contains the default layout, settings, and macros for a document.

When the victim manually clicks the “Enable Content” lure message and opens the file, the [redacted].dotm document drops a new file to the system and opens it.

“The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it’s a classic cyber bait-and-switch, performed invisibly right under the victim’s nose”, researchers said.

An executable file that is run on the system via the macro will be the final stage of execution. The final payload is a DLL that connects to a hard-coded C2 server and functions as a reverse shell.  With the use of reverse shells, attackers can force communication and gain total control of the target machine by open ports.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig14.png
Example of information collected from infected system

An American aerospace organization was the targeted target of both campaigns, based on the content of the lure message. Its goal was probably to obtain insight into its target’s internal resources to assess its vulnerability to a potential ransom demand.

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber weapon


May 24 2023

Hackers Use Weaponized DOCX File to Deploy Stealthy Malware

Category: Cyberweapon,Hackingdisc7 @ 8:30 am

CERT-UA has identified and addressed a cyber attack on the government information systems of Ukrainian governmental state bodies.

Through investigation, it was discovered that the department’s email address received communications on April 18, 2023, and April 20, 2023, appearing to originate from the authentic email account of the Embassy from Tajikistan (In Ukraine).

Weaponized DOCX File

Suspected to be a result of the compromised state of the embassy, these emails comprised an attachment in the form of a document that contained a macro in the initial case while referring to the same document in the later incident.

When the document is downloaded, and its macro is activated, it creates and opens a DOCX file called “SvcRestartTaskLogon” with a macro that generates another file with the “WsSwapAssessmentTask” macro. 

While it also includes a “SoftwareProtectionPlatform” file categorized as HATVIBE, which can load and execute additional files.

During the course of technical investigation, it was documented that on April 25, 2023, supplementary programs were generated on the computer, possibly facilitated by HATVIBE, under uncertain circumstances.

Here below, we have mentioned those additional generated apps:-

  • LOGPIE keylogger
  • CHERRYSPY backdoor

The files are created with Python and secured with PyArmor, while the “pytransform” module, providing encryption and code obfuscation, is further safeguarded with Themida.

The STILLARCH malware is employed for searching and exfiltrating files, including data from the LOGPIE keylogger, with file extensions such as:-

  • .~tmp
  • .doc

Further analysis of infrastructure and associated data determined that the group’s targets include organizations from various countries engaging in espionage activities under the code name UAC-0063, which have been monitored since 2021.

To minimize the vulnerability scope, it is advisable to limit user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter, thereby reducing the potential attack surface.

InfoSec tools | InfoSec services | InfoSec books

Tags: Weaponized DOCX


Oct 14 2022

Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Category: Cyberweapon,HackingDISC @ 8:52 am

Cybersecurity researchers at Kaspersky Security Labs have recently identified an unofficial version of WhatsApp for Android, which is dubbed by experts “YoWhatsApp.”

This unofficial version of WhatsApp is mainly designed to steal users’ account access keys or login credentials. There are many unofficial versions of legitimate apps that are advertised as being unofficial versions. 

While these unofficial versions lure users by advertising features that the official versions do not have. Though YoWhatsApp is an unofficial version of WhatsApp, but, it’s a fully working messenger with some key additional features like we have mentioned below:- 

  • UI customization
  • Blocking access to individual chats
  • Several emojis

Unofficial WhatsApp: YoWhatsApp

There is no difference between YoWhatsApp and the standard WhatsApp application in terms of permissions. The promotion of this unofficial Android mod is done using ads on popular Android apps such as the following ones: 

  • Snaptube
  • Vidmate

n the latest version of YoWhatsApp, version 2.22.11.75, the threat actors were able to obtain the keys to the WhatsApp accounts of their victims and take full control.

It is claimed that YoWhatsApp will allow users to send files up to 700 MB using their service. While there is a limit of 100 MB per file that can be sent from the official app to your contacts, and this makes the YoWhatsApp more appealing.

In a modified version of WhatsApp, the app sends the user’s access keys to a server located remotely on the developer’s server.

Source: Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Recommendations

Here below we have mentioned all the recommendations:-

  • Make sure you only install applications from official stores and websites that you can trust.
  • Make sure that you check what permissions you have given to installed apps.
  • Ensure that your smartphone is protected by a reliable mobile antivirus application.
  • Avoid downloading or installing unofficial mods.

Tags: whatsapp, YoWhatsApp


Jun 06 2022

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.

It’s been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8.  This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server. 

Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.

RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.

Please note that patches for these specific vulnerabilities have been released by Resi.

Resi

What GEMINI-NET from Resi is

GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.

It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.

Resi

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 â€“ RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NIST
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 â€“ RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NISThttps://nvd.nist.gov/vuln/detail/CVE-2022-29539
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.

In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.

Secure Application Development


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: command injection, Secure Application Development


Jan 29 2022

The Battle for the World’s Most Powerful Cyberweapon

Category: Cyberweapon,SpywareDISC @ 11:49 am

A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban.

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.

The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.

Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.

But by the time the company’s engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women’s rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.

The Battle for the World’s Most Powerful Cyberweapon

The World’s Most Terrifying Spyware

Pegasus Spyware – ‘A Privacy Killer’

Finland says it found NSO’s Pegasus spyware on diplomats’ phones

Tags: cyberweapons, diplomats’ phones, Finland, NSO, NSO Group, Pegasus spyware, Pegasus Spyware - 'A Privacy Killer'