Researchers warn of FFDroider and Lightning info-stealers targeting users in the wild

Cybersecurity researchers are warning of two different information-stealing malware, named FFDroider and Lightning Stealer, that are capable of siphoning data and launching further attacks.
“Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victims’ machines to look like the instant messaging application ‘Telegram’,” Zscaler ThreatLabz researchers Avinash Kumar and Niraj Shivtarkar said in a report published last week.
Information stealers, as the name implies, are equipped to harvest sensitive information from compromised machines, such as keystrokes, screenshots, files, saved passwords and cookies from web browsers, that are then transmitted to a remote attacker-controlled domain.
FFDroider is distributed through cracked installers and freeware, with the primary objective of stealing cookies and credentials for popular social media and e-commerce platforms, then using the plundered data to log in to the victims' accounts and collect further personal account information.
Web browsers targeted by the malware include Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. The websites targeted encompass Facebook, Instagram, Twitter, Amazon, eBay, and Etsy.

“The stealer signs into victims’ social media platforms using stolen cookies, and extracts account information like Facebook Ads-manager to run malicious advertisements with stored payment methods and Instagram via API to steal personal information,” the researchers said.
FFDroider also includes downloader functionality that fetches new modules from an update server, allowing it to expand its feature set over time and enabling the operators to use the stolen data as a vector for initial access to a target.
Main Function of Lightning Stealer
Lightning Stealer operates in a similar fashion: it can steal Discord tokens, data from cryptocurrency wallets, and cookies, passwords, credit card details, and search history from more than 30 Firefox- and Chromium-based browsers, all of which is exfiltrated to a server in JSON format.
“Info Stealers are adopting new techniques to become more evasive,” Cyble researchers said, adding it “witnessed ransomware groups leveraging Info Stealers to gain initial network access and, eventually, exfiltrating sensitive data.”
The development comes as stealer malware is becoming an increasingly common occurrence across different attack campaigns in recent months, in part to fill the void left by Raccoon Stealer’s exit from the market in late March due to the ongoing war in Ukraine.
In February 2022, Cyble Research disclosed details of an emerging threat called Jester Stealer that’s engineered to steal and transmit login credentials, cookies, credit card information along with data from passwords managers, chat messengers, email clients, crypto wallets, and gaming apps to the attackers.
Since then, at least three different info-stealers have emerged in the wild, including BlackGuard, Mars Stealer, and META, the last of which has been observed delivered via malspam campaigns to collect sensitive data.


First Malware Targeting AWS Lambda Serverless Platform Discovered

A first-of-its-kind malware targeting Amazon Web Services’ (AWS) Lambda serverless computing platform has been discovered in the wild.
Dubbed “Denonia” after the name of the domain it communicates with, “the malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls,” Cado Labs researcher Matt Muir said.
The artifact analyzed by the cybersecurity company was uploaded to the VirusTotal database on February 25, 2022, sporting the name “python” and packaged as a 64-bit ELF executable.
The filename is a misnomer, however: Denonia is written in Go and bundles a customized variant of the XMRig cryptocurrency miner. The initial access vector is unknown, although the researchers suspect it involved compromised AWS access key IDs and secret access keys.

Another notable feature of the malware is its use of DNS over HTTPS (DoH) to reach its command-and-control server (“gw.denonia[.]xyz”), concealing the DNS lookups inside ordinary encrypted HTTPS traffic so that they never appear as plaintext DNS on port 53.
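To make the evasion concrete, the following added example (written for this article; it is not code from Cado Labs or from the Denonia sample) builds an RFC 8484 DoH GET request for the C2 host named above and then decodes it back, which is what a TLS-terminating proxy would have to do to see the queried name. A plain DNS sensor or a security group rule for port 53 never sees this lookup, because the whole DNS message travels base64url-encoded in an HTTPS URL parameter. The resolver hostname dns.example is an assumption; any DoH resolver works the same way.

```python
import base64
import struct
from typing import Tuple

# Assumed resolver: any RFC 8484 endpoint (public or attacker-run) would do.
DOH_RESOLVER = "dns.example"
QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query for `name`.

    txid defaults to 0 because RFC 8484 recommends it for the GET form,
    so identical queries yield identical, cacheable URLs.
    """
    # ID, FLAGS (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(name: str, resolver: str = DOH_RESOLVER) -> str:
    """RFC 8484 GET form: the wire query, base64url-encoded with padding removed.

    On the wire this is just an HTTPS request to `resolver`; the DNS message
    is only visible after TLS termination.
    """
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return f"https://{resolver}/dns-query?dns={encoded.decode('ascii')}"


def parse_dns_question(wire: bytes) -> Tuple[str, int]:
    """Return (qname, qtype) from the first question of a wire-format DNS message."""
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never occur in a fresh query
            raise ValueError("unexpected compression pointer in question name")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    return ".".join(labels), qtype


def qname_from_doh_url(url: str) -> Tuple[str, int]:
    """Defender side: what a TLS-inspecting proxy can recover from the request URL."""
    param = url.split("?dns=", 1)[1].split("&", 1)[0]
    padded = param + "=" * (-len(param) % 4)  # restore the stripped base64 padding
    return parse_dns_question(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    # Constructed input: the C2 host the article names (defanged there as gw.denonia[.]xyz).
    url = doh_get_url("gw.denonia.xyz")
    print(url)
    print(qname_from_doh_url(url))
```

Without TLS interception the only observable artefacts are the resolver's IP address and TLS SNI, so the practical control in a Lambda VPC or any egress path is to permit DNS only to the organisation's own resolvers and to block or proxy known DoH endpoints; a function that can reach an arbitrary public DoH resolver has a DNS channel that port-53 filtering and DNS query logging will not see.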
In a statement shared with The Hacker News, Amazon stressed that “Lambda is secure by default, and AWS continues to operate as designed,” and that users violating its acceptable use policy (AUP) will be prohibited from using its services.
While Denonia has been clearly designed to target AWS Lambda since it checks for Lambda environment variables prior to its execution, Cado Labs also found that it can be run outside of it in a standard Linux server environment.
“The software described by the researcher does not exploit any weakness in Lambda or any other AWS service,” the company said. “Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself.”
“python” isn’t the only Denonia sample unearthed so far: Cado Labs found a second sample (named “bc50541af8fe6239f0faa7c57a44d119.virus”) that was uploaded to VirusTotal on January 3, 2022.
“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” Muir said.


Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States

A 32-year-old Ukrainian national has been sentenced to five years in prison in the U.S. for the individual’s criminal work as a “high-level hacker” in the financially motivated group FIN7.
Denys Iarmak, who worked as a penetration tester for the cartel from November 2016 through November 2018, had been previously arrested in Bangkok, Thailand in November 2019, before being extradited to the U.S. in May 2020.
In November 2021, Iarmak had pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.
FIN7 has been attributed to a series of attacks that led to the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations in the U.S., causing $1 billion in losses to the victims.
The criminal gang, also known as Carbanak Group and the Navigator Group, has since at least 2015 targeted the restaurant, gambling, and hospitality industries to siphon customer credit and debit card numbers, which were then used or sold for profit.
“Mr. Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” said U.S. Attorney Nicholas W. Brown of the Western District of Washington. “To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators.”
According to court documents released by the U.S. Justice Department (DoJ), the defendant used Atlassian’s Jira project management and issue-tracking software to coordinate and share details pertaining to different intrusions conducted by the group.
“Under each issue, FIN7 members tracked their progress breaching a victim’s security, uploaded data stolen from the victim, and provided guidance to each other,” the DoJ said.
Iarmak is the third FIN7 member to be sentenced in the U.S., after Fedir Hladyr and Andrii Kolpakov, who received prison terms of 10 years and seven years in April and June last year respectively.
The development comes as threat intelligence and incident response firm Mandiant detailed FIN7's evolution into a resilient cybercrime group, linking it to 17 clusters of previously unattributed threat activity spanning several years and calling out its upgraded attack toolkit, new initial access techniques, and shift to ransomware to monetize its intrusions.


Microsoft Obtains Court Order to Take Down Domains Used to Target Ukraine

Microsoft on Thursday disclosed that it obtained a court order to take control of seven domains used by APT28, a state-sponsored group operated by Russia’s military intelligence service, with the goal of neutralizing its attacks on Ukraine.
“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, said.
APT28, also known by the names Sofacy, Sednit, Pawn Storm, Fancy Bear, Iron Twilight, and Strontium, is a cyber espionage group and an advanced persistent threat that’s known to be active since 2009, striking media, governments, military, and international non-governmental organizations (NGOs) that often have a security focus.
The tech giant noted that the sinkholed infrastructure was used by the threat actor to target Ukrainian institutions as well as governments and think tanks in the U.S. and the European Union so as to maintain long term persistent access and exfiltrate sensitive information.
Meta takes action against Ghostwriter and Phosphorus
The disclosure from Microsoft comes as Meta, the company formerly known as Facebook, revealed that it took action against covert adversarial networks originating from Azerbaijan and Iran on its platform, by taking down the accounts and blocking their domains from being shared.
The Azerbaijani operation is believed to have singled out democracy activists, opposition groups, and journalists from the country, as well as government critics abroad, for credential phishing and espionage.
Another involved UNC788 (aka Charming Kitten, TA453, or Phosphorus), a government-linked hacking crew that has a history of conducting surveillance operations in support of Iranian strategic priorities.
“This group used a combination of low-sophistication fake accounts and more elaborate fictitious personas, which they likely used to build trust with potential targets and trick them into clicking on phishing links or downloading malicious applications,” Meta outlined in its first quarterly Adversarial Threat Report.
The malicious Android applications, dubbed HilalRAT, impersonated seemingly harmless Quran apps in order to extract sensitive information such as contact lists, text messages, files, and location data, and to activate the device's camera and microphone.
Meta also said it blocked the malicious activities associated with an unreported Iranian hacking group that leveraged tactics similar to that of Tortoiseshell to target or spoof companies in the energy, IT, maritime logistics, semiconductor, and telecom industries.
This campaign featured an elaborate set of bogus profiles on Instagram, LinkedIn, Facebook, and Twitter, with the actors posing as recruiters for real and front companies to trick users into clicking phishing links that delivered information-stealing malware disguised as VPN, calculator, audiobook, and messaging apps.
“They developed malware on the VMWare ThinApp virtualization platform, which allowed them to run it on many different systems and hold malicious payload back until the last minute, making malware detection more challenging,” Meta explained.
Lastly, also disrupted by Meta were takeover attempts made by the Belarus-aligned Ghostwriter group to break into the Facebook accounts of dozens of Ukrainian military personnel.
The attacks, which were successful in a “handful of cases,” abused the access to victims’ social media accounts and posted disinformation “calling on the Army to surrender as if these posts were coming from the legitimate account owners.”


FBI Shut Down Russia-linked “Cyclops Blink” Botnet That Infected Thousands of Devices

The U.S. Department of Justice (DoJ) announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
“The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underlying botnet,” the DoJ said in a statement Wednesday.
In addition to disrupting its C2 infrastructure, the operation closed the external management ports that the threat actor had used to connect to the firewall appliances, effectively severing the operators' access to the infected devices and preventing Sandworm from re-establishing control of the botnet.
The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S. described the botnet as a replacement framework for the VPNFilter malware that was exposed and sinkholed in May 2018.
Cyclops Blink, which is believed to have emerged as early as June 2019, primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group leveraging a previously identified security vulnerability in WatchGuard’s Firebox firmware as an initial access vector.
A follow-up analysis by cybersecurity firm Trend Micro last month suggested the possibility that the botnet is an attempt to “build an infrastructure for further attacks on high-value targets.”
“These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” the DoJ added.
Details of the security flaw were never made public beyond the fact that the company addressed it in software updates issued in May 2021; WatchGuard had stated at the time that the vulnerabilities were detected internally and were not “actively found in the wild.”
The company has since revised its Cyclops Blink FAQs to spell out that the vulnerability in question is CVE-2022-23176 (CVSS score: 8.8), which could “allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator” and gain unauthorized remote access.
ASUS, for its part, released firmware patches on April 1, 2022, to block the threat and recommends that users update to the latest version.
