The Hacker News
A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that’s capable of stealing email content from Gmail and AOL.
Cybersecurity firm Volexity attributed the malware to an activity cluster it calls SharpTongue, which is said to share overlaps with an adversarial collective publicly referred to under the name Kimsuky.
SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea,” researchers Paul Rascagneres and Thomas Lancaster said.
Kimsuky's use of rogue extensions in attacks is not new. In 2018, the actor was seen utilizing a Chrome plugin as part of a campaign called Stolen Pencil to infect victims and steal browser cookies and passwords.
But the latest espionage effort is different in that it employs the extension, named Sharpext, to plunder email data. “The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” the researchers noted.
Targeted browsers include Google Chrome, Microsoft Edge, and Naver’s Whale browsers, with the mail-theft malware designed to harvest information from Gmail and AOL sessions.
Installation of the add-on is accomplished by means of replacing the browser’s Preferences and Secure Preferences files with those received from a remote server following a successful breach of a target Windows system.
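As an added illustration, not code from the article or from Volexity, the following Python parses the extension settings inside a Chromium "Secure Preferences" file and flags enabled extensions that did not come from the Web Store, were loaded unpacked, or live at an absolute path outside the profile; the sample file, extension ids, names and paths are constructed, and the location and state codes are assumed from Chromium's source.

```python
import json
from pathlib import PureWindowsPath

# Constructed "extensions.settings" subtree of a Chromium "Secure
# Preferences" file: one Web Store install (relative path under the
# profile's Extensions directory) and one side-loaded, unpacked
# extension. Ids, names and paths are made up for this example.
SAMPLE_SECURE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Store Extension", "version": "1.2.3"},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "manifest": {"name": "Mail Helper", "version": "1.0"},
    },
}}})

# Assumed Chromium constants: Manifest::Location 4 = UNPACKED
# ("Load unpacked"); extension state 1 = ENABLED.
LOCATION_UNPACKED = 4
STATE_ENABLED = 1


def find_sideloaded(secure_prefs_json):
    """Return enabled extensions that look side-loaded: not from the
    Web Store, installed unpacked, or stored at an absolute path."""
    prefs = json.loads(secure_prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, meta in settings.items():
        if meta.get("state") != STATE_ENABLED:
            continue  # a disabled extension cannot read page content
        reasons = []
        if not meta.get("from_webstore", False):
            reasons.append("not from Web Store")
        if meta.get("location") == LOCATION_UNPACKED:
            reasons.append("unpacked install")
        if PureWindowsPath(meta.get("path", "")).is_absolute():
            reasons.append("absolute path outside profile")
        if reasons:
            name = meta.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings
```

Because Sharpext is installed by replacing the whole file, pair this content check with monitoring for writes to the Preferences and Secure Preferences files themselves.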
The findings arrive several months after the Kimsuky actor was connected to intrusions against political institutions located in Russia and South Korea to deliver an updated version of a remote access trojan known as Konni.
Then last week, cybersecurity firm Securonix took the wraps off an ongoing set of attacks exploiting high-value targets, including the Czech Republic, Poland, and other countries, as part of a campaign codenamed STIFF#BIZON to distribute the Konni malware.
While the tactics and tools used in the intrusions point to a North Korean hacking group called APT37, evidence gathered pertaining to the attack infrastructure suggests the involvement of the Russia-aligned APT28 (aka Fancy Bear or Sofacy) actor.
“In the end, what makes this particular case interesting is the usage of Konni malware in conjunction with tradecraft similarities to APT28,” the researchers said, adding it could be a case of one group masquerading as another in order to confuse attribution and escape detection.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.
“A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,” CISA notes in its advisory.
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- hyper & smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Included among the droppers is an app named “Unicc QR Scanner” that was previously flagged by Zscaler this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect and use virtual network computing (VNC) to record a victim device’s screen, including sensitive information such as banking credentials, email addresses and passwords, and PINs, all of which are subsequently exfiltrated to a remote server.
Banking droppers, for their part, have evolved since the start of the year, pivoting away from hard-coded payload download addresses to using an intermediary to conceal the address hosting the malware.
“Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible,” the researchers said.
“Additionally, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals disseminate their malware on Google Play Store, resulting in a dropper-as-a-service (DaaS) model.”
CISA (USA) 6th June 2022
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) have issued an advisory about critical security vulnerabilities in Illumina’s next-generation sequencing (NGS) software.
Three of the flaws are rated 10 out of 10 for severity on the Common Vulnerability Scoring System (CVSS), with two others having severity ratings of 9.1 and 7.4.
The issues impact software in medical devices used for “clinical diagnostic use in sequencing a person’s DNA or testing for various genetic conditions, or for research use only,” according to the FDA.
“Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level,” CISA said in an alert.
“An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network.”
Affected devices and instruments include NextSeq 550Dx, MiSeq Dx, NextSeq 500, NextSeq 550, MiSeq, iSeq 100, and MiniSeq using Local Run Manager (LRM) software versions 1.3 to 3.1.
The list of flaws is as follows –
CVE-2022-1517 (CVSS score: 10.0) – A remote code execution vulnerability at the operating system level that could allow an attacker to tamper with settings and access sensitive data or APIs.
CVE-2022-1518 (CVSS score: 10.0) – A directory traversal vulnerability that could allow an attacker to upload malicious files to arbitrary locations.
CVE-2022-1519 (CVSS score: 10.0) – An issue with the unrestricted upload of any file type, allowing an attacker to achieve arbitrary code execution.
CVE-2022-1521 (CVSS score: 9.1) – A lack of authentication in LRM by default, enabling an attacker to inject, modify, or access sensitive data.
CVE-2022-1524 (CVSS score: 7.4) – A lack of TLS encryption for LRM versions 2.4 and lower that could be abused by an attacker to stage a man-in-the-middle (MitM) attack and access credentials.
In addition to permitting remote control over the instruments, the flaws could be weaponized to compromise patients’ clinical tests, resulting in incorrect or altered results during diagnosis.
While there is no evidence that the flaws are being exploited in the wild, it’s recommended that customers apply the software patch released by Illumina last month to mitigate any potential risk.
Hacking Scenarios: How Hackers Choose Their Victims
June 07, 2022 (The Hacker News)
The “double-extortion” technique, aka pay-now-or-get-breached, emerged as a head-turner last year.
May 6th, 2022 is a recent example.
The State Department said the Conti strain of ransomware was the most costly in terms of payments made by victims as of January.
Conti, a ransomware-as-a-service (RaaS) program, is one of the most notorious ransomware groups and has been responsible for infecting hundreds of servers with malware to steal corporate data or damage digital systems, essentially spreading misery to individuals, hospitals, businesses, government agencies and more all over the world.
So, how different is a ransomware attack like Conti from the infamous “WannaCry” or “NotPetya”?
While other ransomware variants can spread fast and encrypt files within short time frames, Conti ransomware has demonstrated unmatched speed in gaining access to victims’ systems.
Given the recent spate of data breaches, it is extremely challenging for organizations to protect themselves from every hack.
Whether they run port scans, crack default passwords, exploit application vulnerabilities, send phishing emails, or run ransomware campaigns, hackers have different reasons for infiltrating our systems. It is evident why certain individuals and companies are targeted: their software or hardware weaknesses. Others avoid this common Achilles’ heel through planning and the barriers they put in place.
We can bring in support of security experts like Indusface to defend ourselves and pursue an attack-reduction strategy to reduce both the likelihood and impact of becoming the victim of a cyberattack.
But what characteristics do companies possess that tend to attract cyberattacks, and why do hackers target them?
And if you knew your company was a likely target, would it make sense for you to be wary of the many ways your information could be compromised?
What Motivates a Hacker?
When hackers hack, they do so for several reasons. We’ve listed the 4 most common motivations behind hacking.
1 — It’s About Money:
One of the most common motivations for breaking into a system is monetary gain. Many hackers may try to steal your passwords or bank accounts to make money by taking off with your hard-earned cash. Your customer information wouldn’t be safe if hackers made off with it as they could use this data in several ways, perhaps by blackmailing you or even selling it on the black market or deep web.
The average cost of a data breach was $3.86 million in 2004, according to IBM, and that number has since risen to $4.24 million as of 2021. It’s even expected to rise even more in forthcoming years.
2 — Hack + Activism aka Hacktivism
Some people turn to hacking to start political and social revolutions, although the majority are interested in expressing their opinions, defending human rights, or creating awareness of certain issues. However, they can target anyone they like, including terrorist organizations, white supremacist groups, or local government representatives.
Hacktivists, also known as ‘Anonymous,’ normally target terror groups like ISIS or white supremacist organizations, but they have also targeted local government groups. In January 2016, an attack on the Hurley Medical Center in Flint, Michigan, led to the leak of thousands of documents and records. The organization claimed responsibility with a video promising “justice” for the city’s ongoing water crisis that resulted in 12 deaths over time.
Whether it’s a single hacker or a small online gang, the primary weapons of hacktivists are Distributed Denial of Service (DDoS) tools and vulnerability scanners, which have proven capable of causing financial losses for well-known corporations. Remember when donations to WikiLeaks were halted, and Anonymous rode high on a series of DDoS attacks?
3 — Insider Threats
Insider threats can come from anywhere, but they are viewed as one of an organization’s greatest cyber security threats. Many threats can come from your employees, vendors, contractors, or partners, making you feel like you’re walking on eggshells.
Someone within your organization is helping a threat become a reality. Now that we think about it, almost all of your employees, vendors, contractors, and partners are technically internal to the organization. One major weakness enterprises have is that their core systems of protection, the firewalls and anti-virus programs, are easily bypassed by whoever has access to these programs at any one time.
So when the next wave of cyberattacks comes, who better to carry it out than someone you’ve always trusted with key security access? Damage control measures need to be implemented to prevent a repeat of a situation as catastrophic as Sony’s hack in 2014 (possibly perpetrated by its own employee).
4 — Revenge Game
If you have an unruly employee looking for a way to get revenge on your company, they will more than likely take the time to think of a good attack, leaving you thinking twice about dismissing them.
If they have access to your system, you can be sure that they will try to find any way possible to use their privileged status to get back at you, even after leaving the company. One way of doing this is by accessing databases and accounts that require logins and passwords. In other cases, disgruntled workers might even sell vital information in exchange for money or more favorable job opportunities, or simply to damage your organization’s infrastructure.
Cybercriminals use a wide range of attack vectors, including IP address spoofing, phishing, malicious email attachments, and hard drive encryption, to infiltrate your systems or take custody of them through ransomware attacks.
The most common way to spread ransomware is through phishing emails. Hackers send carefully crafted phoney emails to trick a victim into opening an attachment or clicking on a link containing malicious software.
There are lots of different file formats malware can come in. For example, it could be in a PDF, BMP, MOV, or DOC.
Once hackers take control over your company’s network, ransomware malware has a good chance of getting into your system, encrypting information, and taking hostage all the data stored on your devices.
b) Remote Desktop Protocol (RDP)
RDP, short for Remote Desktop Protocol, runs over port 3389 and allows IT administrators to remotely access machines and configure them, or simply use their resources for various reasons, such as running maintenance.
The hacker begins by running a port scan on machines over the internet that have port 3389 open. 3389 is for SMB, or Server Message Block, which allows for basic file sharing between Windows computers and is often turned on in the early days of internet usage.
Once a hacker has gained access to open machines on port 3389, they often brute-force the password so they can log into them as an administrator. And then, it is a matter of time. Hackers can get into your machine and initiate the encryption operation to lock down your data by purposefully slowing or stopping critical processes.
c) Attacks on Unpatched Software
A weakness in the software is one of the most promising methods of attack deployment in today’s environment. In some cases, when software is not fully up to date or patched, attackers can enter networks without having to harvest credentials.
Hackers can now analyze and evaluate products just as thoroughly as the security teams responsible for them. They have the same or even more tools to scan any given system, so it is practical to anticipate their motivations and profiles.
With hackers becoming more sophisticated, it is of top priority to have proactive cybersecurity mechanisms to maintain the health of your business.
MICROSOFT Seizes 41 Domains Used In Spear-Phishing Attacks By Bohrium Hackers
Microsoft’s Digital Crimes Unit (DCU) last week disclosed that it had taken legal proceedings against an Iranian threat actor dubbed Bohrium in connection with a spear-phishing operation.
The adversarial collective is said to have targeted entities in tech, transportation, government, and education sectors located in the U.S., Middle East, and India.
“Bohrium actors create fake social media profiles, often posing as recruiters,” Amy Hogan-Burney of the DCU said in a tweet. “Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target’s computers with malware.”
According to an ex parte order shared by the tech giant, the goal of the intrusions was to steal and exfiltrate sensitive information, take control over the infected machines, and carry out remote reconnaissance.
To halt the malicious activities of Bohrium, Microsoft said it took down 41 “.com,” “.info,” “.live,” “.me,” “.net,” “.org,” and “.xyz” domains that were used as command-and-control infrastructure to facilitate the spear-phishing campaign.
The disclosure comes as Microsoft revealed that it identified and disabled malicious OneDrive activity perpetrated by a previously undocumented threat actor codenamed Polonium since February 2022.
The incidents, which involved the use of OneDrive as command-and-control, were part of a larger wave of attacks the hacking group launched against over 20 organizations based in Israel and Lebanon.