Uber Claims No Sensitive Data Exposed in Latest Breach… But There’s More to This

Uber, in an update, said there is “no evidence” that users’ private information was compromised in a breach of its internal computer systems that was discovered late Thursday.
“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company said. “All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”
The ride-hailing company also said it’s brought back online all the internal software tools it took down previously as a precaution, reiterating it’s notified law enforcement of the matter.
It’s not immediately clear if the incident resulted in the theft of any other information or how long the intruder was inside Uber’s network.
Uber has not provided more specifics of how the incident played out beyond saying its investigation and response efforts are ongoing. But independent security researcher Bill Demirkapi characterized the company’s “no evidence” stance as “sketchy.”
“‘No evidence’ could mean the attacker did have access, Uber just hasn’t found evidence that the attacker *used* that access for ‘sensitive’ user data,” Demirkapi said. “Explicitly saying ‘sensitive’ user data rather than user data overall is also weird.”
The breach allegedly involved a lone hacker, an 18-year-old teenager, tricking an Uber employee into providing account access by social engineering the victim into accepting a multi-factor authentication (MFA) prompt that allowed the attacker to register their own device.
Upon gaining an initial foothold, the attacker found an internal network share that contained PowerShell scripts with privileged admin credentials, granting carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack.
Singapore-based Group-IB’s follow-up analysis of downloaded artifacts as captured in some of the screenshots shared by the threat actor has revealed them to be logs gathered from info-stealing malware that were put up for sale just days before on the cybercriminal underground.
“These logs were put up for sale on September 12 and 14, which means that this was very fresh data, because the hack that utilized them was revealed from 15 to 16 September,” the cybersecurity firm said, adding the logs contained authorization information for OneLogin.
“These logs indicate that at least two Uber employees (from Indonesia and Brazil) have been infected by stealer malware: Raccoon and Vidar stealers,” Group-IB said, suggesting the hacker may also have attempted to use the purchased stolen data to advance through Uber’s network.
Worryingly, as revealed by security researcher Sam Curry, the teen hacker is also said to have gotten hold of privately disclosed vulnerability reports submitted via HackerOne as part of Uber’s bug bounty program.
HackerOne has since moved to disable Uber’s account, but the unauthorized access to unpatched security flaws in the platform could pose a huge security risk to the San Francisco-based firm should the hacker opt to sell the information to other threat actors for a quick profit.
So far, the attacker’s motivations behind the breach are unclear, although a message posted by the hacker announcing the breach on Slack included a call for higher pay for Uber’s drivers.
A separate report from The Washington Post noted that the attacker broke into the company’s networks for fun and might leak the company’s source code in a matter of months, while describing Uber’s security as “awful.”
“Many times we only talk about APTs, like nation states, and we forget about other threat actors including disgruntled employees, insiders, and like in this case, hacktivists,” Ismael Valenzuela Espejo, vice president of threat research and intelligence at BlackBerry, said.
“Organizations should include these as part of their threat modeling exercises to determine who may have a motivation to attack the company, their skill level and capabilities, and what the impact could be according to that analysis.”
The attack targeting Uber, as well as the recent string of incidents against Twilio, Cloudflare, Cisco, and LastPass, illustrates how social engineering continues to be a persistent thorn in the flesh for organizations.
It also shows that all it takes for a breach to take place is for one employee to share their login credentials, proving that password-based authentication is a weak link in account security.
“Once again, we see that a company’s security is only as good as their most vulnerable employees,” Masha Sedova, co-founder and president of Elevate Security, said in a statement.
“We need to think beyond generic training, instead let’s pair our riskiest employees with more specific protective controls. As long as we continue to address cybersecurity as solely a technical challenge, we will continue to lose this battle,” Sedova added.
Episodes like these are also proof that one-time password codes – whether time-based (TOTP) codes generated by authenticator apps or codes sent as SMS messages – are inadequate at securing 2FA roadblocks.
One way to counter such threats is the use of phishing-resistant FIDO2-compliant physical security keys, which drops passwords in favor of an external hardware device that handles the authentication.
“MFA providers should *by default* automatically lock accounts out temporarily when too many prompts are sent in a short period of time,” Demirkapi said, urging organizations to limit privileged access.


Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware

A decryptor for the LockerGoga ransomware has been made available by Romanian cybersecurity firm Bitdefender in collaboration with Europol, the No More Ransom project, and Zürich law enforcement authorities.
Identified in January 2019, LockerGoga drew headlines for its attacks against the Norwegian aluminum giant Norsk Hydro. It’s said to have infected more than 1,800 victims in 71 countries, causing an estimated $104 million in damages.
The ransomware operation received a significant blow in October 2021 when 12 people in connection with the group, alongside MegaCortex and Dharma, were apprehended as part of an international law enforcement effort.
The arrests, which took place in Ukraine and Switzerland, also saw the seizure of cash worth $52,000, five luxury vehicles, and a number of electronic devices. One of the accused is currently in pretrial detention in Zurich.
The Zurich Cantonal Police further said it spent the past months examining the data storage devices confiscated from the individual during the 2021 arrests and identified numerous private keys that were used to lock the data.
A decryption utility for MegaCortex is also expected to be published in the coming months. Victimized parties are also recommended to file a criminal complaint in their respective home countries.
“These keys enable the aggrieved companies and institutions to recover the data that was previously encrypted with the malware LockerGoga or MegaCortex,” the agency said.
As recommendations, the police department is urging organizations to securely handle emails, block suspicious email attachments, create regular backups, enforce two-factor authentication, and keep IT systems up-to-date.


Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015.
Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran’s Islamic Revolutionary Guard Corps (IRGC) and that it shares partial overlaps with another cluster called APT35, which is also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda.
APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including in Australia, Europe, the Middle East, and the U.S.
Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, indicating the threat actor’s ability to swiftly modify its campaigns in order to meet its operational priorities.
“APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices,” Mandiant said in a report.
The goal is to exploit the fraudulent trust relationships to steal credentials, enabling the threat actor to leverage the access to conduct follow-on compromises of corporate networks to gather sensitive data and use the breached accounts to phish additional victims.
Attack chains involve a mix of highly targeted spear-phishing messages aimed at individuals and organizations of strategic interest to Iran. They are also conceived with the intent to build trust with former government officials, journalists, policymakers, and the Iranian diaspora abroad in hopes of distributing malware.
Outside of using hacked email accounts associated with think tanks to target researchers and other academic organizations, APT42 is often known to impersonate journalists and other professionals to engage with the victims for several days or even weeks before sending a malicious link.
In one attack observed in May 2017, the group targeted members of an Iranian opposition group operating from Europe and North America with email messages that contained links to rogue Google Books pages, which redirected victims to sign-in pages designed to siphon credentials and two-factor authentication codes.
Surveillance operations involve the distribution of Android malware such as VINETHORN and PINEFLOWER via text messages that are capable of recording audio and phone calls, extracting multimedia content and SMSes, and tracking geolocations. A VINETHORN payload spotted between April and October 2021 masqueraded as a VPN app called SaferVPN.
“The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information,” the researchers noted.
The group is also said to use a raft of lightweight Windows malware from time to time – a PowerShell toehold backdoor named TAMECAT, a VBA-based macro dropper dubbed TABBYCAT, and a reverse shell macro known as VBREVSHELL – to augment their credential harvesting and espionage activities.
APT42’s links to APT35 stem from its connections to an uncategorized threat cluster tracked as UNC2448, which Microsoft (DEV-0270) and Secureworks (Cobalt Mirage) disclosed as a Phosphorus subgroup carrying out ransomware attacks for financial gain using BitLocker.
Mandiant’s analysis further lends credence to Microsoft’s findings that DEV-0270/UNC2448 is operated by a front company that uses two public aliases, namely Secnerd and Lifeweb, both of which are connected to Najee Technology Hooshmand.
That said, the two adversarial collectives, despite their affiliation with the IRGC, are suspected to pursue separate missions, based on differences in targeting patterns and the tactics employed.
A key point of distinction is that while APT35 is oriented towards long-term, resource-intensive operations targeting different industry verticals in the U.S. and the Middle East, APT42’s activities focus on individuals and entities for “domestic politics, foreign policy, and regime stability purposes.”
“The group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change over time with evolving domestic and geopolitical conditions,” the researchers said.


How to Do Malware Analysis?

Based on the findings of Malwarebytes’ Threat Review for 2022, 40 million threats were detected on Windows business computers in 2021. In order to combat and avoid these kinds of attacks, malware analysis is essential. In this article, we will break down the goal of investigating malicious programs and how to do malware analysis with a sandbox.
What is malware analysis?
Malware analysis is the process of studying a malicious sample. During the study, a researcher’s goal is to understand a malicious program’s type, functions, code, and potential dangers, and to obtain the information an organization needs to respond to the intrusion.
The results you get from the analysis:

  • How the malware works: if you investigate the program’s code and its algorithm, you will be able to stop it from infecting the whole system.
  • Characteristics of the program: improve detection by using data on the malware such as its family, type, version, etc.
  • The goal of the malware: run the sample in a safe environment to see what data it targets.
  • Who is behind the attack: get the IPs, origin, TTPs used, and other footprints that the attackers try to hide.
  • A plan for how to prevent this kind of attack.

Types of malware analysis
(Figure: Static and dynamic malware analysis)
Key steps of malware analysis
Across these five steps, the main focus of the investigation is to find out as much as possible about the malicious sample, the execution algorithm, and the way malware works in various scenarios.
We believe that the most effective method to analyze malicious software is to mix static and dynamic methods. Here is a short guide on how to do malware analysis. Just follow the following steps:
Step 1. Set your virtual machine
You can customize a VM with specific requirements such as a browser, Microsoft Office, OS bitness, and locale. Add tools for the analysis and install them in your VM: FakeNet, MITM proxy, Tor, VPN. We can do this easily in the ANY.RUN sandbox.
(Figure: VM customization in ANY.RUN)
Step 2. Review static properties
This is a stage for static malware analysis. Examine the executable file without running it: check the strings to understand malware’s functionality. Hashes, strings, and headers’ content will provide an overview of malware intentions.
For example, in the screenshot below, we can see the hashes, PE header, MIME type, and other information for the Formbook sample. To get a rough idea of its functionality, we can look at the Import section of the sample, where all imported DLLs are listed.
(Figure: Static discovery of the PE file)
Step 3. Monitor malware behavior
This is the dynamic approach to malware analysis. Upload a malware sample into a safe virtual environment. Interact with the malware directly to make the program act and observe its execution. Check the network traffic, file modifications, registry changes, and any other suspicious events.
In our online sandbox sample, we can look inside the network stream to see the credentials the attacker uses to log in to the C2 server, as well as the information that was stolen from the infected machine.
(Figure: Attacker’s credentials)
(Figure: Review of the stolen data)
Step 4. Break down the code
If the threat actors obfuscated or packed the code, use deobfuscation techniques and reverse engineering to reveal it. Identify capabilities that weren’t exposed during the previous steps. Even a single function imported by the malware can say a lot about its functionality. For example, the presence of “InternetOpenUrlA” indicates that the malware will make a connection to some external server.
Additional tools, like debuggers and disassemblers, are required at this stage.
Step 5. Write a malware report
Include all your findings and the data you discovered. Provide the following information:

  • Summary of your research with the malicious program’s name, origin, and key features.
  • General information about the malware type, file name, size, hashes, and antivirus detections.
  • Description of the malicious behavior: the infection algorithm, spreading techniques, data collection, and means of C2 communication.
  • Required OS bitness, software, executables and initialization files, DLLs, IP addresses, and scripts.
  • Review of the behavioral activity, such as where it steals credentials from, whether it modifies, drops, or installs files, reads values, and checks the system language.
  • Results of the code analysis and header data.
  • Screenshots, logs, strings, excerpts, etc.
  • IOCs.
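Steps 2, 4 and 5 above (static properties, reading capabilities off imported function names, and collecting the findings into a report) can be automated for a first triage pass before a sample ever goes into a sandbox. The script below is an added example for this page, not ANY.RUN’s code or anything from the article: it hashes the file, pulls printable strings, flags Win32 API names that indicate a capability (the list and descriptions are the author’s assumptions, with “InternetOpenUrlA” taken from the text above), extracts URL and IPv4 indicators from the strings, and renders a report stub. The sample bytes are a constructed stand-in for a PE file (an “MZ” header followed by a few strings), not a real malware sample, and the address uses a TEST-NET range.

```python
import hashlib
import re

# API-name-to-capability hints: names are real Win32 exports, the one-line
# descriptions are this example's assumptions about what their presence suggests.
SUSPICIOUS_APIS = {
    "InternetOpenUrlA": "opens a URL over HTTP(S) via WinINet",
    "URLDownloadToFileA": "downloads a file from a URL",
    "CreateRemoteThread": "starts a thread in another process (injection)",
    "WriteProcessMemory": "writes into another process's memory (injection)",
    "RegSetValueExA": "writes a registry value (possible persistence)",
    "GetAsyncKeyState": "polls keyboard state (possible keylogging)",
}

# Constructed stand-in for a PE file: "MZ" magic, padding, then strings such
# as a static triage would see in the import table and data section.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"KERNEL32.dll\x00WININET.dll\x00"
    + b"InternetOpenUrlA\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://203.0.113.10/gate.php\x00"   # constructed, TEST-NET-3 address
    + b"\x00" * 16
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of the sample, the identifiers a report leads with."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=5):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def flag_apis(strings):
    """Map each known-suspicious API name found in the strings to its hint."""
    present = set(strings)
    return {api: hint for api, hint in SUSPICIOUS_APIS.items() if api in present}


def find_iocs(strings):
    """Pull URLs and IPv4 addresses out of the strings as candidate IOCs."""
    url_re = re.compile(r"https?://[^\s\"']+")
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    urls, ips = set(), set()
    for s in strings:
        urls.update(url_re.findall(s))
        ips.update(ip_re.findall(s))
    return {"urls": sorted(urls), "ips": sorted(ips)}


def triage(data):
    """Run the static pass and return the findings as a dict (the report's raw data)."""
    strings = extract_strings(data)
    return {
        "is_pe": data[:2] == b"MZ",   # DOS header magic; full PE parsing is out of scope here
        "size": len(data),
        **file_hashes(data),
        "strings": strings,
        "flagged_apis": flag_apis(strings),
        "iocs": find_iocs(strings),
    }


def render_report(report):
    """Plain-text report stub following the step-5 outline."""
    lines = [
        f"Size: {report['size']} bytes, PE header: {'yes' if report['is_pe'] else 'no'}",
        f"SHA-256: {report['sha256']}",
        "Capabilities suggested by imports:",
    ]
    lines += [f"  - {api}: {hint}" for api, hint in report["flagged_apis"].items()]
    lines.append("IOCs:")
    lines += [f"  - {u}" for u in report["iocs"]["urls"]]
    lines += [f"  - {ip}" for ip in report["iocs"]["ips"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(triage(SAMPLE)))
```

The import-name heuristic is only a hint: packed or obfuscated samples resolve APIs at runtime and show none of these strings, which is exactly why step 4 (unpacking and disassembly) and step 3 (watching behaviour in a sandbox) remain necessary.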

Interactive malware analysis
Modern antivirus products and firewalls cannot cope with unknown threats such as targeted attacks, zero-day vulnerabilities, advanced malicious programs, and threats with no known signatures. All of these challenges can be addressed with an interactive sandbox.
Interactivity is the key advantage of our service. With ANY.RUN you can work with a suspicious sample directly as if you opened it on your personal computer: click, run, print, reboot. You can work with the delayed malware execution and work out different scenarios to get effective results.
During your investigation, you can:

  • Get interactive access: work with the VM as on your personal computer: use a mouse, input data, reboot the system, and open files.
  • Change the settings: a pre-installed software set and several OSs with different bitness and builds are ready for you.
  • Choose tools for your VM: FakeNet, MITM proxy, Tor, OpenVPN.
  • Research network connections: intercept packets and get a list of IP addresses.
  • Instant access to the analysis: the VM immediately starts the analysis process.
  • Monitor system processes: observe malware behavior in real time.
  • Collect IOCs: IP addresses, domain names, hashes, and others are available.
  • Get a MITRE ATT&CK matrix: review TTPs in detail.
  • Have a process graph: evaluate all processes in a graph.
  • Download a ready-made malware report: print all data in a convenient format.

All of these features help to reveal sophisticated malware and see the anatomy of the attack in real-time.
Write the “HACKERNEWS” promo code in the email subject at [email protected] and get 14 days of ANY.RUN premium subscription for free!
Try cracking malware using an interactive approach. With the ANY.RUN sandbox you can do malware analysis and enjoy fast results and a simple research process, investigate even sophisticated malware, and get detailed reports. Follow the steps, use smart tools, and hunt malware successfully.


Researchers Detail OriginLogger RAT — Successor to Agent Tesla Malware

Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla.
A .NET-based keylogger and remote access trojan, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain.
Known to be used in the wild since 2014, it’s advertised for sale on dark web forums and is generally distributed through malicious spam emails as an attachment.
In February 2021, cybersecurity firm Sophos disclosed two new variants of the commodity malware (version 2 and 3) that featured capabilities to steal credentials from web browsers, email apps, and VPN clients, as well as use Telegram API for command-and-control.
Now according to Unit 42 researcher Jeff White, what has been tagged as Agent Tesla version 3 is actually OriginLogger, which is said to have sprung up to fill the void left by the former after its operators shut shop on March 4, 2019, following legal troubles.
The cybersecurity firm’s starting point for the investigation was a YouTube video that was posted in November 2018 detailing its features, leading to the discovery of a malware sample (“OriginLogger.exe”) that was uploaded to the VirusTotal malware database on May 17, 2022.
The executable is a builder binary that allows a paying customer to specify the kinds of data to be captured, including the clipboard, screenshots, and the list of applications and services (e.g., browsers, email clients, etc.) from which credentials are to be extracted.
User authentication is achieved by sending a request to an OriginLogger server, which resolves to the domain names 0xfd3[.]com and its newer counterpart originpro[.]me based on two builder artifacts compiled on September 6, 2020, and June 29, 2022.
Unit 42 said it was able to identify a GitHub profile with the username 0xfd3 that hosted two source code repositories for stealing passwords from Google Chrome and Microsoft Outlook, both of which are used in OriginLogger.
OriginLogger, like Agent Tesla, is delivered via a decoy Microsoft Word document that, when opened, is designed to display an image of a passport for a German citizen and a credit card, along with a number of Excel worksheets embedded into it.
The worksheets, in turn, contain a VBA macro that uses MSHTA to invoke an HTML page hosted on a remote server, which, for its part, includes an obfuscated JavaScript code to fetch two encoded binaries hosted on Bitbucket.
The first of the two pieces of malware is a loader that uses the technique of process hollowing to inject the second executable, the OriginLogger payload, into the aspnet_compiler.exe process, a legitimate utility for precompiling ASP.NET applications.
“The malware uses tried and true methods and includes the ability to keylog, steal credentials, take screenshots, download additional payloads, upload your data in a myriad of ways and attempt to avoid detection,” White said.
What’s more, an analysis of a corpus of over 1,900 samples shows that the most common exfiltration mechanisms for sending the data back to the attacker are SMTP, FTP, web uploads to the OriginLogger panel, and Telegram, with the help of 181 unique bots.
“Commercial keyloggers have historically catered to less advanced attackers, but as illustrated in the initial lure document analyzed here, this does not make attackers any less capable of using multiple tools and services to obfuscate and make analysis more complicated,” White further said.
