Search This Blog

Showing posts with label Trend Micro. Show all posts

Extortion Emails by Bogus DarkSide Gang Targets Energy and Food Industry

 

In bogus extortion emails sent to firms in the energy and food industries, threat actors impersonate the now-defunct DarkSide Ransomware campaign. The Darkside ransomware attack first hit business networks in August 2020, asking millions of dollars in exchange for a decryptor and a pledge not to reveal stolen data. 

Following the ransomware gang's attack on the Colonial Pipeline, the country's largest petroleum pipeline, the ransomware gang was thrown into the spotlight, with the US government and law enforcement focusing their attention on the group. Because of the heightened scrutiny from law officials, DarkSide abruptly shut down its operations in May for fear of being arrested. 

Trend Micro researchers reveal in a new analysis that a new extortion campaign began in June, with threat actors imitating the DarkSide ransomware group. "Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet. "In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid." 

The email campaign began on June 4 and has been targeting a few targets every day since then. Threatening emails were sent to the generic email accounts of a few firms. For each target, the Bitcoin wallet at the bottom of the email is the same. None of the aforementioned wallets have received or sent any Bitcoin payments. There has been no actual attack linked to the emails, and no new targets have been discovered. 

The researchers discovered that the same attacker had filled contact forms on many companies' websites in addition to sending targeted emails to them. The content of the web forms was identical to the text of the emails. They were able to obtain the sender's IP address, 205[.]185[.]127[.]35, which is a Tor network exit node. 

The threat actor appears to be exclusively interested in the energy (oil, gas, and/or petroleum) and food businesses, based on the telemetry data; in fact, all of their targets are in these industries. The campaign had the most impact on Japan, followed by Australia, the United States, Argentina, Canada, and India. China, Colombia, Mexico, the Netherlands, Thailand, and the United Kingdom are among the other countries affected.

Trend Micro Flaw Being Actively Exploited

 

The cybersecurity firm Trend Micro disclosed that the threat actors are once again using security solutions as attack vectors and this time attackers are deliberately leveraging a vulnerability in its antivirus solutions, identified as CVE-2020-24557, to gain admin rights on Windows systems. 

Apex One and OfficeScan XG enterprise security products are affected by the CVE-2020-24557 vulnerability. The issue resides in the logic that controls access to the Misc folder, it could be manipulated by an attacker to escalate privileges and execute code in the context of SYSTEM. An attacker may use the bug to exploit a specific product folder to temporarily disable protection, abuse a specific Windows feature, and gain privilege escalation, according to experts. 

According to the advisory published by Tenable, “A vulnerability in Trend Micro Apex One on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” 

Microsoft researcher Christopher Vella reported the flaw to Trend Micro via the Zero-Day Initiative programme in 2020, and the security firm addressed it in August 2020. Now, the security company has updated its security warning, acknowledging that the bug is being actively exploited in the wild by attackers and urging customers to install security updates. 

“Known vulnerabilities in Apex One, Apex One SaaS and OfficeScan agents could elevate privileges, allow an attacker to manipulate certain product folders to temporarily disable security features or to temporarily disable certain Windows features. It may be abused.” states the update published. 

JPCert also issued a warning about the above vulnerability, which has affected the following items and versions: 
– Trend Micro Apex One 2019 before Build 8422 
– Trend Micro Apex One as a Service prior to Build 202008 
– OfficeScan prior to XG SP1 Build 5702

In the advisory published by the JPCert, it stated “Since the vulnerability is already being exploited in the wild, the users of the affected products are recommended to update the affected system to the latest version as soon as possible. Please refer to the information provided by Trend Micro.” 

“We have confirmed attacks that exploit known vulnerabilities in the following products. Each patch that has already been released supports it, so if you have not applied it, please apply it as soon as possible.” stated the cybersecurity firm. 

Other vulnerabilities in the Apex One and OfficeScan XG security products, such as CVE-2019-18187, CVE-2020-8467, and CVE-2020-8468 have previously been revealed and some of them have been exploited by nation-state actors in real-world attacks.

Trend Micro Detects Vulnerabilities in The SHAREit Program

 

In the SHAREit program, Trend Micro has found several vulnerabilities. The bugs may be exploited by extracting sensitive data from users, and by using malicious code or programs to run arbitrary code with the ShareIt permissions. It can also contribute to remote execution code (RCE). In the past, the software was often associated with bugs that used to download and abuse users' files. While the app allows for the upload and update of file types like the Android Package (APK), there are most definitely accidentally unconsidered bugs correlated with these functions. 

SHAREit is one of the best-known applications in the Google Play Store. Users can download and distribute files and share them with others using this app. SHAREit was also one of 60 Chinese apps barred late last year in India. Notably, more than one billion times the Android application has been downloaded. 

The vulnerabilities can be used to execute malicious code for the SHAREit program on smartphones. The key cause of safety deficiencies is the lack of appropriate controls on who can access the code of the program.

Echo Duan, a mobile threats analyst for security firm Trend Micro, reported that malicious applications installed on a computer and user or attackers executing a personal network attack can be able to distribute malicious instructions to the SHAREit app and hijack its legal code-execution functionality, override local files on the app, or install applications from third parties without user knowledge.

The app is also susceptible to so-called Man-in-the-Disk Attacks, a form of vulnerability first identified by Check Point in 2018 that focuses on uncertain storage of insecure app assets in the storage capacity of the phone shared with other applications [in which attackers can erase, edit, or substitute them]. 

"We reported these vulnerabilities to the vendor, who has not responded yet," Duan said today. "We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," he added, it will also be impossible to track attacks from the viewpoint of a defender.

On their website, SHAREit developers say that 1.8 billion people in over 200 countries around the world use their software. The iOS app for SHAREit does not have any influence on it and runs on another codebase. Though the software was last updated in its Play Store list on February 9, 2021, a fix for revealed vulnerabilities has been not listed in the update's changelog. At the time of publication, the software is still usable for download.

For software makers, businesses, and consumers alike, security should be a top priority. Trend Micro suggests that operating devices and applications themselves should be frequently upgraded and modified for secure mobile app use.