CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. “The documents contained VBA code to drop and run an executable with the name ‘ctrlpanel.exe,'”

  • Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified as CVE-2024-3400.

    This zero-day flaw, found in the GlobalProtect Gateway, is currently under active exploitation by attackers.

    CVE-2024-3400 allows attackers to execute arbitrary OS commands on the affected systems without proper authentication.

    The threat actors are now actively exploiting this Palo Alto ZeroDay in the wild following the PoC release.

    Palo Alto ZeroDay Exploited

    Researchers identified vulnerabilities and developed an exploit for GlobalProtect in three days that targeted Palo Alto VPN-SSL solutions.

    WatchTowr explained a path traversal bug with a command injection resulting in a PoC via POST request to “…/ssl-vpn/hipreport.esp”. 

    It permits command injection through the SESSID cookie, which can potentially drop webshells as cron jobs. 

    Rapid7’s and WatchTowr’s PoCs spread quickly, followed by TrustedSec and ShadowServer reporting on some real attacks, while some of the earlier PoCs were fake or malicious.

    Expect widespread attacks soon since Palo Alto solutions are not audited enough.

    Palo Alto increased the risk level to 5 out of 5 (CVE-2024-3400), requiring either that patches be applied or that specific Threat Prevention signatures be configured as a countermeasure.

    This change will help prevent devices from becoming overloaded by command execution attempts. Palo Alto also shared additional IOCs and CLI commands, which mainly focus on recent exploitation attempts rather than the original threat actor.

    Onyphe developed a query tool that can help identify GlobalProtect versions, which can aid patch confirmation. However, the same query also exposes vulnerable servers to threat actors.

    EmergingThreats unveiled a Suricata rule designed explicitly to detect WatchTowr PoC usage. Rapid7 observed constant exploit attempts and documented them via multiple logs.

    Palo Alto released patches for the critical 0day CVE-2024-3400 on April 14, with three fixes available for affected branches. On April 19, patches for the older versions will be released.

    No mass compromise has been attributed to adversaries so far; the observed activity instead points to a targeted campaign, tracked as MidnightEclipse.

    Volexity established that the adversary had moved laterally into internal systems using a Python backdoor named “update.py” and additional payloads designed to exfiltrate valuable data.

    Although some infrastructure is still online, no definite public PoC exists, and expert researchers might use the patched 0day for advanced research.

    The post Palo Alto ZeroDay Exploited in The Wild Following PoC Release appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). “FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights,” the BlackBerry research and intelligence team said in a new write-up. “They

  • IT employees in the automotive industry are often targeted by hackers because they have access to sensitive information such as customer data, intellectual property, and critical systems.

    The automotive industry’s dependence on connected technologies and the value of its data make it an attractive target for threat actors.

    BlackBerry analysts recently discovered that the FIN7 hackers are actively attacking the IT employees of the automotive industry.

    FIN7 Attacking IT Employees

    According to some BlackBerry evaluations at the end of 2023, there was a spear-phishing campaign against a major United States-based car manufacturer by FIN7 hackers. 

    FIN7 used a free IP scanning tool as bait to exploit IT staff with admin rights and then deployed their Anunak backdoor. 

    It has been reported that these attacks were part of a broader campaign by FIN7, a financially motivated APT group from Russia known to focus on sectors such as transportation and defense.

    However, the BlackBerry team interrupted the intrusion before the attackers could carry out a ransomware attack.

    This demonstrates the importance of detecting intrusions early to mitigate possible losses.

    FIN7 has since shifted to big-game hunting: targets that can pay larger ransoms, with detailed planning to maximize the impact of each attack.

    They are scouts who select and study targets carefully, zooming in for employees with high access rights and delivering payloads such as “WsTaskLoad.exe” via spear-phishing emails containing malicious URLs.

    These attacks take advantage of trust in legitimate sites, highlighting the necessity for strong cyber security measures to mitigate such advanced threats.

    Attack chain (Source – BlackBerry)

    WsTaskLoad.exe executes the final Anunak/Carbanak payload in multiple stages. It first loads jutil.dll and calls its exported function “SizeSizeImage.”

    jutil.dll then reads and decrypts infodb\audio.wav; the decrypted blob is shellcode that is copied into mspdf.dll and executed there.

    This shellcode also reads and decrypts infodb\audio.wav again; this decrypted blob is a loader that can be loaded and run later by the same shellcode.

    The loader looks in the current directory for dmxl.bin and dfm\open.db that carry a specific marker.

    The decrypted dmxml.bin constitutes the Anunak payload, having “rabt4201_x86” as the campaign ID.

    In addition, WsTaskLoad.exe runs scripts and establishes persistence. The first thing it does is run an obfuscated PowerShell script known as POWERTRASH.

    Persistence is achieved by installing OpenSSH as a scheduled task and opening the firewall ports it needs.

    The fake lure website “advanced-ip-sccanner[.]com” was pointed at “myipscanner[.]com”, and several other domains were registered too.

    After compromise, OpenSSH is used for external access through an SSH tunnel to a proxy server that shares a common host key fingerprint.

    The target was a large multinational automobile manufacturer whose IT department was deliberately singled out.

    The obfuscation and tool employed resemble FIN7 POWERTRASH tactics, confirming that the actor behind this incident was likely FIN7.

    Recommendations

    The recommendations are:

    • Conduct Regular Security Training
    • Social Engineering Awareness
    • Phishing Report System
    • Multi-Factor Authentication
    • Password hygiene
    • Security Updates and Patch Management
    • Endpoint Security Solutions
    • Monitor Suspicious Behavior
    • Data Protection and Encryption
    • Email Filtering and Authentication
    • Incident Response

    The post FIN7 Hackers Attacking IT Employees Of Automotive Industry appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • As Russia’s invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS, APT44) cyber threat group remains highly active and increasingly integrated with Russian conventional military operations in support of Moscow’s war aims. 

    However, Sandworm’s disruptive operations now span globally across Russian political, military, and economic interests.

    With 2024 seeing record participation in national elections, the group’s history of attempting to interfere in democratic processes elevates potential near-term threats. 

    Recently, cybersecurity researchers at Google’s Threat Intelligence team unveiled that Russian APT44 is the most notorious cyber sabotage group globally.

    Russian APT44 Most Notorious Gang

    The operationally mature APT44 (Sandworm), sponsored by Russian military intelligence, carries out the full range of espionage, attack, and influence operations, a combination that is unusual among state groups, which typically specialize.

    APT44’s spectrum of operations (Source – Google Cloud)

    Russia’s “information confrontation” cyber warfare doctrine necessitates these abilities.

    In pursuit of this, APT44 has actively sought to create several initiatives that would end up giving Russia an upper hand during times of war, Mandiant said.

    During the early stages of the invasion, it ran a fierce campaign with wiper malware against Ukrainian critical infrastructure, sometimes aligned with kinetic strikes.

    As the war proceeded, APT44 switched its interest towards intelligence gathering and launched campaigns to extract data from captured devices that could be used as intelligence sources for Russian forces at the front line.

    The group’s changing strategy illustrates flexibility in support of Moscow’s military goals.

    APT44’s wartime disruptive activity (Source – Google Cloud)

    As an arm of Russian military intelligence, APT44’s sabotage operations extend beyond military objectives to support the Kremlin’s broader national interests like political signaling, crisis response, and preserving perceived global reputation. 

    This has resulted in historically consequential attacks like disrupting Ukraine’s power grid in 2015-2016, the global NotPetya strike on Ukraine’s Constitution Day 2017, and the disruption of the 2018 Pyeongchang Olympics opening ceremony over Russia’s doping ban.

    With high capabilities, risk tolerance, and a far-reaching mandate backing Russian foreign policy across governments, civil society, and critical infrastructure globally, APT44 presents a severe, persistent threat wherever Russian interests intersect. 

    Its aggressive offensive activity proves out new attack concepts, likely lowering the barrier for other state and non-state actors, a risk Russia itself appears concerned about, judging by observed defensive exercises.

    APT44 is a well-known Russian-based advanced persistent threat group constituting a critical and growing international cyber threat.

    For ten years, this group has been at the forefront when it comes to conducting cyber-attacks that are aimed at promoting the nationalist agenda of Russia, which focuses mainly on elections, sports events, and geopolitics.

    The war in Ukraine continues, and APT44 has not shifted its focus away from the region, but it may also further the Kremlin’s global strategic goals, potentially affecting political dynamics, elections, and matters involving Russia’s neighboring countries.

    The post Russian APT44 – The Most Notorious Cyber Sabotage Group Globally appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • A new banker, SoumniBot, has recently been identified. It targets Korean users and is notable for using an unusual method to evade analysis and detection, namely obfuscating the Android manifest.

    In addition to its unique obfuscation, SoumniBot stands out for its ability to steal Korean online banking keys, something Android bankers rarely do.

    This capability enables malicious actors to bypass bank authentication procedures and empty the wallets of unsuspecting victims.

    Researchers say SoumniBot’s creators succeeded because the validations in the Android manifest parser code are not strict enough.

    Techniques Used By SoumniBot

    The Kaspersky researchers explain that the standard unarchiving function in the libziparchive library accepts only two values for the Compression method field in the record header: 0x0000 (STORED, uncompressed) and 0x0008 (DEFLATED, compressed with the zlib library’s deflate); any other value results in an error.

    However, rather than using this function, the Android developers implemented a separate code path in which the Compression method field is validated incorrectly.

    “If the APK parser comes across any Compression method value but 0x0008 (DEFLATED) in the APK for the AndroidManifest.xml entry, it considers the data uncompressed. This allows app developers to put any value except 8 into Compression method and write uncompressed data”, researchers said.

    Invalid Compression method value followed by uncompressed data

    The Android APK parser successfully identifies the manifest and permits application installation, even though any unpacker that correctly implements compression method validation would consider a manifest like that invalid.

    Secondly, the size of the manifest file is indicated in the header of the AndroidManifest.xml entry within the ZIP archive.

    If the entry is stored uncompressed, it is copied from the archive unaltered even when its size is declared inaccurately.

    The manifest parser ignores any overlay or data after the payload that is not connected to the manifest.

    The malware exploits this: because the archived manifest’s declared size exceeds its real size, part of the following archive content is appended to the unpacked manifest.

    Finally, the names of the XML namespaces are represented by very long strings included in the manifest.

    These kinds of strings make manifests unreadable for both people and programs, which might not have enough memory allocated to handle them. 
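    The first two tricks described above (a Compression method value other than STORED/DEFLATED that Android still accepts, and a declared manifest size that runs past the real entry) can be spotted by reading the ZIP headers directly instead of trusting a library that may silently accept them. The following Python script is an added example, not code from Kaspersky or the original article: it parses the central directory and the manifest’s local file header, and flags both anomalies. The two-entry archive it builds is a constructed stand-in for an APK (the manifest body is placeholder text, not real binary XML); the tampering function patches the headers the way the article describes.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
VALID_METHODS = {0x0000, 0x0008}  # STORED and DEFLATED: the only values libziparchive accepts
MANIFEST = "AndroidManifest.xml"


def central_entries(data):
    """Parse the central directory; returns ([entry dicts], central_directory_offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    count, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_off
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory record")
        method, csize, usize, nlen, elen, clen, local_off = struct.unpack_from(
            "<H8xIIHHH8xI", data, pos + 10)
        name = bytes(data[pos + 46:pos + 46 + nlen]).decode("utf-8", "replace")
        entries.append(dict(name=name, method=method, csize=csize, usize=usize,
                            local_off=local_off, cd_pos=pos))
        pos += 46 + nlen + elen + clen
    return entries, cd_off


def scan_manifest(data):
    """Return findings for the AndroidManifest.xml entry; an empty list means the headers look sane.
    Sizes come from the central directory: when flag bit 3 is set, the local header's size
    fields are zero and the real values live in a trailing data descriptor."""
    entries, cd_off = central_entries(data)
    found = [e for e in entries if e["name"] == MANIFEST]
    if len(found) != 1:
        return [f"expected exactly one {MANIFEST} entry, found {len(found)}"]
    m = found[0]
    off = m["local_off"]
    if data[off:off + 4] != LOCAL_SIG:
        return ["manifest offset in the central directory does not point at a local file header"]
    local_method, nlen, elen = struct.unpack_from("<H16xHH", data, off + 8)
    findings = []
    for where, method in (("central directory", m["method"]), ("local header", local_method)):
        if method not in VALID_METHODS:  # trick 1: bogus method that the Android parser still accepts
            findings.append(f"{where}: compression method 0x{method:04x} is neither STORED nor DEFLATED")
    if local_method != m["method"]:
        findings.append("compression method differs between local header and central directory")
    if m["method"] == 0 and m["csize"] != m["usize"]:
        findings.append("STORED entry whose compressed and uncompressed sizes differ")
    data_start = off + 30 + nlen + elen
    next_boundary = min([e["local_off"] for e in entries if e["local_off"] > off] + [cd_off])
    overrun = data_start + m["csize"] - next_boundary
    if overrun > 0:  # trick 2: declared size larger than the real entry, so the parser reads past it
        findings.append(f"declared size {m['csize']} runs {overrun} bytes past the next entry")
    return findings


def build_sample_apk(tamper=None):
    """Constructed two-entry STORED archive standing in for an APK (not a real malware sample).
    `tamper` patches the manifest's local and central headers the way the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(MANIFEST, b"<manifest package='com.example.sample'/>")  # placeholder, not real AXML
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    data = bytearray(buf.getvalue())
    if tamper:
        m = next(e for e in central_entries(data)[0] if e["name"] == MANIFEST)
        # (method offset, size offset) inside the local header and inside the central record
        for method_at, size_at in ((m["local_off"] + 8, m["local_off"] + 18), (m["cd_pos"] + 10, m["cd_pos"] + 20)):
            if "method" in tamper:
                struct.pack_into("<H", data, method_at, tamper["method"])
            if "size" in tamper:
                struct.pack_into("<II", data, size_at, tamper["size"], tamper["size"])
    return bytes(data)


if __name__ == "__main__":
    print("clean   :", scan_manifest(build_sample_apk()) or "no findings")
    print("tampered:", scan_manifest(build_sample_apk({"method": 0x0005, "size": 4096})))
```

    Running `scan_manifest` on a real APK only needs `open(path, "rb").read()`; the third trick (oversized namespace strings) lives inside the binary XML and needs a string-pool parser, which this example does not include.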

    “When run for the first time, the Trojan hides the app icon to complicate removal, and then starts to upload data in the background from the victim’s device to mainsite every 15 seconds”, researchers said.

    The information contains the victim’s ID, which was created using the trust device-android library, contact and account lists, the country inferred from the IP address, SMS and MMS messages, and other data.

    The Trojan subscribes to messages from the MQTT server to receive commands.

    To avoid becoming a victim of this kind of malware, use a reputable security app on your smartphone that can identify the Trojan and block its installation despite these tactics.

    Indicators of compromise

    MD5
    0318b7b906e9a34427bf6bbcf64b6fc8
    00aa9900205771b8c9e7927153b77cf2
    b456430b4ed0879271e6164a7c0e4f6e
    fa8b1592c9cda268d8affb6bceb7a120

    C&C
    https[://]google.kt9[.]site
    https[://]dbdb.addea.workers[.]dev

    The post SoumniBot Exploiting Android Manifest Flaws to Evade Detection appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer base.

    The breach, first reported by the online security platform Have I Been Pwned, has compromised the sensitive personal information of thousands of customers.

    The breach has reportedly affected over 100,000 customers, making it one of the most significant data breaches in the retail sector this year.

    The exact number is still being determined as the company works with cybersecurity experts to assess the full extent of the exposure.

    Types of Personal Information Exposed

    The information accessed by unauthorized parties includes a range of personal data, which is particularly concerning for customers.

    The exposed data encompasses:

    • Full names
    • Email addresses
    • Postal addresses
    • Phone numbers
    • Purchase histories

    Most alarmingly, it has been reported that encrypted passwords and, in some cases, partial credit card information may also have been compromised.

    However, the company assures that the encryption methods used for passwords are robust, reducing the risk of decryption.

    Company’s Response

    LeSlipFrancais has been swift in its response to the breach.

    In a statement released to the public, the company expressed its deep regret over the incident and assured customers that immediate steps were being taken to secure their data and prevent future breaches.

    The response plan includes:

    • Immediate activation of a comprehensive security overhaul to identify and rectify the breach’s source.
    • Collaboration with leading cybersecurity experts to enhance existing security measures.
    • Direct communication with affected customers, guiding them on protecting their personal information and offering credit monitoring services to those impacted.

    Furthermore, LeSlipFrancais has pledged transparency throughout the process and is working closely with law enforcement agencies to investigate the breach.

    The company has also established a dedicated hotline and support page for customers seeking assistance or information regarding the breach.

    As the investigation continues, LeSlipFrancais faces the task of restoring trust with its customers.

    The breach serves as a stark reminder of the ever-present threats in the digital landscape and the importance of robust cybersecurity measures.

    Customers are advised to remain vigilant, change their passwords, and monitor their accounts for any unusual activity.

    LeSlipFrancais has reiterated its commitment to customer privacy and security, promising to take all necessary steps to protect personal information and prevent future breaches.

    In the wake of this incident, the digital community is once again reminded of the critical importance of data security and the need for continuous vigilance in protecting personal information.

    The post LeSlipFrancais Data Breach: Customers’ Personal Information Exposed appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack. Zerto, a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use

  • Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.

    This groundbreaking product, described as Cisco’s most consequential security solution, introduces a cloud-native, AI-powered approach to securing highly distributed, AI-scale data centers.

    Integrated directly into the network’s fabric, the Cisco Hypershield represents a radical departure from traditional security models, leveraging the power of hyperscaler security and connectivity for the enterprise.

    The advent of artificial intelligence (AI) is propelling us into a future of digital abundance, where every individual and organization operates at a machine scale, effectively multiplying our global capacity.

    This transformation necessitates reimagining our data centers, not just in terms of connectivity and operation but crucially also in terms of security.

    Cisco is at the forefront of this evolution, addressing the dual shifts in infrastructure and applications.

    With CPUs being complemented by GPUs and DPUs for specialized functions and applications fragmenting into thousands of microservices across various containers and clouds, the complexity of securing these environments has skyrocketed.

    Despite billions invested in cybersecurity, the industry continues to grapple with significant challenges.

    The sheer scale of modern applications, AI workloads, and devices introduces new vulnerabilities, making tasks like segmentation, patching, and upgrades increasingly tricky.

    The introduction of Cisco Hypershield aims to address these challenges head-on, offering a solution that can autonomously adapt to the evolving landscape of digital threats.

    Innovations Behind Cisco Hypershield

    AI-Powered Security

    At its core, Cisco Hypershield is built to leverage AI’s full potential, making it significantly more autonomous than existing security solutions.

    This AI-first approach is exemplified in Cisco’s partnership with NVIDIA, focusing on co-creating security-specific AI models and optimizing Cisco Security products for NVIDIA’s technology.

    eBPF and Hardware Acceleration

    Cisco Hypershield utilizes modern technologies like eBPF and hardware acceleration to provide unparalleled security coverage.

    eBPF allows deep visibility into every software process and I/O operation across distributed applications without compromising system integrity.

    Meanwhile, hardware acceleration ensures that high-performance security control points can be deployed close to the workloads they protect, enhancing overall security efficacy.

    Bringing Security to the Workloads

    Cisco Hypershield introduces a novel architecture that distributes thousands of security enforcement points across public and private clouds, bringing security directly to the workloads.

    This approach enables a range of innovative use cases, including:

    • Autonomous Segmentation: Leveraging ongoing visibility into network flows and application changes to dynamically define and update granular segmentation rules, protecting against lateral movement.
    • Distributed Exploit Protection: Identifying high-risk vulnerabilities and deploying compensating controls to block attackers before patches can be applied or before vulnerabilities are publicly known.
    • Self-Qualifying Upgrades: Utilizing a shadow data path to test upgrades and policy changes against live traffic, ensuring seamless transitions to the latest versions without downtime.

    Cisco Hypershield represents a paradigm shift in how we approach security in the age of AI.

    By embedding security into the network’s fabric and harnessing the power of AI, Cisco is not only addressing the current challenges faced by data centers but also paving the way for a more secure, efficient, and resilient digital future.

    As organizations continue to navigate the complexities of digital transformation, Cisco Hypershield stands as a beacon of innovation, offering a glimpse into the future of cybersecurity.

    The post Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” Kaspersky researcher Dmitry Kalinin said in a technical analysis.
