CYBERSECURITY / DEFENSE / INTELLIGENCE

  • A new zero-day Local Privilege Escalation (LPE) exploit has been put up for sale on a notorious hacker forum.

    This exploit, which has not yet been assigned a Common Vulnerabilities and Exposures (CVE) reference, is said to be capable of granting unauthorized users elevated privileges on any Windows system.

    The asking price for this dangerous tool is a staggering $220,000, indicating its potential severity and the threat actor’s confidence in its effectiveness.

    Impact on Windows Users

    The emergence of this exploit is particularly alarming for Windows users, both individual and corporate, as it can potentially allow attackers to gain higher-level permissions on a targeted system.

    This could lead to a range of malicious activities, from data theft and espionage to the deployment of ransomware and other destructive software.


    Without the necessary patches and specific details, users are left in a vulnerable position.

    The exploit’s ability to affect all Windows platforms suggests that no version of the operating system is safe, and the lack of a CVE reference means that there is no official acknowledgment or fix available yet.

    While the exact technical specifics of the exploit have not been disclosed publicly, the nature of Local Privilege Escalation vulnerabilities can give us some insight.

    Typically, LPE exploits take advantage of flaws in the operating system’s security mechanisms that manage user permissions.

    By exploiting such a flaw, an attacker can elevate a standard user account to one with administrative privileges, granting them the ability to modify system settings, access restricted data, and install software.

    The high price tag of the exploit implies that it is both reliable and difficult to detect, making it a valuable tool for cybercriminals.

    It is also possible that the exploit is ‘wormable,’ meaning it could be used to spread malware across networks without user interaction, exponentially increasing its threat level.


    The post Alert! Windows LPE Zero-day Exploit Advertised on Hacker Forums appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The heavy-lift rocket’s upper stage might extend its service as a tug or defender.


  • One soldier helped create a voice-cloning program using off-the-shelf AI.


  • Security crises drove year-over-year growth to its highest level in a decade.


  • Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. “The documents contained VBA code to drop and run an executable with the name ‘ctrlpanel.exe,'”


  • Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified as CVE-2024-3400.

    This zero-day flaw, found in the GlobalProtect Gateway, is currently under active exploitation by attackers.

    CVE-2024-3400 allows attackers to execute arbitrary OS commands on the affected systems without proper authentication.

    The threat actors are now actively exploiting this Palo Alto ZeroDay in the wild following the PoC release.

    Palo Alto ZeroDay Exploited

    Researchers identified vulnerabilities and developed an exploit for GlobalProtect in three days that targeted Palo Alto VPN-SSL solutions.

    WatchTowr described a path traversal bug combined with a command injection, resulting in a PoC that sends a POST request to “…/ssl-vpn/hipreport.esp”.

    It permits command injection through the SESSID cookie, which can potentially drop webshells as cron jobs. 

    Rapid7’s and WatchTowr’s PoCs spread quickly, followed by TrustedSec and ShadowServer reporting on some real attacks, while some of the earlier PoCs were fake or malicious.

    Expect widespread attacks soon since Palo Alto solutions are not audited enough.

    Palo Alto raised the risk level to 5 out of 5 for CVE-2024-3400, requiring either that patches be applied or that specific Threat Prevention signatures be configured as a countermeasure.

    This change will help prevent devices from becoming overloaded by command-execution attempts. Palo Alto also shared additional IOCs and CLI commands, which mainly focused on the recent exploitation attempts rather than on the original threat actor.

    Onyphe developed a query tool that can help identify GlobalProtect versions, which can aid patch confirmation activity. However, this will expose vulnerable servers to threat actors.

    EmergingThreats unveiled a Suricata rule designed explicitly to detect WatchTowr PoC usage. Rapid7 observed constant exploit attempts and documented them via multiple logs.
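    As an added defensive illustration, not code from the write-up, Rapid7, WatchTowr or EmergingThreats, the following Python scans constructed web-access log lines for the pattern described above: POST requests to the hipreport.esp endpoint whose SESSID cookie carries path-traversal sequences or shell metacharacters instead of an opaque session token. The log layout, client addresses, timestamps and cookie values are all constructed for the example; the only facts taken from the text are the endpoint path suffix and the cookie name.

```python
import re
from typing import Dict, List, Optional

# The endpoint named in the write-up; only POST requests to it are inspected.
TARGET_PATH = "/ssl-vpn/hipreport.esp"

# Constructed access-log format (hypothetical, not Palo Alto's own log layout):
# src - - [timestamp] "METHOD PATH PROTO" status bytes "Cookie: <cookie header>"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "Cookie: (?P<cookies>[^"]*)"$'
)
SESSID_RE = re.compile(r'(?:^|;\s*)SESSID=(?P<sid>[^;]*)')
# "../" or "..\" (and the URL-encoded form) anywhere in the cookie value.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)|%2e%2e', re.IGNORECASE)
SHELL_METACHARS = set(';|&`$(){}<>\n')


def classify_sessid(value: str) -> Optional[str]:
    """Return a reason if the SESSID value does not look like an opaque session token."""
    if TRAVERSAL_RE.search(value):
        return "path traversal sequence in SESSID"
    if any(ch in SHELL_METACHARS for ch in value):
        return "shell metacharacter in SESSID"
    # Assumption: legitimate session ids are plain alphanumeric tokens.
    if not re.fullmatch(r'[A-Za-z0-9]+', value):
        return "unexpected characters in SESSID"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per POST to the target path whose SESSID cookie is suspicious."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m or m["method"] != "POST" or not m["path"].endswith(TARGET_PATH):
            continue
        sm = SESSID_RE.search(m["cookies"])
        if not sm:
            continue
        reason = classify_sessid(sm["sid"])
        if reason:
            findings.append({"line": str(lineno), "src": m["src"], "ts": m["ts"],
                             "reason": reason, "sessid": sm["sid"]})
    return findings


# Constructed sample log: one benign POST, two with malformed SESSID values,
# and one unrelated GET that the scanner must ignore.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Apr/2024:10:01:02 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 512 "Cookie: SESSID=abc123def456"
203.0.113.9 - - [15/Apr/2024:10:02:10 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 512 "Cookie: SESSID=/../../../tmp/PLACEHOLDER"
198.51.100.7 - - [15/Apr/2024:10:03:30 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 512 "Cookie: SESSID=abc$(PLACEHOLDER)"
10.0.0.6 - - [15/Apr/2024:10:04:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 1024 "Cookie: SESSID=zzz123"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} at {hit['ts']} -> {hit['reason']} ({hit['sessid']!r})")
```

    The allowlist check at the end is the part worth keeping in a real rule: matching only known traversal or metacharacter strings chases each new PoC variant, whereas rejecting anything that is not a plain token catches the whole class of malformed cookie values at once.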

    Palo Alto released patches for the critical 0day CVE-2024-3400 on April 14, with three fixes available for affected branches. On April 19, patches for the older versions will be released.

    Adversaries have not yet carried out a mass compromise; the observed activity instead points to a targeted campaign, tracked as MidnightEclipse.

    Volexity established that the adversary had moved laterally into internal systems using a Python backdoor named “update.py” and additional payloads designed to exfiltrate valuable data.

    Although some infrastructure is still online, no definite public PoC exists, and expert researchers might use the patched 0day for advanced research.


    The post Palo Alto ZeroDay Exploited in The Wild Following PoC Release appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). “FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights,” the BlackBerry research and intelligence team said in a new write-up. “They


  • IT employees in the automotive industry are often targeted by hackers because they have access to sensitive information such as customer data, intellectual property, and critical systems.

    The automotive industry’s dependence on connected technologies, together with the value of its data, makes it an attractive target for threat actors.

    BlackBerry analysts recently discovered that the FIN7 hackers are actively attacking the IT employees of the automotive industry.

    FIN7 Attacking IT Employees

    According to some BlackBerry evaluations at the end of 2023, there was a spear-phishing campaign against a major United States-based car manufacturer by FIN7 hackers. 

    FIN7 used a free IP scanning tool as bait to exploit IT staff with admin rights and then deployed their Anunak backdoor. 

    It has been reported that these attacks were part of a broader campaign by FIN7, a financially motivated APT group from Russia known to be focused on sectors such as transportation and defense.

    However, the BlackBerry team interrupted the intrusion before the attackers could carry out a ransomware attack.

    This demonstrates the importance of detecting early intrusion to mitigate possible losses.

    FIN7 has since shifted to big-game hunting, pursuing targets that can pay larger ransoms, with detailed plans for maximizing the impact of its attacks.

    They are scouts who select and study targets carefully, zooming in for employees with high access rights and delivering payloads such as “WsTaskLoad.exe” via spear-phishing emails containing malicious URLs.

    These attacks take advantage of trust in legitimate sites, highlighting the necessity for strong cyber security measures to mitigate such advanced threats.

    Attack chain (Source – BlackBerry)

    WsTaskLoad.exe delivers the final Anunak/Carbanak payload in multiple stages: it first loads jutil.dll and calls that DLL’s exported function “SizeSizeImage.”

    jutil.dll now reads and decrypts infodb\audio.wav; its decrypted blob is shellcode that gets copied to mspdf.dll, and it runs as code there.

    This shellcode also reads and decrypts infodb\audio.wav again; this decrypted blob is a loader that can be loaded and run later by the same shellcode.

    The loader looks in the current directory for the files dmxl.bin and dfm\open.db, checking each for a specific marker.

    The decrypted dmxl.bin is the Anunak payload, which uses “rabt4201_x86” as its campaign ID.

    Besides this, WsTaskLoad.exe also handles script execution and persistence. The first thing it does is run an obfuscated PowerShell script called powertrash.

    Persistence is established by installing OpenSSH as a scheduled job, which also opens up the required firewall ports.

    The fake lure website “advanced-ip-sccanner[.]com” was pointed at “myipscanner[.]com”, and several other domains were registered too.

    Post compromise, OpenSSH is utilized for external access with an SSH tunnel proxy server using a common fingerprint.

    The target was a large multinational automobile manufacturer whose IT department was deliberately singled out.

    The obfuscation and tool employed resemble FIN7 POWERTRASH tactics, confirming that the actor behind this incident was likely FIN7.
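    The staged loader chain described above lends itself to ordered correlation of endpoint telemetry rather than to matching any single file name. The following Python is an added example and not BlackBerry’s detection logic: it defines a minimal, hypothetical event schema, encodes the stages named in the text as predicates, and flags a host only when the stages appear in sequence. The sample events are constructed; the file names, the PowerShell stage and the OpenSSH persistence are the only details taken from the write-up, and the file paths around them are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """Hypothetical endpoint telemetry record (schema is an assumption)."""
    host: str
    ts: int        # constructed timestamp, seconds since an arbitrary epoch
    kind: str      # "process_create" | "image_load" | "file_read" | "task_create"
    image: str     # image path of the acting process
    detail: str    # loaded DLL, file path, or scheduled-task command line


# The stages of the chain in the order the write-up describes them. Each
# predicate decides whether a single event is evidence for that stage.
STAGES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("WsTaskLoad.exe started",
     lambda e: e.kind == "process_create" and e.image.lower().endswith("wstaskload.exe")),
    ("jutil.dll loaded",
     lambda e: e.kind == "image_load" and e.detail.lower().endswith("jutil.dll")),
    (r"infodb\audio.wav read",
     lambda e: e.kind == "file_read" and e.detail.lower().endswith(r"infodb\audio.wav")),
    ("obfuscated PowerShell spawned",
     lambda e: e.kind == "process_create" and "powershell" in e.image.lower()),
    ("OpenSSH scheduled task created",
     lambda e: e.kind == "task_create" and "sshd" in e.detail.lower()),
]


def correlate(events: List[Event], min_stages: int = 3) -> Dict[str, List[str]]:
    """Walk each host's events in time order, advancing through STAGES as evidence
    appears, and report hosts where at least min_stages consecutive stages were seen.
    The walk is strictly ordered on purpose: benign PowerShell or SSH administration
    on a host that never ran the loader contributes nothing."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    hits: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        matched: List[str] = []
        for ev in evs:
            if len(matched) < len(STAGES) and STAGES[len(matched)][1](ev):
                matched.append(STAGES[len(matched)][0])
        if len(matched) >= min_stages:
            hits[host] = matched
    return hits


# Constructed telemetry: one host exhibiting the full chain, one host with
# routine PowerShell and SSH administration that must not be flagged.
SAMPLE_EVENTS = [
    Event("ws-it-01", 100, "process_create", r"C:\Users\it\Downloads\WsTaskLoad.exe", ""),
    Event("ws-it-01", 101, "image_load", r"C:\Users\it\Downloads\WsTaskLoad.exe",
          r"C:\Users\it\Downloads\jutil.dll"),
    Event("ws-it-01", 102, "file_read", r"C:\Users\it\Downloads\WsTaskLoad.exe",
          r"C:\Users\it\Downloads\infodb\audio.wav"),
    Event("ws-it-01", 103, "process_create",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-enc <placeholder>"),
    Event("ws-it-01", 104, "task_create", r"C:\Windows\System32\schtasks.exe",
          r"C:\ProgramData\ssh\sshd.exe"),
    Event("ws-fin-02", 200, "process_create",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Get-Service"),
    Event("ws-fin-02", 201, "task_create", r"C:\Windows\System32\schtasks.exe",
          r"C:\Windows\System32\OpenSSH\sshd.exe"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

    The threshold of three stages is a design choice for the example: the first three stages (loader, DLL, decrypted WAV) are specific to this chain, while the last two are generic enough that they should only add confidence once the loader has already been seen on the host.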

    Recommendations

    The recommendations are as follows:

    • Conduct Regular Security Training
    • Social Engineering Awareness
    • Phishing Report System
    • Multi-Factor Authentication
    • Password hygiene
    • Security Updates and Patch Management
    • Endpoint Security Solutions
    • Monitor Suspicious Behavior
    • Data Protection and Encryption
    • Email Filtering and Authentication
    • Incident Response


    The post FIN7 Hackers Attacking IT Employees Of Automotive Industry appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • As Russia’s invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS, APT44) cyber threat group remains highly active and increasingly integrated with Russian conventional military operations in support of Moscow’s war aims. 

    However, Sandworm’s disruptive operations now span globally across Russian political, military, and economic interests.

    With 2024 seeing record participation in national elections, the group’s history of attempting to interfere in democratic processes elevates potential near-term threats. 

    Recently, cybersecurity researchers at Google’s Threat Intelligence team unveiled that Russian APT44 is the most notorious cyber sabotage group globally.

    Russian APT44 Most Notorious Gang

    The operationally mature APT44 (Sandworm), sponsored by Russian military intelligence, carries out the full range of espionage, attack, and influence operations, something unusual among state groups, which often specialize.

    APT44’s spectrum of operations (Source – Google Cloud)

    Russia’s “information confrontation” cyber warfare doctrine necessitates these abilities.

    In pursuit of this, APT44 has actively sought to create several initiatives that would end up giving Russia an upper hand during times of war, Mandiant said.

    During the early stages of the invasion, it ran a fierce campaign with wiper malware against Ukrainian critical infrastructure, sometimes aligned with kinetic strikes.

    As the war proceeded, APT44 switched its interest towards intelligence gathering and launched campaigns to extract data from captured devices that could be used as intelligence sources for Russian forces at the front line.

    The group’s changing strategy illustrates flexibility in support of Moscow’s military goals.

    APT44’s wartime disruptive activity (Source – Google Cloud)

    As an arm of Russian military intelligence, APT44’s sabotage operations extend beyond military objectives to support the Kremlin’s broader national interests like political signaling, crisis response, and preserving perceived global reputation. 

    This has resulted in historically consequential attacks like disrupting Ukraine’s power grid in 2015-2016, the global NotPetya strike on Ukraine’s Constitution Day 2017, and the disruption of the 2018 Pyeongchang Olympics opening ceremony over Russia’s doping ban.

    With high capabilities, risk tolerance, and a far-reaching mandate backing Russian foreign policy across governments, civil society, and critical infrastructure globally, APT44 presents a severe, persistent threat wherever Russian interests intersect. 

    Its aggressive offensive operations pioneer new attack concepts, likely lowering the barrier for other state and non-state actors; Russia itself appears concerned about this risk, judging by observed defensive exercises.

    APT44 is a well-known Russian-based advanced persistent threat group constituting a critical and growing international cyber threat.

    For ten years, this group has been at the forefront when it comes to conducting cyber-attacks that are aimed at promoting the nationalist agenda of Russia, which focuses mainly on elections, sports events, and geopolitics.

    While the war in Ukraine continues, APT44 has kept its focus on the region, where it can further the Kremlin’s global strategic goals and potentially affect political dynamics, elections, and matters concerning Russia’s neighboring countries.


    The post Russian APT44 – The Most Notorious Cyber Sabotage Group Globally appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
