CYBERSECURITY / DEFENSE / INTELLIGENCE

  • A renowned software documentation platform has confirmed a security breach that led to the unauthorized access of 91 GitHub tokens.

    This incident has raised alarms about the potential exposure of private repositories and the overall security measures to protect sensitive user data.

    A thorough examination of server logs revealed unusual requests from an unrecognized device, targeting sensitive API endpoints, with some attempts proving successful.

    This indicated that the attackers had gained access to private admin tokens, allowing them unauthorized entry into the system.

    Further investigations confirmed that the compromised GitHub tokens were used to access a customer’s repository.

    While there is no evidence to suggest that other repositories were accessed, the possibility cannot be entirely ruled out.

    Immediate Response and Remediation

    Mintlify acted swiftly in response to the breach by revoking all GitHub token access and rotating internal admin tokens.

    The company also enhanced security protocols around endpoint authorization to prevent future unauthorized access and patched the vulnerability that led to the exposure.

    In addition to these immediate measures, Mintlify has partnered with third-party cybersecurity vendors for an extensive investigation and has bolstered its defenses against potential future attacks.

    These include enhancing monitoring and alerting systems, developing a comprehensive security policy, launching a bounty program for ethical hackers, and re-auditing its SOC 2 certification for 2024.

    The breach was discovered on March 1st, following an email raising concerns about the security of Mintlify’s endpoints.

    Timeline of Events

    • March 1, 4:55 PM PDT: The initial email was received, raising security concerns.
    • March 1, 6:41 PM PDT: Unrecognized device access was discovered in the logs.
    • March 1, 6:51 PM PDT: Revocation of all GitHub user access tokens and rotation of internal access tokens initiated.
    • March 2nd and 3rd: Continued collaboration with bug bounty reporters and further security enhancements implemented.

    Mintlify assures its users that no further action is required on their part to continue using the product safely.

    The vulnerabilities have been addressed, and measures have been taken to secure the system against similar incidents in the future.

    Ongoing Preventative Measures

    Mintlify’s commitment to security is evident in its ongoing efforts to prevent future breaches.

    Collaborating with leading cybersecurity firms, enhancing API endpoint monitoring, developing a security policy, and launching a bounty program are just a few steps to safeguard user data.

    The Mintlify data breach serves as a stark reminder of the ever-present threats in the digital world.

    However, the company’s transparent and swift response highlights its commitment to user security and trust.

    As Mintlify strengthens its defenses, users can take solace in knowing that their data’s security remains a top priority.

    The post Mintlify Data Breach Exposes Customer GitHub Tokens appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Over 900 websites inadvertently expose over 10 million passwords, many of which are in plaintext, alongside sensitive billing information and personally identifiable information (PII) of approximately 125 million users.

    This massive data exposure is attributed to misconfigured Firebase instances, a popular development platform for creating mobile and web applications, which, due to its ease of use, has led to widespread security oversights.

    The Root of the Problem: Firebase Misconfigurations

    Firebase, known for its comprehensive suite of tools that aid developers in building, managing, and growing their apps, has a critical flaw in its security rules configuration.

    The platform allows for easy misconfiguration with zero warnings, leading to hundreds of sites exposing user records.

    This issue came into the spotlight following the initial investigation into Chattr.ai, prompting a more extensive scan for exposed PII across the internet due to misconfigured Firebase instances.
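    The misconfiguration described above is an open security rule. The following Python linter, an added example rather than code from the article or from the researchers' scanner, flags Firestore `allow` statements and Realtime Database `.read`/`.write` rules that grant access without consulting the caller's auth state; the sample rule files are constructed for illustration.

```python
import json
import re
from typing import List, Tuple

# Constructed sample Firestore rules: /users is readable and writable by anyone
# (the silent misconfiguration the article describes); /orders is scoped to a user.
SAMPLE_FIRESTORE_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if true;
    }
    match /orders/{orderId} {
      allow read: if request.auth != null && request.auth.uid == resource.data.owner;
      allow write: if request.auth != null;
    }
  }
}
"""

# Constructed sample Realtime Database rules with one world-readable node.
SAMPLE_RTDB_RULES = """
{
  "rules": {
    "users":   { ".read": true, ".write": "auth != null" },
    "billing": { ".read": "auth != null && auth.uid == $uid", ".write": false }
  }
}
"""

Finding = Tuple[str, str, str]  # (path, operation(s), reason)

# One-pass tokenizer: a `match <path> {` opener (its brace included), any other
# opening brace, a closing brace, or an `allow` statement with an optional condition.
_TOKEN_RE = re.compile(
    r"(?P<match>\bmatch\s+(?P<path>/(?:[^\s{}]|\{[^}]*\})+)\s*\{)"
    r"|(?P<open>\{)"
    r"|(?P<close>\})"
    r"|(?P<allow>\ballow\s+(?P<ops>[\w,\s]+?)\s*(?::\s*if\s+(?P<cond>.+?))?\s*;)",
    re.S,
)


def _judge(cond: str) -> str:
    """Classify a rule condition; an empty string means no warning."""
    if cond in ("", "true"):
        return "unconditional access"
    if "auth" not in cond:  # e.g. resource.data.public == true: readable without login
        return "no authentication check"
    return ""


def lint_firestore_rules(text: str) -> List[Finding]:
    """Report allow statements reachable by unauthenticated callers, with the
    full match path (nested match blocks concatenated) each one applies to."""
    findings: List[Finding] = []
    stack: List[str] = []  # one entry per open brace; "" for non-match braces
    for tok in _TOKEN_RE.finditer(text):
        if tok.group("match"):
            stack.append(tok.group("path"))
        elif tok.group("open"):
            stack.append("")
        elif tok.group("close"):
            if stack:
                stack.pop()
        else:
            ops = " ".join(tok.group("ops").split())
            reason = _judge((tok.group("cond") or "").strip())
            if reason:
                findings.append(("".join(stack), ops, reason))
    return findings


def lint_rtdb_rules(text: str) -> List[Finding]:
    """Walk Realtime Database JSON rules; ".read"/".write" set to true or to an
    expression that never consults auth is reported with its node path."""
    findings: List[Finding] = []

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write") and value is not False:
                reason = _judge("true" if value is True else str(value).strip())
                if reason:
                    findings.append((path or "/", key, reason))
            elif not key.startswith("."):  # skip .validate/.indexOn, recurse into children
                walk(value, f"{path}/{key}")

    walk(json.loads(text).get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for f in lint_firestore_rules(SAMPLE_FIRESTORE_RULES) + lint_rtdb_rules(SAMPLE_RTDB_RULES):
        print("WARNING: %s %s -> %s" % f)
```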

    The Hunt for Exposed Data

    The quest to uncover the extent of this exposure began with a rudimentary scanner developed in Python, designed to check for Firebase configuration variables in websites or their loaded JavaScript bundles.

    However, this approach quickly hit a roadblock as the program began to run out of memory within an hour of its operation.

    A subsequent version of the scanner, rewritten in Go by a team member known as Logykk, proved more efficient, not suffering from the memory leak issues of its predecessor.

    Despite the improved efficiency, the scanning process was a waiting game. It was initially estimated to take around 11 days but extended to 2-3 weeks to comb through 5 1/2 million domains.

    The team also undertook the painstaking task of manually checking each domain, a time-consuming and repetitive process.

    A recent report by env has revealed that around 900 websites have inadvertently exposed over 10 million passwords, including sensitive billing information and personally identifiable information (PII) of approximately 125 million users.

    Catalyst: The Secondary Scanner

    The breakthrough came with the introduction of Catalyst. This secondary scanner automated checking for read access to common Firebase collections and those explicitly mentioned in the JavaScript itself.

    Private database table

    This tool not only identified accessible collections but also assessed the impact of the exposed data by sampling 100 records and extrapolating the findings across the total size of the collection.

    The findings were stored in a database using Supabase, an open-source competitor to Firebase, chosen with a touch of irony.

    The database contained detailed records of the exposed data, including project IDs, website URLs, counts of names, emails, phone numbers, hashed passwords, plaintext passwords, and billing information.

    The Alarming Numbers

    The scan revealed staggering numbers:

    • Total records exposed: 124,605,664
    • Names: 84,221,169
    • Emails: 106,266,766
    • Phone Numbers: 33,559,863
    • Passwords: 20,185,831 (with a significant portion in plaintext)
    • Billing Info: 27,487,924

    Notable Sites Affected

    Among the most affected were:

    1. Silid LMS: A learning platform with 27 million affected users, leading in total exposed user records.
    2. Online gambling network: Featuring rigged games and the most exposed bank account details and plaintext passwords.
    3. Lead Carrot: An online lead generator with 22 million affected people.
    4. MyChefTool: A restaurant business management app, leading in exposed names and emails.

    The team’s efforts to notify the affected sites resulted in 842 emails sent over 13 days, with an 85% delivery rate.

    However, only 24% of site owners fixed the misconfiguration, and only 1% responded to the emails.

    Alarmingly, only two site owners offered a bug bounty in response to the findings.

    This extensive investigation illuminates the critical need for better security practices and awareness among developers using platforms like Firebase.

    It also underscores the importance of automated tools in identifying and mitigating data exposure risks on the Internet.

    The post 900+ websites Exposing 10M+ Passwords: Most in Plaintext appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • In a cyberattack campaign dubbed “PhantomBlu,” hundreds of employees across various US-based organizations were targeted with phishing emails masquerading as messages from an accounting service.

    This campaign represents a significant evolution in the tactics, techniques, and procedures (TTPs) employed by cybercriminals.

    They are leveraging social engineering and advanced evasion techniques to deploy malicious code.

    The Ingenious Lure: Monthly Salary Reports

    The attackers meticulously crafted email messages that appeared to originate from a legitimate accounting service.

    They instructed recipients to download an attached Office Word document (.docx) purportedly containing their “monthly salary report.”

    The emails included detailed instructions for accessing the password-protected document, exploiting human curiosity and trust to initiate the attack chain.

    Email Prompt

    Upon downloading and opening the attached file, targets were prompted to enter a provided password and enable editing to view their “salary graph.”

    This step cleverly exploited a legitimate Windows feature, OLE (Object Linking and Embedding), to execute malicious code discreetly.

    Password Prompt

    Decoding PhantomBlu: Advanced Evasion in Action

    The PhantomBlu campaign utilized a technique known as OLE template manipulation (Defense Evasion – T1221), marking the first recorded instance of this TTP being used to deliver the NetSupport RAT (Remote Access Trojan) via email.

    This method exploits document templates to execute malicious code without detection, bypassing traditional security measures by hiding the payload outside the document, which only executes upon user interaction.
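    A defender-side check for the technique just described, added here as an example and not part of the original report: the Python below inspects an Office Open XML document for an external attachedTemplate relationship (the remote-template mechanism behind T1221), externally linked or embedded OLE objects, and VBA parts, and reports when the file is not a zip at all, since a password-protected document is an encrypted OLE container that must be decrypted before its parts can be read. The sample document and the template.invalid hostname are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CATEGORIES = ("remote_template", "external_ole", "embedded_ole", "vba", "not_ooxml")


def inspect_docx(data: bytes) -> Dict[str, List[str]]:
    """Inspect an in-memory Office Open XML document and return findings by category:
    remote_template - settings.xml.rels references an external template (T1221)
    external_ole    - an OLE object relationship resolves outside the package
    embedded_ole    - OLE packages under word/embeddings/ (click-to-run lures)
    vba             - a vbaProject.bin part is present
    not_ooxml       - not a zip; password-protected Office files are encrypted OLE containers
    """
    findings: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings["not_ooxml"].append("not a zip container; decrypt it before inspection")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                findings["embedded_ole"].append(name)
            if name.endswith("vbaProject.bin"):
                findings["vba"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                # Internal relationships point at parts inside the zip; only
                # External ones can pull content from a remote host.
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type, target = rel.get("Type", ""), rel.get("Target", "")
                if rel_type == OOXML_REL + "attachedTemplate":
                    findings["remote_template"].append(f"{name} -> {target}")
                elif rel_type == OOXML_REL + "oleObject":
                    findings["external_ole"].append(f"{name} -> {target}")
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """True when any category other than not_ooxml has a hit."""
    return any(findings[c] for c in CATEGORIES if c != "not_ooxml")


def build_sample_docx(remote_template: bool, embedded_ole: bool) -> bytes:
    """Constructed minimal .docx for demonstration; template.invalid is a placeholder host."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
    if remote_template:
        rels += ('<Relationship Id="rId1" Type="%sattachedTemplate" '
                 'Target="http://template.invalid/salary.dotm" TargetMode="External"/>' % OOXML_REL)
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if embedded_ole:  # CFB magic bytes only; not a real OLE package
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_docx(build_sample_docx(remote_template=True, embedded_ole=True))
    for category, hits in report.items():
        for hit in hits:
            print(f"{category}: {hit}")
    print("suspicious:", is_suspicious(report))
```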

    Malicious OLE Package

    Perception Point security researchers have recently identified a newly surfaced campaign targeting US-based organizations.

    Dubbed “PhantomBlu,” the emerging malware campaign employs new TTPs and behaviors to evade detection and deploy the notorious NetSupport RAT.

    Upon clicking the embedded printer icon in the document, an archive .zip file containing an LNK file was opened, leading to the next phase of the attack.

    ZIP Containing LNK File

    Dissecting the Malware: From Lure to Control

    A forensic analysis of the LNK file revealed it as a PowerShell dropper designed to retrieve and execute a script from a specified URL.

    The script was heavily obfuscated to conceal its true intentions, which included downloading a secondary ZIP file, unpacking it, and executing the NetSupport RAT.

    Examining the LNK File’s Code

    The de-obfuscation of the PowerShell script provided insights into the malware’s operations, including creating a new registry key to ensure the malware’s persistence on the victim’s machine.

    De-obfuscated PowerShell Script

    Further investigation into the secondary URL used by the attackers revealed a user-agent gated payload delivery, which was bypassed to obtain the payload, mirroring the attackers’ approach.

    Retrieving the Hidden Content

    The secondary PowerShell script’s execution resulted in the deployment of the NetSupport RAT.

    Its configuration files revealed the command and control (C2) servers, highlighting PhantomBlu’s communication backbone and operational directives.

    NetSupport RAT’s C2 Servers

    Beyond Evasion: Unraveling PhantomBlu’s Stealth

    The PhantomBlu campaign represents a departure from conventional TTPs associated with NetSupport RAT deployments, blending sophisticated evasion tactics with social engineering.

    Perception Point’s proprietary anti-evasion model, the Recursive Unpacker, played a crucial role in deconstructing the multi-layered obfuscation and evasion techniques employed by the PhantomBlu threat actors.

    PhantomBlu Attack Tree

    The post Hackers Exploiting Microsoft Office Templates to Execute Malicious Code appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • In an era where digital transformation drives business across sectors, cybersecurity has transcended its traditional operational role to become a cornerstone of corporate strategy and risk management. This evolution demands a shift in how cybersecurity leaders, particularly Chief Information Security Officers (CISOs), articulate the value and urgency of cybersecurity investments to their boards.

  • Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends. “Hosting phishing lures on DDP sites increases the likelihood

  • A new variant of a data wiping malware called AcidRain has been detected in the wild that’s specifically designed for targeting Linux x86 devices. The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne’s Juan Andres Guerrero-Saade said in a series of posts on X. “The new variant […] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/

  • Security experts assess threats using ANY.RUN, an interactive malware sandbox, and the data collected from these analyses is used to build a threat intelligence database.

    The database includes indicators of compromise (IOCs) and relationships between different artifacts observed within an analysis session. In October 2022, ANY.RUN launched TI Threat Intelligence Feeds to allow users to utilize this data.

    TI Lookup’s introduction in February 2023 further improved this capability by enabling users to recognize threats even from lone indicators that other security solutions might miss.

    You can learn here about how ANY.RUN built Threat Intelligence Lookup.

    ANY.RUN’s Approach to Indicator Analysis

    An interactive sandbox environment allows for deep analysis of malware behavior. Suspicious files are executed within the sandbox, mimicking real-world scenarios that enable malware observation throughout its stages, including fetching payloads, encrypting files, or stealing data.

    Analysts can even trigger the malware manually by simulating user actions such as entering passwords or solving CAPTCHAs. 

    The comprehensive analysis captures various indicators, including memory dumps, network traffic between the malware and its command-and-control server, and MITRE ATT&CK tactics. 

    Around 30 event-specific details are collected, encompassing file and registry information, command line activity, HTTP response content, and more, which provides a thorough understanding of the malware’s entire attack cycle.

    Origins of ANY.RUN’s IOCs

    ANY.RUN utilizes a global community of analysts to gather indicators of compromise (IOCs) through public sandbox submissions.

    Daily, around 14,000 samples are uploaded, often stemming from suspicious activity detected by Security Information and Event Management (SIEM) logs or email investigations.

    Analysts configure a sandbox environment mimicking real-world conditions and run the sample; during the 1200-second interactive analysis, the sandbox captures process activity and network events and extracts IOCs like file hashes, domains, IP addresses, and URLs. 

    Comprehensive data collection from global submissions fuels ANY.RUN’s threat intelligence database, which currently stores 24TB of information on evolving malware threats.

    Boosting Security with ANY.RUN Threat Intelligence

    The solution offers a threat intelligence (TI) feed and a lookup portal, providing access to a constantly updated database of malware information that leverages data from over 1.5 million investigations by community and in-house analysts, allowing you to

    • Access the latest community-reported and analyst-discovered malware data.
    • Search across various aspects (fields) of 1.5 million investigations conducted in the past 6 months.
    • To identify risks, analyze command lines, registry changes, memory dumps, encrypted and unencrypted network traffic, and more.

    It offers threat intelligence in two formats:

    • Threat Intelligence Lookup – Search our portal for relevant events using 30 criteria. Use wildcards (*) to search broadly or to match substrings. With rapid search, results arrive in 5 seconds. The returned IOCs and event fields include links to the recorded sandbox research sessions.
    • Threat Intelligence Feeds – Receive STIX data from our Feeds directly into your TIP and SIEM systems, and configure firewalls against current threats. New indicators and event fields, with context, are delivered every two hours.

    TI Lookup examines a massive database of Indicators of Compromise (IOCs) and related events across numerous parameters. Wildcards allow wide or particular searches, and results, including linked research sessions, are supplied in seconds.

    SIEM systems can consume TI Feeds’ continuous threat data in STIX format; every two hours, new IOCs and event details are added for threat analysis.

    What is ANY.RUN?

    ANY.RUN is a cloud-based malware lab that does most of the work for security teams. 400,000 professionals use the ANY.RUN platform every day to investigate events and speed up threat research on Linux and Windows cloud VMs.

    Advantages of ANY.RUN 

    • Real-time Detection: ANY.RUN can find malware and instantly identify many malware families using YARA and Suricata rules within about 40 seconds of posting a file.
    • Interactive Malware Analysis: ANY.RUN differs from many automated options because it lets you interact with the virtual machine from your browser. This live access helps analysts catch zero-day threats and advanced malware that can get past signature-based protection.
    • Value for money: ANY.RUN’s cloud-based nature makes it a cost-effective option for businesses since your DevOps team doesn’t have to do any setup or support work.
    • Best for onboarding new security team members: ANY.RUN’s easy-to-use interface allows even new SOC researchers to quickly learn to examine malware and identify indicators of compromise (IOCs).

    The post How ANY.RUN Malware Sandbox Process IOCs for Threat Intelligence Lookup? appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in 2018, built with the AutoIt scripting language, which primarily spreads through phishing emails. 

    Unlike most ransomware, CryptoWire reportedly includes the decryption key within its code, while recovering encrypted files likely requires a complex process.

    Cryptowire GitHub

    Main Features:

    The ransomware installs itself in a common location (“C:\Program Files\Common Files”) to ensure persistence, schedules tasks to maintain its presence on the system, and then scans the local network and connected devices to encrypt files, potentially compromising the entire network.

    Registered task schedule

    Encrypted files are renamed with the “.encrypted” extension, and a log file named “domaincheck.txt” is saved on the desktop, possibly containing compromised system information.

    A partial source code related to the expansion of encryption
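    A triage helper for the artifacts named above, added here as an example and not code from the ASEC report: it parses `schtasks /query /fo CSV /v` output for tasks whose program lives under C:\Program Files\Common Files, and counts `.encrypted` files and the desktop `domaincheck.txt` log in a file listing. The CSV rows, the task name and the svcupd.exe file name are constructed samples.

```python
import csv
import io
from typing import Dict, Iterable, List

# Install location the report gives for CryptoWire; tasks launching from here deserve a look.
COMMON_FILES = r"c:\program files\common files" + "\\"

# Constructed rows in the layout of `schtasks /query /fo CSV /v` (a subset of its columns).
# The \UpdateCheck task and svcupd.exe are made up for this example.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Time Synchronization\SynchronizeTime","Ready","Microsoft Corporation","%windir%\system32\sc.exe start w32time task_started","LOCAL SERVICE","At logon"
"WS01","\UpdateCheck","Ready","WS01\alice","""C:\Program Files\Common Files\svcupd.exe"" /silent","alice","One Time"
"WS01","\OneDrive Standalone Update Task","Ready","Microsoft","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice","Daily"
'''

# Constructed file listing, as an IR collector might export it, containing the
# artifacts the report names: the ".encrypted" suffix and the desktop log file.
SAMPLE_FILE_LISTING = [
    r"C:\Users\alice\Desktop\domaincheck.txt",
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Documents\notes.txt.encrypted",
    r"C:\Users\alice\Pictures\holiday.jpg",
]


def executable_of(task_to_run: str) -> str:
    """Extract the program path from a 'Task To Run' value (quoted or bare)."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]  # schtasks quotes paths that contain spaces


def suspicious_tasks(schtasks_csv: str) -> List[Dict[str, str]]:
    """Rows whose program lives under Common Files, the directory CryptoWire installs into."""
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        exe = executable_of(row.get("Task To Run", ""))
        if exe.lower().startswith(COMMON_FILES):
            hits.append({"task": row["TaskName"], "exe": exe,
                         "user": row.get("Run As User", ""), "author": row.get("Author", "")})
    return hits


def ransomware_artifacts(paths: Iterable[str]) -> Dict[str, object]:
    """Count '.encrypted' files and locate the desktop domaincheck.txt log."""
    paths = [p.replace("/", "\\") for p in paths]
    encrypted = [p for p in paths if p.lower().endswith(".encrypted")]
    logs = [p for p in paths if p.lower().endswith(r"\desktop\domaincheck.txt")]
    return {"encrypted_count": len(encrypted), "domaincheck_log": logs}


def triage(schtasks_csv: str, paths: Iterable[str]) -> Dict[str, object]:
    """Combine both checks; the pattern matches when a Common Files task coexists
    with encryption artifacts (either signal alone is only a lead)."""
    tasks = suspicious_tasks(schtasks_csv)
    artifacts = ransomware_artifacts(paths)
    matched = bool(tasks) and (artifacts["encrypted_count"] > 0 or bool(artifacts["domaincheck_log"]))
    return {"tasks": tasks, **artifacts, "matches_cryptowire_pattern": matched}


if __name__ == "__main__":
    result = triage(SAMPLE_SCHTASKS_CSV, SAMPLE_FILE_LISTING)
    for t in result["tasks"]:
        print(f"task {t['task']} runs {t['exe']} as {t['user']}")
    print(f"{result['encrypted_count']} .encrypted files; log: {result['domaincheck_log']}")
    print("matches CryptoWire pattern:", result["matches_cryptowire_pattern"])
```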

    According to ASEC, the malware emptied the recycle bin and deleted shadow copies to hinder data recovery. Finally, a ransom message is displayed, demanding payment for decryption.

    Ransomware can include the decryption key within itself or send it along with stolen system information to the attacker’s server.

    This method is uncommon, as most ransomware forces users through a complex decryption process to regain access to their files. 

    Preventing decryption

    To avoid infection, users should exercise caution when opening unknown files and utilize up-to-date anti-malware software to scan suspicious files. 

    The analyzed system had been infected with multiple threats: a Trojan downloader (Trojan/Win.Kryptik.C5576563) was detected on January 20th, 2024, which could have downloaded other malware.

    More recently, on February 20th, 2024, ransomware (Ransomware/Win.bcdedit.C5590639) was also found, which likely encrypts files and demands a ransom for decryption.

    Malware behavior consistent with ransomware execution (MDP.Ransom.M1171) was additionally detected. 

    An analysis of the Indicators of Compromise (IoCs) revealed two MD5 hashes (cd4a0b371cd7dc9dab6b442b0583550c and a410d4535409a379fbda5bb5c32f6c9c) that could be used to identify malicious files.

    A C2 server address (hxxp://194.156.98[.]51/bot/log.php) was also found; the malware likely contacts it to receive instructions or send stolen data, so immediate action is required to remove the malware and protect the system.

    The post CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old Moldovan national, has been sentenced to 42 months in federal prison after pleading guilty to charges related to operating a network of illicit websites.

    U.S. Senior District Judge James Moody, Jr. handed down the sentence following Diaconu’s admission of guilt on December 1, 2023, for his involvement in a sophisticated digital fraud operation.

    The E-Root Marketplace, as the network was known, became infamous for selling compromised computer credentials, allowing buyers to gain unauthorized access to computers and servers worldwide, including systems owned by individuals and companies within the United States.

    The marketplace was designed to be a covert operation, employing a distributed network structure to conceal the identities of its administrators, buyers, and sellers.

    Diaconu’s role in the criminal enterprise included developing, publishing online, and collaborating with accomplices to manage the E-Root Marketplace.

    The platform facilitated the sale of access to compromised computers, effectively enabling a range of cybercrimes.

    The charges brought against Diaconu included conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices.

    His guilty plea and subsequent sentencing mark a victory for U.S. authorities in their ongoing efforts to combat international cybercrime.

    The case against Diaconu resulted from a concerted effort by law enforcement agencies to dismantle operations that threatened the digital security of individuals and businesses.

    The sentence serves as a reminder of the serious consequences facing those who engage in the illicit trade of stolen digital information and the commitment of the justice system to uphold cybersecurity.

    The post E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • A new variant of the WhiteSnake Stealer has surfaced; the malware has been updated to be more elusive and efficient in its malicious endeavors.

    One of the key features of the updated WhiteSnake Stealer is its use of mutexes (mutual exclusions).

    Mutexes are commonly used to prevent the same program from being launched multiple times, which could otherwise cause system instability or make the malware easier to detect.

    Performing mutex check

    Upon execution, the stealer checks for a specific mutex value predefined in its configuration file.

    If this mutex is already present on the system, indicating that an instance of the stealer is running, the newly executed stealer will terminate itself.

    This ensures that only one instance of the malware operates at a time, reducing the risk of detection and system resource exhaustion.

    Anti-VM Detection to Evade Analysis

    Another layer of stealth is the AntiVM feature.

    Security researchers often use virtual machines (VMs) to analyze malware behavior in a controlled environment.

    To combat this, WhiteSnake Stealer can be configured to detect the presence of VMs and terminate itself if one is found.

    Performing AntiVM check

    The stealer uses a WMI query to retrieve the computer system’s “Model” and “Manufacturer” properties.

    It then searches for strings that are typically associated with virtual environments, such as “VMware,” “virtual,” and “qemu.”

    If any of these strings are detected, the stealer will exit, thwarting any attempt to analyze or reverse-engineer its code.

    According to the latest findings by SonicWall Capture Labs’ threat research team, WhiteSnake Stealer malware has emerged, showcasing less obfuscation and increased danger. 
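    An added sandbox self-assessment, not code from SonicWall or from the stealer: it applies the Model/Manufacturer substring check described above to `wmic` output so an analyst can tell whether a given analysis VM would make the sample exit before it does anything observable. Case-insensitive matching and the hypervisor strings in the constructed samples are assumptions.

```python
import subprocess
import sys
from typing import Dict, List, Tuple

# Substrings the article says the stealer looks for in Win32_ComputerSystem
# Manufacturer/Model. Matching is assumed to be case-insensitive here.
VM_TOKENS = ("vmware", "virtual", "qemu")


def parse_wmic_list(output: str) -> Dict[str, str]:
    """Parse `wmic ... /format:list` style output (Key=Value lines) into a dict."""
    info: Dict[str, str] = {}
    for line in output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    return info


def vm_indicators(info: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, token) pairs that would trip the stealer's check."""
    hits: List[Tuple[str, str]] = []
    for field in ("Manufacturer", "Model"):
        value = info.get(field, "").lower()
        hits.extend((field, tok) for tok in VM_TOKENS if tok in value)
    return hits


def would_exit_early(info: Dict[str, str]) -> bool:
    """True when the sample would terminate on this machine instead of running."""
    return bool(vm_indicators(info))


# Constructed outputs in the format `wmic computersystem get Manufacturer,Model /format:list`
# produces; the values are the strings these hypervisors typically present to guests
# (assumed defaults) plus one physical laptop for contrast.
SAMPLES = {
    "vmware": "Manufacturer=VMware, Inc.\r\nModel=VMware Virtual Platform\r\n",
    "hyperv": "Manufacturer=Microsoft Corporation\r\nModel=Virtual Machine\r\n",
    "qemu":   "Manufacturer=QEMU\r\nModel=Standard PC (Q35 + ICH9, 2009)\r\n",
    "vbox":   "Manufacturer=innotek GmbH\r\nModel=VirtualBox\r\n",
    "laptop": "Manufacturer=Dell Inc.\r\nModel=Latitude 7420\r\n",
}


def live_check() -> Dict[str, str]:
    """On a Windows analysis VM, query the real values (wmic is assumed to be present)."""
    out = subprocess.run(
        ["wmic", "computersystem", "get", "Manufacturer,Model", "/format:list"],
        capture_output=True, text=True, check=True).stdout
    return parse_wmic_list(out)


if __name__ == "__main__":
    info = live_check() if sys.platform == "win32" else parse_wmic_list(SAMPLES["vmware"])
    verdict = "stealer would exit" if would_exit_early(info) else "not fingerprinted by this check"
    print(info, "->", verdict, vm_indicators(info))
```

Every hypervisor in the samples is caught by one of the three tokens, so a VM that should survive this check needs its SMBIOS manufacturer and model strings changed, not just its hostname or user name.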

    Advanced Data Exfiltration Capabilities

    Following the Anti-VM check, the malware proceeds to its primary function: data theft.

    The Create() function is called, leading to the ProcessCommands() function, designed to siphon sensitive data from various sources.

    The WhiteSnake Stealer targets a wide range of web browsers, including mainstream options like Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as less common ones like Vivaldi and CocCoc Browser.

    It extracts cookies, autofill information, login credentials, browsing history, and more.

    In addition to web browser data, the stealer is programmed to target cryptocurrency wallets to capture the lucrative financial information associated with these assets.

    The table below shows the targeted cryptocurrency wallets and browser extensions.

    Cryptocurrency Wallets

    Cryptocurrency Wallet Name   Targeted Directory
    Ledger                       %AppData%\ledger live
    Atomic                       %AppData%\atomic\Local Storage\leveldb
    Wasabi                       %AppData%\WalletWasabi\Client\Wallets
    Binance                      %AppData%\Binance
    Guarda                       %AppData%\Guarda\Local Storage\leveldb
    Coinomi                      %LocalAppData%\Coinomi\Coinomi\wallets
    Bitcoin                      %AppData%\Bitcoin\wallets
    Electrum                     %AppData%\Electrum\wallets
    Electrum-LTC                 %AppData%\Electrum-LTC\wallets
    Zcash                        %AppData%\Zcash
    Exodus                       %AppData%\Exodus
    JaxxLiberty                  %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
    JaxxClassic                  %AppData%\Jaxx\Local Storage\leveldb
    Monero                       %UserProfile%\Documents\Monero\wallets

    Targeted Cryptocurrency Wallets

    Beyond its sophisticated evasion techniques, WhiteSnake Stealer boasts a range of functionalities designed to harvest sensitive data from infected systems.

    While keylogging is disabled by default, attackers can activate this feature remotely and capture every keystroke of the victim.

    Moreover, the malware can hijack the victim’s microphone and webcam, turning personal devices into surveillance tools.

    Part of the code responsible for keylogging

    The new variant of WhiteSnake Stealer demonstrates the continuous innovation by cybercriminals to bypass security measures and remain undetected.

    Its use of mutexes and anti-VM techniques, along with its comprehensive data theft capabilities, makes it a significant threat to users and organizations.

    As the cyber threat landscape evolves, it is crucial for cybersecurity professionals and end-users to stay informed about the latest malware trends and to implement robust security measures to protect sensitive information.

    The post WhiteSnake Stealer Checks for Mutex & VM Function Before Execution appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
