CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users. The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims’ Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday. One

  • RedHat on Friday released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access. The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils

  • Minihan said he wishes his planes were better able to communicate as the command delivers aid to Gaza.

  • The redistribution of fuel to locations around the Pacific “will really make us safer,” commander says.

  • Security vulnerabilities discovered in Dormakaba’s Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. The shortcomings have been collectively named Unsaflok by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana. They were reported to the Zurich-based

  • A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless. “TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen

  • EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed “Operation FlightNight” targeting Indian government entities and energy companies. 

    The attackers, likely state-sponsored, leveraged a modified version of the open-source information stealer HackBrowserData to steal sensitive data.

    EclecticIQ identified that the attackers used Slack channels, a popular communication platform, as exfiltration points.

    These channels were named “FlightNight,” giving the operation its name.

    Data Breach:

    The attackers successfully infiltrated multiple government agencies responsible for communication, IT, and national defense.

    Additionally, private energy companies were compromised, with details about financial documents, employee information, and even oil and gas drilling activities stolen.

    A staggering 8.81 GB of data was exfiltrated, potentially aiding future intrusions.

    The attackers used a trick to get victims to install malware. 

    They sent emails disguised as invitations from the Indian Air Force. 

    These emails contained an ISO file, which appeared to be a harmless archive. 

    However, when the victim opened the ISO file, it actually launched a shortcut file (LNK) disguised as a PDF document.

    Clicking the LNK file unknowingly activated the malware.

    The malware then exfiltrated confidential documents, private emails, and cached web browser data. 

    [Figure: malware infection chain in Operation FlightNight; Indian Air Force invitation decoy shown alongside the information stealer payload]

    The Malware’s Work:

    The stolen data included documents, emails, and browsing history.  

    Instead of sending the stolen data directly to the attackers, the malware uploaded it to channels on Slack, a communication platform, so that the traffic looked like normal activity on the network and helped the attackers avoid detection.

    [Figure: overlaps between the new and an earlier malware campaign]

    The attackers modified an existing tool called HackBrowserData to add new features like document theft and communication through Slack.  

    Analysis of the code confirmed these modifications. 

    The malware also used a specific naming scheme for temporary files and targeted certain file types like documents and databases to steal data faster.

    Finding The Victims:

    The malware authors made a serious mistake by storing the keys needed to access and control the Slack channels directly in the malware’s code.

    EclecticIQ researchers found these keys and used them to access the Slack channels where the stolen data was uploaded.

    These channels gave the researchers:

    • A list of victims – who was targeted by the attack.
    • File paths – exactly where the stolen data came from on the victim’s computer.
    • Timestamps – when the data was stolen.
    • Download URLs – unique links that allow anyone with the link to download the stolen data!

    Another mistake was that the attackers tested connectivity to their Slack workspaces, which helped researchers learn even more about the attackers’ setup, including details about the Slack team and the bots used to communicate.

    Recommendation/Mitigation

    • Disable the “remember me” feature in web browsers and turn off automatic username completion.
    • Two-factor authentication (2FA) adds an extra layer of security by requiring a second verification code in addition to the password when logging in.
    • Be cautious with ISO files.
    • Command-line auditing can help track suspicious activity related to LNK files, which can launch malware.
    • Watch for unusual amounts of data being sent to unknown Slack channels.

    Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

    The post Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • The notorious WarzoneRAT malware has made a comeback, despite the FBI’s recent efforts to dismantle its operations.

    Initially detected in 2018, WarzoneRAT was disrupted by the FBI in mid-February when they seized the malware’s infrastructure and arrested two individuals linked to the cybercrime scheme.

    However, ThreatMon’s recent advertisement for WarZoneRAT v3, with its enhanced features, indicates that the threat actors are far from giving up.

    Cybersecurity experts at Cyble Research & Intelligence Labs (CRIL) have uncovered a new campaign that leverages tax-themed spam emails to spread the WarzoneRAT (Avemaria) malware, a Remote Administration Tool (RAT) known for its remote control capabilities and ability to execute malicious actions under the command of a remote server.

    Infection Tactics: The LNK and HTA Files

    The infection begins when unsuspecting users open an email with the subject “taxorganizer2023” and execute an attached archive file.

    This file contains a deceptive shortcut file, “taxorganizer2023.png.lnk,” which appears to be an image but is, in fact, a malicious LNK file.

    When executed, it triggers a PowerShell command to download and extract a ZIP file, leading to the execution of an HTA file.

    This HTA file then retrieves a PowerShell script in memory, which downloads a VBScript file from a remote server, ultimately deploying the WarzoneRAT malware.

    [Figure: overall infection chain]

    Another infection method involves a ZIP archive named “MY TAX ORGANIZER.zip,” which contains a legitimate EXE file, a malicious DLL, and a PDF file.

    Running the EXE file triggers the DLL sideloading technique, loading the malicious DLL identified as WarzoneRAT.

    [Figure 17: DLL sideloading method]

    Technical Analysis: Unpacking the Malware

    The technical analysis of the campaign reveals a complex infection chain.

    The LNK file downloads a file with a PNG extension that is actually a ZIP archive, and extracts its contents.

    The subsequent execution of the HTA file leads to a series of scripts that perform various actions, including generating random equations for stealth, checking for antivirus processes, and creating directories and files for persistence.

    [Figure: content of the HTA file before and after removing junk code]

    Final Payload: The Dangers of WarzoneRAT

    The final payload, WarzoneRAT (Avemaria), is a highly capable RAT that allows remote access and control over the victim’s computer.

    It can exfiltrate data, escalate privileges, manipulate the desktop remotely, harvest credentials, and perform keylogging, among other intrusive activities.

    [Figure: hardcoded strings of Avemaria]

    The recent campaign highlights the persistent threat posed by cybercriminals who exploit the trust of users with themed spam emails.

    The sophisticated techniques used in this campaign, such as reflective loading and DLL sideloading, underscore the importance of vigilance and robust cybersecurity measures.

    As the WarzoneRAT malware continues to evolve and resurface, it is a stark reminder of the ongoing battle between cybercriminals and cybersecurity defenders.

    Users are urged to exercise caution when opening email attachments, even those that appear to be related to timely and relevant topics like tax organization.


    The post WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Android devices are popular targets for hackers because of the platform’s widespread adoption and open-source nature.

    It also has a large attack surface, with over 2.5 billion active Android devices worldwide.

    Prompt vulnerability patching is a further challenge, because the ecosystem is fragmented across many hardware vendors and software updates are often delayed.

    Cybercriminals exploit these weaknesses for malware distribution, surveillance, unauthorized financial gain, and other malicious purposes.

    Recently, Google unveiled the Kernel Address Sanitizer (KASan) to strengthen the Android firmware and beyond.

    Android Firmware And Beyond

    KASan (Kernel Address Sanitizer) has broad applicability across firmware targets. Incorporating KASan-enabled builds into testing and fuzzing can proactively identify memory corruption vulnerabilities and stability issues before deployment on user devices.

    Google has already leveraged KASan on firmware targets, leading to the discovery and remediation of over 40 memory safety bugs, some critically severe, through proactive vulnerability detection.

    Address Sanitizer (ASan) is a compiler instrumentation tool that identifies invalid memory access bugs like out-of-bounds, use-after-free, and double-free errors during runtime.

    For user-space targets, enabling ASan is straightforward with the -fsanitize=address option. However, for bare-metal code built for “none” system targets such as arm-none-eabi, there is no default runtime support.

    The -fsanitize=kernel-address option exposes an interface to provide custom KASan runtime implementations, like the Linux kernel’s routines.

    KASan’s core idea is to instrument memory access operations like loads, stores, and memory copy functions to verify the validity of destination/source regions. 

    It only allows access to valid regions tracked in a shadow memory area, where each byte represents the state (allocated, freed, accessible bytes) of a fixed-size memory region. 

    Upon detecting an invalid access, KASan reports the violation.

    Enabling KASan for bare-metal targets requires implementing instrumentation routines to check region validity during memory operations, report violations, and manage shadow memory to track the state of covered regions.

    Enabling KASan For Bare-Metal Firmware

    The sequential steps are:

    • KASan shadow memory
    • Implement a KASan runtime
    • Memory access check
    • Shadow memory management
    • Covering global variables
    • Memory copy functions
    • Avoiding false positives for noreturn functions
    • Hook heap memory allocation routines

    To use KASan on bare-metal code, build with the compiler’s -fsanitize=kernel-address option, pass -asan-mapping-offset to set the location of the shadow memory, -asan-stack=1 and -asan-globals=1 to cover stack and global variables, and -asan-instrumentation-with-call-threshold=0 to outline the checks and avoid code bloat.
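    The runtime pieces listed above (memory access check, shadow memory management, a memory copy hook and hooked allocation routines), as an added illustration in C that is not Google’s or the Linux kernel’s KASan runtime: a toy shadow memory over a static pool, where the 8-byte granule, the 256-byte pool and the bump allocator are assumptions, catches the out-of-bounds and use-after-free cases the article describes.

```c
/* Added illustration, not Google's or the Linux kernel's KASan runtime: a toy shadow memory
 * with one byte per 8-byte granule: 0 = fully addressable, 1..7 = first n bytes, <0 = poisoned. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { GRANULE = 8, POOL_SIZE = 256, SHADOW_FREED = -1 };   /* assumed toy parameters */
static uint8_t pool[POOL_SIZE] __attribute__((aligned(GRANULE)));   /* instrumented region */
static int8_t shadow[POOL_SIZE / GRANULE];                           /* one byte per granule */
static size_t bump;       /* bump allocator cursor into pool */
static int violations;    /* reports raised so far */
/* Instrumentation check: every byte of [p, p+len) must be addressable. */
int kasan_check(const void *p, size_t len, const char *what) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pool, hi = lo + POOL_SIZE;
    for (size_t i = 0; i < len; i++) {
        int8_t s = (a + i < lo || a + i >= hi) ? SHADOW_FREED : shadow[(a + i - lo) / GRANULE];
        if (s == 0 || (s > 0 && ((a + i) & (GRANULE - 1)) < (unsigned)s)) continue;
        violations++;
        fprintf(stderr, "KASan: invalid %s of %zu bytes at pool+%zu\n", what, len, (size_t)(a - lo));
        return 0;
    }
    return 1;
}
/* Hooked allocator: unpoison the object, leave the tail of its last granule poisoned. */
void *kasan_alloc(size_t size) {
    size_t granules = (size + GRANULE - 1) / GRANULE;
    if (bump + granules * GRANULE > POOL_SIZE) return NULL;
    uint8_t *obj = pool + bump;
    for (size_t g = 0; g < granules; g++)
        shadow[bump / GRANULE + g] = (g + 1 == granules) ? (int8_t)(size % GRANULE) : 0;
    bump += granules * GRANULE;
    return obj;
}
/* Hooked free: poison the whole object so any later use is caught. */
void kasan_free(void *p, size_t size) { memset(shadow + ((uintptr_t)p - (uintptr_t)pool) / GRANULE, SHADOW_FREED, (size + GRANULE - 1) / GRANULE); }
/* Memory-copy hook: both regions are validated before the real memcpy runs. */
void *kasan_memcpy(void *dst, const void *src, size_t n) {
    return (kasan_check(src, n, "read") && kasan_check(dst, n, "write")) ? memcpy(dst, src, n) : NULL;
}
/* Exercises out-of-bounds, over-read through memcpy and use-after-free; returns the report count. */
int demo(void) {
    memset(shadow, SHADOW_FREED, sizeof shadow); bump = 0; violations = 0;   /* pool starts poisoned */
    char *a = kasan_alloc(13), *b = kasan_alloc(16);
    kasan_check(a + 12, 1, "write");   /* last valid byte of a: silent */
    kasan_check(a + 13, 1, "write");   /* one past the end, same granule: reported */
    kasan_memcpy(b, a, 16);            /* over-reads a by 3 bytes: reported, copy refused */
    kasan_free(b, 16);
    kasan_check(b, 4, "read");         /* use after free: reported */
    return violations;                 /* 3 */
}
```

    The partial-granule encoding is what lets the 13-byte object reject byte 13 while accepting byte 12, which is the precision a real KASan runtime needs for the stack and global coverage the flags above enable.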

    In addition, strategies such as leveraging Rust (a memory-safe language) are being advanced in order to proactively guard against memory vulnerabilities in the Android system.


    The post Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
