Wednesday, January 15, 2025

Russian Hackers Repurpose Decade-Old Malware Infrastructure to Deploy New Backdoors

russia

Russian cybercriminals known as the Turla group have repurposed an old malware infrastructure to deploy new backdoors and infect victims’ systems. The group, which has been active since at least 2007, is known for its sophisticated campaigns targeting government and diplomatic organizations, as well as private sector companies.

In this recent campaign, the hackers were able to compromise the infrastructure of an older malware strain, allowing them to use it to launch new attacks and evade detection. The Turla group is known for its ability to leverage a wide range of tools and techniques to carry out its operations, and this latest campaign underscores the group’s continued evolution and adaptability.

The servers were taken over by a variant of a widely distributed commodity malware dubbed ANDROMEDA (also known as Gamarue), according to Google-owned Mandiant, which is tracking the operation under the uncategorized cluster identifier UNC4210. The sample in question was uploaded to VirusTotal in 2013.

“UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022,” Mandiant researchers said in an analysis published last week.

Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware.

Since the onset of Russia’s military invasion of Ukraine in February 2022, the adversarial collective has been linked to a string of credential phishing and reconnaissance efforts aimed at entities located in the country.

In July 2022, Turla also allegedly developed a malicious Android app that posed as a tool to “assist” pro-Ukrainian hacktivists in launching distributed denial-of-service (DDoS) attacks against Russian websites, according to Google’s Threat Analysis Group (TAG).

The latest findings from Mandiant show that, in addition to taking advantage of ANDROMEDA’s ability to spread via infected USB keys, Turla has been covertly co-opting prior infections as a malware distribution strategy.

“USB spreading malware continues to be a useful vector to gain initial access into organizations,” the threat intelligence firm said.

In the incident analyzed by Mandiant, an infected USB stick is said to have been inserted at an unnamed Ukrainian organization in December 2021, ultimately leading to the deployment of a legacy ANDROMEDA artifact on the host upon launching a malicious link (.LNK) file masquerading as a folder within the USB drive.

The threat actor then repurposed one of the dormant domains that were part of ANDROMEDA’s defunct C2 infrastructure – which it re-registered in January 2022 – to profile the victim by delivering the first-stage KOPILUWAK dropper, a JavaScript-based network reconnaissance utility.

Two days later, on September 8, 2022, the attack proceeded to the final phase with the execution of a .NET-based implant dubbed QUIETCANARY (aka Tunnus), resulting in the exfiltration of files created after January 1, 2021.

The tradecraft employed by Turla dovetails with prior reports of the group’s extensive victim profiling efforts coinciding with the Russo-Ukrainian war, potentially helping it tailor its follow-on exploitation efforts to harvest the information of interest to Russia.

It’s also one of the rare instances where a hacking unit has been identified targeting victims of a different malware campaign to meet its own strategic goals, while also obscuring its role.

“As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims,” the researchers said.

“This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts.”
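The risk described in the quote above is that a dormant domain on an old indicator list can start resolving again once someone re-registers it. A defender can watch for exactly that transition in resolver logs: a watchlisted domain that used to return NXDOMAIN or a sinkhole address suddenly answering with a routable IP, and which internal clients received that answer. The following is an added example written for this article, not code from Mandiant or from the original post; the log format, the watchlist domains (placeholders in the reserved .invalid TLD), the sinkhole address and the log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed watchlist of dormant domains once used by commodity malware C2.
# These are placeholders in the reserved .invalid TLD, not real indicators.
LEGACY_C2_DOMAINS = {
    "placeholder-andromeda-c2.invalid",
    "placeholder-gamarue-c2.invalid",
}

# Answers that mean the domain is not live: NXDOMAIN, or a known sinkhole address
# (192.0.2.1 is documentation address space and stands in for a sinkhole here; assumption).
INERT_ANSWERS = {"NXDOMAIN", "192.0.2.1"}

# Assumed resolver log format: "<timestamp> <client> query <qname> A <answer>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) A (?P<answer>\S+)$")

# Constructed resolver log, in chronological order (not taken from the Mandiant report)
SAMPLE_LOG = """\
2022-01-10T08:00:00Z ws-12 query placeholder-andromeda-c2.invalid A NXDOMAIN
2022-01-11T08:00:00Z ws-12 query placeholder-gamarue-c2.invalid A 192.0.2.1
2022-09-06T09:30:00Z ws-12 query placeholder-andromeda-c2.invalid A 203.0.113.45
2022-09-06T09:31:00Z ws-07 query placeholder-andromeda-c2.invalid A 203.0.113.45
2022-09-06T10:00:00Z ws-07 query updates.example.invalid A 198.51.100.7
"""


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            yield match.groupdict()


def find_revived_domains(text):
    """Return {domain: alert} for watchlisted domains that now resolve to a live address.

    alert = {"first_live": timestamp of the first live answer,
             "answers": sorted live answers seen,
             "clients": internal clients that received a live answer, in order seen,
             "previously_inert": True if an inert answer was logged before the first live one}
    """
    history = defaultdict(list)
    for rec in parse_log(text):
        if rec["qname"] in LEGACY_C2_DOMAINS:
            history[rec["qname"]].append(rec)

    alerts = {}
    for domain, records in history.items():
        seen_inert = False
        for rec in records:  # records are in log order, assumed chronological
            if rec["answer"] in INERT_ANSWERS:
                seen_inert = True
                continue
            alert = alerts.setdefault(domain, {
                "first_live": rec["ts"], "answers": set(), "clients": [],
                "previously_inert": seen_inert,
            })
            alert["answers"].add(rec["answer"])
            if rec["client"] not in alert["clients"]:
                alert["clients"].append(rec["client"])
    for alert in alerts.values():
        alert["answers"] = sorted(alert["answers"])
    return alerts


if __name__ == "__main__":
    for domain, alert in find_revived_domains(SAMPLE_LOG).items():
        print(f"{domain}: live since {alert['first_live']} -> {alert['answers']}, "
              f"clients {alert['clients']}, previously inert: {alert['previously_inert']}")
```

In the constructed log only the ANDROMEDA placeholder domain comes back to life; the second domain still points at the sinkhole and produces no alert. The point of keeping legacy domains on the watchlist, rather than retiring them as "dead", is that the clients listed in the alert are the hosts that still carry the old infection and are now reachable by whoever holds the domain.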

COLDRIVER Targets U.S. Nuclear Research Labs

The findings also come as Reuters reported that another Russian state-sponsored threat group codenamed COLDRIVER (aka Callisto or SEABORGIUM) targeted three nuclear research labs in the U.S. in early 2022.

To that end, the digital assaults entailed creating fake login pages for Brookhaven, Argonne, and Lawrence Livermore National Laboratories in an attempt to trick nuclear scientists into revealing their passwords.

The tactics are consistent with known COLDRIVER activity, which recently was unmasked spoofing the login pages of defense and intelligence consulting companies as well as NGOs, think tanks, and higher education entities in the U.K. and the U.S.


Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!

Cybersecurity Knowledge Base

Homepage

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Dridex Banking Malware Targets MacOS users with a new delivery method


Trend Micro researchers have identified a variant of the Dridex banking malware that targets the macOS operating system and uses a new method to deliver documents containing malicious macros.

The Dridex banking Trojan has been around since 2014 and has been continually improved over the course of the many attacks against financial institutions it has been used in. The cybercriminal organisation known as Evil Corp is thought to be responsible for the banking malware.

The Mach-O executable file a.out served as the sample that Trend Micro examined (detected as Trojan.MacOS.DRIDEX.MANP).

The earliest sample Trend Micro examined was sent to VirusTotal in April 2019, while the most current was sent in December 2022.

“The malicious document is embedded in the sample’s data segment and is referenced by the _payload_doc variable. According to the disassembly, the malware runs a loop that copies the contents of _payload_doc until a counter reaches _payload_doc_len, the size of the malicious code,” reads Trend Micro’s published analysis. “The cstring segment plays a part in overwriting the code to the target files once the malicious code is ready.”

Researchers found that the affected .doc files contain the ThisDocument object, which holds the autoopen macro that calls the malicious routines; this infected document was first seen in 2015.

The malware begins by running find -name “*.doc” to look for .doc files in the current user’s directory (/User/user name). It then uses a for loop to iterate through each document file and writes the malicious code into it using the echo ‘%s’ command. The harmful macro code, copied from the embedded document, is stored as a plain hexadecimal dump.

“While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files. This makes it more difficult for the user to determine whether the file is malicious since it doesn’t come from an external source.” continues the post.

The macros in the overwritten documents connect to a remote server to retrieve additional payloads. Experts also noticed that the malware drops an .exe file that cannot run in a macOS environment, which suggests that the malicious code is still in the testing stage.
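Because the malware overwrites the user's own .doc files in place, the usual "did this come from outside?" heuristic fails, as the Trend Micro quote below notes. What a responder can still check is the content of the files themselves: a legitimate .doc is an OLE2 compound file, and a document carrying a VBA project leaves recognisable directory entry names (stored as UTF-16LE) such as Macros and ThisDocument inside the container. The triage script below is an added example written for this article, not Trend Micro's code or a sample from the report; the three .doc stand-ins it writes are constructed, and the marker-string check is a coarse heuristic, not a full OLE parser.

```python
import os
import tempfile

# Magic bytes of an OLE2 Compound File, the container format every legitimate .doc uses
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory entry names are stored as UTF-16LE. These three only exist in a Word
# document that carries a VBA project (the "Macros" storage, its project stream and the
# ThisDocument module the article describes).
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT", "ThisDocument")]


def inspect_doc(path):
    """Return a list of findings for one .doc file; an empty list means nothing notable."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(OLE_MAGIC):
        findings.append("not an OLE2 container (possibly overwritten)")
    hits = [marker.decode("utf-16-le") for marker in VBA_MARKERS if marker in data]
    if hits:
        findings.append("VBA project markers present: " + ", ".join(hits))
    return findings


def scan_docs(root):
    """Walk root the way the malware's find does, but to report: {relative path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".doc"):
                path = os.path.join(dirpath, name)
                findings = inspect_doc(path)
                if findings:
                    results[os.path.relpath(path, root)] = findings
    return results


def build_sample_tree():
    """Write three constructed .doc stand-ins (not real samples) under a temp dir."""
    root = tempfile.mkdtemp(prefix="doc_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # clean: OLE header and an ordinary WordDocument stream name, no VBA storages
    with open(os.path.join(docs, "clean.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le"))
    # macro-bearing: OLE header plus the directory entries a VBA project leaves behind
    with open(os.path.join(docs, "report.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 64
                 + "Macros".encode("utf-16-le") + b"\x00" * 8
                 + "ThisDocument".encode("utf-16-le"))
    # overwritten: a .doc whose contents are no longer an OLE file at all
    with open(os.path.join(root, "notes.doc"), "wb") as fh:
        fh.write(b"d0cf11e0a1b11ae1 ... plain hex dump text, not a real container ...")
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_docs(build_sample_tree()).items()):
        print(path, "->", "; ".join(findings))
```

Run against a real home directory the same two signals matter: a .doc that no longer starts with the OLE magic was overwritten by something that did not understand the format, and a .doc that suddenly carries a VBA project where the user never wrote macros deserves a look with a proper OLE/VBA parser (oletools' olevba is the usual next step).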

While documents containing booby-trapped macros are typically delivered via social engineering attacks, the findings once again show that Microsoft’s decision to block macros by default has prompted threat actors to refine their tactics and find more efficient methods of entry.

“The malicious actors using Dridex are also trying to find new targets and more efficient methods of entry,” concludes the report. “Currently, the impact on MacOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with MacOS environments). However, it still overwrites document files which are now the carriers of Dridex’s malicious macros. Furthermore, it’s possible that the threat actors behind this variant will implement further modifications that will make it compatible with MacOS.”


Microsoft Discloses Methods Employed by 4 Ransomware Families Aiming at macOS

ransomware

KeRanger, FileCoder, MacRansom, and EvilQuest are four separate ransomware families that have been identified by Microsoft as having an effect on Apple macOS systems.

Although these malware families are old, the IT giant’s Security Threat Intelligence team wrote in a report on Thursday that they “exemplify the variety of capabilities and harmful behaviour achievable on the platform.”

These ransomware families initially spread through what Microsoft refers to as “user-assisted methods,” in which the victim downloads and installs trojanized software.

They can also arrive as a second-stage payload dropped by malware that already resides on the infected host, or as a component of a supply chain attack.

Regardless of the assault strategy used, the attacks follow a similar pattern in which threat actors use legitimate operating system capabilities and weaknesses to gain access to the computers and encrypt important files.

This involves enumerating files using library functions such as opendir, readdir, and closedir, as well as the Unix search utility. Microsoft mentioned a third approach, the NSFileManager Objective-C interface, which these ransomware strains did not use.

In an effort to thwart analysis and debugging efforts, malware such as KeRanger, MacRansom, and EvilQuest have also been seen to employ a combination of hardware- and software-based tests to establish whether the malware is operating in a virtual environment.

Notably, KeRanger uses the strategy of delayed execution to avoid discovery. After being launched, it sleeps for three days before resuming its destructive operations.

Launch agents and kernel queues are used to establish persistence, which is necessary to ensure that the malware is run even after a system restart, according to Microsoft.
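Persistence through launch agents is also where a defender gets a cheap, repeatable check: the plists are plain files, so an audit can flag agents whose program lives outside the places legitimate software installs to, hides in a dot-directory, is kept alive so it restarts if killed, or carries a Label that does not match its file name. The script below is an added example written for this article, not Microsoft's code or tooling; the trusted-location list and the two sample plists (written to a temporary directory, one benign and one modelled on the traits just listed) are constructed assumptions, and plistlib from the standard library does the parsing.

```python
import os
import plistlib
import tempfile

# Directories from which a launch agent's program is expected to run (assumption for this audit)
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def audit_launch_agent(path):
    """Return the reasons one launch agent plist looks suspicious (empty list if none)."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    reasons = []
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program or ProgramArguments"]
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted locations: " + program)
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append("hidden path component in program path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad combined with KeepAlive (restarts if killed)")
    label = plist.get("Label", "")
    if label and os.path.basename(path) != label + ".plist":
        reasons.append("Label does not match file name: " + label)
    return reasons


def audit_directory(agents_dir):
    """Audit every .plist in agents_dir; return {file name: reasons} for flagged agents."""
    flagged = {}
    for name in sorted(os.listdir(agents_dir)):
        if name.endswith(".plist"):
            reasons = audit_launch_agent(os.path.join(agents_dir, name))
            if reasons:
                flagged[name] = reasons
    return flagged


def build_sample_agents():
    """Write constructed launch agent plists to a temp dir and return its path."""
    agents_dir = tempfile.mkdtemp(prefix="launchagents_")
    samples = {
        # benign: bundled app helper that runs at login, nothing unusual
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "Program": "/Applications/Example.app/Contents/MacOS/updater",
            "RunAtLoad": True,
        },
        # suspicious: hidden directory under the user's Library, kept alive, mismatched label
        "com.apple.lookalike.plist": {
            "Label": "com.apple.softwareupdate",
            "ProgramArguments": ["/Users/victim/Library/.cache/agent", "--quiet"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, content in samples.items():
        with open(os.path.join(agents_dir, name), "wb") as fh:
            plistlib.dump(content, fh)
    return agents_dir


if __name__ == "__main__":
    for name, reasons in audit_directory(build_sample_agents()).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real host the directories to point this at are ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; the trusted-prefix list will need tuning for whatever third-party software an environment legitimately runs, and a clean result says nothing about the kernel queue persistence the article also mentions.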

While KeRanger uses AES encryption in cipher block chaining (CBC) mode to accomplish its objectives, FileCoder uses the ZIP programme to encrypt files. MacRansom and EvilQuest, on the other hand, both use a symmetric encryption technique.

In addition to standard ransomware functions, EvilQuest, which was initially discovered in July 2020, also has trojan-like characteristics like keylogging, compromising Mach-O files by inserting arbitrary code, and deactivating security tools.

It also packs in capabilities to execute any file directly from memory, effectively leaving no trace of the payload on disk.

“Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets,” Microsoft said.


$8 billion in cryptocurrency withdrawals strike US bank Silvergate


Over $8 billion (£6.7 billion) of cryptocurrency-linked deposits have been removed by customers of US bank Silvergate, which offers cryptocurrency services.

During the final three months of 2022, about two thirds of the bank’s clients withdrew their deposits.

To fund the expense and maintain its liquidity, the bank liquidated $5.2 billion in assets.

A warning from three US agencies that holding or creating cryptocurrency was “very likely to be inconsistent with safe and sound banking procedures” was issued at the same time.

Since Silvergate is a bank that is listed on the New York Stock Exchange, it is subject to financial industry regulation. It is one of only a few companies in this industry that offer bitcoin services.

Sam Bankman-Fried, the former CEO of FTX, has entered a not guilty plea to charges that he deceived investors and customers. One million creditors may have lost their money, according to the prosecution.

The case has shaken the whole cryptocurrency industry, causing other businesses to file for bankruptcy and a drop in the value of cryptocurrencies.

Silvergate’s CEO, Alan Lane, stated that due to the “rapid changes in the digital asset business,” the bank was selling assets to satisfy consumer withdrawals.

The industry has been experiencing a chilly “crypto winter” since last spring, and Silvergate is its latest casualty.

As a bank for bitcoin businesses that had trouble obtaining banking services from conventional sources, the so-called crypto bank held a somewhat unusual position in the market.

One of its clients was the now-bankrupt Alameda Research, whose owner Sam Bankman-Fried is facing fraud charges in the US and is awaiting trial.

That is a setback for Silvergate in and of itself, but Bankman-Fried’s demise has dealt the business a greater blow: a loss of market confidence.

Since Bankman-Fried’s empire crumbled, investors of all sizes have started transferring billions of dollars out of firms that store cryptocurrency funds.

Silvergate was a small US bank before it entered the world of cryptocurrency, and went public in November 2019.

At the market’s peak in 2021, its shares had grown by more than 1,500%, in no small part due to the massive growth of crypto in this period.

During this time it tried to launch its own stablecoin – a form of cryptocurrency which is directly tied to an asset such as gold, the US dollar or other cryptocurrencies.

And in January 2022, Silvergate spent $182m to acquire the technology behind Meta’s proposed Diem (formerly Libra) stablecoin that never saw the light of day.

In a filing to the US Securities and Exchange Commission, the bank said it had sold debt to cover the withdrawals and had written off the Diem purchase, meaning it is no longer counted as an asset.

It has also reduced its staff by 40% – around 200 people – and altogether the withdrawals have caused the bank to lose $718m, a total higher than its profit since 2013.


Nearly 300 Vulnerabilities Patched by Huawei’s HarmonyOS in 2022


Chinese tech giant Huawei patched nearly 300 vulnerabilities in its HarmonyOS operating system in 2022.

Huawei is rewarding zero-click attacks that result in arbitrary code execution with prizes of up to €1 million through its HarmonyOS bug bounty programme. A maximum of €120,000 can be paid to researchers for new lockscreen bypass techniques.

Until the US government prohibited American companies from supplying software and technology to the Chinese company in 2019, Huawei smartphones and other gadgets relied on the Android operating system.

Later on in the year, Huawei announced HarmonyOS, a new operating system that runs on a variety of gadgets, including mobile phones, tablets, smart TVs, wearable technology, and car infotainment systems.

Huawei has a bug bounty programme with high payouts for severe vulnerabilities and exploit chains because the business is conscious that the operating system needs to be secure in order to compete with Android and iOS.

In comparison, roughly 800 vulnerabilities were patched in Android in 2022, according to data from CVE Details. However, Android is far more popular than HarmonyOS, which means it gets more scrutiny from security researchers.

According to SecurityWeek’s research, HarmonyOS had more than 290 security holes addressed in 2022, including roughly 100 that affected third-party libraries. The information is taken from the company’s monthly security advisories from the previous year.

Almost twenty vulnerabilities have been classified as “critical,” while 94 have been classified as “high.”

These flaws can be used for privilege escalation, remote code execution, information gathering, and denial-of-service (DoS) attacks.


Ransomware Attack Halts Operations at Canadian Mining Mill

ransomware

Following a ransomware attack, Canadian Copper Mountain Mining Corporation (CMMC) last week shut down its plant.

The company, which is listed on the Toronto Stock Exchange, owns the majority of the Copper Mountain mine. The mine, which is in southern British Columbia, generates an annual average output of 100 million pounds of copper equivalent.

In a cyber incident notice on its website, CMMC announced the shutdown of some of its systems, including the mill, after falling victim to a ransomware attack on December 27, 2022.

“The company has isolated operations, switched to manual processes, where possible, and the mill has been preventatively shutdown to determine the effect on its control system,” CMMC said.

The mining firm announced that it implemented risk management systems and protocols immediately after discovering the cyberattack and that the relevant authorities are assisting with the investigation.

“There have been no safety or environmental incidents as a result of the attack,” CMMC said.

The company has not shared information on the type of ransomware used in the attack, nor on how the attackers breached its systems.

According to a BleepingComputer report, however, stolen credentials might have been used for intrusion. Earlier in December, credentials belonging to a CMMC employee account were being offered for sale on a hacker portal.


Cyber Weekly: NetGear urgent patch, malicious PyTorch compromise, LockBit ransoms Lisbon


Google to pay $29.5M to resolve two legal claims related to its location tracking policies.

After two states filed cases against the firm accusing it of having tracked customers’ locations without their express agreement, the IT giant agreed to settlements of $9.5 million with D.C. and $20 million with Indiana respectively.

(RiSec)

NETGEAR fixes a severe bug in its routers. Patch it ASAP!

Netgear has fixed a bug affecting multiple WiFi router models, including Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC. The vendor identified the flaw as a pre-authentication buffer overflow vulnerability and urged customers to update the firmware of their devices as soon as possible, since attackers can exploit it without requiring permissions or user interaction. Threat actors often exploit this kind of issue to trigger a DoS condition or to execute arbitrary code on vulnerable devices.

(Security Affairs)

PyTorch discloses malicious dependency chain compromise over holidays

PyTorch, the open source machine learning framework, has identified a malicious dependency with the same name as the framework’s ‘torchtriton’ library. This has led to a successful compromise via the dependency confusion attack vector. PyTorch admins are warning users who installed PyTorch-nightly over the holidays, specifically between December 25th and December 30th to uninstall the framework and the counterfeit ‘torchtriton’ dependency.

(Bleeping Computer)

LockBit ransomware claims attack on Port of Lisbon in Portugal

A cyberattack that hit the Port of Lisbon Administration (APL), the third-largest port in Portugal, on Christmas day, has been claimed by the LockBit ransomware gang. The Port of Lisbon is part of the critical infrastructure of Portugal’s capital city, being one of the most accessed ports in Europe, due to its strategic location, and serving container ships, cruise ships, and pleasure craft. According to a company statement shared with local media outlets on Monday, the cyberattack did not impact the port’s operations. At the time of this recording, the port’s official website at “portodelisboa.pt” remains offline.

(Bleeping Computer)

New Linux malware uses 30 plugin exploits to backdoor WordPress sites

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities. If the targeted website runs an outdated and vulnerable version of any of the targeted plugins or themes, the malware automatically fetches malicious JavaScript from its command and control (C2) server and injects the script into the website. A list of the targeted plugins is available at Bleeping Computer.

(Bleeping Computer)

Malvertising campaign MasquerAds abuses Google Ads

Experts warn that a new campaign targets users searching for popular software. Guardio Labs researchers uncovered the campaign, tracked as MasquerAds and attributed it to a threat actor known as Vermux. The campaign aims at delivering tainted versions of popular software that deploy malicious payloads on users’ machines, including info-stealing malware such as Raccoon Stealer and Vidar. The threat actors behind this campaign used domains with typosquatted names that appeared on top of Google search results that pointed to benign sites, which were designed to trick visitors into clicking on them, and then redirect them to rogue sites.

(Security Affairs)

Toyota’s Indian unit warns of a possible customer data breach

A data breach at Toyota’s Indian business might have exposed some customers’ personal information, the company said yesterday. Toyota India said it has notified the relevant Indian authorities of the data breach at Toyota Kirloskar Motor, a joint venture with Indian conglomerate Kirloskar Group. The announcement was made in an emailed statement without disclosing the size of the data breach or the number of customers affected. This follows an apparently unrelated issue last October at Toyota Motor’s T-Connect service which potentially leaked about 296,000 pieces of customer information.

(Reuters)

Canadian copper mine suffers ransomware attack, shuts down mills

Copper Mountain Mining Corporation produces approximately 100 million pounds of copper equivalent on average per year from its Copper Mountain Mine in southern British Columbia. The company said in a press release on Thursday that it had implemented several protocols, including isolating operations, after discovering an attack on its IT systems at both its corporate office and the mine itself. It stated also that there have been no safety or environmental incidents as a result of the attack. 

(The Record)

Poland warns of pro-Kremlin cyberattacks aimed at destabilization

Poland’s security agency said on Friday that the country has been a “constant target” of pro-Russian hackers since the start of the war between Russia and Ukraine. The cyberattacks on Poland’s government services, private companies, media organizations and ordinary citizens have intensified over the past year, it said. The country’s strategic, energy, and military enterprises are particularly at risk, it added. Polish cybersecurity officials said these cyberattacks are Russia’s response to Warsaw’s support for Ukraine and an attempt to destabilize the situation in the country. Since the start of Russia’s invasion of Ukraine in late February, Poland has provided Ukraine with about $9 billion in aid. On Friday, for example, Poland sent the third batch of Starlink satellite internet terminals to Ukraine, which will allow Ukrainians to stay connected during the winter blackouts. 

(The Record)


Google to pay $29.5M to resolve two legal claims related to its location tracking policies.

google

After the states filed two cases against the firm accusing it of having tracked customers’ locations without their express agreement, the IT giant will pay $9.5 million to D.C. and $20 million to Indiana.

“Given the vast level of tracking and surveillance that technology companies can embed into their widely used products, it is only fair that consumers be informed of how important user data, including information about their every move, is gathered, tracked, and utilized by these companies. Significantly, this resolution also provides users with the ability and choice to opt out of being tracked, as well as restrict the manner in which user information may be shared with third parties,” said Attorney General Karl A. Racine while announcing that Google will pay $9.5 million. “I am proud of how the exceptional lawyers and professionals in my office have creatively applied the District’s strong consumer protection laws to set the standard nationally and provide users far greater control of their personal information.”

“We sued because Google made it nearly impossible for users to stop their location from being tracked. Now, thanks to this settlement, Google must also make clear to consumers how their location data is collected, stored, and used.” Racine added.

Google is currently facing two similar lawsuits in Texas and Washington.

In November, Google agreed to pay $391.5 million to settle with 40 US states for misleading users about the collection of personal location data. The settlement is the largest attorney general-led consumer privacy settlement ever, states the announcement published by DoJ.

“Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information. In addition to the multimillion-dollar settlement, as part of the negotiations with the AGs, Google has agreed to significantly improve its location tracking disclosures and user controls starting in 2023.” reads the DoJ’s press release.

Oregon Attorney General Ellen Rosenblum, who led the settlement along with Nebraska AG Doug Peterson, pointed out that for years Google has prioritized profit over their users’ privacy.

The authorities began investigating Google’s collection practices following a 2018 Associated Press article that revealed Google “records your movements even when you explicitly tell it not to.”

According to the article, there are two settings responsible for the location data collection, the “Location History” and “Web & App Activity”. The former is “off” by default while the latter is automatically enabled when users set up a Google account, including all Android users.

Location data represents the core of the IT giant’s digital advertising business. However, location data can also be used to expose a person’s identity and routines, and even to infer personal details.

Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014. Google confused its users about the use of the account and device settings to limit Google’s location tracking.


Vice Society Expands Its Armory with Custom-Branded Payload PolyVice

The Vice Society ransomware gang, which has targeted dozens of educational institutions this year alone, is now using a new custom-branded ransomware payload in its recent attacks. The variant, dubbed PolyVice, was first seen in the wild in July, but the group only started using it in late September.

PolyVice: the new encryptor

According to a report by SentinelOne researchers, PolyVice is a 64-bit binary that uses a hybrid encryption scheme.

  • The scheme combines asymmetric encryption using the NTRUEncrypt algorithm with symmetric encryption using ChaCha20-Poly1305.
  • The group uses intermittent (partial) encryption, in which only small chunks of each file are encrypted instead of the entire file.
  • This renders the data unusable in a fraction of the time that encrypting the whole file would take.

Modus operandi

PolyVice uses a multi-threaded approach that runs the encryption process in parallel on the victim’s processor.

  • Each worker thread inspects the size of the file it is assigned and picks an encryption strategy accordingly, to speed up encryption.
  • Files smaller than 5 MB are fully encrypted; larger files are partially encrypted. For files between 5 MB and 100 MB, two chunks of 2.5 MB are encrypted, while for larger files, 10 chunks of 2.5 MB each are encrypted across the file.
  • It appends the .ViceSociety extension to every encrypted file and drops a ransom note named AllYFilesAE in each encrypted directory. Each PolyVice worker also writes the information needed for decryption into a footer at the end of the file.
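The size thresholds above describe how much of a file PolyVice touches; what a responder also needs is a way to recognise a partially encrypted file, because a whole-file entropy check on a 1 GB file that has only 25 MB of ciphertext in it sees mostly readable data. The Python below is an added example written for this page, not SentinelOne’s analysis code or anything taken from the malware: it turns the reported thresholds into the fraction of a file actually encrypted, scans a file in fixed windows for high-entropy islands, and flags the filename indicators named in the report. The 4096-byte window and the constructed sample file are illustration choices, and the report’s MB figures are taken as decimal megabytes.

```python
"""Defender-side view of PolyVice-style intermittent encryption (added example)."""
import math
import os
import random

MB = 1_000_000           # assumption: the report's MB figures read as decimal megabytes
CHUNK = int(2.5 * MB)    # 2.5 MB chunk size from the report


def encrypted_fraction(size: int) -> float:
    """Fraction of a file's bytes the reported scheme encrypts:
    under 5 MB: whole file; 5..100 MB: two 2.5 MB chunks; larger: ten 2.5 MB chunks."""
    if size <= 0:
        return 0.0
    if size < 5 * MB:
        return 1.0
    chunks = 2 if size <= 100 * MB else 10
    return min(1.0, chunks * CHUNK / size)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_windows(data: bytes, window: int, threshold: float = 7.5) -> list[int]:
    """Offsets of fixed-size windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]


def classify(data: bytes, window: int, threshold: float = 7.5) -> str:
    """Distinguish untouched, fully encrypted and intermittently encrypted files."""
    total = math.ceil(len(data) / window)
    hot = len(high_entropy_windows(data, window, threshold))
    if total == 0 or hot == 0:
        return "plaintext-like"
    if hot == total:
        return "fully-encrypted-like"
    return "partially-encrypted-like"   # high-entropy islands inside readable data


def suspicious_name(path: str) -> bool:
    """Filename indicators quoted in the report: the appended extension and the note name."""
    base = os.path.basename(path)
    return base.endswith(".ViceSociety") or base == "AllYFilesAE"


def build_sample(window: int = 4096, windows: int = 10, hot: tuple[int, ...] = (2, 7)) -> bytes:
    """Constructed victim file: repetitive text in which the windows listed in `hot`
    are replaced by seeded pseudo-random bytes standing in for encrypted chunks."""
    line = b"student_id=000123;name=Example Student;grade=A;notes=attendance ok\n"
    data = bytearray((line * (window * windows // len(line) + 1))[: window * windows])
    rng = random.Random(1)
    for idx in hot:
        data[idx * window:(idx + 1) * window] = rng.randbytes(window)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample, 4096), high_entropy_windows(sample, 4096))
    for size in (1 * MB, 50 * MB, 1000 * MB):
        print(f"{size // MB:>5} MB -> {encrypted_fraction(size):.1%} of bytes encrypted")
    print(suspicious_name("/srv/share/report.docx.ViceSociety"))
```

Scanning in windows rather than hashing the whole file is the point: for the 50 MB case only a tenth of the bytes change, so a detector keyed on overall entropy or on a full-file checksum of "known good" content will still see a file that is 90% its original self.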

Code similarities and differences

PolyVice has extensive code similarities with the payloads of the Chily ransomware and SunnyDay ransomware.

  • The payloads share functions that match 100% and an identical executable codebase; PolyVice, however, contains some additional new functions.
  • The differences lie in campaign-specific details such as the file extension, hardcoded master key, wallpaper, and the ransom note’s name and content.
  • Researchers also observed debugging messages in PolyVice’s codebase, suggesting that Vice Society’s own ransomware implementation is still at an early stage of development.

A common code base shared among multiple malware (PolyVice, Chily, and SunnyDay) opens up several doors of possibilities to researchers.

Shedding light on the possibilities

  • Vice Society may have sourced PolyVice from a vendor or commodity ransomware builder that supplies similar tools to other ransomware groups.
  • Some ransomware developers may be operating a Locker-as-a-Service: a builder that lets buyers (Vice Society among them) independently generate any number of customized lockers and decryptors and run their own RaaS programs.
  • Finally, Vice Society, SunnyDay, and Chily ransomware could all be byproducts of the same group.

Conclusion

The use of PolyVice indicates that the group is strengthening its ransomware campaigns with its own expertise, adopting stronger encryption algorithms and better intermittent encryption methods. Vice Society has a history of deploying third-party ransomware in its intrusions, including HelloKitty, Five Hands, and Zeppelin. Those families implemented weak encryption schemes that allowed locked files to be decrypted, which may have motivated the group to adopt a new locker with a more robust encryption scheme.


Cracking encrypted Lastpass vaults

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault.

In this post I will go into the technical details of what attackers could do with the stolen encrypted vaults, specifically how they could use tools like Hashcat to crack the master vault password and gain access to sensitive log-in credentials.

To simulate the stolen data, I will use my test Lastpass account to extract an encrypted vault from the Chrome browser extension on macOS. I will then brute-force the vault.

What happened?

The Verge published an article with a good summary of the breach, and Lastpass has published a blog post of its own. In short, in August 2022 Lastpass suffered a data breach in which customer data and source code were stolen. Lastpass did not do a good job of letting the public (and its customers) know how bad the breach actually was.

What was stolen?

  • a backup of customer vault data
  • company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses
  • source code and other intellectual property

What can attackers do with the stolen vaults?

It really depends; there are a lot of things to consider. A few that spring to mind are:

  • How are the encrypted vaults stored in the cloud?
  • Did a customer set a weak and easily guessed vault password?
  • What is the key iteration (default or custom)?
  • Other factors not covered?

Since I don’t know what the stolen data looks like or how it is encrypted, this blog post is only a theory and an estimate based on the data I do have access to: the SQLite database used by the browser extension and the data within it.

In the next sections I will demonstrate how to extract the encrypted vault database from the Chrome extension and pull out the specific values needed to start cracking with Hashcat.

Lastpass Browser extension

In Chrome, each extension has a unique ID. The Lastpass extension uses hdokiejnpimakedhajhdlcegeplioahd as its ID. You can confirm this by visiting chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html in your address bar; you will be presented with the vault log-in page.

You can think of it as a local site that uses HTML and JavaScript within your Browser.

Extracting encrypted vault

All extensions have their own folders which are stored locally on the system in various locations depending on OS.

The Lastpass support page states that Chrome on Windows stores the vault data in the following path:

%LocalAppData%\Google\Chrome\User Data\Default\databases\chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0

On macOS systems the location is slightly different:

Note: I use two profiles in Chrome, which is why you see Profile 1 instead of Default.

Lastpass SQLite database

In this folder there should be a SQLite file named 1 (last written with SQLite version 3039004). This is where the extension stores and reads the encrypted vault data.

➜  file 1
1: SQLite 3.x database, last written using SQLite version 3039004, file counter 21, database pages 22, cookie 0x5, schema 4, largest root page 11, UTF-8, vacuum mode 1, version-valid-for 21

You can then use a tool like DB Browser for SQLite to view the database contents. I also copied it to Desktop and renamed the file to lastpass-vault-macos-chrome.sqlite so it’s easier to remember.

All the interesting data is stored in a table called LastPassData.

To start cracking Lastpass vault passwords using Hashcat you need three things:

  1. Key value
  2. Iteration count
  3. Account email address (hashed in database)

These need to be formatted like so: KEY:ITERATION:EMAIL

Key value

To retrieve the key value, filter the type column for the value key and, in the data column, take the second row, e.g. T4vInfZ+6MGDeEendq4gvA==, as shown below:

You can also execute the following SQL query:

SELECT substr(data, -24) FROM LastPassData WHERE type = 'key';

The value is base64-encoded; you can decode it and print the hex with:

echo "T4vInfZ+6MGDeEendq4gvA==" | base64 -d | xxd -p

We now have the first requirement: 4f8bc89df67ee8c1837847a776ae20bc

Iteration count

To retrieve the iteration count, filter the type column for the value accts and take the first few characters of the data column, up to the ;. Lastpass changed the default iteration count in 2018 from 5000 to 100100.

You can also execute the following SQL query:

SELECT SUBSTR(data,0,INSTR(data,';')) FROM LastPassData WHERE type = 'accts';

We also now have the second requirement: 100100

Email

The database contains a hashed email address value. But we do know that attackers already have this info since the recent Lastpass compromise included email addresses. For the purposes of this blog, I am not going to share the email address which I used.

Formatted hash

With all the requirements the hash should look like this:

4f8bc89df67ee8c1837847a776ae20bc:100100:test@example.com

Cracking Lastpass vaults with Hashcat

As a proof of concept I used my MacBook Air with the M1 chip to crack passwords. The speed was absolutely horrible, 1110 H/s (hashes per second), but it did work. Attackers, on the other hand, can leverage multi-GPU setups with optimised drivers that could easily reach speeds of 2,000,000+ H/s.

I downloaded the popular rockyou.txt wordlist and put my actual vault master plaintext password inside it (using only a quarter of the wordlist), since otherwise it would take 6+ hours to crack. I then ran Hashcat with the following options:

hashcat -a 0 -m 6800 lastpass-hash.txt ~/Downloads/rockyou.txt

  • -a 0: attack mode 0 (wordlist)
  • -m 6800: hash mode 6800 (LastPass)
  • lastpass-hash.txt: the formatted hash (KEY:ITERATION:EMAIL)
  • rockyou.txt: the wordlist of plaintext passwords

And there we have it, the master vault plaintext password successfully recovered.
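The two database lookups in the post and the hash rates quoted above together give a user a way to gauge their own exposure. The Python below is an added example written for this page (not Lastpass’s code and not part of Hashcat): it runs the post’s two queries against a constructed copy of the LastPassData table, flags an iteration count at or below the old 5000 default, and rescales a measured hash rate by the iteration count to estimate how long a wordlist of a given size would take to exhaust. The in-memory table, the rockyou.txt line count and the linear PBKDF2 scaling are assumptions and are marked as such in the comments.

```python
"""Self-audit of a Lastpass extension vault database plus a cracking-cost estimate (added example)."""
import base64
import sqlite3

CURRENT_DEFAULT_ITERATIONS = 100100   # Lastpass default since 2018, per the post
LEGACY_DEFAULT_ITERATIONS = 5000      # pre-2018 default, per the post
ROCKYOU_CANDIDATES = 14_300_000       # assumption: approximate line count of rockyou.txt


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the extension's database. Only the columns the post uses
    (type, data) are modelled; the key blob is the one shown in the post, the rest is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LastPassData (type TEXT, data TEXT)")
    conn.executemany("INSERT INTO LastPassData VALUES (?, ?)", [
        ("key", "constructed-prefix-not-real\nT4vInfZ+6MGDeEendq4gvA=="),
        ("accts", "100100;constructed-opaque-account-blob"),
    ])
    return conn


def vault_key_hex(conn: sqlite3.Connection) -> str:
    """Same lookup as the post's first query: last 24 characters of the key row, base64-decoded."""
    (b64,) = conn.execute(
        "SELECT substr(data, -24) FROM LastPassData WHERE type = 'key'").fetchone()
    return base64.b64decode(b64).hex()


def iteration_count(conn: sqlite3.Connection) -> int:
    """Digits before the first ';' of the accts row, as in the post's second query."""
    (text,) = conn.execute(
        "SELECT substr(data, 1, instr(data, ';') - 1) FROM LastPassData WHERE type = 'accts'"
    ).fetchone()
    return int(text)


def audit_iterations(iters: int) -> str:
    """Plain-language verdict on the PBKDF2 iteration count found in the vault."""
    if iters <= LEGACY_DEFAULT_ITERATIONS:
        return "weak: legacy 5000-round default or lower"
    if iters < CURRENT_DEFAULT_ITERATIONS:
        return "below the 100100 default in use since 2018"
    if iters == CURRENT_DEFAULT_ITERATIONS:
        return "at the 100100 default"
    return "above the default"


def seconds_to_exhaust(candidates: int, rate_hs: float, iters: int,
                       measured_at: int = CURRENT_DEFAULT_ITERATIONS) -> float:
    """Time to try every candidate at a rate measured against `measured_at` iterations.
    Assumption: PBKDF2 cost is linear in the iteration count, so the rate is rescaled by
    measured_at / iters (fixed per-guess overhead is ignored)."""
    effective_rate = rate_hs * measured_at / iters
    return candidates / effective_rate


if __name__ == "__main__":
    db = build_sample_db()
    iters = iteration_count(db)
    print("key:", vault_key_hex(db))
    print("iterations:", iters, "->", audit_iterations(iters))
    # The two rates come from the post: the author's M1 laptop and the multi-GPU estimate.
    for label, rate in (("M1 MacBook Air", 1110), ("multi-GPU rig", 2_000_000)):
        for it in (LEGACY_DEFAULT_ITERATIONS, CURRENT_DEFAULT_ITERATIONS):
            hours = seconds_to_exhaust(ROCKYOU_CANDIDATES, rate, it) / 3600
            print(f"{label:>15} @ {it:>6} iterations: {hours:9.3f} h to exhaust rockyou")
```

Run against a copy of your own extension database (point `sqlite3.connect` at the file instead of `:memory:`), the script answers the question the post raises under “What is the key iteration”: a vault still at 5000 rounds costs an attacker one twentieth of the work per guess, and at the multi-GPU rate in the post the whole of rockyou.txt is exhausted in seconds either way, which is why the master password, not the iteration count, decides whether a stolen vault falls.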
