
Hackers Have Devised a New Trick to Disable Macro Security Warnings


Threat actors have found a novel method for disabling macro security warnings in malspam campaigns that open with a non-malicious document. Microsoft Office macro malware that relies on social engineering to infect computers has been a common feature of the threat landscape in recent years, and malware authors constantly refine their strategies to avoid detection. Macro obfuscation, DDE, living-off-the-land binaries and scripts (LOLBAS), and even legacy XLS formats that are still supported are among the techniques in use.

Threat actors are now employing non-malicious documents to disable security warnings before executing macro code on the recipient's computer, according to McAfee Labs analysts. Without any malicious code present in the macro of the first spammed attachment, the attackers download and run malicious DLLs (ZLoader). ZLoader has been active since at least 2016, when it was used to propagate Zeus-like banking trojans (i.e. Zeus OpenSSL). It borrows several functionalities from the well-known Zeus 2.0.8.9 banking Trojan.

The attack chain begins with a spam email carrying a Microsoft Word document that, once opened, downloads a password-protected Microsoft Excel file from a remote server. The download begins only after the victim has enabled the macros hidden in the Word document. “After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” reads the analysis published by McAfee.

“Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe.” 

The Word VBA extracts the content of the cells from the XLS file and uses it to generate a new macro for the same XLS file, writing the cell contents into the XLS VBA project as functions. Once the macros are in place, the Word document disables the macro security warnings by setting the registry policy (HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM) to 'Disable Excel Macro Warning' and then invokes the malicious Excel macro function. The Excel file then downloads the ZLoader payload and runs it using rundll32.exe.
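As an added, defender-side illustration (not code from the McAfee analysis or from this post), the following Python checks flattened Sysmon registry-set events for the step just described: an Office process writing the Excel macro-security values. The Sysmon records, their tab-separated layout, the file paths and the SID are constructed for the example; the registry value names AccessVBOM and VBAWarnings are real.

```python
import re

# Excel macro-security values under HKCU\Software\Microsoft\Office\<ver>\Excel\Security:
# AccessVBOM=1 lets code edit the VBA project (needed to write macros into the XLS),
# VBAWarnings=1 enables all macros without a warning.
MACRO_POLICY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\Excel\\Security\\"
    r"(?P<value>AccessVBOM|VBAWarnings)$", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records as tab-separated
# Key=Value fields. Sample data for this example, not real telemetry.
OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
HKU = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\"

def event(image, key, details):
    return "\t".join(["EventID=13", "Image=" + OFFICE_DIR + image,
                      "TargetObject=" + HKU + key, "Details=" + details])
SAMPLE_EVENTS = [
    event("WINWORD.EXE", "12.0\\Excel\\Security\\AccessVBOM", "DWORD (0x00000001)"),
    event("WINWORD.EXE", "16.0\\Excel\\Security\\VBAWarnings", "DWORD (0x00000001)"),
    # Excel writing VBAWarnings=2 (a Trust Center change): data != 1, not flagged
    event("EXCEL.EXE", "16.0\\Excel\\Security\\VBAWarnings", "DWORD (0x00000002)"),
    # Unrelated Excel option: key does not match, not flagged
    event("EXCEL.EXE", "16.0\\Excel\\Options\\DefaultFormat", "DWORD (0x00000033)"),
]

def parse_event(line):
    """Split a flattened record into a dict of field name -> value."""
    return dict(field.split("=", 1) for field in line.split("\t"))

def macro_policy_tamper(ev):
    """Return a finding if an Office process sets AccessVBOM or VBAWarnings to 1,
    the step the Word document performs in the chain described above; else None."""
    m = MACRO_POLICY_RE.search(ev.get("TargetObject", ""))
    if ev.get("EventID") != "13" or not m:
        return None
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    data = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.IGNORECASE)
    if image not in OFFICE_APPS or not data or int(data.group(1), 16) != 1:
        return None
    return {"image": image, "office_version": m.group("ver"), "value": m.group("value"),
            # Word touching Excel's policy is the cross-application write in this chain
            "cross_app": image != "excel.exe"}

def scan(lines):
    """Run the check over flattened records and collect the findings."""
    return [f for f in (macro_policy_tamper(parse_event(l)) for l in lines) if f]
```

Writes by a non-Office process (regedit.exe, Group Policy) are deliberately left to a separate, lower-severity rule, since administrators legitimately change these values.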

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads,” the researchers conclude.

EA Faces Criticism After Ignoring Warnings from Cybersecurity Researchers


After dismissing cybersecurity researchers' warnings in December 2020 that various flaws left the firm highly exposed to hackers, gaming giant Electronic Arts is facing even more criticism from the cybersecurity industry. Electronic Arts Inc. is a video game developer and publisher based in Redwood City, California. As of May 2020, it is the second-largest gaming firm in America and Europe by revenue and market value, after Activision Blizzard and ahead of Take-Two Interactive and Ubisoft.

Cyberpion, an Israeli cybersecurity firm, contacted EA late last year to warn it about a number of domains that could be taken over, as well as misconfigured and potentially unknown assets and domains with misconfigured DNS records. Despite delivering EA a detailed document outlining the issues along with a proof of concept, Cyberpion co-founder Ori Engelberg claims EA did nothing to fix the flaws.

According to Engelberg, EA acknowledged receiving the information about the vulnerabilities and stated that it would contact Cyberpion if it had any further questions, but it never did. "We inspect the entire internet but as gamers, we are customers of EA. So many of our employees play FIFA and other games. We love EA so we wanted to contact them to help because their online presence is significant," Engelberg said.

"What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that's the easiest door to the company. It isn't even a door. It is something simpler," Engelberg added. He said that malicious actors might use the stolen domains to send emails appearing to be from EA, asking customers to transfer account details or other data.

Last week, it was revealed that a "chain of vulnerabilities" might have allowed attackers to obtain access to personal information and take control of accounts, prompting outrage directed at EA. In recent weeks, Motherboard reported that EA's large data breach was caused by a hacker gaining access to an account by abusing Slack privileges.

Hackers boasted on forums about stealing 780 GB of data from the company and acquiring full access to FIFA 21 matchmaking servers, FIFA 22 API keys, and various Microsoft Xbox and Sony software development kits. They also claim to have much more, such as the source code and debugging tools for the Frostbite engine, which powers EA's most popular games like Battlefield, FIFA, and Madden.

Diavol Ransomware is Linked to Wizard Spider Cybercrime Group


The cybercrime group behind the Trickbot botnet, Wizard Spider, has been linked to a new ransomware strain dubbed Diavol, according to FortiGuard Labs security analysts. In early June 2021, Diavol and Conti ransomware payloads were deployed on several systems in a ransomware attack that was blocked by the company's EDR technology.

Wizard Spider is a financially motivated criminal group based in Russia that manages the Trickbot botnet, which is used to distribute second-stage malware to infected devices and networks. Because it spreads across corporate networks, Trickbot is especially hazardous to companies. If it gains administrative access to a domain controller, it will also steal the Active Directory database, allowing the group to harvest even more network credentials.

From the use of asynchronous I/O operations for queuing file encryption to the use of nearly identical command-line options for the same functionality (logging, encryption of drives and network shares, network scanning), the two ransomware families' samples are cut from the same cloth. Despite the similarities, the researchers were unable to establish a clear relationship between Diavol ransomware and the Trickbot gang, because some substantial differences made high-confidence attribution impossible. For example, unlike Conti, Diavol ransomware has no built-in checks to prevent payloads from running on Russian targets' systems. There is also no evidence of data exfiltration capabilities prior to encryption, a classic ransomware extortion method.

The encryption mechanism used by Diavol ransomware is based on user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm. This distinguishes it from other ransomware families, which frequently employ symmetric methods to speed up encryption. Diavol doesn't employ obfuscation techniques such as packing or anti-disassembly, but it nonetheless manages to hide its essential routines by storing them inside bitmap images.

When the ransomware executes on a compromised PC, it extracts the code from the bitmap images in its PE resource section and copies it into a buffer with execute permissions. Before the Diavol ransomware finishes, it changes the background of each encrypted Windows device to a black wallpaper with the following message: "All your files are encrypted! For more information see README-FOR-DECRYPT.txt."

"Currently, the source of the intrusion is unknown," Fortinet says. "The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to."

Growing Cyber-Underground Market for Initial-Access Brokers


Ransomware groups are increasingly purchasing access to corporate networks from "vendors" who have previously placed backdoors on targets. 

Email is a well-known entry point for criminals attempting to breach a corporate network. According to researchers, instead of doing the heavy lifting themselves, ransomware groups are teaming up with other criminal groups that have already opened the path to access using first-stage malware.

In a report released Wednesday, Proofpoint researchers described a "lucrative criminal ecosystem" whose members work together to launch effective ransomware attacks, such as the ones that have recently made headlines (Colonial Pipeline) and caused substantial damage around the world.

According to the analysis, established ransomware gangs such as Ryuk, Egregor, and REvil first link up with threat actors who specialize in initial infection using malware such as TrickBot, BazaLoader, and IcedID, before unleashing the final ransomware payload on the network.

“Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network,” the report states.

Proofpoint has identified at least ten threat actors who use malicious email campaigns to spread first-stage loaders, which ransomware groups then use to deliver the final payload. Researchers found that the relationship between these threat actors and ransomware groups is not one-to-one, as multiple threat actors distribute the same ransomware payloads.

“Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95 percent of ransomware as a first-stage email payload between 2020 and 2021,” according to the report. 

Proofpoint has also seen ransomware spread via the SocGholish malware, which infects users through fake updates and website redirects, as well as via the Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators employ to avoid detection, according to researchers.

About the Attackers and Their Malware of Choice:

Proofpoint identifies 10 threat actors that its researchers have been tracking as initial-access enablers, along with their malware and techniques of choice for gaining network access, which they subsequently sell to various ransomware groups for more sinister objectives, according to the study.

Researchers found that TA800, a prominent cybercrime actor that Proofpoint has been tracking since mid-2019, provides banking malware and malware loaders, including TrickBot, BazaLoader, Buer Loader, and Ostap, to the Ryuk ransomware gang.

Since mid-2020, Proofpoint has been tracking TA577, a cybercrime threat actor that "conducts broad targeting across numerous businesses and regions" to distribute payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike via emails with malicious Microsoft Office files. 

According to the research, the Sodinokibi (REvil) ransomware operation is linked to TA577, which has seen a 225 percent increase in activity over the last six months.

Proofpoint also tracks many other cybercrime groups, including TA569, TA551, TA570, TA547, TA544, TA571, and TA575. TA575 is a Dridex affiliate that Proofpoint has followed since late 2020; it distributes malware via malicious URLs, Office attachments, and password-protected files, with each campaign sending an average of 4,000 emails to hundreds of businesses.

FIN7 is Spreading a Backdoor Called Lizar


Under the pretext of offering a Windows pen-testing platform for ethical hackers, the infamous, financially motivated FIN7 cybercrime gang is spreading a backdoor called Lizar.

Since mid-2015, the Russian criminal advanced persistent threat group FIN7 has targeted the retail, restaurant, and hospitality sectors in the United States. Combi Security, the front company for FIN7, manages a portion of the operation. It has been dubbed one of the world's most prolific criminal hacking organizations. FIN7 is sometimes referred to as the Carbanak Group, but the two appear to be separate groups that use the same Carbanak malware and are therefore tracked separately.

FIN7 is posing as a legitimate company selling a security-analysis platform, according to the BI.ZONE Cyber Threats Research Team. According to the researchers, they go to great lengths to ensure authenticity: “These groups recruit workers who are unaware that they are dealing with actual malware or that their employer is a real criminal group.” 

The group usually targets victims with malware-laced phishing attacks in the hopes of infiltrating networks and selling bank-card data. It has also introduced ransomware/data exfiltration attacks to its arsenal since 2020, carefully choosing targets based on revenue using the ZoomInfo service, according to researchers. 

FIN7's malware selection changes often, and researchers are sometimes surprised by never-before-seen samples. However, the Carbanak remote-access trojan (RAT), which is highly complex and sophisticated compared with its peers, has been its go-to toolkit. Carbanak is commonly used for network reconnaissance and gaining a foothold.

However, BI.ZONE researchers have recently discovered that the group is employing a new backdoor known as Lizar. According to an article published on Thursday, the new tool has been in use since February and provides a strong range of data extraction and lateral movement capabilities.

“Lizar is a diverse and complex toolkit,” according to the firm. “It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States.”

Attacks on a gambling establishment, several educational institutions, and pharmaceutical firms in the United States, as well as an IT corporation headquartered in Germany and a financial institution in Panama, have been recorded so far.

Security Researchers Received More Than $6.7 Million from Google as Bug Bounty Rewards


Security researchers from 62 nations were paid more than $6.7 million (nearly Rs. 49 crore) by Google for identifying vulnerabilities in Google products last year. Google has run its Vulnerability Reward Programs (VRPs) for ten years and has paid nearly $28 million to security researchers over that period for spotting vulnerabilities in Google products.

Google stated this week that “the incredibly hard work, dedication, and expertise of our researchers in 2020 resulted in a record-breaking payout of over $6.7 million in rewards, with an additional $280,000 given to charity. Following our increase in exploit payouts in November 2019, we received a record 13 working exploit submissions in 2020, representing over $1 million in exploit reward payouts”.

According to the company, Guang Gong (@oldfresher) and the team of experts at the 360 Alpha Lab of Chinese cybersecurity firm Qihoo 360 discovered 30% of the total number of Android vulnerabilities reported through the bug bounty program. The latest vulnerability spotted by this group is a 1-click remote root exploit in Android. Google said the team still holds the record for the highest Android payout ($161,337), awarded for a vulnerability it reported in 2019.

Last year, the tech giant paid $50,000 to security researchers for flaws found in the Android developer preview and introduced bounty programs for Android Auto OS, Android chipsets, and for writing fuzzers for Android code. In Google Play, Google expanded the scope of qualifying Android apps to include apps that use the Exposure Notification API and perform contact tracing to fight Covid-19.

Apart from bounty rewards, over 180 security researchers have received more than $400,000 from Google in the form of grants for submitting 200 bug reports that resulted in 100 confirmed vulnerabilities in Google products and the open-source ecosystem. Other notable tech firms with similar bug bounty programs include Facebook, OnePlus, Qualcomm, Mozilla, Microsoft, and Reddit.