Watch Out! Microsoft Spotted Spike in Astaroth Fileless Malware Attacks

Security researchers at Microsoft have released details of a new widespread campaign distributing an infamous piece of fileless malware that was primarily being found targeting European and Brazilian users earlier this year.

Dubbed Astaroth, the trojan has been making the rounds since at least 2017 and is designed to steal users’ sensitive information, such as credentials, keystrokes, and other data, without dropping any executable file on disk or installing any software on the victim’s machine.

Initially discovered by researchers at Cybereason in February this year, Astaroth lives off the land by running its payload directly in the memory of the targeted computer and by leveraging legitimate system tools, such as WMIC, Certutil, Bitsadmin, and Regsvr32, to run the malicious code.

While reviewing Windows telemetry data, Andrea Lelli, a researcher on the Microsoft Defender ATP Research Team, recently spotted a sudden, unusual spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool, which led to the discovery of the fileless attack.

Further investigation revealed that the attackers behind this campaign are distributing multi-stage Astaroth malware through spear-phishing emails with a malicious link to a website hosting an LNK shortcut file.

Clicking the shortcut file executes the Windows built-in WMIC tool, which downloads and executes JavaScript code; that code in turn abuses the Bitsadmin tool to download the remaining malicious payloads, which perform the actual work of pilfering and uploading the victim’s data while disguising themselves as a system process.

“All the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted),” the researcher said in a blog post published Monday.

“The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.”

This means that the malware doesn’t rely on any vulnerability exploit or traditional trojan downloader to fetch anything onto the targeted system. Instead, it relies entirely on built-in system tools and commands throughout its attack chain, so that the activity masquerades as regular system behaviour.
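The chain described above leaves a short sequence of process-creation events that a defender can correlate rather than hunt for one at a time. The following Python is an added example, not code from the article or from Microsoft's research: it scans constructed process-log lines (the tab-separated log format, host names and URLs are all assumed) for the stages the article names and flags a host on which several of them occur within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# One regex per stage of the chain the article describes: WMIC pulling a
# script from a URL, Bitsadmin downloading from a URL, Certutil decoding
# Base64, Regsvr32 loading a DLL. Patterns are deliberately coarse.
STAGES = {
    "wmic_remote_script": re.compile(r"\bwmic(?:\.exe)?\b.*https?://", re.I),
    "bitsadmin_download": re.compile(r"\bbitsadmin(?:\.exe)?\b.*https?://", re.I),
    "certutil_decode": re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.I),
    "regsvr32_dll_load": re.compile(r"\bregsvr32(?:\.exe)?\b.*\.dll\b", re.I),
}

def detect_chain(lines, window_seconds=900, min_stages=3):
    """Return {host: [stages]} for hosts where at least min_stages distinct
    stages fire within window_seconds. Assumed log format (constructed for
    this example): 'YYYY-mm-dd HH:MM:SS<TAB>host<TAB>command line'."""
    events = defaultdict(list)
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash the scan
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        for name, pat in STAGES.items():
            if pat.search(parts[2]):
                events[parts[1]].append((ts, name))
                break
    hits = {}
    for host, evs in events.items():
        evs.sort()  # chronological; stage order is not required
        for i, (start, _) in enumerate(evs):
            seen = []
            for ts, name in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                if name not in seen:
                    seen.append(name)
            if len(seen) >= min_stages:
                hits[host] = seen
                break
    return hits

# Constructed sample (arguments elided as "..."): WS-01 shows the full chain,
# WS-02 a lone Regsvr32 call, WS-03 a benign Certutil use.
SAMPLE_LOG = [
    "2019-07-08 10:02:11\tWS-01\twmic.exe ... http://cdn.example.invalid/s1",
    "2019-07-08 10:02:40\tWS-01\tbitsadmin.exe ... http://cdn.example.invalid/p1",
    "2019-07-08 10:03:05\tWS-01\tcertutil.exe -decode p1 p1.dll",
    "2019-07-08 10:03:20\tWS-01\tregsvr32.exe /s p1.dll",
    "2019-07-08 10:04:00\tWS-02\tregsvr32.exe /s C:\\Windows\\System32\\legit.dll",
    "2019-07-08 10:05:00\tWS-03\tcertutil.exe -verify cert.cer",
]
```

Tuning the window and the minimum stage count is how you trade false positives (administrators do use these tools) for missed slow-moving chains.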

images from Hacker News

Over 1,300 Android Apps Caught Collecting Data Even If You Deny Permissions

Smartphones are a goldmine of sensitive data, and modern apps act as diggers that continuously collect every piece of information they can from your device.

The security model of modern mobile operating systems, like Android and iOS, is primarily based on permissions that explicitly define which sensitive services, device capabilities, or user information an app can access, allowing users to decide what each app may access.

However, new findings by a team of researchers at the International Computer Science Institute in California revealed that mobile app developers are using shady techniques to harvest users’ data even after they deny permissions.

In their talk “50 Ways to Pour Your Data” [PDF] at PrivacyCon hosted by the Federal Trade Commission last Thursday, researchers presented their findings that outline how more than 1,300 Android apps are collecting users’ precise geolocation data and phone identifiers even when they’ve explicitly denied the required permissions.

“Apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels,” the researchers wrote.

“These channels occur when there is an alternate means to access the protected resource that is not audited by the security mechanism, thus leaving the resource unprotected.”

Researchers studied more than 88,000 apps from the Google Play store, 1,325 of which were found to violate the Android permission system by using hidden workarounds that let them obtain users’ personal data from sources such as metadata stored in photos and Wi-Fi connections.

Location Data — For instance, researchers found that a photo-editing app, Shutterfly, collects a device’s location by extracting GPS coordinates from the metadata of photos, as a side channel, even when users declined to grant the app permission to access location data.

“We observed that the Shutterfly app (com.shutterfly) sends precise geolocation data to its own server (apcmobile.thislife.com) without holding location permission.”

Moreover, it should be noted that if an app can access the user’s location, then all third-party services embedded in that app can also access it.


Microsoft Releases July 2019 Security Updates, 2 Flaws Under Active Attack

Microsoft today released its monthly batch of software security updates for July, patching a total of 77 vulnerabilities, of which 14 are rated Critical, 62 Important, and 1 Moderate in severity.

The July 2019 security updates include patches for various supported versions of Windows operating systems and other Microsoft products, including Internet Explorer, Edge, Office, Azure DevOps, Open Source Software, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio, and Exchange Server.

Details of 6 security vulnerabilities, all rated Important, were made public before a patch was released, but none of them was found to be exploited in the wild.

However, two new privilege escalation vulnerabilities, one affecting all supported versions of the Windows operating system and the other affecting Windows 7 and Server 2008, have been reported as being actively exploited in the wild.

Both actively exploited vulnerabilities lead to elevation of privilege, one (CVE-2019-1132) of which resides in the Win32k component and could allow an attacker to run arbitrary code in kernel mode.

The other actively exploited vulnerability (CVE-2019-0880) resides in the way splwow64 (Thunking Spooler APIs) handles certain calls, allowing an attacker or a malicious program to elevate its privileges on an affected system from low integrity to medium integrity.

The publicly known flaws affect the Docker runtime, the SymCrypt Windows cryptographic library, Remote Desktop Services, Azure Automation, Microsoft SQL Server, and the Windows AppX Deployment Service (AppXSVC).

Microsoft also released updates to patch 14 critical vulnerabilities, and as expected, all of them lead to remote code execution and affect Microsoft products ranging from Internet Explorer and Edge to Windows Server DHCP, Azure DevOps and Team Foundation Server.


Marriott Faces $123 Million GDPR Fine Over Starwood Data Breach

After hitting British Airways with a record £183 million fine earlier this week, the UK’s data privacy regulator is now planning to fine the world’s biggest hotel chain, Marriott International, £99 million ($123 million) under GDPR over a data breach dating back to 2014.

This is the second major penalty notice in two days to hit a company for failing to implement adequate security measures and protect its customers’ personal and financial information.

In November 2018, Marriott discovered that unknown hackers had compromised its guest reservation database through its Starwood hotels subsidiary and walked away with personal details of approximately 339 million guests.

The compromised database leaked guests’ names, mailing addresses, phone numbers, email addresses, dates of birth, gender, arrival and departure information, reservation date, and communication preferences.

The breach, which likely happened in 2014, also exposed unencrypted passport numbers for at least 5 million users and credit card records of eight million customers.

According to the Information Commissioner’s Office (ICO), nearly 30 million residents of 31 European countries and 7 million UK residents were impacted by the Marriott data breach.

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Last year, the General Data Protection Regulation (GDPR) came into force in Europe; it requires companies to ensure that the way they collect, process, and store personal data is secure.


Hackers’ Operating System Kali Linux Released for Raspberry Pi 4

We’ve got some really exciting news for you…

Offensive Security has released an official version of Kali Linux for the Raspberry Pi 4—the most powerful version of the compact computer board yet, released just two weeks ago with up to 4GB of RAM at a low price and wide availability.

Based on Debian, Kali Linux has long been the number one operating system for ethical hackers and penetration testers, and the Raspberry Pi has long been the gold standard for inexpensive single-board computing, designed to let people experiment with building software and hardware.

Given the popularity of Kali Linux on previous versions of the Raspberry Pi, Offensive Security says its developers wanted to get Kali supported on the latest version of the Pi right away.

Now with the release of Raspberry Pi 4, Offensive Security is really excited to launch a new build of Kali Linux that takes advantage of everything the Raspberry Pi 4 has to offer including:

  • A more powerful CPU
  • Options for 1, 2, or 4GB of RAM
  • USB-C power supply
  • USB 2.0 and USB 3.0 ports
  • Full-throughput Gigabit Ethernet
  • 2 micro HDMI ports

Offensive Security also notes that the penetration testing distro for the Raspberry Pi 4 supports monitor mode and frame injection on the onboard Wi-Fi.
