InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The Brute Ratel post-exploitation toolkit has been cracked and now is available in the underground hacking and cybercrime communities.
Threat actors have cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and leaked it for free in the cybercrime underground. The availability of the cracked version of the tool was first reported by the cybersecurity researcher Will Thomas (@BushidoToken).
ICYMI, threat actors on multiple underground forums are sharing around a copy of a cracked version of Brute Ratel (aka BRC4), brace for attacks
Unlike Cobalt Strike beacons, BRC4 payloads are less widespread, but they offer similar capabilities. The tool was specifically designed to evade security solutions such as endpoint detection and response (EDR) and antivirus (AV), and its effectiveness can clearly be seen in the lack of detections across vendors on VirusTotal noted above.
“Brute Ratel is the most advanced Red Team & Adversary Simulation Software in the current C2 Market. It can not only emulate different stages of an attacker killchain, but also provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms.” reads the description of the tool on its website. “Brute Ratel comes prebuilt with several OpSec features which can ease a Red Team’s task to focus more on the analytical part of an engagement instead of focusing or depending on Open source tools for post-exploitation. Brute Ratel is a post-exploitation C2 in the end and however does not provide exploit generation features like metasploit or vulnerability scanning features like Nessus, Acunetix or BurpSuite.”
In June, researchers from Palo Alto Networks Unit 42 warned that threat actors are abusing legitimate adversary simulation software BRc4 in their campaigns to evade detection.
In July 2022, Sophos investigated an incident involving the use of the Brute Ratel tool in the wild, alongside Cobalt Strike, that was carried out by ALPHV/BlackCat ransomware gang.
Thomas is warning that a cracked copy of Brute Ratel is now circulating on multiple underground forums.
On 13 September 2022, an archive file called “bruteratel_1.2.2.Scandinavian_Defense.tar.gz” was uploaded to VirusTotal. This file contains a valid copy of BRC4 version 1.2.2/5.
Two weeks later, on 28 September, the author of BRC4, Chetan Nayak, confirmed the leak, attributing the VirusTotal upload to MdSec and blaming a Russian-speaking group known as Molecules for producing the cracked copy.
Brc4 v1.2.2/5 was leaked by MdSec and is circling the internet. I am tracking it over the past few weeks. MdSec uploaded the whole package to VT which was cracked by a Russian group Molecules, and now used by TAs which will most likely create an irreparable damage. blog incoming
— Chetan Nayak (Author of Brute Ratel C4) (@NinjaParanoid) September 28, 2022
“This means that with the right instructions, the cracked tool can now be run without the activation key that is required to launch the full software and use its features.” wrote Thomas. “There are now multiple posts on multiple of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out. This includes BreachForums, CryptBB, RAMP, Exploit[.]in, and Xss[.]is, as well as various Telegram and Discord groups. Threat actors connected to various organized cybercrime groups have expressed interest in the leak of the new tool.”
Searching active threads on hacking forums such as XSS, it is already possible to find the cracked version of Brute Ratel C4 version 1.2.2.
The availability of the tool in the wild is very concerning because the post-exploitation tool can generate shellcode that is undetected by many EDR and AV products.
“This extended window of detection evasion can give threat actors enough time to establish initial access, begin lateral movement, and achieve persistence elsewhere. Due to its evasive generation of new payloads it renders stopping Brute Ratel by the traditional blocking of Indicators of Compromise (IOCs) inadequate. It is recommended that defenders use behaviour-based detection opportunities to thwart attacks, like the ones outlined in MdSec’s blog (see here).” concludes Thomas. “Overall, enterprises and public sector organizations must recognize the imminent threat of the proliferation of this tool. Its capabilities closely align with the objectives of ransomware groups that are already highly active and looking for new windows of opportunity.”
WhatsApp silently fixed two critical zero-day vulnerabilities affecting both the Android and iOS versions that allow attackers to execute arbitrary code remotely.
Facebook-owned WhatsApp is one of the top-ranked messaging apps, with more than a billion users worldwide on Android and iPhone.
Both vulnerabilities are rated “critical” with a CVSS score of 10/10 and were found by WhatsApp’s internal security team.
WhatsApp 0-Day Bugs
CVE-2022-36934 – An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.
In simple terms, these vulnerabilities could allow an attacker to compromise your device when you receive a video file or while you are on a video call.
CVE-2022-36934 – Integer Overflow Bug
An integer overflow bug in WhatsApp allows attackers to execute arbitrary code via specially crafted data during an established video call, without any user interaction.
An integer overflow, also known as “wraparound”, occurs when an integer value is incremented to a value that is too large to store in the associated representation.
This RCE bug affects unspecified code in WhatsApp’s Video Call Handler component; an attacker can trigger the integer overflow to cause a heap-based buffer overflow and take complete control of WhatsApp Messenger.
“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”
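To make the bug class concrete, here is an added example written for this post (it is not WhatsApp’s code, and the “frame” format, chunk size and function names are hypothetical). It shows how a 32-bit size computation from an attacker-supplied count wraps around to a small value, how that undersized heap allocation is what a later copy overflows, and how an overflow check on the multiplication rejects the frame instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical media frame: a remote peer announces how many fixed-size
 * chunks follow. Constructed for this illustration; not WhatsApp's format. */
#define CHUNK_SIZE 32u

/* The classic bug: count * size computed in 32-bit unsigned arithmetic.
 * For count >= 2^32 / 32 (0x08000000) the product wraps to a small value,
 * so a heap buffer allocated from it is far smaller than the data that
 * is later copied into it (the heap-based buffer overflow). */
static uint32_t unchecked_alloc_size(uint32_t chunk_count) {
    return chunk_count * CHUNK_SIZE;
}

/* Hardened version: refuse any count whose product would not fit.
 * (GCC/Clang also offer __builtin_mul_overflow for the same check.) */
static bool checked_alloc_size(uint32_t chunk_count, uint32_t *out) {
    if (chunk_count > UINT32_MAX / CHUNK_SIZE)
        return false;                 /* would wrap around: reject the frame */
    *out = chunk_count * CHUNK_SIZE;
    return true;
}

/* Simulated receive path using the hardened size computation.
 * payload/payload_len is the data that actually arrived on the wire.
 * Returns the number of bytes copied, or -1 if the frame is rejected. */
static long receive_frame(uint32_t chunk_count, const uint8_t *payload,
                          size_t payload_len) {
    uint32_t need;
    if (!checked_alloc_size(chunk_count, &need))
        return -1;                    /* integer overflow: drop the frame */
    if (need > payload_len)
        return -1;                    /* header promises more than arrived */
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf)
        return -1;
    memcpy(buf, payload, need);       /* bounded by the validated size */
    free(buf);
    return (long)need;
}

int main(void) {
    /* Constructed sample: a count chosen so the product wraps to 32 bytes */
    uint32_t hostile_count = 0x08000001u;
    printf("unchecked size for 0x%08x chunks: %u bytes\n",
           hostile_count, unchecked_alloc_size(hostile_count));
    uint32_t ok;
    printf("checked: %s\n", checked_alloc_size(hostile_count, &ok)
                            ? "accepted" : "rejected (overflow)");
    uint8_t sample[64] = {0};
    printf("receive_frame(2 chunks, 64 bytes) -> %ld\n",
           receive_frame(2, sample, sizeof sample));
    return 0;
}
```

The unchecked computation turns a count of 0x08000001 into a 32-byte allocation, while the chunks themselves would span gigabytes; the hardened path rejects that count before any allocation, and additionally refuses headers that promise more data than actually arrived.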
Attackers can exploit this remote code execution vulnerability to deploy malware on the user’s device, steal sensitive files, or use the device for surveillance.
According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”
Can a device be hacked when switched off? Recent studies suggest so. Let’s see how this is even possible.
Researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, have published a paper describing a theoretical method for hacking an iPhone — even if the device is off. The study examined the operation of the wireless modules, found ways to analyze the Bluetooth firmware and, consequently, to introduce malware capable of running completely independently of iOS, the device’s operating system.
With a little imagination, it’s not hard to conceive of a scenario in which an attacker holds an infected phone close to the victim’s device and transfers malware, which then steals payment card information or even a virtual car key.
The reason it requires any imagination at all is because the authors of the paper didn’t actually demonstrate this, stopping one step short of a practical attack implementation in which something really nasty is loaded into the smartphone. All the same, even without this, the researchers did a lot to analyze the undocumented functionality of the phone, reverse-engineer its Bluetooth firmware, and model various scenarios for using wireless modules.
So, if the attack didn’t play out, what’s this post about? We’ll explain, don’t worry, but first an important statement: if a device is powered off, but interaction with it (hacking, for example) is somehow still possible, then guess what — it’s not completely off!
How did we get to the point where switching something off doesn’t necessarily mean it’s actually off? Let’s start from the beginning…
Apple’s Low Power Mode
In 2021, Apple announced that the Find My service, which is used for locating a lost device, will now work even if the device is switched off. This improvement is available in all Apple smartphones since the iPhone 11.
If, for example, you lose your phone somewhere and its battery runs out after a while, it doesn’t turn off completely, but switches to Low Power Mode, in which only a very limited set of modules are kept alive. These are primarily the Bluetooth and Ultra WideBand (UWB) wireless modules, as well as NFC. There’s also the so-called Secure Element — a secure chip that stores your most precious secrets like credit card details for contactless payments or car keys — the latest feature available since 2020 for a limited number of vehicles.
Bluetooth in Low Power Mode is used for data transfer, while UWB — for determining the smartphone’s location. In Low Power Mode, the smartphone sends out information about itself, which the iPhones of passers-by can pick up. If the owner of a lost phone logs in to their Apple account online and marks the phone as lost, information from surrounding smartphones is then used to determine the whereabouts of the device. For details of how this works, see our recent post about AirTag stalking.
The announcement quickly prompted a heated discussion among information security experts about the maze of potential security risks. The research team from Germany decided to test out possible attack scenarios in practice.
When powering off the phone, the user now sees the “iPhone Remains Findable After Power Off” message.
Find My after power off
First of all, the researchers carried out a detailed analysis of the Find My service in Low Power Mode, and discovered some previously unknown traits. After power off, most of the work is handled by the Bluetooth module, which is reloaded and configured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices to detect the not-really-off iPhone.
It turned out that the duration of this mode is limited: in iOS 15.3 only 96 broadcast sessions are set with an interval of 15 minutes. That is, a lost and powered-off iPhone will be findable for just 24 hours. If the phone powered off due to a low battery, the window is even shorter: about five hours. This can be considered a quirk of the feature, but a real bug was also found: sometimes when the phone is off, the “beacon” mode is not activated at all, although it should be.
Of most interest here is that the Bluetooth module is reprogrammed before power off; that is, its functionality is fundamentally altered. But what if it can be reprogrammed to the detriment of the owner?
Attack on a powered-off phone
In fact, the team’s main discovery was that the firmware of the Bluetooth module is not encrypted and not protected by Secure Boot technology. Secure Boot involves multistage verification of the program code at start-up, so that only firmware authorized by the device manufacturer can be run.
The lack of encryption permits analysis of the firmware and a search for vulnerabilities, which can later be used in attacks. But the absence of Secure Boot allows an attacker to go further and completely replace the manufacturer’s code with their own, which the Bluetooth module then executes. For comparison, analysis of the iPhone’s UWB module firmware revealed that it’s protected by Secure Boot, although the firmware isn’t encrypted either.
Of course, that’s not enough for a serious, practical attack. For that, an attacker needs to analyze the firmware, try to replace it with something of their own making, and look for ways to break in. The authors of the paper describe in detail the theoretical model of the attack, but don’t show practically that the iPhone is hackable through Bluetooth, NFC or UWB. What’s clear from their findings is that if these modules are always on, the vulnerabilities likewise will always work.
Apple was unimpressed by the study, and declined to respond. This in itself, however, says little: the company is careful to keep a poker face even in cases when a threat is serious and demonstrated to be so in practice.
Bear in mind that Apple goes to great lengths to keep its secrets under wraps: researchers have to deal with closed software code, often encrypted, on Apple’s own hardware, with made-to-order third-party modules. A smartphone is a large, complex system that’s hard to figure out, especially if the manufacturer hinders rather than helps.
No one would describe the team’s findings as breathtaking, but they are the result of lots of painstaking work. The paper has merit for questioning the security policy of powering off the phone, but keeping some modules alive. The doubts were shown to be justified.
A half powered-off device
The paper concludes that the Bluetooth firmware is not sufficiently protected. It’s theoretically possible either to modify it in iOS or to reprogram the same Low Power Mode by expanding or changing its functionality. The UWB firmware can also be examined for vulnerabilities. The main problem, however, is that these wireless modules (as well as NFC) communicate directly with the protected enclave that is Secure Element. Which brings us to some of the paper’s most exciting conclusions:
Theoretically, it’s possible to steal a virtual car key from an iPhone — even if the device is powered off! Clearly, if the iPhone is the car key, losing the device could mean losing the car. However, in this case the actual phone remains in your possession while the key is stolen. Imagine it like this: an intruder approaches you at the mall, brushes their phone against your bag, and steals your virtual key.
It is theoretically possible to modify the data sent by the Bluetooth module, for example, in order to use a smartphone to spy on a victim — again, even if the phone is powered off.
Having payment card information stolen from your phone is another theoretical possibility.
But all this of course still remains to be proven. The work of the team from Germany shows once more that adding new functionality carries certain security risks that must be taken into account. Especially when the reality is so different from the perception: you think your phone is fully off, when in fact it isn’t.
This is not a completely new problem, mind. The Intel Management Engine and AMD Secure Technology, which also handle system protection and secure remote management, are active whenever the motherboard of a laptop or desktop computer is connected to a power source. As in the case of the Bluetooth/UWB/NFC/Secure Element bundle in iPhones, these systems have extensive rights inside the computer, and vulnerabilities in them can be very dangerous.
On the bright side, the paper has no immediate impact on ordinary users: the data obtained in the study is insufficient for a practical attack. As a surefire solution, the authors suggest that Apple should implement a hardware switch that kills the power to the phone completely. But given Apple’s physical-button phobia, you can be sure that won’t happen.
It has been reported that a number of financial institutions in New York City are facing a wave of super-thin skimming devices known as “deep inserts”. This type of skimmer is pushed into the card slot of the ATM itself.
As a disguise, the card skimmers are paired with pinhole cameras hidden within the cash machine so that they appear to be part of it.
The insert skimmer is only about 0.68 millimeters thick, which leaves enough room for the ATM to accept and return the customer’s credit or debit card without interfering with normal operation.
Chip-card data or transactions are not snatched by these skimmers. However, most payment cards issued to American citizens still contain plain text cardholder data stored on the magnetic stripe.
Threat Actors’ Goal
In designing this skimmer, the thieves specifically sought the data stored on the magnetic stripe and the 4-digit PIN of the customer.
According to the Krebs investigation report, with those two pieces of data the crooks can clone payment cards and use them to siphon money from victim accounts at other ATMs. The threat actors targeted NCR SelfServ 84 Walk-Up ATMs to install these skimming devices.
Skimmer thieves sometimes embed pinhole spy cameras in fake panels above PIN pads. Since financial institutions began fitting their ATMs with an insert kit, most of the insert skimmer attacks have been successfully stopped.
The insert kit is a countermeasure that NCR developed to mitigate such attacks. NCR is also field-testing a “smart detect kit”, which includes a USB camera to monitor the interior of the card reader, adding a photographic element to the detection.
As long as cardholder data continues to be stored in plain text on the magnetic stripes of payment cards, skimming devices will keep getting smaller and stealthier.
Whenever you are at a cash machine, avoid ATMs that look tampered with or are poorly lit, and cover the PIN pad with your hand to defeat hidden cameras.
This book is the hands-on and methodology guide for pentesting with Kali Linux. You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.
Build a modern dockerized environment
Discover the fundamentals of the bash language in Linux
Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
Apply practical and efficient pentesting workflows
Learn about modern web application security and the secure SDLC
If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you’ll learn the basics of using the Linux operating system and acquire the tools and techniques you’ll need to take control of a Linux environment.
First, you’ll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you’ll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You’ll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:
Cover your tracks by changing your network information and manipulating the rsyslog logging utility
Write a tool to scan for network connections, and connect and listen to wireless networks
Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
Write a bash script to scan open ports for potential targets
Use and abuse services like MySQL, Apache web server, and OpenSSH
Build your own hacking tools, such as a remote video spy camera and a password cracker
In this book you’ll learn an offensive approach to enhance your penetration testing skills by testing the sophisticated tactics employed by real hackers. You’ll extend your lab into cloud services to learn a dimension of exploitation that is typically forgotten during a penetration test. You’ll explore different ways of installing and running Kali Linux in a VM and in a containerized environment, deploying vulnerable cloud services on AWS using containers, and exploiting misconfigured S3 buckets to gain access to EC2 instances.
This book delves into passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on this, different vulnerability assessments are explored, including threat modeling. See how hackers use lateral movement, privilege escalation, and command and control (C2) on compromised systems. By the end of this book, you’ll have explored many advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies.
For more information about this book, we have a video with the author you can watch here.
This is a comprehensive guide for those who are new to Kali Linux and penetration testing that will have you up to speed in no time. Using real-world scenarios, you’ll understand how to set up a lab and explore core penetration testing concepts.
Throughout this book, you’ll focus on information gathering and even discover different vulnerability assessment tools bundled in Kali Linux. You’ll learn to discover target systems on a network, identify security flaws on devices, exploit security weaknesses and gain access to networks, set up Command and Control (C2) operations, and perform web application penetration testing. In this updated second edition, you’ll be able to compromise Active Directory and exploit enterprise networks.
Finally, this book covers best practices for performing complex web penetration testing techniques in a highly secured environment.
Find programming and software development online courses, created by experts to help you take your career to the next level.
Programming Online Courses
AWS Online Courses
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have any questions, feel free to send us an email to info@deurainfosec.com
(Reuters) – A team of hackers from two North American universities won the “Capture the Flag” championship, a contest seen as the “Olympics of hacking,” which draws together some of the world’s best in the field.
In the carpeted ballroom of one of the largest casinos in Las Vegas, the few dozen hackers competing in the challenge sat hunched over laptops from Friday through Sunday during the DEF CON security conference that hosts the event.
The winning team, called Maple Mallard Magistrates, included participants from Carnegie Mellon University, its alumni, and the University of British Columbia.
The contest involves breaking into custom-built software designed by the tournament organizers. Participants must not only find bugs in the program but also defend themselves from hacks coming from other competitors.
The hackers, mostly young men and women, included visitors from China, India, Taiwan, Japan and South Korea. Some worked for their respective governments, some for private firms and others were college students.
While their countries may be engaged in cyber espionage against one another, the DEF CON CTF contest allows elite hackers to come together in the spirit of sport.
The reward is not money, but prestige. “No other competition has the clout of this one,” said Giovanni Vigna, a participant who teaches at the University of California in Santa Barbara. “And everybody leaves politics at home.”
“You will easily find a participant here going to another who may be from a so-called enemy nation to say ‘you did an amazing job, an incredible hack.'”
The game has taken on new meaning in recent years as cybersecurity has been elevated as a national security priority by the United States, its allies and rivals. Over the last 10 years, the cybersecurity industry has boomed in value as hacking technology has evolved.
Winning the title is a lifelong badge of honor, said Aaditya Purani, a participant who works as an engineer at electric car maker Tesla Inc (TSLA.O).
This year’s contest was broadcast for the first time on YouTube, with accompanying live commentary in the style of televised sports.
DEF CON itself, which began as a meetup of a few hundred hackers in the late 1990s, was organized across four casinos this year and drew a crowd of more than 30,000, according to organizing staff.
On Saturday afternoon, participants at the “Capture the Flag” contest sat typing into their laptops as conference attendees streamed in and out of the room to watch. Some participants took their meals at the tables, munching on hamburgers and fries with their eyes fixed on screens.
Seungbeom Han, a systems engineer at Samsung Electronics, who was part of a South Korean team, said it was his first time at the contest and it had been an honor to qualify.
The competition was intense and sitting for eight hours a day at the chairs was not easy. They did take bathroom breaks, he said with a laugh, “but they are a waste of time.”
Reporting by Zeba Siddiqui in Las Vegas; editing by Matthew Lewis
Experts warn of hacker claiming access to 50 U.S. companies through breached MSP
Cybersecurity experts are raising concerns about an individual on a hacker forum claiming to have access to 50 American companies through an unnamed managed service provider (MSP).
MSPs are paid to manage IT infrastructure and provide support, typically by smaller organizations lacking their own IT departments. In recent years they have been singled out by cybersecurity agencies as potentially vulnerable access points for hackers to exploit.
Harlan Carvey, senior incident responder at cybersecurity firm Huntress, told The Record that on July 18 someone with the handle “Beeper” had posted in Russian on exploit.in asking for help monetizing access to a managed service provider.
“Looking for a Partner for MSP processing. I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1,000+ servers … I want to work qualitatively, but I do not have enough people,” the translated message said.
“In terms of preparation, only little things are left, so my profit share will be high. Please send me a message for more details and suggestions.”
Several cybersecurity experts have shared the message on Twitter and other social media sites warning of the potential fallout from the kind of access the hacker purportedly has.
Carvey said it appears that the hacker gained access to an MSP’s management system and has already done some of the initial legwork.
“It sounds as if they’re claiming to have done some pre-work, perhaps something like identifying an account with a high privilege level. As a result, anyone who takes them up on their offer isn’t going to have to do much ‘heavy lifting’ to achieve whatever their goals may be,” Carvey said. “It doesn’t appear that there’s any data involved at this point, per se. Intent isn’t clear at this point, and it may depend upon who responds to the ad. The original poster does seem to be offering to answer questions and provide additional details.”
Carvey added that based on the typical customer base he sees for MSPs, personal details, business data and healthcare information could be at risk.
Some online noted that Kansas City-based MSP NetStandard announced on Wednesday morning that their hosted environment had been hit by a cyberattack. The company did not respond to requests for comment but told customers they discovered the attack on Tuesday and are “working to isolate the threat and minimize impact.”
“MyAppsAnywhere services, which include Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint, will be offline until further notice,” the company said.
“At this point, no additional information on the extent of the impact nor time to resolution can be provided. We are engaged with our cybersecurity insurance vendor to identify the source of the attack and determine when the environment can be safely brought back online.”
The cybersecurity authorities of the U.K. (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (FBI, CISA and NSA) warned in May that hackers and APT groups have stepped up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.
Two of the most prominent hacks from the last two years involved popular MSPs – SolarWinds and Kaseya – and caused widespread damage due to the access they have to hundreds of companies and government agencies.
The CISA alert noted that government agencies are aware of reports of an increase in malicious cyber activity targeting MSPs, adding that they “expect this trend to continue.”
“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly.
Managed service providers make attractive targets for malicious actors to scale their attacks. MSPs and their customers should use these recommendations for handling the shared responsibilities of securing sensitive data. https://t.co/pZPluNVLQr
The agencies provided a range of recommendations to MSPs, such as hardening defenses against password spraying and phishing by potential attackers.
Former Obama administration cybersecurity commissioner Tom Kellermann, who now serves as head of cybersecurity strategy at VMware, previously told The Record that cybercrime cartels have studied the interdependencies of financial institutions and have a better understanding of which MSPs are used.
“In turn, these organizations are targeted and hacked to island hop into banks. Rogue nation states love this method of cyber-colonization,” Kellermann explained, referring to an attack that targets a third party in order to gain access to another entity. VMware has found that such attacks have increased 58% over the past year.
“I am concerned that as geopolitical tension metastasizes in cyberspace, these attacks will escalate and Russian cyber-spies will use this stratagem to deploy destructive malware across entire customer bases of MSP,” he said.
Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.
A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.
Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.
“[A.I.G.] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.
A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incent them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors – each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is it outsources specific aspects of an attack to “mercenaries” who have no further involvement in an attack.
The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.
Unique Business Model
This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.
“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.
A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and the United Arab Emirates, researchers found.
Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.
Mandiant: “No evidence” we were hacked by LockBit ransomware
American cybersecurity firm Mandiant is investigating LockBit ransomware gang’s claims that they hacked the company’s network and stole data.
The ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files they allegedly stole from Mandiant will be leaked online.
“All available data will be published!” the gang’s dark web leak site threatens under a timer showing just under three hours left until the countdown ends.
LockBit has yet to reveal what files it claims to have stolen from Mandiant’s systems since the file listing on the leak page is empty.
However, the page displays a 0-byte file named ‘mandiantyellowpress.com.7z’ that appears to be related to a mandiantyellowpress.com domain (registered today). Visiting this page redirects to the ninjaflex.com site.
When BleepingComputer reached out for more details on LockBit’s claims, the threat intel firm said it hadn’t yet found evidence of a breach.
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops,” Mark Karayan, Mandiant’s Senior Manager for Marketing Communications, told BleepingComputer.
These claims come after Mandiant revealed in a report published last week that the Russian Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade U.S. sanctions.
Mandiant announced in March that it entered into a definitive agreement to be acquired by Google in an all-cash transaction valued at roughly $5.4 billion.
The LockBit ransomware gang has been active since September 2019 as a ransomware-as-a-service (RaaS) and relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware actors were banned from posting on cybercrime forums [1, 2].
Accenture, a Fortune 500 company and one of LockBit’s victims, confirmed to BleepingComputer in August 2021 that it was breached after the gang asked for a $50 million ransom not to leak data stolen from its network.
White hat hackers earned a total of $800,000 on the first day of the Pwn2Own Vancouver 2022, $450,000 for exploits targeting Microsoft Teams.
The Pwn2Own Vancouver 2022 hacking contest has begun; it is the 15th edition of this event, organized by Trend Micro’s Zero Day Initiative (ZDI). This year, 17 contestants are attempting to exploit 21 targets across multiple categories.
During the first day of the event, white hat hackers earned a total of $800,000, a record for the first day of this contest, including $450,000 for successful exploits targeting Microsoft Teams.
All the attempts made during the first day were successful; the participants exploited a total of 16 flaws affecting Microsoft Teams, Oracle VirtualBox, Firefox, Windows 11, Ubuntu, and Safari.
SUCCESS – Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points.
SUCCESS – Masato Kinugawa was able to execute a 3-bug chain of injection, misconfiguration and sandbox escape against Microsoft Teams, earning $150,000 and 15 Master of Pwn points.
SUCCESS – Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed) & Ngo Wei Lin (@Creastery) of STAR Labs successfully demonstrated their zero-click exploit of 2 bugs (injection and arbitrary file write) on Microsoft Teams. They earn $150,000 and 15 Master of Pwn points.
Manfred Paul (@_manfp) successfully demonstrated the exploitation of prototype pollution and improper input validation on Mozilla Firefox. Paul earned $100,000 and 10 Master of Pwn points.
Paul also exploited an out-of-bounds write issue on Apple Safari and earned $50,000 and 5 additional Master of Pwn points.
In this article, it turns out to be the first name (in Latin script, anyway) of a convicted cybercriminal called Glib Oleksandr Ivanov-Tolpintsev.
Originally from Ukraine, Tolpintsev, who is now 28, was arrested in Poland late in 2020.
He was extradited to the US the following year, first appearing in a Florida court on 07 September 2021, charged with “trafficking in unauthorized access devices, and trafficking in computer passwords.”
In plain English, Tolpintsev was accused of operating what’s known as a botnet (short for robot network), which refers to a collection of other people’s computers that a cybercriminal can control remotely at will.
A botnet acts as a network of zombie computers ready to download instructions and carry them out without the permission, or even the knowledge, of their legitimate owners.
Tolpintsev was also accused of using that botnet to crack passwords that he then sold on the dark web.
What to do?
Tolpintsev’s ill-gotten gains, at just over $80,000, may sound modest compared to the multi-million dollar ransoms demanded by some ransomware criminals.
But the figure of $82,648 is just what the DOJ was able to show he’d earned from his online password sales, and ransomware criminals were probably amongst his customers anyway.
So, don’t forget the following:
Pick proper passwords. For accounts that require a conventional username and password, choose wisely, or get a password manager to do it for you. Most password crackers use password lists that put the most likely and the easiest-to-type passwords at the top. These list generators use a variety of password construction rules in an effort to generate human-like “random” choices such as jemima-1985 (name and year of birth) ahead of passwords that a computer might have selected, such as dexndb-8793. Stolen password hashes that were stored with a slow-to-test algorithm such as PBKDF2 or bcrypt can slow an attacker down to trying just a few passwords a second, even with a large botnet of cracking computers. But if your password is one of the first few that gets tried, you’ll be one of the first few to get compromised.
Use 2FA if you can. 2FA, short for two-factor authentication, usually requires you to provide a one-time code when you log in, as well as your password. The code is typically generated by an app on your phone, or sent in a text message, and is different every time. Other forms of 2FA include biometric, for example requiring you to scan a fingerprint, or cryptographic, such as requiring you to sign a random message with a private cryptographic key (a key that might be securely stored in a USB device or a smartcard, itself protected by a PIN). 2FA doesn’t eliminate the risk of crooks breaking into your network, but it makes individual cracked or stolen passwords much less useful on their own.
Never re-use passwords. A good password manager will not only generate wacky, random passwords for you, it will prevent you from using the same password twice. Remember that the crooks don’t have to crack your Windows password or your FileVault password if it’s the same as (or similar to) the password you used on your local sports club website that just got hacked-and-cracked.
Never ignore malware, even on computers you don’t care about yourself. This story is a clear reminder that, when it comes to malware, an injury to one really is an injury to all. As Glib Oleksandr Ivanov-Tolpintsev showed, not all cybercriminals will use zombie malware on your computer directly against you – instead, they use your infected computer to help them attack other people.
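The “slow-to-test algorithm” point in the password advice above, shown as an added Python example (not code from the article): a PBKDF2 record with a per-user salt, its verifier, and a measurement of how many guesses per second a single core gets against it compared with a plain unsalted SHA-256. The iteration count and the sample passwords are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the article: why a slow, salted password hash (PBKDF2 here)
# limits how many guesses a cracking botnet gets out of a stolen hash database.
# The iteration count is an assumption chosen for this demo, not a recommendation.
PBKDF2_ITERATIONS = 300_000

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt.
    Returns pbkdf2_sha256$<iterations>$<salt hex>$<hash hex> so verify can recompute it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def fast_unsalted_hash(password: str) -> str:
    """For comparison only: a single plain SHA-256, which commodity hardware can test
    millions of times per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def guesses_per_second(check, samples: int) -> float:
    """How many candidate passwords one CPU core can push through `check` per second."""
    start = time.perf_counter()
    for i in range(samples):
        check(f"candidate-{i}")
    return samples / (time.perf_counter() - start)

def throughput_comparison(stored_pbkdf2: str, slow_samples: int = 5) -> dict:
    """Guesses/sec against a plain SHA-256 store versus the PBKDF2 record, and the ratio."""
    fast = guesses_per_second(fast_unsalted_hash, samples=5000)
    slow = guesses_per_second(lambda c: verify_password(c, stored_pbkdf2), samples=slow_samples)
    return {"fast_per_sec": fast, "slow_per_sec": slow, "slowdown": fast / slow}

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("jemima-1985", stored))                   # False
    print(throughput_comparison(stored))
```

The slowdown factor is what matters: a guess that costs a few hundred thousand HMAC rounds instead of one hash turns a botnet's billions of guesses into a handful per second, though a password at the top of the cracker's list still falls first.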
Researchers uncovered a massive hacking campaign that compromised thousands of WordPress websites to redirect visitors to scam sites.
Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content.
The infections automatically redirect site visitors to third-party websites containing malicious content (i.e. phishing pages, malware downloads), scam pages, or commercial websites to generate illegitimate traffic.
“The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files, such as:
./wp-includes/js/jquery/jquery.min.js
./wp-includes/js/jquery/jquery-migrate.min.js“
“Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with ‘/* trackmyposs*/eval(String.fromCharCode…’,” reads the analysis published by Sucuri.
In some attacks, users were redirected to a landing page containing a CAPTCHA check. Upon clicking on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open.
The ads will look like they are generated from the operating system and not from a browser.
According to Sucuri, at least 322 websites were compromised as a result of this new wave of attacks and were observed redirecting visitors to the malicious website drakefollow.com.
“Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing.” concludes the report. “It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.”
Website admins could check if their websites have been compromised by using Sucuri’s free remote website scanner.
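For admins who want a local check alongside the remote scanner, here is an added Python example (not Sucuri’s tool) that walks a WordPress directory, looks at the jQuery-named .js files the campaign targeted, flags the quoted `/* trackmyposs*/` marker and `eval(String.fromCharCode(...))` wrapper, and decodes the character codes so the payload can be read. The marker and pattern come from the quoted snippet; the directory layout and the sample files are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Added example, not Sucuri's scanner: flag the injection pattern the report quotes
# in a WordPress install's jQuery .js files and decode the obfuscated payload.
# MARKER and the eval pattern come from the quoted snippet; the rest is assumed.
MARKER = "/* trackmyposs*/"
EVAL_RE = re.compile(r"eval\(\s*String\.fromCharCode\(([\d\s,]+)\)\s*\)")

def decode_fromcharcode(arg_list: str) -> str:
    """Turn the numeric arguments of String.fromCharCode(...) back into readable text."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if n.strip())

def inspect_js(text: str) -> dict:
    """Report the marker, the eval(String.fromCharCode(...)) wrapper and its decoded payload."""
    m = EVAL_RE.search(text)
    return {
        "has_marker": MARKER in text,
        "has_eval_fromcharcode": m is not None,
        "decoded": decode_fromcharcode(m.group(1))[:200] if m else "",
    }

def scan_wordpress(root: str, name_filter: str = "jquery") -> list:
    """Walk `root` and return (path, findings) for each suspicious .js file whose
    name contains `name_filter`, the files the campaign targeted."""
    hits = []
    for path in Path(root).rglob("*.js"):
        if name_filter not in path.name.lower():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings = inspect_js(text)
        if findings["has_marker"] or findings["has_eval_fromcharcode"]:
            hits.append((str(path), findings))
    return hits

# Constructed sample: a benign jQuery stub, and the same stub with an injected
# redirect to a placeholder domain (not the campaign's real domain).
CLEAN_JS = "/*! jQuery stub */ (function(){})();\n"
_PAYLOAD = 'window.location="https://redirect.example.invalid/";'
INFECTED_JS = (MARKER + "eval(String.fromCharCode("
               + ",".join(str(ord(c)) for c in _PAYLOAD) + "))\n" + CLEAN_JS)

def build_sample_tree(root: str) -> None:
    """Write the two sample files under a wp-includes-like layout (constructed)."""
    js_dir = Path(root) / "wp-includes" / "js" / "jquery"
    js_dir.mkdir(parents=True, exist_ok=True)
    (js_dir / "jquery.min.js").write_text(CLEAN_JS, encoding="utf-8")
    (js_dir / "jquery-migrate.min.js").write_text(INFECTED_JS, encoding="utf-8")

def scan_constructed_sample() -> list:
    """Build the constructed tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_wordpress(tmp)

if __name__ == "__main__":
    for path, findings in scan_constructed_sample():
        print(path, findings)
```

Point `scan_wordpress` at a real document root to check an install; the report also notes the database was injected, which this file walk does not cover.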
A campaign by APT37 used a sophisticated malware to steal information about sources, which appears to be a successor to Bluelight.
Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. Attacks have consisted of multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.
Researchers at Stairwell followed up on an initial report from South Korea’s NK News, which revealed that a North Korean APT known as APT37 had stolen info from the private computer of a former South Korean intelligence official. The threat actor–also known as Ricochet Collima, InkySquid, Reaper or ScarCruft—attempted to impersonate NK News and distributed what appeared to be a novel malware in an attempt to target journalists who were using the official as a source, according to the report.
NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.
“The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,” researchers wrote. “These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.”
APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.
As Stairwell researchers noted, journalists are “high-value targets for hostile governments,” and often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments’ use of the NSO Group’s Pegasus spyware against journalists, among other targets.
“[Journalists] often are aggregators of stories from many individuals–sometimes including those with sensitive access,” Stairwell researchers wrote. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”
“Definitely worse” The platform has yet to confirm that it has indeed been attacked [but] Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts.” … A household name in Asian markets, the Singapore-based exchange recently spent $700 million to buy the naming rights to the Staples Center—the Los Angeles home venue of the NBA’s Lakers and Clippers. … Events took a turn for the worse when security research company Peckshield [said] Crypto.com has lost at least 4,600 ETH (around $15 million in current prices) [and] that the true scale of the damage is “definitely worse.” … Peckshield added that half of the stolen funds were sent to Tornado Cash, the Ethereum-centric mixing service. … Remarkably, a few hours later, Crypto.com CEO Kris Marszalek said that no customer funds were lost.
“$16.3 million” Several users had reported on social media that their cryptocurrencies, at times equating to tens of thousands of dollars, had disappeared from their Crypto.com accounts in recent days. … Technical issues on crypto trading platforms have become commonplace as the hype surrounding digital assets grows. … Crypto influencer and podcast host Ben Baller said in a tweet on Monday that around 4.28 Ether, which equates to roughly $14,000, had been “stolen out of nowhere” [despite] two-factor authentication security measures. … Baller later alleged … a wallet belonging to Crypto.com had lost approximately 5,000 Ether, which equates to roughly $16.3 million. … A spokesperson from Crypto.com didn’t respond to a request for comment.
Pegasus spyware was allegedly used by governments to spy upon prominent journalists, politicians and activists.
A Google blog has revealed how the sophisticated software was used to attack iPhone users.
The software used a vulnerability in iMessages to hack into iPhones without the user’s knowledge.
The Pegasus spyware, developed by Israel’s NSO group, made headlines for being used by governments and regimes across the world including India to spy on journalists, activists, opposition leaders, ministers, lawyers and others. The spyware is accused of hacking into the phones of at least 180 journalists around the world, of which 40 are notable Indian personalities.
Now, a Google blog from the Project Zero team called the attacks technically sophisticated exploits and assessed the software to have capabilities rivalling spywares previously thought to be accessible to only a handful of nations.
The company has also faced multiple lawsuits including one in India where the Supreme Court (SC) set up a three-member panel headed by former SC judge RV Raveendran to probe whether the software was used by the government to spy on journalists and other dissidents.
Beyond the Indian case, Apple has also sued the Israeli firm after having patched the security exploit. The company was also banned in the United States after the details of the spyware were revealed. Let’s take a look at how this advanced snooping technology discreetly worked on iPhones.
According to the Project Zero blog, a sample of the ForcedEntry exploit was worked upon by the team and Apple’s Security Engineering and Architecture (SEAR) group. Pegasus attacks on iPhones were possible due to the ForcedEntry exploit.
Pegasus is a spyware (Trojan/Script) that can be installed remotely on devices running Apple’s iOS and Google’s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to “vetted governments” for “lawful interception”, which is understood to mean combating terrorism and organized crime, as the firm claims, but suspicions exist that it is used for other purposes. Pegasus is a modular malware that can initiate total surveillance on the targeted device, as per a report by digital security company Kaspersky. It installs the necessary modules to read the user’s messages and mail, listen to calls, send back the browser history and more, which basically means taking control of nearly all aspects of your digital life. It can even listen in on encrypted audio and read text files on your device, which leaves all the data on the device up for grabs.